4: (111) Risk Management

1: (54) Risk Management Processes

1- When a customer fails to pay his or her invoice within 2 months, a notification is sent to inform the
credit manager of the situation. This is an example of which kind of event identification method?

A. Threshold triggers.

B. Loss event data methodologies.

C. Internal analysis.

D. Process flow analysis.

Answer (A) is correct.

A predetermined risk response may be made when a certain event occurs, such as when cash is below a
given level or a customer has not paid an invoice within a certain period of time.

Answer (B) is incorrect.

Loss event data methodologies are used to associate losses with adverse events in the past to make
predictions. An example is matching workers’ compensation claims with the frequency of accidents.

Answer (C) is incorrect.

In internal analysis, the entity can consider its own experience with similar risks when planning a
response to future events.

Answer (D) is incorrect.

In process flow analysis, a single business process is studied in isolation for the events that affect its
inputs, tasks, responsibilities, and outputs.

2- Which of the following represents the best statement of responsibilities for risk management?

Management Auditing Board

A. Oversight role Advisory role Responsibility for risk

B. Responsibility for risk Oversight role Advisory role
C. Oversight role Responsibility for risk Advisory role
D. Responsibility for risk Advisory role Oversight role

Answer (A) is incorrect.

Management is responsible for risk management, not the oversight role performed by the board.
Answer (B) is incorrect.
Internal auditors are generally involved in the assurance and advisory role. The board has an oversight
role.
Answer (C) is incorrect.
Management performs the implementation role in risk management, and the board has an oversight role.
Internal auditors are generally involved in the assurance and advisory role.

Answer (D) is correct.

Risk management is a key responsibility of senior management and the board. To achieve its business
objectives, management ensures that sound risk management processes are in place and functioning.
Boards have an oversight role to determine that appropriate risk management processes are in place and
that these processes are adequate and effective. The internal audit activity should have a process for
planning, auditing, and reviewing risk management issues. It also evaluates risk management during
assurance and advisory reviews of an area or process. After communications with the board and senior
management, the CAE considers their risk appetite, risk tolerance, and risk culture. Moreover, (1)
management should be alerted to new risks or those not sufficiently mitigated, (2) recommendations and
action plans for risk exposure should be provided, and (3) sufficient information should be obtained to
evaluate risk management effectiveness (IG 2120).

3- Which of the following are roles that the internal audit activity should not undertake since they would
threaten its independence and objectivity?

A. All of the answers are correct.

B. Making decisions on risk responses.

C. Implementing risk responses on management’s behalf.

D. Imposing risk management processes.

Answer (A) is correct.

Among the risk management roles that threaten the independence and objectivity of the internal audit
activity are imposing risk management processes, making decisions on risk responses, and implementing
risk responses on management’s behalf.

Answer (B) is incorrect.

The internal audit activity also should not impose risk management process or implement risk responses
on management’s behalf.
Answer (C) is incorrect.
The internal audit activity also should not impose risk management process or make decisions on risk
responses.

Answer (D) is incorrect.

The internal audit activity also should not make decisions on risk responses or implement risk responses
on management’s behalf.

4- Standard 2120 states that the internal audit activity must evaluate the effectiveness and contribute
to the improvement of risk management processes. Conformance with Standard 2120 is best
demonstrated by

A. Review by the internal auditors immediately following a disaster.

B. The charter of the internal audit activity.

 C. The work programs for formal consulting engagements.

D. The business continuity plan.

Answer (A) is incorrect.

The internal audit activity’s role needs to be understood before a crisis.

Answer (B) is correct.

Documents demonstrating conformance with Standard 2120 include the internal audit charter. It
describes the internal audit activity’s roles and responsibilities regarding risk management. Other
documents include (1) the internal audit plan, (2) minutes of meetings in which internal audit
recommendations were discussed, (3) internal audit risk assessments, and (4) internal audit action plans
addressing risks.

Answer (C) is incorrect.

A work program is a listing of specific procedures.

Answer (D) is incorrect.

Business continuity planning is just one element of risk management.

5- When the executive management of an organization decided to form a team to investigate the
adoption of an activity-based costing (ABC) system, an internal auditor was assigned to the team.
The best reason for including an internal auditor is the internal auditor’s knowledge of

A. Risk management processes.

B. Current product cost structures.
C. Activities and cost drivers.
D. Information processing procedures.

Answer (A) is correct.

The internal audit activity’s scope of work extends to evaluating the organization’s risk management
processes. The internal audit activity should assist the organization by identifying and evaluating
significant exposures to risk and contributing to the improvement of risk management and control
systems.

Answer (B) is incorrect.

A management accountant has more knowledge than an internal auditor about a company’s current
product cost.
Answer (C) is incorrect.
An engineer has more knowledge than an internal auditor about activities and cost drivers.

Answer (D) is incorrect.

An information systems expert has more knowledge than an internal auditor about information needs and
information processing procedures.
6- A chief audit executive is reviewing the following enterprise-wide risk map:
I
LIKELIHOOD
M
P Remote Possible Likely
A Critical Risk A Risk B
C Major Risk D
T Minor Risk C
Which of the following is the correct prioritization of risks, considering limited resources in the internal
audit activity?

A. Risk A, Risk B, Risk C, Risk D.

B. Risk B, Risk C, Risk D, Risk A.
C. Risk D, Risk B, Risk C, Risk A.
D. Risk B, Risk C, Risk A, Risk D.

Answer (A) is incorrect.

Risk B clearly has a higher priority than Risk A. It has a higher likelihood and the same impact.

Answer (B) is incorrect.

Risk D has a higher likelihood and a greater impact than Risk C.

Answer (C) is correct.

Risk is the possibility of an event’s occurrence that could have an impact on the achievement of
objectives. Risk is measured in terms of impact (exposures) and likelihood (probability). Prioritizing is
needed to make decisions for applying resources to engagements based on the relative significance of
their risk and exposure estimates. The best order of priority listed (highest to lowest) is (1) Risk D (likely-
major), (2) Risk B (possible-critical), (3) Risk C (possible-minor), and (4) Risk A (remote-critical).
However, it is not entirely clear that Risk D and Risk C should have higher priorities than Risks B and A,
respectively. For example, depending on the values assigned to the variables, a possible-critical impact
(B) might have a higher priority than a likely-major impact (D).

Answer (D) is incorrect.

Risk D clearly takes precedence over Risk C. It has a higher likelihood and a greater impact.

7- Which of the following goals sets risk management strategies at the optimum level?

A. Maximize shareholder value.

B. Minimize costs.

C. Minimize losses.

D. Maximize market share.

Answer (A) is correct.

The risk management processes chosen depend on the organization’s culture, management style, and
business objectives. These choices should optimize stakeholder (for example, shareholder) value by
coping effectively with uncertainty, risks, and opportunities. Thus, maximizing shareholder value is a
comprehensive approach that relates to risk management strategies across the organization.

Answer (B) is incorrect.

Minimizing costs is not a comprehensive approach.
Answer (C) is incorrect.
Minimizing losses is not a comprehensive approach.

Answer (D) is incorrect.

Maximizing market share is not a comprehensive approach.

8- Which of the following is a true statement about the use by senior management and the board of
the internal audit activity as a source of information about risk management processes?

A. The internal audit activity cannot be expected to be objective about risk management processes.

B. The internal audit activity should be used as a source of information about the success of
ongoing risk management activities.

C. Senior management and the board need this information sooner than internal audit can provide
it.

D. The internal audit activity is not a good source of information about the daily functioning of risk
management processes.

Answer (A) is incorrect.

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest. (Attr. Std.
1120).

Answer (B) is correct.

The two most important sources of information for ongoing assessments of the adequacy of risk
responses (and the changing nature of the risks) are those closest to the activities themselves and the
audit function. Operating managers may not always be objective about the risks facing their units,
especially if they had a stake in designing a particular response strategy.
Answer (C) is incorrect.
The board approves the internal audit activity’s work plan.

Answer (D) is incorrect.

Operational management’s proximity to the daily functioning of the risk management processes makes it
an important source of information about them. However, the internal audit activity is an important source
of information as well.

9- The level of assurance that risk management can provide regarding the achievement of entity
objectives is
A. Negative.
B. Reasonable.
C. Absolute.
D. Positive.

Answer (A) is incorrect.

Negative is a type, not a level, of assurance
Answer (B) is correct.
Risk management should provide reasonable assurance that entity objectives are achieved.

Answer (C) is incorrect.

No set of risk responses can provide absolute assurance that objectives will be achieved.

Answer (D) is incorrect.

Positive is a type, not a level, of assurance.

10- Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks.
Regarding the risks associated with issuing checks, which of the following risk management
techniques does this represent?
A. Avoiding.
B. Controlling.
C. Accepting.
D. Transferring.

Answer (A) is correct.

Risk responses may include avoidance, acceptance, sharing, and reduction. By eliminating checks, the
organization avoids all risk associated with them.

Answer (B) is incorrect.

Eliminating checks does not represent an ongoing control.

Answer (C) is incorrect.

Eliminating checks avoids instead of accepts the associated risk.

Answer (D) is incorrect.

Eliminating checks does not transfer risk to anyone else. Risk is eliminated.

11- The internal audit activity must evaluate the effectiveness and contribute to the improvement
of risk management processes. With respect to evaluating the adequacy of risk management
processes, internal auditors most likely should

A. Recognize that organizations should use similar techniques for managing risk.

B. Treat the evaluation of risk management processes in the same manner as the risk analysis used
to plan engagements.

C. Determine that the key objectives of risk management processes are being met.

D. Determine the level of risks acceptable to the organization.

Answer (A) is incorrect.

Risk management processes vary with the size and complexity of an organization’s business activities.

Answer (B) is incorrect.

Evaluating management’s risk processes differs from the internal auditors’ risk assessment used to plan
an engagement, but information from a comprehensive risk management process is useful in such
planning.
Answer (C) is correct.
Internal auditors need to obtain sufficient and appropriate evidence to determine that key objectives of the
risk management processes are being met to form an opinion on the adequacy of risk management
processes.

Answer (D) is incorrect.

Management and the board determine the level of acceptable organizational risks.

12- A recent inventory shortage at XYZ Corp., an unaffiliated supplier, contributed to production
failures at OPS Corp. in the current period. To avoid future production failures because of supplier
inventory shortages, the most appropriate method is for OPS to

A. Establish an inventory control framework at XYZ.

B. Inform XYZ about its risk appetite regarding supply failures.
C. Increase the size of orders.
D. Produce the inventory items instead of purchasing from suppliers.
Answer (A) is incorrect.
OPS has no authority to establish an inventory control framework at XYZ.

Answer (B) is correct.

The risk appetite is the level of risk that an organization is willing to accept (The IIA Glossary). Thus,
communicating about the risk appetite with external parties is an important aspect of risk management. It
allows the organization to develop strategies to work with suppliers who may have different objectives.

Answer (C) is incorrect.

Increasing order size does not address the cause of supplier failures.

Answer (D) is incorrect.

Although in-house production will eliminate the external parties, it may not be the most cost-effective
method. The external party may have cost advantages the organization does not.

13- Who is responsible for the organization’s risk management and control processes?

1. The internal auditor.

2. The external auditor.
3. Senior management.
4. The board of directors.
A. 3 and 4 only.
B. 1, 2, and 3.
C. 2 and 3 only.
D. 1 and 3 only.

Answer (A) is correct.

Risk management is a key responsibility of senior management and the board. To achieve its business
objectives, management ensures that sound risk management processes are in place and functioning.
Boards have an oversight role to determine that appropriate risk management processes are in place and
that these processes are adequate and effective. In this role, they may direct the internal audit activity to
assist them by examining, evaluating, reporting, or recommending improvements to the adequacy and
effectiveness of risk management processes. Management and the board are responsible for the
organization’s risk management and control processes.

Answer (B) is incorrect.

The internal and external auditors are not primarily responsible for risk management and control
processes.

Answer (C) is incorrect.

The external audit function is not responsible for the organization’s risk management systems.
Management may ask the external auditor to report any deficiencies in the control environment, but the
responsibility is management’s.

Answer (D) is incorrect.

The internal auditor evaluates risk management as a basis for findings and recommendations. But the
internal auditor is not responsible for operational management of its processes.

