CCS Exam Prep Free practice test →

Free CCS Practice Questions

10 free, exam-style Cannabis Compliance Specialist (CCS) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CCS practice test to study every exam domain.

Question 1

A licensed cultivator harvests a crop and reports 800 pounds to the state track-and-trace system, but internal records show 1,000 pounds were actually produced. The unreported 200 pounds are sold to an unlicensed buyer in a neighboring state. This activity is BEST classified as:

  1. Diversion, because licensed product is moving from the legal market into the illicit market
  2. Inversion, because product is leaving the cultivator's facility
  3. Shrinkage, because the inventory variance is unaccounted for
  4. Structuring, because the cultivator is breaking up the harvest into smaller reportable amounts
Show answer & explanation

Correct answer: A - Diversion, because licensed product is moving from the legal market into the illicit market

Question 2

A cannabis manufacturer assesses the inherent risk of solvent-related fire as HIGH. After implementing engineering controls, staff training, and a documented hot-work program, an independent audit confirms the controls are well designed and operating effectively. The residual risk is BEST described as:

  1. Equal to the inherent risk, because controls do not change the underlying nature of solvent operations
  2. Indeterminate, because residual risk cannot be assessed without comparing to the organization's risk appetite
  3. Eliminated, because effective controls fully remove the risk
  4. Lower than the inherent risk, because effective controls reduce the level of risk that remains after they are applied
Show answer & explanation

Correct answer: D - Lower than the inherent risk, because effective controls reduce the level of risk that remains after they are applied

Question 3

Marcus, the risk officer at a multi-state dispensary chain, notices that a single customer at one location has been making cash purchases of approximately $9,500 every other day for three weeks. The customer pays in older, well-circulated $100 bills and resides in a state where adult-use cannabis remains illegal. The MOST relevant risk area and primary risk driver are:

  1. Compliance risk area; regulatory complexity risk driver
  2. Operational risk area; people risk driver
  3. Money laundering risk area; geographic locations and customer types risk drivers
  4. Supply chain risk area; vendor reliability risk driver
Show answer & explanation

Correct answer: C - Money laundering risk area; geographic locations and customer types risk drivers

Question 4

The board of a cannabis operator formally adopts a risk-management policy, establishes a Board Risk Committee, and ensures the Chief Risk Officer has a direct reporting line to that committee. These actions MOST directly contribute to which CRMF component?

  1. Internal Control Environment, because the board is establishing tone from the top and the governance structure that supports all other components
  2. Risk Assessment, because the board is identifying risks at the governance level
  3. Control Activities, because the board is establishing specific controls
  4. Assurance Activities, because the Risk Committee provides independent oversight
Show answer & explanation

Correct answer: A - Internal Control Environment, because the board is establishing tone from the top and the governance structure that supports all other components

Question 5

When evaluating a corporate compliance program, the U.S. Department of Justice applies three fundamental questions. Which of the following BEST captures those three questions?

  1. Is the program documented? Is it audited annually? Is it certified by an external party?
  2. Is the program well designed? Is it being applied earnestly and in good faith (adequately resourced and empowered)? Does it work in practice?
  3. Is the program required by law? Is it cost-effective? Is it competitive with industry peers?
  4. Is the program approved by the board? Is it understood by employees? Is it free of past violations?
Show answer & explanation

Correct answer: B - Is the program well designed? Is it being applied earnestly and in good faith (adequately resourced and empowered)? Does it work in practice?

Question 6

Under FinCEN's 2014 guidance for financial institutions servicing marijuana-related businesses, a bank files a Suspicious Activity Report categorized as 'Marijuana Limited.' This designation indicates that:

  1. The bank has identified red flags consistent with the Cole Memorandum priorities and is escalating the relationship
  2. The bank is in the process of terminating the customer relationship due to compliance concerns
  3. The marijuana-related business has been determined to be operating illegally under state law
  4. The marijuana-related business is engaged in cannabis activity but the bank has not identified red flags beyond the cannabis activity itself
Show answer & explanation

Correct answer: D - The marijuana-related business is engaged in cannabis activity but the bank has not identified red flags beyond the cannabis activity itself

Question 7

A cannabis manufacturer onboards a new butane supplier for its extraction operations. To mitigate risk in this relationship, the company conducts identity verification, reviews the supplier's safety certifications, runs financial background checks, negotiates contractual audit rights, and schedules quarterly performance reviews. These activities collectively represent:

  1. Anti-money laundering controls within the Money Laundering risk area
  2. Vendor risk management controls within the Supply Chain risk area
  3. Diversion controls within the Illicit Cannabis Market risk area
  4. Business continuity controls within the Operational risk area
Show answer & explanation

Correct answer: B - Vendor risk management controls within the Supply Chain risk area

Question 8

A ransomware attack encrypts a cannabis cultivator's METRC integration server, climate-control software, and security camera storage during the final week before harvest. Production is halted and historical surveillance footage becomes inaccessible. Within the Operational risk area, this incident MOST directly involves which sub-category?

  1. People risk, because an employee may have clicked a phishing link
  2. Process risk, because backup procedures were inadequate
  3. Systems risk, because the incident involves the failure or compromise of technology systems
  4. External events risk, because the attack originated outside the organization
Show answer & explanation

Correct answer: C - Systems risk, because the incident involves the failure or compromise of technology systems

Question 9

The board of a cannabis operator formally states that the company is willing to pursue acquisitions in newly-legal adult-use states even where banking access remains limited, but is unwilling to operate in any jurisdiction where cannabis remains a federal enforcement priority. This statement BEST describes the organization's:

  1. Risk profile, because it describes the company's current aggregate risk exposure
  2. Risk tolerance, because it describes acceptable variation around operational targets
  3. Residual risk, because it describes the risk remaining after controls are applied
  4. Risk appetite, because it describes the strategic level and type of risk the organization is willing to accept in pursuit of its objectives
Show answer & explanation

Correct answer: D - Risk appetite, because it describes the strategic level and type of risk the organization is willing to accept in pursuit of its objectives

Question 10

A bookkeeper at a dispensary makes nine separate cash deposits of $9,500 each into the company's bank account over five business days, deliberately keeping each deposit below the $10,000 Currency Transaction Report threshold. This activity is BEST described as:

  1. Looping, because funds are cycling through the account
  2. Smurfing, because multiple individuals are involved in the deposits
  3. Structuring, because transactions are deliberately broken into amounts below the reporting threshold to evade BSA reporting requirements
  4. Layering, because the deposits create distance between the funds and their source
Show answer & explanation

Correct answer: C - Structuring, because transactions are deliberately broken into amounts below the reporting threshold to evade BSA reporting requirements

Ready for the real thing?

Practice hundreds more CCS questions with instant scoring, weak-area drills, and full exam simulations.

Start the free practice test See pricing