CRMA- Certification in Risk Management Assurance Part 1 of 2

Which of the following best describes the internal auditors' role when providing assurance on risk management reporting? Select one. A. Creating a report on the organization's key risks. B. Reviewing the accuracy and timeliness of key risk reports. C. Providing key risk reports to the board or audit committee. D. Providing key risk reports to external auditors.

Solution: B

Which of the following describes the highest level of risk management maturity (commonly referred to as "risk-enabled")? Select one. A. When a risk strategy and policies are in place and communicated. B. When risk management and internal control are fully embedded into operations. C. When the organization establishes a risk committee, risk management team, and risk processes. D. When risk appetite has been defined.

Solution: B

Which of the following risk metrics best fits this description: A risk metric, recording the chance of a risk event occurring, usually expressed as a percentage. Select one. A. Impact. B. Likelihood. C. Persistence. D. Preparedness. E. Velocity.

Solution: B

Which of the following terms is closest in meaning to risk appetite? A. Existing risk profile. B. Risk capacity. C. Risk tolerance. D. Attitudes toward risk.

Solution: B

What actions must CAEs take if they believe the residual risk level remains at an unacceptable level? Select all that apply. A. Determine how the risk should be managed. B. Discuss the matter with senior management. C. Update the risk management processes based on actual risk exposure. D. Design controls that can be implemented to reduce severity to an acceptable level. E. Report the matter to the board. F. Seek a second opinion from a third party.

Solution: B and E

In the COSO Internal Control framework, there are two types of controls, namely hard and soft. Which of the following are examples of soft controls? Select all that apply. A. Policies and procedures. B. Tone at the top. C. Risk culture. D. Training. E. Role description. F. Organizational structure.

Solution: B, C, and D

Which of the following are elements of the control environment? Select all that apply. A. Independence. B. Integrity. C. Objectivity. D. Skill. E. Style. F. Structure.

Solution: B, D, E, and F

Which of the following items are likely to be included in the internal audit charter? Select all that apply. A. CAE's remuneration. B. CAE's dual reporting lines. C. The annual risk-based audit plan. D. Authority to access records, personal, and physical assets as required. E. The internal audit activity's annual budget. F. The scope and limits of the CAE's responsibilities.

Solution: B, D, and F

According to COSO's internal control framework, which of the following is a precondition to risk assessment? Select one. A. Establishing control procedures or activities. B. Establishing a monitoring mechanism. C. Establishing objectives or goals. D. Establishing performance measures.

Solution: C

An auditor becomes aware of a new regulation. To the best of the auditor's knowledge, management has not considered the implications of the new regulation for the organization, its goals, and its activities. What should the auditor do? Select one. A. Notify the board that management has not addressed the associated risks. B. Perform a risk assessment and determine the appropriate risk responses. C. Notify management of the regulatory requirement and potential compliance risks, and offer advice. D. Perform an audit of the compliance activity.

Solution: C

An organization uses training and written manuals to guide and supervise behavior and to control the outcomes of its accounting functions and responsibilities. Which of the following best describes the type of control that is being used? Select one. A. Preventative control. B. Detective control. C. Directive control. D. Corrective control.

Solution: C

Which of the following risk metrics best fits this description: A risk metric, measuring how frequently the circumstances arise that may give rise to the trigger event. Select one. A. Impact. B. Likelihood. C. Persistence. D. Preparedness. E. Velocity.

Solution: C

Which of the following risk metrics best fits this description: Risk metric used to measure the durability of conditions giving rise to the trigger event. Select one. A. Volatility. B. Interdependency. C. Persistence. D. Correlation.

Solution: C

From The IIA's ERM fan diagram, which of the following fall in the section of "legitimate internal audit roles with safeguards"? Select all that apply. A. Giving assurance that risks are effectively evaluated. B. Giving assurance on risk management processes. C. Coaching management in responding to risks. D. Consolidated reporting on risks. E. Imposing risk management processes. F. Making decisions on risk responses.

Solution: C and D

As part of its strategy for internal audit, a board makes use of a rotational model as a means of filling and replenishing the position of CAE in a three-year cycle, drawing upon long-serving members of the organization's senior management. Which of the following is likely to be the biggest disadvantage of using this approach? Select one. A. The board will need to establish a working relationship with the incoming CAE every three years. B. Each new CAE will be unfamiliar with the detailed workings of many of the functions in the organization and will need to build this knowledge. C. Throughout his or her tenure, the CAE will be unable to oversee assurance or consulting engagements that relate to areas of previous responsibility. D. The incoming CAE will be unfamiliar with the specific responsibilities and activities of the internal audit activity, and there is likely to be a period of time needed before the CAE can provide strong strategic leadership

Solution: D

Which of the following risk metrics best fits this description: A risk metric, measuring the ability of the organization to withstand the risk impacts. Select one. A. Impact. B. Likelihood. C. Persistence. D. Preparedness. E. Velocity.

Solution: D

Which of the following terms best matches this definition: "Disposition, sensibility, understanding, and mindset that relate to the character and traits of the individual." Select one. A. A body of knowledge. B. A competency framework. C. A competency-based interview. D. Attitudes and abilities, as components of a competency.

Solution: D

You are the CAE for a defense contractor in the aerospace sector. Senior management and the board are very concerned about information security risks. Which one of the following framework or set of standards would you recommend? Select one. A. COSO ERM - Integrating with Strategy and Performance. B. ISO 31000 Risk Management. C. IIA GAIT for Business and IT Risk. D. The National Institute of Standards and Technology NIST 800-37.

