CIA Exam Part 1
ISO 31000 provides for a risk management framework that includes
A leadership and commitment component. The risk management framework in ISO 31000 has six components. For example, the board and senior management demonstrate leadership and commitment by (1) implementing the framework's components; (2) adopting a policy that establishes a risk management plan or approach; (3) committing resources to risk management; and (4) assigning accountability, authority, and responsibility at each organizational level.
According to COSO's ERM framework, which view of risk is fully integrated?
A portfolio view is fully integrated. It is a composite view of the risks related to entity-wide strategy and business objectives and their effect on entity performance.
According to a principle stated in the performance component of the COSO's ERM framework, the organization identifies and selects risk responses. Which risk response is most appropriate when the risk is within the risk appetite?
Acceptance (retention) results in no action to alter the severity of the risk. Acceptance is appropriate when the risk is within the risk appetite. This term is synonymous with self-insurance.
Which of the following actions by an internal auditor is most likely a violation of The IIA's Code of Ethics?
Accepting a moderate gift from a customer of his or her organization.
According to the COSO ERM framework, the difference between inherent risk and actual residual risk results because of management's
Actions to alter the severity of inherent risk. Inherent risk is the risk without management actions to alter its severity. Actual residual risk remains after management actions to alter its severity.
The purpose of the internal audit activity is best described as (emphasis on best)
Adding value to the organization. (Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations (Definition of Internal Auditing).)
For an enterprise wide risk management program to be most effective, it should be led by which of the following?
An enterprise risk management (ERM) program is most effective when led by a centralized coordinator, such as a risk officer. This person facilitates ERM by working with other managers in establishing effective risk management in their areas of responsibility.
Risk management processes include risk identification. One method is
An event inventory. Certain events are common to particular industries. Software is available that provides lists that can be used as a starting point for event identification.
According to ISO 31000, which of the following is a principle of risk management?
Best available information. ISO 31000 is a principles-based approach to risk management. Its principles are the foundation for risk management. They also communicate the characteristics, value, and purpose of effective and efficient risk management.
The primary reason that a bank would maintain a separate compliance function is to
Better manage perceived high risks. The risk management process identifies, assesses, manages, and controls potential risk exposures. Organizations such as brokers, banks, and insurance companies may view risks as sufficiently critical to warrant continuous oversight and monitoring.
The elements of the ISO 31000 risk management process include
Communication and consultation.
Under the ISO 31000 model, the risk assessment element of a risk management process
Compares the established risk criteria with the results of the risk analysis.
According to the competency principle and the related Rules of Conduct in The IIA's Code of Ethics, internal auditors must
Continually improve their proficiency.
ERM's premise is that an organization exists to provide value. Value is eroded when
Day-to-day tasks are not performed. Value is eroded when (1) management's strategy does not produce expected results or (2) management does not perform day-to-day tasks.
According to ISO 31000, the design of a risk management framework involves all of the following except
Deciding on an appropriate risk response. Deciding on an appropriate risk response is not involved in the design of a risk management framework according to ISO 31000. The design of the framework involves (1) understanding the organization and its context; (2) articulating commitment to risk management; (3) assigning and communicating authorities, responsibilities, and accountabilities for risk management roles at all levels; (4) allocating resources (e.g., people, experience, processes, and information systems) to support risk management while recognizing the limitations of existing resources; and (5) establishing communication and consultation.
According to the ISO 31000 risk management framework, which of its components most likely involves assigning authorities for risk management?
Design.
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. With respect to evaluating the adequacy of risk management processes, internal auditors most likely should
Determine that the key objectives of risk management processes are being met. Internal auditors need to obtain sufficient and appropriate evidence to determine that key objectives of the risk management processes are being met to form an opinion on the adequacy of risk management processes.
An internal auditor plans to audit the adequacy of controls over credit approval. Which of the following is not a required procedure in such an engagement?
Determine whether loans and other liabilities are valued in accordance with industry regulations.
Which of the following activities are included in ERM?
(1) Determining risk appetite, (2) identifying potential risks, (3) communicating information on risks consistently and at all levels, and (4) providing assurance on the effectiveness of risk management.
