Sample questions Flashcards

1
Q

Which one of the following is an objective of risk management?
A. To increase the likelihood of maximizing profits.
B. To facilitate greater operational effectiveness and efficiency.
C. To identify employees who are inclined to commit fraud.
D. To limit ambitions and risk-taking across the organization.

A

Solution: B
A. Incorrect. Among many others, this is an organizational objective that an
ERM system will help to achieve.
B. Correct. The aim of ERM is to increase the likelihood that the
organization will be well run and achieve multiple objectives.
C. Incorrect. Preventive and detective controls are risk responses designed
for this purpose.
D. Incorrect. ERM should encourage measured risk-taking, not prevent it.

2
Q

Which of these statements BEST describes risk culture?
A. The system of values and behaviors present throughout an
organization that shape risk decisions.
B. The leadership and commitment to risk management from the
highest levels of the organization.
C. The level of authority and trust awarded to managers to determine
the risks they are prepared to take.
D. The policies and processes that define risk ownership, risk
responsibilities, and risk reporting requirements.

A

Solution: A
A. Correct. Risk management will be embedded in an organization when
risk identification, analysis, and treatment are a routine part of decision-making.
B. Incorrect. Leadership and commitment are important factors in
developing a risk culture, but they require buy-in and application from
everyone.
C. Incorrect. The primary purpose of a risk culture is not to limit or control
what people can or cannot do.
D. Incorrect. Policies and procedures alone do not guarantee risk
management will be effective.

3
Q

When is an organization risk-enabled?
A. When a risk strategy and policies are in place and communicated.
B. When risk management and internal control are fully embedded into
operations.
C. When the organization establishes a risk committee, a risk
management team, and risk processes.
D. When risk appetite has been defined.

A

Solution: B
A. Incorrect. These are important parts of establishing ERM, but they need
to be applied before the organization is risk-enabled.
B. Correct. ERM is enabled when it is working effectively throughout the
organization.
C. Incorrect. These are structural elements within the ERM framework.
D. Incorrect. Risk appetite sets limits and tolerances, but it is only one
element of the ERM process and needs to be applied effectively in a
risk-enabled organization.

4
Q

The IIA’s definition of risk, taken from the glossary of the International
Professional Practices Framework, is as follows: “The possibility of an
event occurring that will have an impact on the achievement of
objectives. Risk is measured in terms of impact and likelihood.” Which
one of the following is NOT a risk?
A. Fluctuations in currency exchange rates will reduce sales in some
markets.
B. Power failure to the engine room for a prolonged period will reduce
production.
C. A shortage of qualified and well-trained employees will prevent
expansion.
D. Failure to achieve profit targets will reduce shareholder dividends.

A

Solution: D
A. Incorrect. This is a risk with significant impact that could be mitigated
through a response.
B. Incorrect. This is a risk with significant impact that could be mitigated
through a response.
C. Incorrect. This is a risk with significant impact that could be mitigated
through a response.
D. Correct. This is not a risk but the converse of an objective resulting from
the failure to apply sufficient control.

5
Q

Residual risk is BEST defined as:
A. The risk that a material error exists in the financial statements after
the audit.
B. The portion of inherent risk that remains after management executes
its risk responses.
C. The risk that audit procedures will fail to detect the error.
D. The internal and external risks that exist if there are no internal
controls in place.

A

Solution: B
A. Incorrect. This is “audit risk” from the external auditor’s perspective.
B. Correct. A management response will reduce a residual risk to an
inherent level within the risk appetite.
C. Incorrect. This is “detection risk” in the external audit risk model.
D. Incorrect. This is inherent risk.

6
Q

What is the primary purpose of a code of ethical behavior and statement
of values in an organization?
A. To prevent people in the organization from breaking the law.
B. To clarify the expectations the organization has of its staff and what
external stakeholders can expect.
C. To minimize reputational damage to the organization.
D. To increase profits.

A

Solution: B
A. Incorrect. Although it is part of ethical behavior, an ethical code goes
beyond this.
B. Correct. An ethical code and statement of values define expected
behavior for everyone in the organization.
C. Incorrect. A code is not a risk response.
D. Incorrect. Increased profits result from doing the right thing, but that is
not the primary objective of an ethical code.

