ARM 400
Which one of the following best describes why the Institute for Internal Auditors (IIA) has designed standards addressing the need for internal audit to evaluate the effectiveness of risk management?
Audits are conducted under diverse legal and cultural environments. Requiring an auditor to validate particular points ensures that auditors and their activities meet their responsibilities.
There are two types of associated risk for data privacy: individual and general risk. General data privacy risk
Can be categorized as operational or reputational. A general data privacy risk is considered less specific than an individual risk. General data privacy risks concern a loss of reputation or safeguarding trade secrets.
According to the law of large numbers, as the number of exposure units insured increases,
The relative accuracy of predictions about future losses increases.
Data Governance Tool
A data governance committee also uses internal policies, external policies, enterprise data models, and collaborative tools such as agile project management to achieve its aims.
data steward
A data steward is an experienced business analyst who views data as an organization's asset. This person represents the business aspects of data governance while IT supplies the technological expertise. C. A data steward is an experienced business analyst.
Which one of the following organizational policies or practices is based on a code of ethics?
A disclosure requirement regarding any potential conflict of interest an accountant might have in working with specific clients is based on the organization's code of ethics.
Risk Center
A discrete unit within an organization, having a leader and specific objectives, at which level a particular risk (or group of risks) is most appropriately and effectively managed.
Sarbanes-Oxley Act of 2002
A federal statutory law governing corporate directors in the areas of investor protection, internal controls, and penalties, both civil and criminal.
Which one of the following is the term used for a person—usually a manager—who advocates for and supports a specific aspect of the risk management process in an organization?
A risk champion is a person—usually a manager—who advocates for and supports a specific aspect of the risk management process in an organization.
The service representatives for Tauton Insurance will be eligible for a bonus only if the customer retention rate is increased by 5%. This is an example of which one of the following standards?
A. A severe risk tolerance level B. A critical success factor derived from a strategic objective C. A corrective measure linked with an identified tolerance level Correct. D. A key performance indicator based on financial ratios
A speaker imparts information in verbal communications by
Auditing Standard No. 5 (AS 5)
A standard issued by the Public Company Accounting Oversight Board that applies when an auditor is engaged to audit management's assessment of the effectiveness of internal control over financial reporting.
A privacy impact assessment (PIA)
A tool used to identify and assess privacy risks.
Which one of the following regulatory approaches allocates resources based on the concept of achieving the greatest potential good while simultaneously minimizing the overall costs?
A. Rules-based regulation B. Risk-based regulation Correct. Risk-based regulation allocates resources based on the concept of achieving the greatest potential good while simultaneously minimizing the overall costs. C. Evidence-based regulation D. Performance-based regulation
Many banks are using technology to search for and detect cyber-security threats locally and in the cloud. This application of technology, in which machines learn from humans, illustrates the use of
AI
Which one of the following is an example of a principles-based traffic control regulation?
Driver must maintain a reasonable following distance appropriate to speed and conditions Correct. Because it could be interpreted differently by different drivers and traffic control regulators, an example of a principles-based traffic control regulation is that a driver must maintain a reasonable following distance appropriate to speed and conditions.
Committee of Sponsoring Organizations of the Treadway Commission's (COSO's)
The COSO internal control integrated framework consists of five essential components: the control environment, risk assessment, control activities, information and communication, and monitoring activities. When these components are applied across the organization, they create a "cube."
Adhocracy
Adaptability is key; authority does not rest with one party
One advantage that a national organization would derive from creating risk centers is that it
Allows for participation by operational managers who may contribute to the risk analysis.
Risk-based capital
Amount of capital an insurer needs to support its operations, given the insurer's risk characteristics
Risk Owner
An individual accountable for the identification, assessment, treatment, and monitoring of risks in a specific environment.
Strong control environments with independent oversight have become increasingly important
As organizations become more complex
Risk-based auditing
Auditing that prioritizes the use of an organization's limited internal audit resources in the areas that pose the greatest risk to the organization.
Which one of the following standards was developed in response to the financial crisis that began in 2007?
Basel III
A holistic approach that allows companies to better withstand short-term shocks and help ensure long-term business viability is known as
Business process management is a tool that organizations use to analyze, model, measure, and optimize business processes
Which one of the following stages of a strategic redeployment plan is designed to protect people, physical assets, and reputation?
C. Emergency stage
Colossal Casualty Insurance Company decided to conduct an internal audit of the company's operations. As part of the internal audit, several fictitious claims were submitted to the claims department to see if the claims would be approved and paid. Which one of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) components of internal control was examined by this internal audit test?
Control environment
hierarchy
Decision-making authority is well defined.