Solution: D

When identifying an appropriate risk response, organizations have a range of choices and may often employ a blended approach combining two or more responses. Risk may be avoided (or terminated) by eliminating the activity or goal. If the response is anything other than avoid (or terminate), which of the following is always part of the response? Select one. A. Accept. B. Pursue. C. Reduce. D. Share.

Solution: A

Which of the following are considered to be elements of the system of internal control, in accordance with the IPPF glossary? Select all that apply. A. Integrity and ethical values. B. Management philosophy and operating style. C. Organizational structure. D. Assignment of authority and responsibility. E. Human resource policies and practices. F. Competence of personnel.

A, B, C, D, E, and F

According to the Standards, who is responsible for making a regular review of the internal audit charter? Select one. A. The CAE. B. The board. C. Senior management. D. External auditors.

A. The CAE. Correct. In accordance with Standard 1000 - Purpose, Authority, and Responsibility, the CAE must "periodically review the internal audit charter and present it to senior management and the board for approval."

Administrative reporting or functional reporting: A. Human resource administration. B. Routine internal communications. C. Reports relative to the internal audit activity's plan. D. Budget management. E. Assessment of the CAE's performance. F. Updates to the internal audit charter.

Administrative Administrative Functional Administrative Functional Functional

The following scenario relates to questions 82-84. Using COSO terminology, there are five main risk responses, namely: I. Accept. II. Avoid. III. Pursue. IV. Reduce. V. Share. 82. Consider the following example. An organization assesses its exposure to risk associated with fluctuations in currency exchange rates. In response, it determines a policy of agreeing prices by using the prevailing exchange rate at the point of sale rather than the point of payment, which may occur many months later. What is the best way to characterize this response to the inherent risk? Select one. A. I. B. II. C. III. D. IV. E. V.

E. V. Correct. The organization is sharing the risk with the customer. Between the point of sale and the payment date, fluctuations may favor either the organization or the customer. Agreeing the rate at the point of sale eliminates uncertainty at a later date but shares the gains or losses on fluctuating exchanges.

A CAE decides to advocate to senior management and the board for greater risk management maturity. Which of the following steps may the CAE take in this quest without imperiling organizational independence? Select all that apply. A. Undertake an analysis of risk management stakeholders. B. Include a focus on risk management processes in every assurance engagement, and at the end of the year, give an overall opinion on risk management effectiveness. C. Develop key messages that can be used to promote risk awareness throughout the organization. D. Set KPIs for risk management processes. E. Select an appropriate risk management framework that aligns with the organization's priorities and culture. F. Participate as a voting member of the selection panel to appoint a new CRO.

Solution: A, B, and C

Arrange the following stages in the lifecycle of a risk in the appropriate sequence. I. Final impact. II. Intermediate consequences. III. Intermediate events. IV. Risk event. V. Risk source. VI. Trigger event.

V VI III IV II I

Main purpose of assurance is to offer: Main purpose of consulting is to offer:

advice, opinion

The board is required to exercise oversight of the internal audit activity. How can the CAE help the board in this regard? I. By providing reports on the findings of internal audit engagements. II. By disclosing possible impairments to organizational independence. III. By repeating work undertaken by other assurance providers in order to determine the reliability of such work. IV. By sharing findings of assurance engagements with external auditors. Select one. A. I and II only. B. I and III only. C. II and III only. D. II and IV only.

A. I and II only. Correct. The CAE is required to make such reports and disclosures to the board, and they are key to the board maintaining active oversight of internal audit.

The following scenario relates to questions 82-84. Using COSO terminology, there are five main risk responses, namely: I. Accept. II. Avoid. III. Pursue. IV. Reduce. V. Share. Consider the following example. A small organization assesses its exposure to compliance risk associated with new, complex, and rapidly changing regulations on data privacy. In response, it determines that full compliance is prohibitively expensive and prepares contingency plans for paying fines and dealing with any notification to the public that it is noncompliant. What is the best way to characterize this response to the inherent risk? Select one. A. I. B. II. C. III. D. IV. E. V.

A. I. Correct. The organization has accepted the risk and is preparing to deal with, rather than minimize, the impacts it may sustain.

Threats to internal audit's independence have the effect of limiting its scope and authority. In general, internal audit needs to be able to plan, undertake, and report its activities without hindrance. A recent external quality review identified the following: I. The CEO is also the chair of the board. II. The CAE reports functionally to the chair of the board. III. The CAE was previously the chief compliance officer (over 12 months previously). IV. The CAE's meetings with the board always include full membership of the board. Which of these findings is likely to have the biggest negative impact on the independence of internal auditing? Select one. A. I and II only. B. I, II, and IV only. C. III only. D. II and III only.

B. I, II, and IV only. Correct. Taken together, the fact that the CAE reports to the chair of the board who is also the CEO, and does not have the chance to meet the board without members of management (including the CEO) being present, will greatly reduce the effective independence of internal audit from management.

47. When conducting risk identification for the first time, the following steps are applied: I. Develop an initial risk register. II. Conduct control risk self-assessment (CRSA). III. Calculate risk severity. IV. Define the risk universe. Which of the following is the most likely sequence of these steps? Select one. A. I, II, III, and IV. B. II, IV, I, and III. C. II, III, IV, and I. D. III, IV, II, and I.

B. II, IV, I, and III. Correct. CRSA is a good first step toward identifying risk through a structured workshop supported by surveys to ensure wide participation. Defining a risk universe follows from the lists of risks identified from CRSA, creating a more detailed articulation of what is relevant to the organization. A risk register follows from the risk register, creating an even more detailed account of risks, including risk ownership. Determining the risk severity is the last step once as much information as possible is known about the risk.