7
Q

There are a number of internal and external stakeholders who have an
interest in successful enterprisewide risk management, but who has the
primary responsibility for identifying and managing risks?
A. Owners and shareholders.
B. The board of directors.
C. Management.
D. Risk managers.

A

Solution: C
A. Incorrect. Owners and shareholders are detached from operations and
are not in a position to manage risks.
B. Incorrect. While the board provides challenge to the risk management
process, it does not manage risks.
C. Correct. Managers at all levels of the organization have a responsibility
to identify and manage risks.
D. Incorrect. Risk managers help devise risk systems and procedures and
facilitate risk workshops, reporting, and monitoring; they do not identify
and manage risks.

8
Q

According to COSO’s framework, there are two types of controls: hard
and soft. Which of the following are soft controls?
A. Controls that rely on behavior and attitude.
B. Controls that are relatively easy to introduce, monitor, and manage.
C. Policies, processes, and specific measures, such as password
protection.
D. Controls (such as inspections and reviews) performed by people.

A

Solution: A
A. Correct.
B. Incorrect. These are hard controls.
C. Incorrect. These are hard controls.
D. Incorrect. These are hard controls.
9
Q

In January 2013, The IIA published a Position Paper, The Three Lines of
Defense in Effective Risk Management and Control. Which one of the
following operates as a second line of defense?
A. External auditors.
B. Senior management.
C. Risk management.
D. Operational management.

A

Solution: C
A. Incorrect. These are external to the organization.
B. Incorrect. These are stakeholders.
C. Correct.
D. Incorrect. These are the first line.
10
Q

During monthly management meetings, the team leader always asks for
feedback on progress and ideas for new ways of working. What sort of
management style is the team leader using?
A. Democratic.
B. Autocratic.
C. Laissez-faire (from the French meaning to let happen).
D. Impoverished.

A

Solution: A
A. Correct. This is an inclusive, consultative style.
B. Incorrect. Autocratic has little or no consultation.
C. Incorrect. Laissez-faire is a hands-off style.
D. Incorrect. Impoverished style is task-focused rather than people-focused.

11
Q

There are a number of simple techniques commonly used to assist
decision-making. Which of the following is NOT one of those
techniques?
A. Cause and effect (or fish) diagrams.
B. Cost-benefit analysis.
C. Six thinking hats.
D. Delegation.

A

Solution: D
A. Incorrect. These diagrams provide the basis for decisions on
preventative controls.
B. Incorrect. This is a financial cost versus value decision tool.
C. Incorrect. These are thinking modes to assist in decision-making.
D. Correct. Delegation is a management style, not a decision-making tool.

12
Q

A purchasing manager has subcontracted repairs and maintenance to a
facilities management company. This is a new relationship and has been
entered into quickly. Which one of the following is NOT a control
measure that will help to mitigate the risks?
A. A schedule of regular communication and reporting.
B. Financial penalties for missed targets and performance failures.
C. Stated objectives and itemized responsibilities for each party.
D. Identifying an alternative subcontractor.

A

Solution: D
A. Incorrect. This is a detective control.
B. Incorrect. This is a corrective control.
C. Incorrect. This is a preventative control.
D. Correct. This will only avoid risks for a short time.

13
Q

An organization’s chief risk officer (CRO) is most effective when the
CRO:
A. Manages risk as a member of senior management.
B. Shares the management of risk with line management.
C. Shares the management of risk with the CEO.
D. Monitors risk as part of the enterprise risk management team.

A

Solution: D
A. Incorrect. Senior management has an oversight role in risk management.
B. Incorrect. The risk knowledge at the line level is specific only to that
area of the organization.
C. Incorrect. The chief audit executive (CAE) is not responsible for
managing risk.
D. Correct. The chief risk officer (CRO) is most effective when supported
by a specific team with the necessary expertise and experience related to
organizational risk.

14
Q

The ISO 31000 and COSO ERM models have been thoroughly tested
and developed over many years and are widely regarded. The ISO
framework helps organizations with three activities. Which of the
following is NOT one of the three activities?
A. Increase the likelihood of achieving objectives.
B. Improve the identification of opportunities and threats.
C. Help managers better deal with the wide range of risks that threaten
an entity’s objectives.
D. Effectively allocate and use resources for risk treatment.

