Key control indicators (KCIs) are metrics that measure the performance and effectiveness of the controls that are implemented to mitigate the risks. KCIs can help to monitor the status and health of the controls, as well as to identify any issues or gaps that need to be addressed. The primary reason to adopt KCIs in the risk monitoring and reporting process is to provide assessments of mitigation effectiveness, meaning that they can help to evaluate how well the controls are reducing the risk exposure and achieving the desired outcomes.
KCIs can also help to support the risk management decision making and improvement actions, as well as to demonstrate the value and benefits of the controls. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.1.2, p. 115-116

Section: Volume D

Section: Volume C
Explanation
Explanation:
The organizational levels of the COSO ERM framework describe the subsidiary, business unit, division, and entity-levels of aspects of risk solutions.
Incorrect Answers:
B: Risk components includes Internal Environment, Objectives settings, Event identification, Risk assessment, Risk response, Control activities, Information and communication, and monitoring.
C: Strategic objectives includes strategic, operational, reporting, and compliance risks; and not entity-based risks.
D: This is not a valid answer.

The best control to minimize the risk associated with scope creep in software development is an established process for project change management. Scope creep is the uncontrolled expansion of the project scope due to changes in requirements, specifications, or expectations. A project change management process can help to prevent or reduce scope creep by defining the procedures for requesting, reviewing, approving, and implementing changes in the project. Retention of test data and results, business management review of functional requirements, and segregation between development, test, and production are other possible controls, but they are not as effective as a project change management process. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 11; CRISC Review Manual, 6th Edition, page 144.

Section: Volume D