14- Internal auditors should review the means of physically safeguarding assets from losses arising from
A. Exposure to the elements.

B. Under usage of physical facilities.

C. Procedures that are not cost justified.

D. Misapplication of accounting principles.

Answer (A) is correct.

The internal audit activity must evaluate risk exposures relating to governance, operations, and
information systems regarding the safeguarding of assets (Impl. Std. 2120.A1). For example, internal
auditors evaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the
elements.
Answer (B) is incorrect.
Under usage of facilities relates to efficiency of operations.

Answer (C) is incorrect.

Procedures that are not cost justified relate to efficiency, not effectiveness, of operations.

Answer (D) is incorrect.

Misapplication of accounting principles relates to the reliability of information and not physical safeguards.

15- If an organization has no formal risk management processes, the chief audit executive should

A. Establish risk management processes based on industry norms.

B. Formulate hypothetical results of possible consequences resulting from risks not being
managed.

C. Inform regulators that the organization is guilty of an infraction.

D. Formally discuss with the directors their obligations for risk management processes.

Answer (A) is incorrect.

Internal auditors have no authority to establish risk management processes. They must seek direction
from management and the board as to their role in the process.

Answer (B) is incorrect.

Internal auditors are not required to perform a risk analysis of the possible consequences of not
establishing a risk management process. However, such a request might be made by management.

Answer (C) is incorrect.

In the absence of a specific legal requirement, internal auditors are not required to report to outside
parties.

Answer (D) is correct.

In situations where the organization does not have formal risk management processes, the chief audit
executive formally discusses with management and the board their obligations to understand, manage,
and monitor risks within the organization and the need to satisfy themselves that there are processes
operating within the organization, even if informal, that provide the appropriate level of visibility into the
key risks and how they are being managed and monitored.

16- Risk management, at any level, consists of

1. Identifying potential events that may affect the entity

2. Managing the associated risk to be within the entity’s risk appetite
A. 1 only.

B. 1 and 2.

C. 2 only.

D. Neither 1 nor 2.

Answer (A) is incorrect.

Risk management also consists of managing the associated risk to be within the entity’s risk appetite.

Answer (B) is correct.

Risk management, at any level, consists of (1) identifying potential events that may affect the entity and
(2) managing the associated risk to be within the entity’s risk appetite. Risk management should also
provide reasonable assurance that entity objectives are achieved.

Answer (C) is incorrect.

Risk management also consists of identifying potential events that may affect the entity.

Answer (D) is incorrect.

Risk management consists of both options.

17- Which of the following is the most accurate term for a process to identify, assess, manage, and
control potential events or situations to provide reasonable assurance regarding the achievement of
the organization’s objectives?
 A. Control process.

B. The internal audit activity.

C. Consulting service.

D. Risk management.

Answer (A) is incorrect.

Control processes are “the policies, procedures, and activities that are part of a control framework
designed to ensure that risks are contained within the risk tolerances established by the risk management
process” (The IIA Glossary).

Answer (B) is incorrect.

The internal audit activity assists in risk management; it is not the same thing as risk management.

Answer (C) is incorrect.

Consulting services are “advisory and related client service activities, the nature and scope of which are
agreed with the client” (The IIA Glossary).

Answer (D) is correct.

Risk management is “a process to identify, assess, manage, and control potential events or situations to
provide reasonable assurance regarding the achievement of the organization’s objectives” (The IIA
Glossary).

18- Which of the following represents a risk avoidance strategy?

A. The new manager has been tasked with the responsibility of tracking identified risks.
B. The company has elected to exit the construction industry due to the high number of injuries.
C. Providing training on new products for sales personnel to increase revenue.
D. The board has agreed to outsource the delivery segment of the business because of the high
costs.
Answer (A) is incorrect.
This action represents risk monitoring. Risk monitoring (1) tracks identified risks, (2) evaluates current risk
response plans, (3) monitors residual risks, and (4) identifies new risks.

Answer (B) is correct.

Risk avoidance ends the activity from which the risk arises. Exiting the industry avoids the risk of
construction injuries.

Answer (C) is incorrect.

This action represents risk reduction (mitigation). Risk reduction lowers the level of risk associated with an
activity. For example, providing training to sales personnel for new products reduces the risk of
decreased revenues due to lack of product knowledge.

Answer (D) is incorrect.

This action represents risk sharing. Risk sharing transfers some loss potential to another party. Examples
are insurance, outsourcing, hedging, and entering into joint ventures.

19- What is the board’s role in the risk management process?

 A. Ensures that sound risk management processes are functioning.
B. Consult in implementing risk management methods and controls.
C. Oversees risk management processes.
D. Contributes to the improvement of risk management processes.

Answer (A) is incorrect.

Management ensures that sound risk management processes are functioning. Management must focus
on risks at all levels of the entity and take the necessary action to manage them.

Answer (B) is incorrect.

In addition to its assurance role, the internal audit activity has a consulting role in identifying, evaluating,
and implementing risk management methods and controls. It determines that the methods chosen are
comprehensive and appropriate for the organization.

Answer (C) is correct.

Risk management is a key responsibility of senior management and the board. Boards have an oversight
function and determine that risk management processes are in place, adequate, and effective.

Answer (D) is incorrect.

According to Standard 2120, “the internal audit activity must evaluate the effectiveness and contribute to
the improvement of risk management processes.” Risk management processes include (1) identification
of context, (2) risk identification, (3) risk assessment and prioritization, (4) risk response, and (5) risk
monitoring.

20- The primary reason that a bank would maintain a separate compliance function is to

A. Better manage perceived high risks.

B. Ensure the independence of line and senior management.

C. Better respond to shareholder expectations.

D. Strengthen controls over the bank’s investments.

Answer (A) is correct.

The risk management process identifies, assesses, manages, and controls potential risk exposures.
Organizations such as brokers, banks, and insurance companies may view risks as sufficiently critical to
warrant continuous oversight and monitoring.

Answer (B) is incorrect.

Risk management is the direct responsibility of management.

Answer (C) is incorrect.

A separate compliance function will help respond to shareholder needs, but this is not its primary
purpose.
Answer (D) is incorrect.
A separate compliance function may help strengthen controls, but this is not its primary purpose.

21- Which of the following are part of the risk analysis process?

1. Estimating the significance of an event

 2. Assessing the event’s likelihood
3. Considering the means to manage the risk

A. 1 and 2 only.

B. 1, 2, and 3.

C. 2 and 3 only.

D. 1 and 3 only.
Answer (A) is incorrect.
The risk analysis process also includes considering the means to manage the risk.

Answer (B) is correct.

The risk analysis process may be formal or informal. It involves estimating the significance of an event,
assessing the event’s likelihood, and considering the means to manage the risk.

Answer (C) is incorrect.

The risk analysis process also includes estimating the significance of an event.

Answer (D) is incorrect.

The risk analysis process also includes assessing the event’s likelihood.

22- Internal audit has prepared the following risk map for the upcoming audit year:
I
LIKELIHOOD
M
P Low Medium High
A High Risk M
C Medium Risk N Risk K
T Low Risk L

Where should the chief audit executive devote the most internal audit resources?

A. Cannot be determined from the information given.

B. All the identified risks should be allocated equal resources.

C. Risk K.

D. Risk M.

Answer (A) is correct.

Risk K and Risk M both have one high risk measure and one medium risk measure, giving them the same
overall risk exposure. Allocating more resources to one over the other cannot be justified based on the
information given.
Answer (B) is incorrect.
Risks K and M clearly have greater overall risk exposure than Risks L and N.

Answer (C) is incorrect.

Risk K and Risk M have the same overall risk exposure. Allocating more resources to one over the other
cannot be justified based on the information given.
Answer (D) is incorrect.
Risk M and Risk K have the same overall risk exposure. Allocating more resources to one over the other
cannot be justified based on the information given.

23- The internal auditors are assessing the risk of fraud involving senior management. An impact factor
is
A. Inadequacy of internal controls.
B. Unusual transactions.
C. Fines and penalties.
D. Potential override of internal controls.

Answer (A) is incorrect.

Inadequacy of internal controls is a risk that normally is identified during risk assessment.

Answer (B) is incorrect.

The existence of complex or unusual transactions is a risk that normally is identified during risk
assessment.
Answer (C) is correct.
An impact factor is a potential result of an event. These events are usually identified through the risk
assessment process. For example, the consequences of fraud may include direct financial loss in the
form of fines and penalties.

Answer (D) is incorrect.

An impact factor is a potential result of an event. Potential override of internal controls is a cause of an
event that normally is identified during risk assessment.

24- A chief audit executive is reviewing the following enterprise-wide risk map:

I
LIKELIHOOD
M
P Remote Possible Likely
A Critical Risk C
C Major Risk B Risk A
T Minor Risk D

Which of the following is the correct prioritization of risks, considering limited resources in the internal
audit activity?
A. Risk C, Risk A, Risk B, Risk D.
B. Risk A, Risk B, Risk C, Risk D.
C. Risk B, Risk C, Risk A, Risk D.
 D. Risk C, Risk A, Risk D, Risk B.

Answer (A) is correct.

Risk is the possibility of an event’s occurrence that could have an impact on the achievement of
objectives. Risk is measured in terms of impact (exposures) and likelihood (probability). Prioritizing is
needed to make decisions for applying resources to engagements based on the relative significance of
their risk and exposure estimates. The best order of priority listed (highest to lowest) is (1) Risk C (likely-
critical), (2) Risk A (possible-major), (3) Risk B (remote-major), and (4) Risk D (remote-minor).

Answer (B) is incorrect.

Risk C has a higher likelihood and a greater impact than Risks A and B.

Answer (C) is incorrect.

Risks C and A clearly take precedence over Risk B. They have a higher likelihood and/or a greater
impact.
Answer (D) is incorrect.
Risk B clearly has a higher priority than Risk D. It has a higher likelihood and a greater impact.

25- Which of the following activities is outside the scope of internal auditing?

A. Ascertaining the extent to which management has established criteria to determine whether objectives have
been accomplished.

B. Evaluating risk exposures regarding compliance with laws and regulations.

C. Safeguarding of assets.

D. Evaluating risk exposures regarding compliance with policies, procedures, and contracts.

Answer (A) is incorrect.

Ascertaining the extent to which management has established adequate criteria to determine whether
objectives have been accomplished is within the scope of internal auditing.

Answer (B) is incorrect.

The internal audit activity must evaluate risk exposures relating to, among other things, the organization’s
compliance with laws, regulations, policies, procedures, and contracts.

Answer (C) is correct.

Safeguarding assets is an operational activity and is therefore beyond the scope of the internal audit
activity. However, the internal audit activity’s assurance function evaluates the adequacy and
effectiveness of controls related to the organization’s governance, operations, and information systems
regarding safeguarding of assets (Perf. Std. 2130).

Answer (D) is incorrect.

Internal auditors must evaluate risk exposures relating to, among other things, the organization’s
compliance with laws, regulations, policies, procedures, and contracts.

26- In the risk management process, management’s view of the internal audit activity’s role is likely to
be determined by all of the following factors except
 A. Organizational culture.
B. Preferences of the independent auditor.
C. Ability of the internal audit staff.
D. Local conditions and customs of the country.

Answer (A) is incorrect.

Organizational culture is a factor that influences management’s view of the role of internal auditing.

Answer (B) is correct.

Ultimately, the role of internal auditing in the risk management process is determined by senior
management and the board. Their view on internal auditing’s role is likely to be determined by factors
such as the culture of the organization, ability of the internal audit staff, and local conditions and customs.

Answer (C) is incorrect.

The ability of the internal audit staff is a factor that influences management’s view of the role of internal
auditing.

Answer (D) is incorrect.

Local conditions and customs of the country influence management’s view of the role of internal auditing.

27- Which of the following statements about risk management is false?

A. The internal audit activity may be directed to recommend improvements.

B. Management ensures that sound risk management processes are functioning.

C. Boards have an oversight function.

D. The internal audit activity may not have a consulting role in identifying, evaluating, and
implementing risk management methods.

Answer (A) is incorrect.

The internal audit activity may be directed to examine, evaluate, report, or recommend improvements.

Answer (B) is incorrect.

This is a true statement.
Answer (C) is incorrect.
Boards do have an oversight function. They determine that risk management processes are in place,
adequate, and effective.

