SU 2

Flashcard maker: Lily Taylor
When assessing the risk associated with an activity, an internal auditor should
A. Determine how the risk should best be managed.
B. Provide assurance on the management of the risk.
C. Update the risk management process based on risk exposures.
D. Design controls to mitigate the identified risks.
B. Provide assurance on the management of the risk.
Answer (B) is correct.
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach (Perf. Std. 2100). Assurance services involve the internal auditor’s objective assessment of management’s risk management activities and the degree to which they are effective.
The primary reason that a bank would maintain a separate compliance function is to
A. Better manage perceived high risks.
B. Strengthen controls over the bank’s investments.
C. Ensure the independence of line and senior management.
D. Better respond to shareholder expectations.
A. Better manage perceived high risks.
Answer (A) is correct.
The risk management process identifies, assesses, manages, and controls potential risk exposures. Organizations such as brokers, banks, and insurance companies may view risks as sufficiently critical to warrant continuous oversight and monitoring.
Which of the following represents the best statement of responsibilities for risk management?

Management | Internal Auditing | Board

A. Responsibility for risk | Oversight role | Advisory role
B. Oversight role | Responsibility for risk | Advisory role
C. Responsibility for risk | Advisory role | Oversight role
D. Oversight role | Advisory role | Responsibility for risk

