ARM 400 Practice Exam Review Flashcards

1
Q

Malware is defined as

Select one:
A. A tool for managing data security.
B. A hardware-based security breach.
C. Software designed to cause damage.
D. Software technology used to encrypt data.

A

C. Software designed to cause damage.
Malware is any software that is designed specifically to cause harm or damage to a computer, server, or network.

2
Q

Which one of the following is a data governance committee (DGC) responsibility?

Select one:
A. A data governance committee is charged with monitoring the volume of big data within an organization.
B. A data governance committee plays a key role in project management for data projects.
C. A data governance committee both retrieves and prepares metadata for use by an organization.
D. A data governance committee ensures there are few conflicts or redundancies in data standards and practices.

A

D. A data governance committee ensures there are few conflicts or redundancies in data standards and practices.
A data governance committee ensures there are few conflicts or redundancies in data standards and practices. This is achieved by having a cross-functional representation of all major stakeholders and eliminating potential conflicts early in the decision-making process involving data systems.

3
Q

Colossal Casualty Insurance Company decided to conduct an internal audit of the company’s operations. As part of the internal audit, several fictitious claims were submitted to the claims department to see if the claims would be approved and paid. Which one of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) components of internal control was examined by this internal audit test?

Select one:
A. Monitoring activities.
B. Control environment.
C. Risk assessment.
D. Information and communication.

A

B. Control environment.

4
Q

Key risk indicators (KRIs) help organizations identify issues that can lead to losses. Effective KRIs are based on a company’s

Select one:
A. Sales volume.
B. Strategic objectives.
C. Product or industry.
D. Organizational structure.

A

B. Strategic objectives.
Effective KRIs are founded on an organization’s objectives. Management identifies areas of potential risk for each objective and then defines the information needed to measure and monitor the risks as they emerge or change.

5
Q

There are four major objectives of a compliance program. Which one of the following would not be considered an objective?

Select one:
A. Create a culture that encourages compliance and oversight within the firm
B. Notifying the United States Sentencing Commission of all reported incidents
C. Receive benefits from external sources for having an effective compliance program such as regulatory approval
D. Provide assurance to key stakeholders that the firm is in compliance with all laws, regulations and policies

A

B. Notifying the United States Sentencing Commission of all reported incidents

6
Q

George works for a large company and part of his job is to monitor assets according to their liquidity. George is particularly concerned that the company fleet cars are affecting its liquidity and rising fuel prices are having an adverse effect during tight economic markets. If George’s concerns were categorized as causes of loss according to the quadrants of risk, his concern most directly relates to which one of the following types of risks?

Select one:
A. Hazard risks
B. Financial risks
C. Strategic risks
D. Operational risks

A

B. Financial risks

7
Q

Which one of the following regulatory approaches allocates resources based on the concept of achieving the greatest potential good while simultaneously minimizing the overall costs?

Select one:
A. Performance-based regulation
B. Rules-based regulation
C. Risk-based regulation
D. Evidence-based regulation

A

C. Risk-based regulation
Risk-based regulation allocates resources based on the concept of achieving the greatest potential good while simultaneously minimizing the overall costs.

8
Q

Developing a risk-based audit plan requires a risk assessment. Under the model of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, which one of the following explains how risk assessment is addressed?

Select one:
A. It is essentially the same as the traditional model, but is codified in steps that are reported.
B. It expands the risk assessment concept by identifying five interrelated components of internal control.
C. It is narrower and it provides concrete steps which are recommended and differ by industry.
D. It expands the risk assessment concept by comparing it to competitor audits.

A

B. It expands the risk assessment concept by identifying five interrelated components of internal control.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework expands on the concept of risk assessment by identifying five interrelated components of internal control.

9
Q

The main advantage of a formal internal communication system is that

Select one:
A. It is easily accessed.
B. Individuals know to whom to report.
C. Formal internal communications takes time which may resolve issues.
D. Employees do not have direct access to each other.

A

B. Individuals know to whom to report.

10
Q

Parker International sets realistic goals for employees, and provides mentorships and educational opportunities to help them succeed. The company also provides profit sharing and employee wellness incentives. Which one of the following key resiliency traits does Parker International demonstrate?

Select one:
A. A culture of openness and trust
B. Valued employees
C. Clear company objectives
D. Strong relationships with vendors and customers

A

B. Valued employees

11
Q

Solvency II is a new regulatory standard in the European Union (EU) to establish principles for risk management and consistency in regulation for which one of the following industries?

