
C4,5,6


Uploaded by

khanhly7102003

CHAPTER 4: RISK MANAGEMENT

1. According to COSO ERM (enterprise risk management), which of the following is not an
inherent challenge that arises as part of establishing strategy and
business objectives?
a. Ensuring culture is clearly articulated by the board.
b. Possibility of strategy not aligning.
c. Implications from the strategy chosen.
d. Risk to achieving the strategy.
PAGE 135
Setting and communicating culture is not part of establishing strategy and business
objectives. Also, while the board has a role in setting the culture, management is primarily
responsible for communicating it throughout the organization.
2. Which of the following external events will most likely impact a defense contractor
that relies on large government contracts for its success?
a. Economic event.
b. Natural environment event.
c. Political event.
d. Social event.
3. Which of the following is not an example of a risk-sharing strategy?
a. Outsourcing a noncore, high-risk area.
b. Selling a nonstrategic business unit.
c. Hedging against interest rate fluctuations.
d. Buying an insurance policy to protect against adverse weather.
Selling a business unit is a risk avoidance strategy, not sharing.
4. An organization tracks a website hosting anonymous blogs about its industry. Recently,
anonymous posts have focused on potential legislation that could have a dramatic
effect on this industry. Which of the following may create the greatest risk if this organization
makes business decisions based on the information contained on this website?
a. Appropriateness of the information.
b. Timeliness of the information.
c. Accessibility of the information.
d. Accuracy and reliability of the information.
5. Which of the following risk management activities is out of sequence in terms of timing?
a. Identify, assess, and prioritize risks.
b. Develop risk responses/treatments.
c. Determine key organizational objectives.
d. Monitor the effectiveness of risk responses/treatments.
Key organizational objectives must be determined before the risks that threaten the
achievement of the objectives can be identified, assessed, and prioritized.
6. Who is responsible for implementing ERM?
a. The chief financial officer.
b. The chief audit executive.
c. The chief compliance officer.
d. Management throughout the organization.
7. Which of the following is not a potential value driver for
implementing ERM?
a. Financial results will improve in the short run.
b. There will be fewer surprises from year to year.
c. There will be better information available to make risk decisions.
d. An organization’s risk appetite can be aligned with strategic planning.
While there may be long-term financial benefits from ERM, organizations should not expect to
see such benefits in the short run.
8. Which of the following is the best reason for the CAE to consider the organization’s strategic
plan in developing the annual internal audit plan?
a. To emphasize the importance of the internal audit function to the organization.
b. To ensure that the internal audit plan will be approved by senior management.
c. To make recommendations to improve the strategic plan.
d. To ensure that the internal audit plan supports the overall business objectives.
It is important to align the internal audit plan with the organization’s business objectives.
9. When senior management accepts a level of residual risk that the CAE believes is
unacceptable to the organization, the CAE should:
a. Report the unacceptable risk level immediately to the chair of the audit committee and the
independent outside audit firm partner.
b. Resign his or her position in the organization.
c. Discuss the matter with knowledgeable members of senior management and, if not resolved,
take it to the audit committee.
d. Accept senior management’s position because it establishes the risk appetite for the
organization.
10. The CAE is asked to lead the enterprise risk assessment as part of an organization’s
implementation of ERM. Which of the following would not be relevant with respect to protecting
the internal audit function’s independence and the objectivity of its internal auditors?
a. A cross-section of management is involved in assessing the impact and likelihood of each risk.
b. Risk owners are assigned responsibility for each key risk.
c. A member of senior management presents the results of the risk assessment to the board and
communicates that it represents the organization’s risk profile.
d. The internal audit function obtains assistance from an outside consultant in the conduct of the
formal risk assessment session.
Utilizing an outside consultant does not necessarily eliminate the impairment of
the internal auditor’s objectivity. The function may still be perceived to have responsibility for
performing a management function.
11. An internal audit engagement was included in the approved internal audit plan. This is
considered a moderately high-risk audit based on the internal audit function’s risk model. It is
currently on a two-year audit cycle. Which of the following will likely have the
greatest impact on the scope and approach of the internal audit engagement?
a. The area being audited involves the processing of a high volume of transactions.
b. Certain components of the process are outsourced.
c. A new system was implemented during the year, which changed how the transactions are
processed.
d. The total dollars processed in this area are material.
The other factors will influence the overall risk rating of the audit project.
12. When assessing the risk associated with an activity, an internal auditor should:
a. Determine how the risk should best be managed.
b. Provide assurance on the management of the risk.
c. Update the risk management process based on risk exposures.
d. Design controls to mitigate the identified risks.
13. One of the challenges of ERM in an organization that has a centralized structure is that:
a. It may be difficult to raise awareness of the impact of work actions on other employees or
work areas.
b. Employees in these structures are inherently less risk averse.
c. Managers have less incentive to implement and monitor controls.
d. Effective controls are more difficult to design, and consistent application is more difficult to
achieve across the organization.
In a centralized structure, most communication is vertical, up and down a
hierarchical chain of command. This impedes communication and awareness across
functional lines, which can be an obstacle for ERM.
14. The function of the chief risk officer is most effective when he or she:
a. Manages risk as a member of senior management.
b. Shares the management of risk with line management.
c. Shares the management of risk with the CAE.
d. Monitors risk as part of the ERM team.
CRO is most effective when supported by a specific team with the necessary expertise and
experience related to organizational risk.
15. Enterprise risk management:
a. Guarantees achievement of business objectives.
b. Requires establishment of risk and control activities by internal auditors.
c. Involves the identification of events with negative impacts on business objectives.
d. Includes selection of best risk response for the organization.
CHAPTER 5: BUSINESS PROCESSES AND RISKS
1. In assessing organizational risk in a manufacturing organization, which of the following would
have the greatest long-range impact on the organization?
a. Advertising budget.
b. Production scheduling.
c. Inventory policy.
d. Product quality.
Product quality presents the most significant risk to the long-term success of a
manufacturing organization. Advertising budget, production scheduling,
and inventory policy have secondary and short-term impacts on long-term objectives, but
alone would not determine long-range success.
2. Internal auditors often prepare process maps and reference portions of these
maps to narrative descriptions of certain activities. This is an appropriate
procedure to:
a. Determine the ability of the activities to produce reliable information.
b. Obtain the understanding necessary to test the process.
c. Document that the process meets internal audit standards.
d. Determine whether the process meets established management objectives.
3. What is a business process?
a. How management plans to achieve the organization’s objectives.
b. The set of connected activities linked with each other for the purpose of achieving an objective
or goal.
c. A group of interacting, interrelated, or interdependent elements forming a complex
whole.
d. A finite endeavor (having specific start and completion dates) undertaken to create a unique
product or service that brings about beneficial change or added value.
4. If a risk appears in the bottom right of quadrant II in the above risk control map, it means that:
a. There is an appropriate balance between risk and control.
b. The controls may be excessive relative to the risk.
c. The controls may be inadequate relative to the risk.
d. There is not enough information to make a judgment.
Following cost/benefit principles, processes with lower risk significance should generally have
fewer resources devoted to managing those risks. Since the control effectiveness is high in this
question, the controls may be excessive relative to the risk.
5. If a risk appears in the middle of quadrant IV in the above risk control map, it means that:
a. There is an appropriate balance between risk and control.
b. The controls may be excessive relative to the risk.
c. The controls may be inadequate relative to the risk.
d. There is not enough information to make a judgment.
Since the risk significance is so high, it is very important that the organization have high control
effectiveness.
6. Which of the following circumstances would concern the internal auditor the most?
a. A risk in the lower left corner of quadrant I.
b. A risk in the lower right corner of quadrant II.
c. A risk in the upper left corner of quadrant III.
d. A risk in the upper right corner of quadrant IV.
This risk is highly significant but control effectiveness is low, indicating the risk is not likely to
be managed to an acceptable level.
7. Which of the following are business processes?