C. Responsibility for risk | Advisory role | Oversight role
Answer (C) is correct.
Risk management is a key responsibility of senior management and the board. To achieve its business objectives, management ensures that sound risk management processes are in place and functioning. Boards have an oversight role to determine that appropriate risk management processes are in place and that these processes are adequate and effective. In this role, they may direct the internal audit activity to assist them by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of risk management processes (PA 2120-1, para. 1). Management and the board are responsible for their organization’s risk management and control processes. However, internal auditors acting in a consulting role can assist the organization in identifying, evaluating, and implementing risk management methodologies and controls to address those risks (PA 2120-1, para. 2).
Which of the following goals sets risk management strategies at the optimum level?
A. Minimize costs.
B. Maximize market share.
C. Minimize losses.
D. Maximize shareholder value.
D. Maximize shareholder value.
Answer (D) is correct.
The risk management processes chosen depend on the organization’s culture, management style, and business objectives. These choices should optimize stakeholder (for example, shareholder) value by coping effectively with uncertainty, risks, and opportunities. Thus, maximizing shareholder value is a comprehensive approach that relates to risk management strategies across the organization.
An internal auditor plans to conduct an audit of the adequacy of controls over investments in new financial instruments. Which of the following would not be required as part of such an engagement?
A. Determine if policies exist which describe the risks the treasurer may take and the types of instruments in which the treasurer may make investments.
B. Determine the extent of management oversight over investments in sophisticated instruments.
C. Determine whether the treasurer is getting higher or lower rates of return on investments than are treasurers in comparable organizations.
D. Determine the nature of controls established by the treasurer to monitor the risks in the investments.
C. Determine whether the treasurer is getting higher or lower rates of return on investments than are treasurers in comparable organizations.
Answer (C) is correct.
For this particular engagement, the auditor does not need to develop a comparison of investment returns with those of other organizations. In fact, some financial investment scandals show that such comparisons can be highly misleading because high returns were due to taking on a high level of risk. Also, this determination does not test the adequacy of the controls.
When the executive management of an organization decided to form a team to investigate the adoption of an activity-based costing (ABC) system, an internal auditor was assigned to the team. The best reason for including an internal auditor is the internal auditor’s knowledge of
A. Activities and cost drivers.
B. Information processing procedures.
C. Current product cost structures.
D. Risk management processes.
D. Risk management processes.
Answer (D) is correct.
The internal audit activity’s scope of work extends to evaluating the organization’s risk management processes. The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
Internal auditors should review the means of physically safeguarding assets from losses arising from
A. Misapplication of accounting principles.
B. Procedures that are not cost justified.
C. Exposure to the elements.
D. Underusage of physical facilities.
C. Exposure to the elements.
Answer (C) is correct.
The internal audit activity must evaluate risk exposures relating to governance, operations, and information systems regarding the safeguarding of assets (Impl. Std. 2120.A1). For example, internal auditors evaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the elements.
Which of the following activities is outside the scope of internal auditing?
A. Evaluating risk exposures regarding compliance with policies, procedures, and contracts.
B. Safeguarding of assets.
C. Evaluating risk exposures regarding compliance with laws and regulations.
D. Ascertaining the extent to which management has established criteria to determine whether objectives have been accomplished.
B. Safeguarding of assets.
Answer (B) is correct.
Safeguarding assets is an operational activity and is therefore beyond the scope of the internal audit activity.
In the risk management process, management’s view of the internal audit activity’s role is likely to be determined by all of the following factors except
A. Organizational culture.
B. Preferences of the independent auditor.
C. Ability of the internal audit staff.
D. Local conditions and customs of the country.
B. Preferences of the independent auditor.
Answer (B) is correct.
Ultimately, it is the role of senior management and the board to determine the role of internal auditing in the risk management process. Their view on internal auditing’s role is likely to be determined by factors such as the culture of the organization, ability of the internal audit staff, and local conditions and customs (PA 2120-1, para. 5).
Which of the following threatens the independence of an internal auditor who had participated in the initial establishment of a risk management process?
A. Developing assessments and reports on the risk management process.
B. Managing the identified risks.
C. Evaluating the adequacy and effectiveness of management’s risk processes.
D. Recommending controls to address the risks identified.
B. Managing the identified risks.
Answer (B) is correct.
Assuming management’s responsibility for the risk management process is a potential threat to the internal audit activity’s independence. It requires a full discussion and board approval (PA 2120-1, para. 5).
Which of the following may be assessed by the internal auditor to determine the effectiveness of the risk management process?
I. Significant risks
II. Ongoing monitoring activities
III. Previous risk evaluation reports by management, internal auditors, external auditors, and any other sources
A. I and II only.
B. I and III only.
C. II and III only.
D. I, II, and III.
A. I and II only.
Answer (A) is correct.
Significant risks and ongoing monitoring activities are assessed by the internal audit activity as part of the risk management process (Inter. Std. 2120). But review of previous risk evaluation reports is a means of obtaining evidence for an assessment.
The board’s expectations of the internal audit activity regarding the risk management process are
A. Noted in the work programs for formal consulting engagements.
B. Included in the business continuity plan.
C. Codified in the charters of the internal audit activity and the board.
D. Reviewed by the internal auditors immediately following a disaster.
C. Codified in the charters of the internal audit activity and the board.
Answer (C) is correct.
The chief audit executive (CAE) is to obtain an understanding of senior management’s and the board’s expectations of the internal audit activity in the organization’s risk management process. This understanding is then codified in the charters of the internal audit activity and the board (PA 2120-1, para. 4).
Which of the following is the most accurate term for a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives?
A. The internal audit activity.
B. Control process.
C. Risk management.
D. Consulting service.
C. Risk management.
Answer (C) is correct.
Risk management is “a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives” (The IIA Glossary). Accordingly, the internal audit activity evaluates and contributes to the improvement of risk management, governance, and control processes using a systematic and disciplined approach.
Risk management is the responsibility of management. The role of the internal audit activity in the risk management process may include which of the following?
I. Monitoring activities.
II. Evaluating the risk management process as part of the engagement plan.
III. Participating on oversight committees, monitoring of activities, and status reporting.
IV. Managing and coordinating the process.
A. I only.
B. II only.
C. I, II, and III only.
D. I, II, III, and IV.
D. I, II, III, and IV.
Answer (D) is correct.
The internal audit activity’s role in the risk management process of an organization can change over time and may include responsibilities along a continuum that extends from (1) no role; (2) auditing the risk management process as part of the internal audit plan; (3) active, continuous support and involvement in the risk management process, such as participation on oversight committees, monitoring activities, and status reporting; and (4) managing and coordinating the process (PA 2120-1, para. 4).