Internal auditors specifically demonstrate conformance with the confidentiality principle by
Documenting distribution restrictions on engagement records. Internal auditors conform with engagement record confidentiality by documenting distribution restrictions in workpapers and reports and by retaining authorizations of all disclosures and approved distribution lists (IG, Code of Ethics: Confidentiality).
An internal auditor most directly violates the integrity principle under The IIA Code of Ethics by
Engaging in a legal act discreditable to the organization. Under Rule of Conduct 1.3 (Integrity), an internal auditor must not knowingly be a party to an illegal activity or engage in acts discreditable to the profession of internal auditing or to the organization.
According to the strategy and objective setting component of ERM, the organization
Establishes tolerances to evaluate achievement of objectives.
The governance and culture component of the COSO's enterprise risk management framework (ERM) most likely includes which principle?
Establishment of operating structures. The governance and culture component includes the principle that the organization establishes operating structures. They describe how the entity is organized and carries out day-to-day operations and generally are aligned with the entity's legal structure and management structure.
According to the strategy and objective setting component of the COSO's ERM framework, the organization
Evaluates alignment of a strategy with the risk appetite. The organization evaluates alternative strategies and their effects on the risk profile. It must evaluate (1) the strategy's alignment with its mission, vision, core values, and risk appetite, and (2) the implications of the chosen strategy (its risks, opportunities, and effects on the risk profile).
When performing an assurance engagement related to risk management processes, the internal audit activity (IAA) most likely
Evaluates risk exposures in information systems. The IAA must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the (1) achievement of the organization's strategic objectives; (2) reliability and integrity of financial and operational information; (3) effectiveness and efficiency of operations and programs; (4) safeguarding of assets; and (5) compliance with laws, regulations, policies, procedures, and contracts.
According to the COSO ERM framework, the lines of management accountability include a
First line that manages risks to meet objectives. The first line is the core business. It consists of the principal owners of risk. They manage performance and risks taken to achieve strategy and objectives.
The tone of the organization is consistent with a principle of which component of the COSO's enterprise risk management (ERM) framework?
Governance and culture.
The Chief Audit Executive's responsibilities for risk management include which of the following?
Having formal discussions with the board about their obligations for understanding, managing, and monitoring risks.
Which of the following is not a component of the risk management framework of the ISO 31000 model?
Human and cultural factors. "Human and cultural factors" is a principle, not a component, of the risk management framework in the ISO 31000 model.
According to the COSO ERM framework, which of the following is an essential element of the governance and culture component?
Human capital. A principle within the governance and culture component is that the organization attract, develop, and retain capable individuals.
Which of the following is a principle of the performance component of the COSO's ERM framework?
Identification and selection of risk responses. The organization identifies and selects risk responses, recognizing that risk may be managed but not eliminated. Risks should be managed within the business context and objectives, performance targets, and risk appetite.
Risk management, at any level, consists of
(1) Identifying potential events that may affect the entity and (2) managing the associated risk to be within the entity's risk appetite.
Risk modeling in a consulting service is done by ranking the engagement's potential to
(1) Improve management of risk, (2) add value, and (3) improve the organization's operations.
Freedom from conditions that threaten internal auditors' ability to do unbiased work is
Independence. Independence is "the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner" (The IIA Glossary).
Which of the following are elements of a supporting aspect component of the COSO ERM framework?
Information and communication. The COSO ERM framework consists of five interrelated components. The supporting aspect components are (1) governance and culture and (2) information, communication, and reporting. The common process components are (1) strategy and objective setting, (2) performance, and (3) review and revision.
An internal auditor who uses the CIA designation after it has expired most likely is engaging in an act discreditable under which principle of The IIA's Code of Ethics?
Integrity.
Which one of the following must be included in the internal audit charter?
Internal audit responsibility. The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter.
Enterprise risk management
Involves the identification of events with negative impacts on organizational objectives.