While performing an assurance engagement on risk management processes, the auditor evaluated the organization using the COSO ERM - Integrating with Strategy and Performance as a benchmark. The auditor noted the following findings: • Clearly defined responsibilities for the internal environment. • Robust policies, procedures, and protocols in place. • Consistent use of documentation. • Informal risk management philosophy. • Inconsistent communication of risk attitude. • Inconsistent risk culture. In reporting on the risk management maturity, what is the most appropriate conclusion of the engagement? Select one. A. None. B. Initial - early stages of development. C. Repeatable - policies and procedures are in place, and practices are consistent, structured, and organized. D. Defined - policies and procedures are in place and adhered to, likely to have some functions with higher maturity than others. E. Managed - integrated, well structured, and impactful. F. Optimized - high level of integration, sophistication, and maturity.

B. Initial - early stages of development. Correct. While policies and procedures are in place and appear robust, the inconsistencies in understanding, attitude, and culture mean that the maturity cannot be ranked any higher than "initial."

The following scenario relates to questions 82-84. Using COSO terminology, there are five main risk responses, namely: I. Accept. II. Avoid. III. Pursue. IV. Reduce. V. Share. Consider the following example. An organization is assessing its exposure to risk associated with a serious outbreak of a contagious and occasionally fatal disease that is currently highly localized. In response, it considers a range of scenarios according to different projections for the spread of the virus. As a result, it decides to suspend trading in the affected region with immediate effect while at the same time initiate a new initiative to expand operations elsewhere. It also decides to continue to monitor the situation closely. What is the best way to characterize this response to the inherent risk? Select one. A. I. B. II. C. III. D. IV. E. V.

D. IV. Correct. The organization has attempted to reduce the likelihood of impact by avoiding trade with the affected region and reduce the impact by attempting to stimulate activity in other regions.

Threat to Independence OR Threat to Objectivity: A. Absence of a defined internal audit charter. B. Restricted access to some records, personnel, and physical assets. C. Self-interest. D. Strong familiarity with the activity under review. E. Lack of the necessary skills. F. A reporting line lower down in the organization than is needed for the activity to fulfill its responsibilities.

Ind. Ind. Obj. Obj. Obj. Ind.

A code of ethical behavior and statement of organizational values are risk responses to the possibility individuals may act in such a way as to cause damage to the organization. Which of the following statements about these responses are true? Select one. A. They are preventative measures designed to reduce likelihood. B. They are preventative measures designed to reduce impact. C. They are detective measures designed to alert management to instances of unethical behavior. D. They form part of contingency measures to help repair any damage that may be incurred as a result of unethical behavior.

Solution: A

An internal auditor is using a key principles approach to assess the organization's risk management processes. One of the key principles under review is that "risk management is transparent and inclusive." Which of the following techniques is likely to provide the most relevant and useful evidence? Select one. A. Ongoing observations made by the CAE from participating ex officio in risk council meetings. B. Review of risk management literature for best practices. C. Process mapping of the organization's risk identification activities. D. Results from previous audits.

Solution: A

In response to risk associated with valuable data and hardware, an organization introduces steel doors that require user IDs and unique passwords in order to restrict access to the servers. These are examples of which of the following type of control? Select one. A. Preventive controls. B. Corrective controls. C. Detective controls. D. Directive controls.

Solution: A

In the COSO Internal Control framework, there are two types of controls, namely hard and soft. Which of the following describes characteristics of soft controls? Select one. A. Controls that rely on behavior and attitude. B. Controls that are relatively easy to introduce, monitor, and manage. C. Policies, processes, and specific measures such as password protection. D. Controls designed, introduced, and performed by people.

Solution: A

Standard 2120 - Risk Management requires the internal audit activity to evaluate the effectiveness and contribute to the improvement of risk management processes. In determining whether risk management processes are effective, the standard states that the internal audit activity must undertake an assessment of which of the following sequence of activities? Select one. A. (i) Organizational objectives support and align with the organization's mission. (ii) Significant risks are identified and addressed. (iii) Appropriate risk responses are selected that align risks with the organization's risk appetite. (iv) Relevant risk information is captured and communicated in a timely manner. B. (i) Organizational risks are reviewed alongside the organization's mission. (ii) An assessment of these risks is measured against the organization's objectives. (iii) Risk information is shared with the board and key stakeholders. (iv) An implementation plan is produced to address those risks. C. (i) Appropriate risks are identified through a process of periodic assessment. (ii) Relevant risk information is presented to senior management and the board aligned with the mission and organizational objectives. (iii) A plan is produced to address and minimize those risks in accordance with the organization's risk appetite. (iv) Periodic assessments are conducted to evaluate conformance with the organization's mission and objectives, code of ethics, and standards. D. (i) Appropriate risks are identified in consultation with senior management and the board. (ii) The risk assessment plan is reviewed, as necessary, in response to changes in the organization's business operations, systems, and controls. (iii) Risk mitigation strategies are identified aligned with the organization's mission, objectives, and risk appetite. (iv) A risk mitigation plan is communicated in a timely manner.

Solution: A

Which of the following BEST describes risk culture? Select one. A. The system present throughout an organization of shared values and beliefs about risk that shapes attitudes, behaviors, and decisions. B. The leadership of and commitment to risk management from the highest levels of an organization. C. The level of authority and trust awarded to managers to determine the level of risk they are prepared to take. D. The policies and processes that define risk ownership, responsibilities, and reporting requirements.

