
Chapter 6

Internal Control and Risk Assessment

MULTIPLE CHOICE QUESTIONS

1. Which of the following best defines internal control?
A. Internal rules and/or regulations with which organizations are
expected to comply regarding accounting standards and preparation
of financial data.
B. A process by which management gains reasonable assurance that its
objectives will be achieved.
C. Procedures for input of and access to information systems used for
internal analysis of an organization's short-term and long-term
objectives.
D. A system of checks and balances that allows an organization to
maintain control over its resources (data, systems, and all other
assets).
B

2. Why is internal control so important?
A. Internal control is encouraged by several regulatory organizations,
and it is required by law for publicly traded companies in an
enactment in 1978 by the Cohen Commission.
B. Internal control is essential in lowering costs due to errors and
irregularities in an organization by using risk assessment and risk
management techniques.
C. Internal control enables management to maintain control over all its
activities and it provides a measure of protection against erroneous or
fraudulent financial reporting.
D. The U.S. Congress has enacted legislation requiring management of
publicly-traded companies to report on the effectiveness of their
internal control.
C

3. Which of the following best describes the Foreign Corrupt Practices Act of
1977 (amended 1988)?
A. It recommended that every publicly traded company include a report
in its annual report assessing the effectiveness of the company’s
internal control structure and procedures.
B. This act made it a felony to intercept electronic communications and
a misdemeanor to break into electronic mail storage facilities.
C. In accordance with section 1029, "Fraud and Related Activity in
Connection with Access Devices," this act made it a crime to produce
or use a counterfeit access device.
D. It established provisions for record keeping and internal control for
companies registered with the Securities and Exchange Commission.
D

4. Which of the following best describes the Sarbanes-Oxley Act of 2002?
A. It recommended that every publicly traded company include a report
in its annual report assessing the effectiveness of the company’s
internal control structure and procedures.
B. This act made it a felony to intercept electronic communications and
a misdemeanor to break into electronic mail storage facilities.
C. In accordance with section 1029, "Fraud and Related Activity in
Connection with Access Devices," this act made it a crime to produce
or use a counterfeit access device.
D. It established provisions for record keeping and internal control for
companies registered with the Securities and Exchange Commission.
A

5. Which of the following first required that an organization have internal
control?
A. Securities and Exchange Act
B. AICPA Professional Standards
C. Foreign Corrupt Practices Act
D. Treadway Commission
C

6. Which of the following is not a reason that an external auditor would have an
interest in an organization's internal control?
A. Internal control provides a measure of protection against erroneous or
fraudulent financial reporting.
B. The external auditor is required to evaluate internal control in
planning an external audit, according to generally accepted auditing
standards.
C. Strong internal control can eliminate the test of controls required to
be performed by the external auditor.
D. The Sarbanes-Oxley Act of 2002 requires the external auditor attest to
and report on management’s assessment of internal control.
C

7. Which of the following best describes the requirement for a company to
report on the effectiveness of its internal control?
A. A company is required to report on the effectiveness of its internal
control only if the company is a bank or a thrift with assets of $150
million or more.
B. Each publicly traded company is required to report on the
effectiveness of its internal control.
C. Each publicly traded and privately held company is required to report
the effectiveness of its internal control.
D. A company is not required to report on its internal control, but almost
every publicly traded company voluntarily reports on the
effectiveness of its internal control.
B

8. Which of the following documents has become the widely accepted authority
on internal control and is the basis for the others?
A. The AICPA’s Statement of Auditing Standard No. 78
B. COSO’s Internal Control - Integrated Framework
C. Information Systems Audit and Control Foundation’s COBIT
D. Institute of Internal Auditors Research Foundation’s Systems
Auditability and Control Report
B

9. Which of the following is not one of the four categories of entity objectives?
A. Compliance with applicable laws and regulations
B. Effectiveness and efficiency of operations
C. Human resource policies and practices
D. Quality of information
E. Organizational strategy
C

10. Which of the following are entity objective categories?
A. Effectiveness and efficiency of operations, safeguarding of assets,
strategy-setting, and quality of information
B. Organizational strategies, quality of information, effectiveness and
efficiency of operations, and compliance with applicable laws and
regulations
C. Compliance with applicable laws and regulations, risk assessment
objectives, risk response, and quality of information
D. Effectiveness and efficiency of operations, quality of information,
safeguarding of assets, and organizational control
B

11. Which of the following are some of the characteristics of high quality
information?
A. Accurate, relative, current, and confidential (when necessary)
B. Accurate, complete, operational, and accessible
C. Accurate, confidential (when necessary), complete, and relevant
D. Accurate, explicit, internal, and confidential (when necessary)
C
12. Why do organizational objectives stress the importance of quality
information?
A. Quality information is required for accounting systems to operate
effectively.
B. Investors, creditors, managers, and other users rely on this
information.
C. The organization's reputation depends on the output of quality
information.
D. External auditors insist that the information provided them be of high
quality.
B

13. The five interrelated components of internal control (according to the COSO
framework) include the following:
A. Control environment, risk assessment, control activities,
organizational structure, and monitoring
B. Control environment, risk assessment, integrity and ethical values,
information and communication, and monitoring.
C. Control environment, risk assessment, control activities, information
and communication, and monitoring
D. Control environment, risk assessment, control activities, information
and communication, and human resource policies and practices
C

14. Which of the internal control components provides the foundation for all the
other components of internal control?
A. Risk assessment
B. Information and communication
C. Monitoring
D. Internal environment
D

15. Which of the following factors are included in the internal environment?
A. Human resource policies and practices, integrity and ethical values,
commitment to competence, and board of directors or audit
committee
B. Human resource policies and practices, integrity and ethical values,
risk assessment, and organizational structure
C. Board of directors, management’s philosophy and operating style,
commitment to competence, and quality of information
D. Assignment of authority and responsibility, organizational structure,
effective and efficient operations, and management’s philosophy and
operating style
A
16. Which factor has the most influence on the effectiveness of an organization's
internal control?
A. Competent, dedicated, trustworthy employees
B. Board of directors
C. Written policies and procedures
D. Employee training
A

17. The effectiveness of the board of directors in contributing to internal control
is best enhanced by which of the following?
A. Its independence
B. Its superiority to management
C. Its stockholder representation
D. Its legal power to govern the corporation
A

18. An audit committee is a subcommittee under the direction of whom?
A. The controller
B. The treasurer
C. The CEO
D. The board of directors
D

19. Which of the following is not a responsibility of an audit committee?
A. Recommending an external auditor
B. Attesting to the fairness of the financial statements
C. Reviewing significant financial information
D. Seeing that an effective internal control is maintained
B

20. Which of the following is not an essential component of the audit function of
an organization?
A. Senior management
B. Audit committee
C. Internal auditors
D. External auditors
A

21. Which of the following statements regarding the audit committee is true?
A. It is a standing subcommittee of the board of directors.
B. Its main objectives are to protect against management wrongdoing
and to increase public confidence in the independent auditor's
opinion.
C. The committee should be composed of independent board members.
D. A, B, and C
E. B and C only
D
22. The audit committee is responsible for all of the following except:
A. Appointing and overseeing the external auditors
B. Directing investigations of possible fraud
C. Establishing internal control
D. Reviewing financial information
C

23. From the following factors, which one is least likely to impact the internal
environment?
A. Management philosophy and operating style
B. Human resource policies and practices
C. Job descriptions
D. Integrity and ethical values
C

24. Which of the following characteristics usually does not describe a
management philosophy or operating style that affects the internal
environment?
A. Management's behavior toward other managers or personnel
B. Management's approach to external political factors
C. Management's attitude toward accounting functions
D. Management's approach to business risk
B

25. Which of the following generally expresses the organizational structure?
A. Organizational chart
B. Managerial decision-making framework
C. Responsibility accounting chart
D. Functional model
A

26. Which of the following is not defined by the formal organizational structure?
A. Areas of responsibility
B. Limits of managerial authority
C. Lines of reporting
D. Organizational goals and objectives
D

27. Which of the following best describes the importance of risk assessment?
A. Risk assessment allows management to determine the extent of the
internal controls required to eliminate inherent risk and to minimize
control risk.
B. Risk assessment is necessary to set priorities for risks in order of
frequency so the most frequently occurring risks can be eliminated in
a cost effective manner.
C. As go the risks, so go the insurance premiums and costs. Risk
assessment is management's primary tool to lower insurance
premiums and casualty losses.
D. Risk assessment helps management set priorities and determine the
organization’s risk response.
D

28. The main goal in risk assessment is which of the following?
A. To achieve the lowest possible losses associated with risks identified
in the assessment process
B. To reduce risks to the minimum level possible consistent with factors
of assessment involved
C. To provide "reasonable assurance" and an acceptable level of risk
while achieving the lowest total cost (cost of controls added to loss
from risk)
D. To establish the most comprehensive control activities possible at a
reasonable cost to the organization
C

29. Which of the following is not a consequence of uncontrolled risk?
A. Data are produced that nobody uses or believes.
B. Management spends time dealing with unavoidable problems.
C. Public image is tarnished.
D. Critical information is unavailable when needed.
B

30. Which of the following includes risks that are all related to accounting
information system activities?
A. Computer system failure, information security breaches, errors and
irregularities in transaction authorization
B. Computer fraud, errors and irregularities in transaction authorization,
and internal audit fraud
C. Fraudulent financial reporting, external audit fraud, and concealment
of illegal acts
D. Inadequate training, system failure, risk disclosure, and irregularities
in transaction authorization
A

31. Which of the following is not a consequence of uncontrolled risks?
A. Credit ratings are eroded.
B. Favorable audit opinions are received.
C. Important decisions are based on faulty data.
D. Resources are lost, wasted, or abused.
B
32. What are the component factors in the assessment of risk?
A. Estimated probable loss and the estimated frequency of occurrence
B. Effectiveness of security measures and the value of the item involved
C. Estimated frequency of occurrence and the nature of the asset
D. Seriousness of the risk and the security measures employed
A

33. Which of the following is true concerning the cost/benefit model for risk
analysis?
A. As costs of controls increase, costs associated with risks decrease.
B. As costs of controls increase, costs associated with risks increase.
C. As total costs increase, costs associated with risks increase.
D. As total costs decrease, costs of controls decrease.
A

34. What is the optimal point of reasonable assurance for internal control?
A. When all possible controls are implemented
B. When the cost of controls equals the savings on losses from risks
C. When standard costing is used in inventory accounts
D. When no discrepancies exist between the inventory physical count
and the inventory account balance
B

35. IT governance
A. Should be part of enterprise governance.
B. Has historically been ignored in corporate governance matters.
C. Refers to issues surrounding technology solutions.
D. All of the above describe IT governance.

36. Which of the following best describes the Sarbanes-Oxley Act of 2002?
A. This act requires publicly-traded companies to include a report in its
annual report assessing the effectiveness of the company's internal
control structures/procedures.
B. This act made it a felony to intercept electronic communications and
a misdemeanor to break into electronic mail storage facilities.
C. This act makes it a crime to produce or use a counterfeit access
device.
D. This act established provisions for record-keeping and internal control
for companies registered with the Securities and Exchange
Commission.
A

37. Which of the following is TRUE regarding the Enterprise Risk Management
(ERM) framework?
A. The ERM framework replaces the COSO internal control framework.
B. Proper identification of risk can help management properly allocate
resources.
C. The COSO requested the assistance of Ernst and Young for
development of the ERM.
D. All of the above are true statements regarding ERM.
B

38. The audit committee is responsible for all the following EXCEPT:
A. Appointing and overseeing the external auditors.
B. Directing investigations of possible fraud.
C. Establishing internal control.
D. Reviewing financial information.

39. What is the definition of internal control?
A. A process designed to guarantee that objectives related to
organizational strategy, quality of reporting, effectiveness and
efficiency of operations, and compliance with applicable laws and
regulations will be achieved.
B. A process designed to provide reasonable assurance that objectives
related to organizational strategy, quality of reporting, effectiveness
and efficiency of operations, and compliance with applicable laws
and regulations will be achieved.
C. A process designed to provide reasonable assurance that objectives
related to ethical values and integrity, quality of reporting,
effectiveness and efficiency of operations, and compliance with
applicable laws and regulations will be achieved.
D. A process designed to guarantee that objectives related to ethical
values and integrity, quality of reporting, SOX compliance, and
efficiency of operations will be achieved.
B

40. Which of the following statements is FALSE with regard to the Enterprise
Risk Management (ERM) framework?
A. The ERM is primarily focused on the risk aversion of management.
B. The ERM discusses the relationship between risk and strategy-setting.
C. The ERM is an ongoing process that permeates the entire company.
D. The ERM affects strategy-setting through risk identification.
A

41. Which of the following is true regarding Type II SAS 70 reports?
A. They include the company's opinion of the internal control system of
a third-party service provider.
B. They include the results of testing of the third-party service provider's
internal control system.
C. The report must cover the third-party service provider's audit period.
D. All of the above are true statements regarding the Type II SAS 70
report.
D

42. Which of the following are required by the Sarbanes-Oxley Act of 2002?
A. Rotation of a company's external auditing firms every five years.
B. Limited loans under special circumstances to executive management.
C. Attestation as to the contents of the financial statements by the CEO
and CFO.
D. All of the above.

43. Which of the following is NOT a key area for focus in IT governance?
A. Responsible handling of transactions, events and decisions, to include
management of mobile IT components such as laptops and PDAs.
B. Choice of public accounting firm to perform the annual audits and
provide tax consulting services.
C. Management of contracts and relationships with service providers
(i.e., outsourcing partners).
D. Timely and transparent disclosure of financial information and
performance measures.
B

44. Who is ultimately responsible for the implementation of cost-effective
internal controls?
A. The director of internal auditing.
B. The chief executive officer.
C. The information systems audit manager.
D. All of these individuals are ultimately responsible for the
implementation of cost-effective internal controls.
B

45. The primary objective of an external auditor's obtaining an understanding of
a client's internal control is to provide the auditor with which of the
following?
A. Evidential matter to use in reducing detection risk.
B. Knowledge necessary to plan the audit and related testing.
C. A basis from which to modify tests of controls.
D. Information necessary to prepare flowcharts.
B
46. The Foreign Corrupt Practices Act requires which of the following?
A. The auditor engaged to examine the financial statements must report
to the SEC all illegal payments.
B. A publicly-held company must establish an independent audit
committee to monitor the effectiveness of a company’s internal
controls.
C. U.S. firms doing business abroad must report sizable payments to
non-U.S. citizens to the U.S. Justice Department.
D. A company registered with the SEC must devise and maintain an
adequate internal control.
E. All of these are required by the Foreign Corrupt Practices Act.
D

47. Which of the following statements about internal control is CORRECT?
A. Exceptionally strong internal control is enough for the auditor to
eliminate substantive tests on a significant account balance.
B. Properly maintained internal control reasonably ensures that collusion
among employees cannot occur.
C. The cost-benefit relationship is a primary criterion that should be
considered in designing internal control.
D. The establishment and maintenance of internal control is an important
responsibility of the internal auditor.
E. All of these are correct statements about internal control.
C

48. Which of the following concepts are fundamental to the Enterprise Risk
Management (ERM) framework?
A. The ERM framework is a process applied across the enterprise
B. The ERM framework is effected by people to allow the organization
to achieve its objectives.
C. The ERM framework is applied in strategy setting to identify events
and manage risk within the organization’s risk appetite.
D. All of the above are concepts fundamental to the ERM framework.
D

49. Which of the following describe categories of entity objectives that must
exist before management can identify potential events?
A. High-level strategic goals aligned with and supporting the
organization’s vision or mission.
B. Effectiveness and efficiency of internal reporting.
C. Relevance of non-financial information and reporting.
D. Compliance with all laws and regulations.
E. All of these are categories of entity objectives.
A
50. Event identification includes:
A. Only negative events that impact risk.
B. Only positive events that indicate opportunities.
C. Both positive and negative events.
D. Neither positive nor negative events.
C

Use the following graph of the cost/benefit model for risk analysis to answer the next
five questions.

[Graph: cost/benefit model for risk analysis, with five labelled elements (1) to (5);
the horizontal axis runs from 0 to 100.]

60. What does (1) represent?
A. Total cost
B. Loss area
C. Cost of controls
D. Level of assurance
E. Optimal point of reasonable assurance
A

61. What does (2) represent?
A. Total cost
B. Loss area
C. Cost of controls
D. Level of assurance
E. Optimal point of reasonable assurance
B
62. What does (3) represent?
A. Total cost
B. Loss area
C. Cost of controls
D. Level of assurance
E. Optimal point of reasonable assurance
C

63. What does (4) represent?
A. Total cost
B. Loss area
C. Cost of controls
D. Level of assurance
E. Optimal point of reasonable assurance
E

64. What does (5) represent?
A. Total cost
B. Loss area
C. Cost of controls
D. Level of assurance
E. Optimal point of reasonable assurance
D
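The cost/benefit model behind questions 28, 32 to 34 and the graph above, worked through as an added example that is not part of the original chapter: expected loss is estimated probable loss per occurrence times estimated annual frequency, total cost is the cost of controls plus the expected loss that remains, and the optimal point of reasonable assurance is the control set with the lowest total cost. The risks, controls, loss figures and reduction fractions are constructed for illustration; none of the names or numbers come from the text.

```python
"""Cost/benefit model for risk analysis (added example, not from the text).

Expected annual loss from a risk = estimated probable loss per occurrence
x estimated annual frequency. A control has an annual cost and removes a
fraction of the frequency of the risks it addresses. Total cost = cost of
controls + expected loss that remains. The optimal point of reasonable
assurance is the control set with the lowest total cost, which is usually
not "every control available".

Risks, controls, loss figures and reduction fractions are constructed.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Risk:
    name: str
    probable_loss: float     # estimated loss per occurrence
    annual_frequency: float  # estimated occurrences per year

    def expected_loss(self) -> float:
        return self.probable_loss * self.annual_frequency


@dataclass
class Control:
    name: str
    annual_cost: float
    reduction: dict  # risk name -> fraction of that risk's frequency removed


def residual_expected_loss(risks, controls):
    """Expected loss left after the given controls; reductions on the same
    risk compound multiplicatively (two 50% controls leave 25%)."""
    total = 0.0
    for risk in risks:
        frequency = risk.annual_frequency
        for control in controls:
            frequency *= 1.0 - control.reduction.get(risk.name, 0.0)
        total += risk.probable_loss * frequency
    return total


def total_cost(risks, controls):
    return sum(c.annual_cost for c in controls) + residual_expected_loss(risks, controls)


def cost_curve(risks, controls):
    """Every control subset as (control spend, residual loss, total, names),
    sorted by spend: the three curves of the cost/benefit graph."""
    points = []
    for k in range(len(controls) + 1):
        for subset in combinations(controls, k):
            spend = sum(c.annual_cost for c in subset)
            residual = residual_expected_loss(risks, subset)
            points.append((spend, residual, spend + residual, tuple(c.name for c in subset)))
    return sorted(points)


def optimal_control_set(risks, controls):
    """The subset with the minimum total cost: the optimal point of assurance."""
    best = min(cost_curve(risks, controls), key=lambda p: p[2])
    return best[2], best[3]


# Constructed register: expected losses of 20,000 + 25,000 + 20,000 per year.
RISKS = [
    Risk("information security breach", 200_000, 0.10),
    Risk("computer system failure", 50_000, 0.50),
    Risk("unauthorized transaction", 5_000, 4.00),
]
# Constructed controls (hypothetical costs and reduction fractions).
CONTROLS = [
    Control("access control review", 6_000,
            {"information security breach": 0.5, "unauthorized transaction": 0.6}),
    Control("offsite backup", 8_000, {"computer system failure": 0.8}),
    Control("transaction authorization limits", 3_000, {"unauthorized transaction": 0.5}),
    Control("24x7 security monitoring", 40_000,
            {"information security breach": 0.7, "unauthorized transaction": 0.2}),
]

if __name__ == "__main__":
    print(f"uncontrolled expected loss: {residual_expected_loss(RISKS, []):,.0f}")
    for spend, residual, total, names in cost_curve(RISKS, CONTROLS):
        print(f"controls {spend:>7,.0f}  residual {residual:>8,.0f}  total {total:>8,.0f}  {names}")
    cost, names = optimal_control_set(RISKS, CONTROLS)
    print(f"optimal: {names} at total cost {cost:,.0f}")
```

Running it prints the three curves as a table: as control spend rises, residual loss falls and total cost first falls and then rises. With these figures the optimum is the first three controls at a total cost of 36,000; adding the monitoring control as well cuts residual loss further but lifts total cost to 68,200, which is why "all possible controls" (question 34, option A) is not the optimal point.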

TRUE/FALSE QUESTIONS

1. The Sarbanes-Oxley Act of 2002 recommended that every publicly traded
company include a report in its annual report assessing the effectiveness of
the company's internal control structure and procedures.
T

2. One factor of the internal environment is management's philosophy and
operating style.
T

3. One factor of the internal environment is integrity and ethical values.
T

4. One factor of the internal environment is the audit committee.
T

5. One factor of the internal environment is the board of directors.
T
6. One factor of the internal environment is organizational structure.
T

7. Two factors of the internal environment are the board of directors and control
activities.
F

8. Public interest in internal control is not as high now as it was twenty years
ago.
F

9. Controls must be justified by the benefits to be derived.
T

10. Three characteristics of high-quality information are that it is accurate,
complete, and required by more than 70% of the users of the accounting
system.
F

11. The Sarbanes-Oxley Act of 2002 requires each member of the audit
committee of a publicly traded company to be an independent member of the
board of directors.
T

12. The Sarbanes-Oxley Act of 2002 requires that a publicly traded company’s
independent auditor report directly to the audit committee.
T

13. Internal control is a state, or condition, of an organization's internal control at
a point in time.
F

14. Parties who are interested in an organization's internal control include
management, stakeholders, legislators, auditors, and professional
organizations.
T

15. The Foreign Corrupt Practices Act was passed to protect investors by
improving the accuracy and reliability of corporate disclosures made
pursuant to the securities laws.
F

16. Management is not required to report on its internal control.
F
17. The four objectives in the internal control framework are related to
organizational strategy, effectiveness of reporting (internal and external),
effectiveness and efficiency of operations, and compliance with applicable
laws and regulations.
T

18. The internal environment is the organizational infrastructure that supports
internal control.
T

19. One of the basic factors of the internal environment is an historical
perspective of the organization.
F

20. One of the basic factors of the internal environment is the board of directors
or audit committee.
T

21. The audit committee is composed of top managers of a company.
F

22. The organizational structure defines limits of managerial authority, areas of
responsibility, and lines of reporting.
T

23. The Enterprise Risk Management (ERM) framework discusses the
relationship between risk and strategy-setting.
T

24. The Sarbanes-Oxley Act (SOX) allows the director of internal audit to attest
to the internal control system of the company.
F

25. IT governance refers to the board of directors' policies and procedures
related to the choice of IT audit firms.
F

26. Type II SAS 70 reviews are required for all third party service providers.
T

27. The Sarbanes-Oxley Act (SOX) requires that the external audit firm for a
company be rotated every five years.
F
SHORT ANSWER QUESTIONS

1. The president of a small company boasted to associates at a business club,
"Fortunately, we don't need internal control. You see, we're a family
business, and we're not going to steal from one another." Discuss the
wisdom of the president's statement.

Answer:
The president of the small company should be told that internal control
addresses risks other than theft. Internal control provides reasonable
assurance about the quality of information, the effectiveness and efficiency
of operations, and compliance with applicable laws and regulations. In
addition, many people have paid a high price to learn that intrafamily theft
can indeed occur.

2. An organization has just been audited by its external auditors. One
recommendation made by the auditors was to establish human resource
policies and practices to strengthen the organization's control environment.
Discuss the kinds of human resource policies and practices the organization
should consider.

Answer:
Key human resource policies and practices that should be included in any
discussion are:
- Hiring. The organization should hire the best people it can and should pay
proper attention to the competency and integrity of prospective employees.
Newly hired employees should be assigned to responsibilities they can
handle and for which they are best suited.
- Orientation and training. Management should recognize the importance of
effectively orienting and training employees and should use a variety of
formal and informal training techniques.
- Evaluating and counseling. Periodic performance review and evaluation
procedures should focus on helping employees improve performance or,
where necessary, on transferring employees to more suitable work or even
terminating them.
- Promoting. Promotion policies should reward employees for outstanding
performance. The prospect of promotion helps create an environment in
which employees see the possibility of long-term careers with the
organization.
- Compensating. Employees must be properly compensated for their
performance in carrying out their assigned responsibilities.
- Remedial actions. An organization should establish written policies and
procedures stating the disciplinary actions that will follow violations of
expected behavior. Prompt, impersonal disciplinary action sends the message
that violations will not be tolerated.
- In addition, employees should have the resources they need to fulfill their
job responsibilities: a supportive working environment, appropriate
technology, information, and effective supervisors to whom they can turn for
help when needed.

3. What are the documents that have contributed to our understanding of
internal control and the methods to achieve effective internal control?

Answer:
The documents are:
a. The Committee of Sponsoring Organizations of the Treadway
Commission’s Internal Control-Integrated Framework (COSO)
b. The Institute of Internal Auditors Research Foundation’s Systems
Auditability and Control Report (SAC)
c. The Information Systems Audit and Control Foundation’s Control
Objectives for Information and Related Technology (COBIT)
d. The American Institute of Certified Public Accountants’ Statement of
Auditing Standards No. 94 - The Effect of Information Technology
on the Auditor’s Consideration of Internal Control in a Financial
Statement Audit: An Amendment to SAS No. 55.
e. The Committee of Sponsoring Organizations Enterprise Risk
Management—Integrated Framework.

4. What are the components of internal control?

Answer:
The components of internal control are:
a. Internal environment
b. Objective setting
c. Event identification
d. Risk assessment
e. Risk response
f. Control activities
g. Information and communication
h. Monitoring

5. What are four indications of management’s philosophy and operating style?

Answer:
Indicators of management’s philosophy and operating style are:
a. Behavior toward other managers or personnel
b. Approach to business risk
c. Attitude toward accounting functions
d. Attitude toward information processing
6. Define what a SAS 70 review is used for AND describe what the two
different types of reports that can result from one of these reviews will
contain.

Answer:
A SAS 70 examination lets a service organization obtain a single report on its
controls that serves the auditors of all or most of its user organizations,
instead of answering each user organization's audit inquiries separately. It
is part of the due diligence expected before activities are outsourced, and it
supports the user organization's Sarbanes-Oxley compliance work. A Type I
report describes the controls at a specific point in time, with an opinion on
whether the description presents fairly the relevant aspects of the controls
and whether the controls were suitably designed to achieve the specified
control objectives. A Type II report also includes an opinion on whether the
controls tested were operating with sufficient effectiveness to provide
reasonable assurance that the control objectives were achieved during a
specified period (usually 6 to 12 months).

7. Describe 4 requirements pertaining to Sarbanes-Oxley.

Answer:
Any four of these: management attestation to internal control; auditor
attestation to internal control; the audit firm may not provide certain
non-audit services contemporaneously with the audit; the PCAOB, formed with
five "financially literate" members, three of whom must be non-CPAs; the
audit partner on an engagement must be rotated every five years; audit
committee membership requirements and duties (at least one financially
literate member); no personal loans to executives; criminal penalties for
destroying or creating documents that impede an investigation; disclosure of
material adjustments and of off-balance-sheet transactions with
unconsolidated entities.

8. Describe the risk response component of the Enterprise Risk Management
(ERM) framework.

Answer:
There are four responses to an identified risk: avoid, reduce (mitigate),
share, or accept. Management selects the response that brings the residual
risk to a level aligned with the organization's risk tolerance or appetite,
weighing the cost of each response against its benefit. In addition to
considering responses to risks individually or in groups, management
considers the aggregate effect of risk responses across the organization
(the portfolio approach).
9. Define Enterprise Risk Management.

Answer:
Enterprise risk management is a process, effected by the board of directors,
management, and other personnel, that is applied in strategy setting and
across the entity. It includes identifying potential events (both
positive/opportunities and negative/risks) and determining the response to
those events. ERM allows management to manage risk within the organization's
risk appetite and provides reasonable assurance regarding the achievement of
entity objectives related to strategy, information reporting,
effectiveness/efficiency of operations, and compliance with applicable laws
and regulations.

10. Provide some examples of risks to accounting information systems.

Answer:
- Information security breaches
- Computer system failure and/or improper backup of the system
- Accounting system's inability to meet the organization's and users' needs
- Excessive hardware and software acquisition costs
- Excessive operating and maintenance costs
- Inadequate training, development, and supervision of personnel
- Errors and inappropriate acts in transaction and master file maintenance
authorizations
- Errors and inappropriate acts in data input, processing, and output
- Fraudulent financial reporting
- Concealment of illegal acts

11. List some examples of things that would change the risk profile of an
organization.

Answer:
- Changes in the operating environment
- New personnel (especially changes in executive management)
- New or modified accounting systems/new technology
- Rapid growth
- Corporate reengineering
- Expansion into new markets or product lines
- Expanded foreign operations
- New accounting pronouncements
- Government legislation (e.g., Sarbanes-Oxley Act)

12. Define the following risk responses: avoid, reduce, share, accept.

Answer:
Avoiding the risk means stopping or exiting the activity so that the risk no
longer exists. Reducing the risk means that management takes steps to lower
the likelihood and/or impact of the identified risk, through control
activities or other means. Sharing the risk means lowering the likelihood or
impact of the risk by transferring part of it to another party, as when
insurance is purchased to protect the organization from losses due to fire.
Accepting the risk means taking no action to reduce its likelihood or impact.
In some cases a risk cannot be avoided and the organization accepts it
because it is impossible to control, because it is too expensive to control,
or because its realization would have little impact on the achievement of
management objectives.
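The response selection described in answers 8 and 12, carried through as an added example that is not part of the original chapter: each of the four responses is priced as an annual cost plus the fraction of expected loss that remains, a response is chosen per risk against a per-risk tolerance, and the residuals are then checked as a portfolio against the organization's appetite. The risk register, the costs attached to each response, the tolerance and the appetite are all constructed for illustration (the names and numbers are assumptions, not from the text).

```python
"""Choosing a risk response (avoid, reduce, share, accept) under a risk
appetite: added example, not from the text.

Each response to a risk is priced as (annual cost, fraction of the expected
loss that remains):
  avoid  - stop the activity: cost is the foregone benefit, nothing remains
  reduce - control activities: cost of the control, residual is what it misses
  share  - e.g. insurance: cost is the premium, residual is the retained part
  accept - no action: no cost, the whole expected loss remains
Per risk, the cheapest response (cost + residual) whose residual fits a
per-risk tolerance is chosen. The residuals are then viewed as a portfolio:
if their sum exceeds the organization's appetite, the cheapest further
reduction is applied until it fits. Register, prices and thresholds are
constructed.
"""
from dataclasses import dataclass, field


@dataclass
class RiskItem:
    name: str
    likelihood: float  # probability of occurrence per year
    impact: float      # loss if the event occurs
    options: dict = field(default_factory=dict)  # response -> (cost, residual fraction)

    def expected_loss(self) -> float:
        return self.likelihood * self.impact

    def priced_options(self):
        """[(response, cost, residual expected loss, total cost)]"""
        loss = self.expected_loss()
        return [(resp, cost, loss * frac, cost + loss * frac)
                for resp, (cost, frac) in self.options.items()]


def choose_response(item, tolerance):
    """Cheapest total among responses whose residual is within tolerance;
    if none fits, the response that leaves the least residual."""
    options = item.priced_options()
    within = [o for o in options if o[2] <= tolerance]
    if within:
        return min(within, key=lambda o: o[3])
    return min(options, key=lambda o: (o[2], o[3]))


def plan_portfolio(items, tolerance, appetite):
    """Per-risk choices, then the portfolio check against appetite.
    Returns (plan by risk name, aggregate residual, total cost)."""
    by_name = {it.name: it for it in items}
    plan = {it.name: choose_response(it, tolerance) for it in items}
    # Choices that are fine one at a time can still exceed the appetite in
    # aggregate; tighten whichever switch removes the most residual per
    # extra dollar, and repeat until the portfolio fits.
    while sum(o[2] for o in plan.values()) > appetite:
        best = None  # (residual removed per extra dollar, risk name, option)
        for name, (_, cost, residual, _) in plan.items():
            for alt in by_name[name].priced_options():
                if alt[2] >= residual:
                    continue
                extra = alt[1] - cost
                value = (residual - alt[2]) / extra if extra > 0 else float("inf")
                if best is None or value > best[0]:
                    best = (value, name, alt)
        if best is None:
            raise ValueError("no remaining response brings the portfolio within appetite")
        plan[best[1]] = best[2]
    aggregate = sum(o[2] for o in plan.values())
    total = sum(o[3] for o in plan.values())
    return plan, aggregate, total


# Constructed register; all probabilities, impacts and response prices are
# hypothetical.
RISK_REGISTER = [
    RiskItem("cloud outage", 0.20, 100_000,
             {"accept": (0, 1.0), "reduce": (7_000, 0.25), "share": (6_000, 0.5)}),
    RiskItem("bribery exposure in a new market", 0.05, 500_000,
             {"avoid": (12_000, 0.0), "reduce": (9_000, 0.4), "accept": (0, 1.0)}),
    RiskItem("laptop theft", 0.50, 4_000,
             {"accept": (0, 1.0), "reduce": (3_000, 0.1)}),
]

if __name__ == "__main__":
    for appetite in (10_000, 6_000):
        plan, aggregate, total = plan_portfolio(RISK_REGISTER, tolerance=8_000, appetite=appetite)
        print(f"appetite {appetite:,}: aggregate residual {aggregate:,.0f}, total cost {total:,.0f}")
        for name, (resp, cost, residual, _) in plan.items():
            print(f"  {name}: {resp} (cost {cost:,.0f}, residual {residual:,.0f})")
```

With an appetite of 10,000 the per-risk choices (reduce the outage risk, avoid the new market, accept laptop theft) already fit, leaving 7,000 of aggregate residual. Lowering the appetite to 6,000 changes nothing about any single risk, yet the portfolio no longer fits; the cheapest fix is to switch laptop theft from accept to reduce, which is the aggregate view the portfolio approach exists to force.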
