Exam (worked answers)

CRISC Test Bank 1 Questions and Answers & Rationales

Pages: 164
Grade: A+
Uploaded on: 18-11-2022
Written in: 2022/2023

Q1
Which section of the Sarbanes-Oxley Act specifies "Periodic financial reports must be
certified by CEO and CFO"?

A. Section 302
B. Section 404
C. Section 203
D. Section 409
Correct Answer: A
Section: Volume A
Explanation

Section 302 of the Sarbanes-Oxley Act requires corporate responsibility for financial
reports to be certified by CEO, CFO, or designated representative.
Incorrect Answers:
B: Section 404 of the Sarbanes-Oxley Act states that annual assessments of internal
controls are the responsibility of management.
C: Section 203 of the Sarbanes-Oxley Act requires audit partners and review partners to
rotate off an assignment every five years.
D: Section 409 of the Sarbanes-Oxley Act states that the financial reports must be
distributed quickly and currently.

Q2
What is the PRIMARY need for effectively assessing controls?

A. Control's alignment with operating environment
B. Control's design effectiveness
C. Control's objective achievement
D. Control's operating effectiveness
Correct Answer: C
Section: Volume A
Explanation

Controls can be effectively assessed only by determining how accurately the control
objective is achieved within the environment in which they are operating. No conclusion
can be reached as to the strength of the control until the control has been adequately
tested.
Incorrect Answers:
A: Alignment of the control with the operating environment is essential, but it comes
after the control's accuracy in achieving its objective. In other words, achieving the
objective is the topmost priority in assessing controls.
B: The control's design effectiveness is also considered, but only after achievement of
the objective.
D: The control's operating effectiveness is considered, but only after its accuracy in
achieving the objective.

Q3
You work as the project manager for Bluewell Inc. There has been a delay in your
project work that is adversely affecting the project schedule. You decide, with your
stakeholders' approval, to fast track the project work to get the project done faster.
When you fast track the project, what is likely to increase?

A. Human resource needs
B. Quality control concerns
C. Costs
D. Risks
Correct Answer: D
Section: Volume A
Explanation

Fast tracking allows entire phases of the project to overlap and generally increases risks
within the project.
Fast tracking is a technique for compressing the project schedule. In fast tracking, phases
that would normally be done in sequence are overlapped. It shortens the project
schedule without reducing the project scope.
Incorrect Answers:
A: Human resources are not affected by fast tracking in most scenarios.
B: Quality control concerns usually are not affected by fast tracking decisions.
C: Costs do not generally increase based on fast tracking decisions.

Q4
David is the project manager of the HRC Project. He has identified a risk in the project
that could cause a delay in the project. David does not want this risk event to
happen, so he takes a few actions to ensure that the risk event will not happen. These
extra steps, however, cost the project an additional $10,000. What type of risk response
has David adopted?

A. Avoidance
B. Mitigation
C. Acceptance
D. Transfer
Correct Answer: B
Section: Volume A
Explanation

Because David is applying operational controls to reduce the likelihood and impact of the
risk, he is adopting risk mitigation. Risk mitigation means that actions are taken
to reduce the likelihood and/or impact of risk.
Incorrect Answers:
A: Risk avoidance means that activities or conditions that give rise to risk are
discontinued. Here, no such actions are taken; therefore the risk is not avoided.
C: Risk acceptance means that no action is taken relative to a particular risk; loss is
accepted in case it occurs. As David has taken some actions to defend against the risk,
he is not accepting it.
D: David has not hired a vendor to manage the risk for his project; therefore he is not
transferring the risk.

Q5
Which of the following is the MOST important objective of the information system
control?

A. Business objectives are achieved and undesired risk events are detected and
corrected
B. Ensuring effective and efficient operations
C. Developing business continuity and disaster recovery plans
D. Safeguarding assets
Correct Answer: A
Section: Volume A
Explanation

The basic purpose of Information System control in an organization is to ensure that the
business objectives are achieved and undesired risk events are detected and corrected.
Some of the IS control objectives are given below:
Safeguarding assets
Assuring integrity of sensitive and critical application system environments
Assuring integrity of general operating system
Ensuring effective and efficient operations
Fulfilling user requirements, organizational policies and procedures, and applicable laws
and regulations
Changing management
Developing business continuity and disaster recovery plans
Developing incident response and handling plans

Hence the most important objective is to ensure that business objectives are achieved
and undesired risk events are detected and corrected.
Incorrect Answers:
B, C, D: These are also the objectives of the information system control but are not the
best answer.

Q6
Which of the following is prepared by the business and serves as a starting point for
producing the IT Service Continuity Strategy?

A. Business Continuity Strategy
B. Index of Disaster-Relevant Information
C. Disaster Invocation Guideline
D. Availability/ ITSCM/ Security Testing Schedule
Correct Answer: A
Section: Volume A
Explanation

The Business Continuity Strategy is an outline of the approach to ensure the continuity
of Vital Business Functions in the case of disaster events. The Business
Continuity Strategy is prepared by the business and serves as a starting point for
producing the IT Service Continuity Strategy.
Incorrect Answers:
B: Index of Disaster-Relevant Information is a catalog of all information that is relevant
in the event of disasters. This document is maintained and circulated by IT Service
Continuity Management to all members of IT staff with responsibilities for fighting
disasters.

Seller: miriam4880