Data governance provides
Definitions, standards, and procedures for how data is used; it is the starting point or rule set for managing data.
Which one of the following best describes how internal audit supports enterprise risk management (ERM)?
ERM implements risk management activities and internal audit assesses the results.
Clan
Family
Contingency Production Stage
Focuses on minimizing downtime for the organization.
Alternative Marketing Stage
Follows the emergency stage; the organization must evaluate the impact of the disruption on its reputation and market share, and it must determine whether it needs a new marketing strategy.
An organization's goals and objectives are met by establishing and attaining measurable standards for the many activities it pursues. Which one of the following statements is correct with respect to those standards?
For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable.
A big-box store recently moved into a small town where mom-and-pop shops had flourished for years. Knowing there could be some negative backlash from the long-time loyal residents, the big-box store's executives went through the framework of managing their reputational risk to try to lessen any perceived negativity. The executives believed there are four key steps in handling reputational risk: measuring, monitoring, managing, and mitigating. Understanding that each step is critical to the overall process, the chief financial officer wants to focus his attention and resources on mitigating reputational damage, as he believes that is the most important step in the overall process.
Hiring a crisis-management firm to promote the big-box's corporate social responsibility program and respond if a disaster occurs.
Disaster recovery is considered a function of
IT
The main advantage of a formal internal communication system is that
Individuals know to whom to report.
risk avoiding (risk obsessed)
Individuals with this attitude focus on the negative side of potential risks. They seek methods of transferring risk to another entity to avoid it altogether, and they prefer to continue traditional methods of business operations rather than to innovate.
The fundamental purpose of a risk management framework is to
Integrate risk management throughout the organization.
3rd line of defense
Internal Audit
Responsible for entire compliance program
Internal Audit
Which one of the following answers the question, "What shows we are a success?"
Key performance indicator
An auditor identifies risks under the risk-based approach by
Looking at each objective and its controls, identifying risks by asking, "What might go wrong?"
The managers and executives at Oakes Corporation feel pressure to improve quarterly financial results because they have become the laughingstock of their competitive niche. They wish to change this and restore the excellent light in which competitors once viewed them. Such concerns on the part of Oakes' leadership reflect concern for
Management reputation.
Which one of the following provides the frame of reference needed so data can be used appropriately for analysis and decision-making?
Metadata provides the frame of reference needed so data can be used appropriately for analysis and decision-making.
Which one of the following types of risk is best handled at the risk center level?
Minor risks that do not have consequences outside the unit are best managed at the risk center level. Sometimes external stakeholders—such as suppliers, regulators, and customers—can perform the risk owner role for an organization.
North American Furnishings has been in business for 18 years. The organization's primary objectives are profitability and bottom-line results. It always sets aggressive goals. North American Furnishings values its customer bases. Which one of the following types of corporate culture exists at North American Furnishings?
North American Furnishings has a market culture. Its primary objectives of profitability, bottom-line results, and secure customer bases are reflective of a market culture.
Which one of the following is an example of an external key risk indicator (KRI) that a manufacturer might monitor?
A. Number of employee injuries B. Age of accounts payable C. Amount of budget variances D. Cost of raw materials Correct. The cost of raw materials is an example of an external KRI that a manufacturer might monitor.
Market
The organization is more concerned with outward relationships, the bottom line, and profits.
Business Process Management 1st step
Processes are designed or redesigned by considering workflows and affected personnel.
The owners of West Coast Inn have identified a number of external risks to their business that are uncontrollable. They have decided to develop a business continuity plan in order to minimize the negative effects of the risks on its operations. West Coast Inn's plan will use a combination of a contingency model and a risk-transfer model. Which one of the following activities would be part of the risk-transfer model?
Purchasing business interruption insurance would be part of the risk-transfer model.
Which one of the following best describes how internal audit complements a risk management initiative?
RM identifies, assesses and prioritizes risks. Internal audit develops a risk-based auditing plan that addresses material risks to an organization.
One of the major objectives of a compliance program is to receive benefits from external sources. Which one of the following is an example of a potential benefit from an external source?
Reductions in insurance premiums
Julian was having a conversation with Tania, one of his employees. At one point, Julian said, "What I hear you say is that you would like to take on more responsibility. Is that correct?" Which one of the following elements of active listening was Julian illustrating?
Response. By paraphrasing comments and checking understanding.
The board of directors must use a thorough understanding of the organization's overall risk philosophy to determine the amount of risk the organization is willing to seek or accept in the pursuit of long-term objectives. This amount of risk is called the organization's
Risk Appetite
BD Company has made widgets for over 79 years using the same production techniques for fear of the huge costs from potential consumer lawsuits if production is changed and product quality suffers. With respect to its risk attitude, this organization would be classified as
Risk Avoiding. With respect to its risk attitude, this organization would be classified as risk avoiding.