A

Solution: C
A. Incorrect. ISO focuses on this activity (per CRMA Study Guide, Domain
II).
B. Incorrect. ISO also focuses on this activity.
C. Correct. This is COSO’s (not ISO’s) key objective (per CRMA Study
Guide, Domain II).
D. Incorrect. ISO also focuses on this activity.

15
Q

You are the chief audit executive (CAE) for a defense contractor in the
aerospace sector. Senior management and the board are very concerned
about information security risks. They have asked you to recommend a
risk management framework for the organization. Which ONE of the
following would you recommend?
A. COSO’s ERM framework.
B. ISO 31000.
C. IIA GAIT for Business and IT Risk.
D. The National Institute of Standards and Technology (NIST 800-37).

A

Solution: D
A. Incorrect. Both A and B are widely accepted frameworks, but D was
designed for this sector.
B. Incorrect. Both A and B are widely accepted frameworks, but D was
designed for this sector.
C. Incorrect. GAIT provides a top-down approach to identifying IT general
controls, but D was designed to focus on information security risks.
D. Correct. NIST was specifically designed for information systems and
this sector.

16
Q

ISO 31000 provides a framework with five components for managing
risks and the way in which they interrelate in an iterative manner.
Which of the following is one of the five components?
A. Internal environment.
B. Mandate and commitment.
C. Categorization of information and information systems.
D. Control activities.

A

Solution: B
A. Incorrect. Both A and C are components of COSO’s ERM framework.
B. Correct. This is the first component in the ISO framework. The other
components are 1) design of framework for managing risk, 2)
implementing risk management, 3) monitoring and review of the
framework, and 4) continual improvement of the framework.
C. Incorrect. Both A and C are components of COSO’s ERM framework.
D. Incorrect. This is one of the principal steps in NIST 800-37.

17
Q

The COSO thought leadership paper, Understanding and
Communicating Risk Appetite, identifies four considerations affecting
risk appetite. “The amount of risk that the entity is able to support in
pursuit of its objectives” is which of the four?
A. Existing risk profile.
B. Risk capacity.
C. Risk tolerance.
D. Attitudes toward risk.

A

Solution: B
A. Incorrect. This is the “current level and distribution of risks across the
entity and across various risk categories.”
B. Correct. Risk capacity is the amount of risk the entity can support.
C. Incorrect. This is “acceptable level of variation an entity is willing to
accept regarding the pursuit of its objectives.”
D. Incorrect. This is “the attitudes toward growth, risk, and return.”

18
Q

Which of the following is the best approach to use when benchmarking
the risk management process?
A. Meet with a competitor in your industry and exchange risk
management process information.
B. Ask your regulator which framework to use.
C. Meet with company operational management to establish a set of
criteria and objectives.
D. Research several frameworks and select the guidance from some or
all of the frameworks that work well with your company’s industry,
culture, and objectives.

A

Solution: D
A. Incorrect. Sharing trade secrets would not be ethical.
B. Incorrect. Although such a framework may have value, it may not meet
all the needs of your company.
C. Incorrect. While meeting with operational management would
incorporate management’s expertise, it may not provide a complete view
of your industry or regulations.
D. Correct. Reviewing multiple frameworks (and other sources) would
allow you to determine what would work best for your company.

19
Q

According to COSO’s internal control framework, a precondition to risk
assessment is:
A. Establishing control procedures or activities.
B. Establishing a monitoring mechanism.
C. Establishing objectives or goals.
D. Establishing performance measures.

A

Solution: C
A. Incorrect. Risks must be identified prior to controls because control
activities are designed to address specific risks.
B. Incorrect. Monitoring occurs after risks are identified and controls are
implemented.
C. Correct. In the COSO framework, risks are only relevant with respect to
objectives.
D. Incorrect. Performance measures are not an explicit part of the COSO
model.

