Corporate Governance, Internal Control & ERM Flashcards

1
Q

What are security models?

A

The approach to directly evaluate cybersecurity strategy

2
Q

The cyber risk management team is NOT

A

Responsible for managing all levels of risk in an organization, only at the entity level. Department-level cyber risks are the responsibility of the department managers

3
Q

Minor incidents of cybersecurity breaches should be reported to?

A

The cyber risk management team

4
Q

What is residual risk?

A

The risk that remains after any risk responses have been dealt with

5
Q

Knox, president of Quick Corp., contracted with Tine Office Supplies, Inc., to supply Quick’s stationery on customary terms and at a cost less than that charged by any other supplier. Knox later informed Quick’s board of directors that Knox was a majority shareholder in Tine. Quick’s contract with Tine is

A

Valid since the contract is fair to Quick.

An officer, like a director, owes fiduciary duties of care and loyalty to the corporation and its shareholders. Knox was required to disclose fully the financial interest in the transaction to which the corporation was a party. But a transaction approved by a majority of informed, disinterested directors or shareholders, or that is fair to the corporation, is valid regardless of a conflict of interest. Because Tine offers inventory at a cost lower than that charged by other suppliers, the contract is considered fair and valid.

6
Q

Who initiates the purchase of materials and supplies for an organization?

A

The inventory control department.

They have access to the inventory records and will know when items need to be replenished.

7
Q

What is not a limitation of enterprise risk management (ERM)?

A

Absolute assurance cannot be given with regard to different objectives

8
Q

SOC 1 reports should include?

A

An opinion of the fair presentation of management’s description of the controls implemented at the service organization and whether they were suitably designed (SOC type 1 report). If the service auditor also has tested controls, the report may express an opinion on the operating effectiveness of the controls (SOC type 2 report).

9
Q

Which of the following is not a principle related to the review and revision component of the COSO ERM framework?

A. The organization identifies and assesses changes that may substantially affect strategy and business objectives.
B. The organization reviews entity performance results and considers risk.
C. The organization pursues improvement of ERM.
D. The organization develops and evaluates its portfolio view of risk.

A

D. The organization develops and evaluates its portfolio view of risk.

This is one of the five principles related to the performance component of the COSO ERM framework. The three principles related to the review and revision component of the COSO ERM framework are the organization (1) identifies and assesses changes that may substantially affect strategy and business objectives, (2) reviews entity performance results and considers risk, and (3) pursues improvement of ERM.

10
Q

The most effective preventive control to ensure proper handling of cash receipt transactions is?

A. One employee issues a prenumbered receipt for all cash collections; another employee reconciles the daily total of prenumbered receipts to the bank deposits.
B. Use predetermined totals (hash totals) of cash receipts to control posting routines.
C. Have bank reconciliations prepared by an employee not involved with cash collections and then have them reviewed by a supervisor.
D. The employee who receives customer mail receipts prepares the daily bank deposit, which is then deposited by another employee.

A

A. One employee issues a prenumbered receipt for all cash collections; another employee reconciles the daily total of prenumbered receipts to the bank deposits.

11
Q

Which member of an organization has ultimate ownership responsibility for enterprise risk management (ERM), provides leadership and direction to senior managers, and monitors the entity’s overall risk activities in relation to its risk appetite?

A

The chief executive officer (CEO)

12
Q

An essential element of the governance and culture component under COSO ERM is?

A. Human Capital
B. Risk responses
C. Reports on risk and culture
D. Information systems

A

A. Human Capital

13
Q

Which step in the COSO eight-step approach for implementing an effective enterprise risk management program involves identifying gaps and opportunities to integrate strategies and risk practices?

A. Step 3
B. Step 4
C. Step 5
D. Step 6

A

B. Step 4

Step 4 of the eight-step approach involves inventorying the existing risk management practices of the organization, identifying gaps and opportunities to integrate strategies and risk practices, and developing action steps to close the gaps or implement the opportunities.

14
Q

A firm has adopted ERM practices and has begun to establish operating structures for day-to-day operations. This activity is consistent with a principle of which component of ERM?

A. Information, communication, and reporting.
B. Governance and culture.
C. Review and revision.
D. Strategy and objective-setting.

A

B. Governance and culture.

Establishing operating structures is one of five principles related to the governance and culture component of ERM. These structures describe how the entity is organized and carries out its day-to-day operations. They generally align with the entity’s legal structure and management structure.

15
Q

An issuer is preparing to file its annual report prior to adopting a code of ethics for its senior financial officers. What action, if any, must the issuer take to comply with the Sarbanes-Oxley Act of 2002?