Solution: A

Which of the following best describes a control risk self-assessment exercise? Select one. A. Examining how well controls are working in managing key risks. B. Using standardized checklists to assist risk identification. C. Reviewing processes systematically to identify vulnerabilities and threats. D. Determining the cost-effectiveness of controls.

Solution: A

Which of the following is the most likely reason why implementation of enterprise risk management (ERM) in an organization fails? Select one. A. ERM processes are not uniformly applied across the organization and there is insufficient focus on key entity-wide risks. B. ERM is not used as the driving force behind everything that the organization does. C. ERM is not implemented quickly enough, usually 12 months or less. D. The full ERM framework is not adopted immediately but implemented in stages instead.

Solution: A

Which of the following risk metrics best fits this description: A risk metric, recording the effect on an organization and its objectives of a risk event occurring, often expressed in financial terms. Select one. A. Impact. B. Likelihood. C. Persistence. D. Preparedness. E. Velocity.

Solution: A

Which of the following risk metrics best fits this description: Risk metric used to measure the degree of changeability in the risk and the source of the risk. Select one. A. Volatility. B. Interdependency. C. Persistence. D. Correlation.

Solution: A

Which of the following statements about assurance and consulting engagements are true? I. Governance, risk management, and control processes may be included in the scope of consulting engagements but must be included in assurance engagements. II. Consulting engagements should be accepted simply because management makes a request. III. Internal auditors may consider general observations (even if not part of a specific engagement) from consulting in developing audit plans. IV. Auditors do not need to disclose potential impairments to objectivity when accepting consulting engagements. Select one. A. I and III only. B. II and III only. C. I and IV only. D. III and IV only.

Solution: A

Members of the internal audit activity have been asked to assume a number of additional advisory roles related to ERM. Which of the following may be applied as appropriate safeguards for organizational independence and/or individual objectivity for assurance services? Select all that apply. A. Conforming to the requirements of the IPPF. B. Using "cooling off" periods such that internal auditors do not provide assurance on areas of the organizations where they have recently had responsibility or provided consultation. C. Deferring professional development opportunities to free up time for additional responsibilities related to ERM. D. Deferring planned assurance engagements to free up time for more advisory engagements. E. Reporting the outcomes of advisory work to senior management. F. Blocking access to the findings from advisory engagements to internal auditors conducting assurance engagements.

Solution: A and B

From The IIA's ERM fan diagram, which one falls in the section of "core internal audit roles with respect to ERM"? Select all that apply. A. Evaluating the reporting of key risks. B. Facilitating identification and evaluation of risks. C. Developing risk management strategy for board approval. D. Management assurance on risk. E. Implementing risk responses on management's behalf. F. Evaluating the reporting of key risks.

Solution: A and F

The definition of risk taken from the IPPF glossary is as follows: "The possibility of an event occurring that will have an impact on the achievement of objectives." Suppose an organization has the following objective: To sell 1,000 units at $10 each. Which of the following may be described as a risk for the organization? Select all that apply. A. A downturn in the economy may reduce demand by 10%. B. Overseas demand may exceed expectation and a total of 1,100 units are sold. C. A competitor may offer a similar product at a lower price and attract customers away. D. Foreign exchange rates may make the product cheaper for customers overseas, stimulating additional sales. E. A new method of production may become available. F. Climate change occurs less quickly than expected.

Solution: A, B, C, and D

Which of the following techniques may be used in root cause analysis? Select all that apply. A. Cause and effect (or fishbone) diagrams. B. Cost-benefit analysis. C. Fuzzy logic. D. Five whys. E. Waterfall model. F. Rapid development.

Solution: A, B, C, and D

Which of the following are examples of hard controls? Select all that apply. A. Physical counts. B. Policies. C. Shared values. D. Openness. E. Structure. F. Delegation.

Solution: A, B, E, and F

Continuous auditing comprises which of the following activities by the internal audit activity? Select all that apply. A. Continuous controls assessment. B. Continuous risk assessment. C. Continuous monitoring of risks and controls. D. Assessment of continuous monitoring.

Solution: A, B, and D

In many organizations, the CAE is asked to assume additional responsibilities with respect to ERM as a long-term or permanent part of his or her role. Such responsibilities can include monitoring, coordinating, advising, testing, analyzing, reporting, managing personnel (including the most senior risk officer), and directing risk management operations. In such situations, CAEs and boards are usually aware of the potential for impairments to internal audit's independence. Which of the following are legitimate benefits of such a move and consistent with the requirements of the Standards? Select all that apply. A. Utilizing the CAE in this way can lead to efficiency gains, reduce audit fatigue, and rationalize reporting and communications related to risk in such a way that benefits senior management and the board. B. The CAE is likely to have complementary skills that can be usefully applied to helping improve ERM processes. C. The CAE can oversee assurance engagements related to ERM but not participate directly on the engagement. D. The CAE will be able to identify professional development needs of managers and process owners with respect to risk management and provide some of the training. E. The most senior risk officer may report functionally and exclusively to the CAE without creating any restrictions on the role of the CAE as long as the board is fully aware of the situation. F. Internal auditors will be able to impose a consistent use of terminology and risk measures across the organization.

Solution: A, B, and D

According to the definition given in the IPPF, what does risk management do with respect to "potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives"? Select all that apply. A. Identify. B. Avoid. C. Assess. D. Manage. E. Control. F. Communicate.

