1. How is risk measured?

In terms of impact and likelihood.

2. What is a risk-based audit plan?

An audit plan that is logically related to the identified risks of the organization.

3. What is included in the audit universe?

All business units, processes, or operations that can be evaluated and defined.

4. Besides the audit universe, what else is the internal audit activity’s audit plan based on?

 Assessed risks
 Input from senior management and the Board

5. List internal risk factors.

 Quality of and adherence to controls

 Degree of change
 Timing and results of last engagement
 Impact
 Likelihood
 Materiality
 Asset liquidity
 Management competence

6. List external risk factors.

 Competitor actions
 Supplier prices and quality
 Industry issues
 Employee relations
 Government relations

7. Define risk management as defined by the IIA.

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance
regarding the achievement of the organization’s objectives.

8. Define inherent risk.

The susceptibility of information or data to a material misstatement given no related mitigating controls.

9. Define current (residual) risk.

Risk managed within existing controls or control systems.

10. With regard to risk, an internal audit plan focuses on

 Unacceptable current risks requiring management action

 Control systems on which the organization is most reliant
 Areas where the difference between inherent risk and residual risk is great
 Areas where inherent risk is very high
11. The internal audit plan prioritizes the internal audit activity’s engagements to obtain an understanding of the
organization’s

 Strategies
 Objectives
 Risks
 Risk management procedures

12. What is the key input in the evaluation of risk?

The internal auditor’s judgment.

13. The internal audit activity’s audit plan is based on

 The audit universe

 Input from senior management and the board
 Assessed risks

14. Define risk modeling.

An effective method used to rank and validate risk priorities when prioritizing engagements in the audit plan.

15. What is the audit risk model used by the AICPA?

Audit risk = Risk of material misstatement × Detection risk-base

Audit risk = (Inherent risk × Control risk) × Detection risk

16. Define audit risk in an internal audit context.

The risk that the auditor will provide senior management and the Board with flawed or incomplete information
about governance, risk management, and control.

17. Define inherent risk in an internal audit context.

The risk arising from the nature of the account or activity under review.

18. Define control risk in an internal audit context.

The risk that the system of internal control designed and implemented by management will fail to achieve
management’s goals and objectives for the account or activity under review.

19. Define detection risk in an internal audit context.

The risk that the auditor will fail to discover conditions relevant to the established audit objectives for the account
or activity under review.

20. Which of the four risks–audit, inherent, control, or detection–is under the auditor’s direct control?

Detection risk.

21. The components of inherent risk, control risk, and detection risk may be assessed in ____[1]____ or
____[2]____ terms.

 Quantitative
 Nonquantitative

22. Risk modeling in a consulting service can be accomplished by ranking the engagement’s potential to
  Improve management of risks,
 Add value, and
 Improve the organization’s operations

23. Risk factors (e.g., impact and likelihood) may be ____[1]____ based on professional judgments to determine
their ____[2]____, but the ____[3]____ need not be quantified.

 Weighted
 Relative significance
 Weights

24. Who is responsible for communicating the internal audit activity’s plans, resource requirements, purpose,
responsibility, etc., to senior management and the Board for review and approval?

Chief Audit Executive.

25. The proposed internal audit plan and the risk assessment are discussed with the board to communicate
_____[1]_____ and _____[2]_____.

 The risks addressed by the plan

 Those risks that cannot be addressed because of resource limits

26. The proposed internal audit plan includes

 The proposed assurance and consulting engagements

 The reason for selecting each engagement
 Objectives and scope of each engagement
 Projects indicated by the internal audit strategy

27. Who determines the frequency and content of reporting?

 The CAE
 Senior management
 The board

28. When the CAE believes that senior management has accepted an unacceptable risk, with whom must the CAE
discuss the matter first?

Senior management.