ACCT 4631 - Chap 4
Internal audit has prepared the following risk map for the upcoming audit year: Risk M: Medium Likelihood, High Risk Risk N:Meidum Likelihood, Meidum Risk Risk K: High Likelihood, Medium Risk Risk L: Low Likelihood, Low Risk Where should the chief audit executive devote the most internal audit resources? A. Cannot be determined from the information given. B. Risk K. C. All the identified risks should be allocated equal resources. D. Risk M.
A. Cannot be determined from the info given Risk K and Risk M both have one high risk measure and one medium risk measure, giving them the same overall risk exposure. Allocating more resources to one over the other cannot be justified based on the information given.
Which of the following threatens the independence of an internal auditor who had participated in the initial establishment of a risk management process? A. Managing the identified risks B. Recommending controls to address the risks identified. C. Developing assessments and reports on the risk management process. D. Evaluating the adequacy and effectiveness of management's risk processes.
A. Managing the identified risks Assuming management's responsibility for the risk management process is a potential threat to the internal audit activity's independence. It requires a full discussion and board approval
In the risk management process, management's view of the internal audit activity's role is likely to be determined by all of the following factors except... A. Preferences of the independent auditor. B. Local conditions and customs of the country. C. Ability of the internal audit staff. D. Organizational culture
A. Preferences of the independent auditor. Ultimately, the role of internal auditing in the risk management process is determined by senior management and the board. Their view on internal auditing's role is likely to be determined by factors such as the culture of the organization, ability of the internal audit staff, and local conditions and customs
All of the following are legitimate roles for internal audit in enterprise risk management (ERM) except... A. Setting Risk Appetite B. Coordinating ERM activities C. Coaching management in responding to risks D. Maintaining and developing the ERM framework
A. Setting Risk Appetite Setting the organization's risk appetite is a management role.
When a customer fails to pay his or her invoice within 2 months, a notification is sent to inform the credit manager of the situation. This is an example of which kind of event identification method? A. Threshold triggers. B. Internal analysis. C. Process flow analysis. D. Loss event data methodologies.
A. Threshold Triggers A predetermined risk response may be made when a certain event occurs, such as when cash is below a given level or a customer has not paid an invoice within a certain period of time.
The internal audit activity usually provides assurance about which of the following? 1. The design and effectiveness of risk management processes 2. Management of key risks 3. Risk assessment 4. Reporting risk and control status A. 3 and 4 only B. 1, 2, 3, and 4 C. 2, 3, and 4 only D. 1 and 2 only
B. 1, 2, 3, and 4 Assurance comes primarily from management. However, objective assurance is also provided by the internal audit activity, external auditors, and independent specialists. The internal audit activity usually provides assurance about the following: -The design and effectiveness of risk management processes -Management of key risks, including the effectiveness of response activities -Risk assessment -Reporting risk and control status
Which one of the following is not a dimension of the COSO ERM matrix? A. Audit. B. Entity. C. Objectives. D. Components.
B. Audit
Which of the following members of an organization has ultimate ownership responsibility of the enterprise risk management, provides leadership and direction to senior managers, and monitors the entity's overall risk activities in relation to its risk appetite? A. Internal auditors B. Chief Executive Officer C. Chief Financial Office D. Chirf Risk Officer
B. Chief Executive Officer The chief executive officer (CEO) sets the tone at the top of the organization and has ultimate responsibility for ownership of the ERM. The CEO will influence the composition and conduct of the board, provide leadership and direction to senior managers, and monitor the entity's overall risk activities in relation to its risk appetite. If any problems arise with the organization's risk appetite, the CEO will also take any measures to adjust the alignment to better suit the organization.
An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement? A. Determine the extent of management oversight over investments in sophisticated instruments. B. Determine whether the chief financial officer is getting higher or lower rates of return on investments than are chief financial officers in comparable organizations. C. Determine if policies exist which describe the risks the chief financial officer may take and the types of instruments in which the chief financial officer may make investments. D. Determine the nature of controls established by the chief financial officer to monitor the risks in the investments.
B. Determine whether the CFO is getting higher or lower rates of return on investment than are CFOs in comparable organizations For this particular engagement, the auditor does not need to develop a comparison of investment returns with those of other organizations. In fact, some financial investment scandals show that such comparisons can be highly misleading because high returns were due to taking on a high level of risk. Also, this determination does not test the adequacy of the controls.
The IIA Practice Guide concerning the ISO 31000 model describes three approaches to providing assurance on risk management processes. Which of the following is not one of these approaches? A. Process element. B. Negative assurance. C. Key principals D. Maturity model
B. Negative assurance Negative assurance is not a concept applicable to providing assurance on risk management processes described in the ISO 31000 model.
The level of assurance that risk management can provide regarding the achievement of entity objectives is A. Negative. B. Reasonable. C. Positive D. Absolute
B. Reasonable Risk management should provide reasonable assurance that entity objectives are achieved.
Which of the following is a true statement about the use by senior management and the board of the internal audit activity as a source of information about risk management processes? A. Senior management and the board need this information sooner than internal audit can provide it. B. The internal audit activity should be used as a source of information about the success of ongoing risk management activities. C. The internal audit activity cannot be expected to be objective about risk management processes. D. The internal audit activity is not a good source of information about the daily functioning of risk management processes.
B. The internal audit activity should be used as a source of information about the success of ongoing risk management activities. The two most important sources of information for ongoing assessments of the adequacy of risk responses (and the changing nature of the risks) are those closest to the activities themselves and the audit function. Operating managers may not always be objective about the risks facing their units, especially if they had a stake in designing a particular response strategy.