Solution: A, C, D, and E

Following a process of situational analysis and risk identification, an organization has decided to open a new warehouse that is situated in a potential flood plain. Because of its location, the operational costs are lower than other available alternatives and are likely to stay lower as prices rise elsewhere. The building has two floors and the organization has allocated the upper floor to store the materials most easily damaged by water. It has also taken out an expensive insurance policy to provide cover in the event of flooding and has commenced operations. Which of the following risk responses has it adopted? Select all that apply. A. Accept. B. Avoid. C. Pursue. D. Reduce E. Share.

Solution: A, C, D, and E

Which of the following are likely benefits an organization can expect in implementing combined assurance? Select all that apply. A. Makes the oversight role of the board more effective. B. Reduces the need for consulting engagements. C. Leads to improved efficiency in assurance activities. D. Leads to reduction in external auditor fees for the annual audit of financial statements. E. Reduces assurance fatigue for managers and operations personnel. F. Shortens the time for individual assurance engagements.

Solution: A, C, and E

Which of the following statements about the differences between assurance and consulting engagements are true? Select all that apply. A. Internal audit's involvement in a consulting engagement is generally at the request of management. B. During consulting engagements, internal audit is able to implement improvements in ERM. C. During consulting engagements, internal audit can only recommend improvements, and management is free to accept or reject the proposals. D. Unlike assurance activities, consulting does not have to be defined in the internal audit charter. E. Internal auditors can participate in a consulting engagement of an activity for which they have had responsibility within the last 12 months. F. Consulting engagements can be deferred until available resource is identified, but assurance engagements need to go ahead according to the agreed plan, even if available auditors do not have the required skills.

Solution: A, C, and E

In accordance with Standard 2010 - Planning, which of the following are needed to establish a risk-based plan? Select all that apply. A. A documented risk assessment conducted in consultation with senior management and the board at least once a year. B. The effective communication of risk appetite. C. Consideration of the work of other assurance providers. D. Alignment with the organization's goals. E. Strict adherence to the plan once it is agreed. F. Consideration of expectations of other stakeholders.

Solution: A, D, and F

According to Standard 2030 - Resource Management, the CAE must ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan. When appropriate resources are not available for an assurance engagement for risk management processes, a number of options are available. These options have relative merits and demerits related to costs, speed of acquisition, likely level of competency, familiarity with the organization, and the amount of training and supervision required. The annual audit plan has been approved and includes a highly technical assurance engagement related to cybersecurity, an area of great interest to the board. In discussions with senior management and the relevant process owners, the scope and date have been determined. However, just prior to the planned engagement, the internal auditor with the most relevant expertise decides to leave the organization and will be unavailable from the outset. Which of the following options is likely to be the most appropriate for the CAE? Select one. A. Defer the engagement and wait until a new member of the team is found with the corresponding skills. B. Recruit someone from the IT team from a similar area but for one of the overseas divisions to work alongside an experienced member of the internal audit activity. C. Hire an intern who is studying cybersecurity, has just completed the first year of their program, and is looking for experience over the summer. D. Provide intensive training for a member of the internal audit activity covering the technical aspects of cybersecurity.

Solution: B

An organization has calculated that for every day its call center is not available, it loses $250,000. The director of telecommunications has identified external threats as the most serious risks to the call center and has asked a consultancy firm to set up a duplicate offsite call center with backup hardware and software. In reacting to the possibility of call center closure and incurring financial losses, which risk response best describes the approach taken? Select one. A. Accept (or tolerate). B. Mitigate (or reduce). C. Pursue (or exploit). D. Avoid (or terminate). E. Share (or transfer).

Solution: B

An organization wishes to determine the optimal scope and scheduling of its IT risk assessment. What is the most efficient sequence of pre-assessment planning activities? I. Define the impact values of operational threat scenarios to the organization. II. Determine the vulnerability of the organization's hardware and software to external attacks or internal abuse. III. Identify the data that affect the organization's ability to achieve its goals and determine the criticality of the confidentiality, integrity, and availability of each class of data. IV. Identify where and how critical data are stored, transmitted, and processed. Select one. A. III, I, II, and IV. B. I, III, IV, and II. C. III, IV, II, and I. D. II, IV, I, and III.

Solution: B

As a cost-savings measure, an organization decides to outsource its internal audit function fully to a large accounting firm. Which of the following measures should the organization adopt to ensure continued conformance with the Standards? Select one. A. Insist that the work of the outsourced internal audit activity is reviewed by the external auditor on a periodic basis. B. Identify an individual within the organization to assume responsibility for internal audit and ensure a robust quality assurance and improvement program is established. C. Make it clear that the accounting firm is responsible for maintaining the effectiveness of the internal audit activity. D. Rotate the accounting firm at least once every five years to safeguard independence and objectivity.

Solution: B

In response to risk associated with valuable data and hardware, an organization introduces automated processes for quarantining suspected viruses and introducing patches when new risk is identified. These are examples of which of the following type of control? Select one. A. Preventive controls. B. Corrective controls. C. Detective controls. D. Directive controls.

Solution: B

The ISO 31000:2018 Risk Management standards links together three important aspects of an organization. Which one of the following is NOT of these aspects? Select one. A. Leadership and commitment. B. Stakeholder engagement. C. Value creation and protection. D. Risk management processes.

Solution: B

The chief compliance officer accepts the position of CAE in the same organization for a newly established internal audit activity. Three months later the new chief compliance officer asks the CAE to provide advice regarding an update of the compliance policy. What should the CAE do? Select one. A. Decline the consulting engagement. B. Accept the consulting engagement, but remind the new chief compliance officer that the CAE has worked in that area recently. C. Accept the consulting engagement, but have the external auditor review the CAE's advice. D. Decline the consulting engagement, but have lunch with the chief compliance officer to offer advice off the record.