Answer (D) is correct.

The internal audit activity does have a consulting role in identifying, evaluating, and implementing risk
management methods and controls.

28- Which of the following is not a responsibility of the chief audit executive?

A. To follow up on whether appropriate management actions have been taken on significant reported risks.
 B. To coordinate with other internal and external providers of audit and consulting services to ensure proper
coverage and minimize duplication.

C. To oversee the establishment, administration, and assessment of the organization’s system of risk
management processes.

D. To communicate the internal audit activity’s plans and resource requirements to senior management and
the board for review and approval.

Answer (A) is incorrect.

The CAE should establish and maintain a system to monitor the disposition of results communicated to
management.

Answer (B) is incorrect.

The CAE should share information and coordinate activities with other internal and external providers of
relevant assurance and consulting services to ensure proper coverage and minimize duplication of
efforts.
Answer (C) is correct.
Overseeing the establishment, administration, and assessment of the organization’s system of risk
management processes is the role of senior management, not the CAE.

Answer (D) is incorrect.

The CAE should communicate the internal audit activity’s plans and resource requirements, including
significant interim changes, to senior management and to the board for review and approval. The CAE
also should communicate the impact of resource limitations.

29- Risk modeling or risk analysis is often used in conjunction with development of long-range
engagement work schedules. The key input in the evaluation of risk is

A. Judgment of the internal auditors.

B. Management concerns and preferences.

C. Specific requirements of professional standards.

D. Previous engagement results.

Answer (A) is correct.

Assessing the risk of an activity entails analysis of numerous factors, estimation of probabilities and
amounts of potential losses, and an appraisal of the costs and benefits of risk reduction. Consequently, in
assessing the magnitude of risk associated with any factor in a risk model, informed judgment by the
internal auditor is required.

Answer (B) is incorrect.

To assess the risk posed by management concerns, informed judgment of the internal auditor is required.

Answer (C) is incorrect.

Professional standards do not specify the basic inputs for a risk analysis.
Answer (D) is incorrect.
The informed judgment of the internal auditor is still required to assess the magnitude of risk indicated by
previous engagement results.

30- Which risk response reflects a change from acceptance to sharing?

A. Management sold a manufacturing plant.

B. Management purchased insurance on previously uninsured property.

C. An insurance policy on a manufacturing plant was not renewed.

D. After employees stole numerous inventory items, management implemented mandatory

background checks on all employees.

Answer (A) is incorrect.

Selling property avoids all the risks of ownership

Answer (B) is correct.

The categories of risk responses under the COSO ERM model are avoidance, retention (acceptance),
reduction, sharing, and exploitation. If management does not insure a building, the response is
acceptance. Ordinarily, acceptance is based on a judgment that the cost of another response is
excessive. However, once management purchases insurance, the risk is shared with an outside party.

Answer (C) is incorrect.

Not renewing insurance represents a change from risk sharing to risk acceptance.
Answer (D) is incorrect.
Management originally accepted the risk of employee theft by not implementing pre-hire investigation.
Conducting background checks on all employees reduces the risk of theft.

31- Which of the following is the correct order of steps in the risk management process?

1. Identify risks
2. Monitor risk responses
3. Formulate risk responses
4. Assess and prioritize risks
5. Identify context

A. 1, 4, 3, 2, 5.
B. 1, 3, 5, 4, 2.
C. 5, 1, 4, 3, 2.
D. 1, 5, 4, 3, 2.
Answer (A) is incorrect.
Identifying context occurs before identifying risks.
Answer (B) is incorrect.
Identifying context occurs before identifying risks; assessing and prioritizing risks occurs before
formulating risk responses.

Answer (C) is correct.

The correct order of steps in the risk management process is as follows: identify context, identify risks,
assess and prioritize risks, formulate risk responses, and monitor risk responses.

Answer (D) is incorrect.

Identifying context occurs before identifying risks.

32- Which of the following is a false statement about risk responses?

A. Identified risks cannot simply be accepted.

B. Some risks require the creation of elaborate control structures.
C. There is no direct correlation between the severity of a risk and the cost of the response to that
risk.
D. Each organization must assess the relationship between the likelihood and significance of risks.

Answer (A) is correct.

While some risks require the creation of elaborate control structures, others may simply be accepted.

Answer (B) is incorrect.

This is a true statement about risk responses. For example, although the total physical destruction of a
data center may be highly unlikely, if it were to occur, the ability of the entity to function may be
questionable. Therefore, a contingency plan for such an occurrence is almost a necessity.

Answer (C) is incorrect.

There is no direct correlation between the severity of a risk and the cost of the response to that risk.
Answer (D) is incorrect.
Each organization must assess the relationship between the likelihood and significance of risks and must
design the appropriate controls.

33- Senior management has assessed all identifiable risks to the achievement of the organization’s
objectives in terms of both probability and potential effect. The most likely next step is to

A. Adopt the ISO 9000 framework to ensure process quality.

B. Assign the task of ranking the identified risk areas to the internal audit activity.

C. Rank the identified risk areas.

D. Enter into electronic data interchange (EDI) arrangements with the organization’s most important
suppliers.

Answer (A) is incorrect.

Whether adoption of the ISO 9000 framework is appropriate cannot be determined until the risk
assessment is complete.
Answer (B) is incorrect.
Risk management is a key responsibility of senior management and the board and cannot be delegated.

Answer (C) is correct.

After all risks that could impact the achievement of organizational objectives have been identified, the
next step is to rank the risk areas in terms of seriousness, i.e., the combination of probability and potential
impact.

Answer (D) is incorrect.

Whether EDI is appropriate cannot be determined until the risk assessment is complete.

34- Which of the following factors affects the control risk of an organization?

A. Segregation of duties.

B. Unusual pressures on management.

C. Potential problems like technological obsolescence.

D. Complex accounts that require expert valuations.

Answer (A) is correct.
Control risk is the risk that controls fail to effectively manage controllable risks. A common control is
segregation of duties. For example, it separates the responsibilities for authorization of transactions,
recording of transactions, and custody of assets. Thus, segregation of duties affects the control risk of an
organization.

Answer (B) is incorrect.

Although unusual pressures on management could result in management override of controls or fraud,
the existence of pressures alone does not affect control risk.

Answer (C) is incorrect.

Only control activities affect control risk. The identification of a risk is not a control activity.

Answer (D) is incorrect.

The existence of complex accounts requiring expert valuations does not affect control risk.

35- Senior management performed the following steps during its recent deliberations over risk
management:

1. Identified all the risks that might impede the achievement of the company’s mission.
2. Designed new procedures to mitigate the risks associated with surplus equipment, one of
the areas in which the risk of adverse impact was both material and likely.
3. Ensured that the director of surplus management understood and enacted the new
procedures.
4. Reviewed regular reports from internal audit about the effectiveness of the new
procedures for surplus equipment.
The most serious deficiency with the process is that
 A. Internal audit was involved in the process too late.

B. Senior management did not prioritize the identified risks.

C. The board did not create the position of chief risk officer.

D. Senior management did not consult with the director of equipment management before
formulating the risk response.

Answer (A) is incorrect.

The risk management process is management’s responsibility. Monitoring is an appropriate function
within the risk management process to be assigned to the internal audit activity.
Answer (B) is correct.
Management designed risk procedures related to one of the risk areas without regard to the potential
impact of the other identified risks.

Answer (C) is incorrect.

A chief risk officer may be appointed to coordinate the entity’s risk management activities. However, not
all entities can justify creating such a position in terms of the cost/benefit tradeoff.

Answer (D) is incorrect.

While those closest to an activity usually have the most knowledge about it, this is not the most serious
deficiency.

36- An internal auditor plans to conduct an audit of the adequacy of controls over investments in
new financial instruments. Which of the following would not be required as part of such an
engagement?

A. Determine the nature of controls established by the chief financial officer to monitor the risks in
the investments.

B. Determine whether the chief financial officer is getting higher or lower rates of return on
investments than are chief financial officers in comparable organizations.

C. Determine if policies exist which describe the risks the chief financial officer may take and the
types of instruments in which the chief financial officer may make investments.

D. Determine the extent of management oversight over investments in sophisticated instruments.

Answer (A) is incorrect.

A fundamental control concept over cash-like assets is the chief financial officer’s establishment of a
mechanism to monitor the risks.

Answer (B) is correct.

The auditor does not need to develop a comparison of investment returns with those of other
organizations. In some financial investment scandals, such comparisons can be highly misleading
because high returns were due to taking on a high level of risk. Also, this determination does not test the
adequacy of the controls.
Answer (C) is incorrect.
The first step should be to determine the nature of policies established to manage the risks associated
with the investments. New financial instruments are very risky.

Answer (D) is incorrect.

Sophisticated financial instruments are complex by their nature and can carry a high level of risk. Thus,
the auditor should determine the nature of the risk management process established to monitor and
authorize such investments.

37- The internal audit activity of a large not-for-profit organization is reviewing the following results of
senior management’s latest enterprise-wide risk assessment:

Likelihood possible, Impact

Fictitious vendors:
major
Internet intrusion: Likelihood likely, Impact major
Likelihood remote, Impact
Executive nepotism:
critical
Fraudulent Likelihood possible, Impact
fundraising: minor
Based on management’s assessment, where should the chief audit executive devote the most
internal audit resources?

A. Fictitious vendors.
B. Internet intrusion.
C. Executive nepotism.
D. Fraudulent fundraising.

Answer (A) is incorrect.

Fictitious vendors have a lower overall risk exposure than Internet intrusion.

Answer (B) is correct.

With a combination of major impact and likely occurrence, Internet intrusion has the greatest overall risk
exposure and thus should receive the majority of limited internal audit resources.
Answer (C) is incorrect.
Executive nepotism has a lower overall risk exposure than Internet intrusion.

Answer (D) is incorrect.

Fraudulent fundraising has the lowest overall risk exposure of the four identified areas.

38- Senior management has identified the following risk areas within the organization:
Derivatives trading: Likelihood high, Impact high
Materials acquisition: Likelihood low, Impact low
Petty cash: Likelihood high, Impact low
Bond issue: Likelihood low, Impact high
Transportation fleet: Likelihood high, Impact medium
Which of the following is a false statement in terms of overall risk exposure of the areas named?
A. The transportation fleet is riskier than petty cash.
 B. Petty cash is riskier than materials acquisition.
C. The bond issue is riskier than petty cash.
D. The bond issue is riskier than materials acquisition.
Answer (A) is incorrect.
The transportation fleet is riskier than petty cash.

Answer (B) is incorrect.

Petty cash is riskier than materials acquisition.

Answer (C) is correct.

The bond issue and petty cash both have one high risk measure and one low risk measure; i.e., they
have equivalent overall risk exposure.
Answer (D) is incorrect.
The bond issue is riskier than materials acquisition.

39- An internal auditor plans to audit the adequacy of controls over credit approval. Which of the
following is not a required procedure in such an engagement?

A. Determine whether policies exist that place credit limits on individual transactions that exceed
standardized thresholds.
B. Determine whether loans and other liabilities are valued in accordance with industry regulations.
C. Determine the extent of management oversight of loan covenants.
D. Determine the nature of controls established by the chief financial officer to monitor risks in the
acquisition of debt.

Answer (A) is incorrect.

The internal auditor should determine the nature of policies established to manage the risks associated
with credit approval. Credit approval should be subject to policies consistent with the organization’s
tolerance for credit risk.
Answer (B) is correct.
For an engagement to evaluate the controls over credit approval, the internal auditor does not need to
establish valuation criteria for the outstanding debt. Debt already acquired by the organization does not
require further credit approval. Also, the adequacy of controls is not the primary objective of an
engagement involving the valuation of complex debt instruments.

Answer (C) is incorrect.

Oversight by a management committee is an important control. Thus, the auditor should determine the
nature of the risk management process established to monitor and authorize undertakings represented by
loan covenants. The specific process used by an organization must fit its culture, management style, and
business objectives.

Answer (D) is incorrect.

A fundamental control concept over the assumption of liabilities is the chief financial officer’s
establishment of a mechanism to monitor the risks.

40- Which of the following is a false statement concerning risk management?

A. Every risk that could affect achievement of objectives must be considered.

 B. The manager of an operating unit is in the best position to monitor the effects of the chosen risk
response strategies.

