CRISC Certified in Risk and Information Systems Control – Question804

Which of the following is MOST important for evaluating the operational effectiveness of a newly implemented control?

A. Continuous auditing techniques are used to ensure ongoing control monitoring.
B. Control owners are conducting timely monitoring and reporting of the control results.
C. The source data used for control performance is accurate and complete.
D. Self-assessment testing results are regularly verified by independent control testers.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question803

Which of the following should be the PRIMARY objective of a risk awareness training program?

A. To promote awareness of the risk governance function.
B. To clarify fundamental risk management principles.
C. To enable risk-based decision making.
D. To ensure sufficient resources are available.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question802

A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?

A. Regulatory requirements may differ in each country.
B. Business advertising will need to be tailored by country.
C. The data analysis may be ineffective in achieving objectives.
D. Data sampling may be impacted by various industry restrictions.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question801

The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:

A. changes not requiring user acceptance testing.
B. changes that cause incidents.
C. changes due to emergencies.
D. personnel that have rights to make changes in production.

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question800

An organization's chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:

A. validate the CTO's decision with the business process owner.
B. recommend that the CTO revisit the risk acceptance decision.
C. identify key risk indicators (KRIs) for ongoing monitoring.
D. update the risk register with the selected risk response.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question796

Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

A. Updating the risk profile with risk assessment results.
B. Assigning quantitative values to qualitative metrics in the risk register.
C. Engaging external risk professionals to periodically review the risk.
D. Prioritizing global standards over local requirements in the risk profile.

Correct Answer: B