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. With respect to evaluating the adequacy of risk management processes, internal auditors most likely should
A. Recognize that organizations should use similar techniques for managing risk.
B. Determine that the key objectives of risk management processes are being met.
C. Determine the level of risks acceptable to the organization.
D. Treat the evaluation of risk management processes in the same manner as the risk analysis used to plan engagements.
B. Determine that the key objectives of risk management processes are being met.
Answer (B) is correct.
Internal auditors need to obtain sufficient and appropriate evidence to determine that key objectives of the risk management processes are being met to form an opinion on the adequacy of risk management processes (PA 2120-1, para. 8).
If an organization has no formal risk management processes, the chief audit executive should
A. Establish risk management processes based on industry norms.
B. Formulate hypothetical results of possible consequences resulting from risks not being managed.
C. Inform regulators that the organization is guilty of an infraction.
D. Formally discuss with the directors their obligations for risk management processes.
D. Formally discuss with the directors their obligations for risk management processes.
Answer (D) is correct.
In situations where the organization does not have formal risk management processes, the chief audit executive formally discusses with management and the board their obligations to understand, manage, and monitor risks within the organization and the need to satisfy themselves that there are processes operating within the organization, even if informal, that provide the appropriate level of visibility into the key risks and how they are being managed and monitored (PA 2120-1, para. 3).
Quantitative risk management methods are most appropriate for
A. Assessing personnel risks.
B. Developing a risk matrix.
C. The use of derivatives by the organization.
D. Identifying risks from the COSO’s enterprise risk management framework.
C. The use of derivatives by the organization.
Answer (C) is correct.
The organization designs risk management processes based on its culture, management style, and business objectives. For example, the use of derivatives or other sophisticated capital market products by the organization could require the use of quantitative risk management tools. But the internal auditor determines that the methodology chosen is sufficiently comprehensive and appropriate for the nature of the organization (PA 2120-1, para. 7).
Which of the following is not a responsibility of the chief audit executive?
A. To communicate the internal audit activity’s plans and resource requirements to senior management and the board for review and approval.
B. To coordinate with other internal and external providers of audit and consulting services to ensure proper coverage and minimize duplication.
C. To oversee the establishment, administration, and assessment of the organization’s system of risk management processes.
D. To follow up on whether appropriate management actions have been taken on significant reported risks.
C. To oversee the establishment, administration, and assessment of the organization’s system of risk management processes.
Answer (C) is correct.
Overseeing the establishment, administration, and assessment of the organization’s system of risk management processes is the role of senior management, not the CAE (PA 2130-1, para. 2).
Risk modeling or risk analysis is often used in conjunction with development of long-range engagement work schedules. The key input in the evaluation of risk is
A. Previous engagement results.
B. Management concerns and preferences.
C. Specific requirements of professional standards.
D. Judgment of the internal auditors.
D. Judgment of the internal auditors.
Answer (D) is correct.
Assessing the risk of an activity entails analysis of numerous factors, estimation of probabilities and amounts of potential losses, and an appraisal of the costs and benefits of risk reduction. Consequently, in assessing the magnitude of risk associated with any factor in a risk model, informed judgment by the internal auditor is required.
Risk is measured in terms of significance and likelihood. Excessive cash disbursements due to duplicate payments to vendors are events that most likely are placed in which area of a risk map?
A. Low significance, low likelihood.
B. Low significance, high likelihood.
C. High significance, medium likelihood.
D. High significance, low likelihood.
C. High significance, medium likelihood.
Answer (C) is correct.
Duplicate payments to vendors are considered high significance because they result in a material loss of cash if undetected. The likelihood is medium because they are a common irregularity; however, there is usually (though not always) a good chance that the vendor will detect the error and correct it.
Which of the following is the correct order of steps in the risk management process?
I. Prioritize risks
II. Monitor risk responses
III. Formulate risk responses
IV. Assess risks
V. Identify risks
A. V, IV, I, III, II.
B. I, II, III, IV, V.
C. V, I, III, IV, II.
D. V, I, IV, III, II.
A. V, IV, I, III, II.
Answer (A) is correct.
The risk management process involves five steps in the following order: identify risks, assess risks, prioritize risks, formulate risk responses, and monitor risk responses.
Which of the following statements regarding monitoring risk responses is false?
A. The manager of an operating unit is in the best position to monitor the effects of the chosen risk response strategies.
B. The two least important sources of information for ongoing assessments of the adequacy of risk responses are those closest to the activities themselves and the audit function.
C. Analyzing risks and responses are among the normal duties of internal auditors.
D. Operating managers may not always be objective about the risks facing their units.
B. The two least important sources of information for ongoing assessments of the adequacy of risk responses are those closest to the activities themselves and the audit function.
Answer (B) is correct.
The two most, not least, important sources of information for ongoing assessments of the adequacy of risk responses are those closest to the activities themselves and the audit function.
Which of the following are part of the risk analysis process?
I. Estimating the significance of an event
II. Assessing the event’s likelihood
III. Considering the means to manage the risk
A. I and II only.
B. II and III only.
C. I and III only.
D. I, II, and III.
D. I, II, and III.
Answer (D) is correct.
The risk analysis process may be formal or informal. It involves estimating the significance of an event, assessing the event’s likelihood, and considering the means to manage the risk.
Which of the following is a false statement about risk responses?
A. Each organization must assess the relationship between the likelihood and significance of risks.
B. Identified risks cannot simply be accepted.
C. Some risks require the creation of elaborate control structures.
D. There is no direct correlation between the severity of a risk and the cost of the response to that risk.
B. Identified risks cannot simply be accepted.
Answer (B) is correct.
While some risks require the creation of elaborate control structures, others may simply be accepted.
Risk modeling in a consulting service is done by ranking the engagement’s potential to
I. Improve management of risk
II. Add value
III. Improve the organization’s operations
A. I and II only.
B. II and III only.
C. I and III only.
D. I, II, and III.
D. I, II, and III.
Answer (D) is correct.
Risk modeling in a consulting service is done by ranking the engagement’s potential to (1) improve management of risks, (2) add value, and (3) improve the organization’s operations (Impl. Std. 2010.C1). Senior management assigns a weight to each item based on organizational objectives. The engagements with the appropriate weighted values are included in the annual audit plan.
Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that
I. Organizational objectives support and align with the organization’s mission
II. Significant risks are identified and assessed
III. Appropriate risk responses are selected that align risks with the organization’s risk appetite
IV. Relevant risk information is captured and communicated in a timely manner across the organization
A. I and IV only.
B. II and III only.
C. I, II, and IV only.
D. I, II, III, and IV.
D. I, II, III, and IV.
Answer (D) is correct.
Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that