C. Risk identification must be performed for the entire entity.

D. Risk management is too important to be delegated to a committee.

Answer (A) is incorrect.

Every risk that could affect achievement of objectives must be considered.

Answer (B) is incorrect.

The manager of an operating unit is in the best position to monitor the effects of the chosen risk response
strategies.
Answer (C) is incorrect.
Risk identification must be performed for the entire entity. Some occurrences may be inconsequential for
the entity but disastrous for an individual unit.

Answer (D) is correct.

In large or complex entities, senior management may appoint a risk committee to review the risks
identified by the various operating units and create a coherent response plan.

41- When assessing the risk associated with an activity, an internal auditor should

A. Update the risk management process based on risk exposures.

B. Design controls to mitigate the identified risks.

C. Provide assurance on the management of the risk.

D. Determine how the risk should best be managed.

Answer (A) is incorrect.

Designing and updating the risk management process is a role of management.
Answer (B) is incorrect.
The design and implementation of controls is the responsibility of management, not internal audit.

Answer (C) is correct.

The internal audit activity must evaluate and contribute to the improvement of processes using a
systematic, disciplined, and risk-based approach. Assurance service is an objective of evidence
examination to provide an independent assessment.

Answer (D) is incorrect.

Risk management is a key responsibility of senior management and the board, not the internal auditor.

42- The Chief Audit Executive’s responsibilities for risk management include which of the following?
 A. Ensuring sound risk management processes are functioning.

B. Having formal discussions with the board about their obligations for understanding, managing,
and monitoring risks.

C. Identifying, evaluating, and implementing risk management methods and control.

D. Determining the internal audit activity’s role in risk management.

Answer (A) is incorrect.

Management is responsible for ensuring that sound risk management processes are functioning. Risk
management processes are designed to fit the organization’s culture, management style, and objectives.

Answer (B) is correct.

The CAE must understand management’s and the board’s expectations of the internal audit activity in risk
management. This understanding is codified in the charters of the internal audit activity and the board. If
the organization has no formal risk management processes, the CAE has formal discussions with
management and the board about their obligations for understanding, managing, and monitoring risks.
Answer (C) is incorrect.
The internal audit activity may be directed to examine, evaluate, report, or recommend improvements to
risk management processes. Additionally, the internal audit activity has a consulting role in identifying,
evaluating, and implementing risk management methods and control.

Answer (D) is incorrect.

Senior management and the board are responsible for determining the internal audit activity’s role in risk
management. This role is based on factors such as organizational culture, abilities of the internal audit
staff, and local conditions and customs.

43- The company maintains a fund to pay for repairs to warehouse equipment. Which risk response
strategy is the company using?

A. Risk sharing.
B. Risk reduction.
C. Risk avoidance.
D. Risk retention.

Answer (A) is incorrect.

Risk sharing transfers some loss potential to another party, for example, having an insurance policy.
However, the company is using a form of self-insurance to manage the risk.

Answer (B) is incorrect.

Risk reduction (mitigation) lowers the level of risk associated with an activity. However, the company is
still exposed to the same level of risk.
Answer (C) is incorrect.
Risk avoidance ends the activity from which the risk arises. However, the company is still exposed to the
risk of equipment repairs.
Answer (D) is correct.
Risk retention accepts the risk of an activity and is synonymous with self-insurance. The company
accepts the risk of equipment repairs by using a form of self-insurance (a company fund) to pay for
repairs.

44- Which of the following threatens the independence of an internal auditor who had participated in
the initial establishment of a risk management process?

A. Evaluating the adequacy and effectiveness of management’s risk processes.

B. Developing assessments and reports on the risk management process.

C. Managing the identified risks.

D. Recommending controls to address the risks identified.

Answer (A) is incorrect.

Internal auditors assist both management and the board by examining, evaluating, reporting, and
recommending improvements on the adequacy and effectiveness of risk management processes.
Answer (B) is incorrect.
Developing assessments and reports on the organization’s risk management processes is not only an
internal audit role but normally also a high audit priority.

Answer (C) is correct.

Assuming management’s responsibility for the risk management process is a potential threat to the
internal audit activity’s independence. It requires a full discussion and board approval.

Answer (D) is incorrect.

Internal auditors may recommend controls.

45- Senior management has identified the following risk areas within the organization:

Derivatives trading: Likelihood high, Impact low

Materials acquisition: Likelihood low, Impact low
Petty cash: Likelihood high, Impact low
Bond issue: Likelihood low, Impact high
Transportation fleet: Likelihood high, Impact medium
Which of the following is a true statement in terms of overall risk exposure of the areas named?

A. The transportation fleet has more risk exposure than the bond issue.
B. Derivatives trading has less risk exposure than the transportation fleet.
C. Materials acquisition has more risk exposure than petty cash.
D. The transportation fleet has less risk exposure than the bond issue.
Answer (A) is incorrect.
Given (1) no values for impact and likelihood and (2) the required assumptions for this simple model, it
cannot be determined whether the transportation fleet or the bond issue has the higher risk exposure.
Their likelihoods and impacts differ in opposite directions. The transportation fleet has the higher
likelihood but the lower impact.

Answer (B) is correct.

Risk exposure is measured in terms of (1) impact on the achievement of the entity’s objectives and (2) the
likelihood (probability) of that impact. In this simple model, no values are assigned to impact and
likelihood. Thus, one required assumption is that risk exposures for risk areas with the same impact and
likelihood can be established only on the basis of professional judgment using factors not given in the
question. A related assumption is needed when one risk area has a high (low) likelihood and a low (high)
impact, and a second risk area has the opposite characteristics. In this case, professional judgment
based on factors not given also is needed to determine which risk area has the higher risk exposure. A
third assumption is that the risk area with the greater likelihood (impact) has a higher risk exposure than a
second risk area with the same impact (likelihood). Based on the assumptions, derivatives trading has
less risk exposure than the transportation fleet. These risk areas have the same likelihood, but the
transportation fleet has a higher impact.

Answer (C) is incorrect.

Materials acquisition has a lower likelihood than, and the same impact as, petty cash. Thus, petty cash
has the greater risk exposure.

Answer (D) is incorrect.

Given (1) no values for impact and likelihood and (2) the required assumptions for this simple model, it
cannot be determined whether the transportation fleet or the bond issue has the higher risk exposure.
Their likelihoods and impacts differ in opposite directions. The transportation fleet has the higher
likelihood but the lower impact.

46- Which of the following is not an activity undertaken as part of risk management?

A. Risk response.

B. Risk analysis.

C. Risk identification.

D. Risk exposure.

Answer (A) is incorrect.

Risk management processes include risk identification, risk analysis, and appropriate risk response.

Answer (B) is incorrect.

Risk management processes include risk identification, risk analysis, and appropriate risk response.

Answer (C) is incorrect.

Risk management processes include risk identification, risk analysis, and appropriate risk response.
Answer (D) is correct.
Risk exposure is a condition, not an activity.

47- Which of the following is a false statement concerning risk management? Risk management
processes

A. Must be quantitative, formal, and embedded in business units.

B. May be formal or informal.
C. May be embedded in business units or centralized.
D. May be quantitative or subjective.

Answer (A) is correct.

Risk management processes may be formal or informal, quantitative or subjective, or embedded in
business units or centralized.

Answer (B) is incorrect.

Risk management processes may be formal or informal.
Answer (C) is incorrect.
Risk management processes may be embedded in business units or centralized.

Answer (D) is incorrect.

Risk management processes may be quantitative or subjective.

48- The internal auditor should evaluate the adequacy of controls over the safeguarding of assets
from all of the following except

A. Misappropriation schemes.

B. Improper employee usage.

C. Exposure to the elements.

D. Underusage of physical facilities.

Answer (A) is incorrect.

The internal auditor should identify assets at risk of being misappropriated.

Answer (B) is incorrect.

The internal auditor should review the approved uses of secure assets and ensure that proper procedures
are applied to their use.

Answer (C) is incorrect.

The internal auditor should identify assets at risk of spoilage or destruction due to improper exposure to
the elements.

Answer (D) is correct.

The internal audit activity must evaluate risk exposures relating to governance, operations, and
information systems regarding the safeguarding of assets (Impl. Std. 2120.A1). For example, internal
auditors evaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the
elements. But underusage of facilities relates to efficiency of operations.

49- Which of the following are core assurance roles provided by the internal audit activity?
 1. Giving assurance on risk management processes
2. Evaluating risk management processes
3. Reviewing the management of key risks
4. Setting the risk appetite

A. 3 and 4 only.
B. 1 and 2 only.
C. 1, 2, and 3 only.
D. 1, 2, and 4 only.

Answer (A) is incorrect.

Setting the risk appetite is not a core assurance role provided by the internal audit activity, but giving
assurance on and evaluating risk management processes are.

Answer (B) is incorrect.

Reviewing the management of key risks is also a core assurance role provided by the internal audit
activity.
Answer (C) is correct.
Giving assurance on risk management processes, evaluating risk management processes, and reviewing
the management of key risks are among the core assurance roles provided by the internal audit activity.

Answer (D) is incorrect.

The internal audit activity should not undertake roles that threaten its independence and objectivity;
therefore, the internal audit activity should not set the risk appetite.

50- Risk modeling in a consulting service is done by ranking the engagement’s potential to

1. Improve management of risk

2. Add value
3. Improve the organization’s operations

A. 1, 2, and 3.
B. 2 and 3 only.
C. 1 and 2 only.
D. 1 and 3 only.

Answer (A) is correct.

Risk modeling in a consulting service is done by ranking the engagement’s potential to (1) improve
management of risks, (2) add value, and (3) improve the organization’s operations (Impl. Std. 2010.C1).
Senior management assigns a weight to each item based on organizational objectives. The engagements
with the appropriate weighted values are included in the annual audit plan.
Answer (B) is incorrect.
Risk modeling in a consulting service also includes ranking the engagement’s potential to improve
management of risk.
Answer (C) is incorrect.
Risk modeling in a consulting service also includes ranking the engagement’s potential to improve the
organization’s operations.

Answer (D) is incorrect.

Risk modeling in a consulting service also includes ranking the engagement’s potential to add value.

51- Risk is measured in terms of

A. Discipline and structure.

B. Conditions that threaten the internal audit’s ability.

C. Adherence to policies, plans, and procedures.

D. Impact and likelihood.

Answer (A) is incorrect.

The control environment provides the discipline and structure for the achievement of the primary
objectives of the system of internal control.
Answer (B) is incorrect.
The IIA Glossary defines independence as the freedom from conditions that threaten the ability of the
internal audit activity to carry out internal audit responsibilities in an unbiased manner.

Answer (C) is incorrect.

The IIA Glossary defines compliance as the adherence to policies, plans, procedures, laws, regulations,
contracts, or other requirements.

Answer (D) is correct.

The IIA Glossary defines risk as the possibility of an event occurring that will have an impact on the
achievement of objectives. Risk is measured in terms of impact and likelihood.

52- Determining whether risk management processes are effective is a judgment resulting from the
internal auditor’s assessment that

1. Organizational objectives support and align with the organization’s mission

2. Significant risks are identified and assessed
3. Appropriate risk responses are selected that align risks with the organization’s risk
appetite
4. Relevant risk information is captured and communicated in a timely manner across the
organization

A. 1 and 4 only.

B. 2 and 3 only.

C. 1, 2, 3, and 4.
 D. 1, 2, and 4 only.

Answer (A) is incorrect.

The internal auditor should also assess whether appropriate risk responses are selected that align risks
with the organization’s risk appetite and whether significant risks are identified and assessed.

Answer (B) is incorrect.

The internal auditor should also assess whether organizational objectives support and align with the
organization’s mission and whether relevant risk information is captured and communicated in a timely
manner across the organization.

Answer (C) is correct.

Determining whether risk management processes are effective is a judgment resulting from the internal
auditor’s assessment that

1. Organizational objectives support and align with the organization’s mission;

2. Significant risks are identified and assessed;
3. Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
4. Relevant risk information is captured and communicated in a timely manner across the
organization, enabling staff, management, and the board to carry out their responsibilities.
Answer (D) is incorrect.
The internal auditor should also assess whether appropriate risk responses are selected that align risks
with the organization’s risk appetite.

53- Which of the following may be assessed by the internal auditor as part of the risk management
process?

