Chapter 5

Question 1

A board’s role in organizational governance is best described as

Answer 1

The board is the focal point for all governance activities and establishes the “tone at the top.” The board is also responsible for implementing best governance practices and providing oversight of organizational activities.

Question 2

How can a common risk language enhance an organization’s enterprise risk management (ERM) efforts?

Answer 2

ERM should be driven from the top down. Everyone in an organization has a role in effective risk management. Most organizations have layers (i.e., executives, line managers, and employees) and silos (i.e., operations, technology, quality management, and compliance). A common language cuts through the layers and breaks down silos. Without a common language, potential miscommunications and other communication issues can thwart risk management activities.

Question 3

According to Practice Advisory 1210.A1-1, “Obtaining External Service Providers to Support or Complement the Internal Audit Activity,” when assessing competency, the best way of checking on the reputation of an outside service provider is to do which of the following?

Answer 3

Contacting others familiar with the outside service provider’s work is a good way of determining reputation. The professional certification or license is a minimum requirement for any prospective service provider. The other responses are used to determine the provider’s independence and objectivity.

Question 4

Which of the following is not a role of the internal audit activity in best practice governance activities?

Answer 4

The internal audit activity is responsible for assessing and making recommendations for improving governance processes in the accomplishment of various organizational objectives. However, it is the role of management to ensure the timely implementation of the audit recommendations. The internal audit activity is responsible for the development of a timely procedure to monitor the disposition of the audit recommendations. The internal audit activity works with senior management and the audit committee to ensure that audit recommendations receive appropriate attention.

Question 5

Who is responsible for overseeing the evaluation of information security (data protection) and control?

Answer 5

Every person in an organization has a role in implementing internal controls. The audit committee oversees the evaluation of the organization’s internal control system. The CRO establishes policies related to information security, and senior managers ensure compliance with the policies. The CAE assesses (evaluates) the system of controls over information security.

Question 6

A section of a written code of conduct regarding conflict of interest should

Answer 6

A written statement for the items should define the issue; address expected behavior of employees, other corporate agents, and suppliers; and include provisions for activities, investments, or other interests that reflect on the entity’s integrity or reputation.

Question 7

The Turnbull guidance

Answer 7

The U.S. Securities and Exchange Commission (SEC) has identified the Turnbull guidance as a suitable framework for complying with U.S. requirements to report on internal controls over financial reporting, as set out in Section 404 of the Sarbanes-Oxley Act of 2002 and related SEC rules. Turnbull recommends a focus on significant risks rather than all risks, the development of risk reporting systems within existing information systems, and insists that employees be involved but have the necessary knowledge, skills, information, and authority to establish, operate, and monitor the system of internal control within their sphere of responsibility.

Question 8

A realistic outcome of a privacy framework evaluation is

Answer 8

In conducting an evaluation of the privacy framework, Practice Advisory 2130.A1-2 recommends that the internal auditor consider the “laws, regulations, and policies relating to privacy in the jurisdictions where the organization operates.”

Question 9

Which of the following is not an internal audit control responsibility with respect to fraud prevention, deterrence, and detection?

Answer 9

It is management’s responsibility to establish and maintain an effective control system. Translating an organization’s corruption prevention principles across operations would be a management responsibility.

Question 10

Internal auditing’s role in the risk management process of an organization can change over time and may encompass:

Answer 10

I. No role.

II. Auditing the risk management process as part of the internal audit plan.

III. Participation on oversight committees, monitoring activities, and status reporting

Question 11

Internal auditing’s role in the risk management process of an organization

Answer 11

Senior management and the board determine the role of internal auditing in the risk management process. Their view on internal auditing’s role is likely to be determined by factors such as the culture of the organization, ability of the internal audit staff, and local conditions and customs of the country. However, taking on management’s responsibility regarding the risk management process and the potential threat to the internal audit activity’s independence requires a full discussion and board approval.

Question 12

Which of the following has responsibility for a control self-assessment (CSA)?

Answer 12

The responsibility for the CSA process is shared among all employees in an organization.

Question 13

Which of the following is true of internal auditors?

