Domain III - Assurance Role of the Internal Auditor Flashcards

1
Q

Internal audit plays several key roles in enterprise risk management (ERM). Which of the
following is not a legitimate role for internal audit to undertake?
a. Identifying the risk universe.
b. Offering consulting services in support of risk management.
c. Providing assurance that the management of key risks, including internal controls, is effective.
d. Constructing an annual plan based upon the identification and prioritization of an organization’s
risks.

A

Solution: a
a. Correct. Identifying and managing risk is the role of management. It is crucial that internal
audit not assume a direct role for identifying risk to ensure internal audit’s independence and
objectivity when performing assurance activities.
b. Incorrect. Advisory services or consulting, while subject to standards and safeguards, are
legitimate roles for internal audit.
c. Incorrect. This function is a key role for internal audit.
d. Incorrect. “The CAE prepares … the audit plan based on the audit universe, input from senior
management and the board, and an assessment of risk and exposures affecting the
organization.”

2
Q

Which of the following data or events is/are the best example(s) of a key risk indicator (KRI)
for pharmaceutical company Big Pharma?
I. A 15% drop in same sales-channel sales from 2013 to 2014.
II. The estimated cost to Big Pharma of a pending lawsuit.
III. The expiration of patent protection for Big Pharma’s blockbuster prescription drug ABC.
IV. The U.S. dollar appreciates 20% against the euro in one week.
a. I only.
b. II only.
c. III and IV.
d. II and III.

A

Solution: c (III and IV)
I. Incorrect. This is a lag indicator.
II. Incorrect. This is a key risk with the potential for significant impact. A KRI is a lead indicator of
risk-triggering events or conditions.
III. Correct. The end of patent protection introduces the opportunity for other firms to introduce less
expensive versions of ABC and weaken sales of this key source of Big Pharma’s revenue and
profit.
IV. Correct. KRIs are evidence of conditions that could trigger risks to an organization’s objectives.
Depending on how much of Big Pharma’s revenue comes from Europe and how it hedges foreign
exchange, this development could well pose an upside or downside risk.

3
Q

Consider the following events:
I. A nationwide retailer’s information systems are attacked one month before winter holidays, and
hackers steal millions of customers’ credit card data.
II. Negative publicity and customer fear resulting from the breach resulted in winter holiday sales
dropping 45% from the prior year.
III. The retailer promises customers that they will not be responsible for any fraudulent charges and
offers free credit monitoring for three years.
IV. Costs resulting from lost sales, lawsuits, and customer outreach efforts are estimated to run into
the billions.
Which of the following statements assigns the correct Mainelli risk indicator to the different
elements of the scenario?
a. Statement I is a challenge indicator.
b. Statement II is an action indicator.
c. Statement III is a risk incident indicator.
d. Statement IV is a health indicator.

A

Solution: a
a. Correct. Statement I tells us the trigger event has occurred.
b. Incorrect. Statement II is a health indicator because it lets us know how the risk event has
started to affect the retailer’s performance. Statement III is the action indicator, telling us
whether responsive actions have been taken.
c. Incorrect. Statement III is the action indicator, telling us whether responsive actions have been
taken. Statement IV is the risk incident indicator because it communicates the ultimate impact
of the breach on the retailer’s value.
d. Incorrect. See above.

4
Q

Which of the following statements is correct?
a. Positive assurance is based on a statement noting confirmed evidence of effective processes.
b. Positive assurance is based on a statement noting evidence of effective and ineffective processes.
c. Negative assurance is based on a statement that the auditor found evidence of ineffective
processes.
d. Negative assurance refers to the inability to give total confidence that all controls are effective
and will remain so.

A

Solution: b
a. Incorrect. This is only part of the correct definition of positive assurance, which is “Assurance
based on a statement noting confirmed evidence of effective or ineffective processes.”
b. Correct. See explanation above.
c. Incorrect. Negative does not equate to ineffective. Negative assurance is a statement noting the
absence of evidence to the contrary.
d. Incorrect. See above. Furthermore, the statement refers to auditors’ inability to provide absolute
assurance because an audit opinion is provided at a moment in time and is usually based on a
sample.

