What is the purpose of implementing ongoing and periodic review activities?
Correct Answer: C
Ongoing and periodic review activities are designed to evaluate the performance of actions and controls in terms of their effectiveness, efficiency, responsiveness, and resilience.
Purpose of Reviews:
Effectiveness: Ensures objectives are being met.
Efficiency: Confirms optimal use of resources.
Responsiveness: Measures the speed of adaptation to changes or issues.
Resilience: Assesses the ability to recover from disruptions.
Why Other Options Are Incorrect:
A: Reviews complement external audits; they do not replace them.
B: Cost reduction may be a result but is not the primary purpose.
D: Documentation for legal defenses is a secondary benefit, not the main goal.
Reference:
COSO ERM Framework: Highlights the role of reviews in assessing risk management and control performance.
OCEG GRC Capability Model: Recommends regular reviews for continuous improvement.
Question 112
What are the two aspects of value that Protectors are skilled at balancing within an organization?
Correct Answer: D
Question 113
What is the role of continuous control monitoring in the context of notifications within an organization?
Correct Answer: B
Continuous control monitoring involves automated systems that track organizational activities and generate alerts for specific notifications or anomalies that may require attention.
Role of Continuous Control Monitoring:
Provides real-time detection of risks, compliance issues, or performance deviations.
Enhances the organization's ability to respond quickly to potential problems.
Benefits:
Improves the effectiveness of risk and compliance management by flagging issues promptly.
Reduces manual effort and reliance on periodic reviews.
Why Other Options Are Incorrect:
A: Monitoring personal communications violates privacy and is not the intended purpose.
C: While response tracking is important, it is not the primary focus of continuous control monitoring.
D: Monitoring hotline performance is unrelated to control monitoring systems.
Reference:
COSO ERM Framework: Highlights the role of automated tools in risk and compliance management.
OCEG GRC Capability Model: Discusses continuous control monitoring as part of a robust notification system.
Question 114
What is the relationship between the internal context and the culture of an organization within the LEARN component?
Correct Answer: B
Within the LEARN component of the Integrated Actions and Controls Model (IACM), the internal context and culture play a pivotal role in understanding and leveraging the organization's capabilities and resources to meet stakeholder needs.
Internal Context:
Refers to the organization's structure, roles, processes, and available resources (human, financial, physical, and technological).
Provides the foundation for identifying how the organization functions and delivers value.
Culture:
Represents shared values, beliefs, and behaviors that influence decision-making and organizational priorities.
Aligns the internal context with stakeholder expectations and strategic goals.
Relevance to Stakeholders:
A strong alignment between culture and context ensures the organization effectively meets stakeholder needs.
Why Other Options Are Incorrect:
A: Financial performance is an outcome, not a determinant.
C: Risk appetite is a part of governance, not the primary focus of internal context and culture.
D: Compliance is a subset of organizational requirements but does not fully describe culture and context.
Reference:
OCEG IACM Framework: Explains how internal context and culture support stakeholder-centric learning.
COSO ERM Framework: Highlights the role of internal factors in organizational success.
Question 115
What types of actions and controls are included in the PERFORM component of the GRC Capability Model?
Correct Answer: D
The PERFORM component includes reactive, preventive, and corrective actions and controls, which are essential for executing governance, risk, and compliance processes effectively.
Types of Actions and Controls:
Reactive Controls: Respond to events or risks that have already occurred (e.g., incident response).
Preventive Controls: Aim to avoid or mitigate risks before they materialize (e.g., access controls).
Corrective Controls: Address issues or gaps identified after an event (e.g., remediation plans).
Integration in the PERFORM Component:
These controls ensure that the organization performs effectively while minimizing risks and achieving compliance.
Why Other Options Are Incorrect:
A: Internal, external, and hybrid controls describe types of oversight, not action types.
B: Mandatory, voluntary, and optional actions relate to obligations, not control types.
C: Proactive, detective, and responsive controls mix similar concepts but do not fully describe the PERFORM component.
Reference:
OCEG GRC Capability Model: Defines the types of actions and controls used in the PERFORM component.
ISO 31000 (Risk Management): Discusses risk management controls as preventive, reactive, or corrective.