Professional Documents
Culture Documents
Correct
Correct
auditor should
A. Determine how the risk should best be managed.
B. Provide assurance on the management of the risk.
Answer (B) is correct.
The internal audit activity must evaluate and contribute
to the improvement of governance, risk management,
and control processes using a systematic and disciplined
approach (Perf. Std. 2100). Assurance services involve
the internal auditor’s objective assessment of
management’s risk management activities and the degree
to which they are effective.
C. Update the risk management process based on risk
exposures.
D. Design controls to mitigate the identified risks.
Question: 4 Which of the following goals sets risk management strategies at the
optimum level?
A. Minimize costs.
B. Maximize market share.
C. Minimize losses.
D. Maximize shareholder value.
Answer (D) is correct.
The risk management processes chosen depend on the
organization’s culture, management style, and business
objectives. These choices should optimize stakeholder
(for example, shareholder) value by coping effectively
with uncertainty, risks, and opportunities. Thus,
maximizing shareholder value is a comprehensive
approach that relates to risk management strategies
across the organization.
I. Significant risks
II. Ongoing monitoring activities
III. Previous risk evaluation reports by management, internal
auditors, external auditors, and any other sources
A. I and II only.
Answer (A) is correct.
Significant risks and ongoing monitoring activities are
assessed by the internal audit activity as part of the risk
management process (Inter. Std. 2120). But review of
previous risk evaluation reports is a means of obtaining
evidence for an assessment.
B. I and III only.
C. II and III only.
D. I, II, and III.
Question: 12 The board’s expectations of the internal audit activity regarding the
risk management process is
A. Noted in the work programs for formal consulting
engagements.
B. Included in the business continuity plan.
C. Codified in the charters of the internal audit activity and the
board.
Answer (C) is correct.
The chief audit executive (CAE) is to obtain an
understanding of senior management’s and the board’s
expectations of the internal audit activity in the
organization’s risk management process. This
understanding is then codified in the charters of the
internal audit activity and the board (PA 2120-1, para. 4).
D. Reviewed by the internal auditors immediately following a
disaster.
Question: 13 Which of the following is the most accurate term for a process to
identify, assess, manage, and control potential events or situations
to provide reasonable assurance regarding the achievement of the
organization’s objectives?
A. The internal audit activity.
B. Control process.
C. Risk management.
Answer (C) is correct.
Risk management is “a process to identify, assess,
manage, and control potential events or situations to
provide reasonable assurance regarding the achievement
of the organization’s objectives” (The IIA Glossary).
Accordingly, the internal audit activity evaluates and
contributes to the improvement of risk management,
governance, and control processes using a systematic and
disciplined approach.
D. Consulting service.
I. Monitoring activities.
II. Evaluating the risk management process as part of the
engagement plan.
III. Participating on oversight committees, monitoring of
activities, and status reporting.
IV. Managing and coordinating the process.
A. I only.
B. II only.
C. I, II, and III only.
D. I, II, III, and IV.
Answer (D) is correct.
The internal audit activity’s role in the risk management
process of an organization can change over time and
may include responsibilities along a continuum that
extends from (1) no role; (2) auditing the risk
management process as part of the internal audit plan;
(3) active, continuous support and involvement in the
risk management process, such as participation on
oversight committees, monitoring activities, and status
reporting; and (4) managing and coordinating the
process (PA 2120-1, para. 4).
Question: 15
The internal audit activity must evaluate the effectiveness and contribute to the
improvement of risk management processes. With respect to evaluating the adequacy
of risk management processes, internal auditors most likely should
A. Recognize that organizations should use similar techniques for managing
risk.
B. Determine that the key objectives of risk management processes are being
met.
Answer (B) is correct.
Internal auditors need to obtain sufficient and appropriate evidence to
determine that key objectives of the risk management processes are being
met to form an opinion on the adequacy of risk management processes
(PA 2120-1, para. 8).
C. Determine the level of risks acceptable to the organization.
D. Treat the evaluation of risk management processes in the same manner as the
risk analysis used to plan engagements.
Question: 21 Which of the following is the correct order of steps in the risk
management process?
I. Prioritize risks
II. Monitor risk responses
III. Formulate risk responses
IV. Assess risks
V. Identify risks
A. V, IV, I, III, II.
Answer (A) is correct.
The risk management process involves five steps in the
following order: identify risks, assess risks, prioritize
risks, formulate risk responses, and monitor risk
responses.
B. I, II, III, IV, V.
C. V, I, III, IV, II.
D. V, I, IV, III, II.
Question: 23 Which of the following are part of the risk analysis process?
