unit 4 multiple choice
Which of the following has the greatest effect on the strategy and objective-setting component of the COSO ERM framework? A.Compliance with obligations and achievement of expectations. B.Performance results that deviate from target performance. C.Changes in the organization's business context.
C.Changes in the organization's business context. A principle related to the strategy and objective-setting component of the COSO ERM framework is that the organization analyzes business context and its effect on the risk profile. Thus, changes in the business context, among the choices, has the greatest effect on the strategy and objective-setting component.
The function of the chief risk officer (CRO) is most effective when the CRO A.Shares the management of risk with line management. B.Manages risk as a member of senior management. C.Monitors risk as part of the enterprise risk management team. D.Shares the management of risk with the chief audit executive.
C.Monitors risk as part of the enterprise risk management team. A CRO is a member of management assigned primary responsibility for enterprise risk management processes. The CRO is most effective when supported by a specific team with the necessary expertise and experience related to organization-wide risk.
Which of the following is not an activity undertaken as part of risk management? A.Risk identification. B.Risk response. C.Risk exposure. D.Risk analysis.
C.Risk exposure. Risk exposure is a condition, not an activity.
A recent inventory shortage at XYZ Corp., an unaffiliated supplier, contributed to production failures at OPS Corp. in the current period. To avoid future production failures because of supplier inventory shortages, the most appropriate method is for OPS to A.Establish an inventory control framework at XYZ. B.Inform XYZ about its risk appetite regarding supply failures. C.Produce the inventory items instead of purchasing from suppliers. D.Increase the size of orders.
B.Inform XYZ about its risk appetite regarding supply failures. The risk appetite is the level of risk that an organization is willing to accept (The IIA Glossary). Thus, communicating about the risk appetite with external parties is an important aspect of risk management. It allows the organization to develop strategies to work with suppliers who may have different objectives.
Enterprise risk management A.Requires establishment of risk and control activities by internal auditors. B.Involves the identification of events with negative impacts on organizational objectives. C.Includes selection of the best risk response for the organization. D.Guarantees achievement of organizational objectives.
B.Involves the identification of events with negative impacts on organizational objectives. The IIA Glossary defines risk management as a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives. Thus, enterprise risk management involves the identification of events with negative effects on achievement of organizational objectives.
Senior management has identified the trading of marketable securities as a high-risk activity. In response, a new supervisory position was created. Every evening after the close of business, this supervisor reviews every trade made during the day. After 6 months of trading marketable securities under this system, the quantified risk reported by the internal audit activity is termed A.True risk. B.Residual risk. C.Responded risk. D.Managed risk.
B.Residual risk. Residual risk is the risk remaining after management takes action to alter its severity.
Which of the following is the correct order of steps in the risk management process? Identify risks Monitor risk responses Formulate risk responses Assess and prioritize risks Identify context A.1, 3, 5, 4, 2. B.1, 5, 4, 3, 2. C.1, 4, 3, 2, 5. D.5, 1, 4, 3, 2.
D.5, 1, 4, 3, 2. The correct order of steps in the risk management process is as follows: identify context, identify risks, assess and prioritize risks, formulate risk responses, and monitor risk responses.
According to the COSO ERM framework, the difference between inherent risk and actual residual risk results because of management's A.Inability to share the actual residual risk. B.Inability to alter the severity of inherent risk. C.Actions to alter the severity of actual residual risk. D.Actions to alter the severity of inherent risk.
D.Actions to alter the severity of inherent risk. Inherent risk is the risk without management actions to alter its severity. Actual residual risk remains after management actions to alter its severity.
For an enterprise wide risk management program to be most effective, it should be led by which of the following? A.A centralized coordinator. B.A management committee. C.Audit committee members. D.The chief audit executive.
A.A centralized coordinator. An enterprise risk management (ERM) program is most effective when led by a centralized coordinator, such as a risk officer. This person facilitates ERM by working with other managers in establishing effective risk management in their areas of responsibility.
Company management completes event identification and assesses the severity of risk. Management then acts to alter the severity of risk. According to COSO's ERM framework, the risk remaining after management's actions is A.Actual residual risk. B.Target residual risk. C.Inherent risk. D.Event risk.
A.Actual residual risk. Actual residual risk is the risk that remains after management acts to alter its severity. It should not exceed target residual risk.
According to ISO 31000, the design of a risk management framework involves all of the following except A.Deciding on an appropriate risk response. B.Allocating the necessary resources. C.Understanding the organization and its context. D.Establishing communication and consultation.
A.Deciding on an appropriate risk response. Deciding on an appropriate risk response is not involved in the design of a risk management framework according to ISO 31000. The design of the framework involves (1) understanding the organization and its context; (2) articulating commitment to risk management; (3) assigning and communicating authorities, responsibilities, and accountabilities for risk management roles at all levels; (4) allocating resources (e.g., people, experience, processes, and information systems) to support risk management while recognizing the limitations of existing resources; and (5) establishing communication and consultation.