ISO 31000 is an approach to risk management. It describes a maturity model that provides assurance on the risk management process defined by ISO 31000. The maturity model approach
Is based on the principle that risk management must add value. The maturity model approach is based on the principle that effective risk management processes develop and improve with time as value is added at each phase in the maturation process. The basic principle is that risk management must add value.
ISO 31000 describes a maturity model assurance approach to risk management. An essential element of this approach is
Linkage of plan progress with a performance measurement system.
Which of the following are roles that the internal audit activity should not undertake since they would threaten its independence and objectivity?
(1) Making decisions on risk responses, (2) implementing risk responses on management's behalf, and (3) imposing risk management processes.
In an organization that has implemented ERM, who has overall responsibility for ERM?
Management. Management has overall responsibility for ERM and is generally responsible for the day-to-day managing of risk, including the implementation and development of the COSO ERM framework. Within management, the CEO has ultimate responsibility for ERM and achievement of strategy and business objectives.
Which of the following threatens the independence of an internal auditor who had participated in the initial establishment of a risk management process?
Managing the identified risks. Assuming management's responsibility for the risk management process is a potential threat to the internal audit activity's independence. It requires a full discussion and board approval.
Which of the following is a false statement concerning risk management? Risk management processes
Must be quantitative, formal, and embedded in business units. Risk management processes may be formal or informal, quantitative or subjective, or embedded in business units or centralized.
The ISO 31000 model describes three approaches to providing assurance on risk management processes. Which of the following is not one of these approaches?
Negative assurance. Negative assurance is not a concept applicable to providing assurance on risk management processes described in the ISO 31000 model.
Evaluation of the organization's portfolio view of risk relates to a principle stated in which component of the COSO's enterprise risk management (ERM) framework?
Performance.
In the risk management process, management's view of the internal audit activity's role is likely to be determined by all of the following factors except
Preferences of the independent auditor.
Which of the following is a component of The IIA's Code of Ethics?
Principles.
The chief audit executive (CAE) most likely promotes a culture of competency by
Providing evidence of an active quality assurance program. The CAE may demonstrate a culture supportive of competency and the continual improvement of proficiency, effectiveness, and quality through evidence that a quality assurance and improvement program is active (IG, Code of Ethics: Competency).
The review and revision component of ERM includes the principle that the organization
Pursues improvement of ERM.
Risk management processes require risk analysis that includes
Qualitative or quantitative methods.
The level of assurance that risk management can provide regarding the achievement of entity objectives is
Reasonable.
An organization maintains an information security function. When it contracted with a security specialist to provide the service, what was the change in risk response?
Reduction to sharing. Reduction (mitigation) is action to reduce the severity of the risk so that it is within the target residual risk profile and risk appetite. For example, the risk of systems penetration can be reduced by maintaining an effective information security function within the entity. Sharing (transfer) is action taken to reduce the severity of the risk by transferring a portion of the risk to another party. Examples are (1) insurance; (2) hedging; (3) joint ventures; (4) outsourcing; and (5) contractual agreements with customers, vendors, or other business partners.
Banks provide reconciliation statements to their clients. From the clients' perspective, this practice is a form of which method of managing risks associated with cash?
Reduction. Risk responses may include avoidance, acceptance, sharing, pursuit, and reduction. By using bank reconciliations, businesses can reduce the risk of theft and misappropriation.
The maturity model approach adopted by ISO 31000 may have different forms. One is the capability maturity model (CMM). Another is the capability maturity model integration (CMMI) development V2.0. The maturity level in the CMM but not the CMMI is
Repeatable. The five CMM levels are Initial, Repeatable, Defined, Managed, and Optimizing. CMMI does not use "Repeatable"; its levels are Initial, Managed, Defined, Quantitatively Managed, and Optimizing (CMMI V2.0 also adds an Incomplete level 0).
The information, communication, and reporting component of the ERM framework includes the principle that the organization
Reports on risk, culture, and performance.
Which of the following includes risk responses?
Residual risk profile. A risk profile is a composite view of the types, severity, and interdependencies of risks related to a specific strategy or business objective and their effect on performance. A risk profile may be created at any level or aspect of the organization. A residual risk profile includes risk responses.
