ACCT520 Unit #4

Which of the following may be assessed by the internal auditor as part of the risk management process?
1. Significant risks
2. Ongoing monitoring activities
3. Previous risk evaluation reports by management, internal auditors, external auditors, and any other sources

1 and 2 only.

Risk management, at any level, consists of
1. Identifying potential events that may affect the entity
2. Managing the associated risk to be within the entity's risk appetite

1 and 2.

Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that
1. Organizational objectives support and align with the organization's mission
2. Significant risks are identified and assessed
3. Appropriate risk responses are selected that align risks with the organization's risk appetite
4. Relevant risk information is captured and communicated in a timely manner across the organization

1, 2, 3, and 4.

Which of the following activities are included in ERM?
1. Determining risk appetite
2. Identifying potential risks
3. Communicating information on risks consistently and at all levels
4. Providing assurance on the effectiveness of risk management

1, 2, 3, and 4.

Which of the following are core assurance roles provided by the internal audit activity?
1. Giving assurance on risk management processes
2. Evaluating risk management processes
3. Reviewing the management of key risks
4. Setting the risk appetite

1, 2, and 3 only.

According to the COSO ERM framework, the organization establishes business objectives that align with and support strategy. Which of the following may relate to business objectives?
1. Operational excellence
2. Financial performance
3. Compliance obligations

1, 2, and 3.

Risk modeling in a consulting service is done by ranking the engagement's potential to
1. Improve management of risk
2. Add value
3. Improve the organization's operations

1, 2, and 3.

The maturity model approach to providing assurance on the risk management process determines where risk management is on the maturity curve and whether
1. It is progressing as expected
2. It adds value
3. It meets organizational needs

1, 2, and 3.

Which of the following are part of the risk analysis process?
1. Assessing the significance of an event
2. Assessing the event's likelihood
3. Considering the means to manage the risk

1, 2, and 3.

Who is responsible for the organization's risk management and control processes?
1. The internal auditor.
2. The external auditor.
3. Senior management.
4. The board of directors.

3 and 4 only.

Which of the following is the correct order of steps in the risk management process?
1. Identify risks
2. Monitor risk responses
3. Formulate risk responses
4. Assess and prioritize risks
5. Identify context

5, 1, 4, 3, 2.

For an enterprise-wide risk management program to be most effective, it should be led by which of the following?

A centralized coordinator.

According to the COSO ERM framework, the position or internal entity that is best suited, as part of the enterprise risk management process, to devise and execute risk procedures for a particular department is

A manager within the department.

Which of the following are roles that the internal audit activity should not undertake since they would threaten its independence and objectivity?

All of the answers are correct.

Which of the following is a factor affecting risk?

All of the answers are correct.

Which of the following qualities should be possessed by a board of directors?

All of the answers are correct.

Which of the following is not a function of senior management with regard to enterprise risk management (ERM)?

Approving the provisions of the internal audit charter dealing with risk management.

Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks. Regarding the risks associated with issuing checks, which of the following risk management techniques does this represent?

Avoiding.

The primary reason that a bank would maintain a separate compliance function is to

Better manage perceived high risks.

According to the COSO ERM framework, which of the following best describes the difference between strategy and business objectives?

Business objectives are the steps to achieve strategy.

Internal audit has prepared the following risk map for the upcoming audit year: Where should the chief audit executive devote the most internal audit resources?

Cannot be determined from the information given.

Which of the following has the greatest effect on the strategy and objective-setting component of the COSO ERM framework?

Changes in the organization's business context.

Which of the following members of an organization has ultimate ownership responsibility of the enterprise risk management, provides leadership and direction to senior managers, and monitors the entity's overall risk activities in relation to its risk appetite?

Chief executive officer.

Under the ISO 31000 model, the risk assessment element of a risk management process

Compares the established risk criteria with the results of the risk analysis.

According to the COSO ERM framework, the characteristic of risk that reflects its nature and scope is

Complexity.

According to ISO 31000, the design of a risk management framework involves all of the following except

Deciding on an appropriate risk response.

Senior management has identified the following risk areas within the organization:
Derivatives trading: Likelihood high, Impact low
Materials acquisition: Likelihood low, Impact low
Petty cash: Likelihood high, Impact low
Bond issue: Likelihood low, Impact high
Transportation fleet: Likelihood high, Impact medium
Which of the following is a true statement in terms of overall risk exposure of the areas named?

Derivatives trading has less risk exposure than the transportation fleet.

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. With respect to evaluating the adequacy of risk management processes, internal auditors most likely should

Determine that the key objectives of risk management processes are being met.