1. Evaluating strategies,
2. Setting related objectives, and
3. Developing risk management methods.
Increasing the net present value of investments is an
operational objective. It would be determined after
consideration of the entity’s risk appetite and other
strategic factors
Question: 36 Which of the following control models is fully incorporated into the
broader integrated framework of enterprise risk management
(ERM)?
A. CoCo.
B. COSO.
Answer (B) is correct.
The Committee of Sponsoring Organizations of the
Treadway Commission published Enterprise Risk
Management – Integrated Framework. This document
describes a model that incorporates the earlier COSO
internal control framework while extending it to the
broader area of enterprise risk management.
C. Electronic Systems Assurance and Control.
D. COBIT.
Question: 39 The internal auditors are assessing the risk of fraud involving senior
management. An impact factor is
A. Nonretention of customers.
Answer (A) is correct.
An impact factor is a potential result of an event. These
events are usually identified through the risk assessment
process. For example, the consequences of fraud may
include direct financial loss and harm to its reputation,
which in turn may lead to inability to attract skilled
employees or customers.
B. Inadequacy of internal controls.
C. Unusual transactions.
D. Potential override of internal controls.
Question: 41 Under the COSO’s ERM framework, which of the following most
accurately describes risk management responsibilities?
A. In practice, management has primary responsibility.
Answer (A) is correct.
The board has overall responsibility. However, in
practice, the board delegates responsibility for ERM to
senior management, which should ensure that sound
processes are in place and functioning.
B. The internal audit activity has an oversight role.
C. The board provides assurance about the effectiveness of
ERM.
D. The chief audit executive should serve as chief risk officer.
I. Strategic objectives
II. Operations objectives
III. Reporting objectives
IV. Compliance objectives
A. I and II only.
Answer (A) is correct.
Strategic and operational matters are affected by external events that the
entity may not control. Thus, ERM should provide reasonable assurance
that management and the board receive timely information about whether
those objectives are being achieved.
B. III and IV only.
C. II and IV only.
D. I and III only.
Question: 50
I. Reporting is reliable
II. Compliance is achieved
III. The extent of achievement of strategic and operations
objectives is known
A. I and II only.
B. II and III only.
C. I and III only.
D. I, II, and III.
Answer (D) is correct.
When ERM is effective regarding all of the objectives,
the board and management have reasonable assurance
that (1) reporting is reliable, (2) compliance is achieved,
and (3) the extent of achievement of strategic and
operations objectives is known.
Question: 51 Which of the following statements regarding the chief risk officer
is false?
A. The creation of a separate risk management function may
include the appointment of a chief risk officer.
B. The chief risk officer is a member of management assigned
primary responsibility for ERM processes.
C. The chief risk officer is most effective when supported by
a specific team with the necessary expertise.
D. The chief risk officer should be employed in the internal
audit function.
Answer (D) is correct.
The chief risk officer should not be employed in the
internal audit function
Question: 53 Which of the following are core assurance roles provided by the
internal audit activity?
Question: 54 Which of the following is not an example of an internal audit role that
may be performed as a consulting engagement, given safeguards
against loss of independence and objectivity?
A. Being accountable for risk management.
Answer (A) is correct.
This would threaten the audit activity’s independence
and objectivity and therefore should not be performed as
part of a consulting engagement.
B. Championing establishment of ERM.
C. Facilitating identification and evaluation of risks.
D. Developing a risk management strategy for board approval.
Question: 55 Which of the following are roles that the internal audit activity
should not undertake since they would threaten its independence
and objectivity?
A. Imposing risk management processes.
B. Making decisions on risk responses.
C. Implementing risk responses on management’s behalf.
D. All of the answers are correct.
Answer (D) is correct.
The internal audit activity should not undertake roles that
threaten its independence and objectivity. Examples of
such roles are
I. It is progressing as expected
II. It adds value
III. It meets organizational needs
A. I and II only.
B. II and III only.
C. I and III only.
D. I, II, and III.
Answer (D) is correct.
The maturity model approach is based on the principle
that effective risk management processes develop as
value is added at each stage of maturation. Accordingly,
this approach determines where risk management is on
the maturity curve and whether (1) it is progressing as
expected, (2) adds value, and (3) meets organizational
needs.
Question: 59 Which component of ERM are policies and procedures that ensure
the effectiveness of risk responses?
A. Control activities.
Answer (A) is correct.
Control activities are policies and procedures to ensure
the effectiveness of risk responses.
B. Risk assessment.
C. Monitoring.
D. Information and communication.
The internal audit activity usually provides assurance about which of
the following?