20
Q

An organization has calculated that for every day its call center is not
available, it loses $250,000. The director of telecommunications has
identified external threats as the most serious risks to the call center and
has asked a consultancy firm to set up a duplicate offsite call center
with backup hardware and software. What has the director done?
A. Recognized that external threats cannot be reduced and ACCEPTS
the risks.
B. Established a contingency plan to REDUCE the risks.
C. Entered into a contractual agreement to SHARE the risks.
D. Taken action to limit the potential impact of external threats to
AVOID the risks.

A

Solution: B
A. Incorrect. The manager has taken action.
B. Correct. This is a controlled response to reduce a risk.
C. Incorrect. While there is a third party involved, management still owns
and takes full responsibility for managing the risk.
D. Incorrect. There is a response, not avoidance.

21
Q

According to Robert S. Kaplan and Anette Mikes, establishing rules to
define what to do and what not to do will only be successful in
controlling one specific category of risk. Which of the following is the
specific risk category?
A. Strategic risks.
B. External risks.
C. Internal risks.
D. Theoretical risks.

A

Solution: C
A. Incorrect. Strategic risks cannot be fully controlled, because pursuing
greater rewards is inherently risky.
B. Incorrect. The organization does not have the ability to prevent external
risks.
C. Correct. Internal risks can be controlled, eliminated, reduced, or avoided.
D. Incorrect. The risk is not avoided because there is a response.

22
Q

Which phrase BEST describes a control risk self-assessment exercise?
A. Examining how well controls are working in managing key risks.
B. Using standardized checklists to assist risk identification.
C. Reviewing processes systematically to identify vulnerabilities and
threats.
D. Determining the cost-effectiveness of controls.

A

Solution: A
A. Correct. CRSA is about matching controls to mitigate risks, usually
through facilitated group sessions.
B. Incorrect. This is one way to aid risk identification, but it does not
incorporate group discussion of risks or consideration of appropriate
controls.
C. Incorrect. This describes assessments.
D. Incorrect. This could be discussed, but it is not the primary purpose of
CRSA.

23
Q

Which of the following procedures form part of risk reporting?
I. Changes to the risk profile or the level of severity of risks.
II. Systematic checking of risk mitigation plans.
III. Weaknesses identified in the system for internal control.
IV. Updates on actions that have been taken with respect to risk
treatments.
A. 1, 2, and 4 only.
B. 1, 3, and 4 only.
C. 1, 2, and 3 only.
D. 2, 3, and 4 only.

A

Solution: B
A. Incorrect.
B. Correct. Item 2 is part of control and assurance within the risk
management process and does not form part of reporting. Only option B
excludes item 2.
C. Incorrect.
D. Incorrect.

24
Q

Which activity does the following statement from the Project
Management Institute describe? “… the process of developing options
and actions to enhance opportunities and reduce threats to project
objectives.”
A. Risk analysis.
B. Risk mitigation planning.
C. Risk prioritization.
D. Risk mitigation implementation.

A

Solution: B
A. Incorrect. Risk analysis considers the origins and nature of risks and
precedes assessment and prioritization.
B. Correct. The mitigation plan is a record of what is required to implement
the intended response or make amendments to existing responses.
C. Incorrect. Prioritization comes before mitigation planning and is about
ranking the severity of risks.
D. Incorrect. Implementation is about taking action.

25
Q

According to Sobel and Reding, a review of risk management processes
has three goals. Which one of the following is NOT one of those goals?
A. To determine the effectiveness of the risk management team.
B. To determine that the organization is achieving its goals because risk
management is working.

C. To identify and repair weaknesses and faults in risk management
processes.
D. To identify changes in the organization’s objectives and
environments and ensure risk management processes remain in
alignment.

A

Solution: A
A. Correct. A review is designed to continuously improve the effectiveness
of the risk process, not a specific department or team.
B. Incorrect. Achieving goals is a key objective of risk management.
C. Incorrect. Risk processes need to evolve as the organization develops.
D. Incorrect. Risk processes need to evolve as the organization develops.

26
Q

What type of indicator is a fall in sales on the previous period measured
by value and volume of goods and services?
A. Lag indicator.
B. Lead indicator.
C. Challenge indicator.
D. RAG (red, amber, green) indicator.

