Risk management is the process of identifying, analyzing, evaluating, treating, monitoring, and communicating the risks that may affect the achievement of an organization's objectives. The activity that best facilitates effective risk management throughout the organization is conducting periodic risk assessments, which are the systematic and structured methods of identifying and analyzing the potential sources and consequences of risk events. By conducting periodic risk assessments, an organization can proactively identify and prioritize the risks that pose the greatest threat or opportunity, and implement the appropriate risk responses to optimize the risk exposure and align it with the risk appetite and tolerance. References = CRISC Review Manual, 7th Edition, page 63.

Fraudulent transactions are those that involve deception, manipulation, or misrepresentation of information or data to obtain an unauthorized or improper benefit or advantage1. Fraudulent transactions can pose significant risks and losses for an organization, such as financial damages, legal liabilities, reputational damages, or operational disruptions2.
Enterprise resource planning (ERP) systems are integrated software applications that support the core business processes and functions of an organization, such as accounting, finance, human resources, supply chain, inventory, or customer relationship management3. ERP systems can facilitate the efficiency, accuracy, and security of business transactions, but they can also be vulnerable to fraudulent transactions, such as:
* Creating fake vendors or customers and processing false invoices or payments
* Manipulating or falsifying financial or accounting data or reports
* Changing or deleting critical or sensitive information or records
* Abusing or misusing access privileges or credentials
* Bypassing or compromising the system controls or security measures4
The design of procedures to prevent fraudulent transactions within an ERP system should be based on the control environment. The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The control environment comprises the following elements:
* The tone at the top, which reflects the leadership's commitment and attitude towards internal control and ethical conduct
* The organizational structure, which defines the roles and responsibilities, reporting lines, and authority levels for internal control
* The human resource policies and practices, which ensure that the staff have the appropriate skills, competencies, and incentives for internal control
* The risk assessment process, which identifies and evaluates the potential risks and threats to the organization's objectives and transactions
* The control activities, which are the specific policies, procedures, and mechanisms that prevent, detect, or correct errors or fraud in transactions
* The information and communication systems, which provide reliable and timely data and information for internal control and decision-making
* The monitoring and evaluation activities, which measure and report the performance and effectiveness of internal control and ensure continuous improvement By basing the design of procedures to prevent fraudulent transactions within an ERP system on the control environment, the organization can:
* Ensure that the procedures are aligned with the organization's objectives, values, and expectations regarding internal control and fraud prevention
* Provide clear and consistent guidance and instructions for the staff and stakeholders involved in the transactions and the ERP system
* Implement adequate and appropriate controls and safeguards to mitigate the risks and vulnerabilities of the transactions and the ERP system
* Monitor and evaluate the compliance and effectiveness of the procedures and the ERP system, and identify and address any issues or gaps References = What is Fraud?, Fraud Risk Management - AICPA, What is ERP?, ERP Fraud: How to Prevent It - ERP Focus, [COSO - Control Environment - Deloitte], [How to use COSO to assess IT controls - Journal of Accountancy]

The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure that the risk strategy is appropriate, because the risk strategy defines the enterprise's risk appetite, tolerance, and objectives, and guides the risk management process and activities. The board of directors should review the risk profile to ensure that it reflects the current internal and external environment, and that it aligns with the enterprise's strategy and goals. The other options are not the primary objective, because:
* Option B: KRIs and KPIs are aligned is a desirable outcome of the risk strategy, but not the primary objective of the board of directors reviewing the risk profile. KRIs and KPIs are indicators that measure and monitor the risk exposure and performance of the enterprise, respectively, and they should be consistent with the risk strategy and objectives.
* Option C: Performance of controls is adequate is a result of the risk response, but not the primary objective of the board of directors reviewing the risk profile. Performance of controls is the degree to which the controls are effective and efficient in mitigating the risks, and it should be evaluated and reported by the risk management function and the internal audit function.
* Option D: The risk monitoring process has been established is a prerequisite for the risk profile, but not the primary objective of the board of directors reviewing the risk profile. The risk monitoring process is the process of tracking and reporting the risk status and performance, and it should be implemented and executed by the risk management function and the business process owners. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 119.

The risk practitioner's best recommendation when one of an organization's key IT systems cannot be patched because the patches interfere with critical business application functionalities is to identify additional mitigating controls, as they may reduce the likelihood or impact of the vulnerabilities being exploited, and align the residual risk with the risk tolerance and appetite of the organization. The other options are not the best recommendations, as they may not address the risk adequately, or may introduce unacceptable consequences, such as disrupting the business operations, changing the risk strategy, or accepting excessive risk. References = CRISC Review Manual, 7th Edition, page 111.

The best metric to verify adherence to the policy that requires critical security patches to be deployed in production within three weeks of patch availability is the maximum time gap between patch availability and deployment, as it measures the longest duration that the organization takes to apply the patches, and ensures that it does not exceed the policy limit. The other options are not the best metrics, as they may not reflect the actual or optimal compliance with the policy, or may not be relevant or measurable for the policy, respectively. References = CRISC Review Manual, 7th Edition, page 110.