I. Strategic planning.
II. Review and write-off of delinquent loans.
III. Safeguarding of assets.
IV. Remittance of payroll taxes to the respective tax authorities.

a. I and III.
b. II and IV.
c. I, II, and IV.
d. I, II, III, and IV.
All of these choices could be part of an organization's business processes. Safeguarding of assets
is an important control objective, but it is not a business process.

8. Which of the following symbols in a process map will most likely contain a question?
a. Rectangle.
b. Diamond.
c. Arrow.
d. Oval.
A diamond symbol represents a decision that is made; therefore, a question is typically included
in the symbol.
9. After business risks have been identified, they should be assessed in terms of their inherent:
a. Impact and likelihood.
b. Likelihood and probability.
c. Significance and severity.
d. Significance and control effectiveness.
Inherent impact and likelihood are the common risk assessment criteria.
10. In a risk by process matrix, a process that helps to manage a risk indirectly would be shown
to have:
a. A key link.
b. A secondary link.
c. An indirect link.
d. No link at all.
When a process manages a risk in an indirect manner, it is considered a secondary link.
11. A major upgrade to an important information system would most likely represent a high:
a. External risk factor.
b. Internal risk factor.
c. Other risk factor.
d. Likelihood of future systems problems.
An important information system upgrade would represent a significant change in operations,
processes, personnel, or technology, which is factor #8 in exhibit 5-12.
12. Which of the following is true regarding business process outsourcing?
a. Outsourcing a core, high-risk business process reduces the overall operational risk.
b. Outsourced processes should not be included in the internal audit universe.
c. The independent outside auditor is required to review all significant outsourced business
processes.
d. Management’s controls to ensure the outsourcing provider meets contractual performance
requirements should be tested by the internal audit function.
Outsourcing a business process does not allow management to abdicate responsibility for
ensuring the process operates effectively. Therefore, performance requirements should be built
into the outsourcing contract.