Organizational objectives support and align with the organization’s mission;
Significant risks are identified and assessed;
Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
Which of the following statements about risk management is false?
A. Management ensures that sound risk management processes are functioning.
B. Boards have an oversight function.
C. The internal audit activity may be directed to recommend improvements.
D. The internal audit activity may not have a consulting role in identifying, evaluating, and implementing risk management methods.
D. The internal audit activity may not have a consulting role in identifying, evaluating, and implementing risk management methods.
Answer (D) is correct.
The internal audit activity does have a consulting role in identifying, evaluating, and implementing risk management methods and controls.
Which of the following is a false statement concerning risk management?
A. Every risk that could affect achievement of objectives must be considered.
B. Risk identification must be performed for the entire entity.
C. The manager of an operating unit is in the best position to monitor the effects of the chosen risk response strategies.
D. Risk management is too important to be delegated to a committee.
D. Risk management is too important to be delegated to a committee.
Answer (D) is correct.
In large or complex entities, senior management may appoint a risk committee to review the risks identified by the various operating units and create a coherent response plan.
Senior management has assessed all identifiable risks to the achievement of the organization’s objectives in terms of both probability and potential effect. The most likely next step is to
A. Adopt the ISO 9000 framework to ensure process quality.
B. Rank the identified risk areas.
C. Enter into electronic data interchange (EDI) arrangements with the organization’s most important suppliers.
D. Assign the task of ranking the identified risk areas to the internal audit activity.
B. Rank the identified risk areas.
Answer (B) is correct.
After all risks that could impact the achievement of organizational objectives have been identified, the next step is to rank the risk areas in terms of seriousness, i.e., the combination of probability and potential impact.
Which of the following is a true statement about the use by senior management and the board of the internal audit activity as a source of information about risk management processes?
A. The internal audit activity cannot be expected to be objective about risk management processes.
B. The internal audit activity is not a good source of information about the daily functioning of risk management processes.
C. Senior management and the board need this information sooner than internal audit can provide it.
D. The internal audit activity should be used as a source of information about the success of ongoing risk management activities.
D. The internal audit activity should be used as a source of information about the success of ongoing risk management activities.
Answer (D) is correct.
The two most important sources of information for ongoing assessments of the adequacy of risk responses (and the changing nature of the risks) are those closest to the activities themselves and the audit function. Operating managers may not always be objective about the risks facing their units, especially if they had a stake in designing a particular response strategy.
Which of the following is a false statement concerning risk management? Risk management processes
A. May be quantitative or subjective.
B. May be formal or informal.
C. May be embedded in business units or centralized.
D. Must be quantitative, formal, and embedded in business units.
D. Must be quantitative, formal, and embedded in business units.
Answer (D) is correct.
Risk management processes may be formal or informal, quantitative or subjective, or embedded in business units or centralized.
Which of the following is not an activity undertaken as part of risk management?
A. Risk identification.
B. Risk analysis.
C. Risk exposure.
D. Risk response.
C. Risk exposure.
Answer (C) is correct.
Risk exposure is a condition, not an activity.
Senior management has identified the following risk areas within the organization:
Derivatives trading: Likelihood high, Impact low
Materials acquisition: Likelihood low, Impact low
Petty cash: Likelihood high, Impact low
Bond issue: Likelihood low, Impact high
Transportation fleet: Likelihood high, Impact medium
Which of the following is a true statement in terms of overall risk exposure of the areas named?
A. Derivatives trading has less risk exposure than the transportation fleet.
B. The transportation fleet has less risk exposure than the bond issue.
C. The transportation fleet has more risk exposure than the bond issue.
D. Materials acquisition has more risk exposure than petty cash.
A. Derivatives trading has less risk exposure than the transportation fleet.
Answer (A) is correct.
Risk exposure is measured in terms of (1) impact on the achievement of the entity’s objectives and (2) the likelihood (probability) of that impact. In this simple model, no values are assigned to impact and likelihood. Thus, one required assumption is that risk exposures for risk areas with the same impact and likelihood can be established only on the basis of professional judgment using factors not given in the question. A related assumption is needed when one risk area has a high (low) likelihood and a low (high) impact, and a second risk area has the opposite characteristics. In this case, professional judgment based on factors not given also is needed to determine which risk area has the higher risk exposure. A third assumption is that the risk area with the greater likelihood (impact) has a higher risk exposure than a second risk area with the same impact (likelihood). Based on the assumptions, derivatives trading has less risk exposure than the transportation fleet. These risk areas have the same likelihood, but the transportation fleet has a higher impact.
Senior management has identified the following risk areas within the organization:
Derivatives trading: Likelihood high, Impact high
Materials acquisition: Likelihood low, Impact low
Petty cash: Likelihood high, Impact low
Bond issue: Likelihood low, Impact high
Transportation fleet: Likelihood high, Impact medium
Which of the following is a false statement in terms of overall risk exposure of the areas named?
A. The bond issue is riskier than petty cash.
B. The bond issue is riskier than materials acquisition.
C. Petty cash is riskier than materials acquisition.
D. The transportation fleet is riskier than petty cash.
A. The bond issue is riskier than petty cash.
Answer (A) is correct.
The bond issue and petty cash both have one high risk measure and one low risk measure; i.e., they have equivalent overall risk exposure.
The internal audit activity of a large not-for-profit organization is reviewing the following results of senior management’s latest enterprise-wide risk assessment:
Fictitious vendors: Likelihood possible, Impact major
Internet intrusion: Likelihood likely, Impact major
Executive nepotism: Likelihood remote, Impact critical
Fraudulent fundraising: Likelihood possible, Impact minor
Based on management’s assessment, where should the chief audit executive devote the most internal audit resources?
A. Fictitious vendors.
B. Internet intrusion.
C. Executive nepotism.
D. Fraudulent fundraising.
B. Internet intrusion.
Answer (B) is correct.
With a combination of major impact and likely occurrence, Internet intrusion has the greatest overall risk exposure and thus should receive the majority of limited internal audit resources.
The function of the chief risk officer is most effective when the chief risk officer
A. Manages risk as a member of senior management.
B. Shares the management of risk with line management.
C. Shares the management of risk with the chief audit executive.
D. Monitors risk as part of the enterprise risk management team.
D. Monitors risk as part of the enterprise risk management team.
Answer (D) is correct.
A chief risk officer is a member of management assigned primary responsibility for enterprise risk management processes. The chief risk officer is most effective when supported by a specific team with the necessary expertise and experience related to organization-wide risk.
Enterprise risk management
A. Guarantees achievement of organizational objectives.
B. Requires establishment of risk and control activities by internal auditors.
C. Involves the identification of events with negative impacts on organizational objectives.
D. Includes selection of the best risk response for the organization.