5
Q

The CAE of Offshore Manufacturing (OMI) Incorporated suspects, on the basis of a whistleblower’s
report, that its largest third-party manufacturer is not adhering to OMI’s risk management
requirements in its production processes. To reinforce the whistleblower’s observations, the CAE
conducts assurance reviews of risk management processes for all manufacturing plants in which
internal audit:
· Sets the scope of audits to focus on whether risk management processes related to
production are effective.
· Uses statistically significant sample sizes of documentation for review at each plant.
· Conducts focus groups and one-on-one interviews.
What is the biggest error that the CAE is making?
a. The scope of the audit is too narrow and should have included assurance reviews of financial
reports.
b. The sampling method is too expensive and resources should have been focused on the suspected
third-party company.
c. Focus groups are wasteful if employees are scared to voice concerns in front of colleagues about
observed weaknesses in risk management.
d. The CAE’s primary objective is to validate suspicions regarding OMI’s largest third-party
manufacturer.

A

Solution: d
a. Incorrect. Due to limited time and money, assurance reviews may not be able to cover every
item in one engagement. As long as all parties understand and agree to the scope of the review,
a limited set of objectives is legitimate and may help to prevent “mission creep.”
b. Incorrect. Selecting a statistically valid sample size is a cost-effective method to ensure integrity
of the resulting analysis. Furthermore, auditors should use statistically valid sample sizes at all
production plants under review.
c. Incorrect. While it is important for internal audit to acknowledge and control for a potential
“peer pressure effect,” focus groups are not an inherently flawed tool in the internal audit
toolkit.
d. Correct. Objectivity requires that internal audit follow the evidence without preconceived ideas
or the desire to prove a point.

6
Q

Which of the following statements is true when internal audit provides reasonable
assurance about the effectiveness of risk management processes?
a. The opinion meets The IIA’s definition for reasonable assurance.
b. Reasonable assurance recognizes the human element to risk management.
c. Reasonable assurance denotes that the findings are accurate given a statistically acceptable
standard of deviation (e.g., +/- 2%).
d. Reasonable assurance opinions are possible when assurance activities happen in accordance
with management’s prescribed schedule.

A

Solution: b
a. Incorrect. There is no IIA definition for reasonable assurance.
b. Correct. Reasonable assurance allows for the uncertainty that human error or bad intentions
may result in control failures.
c. Incorrect. Reasonable assurance, defined as “strong but not absolute assurance,” is not tied to a
universally acceptable standard deviation or margin of error.
d. Incorrect.

7
Q

Internal auditors at Creative Digits read about the fraud and reputational risks associated
with using digital channels such as social media and web applications to connect with their
customers and stakeholders. Although Creative Digits has a strong social media marketing
campaign, digital marketing risks are not currently included in the risk register. What should
the auditors do?
a. Audit the costs and benefits reported for each digital channel.
b. Notify the board that the risk is not addressed in the risk register.
c. Perform a risk assessment and determine the appropriate risk response.
d. Notify management involved in digital campaigns of the risks and provide advice.

A

Solution: d
a. Incorrect. Analyzing the costs and benefits of a marketing channel may help identify unrealized
gains (waste) or fraud, but it should be the responsibility of management (for example, the chief
marketing officer).
b. Incorrect. The auditors should contact appropriate members of management before bringing the
concern to the board.
c. Incorrect. Internal auditors should not conduct the risk assessment or determine the risk
response.
d. Correct.

8
Q

A multinational bank relies on internal audit during its mergers and acquisitions (M&A)
lifecycle. For which of the following M&A activities is internal audit best suited?
I. Identifying target companies.
II. Providing assurance regarding the financials of target private companies.
III. Conducting cybersecurity risk assessments of the target company.
IV. Performing a Foreign Corrupt Practices Act compliance review of newly acquired or merged
businesses.
a. I and II.
b. I and III.
c. II and IV.
d. III and IV.

A

Solution: c (II and IV)
I. Incorrect. Identifying target companies is a strategic role of management. Internal audit’s
appropriate role is limited to auditing the organization’s target identification process.
II. Correct. Auditing and providing assurance on the financials of the target company during the
due diligence of a potential merger or acquisition is a core internal audit function.
III. Incorrect. While cybersecurity vulnerability or risk assessments should be a part of the due
diligence process, this function belongs to the technical and business process managers and not
to internal audit.
IV. Correct. Conducting compliance audits, or coordinating with a stand-alone compliance unit if it
exists, is a key internal audit assurance function.