Solution: B

The chief information security officer asks the CAE to offer advice regarding the implementation of a new security application. The only internal auditor with the necessary expertise departed from the organization the previous week and a replacement has not yet been hired. Which of the following actions should the CAE follow? Select one. A. Accept the consulting engagement and perform it with existing auditors. B. Decline the consulting engagement. C. Accept the consulting engagement with existing auditors, but have the external auditor review the advice given. D. Accept the consulting engagement and hire a consultant from an external agency to perform it.

Solution: B

There are a number of internal and external parties that contribute to the effectiveness of risk management, but which one has the primary responsibility for identifying and managing risks? Select one. A. Members of the board. B. Senior management. C. Heads of risk, compliance, and control functions. D. The chief audit executive (CAE). E. External auditors. F. Regulators.

Solution: B

What is the difference between risk appetite and risk tolerance? Select one. A. Only risk appetite can be expressed as the product of likelihood and impact. B. Risk appetite is a higher-level statement expressing levels of risks that management deems acceptable, while risk tolerance sets the acceptable level of variation from particular objectives. C. Risk appetite is tactical and operational, while risk tolerance is a broad statement of an acceptable enterprisewide portfolio of risk. D. Risk tolerance is an acceptable variance from risk capacity.

Solution: B

When assessing the adequacy and effectiveness of risk criteria used in risk management, which of the following activities should internal auditors perform as part of their consulting role? Select one. A. Determine appropriate criteria based on possible risk events and outcomes. B. Challenge management's choice and use of risk criteria. C. Align decisions with risk tolerance. D. Communicate risk criteria to the organization.

Solution: B

Which of the following procedures form part of the content of risk reporting? I. Changes to the risk profile or the level of severity of risks. II. Systematic checks of risk mitigation plans. III. Weaknesses identified in the system of internal control. IV. Updates on actions that have been taken with respect to risk treatments. Select one. A. I, II, and IV only. B. I, III, and IV only. C. I, II, and III only. D. II, III, and IV only.

Solution: B

Which of the following provides the BEST definition of residual risk? Select one. A. The risk that a material error exists in the financial statements after audit. B. The portion of inherent risk that remains after management executes its risk responses. C. The risk that an audit may fail to detect a control deficiency. D. Risk severity prior to implementation of risk responses. E. A risk that cannot be mitigated. F. The amount of impact that can be eliminated by preventative measures.

Solution: B

With respect to internal audit assurance and consulting engagements related to risk management processes, which of the following statements are true? Select all that apply. A. The nature and number of parties involved are the same. B. Assurance engagements are generally delivered when risk management practices are established and operating, whereas consulting engagements are more likely when there are no processes, or they are immature, or have been found defective. C. If the skills required to deliver an assurance engagement are not available, it may be declined, since it is up to the internal audit activity to determine what to audit. D. If the skills for a consulting engagement are not available, they must be secured, since this is at the demand of management. E. Both assurance and consulting engagements must be based on a risk assessment and take into consideration error, fraud, and noncompliance. F. If risk management processes are mature, internal audit does not need to conduct its own risk assessment.

Solution: B

From The IIA's ERM fan diagram, which of the following fall in the section of "roles internal audit should not undertake"? Select all that apply. A. Evaluating risk management processes. B. Setting the risk appetite. C. Accepting accountability for risk management. D. Coordinating ERM activities. E. Championing the establishment of ERM. F. Maintaining and developing the ERM framework.

Solution: B and C

Which of the following statements are correct? Select all that apply. A. Positive assurance is based on a statement noting confirmed evidence of effective processes only. B. Positive assurance is based on a statement noting evidence of effective and ineffective processes. C. Positive assurance must be based on 100% sampling. D. Negative assurance is based on a statement that the auditor found evidence of ineffective processes. E. Negative assurance is based on a statement that, as a result of a comprehensive review, no significant instances of ineffective processes were found. F. Negative assurance is based on a limited audit scope.

Solution: B and F

According to Standard 1110 - Organizational Independence, which of the following actions by the board are examples of functional reporting to achieve organizational independence? Select all that apply. A. Approving appointments of internal auditors. B. Approving the internal audit charter. C. Approving the remuneration of the CAE. D. Approving the appointment of the CAE. E. Approving the internal audit activity budget. F. Approving the risk-based internal audit plan.

Solution: B, C, D, E, and F

Which of the following are likely to be found in an assurance map? Select all that apply. A. All of the theoretical risk to which the organization is exposed. B. The party that owns the risk and the control. C. Mandatory assessments by external agents of conformance to regulations and standards. D. The party that is providing assurance on the risk and control. E. Times and dates of planned audits. F. Actions and recommendations for remediation and improvement.

Solution: B, C, D, E, and F

Which of the following are appropriate goals of risk management? Select all that apply. A. To eliminate uncertainty. B. To facilitate greater operational effectiveness and efficiency. C. To limit risk-taking as much as possible. D. To support the attainment of organizational objectives. E. To facilitate well-informed decision-making. F. To guarantee outcomes from activities.

Solution: B, D, and E

Fill in the blanks to reflect the requirements of the Standards accurately. [Blank 1] must be independent and [blank 2] must be objective. Blank 1 (select one): A. Internal auditors. B. The internal audit activity. C. The appointment of the CAE. D. Determining the scope of all assurance and consulting engagements. Blank 2 (select one): A. Internal auditors. B. The internal audit activity. C. The appointment of the CAE. D. Determining the scope of all assurance and consulting engagements.