C. Involves the identification of events with negative impacts on organizational objectives.
Answer (C) is correct.
Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO, Enterprise Risk Management – Integrated Framework). The emphasis is on (1) the objectives of a specific entity and (2) establishing a means for evaluating the effectiveness of ERM.
Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks. Regarding the risks associated with issuing checks, which of the following risk management techniques does this represent?
A. Controlling.
B. Accepting.
C. Transferring.
D. Avoiding.
D. Avoiding.
Answer (D) is correct.
Risk responses may include avoidance, acceptance, sharing, and reduction. By eliminating checks, the organization avoids all risk associated with them.
Which of the following is a factor affecting risk?
A. New personnel.
B. New or revamped information systems.
C. Rapid growth.
D. All of the answers are correct.
D. All of the answers are correct.
Answer (D) is correct.
New personnel, new or revamped information systems, and rapid growth are all factors that affect risk.
Management considers risk appetite for all of the following reasons except
A. Evaluating strategic options.
B. Setting objectives.
C. Developing risk management techniques.
D. Increasing the net present value of investments.
D. Increasing the net present value of investments.
Answer (D) is correct.
Risk appetite should be considered in
Evaluating strategies,
Setting related objectives, and
Developing risk management methods.
Increasing the net present value of investments is an operational objective. It would be determined after consideration of the entity’s risk appetite and other strategic factors.
Components of enterprise risk management (ERM) are integrated with the management process. Which of the following correctly states four of the eight components of ERM according to the COSO’s framework?
A. Event identification, risk assessment, control activities, and objective setting.
B. Internal environment, risk responses, monitoring, and risk minimization.
C. External environment, information and communication, monitoring, and event identification.
D. Objective setting, response to opportunities, risk assessment, and control activities.
A. Event identification, risk assessment, control activities, and objective setting.
Answer (A) is correct.
Event identification, risk assessment, control activities, and objective setting are components of ERM. Event identification relates to internal and external events affecting the organization. It differentiates between opportunities and risks. Opportunities are referred to the strategy or objective-setting processes. Risk assessment considers likelihood and impact (see the definitions of risk in The IIA Glossary) as a basis for risk management. The assessment considers the inherent risk and the residual risk. Control activities are policies and procedures to ensure the effectiveness of risk responses. Objective setting precedes event identification. ERM ensures that (1) a process is established and (2) objectives align with the mission and the risk appetite.
Which of the following control models is fully incorporated into the broader integrated framework of enterprise risk management (ERM)?
A. CoCo.
B. COSO.
C. Electronic Systems Assurance and Control.
D. COBIT.
B. COSO.
Answer (B) is correct.
The Committee of Sponsoring Organizations of the Treadway Commission published Enterprise Risk Management – Integrated Framework. This document describes a model that incorporates the earlier COSO internal control framework while extending it to the broader area of enterprise risk management.
Limitations of enterprise risk management (ERM) may arise from
A. Faulty human judgment.
B. Cost-benefit considerations.
C. Collusion.
D. All of the answers are correct.
D. All of the answers are correct.
Answer (D) is correct.
The limitations of ERM are the same as those for control in general. They arise from the possibility of (1) faulty human judgment, (2) cost-benefit considerations, (3) simple errors or mistakes, (4) collusion, and (5) management override.
Inherent risk is
A. A potential event that will adversely affect the organization.
B. Risk response risk.
C. The risk after management takes action to reduce the impact or likelihood of an adverse event.
D. The risk when management has not taken action to reduce the impact or likelihood of an adverse event.
D. The risk when management has not taken action to reduce the impact or likelihood of an adverse event.
Answer (D) is correct.
Inherent risk is the risk when management has not taken action to reduce the impact or likelihood of an adverse event. Thus, it is risk in the absence of a risk response.
The internal auditors are assessing the risk of fraud involving senior management. An impact factor is
A. Nonretention of customers.
B. Inadequacy of internal controls.
C. Unusual transactions.
D. Potential override of internal controls.
A. Nonretention of customers.
Answer (A) is correct.
An impact factor is a potential result of an event. These events are usually identified through the risk assessment process. For example, the consequences of fraud may include direct financial loss and harm to the organization’s reputation, which in turn may lead to an inability to attract skilled employees or customers.
Which risk response reflects a change from acceptance to sharing?
A. An insurance policy on a manufacturing plant was not renewed.
B. Management purchased insurance on previously uninsured property.
C. Management sold a manufacturing plant.
D. After employees stole numerous inventory items, management implemented mandatory background checks on all employees.
B. Management purchased insurance on previously uninsured property.
Answer (B) is correct.
The categories of risk responses under the COSO ERM model are avoidance, retention (acceptance), reduction, sharing, and exploitation. If management does not insure a building, the response is acceptance. Ordinarily, acceptance is based on a judgment that the cost of another response is excessive. However, once management purchases insurance, the risk is shared with an outside party.
Under the COSO’s ERM framework, which of the following most accurately describes risk management responsibilities?
A. In practice, management has primary responsibility.
B. The internal audit activity has an oversight role.
C. The board provides assurance about the effectiveness of ERM.
D. The chief audit executive should serve as chief risk officer.
A. In practice, management has primary responsibility.
Answer (A) is correct.
The board has overall responsibility. However, in practice, the board delegates responsibility for ERM to senior management, which should ensure that sound processes are in place and functioning.
Which of the following is closely related to traditional risk management instead of enterprise risk management (ERM)?
A. Rapid response to opportunities.
B. Organization-level view of risk.
C. Emphasis on specific functions.
D. Achieving financial goals.
C. Emphasis on specific functions.
Answer (C) is correct.
The enterprise risk management approach set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) attempts to approach an organization as a whole instead of focusing on any specific area or risk.
Which of the following members of an organization has ultimate ownership responsibility of the enterprise risk management, provides leadership and direction to senior managers, and monitors the entity’s overall risk activities in relation to its risk appetite?
A. Chief risk officer.
B. Chief executive officer.
C. Internal auditors.
D. Chief financial officer.
B. Chief executive officer.
Answer (B) is correct.
The chief executive officer (CEO) sets the tone at the top of the organization and has ultimate responsibility for ownership of the ERM. The CEO will influence the composition and conduct of the board, provide leadership and direction to senior managers, and monitor the entity’s overall risk activities in relation to its risk appetite. If any problems arise with the organization’s risk appetite, the CEO will also take any measures to adjust the alignment to better suit the organization.
Which of the following is an example of risk reduction?
A. Purchasing insurance.
B. Never beginning the risk-producing activity.
C. Hiring additional employees to perform routine maintenance checks on machinery.
D. After considering all the alternatives and implementing control activities, continuing to engage in the risk-producing activity.
C. Hiring additional employees to perform routine maintenance checks on machinery.
Answer (C) is correct.
Hiring additional employees to perform routine maintenance checks on machinery would reduce the risk of a complete breakdown of machinery and is an example of risk reduction.