Internal auditors should review the means of physically safeguarding assets from losses arising from A.Exposure to the elements. B.Misapplication of accounting principles. C.Procedures that are not cost justified. D.Underusage of physical facilities.
A.Exposure to the elements. The internal audit activity must evaluate risk exposures relating to governance, operations, and information systems regarding the safeguarding of assets (Impl. Std. 2120.A1). For example, internal auditors evaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the elements. the others relate to efficiency not effectiveness
According to COSO, which component of enterprise risk management (ERM) addresses an entity's operating structures and core values? A.Governance and culture. B.Review and revision. C.Strategy and objective-setting. D.Information, communication, and reporting.
A.Governance and culture. The governance and culture component addresses board responsibilities, operating structures, and core values, among others.
The components of enterprise risk management (ERM) should be present and functioning. What does "present" mean? Components exist in the design of ERM. Components exist in the implementation of ERM. Components continue to operate to achieve strategy and business objectives. A.I and II. B.II only. C.I, II, and III. D.I only.
A.I and II. The components and principles of ERM, and their related controls, should be present and functioning to help the entity achieve its strategy and business objective. "Present" means such components, principles, and controls exist in the design and implementation of ERM.
The ISO 31000 approach to risk management is A.Principles based. B.Process based. C.Objective based. D.Resource based.
A.Principles based. ISO 31000 is a principles-based approach to risk management. Its principles are the foundation for risk management. They also communicate the characteristics, value, and purpose of effective and efficient risk management. Value creation and protection are the purposes of risk management. The principles are the following: (1) integrated, (2) structured and comprehensive, (3) customized, (4) inclusive, (5) dynamic, (6) best available information, (7) human and cultural factors, and (8) continual improvement.
According to the COSO ERM framework, a risk profile is a view of the relationship between A.Inherent risk and target residual risk. B.Risk and performance. C.Tolerance and risk appetite. D.Risk capacity and risk appetite.
B.Risk and performance. A risk profile is a composite view of (1) the types, severity, and interdependencies of risks related to a specific strategy or business objective and (2) their effect on performance.
The company maintains a fund to pay for repairs to warehouse equipment. Which risk response strategy is the company using? A.Risk sharing. B.Risk retention. C.Risk avoidance. D.Risk reduction.
B.Risk retention. Risk retention accepts the risk of an activity and is synonymous with self-insurance. The company accepts the risk of equipment repairs by using a form of self-insurance (a company fund) to pay for repairs.
An organization determined that its variable interest rate on an existing loan will increase significantly in the near future. It therefore decided to hedge its variable rate by locking in a fixed rate over the remaining loan period. According to the COSO ERM framework, this decision is which response to risk? A.Avoidance. B.Sharing. C.Acceptance. D.Reduction.
B.Sharing. Sharing reduces the severity of the risk by transferring some risk to another party. Examples are insurance; hedging; joint ventures; outsourcing; and contractual agreements with customers, vendors, or other business partners.
Which of the following is not a principle related to the review and revision component of the COSO ERM framework? A.The organization reviews entity performance results and considers risk. B.The organization develops and evaluates its portfolio view of risk. C.The organization identifies and assesses changes that may substantially affect strategy and business objectives. D.The organization pursues improvement of ERM.
B.The organization develops and evaluates its portfolio view of risk. The organization develops and evaluates its portfolio view of risk" is one of the five principles related to the performance component of the COSO ERM framework. The three principles related to the review and revision component of the COSO ERM framework are the organization (1) identifies and assesses changes that may substantially affect strategy and business objectives, (2) reviews entity performance results and considers risk, and (3) pursues improvement of ERM.
According to ISO 31000, which of the following is not a principle of risk management? A.Promotes continuous improvement. B.Considers human and cultural factors. C.Delegates accountability and authority. D.Considers the best available information.
C.Delegates accountability and authority. ISO 31000 is a principles-based approach to risk management. Its principles are the foundation for risk management. They also communicate the characteristics, value, and purpose of effective and efficient risk management. Value creation and protection are the purposes of risk management. The principles are the following: (1) integrated, (2) structured and comprehensive, (3) customized, (4) inclusive, (5) dynamic, (6) best available information, (7) human and cultural factors, and (8) continual improvement.
According to the COSO ERM framework, which of the following is an essential element of the governance and culture component? A.Risk responses. B.Information systems. C.Human capital. D.Reports on risk and culture.
C.Human capital. A principle within the governance and culture component is that the organization attract, develop, and retain capable individuals.
Risk is measured in terms of A.Conditions that threaten the internal audit's ability. B.Adherence to policies, plans, and procedures. C.Impact and likelihood. D.Discipline and structure.
C.Impact and likelihood. The IIA Glossary defines risk as the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Which of the following threatens the independence of an internal auditor who had participated in the initial establishment of a risk management process? A.Developing assessments and reports on the risk management process. B.Recommending controls to address the risks identified. C.Managing the identified risks. D.Evaluating the adequacy and effectiveness of management's risk processes.