A

Solution: A
A. Correct. A lag indicator is a measure of something that has already
impacted the organization.
B. Incorrect. A lead indicator is a measure of something that will impact
the organization.
C. Incorrect. This is a measure that indicates the root cause of a risk
incident.
D. Incorrect. This is an indicator of current risk status—red, amber, and
green.

27
Q

If key risks are the most important risks, what is a key risk indicator?
A. A measure that indicates a risk that has already materialized.
B. A measure that indicates a risk incident is about to occur.
C. A measure that indicates the root cause of a risk incident.
D. A measure that indicates the organization is performing to
expectations.

A

Solution: B
A. Incorrect. This is historical and describes a lag indicator.
B. Correct. A KRI is a measure that suggests a risk is about to materialize.
C. Incorrect. This describes a challenge indicator.
D. Incorrect: This describes a health indicator.

28
Q

Which of the following BEST describes the internal auditors’ role when
providing assurance on management risk reporting?
A. Creating a report of the company’s key risks.
B. Reviewing the accuracy and timeliness of key risk reports.
C. Providing key risk reports to the audit committee.
D. Providing key risk reports to the external auditors.

A

Solution: B
A. Incorrect. Management should create reports of key risks.
B. Correct. Internal audit’s key role is providing assurance on the accuracy
and timeliness of risk reporting.
C. Incorrect. Management should provide reports on key risks.
D. Incorrect. Management should provide reports on key risks.

29
Q

When establishing a risk reporting plan, management should:
A. Consider the types of events that could occur and determine the
frequency of reporting based on severity.
B. Create a plan based on management’s needs.
C. Report all events to the board of directors.
D. Consider the needs of the board of directors.

A

Solution: D
A. Incorrect. The board should have input on the type of information
reported and frequency.
B. Incorrect. The board should have input on the type of information
reported and frequency.
C. Incorrect. The board should have input on the type of information
reported and frequency.
D. Correct. The board should set the type of information reported and the
frequency.

30
Q

When conducting a review of the management of key risks, an internal
auditor will need to specify the scope and objectives of the audit and
then gather evidence. Which of the following criteria is specified by the
Standards for gathering information as evidence?
I. Sufficient information.
II. Reliable information.
III. Relevant information.
IV. Useful information.
A. 1 only.
B. 1 and 2 only.
C. 1, 2, and 3 only.
D. 1, 2, 3, and 4.

A

Solution: D
A. Incorrect. This is an appropriate criterion but not the only one.
B. Incorrect. These are appropriate criteria but not the only ones.
C. Incorrect. These are appropriate criteria but not the only ones.
D. Correct. All four items are required by the Standards.

31
Q

What should an internal auditor do when reviewing a risk associated
with an activity?
A. Determine how the risk should best be managed.
B. Provide assurance on the management of the risk.
C. Update the risk management process based on risk exposures.
D. Design controls to mitigate the identified risks.

A

Solution: B
A. Incorrect. Determining how unacceptable risk should be managed is the
role of management.
B. Correct. The internal auditor’s role is to provide assurance on the
management of risk.
C. Incorrect. Designing and updating the risk management process is the
role of management.
D. Incorrect. Designing controls would impair the internal auditor’s
independence.

32
Q

Who has primary responsibility for providing information to the audit
committee on the professional and organizational benefits of
coordinating internal audit assurance and consulting activities with
other assurance and consulting activities?
A. The external auditor.
B. The CEO.
C. The CAE.
D. Each assurance and consulting function.

A

Solution: C
A. Incorrect. External audit’s focus is on the financial statements.
B. Incorrect. The CEO would not normally be responsible for planning.
C. Correct. The CAE should provide the audit committee with information
on coordination.
D. Incorrect. Not all other assurance and consulting activities are
organizationally responsible to the audit committee for their work.

33
Q

Which risk indicator reveals the root cause of a risk event and prompts
an organization to take action?
A. Challenge indicator.
B. Risk indicator.
C. Action indicator.
D. Health indicator.

A

Solution: A
A. Correct. The challenge indicator prompts action.
B. Incorrect. The risk indicator records the final impact.
C. Incorrect. The action indicator provides feedback on action.
D. Incorrect. The health indicator shows whether the action worked.