Solution: Blank 1: B; Blank 2: A

An internal auditor is using a process elements activity approach to assess the organization's risk management processes. One of the key process elements under review is a requirement for structured and ongoing communication. Which of the following techniques is likely to provide the most relevant and useful evidence? Select one. A. Documented review of board and audit committee meetings. B. Interviews with those impacted by organizational operations. C. Interviews with individuals with responsibilities for risk management. D. Results from previous audits.

Solution: C

An organization is introducing a new product that is essential to retaining market share in a highly competitive industry. The internal audit activity has provided consulting services to the product development team. The auditors on this project believe several key risks that could result in significant negative impacts have not been fully considered or assessed. The CAE is invited to the chief risk officer's (CRO's) risk council meeting. At the meeting, the CAE presents the risks and coaches management on possible responses. At the end of the discussion, the risk council elects to go forward with the product launch because none of the risks presented were deemed to be catastrophic. Which of the following is the best way for the CAE to respond to the risk council's decision? Select one. A. No action is required. It is a management decision and the internal audit activity has fulfilled its obligations in drawing the risks to management's attention. B. No action is needed. Internal audit should not attempt to coach management on possible risk management responses as this is likely to impair independence and objectivity. C. Discuss the matter with senior management after the meeting and communicate the matter with the board. D. Discuss the matter with external auditors and other relevant external parties.

Solution: C

An organization is planning a risk assessment of the IT systems that process, store, and transmit its data relating to litigation. In accordance with The IIA's GAIT-R, what is the first and most important planning task the assessment team should undertake? Select one. A. Ensure the risk management team or assessment contractor has access to the technical expertise necessary to understand system configurations and software vulnerabilities. B. Conduct a thorough review of information security policies and procedures. C. Interview key members of senior management and operational managers to identify and rank threats to the business. D. Determine the types and proper mix of manual and automated controls needed to provide reasonable assurance.

Solution: C

In a "blended" engagement, what is it that is brought together? Select one. A. Assurance from more than one provider. B. Findings from more than one consulting engagement. C. Both assurance and consulting objectives in the scope. D. Findings based on quantitative and qualitative data.

Solution: C

In coordinating the implementation of a combined assurance approach to risk management, the internal audit activity receives assurance on various risks from a number of assurance providers in the organization. To evaluate the reliability of the assurance from each particular provider, the internal auditor would do which of the following? I. Review the policies and procedures of every assurance provider to ensure they prevent personnel from giving assurance in any area where they had operating responsibilities. II. Re-perform a sample of every assurance provider's work. III. Assess the extent to which the assurance provider's objectives and responsibilities are clearly articulated. IV. Determine whether assurance providers have sufficient expertise regarding organizational processes and risk. Select one. A. II only. B. IV only. C. I, III, and IV only. D. I, II, III, and IV.

Solution: C

In response to risk associated with valuable data and hardware, an organization introduces security cameras to identify unauthorized access to the servers. This is an example of which of the following type of control? Select one. A. Preventive controls. B. Corrective controls. C. Detective controls. D. Directive controls.

Solution: C

In the context of competencies, in the acronym KSA, the "A" typically stands for which of the following? Select one. A. Actions. B. Activities. C. Abilities. D. Agreement.

Solution: C

Standard 2120 - Risk Management requires that the internal audit activity evaluates the effectiveness and contributes to the improvement of risk management processes. In order to do this, the Implementation Guide requires that the internal auditor first considers which of the following? Select one. A. Identification of objectives and risks to achieving them; significance of risks; appropriate response to risks; key controls to manage risks; and the design adequacy of controls. B. Minutes of meetings; risk and control matrices and maps; results of surveys and interviews with management; and results of controls testing. C. The organization's size, complexity, life cycle, maturity, stakeholders, structure, and legal and competitive environment.

Solution: C

Which of the following statements regarding responsibilities held by the CAE beyond internal auditing are true? Select all that apply. A. The CAE cannot assume any responsibilities that fall outside of internal auditing. B. The CAE may only assume responsibilities that fall outside of internal auditing on a temporary basis. C. The CAE may assume any additional responsibilities without restriction as long as safeguards are in place to limit impairments to independence or objectivity. D. Assurance engagements for functions over which the CAE has responsibility must be overseen by a party outside the internal audit activity. E. Consulting engagements for functions over which the CAE has responsibility must be overseen by a party outside the internal audit activity. F. The CAE may oversee assurance engagements of functions for which he or she has responsibility as long as details of the impairment are disclosed to appropriate parties.

Solution: C and D

According to the definition given in the IPPF, what does governance do with respect to the "activities of the organization toward the achievement of its objectives"? Select all that apply. A. Assure. B. Assess. C. Direct. D. Inform. E. Manage. F. Monitor.

Solution: C, D, E, and F

In accordance with Standard 2450 - Overall Opinions, an overall audit opinion must be supported by information. What specific requirements must this information satisfy? Select all that apply. A. First-hand. B. Recent. C. Relevant. D. Reliable. E. Sufficient. F. Useful.

Solution: C, D, E, and F

Which of the following benefits are likely to accrue from adoption of a recognized framework as a benchmark when assessing an organization's risk management and control? Select all that apply. A. Legal enforceability of recommendations made to close the gap on the provisions of the framework. B. Confidence that all necessary and relevant aspects have been covered by the review. C. Access to a ready-made set of criteria as the basis of an assessment. D. Increased credibility and confidence by stakeholders in the value of the review and the legitimacy of findings and recommendations. E. Streamlined audit scope and timeline as a result of adopting and following a comprehensive preexisting framework. F. A useful teaching and learning tool that can be used to help identify areas for possible improvement.