Answer 13

Internal auditors do not have responsibility for internal control; management does. Internal auditors do have responsibility for monitoring controls. Internal auditors are not required to express an overall opinion on the adequacy of controls. If the CAE is asked to provide an opinion, the opinion should clearly specify evaluation criteria and scope over which the opinion applies.

Question 14

Which of the following is not a responsibility of the chief audit executive (CAE)?

Answer 14

Practice Advisory 2120-1 states that risk management is a key responsibility of senior management and the board, not the CAE. To achieve its business objectives, management ensures that sound risk management processes are in place and functioning. Boards have an oversight role to determine that appropriate risk management processes are in place and that these processes are adequate and effective. In this role, they may direct the internal audit activity to assist them by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of management’s risk processes.

Question 15

To minimize potential financial losses associated with physical assets, the assets should be insured in an amount that is

Answer 15

The types and amounts of insurance should be supported by periodic appraisals. The other options are either not appropriate or do not provide an adequate and accurate reflection of the value of an asset.

Question 16

The function of the chief risk officer (CRO) is most effective when the CRO

Answer 16

The chief risk officer is most effective when working with other executives and managers in establishing effective risk management in their areas of responsibility. This risk officer can work with other managers in establishing effective risk management practices, monitoring progress, and assisting those managers in reporting. Senior management has an oversight role. The CAE is not responsible for managing risk. Risk knowledge at the line level would be specific only to that area of the organization.

Question 17

Which factors determine the extent of assurance activities that internal audit provides in support of organizational governance?

Answer 17

The extent of internal audit governance assurance activities depends on the internal audit charter (which specifies the internal audit function’s role in governance assurance) and the specific direction from the board regarding current or ongoing expectations to perform such activities.

Question 18

Which factors determine the extent of assurance activities that internal audit provides in support of organizational governance?

Answer 18

The extent of internal audit governance assurance activities depends on the internal audit charter (which specifies the internal audit function’s role in governance assurance) and the specific direction from the board regarding current or ongoing expectations to perform such activities.

Question 19

Internal auditors can be considered as leading agents for change within an organization. Which of the following is not a good way to promote this concept?

Answer 19

The directive would “direct” rather than “sell” and thus would not be an appropriate choice.

Question 20

Which of the following goals sets risk management strategies at the optimum level?

Answer 20

Maximize shareholders values. This is a comprehensive approach and will relate to risk management strategies across the enterprise.

Question 21

Which of the following Committee of Sponsoring Organizations of the Treadway Commission (COSO) risk management responses would apply to a situation in which an organization moved from List A to List B by canceling their insurance because the costs were greater than the item’s replacement cost?

Answer 21

Sharing reduces risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Common risk-sharing techniques include purchasing insurance products. Acceptance is taking no action to affect likelihood or impact.

Question 22

COCO Model

Answer 22

purpose, commitment, capability, and monitoring and learning?

Question 23

How can internal audit add value to the enterprise risk management (ERM) process?

Answer 23

Providing the audit committee and executive management with assurances that the ERM process is efficient, effective, and operating as it was intended
Using the output of the ERM process to develop its risk-based audit plan and to identify unexpected high-risk areas as circumstances change -
Both correct choices reflect The IIA definition of internal auditing and the role of internal auditors in helping “an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Question 24

An organization is introducing enterprise risk management (ERM) to management and employees. All of the following would support a successful startup of ERM projects except

Answer 24

implement ERM software. Providing ERM training and education, encouraging management to discuss risk concerns, and recognizing quick victories enhance the probability of a successful ERM project. Focusing on ERM software can distract from the primary objective for implementing ERM (i.e., enhancing risk management and control) and create the impression that ERM is “just another IT project.”

Question 25

An adequate system of internal controls is most likely to detect an irregularity perpetrated by

Answer 25

A good system of internal controls is likely to expose an irregularity if it is perpetrated by one employee, without the aid of others. Management can often override controls, singularly or in groups. A group has a better chance of successfully perpetrating an irregularity than does an individual employee.

Question 26

Which of the following is not true of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) - Integrated Framework?