1. Significant risks
2. Ongoing monitoring activities
3. Previous risk evaluation reports by management, internal auditors, external auditors, and
any other sources
A. 1 and 3 only.
B. 2 and 3 only.
C. 1 and 2 only.
D. 1 only.

Answer (A) is incorrect.

Review of previous risk evaluation reports by management, internal auditors, external auditors, and any
other sources is an audit procedure, a means of obtaining evidence for an assessment. Moreover,
internal auditors assess ongoing monitoring activities.

Answer (B) is incorrect.

Review of previous risk evaluation reports by management, internal auditors, external auditors, and any
other sources is an audit procedure, and internal auditors assess significant risks.

Answer (C) is correct.

Significant risks and ongoing monitoring activities are assessed by the internal audit activity as part of the
risk management process (Inter. of Std. 2120). But review of previous risk evaluation reports is a means
of obtaining evidence for an assessment.

Answer (D) is incorrect.

Ongoing monitoring activities may also be assessed by the internal auditor to determine the effectiveness
of the risk management process.

54- Which of the following statements regarding monitoring risk responses is false?

A. Operating managers may not always be objective about the risks facing their units.

B. Analyzing risks and responses are among the normal duties of internal auditors.

C. The manager of an operating unit is in the best position to monitor the effects of the chosen risk
response strategies.

D. The two least important sources of information for ongoing assessments of the adequacy of risk
responses are those closest to the activities themselves and the audit function.

Answer (A) is incorrect.

It is true that operating managers may not always be objective about the risks facing their units, especially
if they had a stake in designing a particular response strategy.

Answer (B) is incorrect.

The audit function is an important source of information for ongoing assessments of the adequacy of risk
responses; therefore, analyzing risks and responses are among the normal duties of internal auditors.

Answer (C) is incorrect.

Those closest to the activities themselves are an important source of information for ongoing
assessments of the adequacy of risk responses; therefore, the manager of an operating unit is in the best
position to monitor the effects of the chosen risk response strategies.

Answer (D) is correct.

The two most, not least, important sources of information for ongoing assessments of the adequacy of
risk responses are those closest to the activities themselves and the audit function.

2: (47) COSO Framework -- Enterprise Risk Management (ERM)

1- Which of the following components are supporting aspects of the COSO ERM framework?

A. Performance; review and revision.

B. Governance and culture; information, communication, and reporting.

C. Governance and culture; review and revision.

D. Strategy and objective-setting; performance.

Answer (A) is incorrect.

Performance and review and revision are common process components of the COSO ERM framework.
Answer (B) is correct.
The supporting aspect components of the COSO ERM framework are (1) governance and culture and
(2) information, communication, and reporting.
Answer (C) is incorrect.
Review and revision is a common process component of the COSO ERM framework.

Answer (D) is incorrect.

Strategy and objective-setting and performance are common process components of the COSO ERM
framework.
2- Which of the following qualities should be possessed by a board of directors?

A. All of the answers are correct.

B. A majority of the board should be outside directors.

C. Directors generally should have years of experience in the industry.

D. Directors must be willing to challenge management’s choices.

Answer (A) is correct.

Directors’ attitudes are a key component of the internal environment. They must possess certain qualities
to be effective.

 A majority of the board should be outside directors.

 Directors generally should have years of experience either in the industry or in corporate
governance.
 Directors must be willing to challenge management’s choices. Complacent directors increase the
chances of adverse consequences.

Answer (B) is incorrect.

Directors should also have years of experience in the industry and be willing to challenge management’s
decision.

Answer (C) is incorrect.

A majority of the board should be outside directors, and directors must be willing to challenge
management’s choices.

Answer (D) is incorrect.

A majority of the board should be outside directors, and directors should also have years of experience in
the industry.

3- The performance component of the COSO ERM framework addresses an entity’s

A. Risk identification, assessment, and prioritization methods.

B. Ability to leverage technology.

 C. Performance targets and tolerances.

D. Performance results and consideration of risks.

Answer (A) is correct.

The performance component addresses (1) risk identification, assessment, and prioritization; (2) risk
responses; and (3) the development of a portfolio view of risk.

Answer (B) is incorrect.

The information, communication, and reporting component addresses the leveraging of information and
technology.

Answer (C) is incorrect.

Formulation of business objectives is a risk management principle within the strategy and objective-
setting component. It includes the establishment of performance measures, targets, and tolerances.

Answer (D) is incorrect.

Review of entity performance results and consideration of risk is a risk management principle within the
review and revision component.

4- According to COSO’s ERM framework, which view of risk is fully integrated?

A. Risk view.
B. Risk profile view.
C. Portfolio view.
D. Risk category view.

Answer (A) is incorrect.

A risk view is minimally integrated. Risks are identified and assessed.

Answer (B) is incorrect.

A risk profile view is partially integrated. It is a composite view of the types, severity, and
interdependencies of risks related to a specific strategy or business objective and their effect on
performance.

Answer (C) is correct.

A portfolio view is fully integrated. It is a composite view of the risks related to entity-wide strategy and
business objectives and their effect on entity performance.

Answer (D) is incorrect.

A risk category results from limited integration. The risks identified and assessed in the risk view (minimal
integration) are categorized.

5- What is residual risk?

A. Risk that is under control.

B. Impact of risk.
 C. Underlying risk in the environment.

D. Risk that is not managed.

Answer (A) is incorrect.

Risk that is under control is managed risk.
Answer (B) is incorrect.
The impact of risk is its consequence.

Answer (C) is incorrect.

The underlying risk is the inherent risk.
Answer (D) is correct.
Residual risk is the risk remaining after management takes action to alter its severity. Such action
includes control activities in responding to a risk.

6. When ERM is effective regarding all of the objectives, the board and management have reasonable
assurance that

1. Reporting is reliable
2. Compliance is achieved
3. The extent of achievement of strategic and operations objectives is known
 A. 2 and 3 only.

B. 1 and 2 only.

C. 1 and 3 only.

D. 1, 2, and 3.

Answer (A) is incorrect.

The board and management also have reasonable assurance that reporting is reliable

Answer (B) is incorrect.

The board and management also have reasonable assurance that the extent of achievement of strategic
and operations objectives is known.

Answer (C) is incorrect.

The board and management also have reasonable assurance that compliance is achieved.

Answer (D) is correct.

When ERM is effective regarding all of the objectives, the board and management have reasonable
assurance that (1) reporting is reliable, (2) compliance is achieved, and (3) the extent of achievement of
strategic and operations objectives is known.

7. Which of the following is closely related to traditional risk management instead of enterprise risk
management (ERM)?

A. Emphasis on specific functions.

B. Rapid response to opportunities.

C. Achieving financial goals.

D. Organization-level view of risk.

Answer (A) is correct.

The enterprise risk management approach set forth by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) attempts to approach an organization as a whole instead of focusing on
any specific area or risk.

Answer (B) is incorrect.

Rapid response to opportunities is a characteristic of ERM, which tries to offset potential risks with
opportunities.

Answer (C) is incorrect.

Financial goals are an example of the methods ERM uses to achieve objectives in one or more separate
but overlapping categories.
Answer (D) is incorrect.
ERM tries to view risk as it affects every level of an organization.

8. Which of the following is an example of risk reduction?

A. After considering all the alternatives and implementing control activities, continuing to engage in
the risk-producing activity.

B. Purchasing insurance.

C. Hiring additional employees to perform routine maintenance checks on machinery.

D. Never beginning the risk-producing activity.

Answer (A) is incorrect.

This is an example of risk acceptance.
Answer (B) is incorrect.
Purchasing insurance is a form of risk sharing.

Answer (C) is correct.

Hiring additional employees to perform routine maintenance checks on machinery would reduce the risk
of a complete break-down in machinery and is an example of risk reduction.

Answer (D) is incorrect.

This is an example of risk avoidance.

9. The function of the chief risk officer (CRO) is most effective when the CRO

A. Shares the management of risk with the chief audit executive.

B. Manages risk as a member of senior management.
C. Monitors risk as part of the enterprise risk management team.
D. Shares the management of risk with line management.

Answer (A) is incorrect.

The CAE should not be accountable for a management function.

Answer (B) is incorrect.

Senior management has an oversight role in risk management.

Answer (C) is correct.

A CRO is a member of management assigned primary responsibility for enterprise risk management
processes. The CRO is most effective when supported by a specific team with the necessary expertise
and experience related to organization-wide risk.

Answer (D) is incorrect.

The risk knowledge at the line level is specific only to that area of the organization.

10. Each of the following is a limitation of enterprise risk management (ERM), except

A. ERM operates at different levels with respect to different objectives.

 B. ERM can provide absolute assurance with respect to objective categories.
C. ERM deals with risk, which relates to the future and is inherently uncertain.
D. ERM is as effective as the people responsible for its functioning.

Answer (A) is incorrect.

A limitation of ERM is that different objectives concern different needs, and the ERM attention devoted to
them varies.

Answer (B) is correct.

ERM cannot provide absolute assurance with respect to different objectives. However, if it could, it would
be an advantage, not a limitation.

Answer (C) is incorrect.

ERM is limited because some matters are beyond management’s ability to predict and control.

Answer (D) is incorrect.

Limitations of ERM arise from the possibility of faulty human judgment, simple errors or mistakes,
collusion, and management override.

11. Which of the entity objectives address effectiveness and efficiency?

A. Strategic objectives.
B. Operations objectives.
C. Compliance objectives.
D. Reporting objectives.

Answer (A) is incorrect.

Strategic objectives are consistent with and support the entity’s mission.

Answer (B) is correct.

Operations objectives address effectiveness and efficiency.

Answer (C) is incorrect.

Compliance objectives relate to adherence to laws and regulations.

Answer (D) is incorrect.

Reporting objectives relate to reliability of information contained in reports.

12. Which of the following is not a principle related to the review and revision component of the
COSO ERM framework?

A. The organization develops and evaluates its portfolio view of risk.

B. The organization pursues improvement of ERM.

 C. The organization identifies and assesses changes that may substantially affect strategy and
business objectives.

D. The organization reviews entity performance results and considers risk.

Answer (A) is correct.

“The organization develops and evaluates its portfolio view of risk” is one of the five principles related to
the performance component of the COSO ERM framework. The three principles related to the review and
revision component of the COSO ERM framework are the organization (1) identifies and assesses
changes that may substantially affect strategy and business objectives, (2) reviews entity performance
results and considers risk, and (3) pursues improvement of ERM.

Answer (B) is incorrect.

“The organization pursues improvement of ERM” is one of the three principles related to the review and
revision component of the COSO ERM framework. The organization must continually improve ERM at all
levels, even if actual performance aligns with target performance or tolerance.

Answer (C) is incorrect.

“The organization identifies and assesses changes that may substantially affect strategy and business
objectives” is one of the three principles related to the review and revision component of the COSO ERM
framework. Changes in the organization’s business context and culture are most likely to substantially
affect strategy and business objectives. Such changes may result from changes in the organization’s
internal or external environment.

Answer (D) is incorrect.

“The organization reviews entity performance results and considers risk” is one of the three principles
related to the review and revision component of the COSO ERM framework. Performance results that
deviate from target performance or tolerance may indicate (1) unidentified risks, (2) improperly assessed
risks, (3) new risks, (4) opportunities to accept more risk, or (5) the need to revise target performance or
tolerance.

13. The underlying premise of the COSO ERM framework is that every organization exists to

A. Identify and manage risks.

B. Maximize profits.

C. Provide value for its stakeholders.

D. Achieve strategy and business objectives.

Answer (A) is incorrect.

Risks are identified and managed to provide value for stakeholders.

Answer (B) is incorrect.

ERM’s broad premise is to create, preserve, and realize value for the entity’s stakeholders, not simply to
maximize profits.
Answer (C) is correct.
ERM is defined as the culture, capabilities, and practices, integrated with strategy-setting and
performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

Answer (D) is incorrect.

Strategy and business objectives are the means by which the entity intends to add value for its
stakeholders.

14. Company management completes event identification and analyzes the risks. The company
wishes to assess its risk after management’s response to the risk. According to COSO, which of the
following types of risk does this situation represent?

A. Event risk.

B. Detection risk.

C. Residual risk.

D. Inherent risk.

Answer (A) is incorrect.

Event risk is risk due to unforeseen events taking place.