Select one:
A. Transportation
B. Health care
C. Banking
D. Insurance

A

D. Insurance
Solvency II is a new regulatory standard in the EU to establish principles for risk management and consistency in regulation for the insurance industry.

12
Q

North American Furnishings has been in business for 18 years. The organization’s primary objectives are profitability and bottom-line results. It always sets aggressive goals. North American Furnishings values its customer bases. Which one of the following types of corporate culture exists at North American Furnishings?

Select one:
A. Market
B. Hierarchy
C. Clan
D. Adhocracy

A

A. Market
North American Furnishings has a market culture. Its primary objectives of profitability, bottom-line results, and secure customer bases are reflective of a market culture.

13
Q

Disaster recovery planning arose from the increasing use of and dependency on

Select one:
A. High-rise construction.
B. Technology.
C. International travel.
D. Global financial institutions.

A

B. Technology.

14
Q

Which one of the following statements is correct with respect to the role of a board of directors in risk oversight?

Select one:
A. Increasing pressure on boards of directors to provide greater enterprise-wide risk oversight comes from sources such as investors, rating agencies, and regulators.
B. A board’s risk management strategy and broad objectives typically have little effect in setting the tone for risk management across the entire organization.
C. A 2012 survey of executives revealed that practically all boards have formally assigned risk oversight responsibility to a board committee.
D. Financial services organizations are far less subject to regulatory pressure for increased transparency and risk oversight than are corporations in nonfinancial business sectors.

A

A. Increasing pressure on boards of directors to provide greater enterprise-wide risk oversight comes from sources such as investors, rating agencies, and regulators.

15
Q

The relationship between which two basic measures is critical for risk management in assessing risk and deciding whether and how to manage it?

Select one:
A. Correlation and likelihood
B. Exposure and time horizon
C. Likelihood and consequences
D. Volatility and time horizon

A

C. Likelihood and consequences
The relationship between likelihood and consequences is critical for risk management in assessing risk and deciding whether and how to manage it.

16
Q

The service representatives for Tauton Insurance will be eligible for a bonus only if the customer retention rate is increased by 5%. This is an example of which one of the following standards?

Select one:
A. A corrective measure linked with an identified tolerance level
B. A critical success factor derived from a strategic objective
C. A key performance indicator based on financial ratios
D. A severe risk tolerance level

A

A. A corrective measure linked with an identified tolerance level

17
Q

Encrypting data to block its use if stolen is an example of a

Select one:
A. Cyber-threat inventory approach.
B. Hardware-based security solution.
C. Incident response plan.
D. Software-based security solution.

A

D. Software-based security solution.

18
Q

The data quality principle of reasonability refers to

Select one:
A. The comprehensive nature of data.
B. The systematic process of tracing data.
C. The materiality or relevance of data.
D. The appropriateness of current data.

A

C. The materiality or relevance of data.
Reasonability refers to both materiality and relevance of data, testing whether the information provided is pertinent to the business objective at hand.

19
Q

Which one of the following is an internal source that can often provide information regarding risks that aren’t obvious?

Select one:
A. Board of directors
B. Human resources
C. Internal auditing
D. Production manager

A

C. Internal auditing
The internal audit function can often provide information regarding risks that aren’t obvious, such as employees creating a risk by not adhering to certain processes.

20
Q

Which one of the following statements is true with regard to preventive analytics?

Select one:
A. Preventive analytics involves data collection at discrete points in time, such as 10 AM or 4 PM each day, and comparison of these values at discrete points in time.
B. Preventative analytics uses human assets to analyze data collected by smart products.
C. Preventive analytics uses smart products and data analytics to identify root loss causes and their implications.
D. Preventive analytics is backward-looking, basing corrective prescriptions on the organization’s past loss history.

A

C. Preventive analytics uses smart products and data analytics to identify root loss causes and their implications.

21
Q

Clear-Rite Company specializes in the clean-up of hazardous chemical spills. Workers performing clean-up operations must use safety suits to prevent exposure to the chemicals. The suits include pulse and respiration monitors, body temperature sensors, and chemical sensors. The monitors and sensors report data to a mobile operations center which is deployed to each clean-up site. The pulse and respiration monitors and the sensors that are part of the protective gear are called

Select one:
A. Drone technologies.
B. Accelerometers.
C. Wearable technologies.
D. Magnetometers.

