Professional (CRCP) Practice
Examination Questions And Correct
Answers (Verified Answers) Plus
Rationales 2026 Q&A | Instant
Download Pdf
Question 1
Which of the following best defines the "tone at the top" in an organization’s
compliance framework?
A) The average salary of senior executives
B) The ethical culture and commitment demonstrated by leadership
C) The number of compliance training hours completed by staff
D) The frequency of board meetings
Answer: B
Rationale: Tone at the top refers to the ethical atmosphere and integrity
demonstrated by an organization’s senior leaders. It sets the foundation for all
compliance and risk management activities. Options A, C, and D are operational
metrics that do not capture the leadership-driven cultural element.
Question 2
Under the COSO ERM framework, which component is most directly associated
with identifying potential events that may affect the entity?
A) Control Activities
,B) Information and Communication
C) Event Identification
D) Monitoring
Answer: C
*Rationale: Event identification is a distinct component of the COSO Enterprise
Risk Management framework, focusing on recognizing internal and external
events that could impact strategy or performance. Control activities,
information/communication, and monitoring are other components but do not
directly address event identification.
Question 3
A compliance officer discovers that a subsidiary is using an unauthorized vendor in
a high-risk jurisdiction. What is the FIRST action to take?
A) Immediately terminate the vendor contract
B) Report the finding to the board of directors
C) Conduct a risk-based investigation to assess the scope and impact
D) Issue a public disclosure of the violation
Answer: C
*Rationale: The first step is to investigate to understand the nature, scope, and
risk of the unauthorized relationship. Premature termination (A) may disrupt
operations; reporting to the board (B) is premature without full facts; public
disclosure (D) would violate confidentiality and due process.
Question 4
Which regulation primarily governs the privacy of consumer financial information
in the United States?
A) Sarbanes-Oxley Act
B) Gramm-Leach-Bliley Act (GLBA)
C) Dodd-Frank Act
D) Foreign Corrupt Practices Act
,Answer: B
*Rationale: The GLBA requires financial institutions to explain their information-
sharing practices and protect sensitive data. SOX (A) addresses corporate
governance and financial reporting; Dodd-Frank (C) focuses on systemic risk; FCPA
(D) deals with anti-bribery.
Question 5
In operational risk management, the term "inherent risk" refers to:
A) Risk after applying all controls
B) The raw risk level without any mitigating controls
C) The residual risk accepted by management
D) The risk of financial statement misstatement
Answer: B
*Rationale: Inherent risk is the level of risk before any actions are taken to alter its
likelihood or impact. Residual risk (C) is after controls; option A is the same as
residual; D is a specific audit concept.
Question 6
Which of the following is a key principle of the Basel Committee’s Effective Risk
Data Aggregation and Risk Reporting (BCBS 239)?
A) Data should be stored in silos for security
B) Risk reports should be produced at least annually
C) Data accuracy and integrity must be maintained
D) Reporting should focus only on credit risk
Answer: C
*Rationale: BCBS 239 mandates accuracy, completeness, and timeliness of risk
data. Silos (A) are contrary; reports must be frequent (often daily or weekly), not
annual (B); and the principles cover all risk types, not just credit (D).
, Question 7
What is the primary purpose of a Risk Control Self-Assessment (RCSA)?
A) To calculate capital requirements
B) To empower business units to identify and assess their own risks
C) To replace internal audit
D) To price insurance premiums
Answer: B
*Rationale: RCSA is a participatory process where business managers assess risks
and controls in their areas. It does not replace audit (C), is not for capital
calculation (A) (though it may inform it), and is not insurance pricing (D).
Question 8
Which type of risk arises from the failure of internal processes, people, or
systems?
A) Market risk
B) Credit risk
C) Operational risk
D) Liquidity risk
Answer: C
*Rationale: Operational risk is defined as the risk of loss from inadequate or failed
internal processes, people, systems, or external events. Market (A), credit (B), and
liquidity (D) are separate risk categories.
Question 9
Under the Foreign Corrupt Practices Act (FCPA), which of the following is a
prohibited activity?
A) Paying a small "facilitation" fee to a low-level government official to expedite a
routine government action
B) Providing charitable donations to a local school in a host country