An internal auditor plans to audit the adequacy of controls over credit approval. Which of the following is not a required procedure in such an engagement?

Determine whether loans and other liabilities are valued in accordance with industry regulations.

An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement?

Determine whether the chief financial officer is getting higher or lower rates of return on investments than are chief financial officers in comparable organizations.

Each of the following is a limitation of enterprise risk management (ERM), except

ERM can provide absolute assurance with respect to objective categories

According to COSO, the benefits of enterprise risk management (ERM) include all of the following except

Elimination of all risks.

Which of the following is closely related to traditional risk management instead of enterprise risk management (ERM)?

Emphasis on specific functions.

Internal auditors should review the means of physically safeguarding assets from losses arising from

Exposure to the elements

The internal auditors are assessing the risk of fraud involving senior management. An impact factor is

Fines and penalties.

If an organization has no formal risk management processes, the chief audit executive should

Formally discuss with the directors their obligations for risk management processes

According to COSO, which component of enterprise risk management (ERM) addresses an entity's operating structures and core values?

Governance and culture.

Which of the following components are supporting aspects of the COSO ERM framework?

Governance and culture; information, communication, and reporting.

The Chief Audit Executive's responsibilities for risk management include which of the following?

Having formal discussions with the board about their obligations for understanding, managing, and monitoring risks.

Which of the following is an example of risk reduction?

Hiring additional employees to perform routine maintenance checks on machinery.

Which of the following is not a component of the risk management framework of the ISO 31000 model?

Human and cultural factor.

According to the COSO ERM framework, which of the following is an essential element of the governance and culture component?

Human capital.

Which of the following is a false statement about risk responses?

Identified risks cannot simply be accepted.

Risk is measured in terms of

Impact and likelihood.

A recent inventory shortage at XYZ Corp., an unaffiliated supplier, contributed to production failures at OPS Corp. in the current period. To avoid future production failures because of supplier inventory shortages, the most appropriate method is for OPS to

Inform XYZ about its risk appetite regarding supply failures.

Enterprise risk management

Involves the identification of events with negative impacts on organizational objectives.

Risk modeling or risk analysis is often used in conjunction with development of long-range engagement work schedules. The key input in the evaluation of risk is

Judgment of the internal auditors.

According to the COSO ERM framework, which of the following has day-to-day responsibility for enterprise risk management?

Management.

Which of the following threatens the independence of an internal auditor who had participated in the initial establishment of a risk management process?

Managing the identified risks.

Which of the following goals sets risk management strategies at the optimum level?

Maximize shareholder value.

The function of the chief risk officer (CRO) is most effective when the CRO

Monitors risk as part of the enterprise risk management team.

Which of the following is a false statement concerning risk management? Risk management processes

Must be quantitative, formal, and embedded in business units.

According to the ISO 31000 risk management framework, the board is responsible for

Overseeing risk management.

What is the board's role in the risk management process?

Oversees risk management processes.

Which of the following are common process components of the COSO ERM framework?

Performance; review and revision.

According to COSO's ERM framework, which view of risk is fully integrated?

Portfolio view.

In the risk management process, management's view of the internal audit activity's role is likely to be determined by all of the following factors except

Preferences of the independent auditor.

The ISO 31000 approach to risk management is

Principles based.

When assessing the risk associated with an activity, an internal auditor should

Provide assurance on the management of the risk.

The underlying premise of the COSO ERM framework is that every organization exists to

Provide value for its stakeholders.

The level of assurance that risk management can provide regarding the achievement of entity objectives is

Reasonable.

Banks provide reconciliation statements to their clients. From the clients' perspective, this practice is a form of which method of managing risks associated with cash?

Reduction.

Company management completes event identification and analyzes the risks. The company wishes to assess its risk after management's response to the risk. According to the COSO ERM framework, which of the following types of risk does this situation represent?

Residual risk.

Senior management has identified the trading of marketable securities as a high-risk activity. In response, a new supervisory position was created. Every evening after the close of business, this supervisor reviews every trade made during the day. After 6 months of trading marketable securities under this system, the quantified risk reported by the internal audit activity is termed

Residual risk.

Which of the following represents the best statement of responsibilities for risk management?

Responsibility for risk Advisory role Oversight role

According to COSO, the component of enterprise risk management (ERM) that best relates to continuous improvement is

Review and revision.

A chief audit executive is reviewing the following enterprise-wide risk map: Which of the following is the correct prioritization of risks, considering limited resources in the internal audit activity?

Risk C, Risk A, Risk B, Risk D.