Which of the entity objectives address effectiveness and efficiency?
A. Strategic objectives.
B. Operations objectives.
C. Reporting objectives.
D. Compliance objectives.
B. Operations objectives.
Answer (B) is correct.
Operations objectives address effectiveness and efficiency.
Which of the following are affected by external events that the entity may not be able to control?
I. Strategic objectives
II. Operations objectives
III. Reporting objectives
IV. Compliance objectives
A. I and II only.
B. III and IV only.
C. II and IV only.
D. I and III only.
A. I and II only.
Answer (A) is correct.
Strategic and operational matters are affected by external events that the entity may not control. Thus, ERM should provide reasonable assurance that management and the board receive timely information about whether those objectives are being achieved.
When a customer fails to pay his/her invoice within 2 months, a notification is sent to inform the credit manager of the situation. This is an example of which kind of event identification method?
A. Internal analysis.
B. Threshold triggers.
C. Process flow analysis.
D. Loss event data methodologies.
B. Threshold triggers.
Answer (B) is correct.
A predetermined risk response may be made when a certain event occurs, such as when cash is below a given level or a customer has not paid an invoice within a certain period of time.
Which of the following qualities should be possessed by a board of directors?
A. A majority of the board should be outside directors.
B. Directors generally should have years of experience in the industry.
C. Directors must be willing to challenge management’s choices.
D. All of the answers are correct.
D. All of the answers are correct.
Answer (D) is correct.
Directors’ attitudes are a key component of the internal environment. They must possess certain qualities to be effective.
A majority of the board should be outside directors.
Directors generally should have years of experience either in the industry or in corporate governance.
Directors must be willing to challenge management’s choices. Complacent directors increase the chances of adverse consequences.
The internal auditors’ determination of whether risk management processes are effective is a judgment resulting from which assessments?
I. Entity objectives support and are consistent with its mission
II. Significant risks are identified and assessed
A. I only.
B. II only.
C. I and II.
D. Neither I nor II.
C. I and II.
Answer (C) is correct.
The internal auditors’ determination of whether risk management processes are effective is a judgment resulting from the assessments that entity objectives support and are consistent with its mission and that significant risks are identified and assessed.
When ERM is effective regarding all of the objectives, the board and management have reasonable assurance that
I. Reporting is reliable
II. Compliance is achieved
III. The extent of achievement of strategic and operations objectives is known
A. I and II only.
B. II and III only.
C. I and III only.
D. I, II, and III.
D. I, II, and III.
Answer (D) is correct.
When ERM is effective regarding all of the objectives, the board and management have reasonable assurance that (1) reporting is reliable, (2) compliance is achieved, and (3) the extent of achievement of strategic and operations objectives is known.
Which of the following statements regarding the chief risk officer is false?
A. The creation of a separate risk management function may include the appointment of a chief risk officer.
B. The chief risk officer is a member of management assigned primary responsibility for ERM processes.
C. The chief risk officer is most effective when supported by a specific team with the necessary expertise.
D. The chief risk officer should be employed in the internal audit function.
D. The chief risk officer should be employed in the internal audit function.
Answer (D) is correct.
The chief risk officer should not be employed in the internal audit function.
Which of the following activities are included in ERM?
I. Determining risk appetite
II. Identifying potential risks
III. Communicating information on risks consistently and at all levels
IV. Providing assurance on the effectiveness of risk management
A. I and III only.
B. II and IV only.
C. I, II, and III only.
D. I, II, III, and IV.
D. I, II, III, and IV.
Answer (D) is correct.
Determining risk appetite, identifying potential threats, communicating information on risks consistently and at all levels, and providing assurance on the effectiveness of risk management are among the activities included in ERM.
Which of the following are core assurance roles provided by the internal audit activity?
I. Giving assurance on risk management processes
II. Evaluating risk management processes
III. Reviewing the management of key risks
IV. Setting the risk appetite
A. I and II only.
B. III and IV only.
C. I, II, and III only.
D. I, II, and IV only.
C. I, II, and III only.
Answer (C) is correct.
Giving assurance on risk management processes, evaluating risk management processes, and reviewing the management of key risks are among the core assurance roles provided by the internal audit activity.
Which of the following is not an example of an internal audit role that may be performed as a consulting engagement, given safeguards against loss of independence and objectivity?
A. Being accountable for risk management.
B. Championing establishment of ERM.
C. Facilitating identification and evaluation of risks.
D. Developing a risk management strategy for board approval.
A. Being accountable for risk management.
Answer (A) is correct.
This would threaten the audit activity’s independence and objectivity and therefore should not be performed as part of a consulting engagement.
Which of the following are roles that the internal audit activity should not undertake since they would threaten its independence and objectivity?
A. Imposing risk management processes.
B. Making decisions on risk responses.
C. Implementing risk responses on management’s behalf.
D. All of the answers are correct.
D. All of the answers are correct.
Answer (D) is correct.
Among the risk management roles that threaten the independence and objectivity of the internal audit activity are imposing risk management processes, making decisions on risk responses, and implementing risk responses on management’s behalf.
Which of the following approaches to providing assurance on the risk management process is based on the principle that effective risk management processes develop as value is added at each stage of maturation?
A. The process element approach.
B. The key principles approach.
C. The maturity model approach.
D. None of the answers are correct.
C. The maturity model approach.
Answer (C) is correct.
The maturity model approach is based on the principle that effective risk management processes develop as value is added at each stage of maturation. Accordingly, this approach determines where risk management is on the maturity curve and whether it (1) is progressing as expected, (2) adds value, and (3) meets organizational needs.
The maturity model approach to providing assurance on the risk management process determines where risk management is on the maturity curve and whether
I. It is progressing as expected
II. It adds value
III. It meets organizational needs
A. I and II only.
B. II and III only.
C. I and III only.
D. I, II, and III.
D. I, II, and III.
Answer (D) is correct.
The maturity model approach is based on the principle that effective risk management processes develop as value is added at each stage of maturation. Accordingly, this approach determines where risk management is on the maturity curve and whether (1) it is progressing as expected, (2) adds value, and (3) meets organizational needs.
Risk management, at any level, consists of
I. Identifying potential events that may affect the entity
II. Managing the associated risk to be within the entity’s risk appetite
A. I only.
B. II only.
C. I and II.
D. Neither I nor II.
C. I and II.
Answer (C) is correct.
Risk management, at any level, consists of (1) identifying potential events that may affect the entity and (2) managing the associated risk to be within the entity’s risk appetite. Risk management should also provide reasonable assurance that entity objectives are achieved.
Which component of ERM consists of the policies and procedures that ensure the effectiveness of risk responses?
A. Control activities.
B. Risk assessment.
C. Monitoring.
D. Information and communication.
A. Control activities.
Answer (A) is correct.
Control activities are policies and procedures to ensure the effectiveness of risk responses.
The internal audit activity usually provides assurance about which of the following?