A

C. Wearable technologies.

22
Q

In an effort to reduce expenses, increase profitability, and reduce human errors, ABC Insurance Company decided to automate most of its personal lines underwriting function. The company now uses standardized application forms that are submitted electronically to one of the company’s regional offices. At each regional office, a computer with a scanner reads the applications. The computer has been programmed with acceptable answers to the questions. If the answers on the application are all acceptable, the policy is automatically issued. Rejected applications are automatically forwarded to a human underwriter who reviews them. The use of this technology has reduced the company’s expense ratio by two and a half percent, and reduced the time it takes to issue a policy. ABC Insurance Company’s use of computers to evaluate applications electronically is an application of

Select one:
A. Radiant sensors.
B. Actuator technology.
C. Risk management information systems.
D. Artificial intelligence.

A

D. Artificial intelligence.

23
Q

The business process management (BPM) life cycle incorporates five steps. Which one of the following best describes the first step in the BPM process?

Select one:
A. Processes are modeled to identify the organization’s response to what-if scenarios.
B. Processes are designed or redesigned by considering workflows and affected personnel.
C. Critical processes that support achievement of the organization’s goals are selected for analysis.
D. Processes are tracked so that statistics on their performance can be gathered.

A

B. Processes are designed or redesigned by considering workflows and affected personnel.

24
Q

One internal control integrated framework consists of five essential components: the control environment, risk assessment, control activities, information and communication, and monitoring activities. When these components are applied across the organization, they create a “cube.” This framework is the

Select one:
A. International Organization for Standardization’s (ISO’s) framework.
B. Institute of International Auditors (IIA) International Standards for the Practice of International Auditing.
C. Financial Accounting Standards Board’s (FASB’s) Internal Control Standard.
D. Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) framework.

A

D. Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) framework.

25
Q

After opening its third store, Shoehorn Shoes decided to purchase new inventory tracking software for all of its stores. Which one of the following external or internal environments does this decision relate to?

Select one:
A. Product environment
B. Economic environment
C. Operations environment
D. Physical environment

A

C. Operations environment

26
Q

Lucy is a chef at a restaurant. She is growing tired of working such long hours and not reaping the financial benefits. Lucy has been saving money with the goal of opening her own restaurant. She recently talked to a financial advisor about the options market as a way to grow her savings quickly. The financial advisor explained that it is a risky choice, but could potentially allow her to reach her goal of owning a restaurant in the near future. Lucy has decided to invest her savings in the options market. Which one of the following types of risk attitude does Lucy exhibit?

Select one:
A. Risk obsessed
B. Risk seeking
C. Risk optimizing
D. Risk managed

A

B. Risk seeking
Lucy is exhibiting a risk seeking attitude. Her risk decision is based on a short-term horizon, and she believes it will allow her to reap significant rewards that are worth the risk. Individuals with a risk optimizing attitude balance aggressive and conservative tendencies.

27
Q

As a result of a risk assessment, Medford Factory identified several exposures that could interrupt its operations. Which one of the following would be categorized as an external exposure?

Select one:
A. An IT server failure
B. A fire breaking out in the warehouse
C. A poorly designed product that needs to be recalled
D. A widespread power outage

A

D. A widespread power outage

28
Q

Sound risk management decisions are predicated on

Select one:
A. Quality data.
B. Operational efficiencies.
C. Regulations and compliance.
D. Effective decision-making.

A

A. Quality data.
Quality data is critical to making sound risk management decisions. For example, up-to-date financial data may influence whether an organization decides to expand its product offerings.

29
Q

Which one of the following answers the question, “What shows we are a success?”

Select one:
A. Risk tolerance level
B. Key performance indicator
C. Strategic objective
D. Critical success factor

A

B. Key performance indicator

30
Q

The opening day finally arrived for a local amusement park that advertised its new roller coaster for months. The crowds were bigger than normal that day as folks lined up to try the new thrill ride. Everything was going well for the first few hours until around mid-day the ride all of a sudden screeched to a halt in the middle of a run. Fortunately the delay was only 15 minutes and the coaster was on flat track at the time and not a loop. However some technical issues prevented the ride from continuing that day and it had to be shut down. As a result, many patrons were upset and disappointed with the outcome. Knowing that successfully managing reputational risk involves quickly recognizing the risk to reputation, rapidly making important decisions to manage the risk and relying on leadership and culture for a favorable outcome, all of the following fit this criteria, EXCEPT:

Select one:
A. Reminding patrons that their attendance comes with an assumption of risk and no guarantees.
B. Providing vouchers that give free ice cream cones to all patrons in the park that day.
C. Publishing a press release on the root cause and corrective action taken to avoid future incidents.
D. Contacting the local news channel and speaking honestly about what happened and that the issue was resolved and should not occur again.