An organization has outsourced its internal audit activity to an external service provider (ESP). The ESP must make the outsourcing organization aware that it
Retained responsibility for the internal audit activity's effectiveness.
According to the COSO's enterprise risk management (ERM) framework, which of the following is consistent with a principle of its governance and culture component?
Retention of capable individuals. A principle of the governance and culture component of ERM is that the organization attracts, develops, and retains capable individuals. Management is responsible for defining the necessary human capital (needed competencies) to achieve objectives, and the human resources function assists management in developing competency requirements through processes that attract, train, mentor, evaluate, reward, and retain competent individuals. Moreover, contingency plans should be developed to prepare for succession.
Which component of ERM includes the principle that the organization identifies and assesses changes that may substantially affect strategy?
Review and revision.
According to COSO, the component of enterprise risk management (ERM) that best relates to continuous improvement is
Review and revision. A principle related to the review and revision component states that the organization must continually improve ERM at all levels even if actual performance aligns with target performance or tolerance.
Internal audit has prepared the following risk map for the upcoming audit year:
Risk K and Risk M both have one high risk measure and one medium risk measure, giving them the same overall risk exposure.
According to the COSO ERM framework, a risk profile is a view of the relationship between
Risk and performance.
The elements of the ISO 31000 risk management process include all of the following except
Risk appetite. Elements included are risk analysis, risk identification, and risk treatment.
Which of the following is not an activity undertaken as part of risk management?
Risk exposure. Risk exposure is a condition, not an activity.
The performance component of the COSO ERM framework addresses an entity's
Risk identification, assessment, and prioritization methods.
Which of the following is the most accurate term for a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives?
Risk management is "a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives" (The IIA Glossary).
Which of the following is a false statement concerning risk management?
Risk management is too important to be delegated to a committee. In large or complex entities, senior management may appoint a risk committee to review the risks identified by the various operating units and create a coherent response plan.
When the executive management of an organization decided to form a team to investigate the adoption of an activity-based costing (ABC) system, an internal auditor was assigned to the team. The best reason for including an internal auditor is the internal auditor's knowledge of
Risk management processes.
A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk?
Risk reduction. Risk reduction (mitigation) reduces the risk so that it is within the target residual risk profile and risk appetite. By relocating its production facilities, the firm has reduced the risk of having difficulty sourcing materials locally.
The elements of the ISO 31000 risk management process include
Risk treatment. Risk treatment is an element of the ISO 31000 risk management process. Risk treatment is a repetitive process of (1) selecting risk treatments (e.g., accept, avoid, reduce, share, or pursue), (2) implementing the treatment, (3) assessing the treatment's effectiveness, (4) determining whether the residual risk is acceptable, and (5) adopting another treatment if the first is unacceptable.
Principles included in The IIA's Code of Ethics are interpreted by Rules of Conduct. Which principles as interpreted require disclosures by internal auditors?
Rule of Conduct 1.1 (Integrity) states that internal auditors shall "observe the law and make disclosures expected by the law and the profession." Rule of Conduct 2.3 (Objectivity) states that internal auditors shall "disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review."
Management considers risk appetite for all of the following reasons except
Setting risk capacity.
The internal auditor who works in enterprise risk management (ERM) may perform each of the following activities except
Setting the risk appetite of the organization.
Factors in the selection of risk responses most likely include
Severity. Factors in selecting and implementing risk responses include (1) business context, (2) proportionality of costs and benefits to the severity and priority of the risk, (3) furtherance of compliance with obligations and achievement of expectations, (4) risk appetite and tolerance, and (5) risk severity.
A company purchases currency futures to respond to currency risk. However, due to increasing exchange rate fluctuations, the company has decided not to trade with foreign partners. Which of the following describes this change in risk response?
Sharing to avoidance. Sharing (transfer) is action to reduce the severity of the risk by transferring a portion of the risk to another party. Examples are insurance; hedging; joint ventures; outsourcing; and contractual agreements with customers, vendors, or other business partners. Avoidance is action to remove the risk. Avoidance typically suggests no response would reduce the risk to an acceptable level. Cessation of trading with foreign partners removes the currency risk and is therefore avoidance.
