An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?

A. Acceptance
B. Transfer
C. Mitigation
D. Avoidance

Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?

A. Conduct user acceptance testing
B. Perform a post-implementation review
C. Interview process owners
D. Review the key performance indicators (KPIs)

An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

A. Process owner
B. Internal auditor
C. Risk manager
D. Project sponsor

When developing risk scenarios, it is MOST important to ensure they are:

A. structured and reportable
B. flexible and scalable
C. relevant and realistic
D. comprehensive and detailed

A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

A. Chief risk officer (CRO)
B. Business continuity manager (BCM)
C. Human resources manager (HRM)
D. Chief information officer (CIO)

Which of the following should be of MOST concern to a risk practitioner reviewing findings from a recent audit of an organization’s data center?

A. Ownership of an audit finding has not been assigned
B. The data center is not fully redundant
C. Audit findings were not communicated to senior management
D. Key risk indicators (KRIs) for the data center do not include critical components

Which of the following is the GREATEST advantage of implementing a risk management program?

A. Promoting a risk-aware culture
B. Improving security governance
C. Enabling risk-aware decisions
D. Reducing residual risk

An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner’s FIRST course of action?

A. Deploy a compensating control to address the identified deficiencies
B. Report the ineffective control for inclusion in the next audit report
C. Determine if the impact is outside the risk appetite
D. Request a formal acceptance of risk from senior management

Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

A. Audit trails for updates and deletions
B. Encrypted storage of data
C. Links to source data
D. Check totals on data records and data fields

An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?

A. Business process owner
B. Chief information security officer
C. Operational risk manager
D. Key control owner