1. Which GRC application would you use to manage internal or external consultancy processes that aim to prove the effectiveness of controls?

Risk Management
Audit Management
Policy and Compliance Management
Vendor Risk Management

2. The Risk Scoring values are entered on the Risk Statement. What records inherits the values from the Risk Statement?

Risk Criteria Matrix
Registered Risk
Risk Framework
Risk Response Issue

3. What are the different states available out of the box for classic/standard Risk management?

New, Awaiting Approval, Respond, Review, Monitor, Retired
Draft, Assess, Review, Monitor, Retired
New, Assess, Respond, Review, Monitor, Retired
Draft, Assess, Respond, Review, Monitor, Retired

4. Which of the following statements correctly describe the risk management lifecycle process?
A. Access, Identify and Plan, Control, Review
B. Control, Review, Assess, Identify and Plan
C. Identify and Plan, Assess, Control, Review
D. Identify and Plan, Review, Assess, Control

5. The Users with the role ________ and higher can be assigned to a Risk Response task.

sn_grc_risk.user
sn_risk.owner
sn_risk.reader
sn_risk.user

6. Which role is required to assign Risk Response task?

Risk Reader
Risk Writer
Risk User
Risk Manager

7. David is an Audit Manager. In addition to Audit Manager, which roles should be assigned to ensure he can manage the audit process as well as other GRC functions related to audit? (Choose two)

sn_grc.manager
sn_grc.reader
sn_grc.user
sn_grc.developer
sn_audit.user

8. Which role(s) has the capability to create Policies? Choose two.)

Compliance User
Risk Manager
Compliance Manager
Compliance Admin

9. Which role is required to set up Policy Acknowledgement campaign? (Select two)

Policy Reviewer
Policy Approver
Compliance User
Policy Owner

10. In which state can Compliance Manager or above review Control and move it to either Monitor or return to Draft state?

Review
Awaiting Approval
New
Attest

11. Which one of the following is not a trigger for issue creation?

Risk assessment returns the inherent and residual risk impact as ‘Very High’
Control effectiveness is ‘Ineffective’ and the state of control test is ‘Closed Complete’
Attestation returns the result as ‘Not Implemented’
Indicator failure
Manual issue created by any manager or admin role as well as by audit user

12. In Risk Management, which role is required to move the risk record into the Monitor State?

Risk Reader
Risk Developer
Risk User
Risk Manager

13. Who can send the Policy back to draft or forward it by requesting approval? (Select three)

Approvers
Owning Group
Owner
Reviewers

14. Control Failure Factor represents the impact of Control Failures on what score?

Residual
Inherent
Calculated
Total

15. UCF has a collection of what? Select all UCF terms. (Choose three)

Citations
Control Indicators
Authority Documents
Controls
Policies

16. Who can move a Policy into Review? (Choose two)

Policy Approver
Policy Reviewer
Policy Owner
Admin

17. Which role reviews the risk response and moves the Risk record into the Monitor state at the appropriate time?

Risk User
Risk Reader
Risk Manager
Risk Owner

18. Which roles are inherited when a user is given the sn_audit.user role?
(Select all that apply)
a) sn_grc.reader
b) sn_compliance.reader
c) sn_risk.reader
d) sn_audit.external_auditor