34
Q

Who is MOST responsible for providing assurance to the board of
directors regarding risk management adequacy and effectiveness?
A. Management.
B. External auditors.
C. Audit committee.
D. Internal auditors.

A

Solution: A
A. Correct. As the owner of risk management, management is most
responsible for providing assurances.
B. Incorrect. External auditors typically do not provide assurance on risk
management.
C. Incorrect. The audit committee does not get involved in the day-to-day
dealings of risk management.
D. Incorrect. While the internal auditors provide assurance, they are not
responsible for risk management.

35
Q

Management implements a new process for which the correct
processing may be interpreted differently by a regulator. On what
should the internal auditors’ assurance to the board of directors focus?
A. Whether management’s decision-making process had a risk
assessment, relevant information, and appropriate approvals before
implementation.
B. Whether the information management used in making the decision
was accurate.
C. Whether management has consulted with the regulator before
implementation.
D. Whether the risk assessment process performed by management
used the appropriate criteria.

A

Solution: A
A. Correct. The internal auditors should provide assurance on the decision-making process.
B. Incorrect. Internal audit may not be able to provide assurance on the
information used.
C. Incorrect. Consulting with a regulator may not be possible. Also,
deciding who to consult is a management decision.
D. Incorrect. The internal auditors may not be able to assess whether the
criteria were used.

36
Q

When it comes to risk management, which of the following activities
should the internal auditors NOT carry out?
A. Make decisions on mitigation of risk.
B. Consolidate reporting on risk.
C. Facilitate the identification of risk.
D. Monitor risk.

A

Solution: A
A. Correct. Management is responsible for mitigating risk.
B. Incorrect. The internal auditors may report on risk to the audit
committee.
C. Incorrect. The internal auditors may identify risk for audit or consulting
purposes.
D. Incorrect. The internal auditors should monitor risk for purposes of
identifying their internal audit plan.

37
Q

Who is responsible for identifying the risk universe in a fully mature
ERM environment?
A. Management.
B. The internal auditors.
C. Management and the internal auditors working together.
D. The board of directors.

A

Solution: A
A. Correct. In a fully mature ERM environment, management has the
capability to identify the risk universe.
B. Incorrect. The internal auditors identify the risk universe in earlier stages
of ERM maturity.
C. Incorrect. In a fully mature ERM environment, management identifies
the risk universe and the internal auditors use that universe.
D. Incorrect. The board typically does not have enough involvement in day-to-day
operations to identify the universe.

38
Q

An internal audit activity is performing an integrated audit of a critical
system. Working with management, the internal auditors have
determined that loss of the system for more than three hours is
unacceptable. Which of the following is the BEST way to manage this
risk?
A. Share the risk by purchasing insurance products.
B. Reduce the impact via business continuity planning.
C. Share the risk by outsourcing to an internal audit activity willing to
accept the risk.
D. Reduce the risk by investing in technology with enhanced failure
self-detecting and backup capabilities.

A

Solution: D
A. Incorrect. This is reactive and there are better responses.
B. Incorrect. Although many organizations use this, D is more proactive.
C. Incorrect. This does not address the damage to the organization’s
reputation.
D. Correct. This provides early warning and promotes timely action.

39
Q

An internal audit activity is using a process elements approach to assess
its organization’s risk management process. One of the key process
elements requires structured and ongoing communication. Which of the
following techniques could provide the MOST relevant and useful
evidence?
A. Documented review of board and audit committee meetings.
B. Interviews with those impacted by organizational operations.
C. Interviews with individuals involved in risk management.
D. Results from previous audits.

A

Solution: C
A. Incorrect. C provides the most relevant and useful evidence.
B. Incorrect. C provides the most relevant and useful evidence.
C. Correct. Interviews with individuals directly involved in risk
management activities could produce the most relevant and useful
information.
D. Incorrect. These results may no longer be relevant or useful.

40
Q

An internal audit activity is using a key principles approach to assess its
organization’s risk management process. One of the key principles is
that “risk management is transparent and inclusive.” In their review, the
internal auditors are focusing on the risk counsel activities. Which of
the following techniques could provide the MOST relevant and useful
evidence?
A. Ongoing CAE observation via ex officio participation at risk
counsel meetings.
B. Review the risk management literature for best practices.
C. Process mapping the organization’s risk identification activities.
D. Results from previous audits.