9
Q

The city government of Hometown USA has an innovative staff and a culture that encourages
continuous improvement in its programming and processes, including its embedded ERM.
Each year, the city manager tasks management and internal audit to pursue opportunities for
innovations in city programming. Which would be the best risk management assurance
model for Hometown to employ?
a. Maturity model approach.
b. Process elements approach.
c. Key principles approach.
d. Comprehensive assessment approach.

A

Solution: a
a. Correct. Hometown’s ERM is established and supported and management is ready and
motivated to seek further improvements in its programming and ERM strategy and processes.
b. Incorrect. Process elements is a more rudimentary approach. Process elements is better suited to
an entity that has introduced ERM relatively recently or has not assessed its ERM systems for
several years.
c. Incorrect. Key principles is a more rudimentary approach. Like process elements, key principles
is better suited to an entity that has introduced ERM relatively recently or has not assessed its
ERM systems for several years.
d. Incorrect. Sobel and Reding’s comprehensive assessment approach operates like a combination
of the process elements and key principles approaches. Therefore, the same comments apply as
in b and c.

10
Q

Metro Power and Light (MPL) places safety as its first risk management priority.
Management identifies safety risks, develops policies and procedures, and provides regular
safety training for employees, partners, and citizens. MPL’s risk management group conducts
safety audits to ensure management conducts its safety duties. Internal audit provides
assurance that MPL has developed the correct safety controls and that they are working as
intended. Which of the following statements about MPL is true?
a. MPL enjoys comprehensive integrated coverage across the full spectrum of assurance providers.
b. MPL relies on all three lines of defense to own, manage, oversee, and provide independent
assurance over its safety risks.
c. MPL employs an integrated approach that avoids gaps and overlaps in assurance coverage.
d. MPL’s risk management approach provides for adequate regulatory or legal compliance.

A

Solution: b
a. Incorrect. For this statement to be true, MPL should also present evidence of strong relationships
with external assurance providers such as external auditors, regulators, and safety inspectors.
b. Correct. Management (1st line), risk and compliance (2nd line), and internal audit (3rd line) all
play integral roles in ERM with respect to safety.
c. Incorrect. We have no evidence that MPL conducts periodic assurance mapping. Assurance maps
show the coverage offered by the main classes of assurance providers and help the organization
to “ensure proper coverage and minimize duplication of efforts.”
d. Incorrect. Documentation of MPL’s strategy and practices should provide stakeholders with
confidence that MPL is meeting regulatory and legal obligations with respect to safety.

11
Q

Following COSO’s ERM framework, the board’s responsibilities for effective reporting of risks
should include which of the following?
a. Inserting specific engagements relating to risk management into the annual audit plan.
b. Selecting the specific techniques regarding event identification to be considered in the risk
management process.
c. Assuring success in management of key risks.
d. Regularly reviewing the key risks against risk appetite.

A

Solution: d
a. Incorrect. The CAE has primary responsibility for developing the annual audit plan.
b. Incorrect. Selecting specific techniques for event identification is the responsibility of
management, perhaps with input from others, such as a risk officer.
c. Incorrect. While the board should analyze how well ERM is operating in the management of key risks, it would be unrealistic to assure success.
d. Correct. The board should perform regular review and continuous monitoring of key risks against
the risk appetite.

12
Q

According to IIA Practice Guide, Assessing the Adequacy of Risk Management Using ISO
31000, in providing confidence on process design, delivery, and documentation, the
following categories of questions should be included except:
a. Senior management involvement.
b. Only stand-alone processes.
c. Staff skills and knowledge.
d. Responsiveness to change.

A

Solution: b

a. Incorrect. Senior management involvement is important.
b. Correct. Embedded processes should be considered.
c. Incorrect. Staff members need the right skills and knowledge.
d. Incorrect. Responsiveness to change is a key element to consider.

13
Q

A 100-year-old manufacturing firm has had an excellent reputation for high-quality products,
with all sales to the private sector. Recently, the firm expanded sales to the government’s
defense department, and high profits rapidly declined. Historically, (1) personnel practices have been popular with employees—flexible work schedules and limited supervision
(resulting in high morale), and (2) security in warehouses and production has been limited
(yet minuscule pilferage occurred). In analyzing why profits have declined, which of these
risks would be of least concern?
a. A very loyal workforce is being replaced by a younger workforce with less loyalty and more
likelihood of abusing attendance requirements and engaging in pilferage.
b. In contract sales to the defense department, the firm is subject to tighter controls over classified
inventories, and the loose controls needed improvement.
c. The past lack of locks, fences, and barriers to the firm’s plant will risk more theft of expensive
defense-related inventories, and may violate defense security regulations.
d. A younger workforce will likely be less educated and trainable.