A

A. Reminding patrons that their attendance comes with an assumption of risk and no guarantees.

31
Q

Green Corporation suffered severe losses due to tornados at its northern facility. The Board of Directors issued a statement that the current costs outweighed any sustainable profits in the near term. The risk manager can best assist the Board in its long term decision making by

Select one:
A. Providing data on the frequency of wind storms, and work with the risk center and risk owner at that location to find alternatives to protect the facility.
B. Following the directives of the board of directors preserving his/her position with the company.
C. Playing no role since the risk manager’s focus is on preventing loss rather than reviewing senior management decisions.
D. Offering a white paper on the merits of shutting down the facility, laying off the staff and shifting the work to other locations.

A

A. Providing data on the frequency of wind storms, and work with the risk center and risk owner at that location to find alternatives to protect the facility.
The risk manager can best assist the Board in its long term decision making by providing data on the frequency of wind storms, and work with the risk center and risk owner at that location to find alternatives to protect the facility.

32
Q

Emerging technologies such as artificial intelligence and machine learning are being applied by some businesses as part of their internal audit and control process. A key benefit of such applications is

Select one:
A. Detection of fraud and inefficient practices in real time.
B. Reduced labor costs in the risk management department.
C. Gaining an historical perspective on inefficient and ineffective internal control measures.
D. Greater ability to quantify losses.

A

A. Detection of fraud and inefficient practices in real time.

33
Q

Which one of the following statements is true regarding separation of ownership and control in corporations?

Select one:
A. The incentive for managers and non-management board members to pursue their own interests at the expense of shareholders gives rise to agency costs.
B. Corporate governance is not concerned with the separation of ownership and control.
C. Shareholders retain decision-making authority while managers control business operations.
D. Limited liability of shareholders impedes the separation of ownership and control in corporations.

A

A. The incentive for managers and non-management board members to pursue their own interests at the expense of shareholders gives rise to agency costs.

34
Q

All of the following are true regarding the Federal Sentencing Guidelines, EXCEPT:

Select one:
A. They require an organization to have written standards and procedures.
B. They establish minimum components for an effective compliance program.
C. They can be used by federal courts.
D. They are mandatory.

A

D. They are mandatory.

Because of a 2005 U.S. Supreme Court decision, the Federal Sentencing Guidelines are not mandatory, but can be used by federal courts.

35
Q

Which one of the following risk management objectives is critical for a manufacturer seeking new capital from investors, stockholders, and creditors?

Select one:
A. Reduce the deterrent effects of hazard risks
B. Eliminate downside risk
C. Social responsibility
D. Anticipate and recognize emerging risks

A

A. Reduce the deterrent effects of hazard risks

36
Q

Risk managers today differ from traditional risk managers in which one of the following ways?

Select one:
A. They struggle with data that is too large to capture, store, and analyze.
B. They attempt to minimize threats and optimize opportunities.
C. They generally look backward for risk factors.
D. They attempt to identify a loss’s predominant cause.

A

B. They attempt to minimize threats and optimize opportunities.

37
Q

The fundamental purpose of a risk management framework is to

Select one:
A. Maximize profits for all stakeholders.
B. Reduce the cost of risk.
C. Define and eliminate potential losses.
D. Integrate risk management throughout the organization.

A

D. Integrate risk management throughout the organization.

38
Q

There are two types of associated risk for data privacy, individual and general risk. General data privacy risk

Select one:
A. Involves legal and regulatory requirements.
B. Is of specific concern to the European Union.
C. Varies by the type of business or industry.
D. Can be categorized operational or reputational.

A

D. Can be categorized operational or reputational.

39
Q

When interviewing a risk owner, which one of the following questions should be asked?

Select one:
A. What written documentation is available for the interviewer to critique and disseminate to stakeholders?
B. What steps have been taken to ensure continuity of business in the event of a natural disaster?
C. How does the risk owner view the position from a time perspective and resources perspective?
D. What organizational directions are inhibiting increased production in the particular area reviewed?

A

B. What steps have been taken to ensure continuity of business in the event of a natural disaster?

40
Q

Which one of the following types of risk is best handled at the risk center level?

