Isaca Updated CRISC Exam Questions and Answers by mathias

The most important characteristic of a key risk indicator (KRI) to enable decision-making is illustrating changes in risk trends, as it provides a clear and timely indication of the direction and magnitude of the risk level and exposure, and enables the stakeholders to take proactive andappropriate actions to address the risk. The other options are not the most important characteristics, as they are more related to the monitoring, measurement, or identification of the risk, respectively, rather than the illustration of the risk trends. References = CRISC Review Manual, 7th Edition, page 110.

 Performing a post-implementation review is the best way to confirm whether appropriate automated controls are in place within a recently implemented system, as it helps to evaluate the effectiveness and efficiency of the system and its controls after they have been deployed and operationalized. A post-implementation review is a process of assessing and validating the system and its controls against the predefined criteria and objectives, such as functionality, performance, security, compliance, and user satisfaction. A post-implementation review can help to confirm whether appropriate automated controls are in place within a recently implemented system by providing the following benefits:

It verifies that the system and its controls meet the design specifications and standards, and comply with the relevant laws, regulations, and contractual obligations.

It identifies and measures the actual or potential benefits and value of the system and its controls, such as improved efficiency, reliability, or quality.

It detects and analyzes any issues, gaps, or weaknesses in the system and its controls, such as errors, inconsistencies, or vulnerabilities.

It provides recommendations and action plans to address the identified issues, gaps, or weaknesses, and to improve or enhance the system and its controls.

It communicates and reports the results and findings of the review to the relevant stakeholders, and solicits their feedback and suggestions.

The other options are not the best ways to confirm whether appropriate automated controls are in place within a recently implemented system. Conducting user acceptance testing is an important step to ensure that the system and its controls meet the user requirements and expectations, but it is usually performed before the system is implemented and operationalized, and it may not cover all aspects of the system and its controls. Reviewing the key performance indicators (KPIs) is a useful method to measure and monitor the performance of the system and its controls, but it may not provide a comprehensive or objective evaluation of the system and its controls. Interviewing process owners is a possible technique to collect and analyze information on the system and its controls, but it may not provide sufficient or reliable evidence to confirm the appropriateness of the system and its controls. References = Post-Implementation Review: The Key to a Successful Project, IT Risk Resources | ISACA, Post Implementation Review (PIR) - Project Management Knowledge

According to the CRISC Review Manual, risk taxonomy is the system of classification and categorization of risks based on common characteristics and attributes. Risk taxonomy is necessary to enable an IT risk register to be consolidated with the rest of the organization’s risk register, because it helps to ensure consistency, comparability, and alignment of the risks across the organization. Risk taxonomy also helps to facilitate the communication, reporting, and aggregation of the risks. The other options are not the correct answers, because they are not essential for consolidating the risk registers. Risk response is the action taken to address the risk, which may vary depending on the risk level and strategy. Risk appetite is the amount and type of risk that an organization is willing to accept, which may differ across the organization’s units and functions. Risk ranking is the process of prioritizing the risks based on their impact and likelihood, which may change over time and context. References = CRISC Review Manual, 7th Edition, Chapter 2, Section 2.1.2, page 69.

The first activity that should be performed when the time required to complete daily processing for a legacy application is approaching a risk threshold is to conduct a root-cause analysis. This will help to identify the source of the problem and the factors that are contributing to the increased processing time. By conducting a root-cause analysis, the enterprise can determine the most appropriate and effective solution to address the problem and prevent it from recurring. Temporarily increasing the risk threshold, suspending processing to investigate the problem, and initiating a feasibility study for a new application are not the first activities that should be performed, as they may not resolve the underlying issue and may introduce additional risks or costs. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.1.2, page 193.