Which of the following is not an activity undertaken as part of risk management?

Risk Exposure

When the executive management of an organization decided to form a team to investigate the adoption of an activity-based costing (ABC) system, an internal auditor was assigned to the team. The best reason for including an internal auditor is the internal auditor's knowledge of

Risk Management Processes

According to the COSO ERM framework, a risk profile is a view of the relationship between

Risk and performance.

The amount and types of risk an entity is willing to accept in pursuit of value is the definition of

Risk appetite.

The performance component of the COSO ERM framework addresses an entity's

Risk identification, assessment, and prioritization methods

Which of the following is a false statement concerning risk management?

Risk management is too important to be delegated to a committee.

Which of the following is the most accurate term for a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives?

Risk management.

A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk?

Risk reduction.

The company maintains a fund to pay for repairs to warehouse equipment. Which risk response strategy is the company using?

Risk retention.

What is residual risk?

Risk that is not managed.

Which of the following activities is outside the scope of internal auditing?

Safeguarding of assets.

Which of the following factors affects the control risk of an organization?

Segregation of duties.

Senior management performed the following steps during its recent deliberations over risk management:
1. Identified all the risks that might impede the achievement of the company's mission.
2. Designed new procedures to mitigate the risks associated with surplus equipment, one of the areas in which the risk of adverse impact was both material and likely.
3. Ensured that the director of surplus management understood and enacted the new procedures.
4. Reviewed regular reports from internal audit about the effectiveness of the new procedures for surplus equipment.
The most serious deficiency with the process is that

Senior management did not prioritize the identified risks.

Management considers risk appetite for all of the following reasons except

Setting risk capacity.

The internal auditor who works in enterprise risk management (ERM) may perform each of the following activities except

Setting the risk appetite of the organization.

A company purchases currency futures to respond to currency risk. However, due to increasing exchange rate fluctuations, the company has decided not to trade with foreign partners. Which of the following describes this change in risk response?

Sharing to avoidance.

An organization determined that its variable interest rate on an existing loan will increase significantly in the near future. It therefore decided to hedge its variable rate by locking in a fixed rate over the remaining loan period. According to the COSO ERM framework, this decision is which response to risk?

Sharing.

An entity defines its risk appetite in which component of the COSO ERM framework?

Strategy and objective-setting.

According to COSO, which of the following provides oversight of an entity's enterprise risk management (ERM)?

The board of directors.

Senior management has identified the following risk areas within the organization:
Derivatives trading: Likelihood high, Impact high
Materials acquisition: Likelihood low, Impact low
Petty cash: Likelihood high, Impact low
Bond issue: Likelihood low, Impact high
Transportation fleet: Likelihood high, Impact medium
Which of the following is a false statement in terms of overall risk exposure of the areas named?

The bond issue is riskier than petty cash.

Standard 2120 states that the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. Conformance with Standard 2120 is best demonstrated by

The charter of the internal audit activity.

Which of the following statements regarding the chief risk officer is false?

The chief risk officer should be employed in the internal audit function.

Which of the following represents a risk avoidance strategy?

The company has elected to exit the construction industry due to the high number of injuries.

According to COSO, ERM is best defined as

The culture, capabilities, and practices that organizations rely on to manage risk in creating, preserving, and realizing value.

Which of the following statements about risk management is false?

The internal audit activity may not have a consulting role in identifying, evaluating, and implementing risk management methods.

Which of the following is a true statement about the use by senior management and the board of the internal audit activity as a source of information about risk management processes?

The internal audit activity should be used as a source of information about the success of ongoing risk management activities.

Which of the following approaches to providing assurance on the risk management process is based on the principle that effective risk management processes develop as value is added at each stage of maturation?

The maturity model approach.

Which of the following is not a principle related to the review and revision component of the COSO ERM framework?

The organization develops and evaluates its portfolio view of risk.

Which of the following is not a principle related to the information, communication, and reporting component of the COSO ERM framework?

The organization identifies risks that disrupt operations of the ERM.

Inherent risk is

The risk when management has not taken action to reduce the impact or likelihood of an adverse event.

Which of the following statements regarding monitoring risk responses is false?

The two least important sources of information for ongoing assessments of the adequacy of risk responses are those closest to the activities themselves and the audit function.

When a customer fails to pay his or her invoice within 2 months, a notification is sent to inform the credit manager of the situation. This is an example of which kind of event identification method?

Threshold triggers.

The internal auditor should evaluate the adequacy of controls over the safeguarding of assets from all of the following except

Underusage of physical facilities.