Answer 26

Takes a more focused approach than traditional risk management
ERM takes a broader portfolio approach than traditional risk management and deals with risks and opportunities affecting the creation or preservation of organizational value

Question 27

An organization is changing to a quality assurance program that incorporates quality throughout the process. This is very different from its years of dependence on quality control at the end of the process. This type of change is a

Answer 27

cultural change because it involves a change in attitudes and mindset.

Question 28

In organizations without a risk management process, internal auditors should do which of the following?

Answer 28

Avoid responsibility for managing identified risks. Internal auditors can facilitate or enable risk management processes, but they should not own or be responsible for the management of the risks identified. Management, not internal auditing, is responsible for establishing a risk management process including high-level risk assessments.

Question 29

A primary benefit of using risk assessment and risk maps in enterprise risk management (ERM) is

Answer 29

standardized view of organizational risk emerges. A risk framework provides a master list that enables all risks identified in the organization to be tracked and categorized. An important step in ERM is to assess risks identified, and the ranking provides a standardized view of risks

Question 30

Which of the following represents the best governance structure

Answer 30

Operating management is responsible for risk management, executive management is responsible for oversight, and internal auditors serve in the capacity of oversight and advisory roles.

Question 31

Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks. Regarding the risks associated with issuing checks, which of the following risk management techniques does this represent?

Answer 31

By eliminating checks, the organization avoids all risk associated with them

Question 32

Which of the following best describes an internal auditor’s purpose in reviewing the organization’s existing risk management, control, and governance processes?

Answer 32

The purpose stated in Practice Advisory 2120-1 is to provide reasonable assurance that the processes will enable the organization’s objectives and goals to be met efficiently and economically.

Question 33

A statement indicating that an organization will not enter into an emerging market where trading partners have a high probability of work stoppages and supply chain disruptions reflects

Answer 33

Risk Appetite -Risk appetite is a high-level statement that broadly describes the level of risk that management deems acceptable. Risk tolerance is the acceptable level of variation relative to the achievement of objectives. Management selects risk responses—avoiding, accepting, reducing, or sharing risk—developing a set of actions to align risks with the entity’s risk tolerance and risk appetite.

Question 34

The auditor has recognized that a problem exists because the organizational unit has been too narrow in its definition of goals. The goals of the unit focus on profits, but the overall organizational goals are much broader. The auditor also recognizes that the audit client will resist any recommendations about adopting broader goals. The best course of action would be to

Answer 34

The auditor is responsible to the organization, not just the audit client, and should therefore report the problem to the audit client. Subtly mixing the suggested solution with the problem definition might be a strategy to get buy-in from the client, but it will not be suitable in every case and can easily be seen as manipulative.

Question 35

A control self-assessment can be used for all of the following except

Answer 35

judging the effectiveness of individuals responsible for specific control functions.
- Because the assessment is performed by the individuals performing the control tasks, it is less likely that individual performance issues will be highlighted by this method.

Question 36

Which of the following best exemplifies a “soft control” in a compliance and ethics program?

Answer 36

Employee responsibilities for reporting misconduct
Employee responsibilities are inherently subjective compared to the process, policy, procedure examples. Generally speaking, hard controls are more scientific in nature and soft controls are more humanistic.

Question 37

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) - Integrated Framework, the chief executive officer (CEO) is usually responsible for all of the following except

Answer 37

Establishing a common risk language would generally be the responsibility of the risk officer

Question 38

Which of the following is true of risk management techniques?

Because residual risk cannot be controlled, it should not be allowed to influence decisions.

Internal auditors should avoid risk matrices in favor of developing risks without outside influences.

Risk assessments should focus on financial hazards rather than soft issues.

Precise, detailed quantifications of risks can needlessly complicate risk assessments

Answer 38

Precise, detailed quantifications of risks can needlessly complicate risk assessments. Unless complex risk quantification is merited (e.g., derivatives), it’s best to keep the quantification and prioritization of risks simple. Rather than the traditional financial hazards, less tangible soft issues (e.g., human resources) are of increasing importance in risk assessments. Residual risk (the risk that remains after control is applied) must be considered in decision making. Internal auditors can use risk matrices as a tool to improve risk assessment; they should not develop risks in a vacuum.