Which of the following activities are included in ERM? 1. Determining risk appetite 2. Identifying potential risks 3. Communicating information on risks consistently and at all levels 4. Providing assurance on the effectiveness of risk management A. 2 and 4 only B. 1, 2, and 3 only C. 1, 2, 3, and 4 D. 1 and 3 only
C. 1, 2, 3, 4 Determining risk appetite, identifying potential threats, communicating information on risks consistently and at all levels, and providing assurance on the effectiveness of risk management are among the activities included in ERM.
Which of the following is an example of risk reduction? A. Never beginning the risk-producing activity. B. After considering all the the alternatives and implementing control activities, continuing to engage in the risk-producing activity. C. Hiring additional employees to perform routine maintenance checks on machinery. D. Purchasing insurance.
C. Hiring additional employees to perform routine maintenance checks on machinery Hiring additional employees to perform routine maintenance checks on machinery would reduce the risk of a complete break-down in machinery and is an example of risk reduction.
The function of the chief risk officer (CRO) is most effective when the CRO A. Shares the management of risk with the chief audit executive. B. Shares the management of risk with line management. C. Monitors risk as part of the enterprise risk management team D. Manages risk as a member of senior management.
C. Monitors risk as part of the enterprise risk management team A CRO is a member of management assigned primary responsibility for enterprise risk management processes. The CRO is most effective when supported by a specific team with the necessary expertise and experience related to organization-wide risk.
Limitations of enterprise risk management (ERM) may arise from A. Collusion. B. Faulty human judgment. C. Cost-benefit considerations. D. All of the answers are correct.
D. All of the answers are correct The limitations of ERM are the same as those for control in general. They arise from the possibility of (1) faulty human judgment, (2) cost-benefit considerations, (3) simple errors or mistakes, (4) collusion, and (5) management override.
A team consisting of operational personnel, internal auditors, and outside consultants has performed a detailed review of the inputs, processes, and outputs of the credit and accounts receivable function. This type of event identification is known as A. Trap event methodology. B. Loss event data methodology. C. Process flow analysis. D. Leading event indicators.
C. Process flow analysis In this type of event identification, a single business process, such as vendor authorization and payment, is studied in isolation for the events that affect its inputs, tasks, responsibilities, and outputs.
When assessing the risk associated with an activity, an internal auditor should A. Update the risk management process based on risk exposures. B. Design controls to mitigate the identified risks. C. Provide assurance on the management of the risk. D. Determine how the risk should best be managed.
C. Provide assurancce on the management of the risk The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach (Perf. Std. 2100). Assurance services involve the internal auditor's objective assessment of management's risk management activities and the degree to which they are effective.
Which of the following statements about risk management is false? A. Boards have an oversight function. B. The internal audit activity may be directed to recommend improvements. C. The internal audit activity may not have a consulting role in identifying, evaluating, and implementing risk management methods. D. Management ensures that sound risk management processes are functioning.
C. The internal audit activity may not have a consulting role in identifying, evaluating, and implementing risk management methods. The internal audit activity does have a consulting role in identifying, evaluating, and implementing risk management methods and controls.
Risk management, at any level, consists of Identifying potential events that may affect the entity Managing the associated risk to be within the entity's risk appetite A. 1 only. B. 2 only. C. Neither 1 nor 2. D. 1 and 2.
D. 1 and 2 Risk management, at any level, consists of (1) identifying potential events that may affect the entity and (2) managing the associated risk to be within the entity's risk appetite. Risk management should also provide reasonable assurance that entity objectives are achieved.
Which of the following qualities should be possessed by a board of directors? A. A majority of the board should be outside directors. B. Directors generally should have years of experience in the industry. C. Directors must be willing to challenge management's choices. D. All of the answers are correct.
D. All of the answers are correct Directors' attitudes are a key component of the internal environment. They must possess certain qualities to be effective. - A majority of the board should be outside directors. Directors generally should have years of experience either in the industry or in corporate governance. -Directors must be willing to challenge management's choices. -Complacent directors increase the chances of adverse consequences.
Which of the following is not an example of an internal audit role that may be performed as a consulting engagement, given safeguards against loss of independence and objectivity? A. Championing establishment of ERM. B. Developing a risk management strategy for board approval. C. Facilitating identification and evaluation of risks. D. Being accountable for risk management.
D. Being accountable for risk management This would threaten the audit activity's independence and objectivity and therefore should not be performed as part of a consulting engagement.
The board's expectations of the internal audit activity regarding the risk management process are A. Noted in the work programs for formal consulting engagements. B. Reviewed by the internal auditors immediately following a disaster. C. Included in the business continuity plan. D. Codified in the charters of the internal audit activity and the board.
D. Codified in the charters of the internal audit acitivty and the board The chief audit executive (CAE) is to obtain an understanding of senior management's and the board's expectations of the internal audit activity in the organization's risk management process. This understanding is then codified in the charters of the internal audit activity and the board
he correct order for performing the first four phases of the enterprise risk management (ERM) process is A. Risk assessment, objective setting, event identification, internal environment. B. Objective setting, internal environment, event identification, risk assessment. C. Event identification, risk assessment, internal environment, objective setting. D. Internal environment, objective setting, event identification, risk assessment.
D. Internal Environment, Objective Setting, Event Identifcation, Risk Assessment
The internal auditor should evaluate the adequacy of controls over the safeguarding of assets from all of the following except A.Exposure to the elements. B. Misappropriation schemes. C. Improper employee usage. D. Underusage of physical facilities.
D. Underusage of physical facilities The internal audit activity must evaluate risk exposures relating to governance, operations, and information systems regarding the safeguarding of assets (Impl. Std. 2120.A1). For example, internal auditors evaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the elements. But underusage of facilities relates to efficiency of operations.
