Information security policies are the foundation of an organization's security program, as they define the objectives, roles, responsibilities, and standards for protecting the information assets and systems. However, information security policies are not static, and they need to be reviewed and updated regularly to reflect the changes in the organization's environment, risk profile, and compliance requirements. Therefore, the best course of action when conducting an organization-wide risk assessment is to review the policies against current needs to determine adequacy. This means comparing the policies with the current threats, vulnerabilities, controls, and best practices, and identifying any gaps or weaknesses that need to be addressed.
The other options are not the best course of action, as they do not consider the current needs of the organization. Reviewing and updating the policies to align with industry standards may not be sufficient, as the organization may have specific or unique needs that are not covered by the standards. Determining that the policies should be updated annually may not be realistic, as the frequency of updates may depend on the nature and complexity of the policies and the organization. Reporting that the policies are adequate and do not need to be updated frequently may not be accurate, as the policies may be outdated or ineffective, and may expose the organization to unnecessary risks. References = Risk Assessment and Analysis Methods:
Qualitative and Quantitative - ISACA, Does Your Organization Need a Security Risk Assessment? - ISACA, SP 800-39, Managing Information Security Risk: Organization, Mission ...

Software as a service (SaaS) is a cloud computing model that provides software applications over the internet, without requiring the customer to install or maintain them on their own devices1. SaaS applicationscan offer many benefits, such as scalability, accessibility, and cost-efficiency, but they also pose security risks, such as data breaches, unauthorized access, and compliance violations2.
One of the best ways to protect an organization against breaches when using a SaaS application is to use data loss prevention (DLP) tools. DLP tools are software solutions that monitor, detect,and prevent the unauthorized transmission or leakage of sensitive data from an organization's network or devices3. DLP tools can help an organization to:
Identify and classify sensitive data, such as personal information, intellectual property, or financial records, and apply appropriate policies and controls to protect them Encrypt data in transit and at rest, and use secure protocols and encryption keys to ensure data confidentiality and integrity Block or alert on suspicious or malicious data transfers, such as unauthorized uploads, downloads, or sharing of data to external sources or devices Audit and report on data activities and incidents, and provide evidence for compliance with data protection regulations and standards, such as GDPR, HIPAA, or PCI-DSS4 References = What is SaaS?, Top 7 SaaS Security Risks (and How to Fix Them), What is Data Loss Prevention (DLP)?, Data Loss Prevention (DLP) for SaaS Applications

A penetration test is a simulated cyberattack on a web infrastructure to evaluate its security posture and identify any vulnerabilities or weaknesses that could be exploited by an attacker. A penetration test is the best indicator of how well a web infrastructure protects critical information from an attacker, as it mimics the real-world scenarios and techniques that an attacker would use, and measures the effectiveness of the existing security controls and countermeasures. A penetration test can also provide recommendations for improving the security of the web infrastructure and reducing the risk exposure. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 236. CRISC by Isaca Actual Free Exam Q&As, Question 9. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 236. Most Asked CRISC Exam Questions and Answers, Question 10.

The standard operating procedure (SOP) statement that best illustrates appropriate risk register maintenance is to remove risk when mitigation results in residual risk within tolerance levels. Residual risk is the risk that remains after the risk response or mitigation has been applied. Tolerance levels are the acceptable or allowable ranges of variation or deviation from the expected or desired outcomes or objectives. When the mitigation results in residual risk within tolerance levels, it means that the risk has been reduced or managed to an acceptable or satisfactory level, and that no further action or monitoring is required. Therefore, the risk can be removed from the risk register, as it is no longer a significant or relevant risk for the organization. The other options are not as appropriate as removing risk when mitigation results in residual risk within tolerance levels, as they are related to the transfer, acceptance, or change of the risk, not the removal of the risk. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.4: IT Risk Response, page 87.

A payroll manager discovers that fields in certain payroll reports have been modified without authorization.
This indicates that there is a risk of unauthorized access, use, disclosure, modification, or destruction of sensitive data, such as employee information, payroll records, tax returns, etc.
A control weakness that could have contributed most to this problem is that the programmer had access to the production programs. This means that the programmer could potentially alter the source code or configuration of the payroll software without proper authorization or approval.
The other options are not control weaknesses that could have contributed most to this problem. They are either irrelevant or less likely to cause unauthorized changes in the payroll software.
The references for this answer are:
Risk IT Framework, page 12
Information Technology & Security, page 6
Risk Scenarios Starter Pack, page 4