I. The design and effectiveness of risk management processes
II. Management of key risks
III. Risk assessment
IV. Reporting risk and control status

A. I and II only.
B. III and IV only.
C. II, III, and IV only.
D. I, II, III and IV.

D. I, II, III and IV.
Answer (D) is correct.
Assurance comes primarily from management. However, objective assurance is also provided by the internal audit activity, external auditors, and independent specialists. The internal audit activity usually provides assurance about the following:

The design and effectiveness of risk management processes
Management of key risks, including the effectiveness of response activities
Risk assessment
Reporting risk and control status

The amount of risk an entity is willing to accept in pursuit of value is the definition of

A. Risk appetite.
B. Risk response.
C. Risk acceptance.
D. Risk.

A. Risk appetite.
Senior management has identified the trading of marketable securities as a high-risk activity. In response, a new supervisory position was created. Every evening after the close of business, this supervisor reviews every trade made during the day. After 6 months of trading marketable securities under this system, the quantified risk reported by the internal audit activity is termed

A. Responded risk.
B. True risk.
C. Managed risk.
D. Residual risk.

D. Residual risk.
The level of assurance that risk management can provide regarding the achievement of entity objectives is

A. Positive.
B. Absolute.
C. Reasonable.
D. Negative.

C. Reasonable.
Which of the following is a principal benefit of enterprise risk management (ERM)?

A. Preventing the network from being compromised by hackers.
B. Enabling the use of linear programming to optimize production.
C. Preventing loss of reputation and resources.
D. Ensuring no material errors or irregularities affect the published financial statements.