Select one:
A. Risks that do not involve any outside stakeholders are best handled at the risk center level.
B. Minor risks that do not have consequences outside the unit are best managed at the risk center level.
C. Significant risks that affect the entire organization are best managed at the risk center level.
D. Risks that involve multiple external stakeholders are best handled at the risk center level.

A

B. Minor risks that do not have consequences outside the unit are best managed at the risk center level.
Minor risks that do not have consequences outside the unit are best managed at the risk center level. Sometimes external stakeholders—such as suppliers, regulators, and customers—can perform the risk owner role for an organization. Significant risks to the organization should be managed at the corporate level.

41
Q

Which one of the following best describes an effective way to construct internal controls?

Select one:
A. The controls should be system based with oversight by one or two individuals.
B. The controls should lend themselves to true risk management concerns.
C. The controls should be quantitative and include segregation and transfer options.
D. The controls should be linear and create checks and balances.

A

D. The controls should be linear and create checks and balances.

42
Q

One corporate governance issue is accountability of directors. One method to increase accountability of directors is to

Select one:
A. Include more inside directors.
B. Decrease the independence of audit and compensation committees.
C. Conduct regular meetings of outside directors without management being present.
D. Ensure that the chief executive officer serves as board chairman.

A

C. Conduct regular meetings of outside directors without management being present.

43
Q

Which one of the following best describes how internal audit supports enterprise risk management (ERM)?

Select one:
A. ERM provides the assessments that internal audit uses to test the viability of controls.
B. ERM implements risk management activities and internal audit assesses the results.
C. Internal audit implements the risk assessments provided by ERM.
D. Internal audit finds risks overlooked by ERM.

A

B. ERM implements risk management activities and internal audit assesses the results.

44
Q

Preventive controls assist the overall control environment of an organization by

Select one:
A. Detecting errors or inconsistencies after they occur.
B. Addressing reconciliation of accounting errors.
C. Reducing risk of unauthorized actions.
D. Comparing different sets of data and investigating any differences.

A

C. Reducing risk of unauthorized actions.
Preventive controls reduce risk of unauthorized actions. Preventive controls are designed to prevent errors or inconsistencies in an organization. By implementing controls to prevent errors, the organization is able to reduce its risk.

45
Q

Which one of the following disruptions would most likely pose an immediate threat to an organization’s reputation?

Select one:
A. Data breach
B. Forest fire
C. Global financial crisis
D. Widespread power outage

A

A. Data breach
A data breach would most likely pose an immediate threat to an organization’s reputation because it is viewed as something that could have been avoided.

46
Q

Asking a question such as “How do you think this will work out?” can help a speaker do which one of the following?

Select one:
A. Gain the support of executives and decision makers
B. Deliver a message that recipients don’t want to hear
C. Build trust among a diverse group of individuals
D. Request feedback and determine if the message has been understood.

A

D. Request feedback and determine if the message has been understood.

47
Q

Which one of the following best describes why the Institute for Internal Auditors (IIA) has designed standards addressing the need for internal audit to evaluate the effectiveness of risk management?

Select one:
A. Audits are conducted annually in many organizations. Requiring an auditor to validate the findings of prior years provides a comfort level to stakeholders.
B. Audits are conducted under diverse legal and cultural environments. Requiring an auditor to validate particular points ensures that auditors and their activities meet their responsibilities.
C. Audits may be self-serving to an organization depending on the experience level of an auditor. By indicating specific criteria, an auditor should be able to conduct a valid audit.
D. Audits are objective and independent of the politics of an organization. A pronouncement assists the auditor by defining review criteria.

A

B. Audits are conducted under diverse legal and cultural environments. Requiring an auditor to validate particular points ensures that auditors and their activities meet their responsibilities.

48
Q

Which one of the following is the term used for a person—usually a manager—who advocates for and supports a specific aspect of the risk management process in an organization?

Select one:
A. Risk champion
B. Chief risk officer (CRO)
C. Risk manager
D. Internal auditor

A

A. Risk champion
A risk champion is a person—usually a manager—who advocates for and supports a specific aspect of the risk management process in an organization.

49
Q

North American Furnishings is using business process management to help it identify risks that threaten its processes. Which one of the following risks would be considered an internal risk?

Select one:
A. The rise in the cost of materials due to new forestry regulations
B. The loss of skilled craftspeople due to retirement
C. The drop in demand due to rising interest rates
D. The loss of available materials due to tornadoes

A

B. The loss of skilled craftspeople due to retirement

50
Q
A