Answer (B) is incorrect.

Detection risk is the risk that the auditor will conclude that no material errors are present when in fact
there are.

Answer (C) is correct.

Risk that remains even after management’s initial response is residual risk.

Answer (D) is incorrect.

Inherent risk is risk that is natural or that exists in the absence of internal controls.

15. According to COSO, the difference between inherent risk and actual residual risk results because
of management’s

A. Actions to alter the severity of actual residual risk.

B. Inability to alter the severity of inherent risk.

C. Actions to alter the severity of inherent risk.

D. Inability to share the actual residual risk.

Answer (A) is incorrect.

Actual residual risk is the risk that remains after management’s actions to alter its severity.

Answer (B) is incorrect.

The difference results only if management actions alter the severity of inherent risk.
Answer (C) is correct.
Inherent risk is the risk without management actions to alter its severity. Actual residual risk remains after
management actions to alter its severity.
Answer (D) is incorrect.
The inability to share actual residual risk does not create the difference between inherent risk and actual
residual risk. Sharing is a risk response reduces inherent risk.

16. Senior management has identified the trading of marketable securities as a high-risk activity. In
response, a new supervisory position was created. Every evening after the close of business, this
supervisor reviews every trade made during the day. After 6 months of trading marketable securities
under this system, the quantified risk reported by the internal audit activity is termed

A. Responded risk.

B. Managed risk.

C. True risk.

D. Residual risk.

Answer (A) is incorrect.

“Responded risk” is not a meaningful term in this context.

Answer (B) is incorrect.

Managed risk is not as appropriate for this situation as one of the other answer choices.

Answer (C) is incorrect.

“True risk” is not a meaningful term in this context.

Answer (D) is correct.

Residual risk is the risk remaining after management takes action to alter its severity.

17. Company management completes event identification and assesses the severity of risk.
Management then acts to alter the severity of risk. According to COSO, which of the following types
of risk does this situation represent?

A. Inherent risk.

B. Detection risk.

C. Event risk.

D. Actual residual risk.

Answer (A) is incorrect.

Inherent risk is the risk that exists in the absence of management actions to alter its severity, that is, a risk
response in the form of acceptance or pursuit.

Answer (B) is incorrect.

Detection risk is the risk that the audit procedures performed to reduce audit risk to an acceptably low
level will not detect a material misstatement.

Answer (C) is incorrect.

COSO defines an event as an occurrence or set of occurrences. It defines risk as the possibility that
events will occur and affect the achievement of strategy and business objectives.

Answer (D) is correct.

Actual residual risk is the risk that remains after management acts to alter its severity. It should not
exceed target residual risk.

18. Management considers risk appetite for all of the following reasons except

A. Setting risk capacity.

B. Implementing risk responses.
C. Aligning with development of strategy.
D. Aligning with business objectives.

Answer (A) is correct.

Risk appetite consists of the types and amount of risk the entity is willing to accept in pursuit of value.
Among other things, risk appetite should be considered in

1. Aligning with development of strategy.

2. Aligning with business objectives.
3. Prioritizing risks.
4. Implementing risk responses.

Risk capacity is the maximum amount of risk an entity is able to assume. Management considers risk
capacity in setting risk appetite.
Answer (B) is incorrect.
Management considers risk appetite when implementing risk responses.

Answer (C) is incorrect.

Management considers risk appetite when evaluating strategic options.

Answer (D) is incorrect.

Management considers risk appetite when setting objectives.

19. A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it
decided to relocate its production facilities. According to COSO, this decision represents which of the
following responses to the risk?

A. Risk acceptance.
B. Risk sharing.
C. Risk reduction.
D. Prospect theory.

Answer (A) is incorrect.

Risk acceptance takes no action to alter the severity of the risk.
 Answer (B) is incorrect.
Risk sharing transfers some loss potential to another party.

Answer (C) is correct.

Risk reduction (mitigation) reduces the risk so that it is within the target residual risk profile and risk
appetite. By relocating its production facilities, the firm has reduced the risk of having difficulty
sourcing materials locally.

Answer (D) is incorrect.

Prospect theory is not a response to risk according to COSO.

20. According to the COSO ERM framework, which of the following is not a characteristic of business
objectives?

A. Dynamic.

B. Specific.

C. Observable.

D. Measurable.

Answer (A) is correct.

According to the COSO ERM framework, business objectives are (1) specific, (2) measurable, (3)
observable, and (4) obtainable. Business contexts may be characterized as dynamic, complex, or
unpredictable. A dynamic business context means new, emerging, and changing risks can appear at any
time.
Answer (B) is incorrect.
According to the COSO ERM framework, a characteristic of business objectives is that they are specific.

Answer (C) is incorrect.

According to the COSO ERM framework, a characteristic of business objectives is that they are
observable.
Answer (D) is incorrect.
According to the COSO ERM framework, a characteristic of business objectives is that they are
measurable.

21. Which of the following has the greatest effect on the strategy and objective-setting component of
the COSO ERM framework?

A. Reviews of industry peers and peer comparisons.

B. Compliance with obligations and achievement of expectations.
C. Changes in the organization’s business context.
D. Performance results that deviate from target performance.

Answer (A) is incorrect.

Methods of identifying areas for improvement of ERM include continual or separate evaluations, peer
comparisons, and reviews of industry peers. This relates to the review and revision component of the
COSO ERM framework.

Answer (B) is incorrect.

Compliance with obligations and achievement of expectations is one of the factors to be considered in
selecting and implementing risk responses. This relates to the performance component of the COSO
ERM framework.

Answer (C) is correct.

A principle related to the strategy and objective-setting component of the COSO ERM framework is that
the organization analyzes business context and its effect on the risk profile. Thus, changes in the
business context, among the choices, has the greatest effect on the strategy and objective-setting
component.
Answer (D) is incorrect.
Performance results that deviate from target performance or tolerance may indicate unidentified risks,
improperly assessed risks, new risks, opportunities to accept more risk, or the need to revise target
performance or tolerance. This relates to the performance component of the COSO ERM framework.

22. According to COSO, which of the following provides oversight of an entity’s enterprise risk
management (ERM)?

A. Management.
B. The board of directors.
C. The risk officer.
D. Financial executives.

Answer (A) is incorrect.

Management generally has day-to-day responsibility for managing ERM.

Answer (B) is correct.

The board provides risk oversight of ERM culture, capabilities, and practices. Also, board committees
may be formed for this purpose, e.g., a risk committee.
Answer (C) is incorrect.
A risk officer may coordinate risk management activities but will not provide oversight.

Answer (D) is incorrect.

Financial executives may be more involved with the internal auditing activity to ensure that risk
management processes regarding financial reporting are operating effectively. Their involvement with the
internal auditing activity is not oversight of ERM.

23. Enterprise risk management

A. Guarantees achievement of organizational objectives.

B. Involves the identification of events with negative impacts on organizational objectives.

C. Requires establishment of risk and control activities by internal auditors.

D. Includes selection of the best risk response for the organization.

Answer (A) is incorrect.
Risk management processes cannot guarantee achievement of objectives.
Answer (B) is correct.
The IIA Glossary defines risk management as a process to identify, assess, manage, and control
potential events or situations to provide reasonable assurance regarding the achievement of the
organization’s objectives. Thus, enterprise risk management involves the identification of events with
negative effects on achievement of organizational objectives.

Answer (C) is incorrect.

Involvement of internal auditors in establishing control activities impairs their independence and
objectivity.

Answer (D) is incorrect.

Enterprise risk management is concerned with selecting not the best risk response but the risk response
that falls within the enterprise’s risk tolerances and appetite.

24. The components of enterprise risk management (ERM) should be present and functioning. What
does “present” mean?

I. Components exist in the design of ERM.

II. Components exist in the implementation of ERM.
III. Components continue to operate to achieve strategy and business objectives.

A. II only.
B. I and II.
C. I only.
D. I, II, and III.

Answer (A) is incorrect.

The components also should exist in the design of ERM.

Answer (B) is correct.

The components and principles of ERM, and their related controls, should be present and functioning to
help the entity achieve its strategy and business objective. “Present” means such components, principles,
and controls exist in the design and implementation of ERM.

Answer (C) is incorrect.

The components also should exist in the implementation of ERM.

Answer (D) is incorrect.

“Functioning” means the components, principles, and controls continue to operate to achieve strategy and
business objectives.

25. Which of the following statements regarding the chief risk officer is false?

A. The chief risk officer is most effective when supported by a specific team with the necessary
expertise.
 B. The chief risk officer is a member of management assigned primary responsibility for ERM
processes.

C. The creation of a separate risk management function may include the appointment of a chief risk
officer.

D. The chief risk officer should be employed in the internal audit function.

Answer (A) is incorrect.

The chief risk officer is most effective when supported by a specific team with the necessary expertise
and experience related to organization-wide risk.

Answer (B) is incorrect.

It is true that the chief risk officer is a member of management assigned primary responsibility for ERM
processes.

Answer (C) is incorrect.

A separate function may coordinate and manage ERM and apply special skills and knowledge. The
creation of a separate risk management function may include the appointment of a chief risk officer.

Answer (D) is correct.

The chief risk officer should not be employed in the internal audit function.

26. According to COSO, which of the following has day-to-day responsibility for enterprise risk
management?

A. Internal auditors.

B. The board of directors.

C. Management.

D. External auditors.

Answer (A) is incorrect.

Internal auditors have an assurance function (the third line of management accountability). They must
have organizational independence and be objective.
Answer (B) is incorrect.
The board is responsible for risk oversight of ERM culture, capabilities, and practices. But it may delegate
that responsibility to a board committee (e.g., a risk committee).

Answer (C) is correct.

Management generally has day-to-day responsibility for managing risk. The principal owners of risk (first
line of accountability) manage performance and risks taken to achieve strategy and business objectives.

Answer (D) is incorrect.

External auditors must be independent of the entity and therefore must not perform management
functions. However, an external, independent audit provides information useful in managing ERM.
27. According to COSO, the position or internal entity that is best suited, as part of the enterprise risk
management process, to devise and execute risk procedures for a particular department is

A. The chief executive officer.

B. The audit committee.

C. The internal audit department.

D. A manager within the department.

Answer (A) is incorrect.

The CEO has the ultimate responsibility for ERM but does not devise and execute risk procedures for a
particular department on a day-to-day basis.

Answer (B) is incorrect.

The audit committee has an oversight role in relation to ERM, but it is not best suited to devise and
execute risk procedures for a particular department.

Answer (C) is incorrect.

The internal auditors are best suited to evaluate and improve the effectiveness of ERM, but they are not
the best to devise and execute the risk procedures.

Answer (D) is correct.

A manager within a particular department is best suited to devise and execute risk procedures for that
department. (S)he generally has the most knowledge and expertise about the individual risks that
threaten the achievement of business objectives. (S)he also can ensure that the procedures are carried
out on a day-to-day basis.

28. Which of the following activities are included in ERM?

1. Determining risk appetite

2. Identifying potential risks
3. Communicating information on risks consistently and at all levels
4. Providing assurance on the effectiveness of risk management

A. 1, 2, 3, and 4.
B. 2 and 4 only.
C. 1, 2, and 3 only.
D. 1 and 3 only.

Answer (A) is correct.

Determining risk appetite, identifying potential threats, communicating information on risks consistently
and at all levels, and providing assurance on the effectiveness of risk management are among the
activities included in ERM.
Answer (B) is incorrect.
ERM also includes determining risk appetite and communicating information on risks consistently and at
all levels.

Answer (C) is incorrect.

ERM also includes providing assurance on the effectiveness of risk management.
Answer (D) is incorrect.
ERM also includes identifying potential risks and providing assurance on the effectiveness of risk
management.

29. According to COSO, the benefits of enterprise risk management (ERM) include all of the following
except

A. Improved risk identification and management.

B. Improved resource allocation.

C. Decreased performance variability.

D. Elimination of all risks.

Answer (A) is incorrect.

ERM helps improve risk identification and management by integrating ERM practices throughout the
entire organization, starting with strategy selection through performance results.

Answer (B) is incorrect.

ERM helps to improve resource allocation by deploying resources based on the severity and priority of
risks.

Answer (C) is incorrect.

ERM helps management decrease performance variability by setting performance tolerances that align
with strategy, business objectives, and risk appetite.