A. No action.
B. Adopt a code of ethics for senior financial officers within 60 days of filing.
C. Disclose in the annual report the lack of the code of ethics and the reason(s).
D. File the annual report after adopting a code of ethics for senior financial officers.

A

C. Disclose in the annual report the lack of the code of ethics and the reason(s).

Under the Sarbanes-Oxley Act, the issuer must disclose in the annual filing whether it has adopted a code of ethics for its senior financial officers and, if not, the reason(s).

16
Q

Inherent risk is

A. The risk when management has not taken action to reduce the impact or likelihood of an adverse event.
B. The risk after management takes action to alter its severity.
C. A potential event that may affect the achievement of strategy and business objectives.
D. A risk response.

A

A. The risk when management has not taken action to reduce the impact or likelihood of an adverse event.

Inherent risk is the risk when management does not act to alter its severity. Severity commonly is measured as a combination of impact and likelihood.

17
Q

The function of the chief risk officer (CRO) is most effective when the CRO

A. Shares the management of risk with line management.
B. Monitors risk as the risk management leader.
C. Manages risk as a member of senior management.
D. Shares the management of risk with the chief audit executive.

A

B. Monitors risk as the risk management leader.

A CRO is a member of management assigned primary responsibility for enterprise risk management processes. The CRO is most effective when supported by a specific team with the necessary expertise and experience related to organization-wide risk. The CRO should have in-depth knowledge of the organization’s overall strategic objectives and be delegated appropriate authority and allocated appropriate resources.

18
Q

Enterprise Risk Management (ERM) is closely aligned with corporate governance because it

A. Focuses management’s attention on the risks mitigated.
B. Identifies which of the organization’s objectives is at greatest risk.
C. Identifies and isolates the silos in which risk exists.
D. Reduces the level of acceptable risks to be taken.

A

B. Identifies which of the organization’s objectives is at greatest risk.

ERM recognizes risk management across the entire enterprise, so it identifies and responds to the organization’s greatest risks. Managing the risks of an organization is one of the goals of corporate governance.

19
Q

According to COSO, a risk profile is a view of the relationship between

A. Risk and performance.
B. Risk capacity and risk appetite.
C. Tolerance and risk appetite.
D. Inherent risk and target residual risk.

A

A. Risk and performance.

A risk profile is a composite view of (1) the types, severity, and interdependencies of risks related to a specific strategy or business objective and (2) their effect on performance.

20
Q

According to the COSO ERM framework, the characteristic of risk that reflects its nature and scope is

A. Velocity.
B. Persistence.
C. Severity.
D. Complexity.

A

D. Complexity.

Complexity is the nature and scope of a risk. Interdependence of risks ordinarily increases their complexity.

21
Q

Which of the following is not a performance result that indicates deviation from a target or tolerance?

A. Opportunities to accept more risk.
B. Unidentified cyber risks.
C. Operational disruption risk.
D. Improperly assessed risks.

A

C. Operational disruption risk.

Cyber risk refers to the risk of financial loss, operational disruption, and reputational damage from the failure of digital technology. Performance results that deviate from a target or tolerance may indicate (1) unidentified cyber risks, (2) improperly assessed risks, (3) new risks, (4) opportunities to accept more risk, and (5) the need to revise a target performance or tolerance.

22
Q

Company management completes event identification and analyzes the associated risks. The company wishes to assess its risk in the absence of any actions management might take to alter either the risk’s likelihood or impact. According to COSO, which of the following types of risk does this situation represent?

A. Event risk.
B. Inherent risk.
C. Residual risk.
D. Economic risk.

A

B. Inherent risk.

Risk is the possibility that events will occur and affect the achievement of strategy and objectives. Inherent risk is the risk in the absence of management actions to alter its severity.

23
Q

Which of the following is not a principle related to the information, communication, and reporting component of the COSO ERM framework?

A. The organization identifies risks that disrupt operations of the ERM.
B. The organization uses communication channels to support ERM.
C. The organization leverages its information systems to support ERM.
D. The organization reports on risk, culture, and performance at multiple levels and across the entity.

A

A. The organization identifies risks that disrupt operations of the ERM.

“The organization identifies risks that disrupt operations and affect the reasonable expectation of achieving strategy and business objectives” is one of the five principles related to the performance component of the COSO ERM framework. The three principles related to the information, communication, and reporting component of the COSO ERM framework are 1) the organization leverages its information systems to support ERM, 2) the organization uses communication channels to support ERM, and 3) the organization reports on risk, culture, and performance at multiple levels and across the entity.