A

Solution: d
a. Incorrect. This risk should be considered due to the firm’s popular personnel practices, and
perhaps changes in demographics of the new employees.
b. Incorrect. This is a likely risk in defense sales and should be considered.
c. Incorrect. This is a likely risk, especially if inventories are expensive and/or related to national
security and risk of theft by terrorist groups.
d. Correct. Younger employees are likely more educated and flexible to new technologies, so this
risk would be lower than the others cited.

14
Q

An internal auditor assigned to an assurance engagement of risk management processes
should understand and appreciate the technical language—concepts, principles, and terms—
of risk management processes. An auditor may also need to consider broader natural barriers
to effective risk management. Which of the following is a natural barrier?
a. An ERM framework that is not applicable for a particular entity.
b. Reluctance by the CEO to share negative information.
c. An inadequate event identification approach.
d. An outdated risk register.

A

Solution: b

a. Incorrect. Framework is a technical term related to risk management.
b. Correct. Reluctance to share bad news is common and not solely related to risks.
c. Incorrect. Event identification is a technical term in risk management.
d. Incorrect. Risk register is a technical term related to risk management.

15
Q

In an assurance engagement of risk management, an internal auditor identifies several
potential problems that, in the auditor’s judgment, need further exploration. Of the
following, which should the auditor be least concerned about?
a. The board monitors risk directly without sharing with any committees.
b. Reporting of key risks is on an as-needed basis rather than periodically.
c. The designation of key risks is from a standardized list applicable to any entity.
d. The number of key risks is limited to a defined number.

A

Solution: d

a. Incorrect. The board is generally too far from activities and should share duties.
b. Incorrect. Risk reporting should generally be on a regular, periodic basis.
c. Incorrect. Designation of key risks should be tailored to the organization.
d. Correct. Key risks should be limited to a defined range (e.g., 5 to 20) for simplicity.

16
Q

An assurance engagement of risk management processes by the internal audit activity should
start by doing all of the following except:
a. Proposing revision of the entity’s mission, strategy, and objectives.
b. Understanding the internal and external environment.
c. Gaining knowledge of the risk appetite, risk capacity, and risk tolerance.
d. Identifying inherent risks and residual risks.

A

Solution: a
a. Correct. Proposing revisions in these three areas would be beyond the auditor’s role, especially
at the start of the engagement.
b. Incorrect. This is consistent with the relevant standard and practice advisory.
c. Incorrect. Same as for option B.
d. Incorrect. Same as for option B.

17
Q

As a function within the organization, the internal audit activity must generally comply with
the organization’s policies and procedures, including risk management processes. However,
there may be some differences. Which of the following statements about the risk management
processes of the internal audit activity itself is accurate?
a. Due to its nature and independence, the internal audit activity is immune from risks.
b. The only risk of concern to an internal audit activity is that it might provide false assurance.
c. The internal audit activity is subject to all the same risks of any other function.
d. Risk management methodologies should be used in internal audit practices.

A

Solution: d

a. Incorrect. IIA guidance explicitly states the internal audit activity is not immune from risks.
b. Incorrect. Three broad categories are audit failure, false assurance, and reputation risk.
c. Incorrect. The risks relate to the internal audit activity’s unique mission and objectives.
d. Correct. Risk management methodologies should fit the environment.

18
Q

In delivering assurance on risk management, an IIA Practice Guide identifies three
approaches auditors might follow: (1) process elements, (2) key principles, and (3) maturity.
A textbook identifies only two: (1) comprehensive, seen as a combination of (1) and (2) in the Practice Guide, and (2) maturity. Rigid, specific rules for choosing an approach do not exist
for an audit activity, but general guidelines do exist. Which of the following statements is
valid?
a. Regardless of approach, if the internal auditor is not wholly independent of the risk
management function, assurance should be provided by a source other than internal audit.
b. A process, key principles, or comprehensive approach is suggested when ERM has been in use
and found to be effective, but further improvements are desired.
c. The maturity model approach identifies three levels, from “risk-aware” to “risk-managed.”
d. The maturity model approach is applicable when ERM has been introduced fairly recently.