Solution: C, D, and F

A purchasing manager has subcontracted repairs and maintenance to a facilities management company. This is a new relationship and has been entered into quickly. Which of the following is NOT an appropriate control measure to avoid the risks associated with this relationship? Select one. A. A schedule of regular communication and reporting. B. Financial penalties for missed targets and performance failures. C. Stated objectives and itemized responsibilities for each party. D. Identifying an alternative subcontractor.

Solution: D

As part of its consulting role, internal audit has been asked by management to help decide how best to mitigate a compliance risk. How should the internal auditors respond? A. Refuse to be involved in that decision altogether. B. Direct management to transfer the risk by obtaining insurance coverage. C. Perform an audit in the area and report it to management. D. Undertake research on the options and provide analysis.

Solution: D

In response to risk associated with valuable data and hardware, an organization introduces written procedures for the IT security team to follow in the event of an unauthorized hack. This is an example of which of the following type of control? Select one. A. Preventive controls. B. Corrective controls. C. Detective controls. D. Directive controls.

Solution: D

Select the term that most closely matches this definition: "The policies, procedures (both manual and automated), and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organization is willing to accept." Select one. A. Control environment. B. Risk management processes. C. The operating environment. D. Control processes.

Solution: D

Which of the following is the best approach for an internal auditor to use when benchmarking risk management processes? Select one. A. Meet with a competitor organization and exchange information about risk management processes. B. Ask the regulator which framework to use. C. Meet with representatives of operational management to establish a set of criteria and objectives. D. Research several frameworks and select the guidance from some or all of the frameworks that are relevant to the organization, its industry, culture, and objectives. E. Select the risk management framework with which the internal auditor is most familiar and ensure that all aspects of it are applied. F. Refrain from benchmarking since other models and examples are unlikely to be relevant to the organization.

Solution: D

Which of the following risk metrics best fits this description: A risk metric, measuring how quickly a risk moves from trigger event to impact. Select one. A. Impact. B. Likelihood. C. Persistence. D. Preparedness. E. Velocity.

Solution: E

Which of the following best describes risk escalation? Select one. A. When the impact of one risk becomes the source of additional risk. B. Final consequences from a risk follow in quick succession from a trigger event. C. The occurrence of a trigger event and its impacts are recorded. D. Two events when they occur together lead to much greater impact than when they occur separately. E. The circumstances that are a source of risk change rapidly. F. Information related to a control failure is reported to relevant stakeholders.

Solution: F

Controls may be classified as follows: I. Preventative controls. II. Corrective controls. III. Detective controls. IV. Directive controls. Match these types of controls to the following descriptions. A. Designed to fix the damage when it has occurred. B. Designed to reduce likelihood. C. Designed to increase preparedness should an event or impact occur. D. Designed to identify when an event or impact has occurred.

Solution: See below. A. II. B. I. C. IV. D. III.

The following are definitions of risk management terms: I. Preparedness (or desire) to accept risk across a class or category of risks. II. Totality of all risks that may impact an organization's objectives. III. The actual spread of risks across the defined risk categories. IV. The general disposition toward risk for the organization as a whole. V. The ability to accept risk. Match these definitions to the following terms. A. Risk universe. B. Risk profile. C. Risk capacity. D. Risk appetite. E. Risk attitude.

Solution: See below. A. II. B. III. C. V. D. I. E. IV.

The definition of internal auditing from the IPPF is given below (fill in the blanks): A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to (blank 1). The internal audit activity helps an organization accomplish its objectives by (blank 2) to evaluate and improve the effectiveness of governance, risk management, and control processes. Blank 1 (select one): A. Ensure optimum operational efficiency and effectiveness. B. Provide oversight of the decision-making and actions of management. C. Create and protect organizational value. D. Add value and improve an organization's operations. E. Maintain efficient and effective oversight of decisions, actions, behaviors, and outcomes. F. Safeguard the structures and processes by which the organization is monitored, informed, managed, and directed. Blank 2 (select one): A. Reporting to senior management and the board. B. Bringing a systematic, disciplined approach. C. Identifying and evaluating opportunities and threats to the organization. D. Conducting relevant and insightful assessments. E. Maintaining effective stakeholder engagement. F. Encouraging innovation and change

Solution: See below. Blank 1: D. Blank 2: B.

In the Three Lines Model, in addition to the board, there are three main groups of activities that contribute to effective risk management and control: I. First line roles. II. Second line roles. III. Third line roles. Some roles are shared across two or more of the lines. For each of the following, identify whether the role sits in the first, second, or third line or with a combination of two or three of them. A. Identification of new and emerging risks. B. Ownership of risk. C. Assessment of risk. D. Implementation of risk management frameworks. E. Advising management on control deficiencies. F. Providing independent assurance on the adequacy and effectiveness of risk management.

a. 1. 11. 111 b.1 c.1. 11, 111 d. 1, 11 e.11, 111 f. 111

Match the definitions to the key terms. Key terms: I. Risk capacity. II. Risk tolerance. III. Risk profile. IV. Risk attitude. V. Risk appetite. VI. Risk universe. A. The level of risk that an organization is willing to accept. B. Totality of all risks that may impact an organization's objectives. C. The general mindset toward risk, growth, and return. D. The amount of risk that the entity is able to support in pursuit of its objectives. E. Acceptable level of variation an entity is willing to accept regarding the pursuit of its objectives. F. The level and distribution of risks across the entity and across various risk categories.

a. V b. VI c. IV d. I e. II f. III