Answer (D) is correct.

ERM helps to manage risks, but it does not eliminate risks.

30. Which of the following is not a principle related to the information, communication, and reporting
component of the COSO ERM framework?

A. The organization uses communication channels to support ERM.

B. The organization leverages its information systems to support ERM.
C. The organization identifies risks that disrupt operations of the ERM.
D. The organization reports on risk, culture, and performance at multiple levels and across the entity.

Answer (A) is incorrect.

“The organization uses communication channels to support ERM” is one of the three principles related to
the information, communication, and reporting component of the COSO ERM framework. Management
communicates the organization’s strategy and business objectives to internal and external stakeholders.
Communications methods include written documents, electronic messages, public events or forums, and
informal or spoken communications.

Answer (B) is incorrect.

“The organization leverages its information systems to support ERM” is one of the three principles related
to the information, communication, and reporting component of the COSO ERM framework. Data
management practices help ensure that risk information is useful, timely, relevant, and of high quality.

Answer (C) is correct.

“The organization identifies risks that disrupt operations and affect the reasonable expectation of
achieving strategy and business objectives” is one of the five principles related to the performance
component of the COSO ERM framework. The three principles related to the information, communication,
and reporting component of the COSO ERM framework are 1) the organization leverages its information
systems to support ERM, 2) the organization uses communication channels to support ERM, and 3) the
organization reports on risk, culture, and performance at multiple levels and across the entity.

Answer (D) is incorrect.

“The organization reports on risk, culture, and performance at multiple levels and across the entity” is one
of the three principles related to the information, communication, and reporting component of the COSO
ERM framework. The purpose of reporting is to support personnel in their (1) understanding of the
relationships among risk, culture, and performance and (2) decision making related to setting strategy
and objectives, governance, and day-to-day operations.

31. For an enterprise wide risk management program to be most effective, it should be led by which
of the following?

A. A centralized coordinator.

B. A management committee.

C. Audit committee members.

D. The chief audit executive.

Answer (A) is correct.

An enterprise risk management (ERM) program is most effective when led by a centralized coordinator,
such as a risk officer. This person facilitates ERM by working with other managers in establishing
effective risk management in their areas of responsibility.
Answer (B) is incorrect.
Although management is responsible for managing risks and the CEO is ultimately responsible for ERM,
an ERM program is most effective when led by a centralized coordinator.

Answer (C) is incorrect.

As directors, audit committee members provide only oversight of ERM.

Answer (D) is incorrect.

The chief audit executive (CAE) leads the internal audit activity, which is responsible for evaluating and
improving the risk management process. A CAE’s operational responsibility for an ERM program could
impair the objectivity of the internal audit activity.

32. The amount and types of risk an entity is willing to accept in pursuit of value is the definition of
 A. Risk acceptance.

B. Risk response.

C. Risk appetite.

D. Risk.

Answer (A) is incorrect.

Risk acceptance is one of the possible responses to risk.
Answer (B) is incorrect.
Risk response is management’s chosen course of action in regard to an identified risk.
Answer (C) is correct.
Risk appetite is the amount and types of risk an entity is willing to accept in pursuit of value.
Answer (D) is incorrect.
Risk is the possibility that an event will occur and negatively affect the achievement of objectives.

33. An entity defines its risk appetite in which component of the COSO ERM framework?

A. Strategy and objective-setting.

B. Governance and culture.

C. Performance.

D. Control environment.

Answer (A) is correct.

The entity defines risk appetite in the strategy and objective-setting component of ERM. In defining risk
appetite, the entity considers its mission, vision, culture, prior strategies, and risk capacity.
Answer (B) is incorrect.
The entity defines its risk appetite in the strategy and objective-setting component of ERM. The
governance and culture component is the basis for all of the components.

Answer (C) is incorrect.

Although the risk appetite concept is applied in the performance component, it is defined in the strategy
and objective-setting component.

Answer (D) is incorrect.

The control environment is a component of the COSO internal control framework, not the ERM
framework.

34. According to COSO’s ERM framework, which of the following is an essential element of the
governance and culture component?

A. Risk responses.
B. Reports on risk and culture.

C. Information systems.

D. Human capital.

Answer (A) is incorrect.

Implementing risk responses is a principle within the performance component.

Answer (B) is incorrect.

Reporting on risk, culture, and performance is a principle within the review and revision component.

Answer (C) is incorrect.

Leveraging information and technology is a principle within the information, communication, and reporting
component.
Answer (D) is correct.
A principle within the governance and culture component is that the organization attract, develop, and
retain capable individuals.

35. Which of the following members of an organization has ultimate ownership responsibility of the
enterprise risk management, provides leadership and direction to senior managers, and monitors the
entity’s overall risk activities in relation to its risk appetite?

A. Internal auditors.

B. Chief risk officer.

C. Chief financial officer.

D. Chief executive officer.

Answer (A) is incorrect.

The internal auditors evaluate the ERM and may provide recommendations.

Answer (B) is incorrect.

The risk officer works in assigned areas of responsibility in a staff function. The work of a risk officer often
extends beyond one specific area because the officer will have the necessary resources to work across
many segments or divisions.

Answer (C) is incorrect.

The CFO is subordinate to the CEO.

Answer (D) is correct.

The chief executive officer (CEO) sets the tone at the top of the organization and has ultimate
responsibility for ownership of the ERM. The CEO will influence the composition and conduct of the
board, provide leadership and direction to senior managers, and monitor the entity’s overall risk activities
in relation to its risk appetite. If any problems arise with the organization’s risk appetite, the CEO will also
take any measures to adjust the alignment to better suit the organization.
36. The internal auditor who works in enterprise risk management (ERM) may perform each of the
following activities except

A. Evaluating the design of the overall entity.

B. Setting the risk appetite of the organization.

C. Identifying improvement opportunities.

D. Auditing ERM.

Answer (A) is incorrect.

The entity’s assurance functions should be able to evaluate, and make recommendations to improve, the
design and operating effectiveness of the overall entity.
Answer (B) is correct.
Internal auditing performs an assurance function (the third line of management accountability). The
entity’s assurance function (1) audits (reviews) ERM practices, (2) identifies issues and improvements,
(3) makes recommendations, and (4) informs the board and executives of matters needing resolution.
The third line’s independence and objectivity should be enabled by reporting directly to the board. The
third line also should be able to evaluate, and make recommendations to improve, the design and
operating effectiveness of the overall entity. However, the first line of accountability determines the
entity’s risk appetite. Risk appetite consists of the types and amount of risk the organization is willing to
accept in pursuit of value. Subject to board approval, management sets the risk appetite.

Answer (C) is incorrect.

The entity’s assurance functions identify issues and improvements.
Answer (D) is incorrect.
The entity’s assurance functions (the third line of management accountability) include audit (review) of
ERM practices.

37. According to the COSO ERM framework, which of following best describes the difference
between strategy and business objectives?

A. Strategy is the plan to achieve business objectives.

B. Strategy is the organization’s core purpose, and business objectives are what the organization
aspires to achieve over time.

C. Business objectives are the steps to achieve strategy.

D. Business objectives are broader in scope than strategy.

Answer (A) is incorrect.

Strategy is the plan to achieve the organization’s mission and vision and apply its core values.

Answer (B) is incorrect.

Mission is the organization’s core purpose, but vision is its aspirations for what it intends to achieve over
time.
Answer (C) is correct.
Strategy is the plan to achieve the entity’s mission and vision and apply its core values. Business
objectives are the measurable steps taken to achieve the entity’s strategy.

Answer (D) is incorrect.

Strategy is the overall plan to achieve the organization’s mission and vision. It reflects a broader scope
than business objectives.

38. According to COSO, the component of enterprise risk management (ERM) that best relates to
continuous improvement is

A. Review and revision.

B. Monitoring.

C. Information, communication, and reporting.

D. Strategy and objective-setting.

Answer (A) is correct.

A principle related to the review and revision component states that the organization must continually
improve ERM at all levels even if actual performance aligns with target performance or tolerance.

Answer (B) is incorrect.

Monitoring is a component of the COSO internal control framework, not the ERM framework.

Answer (C) is incorrect.

Although the information, communication, and reporting component addresses how areas for
improvement may be communicated and reported, no related principles guide continuous improvement
efforts.

Answer (D) is incorrect.

No principles related to the strategy and objective-setting component guide continuous improvement
efforts.

39. Inherent risk is

A. A risk response.

B. The risk when management has not taken action to reduce the impact or likelihood of an adverse
event.

C. The risk after management takes action to alter its severity.

D. A potential event that may affect the achievement of strategy and business objectives.

Answer (A) is incorrect.

A risk response is an action taken to bring identified risks within the entity’s risk appetite.
Answer (B) is correct.
Inherent risk is the risk when management does not act to alter its severity. Severity commonly is
measured as a combination of impact and likelihood.

Answer (C) is incorrect.

The risk remaining after management takes action to alter its severity is actual residual risk.

Answer (D) is incorrect.

A risk event is a potential event that may affect the entity adversely.

40. An organization determined that its variable interest rate on an existing loan will increase
significantly in the near future. It therefore decided to hedge its variable rate by locking in a fixed rate
over the remaining loan period. According to the COSO ERM framework, this decision is which
response to risk?

A. Sharing.

B. Avoidance.

C. Acceptance.

D. Reduction.

Answer (A) is correct.

Sharing reduces the severity of the risk by transferring some risk to another party. Examples are
insurance; hedging; joint ventures; outsourcing; and contractual agreements with customers, vendors, or
other business partners.

Answer (B) is incorrect.

Avoidance is action to remove the risk. An action to remove variable interest rate risk is to pay the loan,
for example, by refinancing (not hedging) at a fixed rate.

Answer (C) is incorrect.

Acceptance takes no action to alter the severity of the risk.

Answer (D) is incorrect.

Reduction lowers the severity of the risk without transferring a portion of the risk.

41. According to COSO, ERM is best defined as

A. A process, effected by an entity’s board of directors, management, and other personnel,

designed to provide reasonable assurance regarding the achievement of objectives relating to
operations, reporting, and compliance.

B. A process that takes a control-based approach to an organization.

C. The culture, capabilities, and practices that organizations rely on to manage risk in creating,
preserving, and realizing value.

D. A serial process in which one component affects only the next component.
Answer (A) is incorrect.
The COSO’s internal control framework is a process, effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives relating to operations, reporting, and compliance. The COSO ERM framework
complements and incorporates some concepts of, the COSO internal control framework.

Answer (B) is incorrect.

The COSO ERM framework takes a risk-based approach to an organization.

Answer (C) is correct.

The COSO ERM framework is a basis for coordinating and integrating all of an organization’s risk
management activities. Effective integration (1) improves decision-making, and (2) enhances
performance. It is defined as the culture, capabilities, and practices that organizations rely on to manage
risk in creating, preserving, and realizing value.

Answer (D) is incorrect.

The components are interrelated. For example, the governance and culture component affects all
components.

42. Which of the following is a factor affecting risk?

A. New personnel.

B. Rapid growth.

C. All of the answers are correct.

D. New or revamped information systems.

Answer (A) is incorrect.

New or revamped information systems and rapid growth are also factors affecting risk.

Answer (B) is incorrect.

New personnel and new or revamped information systems are also factors affecting risk.

Answer (C) is correct.

New personnel, new or revamped information systems, and rapid growth are all factors that affect risk.

Answer (D) is incorrect.

New personnel and rapid growth are also factors affecting risk.

43. According to COSO, a risk profile is a view of the relationship between

A. Risk and performance.

B. Inherent risk and target residual risk.

C. Risk capacity and risk appetite.

D. Tolerance and risk appetite.

Answer (A) is correct.
A risk profile is a composite view of (1) the types, severity, and interdependencies of risks related to a
specific strategy or business objective and (2) their effect on performance.

Answer (B) is incorrect.

Inherent risk is the risk in the absence of management actions to alter its severity. Target residual risk is
the risk the entity prefers to assume knowing that management has acted to alter its severity. But the risk
profile relates risk to a strategy or objective.

Answer (C) is incorrect.

An entity’s risk capacity is the maximum that can be assumed. The risk appetite is the maximum the entity
is willing to accept. Both appear on the risk profile. But the purpose of the profile is to view the
relationship between risks and a specific strategy or business objective and their effect on performance.