An organization determined that its variable interest rate on an existing loan will increase significantly in the near future. It therefore decided to hedge its variable rate by locking in a fixed rate over the remaining loan period. According to the COSO ERM framework, this decision is which response to risk?
Sharing. Sharing reduces the severity of the risk by transferring some risk to another party. Examples are insurance; hedging; joint ventures; outsourcing; and contractual agreements with customers, vendors, or other business partners.
An entity defines its risk appetite in which component of the COSO ERM framework?
Strategy and objective-setting. The entity defines risk appetite in the strategy and objective-setting component of ERM. In defining risk appetite, the entity considers its mission, vision, culture, prior strategies, and risk capacity.
The IIA's Competency Framework includes which core competency?
Technology-based audit methods.
When the internal audit activity outsources some of its functions to an external service provider (ESP),
The IIA's Standards must be followed by the ESP.
Which board committee appointed to oversee an organization's ERM most likely is required by law?
The Sarbanes-Oxley Act of 2002 required public companies to establish audit committees. Each member also must be a member of the board and independent. The audit committee, among other things, appoints the external auditor and ordinarily must preapprove the services it performs. Other board committees, e.g., risk, executive compensation, and nomination or governance, ordinarily are not required.
Senior management has identified the following risk areas within the organization: (1) derivatives trading: likelihood high, impact high; (2) materials acquisition: likelihood low, impact low; (3) petty cash: likelihood high, impact low; (4) bond issue: likelihood low, impact high; (5) transportation fleet: likelihood high, impact medium. Which of the following is a false statement in terms of overall risk exposure of the areas named?
The bond issue is riskier than petty cash. This is false: the bond issue and petty cash both have one high risk measure and one low risk measure, i.e., they have equivalent overall risk exposure. Overall risk exposure, which incorporates both likelihood and impact, is what matters, not either measure alone.
Which of the following is not a category of risk response strategies?
The categories of risk responses are (1) acceptance (retention), (2) avoidance, (3) pursuit, (4) reduction (mitigation), and (5) sharing (transfer). Accordingly, compliance is not a category of risk responses.
Which of the following are common process components of the COSO ERM framework?
The common process components of the COSO ERM framework are (1) strategy and objective-setting, (2) performance, and (3) review and revision.
According to COSO, which component of enterprise risk management (ERM) addresses an entity's operating structures and core values?
The governance and culture component addresses board responsibilities, operating structures, and core values, among others.
Which of the following statements about risk management is false?
The internal audit activity may not have a consulting role in identifying, evaluating, and implementing risk management methods. This is the false statement: the internal audit activity may perform consulting services related to risk management (emphasis on consulting), provided it does not assume management's responsibility for managing risks.
Given that internal audit engagements must be performed with proficiency and due professional care, which of the following is true?
The internal audit activity need not decline an engagement because it currently lacks the needed competencies.
A new staff internal auditor was told to perform an engagement in an area with which the internal auditor was not familiar. Because of time constraints, no supervision was provided. In this situation,
The internal audit activity violated the Standards by not providing adequate supervision.
An organization that has adopted ERM considers the effect of strategy on its risk profile.
The intersection of the risk curve and risk appetite is not acceptable. Tolerance (risk tolerance) is the range of acceptable variation in performance results. The intersection of the risk curve and risk appetite exceeds the organization's risk tolerance.
Inherent risk is
The risk when management has not taken action to reduce the impact or likelihood of an adverse event.
Which of the following statements regarding monitoring risk responses is false?
The two most, not least, important sources of information for ongoing assessments of the adequacy of risk responses are those closest to the activities themselves and the audit function.
The internal auditor should evaluate the adequacy of controls over the safeguarding of assets from all of the following except
Underusage of physical facilities. (This has to do with efficiency)
Risk modeling most likely
Validates risk priorities. Risk modeling is a method of risk assessment and prioritization. It ranks and validates risk priorities when setting the priorities of engagements in the audit plan. Risk factors may be weighted based on professional judgments to determine their relative significance, but the weights need not be quantified.