13. A company has recently outsourced its payroll process to a third-party service provider. An
audit team was scheduled to audit payroll controls in the annual audit plan prepared prior to the
outsourcing. What action should the audit team take, considering the outsourcing decision?
a. Cancel the engagement, because the processing is being performed outside the organization.
b. Review only the controls over payments to the third-party provider based on the contract.
c. Review only the company’s controls over data sent to and received from the third-party service
provider.
d. Review the controls over payroll processing in both the company and the third-party service
provider.
Management of the company is still accountable for the risks, so controls at the third-party
processor and the user organization are both important. As the controls at the third party and the
user organization interact, both must be reviewed. Although the process is being performed
outside the organization, the third party is an extension of the organization’s payroll process. The
risk here may actually increase because an external party controls part of the control
environment.
14. Which flowcharting symbol indicates the start or end of a process?
a. Arrow.
b. Diamond.
c. Oval.
d. Rectangle.
An oval is used to indicate the start or end of a flow.
15. How does a control manage a specific risk?
a. It reduces the likelihood of the event giving rise to the risk.
b. It reduces the impact of the event giving rise to the risk.
c. It reduces either likelihood or impact or both.
d. It prevents the occurrence of the event.
A control can reduce event likelihood, or reduce the event impact, or both. In each case, the risk
is lessened.
CHAPTER 6: INTERNAL CONTROL
1. Which of the following best describes an internal auditor’s purpose in reviewing the
organization’s existing governance, risk management, and control processes?
a. To help determine the nature, timing, and extent of tests necessary to achieve engagement
objectives.
b. To ensure that weaknesses in the internal control system are corrected.
c. To provide reasonable assurance that the processes will enable the organization’s objectives
and goals to be met efficiently and economically.
d. To determine whether the processes ensure that the accounting records are correct and that
financial statements are fairly stated.
Answer A is incorrect because it is a purpose of audit planning. Answer B is incorrect because
correcting control weaknesses is a function of management, not of the internal auditor. Answer D
is incorrect because it is a basic objective from a financial accounting and auditing perspective,
but it is not broad enough to cover the internal auditor’s entire purpose for review.
2. What is residual risk?
a. Impact of risk.
b. Risk that is under control.
c. Risk that is not managed.
d. Underlying risk in the environment.
Residual risk is the risk that is left over after all controls and risk management techniques have
been applied.
3. The requirement that purchases be made from suppliers on an approved vendor list is an
example of a:
a. Preventive control.
b. Detective control.
c. Compensating control.
d. Monitoring control.
4. An effective system of internal controls is most likely to detect a fraud perpetrated by a:
a. Group of employees in collusion.
b. Single employee.
c. Group of managers in collusion.
d. Single manager.
An effective system of internal controls is likely to expose a fraud if it is perpetrated by one
employee without the aid of others. Answer A is incorrect because a group has a better chance of
successfully perpetrating an irregularity than does an individual employee. Answers C and D are
incorrect because management can often override controls, singularly or in groups.
5. The control that would most likely ensure that payroll checks are written only for authorized
amounts is to:
a. Conduct periodic floor verification of employees on the payroll.
b. Require the return of undelivered checks to the cashier.
c. Require supervisory approval of employee time cards.
d. Periodically witness the distribution of payroll checks.
The employee’s supervisor would be in the best position to ensure payment of the proper
amount. Answer A is incorrect because employees may be properly included on payroll, but the
amounts paid may be unauthorized. Answer B is incorrect because undelivered checks provide
no evidence regarding validity of the amounts. Answer D is incorrect because witnessing a
payroll distribution would not assure that amounts paid are authorized.
6. An internal auditor plans to conduct an audit of the adequacy of controls over investments in
new financial instruments. Which of the following would not be required as part of such an
engagement?
a. Determine whether policies exist that describe the risks the treasurer may take and the types of
instruments in which the treasurer may invest.
b. Determine the extent of management oversight over investments in sophisticated instruments.
c. Determine whether the treasurer is getting higher or lower rates of return on investments than
treasurers in comparable organizations.
d. Determine the nature of monitoring activities related to the investment portfolio.
