CRISC Certified in Risk and Information Systems Control – Question195

Which of the following phases is involved in the Data Extraction, Validation, Aggregation and Analysis?

A. Risk response and Risk monitoring
B. Requirements gathering, Data access, Data validation, Data analysis, and Reporting and corrective action
C. Data access and Data validation
D. Risk identification, Risk assessment, Risk response and Risk monitoring

Correct Answer: B

Explanation:
The basic concepts related to data extraction, validation, aggregation and analysis are important because KRIs often rely on digital information from diverse sources. The phases involved are:

  • Requirements gathering: A detailed plan and the project’s scope are required for monitoring risks. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders.
  • Data access: In the data access process, management identifies which data are available and how they can be acquired in a format that can be used for analysis. There are two options for data extraction:
    – Extracting data directly from the source systems after system owner approval
    – Receiving data extracts from the system custodian (IT) after system owner approval
    Direct extraction is preferred, especially since this involves management monitoring its own controls, instead of auditors/third parties monitoring management’s controls. If it is not feasible to get direct access, a data access request form that details the appropriate data fields to be extracted should be submitted to the data owners. The request should specify the method of delivery for the file.
  • Data validation: Data validation ensures that extracted data are ready for analysis. One of its important objectives is to perform tests examining the data quality to ensure data are valid, complete and free of errors. This may also involve making data from different sources suitable for comparative analysis. The following concepts should be considered while validating data:
    – Ensure the validity, i.e., data match definitions in the table layout
    – Ensure that the data are complete
    – Ensure that extracted data contain only the data requested
    – Identify missing data, such as gaps in sequence or blank records
    – Identify and confirm the validity of duplicates
    – Identify the derived values
    – Check if the data given is reasonable or not
    – Identify the relationship between table fields
    – Record, in a transaction or detail table, that the record has no match in a master table
  • Data analysis: Analysis of data may involve a simple set of steps or a complex combination of commands and other functionality. Data analysis is designed to achieve the stated objectives from the project plan. Although this may be applicable to any monitoring activity, it would be beneficial to consider transferability and scalability. This may include robust documentation and the use of software development standards and naming conventions.
  • Reporting and corrective action: According to the requirements of the monitoring objectives and the technology being used, the reporting structure and distribution are decided. Reporting procedures indicate to whom outputs from the automated monitoring process are distributed so that they are directed to the right people, in the right format, etc. Similar to the data analysis stage, reporting may also identify areas in which changes to the sensitivity of the reporting parameters or the timing and frequency of the monitoring activity may be required.
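The data validation checks listed above, applied to an extracted transaction table as an added example (not part of the original question or the CRISC material): the table layout, the vendor master table, the field names and the sample rows are all constructed for illustration, and each row is seeded with one of the defects the checks are meant to catch.

```python
from datetime import date

# Constructed table layout: field -> (expected type, required). Names are illustrative.
LAYOUT = {"txn_id": (int, True), "vendor_id": (str, True), "qty": (int, True),
          "unit_price": (float, True), "total": (float, True), "posted": (date, True)}

# Constructed sample: a vendor master table and an extracted transaction (detail) table
MASTER_VENDORS = {"V1", "V2"}
ROWS = [
    {"txn_id": 1, "vendor_id": "V1", "qty": 2, "unit_price": 5.0, "total": 10.0, "posted": date(2024, 1, 2)},
    {"txn_id": 2, "vendor_id": "V9", "qty": 1, "unit_price": 5.0, "total": 5.0, "posted": date(2024, 1, 2)},   # no match in master
    {"txn_id": 2, "vendor_id": "V2", "qty": 3, "unit_price": 2.0, "total": 7.0, "posted": date(2024, 1, 3)},   # duplicate key, bad total
    {"txn_id": 4, "vendor_id": "V1", "qty": 1, "unit_price": 2e4, "total": 2e4, "posted": "", "note": "x"},   # gap, blank, extra field
    {"txn_id": 5, "vendor_id": "V2", "qty": "1", "unit_price": 1.0, "total": 1.0, "posted": date(2024, 1, 4)}, # qty not an int
]

def validate_extract(rows, master_keys, max_total=10_000.0):
    """Apply the validation checks to an extract; returns findings keyed by check name."""
    f = {k: [] for k in ("invalid", "incomplete", "extra_fields", "duplicates",
                         "derived_mismatch", "unreasonable", "orphans", "gaps")}
    seen = set()
    for r in rows:
        rid = r.get("txn_id")
        extra = set(r) - set(LAYOUT)                      # extract must contain only requested fields
        if extra:
            f["extra_fields"].append((rid, sorted(extra)))
        for field, (ftype, required) in LAYOUT.items():
            val = r.get(field)
            if val is None or val == "":                  # completeness: blank required field
                if required:
                    f["incomplete"].append((rid, field))
            elif not isinstance(val, ftype) or isinstance(val, bool):  # validity vs. table layout
                f["invalid"].append((rid, field))
        if rid in seen:                                   # duplicates of the key field
            f["duplicates"].append(rid)
        seen.add(rid)
        nums = ("qty", "unit_price", "total")
        if all(isinstance(r.get(n), (int, float)) for n in nums):
            if abs(r["qty"] * r["unit_price"] - r["total"]) > 0.005:  # derived value recomputed
                f["derived_mismatch"].append(rid)
            if not 0 <= r["total"] <= max_total:          # reasonableness of the amount
                f["unreasonable"].append(rid)
        if r.get("vendor_id") not in master_keys:         # detail record with no master match
            f["orphans"].append(rid)
    ids = sorted(i for i in seen if isinstance(i, int))   # gaps in the key sequence
    if ids:
        f["gaps"] = sorted(set(range(ids[0], ids[-1] + 1)) - set(ids))
    return f
```

Calling `validate_extract(ROWS, MASTER_VENDORS)` returns one finding per seeded defect, which is the evidence the data validation phase records before the extract is passed on to analysis.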

Incorrect Answers:
D: These are the phases that are involved in risk management.