24
Q

Which of the following symbolic representations indicates that new payroll transactions and the old payroll file have been used to prepare payroll checks, prepare a printed payroll journal, and generate a new payroll file?

A

25
Q

Which of the following is a key component of the COSO Framework for enterprise risk management (ERM)?

A. Risk assessment.
B. Risk response.
C. Risk retention.
D. Objective setting.

A

D. Objective setting.

Objectives must exist before management can identify potential events affecting their achievement.

26
Q

Which of the following describes the most effective preventive control to ensure proper handling of cash receipt transactions?

A. One employee issues a prenumbered receipt for all cash collections; another employee reconciles the daily total of prenumbered receipts to the bank deposits.
B. Use predetermined totals (hash totals) of cash receipts to control posting routines.
C. The employee who receives customer mail receipts prepares the daily bank deposit, which is then deposited by another employee.
D. Have bank reconciliations prepared by an employee not involved with cash collections and then have them reviewed by a supervisor.

A

A. One employee issues a prenumbered receipt for all cash collections; another employee reconciles the daily total of prenumbered receipts to the bank deposits.

Sequentially numbered receipts should be issued to maintain accountability for cash collected. Such accountability should be established as soon as possible because cash has a high inherent risk. Daily cash receipts should be deposited intact so that receipts and bank deposits can be reconciled. The reconciliation should be performed by someone independent of the cash custody function.

27
Q

To control purchasing and accounts payable, an information system must include certain source documents. For a manufacturing organization, these documents should include

A. Purchase orders, receiving reports, and vendor invoices.
B. Purchase requisitions, purchase orders, inventory reports of goods needed, and vendor invoices.
C. Purchase requisitions, purchase orders, receiving reports, and vendor invoices.
D. Receiving reports and vendor invoices.

A

C. Purchase requisitions, purchase orders, receiving reports, and vendor invoices.

Before ordering an item, the purchasing department should have on hand a purchase requisition reflecting an authorized request by a user department. Before a voucher is prepared for paying an invoice, the accounts payable department should have the purchase requisition, a purchase order (to be certain the items were indeed ordered), the vendor’s invoice, and a receiving report (to be certain the items were received).

28
Q

When choosing a communication channel to manage cyber risks, which of the following is not a factor considered?

A. Nature.
B. Urgency.
C. Cost.
D. Sensitivity.

A

C. Cost.

While the cost of a communication channel is a constraint on choosing the channel, it is generally not a determining factor.

29
Q

A company wishes to identify all risks that could affect strategy and business objectives. According to the COSO ERM framework, which of the following types of risk does this situation represent?

A. Risk capacity.
B. Inherent risk.
C. Risk appetite.
D. Risk inventory.

A

D. Risk inventory.

Risk inventory consists of all identified risks that could affect strategy and business objectives.

30
Q

Communicating information related to risks is very important in enterprise risk management. Which individual is most likely in the best position to recognize problems as they arise related to customer product design needs?

A. Sales representative.
B. Risk manager.
C. Production manager.
D. Internal auditor.

A

A. Sales representative.

Unlike the other individuals, sales representatives interact with customers.

31
Q

Which of the following penalties may an issuer’s CEO and CFO incur for violating the Sarbanes-Oxley Act of 2002?

A. I, II and III.
B. I and II only.
C. I and III only.
D. I only.

A

A. I, II and III.

An issuer’s CEO and CFO may incur the following penalties for violating the Sarbanes-Oxley Act: forfeiture of bonus or other incentive-based compensation (pursuant to section 304 of the Act), prohibition from serving as an officer or director (pursuant to section 1105 of the Act), and forfeiture of profits received from the sale of the issuer’s stock (pursuant to section 304 of the Act).

32
Q

An internal auditor is considering a client’s organizational structure as it affects the ethical climate established by company management. Each of the following considerations is valid in this regard except

A. A highly structured organization with formal reporting lines may be appropriate regardless of entity size.
B. A decentralized environment may increase the risk that unethical decisions could be made by unit managers.
C. A company that is highly centralized will have a more diverse ethical culture than a company that is decentralized.
D. The appropriateness of an entity’s organizational structure depends in part on the nature of its activities.

A

C. A company that is highly centralized will have a more diverse ethical culture than a company that is decentralized.

A company that is highly centralized will have a less diverse ethical culture than a company that is decentralized. In a highly centralized company, policies and procedures are delivered from the top down. In a decentralized company, each individual unit likely has its own ethical culture, so the company itself has a more diverse ethical culture.