A

Solution: a
a. Correct. Independence of the internal audit activity would potentially be impaired in this case.
b. Incorrect. The approaches noted apply when ERM is fairly new and not in place long enough to
be deemed effective.
c. Incorrect. The five levels in the maturity model approach are risk-naïve, risk-aware, risk-defined,
risk-managed, and risk-enabled. (Terms may vary.)
d. Incorrect. See the rationale for

19
Q

Assume an internal auditor is assigned to an assurance engagement over the risk
management process. The auditor discovers that the entity does not have an established risk
management process and has not adopted a recognized framework, such as COSO or ISO
31000. Which is the best explanation of the approach the auditor should take?
a. Select an appropriate framework and advise the entity to adopt it before continuing the
assurance engagement.
b. Ignore the absence of the framework and proceed with the engagement.
c. After discussing the issue with the CAE, and consideration of input from senior management and
the board, decide if the assurance engagement must be adjusted.
d. Proceed with the engagement, but consider it to be a consulting engagement.

A

Solution: c
a. Incorrect. While facilitation or advisement on establishment of a framework may be performed
as a consulting engagement, it should not be performed as an assurance engagement.
b. Incorrect. The auditor should carefully consider the circumstances before proceeding, so
ignoring the absence of a framework would be inappropriate.
c. Correct. The CAE needs to use judgment as to the best approach to follow after consideration of
input from senior management and the board.
d. Incorrect. A decision as to whether to initiate a consulting engagement should be made by
management and properly coordinated with the charter and annual audit plan.

20
Q

If internal auditors are to be effective in providing assurance on risk management processes,
they must be knowledgeable of common concepts and terms used in these processes. This
knowledge should include awareness of quantitative and qualitative risk assessment
techniques and related terms. Match the specific techniques to the categories:
Categories: Non-probabilistic (NPM), benchmarking (B), probabilistic model (PM)
Techniques: Best in class (BIC), cash flow at risk (CFR), scenario analysis (SA)
a. CFR is in NPM.
b. BIC is in B.
c. SA is in PM.
d. CFR is in B.

A

Solution: b

a. Incorrect. CFR is in PM.
b. Correct. BIC is in B.
c. Incorrect. SA is in NPM.
d. Incorrect. CFR is in PM.

21
Q

For an internal audit plan to be appropriately risk-based, which of these must the CAE
consider?
I. Residual risks, key risks, and key controls.
II. The work of other assurance providers.
III. That the organization has communicated the risk appetite.
IV. Individual risk factors where there are significant reductions from inherent to residual controls.
a. I and II.
b. II and III.
c. I and IV.
d. II and IV.

A

Solution: c (I and IV)
I. Correct. Residual risks are those that exist after controls have been implemented, and key risks
are usually those with the highest ranking based on likelihood and impact. Once a CAE considers
the residual risks and the key risks that have been identified, the internal audit plan can be
developed to provide assurance of control activities.
II. Incorrect. The work of other assurance providers must be considered as the CAE is providing assurance across the entire enterprise when multiple parties manage risks, and the internal audit
plan and activity would feed into this assurance.
III. Incorrect. Once an organization develops a risk appetite and communicates it, the internal audit
activity must then consider the key risks that are identified as outside the risk appetite and the
responses to the risks.
IV. Correct. This highlights controls that are important to the organization.

22
Q

An auditor wants to review the organization’s management of key risks, so he looks at risk
mitigation implementation plans to find evidence of effective risk management. What should
he be considering by looking at the risk implementation plans?
a. If the risk mitigation implementation plans identify owners, timelines, and evidence of action
plans that were implemented.
b. If the plans follow COSO’s ERM framework.
c. The plans should show evidence of board approval.
d. That he has enough information in the risk mitigation implementation plan to perform a walk-through.

A

Solution: a
a. Correct. Any risk mitigation implementation plan should show evidence of accountability and
timelines, as well as provide action-based plans that can be traced to outcomes.
b. Incorrect. A risk mitigation implementation plan is not a prescribed work document of COSO’s
ERM framework. The plan should be specific to the organization and show that risk mitigation
activities were carried out.
c. Incorrect. The board has an active role in oversight of effective risk management, but individual
risk mitigation implementation plans are operational in nature and not for board approval.
d. Incorrect. There are many methods used for information gathering by auditors in reviewing the
management of key risks. A walk-through does not need to be dependent on a risk mitigation
implementation plan.