44. According to COSO, which component of enterprise risk management (ERM) addresses an
entity’s operating structures and core values?

A. Review and revision.

B. Information, communication, and reporting.

C. Governance and culture.

D. Strategy and objective-setting.

Answer (A) is incorrect.

The review and revision component addresses the review of, and changes in, strategy, performance
targets and tolerance, and ERM practices.
Answer (B) is incorrect.
The information, communication, and reporting component addresses information systems,
communication channels, and reporting (on risk, culture, and performance).

Answer (C) is correct.

The governance and culture component addresses board responsibilities, operating structures, and core
values, among others.

Answer (D) is incorrect.

The strategy and objective-setting component addresses business context, risk appetite, strategy
selection, and business objectives.

45. Which of the following is not a function of senior management with regard to enterprise risk
management (ERM)?

A. Determining the risk response to inherent risk.

B. Setting the organization’s risk appetite.

C. Approving the provisions of the internal audit charter dealing with risk management.
D. Establishing a consistent risk management philosophy across the whole entity.

Answer (A) is incorrect.

Inherent risk is the risk in the absence of a risk response. Management makes risk response decisions.

Answer (B) is incorrect.

Along with the board, senior management sets the organization’s risk appetite.

Answer (C) is correct.

Approving the entire internal audit charter is a responsibility of the board.

Answer (D) is incorrect.

If senior management establishes a consistent risk management philosophy, all parts of the entity can
respond to risk appropriately.

46. Banks provide reconciliation statements to their clients. From the clients’ perspective, this
practice is a form of which method of managing risks associated with cash?

A. Reduction.

B. Accepting.

C. Avoiding.

D. Transferring.

Answer (A) is correct.

Risk responses may include avoidance, acceptance, sharing, pursuit, and reduction. By using bank
reconciliations, businesses can reduce the risk of theft and misappropriation.

Answer (B) is incorrect.

Using a bank reconciliation reduces, but does not accept, the risk associated with theft of cash.

Answer (C) is incorrect.

The risk of theft is not avoided through use of a bank reconciliation.

Answer (D) is incorrect.

Risk is not transferred to anyone else. The risk of theft is not being transferred to the bank.

47. According to the COSO ERM framework, the characteristic of risk that reflects its nature and
scope is
A. Persistence.
B. Velocity.
C. Complexity.
D. Severity.

Answer (A) is incorrect.

Persistence is how long a risk affects an entity, including the time it takes the entity to recover.

Answer (B) is incorrect.

Velocity is the speed at which a risk affects the entity.
Answer (C) is correct.
Complexity is the nature and scope of a risk. Interdependence of risks ordinarily increases their
complexity.
Answer (D) is incorrect.
Common measures of severity are combinations of a risk’s impact and likelihood.

3: (10) ISO 31000 Risk Management Framework

1- Which of the following is not a component of the ISO 31000 model?

A. Monitoring and review.

B. Continual improvement.

C. Unitary control framework.

D. Design of framework.

Answer (A) is incorrect.

Monitoring and review is a component of the ISO 31000 model.

Answer (B) is incorrect.

Continual improvement is a component of the ISO 31000 model.

Answer (C) is correct.

“Unitary control framework” is not a component of the ISO 31000 model.
Answer (D) is incorrect.
Design of framework is a component of the ISO 31000 model.

2- Which of the following approaches to providing assurance on the risk management process is
based on the principle that effective risk management processes develop as value is added at each
stage of maturation?

A. The process element approach.

B. The maturity model approach.

C. The key principles approach.

D. None of the answers are correct.

Answer (A) is incorrect.
The process element approach determines whether certain elements (i.e., formal risk identification, formal
risk analysis, risk evaluation, etc.) have been implemented.

Answer (B) is correct.

The maturity model approach is based on the principle that effective risk management processes develop
as value is added at each stage of maturation. Accordingly, this approach determines where risk
management is on the maturity curve and whether it (1) is progressing as expected, (2) adds value, and
(3) meets organizational needs.

Answer (C) is incorrect.

The key principles approach determines the extent to which risk management creates and protects value,
is fully integrated with management at all levels, is part of decision making, directly addresses uncertainty
in risk assessment, is systematic, is based on the best available information, is adapted to the specific
entity, considers human and cultural factors so that results are helpful to users of the process, is
transparent and inclusive of stakeholders, remains relevant, and promotes continuous improvement.

Answer (D) is incorrect.

One of the answers is correct.

3- The elements of the ISO 31000 risk management process include all of the following except
A. Risk analysis.
B. Risk treatment.
C. Risk appetite.
D. Risk identification.

Answer (A) is incorrect.

Risk analysis is an element of the ISO 31000 risk management process. Risk analysis considers the
impact and likelihood of each risk.
Answer (B) is incorrect.
Risk treatment is an element of the ISO 31000 risk management process. Risk treatment decides on an
appropriate risk response (avoid, share, reduce, or accept) that is consistent with the organization’s risk
appetite.

Answer (C) is correct.

The ISO risk management process consists of seven elements: (1) communication and consultation
requires ongoing, structured communication and consultation with those affected in the organization’s
operations; (2) establishing the context identifies and understands the external and internal factors that
will influence the organization’s risk management; (3) risk identification considers sources of risk, areas of
impact, and potential events and their causes and consequences; (4) risk analysis considers the impact
and likelihood of each risk; (5) risk evaluation prioritizes the identified risks; (6) risk treatment decides on
an appropriate risk response that is consistent with the organization’s risk appetite; and (7) monitor and
review evaluates whether the risk treatments are effective. Risk appetite is the amount of risk the
organization is willing to accept. It is considered during risk treatment, but is not a separate element.

Answer (D) is incorrect.

Risk identification is an element of the ISO 31000 risk management process. Risk identification considers
sources of risk, areas of impact, and potential events and their causes and consequences.

4- The monitoring and review component of the ISO 31000 risk management framework

A. Assesses the effectiveness of risk management processes.

B. Ensures the long-term effectiveness of risk management processes.

 C. Ensures sufficient resources have been committed.

D. Assists the organization in achieving its directives.

Answer (A) is correct.

The ISO 31000 risk management framework consists of five components: (1) a mandate and commitment
by the board and senior management, (2) the design of a framework for managing risk, (3) implementing
risk management, (4) monitoring and review of the framework, and (5) continual improvement of the
framework. Monitoring and review of the framework assesses the effectiveness of risk management
processes.

Answer (B) is incorrect.

This is the purpose of the continual improvement component of the ISO 31000 risk management
framework.

Answer (C) is incorrect.

This is a purpose of the mandate and commitment component of the ISO 31000 risk management
framework.

Answer (D) is incorrect.

This is the purpose of the implementation component of the ISO 31000 risk management framework.

5- The ISO 31000 model describes three approaches to providing assurance on risk management
processes. Which of the following is not one of these approaches?

A. Negative assurance.

B. Process element.

C. Key principles.

D. Maturity model.

Answer (A) is correct.

Negative assurance is not a concept applicable to providing assurance on risk management processes
described in the ISO 31000 model.
Answer (B) is incorrect.
The process element approach determines whether each element has been implemented.
Answer (C) is incorrect.
The key principles approach determines the extent to which risk management creates and protects value,
is fully integrated with management at all levels, etc.

Answer (D) is incorrect.

The maturity model approach is based on the principle that effective risk management processes develop
as value is added at each stage of maturation.

6- The maturity model approach to providing assurance on the risk management process determines
where risk management is on the maturity curve and whether
 1. It is progressing as expected
2. It adds value
3. It meets organizational needs

A.1, 2, and 3.
B.1 and 2 only.
C.2 and 3 only.
D.1 and 3 only.
Answer (A) is correct.
The maturity model approach is based on the principle that effective risk management processes develop
as value is added at each stage of maturation. Accordingly, this approach determines where risk
management is on the maturity curve and whether (1) it is progressing as expected, (2) adds value, and
(3) meets organizational needs.

Answer (B) is incorrect.

The maturity model approach also determines whether risk management meets organizational needs.

Answer (C) is incorrect.

The maturity model approach also determines whether risk management is progressing as expected.

Answer (D) is incorrect.

The maturity model approach also determines whether risk management adds value.

7- According to ISO 31000, which of the following is not a principle of risk management?

A. Promotes continuous improvement.

B. Explicitly addresses uncertainty.
C. Considers human and cultural factors.
D. Delegates accountability and authority.

Answer (A) is incorrect.

A principle of risk management according to ISO 31000 is that risk management promotes continuous
improvement.

Answer (B) is incorrect.

A principle of risk management according to ISO 31000 is that risk management explicitly addresses
uncertainty.

Answer (C) is incorrect.

A principle of risk management according to ISO 31000 is that risk management considers human and
cultural factors.
Answer (D) is correct.
According to the ISO 31000 risk management framework, 11 principles are the foundation for an effective
risk management process. These principles state that risk management (1) creates and protects value;
(2) is an integral part of organizational processes; (3) is part of decision making; (4) explicitly addresses
uncertainty; (5) is systematic, structured, and timely; (6) is based on the best available information; (7) is
tailored to each organization; (8) considers human and cultural factors; (9) is transparent and inclusive;
(10) is dynamic, repetitive, and responsive to change; and (11) promotes continuous improvement.

8- According to the ISO 31000 risk management framework, the board is responsible for

A. Identifying and managing risks.

B. Setting the organization’s risk attitude.
C. Overseeing risk management.
D. Providing assurance regarding the risk management system.

Answer (A) is incorrect.

Management is responsible for identifying and managing risks. Management must focus on risks at all
levels of the entity and take the necessary action to manage them.

Answer (B) is incorrect.

Management is responsible for setting the organization’s risk attitude, which is defined by ISO as an
“organization’s approach to assess and eventually pursue, retain, take, or turn away from risk.”
Management also identifies and manages risks.

Answer (C) is correct.

According to the ISO 31000 risk management framework, the board is responsible for overseeing risk
management and has overall responsibility for ensuring that risk management processes are in place,
adequate, and effective.

Answer (D) is incorrect.

The internal audit activity is responsible for providing assurance regarding the entire risk management
system. Standard 2120 states, “The internal audit activity must evaluate the effectiveness and contribute
to the improvement of risk management processes.”

9- The ISO 31000 approach to risk management is

A. Principles based.
B. Resource based.
C. Process based.
D. Objective based.

Answer (A) is correct.

The ISO 31000 is a principles-based approach to risk management. It states 11 principles that are the
foundation for an effective risk management process. Risk management (1) creates and protects value;
(2) is an integral part of organizational processes; (3) is part of decision making; (4) explicitly addresses
uncertainty; (5) is systematic, structured, and timely; (6) is based on the best available information; (7) is
tailored to each organization; (8) considers human and cultural factors; (9) is transparent and inclusive;
(10) is dynamic, repetitive, and responsive to change; and (11) promotes continuous improvement.

Answer (B) is incorrect.

The ISO 31000 approach to risk management is principles based, not resource based.
Answer (C) is incorrect.
The ISO 31000 approach to risk management is principles based, not process based.

Answer (D) is incorrect.

The COSO ERM approach to risk management is objective based.

10- According to ISO 31000, the design of a risk management framework involves all of the following
except

A. Integrating risk management into organizational processes.

B. Deciding on an appropriate risk response.

C. Allocating the necessary resources.

D. Establishing communication and reporting methods.

Answer (A) is incorrect.

According to a component of ISO 31000, the design of a framework for managing risk involves integrating
risk management into organizational processes.

Answer (B) is correct.

Deciding on an appropriate risk response is not involved in the design of a risk management framework
according to ISO 31000. According to a component of ISO 31000, the design of a framework for
managing risk ensures a foundation is established for effective risk management processes. This
foundation involves (1) understanding the organization and its context, (2) establishing a risk
management policy, (3) delegating accountability and authority, (4) integrating risk management into
organizational processes, (5) allocating the necessary resources, and (6) establishing internal and
external communication and reporting methods.

Answer (C) is incorrect.

According to a component of ISO 31000, the design of a framework for managing risk involves allocating
the necessary resources as part of the foundation for establishment of effective risk management
processes.

Answer (D) is incorrect.

According to a component of ISO 31000, the design of a framework for managing risk involves
establishing communication and reporting methods.