A

Solution: A
A. Correct. Ongoing observation could provide “real time” assurance. It
also could “shut down” discussions in some risk cultures.
B. Incorrect. Best practices literature will not provide relevant and useful
information on the transparency and inclusiveness of the organization’s
risk counsel discussions.
C. Incorrect. Although C is a good technique, it is not as valuable as A in
providing the most relevant and useful information on the transparency
and inclusiveness of the organization’s risk counsel discussions.
D. Incorrect. These results may no longer be relevant or useful.

41
Q

An auditor becomes aware of a new regulation. To the best of the
auditor’s knowledge, management has not assessed the risks. What
should the auditor do?
A. Notify the audit committee/board that management has not
addressed the risk.
B. Perform a risk assessment and determine the appropriate risk
treatment.
C. Notify management of the regulatory/compliance risk and provide
advice.
D. Perform an audit of the compliance activity.

A

Solution: C
A. Incorrect. Management should be notified first.
B. Incorrect. The internal auditors should not determine risk treatment.
C. Correct. The internal auditors should notify management and provide
advice.
D. Incorrect. Identifying a risk would not by itself necessitate an audit.

42
Q

When leading the risk management implementation, which activity
should the CAE NOT perform?
A. Obtain support and approval from management.
B. Develop a plan for responsibility transition to management.
C. Perform an audit of the ERM process.
D. Allow management to make risk decisions.

A

Solution: C
A. Incorrect. Management support and approval should be obtained.
B. Incorrect. The CAE should not permanently be responsible so as not to
impair objectivity.
C. Correct. This would be auditing one’s own work, which impairs
objectivity and is not in accordance with IIA Standards.
D. Incorrect. Management should make risk decisions.

43
Q

When looking at risk criteria, which of the following activities can the
internal auditors perform as part of their consulting role?
A. Determine possible risk events and outcomes.
B. Challenge management’s risk criteria.
C. Align decisions with risk tolerance.
D. Communicate risk criteria to the business.

A

Solution: B
A. Incorrect. The internal auditors may provide advice, but management
should make the determination.
B. Correct. If it is a consulting role, the internal auditors should challenge
management criteria with risk appetite.
C. Incorrect. Management should align its decisions with risk tolerance.
D. Incorrect. Management should communicate risk criteria.

44
Q

Which is NOT a safeguard when the internal auditors provide ERM
consulting?
A. Documenting internal audit’s consulting role in the internal audit
charter.
B. Making risk management decisions.
C. Advising management on risk.
D. Following The IIA’s Standards regarding consulting engagements.

A

Solution: B
A. Incorrect. This is a safeguard.
B. Correct. Internal auditors should not make risk decisions.
C. Incorrect. This is a safeguard.
D. Incorrect. This is a safeguard.

45
Q

Management has asked internal audit to (as part of its consulting role)
help decide how best to mitigate a compliance risk. How should the
internal auditors respond?
A. Refuse to be involved in that decision.
B. Advise management to avoid the risk by obtaining insurance.
C. Perform an audit in the area and report it to management.
D. Perform research on the options and provide analysis.

A

Solution: D
A. Incorrect. The internal auditors may provide their advice as long as
management makes the decision.
B. Incorrect. The internal auditors should not make the decision.
C. Incorrect. An audit may not be necessary to obtain information.
D. Correct. If it is a consulting engagement, the internal audit function may
perform research and analysis.

46
Q

The chief information security officer asks the CAE to offer risk advice
regarding the implementation of a new security application. The only IT
auditor left the internal audit activity last week and a replacement has
not been hired. What should the CAE do?
A. Accept the consulting engagement.
B. Decline the consulting engagement.
C. Accept the consulting engagement, but have the external auditor
review the CAE’s advice.
D. Accept the consulting engagement and hire a consulting agency.

A

Solution: B
A. Incorrect. The internal audit function should decline consulting
engagements for which it lacks the required experience.
B. Correct. A consulting engagement should be declined if the internal
audit function lacks the required experience.
C. Incorrect. A consulting engagement should be declined if internal audit
lacks the required experience.
D. Incorrect. Management should decide whether to hire an external
consultant.