23
Q

The following are key design features of KRIs except:
a. The organization should use KRIs consistently in all its lines of defense.
b. KRIs should be tied to the organization’s strategic scorecard.
c. Risk owners should be held accountable for risk mitigation activity of key risks over which they
have responsibility.
d. Implementing KRIs creates additional costs and should be embedded into the annual budgeting
cycle in advance.

A

Solution: d
a. Incorrect. A key design attribute of KRIs is the consistency of application across the
organization.
b. Incorrect. When the corporate scorecard and KRIs are comparable, the management of risks as
aligned to strategic goals becomes more effective.
c. Incorrect. Tying performance measurement indicators to KRIs will strengthen risk management.
d. Correct. Key risk indicators should be designed so that they are cost effective to implement and
measure.

24
Q

The program office for grants administration informed the internal auditors that its
organization has a robust ERM culture and discipline. However, the auditors found that key
risks were not properly analyzed and managed by the organization. What are the most likely
reasons that there are weaknesses in managing key risks?
I. Key risks are identified, but they are not prioritized and monitored.
II. Management has not acted in areas where residual levels of risk are above the organization’s risk
appetite.
III. Key risk indicators are not appropriately identified with the use of stress points.
IV. The risk responses assigned by management do not get to the root cause of the risk, thus the
responses are ineffective at managing risk.
a. I, II, and III.
b. I, III, and IV.
c. II, III, and IV.
d. I, II, III, and IV.

A

Solution: d (I, II, III, and IV)
I. Correct. Robust risk analysis requires several stages to be performed, including risk
identification, risk prioritization, risk mitigation, and risk monitoring.
II. Correct. If inherent risks for fraud are controlled via key controls, but residual risks remain
above the organization’s risk appetite and management does not pay attention to these risks, this
is a flaw in key risk management.
III. Correct. Understanding what key risk indicators are by identifying the trigger events, conditions,
or intermediate events is best done by identifying the stress points, which permit the
organization to be able to identify stages of fraud in grant appropriations.
IV. Correct. It is critical that the risk responses are appropriate to mitigating the risk of fraud. If
management chooses the wrong risk response, then the inherent risk of fraud will not be
controlled.

25
Q

The chief risk officer at Soups International has been reporting to senior management and
the risk committee of the board regularly on the organization’s key risk indicators, including
risk ratings and responses. Management and the board are surprised, however, when it is
revealed that one of Soups International’s major suppliers has been investigated and found
guilty of food contamination. What should the internal auditors do so surprises are avoided?
a. The auditors need to implement management’s risk responses.
b. Internal audit should give assurance that risks are correctly evaluated.
c. Internal audit should define the risk appetite so surprises are avoided.
d. Reorder the risk ratings to ensure that supplier risks are exposed.

A

Solution: b
a. Incorrect. This is not a legitimate role for internal audit to perform.
b. Correct. Auditors can assess exposures in the risk management process, including an evaluation
of the risk ratings.
c. Incorrect. Management and the board are responsible for setting risk appetite.
d. Incorrect. The risk ratings are assigned through a management process with input from the
auditors. The auditors do not determine the ratings, management does.

26
Q

The board of any nonprofit or private organization should receive reports about key risks.
What are some of the key elements that make risk reporting relevant for board oversight?
I. Risk reporting is repeatable over time.
II. A rigorous method and an analytical framework support risk reporting.
III. Reporting is applied periodically and regularly, as opposed to as needed.
IV. A separate committee sees the risk reports and then reports to the full board.
a. I, II, and III.
b. I, II, and IV.
c. II, III, and IV.
d. I, III, and IV.

A

Solution: a (I, II, and III)
I. Correct. Risk reporting should be repeatable.
II. Correct. Regardless of what methodology and analytical framework is used, risk reporting should
include evidence of rigor and analytics to support the report.
III. Correct. The reports should be updated regularly and the board should know annually when to
expect the risk report.
IV. Incorrect. Effective reporting does not require that a separate board committee review the risk
report before it reaches the full board.