C. Preventing loss of reputation and resources.
Answer (C) is correct.
ERM helps management to reach objectives, prevent loss of reputation and resources, report effectively, and comply with laws and regulations.
Which of the following is not a capability of enterprise risk management (ERM)?

A. Reduction of operational surprises and losses.
B. Better capital allocation.
C. Clear distinction between risk appetite and strategy.
D. Quicker response to opportunities.

C. Clear distinction between risk appetite and strategy.
Answer (C) is correct.
ERM enables an organization to consider risk appetite in evaluating strategies, setting objectives, and developing risk management methods.
The correct order for performing the first four phases of the enterprise risk management (ERM) process is

A. Internal environment, objective setting, event identification, risk assessment.
B. Risk assessment, objective setting, event identification, internal environment.
C. Objective setting, internal environment, event identification, risk assessment.
D. Event identification, risk assessment, internal environment, objective setting.

A. Internal environment, objective setting, event identification, risk assessment.
As described in the COSO enterprise risk management (ERM) model, which of the following is not a part of the internal environment?

A. Risk response.
B. Risk appetite.
C. Ethical values.
D. Risk management philosophy.

A. Risk response.
Answer (A) is correct.
Risk response is a separate component of the COSO ERM model from the internal environment component.
A team consisting of operational personnel, internal auditors, and outside consultants has performed a detailed review of the inputs, processes, and outputs of the credit and accounts receivable function. This type of event identification is known as

A. Process flow analysis.
B. Leading event indicators.
C. Loss event data methodology.
D. Trap event methodology.

A. Process flow analysis.
Answer (A) is correct.
In this type of event identification, a single business process, such as vendor authorization and payment, is studied in isolation for the events that affect its inputs, tasks, responsibilities, and outputs.
An organization that normally adheres to a conservative investment policy buys a block of high-yield bonds from a uranium exploration and mining company. This type of risk response is an example of

A. Risk retention.
B. Risk mitigation.
C. Risk exploitation.
D. Risk sharing.

C. Risk exploitation.
Answer (C) is correct.
Risk exploitation seeks risk to pursue a high return on investment.
Which of the following is not a function of senior management with regard to enterprise risk management (ERM)?

A. Approving the provisions of the internal audit charter dealing with risk management.
B. Establishing a consistent risk management philosophy across the whole entity.
C. Setting the organization’s risk appetite.
D. Determining the risk response to inherent risk.

A. Approving the provisions of the internal audit charter dealing with risk management.
Answer (A) is correct.
Approving the entire internal audit charter is a responsibility of the board.
Senior management performed the following steps during its recent deliberations over risk management:

1. Identified all the risks that might impede the achievement of the company’s mission.
2. Designed new procedures to mitigate the risks associated with surplus equipment, one of the areas in which the risk of adverse impact was both material and likely.
3. Ensured that the director of surplus management understood and enacted the new procedures.
4. Reviewed regular reports from internal audit about the effectiveness of the new procedures for surplus equipment.

The most serious deficiency with the process is that

A. Senior management did not consult with the director of equipment management before formulating the risk response.
B. Senior management did not prioritize the identified risks.
C. Internal audit was involved in the process too late.
D. The board did not create the position of chief risk officer.

B. Senior management did not prioritize the identified risks.
Answer (B) is correct.
Management designed risk procedures related to one of the risk areas without regard to the potential impact of the other identified risks.
Which one of the following is not a dimension of the COSO ERM matrix?

A. Audit.
B. Entity.
C. Objectives.
D. Components.

A. Audit.
All of the following are legitimate roles for internal audit in enterprise risk management (ERM) except

A. Setting risk appetite.
B. Coaching management in responding to risks.
C. Coordinating ERM activities.
D. Maintaining and developing the ERM framework.

A. Setting risk appetite.
Answer (A) is correct.
Setting the organization’s risk appetite is a management role.
Within the enterprise risk management (ERM) model, assurance about the effectiveness of risk management processes and the reduction of key risks to an acceptable level comes primarily from

A. The board.
B. The chief audit executive.
C. Management.
D. The independent auditor.

C. Management.
Answer (C) is correct.
Assurance about the effectiveness of risk management processes and the reduction of key risks to an acceptable level comes primarily from management.
Which of the following is not a component of the ISO 31000 model as described in The IIA Practice Guide?

A. Monitoring and review.
B. Continual improvement.
C. Unitary control framework.
D. Design of framework.

C. Unitary control framework.
Answer (C) is correct.
“Unitary control framework” is not a meaningful term in this context.
The IIA Practice Guide concerning the ISO 31000 model describes three approaches to providing assurance on risk management processes. Which of the following is not one of these approaches?

A. Maturity model.
B. Negative assurance.
C. Key principles.
D. Process element.

B. Negative assurance.
Answer (B) is correct.
Negative assurance is not a concept applicable to providing assurance on risk management processes described in the ISO 31000 model.