47
Q

The chief compliance officer accepts a CAE position for a newly
created internal audit activity. Three months later, the new chief
compliance officer asks the CAE to provide advice regarding an update
of the compliance policy. What should the CAE do?
A. Decline the consulting engagement.
B. Accept the consulting engagement, but remind the new chief
compliance officer that the CAE has worked in the area.
C. Accept the consulting engagement, but have the external auditor
review the CAE’s advice.
D. Decline the consulting engagement, but have lunch with the chief
compliance officer to offer advice off the record.

A

Solution: A
A. Incorrect. The CAE should not accept the engagement because he/she
held responsibility for the function less than 12 months ago.
B. Correct. The CAE should not accept the engagement because he/she
held responsibility for the function less than 12 months ago.
C. Incorrect. The CAE should not accept the engagement because he/she
held responsibility for the function less than 12 months ago.
D. Incorrect. The CAE should not provide advice, even off the record,
because he/she held responsibility for the function less than 12 months
ago.

48
Q

Which of the following is the LEAST likely benefit an organization can
expect in implementing combined assurance?
A. Makes the oversight role of the board more effective.
B. Leads to improved efficiency in assurance activities.
C. Leads to reduction in external auditor fees for the annual audit of
financial statements.
D. Reduces assurance fatigue for managers and operations personnel.

A

Solution: C
A. Incorrect. This is one of the major benefits of the combined assurance
approach.
B. Incorrect. This is one of the major benefits of the combined assurance
approach.
C. Correct. Implementation of combined assurance is not likely to reduce
fees for the external financial audit.
D. Incorrect. This is one of the major benefits of the combined assurance
approach.

49
Q

In coordinating the implementation of a combined assurance approach
to risk management, the internal audit activity receives assurance on
various risks from a number of assurance providers in the organization.
To evaluate the reliability of the assurance from each particular
provider, the internal auditor would do which of the following?
1. Review the policies and procedures of every assurance provider to
ensure they prevent personnel from giving assurance in any area
where they had operating responsibilities.
2. Re-perform a sample of every assurance provider’s work.
3. Assess the extent to which the assurance provider’s objectives and
responsibilities are clearly articulated.
4. Determine whether assurance providers have sufficient expertise
regarding organizational processes and risk.
A. 2 only.
B. 4 only.
C. 1, 3, and 4 only.
D. 1, 2, 3, and 4.

A

Solution: C
A. Incorrect. Re-performance of work for each provider is not practical, and
in cases where technical expertise is required, it is not possible. It would
only be done in selective cases.
B. Incorrect. Assessment of competency alone is not sufficient.
C. Correct. Consideration of 1, 3, and 4 is necessary, in addition to the
assurance provider’s impact in terms of getting results.
D. Incorrect. Re-performance of work for each provider is not practical, and
in cases where technical expertise is required, it is not possible.

50
Q

An organization is introducing a new product that is essential to
retaining market share in a highly competitive industry. The internal
audit activity has provided consulting services to the product
development team. The auditors on this project believe several
significant risks that could result in a “train wreck” have not been
identified and assessed. The CAE is invited to the CRO’s risk council
meeting. At the meeting, the CAE presents the risks and coaches
management on possible responses. At the end of the discussion, the
risk council elects to go forward with the product launch because none
of the risks presented were catastrophic. Which of the following is the
BEST way for the CAE to respond to the risk council’s decision?
A. No action is needed. It is a management decision and the risks are
within the organization’s risk appetite.
B. No action is needed. The CRO has primary responsibility for
coaching management on responses and internal audit cannot be
involved because it would impair independence and objectivity.
C. Discuss the matter with senior management after the meeting and
communicate the matter to the board.
D. Discuss the matter with the external auditors and communicate the
matter to appropriate external parties.

A

Solution: C
A. Incorrect. This is primarily because the internal auditors are responsible
for reviewing the management of key risks.
B. Incorrect. This is primarily because the internal auditors are responsible
for reviewing the management of key risks.
C. Correct. Collectively the risks could result in a “train wreck.” The
response conforms to mandatory guidance.
D. Incorrect. C is a better response.