C is the best answer. Although this might be informational, there is no need to develop a
comparison of investment returns with other organizations. Indeed, some financial investment
scandals show that such comparisons can be highly misleading because high returns were due to
taking on a high level of risk. Also, this is not a test of the adequacy of the controls.
7. Appropriate internal control for a multinational corporation’s branch office that has a
department responsible for the transfer of money requires that:
a. The individual who initiates wire transfers does not reconcile the bank statement.
b. The branch manager must receive all wire transfers.
c. Foreign currency rates must be computed separately by two different employees.
d. Corporate management approves the hiring of employees in this department.
Independent reconciliation of bank accounts is necessary for good internal control.
8. Who has primary responsibility for the monitoring component of internal control?
a. The organization’s independent outside auditor.
b. The organization’s internal audit function.
c. The organization’s management.
d. The organization’s board of directors.
The organization’s management has primary responsibility for the monitoring component of
internal control.
9. Reasonable assurance, as it pertains to internal control, means that:
a. The objectives of internal control vary depending on the method of data processing used.
b. A well-designed system of internal controls will prevent or detect all errors and fraud.
c. Inherent limitations of internal control preclude a system of internal control from providing
absolute assurance that objectives will be achieved.
d. Management cannot override controls, and employees cannot circumvent controls through
collusion.
Inherent limitations of internal control do, in fact, preclude a system of internal control from
providing absolute assurance that objectives will be achieved.
10. Which of the following best exemplifies a control activity referred to as independent
verification?
a. Reconciliation of bank accounts by someone who does not handle cash or record cash
transactions.
b. Identification badges and security codes used to restrict entry to the production facility.
c. Accounting records and documents that provide a trail of sales and cash receipt transactions.
d. Separating the physical custody of inventory from inventory accounting.
A reconciliation performed by someone not otherwise involved in processing a transaction is an
example of an independent verification control activity.
11. The risk assessment component of internal control involves the:
a. Independent outside auditor’s assessment of residual risk.
b. Internal audit function’s assessment of control deficiencies.
c. Organization’s identification and analysis of the risks that threaten the achievement of its
objectives.
d. Organization’s monitoring of financial information for potential material misstatements.
The risk assessment component of internal control involves an organization’s identification and
analysis of the risks that threaten the achievement of its objectives.
12. COSO’s Internal Control Framework consists of five internal control components and 17
principles for achieving effective internal control. Which of the following is/are (a) principle(s)?
I. The organization demonstrates a commitment to integrity and ethical values.
II. Monitoring activities.
III. A level of assurance that is supported by generally accepted auditing procedures and
judgments.
IV. A body of guiding principles that form a template against which organizations can evaluate a
multitude of business practices.
V. The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.
a. II only.
b. I and V only.
c. II and IV only.
d. I, II, III, IV, and V.
I is principle 1 under Control Environment. V is principle 16 under Monitoring Activities. II is
one of the five elements. III is the definition of reasonable assurance. IV is the definition of a
framework.
13. When assessing the risk associated with an activity, an internal auditor should:
a. Determine how the risk should best be managed.
b. Provide assurance on the management of the risk.
c. Update the risk management process based on risk exposures.
d. Design controls to mitigate the identified risks.
The other choices reflect activities that should be performed by management.
14. Determining that engagement objectives have been met is ultimately the responsibility of the:
a. Internal auditor.
b. Audit committee.
c. Internal audit supervisor.
d. CAE.
The CAE has ultimate responsibility for all activities performed by the internal audit function.
Internal auditors and internal audit supervisors do not have the same level of responsibility as
the CAE. The audit committee doesn’t have this level of responsibility.
15. An adequate system of internal controls is most likely to detect an irregularity perpetrated by
a:
a. Group of employees in collusion.
b. Single employee.
c. Group of managers in collusion.
d. Single manager.
To be designed adequately and operating effectively, ICFR should address the concepts of
initiation, authorization, recording, processing, and reporting. Seeking is not addressed by ICFR