27
Q

Internal auditors should consider the reporting of risks as part of the assurance they provide
on risk management activities. Which of the following is not a best practice in risk reporting
that auditors would provide assurance on?
a. An organization limits the number of risks in a risk report to 5 to 20.
b. The information in the risk management plan and risk report flows up and down.
c. The report out on risks occurs when they have fallen outside the acceptable risk tolerance
levels.
d. The risk report is separate from the annual report or performance report.

A

Solution: c
a. Incorrect. Risk reporting should be kept simple; only the key risks should be reported out.
Limiting the report to a manageable number of risks is an accepted practice, even though no fixed
limit is prescribed.
b. Incorrect. Information on risks needs to flow both up and down so that stakeholders and
employees are aware of the risk appetite, the importance of key risks, and the activities under way
to address them and eliminate redundancies.
c. Correct. Risks have to be promptly identified and assessed, but risk reporting should be regular
and not reported only when risk tolerance thresholds have been crossed.
d. Incorrect. Even though the risk reporting process should be embedded within core management
systems, risk reporting should be separate from the annual financial report or performance
report.

28
Q

Which of the following is the most likely responsibility of the CAE in assuring that an
organization’s risks are adequately evaluated?
a. Hiring subject matter experts in all operation areas to fill out the internal audit team and
manage risks in operations.
b. Coordinate the activities of risk, compliance, and internal audit to ensure resources are being
used effectively and efficiently.
c. Ensure that the risk management activities are effective.
d. Develop review teams to oversee risk management activities in the organization.

A

Solution: b
a. Incorrect. Management is responsible for operational risk management. Management’s own
assurance over those risks is therefore an input to the CAE’s assessment, but the CAE does not
manage risks in operations.
b. Correct. Many organizations have distinct roles to oversee assurance activities, including
internal audit, compliance, and risk management. The CAE has the skills and knowledge to
provide coordination and reporting over all assurance functions to ensure they are effective.
c. Incorrect. It is management’s responsibility to ensure that risk management activities are
effective. Internal audit evaluates effectiveness and offers the board the appropriate level of
assurance for the nature and levels of risk that exist in the organization. There is a difference
between ensuring effectiveness and evaluating effectiveness to provide assurance.
d. Incorrect. Oversight of risk management activities is a role for the board.

29
Q

Kipper Co is a Canadian company with offices throughout the country. Kipper’s risk
management approach includes an enterprise risk matrix that allows senior management and
the board to view the top 10 risks to achieving the company’s strategic goals, risk owners,
mitigation activities, and residual risks. The CAE of Kipper wants to perform an assurance
mapping exercise. Which of the following is not a step she would perform in assurance
mapping?
a. Identify which of the risk management activities and residual risks fall within Kipper’s risk
appetite.
b. Identify which assurance providers are responsible for assessing the risks or control activities
tied to each of the 10 risks.
c. Provide assurance across the entire enterprise and its operations after considering the coverage
by all assurance providers.
d. Ensure that the internal auditors are the only source from which the board will seek assurance.

A

Solution: d
a. Incorrect. Without coordination of assurance providers, key risks may be misjudged and
ineffective control activities may go unnoticed.
b. Incorrect. The assurance map will show the coverage provided by the providers and help
identify and address gaps in the risk or control activities.
c. Incorrect. The CAE must understand the independent assurance requirements of the board and
the organization to provide information about each assurance activity by coordinating assurance
providers and reporting on gaps.
d. Correct. The board will use multiple sources to gain reliable assurance, including assurance
from management, external auditors, and internal auditors.

30
Q

While performing an assurance audit on the risk management process of International Flora
Group, the auditor evaluated the organization using the eight components of COSO’s ERM
framework as a benchmark. The auditor found defined responsibility for the internal
environment and robust policies, procedures, protocols, and documentation. Yet the risk
management philosophy was informal and not communicated uniformly. Using a maturity
model approach to the audit, what is the most likely rating the auditor would use on the
maturity-level scale?
a. Very weak.
b. Poor.
c. Mid.
d. Good.

A

Solution: b
a. Incorrect. The organization has formal controls communicated, so its ERM approach would not
rate this low.
b. Correct. While the control environment is strong, the internal environment is a necessary first
step to the maturity of ERM, and without formal risk management philosophy, the rating would
likely be poor.
c. Incorrect. The organization’s lack of communication would not lend itself to a mid-level ERM
approach.
d. Incorrect. Principles for ERM cannot be carried out regularly if the risk philosophy is informal.