Risk management professionals must collaborate with data analysts during which two steps of the risk management process?
Risk management professionals must collaborate with data analysts to help them analyze risks and monitor the chosen risk treatments.
The difference between risk tech and insurtech is
Risk tech goes beyond insurtech by expanding its focus to making risk financing more efficient and preventing and mitigating losses in a variety of industries.
Which one of the following is one of the five steps of the risk management process?
Scan environment is one of the five steps of the risk management process.
Encrypting data to block its use if stolen is an example of a
Software can be put in place to automatically encrypt data that is stolen or hacked from a business's system. D. Incident response plan.
Which one of the following statements regarding the structure and role of a board of directors is true?
A. The board of directors must be comprised of ten directors, with an equal number of inside and outside directors. B. Members of the board are appointed by the president of the company. C. The board is responsible for the day-to-day decisions at a corporation. D. Members of the board elect a director to be chairman of the board.
Which one of the following best explains how the role of the internal auditor changed with the passage of the Sarbanes-Oxley Act of 2002?
The internal auditor must adopt a stakeholder orientation by anticipating, monitoring and assessing business and operational risk.
objective risk
The measurable variation in uncertain outcomes based on facts and data.
Which one of the following statements is true regarding the business process management (BPM) life cycle model?
The model is driven by the collaboration of human and technological input.
Entity-level controls
The second level of a top-down review of internal controls that helps ensure that management directives relative to the entire entity are in place and are being carried out.
Communication Stage
The sole objective is to preserve or enhance stakeholders' trust and confidence in the organization.
Which one of the following is true regarding the communication stage of strategic redeployment?
The sole objective is to preserve or enhance stakeholders' trust and confidence in the organization.
Risk managers today differ from traditional risk managers in which one of the following ways?
They attempt to minimize threats and optimize opportunities.
Which one of the following risk management objectives is critical for a manufacturer seeking new capital from investors, stockholders, and creditors?
Those who would provide an organization with new capital seek assurances that the risk management program reduces the deterrent effects of hazard risks.
Autonomous Vehicle Applications (AVA) is a start-up company that develops safety technologies that can be sold to companies that are producing autonomous vehicles. One technology AVA is developing allows an autonomous vehicle to detect, extract, and analyze images, and then to respond to the images. For example, the technology would detect a presence in a crosswalk, extract the image, and a computer would analyze the image. When the image was determined to be a human being, the vehicle would slow down or stop until the crosswalk was clear. This technology, which is designed to capture and analyze images and to act on the recognition of the image, is called
A. Transducer technology. B. Accelerometer technology. C. Computer vision. Correct. This technology is called computer vision. D. Visual acuity.
An organization evaluates key stakeholders' attitude toward risk in order to
Understand what risks are acceptable and to develop an effective enterprise-wide risk management program.
Preventative Analytics
Uses smart products and data analytics to identify root loss causes and their implications
When interviewing a risk owner, which one of the following questions should be asked?
What steps have been taken to ensure continuity of business in the event of a natural disaster?
Risk Optimizing (Risk Managed)
Aggressive and conservative tendencies are balanced in this risk attitude.
Risk seeking (risk naive)
Based on a short-term horizon, both upside and downside.
Speculative risk
chance of gain
Metadata
data about data
4th line of defense
external audit
A business impact analysis (BIA) should identify the points in time when the interruption would have the greatest impact, what the operational impact would be, and
financial impact
Which one of the following best describes how the modern approach to internal auditing differs from the traditional approach?
The modern approach uses many systems-based techniques and determines activity based on the organization's business objectives, the materiality of the risk, and key threats to achieving business objectives, rather than evaluating current controls.
Which one of the following best explains how a risk-managed organization views a proposed new product line?
It weighs the risk-reward relationship while realistically evaluating potential outcomes and consequences.
Successful organizations have goals and objectives. A financial or nonfinancial measurement that defines how successfully an organization is progressing toward its long-term goals is referred to as
key performance indicator (KPI)
1st line of defense
operational management
Subjective risk
opinion
Classifying risk appropriately can help in managing risk. Which one of the following statements is correct with respect to the classifications of risk?
Pure risk is a chance of loss or no loss, but no chance of gain.
Sound risk management decisions are predicated on
quality of data
2nd line of defense
risk management functions
Malware
software that is intended to damage or disable computers and computer systems.
The Sarbanes-Oxley Compliance (SOX) category involves all of the following compliance levels, EXCEPT:
voluntary