C.Managing the identified risks. Assuming management's responsibility for the risk management process is a potential threat to the internal audit activity's independence. It requires a full discussion and board approval.
Which of the following are common process components of the COSO ERM framework? A.Information, communication, and reporting; strategy and objective-setting. B.Review and revision; governance and culture. C.Performance; review and revision. D.Governance and culture; performance.
C.Performance; review and revision. The common process components of the COSO ERM framework are (1) strategy and objective-setting, (2) performance, and (3) review and revision.
Which of the following factors affects the control risk of an organization? A.Complex accounts that require expert valuations. B.Unusual pressures on management. C.Segregation of duties. D.Potential problems like technological obsolescence.
C.Segregation of duties. Control risk is the risk that controls fail to effectively manage controllable risks. A common control is segregation of duties. For example, it separates the responsibilities for authorization of transactions, recording of transactions, and custody of assets. Thus, segregation of duties affects the control risk of an organization.
A company purchases currency futures to respond to currency risk. However, due to increasing exchange rate fluctuations, the company has decided not to trade with foreign partners. Which of the following describes this change in risk response? A.Reduction to avoidance. B.Acceptance to reduction. C.Sharing to avoidance. D.Transfer to mitigation.
C.Sharing to avoidance. Sharing (transfer) is action to reduce the severity of the risk by transferring a portion of the risk to another party. Examples are insurance; hedging; joint ventures; outsourcing; and contractual agreements with customers, vendors, or other business partners. Thus, purchasing currency futures shares the risk with an outside party. Avoidance is action to remove the risk. Avoidance typically suggests no response would reduce the risk to an acceptable level. Cessation of trading with foreign partners removes the currency risk and is therefore avoidance.
The internal auditors are assessing the risk of fraud involving senior management. An impact factor is A.Inadequacy of internal controls. B.Potential override of internal controls. C.Unusual transactions. D.Fines and penalties.
D.Fines and penalties. An impact factor is a potential result of an event. These events are usually identified through the risk assessment process. For example, the consequences of fraud may include direct financial loss in the form of fines and penalties. it is not potential override because An impact factor is a potential result of an event. Potential override of internal controls is a cause of an event that normally is identified during risk assessment.
Which of the following is an example of risk reduction? A.Purchasing insurance. B.After considering all the alternatives and implementing control activities, continuing to engage in the risk-producing activity. C.Never beginning the risk-producing activity. D.Hiring additional employees to perform routine maintenance checks on machinery.
D.Hiring additional employees to perform routine maintenance checks on machinery. Hiring additional employees to perform routine maintenance checks on machinery would reduce the risk of a complete break-down in machinery and is an example of risk reduction.
The underlying premise of the COSO ERM framework is that every organization exists to A.Identify and manage risks. B.Achieve strategy and business objectives. C.Maximize profits. D.Provide value for its stakeholders.
D.Provide value for its stakeholders. ERM is defined as the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
Which of the following is the most accurate term for a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives? A.Control process. B.The internal audit activity. C.Consulting service. D.Risk management.
D.Risk management. Risk management is "a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives" (The IIA Glossary).
A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk? A.Risk sharing. B.Prospect theory. C.Risk acceptance. D.Risk reduction.
D.Risk reduction. Risk reduction (mitigation) reduces the risk so that it is within the target residual risk profile and risk appetite. By relocating its production facilities, the firm has reduced the risk of having difficulty sourcing materials locally.
Standard 2120 states that the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. Conformance with Standard 2120 is best demonstrated by A.The work programs for formal consulting engagements. B.The business continuity plan. C.Review by the internal auditors immediately following a disaster. D.The charter of the internal audit activity.
D.The charter of the internal audit activity. Documents demonstrating conformance with Standard 2120 include the internal audit charter. It describes the internal audit activity's roles and responsibilities regarding risk management. Other documents include (1) the internal audit plan, (2) minutes of meetings in which internal audit recommendations were discussed, (3) internal audit risk assessments, and (4) internal audit action plans addressing risks.
Which of the following is not a principle related to the information, communication, and reporting component of the COSO ERM framework? A.The organization leverages its information systems to support ERM. B.The organization uses communication channels to support ERM. C.The organization reports on risk, culture, and performance at multiple levels and across the entity. D.The organization identifies risks that disrupt operations of the ERM.
D.The organization identifies risks that disrupt operations of the ERM. "The organization identifies risks that disrupt operations and affect the reasonable expectation of achieving strategy and business objectives" is one of the five principles related to the performance component of the COSO ERM framework. The three principles related to the information, communication, and reporting component of the COSO ERM framework are 1) the organization leverages its information systems to support ERM, 2) the organization uses communication channels to support ERM, and 3) the organization reports on risk, culture, and performance at multiple levels and across the entity.
