
McKeever CRMA Study System Course Overview

Course Overview
Thank you for using the McKeever CRMA Study System as a tool to help
you pass The IIA CRMA Exam.

Passing the exam portion of the CRMA exam involves 2 parts – 1) passing
Part 1 of the CIA Exam and 2) passing the CRMA Exam.

The actual CRMA Exam questions are confidential. As a result, the material
and practice questions presented are representative of the body of
knowledge tested by the CRMA Exam. They are not actual questions from
current or past CRMA Exams. The material has been developed and
compiled to the best of the author’s knowledge and from applying CRMA
principles as a Risk Management Practitioner.
The McKeever CRMA Study System will help you prepare for the CRMA
Exam as follows:
1) describes the many areas covered by the CRMA Exam

2) presents over 300 practice questions similar to what you will see on the
CRMA Exam

3) makes you comfortable with complexities and approaches required to
choose the BEST answer

4) provides you with guidance for correct answers and feedback about
incorrect answers

5) helps you identify areas on the CRMA Exam that will require your
additional study time

The IIA web site lists a variety of study material and references to use in
passing Part 1 of the CIA Exam. The IIA web site also contains a listing of
references to use for the CRMA Exam.

The McKeever CRMA Study System covers the CRMA Exam in-depth.

The wording of multiple-choice questions can often be a greater challenge
than the actual material being tested. Therefore, throughout this workbook
there will be opportunities to understand both the technical material that
may appear on the CRMA Exam as well as how to clarify the wording used
in questions.

© 2013 Contemporary Business Concepts, LLC, Danbury Connecticut USA 1



This material contains extensive discussion of the technical topics that
may appear on the CRMA Exam. There are sample questions within each
domain related to the topics. These domains contain the correct answer to
each question along with an explanation, which examines the wording of
the question. There are a substantial number of advanced questions.
These questions are more typical of what will appear on the CRMA Exam.
These advanced questions are presented in two parts. The first part
provides the questions only. The second part is more comprehensive with
the questions and their answers highlighted, along with an explanation of
the correct answer. Periodically throughout the workbook, there will be
extractions from these advanced questions to examine their wording
content, keyword traps, and technical content.

Although the discussions in each domain contain substantial material, it is
advised that participants review the advanced questions. Reviewing
practice questions and becoming familiar with the wording of multiple-
choice questions can be a great aid in preparing for a multiple-choice test.

There are also additional references available at www.pleier.com including
McKeever CCSA Study System, Operational Auditing: Adding Value to
Organizations, Risk Management & Risk Assessment, Exceeding
Expectations for Internal Auditors, and Transition: Internal Audit to Internal
Assurance.

Although review courses by themselves, including the McKeever CRMA
Study System, are generally not sufficient to ensure exam success, this
study system will certainly provide you with an approach to significantly
improve your chances of passing. The IIA web site offers a variety of
additional references for further study that are also listed in the Reference
Module of this workbook.

Please feel free to contact me at [email protected].

Wishing You the Best of Success on the CRMA Exam,

John J. McKeever
CRMA, CCSA, CQA, CFE, CPC, CBC




McKeever CRMA Study System


Author
John J. McKeever
CRMA, CCSA, CQA, CFE, CPC, CBC
John McKeever is President & COO of Contemporary Business Concepts, LLC.
John has served as an Operations Manager, Consultant, Instructor, and on the
audit staff of AT&T. During his 15 years in the audit department at AT&T, he
conducted and led a wide range of audits and consulting projects. These
included numerous audits and projects of finance, operations, and information
technology processes.
John frequently speaks at public seminars, professional associations, state and
federal agencies, and corporations. His work has included developing and
delivering risk and control management programs specifically focused for the
needs of Senior Executives, Boards of Directors, and Audit Committees.
While in private practice, at the AT&T School of Business, and at The Institute of
Internal Auditors, John has developed and delivered a number of programs which
include: The McKeever CRMA Study System, The McKeever CCSA Study
System, Consulting: A Value Added Service The Tools and Techniques That
Make It Work, COSO The Steps To Success, and Help Your Client Succeed with
Control Self-Assessment.

For his achievements as a seminar leader, The Institute of Internal Auditors has
awarded John the designation of Distinguished Adjunct Faculty Member.
In addition, John has authored numerous research papers that have addressed
the concepts of process improvement in business, employee empowerment, and
the management of effective teams. Using these tools, he has guided and
encouraged thousands of domestic and international professionals to move
toward process and business improvements.
John has degrees in Business Administration and Management from
Northeastern University, a Master of Science Degree in Management from
Stevens Institute of Technology, and a graduate level Certificate in Total Quality
Management from the University of Phoenix. He is a Certified Quality Auditor, a
Certified Fraud Examiner, a Certified Business Manager, a Certified Professional
Consultant, and holds a Certification in Risk Management Assurance. In addition,
John holds both a Control Self-Assessment Qualification and a Certification in
Control Self-Assessment.
He is a member of the American Society for Quality, The Institute of Internal
Auditors, The Association of Business Professionals in Business Management,
and the Association of Certified Fraud Examiners.




Index

Course Overview

Domain I: Organizational governance related to risk management

Domain II: Principles of risk management processes

Domain III: Assurance role of the Internal Auditor (IA)

Domain IV: Consulting role of the Internal Auditor (IA)

Suggested Additional References

Appendices

Application Questions

Application Questions, Answers & Explanations




Overview

CRMA® and the McKeever CRMA Study System

Certificate in Risk Management Assurance (CRMA)

The Certificate in Risk Management Assurance® (CRMA®) is a specialty
certification program offered by The Institute of Internal Auditors (The IIA).
It is designed for internal auditors who develop specialized risk
management assurance skills. Gaining the required knowledge of areas
such as risk and control exposes internal auditors to the concepts that are
vital in more effectively using risk management principles to help clients
achieve their objectives.

Internal auditors at any experience level, in almost all positions, will benefit
from this certification program.

Visit the IIA’s web site www.theiia.org. There you will find a number of
valuable resources listed to help you pass both Part 1 of the CIA Exam and
the CRMA Exam.

Be certain to review The IIA’s web site resources in detail as the
information listed there tells what you need to know about the
requirements for becoming a CRMA including a CRMA Exam overview.

The McKeever CRMA Study System builds on the information available at
The IIA web site. It does not replace the need to review the information on
that web site.

The McKeever CRMA Study System provides a studying methodology and
techniques to help you successfully pass the CRMA Exam. In addition, you
should find that the McKeever CRMA Study System is an excellent,
practical, application reference source for applying risk management
principles in practice.




CRMA Exam
The CRMA Exam tests a candidate’s understanding of important risk
management fundamentals, processes, and related topics such as risks,
controls, and business objectives.

The CRMA Exam is offered using Computer-Based Testing (CBT) and is
available any time of the year at a large number of Pearson VUE test site
locations.

Pearson VUE is a major corporation specializing in CBT for a large number
of certifications. You can locate a test site near you at the Pearson VUE
web site http://www.pearsonvue.com under Financial Services - Institute of
Internal Auditors.

Registration

The IIA's online Certification Candidate Management System (CCMS) is
open for registering for the Certification in Risk Management Assurance.

The one-part CRMA exam includes 100 multiple-choice questions covering
the four domains that are addressed in the McKeever CRMA Study System:

Domain I: Organizational governance related to risk management

Domain II: Principles of risk management processes

Domain III: Assurance role of the Internal Auditor (IA)

Domain IV: Consulting role of the Internal Auditor (IA)

Candidates are given 2 hours to complete the CRMA Exam. For detailed
topic outlines, visit www.theiia.org/certification. Exam topics and format
are subject to change as approved by The IIA Board of Regents.




McKeever CRMA Study System

The McKeever CRMA Study System provides the following to help you
successfully pass the CRMA Exam:

1) outlines how to study for the CRMA Exam

2) explains, in detail, the information you need about the contents of each
domain on the CRMA Exam and demonstrates techniques to address multiple-
choice questions

3) provides over 300 sample questions, with answers and explanations, similar to
the ones you will see on the CRMA Exam - not the actual questions that may
appear on the CRMA Exam since the actual exam questions are confidential

4) provides an extremely valuable resource for both self-study mode and group
training

5) helps you identify areas where you need additional study prior to the exam

6) provides a guide for resources to use in preparing to pass the exam

How to Study for the CRMA Exam

There is no standard way to study for the CRMA Exam as each person has an
individual study style. However, the McKeever CRMA Study System does
provide proven test-taking techniques.

The McKeever CRMA Study System recommends that you:

Study the modules covering the CRMA Domains in any sequence

Limit study to a comfortable time in both group study and self-study

Do not try to cover everything in one session

For group study we recommend no less than 16 hours of team study. This time
should include reviews of both the content in the modules and review of the
Sample Questions with Answers and Explanations.

While studying the material you will see a STOP sign with a sample question. Try
to determine the “best answer”. Then look at the answer and explanation in the
Application Questions, Answers & Explanation module.

Review the Application Questions module after studying the Domain modules.




Do not try to identify every POSSIBLE answer; just concentrate on identifying
the “best” of the choices provided.

The answer for each question, with an explanation of how to arrive at the "best
answer", is contained in the Application Questions, Answers & Explanations
module.

Prior to taking the actual CRMA Exam we suggest that you become very
comfortable with both the format of the exam and the type of questions you may
see on the actual exam. That way you will have the full 2 hours of the exam time
to answer the actual questions efficiently without wasting time.

Practice the use of the Pearson Vue system used for the CRMA Exam.

An excellent way to accomplish this is:

Go to the Pearson Vue web site, download a copy of the full-featured Tutorial
Demo Test at http://www.pearsonvue.com/iia/ and install it onto your hard drive.
Use the full-featured Tutorial Demo Test a number of times concentrating on
using the various features of that test. The Pearson Vue Tutorial Demo shows a
variety of formats. The CRMA Exam uses ONLY 100 questions that are multiple-
choice format - text and graph formats (no video, pictures, or essay).

Use both the "About Pearson VUE exams" and the full-featured Tutorial Demo
Test downloaded from the Pearson web site as part of your study BEFORE you
arrive at the testing center and again immediately before starting the CRMA
Exam at the testing center. Especially learn to use the following features of the
Pearson Vue System – not listed in any particular order (the "About Pearson
VUE Exams" downloaded with the Tutorial Demo is an excellent place to learn
about these capabilities):

a) Navigator
- provides review process for questions
- use to track your progress versus time
- use to ensure you answer all questions
- understand the use of status of: COMPLETE, INCOMPLETE, UNSEEN

b) Time Remaining indicator – be a “clock watcher” – pace yourself to complete
the entire exam on time, answering ALL questions. If you do not know an answer
then guess, as there is no penalty for incorrect answers.

c) use of the PREVIOUS - NAVIGATOR - NEXT options

d) use of REVIEW ALL - REVIEW INCOMPLETE - REVIEW FLAGGED




e) use of the FLAGGED option

f) how to avoid prematurely exiting the exam

g) if you are taking the exam in a language other than English, make certain you
know how to see the English version of that question, in case needed

h) how to use the calculator provided for your use if needed

2) After using the Pearson Vue full-featured Tutorial Demo Test, then use the
Sample CRMA Questions on The IIA web site to review the type of questions on
the actual CRMA Exam. The Sample CRMA Questions on The IIA web site are
typical of what you will see on the CRMA Exam but are not presented using the
format of the CRMA Exam - the multiple-choice questions portion of the Pearson
Vue full-featured Tutorial Demo Test is the format used on the actual CRMA
Exam.

3) After using the Pearson Vue full-featured Tutorial Demo Test and reviewing
the Sample CRMA Questions on The IIA web site then try to answer the Sample
Questions in the Application Questions module of the McKeever CRMA Study
System. Then review and evaluate your answers and explanations in the
Application Questions, Answers & Explanations module.

Review any modules where you need additional information.

Consider acquiring any of the additional references listed on The IIA web site.

By this time you should feel comfortable with both the format of the CRMA Exam
and the type of questions you will see on the actual exam.

If you need additional study in an area covered on the CRMA Exam read the
content of that module in this workbook as many times as you need to. If you
need more in-depth understanding in an area use some of the references listed
on The IIA web site.

If you are ready to take the exam, schedule a time and complete your information.

We recommend that you complete documentation a month or more prior to the
CRMA exam so that you will have time to complete any additional study that you
need to pass the exam.

Be certain you made an appointment to take the test and know the exact location
of the test center. The address and directions are located at
http://www.pearsonvue.com/iia/.

On the day of the exam wear comfortable clothing as the exam is 2 hours long.




Arrive early so that you feel relaxed.

If you would like email notification when new Pleier Corporation titles are
available send an email to [email protected] with the following information:

Name: _____________________________________

Company: __________________________________

Address: ___________________________________

City: ___________________________________

State or Province: ____________________________

Zip or Postal Code ________________________

Country: __________________________________

Email Address: ______________________________

Telephone Number: ___________________________

Source of Purchase: _________________________

Note: If you purchase your product directly from Pleier Corporation your product is
registered.

I Wish You Success in Passing the CRMA Exam and Becoming CRMA Certified!

Author



McKeever CRMA Study System Organizational governance related to risk management

DOMAIN I:
ORGANIZATIONAL
GOVERNANCE
RELATED TO RISK
MANAGEMENT




Domain I: Organizations and Organizational Culture

The objective of this module is to better prepare the participant to pass the
Certification in Risk Management Assurance Exam by discussing and
analyzing the technical dimensions of this domain while discussing
techniques to best manage multiple-choice questions.

Included are discussions of the skill requirements of a CRMA to:

A. Assess risk management processes in the context of alignment with
strategic imperatives

1) Objectives of risk management processes
2) Organization's risk culture
3) Risk capacity, appetite, and tolerance of organization

B. Assess the processes related to the elements of the internal
environment in which organizations seek to manage risks and achieve
objectives

1) Integrity, ethical values, and other soft controls
2) Role, authority, responsibility, etc., for risk management
3) Management's philosophy and operating style
4) Legal / Organizational structure
5) Documentation of governance-related decision-making
6) Capabilities, in terms of people and other resources (e.g., capital, time,
processes, systems, and technologies)
7) Management of third party business relationships
8) Needs and expectations of key internal stakeholders
9) Internal policies

C. Assess the processes related to the elements of the external
environment in which organizations seek to manage risks and achieve
objectives

1) Key external factors (drivers and trends) that may impact the objectives of
the organization
2) Needs and expectations of key external stakeholders (e.g., involved,
interested, influenced)

Source: The IIA International web site




Organizations and Organizational Culture

In order for organizations to establish a risk culture, it is first necessary to
understand an organization as an entity. By simple definition, organizations are
social entities that are goal-directed, deliberately structured activity systems with
permeable boundaries. More specifically, organizations as social entities are
people or groups of people who function together to perform the tasks and
functions of the organization so that the organization may reach its objectives.

In deliberately structured organizations, objectives and goals are typically
subdivided into subsets of activities. Hence, a different perspective of goals and
objectives becomes apparent at the different levels within an organization.
Even with these different perspectives, these subdivided sets of activities
should work toward the overall organization objectives and goals.

With this in mind, the deliberate structure of an organization should facilitate and
coordinate the efforts of all of the subdivided sets and move uniformly toward one
efficient and effective effort.

All organizations have permeable boundaries that at least should separate them
from other organizations. This is called differentiation. This distinction defines
individual organizations, functions, and purposes. In terms of competition,
differentiation of purpose, product, or service will distinguish one organization
from another. From the competitive perspective this differentiation is what will
cause a customer or client to choose one company or organization over another.
Some reasons for these customers' or clients' differentiated choices could be
price, location, customer service, quality, likeability of the company, and
compatibility with customer needs and wants.

Organizations probably had more defined and distinctive boundaries in the past.
However, in these more contemporary times the boundaries of organizations
have become, and must be, more permeable or flexible. In order to survive it is
now necessary that organizations share information with each other, cooperate,
and collaborate. The sharing of technology, ideas, and components as well as
international trade are just some examples of the necessity for more permeable
boundaries of today’s organizations.

Further, organizations can be subdivided into two distinct classes that directly
relate to the organization's focus and ability to address its risks and hence its
success. These classes of internal and external risks will be discussed later in
detail. Internal risks include training; capabilities of staff and employees; and the
lack of physical controls such as locks, cameras, and passwords, to name a few.
Internal risks can be understood and fixed. Generally, there is or can be some
control over internal risks.




External risks, on the other hand, are the elements that have an impact on the
organization but over whose occurrence the organization has little or no control.
Consequently, the organization, although having little or no control
over the advent of these external risks, must plan for and manage these external
risks. External risks can include the environment, weather, interest rates, the
economy, international relations, international suppliers, exchange rates, politics,
government rules, and government regulations.

The two subcategories of organizations that relate to both the internal and
external risks are an open organization system and a closed organization
system. A closed system does not depend on the environment in which it
operates. The management of a closed system would be relatively simple to
understand and manage; with no external influences to worry about, the closed
organization system would most likely be stable and predictable. A closed
organization would be totally autonomous, enclosed and sealed off from the
outside world of external influences. Although possible, it is unlikely that a
completely closed organization system by definition could exist in today’s
business environment.

Answer the Following Question.

8. The Senior Vice President of Operations reports directly to the Chairman and
President of Products Inc. This is a family-owned company which has grown
substantially over the past few years. Now named Products International its
growth can be attributed mostly to the purchase of three international companies.
These newly-purchased companies provide similar products as the parent
company and were also looking to expand to international markets. As all of
these companies provide generally the same products which type of operating
environment is Products International?

a. product differentiation environment
b. open
c. conglomerate
d. closed

See Application Questions, Answers & Explanations module for answer.




Categories:
An open system must interact with the environment. This is the more likely
situation in today’s environment. Open systems can be very complex and
require innovative and proactive management. Open systems have to find and
obtain needed resources, interpret and act on environmental changes (external
risks), dispose of outputs, control and coordinate internal and external activities,
and manage environmental changes. When working closely with
competitors and international markets, their complexity increases. Remember, as
complexity increases so does risk.

Organizational structure definitions are fine to establish a framework for
organizational culture, but it is people, humans, that make an organization function
as it is intended. It is these people that establish the culture for such things as
ethics, attitude, morale, risk management, and the establishment and implementation
of adequate controls, and move the organization toward its objectives most
efficiently and effectively.

Connecting the tone:

Looking from the top level of an organization downward, upper-level
management is responsible for the entire organization. Upper-level management
must establish objectives and goals, develop strategy, interpret the external
environment, and adjust for the influences that the external environment imposes
on the achievement of objectives. Further, upper-level management must decide
upon and influence the organization design and structure. In more detail, upper-
level management must influence the entire organization toward compliance with
laws and regulations, facilitate the accomplishment of goals and objectives,
establish the reliability of information to internal and external stakeholders,
manage the efficient and effective use of resources, and solidify the safeguarding
of assets.

Probably most important is the tone that is established and emulated by upper-
level management. The words, speeches, posters, and newsletters are all fine,
but without a sincere tone of support and belief from upper-level management, all
of the words, speeches, posters, and newsletters are just that and will have little
impact on the intended direction of the organization.

Next from the top down are middle-level managers. Middle-level managers are,
or should be concerned, with the functioning of individual departments such as
accounts payable, marketing, operations, and human resources to name a few.
These middle-level managers must interrelate the functioning of their respective
departments to the overall goals and objectives of the overall organization.
These middle-level managers must design and implement effective interrelations
of politics, technology, cooperation, along with risk and control management
among interfacing departments.




Lower-level management is, or should be, concerned with the day to day
operations of employees who have the hands on function of tangible tasks within
the organization. The overall organization goals and objectives must still be kept
in focus as these day to day tasks are accomplished. The objectives of these
day to day tasks at these lower levels should work together with the objectives
set by the upper-level management.

Combined These Multiple Levels of People Are Jointly Responsible
for the Success of the Organization.
One of the major weaknesses in the interconnection of upper-level to lower-level
employees is communications. In other words, inadequate and ineffective
communication among these levels of employees can cause failure. Although
the tone may be set at top management levels this tone and direction may
become distorted as it works its way downward to middle-level and lower-level
management and even to the employees who perform the day to day tangible
tasks. This distortion, sometimes called noise in the communication channel,
can be internal politics, biases, attitudes, morale, and even just human
personalities. In any event, this noise inherent within a human communications
channel is natural and must be recognized and managed.

Therefore it is important that, wherever and by whom the tone may be set, be that
an ethical tone, a management tone, a risk management tone, or a control
tone, this tone be monitored for success. This monitoring control should be
established by those upper management levels that set the original tone.
Most importantly, adjustments should be made if the monitoring indicates that the
original tone, objectives, or goals are not being achieved. The key word here is
adjustment. A monitoring control without adjustment or action is a waste of
time.

Effective Organizations Are Clearly Focused And Are Customer Driven.




Answer the Following Question.

4. In order to establish a sincere risk management culture within a company,
upper-level management should communicate their tone and risk management
philosophy to everyone. The best communication channel to achieve this would
be by:

a. weekly broadcasts to all employees
b. demonstrating their upper-level sincerity by their actions
c. publishing the upper-level management risk management philosophy in
the company newspaper
d. communicating the risk management philosophy at meetings in person
with employees

See Application Questions, Answers & Explanations module for answer.

Summary: Organizations are social entities that are goal-directed, deliberately
structured activity systems with permeable boundaries. This means that
organizations should focus on objectives and goals with a purpose. Further,
organizations should be flexible, particularly in today’s large-scope environment.
Because of the large scope of today’s environment, the influences of the external
environment must be identified and managed (external risk).

An organization is made up of people, humans, who are complex by nature. It is
necessary that humans at various levels within an organization function
collaboratively and as necessary to help the organization achieve its
overall objectives and goals. This must be managed.

It is appropriate and necessary that the upper level of humans, upper-level
management, establish objectives and goals, develop strategy, interpret the
external environment, and manage the influences that the environment may have
on the achievement of objectives. These upper-level managers must establish
the tone, the attitude, and the ethical values, manage the morale, and establish
the culture of the organization. All of this should be driven by an in-depth
understanding of the internal and external risks and forces that may influence the
achievement of the objectives and goals of the organization. Because this tone
and culture may be distorted as it is disseminated downward within the
organization, this tone and culture of upper-level management must be
communicated downward with sincerity, monitored, and adjusted as
needed.


Operative Goals:
It is at the lower levels of management where operative goals are most
apparent. Operative goals define what the organization is actually trying to
accomplish and should define specific, short-term, measurable outcomes.

The measurement dimension of objectives and goals cannot be emphasized
enough. The measurement dimension control must have two parts, a noun and
a verb. The noun is the tangible measurement device while the verb is the action
that is taken on the results of the measurement. The best measurement
techniques focus on process and outputs. Process performance should measure
a sequence of activities, which by their completion achieve the overall objectives.

Remember, it is better to make minor adjustments as small deviations are
recognized in the monitoring process than to wait for necessary major
adjustments.

Waiting to adjust for the major issues is crisis management while making minor
adjustments of deviations from accepted criteria is a preventive control.

Without this establishment of tone and culture, with an effective
communications channel which is monitored and adjusted, the risk of not
achieving the objectives and goals increases.

Therefore, it is the responsibility of upper-level management to identify internal
and external risks, those things that will impede the achievement of objectives,
as well as opportunity risk. Further, it is the responsibility of upper-level
management to communicate and encourage enthusiasm within all ranks of the
organization. However, more importantly, upper management must establish,
within all ranks, an adequate monitoring and adjustment mechanism to keep
the achievement of objectives and the management of risk effective.

Therefore, this can be interpreted to mean that the overall guidelines for the
direction of an organization are set by upper management, communicated to
everyone, and are the responsibility of everyone to manage so that the
objectives can be achieved.

If The Culture is Not Established, Encouraged, and Sincere with Upper
Management then This Synergy By Everyone Working Together Will Be
Compromised and The Likelihood of Success and The Achievement of
Objectives is Less Likely.


In terms of the risk culture, it is important that all those involved in the
achievement of objectives understand the risk that will stop the achievement of
the objectives as well as the consequences of not addressing those risks.
These consequences can be measured by understanding the risk appetite of the
organization.

In the simplest terms, the risk appetite is how much risk a person or
organization is willing to accept in order to achieve their objectives. Risk
appetite is directly related to the organization's strategy.

Management should consider its risk appetite as its alignment with its resources
including, people, processes, and infrastructure design. This alignment is
necessary to respond to the internal and external risks both appropriately and
effectively. This sounds simple enough. However, herein is the problem. Even
if a person or organization identifies a pending risk, the consequences of the
acceptance of that risk can very well be misunderstood.

Many Times Risk is Accepted Without a True Understanding of
Pending Consequences.

Therefore, not only a complete understanding of what the risk is but also the
consequences of not completely addressing that risk must be identified by upper-
level management and emulated sincerely to everyone involved.

Action on risk is important. The four steps in risk assessment are: identify,
measure, prioritize, and act. Some general actions of risk management
include: avoidance, reduction, sharing, and acceptance. Nevertheless, when
considering action by controls, the right type of controls applied at the right time
and in the right amount should be considered.

Keep in mind that all things operate within an environment. Entities, individual
people as well as large and small organizations operate within an environment.
Hence, they are subject to changes by that environment. As the environment
changes so do the objectives, the risks, and so should the controls that address
those risks.

The Larger And More Complex An Entity The More Influence The
Environment Will Have Upon The Risks. Therefore, The Risk Appetite And
Overall Risk Philosophy Of The Entity Should Be Fluid.

Successful Companies Harness Employee Energy And Enthusiasm. They
Develop A Climate For Trust, Encouragement, and Productivity. Through
People This Culture Must Be Emulated From The Very Highest Levels To
The Very Lower Levels Within The Company.


ORGANIZATIONAL OBJECTIVES - the overall concepts

In simple language, objectives are something to try to accomplish. These can be,
and often are, divided into subcategories.

This is how the categories work.

The mission or vision statement is generally very high-level and not very specific.
For example, a mission statement could be “our mission is to maintain the
highest quality of service to our customers”. However, this does not indicate
how to accomplish this.

Next on the list are objectives. Objectives are generally more specific than the
mission statement. An example might be: in order to enhance the customer
experience and so expand our customer base, we will address our customers'
needs and modify and adjust our services and products to satisfy our customers'
needs.

Next on the list are goals. Goals are the next level down and become more
specific. Goals should be Specific, Measurable, Accomplishable, Results-
oriented, and Time-bound (SMART). Goals are much more specific than the
objectives or mission.

A good way to consider this is to analyze SMART. Specific means that the goal
should identify exactly what is to be done. Measurable means that there is a
mechanism in place to monitor the activity to make sure it is operating as
intended. (Important: with any monitoring "control" there must be a physical
monitoring mechanism and an action to do something appropriate with what was
monitored.) Results-oriented means that some deliverable or output is required
from the activity of the goal. If there is no measurable output, then why do it?
Time-bound means that the goal should be accomplished within a specific time.

For example: our goal is to identify our customers’ needs each month where we
will identify and address the satisfied customers as well as the not satisfied
customers. With this information, we will provide reports to our planning
organization every month at monthly staff meetings and then follow up for the
effectiveness of results. A goal has much more detail and specifics than the
objectives or mission statements.

There is another subtask and category that can be attached to the goals. This is
strategy. Strategy is at another level of detail below the goals. Strategy identifies
how, specifically, the goals will be accomplished.


In addition, there are two subcategories of strategy. They are tactical and
strategic planning. Tactical planning is generally short-term. This means, by
definition, one year or less. Therefore, strategic planning is longer than one year.
(These are textbook definitions, good for tests and exams.) However, in a real
business setting short-term planning may be more or less than 12 months. The
definitions are less consequential in a real business setting as long as the
process owners understand the concept.

Here is an example: we will obtain, from a statistical model, surveys from each
customer every month. From the 15 questions asked, our statisticians and data
compilers will present an evaluation of the survey results. Adjustments will be
made each month to enhance customer experiences and address customer
concerns (tactical). Further, a compilation of the monthly data will be compiled
annually. A combination of the monthly data and the annual data will be used as
input to determine and evaluate the costs of research and development, physical
plant and equipment investment, and staff investment in the five-year plan.
Adequate and appropriate adjustments will be made to ensure that we
consistently maintain the highest quality of customer service (strategic).

Changes in plans become obvious here. Note how this finally connected back to
the broad mission statement.

Possibly professional risk and control experts may be comfortable with these
textbook-type definitions. However, most process owners would not be. Process
owners may even become confused and intimidated and even fall into the trap of
building piles of paper to satisfy the textbook definitions and miss the overall
concept of risk and control management. In a real business setting, keep it
simple.

Objectives are Something to Try to Accomplish and How.

Further, the term organizational objectives has been mostly used within a tool
called management by objectives (MBO). By definition, MBO is a method
whereby the superiors and subordinates work together to identify and address
objectives. Together they define individual goals and objectives, agree upon
them, and identify a measurement method to determine if the agreed-upon goals
and objectives are being achieved. MBO was developed many years ago. It
was frequently used in business for a number of years but is not used now as
much as in the past.

A major advantage of MBO was that it required communications and agreement
between the superiors and subordinates, hence eliminating or at least minimizing
objective achievement surprises while encouraging communication.


Just as in the definition above, it was important, with MBO, that the overall mission
statement be kept in mind and that the objectives being developed by the
superiors and subordinates work toward that overall mission.

Therefore, organizational objectives are the overall objectives or
mission (often combined) of a process.

One thing to remember, the mission statement and high-level objectives flow
down from the very top of an organization to the bottom and they should all link
together. For example, there is a mission statement and high-level objectives
developed at the highest level.

Next, there are organizational objectives. Organizational objectives are at lower
levels. The high-level organizational objectives would be at the manager level.
Each supervisory group within that manager's responsibility could have slightly
different organizational objectives for their individual departments.

Even if there are slight differences in these objectives all of the objectives within
the company, at all levels, should be relative to each other and connect.

Organizational objectives are like a waterfall. It is all
water coming over the waterfall. The water can change
its shape from narrow to wide as it flows over the
waterfall. But it is all still water, all connected together,
flowing from the top to the bottom.

Some Approaches of Management

Management Deals With The Establishment And Achievement of
Objectives.

Setting objectives is the first part of a business equation.

Understand the Objectives Before Taking Action to Accomplish
Them.

Objectives Guide the Enterprise. They Help Determine the
Direction and Ultimate Vision of What the Enterprise Should Be.


Answer the Following Question.

16. Organizational objectives have been mostly applied in the Management by
Objectives (MBO) approach to objective achievement. The MBO approach
facilitates the communication between management and their subordinates.
Therefore, organizational objectives, in order to be effective, should:

a. be maintained and functional between a subordinate and their manager
b. be emulated and migrated
c. combine all of the efforts of the individual departments for an end goal
d. be only used in a highly open and communicative organization

See Application Questions, Answers & Explanations module for answer.

The Basic Functions of Management

Planning is necessary to provide direction and control. It is the selection of the
best choices for both short-term (tactical) and long-term (strategic) goals.

Organizing brings the resources together to carry out the objectives.
Organization should include responsibility, which is the obligation to perform.

Staffing includes recruiting, selecting, and developing employees. Long-term
and short-term plans should be considered in staffing.

Directing moves the resources toward the goal. It includes interpersonal
relationships between managers and subordinates. Directing should include
communications among all parts of the organization.

Controlling monitors management efforts to determine if progress is being made
to achieve the objectives most efficiently and effectively. It should include
appropriate and periodic adjustments to maintain the efficient and effective
accomplishment of objectives. The basic internal control objectives are good
guidelines in this controlling process: compliance with laws and regulations,
accomplishment of goals and objectives, reliability of information, efficient and
effective use of resources, and the safeguarding of assets.


Authority Gives the Right to Require Performance.

Organizations Without Authority And Responsibility Frequently Fail.

The three basic components in a process are objectives, risks, and
controls. Simply stated, the objectives are what the process is trying to
accomplish. Risks are the barriers that will stop or slow down the
achievement of the objectives. Controls are the policies, procedures, and
actions that will diminish or eliminate the risks.

Generally, Protections Against Risks Offer Some Reasonable Assurance.
Some Common Terms Used To Define This Reasonable Assurance Are
Acceptance of Risk, Risk Appetite, or Risk Tolerance.

It is Unlikely that All Possible Risks All of the Time Can be Diminished or
Totally Eliminated.

Note: Risk appetite is the amount of risk an organization is willing to accept
in order to achieve its goals and objectives. An organization's risk appetite can
be driven by the industry and regulatory environment (external risks). Concurrent
with an organization's risk appetite is the organization's risk tolerance. Risk
tolerance measures how far the organization is willing to deviate from its
risk appetite policy. Both the risk appetite and risk tolerance should be
established and guided by executive management and corporate governance.

Some Risk Has To Be Accepted For A Process To Function. Generally,
Accepting Risk Is Not The Issue. Understanding The Consequences of The
Accepted Risk Is The Issue.

The Risk Appetite and Tolerance Should Be Established by Upper-level
Management, Influenced by Internal and External Forces and Emulated
Throughout The Entire Organization.

There are often two reasons for any inappropriate acceptance of risk. One is that
the world changes rapidly. When a certain risk has been addressed and action
has begun, the risk situation may change, introducing new risks. The
problem is that these new risks may not have been adequately identified
and addressed. Therefore, changes in the environment in which the risk is
operating may cause an inappropriate acceptance of risk. Another reason for the
inappropriate acceptance of risk is a lack of understanding of the
consequences.


Answer the Following Question.

45. The Rental For You And Save Company, providing day-to-day items for short-
term use, has been in business for 22 years. This company provides products for
short-term use such as lawn furniture, household furniture, electronics, and even
tools. The company’s objective is to help customers who may need such items
for short-term use and who realize that it is not worthwhile to purchase such
items. The average rental time is one month. Contracts are signed with the
renters to return the items in the same condition as they were rented.

Although the number of times an item can be rented can vary depending on the
product, the average number of rental times for all items is currently 14.4 times.
Prior to five years ago, the average number of times for all items was 19.8. In
general, the more wear and tear on rented items the fewer times they can be
rented. In order to maintain company success the average time objective for all
items rented is 13.6 times. There has been a steady decrease from 19.8 to 14.4
over the past five years. Management began to become very concerned with this
trend particularly when the number reached 14.4. This difference between the
13.8 objective and the old number of 19.8 compared to the 13.8 objective vs. the
new number of 14.4 can best be described as:

a. risk appetite
b. risk assessment
c. a statistical process SPC risk variation range
d. risk tolerance

See Application Questions, Answers & Explanations module for answer.

When Accomplishing Objectives and Addressing Risk it is
Important to Think of the End Objective.

The end holds the consequences that may require handling in a reactionary
mode if the consequences are not anticipated and addressed adequately in a
preventive mode. The consequences of accepting risk in today's business
environment are far more apparent than they were even a few years ago. Rapid
changes with laws and regulations, embarrassment and reputation in various
news media, as well as global economic situations have substantially increased
the opportunities for pending risks.


What Works and What Does Not Work

A Matter of Opinion and Purpose

Some Management Styles:

Autocratic is very strict in its approach. Power is at the top. Subordinates have
little say in decision-making; they only follow orders.

Custodial is an approach that was popular in the 1930s. It is centered on the
workplace as being a happy place to work. The thought was that if everyone
were happy, productivity would increase. The concept by itself was not very
effective.

Supportive is an approach that addresses performance. This approach
stimulates participation and involvement. Leaders must have positive feelings
toward their people and believe that people want to do the best job they can.

Collegial is founded on teamwork. The manager is often part of the team
instead of a superior. The results can be self-discipline, responsibility, and self-
fulfillment.

What Organizational Culture Works Best?

The Four Types Of Organizational Cultures Are:

POWER

This environment has a high degree of control over individuals and less
opportunity for employee participation and input.

• employees are expected to obey without question

• the environment is a commanding managerial style

• the environment has emphasis on individuals rather than groups

• the environment has a high degree of loyalty to the boss

• there are implicit rules that must be followed


ROLE

• the environment has a strong emphasis on formal procedures

• individuals feel they are dispensable

• the environment consists of an impersonal and highly predictable
organization

• employees are expected to act within the parameters of job descriptions

ACHIEVEMENT

• there is a high emphasis on team commitment and the belief in the
organization's mission

• although the work is exhausting, it is generally an extremely satisfying
creative environment

• flexibility and high levels of worker autonomy are present

• work is organized by the requirement of the task

• there is flexibility; the employee acts in the way considered suitable for the
tasks

PERSON / SUPPORT

• there is emphasis on values

• the nurturing of the personal growth and development of company
members is perceived to be a key competitive advantage

• there are little or no constraints on individuals - employees are allowed to
do what they see is necessary

There Is No Right Or Wrong With Any Of These Organizational Cultures.

What Is Right or Wrong Is What Works In Each Specific Situation.


Answer the Following Question.

22. Which of the following would be the best organizational culture to implement
organizational objectives when there were concerns with wrongdoing activities?

a. role
b. power
c. achievement
d. person / support

See Application Questions, Answers & Explanations module for answer.

Some Regulatory Requirements that
Influence the Risk and Ethical Culture
Decision Process

The Federal Sentencing Guidelines

Passed in 1991, the Federal Sentencing Guidelines provide incentives for
corporations to maintain an adequate compliance program. This
compliance means adherence to an adequate internal control and risk
management process. This includes policies and procedures that will reduce the
probability of criminal conduct, including bribes; kickbacks; conflicts of interest;
inappropriate gifts and entertainment; antidiscrimination policies; and health and
safety issues. Violations of these guidelines can result in various penalties as well
as perceived negative impacts. Integrated control frameworks such as that of The
Committee of Sponsoring Organizations (COSO) have been accepted as an
appropriate model for compliance.


Foreign Corrupt Practices Act (FCPA)

Established in 1977, the FCPA has two main provisions. They are the anti-
bribery provision and the accounting provision. Included in the FCPA are 32
Department of Justice provisions and 26 Securities and Exchange provisions.

Since 1977, the anti-bribery provisions of the FCPA have applied to all U.S.
persons and certain foreign issuers of securities. With the enactment of
additional amendments in 1998, the anti-bribery provisions of the FCPA now
apply to foreign firms and persons who cause, directly or through agents, an
act in furtherance of such a corrupt payment to take place within the territory of
the United States.

The FCPA also requires companies whose securities are listed in the United
States to meet specific accounting provisions. These accounting provisions,
which were designed to operate in tandem with the anti-bribery provisions of the
FCPA, require corporations covered by the provisions to: 1) make and keep
books and records that accurately and fairly reflect the transactions of the
corporation and 2) devise and maintain an adequate system of internal
accounting controls.

Recently a number of other nations have instituted similar regulations. These
nations include the United Kingdom, China, Russia, India, and Brazil. United States
companies doing business in these countries should realize that they might fall
under these "other nation" regulations. It is important that United States
companies doing business in these other countries obtain legal advice on how
these "other nations" regulations may impact them.

Failure to demonstrate a sound anti-bribery compliance risk
management process could be disastrous to a company. Data
analytics are a way to validate the completeness and accuracy
of books and records, while providing an invaluable early
warning system against bribery and corruption.


Answer the Following Question.

43. Business regulations, operating requirements, laws and regulations, as well as
professional guidelines for professionals such as attorneys, accountants, and internal
auditors, have become more complex and necessary as business has become
more complex. One way to avoid these regulation complexities and their
associated paperwork would be to operate a business in a closed environment.
Which of the following would not be a concern, in a publicly traded company, if
the company operated in a closed environment?

a. Foreign Corrupt Practices Act
b. Federal Sentencing Guidelines
c. Sarbanes-Oxley
d. none of the above

See Application Questions, Answers & Explanations module for answer.


The Sarbanes-Oxley Act (SOX) of 2002 Overview

SOX was a reactionary control designed to address integrity issues in business.
The act enhanced existing clauses of the Foreign Corrupt Practices Act (FCPA)
of 1977. In addition, SOX instituted additional regulatory financial parameters on
publicly traded companies and their executives.

Some of the new provisions include:

• rotation of the lead audit partner every five years

• extending the statute of limitation on discovery of fraud from the existing
two years from the date of discovery to five years after the fraudulent act

• restricting the amount of and type of consulting work that auditors can
perform for their publicly traded companies

• requiring CEOs and CFOs, under SOX, to certify their company financial
statements

• directing that audit committees will now be responsible
for the hiring, compensation, and oversight of the public auditors

In addition, SOX created a five-member Public Company Accounting Oversight
Board (PCAOB) that has the authority to set and enforce auditing, attestation,
quality control, and ethics standards. In addition, this board oversees the
public accounting firms that audit public companies. Further, the PCAOB has the
responsibility to impose disciplinary and remedial sanctions for violations of the
board's rules; securities laws; and professional auditing and accounting
standards.


Of Particular Interest to Internal Auditors - Final Examinations

SOX section 302: Internal control certifications

SOX section 302 mandates a set of internal procedures designed to ensure
accurate financial disclosure. The signing officers must certify that they are
"responsible for establishing and maintaining internal controls" and "have
designed such internal controls to ensure that material information relating to the
company and their related subsidiaries is made known to such officers by others
within those entities, particularly during the period in which the periodic reports
are being prepared." The officers must "have evaluated the effectiveness of the
internal controls as of a date within 90 days prior to the report" and "have
presented in the report their conclusions about the effectiveness of their internal
controls based on their evaluation as of that date."

External auditors are required to issue an opinion on whether effective internal
control over financial reporting was maintained in all material respects by
management. This is in addition to the financial statement opinion regarding the
accuracy of the financial statements. The requirement to issue a third opinion
regarding management's assessment was removed in 2007.

SOX Section 404: Assessment of internal control

The most contentious aspect of SOX is Section 404, which requires management
and the external auditor to report on the adequacy of the company's Internal
Control over Financial Reporting (ICFR).

Under SOX section 404, management is required to produce an "internal control
report" as part of each annual Exchange Act report. The report must affirm "the
responsibility of management for establishing and maintaining an adequate
internal control structure and procedures for financial reporting." The report must
also "contain an assessment, as of the end of the most recent fiscal year of the
effectiveness of the internal control structure and procedures of the issuer for
financial reporting." To do this, managers are generally adopting an internal
control framework.

Appendix 1 lists and discusses “Sarbanes-Oxley (SOX)” in more depth.


Public Company Accounting Oversight Board

To augment the original SOX documentation, the Public Company Accounting
Oversight Board (PCAOB) on July 25, 2007 approved Auditing Standard No. 5
(AS5), which superseded Auditing Standard No. 2 (AS2), and has the following
key requirements for the external auditor:

• assess both the design and operating effectiveness of selected internal
controls related to significant accounts and relevant assertions, in the
context of material misstatement risks
• understand the flow of transactions, including IT aspects, sufficient
enough to identify points at which a misstatement could arise
• evaluate company-level (entity-level) controls, which correspond to the
components of the COSO framework
• perform a fraud risk assessment
• evaluate controls designed to prevent or detect fraud including
management override of controls
• evaluate controls over the period-end financial reporting process
• scale the assessment based on the size and complexity of the company
• rely on management's work based on factors such as competency,
objectivity, and risk
• the auditor is allowed to rely on knowledge from prior audits
• evaluate controls over the safeguarding of assets
• conclude on the adequacy of internal control over financial reporting.

Intentionally not complying with the SOX and Public Company Accounting
Oversight Board (PCAOB) guidelines has more serious consequences than not
complying by "accident". SOX distinguishes between errors made with intent and
without intent (for example, a mistake). The "with intent" and "without intent"
specifications become issues for legal debate.

Comparing the definitions of fraud with the requirements of SOX implies
that not complying with the various sections of SOX could be construed as a
fraudulent act.

As can be seen here, sections 302 and 404 are the final exams. In addition, as
can be seen here, violations of SOX sections other than 302 and 404 also carry
substantial consequences.

All these and many more regulations are fine, but the management of risk goes
far beyond and deeper than general management, laws, and regulations. In
order to have an adequate risk management environment, it is necessary that
there be an inherent belief in the right way to do things. The right way to do
things simply means the actions to achieve objectives ethically, efficiently, and
effectively. This inherent belief must be part of the nature of all those involved
within the process at all levels and in all functions.

© 2013 Contemporary Business Concepts, LLC, Danbury Connecticut USA 33


McKeever CRMA Study System Organizational governance related to risk management

Note: the goal of risk management should be to ensure that everyone is working
with the same level of understanding of risk and controls; everyone is working
toward the achievement of the overall organization’s goals and objectives; and
everyone understands the organization’s management of the risk appetite.

A term often used in today’s risk management environment is “tone at the top”.
However, this term by itself is not enough. There must be sincere tone at the
top.

A Sincere Belief by Top Management

That is Emulated With Sincerity to All Lower Levels

Within any process, there is risk. Simply put, there is risk in making anything
work. With this in mind, it is necessary that some risk be accepted. If no one
were willing to accept any risk then nothing could get done. It is not a question
of what risk is being accepted but a question of understanding the risk that is
being accepted. This acceptance is called risk appetite or risk tolerance.

The Amount of Acceptable Risk Should Be a Conscious Decision with an
Understanding of the Consequences.

A Lack of Understanding of the Risk Appetite and Their Related
Consequences is a Risk Itself.


The Practicing Requirements of Internal Auditors


Below are excerpts from the Internal Auditors Code of Ethics of the Institute of
Internal Auditors. These excerpts will provide some guidance on the ethical and
operational boundaries within which internal auditors should function.

http://www.theiia.org/guidance/standards-and-practices/professional-practices-framework/

A few comments about the Internal Audit Standards!

Revised Standards, Effective January 1, 2013

The International Internal Audit Standards Board (IIASB) recently proposed
changes to the Standards after consideration of input it received from internal
auditors and stakeholders, as well as global surveys and other research focused
on the International Standards for the Professional Practice of Internal
Auditing (Standards). The IIASB released the revision to the Standards
following the consideration and approval of due process by the International
Professional Practice Framework Oversight Council (IPPFOC). The new
Standards will be effective on January 1, 2013.

Introduction to the Standards

Internal auditing is conducted in diverse legal and cultural environments; within
organizations that vary in purpose, size, complexity, and structure; and by
persons within or outside the organization. While differences may affect the
practice of internal auditing in each environment, conformance with The IIA's
International Standards for the Professional Practice of Internal Auditing
(Standards) is essential in meeting the responsibilities of internal auditors and
the internal audit activity.

The purpose of the Standards is to:

1. Delineate basic principles that represent the practice of internal auditing.
2. Provide a framework for performing and promoting a broad range of value-
added internal auditing.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations.

Standards are principle-focused and provide a framework for performing and
promoting internal auditing.

The Standards are mandatory requirements consisting of:

Statements of basic requirements for the professional practice of internal auditing
and for evaluating the effectiveness of its performance. The requirements are
internationally applicable at organizational and individual levels. Interpretations,
which clarify terms or concepts, are contained within the statements.

Glossary of terms

Attribute Standards

Attribute Standards address the characteristics of organizations and parties
performing internal audit activities.

1000 – Purpose, Authority, and Responsibility

1000.A1 - The nature of assurance services provided to the organization must
be defined in the internal audit charter. If assurances are to be provided to
parties outside the organization, the nature of these assurances must also be
defined in the internal audit charter.

1000.C1 - The nature of consulting services must be defined in the internal audit
charter.

1010 – Recognition of the Definition of Internal Auditing, the Code of Ethics, and
the Standards in the Internal Audit Charter

The mandatory nature of the Definition of Internal Auditing, the Code of Ethics,
and the Standards must be recognized in the internal audit charter. The chief
audit executive should discuss the Definition of Internal Auditing, the Code of
Ethics, and the Standards with senior management and the board.

1100 – Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be
objective in performing their work.


Interpretation

Independence is the freedom from conditions that threaten the ability of the
internal audit activity to carry out internal audit responsibilities in an unbiased
manner. To achieve the degree of independence necessary to effectively carry
out the responsibilities of the internal audit activity, the chief audit executive has
direct and unrestricted access to senior management and the board. This can be
achieved through a dual-reporting relationship. Threats to independence must
be managed at the individual auditor, engagement, functional, and organizational
levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that
no quality compromises are made. Objectivity requires that internal auditors do
not subordinate their judgment on audit matters to others. Threats to objectivity
must be managed at the individual auditor, engagement, functional, and
organizational levels.

1110 – Organizational Independence

The chief audit executive must report to a level within the organization that allows
the internal audit activity to fulfill its responsibilities. The chief audit executive
must confirm to the board, at least annually, the organizational independence of
the internal audit activity.

1110.A1 - The internal audit activity must be free from interference in
determining the scope of internal auditing, performing work, and communicating
results.

Specific comments: The Institute of Internal Auditors' Code of Ethics

The purpose of The Institute of Internal Auditors' Code of Ethics is to promote an
ethical culture in the profession of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.

A Code of Ethics is necessary and appropriate for the profession of internal
auditing founded, as it is, on the trust placed in its objective assurance about risk
management, control, and governance. The Institute of Internal Auditors' Code
of Ethics extends beyond the definition of internal auditing to include two
essential components:


1) Principles that are relevant to the profession and the practice of internal
auditing.

2) Rules of Conduct that describe behavior norms expected of internal auditors.
These rules are an aid to interpreting the Principles into practical applications
and are intended to guide the ethical conduct of internal auditors.

The Code of Ethics together with The Institute of Internal Auditors' Professional
Practices Framework and other relevant IIA pronouncements provide guidance
to internal auditors serving others. "Internal auditors" refers to IIA members,
recipients of / or candidates for IIA professional certifications, and those who
provide internal auditing services within the definition of internal auditing.

Applicability and Enforcement

Code of Ethics — Principles

Internal auditors are expected to apply and uphold the following principles:

1. Integrity
The integrity of internal auditors establishes trust and thus provides the basis
for reliance on their judgment.
2. Objectivity
Internal auditors exhibit the highest level of professional objectivity in
gathering, evaluating, and communicating information about the activity or
process being examined. Internal auditors make a balanced assessment of
all the relevant circumstances and are not unduly influenced by their own
interests or by others in forming judgments.
3. Confidentiality
Internal auditors respect the value and ownership of information they receive
and do not disclose information without appropriate authority unless there is a
legal or professional obligation to do so.
4. Competency
Internal auditors apply the knowledge, skills, and experience needed in the
performance of internal audit services.


Rules of Conduct

1. Integrity

Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the
profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that
are discreditable to the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the
organization.

2. Objectivity

Internal auditors:

2.1. Shall not participate in any activity or relationship that may impair or be
presumed to impair their unbiased assessment. This participation includes those
activities or relationships that may be in conflict with the interests of the
organization.

2.2. Shall not accept anything that may impair or be presumed to impair their
professional judgment.

2.3. Shall disclose all material facts known to them that, if not disclosed, may
distort the reporting of activities under review.

3. Confidentiality

Internal auditors:

3.1. Shall be prudent in the use and protection of information acquired in the
course of their duties.

3.2. Shall not use information for any personal gain or in any manner that would
be contrary to the law or detrimental to the legitimate and ethical objectives of the
organization.


4. Competency

Internal auditors:

4.1. Shall engage only in those services for which they have the necessary
knowledge, skills, and experience.

4.2. Shall perform internal audit services in accordance with the International
Standards for the Professional Practice of Internal Auditing (Standards).

4.3. Shall continually improve their proficiency and the effectiveness and quality
of their services.

Answer the Following Question.

5. The purpose of The Institute of Internal Auditors' Code of Ethics is to promote
an ethical culture in the profession of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. As such, it
helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk and control
management, and the governance processes.

Which of the following are not excerpts from the professional practice guidelines
for internal auditors?

a. shall not accept anything that may impair or be presumed to impair their
professional judgment.
b. internal auditors make a balanced assessment of all the relevant
circumstances and are not unduly influenced by their own interests or
by others in forming judgments.
c. this participation includes those activities or relationships that may be
in conflict with the interests of the organization.
d. none of the above

See Application Questions, Answers & Explanations module for answer.


Risk-Based Auditing

With the continual expansion of information technology throughout
organizations, internal audit recognized the need to move from the traditional
audit methodology, called by some the “old paradigm”, to the more progressive
risk-based auditing paradigm.

David McNamee was one of the primary authors of a research study performed
for and published by the Institute of Internal Auditors. Progressive internal audit
departments were studied to see if they were doing anything differently than
traditional internal auditing. The following graph compares and contrasts the
findings. There are a number of major changes in orientation reported, beginning
with the change from control-based to risk-based audits. The change in
focus is evident in the second item, the change in auditor orientation from
reactive, after-the-fact observers to coactive, real-time participants. As you
read through the other items think about how the new paradigm places internal
audit at a higher position in the organization – working on enterprise-wide
management programs and business processes. The focus has changed from
detail controls testing to covering significant business risks.

Source: David McNamee, “Risk Management and Risk Assessment”


Something to Think About:

Ethics and Humans
Before a discussion about ethics (a term with varied interpretations), it is
appropriate to revisit fraud. Fraud could be considered a result of a weakened
ethical platform within people. It is important to understand that how ethics is
interpreted by one person may not be how another person interprets ethics.
Consequently, how one person interprets fraud may not be how another person
interprets fraud.

So First Back to Basics: Fraud.

Fraud encompasses three elements. These elements are: need or want
(motivation); opportunity; and rationalization. In addition, greed and a feeling of
entitlement are a couple more elements that can influence the opportunity of a
fraud event occurring.

A Definition: Fraud in Fact

A Fraud in fact is an intentional misrepresentation, concealment, or
nondisclosure for the purpose of inducing another in reliance upon it to
part with some valuable thing or to surrender a legal right. It is a false
representation of a matter of fact, by words or conduct, by false misleading
allegations, by concealment of what should have been disclosed, that
deceives or is intended to deceive another so to act upon it to legal injury.

However, the foundation of a fraud event is ethics, not fraud by itself. Ethics is
the underlying platform from which fraud is perpetrated in the first place.
However, ethics is not tangible. It is not something that can be held in one’s
hand, seen, felt, or even sensed in any other way. So what is ethics? If it cannot
be sensed, how can we determine if ethics or the lack of ethics is even present?

If the foundation, or the weakness in the foundation, from which fraud may be
initiated is vague, then how can it be determined if fraud even existed? It seems
all left to interpretation.

Keep In Mind That Upper-level Management Must Establish, Communicate
And Emulate An Ethical Culture Throughout Their Organization.

To compound all of this is the term ethical values. Ethical values are the
inherent beliefs of right and wrong within a person or group of persons.
Therefore, the word values must be the clue, since the word values is the only
new word in the phrase. However, here we have another vague term, values.
Values are not tangible, just as the concept or philosophy of ethics is not
tangible.

It seems that instead of two vague terms we now have a vague phrase. No
wonder there is fraud that just goes on and on. It seems that the underlying
foundation of right and wrong is just vague. So here we have it: two non-tangible
words, a non-tangible phrase, and tangible humans. What a combination. An
added variable is that humans can and do adapt to the environment as the
environment changes around them. So maybe humans are non-tangible but are
vague as well.

Vagueness is a big trap in human existence. Vagueness allows humans an
opportunity to interpret definitions, in this case the definition of ethics and
ethical values.

The judicial system is full of individuals who say they have done nothing wrong,
their interpretation of ethics. Although their interpretation may not be an
accepted interpretation by general society, it is nonetheless an interpretation.

From the readings of experts, it can be concluded that ethical values, a vague
phrase, are developed within humans at an early age. This foundation of ethical
values is then managed within humans to conform to the accepted guidelines of
the environment and of society in which they live and operate. This concept also
is true of companies and the environment in which they operate.

Nevertheless, here is the problem. If the word ethics is vague and the phrase
“ethical values” is vague then the interpretation must also be vague. Therefore,
the interpretation of ethics within society must be vague as well. Now we begin
to see the root cause of questionable activities and its interpretation.

Taking this a step further, what causes a human to vary within the elastic
boundaries of ethical interpretation? This is actually a simple question. It has to
be the motivation of financial gain. However, is this always the case? Consider
that financial gain is not always the motivator that will or can cause humans to
misinterpret ethical values. We must reconsider greed and entitlement.

If a person’s inner beliefs are that they recognize acceptable right and wrong and
abide by those beliefs but environmental situations change which can cause
changes in these fundamental beliefs then a person may deviate from personal
fundamental beliefs.


An Issue of External Forces Influencing Humans (External Risk)

External forces such as pressures from superiors, family members, peers, and
time can modify a person’s fundamental ethical values and beliefs and play a role
in how much a human will fluctuate within ethically accepted values or what they
believe are ethically accepted values at that particular time. It is not always
physical monetary value that changes the ethical value foundation.

Upper-level Management Must Recognize These Pressures and Manage
Them Appropriately. It Is These Upper-level Managers and The Board Of
Directors Who Must Establish The Appropriate Ethical Values and Emulate
Them to All Lower Levels While Not Falling To External and Internal
Pressures.

Based on this theory, it could be said that ethical values are inherent within each
of us; that these ethical values are flexed by our own needs and external forces;
and that our ethical values may be flexed not only by financial needs and wants
but by perceived and intangible needs and wants as well.

Ethics - A Definition:
Ethics (also known as moral philosophy) is a branch of philosophy that
addresses questions about morality — that is, concepts such as good
and evil; right and wrong; virtue and vice; justice; and other concepts.

So what is this ethics foundation or ethical value? It is an understanding, a
belief, and a support from one’s inner self of acceptable right and wrong.

Now that the definition of ethics and ethical values has been made perfectly
clear we can perceive from the definitions that what may be accepted in one
culture may not be accepted in another. So to go a step further what may be
accepted in one business environment may not be accepted in another.
Further whatever is accepted can change as the respective environment
changes. Therefore, the variation of the interpretation of ethics prevails as
needs, opportunity, entitlement, pressures, and greed change.


Some Thoughts for Managers:

• What is ethics?

• How can the interpretation of ethics be managed?

• Is taking advantage of someone else’s fraud, or not taking advantage of
someone else, good ethics?

• Can fraud be decreased by increasing ethical values?

• Conversely, will a decrease in ethical values increase fraud?

Risk Assessment Made Simple

Integrated Control Frameworks Can be used as a Tool to Identify and
Address Risk

COSO along with other integrated control models including Enterprise Risk
Management (ERM) are some of the more contemporary tools that can be used
for this purpose.

The COSO model utilizes a combination of three control objectives and five
components. The three control objectives in the COSO literature were combined
from the five Institute of Internal Auditors control objectives.

Just to summarize, in order to implement integrated control frameworks a matrix
containing all of the control objectives and components should be developed.
The matrix is developed by putting the three control objectives horizontally across
the top and the five components vertically down the left side. This will result in a
15 box matrix. The boxes become the dimensions in the COSO integrated
control framework model. Develop risk and control questions for each of the 15
boxes to evaluate the adequacy of the risk and controls in that dimension.

Three control objectives: (from the original Institute of Internal Auditors control
objectives model)

• financial
• operational
• compliance


The five components are:

• control environment
• risk assessment
• control activities
• monitoring
• communications

An excellent resource for developing the tests and test questions in any of the
dimensions of COSO is: Control Model Implementation Best Practices, by
James Roth, ISBN 0-89413-390X, available from the Institute of Internal Auditors
book store, www.theiia.org. This book has hundreds of test steps and questions
already in the COSO format. The material in the book can be directly applied to
the COSO model.

There are four steps that must be achieved in order to accomplish an
effective risk assessment. They are identify, measure, prioritize, and act.
A basic way to identify risk is to measure the strength of the controls in the
respective dimension of the COSO matrix. Remember, risk and controls are
inversely proportional, at least in a pure world. Therefore, a decrease in controls
will increase risk, and an increase in controls will decrease risk. Where there are
weaknesses in controls identified in the matrix, there is risk.

After identifying the risk, measure and prioritize the identified risk. Measuring
and prioritizing can be combined in one process.

Any number of accounting or auditing textbooks will have lists of formulas to
measure and prioritize risk. In many cases, the literature will profess that these
risk formulas are necessary to perform an adequate risk assessment. In
actuality, they are not. The complexity of mathematics in these formulas is
generally extremely basic arithmetic. The formulas in most textbooks are
guidelines.

Risk assessment is subjective! The more subjectivity and perspective
considered when developing any risk assessment, the more accurate the risk
assessment will be. The formulas provide a guideline, a benchmark, or a general
perspective. An adequate risk assessment must be combined with knowledge,
wisdom, and experience from professionals.

A good approach to any situation is to utilize the simplest approach and simplest
tools first then increase the complexity of the tools and approach, as the situation
deems necessary.


The simplest risk assessment formula is the Annual Loss Expectancy
(ALE). The ALE is determined by multiplying the probability of the risk
event occurring by the impact of the risk event. This tool can be used in any
type of risk assessment. The impact can be measured in monetary value or as a
factor in non-monetary impact situations.

The ALE formula is actually a simplified version of a textbook formula, the
absolute risk formula. The absolute formula multiplies three components, as
opposed to the two factors in the ALE. The third component in the absolute
formula is time. Time may not be necessary in all cases. However, it is
important to at least measure the probability and impact, then determine if the
time factor is necessary. If the exposure being assessed is time sensitive,
then time could be added into the formula.

Any Risk Assessment Should Incorporate the Probability and
the Impact of a Situation.

Once the probability and impact results have been determined, then a rank order,
prioritization of the risks, by importance can be established.

Putting this into perspective the probability is: how often something can
happen and the impact is what will happen when it happens.

Conducting An Appropriate Risk Assessment Can Be Involved, Should Be
Subjective, and May Incorporate Some Mathematical Tools.

The fourth step in the risk assessment process is to take action on the risk
identified, measured, and prioritized. Controls are the key to action. The
application of the right type and the right amount of controls applied at the
right time will help manage risk. However, keep in mind that it is highly
unlikely that all risk can be managed to zero all of the time.
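As an added example, not part of the study guide, the Python below walks the four steps on the 15-box COSO matrix described above: a constructed control-strength score per box stands in for the "identify" step, the ALE and absolute-risk formulas do the "measure" step, and a sort gives the "prioritize" step. The strength-to-probability mapping, the sample scores and the time factor are all assumptions made for the illustration.

```python
"""Four-step risk assessment over the COSO 3x5 matrix (illustrative model)."""
from itertools import product

# The three control objectives and five components named in the text.
CONTROL_OBJECTIVES = ("financial", "operational", "compliance")
COMPONENTS = ("control environment", "risk assessment", "control activities",
              "monitoring", "communications")


def build_matrix():
    """Return the 15 (objective, component) dimensions of the COSO matrix."""
    return list(product(CONTROL_OBJECTIVES, COMPONENTS))


def probability_from_control_strength(strength, scale=5):
    """Constructed mapping (an assumption, not from the guide): risk and
    controls are inversely proportional, so a control strength of 1..scale
    maps to a probability of (scale - strength + 1) / scale.
    Strength 5 (strong) -> 0.2, strength 1 (weak) -> 1.0."""
    if not 1 <= strength <= scale:
        raise ValueError("strength must be between 1 and scale")
    return (scale - strength + 1) / scale


def ale(probability, impact):
    """Annual Loss Expectancy: probability of the event times its impact."""
    return probability * impact


def absolute_risk(probability, impact, time_factor=1.0):
    """Textbook 'absolute risk': the ALE with a third, time component.
    A time_factor of 1.0 reduces it to the plain ALE (time not always needed)."""
    return ale(probability, impact) * time_factor


def assess(control_strengths, impacts, time_factors=None):
    """Identify, measure and prioritize every dimension of the matrix.

    control_strengths: {(objective, component): strength 1..5}
    impacts:           {(objective, component): impact in dollars or a factor}
    time_factors:      optional {(objective, component): multiplier}, default 1.0
    Returns (objective, component, probability, impact, risk) tuples sorted
    highest risk first, i.e. the prioritized list the 'act' step works from."""
    time_factors = time_factors or {}
    rows = []
    for dim in build_matrix():
        p = probability_from_control_strength(control_strengths[dim])
        i = impacts[dim]
        r = absolute_risk(p, i, time_factors.get(dim, 1.0))
        rows.append((dim[0], dim[1], p, i, r))
    rows.sort(key=lambda row: row[4], reverse=True)
    return rows


# Constructed sample scores for the 15 boxes: most controls are fairly strong (4),
# two boxes are weak. Impacts are sample dollar figures, not real data.
SAMPLE_STRENGTHS = {dim: 4 for dim in build_matrix()}
SAMPLE_STRENGTHS[("financial", "control activities")] = 2
SAMPLE_STRENGTHS[("compliance", "monitoring")] = 1
SAMPLE_IMPACTS = {dim: 100_000 for dim in build_matrix()}
SAMPLE_IMPACTS[("financial", "control activities")] = 500_000
SAMPLE_IMPACTS[("compliance", "monitoring")] = 150_000
# Assume the financial control-activities box is time sensitive (period-end
# reporting), so the absolute formula's time component applies there.
SAMPLE_TIME_FACTORS = {("financial", "control activities"): 1.5}


def top_risk():
    """Highest-priority dimension under the sample scores."""
    return assess(SAMPLE_STRENGTHS, SAMPLE_IMPACTS, SAMPLE_TIME_FACTORS)[0]


if __name__ == "__main__":
    for obj, comp, p, i, r in assess(SAMPLE_STRENGTHS, SAMPLE_IMPACTS,
                                     SAMPLE_TIME_FACTORS):
        print(f"{obj:12s} {comp:20s} p={p:.2f} impact={i:>9,} risk={r:>12,.0f}")
```

Changing a box's strength score and re-running shows the inverse relationship the text describes: raising control strength lowers that box's probability and pushes it down the prioritized list.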

Rule Of Thumb:

The More Volatile and Complex a Process is the Higher the Probability of
Risk.

Controls should not be applied until an adequate and appropriate risk
assessment has been conducted. Controls applied before an adequate and
appropriate risk assessment has been conducted will be an exercise in futility. In
the simplest terms, a great job will be done on the wrong thing.


Answer the Following Question.

26. The Manufacturer of Technical Things Company manufactures highly-
technical electronic products. Further, they operate in a highly-competitive
market. The company realizes that competition occurs from many international as
well as domestic sources. Because of this working environment, this company
performs risk assessments in many dimensions every two or three months. A
new CEO has just arrived at this company from a company that works in a much
more closed environment. The new CEO immediately wants to reduce time spent
on the risk assessment process, indicating that it is a waste of time, and further
suggests that once or no more than twice a year would be adequate to perform
risk assessments. The new CEO suggested that the company resources could be
better used in other areas than sitting around in a room doing risk assessments
every month. As the risk officer, you should:

a. demonstrate to the new CEO the impending risks of the international
competition
b. tell the new CEO that this company is not like his previous company
c. agree with the new CEO it does make sense from an efficiency point of
view
d. try to convince the new CEO that frequent risk assessments in our
company’s type of environment is very appropriate if we are to succeed

See Application Questions, Answers & Explanations module for answer.


The stakeholders: Who Cares?

The Success and Direction of an Organization is Partly Measured and
Guided by Individuals or Groups Within and Outside the Organization that
Have a Stake in the Success of The Organization.

These Stakeholders Could Be Creditors, Suppliers, Employees, Owners,
And Investors.

One team of stakeholders, on the forefront of most companies, is the Board of
Directors (the Board of Directors should be independent of company
management and be qualified to address company issues and concerns).
In many cases, as can be seen from some of the regulations mentioned earlier,
the Board of Directors members as well as the executives and management of a
company can be held responsible for the positive or negative actions of the
company.

The Internal Audit Department is often referred to as the “eyes and ears” of the
Board of Directors. It is incumbent upon the Internal Audit Department to give
these internal stakeholders as much information as possible about apparent and
impending risk within the organization.

It is therefore necessary that Internal Auditors perform their duties with due
diligence and that they are capable and able to meet this need. Internal Auditors
performing within the parameters of their professional standards and maintaining
a current awareness of changes to these standards is a must if they are to
perform their duties with professionalism and due diligence.

However, this is mutual. It is also incumbent upon management and the Board
of Directors to do their parts. These internal stakeholders, including the Audit
Committee, should be proactive with the Internal Audit Department.

A Few Of The Proactive Questions Internal Stakeholders Should Ask:

• Do we effectively assess our compliance risks?
• Do we effectively monitor to detect inappropriate conduct?
• Do we establish and effectively communicate the appropriate tone at the
top?
• Do we have an effective system of policies and procedures that work to
manage risks?
• Do we have a methodology to identify and minimize controls that no
longer serve their purpose?
• Do we have an effective and efficient monitoring system in place to
monitor the status of our risk and control system and explain how it
works?


Other internal stakeholders in a company are the employees at all levels - not
just management but the non-management employees as well. The
question is often asked who is responsible for the adequate administration
of controls within a company. The answer often given is management.
Well that is not true. The answer should be every employee. Every
employee within a company should be conscious and responsible for
controls and the achievement of objectives within their area of
responsibility. This goes back to common sense. In most companies, there
are more non-management employees than there are management employees.
So why would only a small percentage of employees be responsible for controls?
Therefore, all employees are internal stakeholders. They should all have a part
and a conscious understanding of what is needed to help the company that they
are employed in succeed.

However, in order to make this work, it is necessary that these internal
stakeholders have an understanding of the objectives and mission of the
company as well as the risks and control management that will help the company
succeed.

This understanding must be communicated and emulated downward by means
of training and communication from the Board of Directors, to upper-level
management, to middle-level management, to lower-level management, and
finally to the non-management stakeholders.

So how much influence do these stakeholders actually have? Well, although
there is not a definitive answer, since it depends on who they are and the
circumstances, stakeholders do have influence to various degrees. Consider first
the external stakeholders such as creditors, suppliers, and stockholders. Creditors
could exert substantial influence, either positive or negative, on an organization
depending on how the organization was performing.

Suppliers as well could exert some extensive influence. For example, suppliers
could hold up shipments of needed material for various reasons. Before
continuing, it is wise to consider that an organization uses various suppliers in
order to minimize the risk of one supplier’s total control (a preventive control).

In terms of stockholders, they may have some influence but it is mostly indirect.
If stockholders are not happy with the operations of the company, the stock price
would probably decrease. Stockholders and investors are concerned with factors
that could cause financial pressures on upper-level management, as well as on
employees who may have invested in the company. These pressures could in
turn create collateral consequences, even questionable acts.


In addition, and probably more important, is the perception, positive or
negative, that can be imposed upon a company by these external forces. The
problem with perception, especially negative perception, is that it multiplies itself
and grows and grows.

The key to success with this communication is the sincere buy-in by all the
internal stakeholders. This means that posters, signs, speeches, written policies,
procedures, and such do not work by themselves. This means that upper-level
management must sincerely communicate and emulate the need for a common
mission and provide adequate training and direction to all levels of internal
stakeholders so that everyone can help move the company toward the common
goal.

Written policies and procedures are generally considered a control by their
existence. The goal of policies and procedures should be to provide guidance to
everyone at all levels. That means that the policies and procedures should be
easily understood and useable by internal stakeholders at all levels. Policies and
procedures are a control and should be changed as the working environment
changes or as risk changes.

A word of caution: if policies and procedures need to be changed, it is not wise to
just add new policies and procedures onto the old ones. If policies and
procedures need to be changed or updated, it may be appropriate to remove or
modify the old policies and procedures. Overlaying new on top of old just creates
confusion and inefficiencies.

The key question with policies and procedures is: do they work? Do the policies
and procedures help everyone work toward the overall objectives of the company
or organization? If not, they need to be adjusted.

So the next question is how an organization knows if the policies and
procedures are working. The answer is through the implementation and
application of an effective monitoring control. An effective monitoring control
can detect when and if the application of existing policies and procedures is
decreasing in effectiveness. As this happens, minor adjustments to the policies
and procedures can be made to move the organization toward the efficient and
effective achievement of its objectives.

Without an effective monitoring control, crisis management would be required to
make major changes to move the organization to its goals. Crisis management
generally is not very effective or efficient. In addition, humans do not like major
changes, which creates confusion and ineffectiveness.


The interrelationship among stakeholders is very complex. Their influences can
go beyond the boundaries of the individual categories of stakeholders
themselves. Public perception (reputational risk) can have major positive or
negative impact on an organization or company.

As the public perception changes there can be an indirect influence on the
company. For example, if the perception is negative then investors, customers,
and clients may move away from supporting the company. As this happens the
pressure on the Board of Directors increases. These pressures filter down and
impact all levels within the company. Whether positive or negative, it becomes an
exponentially increasing phenomenon. Interestingly, negative perception seems
to multiply at a greater rate than positive perception.

Therefore, the relationship among companies and their environmental
surroundings is extremely important. It is incumbent upon the Board of Directors
and upper-level management to recognize and address these perceptions.

Third-party vendors and suppliers, because of the opportunity for risk in this
relationship, require some special consideration and discussion.

With the advent and implementation of the U.S. Foreign Corrupt Practices Act and
the U.K. Bribery Act, along with similar laws in other countries, combined with the
interrelations in the international marketplace, third-party business relationships
have become extremely complex.

Remember: The More Complex A Process The Higher The Risk.

It is important for the management of the company or organization to maximize
the opportunities and minimize the risk opportunity in third-party vendor or
supplier relationships.

Reliance on third-party relationships can significantly increase a company’s risk
profile, notably strategic, reputation, compliance, and transaction risks.
Increased risk arises from poor planning, oversight, and control on the part of the
company, and inferior performance or service on the part of the third party. This
may result in legal costs or loss of business.

Some guidelines: the company should establish strict and specific policies and
procedures for the relationship with third-party vendors and suppliers. These
policies and procedures should be coauthored by legal professionals as well as
management. All employees, internal stakeholders, and external stakeholders
should review them and agree to abide by them.


One specific policy and procedure is the schedule of authorization. This is a
policy dictating who and at what level can authorize expenditures of specific
amounts. Another policy is who is authorized to add, subtract, or change
vendors on the authorized vendor list. A third policy is the audit process. A
fourth policy is an adequate and effective Code of Conduct or Code of Ethics.
The Code of Conduct should include a conflict of interest clause. This clause
should provide guidance for the relationships among the parent company and
their third-party activities.

These are only a few general policies for the management of
third-party stakeholders. It is advisable that each company or
organization employ legal advice in developing policies and
procedures for each specific relationship.

The Code of Conduct should be reviewed routinely by all internal stakeholders
and receive sincere concurrence. It should be written so that it is clearly
understood and is useable. Finally, a schedule of audits should be completed
to determine compliance with prescribed policies to help identify opportunities for
or acts of questionable activities.

Most Importantly Is Do These Policies And Procedures Work.

An Effective Monitoring Control Is A Must To Make Sure That
These Policies Work.


Relationships with Third-Party Vendors and Suppliers are A Risk
Area That Must Be Adequately Monitored.

Some key considerations for the administration of third-party relationships are:

• one primary system or process employed consistently and uniformly for all
third-party relations
• an adequate and proactive due diligence of third-party entities which
should and must be free both from bias and from any real or perceived
conflict of interest
• management oversight, (monitoring) provided with proactive involvement
by upper-level management
• communications of the values and compliance with laws and regulations
agreed to by the third-party entities
• an agreement completed from the third-party entities of their agreement
and commitment
• finally does the organization reject the relationship with those third-party
entities who will not comply with the philosophy and culture of the
organization

Interfacing with third-party entities in today’s business environment is almost a
necessity. Interfacing with various cultures, exchange rates, politics, and multiple
laws and regulations from multiple countries requires extreme management
because of increased complexity and risk.

These Relationships Require The Involvement of Legal Advice Experienced
in Such Laws and International Matters.

At an overall level, the Board of Directors and management should
properly oversee and manage third-party relationships and should adopt a
risk management process that includes:

• a risk assessment to identify the company’s needs and requirements
• proper due diligence to identify and select a third-party provider
• written contracts that outline duties, obligations, and responsibilities of the
parties involved
• on-going oversight of the third parties and third-party activities


Answer the Following Question.

17. Stakeholders in a company can take many forms. They can range from the
Board of Directors to every employee at any level within the company. External
stakeholders can be stockholders or other investors, customers, suppliers,
contractors, and others. Internal stakeholders consist of executives; upper-level,
middle-level, and lower-level management; and non-management employees. In
terms of ethics and the ethical tone, who should establish and monitor the ethical
tone for the external stakeholders and their relationship with the company?

a. the investor community including the Security and Exchange
Commission
b. the company attorneys who develop the contracts with the external
stakeholders
c. the Board of Directors of the company but the middle-level and lower-
level management of the company should provide the monitoring for
compliance
d. the Board of Directors of the company

See Application Questions, Answers & Explanations module for answer.


Why the Concern with Third Party Relations?

Some Risks Associated with Third-Party Relationships
Strategic risk. Strategic risk is the risk to earnings or capital arising from
adverse business decisions or improper implementation of appropriate
decisions. Strategic risk can exist when there is an aggressive effort to remain
competitive or boost earnings, or using third-party relationships without fully
performing due diligence reviews or implementing the appropriate risk
management infrastructure to oversee the third party relationship. Strategic risk
also arises if management does not possess adequate expertise and experience
to properly oversee the activities of the third party.

Reputation risk. Reputation risk is the risk to earnings or capital arising from
negative public opinion. Of all risks, this risk can probably be the most harmful
both in the long-term and short-term. Third-party relationships that do not meet
the expectations of customers or clients expose the company to reputation risk.
Poor service, disruption of service, inappropriate sales recommendations, and
violations of consumer law allowed by third party relationships can result in
litigation, loss of business or both.

This is particularly true when the third party's employees interact directly with
customers or clients and engage in situations or actions that are not consistent
with the policies and standards of the parent company. In addition, publicity about
adverse events surrounding the third parties may increase reputational risk.

Compliance risk. Compliance risk is the risk to earnings or capital arising from
violations of laws, rules, or regulations, or from nonconformance with
internal policies and procedures or ethical standards. This risk exists when
products, services, or systems associated with the third-party relationship are not
properly reviewed for compliance, or when the third party's operations are not
consistent with law, ethical standards, and policies and procedures of the parent
company.


Transaction risk. Transaction risk is the risk to earnings or capital arising from
problems with service or product delivery. Transaction risk is evident in each
product or service offered by the third party on behalf of the parent company.
Transaction risk can increase when the products, services, delivery channels,
and processes that are designed or offered by a third party do not fit with the
parent company’s own products, customer demands, or strategic objectives. A
third party's inability to deliver, on behalf of the parent company, products and
services, whether arising from fraud, error, inadequate capacity, or technology
failure, exposes the parent company to transaction risk.

Credit risk. Credit risk is the risk to earnings or capital arising from an obligor's
failure to meet the terms of any contract with the bank or otherwise to
perform as agreed. Credit risk may arise under many third-party scenarios.
Third parties that market or originate products or services on behalf of the parent
company can increase credit risk if management does not exercise effective due
diligence over, and monitoring of, the third party activities. Third-party
arrangements can have substantial effects on the quality of receivables and other
credit performance indicators when the third party conducts account
management, customer service, or collection activities. Improper oversight of
third parties who solicit and refer customers can also result in substantial credit
risk. The credit risk for some of these third-party programs may reflect back to
the parent company.

Other risks. Depending on the circumstances, third-party relationships may also
be subject to liquidity, interest rate, price, and foreign currency translation risk.

Country risk. In addition, the parent company may be exposed to country risk
when dealing with a foreign-based service provider. Country risk is the risk that
economic, social, and political conditions and events in a foreign country
will adversely affect the parent company’s financial interests.

Therefore, it can be seen that there are substantial opportunities for risk when
engaging in third-party relationships. Going back to basics, the higher the risk
the more control should be employed. This includes the control of audit.


Answer the Following Question.

3. The We Make It For You company provides custom-made products and parts
on demand for a number of domestic and international companies. In general, the
parts are made to specification and then shipped to the ordering company for
inclusion in their final products. In terms of risk which of the following categories
of risk would or should most concern the We Make It for You company?

a. country risk
b. transaction risk
c. credit risk
d. reputation risk

See Application Questions, Answers & Explanations module for answer.

Summary:
Risk and control management and the achievement of overall
objectives is the responsibility of everyone. However, in order
for this to be successful upper-level management and the Board
of Directors must recognize and manage the internal and
external risk as well establish a risk appetite (the amount of risk
that is willing to be accepted in order to achieve objectives).
Further, it is the responsibility of the Board of Directors and
management to effectively communicate and monitor this risk
philosophy and culture to everyone.


Organizational governance related to risk management

1.1 Which of the following best defines product or service differentiation?

1. social entities or environment
2. permeable boundaries
3. goal-directed activities
4. specific objectives

Answer 2 is the correct answer. Permeable boundaries by definition are the
boundaries that separate one organization from another. This differentiation
could include price; product or service characteristics; qualities; and even
customer service. The concept is simple: why would a customer purchase from
one organization or company instead of another with similar products or
services? In order to succeed it is important that a company define and
distinguish itself from the competition. Further, companies must adapt to the
constantly changing environment.

1.2 Companies can be subdivided into two distinct categories. Which category
requires the most innovative and proactive management?

1. closed
2. internal risk subcategory
3. risk and control based category
4. open

Answer 4 is the correct answer. Generally, there are two categories in which a
business will operate. They are the open and closed categories. The closed
category means that a company operates totally within its own environment with
no influence from any outside forces. This is an unlikely operating situation in
today’s world. An open category means that a company operates in an
environment influenced by external forces. These forces can be from suppliers,
investors, interest rates, economy, and regulations to name a few. More likely in
today’s world, because of the changing world, managers have to adapt to these
constant changes if they are to succeed. Answers 2 & 3 are random words. An
open environment requires a proactive and innovative management.

1.3 When upper-level management is establishing a cultural philosophy they
must understand and adjust for:

1. internal and external politics
2. internal controls
3. feedback
4. internal and external risk

Answer 4 is the correct answer. The other answers are nice common words but
do not apply to this question. The only answer that may even warrant some
consideration would be answer 1. However, answer 1 is narrow, only addressing
the politics. Politics can be a risk but only one risk. Answer 4 implies multiple
internal risks and external risks. It is much better to understand the implications
of as many internal and external risks as possible when developing a cultural
philosophy.


1.4 Generally within any organization there are multiple levels of management:
upper, high, middle and lower. Where the upper levels address more conceptual
issues, the lower levels are more responsible for day-to-day hands-on
operations. Which level of management is responsible for the implementation
and effectiveness of an ethical culture?

1. lower
2. upper
3. high
4. middle

Answer 2 is the correct answer. A point of confusion could be that lower-level
management is responsible for the day-to-day operations. This includes that they
are responsible for the implementation of the company ethical philosophy. This
may be true to a degree. However, it is upper-level management who will
establish, communicate, and monitor the effectiveness of the ethical culture that
they establish. The responsibility rests with upper-level management. Even
though other levels of management may help with the implementation, the higher
levels of management are responsible.

1.5 Communication is often a challenge among people. What may be
understood in one communication effort may not be in another. Basic
components in the communication effort that may cause a communication effort
to succeed or fail could include bias, politics, personalities, preconceived
opinions, and even the time of day. All of these and others are called noise in the
communication channel. What would be the best way to minimize this noise
when communicating an ethical policy from upper-level management to the
employees?

1. make sure that the communication is understandable and not intimidating to
the receivers
2. monitor the effectiveness at various levels of the communication
3. ask for feedback from those receiving the message
4. all of the above

Answer 4 is the correct answer. All of these answers would help minimize the
noise in the communication channel. A simple approach is to know your
audience. That in this case is the receivers of the message. Monitoring for
effectiveness is very important. Monitoring can determine quickly if the message
is being distorted and hence a correction can be made.


1.6 What type of goals define what to accomplish with a definitive outcome?

1. organizational goals
2. operative goals
3. corporate goals
4. accounting goals

Answer 2 is the correct answer. This is an exact definition question. The question
is the definition of operative goals. The other answers are valid terms but not the
answer to this question.

1.7 The amount of risk that a person or organization is willing to accept can best
be defined as:

1. risk tolerance
2. risk appetite
3. acceptable risk
4. residual risk

Answer 2 is the correct answer. This is an exact definition question. The definition
of risk appetite is in the question itself.

1.8 In terms of what to accomplish, which of the following is most specific in
scope?

1. mission statement
2. goal statement
3. objective statement
4. risk and control statement

Answer 2 is the correct answer. The order of specificity is: 1) mission, with the
broadest scope, 2) objectives, with a little more detail, and 3) goals, which are
generally very specific, describing how to get it done (details). The acronym
SMART is associated with goals. That is specific, measurable, accomplishable,
results-orientated, and time-bound (when it will be accomplished).


1.9 Goal statements are specific in terms of what to accomplish, how to
accomplish it, and when to accomplish it. However, to actually accomplish the
mission it is necessary to identify the day-to-day operations of the specifics for
accomplishment. Which of the following subcategories would generally help with
the accomplishments of two years or more?

1. tactical planning
2. integrated risk assessment
3. external risk planning model
4. strategic planning

Answer 4 is the correct answer. This is a definition question. The two answers to
consider here are tactical planning and strategic planning. These are specific
subcategories of goal accomplishment. In pure definition terms, tactical planning
is generally for one year or less. Strategic planning is for one year or more,
although in business these times may be more or less by a little amount.
However, strategic planning is a longer future view of planning accomplishment.

1.10 The basic functions of management are:

1. planning, organizing, authority, responsibility, controlling
2. organizing, planning, controlling, directing and staffing
3. organizing, controlling, planning, directing and responsibility
4. planning, organizing, staffing, directing, and authority

Answer 2 is the correct answer. This is an exact definition answer. Planning,
organizing, staffing, directing, and controlling (POSDC) are the basic functions of
management.


1.11 The complexity of business in today’s environment requires the
implementation of specific rules and regulations by which companies must
operate. Which of the following includes a very specific section for corporate
fraud and accountability?

1. Sarbanes-Oxley
2. the Foreign Corrupt Practice Act
3. the Federal Sentencing Guideline
4. the Professional Practice of Auditors

Answer 1 is the correct answer. Section 11 of Sarbanes-Oxley addresses
corporate fraud and accountability. This section and other sections of
Sarbanes-Oxley hold executives and management responsible for wrongful acts
and retaliation against informants. This law holds those in top-level management
accountable to make certain that the tone and appropriate culture is
communicated downward throughout the organization and is working.

1.12 The Public Company Accounting Oversight Board supplemented the
Sarbanes-Oxley law. In order to manage the adequacy of risk and controls this
Board encourages the use of:

1. an annual risk assessment
2. a reporting mechanism to report to the internal auditors
3. a methodology to analyze and compile an integrated risk assessment
4. integrated control frameworks

Answer 4 is the correct answer. The Public Company Accounting Oversight
Board encourages the use of integrated control frameworks to analyze the
adequacy of risk and control management. At the time this Board’s literature was
compiled, COSO, an integrated control model, was already in existence, so
COSO was recommended in the literature. Since then the Enterprise Risk
Management (ERM) model was developed. ERM is an expanded version of
COSO. ERM is now also an applicable tool for this Board’s recommendations.


1.13 Ethical beliefs are the inner beliefs of humans to recognize right and wrong
as acceptable within the environment and society in which they live. What forces
could have an impact on an individual’s inner ethical beliefs?

1. internal forces
2. change in an individual’s personal needs and wants
3. external forces
4. all of the above

Answer 4 is the correct answer. All of these forces could change or impact an
individual’s inner ethical values and beliefs. Further, all of answers 1, 2 & 3 can
change frequently. Therefore, the ethical values and culture must be constantly
monitored to make sure that the accepted ethical values and culture are not
compromised by any of these forces.

1.14 Risk assessment involves identifying the risk, measuring the risk,
prioritizing the risk, and acting on the risk as necessary. However, even with all
this, some risk must be accepted. Which of the following is the most significant
problem with accepting risk?

1. the risk is so complex that it cannot be identified, therefore risk must be
accepted
2. the consequences of the risk are not fully understood
3. managing the risk is the job of the control professionals, so management
accepts risks until it is fixed
4. completing a total risk assessment is generally so complex in large
companies that the effort is not worthwhile, so risk is accepted

Answer 2 is the correct answer. This is a major issue with those accepting risk. In
many cases those accepting risk just do not understand what can happen if the
risk is not addressed adequately. The remaining answers are not relevant to this
question and probably not relevant to business as well.


1.15 Boards of Directors are considered internal stakeholders. Especially in light
of the many recent laws and regulations, they are held specifically accountable
for their actions and the company’s actions. Which of the following questions
should these stakeholders be asking of their management?

1. do we have a methodology to minimize controls no longer effective
2. do we have an effective monitoring system in place to monitor risks and
controls
3. do we have an effective monitoring mechanism in place to monitor
inappropriate conduct
4. all of the above

Answer 4 is the correct answer. All of these answers are appropriate for a Board
of Directors to ask their management.

1.16 A good control when dealing with external stakeholders (suppliers) is:

1. have multiple suppliers who can provide the same or compatible products or
services
2. make sure that the contract with the suppliers is exact with no options that
can impact the company they supply
3. make sure the supplier is physically close to the company they supply to
minimize transportation costs
4. use only sole source suppliers

Answer 1 is the correct answer. This is the best control from the answer choices.
Answers 2 & 3 are more or less random thoughts. Although they might be
controls to consider, they are not better than answer 1. Answer 4 requires caution
and can be a red flag of questionable activity (conflict of interest) and other
concerns. Generally, sole source suppliers should only be used as a last resort.
Company legal advice is very appropriate when working with sole source
suppliers.


1.17 Which of the following are some of the Answer 4 is the correct answer. Every one of
ways that third party relations with suppliers these answers can impact a company.
and vendors can impact a company? Therefore, it is important that a company make
sure that the third party is aware of the
company culture and philosophy related to
1. reputation risk
ethics; risk and control culture; and
management. Further, make certain that
2. compliance risk compliance with this culture will be monitored
and adjusted as needed.
3. transaction risk

4. all of the above

1.18 What are two risks of which a company should be concerned when dealing with third party vendors or suppliers?

1. country risk and reputation risk

2. transaction risk and credit risk

3. strategic risk and compliance risk

4. all of the above

Answer 4 is the correct answer and best answer. A company must be concerned with all of the risks in the answers when dealing with third party vendors and suppliers. Any and all combinations of these risks occurring can have a negative impact on the company. The company must monitor and make sure these risks are controlled.



McKeever CRMA Study System Principles of risk management processes

DOMAIN II: PRINCIPLES OF RISK MANAGEMENT PROCESSES


Domain II: Principles of risk management processes

The objective of this module is to better prepare the participant to pass the
Certification in Risk Management Assurance Exam by discussing and
analyzing the technical dimensions of this domain while discussing
techniques to best manage multiple-choice questions.

Included are discussions of the skill requirements of a CRMA to:

A. Benchmark risk management processes using authoritative guidance

B. Evaluate risk management processes related to:

1. Setting objectives at all levels to achieve strategic initiatives
2. Identifying risks
3. Risk analysis and evaluation including correlation, interdependencies, and prioritization
4. Risk response (e.g., avoid, transfer, mitigate, accept), including cost-benefit analysis
5. Developing and implementing risk mitigation plans
6. Monitoring risk mitigation plans and emerging risks
7. Reporting risk management processes and risks, including risk mitigation plans and emerging risks
8. Periodic review of risk management processes to aid in continuous improvement

Source: The IIA International web site


Principles of Risk Management Processes


Managers put assets at risk to achieve objectives.

Establishing Objectives

Establishing objectives should be the first step in any business process.


Establishing objectives has to be the first step whenever performing a review of
business risks, risk analysis, or control analysis. If the objectives are overlooked,
the efforts will be wasted.

Back to basics: These are the three basic elements of business objectives, risks,
and controls which should be addressed in that order. The very first element and
the foundation necessary to be able to address the implementation and
adequacy of risk management is an objective. Any process, physical task, or
human effort must have an objective, a clear focus of what is trying to be
accomplished.

Some of the general terms associated with the establishment of objectives, in order of decreasing detail, are the mission statement, the objectives, and goals.

Generally, the amount of detail needed to accomplish the objectives increases with the definition of goals. However, whether the mission, objectives, or goals are being discussed, it is necessary that a clear focus of what to try to accomplish is in mind.

Objectives Must Be Specified First. If objectives are not specified first:

• risk will become overwhelming

• risk may not be controllable

• efforts and resources will be wasted


Below are the criteria most often associated with the definition of goals. However, they can be utilized for establishing adequate objectives as well:

Specific: means that a definitive outline of what is to be accomplished is identified. The more specifics that are identified, the more likely the objectives will be accomplished effectively and efficiently. Conversely, the fewer specifics that are identified, the less likely the objectives will be accomplished as intended. With fewer specifics, humans will interpret a direction, which may not be in concert with the overall objectives. Hence, inefficiencies will prevail.

Measurable: means the action to accomplish objectives is subject to technological and human intervention. Therefore, it is important that a measurable mechanism be put in place to monitor these actions to ensure that the intended objectives are being accomplished. As with any monitoring control, the monitoring control should not only include a physical monitoring mechanism but also an action to adjust deviations beyond accepted limits. For extensive objectives (those which may take an extensive time to complete), benchmark / status measurements are appropriate. This means that periodic measurements at predetermined times be established. These benchmark / status measurements will help to guide minor adjustments as they are recognized, as opposed to waiting until major adjustments are required.

Additional comments about benchmarking: benchmarking is the measuring or comparing of an entity, process, or objective against another real or perceived entity, process, or objective. Benchmarking measures progress among or between these relationships. Benchmarking can help establish priorities, targets, and adjustment needs in the process.

Some uses of benchmarking:

• develop performance measures

• develop comparisons of performance relative to goods and services

• access ideas from proven practices

• develop best practices

• maintain a competitive advantage


Some types of benchmarking:

• strategic: used when organizations need to improve by adjusting their long-term strategy in line with other organizations that have succeeded

• competitive: developing an analysis of competitive organizations

• functional: used to analyze core business functions

• best practices: a comparison of all facets of processes across similar and dissimilar organizations

To perform a benchmark:

• determine what items to benchmark

• determine what organizations and specific processes to benchmark against

• gather data by means of surveys, interviews, professional contacts, and trade journals, to name a few

• caution: be careful to take this benchmarked information as just that: information and input. Remember that just because something worked in one process does not mean that it will be an exact fit in another. The information obtained in a benchmark should be mixed, matched, and modified to fit each specific process.

Summary: benchmarking is a tool to determine if a process is where it should be at a point in time, in relation to the competition in some cases, or against established goals and objectives. However, if the process is not where it should be, it is not enough to just identify that situation; it is necessary to make appropriate adjustments to get it to where it should be.


Note: An additional benchmarking technique is to compare processes or measurements that are related but not the same, for example comparing the number of items sold to revenue. A graphic representation would show the increases and decreases over the time of sales. Compared to revenue on the same graph, the changes in revenue should track with the fluctuations in the number of items sold. If sales increased and the revenue line remained the same or decreased for the same time period, question where the revenue is for the sales. When developing this graph, it is recommended that at least two but no more than four relationships be depicted and analyzed on the graph. More than four can cause counter-relationships which may distort the analysis. This is a good benchmarking technique for fraud detection.
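As an added example (my code, not the study guide's), the items-sold versus revenue comparison above applied to constructed monthly figures: a period where units rose but revenue stayed flat or fell is flagged for follow-up, and a second check looks for revenue per unit eroding against the first period.

```python
"""Added example, not part of the McKeever study guide: the benchmarking
technique of comparing related but different measurements over time
(units sold against revenue), with the divergences the guide says to
question flagged automatically.  All figures below are constructed."""
from dataclasses import dataclass

# Constructed monthly data: (month, units sold, revenue in the same currency)
SAMPLE = [
    ("2013-01", 1000, 50_000),
    ("2013-02", 1050, 52_500),
    ("2013-03", 1200, 60_000),
    ("2013-04", 1300, 59_000),  # units up, revenue down: where is the revenue?
    ("2013-05", 1280, 64_000),
    ("2013-06", 1400, 64_000),  # units up, revenue flat: question it
    ("2013-07", 1350, 67_500),
]


@dataclass(frozen=True)
class Divergence:
    month: str
    units_change_pct: float
    revenue_change_pct: float
    revenue_per_unit: float


def pct_change(prev: float, cur: float) -> float:
    return (cur - prev) / prev * 100.0


def find_divergences(rows, flat_tolerance_pct: float = 0.0):
    """Periods where units sold rose but revenue did not rise by more than
    flat_tolerance_pct: the sales line and the revenue line stop tracking."""
    flagged = []
    for (_, prev_units, prev_rev), (month, units, rev) in zip(rows, rows[1:]):
        d_units = pct_change(prev_units, units)
        d_rev = pct_change(prev_rev, rev)
        if d_units > 0 and d_rev <= flat_tolerance_pct:
            flagged.append(Divergence(month, round(d_units, 2), round(d_rev, 2),
                                      round(rev / units, 2)))
    return flagged


def price_erosion(rows, max_drop_pct: float = 5.0):
    """Months whose revenue per unit is more than max_drop_pct below the first
    month's: a second view of the same relationship, which also catches a slow
    drift that a period-to-period comparison would miss."""
    baseline = rows[0][2] / rows[0][1]
    return [m for (m, u, r) in rows[1:] if pct_change(baseline, r / u) < -max_drop_pct]


def relationships_ok(series_count: int) -> bool:
    """The guide's graphing rule: at least two, no more than four relationships per chart."""
    return 2 <= series_count <= 4


if __name__ == "__main__":
    for d in find_divergences(SAMPLE):
        print(f"{d.month}: units {d.units_change_pct:+.1f}%, revenue "
              f"{d.revenue_change_pct:+.1f}%, revenue/unit {d.revenue_per_unit}")
    print("price erosion in:", price_erosion(SAMPLE))
```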

Attainable: Mission statements, objectives, and goals should be reasonable and attainable. If they are not attainable, frustration may develop among those who are working toward the achievement of the objectives. This frustration can also lead to possible questionable activities or even fraud. Mission statements, objectives, and goals should also be achievable.

Results-oriented: Missions, objectives, and goals must have an end target to achieve. The total achievement of the end target, or the achievement of various progression points on the way to achieving the end target, becomes an accomplishment. Without some target to achieve, there is nothing to achieve. It is important to keep the end in mind.

Time-bound: The more specific the accomplishment effort becomes, for example with goals, the more important the time factor becomes. For example, will the objective be accomplished in one day, one week, one month, or one year? Further, when will the periodic benchmarks be established? Without specific timeframes for accomplishment, the effort will tend never to reach its goal. In addition, without specific timeframes for accomplishment, any measurement of the status or overall completion of the objective becomes vague and adds little value. Therefore, the measurement of the accomplishment of objectives should measure not only what was accomplished but when it was accomplished. The "when" becomes part of the objective target.

So the acronym for establishing goals is SMART.


The Key to Successful Risk Management: Understanding the Objectives and Ensuring That They are Adequate, Appropriate, and Implemented.


It is important to adapt the definition to the environment in which it is applied, and to adapt it appropriately. The concept and the understanding are more important than the definition. It is important that everyone involved is in agreement on what definition is to be used.

The definition of residual risk is the risk that remains after management responses to risk. So residual risk, by definition, is what is left after specific risks have been determined by whatever means and then appropriate and adequate controls have been applied. However, even after the appropriate and adequate controls have been applied, some risk still remains (residual risk). Remember, it is nearly impossible to protect against all possible risk in every situation all of the time. The more complex and volatile a process is, the more likely there will be some remaining risk. Also, the environment may change after the controls have been put in place, hence remaining risk.

This is a good place to mention the two types of apparent risk. They are
internal and external risks. Internal risks are risks apparent within the process.
For example, inadequate training of new staff, inadequate security locks.
External risks are external to the process such as weather, changes in laws, and
changes to regulations.

More definitions:

Control risk: This is the apparent risk when applied controls failed to reduce
risk to an acceptable level. So if controls did not stop the risk, then there could
be residual risk.

It is more important to understand the concepts rather than definitions.

Audit risk: This simply means that audit reached wrong conclusions and
someone relied on those wrong conclusions. Hence, decisions were made
based on those wrong conclusions, which instead of adding controls to minimize
risk may have actually added risk and slowed the achievement of objectives.


What is next?

All these definitions are nice but something needs to be done to make the risk
and control management work.

The first step. There are four necessary steps in risk management. In this order they are: IDENTIFY, MEASURE, PRIORITIZE, AND ACT. So no matter what definitions are used, these four steps must be conducted in this order. Therefore, in simple language, you have to know risk when you see it. Then that risk must be measured by some acceptable means, such as quantification using alphanumeric criteria. Then these alphanumeric criteria should be prioritized, generally but not always by the most significant issues first. Then action should be taken on the risk (this means applying the proper controls, at the right time, in the right amount).

A special note here: The alphanumeric measurement of risk will provide a general indication of the significance of identified risk. CAUTION, DO NOT ONLY RELY ON THE ALPHANUMERIC INDICATORS. RISK ASSESSMENT IS NOT A SCIENCE! ADEQUATE AND APPROPRIATE RISK ASSESSMENT IS SUBJECTIVE AND REQUIRES HUMAN INPUT, NOT JUST BASIC ARITHMETIC.

The next step. One technique that has been useful in identifying, measuring, and prioritizing risk is risk mapping. There are a number of risk mapping formats. Sometimes called a risk map or heat map, this tool helps identify the relationship between the probability and the impact of a potential risk. Because of the many variations, it is important to understand the objective and the audience when developing a risk map.

Extensive examples of risk mapping models are in the Enterprise Risk Management Integrated Framework literature (the application techniques book). In a matrix, the risk map will identify the risk in terms of high, medium, and low. For example, a potential risk might have a medium probability and a high impact. Another potential risk could have a high probability and a low impact.

NOTE: A few areas of caution with the risk map. First, high, medium, and low can mean different things to different people. Therefore, it is important to quantify the specifics of what high, medium, and low mean. Next, process owners could fall into the trap of only considering high impact risk. A consideration is that a risk with a low impact but frequent occurrence (high probability) could be a higher overall risk than a risk with a high impact that does not occur often. The risk map, in pictorial form, helps minimize the possibility of falling into this trap.


Another simple tool used to conduct a risk assessment is the absolute risk assessment model. In this case a column table is developed; a spreadsheet is a good example. The first column contains the identified risk, the next column contains the probability, the next column contains the impact, and the next column contains the time. When the factors in all of the columns are populated and multiplied, the result, which considers all three of these elements, will indicate a measured and prioritized relationship of the identified risks.
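As an added example (my code, not the study guide's) serving both the risk map and the absolute risk model above: a constructed register is scored on an assumed 1..3 scale for probability, impact, and time, bucketed into the high/medium/low map, and ranked by the product. The ranking shows the trap the guide warns about (a frequent low-impact risk outranking a rare high-impact one), and an override hook carries the subjective human input the guide insists on.

```python
"""Added example, not part of the McKeever study guide: the risk map
(probability x impact, in high/medium/low terms) and the absolute risk
assessment model (probability x impact x time, multiplied) applied to a
constructed risk register.  The scoring scale and the register are my
assumptions, not the guide's."""
from collections import defaultdict

# Assumed scale, written down so that "high" means the same thing to everyone
LEVELS = {1: "low", 2: "medium", 3: "high"}

# Constructed register: (risk, probability, impact, time), each scored 1..3
RISKS = [
    ("computer centre power loss", 1, 3, 2),
    ("invoice keying errors", 3, 1, 3),
    ("new staff not yet trained", 3, 2, 2),
    ("pending regulation change", 2, 3, 3),
    ("sole source supplier failure", 2, 3, 1),
]


def absolute_risk(probability: int, impact: int, time: int) -> int:
    """One row of the absolute risk model's spreadsheet: multiply the three columns."""
    for score in (probability, impact, time):
        if score not in LEVELS:
            raise ValueError(f"score {score!r} is not on the 1..3 scale")
    return probability * impact * time


def risk_map(risks):
    """Bucket each risk into its (probability, impact) cell, in the guide's words."""
    grid = defaultdict(list)
    for name, p, i, _ in risks:
        grid[(LEVELS[p], LEVELS[i])].append(name)
    return dict(grid)


def prioritize(risks, overrides=None):
    """Rank by absolute score, highest first.  `overrides` maps a risk name to an
    adjusted score: the subjective human input the guide insists on, so that the
    arithmetic never has the final word.  Returns (name, base, final) tuples."""
    overrides = overrides or {}
    scored = []
    for name, p, i, t in risks:
        base = absolute_risk(p, i, t)
        scored.append((name, base, overrides.get(name, base)))
    return sorted(scored, key=lambda row: row[2], reverse=True)


def render_map(risks) -> str:
    """Text picture of the 3x3 map: rows are probability, columns are impact."""
    grid = risk_map(risks)
    header = "probability \\ impact | " + " | ".join(f"{LEVELS[i]:^28}" for i in (1, 2, 3))
    lines = [header]
    for p in (3, 2, 1):
        cells = [", ".join(grid.get((LEVELS[p], LEVELS[i]), [])) or "-" for i in (1, 2, 3)]
        lines.append(f"{LEVELS[p]:>20} | " + " | ".join(f"{c:^28}" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_map(RISKS))
    # The trap: low-impact but frequent keying errors score above the rare
    # but high-impact power loss.  A human can correct that with an override.
    for name, base, final in prioritize(RISKS):
        print(f"{final:>3} (base {base:>2})  {name}")
```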

Risk assessment tools such as risk maps and the absolute risk model help
identify risk but focus primarily on measuring and prioritizing risk to be acted
upon by the process owners. So referring back to the definitions of the types of
risk, inherent risk is the risk absent of any controls. Residual risk is the risk after
management’s response to risk.

These tools help focus (identify, measure, and prioritize) on the risk on which
management WILL need to act. So the acting on risk, applying controls, has not
taken place while these tools are being developed. The application of controls
will not take place until after the risk assessment tools have depicted the
risk issues.

To put it into context there are three stages of risk assessment: IDENTIFY,
MEASURE, PRIORITIZE. Risk assessment tools are just that they help assess
risk. Risk assessment tools are used in the identification, measurement, and
prioritization of the stages of risk assessment, before any controls are put in to
place.

IT IS IMPORTANT TO ADD SUBJECTIVITY INTO THE MATHEMATICAL RESULTS.

Now that the risk has been identified, measured, and prioritized, adequate controls should be applied to manage the risk: ACT (risk management). There are a number of ways to approach this risk management. These ways are: control the risk with appropriate and adequate controls; share the risk; or accept the risk. Just a note, controlling the risk is straightforward. However, accepting the risk and sharing the risk can raise some concerns. The question becomes: do the individuals who are sharing or accepting the risk really understand what they are sharing or accepting?

Before risk assessment and risk modeling can be implemented it is necessary to go back to basics. The first step in evaluating any process is to establish and understand the objectives.


Objectives are a way for an organization to define its direction. Objectives should determine how a company will allocate its resources and manage strengths, weaknesses, and opportunities.

Business objectives are a consideration of what future course an organization intends to take. In order to establish effective objectives an organization must first determine what they do, who their clients are, and how they intend to succeed. This requires that a business evaluate its competition and determine how they can set themselves apart from their competition. This is called differentiation.

Further, in order for a company to establish business objectives, it must understand where it is now, where it has been, and where it wants to go.

The Establishment and Adjustment of Objectives Should be Proactive, Rather than Reactive.

In order for objectives to be effective, a business must establish and emulate values. These values establish a foundation for the shared beliefs among the internal and external stakeholders within a company. These values are controls.

The values of any organization help establish an identity and a common culture.

Remember, as the operating environment of a business changes so should the objectives of that organization. As the objectives change because of environmental changes, so does the risk and so should the controls that manage the risk. The more complex a business process, the more frequently these adjustments should take place.

Summary

Risk is a concept that managers use to express their concerns about the probable
effects of an uncertain environment. Because the future cannot be predicted with
certainty, managers have to consider a range of possible events that could take
place. Each of these events could have a material effect on the enterprise and its
objectives.

The negative possibilities are "risks," the positive possibilities are "opportunities."


The Institute of Internal Auditors Standards for Planning Considerations:

In Planning An Engagement, Internal Auditors Must Consider:

• the objectives of the activity being reviewed and the means by which that activity is controlled

• the significance of risks to the activity and the means by which the risk is kept to an acceptable level

• the adequacy and effectiveness of the activity’s risk and control management

• the opportunities for making significant improvement to the activity’s risk management and control processes

When planning an audit engagement for parties outside the organization, internal
auditors must establish a written understanding with those clients about the
objectives, scope, respective responsibilities, and other expectations including
restrictions on the distribution of the results of the engagement and access to
engagement records.

Some perspectives of risk

• danger of injury or loss

• the probability of a loss

• the exposure to danger, injury, or loss

The severity of risk depends upon:

o assets at risk

o type of threat

o time

o effectiveness of controls


Exposure is the total value at risk without regard to the probability for a
negative event.

Types of Risk

Although all risks are generally referred to just “that risk” in many real business
situations it is appropriate to categorize risks into specific groups. For example,
specific definitions are not only useful for test-taking purposes but can be useful
when trying to focus on a specific remedy for identified risk.

Definitions are often developed by one’s background, experience, and education. As such, definitions of the same item or concept may vary depending on where and by whom it was originated. Nevertheless, for the purpose of this material, it is useful to have exposure to some generic definitions of risk (listed below).

Human (people) risk includes fatigue, memory lapses, inattention, collusion, unacceptable behavior, sabotage, and negative morale.

Strategic risk results from all employees not working together in harmony
toward the common goals and objectives of the organization in a timely and
efficient effort.

Financial risks are a result of the cash flow relationship between receivables (including cash) and payables. In other words, financial risk concerns whether the organization is receiving more than it is incurring in expenses (making a profit) or, alternatively, has more expenses than income (incurring a loss). An additional question becomes how long an organization can sustain a loss. An added area of financial risk is an organization’s ability to obtain or satisfy debt. Appendix 2 lists and discusses in more depth “Financial Ratios Useful in Risk Management”.

Quality of product differentiates one organization from another. This differentiation can work two ways. Superior products or services will generally impress clients and customers and entice them to purchase more, hence growing the business. On the other hand, poor quality will discourage customers and clients from purchasing. In either case, good or poor quality (in the eyes of the client or customer) can differentiate one organization from another.


Service risk is the result of providing good or poor service to a customer or client. For example, providing excellent customer service to resolve a negative experience with a customer can actually turn the customer’s negative impression into a positive impression (positive reputational risk). However, providing poor customer service while attempting to address a customer’s negative experience will multiply that negative impression many times. This in turn could negatively impact reputational risk.

Contract risk is a result of non-compliance with the terms and conditions of agreed upon contracts. This could include such items as delivery times, quality, costs, and payment agreements. These violations can further result in fines, legal costs, and a tarnished reputation.

Information and technology risk is the result of the inability of an information technology system to function securely, efficiently, and accurately to provide the appropriate information to those who need that information. In order to achieve this, technology must be current, utilizing contemporary software, which will ensure integrity, accuracy, and safeguarding of information.

Internet technology risk is the inappropriate use of the internet and company intranet capabilities.

Outsourcing risk results from the outsourced vendor providing inferior quality products or services. This results in increased negative reputation to both the outsourced vendor as well as the organization doing the outsourcing.

Environmental risk results from non-compliance with environmental laws and regulations. This can result in fines, penalties, legal costs, and increased negative reputational risk.

Communications risk is the result of a lack of effective communications among employees at all levels. Very often, this is apparent between the levels of the organization.

Marketing or sales risk is simply the risk associated with appropriately and adequately selling the organization’s goods and services. As this risk increases, revenues decrease, which in turn impacts financial risk.


International risk is the risk of doing business across country boundaries. In today’s business environment doing business across country boundaries is very common, especially with the availability of today’s technology. From one perspective, this provides an expanded marketplace. From another perspective, this provides an opportunity for major, but often unforeseen, risks. When conducting business across country boundaries many considerations have to be addressed and managed, including exchange rates, transportation, shipping, culture, politics, contractual agreements, and local employee issues. One or any combination of these considerations can result in substantial risk and even company failure.

When focusing on assets at risk, consider what management put to work.

These considerations can include:

• size or type of the effort

• probability of failure

• location

• people

• money

• assets

• intellectual property

• business name and reputation

• future


Answer the Following Question.

6. During a recent risk assessment exercise, utilizing a team of process owners, a discussion of how to address the interrelationship of risk among the processes began to escalate. It seems that the process owners could not agree on the risks that should be addressed. What was most likely a reason for this lack of focus?

a. the process owners do not understand the consequences of risk
b. the process owners do not understand the overall objectives of the processes
c. the process owners should identify, measure, and prioritize the risks
d. the process owners should work in smaller teams to discuss risks in the individual processes then work as a group

See Application Questions, Answers & Explanations module for the answer.

Four Components of Managing Risk

In order to complete a risk assessment and manage that risk it is first necessary to identify the risk. Next, the risk must be measured. After this, the risk must be prioritized. Finally, action (risk management) must be taken in order to eliminate or minimize the risk (controls). Remember that it is not likely that all risk will be eliminated completely no matter what controls are put into place. This is because some controls may fail or outlive their usefulness, some risk may be accepted by the process owners, or controls may be circumvented by intent.

Risk is the opposite of controls. Therefore, a way to identify risk is to determine the controls in place and their status. The status of controls can range from none to 100% effectiveness. Anything less than 100% allows for some risk. The amount of risk may be within acceptable limits and would therefore require no action. Risks close to or beyond acceptable limits require attention. The required attention is the appropriate application of controls. An important consideration is that those who decide to accept some risk must understand the consequences of the risk that is being accepted. This means that a conscious understanding and decision on the acceptance of any risk is important in effective management.


External Risks

External risks are the impacts of risk occurrences that are not in the direct control of business process owners. However, the business process owners must be aware of these external risks and manage them. These external risks can have a significant impact on the achievement of objectives.

Some Examples of External risks:

• regulation changes

• weather

• unions

• technology changes

• impacts of competition

• overall economics

• understanding and changes in socially accepted norms

• international risk

• political risk

Some Risk Opportunities

• putting assets to work by their nature generates risk

• competence levels of employees (the less capable employees are, the higher the risk; for example, new employees allow for the opportunity of more risk as they are learning than do more experienced employees)

• complexity of business (the more complex a business or process, the higher the risk)


Relationship of management processes, risks, and the assets of the enterprise

Below is a high-level diagram of the relationship of management processes, risks, and the assets of the enterprise. Included within the arrow marked "Management Process and Control" are the internal controls governing the process.

Source - David McNamee “Risk Management and Risk Assessment”


Risks can be controlled in a number of ways through risk management:

One of the more basic ways to manage risk is to avoid the risk altogether. This
simply means that if a risk is identified avoid any exposure to that risk. A simple
example of this would be if a possibility of dangerous driving conditions were
identified (risk) not driving would be (risk avoidance). In business not making a
substantial investment when an apparent risk of loss of assets in that investment
was identified is avoiding the risk altogether.

Another technique of managing risk is sharing the risk. Common to many of us is the purchase of insurance to help protect our assets (home, automobile, and even ourselves). With insurance, the insured assumes some risk and some risk passes to the insurance company. The amount of risk that is distributed between the insured and the insurance company should depend upon the risk that the insured is willing to accept.

A simple example of sharing risk in business would be the establishment of a partnership in a business venture. In this case, rather than one person assuming all of the risk, that risk is divided among or between the partners. However, it is important to realize that in this business case any benefits (opportunities) are also distributed among or between the partners. This would be based on any agreement between or among the partners. These agreements may be based on the amount of risk or benefit any of the partners may be willing to accept. Hence, percentages among or between the partners are considered.

Another approach to managing risk is controlling the risk. This means a risk has been
identified and is recognized as an inherent part of the process: the risk is simply
there. To manage it, the process owner establishes and employs appropriate controls
at the right time and in the appropriate amount. As a practical example, if a
homeowner lives in an area with frequent and extensive power outages and needs
constant power, possibly for medical reasons, a backup power system may be an
appropriate control. However, the cost of the backup power system (the control that
manages the loss-of-power risk) must be weighed against the homeowner's willingness
to accept that risk. Another consideration is the cost of the backup power system
compared with moving to a hotel that has power (another control for the same risk).

In business, a risk identified in a computer processing center (such as loss of
power or a natural disaster that may cause the computer system to fail) would
typically be controlled as part of an appropriate disaster recovery plan. Once again,
the cost of the disaster recovery plan should be weighed against the probability and
impact of a failure of the computer processing center.

84 © 2013 Contemporary Business Concepts, LLC, Danbury Connecticut USA


McKeever CRMA Study System Principles of risk management processes

A general consideration and caution relative to controlling risk is that controls have
a life cycle. Simply stated, controls can outlive their usefulness. What was an
effective control at some point in the past may not be effective today, and a control
that has outlived its usefulness can even be counterproductive.

An example: at some point in the past it was necessary to have multiple levels of
security (including guards) and other security devices protecting the assets in a
building. These security controls were, and still are, expensive. In the past they
were appropriate. Today, however, there are no assets in the building, yet the security
devices and guards are still protecting the empty building. In this case the controls
are no longer effective, and their substantial cost is actually counterproductive:
the organization is paying for a control that is no longer needed because the risk is
no longer present.

It is necessary to determine whether a risk exists (identify the risk) before a method
of managing it can be employed. So the question is how risk can be identified with
the least amount of complication and intimidation.

Approaching the identification of risk with the old adage "keep it simple" is probably
the best approach. However, remember that in today's process environment the
complexity of processes and the ever-changing environment in which they operate add
complication and intimidation to the risk identification process. It is virtually
impossible for any one person or group to understand all of the variations and
possibilities of risk in today's complex business environments. Therefore it is
necessary to rely on as many sources and inputs as possible to help identify apparent
risk.

So what sources can be used? First, history: remember that what has happened in
the past may very well happen in the future. Because technology and the wider
environment change so rapidly, some judgment and common sense must be applied
when comparing past events to current conditions and estimating the probability of
future events.

Professional associations like The Institute of Internal Auditors have specific
specialties and are great sources of information. Most professional associations
have extensive research in their areas of specialty and are willing, at minimal or no
cost, to provide that information to interested parties. Do not hesitate to tap into
professional associations for help.


Note: it is wise to know as many professional associations as possible and
their areas of specific focus. Many of these professional associations
routinely produce industry surveys and trade journals, which can be a
valued resource.

Another way to identify risk is to work backwards. Start with the controls (or the
basic control objectives) and ask how well each control category is working.
Remember that the less well the controls work, the more the risk increases.

The Institute of Internal Auditors' CARES

These are common control objectives that originated in an early version of The
Institute of Internal Auditors' Standards (their initial letters spell CARES). These
control objectives are not only a reference for internal audit but an excellent
framework for business process owners as well.

• Compliance with laws, regulations, policies, and procedures

• Accomplishment of goals and objectives

• Reliability of all information

• Efficient and effective use of resources

• Safeguarding assets

Using the backward approach to risk identification, address each of these control
objectives and determine any weakness in it. Weakness in one or more of these
control objectives may result in risk, and the amount of risk rises in proportion to
the amount of weakness in each category: the weaker the control, the more
uncontrolled risk remains. For example, if a weakness is determined in the
safeguarding-of-assets objective (some security controls are in place, but not enough
to optimize the management of the risk), the amount of risk determined to be
uncontrolled requires a decision either to accept it or to control it.


Answer the Following Question.

10. There are four basic tasks necessary when conducting a risk management
exercise. These tasks are: identify the risk, measure the risk, prioritize the risk,
and act on the risk. Which of the following would not be considered part of the
act task?

a. share
b. avoid
c. prioritize
d. accept

See Application Questions, Answers & Explanations module for the answer.

Summary

Risk analysis is a rational, orderly, and comprehensive approach to problem
(risk) identification and probability determination. It is a method of anticipating
and estimating expected loss from the occurrence of some adverse event.

The key word when dealing with risk analysis is "estimating". Risk analysis is
neither a science nor a one-time process. The business changes, and as it does the
necessary adjustments must be made to accommodate the new business
environment.

Risk analysis is a process which requires focused work to complete. Risk
analysis also needs management's support in order to achieve a successful
outcome.

By its Own Existence Risk Analysis is a Control

Reminder: The Efforts and Costs to Control Risks should be Compatible with the
Cost and Impact of the Risks - Except In Extraordinary Circumstances.


Consider This Approach: How Often Can Something Happen (probability)?
And What Happens When It Happens (impact)?

This simple concept actually originates from a formalized risk assessment
formula. The formula measures the probability of a risk event happening (how
often can something happen) and the impact of that risk event when it occurs
(what happens when it happens). This simple phrase puts risk assessment and its
components into everyday thinking.

Two red flags when identifying risk are 1) recognizing that something is not the
way it should be and 2) the probability of that something happening.

Additional Thoughts – Risk Identification


Risk identification involves speculating about the relevant threats (and possible
opportunities) that could affect a process' ability to achieve its business goals. The
three main approaches to risk identification are exposure analysis (identifying risks
that could affect assets), environmental analysis (identifying risks that could affect
operations management processes and controls), and threat scenarios (a specialized
exposure analysis for identifying risks in fraud and/or disaster situations).

Which of these approaches is most appropriate depends on the situation and the
timing of the process being analyzed.

Remember Risk Analysis Requires An Understanding Of The Probability,
Impact, And Time Of The Potential Risk.

Risk Management Is A Concept That Managers Use Or Should Use To
Identify Concerns About The Probable Effects Of An Uncertain
Business Environment.


Probabilistic Risk

In life, humans have to make decisions about outcomes without perfect or
complete knowledge of the current or pending circumstances. The gap between
perfect knowledge and the knowledge actually available introduces probabilistic
risk.

For consideration: risk management of outsourced activities, such as vendors and
consultants, is a relatively new but rapidly growing area of risk.

Preventive controls are probably the best way to manage outsourced risk. Background
checks, references, financial checks, and written contracts are wise preventive
controls. Legal advice is also very appropriate when establishing a relationship with
an outsourced provider. Do not hesitate to consult legal professionals.

Contracts can vary in detail and specificity. However, contracts should be designed
with a detailed understanding of the relationship and of the risks specific to each
outsourced relationship. Typical inclusions in outsourcing contracts are right-to-audit
clauses and penalties for non-compliance, for example penalties imposed when the
quality of services or products, or deadlines, are not met. In some cases incentives
for exceeding quality expectations or deadlines may even be appropriate.

Remember that the contract, and the amount of detail it contains, is a control.
Therefore its complexity and detail should be guided by the opportunity for risk in
the outsourced activity. Get legal advice.

It is wise for internal audit to partner with the legal professionals and the process
owners when the process owners are engaging in outsourced activities. The internal
audit professionals bring a risk and control perspective to the project, the legal
professionals a legal perspective, and the process owners an operations perspective.

The December 2012 Internal Auditor magazine article "A Close Eye on Business
Partners" identifies many types of outsourced partners and the opportunity for risk
possible with each. The article can be obtained by contacting The Institute of
Internal Auditors or online at internalauditoronline.org.


Below are some common ways to approach a risk assessment (a combination of
these approaches is generally better than any one approach).

• subjective risk factors.

• objective or historical risk factors.

• calculated risk factors.

Both subjectivity and objectivity are important when performing a risk assessment.
Straight risk formula calculations are not enough!

Removing Bias from Subjective Risk Factors


Using risk factors means relying on a number of subjective judgments about risk.
Applying risk assessment formulas first and then incorporating subjective judgments
into the assessment is an excellent approach.

Objective, historical, and calculated risks can be easily measured for use in a
quantitative risk model. Subjective risk factors are not as easily measured. Here are
two approaches, generally used in this order, to minimize the bias that comes with
subjective risk assessment.

1. Intuition
Studies have shown that experienced risk and control experts can use intuition
to arrive at reasonable estimates of risks that cannot be measured accurately
with mathematical risk formulas. This type of measurement should be done on
site, where the full range of influences (observations, interviews, and analysis)
can be understood.

Intuition can and should be combined with collaborative processes.

2. Collaborative (Group) Processes

The Delphi Technique and other group decision tools, such as Control/Risk
Self-Assessment, are useful for pooling the experience and intuition of a larger
group of subject matter experts. With these tools, consensus about the issues
and corrective action is based on the expertise and perspectives of several
subject matter experts. These consensus techniques minimize measurement bias
because debate tends to cancel out personal bias.


Example: Delphi Technique

• a panel of "subject matter experts" (experienced people whose judgment on the
issue is valid) is gathered. Usually the panel consists of three or more people;
however, groups as small as two can be used. The technique can work well even
if the panelists are not in the same room; however, their opinions should be
solicited at the same time

• for risk assessment, a list of the items to be assessed is presented

• each panelist privately ranks the items and weights the risk of each item on
the list

• all lists are turned in to the coordinator

• the coordinator compiles a composite list of the items by averaging the
scores received

• the coordinator gives a copy of the composite listing and the individual
listings back to the respective experts

• the experts compare their own lists with the composite list and may adjust
their lists in light of the group's judgment

• the steps are repeated until consensus is reached (this usually happens in a
few rounds)
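The rounds listed above, simulated end to end. This is an added example (not code from the study guide or from The IIA): the panel, the risk names and the scores are constructed, and the rule that each panelist moves a fixed fraction of the way toward the composite after each round is a modelling assumption used to show how the spread of opinion narrows until the coordinator's consensus test passes.

```python
"""Delphi-style consensus rounds over a list of risks (added example).

Constructed sample: three panelists A, B and C privately score four assumed
risk items from 1 to 10 (10 = most significant). Nothing here comes from the
study guide; the names and numbers are illustrative only.
"""
from statistics import mean, pstdev

INITIAL_SCORES = {
    "loss of data centre power": {"A": 9, "B": 6, "C": 8},
    "vendor misses deadline":    {"A": 4, "B": 8, "C": 5},
    "key-person dependency":     {"A": 7, "B": 7, "C": 4},
    "unpatched ERP server":      {"A": 8, "B": 9, "C": 9},
}


def composite(scores):
    """Coordinator step: average each item's scores into the composite list."""
    return {item: mean(list(by_panelist.values()))
            for item, by_panelist in scores.items()}


def spread(scores):
    """Disagreement per item: population standard deviation of the panel's scores."""
    return {item: pstdev(list(by_panelist.values()))
            for item, by_panelist in scores.items()}


def revise(scores, comp, pull):
    """Panelist step: each expert compares their list with the composite and
    moves a fraction 'pull' of the way toward the group's judgment. This is a
    modelling assumption; a real panelist may hold their position (pull = 0)."""
    return {
        item: {p: s + pull * (comp[item] - s) for p, s in by_panelist.items()}
        for item, by_panelist in scores.items()
    }


def delphi(scores, tolerance=0.5, max_rounds=10, pull=0.5):
    """Repeat score -> composite -> feedback until every item's spread is within
    'tolerance'. Returns (rounds_used, composite ranking from highest to lowest).
    If the panel never converges, the ranking after max_rounds is returned."""
    current = scores
    for round_no in range(1, max_rounds + 1):
        comp = composite(current)
        if max(spread(current).values()) <= tolerance:
            return round_no, sorted(comp.items(), key=lambda kv: kv[1], reverse=True)
        current = revise(current, comp, pull)
    comp = composite(current)
    return max_rounds, sorted(comp.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    rounds, ranking = delphi(INITIAL_SCORES)
    print(f"consensus reached after {rounds} round(s)")
    for item, score in ranking:
        print(f"  {score:5.2f}  {item}")
```

With these figures the panel converges in three rounds; note that averaging preserves each item's composite score, so the feedback rounds change the agreement around a rank, not the rank itself. With `pull=0` (nobody moves) the loop exhausts `max_rounds`, which is the case a coordinator has to plan for: the technique narrows opinion only if the experts actually reconsider.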

Control self-assessment, or risk self-assessment, is similar to the Delphi technique
in that it involves a facilitator and a group of subject matter experts. It differs from
the Delphi Technique in that all of the subject matter experts are in the same room.
A facilitator encourages the subject matter experts to voice their opinions about the
apparent risks within their areas of responsibility. Once a list of these risks has
been identified, a measurement and prioritizing process can take place in which the
group identifies the most significant risks from the entire list (measurement).


Additional risk management tools


SWOT Analysis: this model addresses the strengths, weaknesses, opportunities,
and threats of a proposed project. It works particularly well when analyzing the
feasibility of a major proposed project. With a group of subject matter experts in
a discussion group, each category is discussed so that the strengths, weaknesses,
opportunities, and threats of the project can be identified by group opinion. (This
can be completed individually as well, but a group of experts provides a more
diverse perspective.) The results of the analysis give a reasonable picture of the
feasibility of the proposed project.

Sensitivity analysis: is based on a strategic planning model. It is completed by
asking the question "what if": "if this happened, what would we do?" and "if this
happened, what would happen to the customer base, revenue, morale, etc.?" Again,
this can be completed individually or in a group. Remember that a group tends to
provide a more diversified perspective.

Economic analysis: helps determine the economic advantage or disadvantage of
putting assets to work. Remember that putting assets to work generates risk. From
the economic analysis a determination can be made of what the rate of return will
be (a target rate of return should be established as a benchmark before the analysis
is conducted), what allowance should be made for the future value of money
(investment), and what the return on the assets put to work will be, to name a few
of the economic determinations.

These are a few methods of conducting a risk assessment. No matter which
method is used, it is wise to bring as much subjective and objective input, from as
many sources as is practical, into the risk assessment process. The amount of effort
and investment (time, money, resources) should be driven by the anticipated and
perceived risk. Remember that risk assessment is a control by itself; therefore the
amount of this control (risk assessment) should be driven by the anticipated risk.

Risk assessment should include both a quantitative and a qualitative analysis. It
is wise to step back from the risk assessment and, individually or as a group, ask
"does this make sense?" This test helps ensure that a great job is not being done
on the wrong thing (for example, applying controls where they are not needed).


The following diagram outlines the risk management approach and the
interrelationships among the various components involved.


Risk measurement should involve subjective judgment, mathematical
computations (risk assessment formulas), and references to objective and historical
data.

Some factors commonly used when scoring the risk of an area or process:

• dollars at risk

• liquidity of the assets at risk

• competence of management and employees

• strength of internal control (weakness in internal controls can cause
exposures or potential risk)

• time since last audit

Risk Terms
Risk is a concept. It is a measure of uncertainty (probabilities). In business
processes the uncertainty involves the achievement or the barriers to achieve
organizational objectives. Risk may have positive or negative consequences.
Generally, positive consequences are known as opportunities and negative
consequences are called threats or risks.

Consequences are the tangible outcomes of risk on decisions, events, or
processes. Although it can be difficult to identify and measure intangible risks
(sometimes called soft issues, such as low morale, a poor work ethic, or an
inadequate management style), we can and should anticipate the implications of
these soft issues.

Consequences can vary in severity depending on a number of factors such as:

• the assets at risk

• the type of threat

• the duration of the consequence

• the effectiveness of controls in place


Exposure is the susceptibility to loss or a perception of a threat to an asset or
asset-producing process. Generally, the more valuable the asset is to achieving
the organization's established objectives, the more important that exposure
becomes. Exposure is controlled or diminished by adequate and effective risk
management techniques, including designing and maintaining effective controls.

Threat combines the risk, the consequence of that risk, and the likelihood that the
negative event will take place. The type of threat is actually an expression of the
type of consequence, such as fire, flood, error, omission, delay, fraud, breakdown,
or obsolescence. Threats are always present; controls keep them in check (as long
as the controls are effective).

The duration of the consequence affects its severity. This can be well described
with an example of a computer center. Most computer center managers will tell
you, if the computer is down for an hour, that's one consequence. However, if the
computer is down for a day that's another, and if it is down for a week that is
another and much more severe!

Finally, risk also can be referred to as "High", "Medium", or "Low." Taken literally,
that would mean that the probability of occurrence was respectively great, average,
or remote. A caution when using these types of terms: These terms can
mean different things to different people or organizations. It is important when
using such terms that specifics (such as quantifications) be attached to these
generic words.

Summary:

• risk is a measure of the uncertainty in events as a result of changes in the
condition of the business environment. The focus of management is how to
address the consequences of the risk (with adequate and effective controls).

• the strategic role of management in the organization should be matched with
a strategic risk assessment process for the organization. The key to the risk
assessment process lies in the chain of goals and objectives that permeates
the organization.

• management control systems play an important part in the perception of risk.
Strong controls give the impression that risk is minimized (only if they work,
are not outdated, and are effective). In fact only the consequences are
minimized: there are no practical methods for making uncertain events (risk)
more certain.

• the management of risk follows the assessment of risk, just as treatment
follows diagnosis. To manage risk is the essence of good management.


Many organizations include a Risk Management function in their processes. This
specific function, in addition to the internal audit function, may be a separate
organizational function of corporate governance that supports the organization in
achieving its goals and objectives.

Risk Communication is another function important to organizations and to the
appropriate and adequate management of risk. Communication includes, or should
include, crisis management, disaster planning, recovery operations, and similar
situations. Communications about risks and threats should reach everyone, and
reach them effectively.

The following diagram illustrates the 3 major parts of a successful Risk
Analysis, and the three elements within each part.

Risk Analysis

• Risk Assessment: Risk Identification, Risk Measurement, Risk Prioritization

• Risk Management: Diversify the Risk, Share the Risk, Control the Risk

• Risk Communication: Between Experts, Expert to Management, Management
to the Public

Source - David McNamee "Risk Management and Risk Assessment"


Answer the Following Question.

15. Objectives are a very important element for the success of any process.
Which of the following would most likely be the root cause when the
consequences of risk among and within various processes are not adequately
considered?

a. there is no evidence of an analysis of the probability and impact of risk
b. an adequate risk assessment had not been completed
c. this is not an issue because each process probably has different
functions and objectives
d. communications is weak

See Application Questions, Answers & Explanations module for the answer.

Summary

Probability is the likelihood of a risk event occurring.

Impact is the result (consequence) of the risk event happening.

Time is how long an asset is out of service and when it went out of service.

Two things to consider: when it happened and how long it continued.

The time an asset is out of service determines the consequences. In other
words, what revenue loss, what other missed objective, or what other type of
exposure (security, etc.) becomes apparent while the asset is out of service.

Time may be considered in risk evaluations. Ask the question "Is the risk time
sensitive?" The answer will help determine whether time should be included in
specific risk formulas and evaluations.


Risk assessment requires two distinct elements. Although not strictly necessary,
it is recommended that actual measurements using various risk assessment formulas
be applied. These formulas provide a general perspective of apparent risk as
well as its magnitude, and they can be used to prioritize risks by magnitude of
importance. (Caution: it is not wise to use these mathematical formulas alone as
a final determination of risk.)

The second element of risk assessment is subjectivity. While the mathematical
formulas provide a general perspective of risk, the subjective evaluation of the
identified risk should be considered more important. In any risk assessment
process the application of subjectivity cannot be emphasized enough.

A risk assessment process should include a formula analysis and then a
conscious determination, from as many experts and inputs as possible, about the
appropriateness of the formula conclusions. In other words, does the formula
make sense?

Of the two elements of the risk assessment process, the formula approach and the
subjective approach, the subjective approach is probably the more important.

Some Risk Assessment Models

Direct Probability Estimates

• Total Risk = IR x CR x AR

• IR = inherent risk

• CR = control risk

• AR = audit risk (note: in the standard audit risk model the third factor is
detection risk, the chance that the audit procedures fail to detect a material
problem, and audit risk is the product of inherent, control, and detection risk)

Annualized Loss Expectancy (ALE)

• ALE = P x T x I

• P = probability

• T = time

• I = impact


Modified ALE

• Considers the probability of control failure

• ALE = Pt x Pc x Q

• Pt = probability of the threat occurring

• Pc = probability of control failure when the threat occurs

• Q = maximum impact in dollars

Ranking and Traps

Absolute Ranking

• risks & consequences of business unit

• identified / measured

• ranked by their score

Relative Ranking

• risk & consequences of business unit

• identified / measured

• grouped into natural clusters

• assigned relative values

TRAP: words like the following can mean different things to different
people

• high

• medium

• low


Matrix Ranking

A form of relative ranking.

Matrices are used to measure the risks and consequences of the business unit:
the components are sorted onto the two axes (risk, i.e. probability, on one and
consequence, i.e. impact, on the other), and each cell of the matrix results in a
ranking of:

• high

• medium

• low

Once the quantification has been established, each risk can be prioritized in
order of importance. Again, this should be done by interpreting the quantifications
and applying both objective and subjective input.
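The formulas and ranking methods above, worked through on one small risk register. This is an added example with constructed figures, not code from the study guide: the risk names, probabilities and dollar amounts are assumed, the guide's ALE = P x T x I is read with I as loss per hour out of service (so T x I is the loss per event), and the numeric thresholds that define "high", "medium" and "low" are assumptions that address the TRAP noted above by giving those words a definite meaning.

```python
"""ALE, modified ALE, absolute ranking and matrix ranking (added example).

All figures are constructed for illustration; nothing here is from the guide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    p_threat: float        # P / Pt: annual probability the threat event occurs
    p_control_fail: float  # Pc: probability the control fails to contain it
    hours_out: float       # T: expected hours the asset is out of service per event
    loss_per_hour: float   # I: loss in dollars per hour out of service (assumed reading)
    max_loss: float        # Q: maximum (worst-case) impact in dollars


RISKS = [  # constructed register
    Risk("data centre power loss", 0.8, 0.05, 4, 20_000, 500_000),
    Risk("vendor misses deadline", 0.3, 0.50, 40, 500, 100_000),
    Risk("unpatched ERP server", 0.6, 0.70, 24, 10_000, 1_000_000),
    Risk("office break-in", 0.2, 0.30, 2, 1_000, 20_000),
]


def ale(r: Risk) -> float:
    """ALE = P x T x I: annual frequency times outage hours times loss per hour."""
    return r.p_threat * r.hours_out * r.loss_per_hour


def modified_ale(r: Risk) -> float:
    """Modified ALE = Pt x Pc x Q: only the share of events the control fails to
    stop is charged, at the maximum loss."""
    return r.p_threat * r.p_control_fail * r.max_loss


def absolute_ranking(risks, score=modified_ale):
    """Absolute ranking: every risk is scored and ordered by that score."""
    return [(r.name, score(r)) for r in sorted(risks, key=score, reverse=True)]


# Explicit bands (lower bound inclusive, label), highest first. These numbers are
# the assumption that turns "high/medium/low" into something two people agree on.
PROB_BANDS = ((0.5, "high"), (0.1, "medium"), (0.0, "low"))
IMPACT_BANDS = ((250_000, "high"), (50_000, "medium"), (0, "low"))

# Matrix cell -> rating, indexed by (probability band, impact band).
MATRIX = {
    ("high", "high"): "high", ("high", "medium"): "high", ("medium", "high"): "high",
    ("medium", "medium"): "medium", ("high", "low"): "medium", ("low", "high"): "medium",
    ("medium", "low"): "low", ("low", "medium"): "low", ("low", "low"): "low",
}


def band(value, bands):
    """Map a number onto the first band whose lower bound it reaches."""
    for lower, label in bands:
        if value >= lower:
            return label
    return bands[-1][1]


def matrix_ranking(risks):
    """Matrix (relative) ranking: probability that a loss actually lands (threat
    occurs AND the control fails) on one axis, worst-case impact on the other."""
    return {
        r.name: MATRIX[(band(r.p_threat * r.p_control_fail, PROB_BANDS),
                        band(r.max_loss, IMPACT_BANDS))]
        for r in risks
    }


if __name__ == "__main__":
    print("modified ALE ranking:")
    for name, score in absolute_ranking(RISKS):
        print(f"  {score:>12,.0f}  {name}")
    print("matrix ranking:", matrix_ranking(RISKS))
```

The two views do not have to agree, and that is the point of using both: the power-loss risk ranks second by either ALE figure, but the generator drops the chance that a loss actually lands to 4 percent a year, so the matrix places it at medium. The subjective check the guide calls for is exactly the discussion of which of those two pictures management should act on.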

Traps

Conscious consideration should be given after the appropriate mathematical
evaluations. The evaluations by themselves are not enough. Business professionals
should apply common sense to the mathematical evaluations to determine whether
they make sense, and adjust them as needed.

Risk Assessment is Not a Science

Risk Assessment is the Consideration of

the Probable Material Effects of Uncertain Events.


Risk Assessment Philosophy

Risk assessment should encompass all of the business processes. Risk assessment
should be an ongoing process, not an effort that becomes fixed: the assessment
should change as the environment in which the business process operates changes.

The evidence developed in the risk and control assessment process can be an
effective guide for the appropriate application of risk identification, risk
management, risk prioritization, and the application of appropriate controls.

A few words about evidence

The word evidence is often mistakenly associated only with fraudulent activity.
This is not so.
The objective of evidence is to give proof of the truth of, or support belief in, an
issue. In terms of risk assessment (identification, measurement, and prioritization)
evidence supports the belief in the significance (probability and impact) of the
consequences of a risk.
Evidence is appropriate in a risk assessment process to help those involved believe
in the risk issues. Hence it is more likely that the appropriate corrective action
(application of controls) will be employed. Evidence also facilitates formal
documentation of the risk and/or of the controls that manage the risk event.

Types of evidence
Best evidence: Primary evidence is generally original documents. This is the
strongest form of evidence. It is also the most difficult to dispute. However, be
careful of what is considered primary evidence. What may appear to be primary
on the surface may not be. It is important to validate the source if there are any
questions of authenticity.
Secondary evidence is not as solid as primary evidence. It often consists of
copies of original documents. Copies can be altered, which diminishes their
strength as evidence.
Direct evidence proves a fact without the necessity to use presumptions or
inferences. An example is direct testimony from a witness who has observed an
event.


Circumstantial evidence does not directly prove the existence of a fact. It does
give an inference that a fact exists. Circumstantial evidence by itself should not
be used to establish a fact.
Conclusive evidence is very strong evidence. By itself, it establishes a
condition or fact. Conclusive evidence is stronger than all other types of
evidence. Only one reasonable conclusion can be drawn from conclusive
evidence.
Corroborative evidence is evidence of a different character that when combined
with other evidence will establish the fact.
Opinion evidence is often used by expert witnesses. Evidence should establish
a fact. Opinion evidence is, as it says, the opinion of the person providing the
information. Even though experts often provide opinion evidence, the opinion of
every human being will differ. Opinion evidence is often used to clarify a point for
individuals less familiar with the topic.
Hearsay evidence is second-hand evidence. Hearsay evidence is made by
someone other than the person who directly witnessed the event. This should
not be taken by itself as the sole evidence to support a fact. However, hearsay
can be used as an indicator to prompt further investigation.
Physical evidence is obtained through observation, photographs, charts,
graphs, or other physical representations. A witness in the observation process
can further substantiate the physical evidence. This can help eliminate
controversy about the representation of the physical evidence.
Testimonial evidence is in the form of letters, statements, or notes in response
to inquiries or interviews.
Documentary evidence is documentation received by request. They are
documents related to the process being examined. Some examples include logs,
absence records, error reports, and packing lists.
Analytical evidence is evidence which results from such events as analysis,
recalculation, and verification.


Evidence should possess the following components:


Sufficiency. This means that evidence should be adequate to provide a person
with appropriate knowledge of the facts. The type and method of sampling used
should also be appropriate for the objectives.
Competence. Competent evidence should be the best obtainable. The best
evidence is generally from various inputs and is compared to others. In addition,
competent evidence should be from reliable sources.
Relevance. Relevant evidence should be related to the issues being reviewed
or discussed. For example, although shipping invoices are good evidence in
some cases, they may not be relevant to whether goods were received.
Relevant evidence needs to be related to the issue and must prove or disprove
the condition.
Evidence and the proper application of evidence are useful tools in a risk
assessment process. Evidence may help establish a condition which everyone
can recognize, believe in, and, most importantly, address.

A Control is A Process That Guides an Activity Toward Some Predetermined
Objective. The Objective Should Have Some Desired or Anticipated Outcome
Which is Understood By All Those Involved in The Process.

The Concept of A Control Cannot Exist Without a Clear Focus of The End
Achievement.


Integrated Control Frameworks


Integrated control frameworks can help identify, measure, and prioritize risk in
multiple and related dimensions of a process. Consequently, they help identify
needed controls in these dimensions of the process.

Control Frameworks and Rules and Regulations: an Overview


Integrated control frameworks began to evolve as a reactionary control, a
response to multiple control breakdowns in business and government. One of the
first to emerge was produced by The Committee of Sponsoring Organizations
(COSO) of the Treadway Commission headed by James Treadway. This integrated
control framework became known as COSO.

The COSO independent commission solicited input from various business and
government professionals. Their purpose was to develop a standardized risk
and control framework which could be applied to any business or process.

In addition to providing a standard for risk and control management, which had
been inconsistent to this point among businesses and government entities, this
framework would introduce a new concept in risk and control management.
The framework incorporated integration. This meant that risks and controls
would now be evaluated both horizontally and vertically across multiple
entities of an organization.

With COSO risks and controls would now be evaluated in a holistic view of
an entire organization including how various entities synergized or did not
synergize for a common objective.

It was realized that the root cause for inadequacies in the hard controls actually
resided in the adequacy or inadequacy of the soft controls. A new component of
risk and control management was also introduced with the advent of COSO.
COSO encourages a sincere evaluation of the soft controls and issues.

Traditionally risk and control professionals evaluated the more tangible controls
(the hard controls). The evaluation of these soft controls generally was a new
concept to traditional risk and control and business professionals. Assessment
of these soft controls now would require professionals to evaluate such things as
morale, ethical values, attitude, management philosophy, and employee
competency.

With the advent of this first integrated control model other organizations began to
develop subsequent and more specific control models focused on individual
process needs. Also as with most new developments, these subsequent models
incorporated enhancements to COSO.


The next model introduced was Criteria of Control Committee (risk management
and corporate governance) (CoCo) developed by The Canadian Institute of
Chartered Accountants. This model incorporated a feedback loop that was a major
improvement over the original COSO model.

A number of other models were introduced subsequent to the CoCo model.
These included Cadbury from the United Kingdom, COBIT from ISACA for IT
professionals, the Enterprise Risk Management (ERM) model from the Treadway
Commission, and the revised 2013 COSO Model.

The ERM model, again, developed as a reaction to risk and control issues in
business and government, incorporated enhancements above all existing
models. One of the major enhancements of ERM is the specific requirement to
analyze strategy. As such, an analysis of strategic planning is required to
complete an ERM analysis.

Just a note: Strategic planning not only facilitates a view of the future by
asking "if this situation happened, what would we do?", but also helps evaluate
external risk. External risk and strategic planning are synonymous.

Parallel to the implementation of these control models, a number of other
tools were introduced to help better manage risk and controls. These included
the Public Company Accounting Oversight Board (PCAOB), Sarbanes-Oxley (SOX), a
number of quality analysis models such as Malcolm Baldrige, the International
Organization for Standardization (ISO) series, and Basel III (the most recent
model in this category), which focuses on and strengthens prior versions of the
Basel financial and banking regulations and applications.

Because international business relationships are routine and increasing, a
number of countries have instituted their own models. The U.K. Bribery Act is
one of the most stringent. In addition to this act, China, Russia, India, and
Brazil have also instituted bribery acts of their own. With these acts in
place, the business interrelationships between and among these countries
require specific legal interpretation.

Most recently, because of the extensive and growing business relationships
among countries, ISO 31000 has been introduced. ISO 31000 is designed to
provide a standardized internal risk and control management philosophy
internationally.


From a legal perspective, with the exception of the United States Foreign
Corrupt Practices Act (FCPA), Sarbanes-Oxley (SOX), and the various
international bribery acts, the integrated control frameworks, including
ISO 31000 and Basel III, are only recommendations, not legal requirements.

However, in the United States, even though Basel III is only a
recommendation, the Federal Reserve Bank, the overseer of United States
banks, indicated in December 2011 that it would implement substantially all
of the Basel III rules, emphasizing that these rules would apply to all banks
as well as other financial institutions with more than $50 billion in assets.

Back to the Basics

Three parts of a business

• objective

• risk

• controls

These Are The Three Components Of an Effective Control System.

The Objective is What to Try to Accomplish.

The Risk is The Barrier that Will Stop the Accomplishment of the Objective.

The Controls Are What Will Remove Or Diminish The Risk Barriers.


Back To Basics First Internal Controls

Elements required in an effective control system:

• objective

• monitoring

• adjustment (verb)

The noun and the verb elements are both required in an effective control system.
A noun is a more tangible control like a report, a policy and procedure, or job aid.
The verb is the softer issue. For example, how well the noun works. Does the
report work? Do the workers understand the importance of the report?

The verb is the action part of controls which facilitates the noun
functioning as it is intended.

A Noun Without The Verb Will Allow The System To Fail.

Controls Have a Useful Life, Just Like Anything Else.

When The Controls Are Not Helping to Achieve the Objective, Eliminate or
Change Them.

Add Value By Combining, Eliminating And Changing Existing Controls.

The Mission Of Controls Is To Help The Business Reach Its Objectives As
Efficiently, Effectively, And Continually As Possible.

Controls Should Be Part Of The Normal Way Of Doing Business. They Should Not
Just Be An Add-On To The Process.

Controls are a way to manage risk. However, the word "controls" has a number
of connotations and applications. The word control comes from the Latin word
contra. Contra means against. By more contemporary definitions, the word
control means to hold back, constrain, or tie down. In terms of accounting or
auditing, the word control means, in simple terms, something that will fix or
manage risk.


Just like the varied definitions of controls, in the context of audit and
accounting, the word controls has varied applications. A primary application
consideration is where in a process controls should be applied. Consider the
three applications of controls: preventive, detective, and corrective. The
application of controls is best served in a preventive application. However,
it is important to remember that even though preventive controls are put into
place, detective and corrective controls are still very much needed. Detective
and corrective controls should be used to monitor and adjust for inadequacies
in the effectiveness and efficiency of preventive controls.

Good, Better, and Best Controls

Corrective Controls ... Good
Detective Controls .... Better
Preventive Controls ... Best

In general, it is much better to prevent problems before they happen,
correcting a relatively minor issue as opposed to correcting a major issue.
This proactive approach is more effective than waiting for problems to
occur and then reacting to the problem after the fact.

Preventing problems has greater benefits both in the long-term and
short-term.

The next question is who is responsible for the application of the preventive,
detective, and corrective controls? To answer this question, consider who owns
objectives, who owns risk, and who should own the controls to manage
objectives and risk.

The Cost of Controls Should Approximate The Cost of The Risk They Are
Controlling!

Some Exceptions: Life-Threatening Situations, Severe Consequences to
Reputation.

A Conscious Business Decision!

When the Cost of Controls Substantially Exceeds The Cost of the Risk They Are
Controlling, Adjust.


The Answer is: EVERYONE

Many business professionals claim ownership of setting objectives. They claim
ownership of the risk inherent within their processes. However, in many cases,
the same process owners will claim that the audit department should design and
manage controls because they are considered control experts. Generally, the
audit department is a small group within a large organization. It does not make
much sense for only a small group of risk and control experts to manage the
controls while the majority of the organization has little management of controls.
The more people within an organization that understand risk and control
concepts and then accept responsibility for risk and control management within
their areas of responsibility, the better.

No process owner would say that the audit department should set their
objectives. Therefore, if objectives, risks, and controls work together, why
would a process owner say that someone else should develop and manage
their controls?

Integrated Control Frameworks

Detailed Overview of The COSO

COSO

COSO is one Integrated Control Framework.

The Committee of Sponsoring Organizations of the Treadway Commission
introduced the COSO framework.

COSO is an important step in expanding the understanding of the total internal
control package. One of the most important concepts in COSO is the principle of
universal applicability. This is predicated on the concept that the internal
control process contains the same elements at the lowest level of the
organization as it does at the highest levels. Therefore, control assessments
that are carried out at lower levels have validity when aggregated ("rolled up")
through lines of organization to the top.

COSO is a systematic, step-by-step method used to evaluate and address the
adequacy of controls in multiple dimensions of a process (integrated control
model).


COSO like many other risk and control models was developed in a reactionary
mode. It was engineered and developed to address weaknesses in business
and government.

COSO has three control objectives and five components. The five components
are applied to each of the three control objectives for a total of 15 dimensions.
For COSO to succeed, it needs to be addressed as a way of doing business not
just more work. It should not be built onto the process; it should be built
into the process.

As an integrated control framework, COSO will help process owners and auditors
evaluate the adequacy of controls in multiple dimensions (integrated model) of a
process. COSO will help give a picture of how well all of the controls in all of
the dimensions are working together.

COSO Was a Reaction to Problems in Business And Government.

We can learn from this and act PREVENTIVELY!

CONTROLS HELP PREVENT PROBLEMS

History:

• Watergate (1973 – 1976)
• FCPA (Foreign Corrupt Practices Act) (1977)
• Treadway Commission (1987)
• FDICIA (FDIC Improvement Act) (1991)
• Federal Sentencing Guidelines (1991)
• COSO (1992) (modified 2013)
• ERM (2004)
• SOX (2002)
• United Kingdom (UK) Bribery Act (2010)

The Lessons to Be Learned From this History:

It is Better to Anticipate and Prevent Issues than to Manage them After the
Fact.


Note: Of special concern are various international laws addressing fraud and
bribery not only within their geographic boundaries but also by companies or
individuals doing business within their boundaries from outside those
boundaries. An example is the U.K. Bribery Act, which has a near-universal
jurisdiction, allowing for the prosecution of an individual or company with
links to the United Kingdom, regardless of where the crime occurred. This Act
is described as "the toughest anti-corruption legislation in the world". These
types of laws impose severe penalties on those violating the law and also, in
various ways, seek to inhibit such violations by strengthening controls.

COSO:

• can help get to the root cause of business problems

• can be a preventive tool

• can help ensure compliance with regulations and policies

• can be considered an industry standard

• can help educate management and employees about risk and control
techniques

Getting to the root cause of a risk or problem requires some additional comment.
A major benefit can be realized whenever it is possible to get to the root cause of
a risk or exposure and fix it.

One simple method of getting to the root cause is simply asking a series of
"whys". For example, when a risk is identified, ask "why is that?", then ask
"why?" again, and again, until asking "why" reveals the same answer
repeatedly. Most likely, when the why question reveals the same answer over
and over, the root cause has been uncovered. This technique is not foolproof,
but it generally will give a good indication of the root cause based on the
opinions of those being asked why.


There is no magic number in the number of whys that should be asked. Some
say five whys others say seven whys. Probably the best answer is not some
specific number but the appropriate number of whys that is necessary to get to
the root cause.

It is beneficial to understand and address the root cause of weaknesses in
the control process.

Most often, the root cause of process problems resides in people's attitudes,
morale, ethical values, competency, and understanding of policies. In the
COSO model, these soft elements reside in the Control Environment component.
COSO encourages addressing the adequacy of the control system within the
Control Environment (the softer issues).

COSO is becoming an industry standard for addressing the adequacy of controls.
As such, it will help ensure compliance with various laws and regulations. An
example of this is compliance with the Federal Sentencing Guidelines and
Sarbanes-Oxley (SOX). Compliance can also mean compliance with internal
policies and procedures, the internal laws and regulations inherent in a
process.

Some COSO considerations:

• not one size fits all

• not the be-all and end-all (complete solution)

• not intended to replace traditional management and auditing!

• is just another tool.

• implementation is not the same for all organizations.

• should be considered as just another tool in managers' and auditors'
toolboxes - not considered a replacement for all other tools.

• can be most effective when it is used in concert with other and existing
tools.


COSO’s Three Control Objectives

• operations

• reliability of financial reporting

• compliance with laws and regulations

Remember that COSO Goes Beyond the Financials. It Is a Business Tool.

COSO is a business tool. For example, reliability of information was expanded to
include reliability of all information needed to make the business succeed (not
just the financial information). Further, compliance with laws and regulations has
been expanded to include compliance with policies, procedures, memos, training
manuals, directives, and anything that is used to guide a process.

Answer the Following Question.

32. The COSO integrated control model incorporates five components and three
control objectives. These 15 dimensions of a process allow for developing an
analysis of the process. Which of the following dimensions describes an
understanding of a Code of Ethics or Code of Conduct document?

a. control activities and security of assets
b. monitoring of wrongdoing activities
c. communications of financial requirements
d. control environment and security of assets

See Application Questions, Answers & Explanations module for answer.

COSO implementation is not the same for all organizations. It is a flexible
framework that requires conscious decision-making for implementation.


COSO’s Five Components


Component 1 - Control Environment

The core of any business is its people with their individual attributes including
integrity, ethical values, competence, and the environment in which they operate.
These are the key components of a business and the foundation on which
everything rests.

Tone at the Top: Part of the Control Environment

The tone at the top of an organization defines the cultural and ethical values of
an organization. If top-level professionals do not support the new techniques,
professionals at the lower levels of an organization will not either. Higher levels
of support for COSO increase the probability that it will be used successfully.
The objective is to get everyone involved. This may take both some bottom-up
and top-down involvement.

The Root Cause of Many Inherent Risks Reside in This Category.

Component 2 - Risk Assessment

A business must be aware of and deal with the risks it faces. It must set
objectives integrated with sales, production, marketing, financial, and other
activities to ensure the organization is operating in concert. A business must
also establish mechanisms to identify, analyze, and manage the related risks.
Risk assessment should encompass the entire business. It should be an ongoing
process and not become unchangeable.

As the business changes, risk assessment must change and be modified to meet
the new exposures of the business and processes.

Risk assessment can also be used as a tool to help improve a process from the
clients' perspective. Our clients may not be able to understand how to recognize,
evaluate, and protect against business risk.

Component 3 - Control Activities

Control policies and procedures must be established and executed to help
ensure that the actions identified by management are formalized. These are the
more traditional methods of managing a process. These activities are often
referred to as the hard controls. Generally, the best evaluation will incorporate a
combination of traditional management and audit approaches with the new
COSO approach.


The 15 dimensions of COSO provide coverage of the control environment,
risk assessment, control activities, and other control dimensions.

Using anything different from the traditional methods of risk and control
management may require some planning and convincing. Using COSO may be a
change from the traditional approach. Therefore, some planning and persuasion
may be necessary to convince process owners that COSO and other integrated
control models may be good process management tools.

Component 4 – Monitoring

The entire process must be monitored and modified as necessary. In this way,
the system can react dynamically, changing as conditions warrant. This is critical
to the success of the operation. No matter how well the control structure is
established, if it is not monitored and addressed, it will not be effective.

Process owners need to know if they are staying on the course and are meeting
their objectives. They need to know when the course has changed and need to
be able to change directions to meet the new objectives.

Component 5 – Information and Communication

Surrounding these control activities and the entire business process are
information and communication systems. Information and communications
enable the process to capture and exchange the information needed to conduct,
manage, and control the operations. Communications should be in all directions.
Communications should be sufficient to provide adequate and appropriate
information to those who need to be informed.

Communications should be a method for people to perform based on their
knowledge.

There were five control objectives identified in an early version of the IIA
Standards. They were and still are a good foundation for sound business
practices. In COSO, the five IIA control objectives were combined into three
control objectives.

When utilizing an integrated control framework like COSO to address risk and
control issues, mix, match, and combine the COSO elements to fit specific needs.
However, COSO does recommend reviewing all 15 dimensions. The fifteen
dimensions are the five components applied to each of the three COSO control
objectives. The ultimate objective is not to miss any dimension of a process in
the evaluation of that process.


                      Operational   Financial   Compliance

Control Environment                                 4

Risk Assessment                                     1

Control Activities                                  2

Monitoring                                          5

Communications                                      3

As can be seen from the matrix, there are 15 dimensions in the COSO model.
Using the code 1 - 5 in the Compliance column as an example, the first step
would be to determine what the risk of not complying is. From this, step 2
would be to prepare adequate documentation outlining the compliance procedures
(control activities and physical documentation controls). Next, step 3 would be
to communicate (via training, memos, meetings, etc.) the requirements for the
written procedures. Step 4 would be to determine if those involved understand,
believe in, and can work with the written procedures (control environment).

Step 5 is monitoring. In this case, a monitoring mechanism can determine if
those who implied that they understand and believe in the procedures actually
are complying.

Using the COSO integrated control matrix is like weaving a piece of fabric
together. It is an examination of how all of the elements that would make
effective control of a process are working together. Weaknesses in this weave
among or between these dimensions represent a control weakness which is risk.


Some Ways to Identify the Effectiveness of Soft Controls

• work the hard and soft controls together

• determine if there is a procedure in place

• interview, observe, and similar tools

• determine if employees understand

• determine if employees care

• determine if procedures are followed

Keeping the end objective in mind is important when using COSO. Using COSO
the end objective should not just be to do a checklist risk and control
assessment. It should encompass an analysis of multiple dimensions of the
process and an analysis of the soft issues as well as the more tangible issues.

Trying to gain an understanding of the soft-issue risks and the adequacy of
controls can be a challenge. In general, the best way to determine soft issues
that may need to be addressed is to interview and talk (conversationally) with
the individuals involved in the process being reviewed. Understanding how they
feel about the process they are involved in is a major step to understanding
if there are soft issues to be concerned with.

Communication with those involved in a process, with less physical testing, is
an excellent approach to understanding the adequacy of any soft issues and
concerns.

Control Activities, on the other hand, require more physical testing than
interviews and communications to determine the adequacy of the harder issues,
risks, and controls. So developing compliance samples for testing, developing
tests, testing the sample, and then integrating the results of these tests with
the control environment efforts will provide a good picture of the adequacy of
the controls that are managing risks (combining an analysis of the hard and
soft issues).

OFTEN WE LOOK FOR QUICK FIXES.

COSO IS NOT A QUICK FIX!


Objectives of Integrated Control Frameworks

• evaluate the big picture

• create greater evaluation of soft controls

• generate higher quality recommendations

• create more timely corrective action

• attain greater customer and auditor understanding of business

• create more value-added coverage

Barriers to these objectives

• corporate culture

• audit culture

• what else

It is necessary to identify, understand, and remove the barriers.

• actions to remove barriers

• auditor education

• client education

Sell features, advantages, and benefits (F.A.B.)

• build trust

• give client tools

• be innovative


Summary of COSO

• looks at integrated controls

• identifies fraudulent activity

• identifies root causes

• helps create understanding of people issues

• helps fix root causes, for a long-term fix

• defines internal control as a process

• recognizes that internal control is affected by people

• provides reasonable assurance

• helps achievement of objectives

• considers the big picture (entity)

• considers the little picture (activity)

COSO clearly identifies the point that to become better a business should have
internal controls inherent within its business practices. Internal controls should
be throughout the business process and should be connected among all parts of
the business process. Each part of a business process may look fine in isolation.
However, problems can arise when the parts are interconnected. COSO and
other integrated control frameworks can help identify weakness among these
interconnections.

The COSO philosophy emphasizes more coverage of efficient and effective use
of resources. It spotlights the fact that soft controls are the foundation upon
which good business is built. COSO takes this one step further to determine if
the employees understand the procedures and that the procedures work.

It Is Necessary To Ensure That An Effective Documented Procedure Is
Communicated, Understood, And Works.


Control Models
Combinations of These Models May Be The Best Tools.

Enterprise Risk Management (ERM)

The underlying premise of ERM is to provide value to the stakeholders.
This is accomplished by helping the management of the business entity better
manage their risks and controls. Therefore, the business entity management will
be better able to achieve defined objectives most efficiently and effectively.

Every entity large or small faces uncertainty, which presents both opportunity and
risk events that may inhibit the achievement of defined objectives. Value is
optimized when the entity management balances the cost of controls with the
identified risk. Some of the ERM dimensions help to achieve this balance.

Align the risk appetite and strategy of the organization with the management of
the risk:

• enhance risk response decisions

• reduce operational surprises and losses

• identify and manage multiple cross-enterprise risks

• seize opportunities

• improve the deployment of capital

While the ERM model can be a very effective risk and control management tool,
it has some limitations. ERM is managed and implemented by people. People
can make faulty decisions and judgments related to risk and control
management. Therefore, ERM is not a TOTAL solution. ERM is a tool
implemented and managed by people. ERM involves various human factors.

The ERM model is three-dimensional. It encompasses eight components and four
control objectives, all overlapped with the various dimensions within the
organization to be evaluated.


The eight components of ERM are:

• internal environment

• objective setting

• event identification

• risk assessment

• risk response

• control activities

• information and communications

• monitoring

The internal environment is the tone at the top, including the risk management
philosophy, the risk appetite, integrity, and the ethical values. In addition, the
internal environment is how this tone is viewed and addressed by the total
organization. These philosophies are considered soft issues.

Objective setting includes the establishment of objectives, which should be in line
with the organization's overall mission, objectives, and risk appetite. Adequate
risk management cannot be implemented without appropriate and clear
objectives.

Event identification involves the internal and external forces / risks, which can
impact the achievement of the defined objectives. Event identification not only
includes the negative risk events, those which can impede the achievement of
objectives, but also includes the impact of lost opportunities. Not taking
advantage of an opportunity which could have a positive impact on the
organization because the opportunity was not identified can have a negative
impact on the achievement of an entity’s objectives.

Risk assessment looks at, or should look at, all levels of internal and external risk,
including their overlapping relationships, which should be addressed in terms of
likelihood and impact. The actual risk assessment should result in a
determination of the consequences. The consequences are the outcomes of the risk
event happening.


Risk response addresses the identified risk. This is completed by the adequate
and appropriate application of controls. The dimensions of risk response
are avoiding, accepting, reducing, or sharing. Addressing a risk
can include any one or a combination of these dimensions.

Control activities are the tangible things within a business process. These can
include policies, procedures, job aids, budget reports, process error reports, and
others. Even though these tangible items are only part of the control by
themselves, they still have to be carried out.

Information and communications applies to communications in all directions, not
only from the top down. Further, the communications should be relevant and
captured in a form that enables all those who need to know to carry out their
responsibilities based on the communications provided.

Monitoring is accomplished through on-going management activities along with
the necessary adjustments made to enhance the achievement of the defined
objectives. There are two important parts to the monitoring component: 1)
identifying the elements to be monitored and 2) taking action. The process
being monitored may need adjusting as the environment, the objectives,
and the risks change.

In addition to these components, there are four control objectives. The
combination of the components and control objectives surrounding the
dimensions of the business process makes ERM three-dimensional.

ERM’s Four Control Objectives:

• strategic, relating to high-level goals and aligned with and supporting the
entity’s mission (this can also be directly related to external positive or
negative impacts, external risk)

• operations, relating to the effective and efficient use of the entity’s
resources

• reporting, relating to the reliability of the entity’s reporting

• compliance, relating to the entity’s compliance with applicable laws,
regulations, policies, and procedures


One of the most significant differences between the control objectives of
the COSO model and ERM is the addition of strategic thinking. Strategic
planning involves long-term thinking and high-level planning. It is wise and good
business practice to think about business processes in both the long term and the
short term. In addition, strategic planning parallels external risk. Strategic
planning addresses the impacts of external forces, including competition, changes
in laws and regulations, and the external forces of the economy.

ERM addresses risks from two main dimensions. One dimension is the risk
appetite. As defined in ERM, this is the amount of risk, on the broad level, that
an entity is willing to accept in pursuit of value. It reflects the entity’s risk
management philosophy and therefore influences the entity’s culture and
operating style. Risk appetite is directly related to an entity’s strategy.

The second dimension of risk, as defined in ERM, is risk tolerance. Risk
tolerances are the acceptable levels of variation relative to the achievement
of objectives. They are measured in more specific and quantifiable terms than
risk appetite.

Although ERM, COSO, and other risk and control models help business
professionals consciously address risk with the appropriate application of
controls, they are only tools administered by people. Therefore, a reasonable
assurance factor is part of the application of risk and control management. There
is the likelihood that, even with the use of the available tools, some risk may not
be addressed appropriately.

Risk assessment and the addressing of risk is not a science; it is
subjective. The more subjectivity that can be incorporated into risk assessment,
the less likely the reasonable assurance factor will be an issue. It is wise to
always objectively review any risk model and ask the question, “Does this make
sense?”

Communications to all who need to know and who will take action are a specific
part of ERM. Communication protocols should be established to identify the
appropriate information that is needed for effective decision making. Senior
managers should be apprised of risk management and control deficiencies
affecting their units. Supervisors should have concerns communicated to them
and should establish protocols for subordinates to communicate openly.

The biggest risk to an organization is reputational risk. ERM begins with an
ethical “Tone at The Top”. This means that an organization’s upper-level
management should set the tone for ethical business practices. Further, they
should set the tone for adherence by everyone in the organization.


Overview of the ERM Integrated Control Framework

Component                      Strategy   Operations   Reporting   Compliance
-----------------------------  ---------  -----------  ----------  -----------
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communications
Monitoring

As can be seen from a comparison between the COSO model and the ERM
model, strategy or strategic planning is specifically noted in the ERM model. In
addition, risk is more specifically defined and addressed in the ERM model.

Further, although not noted on these matrices, the ERM model encourages the use
of analytic tools for risk assessment as well as for risk and control management.


Answer the Following Question.

35. The ERM integrated control model specifies more detail in risk assessment
than do previous integrated control models. In the ERM model, which of the
following most closely represents the appropriate amount of controls that should
be applied to risk?

a. risk tolerance
b. risk response
c. risk appetite
d. event identification

See Application Questions, Answers & Explanations module for answer.

A few comments about analytical models

Quantitative methods and tools can be used by business professionals, auditors,
control and risk assessment specialists, quality professionals, fraud examiners, and
others. These methods are mathematical tools that help represent past, current, and
future trends as well as relationships.

Some General Characteristics of Commonly Used Quantitative Tools

A regression analysis can be used to examine the relationships among two or
more variables. The two variables are the independent and dependent variables.
The information is represented in the form of a scatter diagram. A trend line can
be developed through the scatter pattern. In cases with some inherent error,
projections of future events may also be developed.

The least squares method of analysis is a comprehensive expansion of the
regression analysis. Although a regression analysis will provide a general
representation of the relationship between the independent and dependent
variables, it is a general and high-level view. The least squares method will
provide a more linear representation and generate a more accurate
representation of the information.
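The trend line and projection described above, worked through in Python as an added example (this is not code from the study guide). The scatter of quarterly loss-event counts is constructed for illustration; the function names are this example's own.

```python
"""Least-squares trend line over a constructed scatter of loss events.

Added example, not code from the McKeever study guide: fits the line
y = slope * x + intercept by ordinary least squares, reports how much of the
scatter the line explains (R squared), and projects a future period.
"""
from typing import List, Sequence, Tuple

Point = Tuple[float, float]

# Constructed sample (not real data): (quarter index, loss events recorded).
SAMPLE_POINTS: List[Point] = [(1, 3), (2, 4), (3, 8), (4, 9), (5, 11)]


def fit_least_squares(points: Sequence[Point]) -> Tuple[float, float, float]:
    """Return (slope, intercept, r_squared) of the line that minimises the
    sum of squared vertical distances from the points to the line."""
    n = len(points)
    if n < 2:
        raise ValueError("need at least two points to fit a trend line")
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("all x values are identical; the slope is undefined")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    # R squared: share of the variation in y that the trend line explains.
    ss_res = sum((y - (slope * x + intercept)) ** 2 for x, y in points)
    ss_tot = sum((y - mean_y) ** 2 for _, y in points)
    r_squared = 1.0 if ss_tot == 0 else 1.0 - ss_res / ss_tot
    return slope, intercept, r_squared


def residuals(points: Sequence[Point], slope: float, intercept: float) -> List[float]:
    """Vertical distance of each point from the fitted line (the inherent error)."""
    return [y - (slope * x + intercept) for x, y in points]


def project(slope: float, intercept: float, x: float) -> float:
    """Projected y for a future x on the fitted line."""
    return slope * x + intercept


if __name__ == "__main__":
    m, b, r2 = fit_least_squares(SAMPLE_POINTS)
    print(f"trend line: y = {m:.2f} x + {b:.2f}   (R squared = {r2:.3f})")
    print("residuals:", [round(r, 2) for r in residuals(SAMPLE_POINTS, m, b)])
    print("projection for quarter 6:", round(project(m, b, 6), 2))
```

The residuals are the "inherent error" the text mentions: the projection is only as trustworthy as R squared and the residual pattern suggest, so a practitioner would look at both before relying on the projected value.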


Linear programming is an analytical tool that is used to identify the best use of
scarce resources. Therefore, the optimal mix of these resources is created to
reach the objective. Linear programming can be employed to determine such
things as the best way to locate facilities, achieve optimum production, select
equipment, determine worker optimization, the best mix of advertising, and the
scheduling of events.

Gantt charts are commonly used. They are bar charts in which the bars
represent activities in a project. For example, they can depict start and
completion times. The bars may also depict the objective and the status of
achievement toward the objective.

A queuing theory analysis is a tool that depicts the distribution of waiting times. It is
often used to determine the amount of time customers may wait in line to receive
service. This tool can be used to determine the cost benefit of increasing service
capability, weighing the cost against the benefit of decreasing customer waiting
time and increasing customer satisfaction.

The sensitivity analysis tool can help test the behavior of a model under changing
conditions. It demonstrates how a model solution changes as a result of changes in
the problem or in the situation.

Decision trees are useful to depict related events in the decision process. They
allow the users to see the relationship among options, thereby facilitating the
optimization of the decision in comparison to alternatives.

The game theory tool, as it is called, is different from other decision tools
because it is applied under conditions of conflict. This is a comprehensive
mathematical model. It compares the consequences of the actions of one entity
with the actions of an opponent who is choosing from alternatives. It can be
used in marketing strategies, recruiting of personnel, bidding for contracts, and
other events that may require identifying the impacts of one entity’s choices
compared to another’s.

The Critical Path Method (CPM) and PERT are two similar network analysis
tools. These tools assist in the optimization of project management. They depict
the most critical path in the project. This path, if not completed as scheduled,
could compromise the achievement of the overall project. CPM and PERT both
employ graphical representations.

Sampling and the use of computer-based tools are excellent tools in the
area of risk management. Appendix 3 discusses “Some Comments about
Sampling Useful in Risk Management” in more depth.


With All of These Measurement Tools the Question Becomes Evident:

What Do the Results of the Measurements Mean and How Will I
Know If Adjustments Will be Required?

CoCo Integrated Control Framework

The Canadian Institute of Chartered Accountants Criteria of Control Committee
(CoCo) has developed an internal control model that is similar to COSO, but with
some significant differences. Although using similar components of control, CoCo
focuses on asking three important questions:

• Do we have the right objectives?

• Do we have the appropriate control activities?

• Do we have the capability, the commitment, and the right environment in
place?

CoCo builds on the COSO foundations by identifying the same control components,
but CoCo takes COSO a step further by looking at the appropriateness of the
objectives and the control activities. Also, CoCo stresses capability and
commitment as important parts of the control environment component. CoCo
stretches the monitoring component to include elements of the learning
organization, thus allowing for a control environment that supports continuous
improvement as well as protection from the negative consequences of risk. Like
COSO, the CoCo model can be applied anywhere in the organization, at any level.
This makes it possible to aggregate the responses into an entity-wide assessment
of internal control.


CoCo is more definitive than COSO and includes the following
critical objectives:

• effectiveness and efficiency of operations

• reliability of internal and external reporting

• compliance with applicable laws, regulations, and internal policies

• expansion into a more practical business model

Components of CoCo

• purpose

• commitment

• capability

• action

• monitoring and learning

Both COSO and CoCo address the soft issues. CoCo is not intended to compete
with COSO. Both the CoCo philosophy and the COSO philosophy encourage
combining the two models, using a combination of both to make the best
possible tools to help a process succeed.

CoCo indicates that the use of all of its criteria is necessary, as does the
COSO model with its 15 points.

CoCo

• is very dynamic

• leads to action in everything

• takes action which is often missed in other models


CoCo uses a complete loop bringing everything to closure with action and
constant improvement. This concept of taking action and making constant
improvement is often missed in other management philosophies and models.

CoCo encourages trust and communications. This philosophy helps identify
these two pieces as vital controls in the business. A lack of trust and
communications may lead to increased risk.

COBIT

• an information technology control framework

• originated from information technology

• highlights that controls are the same in any environment

• controls from COBIT are applicable in general business

COBIT has some great questions that can be used to populate the COSO and
CoCo models. It may be necessary to change some of the questions from
computer terms into business terms. Change them and use them. Always
remember controls are “controls” no matter what the adjective.

The Best Tool

The best tool is, most often, a combination of these tools. However, it is
first, necessary to identify what to try to accomplish. Then, combine the
tools to reach the outlined objective. But remember to be flexible in this
process. Remember that these are only some of the available control
models. Some other useful tools are Cadbury, the ISO 9000 series, and
other quality models.


Three Terms to Sell (Convince) Management of the Value of COSO

F. A. B. - Features, Advantages, and Benefits – people “buy” benefits.

When convincing peers, audit management, the Board of Directors, line
management, or anyone else of the value of the COSO philosophy, keep in
mind that they will want to know the benefit for them. Why do they need to invest
time and money in the concept? What will they get in return?

Learning Curve

• auditor

• audit manager

• customer

• education can help

COSO is not a quick fix or a concept that can be employed overnight.

COSO is a good, but not the only, business tool that can be
employed to help businesses succeed.

Some suggestions for education:

• one or two day session for the auditors

• half or full day session for audit managers

• one or two day session for auditors and respective customers


In order to facilitate this value-added approach, everyone must work together.

Communication Is The Key To Success.

Anticipate Negative Waves

If you get these reactions …

• did not get serious interest (buy-in)

• everyone is too busy

• it takes too long

Handle as follows…

• do not get discouraged

• you may need to introduce a few pieces at a time

• you may need to step back to evaluate – and then try again


Answer the Following Question.

51. There are a number of risk assessment tools available which can help process
owners manage their risks. Some of the more contemporary tools are integrated
control frameworks. Which of the following integrated control frameworks
provides the most detail about risk?

a. COSO
b. ERM
c. CoCo
d. COBIT

See Application Questions, Answers & Explanations module for the answer.

ISO 31000:2009

The global financial crisis in 2008 demonstrated the importance of an adequate and
standardized risk management philosophy. As a result, new risk management
standards have been published, including the international standard ISO 31000,
“Risk Management – Principles and Guidelines”.

The purpose of ISO 31000:2009, published in November 2009, is to provide a
standard on the implementation of risk management principles and generic
guidelines on risk management across industries, subject matters, and regions.
It is intended to be applicable and adaptable for "any public, private or community
enterprise, association, group or individual." As such, ISO 31000 intends to
provide a universally recognized and standardized risk management guideline for
practitioners and companies employing risk management processes.

ISO 31000:2009 is intended for a broad stakeholder group including:

• executive-level stakeholders
• appointment holders in the enterprise risk management group
• risk analysts and management officers
• line managers and project managers
• compliance and internal auditors
• independent practitioners


In terms of managing risk, ISO 31000:2009 more or less follows traditional risk
management guidelines and philosophies.

The ISO 31000:2009 list of risk management actions, in order of preference,
is:

• avoiding the risk by deciding not to start or continue with the activity that
contains the risk
• accepting or increasing the risk in order to pursue an opportunity
• removing the risk source
• changing the likelihood
• changing the consequences
• sharing the risk with another party or parties (for example insurance)
• retaining the risk because of an informed decision

To discuss a few of these categories: for changing the likelihood and the
consequences, re-examine the earlier discussion of the basic risk
assessment formula, in which the annual loss expectancy equals the probability
(likelihood) multiplied by the impact (consequences). It can be seen that changing
either the likelihood or the consequences changes the anticipated risk, or annual
loss expectancy.

Retaining the risk by informed decision can be a trap. The trap is that the
words “informed decision” may mean different things to different people.
Further, the amount of information needed to be “informed” enough to make the
decision may be judged differently by different people.

Hence the trap: individuals who accept a risk may not have an adequate
amount of information to accept that risk. In simple terms, they may not
understand what they are accepting.

So Even with Comprehensive Contemporary Risk
Philosophies the Human Factor is Still the Weakest Link
in the Chain.

The ISO 31000 family of risk management guidelines and philosophies is
expected to include a number of subcategories, which currently include:

• ISO 31000:2009 - Principles and Guidelines on Implementation
• ISO / IEC 31010:2009 - Risk Management - Risk Assessment Techniques
• ISO Guide 73:2009 - Risk Management - Vocabulary

An Organization’s Approach to Risk Management Should be
Systematic, Structured, and Timely.

The Money, the Financial Institutions

Regulation of financial institutions, particularly in the United States, is often
considered cumbersome. However, in most cases it is very necessary.
Sometimes these regulations are referred to as “alphabet soup” because of the
many abbreviated and cumbersome names. Appendix 4 lists some “Financial
Institution Regulations Related to Risk Management”.

These regulations are so cumbersome that their necessity is debated. Some say
“yes”, some say “no”. Either way, they are the regulations required in the banking
industry in the United States.

But that is not all. Because of financial crises, Basel III, an enhancement of
previous versions, is now being implemented. Basel III provides an additional
blanket of financial regulations for banks and other qualifying financial institutions.
Basel III, designed in 2010 and 2011 by the Basel Committee on Banking
Supervision, is scheduled for implementation in 2013. Basel III enhances bank
capital requirements and introduces new requirements for bank leverage and
liquidity. Basel III will require increases in tier one capital, common equity, and
capital conservation buffers. These are all increases over the previous Basel II.
Some United States banking implementation will require risk-based capital and
leverage requirements; single counterparty credit limits among larger financial
institutions; and early redemption requirements.

Interestingly enough, the Basel regulations are not law, as a law would be
passed by a legislative body. They are, however, regulations that are taken very
seriously. In the United States the Federal Reserve Bank, a regulatory agency of
banks, has indicated that it will implement the Basel III rules and require that
these rules apply to banks and other financial institutions with assets in
excess of $50 billion. In addition, the Federal Reserve Bank would perform tests
annually using three economic and market scenarios.

So what is the risk of these regulations? Non-compliance is one risk, along with
possible weakness in the safeguarding of assets and inefficient and ineffective
use of resources, all of which could be enveloped by unreliable information (lack
of compliance again).

Some may say that all these regulations of financial institutions are appropriate,
while others would say that it is too much and may even be detrimental to the
economy. Time will tell.

But there is one thing for sure that is a lesson for risk and control professionals.
Basel I, Basel II, and now Basel III, along with COSO, ERM, and all the other
control tools, have traditionally been reactive and corrective to business and
government problems. The key words here are “reactive” and “corrective”.


Remember the basic concept of controls:

PREVENTIVE, DETECTIVE, AND CORRECTIVE.

Back to basics, the four components of an adequate risk assessment are:

• identify (identify the risk)

• measure (attach some quantification to the identified risk)

• prioritize the risk (categorize the measured risk into categories or just
prioritize the identified risk into order of importance)

• act (take action on the identified, measured, and prioritized risk to minimize
or eliminate the risk). Action, or the controls put in place to minimize or
eliminate the risk, can be accomplished by taking one or a combination of:
avoid, transfer, mitigate, accept.

Whichever approach is taken, it is important that some action be taken to address
the risk that has been identified, measured, and prioritized. Without appropriate
action, any effort to identify, measure, and prioritize risk is just a waste of time.

In addition, keep in mind that controls have a life cycle. That is, controls can
outlive their usefulness and even become counterproductive. It is vitally
important that an on-going monitoring mechanism be established and
implemented. This on-going monitoring (the verb part of the control) should be
designed and implemented to allow for prompt adjustment of any controls as the
environment in which the process operates changes, the objectives change, and
the risks change.

This implies that not only should there be a monitoring mechanism in place to
monitor the controls, but there should also be a monitoring mechanism in place to
monitor the environment in which the process operates, the objectives, and the
risks as they change.
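The identify, measure, prioritize, act sequence above, together with the ISO 31000 treatment options and the annual loss expectancy formula discussed earlier, worked through in Python as an added example (this is not code from the study guide). The register entries, probabilities, loss amounts and the treatment plan are constructed for illustration; the option names in the `treat` function are this example's own labels, not terminology from the guide or the standard.

```python
"""Risk register: identify, measure, prioritize, act, then re-measure.

Added example, not code from the McKeever study guide. It applies the guide's
annual loss expectancy formula (ALE = likelihood x impact) to a constructed
register, orders the entries by ALE, and shows what each treatment option
(avoid, share/transfer, mitigate by changing likelihood or consequences,
retain/accept) does to the expected loss. All names and figures are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # annual probability that the event occurs, 0..1
    impact: float      # loss (currency units) if it does occur

    def __post_init__(self) -> None:
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be between 0 and 1")
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact cannot be negative")

    def ale(self) -> float:
        """Annual loss expectancy = likelihood x impact (the measure step)."""
        return self.likelihood * self.impact


# Constructed sample register (the identify step).
SAMPLE_REGISTER: List[Risk] = [
    Risk("ransomware outbreak", 0.20, 500_000),
    Risk("lost unencrypted laptop", 0.50, 20_000),
    Risk("critical vendor outage", 0.10, 200_000),
]


def prioritize(register: Sequence[Risk]) -> List[Risk]:
    """Order the register by ALE, highest first (the prioritize step)."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def treat(risk: Risk, option: str, **params: float) -> Risk:
    """Return the risk as it looks after one treatment option (the act step).

    avoid              stop the activity, so the likelihood becomes 0
    reduce_likelihood  preventive control; needs new_likelihood=...
    reduce_impact      corrective or limiting control; needs new_impact=...
    share              transfer part of the loss, e.g. insurance; needs fraction=...
    retain             informed acceptance; the risk is unchanged
    """
    if option == "avoid":
        return replace(risk, likelihood=0.0)
    if option == "reduce_likelihood":
        return replace(risk, likelihood=params["new_likelihood"])
    if option == "reduce_impact":
        return replace(risk, impact=params["new_impact"])
    if option == "share":
        return replace(risk, impact=risk.impact * (1.0 - params["fraction"]))
    if option == "retain":
        return risk
    raise ValueError(f"unknown treatment option: {option}")


def total_ale(register: Sequence[Risk]) -> float:
    """Sum of expected annual losses across the register."""
    return sum(r.ale() for r in register)


Plan = Dict[str, Tuple[str, Dict[str, float]]]


def apply_plan(register: Sequence[Risk], plan: Plan) -> List[Risk]:
    """Apply a per-risk treatment plan; risks without an entry are retained."""
    treated: List[Risk] = []
    for risk in register:
        option, params = plan.get(risk.name, ("retain", {}))
        treated.append(treat(risk, option, **params))
    return treated


# Constructed treatment plan for the sample register.
SAMPLE_PLAN: Plan = {
    "ransomware outbreak": ("reduce_likelihood", {"new_likelihood": 0.05}),
    "lost unencrypted laptop": ("reduce_impact", {"new_impact": 2_000}),
    "critical vendor outage": ("share", {"fraction": 0.5}),
}


if __name__ == "__main__":
    print("Before treatment (highest ALE first):")
    for r in prioritize(SAMPLE_REGISTER):
        print(f"  {r.name:26s} ALE {r.ale():>10,.0f}")
    after = apply_plan(SAMPLE_REGISTER, SAMPLE_PLAN)
    print("After treatment:")
    for r in prioritize(after):
        print(f"  {r.name:26s} ALE {r.ale():>10,.0f}")
    print(f"total ALE {total_ale(SAMPLE_REGISTER):,.0f} -> {total_ale(after):,.0f}")
```

Re-running `prioritize` and `total_ale` on the treated register is the monitoring step the text insists on: when the environment changes (a likelihood or impact estimate moves), the register is re-scored and the plan is revisited rather than left in place because it was once adequate.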

Risk monitoring and management action plan:

Risk monitoring is the last major element of risk management - but certainly not
the least important! Risk management is a process of organizing.


The Risk Management And Monitoring Process Should Be Continual / On-Going.

Risk management

Risk management is not complete when a basic risk management plan has been
implemented. An effective risk management plan requires monitoring the risk
with a means to review it and update it continuously.

Some thoughts:

• identify any new risks quickly and frequently
• decide where and how to handle any new apparent risks
• look for other risks that might be reduced or eliminated, and controls that
may even have become counterproductive
• check the environment and objectives; as they change, so also should the
risk management effort

Some Objectives of Monitoring and Updating Changes in Risk Management

The risk monitoring and updating process occurs after the risk mitigation,
planning, and controlling processes. It must be on-going because the
environment and relative risks are dynamic.

Risk monitoring and updating tasks can vary depending on the organization, the
process, and the objectives and goals of the process. Nevertheless, there are three
tasks that should be integrated into the design and construction of any risk
management plan:

• develop consistent and comprehensive reporting procedures
• monitor risks, contingency plans, and resolution
• provide feedback of analysis, risk mitigation plans, and action for
identified risks


Reporting:

Risk reporting involves recording, maintaining, and reporting risk assessments
and status. Monitoring risk assessment results and assessing the adequacy of
existing plans to manage the identified risks are critical for the successful
management of a process. Formally documenting an on-going risk management
process is important for the following reasons:

• it provides the basis for program assessments and updates as the
environment, objectives, and risks change
• formal documentation tends to ensure more comprehensive risk
assessments than undocumented efforts
• it provides a basis for monitoring the risk management and the allocation
of actions, to verify that the results of managing the risks are effective
• it provides background risk identification for new personnel
• it is a management tool facilitating rational decisions

The Future Is Unknown

The World Is Changing As We Speak (The Environment). Hence So Do the
Objectives, So Do the Risks, and So Should the Controls (Risk
Management).

Risk management, integrated control frameworks, teams, and risk assessment
workshops are all well and good. However, the constant changing of issues and
the integration of society’s cultures, philosophies, and competitive pressures
add an entirely new dimension and need for innovative risk assessment
(emerging risks).

Successful organizations and businesses can no longer be satisfied with a
snapshot, one-time picture of risk. Management, stakeholders, investors, and
regulators expect companies to manage risks holistically and to diminish or
eliminate the impact of those risks quickly.

One way to think about these emerging risks, and even to begin a plan to manage
them, is with strategic thinking. Remember the scenario approach discussed
earlier: “what if this happened, what would we do?” Here the thought is given to
some unknown event, possibly a risk, that may or may not happen at some time in
the future. Going back to the basic control concepts of preventive,
detective, and corrective controls, it is much better to anticipate an adverse
event, or prepare even for a positive event, before it happens or becomes a major
issue than to deal with it as a major event after the fact.


Answer the Following Question.

55. Risk reporting involves recording, maintaining, and reporting risk
assessments. Which of the following is not a good reason for a risk reporting
effort?

a. it provides background risk identification for new personnel
b. it provides a basis for monitoring the risk management and the
allocation of appropriate actions which will ensure that the risk
management is effective
c. it provides the basis for program assessments and updates as the
environment, objectives and risks change
d. it is a management tool facilitating rational decisions

See Application Questions, Answers & Explanations module for the answer.

A closer look at managing emerging risks

Emerging risks are large-scale events or circumstances that arise from situations
beyond an organization’s capacity to control. This does not mean that they are
beyond the capacity of the organization to manage (control); it means that the
organization generally had no control over the event occurring (external risks).
These types of risk, if not managed, may have impacts not only on the
organization but on multiple entities and organizations across geographic
borders and industries (a ripple effect). For example, drastic changes in oil
prices may impact multiple organizations, industries, and customers worldwide.
Another example is drastic changes in interest rates, which could also impact
multiple entities. So the importance of managing emerging risks becomes clear.


A partial list of some emerging risks:

• increasing natural resource constraints; this risk could be the result of the
lack of such resources and of changes in laws and regulations limiting
access to such resources

• natural or man-made domestic and global disasters

• changes in domestic and international labor costs

• increased uncertainty and volatility in domestic and international
investment markets

• emergence of new technologies and technological competition

• technology and communication disruptions, a major risk in today’s
business environment

• risk that changes in domestic or international laws and regulations are not
understood (remember that a number of countries now have anti-bribery
laws which can be imposed on any country or company doing business in
that country)

• a realignment of power or economics in partnering or related countries, or
even within companies

• domestic or international political crises

• domestic or international pandemics or health crises

• economic disparity among international trading partners

• domestic or international terrorist threats

• increased competition from international or domestic markets

• a change in accepted domestic or international corruption

• a decline in the recognition or enforcement of intellectual property rights


Managing the impacts, positive and negative, of emerging risks requires the
evaluation of past and future trends. This means the use of relevant leading
indicators to alert management to changes in the environment in which a
company or organization operates and the potential risk or opportunity exposures
in that environment. This will help management better understand its
environment so that they can identify potential exposures make more informed
risk management decisions.

Just as with the snapshot-in-time risk assessments, these emerging risk
assessments and management efforts can be quantitative and qualitative.
Remember that the more subjective and objective input is gathered from as many sources as
possible, the more accurate the risk assessment will be. A more accurate risk
assessment will result in a more efficient and effective risk management effort
(the application of controls).

Monitoring emerging risks, the environment, and objectives will help an organization
address otherwise unknowable risks before they become major issues, and may even
turn these unknowable risks into opportunities.

Addressing Emerging Risks Should Become Part of an Organization’s Strategic Planning.

Volatility, Change, and Complexity of an Organization or Process Should Drive the Intensity and Frequency of the Emerging Risk Effort

Remember that a risk assessment that changes over time is a control by itself.

Also remember that the more complex or volatile an environment or
organization is, the higher the risk. Therefore, the frequency and detail of risk
assessment and management (a control) should be guided by this risk.


COSO 2013: The Framework

COSO has been a familiar term and corporate governance guideline for both
process managers and risk and control specialists for over 20 years.
However, the world in which business and these professionals operate has
changed drastically over the past 20 years. Such things as the internet, cell
phones, immediate communications, computerization, and a working
interrelationship among cultures and global partners, unheard of and possibly
unimaginable 20 years ago, are now commonplace.

These changes have vastly increased the productivity and efficiency of the
common workplace. However, with these advancements come new risks.
Because of these new and ever-increasing emerging risks came a need to revisit
the existing COSO integrated model.

Consequently, The Committee of Sponsoring Organizations of the Treadway
Commission elected to update the existing COSO framework to reflect these
dynamic changes in the business environment with the development of COSO 2013.
The key words here are: update the existing COSO framework.

The COSO 2013 framework has been modified to maintain relevance with
current emerging risks and future (preventive control) business environments.
Further, COSO 2013 is expanded to apply to public companies, privately held
companies, not-for-profit (NFP) agencies, and governmental entities. This is a
significant expansion from the original COSO framework.

By incorporating a perspective on the technological advances in the business
environment, communication developments, as well as an ever-increasing
regulatory atmosphere, COSO 2013 provides an enhanced governance
framework.

Because COSO 2013 is an enhancement and expansion of the original COSO
framework, it is wise to revisit the core foundation and philosophy of COSO in
general.

Comment:

The original Committee of Sponsoring Organizations of the Treadway
Commission COSO integrated control model is a systematic, step-by-step
method used to evaluate and address the adequacy of controls in multiple
dimensions of a process. This COSO model was engineered and developed to
address weaknesses and events in business and government (somewhat of a
reactionary control).


The COSO 2013 integrated control model is designed with a more preventive
approach. Although there were general economic concerns while COSO
2013 was being developed, there was no specific, definitive economic crisis as
there was with the initiative for the original COSO model.

The Original COSO Framework Was Founded On Four Critical Underlying Concepts:

• internal control is a process toward the achievement of organizational objectives

• the internal control process is driven by people at all levels of the organization

• internal control is a means to achieve objectives within one or more separate but overlapping categories

• internal control can provide only reasonable assurance to the achievement of organizational objectives

The original COSO model has three control objectives and five components. The
five components are applied to each of the three control objectives for a total of
15 dimensions. These 15 multiple dimensions have remained in place for
the 2013 COSO model but have been substantially expanded to become more
specific and definitive to meet contemporary business needs, including new
guidance for not-for-profit organizations.

COSO’s original internal control framework, released in 1992, was accepted by
the SEC as a framework (not a law), although expanded with use beyond
financials, for attesting to internal control over financial reporting as required by
the Sarbanes-Oxley Act of 2002 (SOX).

The five main components of the original framework (control
environment, risk assessment, control activities, information
and communication, and monitoring) still remain the foundation
for the COSO 2013 framework.


What Are the Key Changes to the COSO 2013 Framework?

COSO 2013 expands the scope of the original framework and increases the level
of detail, specifically and more formally, expanding its use beyond external
financial reporting.

Although the fundamental principles of the old framework have not changed, a
clearer and more specific focus on such things as outsourcing, more complex
business structures, increased expectations around governance standards, and
technological change is evident in the COSO 2013 framework. For example, the
update has a more specific perspective on the Audit Committee’s roles and
responsibilities. It introduces new discussion of the compensation committee,
which was not treated at all in the old framework.

COSO, the original and COSO 2013:

• can help get to the root cause of business problems

• can be a preventive tool

• can help ensure compliance with regulations and policies

• can be considered an industry standard

It Is Beneficial To Understand and Address The Root Cause of Weaknesses in The Control Process.

Often the root cause of process problems resides in the attitudes, morale, ethical
values, and competency of people. These elements reside in the Control
Environment of the COSO models.

The COSO Frameworks Encourage Addressing The Adequacy Of The Control System Within The Control Environment.

The Inherent Philosophy Of These Treadway Commission Integrated Control Models Is To: Prevent Problems Before They Happen.


These Models Can Help Prevent Problems Before They Happen By Addressing The Root Cause Of The Apparent Risk.

The framework’s value isn’t limited to public companies that will use the
framework to fulfill regulatory requirements. The framework contains objectives
for operations and compliance as well as financial reporting (the three original
COSO control objectives).

Because Of The Broadened Scope Of COSO 2013, Any Type Of Organization, Large, Small, Midsize, Public, or Nonpublic, Can Benefit From Applying This New Framework.

The new framework also broadens the application of internal controls in
addressing operations and reporting objectives, and clarifies the
requirements for determining what constitutes effective internal controls.

The most significant new development, which expands the scope of the COSO
2013 framework, is the inclusion of 17 specific principles spread across the five
main components (enhancing the specificity of the original COSO five
components). As in the original COSO framework, the five components need to
be functioning and functioning together for an adequate and appropriate internal
control scheme to be present.

Each principle is accompanied by explicit points of focus designed to help users
evaluate whether the principle is present and functioning (remember that controls
have two parts, a noun and a verb; the verb is the action, or whether the control is functioning as
intended).

Some points of focus in the new integrated control framework may not apply to
all users in all situations all of the time. COSO 2013, like the original framework, is
just that: a framework. The essence of this model requires the user to think about
how to apply the frameworks in each specific situation, with the objective of enhancing corporate governance.

These New And More Definitive Dimensions Adopt A Principles And Attributes Approach To Corporate Governance, Which Provides More Detailed Guidance For Designing And Assessing The Effectiveness Of Internal Controls.


The 17 specific principles contained in COSO 2013 are applied to each of the
control components:

Control environment

1. the organization demonstrates a commitment to integrity and ethical values

2. the Board of Directors demonstrates independence of management and exercises oversight for the development and performance of internal control

3. with Board of Directors oversight, management establishes structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives

4. the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives

5. the organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives

Risk assessment

6. the organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives

7. the organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed

8. the organization considers the potential for fraud in assessing risks to the achievement of objectives

9. the organization identifies and assesses changes that could significantly impact the system of internal control


Control activities

10. the organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels

11. the organization selects and develops general control activities over technology to support the achievement of objectives

12. the organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies

Information and communication

13. the organization obtains or generates and uses relevant, quality information to support the functioning of the other components of internal control

14. the organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control

15. the organization communicates with external parties regarding matters affecting the functioning of other components of internal control

Monitoring activities

16. the organization selects, develops, and performs ongoing and / or separate evaluations to ascertain whether the components of internal control are present and functioning

17. the organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the Board of Directors, as appropriate


Guidance for Not for Profit (NFP) Organizations:

Segregation of duties is a key component of good business practice and of following the COSO guidelines:

A common challenge that many NFP organizations face in today’s cost-constrained environment is the ability to adequately segregate duties over the
receipt of contributions. Because of the nature of NFP organizations, this risk is
commonly inherent within these types of organizations.

The Following Control Actions Should Be Considered In NFP Organizations To Diminish The Segregation Of Duties Apparent Risk.

• to the extent possible, all funds received by the organization should flow through the normal cash receipts process

• donations received by mail should be restrictively endorsed upon receipt and turned directly in to the finance office

• a copy of every donation check and related correspondence received by the accounting department should be forwarded to the development office

• the bank deposit should be prepared by the finance office and should include all funds received by the organization

• the development office should use the check copy for its recordkeeping purposes

• the finance office should post cash receipts to the general ledger to serve as the primary record of all funds received


Consideration: (NFP organizations)

Ideally, the development or operations office should not receive funds directly.
When this cannot be avoided, the received funds should be delivered directly to
the finance office for receipting and deposit (separation of duties).

Any correspondence included with a contribution that identifies restrictions as to
its use should be noted by both the finance office and the development office.

Just as with the original COSO framework, the COSO 2013 framework will help
process owners and auditors evaluate the adequacy of controls in multiple
dimensions of the process. COSO will help give a picture of how well all of the
controls in all of the dimensions are working together. COSO 2013, by
specifying focus points and principles, will further help process owners and auditors
to determine how well all of the controls in all of the dimensions are working
together.

Internal Controls and The COSO Philosophy Should Not Be Built Onto The Process; They Should Be Built Into The Process.

Companies may adopt the new framework immediately, as of today, or continue
to use the old framework until Dec. 15, 2014, at which point the updated
framework will supersede it.

The COSO board said it believes that continued use of the original framework
during the transition period from May 14, 2013 to Dec. 15, 2014 is appropriate.
However, organizations reporting externally should clearly disclose whether the
original framework or the 2013 framework was used.

SUMMARY
It Is Important to Monitor the Environment in Which a
Process, Organization, or Company Operates;
Recognize Apparent Existing and Potential Risks; and
Adjust The Controls Accordingly


Principles of Risk Management Processes

2.1 Loss of a customer base can be due to an increase in reputational risk. As negative reputational risk increases, customer base can decrease. Which of the following would be the primary action to decrease negative reputational risk?

1. increased communication with suppliers

2. a feedback process to suppliers indicating their performance

3. a measurement and action to determine if customer requirements are being met

4. identify specifically who the customers are and their needs

Answer 3 is the correct answer. Answers 1 & 2 address supplier management so they are not relevant to this question. Answer 4 sounds nice but would need a next step of what would be done with this information. Answer 3 indicates a measurement to evaluate customer satisfaction. More importantly, answer 3 indicates action. Reputational risk can be one of the most severe types of risk a process can encounter. If allowed to develop, reputational risk can take a tremendous amount of effort to reverse.

2.2 Risk is best defined as:

1. inherent risk times control risk

2. the possibility of danger, injury, or loss

3. the probability of something happening

4. the possibility of danger, injury, or loss and the probability of something happening

Answer 4 is the correct answer. This refers to the basic concepts of how often something can happen and what happens when it occurs. Answers 1, 2 & 3 are incomplete answers.


2.3 The elements to manage risk, in order, are:

1. measure the appropriate risk, prioritize the risk, and act on the risk

2. refer the risk, spread the risk, and accept the risk

3. accept the risk, spread the risk by buying insurance, and prevent the risk from happening in the future

4. identify risk, measure risk, prioritize risk, and act on the risk

Answer 4 is the correct answer. Answers 2 & 3 are just random combinations. Answer 1 is only partially correct; identifying the risk is missing from the statement.

2.4 Which of the following best describes the three basic parts of a business process?

1. in order to achieve anticipated objectives, controls must be managed appropriately

2. objectives must always be considered independently

3. the management of risk will help achieve objectives

4. appropriate and timely management of risk, combined with the appropriate management of controls and common sense, works best

Answer 4 is the correct answer. Answers 1 & 3 could be considered correct, but using the words “appropriately” and “timely” causes answer 4 to be broader in scope. The right amount of controls and when they are applied is important in an adequate control process. Answer 2 is not correct because controls should not be considered independently - they are part of a process.


2.5 The best combination of ways to identify risk is to:

1. refer to history and review the changes that have taken place

2. refer to history and use the CARES model to determine what controls are in place

3. use the CARES model and determine the adequacy of the safeguarding of assets and the accomplishment of objectives

4. analyze the effects of any change on the process, develop a flowchart to identify the points of risk in the process, and address those risks

Answer 2 is the correct answer. Answer 1 could be a good tool. However, it is not the complete picture. Answer 3 only includes one part of the control and risk model - safeguarding of assets. Answer 4 could be considered correct. Developing a flowchart and addressing risks are good approaches in addressing risk. Analyzing the effects of change is also a good approach in addressing risk. Risk often develops as a result of change. However, answer 4 does not address all of the components of risk and controls. The CARES model in answer 2 addresses all of the components of risk and controls, making it the best answer.

2.6 Which of the following would strengthen the supplier-customer relationship?

1. communication of the process owner requirements to the supplier

2. explain how the process owner requirements are determined

3. determine the inputs from the supplier

4. identify the suppliers and determine who and what the process owner depends on from them

Answer 1 is the correct answer. The first clue that this is the correct answer is the word communication. Remember that communication is a two-way channel. With this answer, the communication implies that the communication is conveying requirements. Answer 2 may be a good approach, but answer 1 is much better. Answers 3 & 4 are acceptable but in no way approach the benefits of communications.


2.7 Some of the classifications of your outsourced business partners could be: consultants, distributors, brokers, freight forwarders, and joint venture partners. Which of the following could not cause reputational risk to the process they are serving?

1. brokers

2. consultants

3. joint venture partners

4. all of the above

Answer 4 is the correct answer. All of the answer choices, if not managed and controlled adequately, could cause reputational risk to the host process owners. This also includes distributors and freight forwarders along with many other categories of outsourced providers. It is important to evaluate each situation and establish adequate controls based on the outsourced provider and the details of the individual project.

2.8 Pervasive inherent risk is best described as:

1. any internal risk apparent in the business that can impact the achievement of objectives

2. the risk of putting assets to work in order to achieve objectives

3. the risk that the security of assets and compliance with laws and regulations will not be achieved

4. all of the risk that is inherent throughout the business

Answer 2 is the correct answer. There is always risk in putting assets to work. This is apparent in our personal life as well as in business. The concepts of investing, hiring staff, buying plant, and buying equipment all have risk associated with them. Will the anticipated rate of return be realized? Answer 1 only addresses the internal risk and does not address external risk. Answer 3 is too specific. Answer 4 is not correct because it states “all” risk, while the question asks about pervasive risk. There are other types of risk in business besides pervasive risk.


2.9 The best description of risk analysis is:

1. a method of anticipating expected loss from the occurrence of some adverse event

2. a method of measuring the impact of risk on the achievement of objectives

3. a tool using mathematical models and graphic representations to determine the current implications of risk

4. the management of the results of the mathematical and graphic models

Answer 1 is the correct answer. Answer 2 is not correct because it only includes one of the component measurements. Answers 3 & 4 are not correct because risk analysis is more than just using the mathematical models. The most important part of risk analysis is the subjectivity and the thinking that is incorporated into the model.

2.10 There are a number of risk assessment formulas. Most consider the probability of a risk occurrence and the impact of that occurrence. Which of the following also considers the probability of a control failure?

1. direct and total probability estimate

2. modified annual loss expectancy

3. complete annual loss expectancy

4. control loss expectancy

Answer 2 is the correct answer. The remaining answers are just random modifications to other risk assessment models. The modified annual loss expectancy considers the probability of a risk event occurring, the probability of a control failure, and the impact of the risk event occurring.


2.11 Which one of the following is the equation for direct probability estimate?

1. total risk = (external risk) (internal risk) + time factor

2. total risk = (probability) (impact)

3. total risk = (inherent risk) (control risk) (audit risk)

4. direct probability estimate = total risk + (inherent risk) (control risk) (audit risk)

Answer 3 is the correct answer.

2.12 Annualized loss expectancy can best be described as:

1. ALE = P + I

2. ALE = P x I x T

3. ALE = P x T x I (other appropriate factors)

4. ALE = P + I x T

Answer 3 is the correct answer. Answer 3 is the best answer because it describes annualized loss expectancy in words and adds other components as may be needed. These could include difficulty of the job, competency of the staff, time of occurrence, and others. Answers 1 & 4 are just random formulas. Answer 2 does not include additional options.

2.13 The modified annualized loss expectancy can best be described as follows:

1. ALE = P x Q x Q

2. ALE = P x P x Q

3. ALE = P x I x P x Q

4. ALE = P x P + Q

Answer 2 is the correct answer. Answers 1, 3 & 4 are just random formulas.


2.14 Emerging risks can be identified similarly to external risks. How should emerging risks be managed based on this assumption?

1. evaluate the existence of existing risks

2. identify, measure, prioritize the probability of pending risks

3. implement strategic planning in the risk management process

4. identify, measure, prioritize, act

Answer 3 is the correct answer. Strategic planning is an appropriate tool when managing emerging risk. Strategic planning helps to look into the probability of events occurring in the future. As well, strategic planning is a good tool to help evaluate and manage external risks. External risks are often associated with emerging risks. Answer 1 is very vague, as is answer 4. Hence, these answers could probably be eliminated quickly. Answer 2 could be a trap. This answer uses words traditionally and frequently used in risk assessment. However, it is an incomplete answer. The question asks about managing risk, which includes “ACT”. This answer does not include the word “ACT”.

2.15 Which of the following are not examples of effective monitoring?

1. budgets and related operational reports are compared

2. regular audits are performed and the results are reported to management

3. exception reports are generated and addressed appropriately

4. detail reports outlining all dimensions of the operation are distributed to various business units

Answer 4 is the correct answer. It lists the least effective monitoring control listed in the answers. It is too broad to be effective and useful. Answers 1, 2 & 3 list effective monitoring tools and controls.


2.16 Which of the following are apparent risks in a microcomputer environment?

1. storing proprietary information on diskette and not handling it appropriately

2. violating copyright laws by using unauthorized software

3. unauthorized access due to the availability of passwords and IDs

4. all of the above

Answer 4 is the correct answer. All of these risks can exist in a microcomputer environment. However, many times, their consequences are not considered. A Risk Management Professional can help bring these risks into focus for the process owners.

2.17 Typically, risk within a process increases as the complexity and volatility of a process increase. However, this may be different with emerging risks. What are the impacts of emerging risks?

1. emerging unmanaged risks will have an impact on the process

2. emerging unmanaged risks will have an impact on the process and external entities

3. emerging unmanaged risks will have an impact on external entities

4. emerging unmanaged risks will have an impact on the process and all external entities

Answer 2 is the correct answer. First, answer 4 can be eliminated. Answer 4 implies all external entities will be impacted. This may or may not be true. The word “all” is a caution word that requires thinking about the answer and not answering immediately. Typically emerging risks will have an impact on the involved process; interrelated and related external entities; and internal entities. Answers 1 & 3 each list one half of the equation - the process or the external entities. Both could be impacted by emerging risks.


2.18 When monitoring is considered a preventive control with action in place, it can be employed when managing emerging risk:

1. at a steady and consistent rate for existing and potential risks

2. concurrent with the characteristics of the environment in which a process is operating

3. as is directed

4. when a significant change has occurred in the environment

Answer 2 is the correct answer. Answer 3 can be eliminated as it is vague. Although political guidance from management could indicate when risk assessments and management should occur, in this question the discussion is not about the variables of politics and management. It is about a characteristic of the management of emerging risk. Answer 4 can be eliminated because it implies an “after the fact” event. The question implies a preventive action. Understanding that risk changes as the environment changes, a steady rate of risk assessment monitoring is not appropriate as stated in answer 1. So by elimination answer 2 is left as the correct choice. It is also the most appropriate answer.

2.19 The simplest way to describe risk assessment is:

1. frequency and impact

2. dollars lost versus employees

3. how often can something happen and what happens when it occurs

4. probability divided by: 6 [1/2 probability / 3] * 6 [ 2 exposure / 6]

Answer 3 is the correct answer. Answer 1 is correct but it is not the simplest way. Answers 1 & 3 are virtually the same thing, but 3 is a simpler way of stating risk assessment. Answer 2 could be a useful ratio in business but it is not a risk assessment model. Answer 4 just lists random words.


2.20 Preventive controls help best with both the:

1. long-term and short-term issues

2. scheduling and expenses

3. savings and checking

4. expenses and taxes

Answer 1 is the correct answer. Although preventive controls could help as listed in answers 2, 3 & 4, the best answer is 1. Adequate preventive controls diminish the implications of both short-term and long-term problems. Often, the ramifications of long-term problems are much more difficult to correct than short-term problems. Therefore, it is better to prevent them whenever possible.

2.21 Which of the following emphasizes the use of analytical models?

1. the new ISO 31000:2009

2. ERM

3. COSO

4. CoCo

Answer 2 is the correct answer. Of all of these models, ERM contains the most emphasis on the use of analytical models.

2.22 ISO 31000:2009 is a relatively new risk modeling tool that incorporates risk management techniques that:

1. are a completely new approach to risk management

2. identify and change the likelihood of apparent risk

3. facilitate the ability to accept the risk

4. are intended to provide some universal guidelines and consistency in risk management modeling

Answer 4 is the correct answer. ISO 31000:2009 is a risk management tool and model whose intent is to provide a uniform and consistent risk management approach. Hence answer 1 is not correct. Although some of the approaches of ISO 31000:2009 change the likelihood and facilitate the acceptance of risk, as listed in answers 2 & 3 respectively, these are only two of the many approaches of the ISO 31000:2009 risk management model.


2.23 COSO is a good tool for business because:

1. all dimensions of a business can be reviewed

2. it looks at risk as part of controls

3. it looks at all parts of a process: objective, risk, and controls

4. it is easy to use and can address issues in the short-term

Answer 1 is the correct answer. Answer 2 is not correct because it lists only one of the things that COSO can evaluate. Answer 3 is not correct because it lists only three dimensions. Although COSO looks at these dimensions, it looks at many other dimensions as well. Answer 4 is not correct because COSO can help evaluate the adequacy of controls in both the long-term and short-term.

2.24 COSO can be a useful tool for looking at the relationships of a process in:

1. the entity and activity

2. across lateral boundaries of the business

3. the soft controls

4. all of the above

Answer 4 is the correct answer. Answers 1, 2 & 3 all list relationships of a process where COSO can be a useful tool.


2.25 The most important aspect of CoCo is:

1. it is a continuous loop of improvement

2. it specifically addresses action in the process

3. it is specific to the management of business

4. none of the above

Answer 1 is the correct answer. Consequently, answer 4 is not correct. Answers 2 & 3 are not related to the question.

2.26 The Criteria on Control Committee (CoCo) of the Canadian Institute of Chartered Accountants:

1. is a control model that is like COSO

2. is a control model developed by a professional organization that expands on previous control models

3. should only be used by itself because it has unique characteristics

4. was developed for use only in Canada

Answer 2 is the correct answer. Answer 1 is not correct because CoCo is an improvement on the COSO model. Answer 3 is not correct because CoCo and other models work well together. Answer 4 is not correct because, although it was developed in Canada, it has business applications in general no matter where the process is located or conducted.


2.27 The CoCo framework has:

1. 15 criteria of controls

2. CoCo criteria of controls

3. no specific criteria of controls; it depends on the situation

4. 25 criteria of controls

Answer 2 is the correct answer. CoCo has its own criteria of controls. Answers 1, 3 & 4 are not correct since answer 2 is correct.

2.28 The components of CoCo are:

1. condition, criteria, cause, effect, and recommendation

2. purpose; commitment; capability; action; monitoring and learning

3. compliance, accomplishment of goals, reliability of information, effective use of resources, and safeguarding of assets in concert with CSA

4. purpose, accomplishment of goals, capability, reliability of information, and monitoring and learning as an opportunity for communications

Answer 2 is the correct answer. Answer 1 lists the recommended five parts of a finding. Answer 3 lists The IIA control objectives model. Answer 4 is a selection of random words.


2.29 Which of the following is the best example of a strategic planning tool?

1. COSO

2. COBIT

3. SWOT

4. CoCo

Answer 3 is the correct answer. SWOT is the acronym for Strengths, Weaknesses, Opportunities, and Threats. It is a strategic planning model. It is very useful in determining long-term implications of buying, selling, merging, and other business applications. Answers 1, 2 & 4 list integrated control models.

2.30 Benchmarking is the measuring or comparing of an entity, process, or objective against another real or perceived entity, process, or objective. Which of the following is a use of benchmarking?

1. access ideas from proven practices

2. develop an analysis of competitive organizations

3. analyze core business functions

4. develop a comparison of all facets of processes across similar and dissimilar organizations

Answer 1 is the correct answer. The remaining answers represent some of the following types of benchmarking:

strategic: used when organizations need to improve by adjusting their long-term strategy in line with other organizations that have succeeded.

competitive: developing an analysis of competitive organizations

functional: used to analyze core business functions

best practices: a comparison of all facets of processes across similar and dissimilar organizations

Answers 2 & 3 are not correct. Benchmarking is a comparison of 2 items, not an analysis of one. Answer 4 is not correct, as neither benchmarking nor any other single tool is capable of comparing “all” facets of anything. The wording “all” is a reason to eliminate that answer.


2.31 COSO helps business leaders assess and address the soft issues. Which of the following is the most correct statement?

1. soft issues are much more difficult to convince management to address

2. soft issues are often the foundation for a good control process

3. soft issues are not reviewed and addressed as much as they should be

4. all of the above

Answer 4 is the correct answer. Answers 1, 2, & 3 all list correct statements.

2.32 A systematic method of addressing a specific problem is to:

1. understand the objective, identify the problem, and take action to resolve the problem

2. identify the problem statement, do a problem analysis, review alternatives, and address recommendations

3. determine the reliability of information, compare the information to the objectives, and address the difference

4. discuss the issues with everyone involved, document each point of view, identify discrepancies, and take ACTION

Answer 2 is the correct answer. This model will help keep the discussion focused on the problem. It will help make sure that the best job is done on the right thing. Answers 1, 3 & 4 just list random phrases.


2.33 Controls designed to better manage profit margin objectives are:

1. directive controls

2. compensating controls

3. preventive controls

4. adequate financial controls

Answer 1 is the correct answer. Directive controls are designed to cause anticipated objectives to be achieved.

2.34 Which of the following would or could be considered a control weakness?

1. the director of reservations reports to the president

2. the CFO reports to the CEO

3. the audit committee consists of the CFO, CEO, and a major stockholder

4. the controller reports to the V.P. of Operations

Answer 3 is the correct answer. The audit committee should consist of independent members. The Audit Committee needs to maintain an independent oversight of auditing and the internal control function. Answers 1, 2 & 4 describe reasonable reporting relationships that would not be considered a control weakness.


2.35 A feedback control system can best be described as:

1. planning, organizing, staffing, directing, and controlling

2. the achievement of objectives, awards, and ability interviews

3. the monitoring component of a communication system

4. detectors, comparators, and activators

Answer 4 is the correct answer. This answer best describes a feedback control system that will ensure that the desired state is achieved and maintained. The detectors identify the condition. The comparators allow a comparison to a reference point to determine if adjustment is needed. The activators are the activities to make the appropriate adjustment. Answer 1 describes the functions of management and does relate to the question. Answer 2 is just a random listing of words. Answer 3 only describes one element of a feedback control system.

2.36 To minimize the risk of personal gain from employees taking advantage of transactions that they maintain, management should:

1. have an internal auditor assigned to the organization

2. maintain a systematic and periodic review of all purchased items

3. rotate personnel periodically

4. require an inventory and audit of all transactions made each quarter

Answer 3 is the correct answer. Minimizing the opportunity for long-term relationships can be an effective control in this case. This will also facilitate the opportunity for review by other employees of each employee’s work. Answer 1 is not correct as an internal auditor should not become the internal control for an operation. Answers 2 & 4 list actions that are probably not practical in a large organization.


2.37 In terms of communications within the COSO and ERM models, which of the following best describes a complete and effective communications element?

1. trust and communications

2. communications should be relevant, adequate, and appropriate to enable those who need to know to carry out their tasks

3. communications is the responsibility of both the sender and receiver

4. communications should be from the top down

Answer 2 is the best answer. It is from the definitions of communications in both the COSO and ERM models. Situations differ, and addressing relevance, adequacy, and appropriateness covers those different situations. The key words are “to enable those who need to know to best carry out their tasks”. Answers 1 & 3 list key elements in any communications. Trust and communication go together. However, the question asks for communications as they relate to the COSO and ERM models. Answer 4 is not correct because it implies that communications must be from the top down only.

McKeever CRMA Study System Assurance role of the Internal Auditor

DOMAIN III: ASSURANCE ROLE OF THE INTERNAL AUDITOR (IA)


Domain III: Assurance role of the Internal Auditor (IA)

The objective of this module is to better prepare the participant to pass the
Certification in Risk Management Assurance Exam by discussing and
analyzing the technical dimensions of this domain while discussing
techniques to best manage multiple-choice questions.

Included are discussions of the skill requirements of a CRMA to:

A. Review the management of key risks

B. Evaluate the reporting of key risks

C. Provide assurance that risks are adequately evaluated

D. Provide assurance on risk management processes

Source: The IIA International web site


Assurance role of the Internal Auditor (IA)


The 1999 IIA Standards stated that each internal audit organization should
define both assurance and consulting services in terms of what is
appropriate for their own organization, and those definitions should be
formal and published in the internal audit charter.

The IIA Standards clearly identify the opportunity for internal audit to
increase its contribution to the success of an organization by using
assurance to add value and improve an organization’s operation in a
consulting role.

“Internal auditing is an …assurance activity designed to add value and improve an organization's operations. …”

Source: 1999 IIA Standards from www.theiia.org

Internal audit helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


Assurance:

There is a large amount of overlap between consulting and assurance.

John Tongren, a well-known audit consultant, uses the following method to separate consulting from assurance. The following chart will be useful for studying this domain and domain 4.

Assurance:

The role of assurance is a natural extension of what internal auditors already accomplish. They must offer professional services to survive in an extremely competitive business environment. Both auditors and consultants have “some independence” but are dependent on payment for services. Both operate on a project basis with a start and completion date (an audit is an example).


The review, evaluation, and management effort of key risks in a process is easier said than done. To be effective this effort requires collaboration between and among process owners and risk and control specialists (internal auditors) at all levels. This means that there must be an understanding and acceptance by process owners of how to identify, measure, and prioritize key risks, and then act on them accordingly. In addition, this effort requires an empathetic approach by the risk and control specialists to help the process owners gain an understanding of risk and control management. It is not only the risk and control specialists who are or should be identifying, measuring, and prioritizing key risks.

In order to facilitate this effort (corporate governance) the process owners must
have an understanding of how to identify, measure, prioritize, and then act (the
risk management) upon key risks. In addition, the process owners must be
willing to accept responsibility to administer this corporate governance.

Unfortunately, in many cases, process owners have neither an adequate understanding of the corporate governance necessities nor a sincere willingness to accept responsibility to administer a complete corporate governance plan (including the adequate administration of controls).

But, credit must be given where credit is due. Process owners, in current
business situations are being asked to be more and more responsible for
corporate governance. However, these process owners, in many cases, are
being asked to be responsible for something that they do not adequately
understand (corporate governance). So it is not the process owner’s fault that
they are reluctant to accept these new and expanding responsibilities. No one
has really explained to the process owners how to employ a sufficient corporate
governance strategy.

Traditionally this corporate governance knowledge has been with internal auditors, not the process owners. This has been misdirection. Now there is an opportunity for internal auditors to assist the process owners in developing a corporate governance strategy.

So one of the first steps to enhance the corporate governance strategy in processes is to recognize opportunities to help those with a lesser understanding of corporate governance (process owners) to manage key risks. Internal auditors with a greater understanding of corporate governance can provide professional, valuable services in that area.

In order to be successful there are a number of things that should be addressed: enhancing the knowledge base of corporate governance strategies, solidifying a belief by the process owners in adequate corporate management, and encouraging an acceptance of responsibility for corporate governance by the process owners.


The internal auditor plays ever-increasing roles in corporate governance, including assurance roles in many areas including the area of risk management. This role generally includes the management services of continual education, self-assessment, and process improvement.

In reality these services are not easily separated from the role of consulting.

RISK MANAGEMENT
Corporate Governance Must Be Incorporated Into
The Overall Process Belief and Direction of the Process.

Before continuing, it is important to revisit some basic perspectives. The term key risk is used frequently and implies a risk that is more significant than any other risk. This highlights the basic risk assessment formula, which outlines the three steps of risk assessment. These steps are identifying the risk, measuring the risk, and then prioritizing the risk. Completing these steps and finally prioritizing would reveal the key, or most significant, risk or the risk that is the root cause for other risks.

It is important that this key risk or most significant risk has some nomenclature to
distinguish it from the other lower prioritized risks. This could be an
alphanumeric notation or more formally a Key Risk Indicator (KRI). In simple
terms a KRI is a measure used to indicate the significance of a risk.

A KRI can indicate to a process owner what or where there is a high probability of a risk or risks that may exceed the defined risk appetite for that process.

Processes are all different. Therefore, each process can and should develop its own KRI, taking into account the following steps:

• consider the different stakeholders of the organization
• make a balanced selection of risk indicators
• ensure that the selected indicators identify in detail the root cause of the events
• choose indicators that are highly relevant and have a high probability of predicting important risks


The constant monitoring of KRI can:

• provide an early warning: a proactive action can take place
• provide a backward looking view on risk events, so lessons can be learned from past events
• provide an indication that the risk appetite and risk tolerance are achieved

Remember that risk assessment is not a science. It is not just the completion of
some arithmetic formula. Risk assessment requires thinking by the process
owners or auditors.

Thinking plus the arithmetic equals a better risk assessment.

Even though one risk has been identified as a high priority or key risk does not
mean that other risks should be disregarded.
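The KRI discussion above (indicators per process, a defined risk appetite and tolerance, early warning, a backward look at past events, and prioritizing the key risk without disregarding the rest) can be made concrete in code. The following is an added example written for this study guide, not code from the McKeever system or from The IIA. The indicator names, the appetite and tolerance values, and the periodic readings are all constructed sample data; the two-reading slope used for the early-warning projection is an assumption chosen for illustration, not a prescribed method.

```python
"""KRI monitor: classify each indicator against appetite and tolerance,
flag upward trends (early warning) and summarise past breaches (lookback).
Added example with constructed data; not the study guide's own material."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class KRI:
    process: str
    name: str
    appetite: float   # level the process owner is willing to operate at
    tolerance: float  # limit that must not be exceeded (tolerance >= appetite)
    history: List[float] = field(default_factory=list)  # periodic readings, oldest first


def classify(value: float, appetite: float, tolerance: float) -> str:
    """Compare one reading with the process's appetite and tolerance."""
    if value > tolerance:
        return "BREACH"
    if value > appetite:
        return "ABOVE APPETITE"
    return "WITHIN APPETITE"


def early_warning(kri: KRI, periods_ahead: int = 2) -> bool:
    """Forward look: project the last two readings ahead (assumed linear slope)
    and report whether the projection would exceed tolerance."""
    if len(kri.history) < 2:
        return False
    slope = kri.history[-1] - kri.history[-2]
    projected = kri.history[-1] + slope * periods_ahead
    return slope > 0 and projected > kri.tolerance


def lookback(kri: KRI) -> Dict[str, int]:
    """Backward look: how often past readings sat in each band."""
    counts = {"WITHIN APPETITE": 0, "ABOVE APPETITE": 0, "BREACH": 0}
    for value in kri.history:
        counts[classify(value, kri.appetite, kri.tolerance)] += 1
    return counts


def report(kris: List[KRI]) -> List[dict]:
    """Build one row per KRI and prioritize: breaches first, then indicators
    above appetite, with early-warning indicators ahead of stable ones.
    Lower-priority rows are kept, not dropped: other risks are not disregarded."""
    rows = []
    for kri in kris:
        latest = kri.history[-1]
        rows.append({
            "process": kri.process,
            "kri": kri.name,
            "latest": latest,
            "status": classify(latest, kri.appetite, kri.tolerance),
            "early_warning": early_warning(kri),
            "past": lookback(kri),
        })
    order = {"BREACH": 0, "ABOVE APPETITE": 1, "WITHIN APPETITE": 2}
    rows.sort(key=lambda r: (order[r["status"]], not r["early_warning"]))
    return rows


# Constructed sample indicators (hypothetical processes and readings).
SAMPLE_KRIS = [
    KRI("vulnerability management", "days to patch critical CVEs",
        appetite=14, tolerance=30, history=[9, 11, 12, 16, 21]),
    KRI("access management", "dormant privileged accounts",
        appetite=2, tolerance=5, history=[3, 6, 4, 2, 1]),
    KRI("change management", "emergency changes per month",
        appetite=5, tolerance=10, history=[2, 3, 3, 4, 4]),
]

if __name__ == "__main__":
    for row in report(SAMPLE_KRIS):
        flag = " (early warning)" if row["early_warning"] else ""
        print(f'{row["status"]:<15} {row["process"]}: {row["kri"]} = {row["latest"]}{flag}')
        print(f'    past readings: {row["past"]}')
```

With the constructed data, "days to patch critical CVEs" is still below tolerance but sorts to the top because it is above appetite and trending toward a breach; "dormant privileged accounts" is within appetite today, yet its lookback shows a past breach that the process owner should learn from. The arithmetic alone does not decide what to do next; it only keeps the thinking focused on the right indicators.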

Continuing from the first step in enhancing corporate governance and establishing a corporate governance strategy is the education of those with a lesser understanding of corporate governance. But where should that start? Probably this depends on the management style and culture of the process owners. A good starting point is to gain the highest possible support at the highest organizational point in the organization structure (the Board of Directors and Executive Management).

Corporate governance management faces a continual dilemma. That is a rapidly changing relationship of internal auditing professionals with the Audit Committee. The responsibilities of internal auditors that relate to the governance of their organizations are most vital and result in the greatest opportunity to add value. In order for this relationship to flourish, it is important for internal auditors as well as the Audit Committees to be fully informed of the current legal and regulatory environment as well as recent conclusions reported by global partners.


This Guidance Must Start at the Top of the Organization and Emulate Its Way Downward.

Internal Audit can provide risk management education at all levels.

Some suggestions for education:

• one-day or two-day session for the auditors

• half-day or full-day session for audit managers

• one-day or two-day session for auditors and respective customers

If this mentoring is going to be effective, it is important to stay focused on the prime objective, which is to help the process owners better understand and believe in appropriate risk and control management. It is important that the risk and control professional provide this guidance with an understanding of their audience. The delivery of these risk and control concepts should not be overwhelming or condescending to the audience. For example, if the audience has a substantial understanding of risk and control management and just needs a refresher, a basic delivery of risk and control basics from beginning to end may not be appropriate.


However, if the audience has little or no understanding of risk and control management, then a more step-by-step detailed approach may be appropriate. Know the audience.

So there appear to be new roles for internal auditors: that of a corporate governance coach, mentor, and trainer.

So where does this start? It starts with those who are risk and control experts passing the risk knowledge, control management philosophy, and tools on to those who have a lesser understanding of risk and control management.

With all this being said, internal auditors provide some assurance (the key word
is “some”) that risk management is adequate and appropriate within the process
where they are providing their service.

However, an ultimate objective is to have more than the internal auditors providing assurance. It is beneficial for the process owners to provide additional assurance by means of their efforts as well.

If the process owners are to be held responsible to manage their own risks
and controls they must be educated in those concepts. The process
owners must be coached, mentored, guided, and educated in the
application of risk and control management. Only then can they be held
responsible legitimately.


Source: John Tongren, “Exceeding Expectations for Internal Auditors”

The above graph shows the benefit of collaboration between internal audit and
clients.

IPPF Guidance - standard 2210.A3

To put this into perspective, IPPF Guidance standard 2210.A3, which internal auditors use to perform their services, states that:

Adequate criteria are needed to evaluate governance, risk management, and control. Internal auditors must ascertain the extent to which management or the Board of Directors has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and the board to develop appropriate evaluation criteria.

Summary: Internal audit provides independent professional services that improve the quality of information, or its context, for decision makers.


Organizations Today Do Not Need a Department of Internal Control Experts Providing Periodic Appraisals. They Need Internal Control Expertise Operating Continually and Consistently Throughout the Organization. Educating the Organization on Risk Management and Control is an Obvious First Step Opportunity for Internal Assurance Consulting Activities.

The contemporary concept of the new internal audit function is to hold the
process owners at all levels responsible for the adequate management of their
internal controls.

The role of internal auditors in the assurance that risk and control management is
adequate in the business processes of their oversight falls in the tradition of the
internal audit profession and the evolution of the profession itself. That word
“assurance” is a key word in this responsibility.

To put this into perspective it is necessary to first understand in simple terms what internal audit is. Internal audit is a control by its existence and application. Therefore the application of internal audit, like any other control, should be determined by apparent risk. So the higher the risk in a process, the more internal audit effort should be employed in that process in terms of audit time, resources, coaching, mentoring, and training.

Just as with any other application of controls to apparent risk there is a chance
that some risk will not be addressed adequately. A term specific to internal
audit is audit risk. This means that the audit, for whatever reason, did not
address some risk adequately. So it becomes apparent that the word
“assurance” is somewhat misleading. As no control, including internal audit, can
assure that all risk will be addressed adequately all of the time in every situation.
Therefore the importance of having not only internal audit but all process owners
adequately managing corporate governance becomes clear. The more people
understanding and addressing risk the better the results.

There is “Reasonable Assurance” So Some Risk Will Get Through the Screen of Corporate Governance. Strengthen the Screen by Getting More People Involved in the Corporate Governance Strategy.


Answer the Following Question.

23. The Board of Directors of a large international company has become concerned about an increase in risk exposure. This concern has been amplified among the Board members with the increases in domestic and international regulations including ISO 31000. As such, and realizing the need to maintain compliance with this ever-increasing regulatory platform, the Board of Directors has asked internal audit to establish a program which will ensure company compliance. Which of the following approaches should internal audit pursue?

a. establish a training program to educate everyone on the regulatory requirements and also help build a foundation of belief in the regulatory requirement needs
b. first establish a survey, written or oral, to determine which regulatory issues should be addressed first, minimizing the need to try to address everything at once
c. determine which departments could have the greatest impact on non-compliance and work with them first, providing training, guidance, mentoring, and coaching
d. none of the above

See Application Questions, Answers & Explanations module for the answer.

Internal Auditing Today

The internal audit responsibility has evolved over the years from its inception in the mid-1940s from a quantitative focus, to a qualitative focus, and then to a combination of both.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. Internal audit helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management to the organization.

Internal audit today is required to apply internal control knowledge to help identify
risks that might create future problems as well as risk that have created past
problems.


The following graph outlines the need for internal audit to identify risk of future
problems.

Source: John Tongren, “Operational Auditing: Adding Value to Organizations”

Assess the Main Risks

Internal auditors must make a conscious effort to assess the risks that could
jeopardize the achievement of process objectives.

Assessment of risk is usually completed using past audits; interviews with the
senior-level management and other staff members; and the auditor’s judgment of
the current situation of the process.

Internal auditors should put the following questions to themselves: what could go
wrong? What is the (probability) that it would go wrong? What if it goes wrong
(impact)?

Risk and control specialists do this. The ultimate objective is to get the process owners to think this way as well.

Answer the Following Question.


75. An ultimate objective is to have more process owners understand corporate governance. Important ingredients to achieve this are the efforts of internal audit. Realizing that in many cases process owners have much less of an understanding of corporate governance than do internal auditors, which approach should internal auditors take to jump start this corporate governance knowledge base for process owners?

a. first understand the process owners' knowledge base and then develop appropriate risk and control training for the process owners
b. develop a restructure of the process organization, looking specifically at efficiency and effectiveness
c. develop policies and procedures for the first time for the process owners
d. conduct an audit to determine the weak areas to address first

See Application Questions, Answers & Explanations module for the answer.

There Are Two Objectives of Internal Auditors. The First Objective Is To Understand The Objectives of The Client. The Second Objective Is To Help Clients Achieve Their Objectives.

Audit Objectives Have A Significant Impact on The Success of Their Efforts As Well As The Efforts of Their Process Owners.

The Board Of Directors Is Ultimately Responsible For Organization Control.

The Audit Committee chairperson has to be able to sit down with internal audit and say, “What do I need to be careful of? What’s happening?”


So reinforcing corporate governance from the top down in an organization is one step. However, internal auditors as risk and control professionals have a number of other tools available to both enhance and measure the effectiveness of corporate governance, including training, traditional audit, operational audits, and self-assessment. Keep in mind that in most cases some combination of these tools will work best as compared to just using one tool as a standalone.

To put this in some context, training could be considered a preventive tool while
the various types of audits and the self-assessment could be considered a
monitoring or detective tool. But these descriptions are not always exactly
definitive. For example what may be a preventative control in one situation may
be considered a detective control in another situation.

These tools will help ensure that key risks in a process are being addressed
adequately and appropriately.

The self-assessment process is probably the most effective tool to help address
key risks, monitor the corporate governance, and manage those key risks. In
addition the self-assessment process expands the risk and control knowledge
base of process owners’ participants. So self-assessment can be considered
two tools in one.

See domain 4 for a detailed description of the self-assessment process.

Continuous Monitoring
One of the roles that the internal auditor plays in the area of risk management is
to help process owners continually improve their processes. Internal audit can
meet process owners’ expectations by expanding the use of operational auditing
and traditional auditing skills to further apply internal audit knowledge about
controls.

Process owners with an ever-increasing list of required tasks will welcome helpful
suggestions of how to improve their processes.

Operational Auditing

The Terminology Jungle


Although the expansion in the scope of internal auditing took place in a very short
span of time, it produced a spurt of terms and expressions. People started
describing operational auditing in different words. Some of the more common
expressions were:

• operational auditing
• comprehensive auditing
• value-for-money auditing
• management auditing
• operations auditing
• efficiency auditing
• effectiveness auditing
• preventive auditing
• system-oriented effectiveness auditing
• operational evaluation
• project auditing
• program auditing
• program evaluation

No doubt there are minor differences in the precise meaning, scope, and methods
of these expressions, but all of these terms agree on the same basic premises:

• They embrace all management levels from the point of view of economy,
efficiency, and effectiveness at the planning, implementing, and monitoring stages.
• Operational auditing helps generate appropriate information on management
accountability.
• Operational auditing helps management improve efficiency and effectiveness
in the future.
• Operational auditing does not question the rationale of executive policies.
However, it does tell where these policies have not been able to attain the
intended results.
• Operational auditing appreciates the circumstances in which management
makes decisions.

A working definition of operational auditing is as follows: “Operational auditing
is an assessment of the activities of an organization to see if the resources
are being managed with due regard for economy, efficiency, and
effectiveness and that the accountability requirements are being met
reasonably.”

Operational auditing is concerned with all components of the operating system
of an activity, including its structure, processes, systems, procedures, practices,
and operations, and the use and deployment of resources such as people,
equipment, technology, materials, facilities, and information.

Most particularly, operational auditing reviews the economy and efficiency of a
process. It is also concerned with how the organization's strategy is carried into
business-level operations and objectives.

An operational audit is a review of any part of an organization’s operating
procedures and methods for the purpose of evaluating economy, efficiency,
and effectiveness.
• Economy refers to the acquisition of resources at the lowest cost, keeping in
view the objectives of the organization. It implies that resources should be
acquired at the right cost, at the right time, at the right place, in the right
quantity, and with the right quality.
• Efficiency means optimum utilization of resources, keeping in view the
objectives of the organization. It implies maximizing output from given
resources or minimizing input for given outputs.
• Effectiveness refers to the achievement of objectives. It involves assessment
of the outcomes of programs and projects, which are usually external to the
organization.

Reasonable Manager Approach

Operational auditing uses the concept of a reasonable manager. The operational
auditor looks at the operations of the auditee as an ordinarily good manager would.
Managers make everyday decisions in the light of imperfect information. They
undertake risks in the hope of achieving positive results. They are also exposed to
all sorts of pressures and compulsions, both internal and external to the
organization, and have to tolerate a certain amount of political constraint. The
auditors appreciate the environment in which the managers operate and ask the
basic question: what would a reasonable manager do in the given circumstances?

Operational auditing summary:

A major advantage of operational auditing is that it facilitates an analysis of the
overall process. In more traditional auditing, reviews of apparent risk and of the
effectiveness of controls are specific to individual components of a process. In
essence, in a traditional audit each individual element of a process is analyzed
for such things as compliance, but the interrelationships among those individual
components are often overlooked.

Comment: In many cases it is at the interfaces among the individual elements of a
process that risks are most apparent and controls are most often lacking.
Operational auditing helps evaluate the interrelationships among the individual
elements of a process, so a more holistic analysis of the risk of a process is
realized. As these holistic risks are identified, controls can be applied more
effectively and efficiently.

In operational auditing the internal auditor is the prime reviewer and reporter to
the process owners about the adequacy of the process owners’ corporate
governance. In a self-assessment process the process owners, often with the
assistance of internal audit, are the prime reviewers and reporters of the
adequacy of the process corporate governance.

Answer the Following Question.

70. One of the tools that can be used to provide an evaluation that key risks are
adequately evaluated is operational auditing. Which of the following would not be
a result of an operational audit?

a. operational auditing will help evaluate the interrelationships between
and among individual elements of a process
b. operational auditing will help evaluate the apparent interfaces between
and among individual processes within an overall process
c. operational auditing can help evaluate the adequacy of controls in a
process with respect to efficiency and effectiveness
d. operational auditing can provide assurance that key risks are
adequately evaluated and addressed

See Application Questions, Answers & Explanations module for the answer.

Risk Management is The Primary Focus of Corporate Governance.

Thoughts for Continual Risk Management:

• monitor key processes

• monitor key activities

• monitor key controls

• track transactions

• validate data accuracy

• perform routine compliance testing

Interactive risk and control evaluation tools, CSA, and operational auditing
cannot be effective in an environment where participatory management
philosophies are weak.

These types of interactive auditing tools help improve the accountability process
and strengthen the efforts toward better key risk management.

Traditional Auditing
Traditional auditing is considered more of a compliance audit and is generally
focused on specific elements of an overall process. Typically this type of auditing
requires less time than operational auditing or self-assessment. The process
involves obtaining a document that requires compliance (a company policy,
procedure, law, or regulation) and comparing it to what is actually being
performed. Using observation, analysis, reconciliation, or comparison, a
determination is made of the variations between the written guideline and what
is actually being performed or transacted.

Many times, if a substantial number of items are to be analyzed, a sample of the
total population of documents may be appropriate. See Appendix 3 for
additional information about sampling for auditors.

As a result of the analysis, a comment or finding is developed depicting some
quantifiable result, such as “20 of 200 (10%) were not in compliance”, or some
quantifiable monetary value, such as “$100.00 of $1,000 was not accounted for
or was not reconcilable”.

Many times, not always, these quantifiable amounts become the focus of the
report. What is missed is the weakness in the controls that allowed these
quantifiable concerns to materialize.

If management has a system of effectiveness measurement, then the auditor
reviews its reports in the following manner (note: this could be a self-assessment
process):

• documents management’s system of effectiveness measurements
• assesses the appropriateness of the operational indicators
• verifies the results and compares them with the appropriate standards
• formulates an opinion on the effectiveness of management’s system
• if a system of operational measurement does not exist, or is weak, indicates
that with appropriate recommendations (within auditor professional
independence and objectivity guidelines)

Note: Remember That It Is The Adequacy of Controls To Manage Risk That
Should Be Evaluated In Any Audit.

Summary:
So here are four approaches of corporate governance analysis with various
involvements from internal auditors. These approaches are: 1) risk and control
training to gain involvement by everyone, including process owners, 2) the self-
assessment process that may involve internal auditors in various capacities, 3)
operational auditing which helps evaluate how an entire process or corporate
governance is functioning, and 4) traditional auditing which focuses more on
specific elements of a process.

Remember to Involve Everyone at All Levels in Corporate Governance

Figure: People, Process, and Power shown as the three points of a triangle:
people, with appropriate power, involved in the process.

• Commitment – to a shared vision
• Collaboration – to achieve synergy
• Competence – to meet expectations
• Confidence – in self and associates

Analyzing the adequacy of corporate governance is only one part of
implementing an effective corporate governance strategy. The results of any key
risk analysis must motivate the process owners into action. Hence the
foundation of training, which should instill a belief in corporate governance
and provide a strategy to address any issues identified in the analysis.

This effort is half complete with the self-assessment process because the
process owners are part of the identification and management of risk. Although
this is the case with self-assessment, some convincing may still be necessary.
With operational auditing and traditional auditing the convincing of the process
owners of what are or are not key risks and any appropriate management of
those key risks may be a challenge.

Risk Management Professionals may have to turn to selling techniques.

BENEFITS REALIZATION

Some basic selling concepts

FAB (features, advantages, and benefits):

No matter what they are buying, people like the features and they like the
advantages, but they buy the benefits. Therefore, it is incumbent upon the risk
and control professional to understand the benefits for the process owner and
report the risk issues in terms of those benefits.

It is also important that the risk and control professional understand the
perspective of the process owner when reporting risk concerns.

WIIFM (what’s in it for me):

In this case, the “me” is the process owner. It is important that the risk and
control professional understand, from the perspective of the process owners,
what the process owners will gain by implementing any recommended actions
to manage an identified risk.

The Risk And Control Professional, When Reporting Their Concerns,
Should Focus Their Reporting On FAB and WIIFM.

Review of Reporting:

The basic elements of risk assessment and management are planning the
assessment, engaging in the assessment activity (self-assessment, operational
audit, traditional audit), and reporting. An outstanding effort in the assessment
activity can lose momentum in the reporting stage if the results of the
assessment are not reported with the process owner (the action person) in mind.
If the reporting is not adequate, the key risk issues will not be addressed
appropriately.

Assessment:

Assessment means that the auditor formulates a judgment on the basis of
relevant and reliable evidence. Evidence is the key word in establishing the
validity and credibility of written or verbal reported concerns.

Know The Audience.


Some approaches to reporting

Closing meetings:

The number and complexity of closing meetings in any audit can vary.
Considerations that must be planned for and addressed include the complexity
of the topic, the experience of the process owners and the review staff, any
politics within the process owner’s organization, and the management style of
the process owner’s staff.

It is Important That Whoever is Reporting Understands the Risk and
Control Concerns in the Reporting Process Environment.

The formal documenting of audit concerns is important for the following
reasons:

• it tends to ensure more comprehensive risk assessments than
undocumented efforts
• it provides a basis for monitoring mitigation
• it provides project background material for managers and auditors
• it is a management tool
• it provides a formalized rationale for decisions

Written Reports:

The report of a self-assessment process is a product of the self-assessment
team or workshop. This report is generally not an official audit report. It
becomes an official audit report only if the team specifically requests it. Other
than that exception, a report from a self-assessment workshop is a product of
the workshop itself.

Operational and Traditional Audit Reports:

As with all auditing, operational audit findings should be based on valid,
relevant, and sufficient evidence.

The Climax of the Auditor’s Efforts

The audit report is the end product of the internal auditor’s effort. The reader
sees only the report, never the process and effort through which it was made
possible. Therefore, the reward for the internal auditors’ efforts lies in writing a
proper report. If the report does not create the desired impact, the entire effort
in auditing and writing the report is lost. For the report to create an impact, this
must be considered in advance. The best audit in the world is useless if no one
reads its report. So the question boils down to: how can auditors write a report
that will attract the attention of its audience and create an impact as well? The
first obstacle is the essence of the report itself. The audit report by its very
nature is likely to contain observations that are not palatable to process owners.
It therefore requires real skill to present these observations in a manner that is
persuasive and pleasant.

Proper style can make bitter facts acceptable.

A report that is presented in a proper manner (a relative term, related to each
audience) is likely to be more effective than a report that is factual but not
presented for its audience.

In the final analysis, presentation of the report carries more weight than its
substance.
The elements of these types of audit reports are fairly standard. The variations
are in the tone of the wording, which can be stronger or softer and should be
adjusted for the reader. Remember that the purpose of the report is to motivate
the reader to take action on the risk concerns identified.

The first basic element of these reports is the purpose (why the audit was
conducted). The purpose should include some reference to an evaluation of
controls, for example, “the purpose of this audit was to evaluate the adequacy
of controls related to……”. The purpose statement should be relatively short
(a few sentences will generally suffice).

The next required, or strongly recommended, element is the scope. The scope
should contain more detail than the purpose statement. For example: “a review
of compliance with the company travel policy was conducted during June. A
sample of travel expense statements was selected and analyzed for receipt
compliance to determine whether the controls related to travel statements were
working as intended”.

The next report element and an optional element is the background. The
purpose of the background statement is to provide a reader some basic
information about the function of the process. Caution: When writing a
background statement be careful not to be condescending to the reader.
Remember the risk and control professional spent a short time in the process.
Most of the readers work in that process every day. However, the background
statement should provide some basic process information to a reader not familiar
with the process.

One way to minimize the risk of being condescending to the process owner is to
ask them for help when writing the background statement. Explain to the
process owner that a background statement is necessary because other readers,
not familiar with the process, will need a perspective. By partnering with the
process owner, the risk of condescension toward the primary process owner
decreases while the partnership increases. This may actually help with the trust
and acceptance of the issues discussed later in the report.

The comments or findings

Generally there are five parts to a finding: the condition, the criteria, the cause,
the effect, and the recommendation.

There is some flexibility with these parts. For example, some companies reverse
the criteria and condition statements. Also, the wording in the condition and
effect statements can be interchanged. NOTE: Readers, especially higher-level
readers, respond to numbers. So develop quantifications during the engagement
work. These numbers (“quantifications”) will be used in the report.

To adjust the tone, move the quantification numbers closer to the top of the
finding statement. More wording before the actual quantification creates a softer
tone.

There is no rule on exactly where the quantification should be placed in a finding
statement. What must be considered is what tone will be required to motivate
the reader to take action on the risks identified.

The cause statement states the root cause of why the controls that are intended
to manage the risk are not functioning as intended.

Reaching the root cause of a problem is easier said than done. This may be
because many professionals are not familiar with reaching the root cause.
Unfortunately, in many cases professionals tend to fix the immediate problem
rather than addressing what caused the problem.

Trying to force this approach may not work. Humans do not like change.
So it becomes incumbent upon risk and control professionals, who may have a
better understanding of this concept, to approach those with a lesser
understanding in such a way as to overcome the barriers to change.

Conversational interviewing is a good approach to help minimize this barrier.
Interviews should be conversational, not inquisitional. Incorporating a series of
“whys” into the conversation can lead to a non-intimidating realization of the
root cause of a problem.

Here is how it works. First identify the problem, then ask why the client thinks
this is happening. After some additional conversation and the answer to this why,
ask why again. Using the same technique with additional casual conversation,
ask why a third time: why did the answer to the second why happen? Repeat
this until no additional answers can be provided.

This is an easy, non-intimidating method to reach the root cause. Subsequent to
this, and depending on the information obtained, more detailed tools may be
necessary to really reach the root cause. The “fishbone diagram” is a good next
step. This tool is a schematic of the reasons why a problem is occurring. It is
much more in depth than the “why” technique and also results in a pictorial
representation of the root causes of a problem.

How far should auditors go in determining the causes of an event? Sometimes
an event may be caused by multiple factors and the auditors may have missed
some of them. To safeguard against this possibility, the auditors should discuss
the matter with the process owners.

An excellent root cause analysis reference book is “Root Cause Analysis: A Tool
for Quality Management” by Paul F. Wilson, Larry D. Dell, and Gaylord F.
Anderson, ISBN 0-87389-163-5, published by the American Society for Quality.

It is recommended that in every case you try to establish the root cause. However,
this may not be possible for a number of reasons, including budget, other risk
issues, schedules, and so on.

The recommendation statement should contain a recommendation, but be
careful not to compromise auditor independence and objectivity. Auditors can
provide a general recommendation but should not be totally specific.

Note: Whenever possible, obtain corrective action on risk concerns as the
audit is being conducted, and incorporate these corrective actions into the report.
This facilitates a partnership between the process owners and the auditor and
eliminates the need for follow-up, which minimizes effort for both the process
owner and the auditor.

Note: A general rule is to open the audit from the top down (highest level
appropriate) and close from the bottom up (the working levels).

This helps build trust and facilitates the selling of the issues at higher levels
which are now partly sold by the lower levels to the upper levels in their own
organization.

The final closing meeting is most often an overview for high-level management. If
all of the closing meetings from the bottom up to these higher levels have been
held, this final meeting should be a formality. The more preparatory work and
communication during the audit engagement, the more this final meeting
becomes a final closing of the sale and commitment.

CAUTION: Although all of the preparatory work may have been completed to
prepare for the final closing meeting, something, for some reason, may go
wrong. So always anticipate what could go wrong and prepare for the
unknown.

Remember The Purpose of All of This Work From Planning to Engagement
to Final Communication Is to Motivate The Process Owners to Take Action
on Risks That May Have Not Been Previously Brought to Their Attention.

Answer the Following Question.

60. Reporting on key risks can be in a number of formats. Whatever the format,
it is extremely important that it be designed with a primary objective: to
motivate the reader into action. Which of the following reporting elements
should be interrelated throughout the report?

a. scope
b. background
c. purpose
d. findings

See Application Questions, Answers & Explanations module for the answer.

Remember that the corporate governance assurance role of internal audit is to
utilize whatever tools are available, within the scope of its professional
guidelines, to assist process owners in identifying, measuring, prioritizing, and
reporting the adequacy of corporate governance.

Information Technology (IT) and Continuous Monitoring

How does internal audit continuously monitor ever more complex
computer-based processes?

Discussing the wide variety of IT tools and techniques available to internal audit
is far too detailed for this CRMA review material, but it would be inappropriate
not to discuss some of these tools, techniques, and issues.

One problem is that internal audit has traditionally used a historical focus.
Internal audit often felt that it could not focus on the future because there was
no data available; hence internal audit could not audit what might happen
because there was no data to audit.

Obviously, focusing on historical data is appropriate if the focus is financial
statements, which are typically based on historical data. But if the purpose of the
audit is to provide risk management assurance to management, then internal
audit must find ways to access data on an “almost real-time” basis.

Internal audit must become future-focused, using techniques such as continuous
monitoring to identify risks while they are occurring or even before they occur.
Embedded controls that flag “unusual” transactions, or that identify a user
attempting an unauthorized action (hacking), can be very useful tools.
Future-focused auditing is much more difficult than auditing historical data.

With available low-cost IT solutions internal audit will be able to continuously:

• monitor key processes
• monitor key activities
• monitor key controls
• perform transaction tracking
• validate data in real time or close to real time
• perform compliance testing

Focusing on key processes, activities, and controls rather than doing generalized
audits of functions can drastically increase the effectiveness of the internal
assurance function of internal audit. Building continuous monitoring into every
system and process provides both the process owner and the auditor with a
greatly enhanced ability to maintain quality systems on a concurrent basis.
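
As an added example (not code from this study guide, the IIA, or any vendor), here is a small Python monitor that embeds the kind of key-control tests the list above describes into a payment transaction feed: data validation, segregation of duties, an approval limit, an off-hours check, and a duplicate-payment test that needs state across transactions. The transaction layout, field names, policy thresholds, and the sample feed are all assumptions constructed for illustration, and the summary it returns is the “N of M were not in compliance” quantification a finding would report.

```python
"""Continuous monitoring of a payment process with embedded key-control tests.

Added example for this study guide; not code from the original text or from any
IIA or vendor material. The transaction layout, field names and policy thresholds
are assumptions chosen for illustration; the sample feed is constructed, not real.
"""
from collections import defaultdict
from datetime import datetime

# Assumed control parameters (hypothetical policy values).
SINGLE_APPROVAL_LIMIT = 10_000.00   # above this, two independent approvers are required
DUPLICATE_WINDOW_DAYS = 30          # same vendor + invoice + amount inside this window
BUSINESS_HOURS = range(7, 20)       # postings outside 07:00-19:59 are flagged as "unusual"
REQUIRED_FIELDS = ("id", "vendor", "invoice", "amount",
                   "created_by", "approved_by", "posted_at")

# Constructed sample feed; each record is one posted payment.
SAMPLE_FEED = [
    {"id": "T1", "vendor": "ACME", "invoice": "INV-100", "amount": 2500.00,
     "created_by": "alice", "approved_by": ["bob"], "posted_at": "2013-06-03T09:15:00"},
    # same vendor, invoice and amount a week later: possible duplicate payment
    {"id": "T2", "vendor": "ACME", "invoice": "INV-100", "amount": 2500.00,
     "created_by": "alice", "approved_by": ["bob"], "posted_at": "2013-06-10T10:02:00"},
    # creator approved her own payment, over the limit, posted late at night
    {"id": "T3", "vendor": "GLOBEX", "invoice": "INV-7", "amount": 15000.00,
     "created_by": "carol", "approved_by": ["carol"], "posted_at": "2013-06-11T23:40:00"},
    # amount arrived as text: fails data validation before any control test runs
    {"id": "T4", "vendor": "INITECH", "invoice": "INV-42", "amount": "12,000",
     "created_by": "dave", "approved_by": ["erin", "frank"], "posted_at": "2013-06-12T14:00:00"},
    # no approval recorded at all
    {"id": "T5", "vendor": "INITECH", "invoice": "INV-43", "amount": 800.00,
     "created_by": "dave", "approved_by": [], "posted_at": "2013-06-12T14:05:00"},
]


def validate(txn):
    """Data validation: required fields present and amount is a positive number."""
    issues = [f"missing field {f}" for f in REQUIRED_FIELDS if f not in txn]
    amount = txn.get("amount")
    if not isinstance(amount, (int, float)):
        issues.append("amount is not numeric")
    elif amount <= 0:
        issues.append("amount is not positive")
    return issues


def check_key_controls(txn):
    """Key control tests on one validated transaction (no cross-record state)."""
    issues = []
    approvers = set(txn["approved_by"])
    if not approvers:
        issues.append("no approval recorded")
    if txn["created_by"] in approvers:
        issues.append("segregation of duties: creator also approved")
    if txn["amount"] > SINGLE_APPROVAL_LIMIT and len(approvers - {txn["created_by"]}) < 2:
        issues.append("over single-approval limit without two independent approvers")
    if datetime.fromisoformat(txn["posted_at"]).hour not in BUSINESS_HOURS:
        issues.append("posted outside business hours")
    return issues


class ContinuousMonitor:
    """Runs each transaction through the checks as it arrives, keeps the state
    needed for the duplicate test, and accumulates the counts a finding quantifies."""

    def __init__(self):
        self._seen = defaultdict(list)   # (vendor, invoice, amount) -> posting times
        self.exceptions = {}             # transaction id -> list of issue strings
        self.processed = 0

    def process(self, txn):
        self.processed += 1
        issues = validate(txn)
        if not issues:                   # only test controls on well-formed data
            issues = check_key_controls(txn)
            key = (txn["vendor"], txn["invoice"], txn["amount"])
            when = datetime.fromisoformat(txn["posted_at"])
            if any(abs((when - earlier).days) <= DUPLICATE_WINDOW_DAYS
                   for earlier in self._seen[key]):
                issues.append("possible duplicate payment")
            self._seen[key].append(when)
        if issues:
            self.exceptions[txn["id"]] = issues
        return issues

    def summary(self):
        """Quantification for the finding: exceptions out of items processed."""
        n = len(self.exceptions)
        rate = n / self.processed if self.processed else 0.0
        return {"processed": self.processed, "exceptions": n, "rate": round(rate, 3)}


def run_feed(feed=SAMPLE_FEED):
    """Feed every record through the monitor and return it for reporting."""
    monitor = ContinuousMonitor()
    for txn in feed:
        monitor.process(txn)
    return monitor


if __name__ == "__main__":
    result = run_feed()
    for txn_id, issues in result.exceptions.items():
        print(txn_id, "->", "; ".join(issues))
    print(result.summary())
```

Two design points matter here. Data validation runs before the control tests, so a malformed record is reported as a data-quality exception rather than silently passing or crashing the control logic. And the thresholds are plain parameters at the top, which is what lets the process owner and auditor agree on them (the consensus the text describes) and change them without touching the tests.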

One important key to success is to consistently leverage IT resources.
Most internal audit functions have IT auditors or auditors who are designated to
perform IT audits. One might think that IT auditing was relatively standardized
given the existence of guidance such as COBIT but in reality there are many
different approaches and capabilities within IT auditing. Some IT auditors are
highly technical; others more application systems oriented. Some focus primarily
on IT security issues, while others identify more with IT management. Some
prefer to limit their activities to computer-assisted audit support and some
specialize in systems development activities.

The result in many cases is that the IT audit function does what it does best.
However this may not always be the best way to use assets to address the area
of assurance. In order to maximize the return on the IT audit investment it will be
necessary to leverage the IT audit investment, capitalize on the scarce skills, and
apply these skills most effectively.

Every organization has both IT technical risks and business risks that must be
addressed by internal audit. Internal audit should make certain that all technical
audits have a process improvement focus with the end goal to improve the
overall process not just to find problems at the detailed or “bits and bytes” level.
Internal audit must identify IT risks as business problems not just surface IT
problems.

Another important goal in technical IT auditing is to involve the IT process
owner directly in process improvement using tools like self-assessment.
Equipping process owners with the tools to perform self-audits can improve both
the speed and accuracy of risk and control analysis. Often all internal audit needs
to provide is a guide for IT management, with COBIT as an ideal starting point.
Once IT management understands the value of using an integrated control
framework like COBIT to identify key risk areas, the next step of looking at
technical risks in detail becomes obvious.

For years internal audit departments have struggled with the increasing
knowledge gap between IT auditors and traditional internal auditors. As IT
auditors became more technical, the gap widened. The problem becomes critical
when IT auditors perform audits of business systems without knowledge of the
basic business process, and internal auditors perform audits of IT-based business
systems without detailed knowledge of the IT processes. The obvious solution is
a team auditing approach in which the different skills are combined in a
complementary rather than a competing way. Team auditing can prove effective
in technical audits by ensuring that the necessary skills are present on the team
and that the proper combination of skills for successful auditing is achieved.

One consideration in technical auditing is the use of external resources,
including outside experts, typically consulting firms that specialize in technical
areas. Outsourcing audits may create a new set of risks. Combining internal
and external resources may produce better control recommendations.

The second major area to consider is audit support, where technical specialists
provide support for individual auditors and audits. Computer-assisted audit
support has been a major enhancement in many internal audit departments. This
support has also included training internal auditors in ways that
computer-assisted auditing may help their audits.

The major payoff is in leveraging IT resources by moving from computer-assisted
auditing to computer-based auditing. Continuous monitoring results when control
monitoring is embedded directly within business systems. In effect, internal audit
performs computer-assisted auditing techniques (CAATs) continually.

There are four major benefits that can be achieved by moving from
computer-assisted to computer-based auditing (CBA). The first is a change in
focus from looking at data after the fact to having the capability to look at data
at any time and in many ways. If internal audit embeds IT audit techniques in
every critical system, it can drastically enhance audit productivity. The second is
the ability to move from internal audit, or “outside experts”, performing the audit
to process owners performing self-monitoring or self-audit. Internal audit can
become much more effective in helping its clients succeed by routinely detecting
both existing and potential problems in a process.

With the use of available computer-based data, internal audit can move past the
traditional problem of differences of opinion on what is important, which control
technique is best, or whether something is really a problem, and on to correcting
issues. Internal audit can then collaborate with process owners to reach
consensus so that embedded systems truly become intelligent. Computer-based
tools can be implemented so that they can be updated as required.

Consistently Leverage IT Resources

From Computer-Assisted Audit Techniques (CAATs) to Computer-Based Auditing (CBA)

Data Retrieval → Embedded Audit System
Outside Audit → Self Audit System
Periodic Audit → Continuous Monitoring
Individual Opinions → Intelligent Systems

Source: John Tongren, “Exceeding Expectations for Internal Auditors”

John Tongren, a well-known audit consultant, developed the above chart in his
publication “Exceeding Expectations for Internal Auditors” to illustrate the
concept of consistently leveraging IT resources, which is helpful for internal
auditors.

There is a need for internal audit to monitor both business risks and IT risks.
Doing so eliminates the audit risk of “over auditing” or “under auditing” the same
business process, of redundant recommended control techniques, and of
unreported risks, all of which waste significant resources. The goal of Integrated
Audit has been around since the 1970s.

The key question is “Who Does What?” Computer-based auditing will
significantly improve internal audit’s ability to provide continuous
monitoring (auditing).

If it is a computer-based process then internal audit needs to use
computer-based auditing.


Where to Go From Here?

Key risk monitoring is the last major element of risk management, but certainly
not the least important. Risk management is an organized and planned process
and should be continual (ongoing).

The development of risk management operational metrics is essential to risk
monitoring success. The establishment of a management indicator system that
provides accurate, timely, and relevant risk information in an easily understood
manner is key to risk monitoring. Operational measures can also be
project-specific rather than program-wide.

Monitoring Key Risk Means Review it and Update it Continuously


Some Key Risk Management Monitoring Steps

• determine if the existing risk management strategy is operating as intended
• make necessary adjustments
• identify new risks as soon as possible
• decide where and how to handle that risk
• look for other risks that might be reduced or eliminated and no longer
need coverage
• check operating volumes - they change, so that coverage levels need to
change

The risk monitoring and updating process occurs after the risks have been
identified (in an audit or self-assessment). Monitoring must continue for the life
of the risk management strategy. The list of risks and associated risk
management strategies will likely change as the process matures and new risks
develop or anticipated risks disappear. Actions or adjustments in response to
any changes beyond accepted limits must be enacted. Monitoring
without actions is a waste of time.
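The move from after-the-fact data retrieval (a CAAT run over extracted data) to an embedded audit system with continuous monitoring, together with the key risk monitoring steps above, as an added Python example; it is not code from the study guide or from any IIA or Tongren publication. The three control rules, the “mgr_” approver convention, the vendor master, the risk-appetite threshold and the sample transactions are all constructed assumptions for the illustration.

```python
# Embedded audit module with a key risk indicator (KRI). Added illustration,
# not code from the McKeever study guide or any IIA product; rules, thresholds,
# vendor ids, user names and transactions are constructed for this example.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    submitter: str   # who entered the transaction
    approver: str    # who approved it
    amount: float
    vendor: str


Finding = Tuple[str, str, str]                  # (txn_id, control name, description)
Rule = Callable[[Transaction], Optional[str]]   # returns None when the control holds

APPROVED_VENDORS = {"V100", "V200", "V300"}     # constructed vendor master
APPROVAL_LIMIT = 10_000.0                       # constructed single-approver limit


def segregation_of_duties(t: Transaction) -> Optional[str]:
    """Control: the person who enters a transaction may not approve it."""
    return "submitter approved own transaction" if t.submitter == t.approver else None


def approved_vendor(t: Transaction) -> Optional[str]:
    """Control: payments go only to vendors in the vendor master."""
    return None if t.vendor in APPROVED_VENDORS else f"vendor {t.vendor} not in vendor master"


def approval_limit(t: Transaction) -> Optional[str]:
    """Control: amounts above the limit need a manager (constructed 'mgr_' prefix)."""
    if t.amount > APPROVAL_LIMIT and not t.approver.startswith("mgr_"):
        return f"amount {t.amount:.2f} above limit approved by a non-manager"
    return None


RULES: List[Rule] = [segregation_of_duties, approved_vendor, approval_limit]


def evaluate_transaction(t: Transaction) -> List[Finding]:
    """Apply every control rule to one transaction; return its exceptions."""
    findings: List[Finding] = []
    for rule in RULES:
        msg = rule(t)
        if msg:
            findings.append((t.txn_id, rule.__name__, msg))
    return findings


def batch_caat(transactions: List[Transaction]) -> List[Finding]:
    """Traditional CAAT: retrieve a period's data and test it after the fact."""
    return [f for t in transactions for f in evaluate_transaction(t)]


class EmbeddedAuditModule:
    """Control monitoring embedded in the business system: each transaction is
    tested as it posts, and a rolling KRI (share of recent transactions with an
    exception) is compared with the risk appetite set for the process."""

    def __init__(self, appetite: float, window: int) -> None:
        self.appetite = appetite      # maximum tolerable exception rate
        self.window = window          # recent transactions counted in the KRI
        self.recent: List[bool] = []  # True = that transaction had an exception
        self.findings: List[Finding] = []

    def post(self, t: Transaction) -> List[Finding]:
        """Called by the business system as each transaction is recorded."""
        new = evaluate_transaction(t)
        self.findings.extend(new)
        self.recent.append(bool(new))
        if len(self.recent) > self.window:   # window follows operating volume
            self.recent.pop(0)
        return new

    def kri(self) -> Dict[str, object]:
        """Current KRI status against the process's risk appetite."""
        rate = sum(self.recent) / len(self.recent) if self.recent else 0.0
        return {"sample": len(self.recent), "exception_rate": rate,
                "within_appetite": rate <= self.appetite}


# Constructed sample transactions.
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "alice", "mgr_bob", 2500.0, "V100"),   # clean
    Transaction("T2", "carol", "carol", 800.0, "V200"),      # SoD breach
    Transaction("T3", "dave", "erin", 15000.0, "V300"),      # over limit, non-manager
    Transaction("T4", "alice", "mgr_bob", 450.0, "V999"),    # unapproved vendor
    Transaction("T5", "frank", "mgr_bob", 9999.0, "V100"),   # clean
    Transaction("T6", "carol", "carol", 12000.0, "V999"),    # three breaches
]


def run_demo(appetite: float = 0.05, window: int = 100):
    """Run the after-the-fact CAAT and the embedded module over the same data."""
    batch = batch_caat(SAMPLE_TRANSACTIONS)
    module = EmbeddedAuditModule(appetite, window)
    for t in SAMPLE_TRANSACTIONS:
        module.post(t)
    return batch, module
```

Both paths evaluate the same rules and report the same six findings on the sample data; the difference is when they surface. The embedded module raises each exception at the moment the transaction posts and keeps a current KRI against the process’s risk appetite, so a breach of that appetite is visible to the process owner without waiting for a scheduled audit, and the rolling window keeps coverage tied to current operating volume, as the monitoring steps above require.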

The Risk Monitoring and Updating Processes Must Address The Management and
Resolution of Necessary Contingencies.

What if this happened, what would we do?


Assurance Role of the Internal Auditor (IA)

3.1 Process owners should have an understanding of which of the following to
enhance their corporate governance strategy?

1. risk identification
2. control analysis
3. prioritization
4. risk strategy

Answer 1 is the correct answer. Answer 3 is the only other answer that could
have some consideration as it lists prioritization. However, this answer does
not indicate what kind or where the prioritization would be. It is not specific
enough to answer the question. Answers 2 & 4 just list random phrases.

3.2 Key risk indicators can help identify the status of:

1. risk appetite
2. control implementation needs
3. risk priority
4. control strategy implementation

Answer 1 is the correct answer. Answers 2, 3 & 4 just list random terms. Key
risk indicators can indicate, for a process, what or where there is a high
probability of risk that may exceed the risk appetite defined for that process.

3.3 CSA is a process that will ensure:

1. that business objectives are met
2. that risk is addressed
3. that appropriate controls will be put in place
4. none of the above

Answer 4 is the correct answer. The word “ensure” is the giveaway in this
question. CSA is a control tool that addresses risks and the achievement of
objectives. However, it is virtually impossible to protect against all risks all
of the time. Answers 1, 2 & 3 list objectives that no tool can “ensure”.
Therefore, answer 4 is the best answer.


3.4 Key risk indicators (KRIs) have become more or less a standard with risk
assessment modeling. Which of the following should be considered when
developing a KRI model?

1. consider the different stakeholders for whom risk is addressed
2. make a balanced selection of risk indicators including common sense
3. ensure that the selected indicators address the root cause of the risks
4. choose high impact and high probability of risks
5. all of the above

Answer 5 is the correct answer. Answers 1, 2, 3 & 4 all list considerations
that should be considered when developing a KRI model. Each process is
different. Therefore, even though KRI tools have become more or less standard,
they need to be adapted to each individual process. Take special note of
answer 2, which lists “COMMON SENSE”. Models are nice in risk assessment, but
without common sense applied they can be more of a trap than an aid.

3.5 An internal auditor needs to determine the root cause of non-compliance
with a specific policy. Which tool would be the best choice to achieve this
objective?

1. operational auditing
2. self-assessment
3. compliance audit
4. traditional audit

Answer 2 is the correct answer. Answer 1 lists an operational audit, which may
also be a good tool to get to the root cause of a problem. However, between an
operational audit and a self-assessment, the self-assessment would be the
better tool and the more likely to achieve that goal. Answers 3 & 4 typically
provide a lesser opportunity to reach the root cause.


3.6 Key risks as a standard identifier can be:

1. applied in context to any situation
2. determined by a complete risk analysis
3. interchanged among and between processes
4. none of the above

Answer 2 is the correct answer. By completing a risk analysis that identifies,
measures, and prioritizes the key risks from a group of risks, key risks can be
identified in the opinion of the risk professionals. Answer 1 is not correct
because each situation is different and an analysis should be done in each
individual case. Answer 3 is similar to answer 1 and is therefore not correct
for the same reason that answer 1 is not correct. Answer 4 can be eliminated
because answer 2 is correct.

3.7 Traditionally internal auditors have had the responsibility for corporate
governance oversight. Now internal auditors have a responsibility to:

1. mentor process owners
2. train process owners
3. provide guidance about corporate governance to responsible process owners
4. develop a corporate governance strategy

Answer 3 is the correct answer. Answers 1 & 2 sound good, but they are not
specific as to what to “mentor and train process owners” on. Answer 4 can be
eliminated because internal auditors should not have a responsibility to
develop policies or strategies.


3.8 Operational auditing is a tool which:

1. facilitates an analysis of a process
2. helps evaluate the interrelationships among and between processes
3. facilitates a holistic approach to process risk analysis
4. all of the above

Answer 4 is the correct answer. Answers 1, 2 & 3 all list benefits of
operational auditing.

3.9 Some of the tools available to enhance key risk management are:

1. control self-assessment and operational auditing
2. operational auditing and traditional auditing
3. risk self-assessment, operational auditing, and traditional auditing
4. operational auditing, self-assessment, and traditional auditing

Answer 4 is the correct answer. Answers 1, 2 & 3 can be eliminated because
what they list is not all inclusive. Each only contains two of the three
suggested tools: self-assessment, operational auditing, and traditional
auditing. Also, risk self-assessment and control self-assessment are too
specific. Self-assessment as a broad term can include both risk and control
self-assessments.


3.10 Reporting on the adequacy of key risk management is the responsibility of:

1. the internal auditors
2. the process owners
3. the Board of Directors
4. the internal auditors and the process owners

Answer 4 is the correct answer. Internal auditors, by direction of their
professional practices, have an obligation to report on the adequacy of key
risk management. Further, the process owners do as well. Answer 3 could
probably be eliminated because the Board would most likely be the receiver of
any report. The point here is that reporting on the adequacy of key risk
management should not wait for a scheduled internal audit. If process owners
understand how to monitor their processes, they will be able to identify
concerns quickly and respond both quickly and appropriately.

3.11 A unique difference of operational auditing as compared to more
traditional auditing practices is that operational auditing:

1. looks at effectiveness and efficiency
2. looks at the management decision process
3. avoids audits of policies and compliance
4. provides recommendations to process owners if process owner decisions
were not optimized

Answer 4 is the correct answer. Traditional auditing practices also review
efficiency and effectiveness, but usually not as in depth as an operational
audit. Hence answer 1 can be eliminated. The question asks for a “unique
difference”. Answer 2 is very general and may be applicable in any type of
audit. The audit looks at the management decision process, so this answer
could be eliminated. Answer 3 could be eliminated as this would be addressed
more with traditional audits.


3.12 When communicating key risk concerns in their audit report an operational
auditor should:

1. understand the reader of the report
2. present the key risk concerns in a persuasive and pleasant manner
3. state the facts in specific terms
4. provide necessary attachments and exhibits

Answer 2 is the correct answer. Answer 1 is important. It is necessary that the
auditor writing the report write for the final reader. This can present a
problem, as everyone is different and how they receive information is
different. Therefore the report author must understand the reader’s
perspective. Answer 2 includes answer 1. Answers 3 & 4 may or may not be
necessary in any type of report.

3.13 When process owners are reporting key risk concerns to upper-level
management or the Board of Directors they should:

1. follow the guidelines used by internal auditors as these methods have a
proven track record
2. develop a delivery methodology that is appropriate for those receiving the
message
3. deliver the key risk concerns in a manner to motivate support from these
audiences
4. partner with internal auditors in the delivery of the key risk concern
message

Answer 3 is the correct answer. Answers 1 & 4 list actions that may or may not
be necessary or appropriate. Answer 2 is a general, broad statement. The
ultimate objective of communicating any key risk concerns, whether by process
owners or internal auditors, is to motivate the recipient of the message to
take action.

Just a note: process owners as well as auditors, in any capacity, can and
should be monitoring key risks and communicating any concerns.


3.14 The role of internal audit in a self-assessment process is best described
as:

1. necessary for the process to work because auditors have experience in
reporting
2. necessary because auditors have the most knowledge about objectives, risks,
and controls
3. optional because management can conduct a self-assessment process without
internal audit help
4. not necessary because management will speak more freely without auditors in
the room

Answer 3 is the correct and the best answer because management can conduct a
self-assessment process without internal audit’s help. The key is that the
business clients understand the concepts and the tools needed to make a
self-assessment process work. Answers 1, 2 & 4 are not correct because,
although the statements may be true in some cases, they are not always true.
In addition, the responsibility for a self-assessment process, if initiated by
internal audit, should eventually be migrated to the process owners.

3.15 An audit report only specifying in the finding numeric relationships, such
as 10% of inventory was missing, would most likely be a result of:

1. an operational audit
2. a self-assessment project
3. an environmental audit
4. none of the above

Answer 4 is the correct answer. Answer 1 can be eliminated because an
operational audit would more likely, along with numerical quantifications,
identify the controls that were not in place or not working that allowed this
to happen. The question indicates that only the numeric values were identified
and nothing about controls was identified. Unless specifically requested, audit
reports are not a product of a self-assessment project. Therefore answer 2 can
be eliminated. Answer 3 can be eliminated because an environmental audit has a
specific purpose dealing with environmental issues and probably would not
address an inventory issue.


3.16 A probable benefit of identifying a root cause of key risks is:

1. it is evidence that due diligence has been performed in any key risk
exposure
2. multiple risks may be corrected at the same time with the same effort
3. it will minimize the need for follow up and monitoring
4. all of the above

Answer 2 is the correct answer. The most probable result is that multiple
issues may be fixed as a smaller number of root causes are addressed. So
instead of fixing surface items of risk, the cause is fixed. Answer 1 can be
eliminated because pursuing and identifying a root cause of a key risk may or
may not be evidence that due diligence was performed on an analysis project.
Answer 3 can be eliminated. Even if a root cause is identified and addressed,
this does not remove the need to follow up and monitor any corrective action.
With this, answer 4 can be eliminated as well.

3.17 The monitoring of key risks is the prime responsibility of:

1. internal auditors
2. external auditors
3. process owners
4. Board of Directors

Answer 3 is the correct answer. Answers 1 & 2 can be eliminated, as auditors in
any capacity would assist the process owners in the monitoring of key risks. It
is the process owners’ responsibility to monitor any risks. This means that the
process owners must know how to identify the risks and how to monitor them.
Individual process owners are the closest to individual process components.
Answer 4 can be eliminated. It would probably be correct to say that the Board
of Directors may be responsible for the adequate management of key risks, as
they have the ultimate responsibility. But it would be the process owners,
maybe with the help of auditors, who would report to the Board of Directors
the status of any key risks.

McKeever CRMA Study System Consulting role of the internal auditor

DOMAIN IV: CONSULTING ROLE OF THE INTERNAL AUDITOR (IA)


Domain IV: Consulting role of the Internal Auditor (IA)

The objective of this module is to better prepare the participant to pass the
Certification in Risk Management Assurance Exam by discussing and
analyzing the technical dimensions of this domain while discussing
techniques to best manage multiple-choice questions.

Included are discussions of the skill requirements of a CRMA to:

A. Facilitate identification and evaluation of risks

B. Coach management in responding to risks

C. Coordinate risk management activities

D. Consolidate reporting on risks

E. Maintain and develop the risk management framework

F. Advocate for the establishment of risk management

G. Develop risk management strategy for board approval

Source: The IIA International web site


CONSULTING ROLE OF THE INTERNAL AUDITOR (IA)

The 1999 IIA Standards state that each internal audit organization should define
both assurance and consulting services in terms of what is appropriate for its
own organization, and those definitions should be formal and published in the
internal audit charter.

The IIA Standards clearly identify the opportunity for internal audit to increase its
contribution to the success of an organization by adding value and improving the
organization’s operations in a consulting role.

“Internal auditing is a …consulting activity designed to add value and improve
an organization's operations. …”

Source: 1999 IIA Standards from www.theiia.org

Internal audit helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control, and governance processes.

Well actually, the internal auditor cannot perform two functions at the same time.
The internal auditor either functions as an internal auditor or as a consultant.
When functioning as an internal auditor the internal auditor must function within
the specific guidelines of their professional practices. When functioning as a
consultant (risk and control expert consultant) it should be known to all involved
that the internal auditor is acting as a consultant and not an internal auditor.
Further, any internal auditor acting as a consultant on a specific project should
not perform any follow-up internal audit relative to the topics on that specific
project. This is professionalism and will help maintain internal audit
independence and objectivity.


Consultant:

The auditor as a consultant has long been debated. The question is: “should
internal auditors act as consultants or not?” In practice, some audit departments
say “no” and some say “yes”. In addition, to further complicate this debate, the
need or opportunity for internal auditors to act as consultants changes with the
needs of the business. Therefore, at any one point in time, an audit department
that says “yes” may at another time say “no”, and an audit department that at one
point in time says “no” may at another time say “yes”. This change in
opinion is most often a result of business needs and leadership.

Therefore, with all this confusion, it is probably best to understand what internal
auditors actually do, what consultants do, and how the professional practices
from the Institute of Internal Auditors provide guidance.

This definition is sometimes difficult because each person seems to have a
definition of consultant based on that person’s business and personal
experience. This definition is also difficult because of the many types of
consultants, including those making a small hourly wage, those making hundreds of
dollars an hour, those working for major firms, those working for small
organizations, self-employed individuals, and a seemingly endless number of
variations of these.

To discuss the consulting role of the internal auditor related to risk management
it is important to define what a consultant is and what a consultant does. Then a
comparison can be made between an auditor and a consultant. Taking an
increased involvement in risk management does not imply that the internal
auditor abandons auditing but that they increase their opportunities and the
benefits to the clients by increasing their use of consulting skills. One approach
to define a consultant is to use a dictionary that contains the following definition.

Dictionary definition of consultant

“ … one who offers professional advice or professional products … “

Using this definition it is clear that internal auditors are already acting as
consultants, since the only purpose of internal audit is to provide professional
advice and products (audit reports and other services) to the organization.
Providing advice related to risk management continues that advice and those
services, or expands the internal audit role further.


In 1999 The IIA revised its standards to reflect significant changes to what
internal auditing has become. An extract of those Standards follows. See
domain 1 for more details.

Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization's operations.

Answer the Following Question.

11. When functioning in a consulting role as a risk and control specialist an
internal auditor is concerned with strengthening controls to manage risk.
Therefore, when functioning as a consultant it would not be appropriate for an
internal auditor to:

a. suggest that a follow-up audit be conducted at some time in the future
to determine if the recommended controls are adequate
b. follow up with an internal audit to ensure that the recommended
controls were implemented as specified
c. not become involved in any follow-up audit
d. schedule follow-up audits with the client in specific areas with auditors
other than those who acted as the consultants on the project
See Application Question Answers & Explanations module.


There is a large amount of overlap between consulting and assurance.

John Tongren, a well-known audit consultant, uses a method to separate
consulting from assurance. The following chart will be useful for studying this
domain and domain 3.

The roles of full-time consultant and internal auditor have a number of
similarities. Both must offer professional services to survive in an extremely
competitive business environment. Both “require some independence”. Both
operate on a project basis with a start and completion date (an audit is an
example).

However, the roles of full-time consultants and internal auditors have a number of
differences. Consultants report to whomever requests their services; auditors
report to the CAE, who reports to the audit committee, the Board of Directors, and
top-level management. Consultants frequently have clients from various
organizations; an internal auditor may have many “individual clients”, but all are
from the same organization. Consultants realize that payment ends when a
project ends; an internal auditor’s project ends when each audit ends, and then
they are assigned a new audit (project).


Consultants use the skills that make their employment preferred, “their edge”, and
continually market for additional assignments; auditors should make certain to
understand their “edge” and encourage requests for their services, including risk
management.

An auditor’s strength or “edge” is excellent “situation specific” knowledge, ease
of obtaining information, availability on short notice, audits that can be
terminated on short notice if needed, “unbiased” references available, known
“quality of service”, detailed knowledge of clients or situations, and being a
low-cost provider. Auditors must learn to better market these skills to ensure
expansion into risk management.

Answer the Following Question.

199. Internal auditors acting as consultants would provide the most benefit to a
process owner if they explained:

a. the concepts of risk to the process owner
b. the concepts of external risk to the process owner
c. the concept and relationship of risk and controls to the process owner
d. the concept of controls to the process owner

See Application Question Answers & Explanations module

CONSULTING SERVICES:

Consulting services are advisory in nature, and are generally performed at the
specific request of an engagement client. The nature and scope of the
consulting engagement are subject to agreements between or among
engagement client(s) and the consultant. As such consulting services generally
involve two parties: the person or group offering the advice (the internal auditor-
consultant) and the person or group seeking and receiving the advice (the
engagement client).

Generally, when internal auditor-consultants are performing consulting services
they will have more latitude, in terms of independence and objectivity, than when
performing a traditional audit. However, when performing consulting services
internal auditors acting in a consulting capacity should still be conscious of the
objectivity and independence boundaries and not assume management
responsibility.


The IIA Standards apply to individual internal auditors and internal audit
activities. All internal auditors are accountable for conforming to the Standards
related to individual objectivity, proficiency, and due professional care. In
addition, internal auditors are accountable for conforming with the Standards,
which are relevant to the performance of their job responsibilities. Chief Audit
Executives are accountable for overall conformance with the Standards.

Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organization’s operations. Internal audit
helps process owners improve the effectiveness of risk management, control,
and the overall governance processes.

By providing periodic reviews, internal audit evaluates the adequacy of controls,
which are in place, or those needed to manage existing or pending risks. The
scheduling of these reviews and the intensity of the reviews themselves require
an adequate risk assessment. It is further the responsibility of internal audit to
report to appropriate management any and all weaknesses in the control
scheme. These reports should be complete, accurate, objective, and timely.

Strategic planning is an important part of any corporate governance strategy.
Strategic planning encompasses a look into the future by anticipating
what may impact a process due to changing environmental events. Strategic
planning parallels external risk. These are risks that can impact a process,
either positively or negatively, but over whose occurrence the process owner
has little or no control. In this case, the process owner must be able to recognize
the probability and impact of these future, external impacts and manage them
before they become major issues.

It Is Incumbent Upon The Auditor-Consultant To Sensitize Their
Process Owner Clients About Any External Pending Risks.

Unfortunately, many process owners do not adequately address these types of
risks. This is probably because these external risks are more difficult to
understand than the more tangible internal risks. Therefore, the
auditor-consultants must help their process owners feel more comfortable with
understanding future external risks and how to manage the potential
consequences of these impacts.

NOTE: Timely Is A Relative Term. It Can Mean Different Things To Different
People. Keep In Mind That Performing An Outstanding Audit Has No
Benefit To Anyone If The Report Is Not Communicated.


Further, it is the responsibility of internal audit to follow up on any open concerns
or findings to ensure that appropriate corrective action is taken to address those
concerns.

In order to perform these responsibilities internal audit must maintain a level of
knowledge appropriate to perform due diligence in every review.

As part of this responsibility internal audit may provide recommendations
appropriate to address weaknesses in the control scheme. However, internal
audit must maintain independence and objectivity when providing such
recommendations. This means that internal audit, in an internal audit capacity,
may provide general directions for recommendations, but should not provide
specific direction. It is the process owner’s responsibility to implement specific
corrective action. Independence and objectivity should not be compromised
by the internal auditors.

In order to provide this service most effectively and efficiently internal audit
should maintain communications with the process owners, upper-level
management, and the audit committee. The frequency and depth of this
communication should be determined by the imminent risk within the organization.

Therefore, in summary, the internal audit department is an independent, objective
organization which, based upon imminent risk, evaluates the adequacy of the
internal control scheme within an organization. Further, it is the responsibility of
internal audit to report weaknesses in the control scheme to management for
prompt correction and to follow up on them. The frequency and depth of internal
audit engagements should be determined by risk evaluations and communication
with upper-level management and the audit committee.

A consultant must develop the skills and abilities that are necessary to function
as a consultant. These skills and abilities include listening (listening means
hearing what the other person is saying and concentrating on their meaning),
analyzing, synthesizing symptoms, identifying the problem, and compiling a solution
or recommended solution.

Consultants possess a particular area of expertise. In the case of internal
auditor-consultants that area of expertise is risk and control management
(corporate governance). Further, the consultant provides unbiased reviews,
analysis, and recommendations in their area of expertise for the benefit of the
client (the process owners).

Finally, it is necessary for the consultants to convince the client to believe what
they, the consultant, are saying.


Summary: Consulting:

Within the guidelines of the professional practices of internal auditing published
by the Institute of Internal Auditors, internal audit professionals may provide
internal audit services as well as consulting services. The services in both of
these capacities are those of a risk and control expert.

The fine line of professionalism, required by the internal auditor, is that of


independence and objectivity.

Answer the Following Question.

163. A senior manager responsible for all warehouse operations has asked the
internal auditor (a one-auditor organization) to consult with that department to
develop new inventory control policies. As part of regulatory requirements, this
auditor must conduct an inventory audit within this warehouse department twice a
year. The auditor’s response to the manager should be:

a. review the consulting guidelines of the audit department with the
manager
b. suggest that they schedule a start time to begin work on the policies
c. suggest that the external auditors conduct the inventory and the
internal auditor will work on the policy
d. suggest that an outside consultant help with the policy development

See Application Questions, Answers & Explanations module for the answer.

Internal Audit Can Only Succeed In A Consultative Role
If Internal Audit Management As Well As Executive
Management Supports Internal Audit In A Consultative
Capacity.

SELF-ASSESSMENT
Self-Assessment - What is it?

Self-Assessment is a process by which individuals assess themselves. To put
this in perspective, let us consider taking your own blood pressure. In order to
complete this task you attach the blood pressure device and the device reads the
results. If the results were 280 / 250 we could say you have just performed a
self-assessment. However, there may be an issue.

In the simplest terms, this could be called a blood pressure self-assessment. But
there are lessons to be learned. The first lesson is that you have performed a
physical task of self-assessment by measuring your blood pressure. The next
issue is determining what the results mean. What does 280 / 250 mean?
Considering this, there are three things that need to be included in a self-
assessment process. The first is the physical task of the self-assessment, the
second is understanding the results, and the third is controlling the results with
action.

In this example, we may call our self-assessment process a blood pressure self-
assessment. Self-assessment is, therefore, measuring the adequacy of risk and
control management in one's own process and taking appropriate corrective
action.

Just as in our blood pressure example, the physical task is necessary when
performing a self-assessment process. In a self-assessment process the
physical tasks are often in the form of questionnaires / surveys or workshops.

However, it is not only important to perform the physical task of the self-
assessment process but, as in the blood pressure example, it is necessary to
understand the results and act on them appropriately.

Action must be taken to correct any deficiencies. Self-assessment is a
methodology to systematically document and evaluate risks, controls, and the
achievement of objectives. This concept can be applied in any process.

As can be seen from the first example, the process can be applied to testing
your own blood pressure. In business, it can be applied to test the blood
pressure of a business process.

Action is probably the most important task of a self-assessment process.
Performing a self-assessment process without a commitment to action is merely
a waste of time.

From a business perspective, the self-assessment process is a method by which
the people who are responsible for the business process (the process owners)
evaluate the adequacy of their risk and control management. From a common
business sense perspective, this makes sense.

The owners of the business process are responsible for their own risk and control
management. Unfortunately, in many cases, adequately addressing risk and
control management is not widely accepted in the business environment. This
low level of acceptance may be due to a number of factors including
management style; office politics; the work environment; and a lack of
understanding of risk and control management.

A self-assessment process can be a learning device. It can help the business
community and business professionals better understand the concepts of risk
and control management. In addition, it can help evaluate the accuracy of risk
and control management related to soft risks and controls.

The soft issues are often the foundation for a good business process. These soft
issues may include such things as attitude, morale, ethical values, tone at the
top, and communications. Lack of adequate controls in these areas is often the
root cause of many other business issues and areas of concern. These soft
issues can be effectively addressed in the self-assessment process.

The self-assessment process in a business process has another advantage.
That is the advantage of ownership. It is generally recognized that with ownership
a certain amount of pride, possessiveness, and acceptance of responsibility
increases. This ownership, and active participation in risk and control decisions,
will result in a more solid foundation with a greater long-term effect on the risk
and control process. Conversely, an alternative is to dictate the management of
the risk and control process. This alternative approach may result in a weaker
foundation with weaker long-term effects.

Because of the perception that internal auditors maintain an in-depth
understanding of risk and control management, combined with their
communications experience, internal auditors will often play a vital role in the
initial implementation of a self-assessment process.

NOTE:
Although internal auditors are often called upon to perform the role of facilitator in
the self-assessment process, it is not necessary that internal audit be part of
the process or that they even participate in a self-assessment process. In
fact, as time passes, the ultimate goal is that the business professionals conduct
their own self-assessment workshops and projects. Depending upon the current
levels of experience, this transition may occur over varying lengths of time.

This role brings internal audit both opportunity and caution. The
opportunity is to assist the business process owners with their risk and control
management. The caution is that the internal audit professional must be careful
not to cross the line of objectivity and independence. The current Professional
Practices Framework published by The Institute of Internal Auditors will help
define the line of objectivity and independence required of the internal audit
professional.

The consulting section of this framework indicates that the internal audit
professional can come closer to the line of independence and objectivity than in
years past. However, internal auditors can still not cross the line of
independence and objectivity.

So the question becomes evident: how would or should an internal auditor
function in a self-assessment process? The main concern is an internal auditor
functioning as a voting member in a self-assessment process workshop.
When an internal auditor functions as a voting member of a self-assessment
process it should be known, to everyone involved, that the internal auditor is not
acting as an internal auditor while participating as a voting member. All voting
members are equal participants bringing their specialty and expertise to the self-
assessment process. The internal auditors are bringing their risk and controls
expertise to the process.

It should also be known by everyone involved that the internal auditor (voting
member), in order to maintain independence and objectivity, will not perform any
future audits of the area being discussed in the Self-assessment process. An
auditor not involved in the Self-assessment process should perform any future
audits of the area being discussed in the workshop.

From here, we can see a fine line even when internal auditors are voting
members of a self-assessment committee. As voting members, internal auditors
may provide a more detailed opinion of risk and control management than if they
were functioning as internal auditors. However, it is still important that the
professionalism and perception of the internal auditor and the internal audit
profession be maintained.

A SELF-ASSESSMENT Overview:

• employees performing the work evaluate their own risks and controls
• self-assessment can be performed without internal audit
• self-assessment utilizes tools that may be new to auditors
• internal audit’s role can be that of facilitator
• self-assessment helps evaluate soft controls
• workshops or management may issue the reports
• self-assessment can be a learning device
• there is greater probability of buy-in about the issues
• business professionals are more involved with self-assessment than with
traditional audits
• clients like the involvement

Some Thoughts about Workshops

Internal auditors are often called upon to facilitate CSA workshops because of
their expertise with risk and control management, along with their experience
conducting meetings and presentations. Although these professionals may be
perceived as having the basic platform skills to conduct training sessions,
presentations, and meetings, they may not be trained in specific facilitation
techniques. Conducting a CSA workshop is different from conducting a meeting,
a training session, or a presentation. It is recommended that anyone facilitating a
workshop attend appropriate facilitator training.

Pre-workshop or pre-CSA education efforts with the workshop participants may
be required to help the participants and the business process owners feel more
at ease and less resistant to change. These pre-workshop sessions should also
address business process staff members who have little or no exposure to risk
and control management.

These training sessions may include the topics of risk and control management
or the CSA process in general. Additionally, they may include interviews with
potential participants to gain an understanding of their issues and concerns. It is
incumbent upon the facilitator (possibly an internal auditor) to identify the extent
of and the need for these pre-CSA efforts.

The extent and need for these pre-CSA exercises should be driven by the
experience, exposure, concerns, politics, culture, and variations in
communications of the potential participants. The facilitator will need to identify
the components and design needed to address the pre-CSA engagements
appropriately for each case.

In some CSA workshops, discussions are not candid enough to get to the root
cause. The more at ease the participants are during the CSA exercise, the more
candid they will be. It is the responsibility of the facilitator to put the potential
participants at ease.

The more candid the participants are about their processes, identifying
both positives and negatives, the more likely weaknesses will be
addressed.

Candidness

An Exception to The Rule

Discussion of Legal and / or Security Issues May Not Be
Appropriate In An Open Forum Workshop.

This is an exception to the candidness in a CSA workshop. Legal and security
issues should not be discussed in a general business workshop. These types of
topics can be discussed privately with the appropriate professionals or in an
appropriate workshop.

The facilitator should discuss the potential of security and / or legal issues as a
topic of conversation in the pre-meeting rule setting stage. All participants should
be made aware that if such topics come into the conversation the facilitator will
end the conversation.

It is important to identify this in the rule setting stage of the workshop so
that participants do not feel their candidness is impeded because the
exception to the rule is being implemented.

Some Comments about Questionnaires

A Tool for Control Self-Assessment

Used for Obtaining Risk and Control Information

Questionnaires are one of the basic tools used in a CSA process.
Questionnaires, for the purpose of a CSA process, are used to obtain risk and
control information. They can be a very effective tool. However, they may provide
no benefit and can be counter-productive if used inappropriately.

It is important to keep the objective in mind when designing a questionnaire.
Determine first what the questionnaire is meant to accomplish (the objective);
then design and administer the questionnaire accordingly. In addition, it is
important to understand the audience when designing a questionnaire. The
types and number of questions should be driven by the objective and the
audience.

A substantial amount of human communication is conducted through body
language. Even though the use of questionnaires limits this channel of
human communication, it does not mean that questionnaires are an
ineffective tool. As long as it is understood that a major piece of human
communication will be inhibited when using questionnaires, they can be
used effectively within their limitations.

Generally, questionnaires by themselves are not an adequate source of risk and
control information. However, questionnaires used in concert with other tools like
interviews and workshops can be extremely effective. Consider using multiple
tools.

Note: the amount of effort and the amount of complexity of tools used to
determine the status of risks and controls in a process are controls by
themselves. Therefore, the amount of effort and the amount of complexity of
tools used should be driven by the perceived risks in the process.

It is important for the designer of the questionnaire to use language that is
understood by the respondent (the audience). This is particularly important
because of the absence of body language communication with
questionnaires.

Generally, the use of questionnaires is most appropriate for large audiences. For
example, where the risk and control specialist needs to obtain a general feeling
of the status of risks and controls from a large process and where it may be
impractical to have face-to-face meetings for economic, political, physical, or
timing reasons.

Avoid words that are emotionally charged. Emotions may cloud a question’s
intent and not clearly address the issue. Keep in mind, what is emotional to one
person may not be emotional to another.

Use a level of detail appropriate for the respondent. There are two objectives of a
questionnaire. The first objective is to maximize the number of responses. The
second objective is to maximize the accuracy of each response. Using a level of
detail that is appropriate for the respondent will help achieve these objectives.

Consider the opportunity for interpretation.

Be conscious of potentially influencing the respondent’s answers. Questionnaire
designers have the ability to influence the responses to serve their own particular
needs. This may be appropriate in some business circles or even some non-
business circles. However, in CSA it is important not to influence the responses.
If we, as risk and control experts and CSA professionals, are going to help the
business process, it is important that the information collected by the
questionnaire be as candid and truthful as possible.

Appendix 5 lists Some Probing Questions to Help Understand Client’s
Problems and Appendix 6 lists Diagnostic Questions to Help Understand
Client’s Problems. Both of these are good job aids for developing effective
questionnaires. These job aids may also be used for developing questions for
conversational interviews.

Questionnaires: Summary

• use as a tool for obtaining control and risk information
• use language that is clear and understandable
• avoid words that are emotionally charged
• use a level of detail appropriate for the respondent
• consider the opportunity for interpretation
• consciously avoid potentially influencing the respondent’s answers
• design every question in a logical and easy to use manner
• considerations for question designing:
  o organize by subject
  o sequence from general to specific
  o group similar topics together
  o avoid problem words
• some problem words:
  o about, all, always, bad, could, ensure, few, less, more, never,
    possible, several, sure
  o these words can mean different things to different people and could
    call for judgment

Self-Assessment Overview

SELF-ASSESSMENT Ties The Concerns, The Issues,
And The Change For Improvement Back To The Process
Owners Doing The Work!

Self-Assessment is a way to help organizations improve their ability to address
key risks.

Self-Assessment is a process through which internal control effectiveness is
examined and assessed. It is a tool that provides reasonable assurance that
business objectives will be met.

Self-Assessment is a process in which management and / or workshops, not
internal auditors, perform the assessment of internal controls.

SELF-ASSESSMENT Begins With The Objectives.
Management Evaluates Their Own Controls
and Identifies Opportunities for Improvement.

Self-Assessment Benefits

• helps process owners with a better understanding of objectives, risks, and
controls
• develops ownership of results
• provides a broad coverage
• improves communications
• helps with the appropriate analysis and reporting of controls
• helps business process owners better understand and assume both
responsibility and accountability for effective control and risk management
• education about the self-assessment process, as well as the concepts of
risk and control management, is a vehicle to this end
• corrective action is more effective and longer lasting because of the
ownership of the issues and the corrective actions
• by using integrated control tools as part of the SELF-ASSESSMENT
process all parts of the business are analyzed and addressed
• improves communications at all levels
• helps employees understand how to analyze, address, and report on the
adequacy of controls (perform more effective and efficient risk
assessments)

Answer the Following Question.

66. The self-assessment process can be a useful tool from two perspectives.
First, self-assessment can help enhance a corporate governance knowledge base
with process owner participants. Second, self-assessment develops an ownership
of apparent risks and the necessary corrective actions to mitigate those risks.
Which of the following is generally not a result of a self-assessment effort?

a. a level of enthusiasm among process owners for the acceptance of key
risk management will increase
b. an enhanced belief in risk and control management by process
owners may be realized
c. process owners, as they become more knowledgeable, can eventually
assume responsibility for their own self-assessment efforts
d. because of the involvement of multiple process owners and
perspectives there will be assurance that key risks are adequately
addressed

See Application Questions, Answers & Explanations module for the answer.

All of this requires change, a change in the mindset of the clients
as well as of the risk and control specialists. Humans do not like
change. Change must be managed. The risk and control
specialist must also be a change agent.

Simple terms

What is change?

• to abandon one thing for another
• to do something different
• to continue on a journey
• to pass from one owner to another
• to move from one decision to another
• to improve something
• to improve someone

Change

Do Something With What You Just Did.

The Change Agent

In taking on the role of the change agent, the risk and control specialists must:

• understand the barriers of the organization
• understand what benefits can come from removing the barriers
• develop specific methods, unique to each case, that will address the
barriers and remove them

One of the responsibilities of the change agent is to identify and understand the
business environment in which they are facilitating change.

A Trap: Many change agents try to force change processes outside of the
natural cycle. This is not to say that improvements may not be warranted in
these conditions. For example, it will be more difficult to change the mindset of
the current business culture when high growth or reward is apparent.

Consider that in times of high growth, significant profits, and high activity, risk will
increase. This is the vertical position on the growth curve. Conversely, controls
during this same period are low. By definition, the word control means hold
back, tie down, constrain. Hence, the mention of controls during the growth
period is perceived as something that will slow down the process and / or growth.
With this in mind, trying to convince a process owner to improve or implement
controls during the high growth period may be difficult.

On the other hand, when times are bad, on the downside of the growth curve,
profits and activities are low. Because process owners see this period as a
decrease in profits and possible trouble ahead they welcome internal controls,
asking change agents for help.

Gradual Change
One of the major reasons why change fails can be attributed to attempting to
change everything at once. Consider taking smaller steps and gradually
implementing the new approach. This more gradual process of introducing
smaller change events will help build confidence and collaboration among the
participants in the change effort. People like to be an active part of success, not
risk. Less fear of the unknown will help facilitate change.

Change Requires

• new ways of thinking
• employee participation
• shared company vision

Why Is It Difficult To Change?

• fear of losing something
• belief that change does not make sense
• different viewpoints
• concern that extraordinary effort will be required
• do not want to take on the effort

Some Ways To Facilitate Change

• education
• participation
• support
• negotiation
• manipulation…. careful
• coercion…. careful

People generally resist change. Self-assessment, as a
tool, is a different way of doing business. Therefore, to
be more successful with a self-assessment exercise, it
is important to minimize the impact of “unknowns” from
the participants’ minds. Some tools that help facilitate
change in the new process are communications,
participation in the change effort, and training.

Self-Assessment Summary
In order to actively participate in a self-assessment process it is necessary
that the participants be familiar with risk and control management
(corporate governance). Hence, their training, coaching, guiding, and
mentoring are actually a part of the self-assessment process. Because
these process owners now have a better understanding of risk and control
management, they are better equipped to incorporate these concepts into
their daily activities as routine. When participating in the self-assessment
process, the participant process owners actually help identify apparent key
risks and the appropriate controls to manage those key risks.

Internal audit may perform a follow-up role with self-assessment. As the
process owners become more familiar with corporate governance and the
techniques of conducting self-assessments, internal audit can review or
audit the self-assessment process to ensure that process owners are
adequately managing their key risks.

PROCESS IMPROVEMENT
Process improvement is a natural consequence of self-assessment. Whether it
is continuous improvement or business process reengineering, the focus is on
constantly and continually changing processes.

A process is a continuous action, operation, or series of changes taking place in
a definite manner directed to some end. Within large organizations these
processes are growing more complex. Many parts are computerized (not visible)
and frequently involve more than one person and multiple departments.

An example of a process that affects all employees is payroll processing. This
process consists of a large number of parts including items such as software
calculating payroll with deductions; the Human Resources Department authorizing
new employees; payment of individuals’ pay to bank accounts; timecard
reader hardware; software to transmit payroll data to the general ledger software;
and too many other hardware and software components to list here.

Process improvement is a natural outcome of self-assessment; whether it is
continuous improvement or business process reengineering, the focus is on
constantly and continually changing processes.

EDUCATION
A growing need for internal audit’s in-depth knowledge of internal controls has
created excellent opportunities for internal audit to provide education or training
to all levels of an organization from the Board of Directors to direct supervisors.

The opportunities for these services are available because internal audits that
are performed throughout an organization provide unique views of risk in all of
the many areas of an organization.

In order to become involved successfully, internal audit must convince (sell)
management of the value that it could contribute to risk management.

Many Board of Directors members and top-level managers have expressed
concerns that internal audit would reduce its traditional audit efforts to provide
some unknown potential benefits related to risk management (consulting).

Remember the objective of the auditor-consultant is to assist the process owners
with technical expertise and tools by which the process owners can manage their
own risks and controls.

Organizations today do not need a department of
internal control experts providing periodic appraisal –
they need internal control expertise operating
continually and consistently throughout the
organization.

The auditor-consultant can use a wide variety of tools and techniques, both
the audit-related tools discussed in Domain 2 and those used by consultants.

An example:

Internal audit can use the “train the trainer” concept to assist the general
population of the process owners so that they would better understand and
manage their own risks and controls.

The trainers would be from a risk management group (not internal audit). A
significant number of these professionals would be trained on an overview of risk
and control concepts and integrated control models. This would be a high-level
overview of risk and control concepts since these professionals were already very
well acquainted with risk and control management. The purpose of this part of
the training is to bring the terminology of integrated control frameworks and risk
and control concepts to basic everyday language and away from the risk and
control professional jargon.

The second part of the training of these professionals would be to sharpen
presentation skills, with an emphasis on knowing the audience. Each of the
processes where these trainers would be delivering the message is different, so
the emphasis must be that delivery is not standard in all cases. Hence, the
presenter would have to adapt to the audience in each case.

The objective of this risk and control group would be to spread the belief in risk
and control management in such a way that the process owners would embrace
the concepts and institute a risk and control management philosophy appropriate
for each individual process, so that the process owners could manage their
own risks and controls.

The Training of Potential Trainers Would Be Conducted
by An Auditor-Consultant.

The following graph describes some of the concerns that internal audit must
overcome to successfully become involved as consultants.

With the significant changes in the current business environment, internal audit
can help process owners address both current and emerging risks from
circumstances that arise from situations beyond an organization’s capacity to
control. These emerging risks are not beyond the capacity of the organization
to manage (control); rather, the organization generally has no control over the
events occurring (external risks). These types of risks, in such integrated
organizations, if not managed, may have impacts not only on the organization
but on multiple entities and organizations across geographic borders and
industries (ripple-down effect).

For example, drastic changes in oil prices may impact multiple organizations,
industries, and customers worldwide. Another example is drastic changes in
interest rates. This could also impact multiple entities. So managing emerging
risks is an extremely important part of overall risk management. See Domain 2
for a partial list of emerging risks.

Some common characteristics of integrated organizations are:

• electronic network – these organizations can only exist because of today’s
computer networks.
• consumer time-value – these organizations recognize the most important
customer need is often time-based.
• value-based organization – these organizations are designed with
processes that add value as defined by the customer.
• diversified and recurring revenue streams – these organizations are ultra-
flexible in order to rapidly change products and services.

Internal audit can educate process owners and top-level managers to help
them better understand these complex environments and the complex processes
that exist.

Summary:
Internal audit's in-depth knowledge of internal controls has created excellent opportunities for internal audit to provide education or training, at all levels of an organization from the Board of Directors to direct supervisors, about many features of risk management, including the services that internal audit can provide. These services are available because internal audits are performed throughout an organization, providing unique views of risk gained from a history of audits in all of its many areas.


Consulting Role of the Internal Auditor (IA)

4.1 The question of independence and objectivity has been a cornerstone of internal audit since its inception. Therefore:

1. internal auditors can never provide specific control direction
2. internal auditors may provide control guidance under some circumstances
3. because of some flexibility, internal auditors when conducting an internal audit may provide specific control direction
4. internal auditors must, always, be conscious of the independence and objectivity requirement of their professional practices

Answer: Answer 4 is the correct answer. Answer 1 can be eliminated because of the word "never". Answer 2 could be correct because there are some circumstances where internal auditors may provide control guidance, for example when an internal auditor is acting as a consultant and provides more specific control guidance. However, awareness and management of independence and objectivity are still necessary, and answer 2 is not very specific, as it only implies that guidance may be provided. Internal auditors must always, whether acting as a consultant or as an internal auditor, be aware of the required independence and objectivity boundaries and manage them appropriately. Answer 3 can be eliminated because it is not appropriate to provide specific control direction when conducting an internal audit.

4.2 The risk formula to determine the probability of a control failure is:

1. the modified annual loss expectancy
2. the annual loss expectancy
3. none of these answers
4. modified risk versus control failure probability

Answer: Answer 1 is the correct answer. The modified annual loss expectancy is the formula that will help determine the probability of a control failure. Answer 2 is included in answer 1, which is the broader answer. Answer 3 is not correct because answer 1 is correct. Answer 4 can be eliminated: although it may sound related to risk assessment, it just lists a set of random words.


4.3 The Internal Audit Profession has expanded its scope from many years past, when compliance audit was the only norm, to today, when internal auditors also serve a consultative role. What should be considered when selecting internal auditors to function as consultants?

1. focus on the technical expertise of the internal audit staff
2. consider the technical expertise and personalities of the internal auditors
3. draw from available internal audit staff
4. combine internal audit staff with subject matter experts from other departments

Answer: Answer 2 is the correct answer. Considering technical capabilities alone may not be the best choice for a consulting engagement. As well, does technical expertise imply expertise in internal auditing, in some subject, or both? Consulting is not like traditional auditing. Answer 3 is a very general statement not appropriate for this question. This is also true for answer 4.


4.4 The Internal Auditing Profession has a specific set of standards by which internal auditors should practice their profession. Included in these standards are recommendations for the protocol and structure of internal audit reports. When an internal auditor is acting as a consultant, the report, if any, of the consulting effort:

1. should contain a purpose and scope
2. may contain a purpose, scope, background, and findings comments
3. should contain a purpose, scope, and background
4. may contain a purpose, scope, and background

Answer: Answer 2 is the correct answer. It is correct that an internal auditor, when practicing the internal audit profession, should follow the internal audit professional standards. These include specific recommendations for the format and sections that should be included in a formal internal audit report. However, when an internal auditor is acting as a consultant there is more flexibility when developing a report for the consulting project. As a result, answers 1 & 3 can be eliminated: answer 1 implies that the report should contain a purpose and scope, which may or may not be true, and the same holds for answer 3. In general, the format of a report for a consulting activity, if any, would be determined by the consulting team.

4.5 Analyzing, synthesizing, identifying symptoms, and synthesizing a solution or recommended solution is a characteristic of:

1. an auditor
2. an internal auditor
3. an operational auditor
4. a consultant

Answer: The correct answer is 4. This is a characteristic of a consultant, and of an auditor acting as an internal auditor-consultant. Although internal auditors, especially operational auditors, provide similar opinions, the consultant may provide a broader scope of opinion and include solutions.


4.6 Which type of risk would require the most coaching, mentoring and convincing of process owners by an internal auditor-consultant?

1. internal risk
2. incorporated risk
3. external risk
4. financial risk

Answer: Answer 3 is the correct answer. The type of risk that is most often not understood, and hence not addressed adequately, by process owners is external risk. Hence, the auditor-consultant would have to spend more time educating and convincing process owners about the importance of addressing external risk. Answers 1 & 4 are not correct, as process owners are usually familiar with these types of risk. Answer 2 just lists an arbitrary term, so it can be eliminated.

4.7 One good objective that will help enhance corporate governance is to spread risk and control concepts and philosophy among as many process owners as possible. One way to do this would be to train trainers: that is, to train a few people in risk and control concepts and presentation techniques so they can train other process owners. A method of selecting these trainers would be:

1. determine presentation and public speaking abilities
2. ensure they have technical competence in the topic to be delivered
3. determine if they are really and sincerely interested in and passionate about the topic to be delivered and the delivery itself
4. all of the above

Answer: Answer 4 is the correct answer, and it is probably the most important answer. However, answer 3 should be a first consideration. If the individuals delivering the message are not passionate about delivering it, it will not work no matter how much training they receive. The next considerations are answers 1 & 2. Someone could be passionate about the message yet weak in the topic or in presentation skills; once recognized, these two issues can be addressed with appropriate coaching and training. Once they have been addressed, answer 3 becomes the driving force for success.


4.8 A process whereby advice is provided and received by another, and further where the internal auditor should maintain objectivity and not assume management responsibility, is best associated with:

1. traditional audits
2. operational audits where recommendations are provided
3. assurance auditing
4. consulting

Answer: Answer 4 is the correct answer. This is a definition of consulting. Answers 1, 2 & 3 list areas that are well-defined in terms of process. Consulting does not require specific documentation or reporting; the consultant offers advice without many of the constraints of other audit assignments. That requires the internal auditor acting as a consultant to be more vigilant in maintaining objectivity and avoiding the assumption of management responsibility.

4.9 What would be a viable approach to convince upper-level management that consulting by internal audit can further benefit an organization?

1. ensure that internal audit will not abandon traditional audit work for consulting activities
2. convince them that internal audit / consulting is an expansion and extension of traditional audit and can provide additional benefits to the organization
3. demonstrate by specific examples the benefits of consulting
4. all of the above

Answer: Answer 4 is the correct answer. The consulting role of internal audit is often new to audit management and to upper-level organizational management. These management groups are more familiar with traditional audit services; for years this was the role that internal audit performed, and hence the role that audit management and organizational management perceived for internal audit. So moving management from a traditional comfort with internal audit services to a new area of benefit by introducing consulting may take some convincing, education, mentoring, and demonstration. Answers 1, 2 & 3 list viable approaches to do that.


4.10 One of the problems of providing internal audit / consulting to process owners is that the benefits of the consulting efforts will drive more requests for consulting engagements. Which of the following will help stimulate these requests?

1. use employee involvement and team building
2. use benchmarking with non-audit departments
3. identify client expectations and exceed them
4. all of the above

Answer: Answer 4 is the correct answer. Answers 1, 2 & 3 describe actions that will stimulate those requests. Providing consulting services successfully using these approaches, so that they benefit the client, will improve the process owner client's perception and opinion of the internal auditor-consultant. This will help stimulate further requests.

4.11 An internal auditor's objective assessment of evidence to provide an independent opinion or conclusion regarding an entity's operation, function, process, system, or other subject matter best describes the role of:

1. consulting
2. assurance
3. traditional audit
4. continuous monitoring

Answer: Answer 2 is the correct answer. This is a definition of assurance. Answers 1, 3 & 4 describe other roles that internal auditors perform.


4.12 Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. In addition:

1. internal audit must follow up on open concerns
2. consultants must follow up on open concerns
3. consultants can provide a broader scope of recommendations than internal auditors
4. this definition only applies to internal auditors

Answer: Answer 1 is the correct answer. It is the responsibility of internal audit to follow up on open concerns or findings. Answers 2 & 3 relate only to consultants, so they are not relevant to this question. Answer 4 can be eliminated because it is contrary to the question, which specifies both internal audit and consulting activities.


4.13 A caution that must be realized by the internal auditor-consultant when increasing the perception of benefit to the process owner client is:

1. requests for consulting may encroach on the time needed for traditional audit work
2. funding for the internal audit / consultant
3. resource allocations
4. all of the above

Answer: Answer 4 is the correct answer. One of the problems with doing a job well is that it generates more requests for work, in this case consulting. In answer 1, substantial requests for consulting can divert resources from needed traditional audit work. There are only two ways to manage this. The first is to deny requests; this, however, will discourage future requests, needs, and benefits and will deteriorate the consulting effort. The second is to hire additional auditor-consultants, which will increase the budget. Answers 2 & 3 list the concerns of funding and resource allocation, which are always concerns. Should the internal audit department incur the funding for consulting engagements, should it charge the client by the hour or day, or should it allocate the cost to the various process units? The funding issue and its administration is one that many internal audit departments struggle with. How funding is managed should be up to the organization; one recommendation is to keep it simple.



McKeever CRMA Study System Suggested additional resources

Suggested Additional References

Review courses by themselves, including the McKeever CRMA Study System, are generally not sufficient to ensure exam success. This study system will certainly provide you with an approach that significantly improves your chances of passing the CRMA Exam.

If you would like additional information in some area of study, you might find the following list useful. It includes both publications referenced as sources in the McKeever CRMA Study System and additional references from The IIA website; see www.theiia.org for the current list.


Additional References Useful for CRMA Exam

A Structured Approach to ERM and the Requirements of ISO 31000 – The IRM
Auditing the Risk Management Process (2005) – IIA Bookstore
Auditor's Risk Management Guide: Integrated Auditing and ERM (2011) – IIA Bookstore
COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes, 2nd Edition (2011) – IIA Bookstore
Enterprise Risk Management: Today's Leading Research & Best Practices for Tomorrow's Executives (2010) – IIA Bookstore
Enterprise Risk Management: Understanding and Communicating Risk Appetite – COSO
Exceeding Expectations (2006) – Pleier Corporation
GAIT for Business and IT Risk (2009) – IIA Bookstore
HB 158-2011 Delivering assurance based on ISO 31000:2009 Risk management – Principles and guidelines – ISO
IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management (2009) – IIA Bookstore
Improving Board Risk Oversight Through Best Practices (2011) – IIA Bookstore
Internal Auditing Role in Risk Management (2011) – IIA Bookstore
McKeever CCSA Study System, 2nd Edition (2009) – Pleier Corporation
Operational Auditing: Adding Value to Organizations (2007) – Pleier Corporation
Operational Risk Management: A Case Study Approach to Effective Planning and Response, Abkowitz (2008) – Amazon
Practice Guide: Assessing the Adequacy of Risk Management Using ISO 31000 (2010) – IIA Bookstore
Practice Guide: Coordinating Risk Management and Assurance (2012) – IIA Bookstore
Risk Appetite and Risk Tolerance – Guidance Paper – The IRM
Risk Management & Internal Audit: Forging a Collaborative Alliance – IIA/RIMS
Risk Management and Risk Assessment (2003) – Pleier Corporation
The Risk IT Framework – ISACA
Transition: Internal Audit to Internal Assurance (2008) – Pleier Corporation
Understanding and Managing Risk Attitude, Hillson and Murray-Webster (2007) – Amazon


Appendices

Note:

This module is designed to provide supplemental study material in the following areas:

1) Sarbanes-Oxley (SOX)
2) Financial Ratios Useful in Risk Management
3) Some Comments about Sampling Useful in Risk Management
4) Financial Institution Regulations Related to Risk Management
5) Some Probing Questions to Help Understand Client's Problems
6) Diagnostic Questions to Help Understand Client's Problem



McKeever CRMA Study System Appendix 1 Sarbanes-Oxley (SOX)

Sarbanes-Oxley (SOX)
A Process-Based Approach that can Help Mitigate Risk

The role of corporate governance, and the role of those who manage corporate governance, have changed substantially over recent years.

In an effort to enhance the effectiveness and efficiency of the internal control process within companies, the Sarbanes-Oxley Act of 2002 has strengthened the roles and responsibilities of corporate managers, directors, and both internal and external auditors.

The Sarbanes-Oxley Act is designed to address and react to business problems while giving required guidance through strong penalties, fines, and even imprisonment for Chief Executive Officers and Chief Financial Officers. These leaders are held accountable under Sarbanes-Oxley requirements.

The Requirements of Sarbanes-Oxley 2002
Risk and Control Tools Including COSO

Title 1
Public Company Accounting Oversight Board

Section 101 Establishment; administrative provisions
Section 102 Registration with the Board
Section 103 Auditing, quality control, and independence standards and rules
Section 104 Inspections of registered public accounting firms
Section 105 Investigations and disciplinary proceedings
Section 106 Foreign public accounting firms
Section 107 Commission oversight of the Board
Section 108 Accounting standards
Section 109 Funding

Title 2
Auditor Independence

Section 201 Services outside the scope of practice of auditors
Section 202 Pre-approval requirements
Section 203 Audit partner rotation
Section 204 Auditor reports to audit committees
Section 205 Conforming amendments
Section 206 Conflicts of interest
Section 207 Study of mandatory rotation of registered public accounting firms
Section 208 Commission authority


Title 3
Corporate Responsibility

Section 301 Public company audit committees
Section 302 Corporate responsibility for financial reports
Section 303 Improper influence on conduct of audits
Section 304 Forfeiture of certain bonuses and profits
Section 305 Officer and director bars and penalties
Section 306 Insider trades during pension fund blackout periods
Section 307 Rules of professional responsibility for attorneys
Section 308 Fair funds for investors

Title 4
Enhanced Financial Disclosures

Section 401 Disclosures in periodic reports
Section 402 Enhanced conflict of interest provisions
Section 403 Disclosures of transactions involving management and principal stockholders
Section 404 Management assessment of internal controls
Section 405 Exemption
Section 406 Code of ethics for senior financial officers
Section 407 Disclosure of audit committee financial expert
Section 408 Enhanced review of periodic disclosures by issuers
Section 409 Real time issuer disclosures

Title 5
Analyst Conflicts of Interests

Section 501 Treatment of securities analysts by registered securities associations and national securities exchanges

Title 6
Commission Resources and Authority

Section 601 Authorization of appropriations
Section 602 Appearance and practice before the Commission
Section 603 Federal court authority to impose penny stock bars
Section 604 Qualifications of associated persons of brokers and dealers


Title 7
Studies and Reports

Section 701 GAO study and report regarding consolidation of public accounting firms
Section 702 Commission study and report regarding credit rating agencies
Section 703 Study and report on violators and violations
Section 704 Study of enforcement actions
Section 705 Study of investment banks

Title 8
Corporate and Criminal Fraud Accountability

Section 801 Short title
Section 802 Criminal penalties for altering documents
Section 803 Debts non-dischargeable if incurred in violation of securities fraud laws
Section 804 Statute of limitations for securities fraud
Section 805 Review of the Federal Sentencing Guidelines for obstruction of justice and extensive criminal fraud
Section 806 Protection for employees of publicly traded companies who provide evidence of fraud
Section 807 Criminal penalties for defrauding shareholders of publicly traded companies

Title 9
White Collar Crime Penalty Enhancements

Section 901 Short title
Section 902 Attempts and conspiracies to commit criminal offenses
Section 903 Criminal penalties for mail and wire fraud
Section 904 Criminal penalties for violations of the Employee Retirement Income Security Act of 1974
Section 905 Amendment of Sentencing Guidelines relating to certain white-collar offenses
Section 906 Corporate responsibility for financial reports

Title 10
Corporate Tax Returns

Section 1001 Sense of the Senate regarding the signing of corporate tax returns by Chief Executive Officers


Title 11
Corporate Fraud and Accountability

Section 1101 Short title
Section 1102 Tampering with a record or otherwise impeding an official proceeding
Section 1103 Temporary freeze authority for the Securities and Exchange Commission
Section 1104 Amendment to the Federal Sentencing Guidelines
Section 1105 Authority of the Commission to prohibit persons from serving as officers or directors
Section 1106 Increased criminal penalties under the Securities Exchange Act of 1934
Section 1107 Retaliation against informants

Two separate certification sections under SOX specify civil and criminal consequences: Section 302 (the civil provision) and Section 906 (the criminal provision).

Taking a Closer Look at Sections 302 and 404

SOX section 302: Internal control certifications

SOX section 302 mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and their related subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared." The officers must "have evaluated the effectiveness of the internal controls as of a date within 90 days prior to the report" and "have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date."

External auditors are required to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. The requirement to issue a third opinion regarding management's assessment was removed in 2007.


SOX Section 404: Assessment of internal control

The most contentious aspect of SOX is Section 404, which requires management
and the external auditor to report on the adequacy of the company's Internal
Control over Financial Reporting (ICFR).

Under SOX section 404, management is required to produce an "internal control report" as part of each annual Exchange Act report. The report must affirm "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting." The report must also "contain an assessment, as of the end of the most recent fiscal year of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." To do this, managers are generally adopting an internal control framework.

High-Level Overview of Some Other SOX Sections and Their Consequences for Fraudulent Acts

Section 802, Obstruction of Justice, amends the federal obstruction of justice statute by adding two new offenses. The first makes it unlawful to knowingly alter, destroy, or falsify documents with the intent to impede, obstruct, or influence any federal investigation or bankruptcy proceeding. This section provides for the imposition of fines and/or imprisonment of up to 20 years for a violation of the statute.

While destruction of documents with intent to obstruct a federal investigation was already a criminal offense under existing law, that statute applied only to ongoing investigations, whereas the new offense also covers contemplated investigations.

The offenses the Act directs the U.S. Sentencing Commission to examine (see Sections 805, 905, and 1104) include: obstruction of justice, including the newly created offenses in Section 802 relating to the destruction of documents; fraud endangering the financial security of "a substantial number of victims"; certain white-collar offenses as discussed in Title 9 of the Act; and securities and accounting fraud, including fraud by officers and directors of publicly traded companies.

Section 906 mandates severe penalties for corporate officers who certify the
required statements in violation of the section. For those CEOs and CFOs who
certify the statement knowing that the report accompanying the statement does
not comport with all the requirements of the section, the maximum penalties are
a $1 million fine, and/or 10 years in prison. The maximum penalties increase to a
$5 million fine, and/or 20 years in prison for corporate officers who willfully certify
the statements.


Section 903 of the Act increases the maximum imprisonment for mail fraud and wire fraud from 5 years to 20 years; the mail fraud provisions of the Act also amend the existing federal mail fraud statute by adding new offenses.

SOX section 807 adds a section relating to securities fraud. This allows for the imposition of fines and/or a 25-year maximum term of imprisonment on anyone who "knowingly executes, or attempts to execute, a scheme or artifice to defraud any person in connection with any security of an issuer or to obtain, by means of false or fraudulent pretenses, representations, or promises, any money or property in connection with the purchase or sale of any security of an issuer."

SOX section 902 adds a provision under which an attempt or conspiracy to commit an offense under the federal mail and wire fraud chapter is subject to the same penalties as the completed offense.

SOX section 904 increases the maximum penalties for violation of the reporting and disclosure provisions of the Employee Retirement Income Security Act (ERISA) of 1974 from a $5,000 fine or 1 year in prison, or both, to a $100,000 fine and/or 10 years in prison. The maximum fine for entities is increased from $100,000 to $500,000.

SOX section 1102 amends the existing criminal obstruction of justice statute,
making it a crime to corruptly alter, destroy, or conceal a document with the intent
to impair the object's integrity or availability for use in an official proceeding or
otherwise obstruct any official proceeding. An attempt to do any of these acts is
accorded the same treatment as the act itself, meaning imposition of fines
and/or up to 20 years imprisonment.

SOX section 1106 increases the maximum penalties for violation of the 1934 Act from $1 million or 10 years imprisonment, or both, to $5 million or 20 years imprisonment, or both. In addition, the maximum fine for an entity's violation of the 1934 Act is increased from $2.5 million to $25 million. Sections 805, 905, and 1104 address the Federal Sentencing Guidelines: the Act mandates the U.S. Sentencing Commission to review and amend, as appropriate, the Federal Sentencing Guidelines and related policy statements concerning certain offenses by January 26, 2003, to ensure that the penalties and enhancements are adequate to deter and punish the conduct addressed by the Act.


SOX section 1107 expands the portions of the obstruction of justice statute dealing with retaliation against a witness, victim, or informant. The new offense makes it unlawful to "knowingly, with the intent to retaliate, take any action harmful to any person, including interference with the lawful employment or livelihood of any person," for providing to a law enforcement officer truthful information relating to the commission or attempted commission of any federal offense. Such a crime is punishable by a fine and/or imprisonment for a maximum of 10 years.

Both management and the external auditor are responsible for performing their own risk assessment, which requires management to establish the scope of its assessment based on evidence gathered about risk. Section 906 mandates severe penalties for corporate officers who certify the required statements in violation of the section. For officers who certify statements knowing that the report does not comply with all the requirements of the section, the maximum penalties are a $1 million fine, 10 years in prison, or both. The maximum penalties increase to $5 million and 20 years in prison, or both, for corporate officers who willfully certify the statement knowing that the periodic report accompanying it fails to comply with all of the requirements of the section.



McKeever CRMA Study System Appendix 2 Types of Ratios Important in Risk Management

Types of Ratios Important in Risk Management

Income
Profitability
Liquidity
Working Capital
Bankruptcy
Long-Term Analysis
Coverage
Leverage

Income Ratios

Turnover of Total Operating Assets

Turnover of Total Operating Assets Ratio = Net Sales / Total Operating Assets*

An increase in sales will necessitate more operating assets at some point (sales
may rise without additional investment within a given range); conversely, an
inadequate sales volume may call for reduced investment. Total operating
assets = total assets - (long-term investments + intangible assets)

Note: This ratio does not measure profitability. Remember, over-investment may
result in a lack of adequate profits.

Net Sales to Tangible Net Worth

Net Sales to Tangible Net Worth Ratio = Net Sales / Tangible Net Worth

This ratio indicates whether investments in the business are adequately proportionate to sales volume. It may also uncover potential credit or management problems, usually called "overtrading" and "undertrading".

Overtrading, or excessive sales volume transacted on a thin margin of investment, presents a potential problem with creditors. Overtrading can come from considerable management skill or from outside creditors furnishing more funds to carry on daily operations.


Undertrading is usually caused by management's poor use of investment money
and their general lack of ingenuity, skill, or aggressiveness.

Tangible Net Worth = owner's equity - intangible assets

Gross Margin on Net Sales

Gross Margin on Net Sales Ratio = Gross Margin / Net Sales

Analyzing changes in this figure over several years can identify whether it is
necessary to examine company policies relating to credit extension, markups (or
markdowns), purchasing, or general merchandising (where applicable).

Gross Margin = net sales - cost of goods sold

Note:

An increase in gross margin may result from higher sales, lower cost of goods
sold, an increase in the proportionate volume of higher margin products, or any
combination of these variables.

Operating Income to Net Sales Ratio

Operating Income to Net Sales Ratio = Operating Income / Net Sales

This ratio reveals the profitability of sales resulting from regular business as well
as buying, selling, and manufacturing operations.

Note:

Operating income derives from ordinary business operations and excludes other
revenue (losses), extraordinary items, interest on long-term obligations, and
income taxes.

Acceptance Index

Acceptance Index = Applications Accepted / Applications Submitted


Obviously, a high sales volume that comes from just two or three major accounts
is much riskier than the same volume coming from a large number of accounts.
Losing one out of three major accounts is disastrous, while losing one out of 150
is routine. A growing firm should try to spread this risk of dependency through
active sales, promotion, and credit policies. Although the quality of customers
stems from your general management policy, the quantity of newly opened
accounts is a direct reflection on sales and credit efforts.

Note:

This index of effectiveness does not apply to every type of business.

Profitability Ratios

Closely linked with income ratios are profitability ratios, which shed light upon the
overall effectiveness of management regarding the returns generated on sales
and investment.

Gross Profit on Net Sales

Gross Profit on Net Sales Ratio = (Net Sales - Cost of Goods Sold) / Net Sales

Will average markup on goods normally cover expenses and, therefore, result in
a profit? If gross profit rate is continually lower than your average margin,
something is wrong! Look for downward trends in your gross profit rate. This is
a sign of future problems for your bottom line.

Note:

This percentage rate can — and will — vary greatly from business to business,
even those within the same industry. Sales, location, size of operations, and
intensity of competition are all factors that can affect the gross profit rate.

Net Operating Profit Ratios


Net Profit on Net Sales

Net Profit on Net Sales Ratio = EAT* / Net Sales

This ratio provides a primary appraisal of net profits related to investment. Once
basic expenses are covered, profits will rise disproportionately greater than sales
above the break-even point of operations.

* EAT= earnings after taxes

Note:

Sales expenses may be substituted out of profits for other costs to generate even
more sales and profits.

Net Profit to Tangible Net Worth

Net Profit to Tangible Net Worth Ratio = EAT / Tangible Net Worth

This ratio acts as a complementary appraisal of net profits related to investment.
It evaluates the ability of management to earn a return.

Net Operating Profit Rate of Return

Net Operating Profit Rate of Return Ratio = EBIT / Tangible Net Worth

The Net Operating Profit Rate of Return ratio is influenced by the methods of
financing utilized. Notice that this ratio employs earnings before interest and
taxes, not earnings after taxes. Profits are taken after interest is paid to
creditors. A fallacy of omission occurs when creditors support total assets.

Note:

If financial charges are great, compute a net operating profit rate of return instead
of return on assets ratio. This can provide an important means of comparison.


Management Rate of Return

Management Rate of Return Ratio = Operating Income / (Fixed Assets + Net Working Capital)

This profitability ratio compares operating income to operating assets, which are
defined as the sum of tangible fixed assets and net working capital.

This rate, which may be calculated for the entire company or for each of its
divisions or operations, determines whether there is efficient use of your assets.
The percentage should be compared with a target rate of return that you have set
for the business.

Earning Power

Earning Power Ratio = (Net Sales / Tangible Net Worth) x (EAT / Net Sales)

The Earning Power Ratio combines asset turnover with the net profit rate. That
is, Net Sales to Tangible Net Worth (see "Income Ratios") multiplied by Net Profit
on Net Sales (see ratio above). Earning power can be increased by heavier
trading on assets, by decreasing costs, by lowering the break-even point, or by
increasing sales faster than the accompanying rise in costs.

Liquidity Ratios

While liquidity ratios are most helpful for short-term creditors / suppliers and
bankers, they are also important to financial managers who must meet
obligations to suppliers of credit and various government agencies. A complete
liquidity ratio analysis can help uncover weaknesses in the financial position of
your business.

Current Ratio

Current Ratio = Current Assets* / Current Liabilities*


Popular since the turn of the century, this test of solvency balances your current
assets against your current liabilities. The current ratio will disclose balance
sheet changes that net working capital will not disclose.

* Current Assets = net of contingent liabilities on notes receivable

* Current Liabilities = all debt due within one year of the statement date

Note:

The current ratio reveals your business's ability to meet its current obligations. It
should be supplemented with the other ratios listed below.

Quick Ratio

Quick Ratio = (Cash + Marketable Securities + Accounts Receivable (net)) / Current Liabilities

Also known as the "acid test," this ratio specifies whether your current assets that
could be quickly converted into cash are sufficient to cover current liabilities.
Until recently, a Current Ratio of 2:1 was considered standard. A firm that had
additional sufficient quick assets available to creditors was considered in sound
financial condition.

Note:

The Quick Ratio assumes that all assets are of equal liquidity. Receivables are
one step closer to liquidity than inventory. However, sales are not complete until
the money is in hand.

Absolute Liquidity Ratio

Absolute Liquidity Ratio = (Cash + Marketable Securities) / Current Liabilities

A subsequent innovation in ratio analysis, the Absolute Liquidity Ratio eliminates
any unknowns surrounding receivables.

Note: The Absolute Liquidity Ratio only tests short-term liquidity in terms of cash
and marketable securities.


Basic Defense Interval

Basic Defense Interval = (Cash + Receivables + Marketable Securities) / ((Operating Expenses + Interest + Income Taxes) / 365)

If for some reason all revenues were to suddenly cease, the Basic Defense
Interval would help determine the number of days your company can cover its
cash expenses without the aid of additional financing.

Receivables Turnover

Receivables Turnover Ratio = Total Credit Sales / Average Receivables Owing

Another indicator of liquidity, the Receivables Turnover Ratio can also indicate
management's efficiency in employing those funds invested in receivables. Net
credit sales, while preferable, may be replaced in the formula with net total sales
for an industry-wide comparison.

Note:

Closely monitoring this ratio on a monthly or quarterly basis can quickly
underscore any change in collections.

Average Collection Period

Average Collection Period = (Accounts + Notes Receivable) / (Annual Net Credit Sales / 365)

The Average Collection Period (ACP) is another litmus test for the quality of
receivables business, giving the average length of the collection period. As a
rule, outstanding receivables should not exceed credit terms by 10-15 days. If
you allow various types of credit transactions, such as a retail outlet selling both
on open credit and installment, then the ACP must be calculated separately for
each category.

Note:

Discounted notes which create contingent liabilities must be added back into
receivables.

Inventory Turnover

Inventory Turnover Ratio = Cost of Goods Sold / Average Inventory


Rule of Thumb: Multiply inventory turnover by gross margin percentage. If the
result is 100 percent or greater, the average inventory is not too high.

Working Capital Ratios

It is often believed that increased sales can solve any business problem. This
may be true to some degree. However, sales must be built upon sound policies
concerning other current assets and should be supported by sufficient working
capital.

There are two types of working capital: gross working capital, which is all current
assets, and net working capital, which is current assets less current liabilities.

If there is inadequate working capital, corrections can be made by lowering sales
or by increasing current assets through either internal savings (retained earnings)
or external savings (sale of stock). Following are ratios that can be used to
evaluate a business' net working capital.

Working Capital Ratio

This ratio is particularly valuable in determining a business's ability to meet
current liabilities.

Working Capital Turnover

Working Capital Turnover Ratio = Net Sales / Net Working Capital

This ratio helps ascertain whether the business is top-heavy in fixed or slow
assets. This ratio complements Net Sales to Tangible Net Worth (see "Income
Ratios"). A high ratio could signal overtrading.


Note:

A high ratio may also indicate that the business requires additional funds to
support its financial structure, top-heavy with fixed investments.

Current Debt to Net Worth

Current Debt to Net Worth Ratio = Current Liabilities / Tangible Net Worth

Business should not have debt that exceeds invested capital. This ratio
measures the proportion of funds that current creditors contribute to operations.

Note:

For small businesses a ratio of 60 percent or above usually spells trouble.
Larger firms should start to worry at about 75 percent.

Funded Debt to Net Working Capital

Funded Debt to Net Working Capital Ratio = Long-Term Debt / Net Working Capital

Funded debt (long-term liabilities) = all obligations due more than one year from
the balance sheet date

Note:

Long-term liabilities should not exceed net working capital.


Bankruptcy Ratios

Ratios can help predict bankruptcy before it's too late for a business to take
corrective action and for creditors to reduce potential losses. With careful
planning, predicted futures can be avoided before they become reality. The first
five bankruptcy ratios in this Module can detect potential financial problems up to
three years prior to bankruptcy. The sixth ratio, Cash Flow to Debt, is known as
the best single predictor of failure.

Working Capital to Total Assets

Working Capital to Total Assets Ratio = Net Working Capital / Total Assets

This liquidity ratio, which records net liquid assets relative to total capitalization,
is the most valuable indicator of a looming business disaster. Consistent
operating losses will cause current assets to shrink relative to total assets.

Note:

A negative ratio, resulting from negative net working capital, warns of potential
serious future problems.

Retained Earnings to Total Assets

Retained Earnings to Total Assets Ratio = Retained Earnings / Total Assets

New firms will likely have low figures for this ratio, which designates cumulative
profitability. Indeed, businesses less than three years old fail most frequently.

Note: A negative ratio serves as a warning and portends problems. However,
results can be distorted by manipulated retained earnings (earned surplus) data.

EBIT to Total Assets

EBIT to Total Assets Ratio = EBIT / Total Assets

How productive are your business' assets? Asset values come from earning
power. Therefore, whether or not liabilities exceed the true value of assets
(insolvency) depends upon earnings generated.


Note:

Maximizing rate of return on assets does not mean the same as maximizing
return on equity. Different degrees of leverage affect these separate
conclusions.

Sales to Total Assets

Sales to Total Assets Ratio = Total Sales / Total Assets

See "Turnover Ratio" under "Profitability Ratios".

This ratio, which uncovers management's ability to function in competitive
situations, while not excluding intangible assets, is inconclusive if studied by
itself. But when viewed alongside Working Capital to Total Assets, Retained
Earnings to Total Assets, and EBIT to Total Assets, it can confirm whether the
business is in imminent danger.

Note:

A result of 200 percent is more reassuring than one of 100 percent.

Equity to Debt

Equity to Debt Ratio = Market Value of Common + Preferred Stock / Total Current + Long-Term Debt

This ratio shows how much a business' assets can decline in value before it
becomes insolvent.

Note:

Those businesses with ratios above 200 percent are safest.

Cash Flow to Debt

Cash Flow to Debt Ratio = Cash Flow / Total Debt

Also, refer to "Debt Cash Flow Coverage Ratio" in the section on "Coverage
Ratios."

Since debt does not materialize as a liquidity problem until its due date, the
closer to maturity, the greater liquidity should be. Other ratios useful in predicting
insolvency include Total Debt to Total Assets (see "Leverage Ratios" below) and
Current Ratio (see "Liquidity Ratios").

Cash flow = Net Income + Depreciation

Note:

Because there are various accounting techniques for determining depreciation,
this ratio computed for one company may not be comparable with other companies.
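The liquidity, working capital and bankruptcy ratios described above can be computed together from one set of statement figures and screened against the thresholds the guide states (60 percent current debt to net worth for small firms and 75 percent for larger ones, funded debt not above net working capital, equity to debt above 200 percent as safest, negative net working capital as a warning). The following is an added example, not code from the study guide; the company figures are constructed, and the names `Statements`, `ratios` and `warning_flags` are this example's own.

```python
"""Ratio screen over one constructed set of financial statement figures.

Added example: the figures are constructed for illustration; the ratio
definitions and warning thresholds follow the wording of the guide's Appendix 2.
"""
from dataclasses import dataclass


@dataclass
class Statements:
    # Balance sheet items (constructed, in thousands)
    cash: float
    marketable_securities: float
    receivables: float
    inventory: float
    other_current_assets: float
    fixed_assets: float
    long_term_investments: float
    intangible_assets: float
    current_liabilities: float
    long_term_debt: float
    owners_equity: float
    retained_earnings: float
    market_value_of_stock: float
    # Income statement items (constructed)
    net_sales: float
    cost_of_goods_sold: float
    ebit: float
    net_income: float
    depreciation: float

    # Derived figures, defined as the guide defines them
    @property
    def current_assets(self):
        return (self.cash + self.marketable_securities + self.receivables
                + self.inventory + self.other_current_assets)

    @property
    def total_assets(self):
        return (self.current_assets + self.fixed_assets
                + self.long_term_investments + self.intangible_assets)

    @property
    def net_working_capital(self):          # current assets less current liabilities
        return self.current_assets - self.current_liabilities

    @property
    def tangible_net_worth(self):           # owners' equity less intangible assets
        return self.owners_equity - self.intangible_assets

    @property
    def total_debt(self):                   # current plus long-term debt
        return self.current_liabilities + self.long_term_debt

    @property
    def cash_flow(self):                    # net income plus depreciation
        return self.net_income + self.depreciation


def ratios(s):
    """Liquidity, working capital and bankruptcy ratios, as fractions (1.0 = 100 percent)."""
    quick_assets = s.cash + s.marketable_securities + s.receivables
    return {
        "current_ratio": s.current_assets / s.current_liabilities,
        "quick_ratio": quick_assets / s.current_liabilities,
        "absolute_liquidity": (s.cash + s.marketable_securities) / s.current_liabilities,
        "working_capital_turnover": s.net_sales / s.net_working_capital,
        "current_debt_to_net_worth": s.current_liabilities / s.tangible_net_worth,
        "funded_debt_to_net_working_capital": s.long_term_debt / s.net_working_capital,
        "working_capital_to_total_assets": s.net_working_capital / s.total_assets,
        "retained_earnings_to_total_assets": s.retained_earnings / s.total_assets,
        "ebit_to_total_assets": s.ebit / s.total_assets,
        "sales_to_total_assets": s.net_sales / s.total_assets,
        "equity_to_debt": s.market_value_of_stock / s.total_debt,
        "cash_flow_to_debt": s.cash_flow / s.total_debt,
    }


def warning_flags(s, small_business=True):
    """Conditions the guide singles out as warning signs, in the order they are checked."""
    r = ratios(s)
    flags = []
    if s.net_working_capital < 0:
        flags.append("negative net working capital")
    limit = 0.60 if small_business else 0.75        # guide: 60% small firms, 75% larger firms
    if r["current_debt_to_net_worth"] >= limit:
        flags.append("current debt to net worth at or above %d percent" % round(limit * 100))
    if s.long_term_debt > s.net_working_capital:    # guide: funded debt should not exceed NWC
        flags.append("funded debt exceeds net working capital")
    if r["equity_to_debt"] <= 2.0:                  # guide: above 200 percent is safest
        flags.append("equity to debt not above 200 percent")
    return flags


# Constructed sample company (not real data)
SAMPLE = Statements(
    cash=120, marketable_securities=30, receivables=250, inventory=300,
    other_current_assets=20, fixed_assets=900, long_term_investments=80,
    intangible_assets=100, current_liabilities=400, long_term_debt=500,
    owners_equity=900, retained_earnings=350, market_value_of_stock=1500,
    net_sales=3600, cost_of_goods_sold=2400, ebit=270, net_income=150,
    depreciation=90,
)

if __name__ == "__main__":
    for name, value in ratios(SAMPLE).items():
        print("%-38s %6.2f" % (name, value))
    print("warnings:", warning_flags(SAMPLE))
```

For the constructed company the current ratio is 1.8 and sales to total assets is 200 percent, but the screen still raises two flags: long-term debt (500) exceeds net working capital (320), and market equity is only about 167 percent of total debt.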

Long-Term Analysis

Current Assets to Total Debt

Current Assets to Total Debt Ratio = Current Assets / (Current + Long-Term Debt)

This ratio determines the degree of protection linked to short-term and long-term
debt. More net working capital protects short-term creditors.

Note:

A high ratio (significantly above 100 percent) shows that if liquidation losses on
current assets are not excessive, long-range debtors can be paid in full from
working capital.

Stockholders' Equity Ratio

Stockholders' Equity Ratio = Stockholders' Equity / Total Assets

Relative financial strength and long-term liquidity are approximated with this
calculation. A low ratio points to trouble, while a high ratio suggests that there
will be less difficulty meeting fixed interest charges and maturing debt
obligations.

Total Debt to Net Worth

Total Debt to Net Worth Ratio = (Current + Deferred Debt) / Tangible Net Worth


Rarely should a business' total liabilities exceed its tangible net worth. If it does,
creditors assume more risk than stockholders. A business handicapped with
heavy interest charges will likely lose out to its better financed competitors.

Coverage Ratios

Times Interest Earned

Times Interest Earned Ratio = EBIT / I

EBIT = earnings before interest and taxes
I = dollar amount of interest payable on debt

The Times Interest Earned Ratio shows how many times earnings will cover
fixed-interest payments on long-term debt.

Total Coverage Ratios

Total Coverage Ratio = EBIT / (I + s / (1 - h))

I = interest payments
s = payment on principal; because principal is paid out of income after taxes, it is divided by (1 - h), the after-tax share of income

This ratio goes one step further than Times Interest Earned, because debt
obliges the borrower to not only pay interest but to make payments on the
principal as well.

Leverage Ratios

This group of ratios calculates the proportionate contributions of owners and
creditors to a business, sometimes a point of contention between the two parties.
Creditors like owners to participate to secure creditors' margin of safety, while
management enjoys the greater opportunities for risk shifting and multiplying
return on equity that debt offers.


Note:

Although leverage can magnify earnings, it exaggerates losses.

Equity Ratio

Equity Ratio = Common Shareholders' Equity / Total Capital Employed

The ratio of common stockholders' equity (including earned surplus) to total
capital of the business shows how much of the total capitalization actually comes
from the owners.

Note: Residual owners of the business supply slightly more than one half of the
total capitalization.

Debt to Equity Ratio

Debt to Equity Ratio = (Long-Term Debt + Preferred) / Common Stockholders' Equity

A high ratio here means less protection for creditors. A low ratio, on the other
hand, indicates a wider safety cushion (i.e. creditors feel the owners’ funds can
help absorb possible losses of income and capital).

Total Debt to Tangible Net Worth

If business is growing, track this ratio for insight into the distributive source of
funds used to finance expansion.

Debt Ratio

Debt Ratio = (Current + Long-Term Debt) / Total Assets

What percentage of total funds is provided by creditors? Although creditors tend
to prefer a lower ratio, management may prefer to lever operations, producing a
higher ratio.


Common-Size Statement

When performing a ratio analysis of financial statements, it is helpful to adjust the
figures to common-size numbers. To do this, change each line item on a
statement to a percentage of the total. For example, on a balance sheet, each
figure is shown as a percentage of total assets, and on an income statement,
each item is expressed as a percentage of sales.

This technique is quite useful when you are comparing one business to another
business or to averages from an entire industry, because differences in size are
neutralized by reducing all figures to common-size ratios. Industry statistics are
frequently published in common-size form.

When comparing your company with industry figures, make sure that the
financial data for each company reflect comparable price levels and that it was
developed using comparable accounting methods, classification procedures, and
valuation bases.

Such comparisons should be limited to companies engaged in similar business
activities. When the financial policies of two companies differ, these differences
should be recognized in the evaluation of comparative reports. For example, one
company leases its properties while the other purchases such items; one
company finances its operations using long-term borrowing while the other relies
primarily on funds supplied by stockholders and by earnings. Financial
statements for two companies under these circumstances are not wholly
comparable.
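The common-size technique described above, as an added example that is not part of the study guide: each line is restated as a percentage of a base line (net sales for an income statement, total assets for a balance sheet), and the result is set beside an industry benchmark that is already in common-size form. The company and industry figures are constructed, and the function names are this example's own.

```python
"""Common-size statements: each line item as a percentage of a base total.

Added example; the company and industry figures below are constructed.
"""


def common_size(statement, base_item):
    """Restate every line of `statement` (a dict of amounts) as a percentage of `base_item`."""
    base = statement[base_item]
    return {item: round(100.0 * amount / base, 1) for item, amount in statement.items()}


def compare_to_benchmark(statement, benchmark_pct, base_item):
    """Company common-size percentages beside benchmark percentages, largest gap first.

    Each row is (item, company percent, benchmark percent, difference in percentage points).
    """
    company_pct = common_size(statement, base_item)
    rows = [(item, company_pct[item], benchmark_pct[item],
             round(company_pct[item] - benchmark_pct[item], 1))
            for item in statement]
    return sorted(rows, key=lambda row: abs(row[3]), reverse=True)


# Constructed income statements for two companies of very different size
SMALL_CO = {"Net Sales": 3600, "Cost of Goods Sold": 2400,
            "Operating Expenses": 930, "Operating Income": 270}
LARGE_CO = {"Net Sales": 36000, "Cost of Goods Sold": 24000,
            "Operating Expenses": 9300, "Operating Income": 2700}

# Constructed industry averages, already expressed as percent of net sales
INDUSTRY_PCT = {"Net Sales": 100.0, "Cost of Goods Sold": 62.0,
                "Operating Expenses": 28.0, "Operating Income": 10.0}

if __name__ == "__main__":
    # Size differences are neutralized: both companies show the same common-size figures
    print(common_size(SMALL_CO, "Net Sales"))
    print(common_size(LARGE_CO, "Net Sales"))
    for item, company, industry, gap in compare_to_benchmark(SMALL_CO, INDUSTRY_PCT, "Net Sales"):
        print("%-20s company %5.1f%%  industry %5.1f%%  gap %+5.1f" % (item, company, industry, gap))
```

Sorting by the size of the gap puts the line most worth a question (here, cost of goods sold at 66.7 percent of sales against 62.0 for the industry) at the top of the list.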

McKeever CRMA Study System Appendix 3 Some Comments about Sampling

Some Comments about Sampling


The purpose of sampling is to determine the characteristics of a large
population or universe by looking at a portion of that population or
universe.

For example, when doctors take a sample of blood, doctors are able
to make determinations about the health of their patient from the
sampled blood taken. The doctors do not have to draw all of the
blood from the patient to make determinations about the patient’s
health. When people sample food they may take a taste of the meal
to determine if it meets their taste specifications. Generally, people
do not have to eat the entire meal to determine if they liked it or not.

Sampling is the ability to make determinations about a large
population or universe by looking at a portion of that population or
universe.

The question is how can the sample be designed so that the sampler
can be comfortable that the sample represents the population or
universe?

Note:

The purpose of this job aid is to provide the auditor with sampling tool
options for the most common internal audit sampling technique,
attribute sampling.

The intent of this job aid is not to transform internal auditors into
statisticians.

The underlying assumptions of statistical modeling can be found in
most statistics text books. For the purposes of the internal auditing
profession, Larry Sawyer's book, The Practice of Internal Auditing, is
extremely useful and easy to understand. David McNamee's CD-ROM
publication "Risk Management and Risk Assessment" contains
a section called "Simple Samples for Auditors" that is useful to learn
about the basics of sampling.


Note:

There are two steps necessary when developing a sample. The first
step is to develop the sample size. This can be done statistically or
judgmentally. The second step is to select the chosen sample items
from the population or universe.

Generally, judgmental sampling is the easiest to develop and yields a
relatively small number of items in the resulting sample (less audit
work). The selection method is often judgmental as well, for
example: all of the bills processed last Tuesday or all of the bills
processed in the first work hour of the last four Tuesdays.

Rule:

When attempting to project a sample to the population or universe
from which it originated, the size of the sample must be large enough
to represent the originating population or universe, and everything in
that population or universe must have an equal and unbiased
opportunity for selection.

Therefore, the results of a judgmental sample should not be projected
to the population or universe. This is because the sample size is
mathematically small compared to the population or universe, and the
opportunity for an unbiased selection of all items may not have been
adequate.

There are some exceptions to this. For example, in stop-and-go
sampling it is only necessary to identify one or a few errors in the
sample to determine if the universe has the same error
characteristics.

An example of this would be a sample of tax computations, drawn
from a payroll database, that indicated calculation errors. If the
database program is not correct it is not necessary to look at a larger
sample: if the database program is not correct, then all of the tax
computations are incorrect.


Some common sense needs to be applied, however. Further
investigation may be required. For example, it may be necessary to
determine if the calculations are incorrect on certain days, or certain
times, or certain weeks.

The application of sampling requires common sense. There is no
right or wrong in the sampling method chosen. What is right or wrong
is the appropriate sampling tool for the objective to be achieved.

Statistical Sampling:

A statistical sample is the result of a statistical calculation. Statistical
sampling yields a larger sample size than a judgmental sample.
Consequently, with some level of confidence, the sample
characteristics will more closely reflect the characteristics of the
universe.

In addition, the sample selection with a statistical sample has a more
scientific and unbiased approach. One of two methods of selection is
used with statistical sampling. These selection methods are random
selection and interval selection.

In order to satisfy the capability of projecting to the population or
universe, two points must be considered. First, the sample size needs
to be large enough to represent the population or universe; with
statistical sampling the sample size is developed mathematically and
therefore will more closely reflect the population or universe from
which it was drawn. Second, everything in the population or universe
must have an equal and unbiased chance of being selected in the
sample; an appropriate selection process will satisfy this requirement.

Therefore, when using statistical sampling it is more appropriate and
possible, within prescribed parameters, to project the characteristics
of the sample to the entire population or universe from which the
sample was taken.


There are a number of statistical models that can be used. Each
model is a tool and serves a specific purpose. It is important to
determine the objective of the sample and then to select the right tool
for the job.

For the purposes of this job aid, the attribute sampling statistical model
will be discussed. Attribute sampling is the most common statistical
sampling tool used by internal auditors.

Testing for attributes is testing for a characteristic. For example, is
the sampled item green or blue, is the document approved
correctly or not, or is the amount correct or not? The tests conducted
on the sample are conducted to determine if internal controls are
working or not. The test is not to determine the value of the
documents but just whether the document was processed as required.

There are other statistical models that can be used when testing for
other than yes or no characteristics.

The Practice of Modern Internal Auditing by Lawrence B. Sawyer is a
good reference for using sampling and how the various sampling
tools can be used effectively and efficiently.

Now to Develop an Attribute Sample Model:

The first objective should be to determine any characteristics about
the universe. Next, consider the following three components:
• the confidence level
• the precision
• the error rate
The relationship of these three components, when applied in a
statistical formula, will determine the sample size with some
mathematical confidence.

The universe size from which the sample is to be drawn has little, but
some, impact on the sample size. So do not be afraid of developing
a statistical sample from a large population or universe. It is the three
components that will impact the sample size.


Rule of Thumb:

The higher the confidence, the tighter the precision, and the higher the
error rate, the larger the sample size. The impact on the sample size
is driven by these components in their respective order.
Consider this: the more confident and precise the opinion, the larger
the sample size. Basically, if 100% confidence is required, 100% of
the universe would have to be tested. So anything less than 100% of
the population or universe being tested will have some amount of
inherent error in the opinion. That means there is a chance that the
opinion about the universe, derived from the characteristics of the
sample, is not true.

A combination of time and acceptance of a possible wrong opinion
are two components that can drive the development of sample size.
Time becomes an issue in the amount of audit work necessary. The
larger the sample size, the more audit work. Also, how solid does the
opinion need to be? The more credible you want the opinion, the
larger the sample size.

Rule of Thumb:

The amount of audit work, hence the larger the sample size should
be driven by the identified risk.

A sample at 95% confidence with +/- 5% precision will be larger than
one at 90% confidence with +/- 5% precision; likewise, 90% confidence
with +/- 10% precision would develop a smaller sample size still. The
error rate is developed from the characteristics of accepted and
anticipated errors.

To determine the error rate for the statistical sample formula take a
judgmental sample, perform the required tests on the judgmental
sample, and determine the error rate. Apply this error rate to the
statistical formula. If the error rate can not be determined by the
judgmental method use a 50% default as an error rate (maximum).
More errors in the population require a larger sample size. Document
the methodology in the work papers.


Math Stuff:

The bell-shaped (normal) curve is a part of the statistical sample
model. Within the bell-shaped curve is a standard deviation from the
center. Consequently, standard deviation must be considered in the
development of the sampling model. The standard deviation converts
to a Z factor. The Z factors for a number of confidence levels are
represented on the next page.

The purpose of this job aid is to take some of the fear out of statistical
sampling and to outline some of the basic rules of sampling as an
available tool in the internal audit profession. Again Larry Sawyer’s
book is a good reference.

Sample Size (for an unknown population or universe)

ne = Z² p q / e²

ne = sample size
Z = Z factor for the chosen confidence level
p = anticipated error rate
q = 1 - p
e = precision


Z Factor: this means that a standard deviation of plus or minus 1.96
= 95% confidence.

+/- 1.0 = 68.26%
+/- 1.65 = 90%
+/- 1.96 = 95%
+/- 2.33 = 98%
+/- 2.58 = 99%
+/- 3.0 = 99.73%
+/- 3.30 = 99.9%
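The sample size formula ne = Z² p q / e² and the Z factor table above, worked through in code. This is an added example, not part of the study guide: it reproduces the guide's rule of thumb (95% confidence with +/- 5% precision needs a larger sample than 90% confidence at the same precision, and 90% with +/- 10% a smaller one still) and the 50% default error rate. The finite-population correction n / (1 + (n - 1) / N) is a standard adjustment that the guide does not give and is labelled as such; the function names are this example's own.

```python
"""Attribute sample size from confidence, precision and anticipated error rate.

Added example. It implements the guide's formula ne = Z^2 p q / e^2 with the
guide's Z factors; the finite-population correction is a standard adjustment
that is not part of the guide and is marked as an assumption.
"""
import math

# Z factors for the confidence levels listed in the guide (percent -> Z)
Z_FACTORS = {68.26: 1.0, 90.0: 1.65, 95.0: 1.96, 98.0: 2.33,
             99.0: 2.58, 99.73: 3.0, 99.9: 3.30}


def sample_size(confidence, precision, error_rate, universe=None):
    """Sample size for an attribute test, rounded up to a whole item.

    confidence  confidence level in percent, e.g. 95.0 (looked up in Z_FACTORS)
    precision   desired precision as a fraction, e.g. 0.05 for plus or minus 5 percent
    error_rate  anticipated error rate p as a fraction; 0.5 is the guide's default maximum
    universe    optional population size N; when given, the standard finite-population
                correction n / (1 + (n - 1) / N) is applied (assumption: not from the guide)
    """
    z = Z_FACTORS[confidence]
    p = error_rate
    q = 1.0 - p
    n = (z * z * p * q) / (precision ** 2)
    if universe is not None:
        n = n / (1.0 + (n - 1.0) / universe)
    return math.ceil(n)          # a fraction of an item cannot be tested, so always round up


def error_rate_from_pilot(errors_found, items_tested):
    """Anticipated error rate taken from a judgmental pilot sample, as the guide suggests."""
    return errors_found / items_tested


if __name__ == "__main__":
    for conf, prec in [(95.0, 0.05), (90.0, 0.05), (90.0, 0.10)]:
        print("%.2f%% confidence, +/- %.0f%% precision, p = 0.5: n = %d"
              % (conf, prec * 100, sample_size(conf, prec, 0.5)))
    print("95%%, +/- 5%%, p from pilot (3 errors in 40): n = %d"
          % sample_size(95.0, 0.05, error_rate_from_pilot(3, 40)))
    print("95%%, +/- 5%%, p = 0.5, universe of 1,000: n = %d"
          % sample_size(95.0, 0.05, 0.5, universe=1000))
```

With p at the 50% default the three rule-of-thumb cases come out at 385, 273 and 69 items; a pilot error rate of 7.5% brings the 95%/5% case down to 107, which is why the guide recommends estimating p from a judgmental sample before fixing the statistical sample size.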

Note:

Some Math behind the Scenes:


The Z factor, or standard deviation, is a way to measure the amount of
variability among the components of a data set. In simpler terms, the
standard deviation is the amount of deviation from the mean
(average).

To calculate the standard deviation:

• find the average of the data set
• take each number and subtract the average from it
• square each of the differences
• add up all the squared differences
• divide the sum of the squared differences (previous step) by the
number of items in the data set
• take the square root of the result (previous step)
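The standard deviation steps above carried out on a small constructed data set, as an added example that is not part of the study guide. It also shows how a value's distance from the mean is expressed in standard deviations (the Z of the Z factor table) and what share of the data falls within plus or minus one standard deviation. The data set and the function names are this example's own.

```python
"""Standard deviation computed step by step, following the guide's list of steps.

Added example over a constructed data set (invoice exceptions found per working day);
the result is checked against the standard library's population standard deviation.
"""
import math
import statistics


def standard_deviation(data):
    """Population standard deviation, one step per line of the guide's procedure."""
    mean = sum(data) / len(data)                    # 1. average of the data set
    differences = [x - mean for x in data]          # 2. subtract the average from each number
    squares = [d * d for d in differences]          # 3. square each difference
    sum_of_squares = sum(squares)                   # 4. add up the squared differences
    variance = sum_of_squares / len(data)           # 5. divide by the number of items
    return math.sqrt(variance)                      # 6. take the square root


def z_score(value, data):
    """How many standard deviations `value` lies from the mean of `data`."""
    mean = sum(data) / len(data)
    return (value - mean) / standard_deviation(data)


def share_within(data, z):
    """Fraction of the data set lying within plus or minus z standard deviations of the mean."""
    mean = sum(data) / len(data)
    sd = standard_deviation(data)
    inside = [x for x in data if abs(x - mean) <= z * sd]
    return len(inside) / len(data)


# Constructed data: invoice exceptions found on eight working days
EXCEPTIONS = [2, 4, 4, 4, 5, 5, 7, 9]

if __name__ == "__main__":
    print("mean:", sum(EXCEPTIONS) / len(EXCEPTIONS))
    print("standard deviation (steps):", standard_deviation(EXCEPTIONS))
    print("standard deviation (library):", statistics.pstdev(EXCEPTIONS))
    print("z-score of the 9-exception day:", z_score(9, EXCEPTIONS))
    print("share of days within +/- 1 sd:", share_within(EXCEPTIONS, 1.0))
```

For this data set the mean is 5 and the standard deviation 2, so the day with nine exceptions sits two standard deviations above the mean, and six of the eight days lie within one standard deviation of it.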


Forget It the Auditor Will Never Use a Statistical Sample!

What the Auditor Needs To Know

How confident and how precise do the auditors want their opinion to be? In addition, what is the anticipated error rate? Simply stated, the error rate can be related to the difficulty of the task being sampled. For example, what is the likelihood that the persons performing the task will make an error while performing it? Next, what is the likelihood that the auditor testing the sample will make an error in the test? This concern can also be related to the difficulty of the task: when the auditor performs a simple test on the sample it is less likely that the auditor will make an error, and the error risk increases with the complexity of the test being conducted.

After the sample size has been determined, the sample has to be selected from the universe. Remember that one of the rules of statistical sampling, and of being able to project the tested opinion to the universe, is that every item in the universe must have an equal and unbiased chance of being selected.

There are two basic methods for satisfying this rule. The first is to select the sample randomly, preferably with a random number generator or a random number table. The second method is interval selection. Although not as independent as random selection, interval selection, if done correctly, can provide adequate independence of the sample selection. Interval selection is a good tool if a random number generator or table is not available.

The first step in interval selection is to divide the universe (population) size by the sample size; the result is the interval. Next, pick a random, unbiased starting point within the first interval. This can be done, for example, by using a serial number digit from a dollar bill, a random selection of a phone number from a phone book, and so on. Start with the item identified by this method and then pick every item at the interval. Starting with item number one is acceptable; however, a random, unbiased starting point adds an extra level of independence to the selection process.
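Both selection methods from the two paragraphs above, as an added example (not code from the study system). The universe is assumed to be a numbered list of items (for instance voucher sequence numbers 1 to 1,000); the operating system's CSPRNG stands in for the dollar bill or phone book as the source of the unbiased start. The handling of a fractional interval (for example 1,000 items and a sample of 48) is an added generalization beyond the page's whole-number description.

```python
import random
from typing import List, Optional

# Added example, not from the McKeever study system. Standard library only.
# Items in the universe are numbered 1..universe_size (e.g. voucher sequence numbers).


def seeded_rng(seed: int) -> random.Random:
    """A reproducible generator for testing; real audit work should use the default CSPRNG."""
    return random.Random(seed)


def _check(universe_size: int, sample_size: int) -> None:
    if universe_size < 1:
        raise ValueError("universe must contain at least one item")
    if not 1 <= sample_size <= universe_size:
        raise ValueError("sample size must be between 1 and the universe size")


def random_selection(universe_size: int, sample_size: int,
                     rng: Optional[random.Random] = None) -> List[int]:
    """Method 1: draw sample_size distinct item numbers at random.

    random.SystemRandom reads the operating system's CSPRNG, the modern
    stand-in for the random number table the page mentions.
    """
    _check(universe_size, sample_size)
    rng = rng or random.SystemRandom()
    return sorted(rng.sample(range(1, universe_size + 1), sample_size))


def interval_selection(universe_size: int, sample_size: int,
                       rng: Optional[random.Random] = None) -> List[int]:
    """Method 2: interval selection from a random, unbiased start.

    The interval is universe_size / sample_size. When that divides evenly
    this is exactly the page's recipe: a random start inside the first
    interval, then every interval-th item. The integer arithmetic below also
    copes with a fractional interval (e.g. 1000 / 48) by alternating gaps of
    20 and 21, so it still returns exactly sample_size distinct items and
    every item keeps the same sample_size/universe_size chance of selection.
    """
    _check(universe_size, sample_size)
    rng = rng or random.SystemRandom()
    start = rng.randrange(universe_size)   # uniform random offset in 0..universe_size-1
    return [(start + i * universe_size) // sample_size + 1 for i in range(sample_size)]


def is_valid_sample(selection: List[int], universe_size: int, sample_size: int) -> bool:
    """Right count, no duplicates, and every position inside the universe."""
    return (len(selection) == sample_size
            and len(set(selection)) == sample_size
            and all(1 <= pos <= universe_size for pos in selection))


if __name__ == "__main__":
    # Constructed universe: 1,000 numbered vouchers, sample of 50 (interval of 20).
    print("random:  ", random_selection(1000, 50)[:8], "...")
    print("interval:", interval_selection(1000, 50)[:8], "...")
```

One caveat the page's rule implies: interval selection is only as unbiased as the ordering of the universe. If the items are sorted in a way that repeats at the interval (for example one clerk's work every twentieth voucher), the systematic sample will over- or under-represent that pattern, and random selection should be used instead.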


Point To Remember:

Before any sampling tools are applied, determine the objective of the
sample and the characteristics of the universe from which the sample
is to be drawn.

Some Words About Stratifying The Sample.

It may be appropriate, in some cases, to stratify the sample universe or population. This is a useful variation of the sampling tools in cases where there are significant disparities among the elements of the universe or population. These disparities can include characteristics such as the amounts of revenue, amounts of expenses, size of the organization, amount of sales, and other significant differences.

The Consideration

When the overall population or universe disparities will distort the sample results it may be appropriate to stratify. This should be a conscious decision.

The disparities should be understood prior to the establishment of the sample methodology. If there is a concern that the disparities will distort the ultimate opinion then stratification will be appropriate.

Each stratum becomes a population or universe unto itself. Therefore individual sample methodologies can be applied to individual strata. Also, different sample parameters can be applied to each individual stratum. This can include a mix of both statistical and judgmental techniques. The decision to apply statistical sampling, with varied parameters, and/or judgmental sampling techniques to individual strata should be driven by the risk in each stratum.

Important Note:

Risk should be considered when deciding to develop multiple strata. The size of the sample, and therefore the amount of audit work, should be driven by the need for and appropriateness of audit work based on risk. Once strata have been established they cannot be melded back into one population or universe; audit opinions will be rendered on each individual stratum.
McKeever CRMA Study System Appendix 4 Financial Institution Regulations

The Money, the Financial Institutions

Regulation of financial institutions, particularly in the United States, is often considered cumbersome. However, in most cases it is very necessary. These regulations are so cumbersome that their necessity is debated; some say yes, some say no. Either way, they are the regulations required in the banking industry in the United States. Sometimes these regulations are referred to as “alphabet soup” because of the many abbreviated and cumbersome names. Here are just a few names contained in that “alphabet soup”:

SELECTED Consumer Financial Protection Bureau (CFPB) REGULATIONS

(Regulation B) Equal Credit Opportunity Act

Part 1003 (Regulation C) Home Mortgage Disclosure

Part 1004 (Regulation D) Alternative Mortgage Transaction Parity

Part 1005 (Regulation E) Electronic Fund Transfers (Updated 8/7/12)

Part 1006 (Regulation F) Fair Debt Collection Practices Act

Part 1007 (Regulation G) S.A.F.E. Mortgage Licensing Act—Federal Registration of Residential Mortgage Loan Originators

Part 1008 (Regulation H) S.A.F.E. Mortgage Licensing Act—State Compliance and Bureau Registration System

Part 1009 (Regulation I) Disclosure Requirements for Depository Institutions Lacking Federal Deposit Insurance

Part 1013 (Regulation M) Consumer Leasing

Part 1014 (Regulation N) Mortgage Acts and Practices—Advertising

Part 1015 (Regulation O) Mortgage Assistance Relief Services

Part 1016 (Regulation P) Privacy of Consumer Financial Information

Part 1022 (Regulation V) Fair Credit Reporting

Part 1024 (Regulation X) Real Estate Settlement Procedures Act

Part 1026 (Regulation Z) Truth in Lending

Part 1030 (Regulation DD) Truth in Savings

SELECTED Federal Reserve Board (FRB) REGULATIONS


Part 201 (Regulation A) Extensions of Credit by Federal Reserve Banks

Part 204 (Regulation D) Reserve Requirements of Depository Institutions

Part 206 (Regulation F) Limitations on Interbank Liabilities

Part 207 (Regulation G) Disclosure and Reporting of CRA-Related Agreements

Part 208 (Regulation H) Membership of State Banking Institutions in the Federal Reserve System

Part 209 (Regulation I) Issue and Cancellation of Federal Reserve Bank Capital Stock

Part 210 (Regulation J) Collection of Checks and Other Items by Federal Reserve Banks and Funds Transfers through Fedwire


Part 211 (Regulation K) International Banking Operations

Part 212 (Regulation L) Management Official Interlocks

Part 214 (Regulation N) Relations with Foreign Banks and Bankers

Part 215 (Regulation O) Loans to Executive Officers, Directors, and Principal Shareholders of Member Banks

Part 218 (Regulation R) Exceptions for Banks from the Definition of Broker in the Securities Exchange Act of 1934

Part 219 (Regulation S) Reimbursement for Providing Financial Records; Recordkeeping Requirements for Certain Financial Records

Part 220 (Regulation T) Credit by Brokers and Dealers

Part 221 (Regulation U) Credit by Bankers and Persons other than Broker Dealers for the Purpose of Purchasing or Carrying Margin Stock

Part 222 (Regulation V) Fair Credit Reporting Act

Part 223 (Regulation W) Transactions Between Member Banks and Their Affiliates

Part 224 (Regulation X) Borrowers of Securities Credit

Part 225 (Regulation Y) Bank Holding Companies and Change in Bank Control

Part 227 (Regulation AA) Unfair or Deceptive Acts or Practices

Part 228 (Regulation BB) Community Reinvestment

Part 229 (Regulation CC) Availability of Funds and Collection of Checks

Part 231 (Regulation EE) Netting Eligibility for Financial Institutions

Part 232 (Regulation FF) Obtaining and Using Medical Information in Connection with Credit

Part 233 (Regulation GG) Prohibition on Funding of Unlawful Internet Gambling

Part 235 (Regulation II) Debit Card Interchange Fees and Routing

Part 238 (Regulation LL) Savings and Loan Holding Companies

Part 239 (Regulation MM) Mutual Holding Companies

Part 241 (Regulation OO) Supervised Securities Holding Company Registration

Part 243 (Regulation QQ) Resolution Plans

SELECTED Federal Deposit Insurance Corporation (FDIC) REGULATIONS

Part 328 Advertisement of Membership

Part 330 Deposit Insurance Coverage

Part 370 Temporary Liquidity Guarantee Program

OTHER IMPORTANT LAWS AND REGULATIONS

• Fair Credit Reporting Act (FCRA)
• Electronic Signatures in Global and National Commerce (E-SIGN) Act
• Garnishment of Accounts Containing Federal Benefit Payments (31 CFR Part 212)
• Defense Department Regulation: Limitations on Terms of Consumer Credit Extended to Service Members and Dependents (32 CFR Part 232)
• Right to Financial Privacy Act (RFPA)
• Servicemembers Civil Relief Act (SCRA)



McKeever CRMA Study System Appendix 5 Some Probing Questions

Some Probing Questions

These questions will help the interviewer understand the client’s problems.

• What is the major problem? (Get to the root cause.)
• What problems do you face that are shared throughout the industry?
• What problems do you have that are unique to this geographic area?
• In what ways has inadequate planning affected the fortunes of this organization?
• In what ways is this organization made less profitable by government laws or regulations?
• How do your sales compare with those of similar industries?
• What is the pattern of staff turnover?
• How long have specific management persons or technical employees been in this organization?
• How far in advance do you make decisions about expansion or reduction?
• What is the greatest area of potential growth that did not materialize in the last two years?
• How do you know that you are getting a payback on training?
• How are communications in your organization?
• How do you plan to deal with the capital crunch?
• What new products or services do you see as vital in the next five to ten years?
• What is the biggest problem you have to deal with?



McKeever CRMA Study System Appendix 6 Diagnostic Questions

Diagnostic Questions

• What is the problem? LISTEN

• How did it originate?

• When did it originate?

• How can the problem be observed?

• What caused the problem? Find root causes, do not just look
at the surface

• What factors confuse the issue?

• What do others think the problems are? Find out from the others.

• What would you be willing to give up to solve the problem?

• What will prevent resolution?



McKeever CRMA Study System Application Questions

Application
Questions

Notes:

This module is designed to work with the Application Questions, Answers & Explanations module.

Read and consider each question, in any sequence.

Answer that question the best that you can.

Then check your answer and read the explanation for that question in the Application Questions, Answers & Explanations module.

This process both reinforces your understanding of the material and improves your test-taking technique.

There are over 80 additional questions within the domain material.


1. Today’s business environment is very fluid. As a result, the objectives, risks, and controls are constantly changing. Therefore, when establishing controls it is important to:

a. address changes in risks and controls as a result of the changing environmental issues and implement adequate controls to satisfy the long-term consequences
b. establish a recurring process to address developing risks
c. conduct periodic self-assessment workshops to address the adequacy of controls
d. schedule meetings with the Board of Directors to stay informed about current changes in the environment

2. Which, in the correct sequence, are the four necessary steps in risk
management?

a. prioritize, identify, measure, and act
b. act, identify, prioritize, and measure
c. act, prioritize, identify, and measure
d. identify, measure, prioritize, and act

3. The We Make It For You Company provides custom-made products and parts on demand for a number of domestic and international companies. In general, the parts are made to specification and then shipped to the ordering company for inclusion in their final products. In terms of risk, which of the following categories of risk would or should most concern the We Make It For You Company?

a. country risk
b. transaction risk
c. credit risk
d. reputation risk

4. In order to establish a sincere risk management culture within a company, upper-level management should communicate their tone and risk management philosophy to everyone. The best communication channel to achieve this would be by:

a. weekly broadcasts to all employees
b. demonstrating their upper-level sincerity by their actions
c. publishing the upper-level management risk management philosophy in the company newspaper
d. communicating the risk management philosophy at meetings in person with employees


5. The purpose of The Institute of Internal Auditors' Code of Ethics is to promote an ethical culture in the profession of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. As such, it helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Which of the following are not excerpts from the professional practice guidelines
for internal auditors?

a. shall not accept anything that may impair or be presumed to impair their
professional judgment.
b. internal auditors make a balanced assessment of all the relevant
circumstances and are not unduly influenced by their own interests or
by others in forming judgments.
c. this participation includes those activities or relationships that may be
in conflict with the interests of the organization.
d. none of the above

6. During a recent risk assessment exercise, utilizing a team of process owners, a discussion of how to address the interrelationship risk among the processes began to escalate. It seems that the process owners could not agree on the risks that should be addressed. What was most likely a reason for this lack of focus?

a. the process owners do not understand the consequences of risk
b. the process owners do not understand the overall objectives of the processes
c. the process owners should identify, measure, and prioritize the risks
d. the process owners should work in smaller teams to discuss risks in the individual processes then work as a group

7. One of the most significant differences between the control objectives of the
COSO model and the ERM model is:

a. effective and efficient usage
b. strategic thinking
c. compliance with applicable laws
d. probability


8. The Senior Vice President of Operations reports directly to the Chairman and
President of Products Inc. This is a family-owned company which has grown
substantially over the past few years. Now named Products International its
growth can be attributed mostly to the purchase of three international companies.
These newly-purchased companies provide similar products as the parent
company and were also looking to expand to international markets. As all of
these companies provide generally the same products which type of operating
system is Products International?

a. product differentiation environment
b. open
c. conglomerate
d. closed

9. Which of these methods would be appropriate if the potential risks of a project outweighed the potential benefit?

a. sharing
b. avoiding
c. prioritizing
d. accepting

10. There are four basic tasks necessary when conducting a risk management
exercise. These tasks are: identify the risk, measure the risk, prioritize the risk,
and act on the risk. Which of the following would not be considered part of the
act task?

a. share
b. avoid
c. prioritize
d. accept

11. When functioning in a consulting role as a risk and control specialist, an internal auditor is concerned with strengthening controls to manage risk. Therefore, when functioning as a consultant it would not be appropriate for an internal auditor to:

a. suggest that a follow-up audit be conducted at some time in the future to determine if the recommended controls are adequate
b. follow up with an internal audit to ensure that the recommended controls were implemented as specified
c. not become involved in any follow-up audit
d. schedule follow-up audits with the client in specific areas with auditors other than those who acted as the consultants on the project


12. Which of the following are risks related to ecommerce?

a. customer expectations
b. reputation
c. information integrity
d. all of the above

13. At a recent conference a panel of Audit Committee members was asked if that conference was addressing the areas that concern Audit Committees.

One member reviewed a copy of the program and stated the program was generally addressing those issues. That member stated a concern about a session called “Internal Auditors as Consultants”. He stated, “I am not certain that I want my internal auditors to become consultants.”

As a CAE, how would you answer that concern?

a. ignore that audit committee member
b. agree with that audit committee member
c. explain that modern internal auditors should become internal consultants
d. explain that contemporary internal auditors add consulting skills to audits to provide a more comprehensive service to their clients

14. A customer is very upset with a person who treated him very rudely. The
customer stated that they would never shop at that store or any other store in that
chain in the future. What type of risk is this?

a. information integrity
b. reputation
c. customer expectations
d. all of the above

15. Objectives are a very important element for the success of any process. Which
of the following would most likely be the root cause of risk among and within
various processes when consequences are not adequately considered?

a. there is no evidence of an analysis of risk probability and impact
b. an adequate risk assessment had not been completed
c. this is not an issue because each process probably has different functions and objectives
d. communications are weak


16. Organizational objectives have been mostly applied in the Management by Objectives (MBO) approach to objective achievement. The MBO approach facilitates communication between managers and their subordinates. Therefore, organizational objectives, in order to be effective, should:

a. be maintained and functional between a subordinate and their manager
b. be emulated and migrated
c. combine all of the efforts of the individual departments for an end goal
d. be only used in a highly open and communicative organization

17. Stakeholders in a company can take many forms. They can range from the Board of Directors to every employee at any level within the company. External stakeholders can be stockholders or other investors, customers, suppliers, contractors, and others. Internal stakeholders consist of executives; upper-level, middle-level, and lower-level management; and non-management employees. In terms of ethics and the ethical tone, who should establish and monitor the ethical tone for the external stakeholders and their relationship with the company?

a. the investor community including the Securities and Exchange Commission
b. the company attorneys who develop the contracts with the external stakeholders
c. the Board of Directors of the company, but the middle-level and lower-level management of the company should provide the monitoring for compliance
d. the Board of Directors of the company

18. A private school recently experienced flooding. The administrator quickly emailed the parents of all students to go to a different school location where the teachers would meet the students.

What risk was addressed by having this current and functioning business
continuity and contingency plan?

a. information integrity
b. reputation
c. customer expectations
d. all of the above


19. Which of these risk factors should be considered in performing a risk assessment?

a. subjective risk factors
b. objective or historical risk factors
c. calculated risk factors
d. all of the above

20. Which of these is an effective way to identify soft controls?

a. determine if employees care
b. determine if procedures are sincerely followed
c. determine if there is a procedure in place
d. all of the above

21. Which of the following is not an objective of integrated control frameworks?

a. generate higher quality recommendations
b. a standard format for risk assessment
c. determine if there is a procedure in place
d. create greater evaluation of soft controls

22. Which of the following would be the best organizational culture to implement
organizational objectives when there were concerns with wrongdoing activities?

a. role
b. power
c. achievement
d. person / support


23. The Board of Directors of a large international company has become concerned about an increase in risk exposure. This concern has been amplified among the Board members by the increase in domestic and international risk and control models, including ISO 31000. As such, and realizing the need to maintain compliance with this ever-increasing regulatory platform, the Board of Directors asked internal audit to establish a program that will ensure company compliance. Which of the following approaches should internal audit pursue?

a. establish a training program to educate everyone about the regulatory requirements and also help build a foundation of belief in the need for the regulatory requirements
b. first establish a survey, written or oral, to determine which regulatory issues should be addressed first, minimizing the need to try to address everything at once
c. determine which departments could have the greatest impact on non-compliance and work with them first, providing training, guidance, mentoring, and coaching
d. none of the above

24. Which of the following is (are) risk(s) of outsourcing?

a. expected benefits are not always measurable
b. outsource vendor substandard performance may affect the company’s operations
c. perceived cost advantages may not be realized
d. critical and sensitive data may be inadvertently disclosed
e. all of the above

25. There are a number of risk mitigation scenarios. In simple terms some of these scenarios generally are: risk acceptance (the process owner accepts the risks and the consequences of the risk), risk transfer (some of the risk is transferred to another entity or process; an example is insurance), and risk reduction (decreasing the impacts of risk by applying controls at the right time in the right amount). What is a description of risk contingency?

a. taking the necessary steps to comply with required laws and regulations
b. implementing adequate planning to address risk should it occur
c. in terms of negative risk, reducing the magnitude of an adverse impact
d. implementing specific controls to target specific financial risks


26. The Manufacturer of Technical Things Company manufactures highly technical electronic products. Further, they operate in a highly competitive market. The company realizes that competition comes from many international as well as domestic sources. Because of this working environment, this company performs risk assessments in many dimensions every two or three months. A new CEO has just arrived at this company from a company that works in a much more closed environment. The new CEO immediately wants to reduce time spent on the risk assessment process, indicating that it is a waste of time, and further suggests that once, or no more than twice, a year would be adequate to perform risk assessments. The new CEO suggested that the company resources could be better used in other areas than sitting around in a room doing risk assessments every month. As the risk officer, you should:

a. demonstrate to the new CEO the impending risks of the international competition
b. tell the new CEO that this company is not like his previous company
c. agree with the new CEO; it does make sense from an efficiency point of view
d. try to convince the new CEO that frequent risk assessments in our company’s type of environment are very appropriate if we are to succeed

27. The IIA Code of Ethics applies to which of the following:

a. each IIA individual member
b. any person with any IIA certification
c. members of any organization with IIA affiliation
d. both individuals and entities that provide internal auditing services

28. The Rules of Conduct of The IIA Code of Ethics covers which of the following:

a. competency
b. confidentiality
c. integrity
d. objectivity
e. all of the above

29. Product and service quality risk can best be defined as:

a. resulting from not adhering to product design specifications and not following manufacturing best practices
b. resulting from providing poor or delayed service to customers, leading to a dissatisfied customer perception
c. non-compliance with contractual agreements resulting in dissatisfied customers
d. producing inferior products or services resulting in increased cost of rework


30. While auditing development of your company’s new ecommerce system, which of the following would define potential risks?

a. dependency on a sole or primary service provider
b. failure to achieve a coherent customer interface including web site
c. inadequate number of trained customer service representatives available by the time the system is running
d. all of the above

31. The newest software that you sold in 30 countries has a serious flaw that
miscalculates sales. Consequently the software sometimes ships duplicate
orders without charging the customer. This risk is an example of:

a. country risk
b. transaction risk
c. credit risk
d. reputation risk

32. The COSO integrated control model incorporates five components and three
control objectives. These 15 dimensions of a process allow for developing an
analysis of the process. Which of the following dimensions describes an
understanding of a Code of Ethics or Code of Conduct document?

a. control activities and security of assets
b. monitoring of wrongdoing activities
c. communications of financial requirements
d. control environment

33. An example of a control risk would not be:

a. inexperienced audit department
b. establishing information technology backup controls
c. physical security system that is intermittently operating
d. weak oversight by the Board of Directors

34. Which of the following risk categories would have the most impact and the
longest impact if the risk occurred?

a. information technology risk in a payroll processing facility
b. environmental risk in an oil refinery
c. reputation risk
d. technology risk


35. The ERM integrated control model specifies more detail in risk assessment than do previous integrated control models. In the ERM model, which of the following most closely represents the appropriate amount of controls that should be applied to risk?

a. risk tolerance
b. risk response
c. risk appetite
d. event identification

36. The risk management term for susceptibility to loss is:

a. impact
b. exposure
c. threat
d. probability

37. Ethics is not extremely definitive. Therefore, establishing a definition, communicating that definition to all necessary employees, and then monitoring compliance for adherence to the communication would:

a. be an adequate control to manage ethics
b. be a sufficient foundation
c. provide adequate guidance to inhibit potential fraudulent issues
d. be a form of a preventive control

38. Which of these is a way that can help to identify risk?

a. gather information about the business processes under review
b. determine what is being said about your products or services
c. search for business process information in similar industries
d. all of the above

39. Which of the following is true about ISO 31000:2009?

a. intended for all stakeholders
b. intended for only executive-level stakeholders
c. intended for a broad stakeholder group
d. none of the above


40. The IIA control objectives do not include which of the following control
objectives?

a. compliance with laws, regulations, policies, and procedures
b. tone at the top
c. efficient and effective use of resources
d. reliability of all information

41. A strategy to cause new competitive entrants to spend heavily to overcome existing customer loyalties is best described as:

a. capital requirements
b. differentiation of product
c. switching costs
d. cost disadvantage

42. Due professional care is a philosophy to which professionals should adhere. This includes business managers, auditors, and other professionals. However, in order to adhere to this philosophy these professionals should understand what due professional care actually means. Which of the following does not represent the due professional care philosophy?

a. competency
b. reasonably prudent
c. infallibility
d. due diligence

43. Business regulations, operating requirements, laws and regulations, as well as professional guidelines for professionals such as attorneys, accountants, and internal auditors, have become more complex and necessary as business has become more complex. One way to avoid these regulatory complexities and their associated paperwork would be to operate a business in a closed environment. Which of the following would not be a concern, in a publicly traded company, if the company operated in a closed environment?

a. Foreign Corrupt Practices Act
b. Federal Sentencing Guidelines
c. Sarbanes-Oxley
d. none of the above


44. As the CAE you met with the Audit Committee recently. One of the Audit
Committee members described an article they read recently about the
“assurance” function of internal auditors and asked the question whether or not
all the SOX efforts performed in the last few years was the same as the
“assurance” function. You answered that:

a. SOX and assurance are the same
b. the assurance function is a narrower perspective
c. the assurance function is a broader perspective
d. the assurance in risk management is performed by the insurance department

45. The Rental For You And Save Company, providing day-to-day items for
short-term use, has been in business for 22 years. This company provides products for
short-term use such as lawn furniture, household furniture, electronics, and even
tools. The company’s objective is to help customers who may need such items
for short-term use and who realize that it is not worthwhile to purchase such
items. The average rental time is one month. Contracts are signed with the
renters to return the items in the same condition as they were rented.

Although the number of times an item can be rented can vary depending on the
product, the average number of rental times for all items is currently 14.4 times.
Prior to five years ago, the average number of times for the rental of all items was
19.8 times. In general, the more wear and tear on rented items, the fewer times
they can be rented. In order to maintain company success, the average time
objective for all items rented is 13.6 times. There has been a steady decrease
from 19.8 to 14.4 over the past five years. Management became very
concerned with this trend, particularly when the number reached 14.4 times. The
difference between the objective and the old number of 19.8, compared to the
objective versus the new number of 14.4 times, can best be described as:

a. risk development
b. risk assessment
c. a statistical process SPC risk variation range
d. risk tolerance

46. Which of the following is usually considered an emerging risk?

a. technology and communication
b. natural resource constraints
c. political crises
d. all of the above


47. Management’s basic responsibilities include:

a. planning, staffing, organizing
b. monitoring, staffing, risk management, and directing
c. planning, directing, staffing, controlling, organizing
d. does not include the controlling element

48. A balanced scorecard is a tool familiar to quality professionals and process
owners alike. What are two characteristics of a balanced scorecard?

a. provide a pictorial representation of a process and align individual
goals
b. identify and align individual strategic initiatives and align department
and individual goals
c. a schedule to conduct periodic performance reviews and develop
process owner objectives
d. clarify the organization’s mission and schedule budgetary and financial
reviews

49. Providing risk management assurance requires continual monitoring of risk
in an ever-changing environment as well as a flexible approach to audit planning.
Which of the following should be considered when providing an appropriate,
efficient, and effective risk management assurance audit plan?

a. is the current risk assessment significantly different from the prior one
b. is the plan aligned with risk concerns of the Board of Directors and top
management
c. is the audit staff challenged and able to address new technologies,
business strategies, and products and services
d. all of the above


50. Outsourcing, staffing projects with outside consultants, has become common
practice in recent years. There can be substantial cost savings as well as a
decrease in administrative activities when hiring staff members who will only be
needed for specific short-term projects. Therefore, there can be benefits to
outsourcing when used correctly. Many times these outsourced projects
require an exchange of information technology in both directions between the host
company and the consultant.
Which of the following controls would not be a consideration when outsourcing?

a. IT controls should include how data is exchanged, received, and
validated
b. IT controls should include confidentiality and conflict of interest
considerations
c. there should be an adequate and appropriate contract monitoring
scheme in place
d. the legal department should be the sole designer of legal
contracts regarding any outsourcing activity

51. There are a number of risk assessment tools available which can help process
owners manage their risks. Some of the more contemporary tools are integrated
control frameworks. Which of the following integrated control frameworks
provides the most detailed treatment of risk?

a. COSO
b. ERM
c. CoCo
d. COBIT

52. Focusing on key processes, activities, and controls rather than doing
generalized audits of functions can drastically increase the effectiveness of the
internal assurance function of internal audit. Building continuous monitoring into
every system and process provides both the process owner and the auditor with
a greatly enhanced ability to maintain quality systems on a concurrent basis. One
important key to success is to consistently leverage IT resources. Continuous
auditing utilizing IT techniques would facilitate:

a. data validation in real or near real time
b. continually performing compliance testing
c. monitoring the process, activities, and controls
d. all of the above


53. On occasion IT expertise may not be readily available within a particular
process. Therefore, it may be necessary to acquire external IT expertise.
However, this approach may yield additional risks because of the possible
necessity of exchanging electronically formatted information. Although there
could be significant potential exposure risks, they could be addressed by a team
including legal professionals, process owners, auditors, and other
professionals, including security professionals. For a control team assembled to
manage this possible exposure risk, the item of least concern would be:

a. the possible need for an audit clause in the contract
b. the work hours of the external IT experts
c. the background of the external IT experts
d. the budgeted commitments of the external IT experts

54. A significant shift to a new vision of compliance and ethics has emerged over
the past few years. This shift has brought greater efficiency in the processing and
management of information, greater effectiveness in ensuring corporate governance,
and the agility to address rapidly changing business environments. This new vision of
ethics and compliance includes: an enhanced alignment with stakeholder
demands for transparency and accountability; an increased opportunity to take
advantage of emerging technologies; and:

a. will improve process relationships with stakeholders
b. will help align internal risks
c. will allow practitioners to better target their resources
d. none of the above answers include all of the elements of the new vision
of ethics and compliance

55. Risk reporting involves recording, maintaining, and reporting risk
assessments. Which of the following is not a good reason to complete a risk
reporting effort?

a. it provides background risk identification for new personnel
b. it provides a basis for monitoring the risk management and the
allocation of appropriate actions which will ensure that risk
management is effective
c. it provides the basis for program assessments and updates as the
environment, objectives and risks change
d. it is a management tool facilitating rational decisions


56. An organization must establish and implement controls to safeguard
and secure physical assets and intellectual property. Which types of controls
would be most applicable to secure and control intellectual property?

a. edit checks of data entered & controlling access to data files
b. a periodic accounting of physical assets comparing to control records
and files
c. limiting access to valuable assets
d. a periodic inventory of files

57. Supervisory internal controls should be integrated into the normal operations
of processes. These should include management and supervisory activities such
as:

a. comparisons of what should be done and what is actually done
b. oversight of other activities of process members
c. reconciliations
d. all of the above

58. Identifying threats that could harm or adversely impact a process would be:

a. identifying the critical success factors in risk assessment
b. an element in the risk management cycle
c. estimating the likelihood of the threats
d. an element in the risk assessment process

59. Cost-effective preventive controls in IT systems can help deter or reduce
outage impacts in IT systems. Which of the following would not fall into this
category?

a. multiple off-site storage locations
b. fire suppression systems in the IT facility
c. frequently scheduled data backups
d. heat resistant and waterproof containers for backup media

60. Reporting on key risks can be in a number of formats. Whatever the format, it is
extremely important that the format be designed with a primary objective. This
objective is to motivate the reader into action. Which of the following reporting
elements should be interrelated throughout the report?

a. scope
b. background
c. purpose
d. findings


61. Which of the following is a meaningful reason for using benchmarking?

a. develop best practices
b. develop performance measures
c. maintain a competitive advantage
d. all of the above

62. The CFO of a medium-size company has just been told by the Board of
Directors that the company has to decrease operating budgets by 10% across the
board. The company’s operating budget is currently $124,000,000. There are 5
departments within the company that will be impacted by the decrease.
Departments 1 and 3 each receive 25% of the budget cut. One department
receives 20% of the budget cut. Two departments each receive 15% of the budget
cut. The CFO immediately initiates two budget-cutting policies. The first is to
eliminate all food for staff meetings. The next is to cut all training effective at the
end of the month. It is estimated that cutting these two items immediately will
achieve 6 of the required 10 percentage points of budget cuts, so a further cut of 4%
is required. The actions that this CFO has implemented are:

a. corrective
b. reactive
c. directive
d. preventive

63. The constant monitoring of Key Risk Indicators can provide:

a. an indication that the risk appetite and risk tolerance are achieved
b. a backward looking view on risk events, so lessons can be learned from
past events
c. an early warning: a proactive action can take place
d. all of the above

64. Which section of SOX requires the auditor to document and test the
effectiveness of internal controls of IT systems?

a. 301
b. 302
c. 906
d. 404


65. Which of the following would be helpful in identifying a company’s risks?

a. industry surveys
b. professional associations
c. history
d. other professionals
e. all of the above

66. The self-assessment process can be a useful tool from two perspectives.
First, self-assessment can help enhance a corporate governance knowledge base
with process owner participants. Second, self-assessment develops an ownership
of apparent risks and the necessary corrective actions to mitigate those risks.
Which of the following is generally not a result of a self-assessment effort?

a. a level of enthusiasm among process owners for the acceptance of key
risk management will increase
b. an enhanced belief in risk and control management by process owners
may be realized
c. process owners, as they become more knowledgeable, can eventually
assume responsibility for their own self-assessment efforts
d. because of the involvement of multiple process owners and
perspectives there will be assurance that key risks are adequately
addressed

67. During a risk-based workshop eight of the attendees classified a particular
risk as “HIGH” and six classified it as “LOW”. As the facilitator the best approach
would be:

a. classify that risk as “MEDIUM” to be fair
b. classify that risk as “HIGH” using the majority classification
c. clarify the definitions of “HIGH”, “MEDIUM” and “LOW”
d. change the subject

68. SOX was instituted as a reactive control to address integrity issues in
business. This meant enhancing existing controls that were apparent in the FCPA.
These enhanced controls:

a. require CFOs to certify financial documentation
b. require the audit committee to oversee public auditors
c. require CEOs to oversee the compensation and independence of the
external auditors
d. require that the CEO comply with section 301 to address the annual
evaluation of internal controls


69. During an audit it is observed that a number of expense vouchers have been
pre-signed by an approving-level authority and are stored in an unsecured desk
drawer. The auditor challenged the supervisor of the department, who indicated
that the approving individual traveled often, so these vouchers were pre-approved
for efficiency reasons. That way there would not be a delay in securing
payment because the approving person was on the road. The auditor convinced the
supervisor that, for audit, good management, and security reasons, this was not a
good policy and must be corrected. Correcting this issue in the future on these
documents is what type of control?

a. detective control
b. preventive control
c. corrective control
d. administrative control

70. One of the tools that can be used to provide an evaluation that key risks are
adequately evaluated is operational auditing. Which of the following would not be
a result of an operational audit?

a. operational auditing will help evaluate the interrelationships between
and among individual elements of a process
b. operational auditing will help evaluate the apparent interfaces between
and among individual processes within an overall process
c. operational auditing can help evaluate the adequacy of controls in a
process with respect to efficiency and effectiveness
d. operational auditing can provide assurance that key risks are
adequately evaluated and addressed

71. Which of the following is not true about self-assessment?

a. improves communications at all levels
b. helps employees understand how to address and report on the
adequacy of controls
c. clarifies that internal audit is responsible for internal controls
d. none of the above

72. When an internal control in the Accounts Payable Department fails, that
would be best categorized as what type of risk?

a. an audit risk since internal audit missed it during an audit
b. an intentional internal human control risk
c. a control risk
d. none of the above


73. The first step in risk assessment should be:

a. risk management
b. prioritize
c. measure
d. identification

74. One local organization owns 15 fast food breakfast and lunch mini
restaurants. These restaurants have been strategically located in high-density
geographic locations.

They cater to many of the employees of the various businesses in the area. This
operation has grown from two such restaurants two generations ago to its current
status. The CEO of the company has an MBA. The CEO has become concerned
with the physical location of three of the restaurants. It seems that there are
vacant building lots within walking distance of these three restaurants. The specific
concern of the CEO, who does not own these empty building lots, is what if a
competitor built a similar restaurant on the lots in these high-traffic areas.

The CEO has asked internal audit for advice. After some discussion the CEO and
internal audit agreed that the strategy of the company should be:

a. manage the bargaining power of suppliers, minimizing the risk of sole
source suppliers
b. develop a differentiation of product
c. anticipate the threat of substitute products by competitors
d. all of the above

75. An ultimate objective is to have more process owners understand corporate
governance. Important ingredients to achieve this are the efforts of internal audit.
Realizing that in many cases process owners have much less understanding of
corporate governance than do internal auditors, which approach should internal
auditors take to improve this corporate governance knowledge base for process
owners?

a. first understand the process owner’s knowledge base and then develop
appropriate risk and control training for the process owners
b. develop a restructuring of the process organization considering
specifically efficiency and effectiveness
c. develop policies and procedures the first time for the process owners
d. conduct an audit to determine the weak areas to address first


76. An atmosphere of mutual trust and open communications to discuss risk
among management and employees would be which component of COSO?

a. communications
b. control environment
c. risk tolerance
d. control activities

77. Identifying risk can be a complex and often debatable task. The most
important question to ask when prioritizing risk would not be:

a. what is the cost if the risk occurred
b. what would be the probability and the cost if the risk occurred
c. what is the risk tolerance
d. what is the risk appetite

78. The Code of Conduct in a large company had historically been written by the
corporate security department. As time passed it was decided that the legal
department would be the developer and author of the new Code of Conduct. As
part of the internal control process of this company it was traditional that internal
audit would audit the effectiveness of any major design or changes in the Code of
Conduct. Such was the case here after the legal department published the Code
of Conduct and some time had passed. The internal audit department should
have included in the scope of the audit of the Code of Conduct:

a. obtain a list of all employees who had a review of the Code of Conduct
b. compare the list of all employees who had a review of the Code of
Conduct to those who should have had the review
c. interview a sampling at various levels and departments to determine if
they understand the new Code of Conduct and how they feel about it
d. all of the above


79. A medium-size company with multiple working locations and approximately
9,000 employees has recently instituted a fraud or ethics hotline. This company
manufactures complex components for private and governmental organizations.

The company went to great efforts to advertise the new hotline, showing support
from higher-level management in the advertising. The telephone number for the
hotline is toll free, with no charge for calling, and has been proclaimed unable to
identify any caller. The company felt that if the hotline was going to work,
anonymity was vitally important. Employees must feel no threat if they feel the need
to call the hotline with information of ethical concern.

A record of inbound calls was retrieved (only the total number of calls, not a
record of the actual originating numbers). It was determined that only three
calls were received in 12 months. Further, because there was no originating
number record, it was assumed that at least one, maybe two, of these calls were
test calls from security.

It was determined that the fraud or ethics hotline was not being utilized as
intended.

Which of the ERM components is most applicable for this situation?

a. control activities
b. internal environment
c. information and communications
d. monitoring

80. The senior managers of a medium-size company have expressed concern
about the working relationships among various business units within the
company. New senior managers who entered the company six years ago
recognized the opportunities for new markets and aggressively went after those
markets. As a result, the company has grown from $2 million gross income to
$12 million gross income in five years. The organization’s overall philosophy has
changed from one of complacency to an aggressively competitive organization.
This new excitement of success and business outlook has enhanced the
competitiveness among departments. Hence, this competitiveness has caused
uncertainty about the continued future success of the company. In the words of
one Vice President, “It seems now that the numbers are what is strived for, not the
vision”. Which of the following would be the best model to help re-focus the
company toward an overall picture and the portfolio of success inhibitors?

a. COSO
b. a risk model that will completely address the probability and the impact
of the risk upon the vision and objectives
c. an expanded control model that will help address the entire organization
including all of the internal and external risk, and the strategic plan
d. control models that will ensure that preventive and corrective controls
are adequately in place to address the vision

81. As part of SOX compliance, a business unit within a large organization has
gathered staff to develop risk models. This organization used benchmarking
results from another organization to develop their model. Because of the nature
of the business, it is planned that one specific business unit within the
organization will be addressed. This business unit is relatively small but serves
as an important function within the organization. This all-encompassing
documentation is representative of:

a. ERM
b. COSO
c. the good risk model
d. none of the above

82. Data mining is much more effective than sampling. In sampling, generally,
not all of the data is available for review. Simply stated there is not time to review
all of the data so a sample is developed to extract a portion of the overall data.
With data mining all of the data, for a specific period, can be reviewed. The
computer will do this very accurately and effectively.

Data mining means downloading the data to be reviewed into a software package
that will manipulate the data as required. The prime consideration with data
mining should be:

a. perform a reasonable test to make sure all of the data required was
downloaded
b. sort the data by key interests for example date, name, address, payroll
code
c. download as much data as possible
d. none of the above because data mining should consider all of these
concerns in the software

83. The best reason to incorporate computer-based auditing is that:

a. it makes it easier to audit
b. it makes audit more effective
c. it detects more real or potential problems
d. it helps provide better service to clients


84. Duplicate payments within the accounts payable process are an ongoing
problem. Duplicate payments to vendors can be accidental or intentional. Making
duplicate payments intentionally is fraud. One way to detect duplicate payments is
acquiring accounts payable data for a period into a database manager and sorting
by common fields like vendor name, invoice date, vendor address, and amount.
When unusual indications appear, further comparisons may be required, such
as determining the department that authorized the payment and the accounts
payable person that processed the payment.

Which of the following controls would be the best inhibitor to minimize the
possibility of duplicate payments before they happen?

a. a strong Code of Ethics with required review by all employees quarterly
b. routine and periodic reviews of accounts payable data by management
c. swift and decisive action such as reprimanding any employee caught
processing a duplicate payment as this is also a violation of the strong
Code of Ethics as well
d. an obvious communication to employees by management that analysis
of vendor payments is routinely and periodically performed
e. answers a. and c.
f. answers b. and d.
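The detection procedure that question 84 describes (sort an accounts payable extract by vendor, invoice, date and amount, then trace anomalies back to the authorizing department and the processing clerk), preceded by the completeness test that question 82 calls the prime consideration in data mining, as an added worked example. This is not code from the McKeever study guide; the six payment records, the control totals and the field names are constructed for illustration, and the 30-day window for "possible" duplicates is an assumed audit parameter.

```python
"""Added example: duplicate-payment test over a constructed AP extract.
Not part of the McKeever CRMA Study System; all data below is made up."""
from collections import defaultdict
from datetime import date
import re

# Constructed sample extract; in practice this is the AP export for the period.
AP_EXTRACT = [
    {"id": 1, "vendor": "Acme Supply Co.", "invoice": "INV-1001", "date": "2013-03-02",
     "amount": 1250.00, "dept": "Ops", "clerk": "jsmith"},
    {"id": 2, "vendor": "ACME SUPPLY CO", "invoice": "INV1001", "date": "2013-03-09",
     "amount": 1250.00, "dept": "Ops", "clerk": "jsmith"},
    {"id": 3, "vendor": "Beta Tools Ltd", "invoice": "7788", "date": "2013-03-10",
     "amount": 430.50, "dept": "Maint", "clerk": "rlee"},
    {"id": 4, "vendor": "Beta Tools Ltd", "invoice": "7789", "date": "2013-03-11",
     "amount": 430.50, "dept": "Maint", "clerk": "rlee"},
    {"id": 5, "vendor": "Gamma Logistics", "invoice": "G-55", "date": "2013-03-15",
     "amount": 9800.00, "dept": "Ship", "clerk": "jsmith"},
    {"id": 6, "vendor": "Gamma Logistics", "invoice": "G-55", "date": "2013-03-15",
     "amount": 9800.00, "dept": "Ship", "clerk": "mpatel"},
]

# Record count and control total reported by the source system (constructed).
SOURCE_CONTROL = {"count": 6, "total": 22961.00}


def reconcile(extract, control):
    """Question 82's 'reasonable test': the download must match the source
    system's record count and control total before any analysis is trusted."""
    total = round(sum(r["amount"] for r in extract), 2)
    return {"count_ok": len(extract) == control["count"],
            "total_ok": total == round(control["total"], 2),
            "count": len(extract), "total": total}


def _norm(text):
    # Collapse case, punctuation and spacing so 'Acme Supply Co.' == 'ACME SUPPLY CO'
    return re.sub(r"[^A-Z0-9]", "", text.upper())


def _cents(amount):
    # Compare money as integer cents, never as floats
    return int(round(amount * 100))


def find_duplicates(extract, window_days=30):
    """Exact: same normalised vendor, invoice number and amount.
    Possible: same vendor and amount, different invoice, within window_days
    (the assumed window is an audit parameter, not a fixed rule)."""
    exact = defaultdict(list)
    for r in extract:
        key = (_norm(r["vendor"]), _norm(r["invoice"]), _cents(r["amount"]))
        exact[key].append(r["id"])
    exact_groups = sorted(ids for ids in exact.values() if len(ids) > 1)
    flagged = {i for g in exact_groups for i in g}

    by_vendor_amount = defaultdict(list)
    for r in extract:
        if r["id"] not in flagged:
            by_vendor_amount[(_norm(r["vendor"]), _cents(r["amount"]))].append(r)
    possible = []
    for rows in by_vendor_amount.values():
        rows.sort(key=lambda r: r["date"])
        for i in range(len(rows)):
            for j in range(i + 1, len(rows)):
                a, b = rows[i], rows[j]
                days = (date.fromisoformat(b["date"]) - date.fromisoformat(a["date"])).days
                if _norm(a["invoice"]) != _norm(b["invoice"]) and days <= window_days:
                    possible.append([a["id"], b["id"]])
    return {"exact": exact_groups, "possible": sorted(possible)}


def who_touched(extract, ids):
    """The follow-up the question describes: which department authorised and
    which AP clerk processed each payment in a flagged group."""
    return sorted({(r["dept"], r["clerk"]) for r in extract if r["id"] in ids})


if __name__ == "__main__":
    print(reconcile(AP_EXTRACT, SOURCE_CONTROL))
    dups = find_duplicates(AP_EXTRACT)
    print(dups)
    for group in dups["exact"] + dups["possible"]:
        print(group, who_touched(AP_EXTRACT, group))
```

Normalising vendor and invoice strings before grouping is what turns a simple sort into a useful test: the first two records differ only in capitalisation and punctuation and would sit apart in a naive sort. The "possible" category (same vendor and amount, consecutive invoice numbers, one day apart) is the kind of indication the question says needs further comparison rather than an automatic conclusion, and the two clerks on records 5 and 6 show why the processing-person check matters.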

85. Codes of Conduct or Codes of Ethics are internal organizational documents.
They act as guidance for the behavior of members of the organization. Many times
these documents contain ethical guidelines. These guidelines specify guidance in
terms of the personal and professional conduct of organizational members. These
ethical guidelines most often include:

a. the requirements of acceptable ethical behavior
b. a committed structure of social and ethical culture that is in the best
interest of the organization
c. avoidance of any behavior, legal or otherwise, that can adversely impact
the reputation of the organization
d. all of the above

86. Risk includes the possibility of something, either positive or negative,
happening to an organization. Risk management is an appropriate step to
minimize the outcome of negative risk. Which of the following describes risk
management?

a. risk management = risk assessment + risk mitigation – positive risk
implication
b. risk management = risk evaluation + risk mitigation + the net of any
positive risk
c. risk management = risk mitigation + risk assessment
d. risk management = risk assessment + risk evaluation + risk mitigation


87. In performing a risk assessment at a major Canadian bank, which of the
following integrated control frameworks would probably work best?

a. CoCo
b. ERM
c. COSO
d. combination of the above

88. Which of these is not an element of risk assessment?

a. risk measurement
b. risk prioritization
c. risk shifting
d. risk identification

89. A television editorial said that your non-profit organization spends 80% of
contributions for telemarketing. What type of risk is this?

a. information integrity
b. reputation
c. customer expectations
d. all of the above

90. An adequate risk assessment should be completed by using:

a. subjectivity
b. multiple inputs from stakeholders
c. formulas
d. all of the above

91. Which of the following are objectives of risk monitoring and updating?

a. identify any new risks and systematically track them to best understand
the impact of the consequences
b. effectively manage these risks and the contingency plan
c. decide how to manage any new risks
d. all of the above


92. What risk assessment term best describes the tangible outcomes of risk on
the decisions, events, or processes?

a. risk
b. consequences
c. exposure
d. threat

93. An effective risk management process requires significant success factors.
Some of these success factors are full support of the process unit’s team, senior
management support, an on-going evaluation process, and competence of the
process unit’s team. What additional success factors would be appropriate to
complete an effective risk management process?

a. an awareness, belief in the process, and cooperation of the process
unit’s team to comply with risk management procedures
b. an establishment of a specialty risk management team or department to
oversee risk management within various processes
c. to design a standardization of the development of risk management
policies and procedures to be complied with in all departments
d. a specific and detailed intervention by the Board of Directors, who are
now responsible, by law, for the details of the risk management process

94. The applicability and enforcement of The IIA Code of Ethics includes:

a. only conduct covered specifically
b. unacceptable conduct for an IIA certificate holder
c. any unacceptable conduct
d. only conduct that is illegal in a specific country

95. Your Store sold an item on its ecommerce site accepting a stolen credit card
issued by a bank in another country. This risk is an example of:

a. country risk
b. transaction risk
c. credit risk
d. reputation risk

96. The risk management term for the likelihood of risk is:

a. impact
b. exposure
c. threat
d. probability


97. Your company decided to take advantage of the international marketplace.
Part of this effort is to partner with companies in host countries. This is an excellent
example of addressing risk by:

a. sharing
b. avoiding
c. prioritizing
d. accepting

98. Who is interested in an organization’s risk management?

a. all process owners
b. all stakeholders
c. everyone
d. all management

99. Which of the following is the most important component of COSO?

a. risk assessment
b. information and communication
c. control environment
d. control activities

100. Companies or processes that do not find a position in the industry where
they can best defend themselves against competitive forces, or can influence an
alignment with the competitive forces, are an example of:

a. weak internal controls
b. weak strategic planning
c. weak executive support
d. weak risk assessment

101. Establishing objectives to prevent lawbreaking and scandals, to develop a
Code of Ethics specifying acceptable conduct including the rights of the
corporation and necessary compliance with laws and regulations, to include clear
standards and penalties for violations, and to ensure supervision of compliance with
the standards would be efforts to address which type of risk?

a. legal risk
b. regulatory risk
c. ethical risk
d. reputational risk


102. When auditing the adequacy of policies and procedures the most important
factor about policies and procedures is that they are:

a. in writing and understood
b. followed in all circumstances
c. followed in all but clearly defined situations
d. working effectively

103. As a risk and control specialist in a multinational corporation named Serve All
Communications Inc., the executive committee has asked for your input on a major
acquisition. This acquisition will mean that the company will be acquiring a current
competitive telecommunications company that, in addition to being a direct
competitor, also provides products and services which could complement Serve All
Communications Inc.’s product and service base.

From the executive point of view, this would address two issues. The first is that the
merger would eliminate a competitive element. The second is that it would allow
Serve All Communications Inc. to expand its product and service base. The merger
would cost Serve All Communications Inc. $12,600,000 and involve the possible
relocation of facilities costing an additional $5,000,000. In addition, because of
duplication of work between the two companies, decisions on layoffs and relocation
of staff are a concern. This could cause social, geographic, and other labor issues.

Financing for this project will be 35% from internal funds and 65% from new equities,
including both common and preferred stock, which will become available to
shareholders.

This is a major project. As the risk and control specialist you should recommend
to the executive committee that they consider:

a. an equity ratio analysis, common shareholders’ equity divided by total
capital employed
b. a SWOT analysis
c. an equity to debt ratio including: market value of common plus preferred
stock divided by total current plus long term debt
d. other professionals
e. an ERM analysis


104. Product or service differentiation can be interpreted differently by each person.
In the case of business, no matter what business, the person who matters is the one
receiving the products or services. In either case a product feature is a property
possessed by the product or service that meets or exceeds customer needs and provides
customer satisfaction. In summary, product or service differentiation is a feature that
will cause a customer or client to acquire products or services from one company as
opposed to another. Adequate consideration of product or service differentiation
can be a tool to manage competition and gain competitive advantage.

Which of the following would be considered the most important product or service
differentiation effort?

a. pricing
b. availability of product or service
c. product design
d. customer service
e. all of the above

105. Three new members of a Board of Directors have recently been elected. At one
of the first meetings to discuss a methodology to enhance an internal control
philosophy, which has become somewhat weakened over recent years, the
conversation focused on the design of posters which would emulate an enhanced
control philosophy. Some of the Board of Directors members suggested a local
graphic designer to design the posters. Another member suggested that the posters
be supplemented by pamphlets, which could also be designed by the same local
graphic designer. One of the new Board members is also a member of the audit
committee and has substantial experience on Board Audit Committees as well as
being a CAE for a number of companies. In addressing this new control philosophy
effort this new member should indicate:

a. that to maintain objectivity the graphic work should be put out to bid
b. the graphics work is not the only thing that should be considered
c. the cost of the graphics could be expensive so considerations should be
given to in-house designs
d. the graphics should be designed with a company-focus not generic
e. all of the above

106. The Accounts Payable (AP) Manager asked you, as an audit manager, to
conduct a meeting to discuss how to process payables more efficiently. The AP
Manager indicated that no audit report would be required, only a verbal report that
would be distributed only to attendees at the meeting.

As a CIA your best decision would be to:

a. refuse the offer since there would be no audit report
b. refuse the offer since this is not an audit
c. accept this readily
d. accept but specify this would not be an audit

107. Which of the following techniques will most likely provide continuous
monitoring?

a. computer-assisted auditing
b. operational auditing
c. embedded audit applications
d. all of the above

108. Section 302 of Sarbanes-Oxley requires that external auditors issue a financial
opinion regarding the accuracy of financial statements. Which section of Sarbanes-
Oxley requires that external auditors issue an opinion on whether effective internal
control over financial reporting was maintained in all material respects by
management?

a. section 806
b. section 802
c. section 404
d. none of the above

109. The Federal Sentencing Guidelines, the Foreign Corrupt Practices Act, and
Sarbanes-Oxley are designed to provide regulatory guidance to companies. This
means that companies should comply with internal control and risk management
processes, making and keeping accounting records that accurately and fairly reflect
the transactions of the company. Following the anti-bribery provisions of
these regulations, a number of countries have also enacted anti-bribery provisions.

Which one of these regulatory initiatives states that audit committees are
responsible for the hiring, compensation, and overseeing of public auditors?

a. Sarbanes-Oxley
b. Foreign Corrupt Practices Act
c. Federal Sentencing Guidelines
d. the anti-bribery provision enacted in 1977 as part of the Foreign Corrupt
Practices Act

110. The Board of Directors and other top-level management must design,
communicate, and emulate the corporate governance and ethical tone throughout
the organization. It is also their responsibility to:

a. implement this tone within individual departments
b. monitor the effectiveness of the tone within the organization
c. provide specific guidance to departmental managers
d. develop policies and procedures to be followed by the individual
business units


111. What does an operational audit of an organization’s operating procedures
and methods address?

a. efficiency
b. effectiveness
c. economy
d. all of the above

112. Successful companies harness employee energy and enthusiasm. They
develop a climate of trust, encouragement, and productivity. Through people, this
culture must be emulated from the very highest levels to the very lowest levels within
the company. Which of the following would be an effective way to harness
employee energy and enthusiasm?

a. provide adequate training on the processes that are important to the
employees
b. communicate with the employees and hear what they have to say
c. show an interest in the employees’ work
d. all of the above

113. Although Board of Directors members often serve on the Boards of
Directors of a number of different companies, their main focus should be:

a. the internal controls of the company that they are addressing at any point
in time
b. to identify the internal risks and the external risks pertinent to the
company that they are addressing at any point in time
c. to develop and communicate the policies and procedures relative to the
internal and external controls of the company they are addressing at any
point in time
d. to develop a communication channel for the communication of corporate
governance for the company that they are addressing at any point in time

114. Successful companies establish a mission or vision statement, objectives, and
goals. These are often designed at high levels within the organization and should be
communicated downward in the organization. Employees can then identify
customers’ needs each month to identify and address the satisfied customers as
well as the dissatisfied customers. With this information, reports to the planning
organization can be provided every month, with follow-up on the effectiveness of
results. This scenario is an example of:

a. an objective
b. a goal
c. a mission statement
d. a combined mission and vision statement


115. Although a goal statement is somewhat specific, which statement is even more
specific for an issue requiring an immediate correction?

a. strategic planning
b. corporate memo
c. tactical planning
d. all of the above

116. A product or service deficiency is a product or service failure that results in
product or service dissatisfaction, real or perceived, on the part of the customer. Quality
management involves not only establishing prescribed parameters but also communicating
quality and measuring its effectiveness. Less customer dissatisfaction can lead to:

a. stabilization in market share
b. less need for unnecessary expenses
c. less expense to recapture markets
d. all of the above

117. Your company noticed a decrease in market share (loss of customers). A
decision was made at higher levels of management to initiate a sales task force to
recapture the customers who had moved to the competition. The plan would include
major discounts offered to the lost customers as an incentive to return. In addition, substantial
rewards (vacations and household appliances including wide screen televisions)
would be awarded to the sales team that recaptured the most lost customers. What
type of control was the major control weakness in this situation?

a. operational controls
b. preventive controls
c. corrective controls
d. sales and marketing controls

118. As a risk and control expert you have been asked to attend a meeting to
address major issues in the company. The attendees, with the help of the
moderator, are listing pages and pages of recommendations with proposed fixes for
the issues. This is the first meeting of the team and no prior discussion has taken
place to address these issues. As the risk and control expert your comment to the
attendees should be:

a. ask what is the cost of employing all of these fix items
b. can we divide the many items on the lists to process owner responsibility
c. can we prioritize the items on the list and schedule a discussion on the
top 15 items for the next meeting
d. none of the above


119. Volatility in business contributes to the extensive nature of risk. These
changes include such items as changes in regulations, external competitive forces,
rapid expansion, rapid reduction, new staff, new systems, and new locations. In
simple terms, the more such activity there is, the more the risk will
increase. Considering a company with these types of activities, what would be the
best consideration of how often a risk assessment in the company should be
conducted?

a. once a month
b. it depends on the risk appetite and the actual frequency and impact
of influencing volatile activities
c. once a quarter is sufficient; risk assessment is a control and it is important not
to over-control
d. it depends on the management philosophy regarding risk appetite and
risk tolerance

120. It is sometimes said that the shortest distance between two points is a straight
line. One of the consequences of not moving along a straight line between two
points is inefficient use of resources. For example, measuring the distance along a
straight line between two points would reveal one distance. If the distance was
measured drifting on and off the line in either direction (detective control) and then
correcting (corrective control) to get back on the straight line to reach the final point,
the distance traveled on the adjusted line would be longer than the straight line
(inefficient use of resources). The greater the drift from the straight line,
the more inefficient the required reaction would be. Further, there may be a risk of not
reaching the final point within a specified time or even running out of fuel before
reaching the final point. Drifting on and off the straight line is an example of:

a. inadequate risk management
b. inadequate objective management
c. inadequate control management
d. inadequate risk reaction

121. The achievement organizational culture is most similar to which management
style?

a. autocratic
b. supportive
c. collegial
d. custodial


122. Sarbanes-Oxley (SOX) has 11 major titles each with a number of subsections.
Two of the most important subsections are 302 and 404. Which subsections are
most related to the protection of informants and the protection for employees of
publicly traded companies who provide evidence of fraud?

a. sections 806 & 1107
b. sections 1106 & 802
c. sections 302 & 404
d. sections 106 & 203

123. In order to have an adequate risk management and risk environment, it is
necessary that there be an inherent belief in the “right way to do things”. The
“right way to do things” simply means that the actions taken to achieve objectives are
ethical, efficient, and effective. This inherent belief must be part of the nature of
all those involved within the process, at all levels and in all functions. Which of
the following specifically requires an evaluation of company-level (entity-level)
controls utilizing the components of the COSO framework?

a. Foreign Corrupt Practices Act
b. Public Company Accounting Oversight Board Auditing Standard 5
c. Sarbanes-Oxley
d. Public Company Accounting Oversight Board Auditing Standard 2

124. What are the elements that often drive fraudulent acts?

a. need or want
b. opportunity
c. rationalization
d. all of the above

125. In terms of ethics, ethics is:

a. definitive
b. not definitive
c. definitive by most cultures
d. all of the above


126. It was recently discovered that a well-respected employee had stolen some
cash from the cash drawer in a department. There has never been a history of this
employee doing any such act in 20 years of employment with the company. This
employee has been considered ethical and had been trusted with many valuable
company materials. The root cause of this event was most likely:

a. an opportunity
b. a life environmental change in the employee’s life situation
c. a need
d. all of the above

127. Conducting an adequate risk assessment can be a complex process. There are
a number of mathematical models and tools that can help in conducting a risk
assessment. These include the annual loss expectancy, which is the product of the
probability and the impact of the potential risk. The result of multiplying these two
elements is the annual loss expectancy. Another mathematical model is the
absolute risk model. This considers the probability and the impact, and adds time
to the equation. Therefore, the product of multiplying all three of these elements
is the absolute risk assessment. Which of the following would be
considered the most important tool when developing an appropriate and adequate
risk assessment?

a. the direct probability estimate model
b. the modified annual loss expectancy model
c. the annual loss expectancy model
d. none of the above

128. Management has some basic functions. They are:

a. staffing, planning, organizing, controlling, supervising
b. organizing, developing, staffing, monitoring, planning
c. planning, organizing, staffing, directing, and controlling
d. all of the above

129. The term empowerment is commonly used in business. This simply means
that a person with some power is willing to delegate some of that power to a
subordinate. An example of this is allowing the subordinate to make some routine
decisions normally made by the person with the power. However, a point
often overlooked with empowerment is that not everyone may want to give up
some power and not everyone may want to receive some power. The
recommended stage(s) of instituting empowerment in an organization are:

a. identify the employees or situation requiring additional power
b. engage the empowerment practices
c. establish a feedback process with the empowered employees to
reinforce their success and sense of accomplishment
d. all of the above

130. Motivation of employees has been a continual effort of managers for years.
The risk of not motivating employees adequately, appropriately, and in a timely manner can
result in a decrease in productivity because of attitude, morale, and general human
psychological issues. To manage employees’ efforts, effective managers need to
adjust to changes while constantly monitoring the morale and attitude of their
employees. There are a number of managerial tools that have been implemented
by managers over the years. Increasing responsibility, recognition, and
opportunities for growth and achievement is best defined as:

a. job employee alignment
b. job simplification
c. job adjustment
d. job enrichment

131. In terms of internal stakeholders in a company, everyone with a relationship
to a company is some type of stakeholder. The Board of Directors and the Audit
Committee are some of the upper-level stakeholders, who now have enhanced
responsibilities under the Sarbanes-Oxley law. One of the questions that these
stakeholders should be asking, and that may not have been adequately asked in the
past, is:

a. how are we going to manage the bad press
b. is there a methodology to identify and minimize controls that no longer
serve their initial purpose
c. what are the budget implications for the next reporting cycle
d. have we considered every possible risk for the new facility

132. External suppliers can cause substantial risk to the success of companies in
a number of ways. The most predominant root cause issue of external suppliers
delaying shipments or providing poor quality of required component parts could
be:

a. suppliers supplying highly technical complex components
b. suppliers involved in a conflict of interest
c. suppliers supplying without a contract
d. suppliers that are the only source

133. When working with external vendors, which of the following would you be
least likely to discuss with the external vendors?

a. the Code of Conduct
b. the contract
c. the organization chart
d. the bonus structure of staff


134. The Code of Conduct or Code of Ethics is an appropriate reference when
contracting with external vendors. In these cases, which of the following is the
least likely to be included in the Code of Conduct or Code of Ethics:

a. a right to audit clause
b. a conflict of interest clause
c. the company ethical policies
d. none of the above

135. A schedule of authorizations is an internal company document that details
what payments and what types of payments can be authorized by what levels
within the company. The level of persons within the company authorized to make
payments should be indicated in the schedule of authorizations by:

a. title
b. pay grade indicator
c. organization
d. responsibility

136. One of the most important key considerations for the administration of third-
party relationships is:

a. compliance with laws
b. the number of employees on the third-party payroll
c. the location of the third party
d. gain third-party agreement on compliance with laws, regulations,
the relevant code of conduct, and ethical standards

137. One of the responsibilities of the Board of Directors is to oversee
relationships with vendor third parties. As such, they should adopt a risk
management process for third-party relationships that should include:

a. risk assessment to identify the company’s needs and requirements
b. due diligence to select third-party providers
c. written contracts that outline duties, obligations, and responsibilities of
the parties involved
d. all of the above


138. The best description of strategic risk is:

a. risk to earnings or capital arising from an obligor’s failure to meet the
terms of any contract
b. risk arising from public opinion
c. risk to earnings and capital arising from adverse business decisions or
improper implementation of appropriate business decisions
d. risk to earnings or capital arising from problems with product or service
delivery

139. The key dimensions of establishing objectives are specific, measurable,
accomplishable, results-oriented, and time-bound. What is the main reason why
measurable is important?

a. because it is necessary to know the status of a project
b. because projects must utilize human intervention
c. because measurable mechanisms must have a noun and a verb, the
measuring device and action on what is measured
d. without measurement it would not be possible to know the status of a
project

140. Measuring or comparing an entity’s process or objectives against real or
perceived processes or objectives of another entity is best described as:

a. entity integration
b. establishing goals and objectives
c. process measurements
d. benchmarking

141. Some common uses of benchmarking are:

a. access ideas from proven practices
b. develop best practices
c. maintain a competitive advantage
d. all of the above

142. Best practices benchmarking:

a. helps develop an analysis of competitive organizations
b. is used to analyze core business functions
c. is used when organizations need to improve by realigning with other
organizations that have succeeded
d. is a comparison of all facets of processes across similar and dissimilar
organizations


143. One form of benchmarking is to compare graphical relationships from
different situations. One method of accomplishing this graphically is:

a. compare similar real or perceived relationships
b. compare relationships that are related but not the same
c. compare related components of different entities
d. compare as many relationships as possible to achieve the best average
analysis

144. Residual risk is most related to:

a. control risk
b. audit risk
c. competitive risk
d. managerial risk

145. A caution when using risk mapping is:

a. the elements of risk represented
b. the colors used
c. the terminology used
d. the mapping legend

146. One of the ways to manage risk after it has been identified, measured, and
prioritized is to control the risk. What is another way to manage risk?

a. apply a monitoring mechanism to manage the risk
b. share or avoid the risk
c. reevaluate the risk
d. all of the above

147. When an organization is identifying what they do, who their clients are, and
how they intend to succeed they are:

a. establishing a mission
b. establishing objectives
c. establishing the groundwork to establish business objectives
d. establishing a focus to develop a mission


148. Frequent and highly volatile changes in the business environment should
require:

a. corresponding changes in risk assessments
b. corresponding changes in control applications
c. corresponding changes in objectives
d. all of the above

149. The adequacy and effectiveness of an organization’s activities related to risk
and control management should be a consideration of:

a. the organization
b. internal auditors when planning an engagement of that organization or
activity
c. the external auditors when planning a financial based audit of the
organization or activity
d. the controllers

150. Providing an opportunity to make significant improvements to an
organization's existing risk management and control process would most likely be
a function of:

a. internal auditors
b. management
c. external auditors
d. Audit Committee

151. External vendors can receive or supply various services, various products,
subcomponents, advice, and training. Because of the increasing potential risk
when employing external vendors, it is wise to have legal advice when designing a
contract with an external vendor. These contracts should:

a. always include an appropriate audit clause
b. always include a generic audit clause
c. always include a right to audit usage of subcomponents supplied to the
vendor
d. always include a right to hold payment for poor quality components
from the vendor to the contractee


152. The lack of quality and collaboration among departments can cause
inefficient use of resources, a risk that can be costly. What is a term used for
managing this risk?

a. differentiation
b. communication
c. integration
d. tone at the top

153. Providing education about why a change is necessary, involving those who
will be affected by the change in the change process itself, and supporting the
change effort can all help facilitate change. What are two approaches for change
that should be implemented with caution?

a. negotiation & manipulation
b. coercion & collusion
c. coercion & manipulation
d. negotiation & coercion

154. There are a number of advantages in the monitoring of Key Risk Indicators.
One of these advantages is that Key Risk Indicators can provide an indication of
the achievement of the risk appetite and tolerance. Another advantage of
constant monitoring of Key Risk Indicators is:

a. they can provide an early warning system
b. they do not require an action plan to adjust for identified risk
c. they can help to provide an opportunity for adjustment
d. they can provide an early warning system so preventive controls may
be implemented appropriately

155. How long after a self-assessment workshop should an internal auditor who
participated in a self-assessment workshop conduct a follow-up audit?

a. never
b. when requested and agreed upon between the CAE and the process
owner senior management
c. generally between 6 and 12 months
d. it depends on the severity of the issues identified and discussed in the
workshop


156. The facilitator of a self-assessment project must outline the rules of the
workshop before the workshop actually begins. What are two of the most
important rules to be communicated by the facilitator, in a general business
workshop, before the actual workshop begins?

a. when the workshop will begin and end as well as how agreement will be
reached
b. who will be expected to attend each workshop meeting as well as how
the report will be drafted and distributed
c. how the report will be distributed and how fraud, security, or propriety
issues will be discussed
d. how agreement will be reached and that fraud, security, or propriety
issues will not be discussed

157. The word evidence is often mistakenly only associated with fraudulent or
wrongdoing activities. This is not always the case. Evidence developed in the
risk and control assessment process can be an effective guide for the appropriate
application of risk identification, risk management, risk prioritization, and the
application of appropriate controls. Which type of evidence would most likely be
associated with a Delphi Technique risk assessment?

a. sufficient evidence
b. opinion evidence
c. relevant evidence
d. circumstantial evidence

158. How many questions should be included in a typical risk and control
questionnaire or survey?

a. the maximum number possible
b. the minimum number necessary
c. only a few, for introductory personal purposes
d. generally no more than two or three pages maximum

159. Which type of risk is most representative of a lack of harmony among employees
working together for a common goal?

a. communications risk
b. strategic risk
c. environmental risk
d. information & technology risk


160. Internal auditor-consultants have unique knowledge and experience about
corporate governance. Therefore it is advisable, and may even be legally required
in some cases, that organizations incorporate this expertise and knowledge within
their organizations. This knowledge and experience is a specialty of internal
auditor-consultants. With this knowledge and experience at their immediate
disposal, what should be the ultimate objective of internal auditor-consultants in
relation to their clients?

a. maintain this expertise and knowledge within this specialty group
b. develop a scheduled internal control review program
c. provide scheduled and periodic reviews of processes, depending on
risk
d. assist process owners to assume their own risk and control
management with advice from internal auditor-consultants

161. Less than perfect knowledge about current or pending circumstances in a
process is a challenge that process owners address every day. This situation is
best defined as what type of risk?

a. probabilistic risk
b. environmental risk
c. external risk, the impact from external uncontrollable sources
d. inherent risk

162. An internal auditor has just completed an audit of a warehouse, which
contained valuable material. It was found that the warehouse access was not
secured. What would be an appropriate recommendation, in the audit report, to
secure the warehouse access?

a. place a guard at the access door with a log book to record the time and
date of who entered and exited
b. obtain a key-access pass-through lock from the door hardware section at the
hardware store across the street and install it on the access door
c. install video cameras so as to monitor who enters and exits and the
time and date of access and exit
d. provide a mechanism that will physically secure the access door with
monitoring and recording the date, time, and name of who entered and
exited


163. A senior manager responsible for all warehouse operations has asked the
internal auditor (a one-auditor organization) to consult with that department to
develop new inventory control policies. As part of regulatory requirements, this
auditor must conduct an inventory audit within this warehouse department twice a
year. The auditor’s response to the manager should be:

a. review the consulting guidelines of the audit department with the
manager
b. suggest that they schedule a start time to begin work on the policies
c. suggest that the external auditors conduct the inventory and the
internal auditor will work on the policy
d. suggest that an outside consultant help with the policy development

164. Why would it be necessary for an internal auditor or risk and control
specialist to be a team participant on a self-assessment project?

a. because, of all the participants, they would have the only understanding
of risk and control management
b. because they would be the facilitator of the workshop
c. it is not necessary
d. it is important that they are always in attendance to make sure controls
are addressed adequately

165. Which combination of evidence is most related to each other?

a. primary evidence and corroborative evidence
b. secondary evidence and conclusive evidence
c. secondary evidence and opinion evidence
d. primary evidence and documentary evidence

166. Self-assessment projects typically utilize two main tools. They are the
facilitated workshop and questionnaires. When should questionnaires, in a self-
assessment project, be used as a primary tool?

a. always since they work well in conjunction with other tools
b. when an assessment from a large group is needed
c. never because they eliminate the body language element of
communications
d. only if they can gather all of the information necessary


167. A newly-assigned operations manager of a multinational corporation
manufacturing facility is attempting to develop Key Risk Indicators (KRI) for
multiple processes. As such, this operations manager should make sure that
which of the following is always included when developing these KRI indexes?

a. the different stakeholders of the organization
b. choose highly relevant indicators with a high probability of predicting risks
c. make a balanced set of risk indicators
d. none of the above

168. Developing collaboration and sharing of ideas among risk and control
specialists and process owners can have a tremendous benefit to a process. The
adequate management of internal and emerging risks can contribute greatly to the
necessary compliance and success of a process. The amount of time for the
benefits to be realized may vary depending on each specific situation. However,
over time a collaborative risk and control scheme may help reduce actual risks
through less intrusive methods such as directed internal and external audits.
These can be of particular importance in highly-integrated, interrelated, and
diverse organizations. An organization that is ultra-flexible in order to rapidly
change products and services is the definition of:

a. a company heavily reliant on electronic networking
b. a value-based organization
c. a diversified & recurring revenue stream organization
d. a consumer time value organization

169. Providing consulting and self-assessment can be a new approach to risk and
control management for both the client and the risk and control specialists.
These new approaches may require a change in thinking for all involved. What is
the most significant reason why humans do not like to change?

a. they do not want to take on the effort
b. all of these answers
c. they fear losing something
d. they believe the change does not make sense

170. A discussion at a Board of Directors meeting in a large and growing
multinational corporation that has recently further expanded into new
international markets has become focused on who primarily owns and has
responsibility for internal controls. This corporation traditionally has had
fragmentation and ownership issues. Specifically, process owners take seriously
ownership of their areas of responsibility and tend not to share information or
synergize with other process owners. In this case, who would be primarily
responsible for the ownership of internal controls within the company?

a. the Board of Directors has this primary responsibility for internal
controls in this situation
b. every employee
c. the managers of the processes should take ownership and share their
perspectives with other process owners
d. the executive managers should take ownership and remove the
ownership barriers to improve communications

171. The self-assessment process can improve processes in a number of ways.
What is the most important benefit of self-assessment?

a. it helps develop an integrated control model
b. it helps build a relationship among process owners
c. it helps with the appropriate analysis and reporting of controls
d. it encourages internal auditors to obtain facilitator training

172. Conducting an internal audit can be extensive depending on the complexity
of the process, the politics of the process staff, and the audit staff itself. However,
even as the audit is brought to conclusion, with professional and satisfactory
results, all of this professional effort can be lost if the concerns identified during
the audit are not reported or communicated effectively. The objective of the audit
is to motivate the reader or readers of reports to correct the issues identified
during the audit. Which of the following would be the most effective way an
auditor could motivate the readers?

a. present a clear, concise audit report with adequate evidence to support
the findings and concerns
b. present an oral presentation of the concerns to upper-level
management
c. present the concerns to lower-level management then to upper-level
management
d. present all the levels of detail to lower-level management and upper-
level management

173. Process owners attending a self-assessment workshop for the first time may
require some pre-workshop training that should include:

a. all of these answers
b. self-assessment overview
c. risk overview
d. control overview

174. Which of the following is the best example of risks that business process
owners must manage but have little control over when the risk will occur or what
the impact of the risk will be?

a. new employees
b. changes in socially accepted norms
c. changes in process IT systems
d. an increase in required security

175. The generally accepted elements of reporting a finding are the condition, the
criteria, the cause, the effect, and the recommendation. It is important with the
contemporary reporting approach that internal auditors or reviewers try to identify
and recommend corrective action for the actual root cause of the issues they have
identified. Therefore, in reference to the root cause, the review / audit should:

a. identify the root cause when it is feasible
b. always identify the root cause
c. never identify the root cause since this is management's responsibility
d. only identify the root cause of the most significant issues

176. Because much of the body language of communication is eliminated with
questionnaires, developing risk and control questionnaires can be a challenge
unto itself. A primary consideration when developing a survey is to maintain a
clear focus on the objective of the questionnaire. What is another important
consideration when developing a questionnaire?

a. all of these answers
b. avoid controversial words
c. make it easy for the buyer to buy
d. use a level of content appropriate for the respondent

177. A multinational corporation whose reputation is critical not only to the
corporation but to the world economy is about to perform a risk assessment to
manage its reputational risk. The least concern of this risk assessment process in
this company should be:

a. the timing of the risk occurrence
b. the impact of the risk occurrences
c. the probability of risk occurrences
d. the cost-benefit of the cost of controls vs. the risk

178. An internal auditor who participated in a self-assessment workshop was
asked by the team leader to design and write the self-assessment report. As such,
who will have final responsibility and ownership of the report?

a. the workshop
b. the internal auditor who wrote the report because it is not a formal audit
report
c. the self-assessment team leader
d. the internal audit department

179. Generally there are three considerations when identifying risk. They are
exposure analysis, environmental analysis, and threat scenarios. Which one of
these three considerations would not be appropriate when conducting a risk
identification process?

a. exposure analysis
b. environmental analysis
c. threat scenario
d. none of these

180. In terms of control(s), where can self-assessment provide a particular
advantage?

a. physical security
b. attitude and morale
c. the development of policies and procedures
d. the correction of fraud or inappropriate acts

181. Employees are considered assets, or at least should be considered assets, in
an organization. Putting these assets to work is most represented by what term:

a. human risk
b. communications risk
c. inherent risk
d. union risk

182. With a contemporary view of corporate governance, professional internal
auditors-consultants need to practice salesmanship. The products these
professionals are selling include the philosophy and concepts of risk and control
management (corporate governance). Internal auditors-consultants are, or should
be, selling these concepts to process owners with the intent that the process
owners will take some or an increased responsibility for their own corporate
governance. How should these professionals deliver this message?

a. in such a way that the process owners will embrace the concepts
b. conduct corporate governance presentations at the higher levels and
then work down to the lower levels as appropriate
c. dictate the consequences of not implementing an adequate corporate
governance scheme
d. develop a risk and control training program appropriate for each
specific audience

183. The Enterprise Risk Management (ERM) model is an expanded and enhanced
model of COSO and other previously developed integrated control models. Like
the previously developed models, ERM was developed and implemented as a
reactionary control tool. ERM includes a larger number and many more detailed
components and control objectives than COSO and previous models. As a result
ERM:

a. as a tool by itself can identify controls to rectify all risks
b. is not the only element necessary to rectify control weaknesses
c. in combination with other control models can rectify all control
weaknesses
d. using the strategic management element contained in the model can
adjust for all future and external risks

184. Because of an increasing number of laws and regulations added to the
increased responsibility of the Board of Directors of a large manufacturing
company, the Board of Directors has become concerned about compliance.
Consequently, they have created a team of internal auditors, risk and control
specialists, process owners, and legal professionals to review and ensure that the
controls are in place to ensure compliance. The Board of Directors has asked this
team of professionals to review and suggest improvements in the control scheme
of all the processes and sub-processes as well as the interrelation among these
process units. This is a complex company with multi-level, multi-functional, and
multi-geographic implications. What should be the primary and clear focus of this
professional team to address the adequacy of controls in these processes?

a. the adequacy of controls
b. the immediate status of controls
c. the long-term need for controls
d. answers b. & c.

185. Risk is a measure of the uncertainty in events as a result of changes in the
condition of the business environment. The focus of management is how to
address the consequences of the risk. In terms of impact, which of the following
would have more of an impact than the others?

a. the type of threat
b. duration of the consequences
c. the effectiveness of controls
d. the assets at risk

186. When developing a questionnaire it is most important to:

a. repeat the questions
b. not overload the recipient
c. ask for general information first like organization, department, location
d. develop the questionnaire on a few pages but for the purpose of space
incorporate multiple questions into one question

187. The Delphi Technique, in risk evaluation, is a tool that is most similar to:

a. a financial transaction analysis
b. a self-assessment
c. a process compliance analysis
d. an income and balance sheet reconciliation

188. The manager of the risk and control review team asked team members
that the concerns or findings in their reports be quantified in monetary value,
numbers, or percentages. What are the primary advantage and disadvantage of
these types of quantifications?

a. they provide specific evidence – they can be hard to dispute
b. they get attention – they can become the primary focus
c. they provide support for the conclusion – they get attention
d. they are not specific – they may not be correct

189. Three common approaches when performing a risk assessment are
calculating the risk factors, using historical data, and subjective analysis. Which
of the following would be the best approach when conducting a risk assessment
of the operations in a process?

a. multiplying the probability times the impact times the time to determine
the annual loss expectancy
b. conducting a risk self-assessment to discuss a subjective and objective
view of the potential risk
c. reviewing industry historical risk events
d. none of the above

190. What is the primary component of a self-assessment project?

a. identify if the objectives of the process are adequate and working
b. identify and take action on the issues identified
c. identify if the controls of the process are adequate, appropriate, and
working
d. identify any risks or issues that may impede the accomplishment of
process objectives

191. What type of risk best describes a risk that will require additional control
considerations?

a. service
b. reputation
c. outsourcing
d. residual

192. A SWOT analysis is a tool that would have a most applicable use:

a. in a risk assessment
b. in a feasibility assessment
c. in a control adequacy assessment
d. in a financial compliance assessment

193. It is important to understand the management style of the process owners
where a self-assessment is planned. Which management style would be most
conducive to a successful self-assessment?

a. autocratic
b. custodial
c. management by objectives
d. collegial

194. What is the main focus of a self-assessment activity on a project?

a. gather a team of subject matter experts to discuss issues
b. identify issues and address measures to address the issues
c. gather subject matter experts from every process to get the broadest
input
d. all of these answer choices

195. The Public Company Accounting Oversight Board was established by
Sarbanes-Oxley. As with anything, the laws and regulations for business are
improved upon by newer laws and regulations. ISO 31000 is one of the most
recent such documents. The purpose of ISO 31000 is to:

a. provide a standardized international risk and control philosophy
b. enhance the integration of ERM and COSO
c. provide an integration vehicle to incorporate existing models
d. strengthen existing financial and banking regulations

196. Written reporting of risk and control concerns will help ensure more
comprehensive risk assessments than undocumented reports. In addition, written
reporting can become a management tool facilitating management decisions.
How many written reports should be presented in a typical internal audit?

a. one final report with distribution as required in the internal audit charter
b. two reports consisting of one with an executive summary for high-level
management and one more detailed for the individual process owners
c. two reports consisting of one with an executive summary and one
interim detailed report for line management
d. as many informal and formal reports as is necessary to motivate
management to address the issues

197. COSO, ERM, CoCo, and other control models have one main common
element. What is the main common element integrated within all of these models?

a. strategic planning
b. action
c. integration
d. a feedback mechanism

198. It is most important that internal auditors, who are a control by their very
existence, include some subjectivity, some objectivity, and human judgement
when performing a risk assessment. It is still important to utilize and understand
the available risk assessment mathematical formulas. What mathematical risk
assessment formula would most represent the situation when internal audit did
not provide an adequate or complete appraisal or report to management?

a. annualized loss expectancy
b. absolute ranking
c. modified annual loss expectancy
d. relative ranking or matrix model
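The formulas named in questions 189 and 198, worked through as an added example that is not part of the study guide: annualized loss expectancy (single loss expectancy times annualized rate of occurrence) beside a relative ranking (likelihood times impact) matrix, applied to the same set of risks so the two orderings can be compared. The risk figures are constructed, the function names are the example's own, and the control-effectiveness form of the "modified" ALE is an assumption, since the page names the term without defining it.

```python
"""Risk assessment arithmetic: annualized loss expectancy versus a relative ranking matrix.

Added example, not from the study guide. All risk figures below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float        # single loss expectancy: loss per occurrence, in currency units
    aro: float        # annualized rate of occurrence: expected events per year
    likelihood: int   # ordinal 1..5 score used by the matrix model
    impact: int       # ordinal 1..5 score used by the matrix model


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected loss per year before any control is credited."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def residual_ale(sle, aro, control_effectiveness):
    """ALE after a control that prevents a fraction of occurrences.

    Assumption of this example: the page names a 'modified' ALE but does not
    define it; crediting control effectiveness is one common form.
    """
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be in [0, 1]")
    return annualized_loss_expectancy(sle, aro) * (1.0 - control_effectiveness)


def matrix_score(likelihood, impact, scale=5):
    """Relative ranking (heat map) score: likelihood x impact on an ordinal scale."""
    if not (1 <= likelihood <= scale and 1 <= impact <= scale):
        raise ValueError(f"scores must be integers in 1..{scale}")
    return likelihood * impact


def rank_by_ale(risks):
    """Risk names, highest ALE first; ties broken by name."""
    key = lambda r: (-annualized_loss_expectancy(r.sle, r.aro), r.name)
    return [r.name for r in sorted(risks, key=key)]


def rank_by_matrix(risks):
    """Risk names, highest matrix score first; ties broken by name."""
    key = lambda r: (-matrix_score(r.likelihood, r.impact), r.name)
    return [r.name for r in sorted(risks, key=key)]


SAMPLE_RISKS = [  # constructed figures, not from any real assessment
    Risk("ransomware on file server", sle=200_000, aro=0.1, likelihood=2, impact=5),
    Risk("phishing credential theft", sle=5_000, aro=12, likelihood=5, impact=2),
    Risk("data centre power loss", sle=50_000, aro=0.5, likelihood=3, impact=3),
    Risk("lost laptop", sle=2_000, aro=4, likelihood=4, impact=1),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        ale = annualized_loss_expectancy(r.sle, r.aro)
        print(f"{r.name:28} ALE={ale:>10,.0f}  matrix={matrix_score(r.likelihood, r.impact)}")
    print("by ALE:   ", rank_by_ale(SAMPLE_RISKS))
    print("by matrix:", rank_by_matrix(SAMPLE_RISKS))
```

On the constructed figures the two models disagree: the matrix scores ransomware and phishing equally (10 each), while ALE puts phishing three times higher because a frequent small loss outweighs a rare large one once the rate of occurrence is multiplied in. That is the reason the study guide pairs the formulas with subjective review rather than relying on either alone.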

199. Internal auditors acting as consultants would provide the most benefit to a
process owner if they explained:

a. the concepts of risk to the process owner
b. the concepts of external risk to the process owner
c. the concept and relationship of risk and controls to the process owner
d. the concept of controls to the process owner

200. Generally speaking where could an internal auditor provide the most
understanding of risk for process owners?

a. all of these answers
b. strategic management & external risk
c. general risk
d. risk appetite

201. Some ways to manage risk are to control the risk, share the risk, or avoid the
risk. The best example of controlling a risk is:

a. not making an investment
b. purchasing catastrophic loss business insurance to manage a major
disaster
c. implementing an IT system with an appropriate disaster recovery
system
d. none of these are an example to control risk

202. COSO is an integrated control model. COSO has become not only a useful
tool in the management of risks and controls but is recommended for use by
some contemporary risk and control laws and guidelines. There are five
components in the COSO model and three control objectives. Combined these
can help evaluate 15 process dimensions. In addition, there are a number of
subcomponents within these components and control objectives. Tone at the
Top, a crucially important subcomponent, is one of these subcomponents. Tone
at the Top is a subcomponent of which of the COSO control objectives?

a. operations
b. compliance
c. financial
d. none of the above

203. Internal auditors have an opportunity to bring additional value to process
owners by providing corporate governance, consulting, and advisory services.
Operating in the consulting capacity internal auditors have a greater latitude to
provide advice. When internal auditors function as consultants they must be
most aware of:

a. process owners
b. management
c. external auditors
d. perception

204. Continuous monitoring of risks and controls is a key element of:

a. compliance testing
b. traditional auditing
c. assurance
d. self-assessment

205. Human risk (people risk) includes fatigue, memory lapses, inattention,
collusion, unacceptable behavior, sabotage, and negative morale. Which of the
following categories of risk is also most closely related to the human factor?

a. service risk
b. environmental risk
c. contract risk
d. communications risk

206. A senior Vice President has heard that the internal audit department of the
company can provide consulting services, which would replace actual internal
audits. This Vice President asked the CAE how internal audits could be replaced
with an internal audit consulting project. A most appropriate response from the
CAE would most likely be:

a. answers c. & d.
b. internal audit cannot provide consulting services but they could
recommend a group that does
c. first the consulting activity would not necessarily replace the need for
actual internal audits
d. an internal auditor would work with the vice president's department
providing guidance and direction

207. Service risk and quality of product are very much related to each other. They
are both focused upon providing the best quality product or service to the
customer or client. Which of the following categories of risk would not be an
ingredient of providing quality product or service perceived by a customer?

a. contract risk
b. outsourced risk
c. marketing or sales risk
d. none of the above

208. The main advantage of operational auditing as compared to more traditional
auditing is:

a. all of these answers
b. operational auditing is broader in scope and does not require detailed
analyses such as statistical sampling and analytical models
c. operational auditing can provide specific guidance to management for
the implementation of controls
d. operational auditing helps to look at the risks and controls in
interrelationships among processes

209. The self-assessment process is a great client-focused approach to analyze
and address risk and control issues. Because process owners are involved, the
likelihood of risk and control issues being adequately addressed increases. As
such, a self-assessment process will provide:

a. absolute risk and control assurance
b. reasonable risk and control assurance
c. process owner risk and control assurance
d. subjective risk and control assurance

210. Risk communications can best be described as:

a. developing and communicating a corporate governance philosophy
b. communicating the risk threats and controls
c. communicating a risk management philosophy
d. demonstrating high level support of the risk management philosophy

211. The best involvement of corporate governance should be:

a. with process owner management
b. with the board of directors
c. with the board of directors, the executive management, the process
owner management, and the audit team
d. with everyone

212. Audit reports, as well as risk and control specialists' reports, are
typically edited multiple times by multiple levels of management before
publication. This can significantly delay the time from completion of the
assessment field work to the publication of the report. What would significantly
help to decrease this editing time?

a. limit the findings to the six most significant findings
b. publish an executive summary first, then a more detailed report later if
needed
c. decrease the number of signatures required on the report
d. peer reviews

213. A complete COSO review requires extensive resources including time, effort
to complete, and analysis. Fraud investigations most often require swift and
decisive actions. These two statements are opposite of each other.
Consequently:

a. COSO should not be used in any type of fraud work
b. COSO can be used to develop evidence and disseminate the swift and
decisive action
c. COSO should only be used as an operational internal control tool
d. COSO could be used to help prevent fraudulent acts in the future

214. Contemporary internal auditors:

a. should be comfortable with selling techniques
b. should be comfortable with financial perspectives and financial ratios
c. should be comfortable with human interactions
d. all of the above

215. An organization’s success is most dependent upon:

a. the products or services provided
b. their overhead costs
c. their ability to deliver products or services
d. their customer-driven focus

216. The prime commonality of Basel III, COSO, CoCo, COBIT, ISO 31000, and
ERM is:

a. they all have the same purpose
b. they all work in harmony with each other
c. they were all reactive to risk and control issues
d. they all require extensive paperwork

217. COBIT is primarily an information technology integrated control framework.
As such, it should be or can be used in conjunction with general business
integrated control frameworks such as COSO and ERM to analyze the information
technology perspective of process risk and control adequacy. As such COBIT:

a. elements should only be implemented in total, not as individual parts
b. should be used to address information technology control issues in a
business analysis
c. can be used to analyze business controls
d. should be used to supplement business analytical tools such as control
models and quality analysis tools

218. The main purpose of ISO 31000: 2009 is to provide a standard for the
implementation of risk management principles and a generic guideline for risk
management. As such, ISO 31000: 2009 is intended to be a:

a. universal guideline applicable to any public, private or community
enterprise, association, group, or individual
b. universal risk and control model applicable to all international business
situations
c. universally accepted risk and control management law applicable
across international boundaries
d. universal regulation for public or private companies in an international
relationship

219. In order to have an effective risk and control philosophy the tone for
corporate governance must have a foundation at the highest levels in an
organization. However, a concern of risk and control specialists including internal
auditors attempting to assist in solidifying this corporate governance philosophy
is that these higher levels of management may not fully understand all of the
elements of a corporate governance strategy. Therefore, it becomes important
that these risk and control specialists educate these higher levels of management
in the details of corporate governance and the implications of effective and
ineffective corporate governance. Appropriate risk and control education may be
necessary. With this in mind, the best approach for the risk and control specialist
should be to:

a. provide a multi-day detailed risk and control education program to
these high-level managers
b. provide a few hours of risk and control education but be prepared for a
longer session as requested
c. provide one day of detail risk education and then one day of control
training to these high-level managers
d. provide a quick overview of corporate governance and their legal
implications to the high-level managers

220. Operational auditing:

a. will provide guidance without questioning management decisions in
detail
b. will provide an assessment to see if resources are being adequately
and appropriately managed
c. will provide reasonable assurance that accountability requirements are
being met
d. all of the above

221. The ERM model expanded previous integrated control models into more
definitive areas of analysis. In addition, ERM included two perspectives that had
not been mentioned in much detail in previous models. These are strategic
management and the use of analytical models. Both of these perspectives can
help address the changing environment in which a process operates. Which
analytical model is most associated with the changing environment?

a. a sensitivity analysis tool
b. a queuing theory analysis
c. a critical path method analysis
d. a gaming theory tool

222. CoCo, designed by the Canadian Institute of Chartered Accountants, has an
added element not specifically apparent in prior integrated control models. This
element is a complete feedback loop including monitoring and action. In addition
to this addition, what is one other important key element in the CoCo model that
was not in previous models?

a. the appropriateness of objectives and control activities
b. the six critical objectives
c. monitoring and action
d. the seven components

223. Emerging risks are best defined as:

a. new risks to the environment
b. significant external risks
c. risks related to new products or services
d. risks that can be anticipated and controlled

224. An audit manager from a multinational corporation was asked to speak at a
high school career day program. The purpose of the presentation was to provide
an overview of various career opportunities. A student asked the audit manager
what exactly an internal auditor's function is. The best answer the audit manager
could provide would be:

a. we analyze the financials
b. we add value to an organization
c. we look for fraud
d. we pursue questionable activities

225. An effective review, evaluation, and management of key risks is a process
that requires:

a. all of these answers
b. collaboration among process owners and risk and control specialists
c. an understanding by process owners of the risk management process
d. an empathetic approach by internal auditors toward process owners

226. Basel III is:

a. a risk and control model designed to supplement ISO 31000: 2009
b. a grouping of banking and financial regulations
c. a series of banking and financial regulations which will streamline
existing banking and financial regulations
d. all of these answers

227. Continuous monitoring of the ever-changing environment for efficiency,
effectiveness, and economy is critically important in effective management.
Reviewing of the relative risks and controls of that environment is a valuable
service to management. Which of the following would be the best approach to
address this continuous monitoring?

a. preventive auditing
b. program auditing
c. program evaluation
d. all of these answers

228. A main concern of process owners when implementing a continuous
monitoring process of office telephone usage is:

a. excessive paperwork
b. rebuttal by employees
c. communications budget issues
d. not understanding the data provided

229. Internal audit is an independent professional service that improves the
quality of information or its context for decision makers. The contemporary
concept of the new internal audit function is to hold the process owners at all
levels responsible for the adequate management of their internal controls. To this
end, internal audit provides oversight, guidance, and review of the adequacy of
internal controls. When internal audit exercises these responsibilities by
scheduling internal audits or consulting activities, the internal audit function's
prime consideration should be to:

a. schedule audits based on how long it has been since the last audit of a
specific process
b. perform an appropriate risk assessment to determine what areas and to
what extent to audit or review
c. assign the number and the expertise of the auditors based on the
location of the audit to be conducted
d. determine when the audit will be conducted based on the availability of
the client

230. The reporting dimension of any operational audit should include face-to-face
closing meetings as well as a written report. An operational audit should include
how many closing meetings?

a. the number that is appropriate
b. the number that the client decides
c. the number that the auditor decides
d. the number that is dependent upon the availability of upper-level
management

231. Internal audit has evolved over the years. Consequently the main
contemporary responsibility of internal audit is to:

a. review appropriate and an adequate amount of data to determine what
control weaknesses have occurred
b. develop an appropriate statistical sample to minimize the possibility of
an audit risk
c. interview an adequate number of employees to ensure that there is an
ample understanding of policies, procedures, and other controls
d. help identify what risks may occur as well as what risk have occurred

232. It is advantageous for process owners to implement their own internal
control scheme. Information technology systems can assist with this objective.
By implementing an internal control monitoring scheme, process owners can
continuously monitor the process for deviations from accepted risk norms.

What is a main caution of implementing an ongoing monitoring scheme?

a. there is none, as this will provide an ongoing internal control monitoring
methodology
b. the system is not formally updated with program changes
c. the system is not updated with a program change
d. the system does not provide usable reports

233. One of the purposes of the written audit or review report is to motivate the reader (process owners) into action to correct issues identified during the audit or review. Which of the following would be the best standard approach to motivate a reader of such a report?

a. establish a very firm tone with back-up evidence
b. establish a softer tone, but with supporting evidence
c. establish a tone appropriate for the situation with adequate and supporting evidence for the conclusions
d. none of these answers

234. What would be the most effective and efficient second layer of controls when process owners have implemented their own continuous monitoring information technology system?

a. implement periodic control reviews of the monitoring system
b. make sure the process owners have adequate information technology training
c. utilize external information technology experts
d. make sure the system is operational




235. The manager of a department was concerned with the stationery budget. The amount spent on copy paper seemed excessive and was growing. Compared with other similar departments, this department’s copy paper usage was 157% higher. How could the manager incorporate a continuous monitoring information technology scheme for the use of copy paper?

a. hold all the copy paper in the office and have employees ask for it as they need it
b. allocate a reasonable amount of copy paper to each employee; when they exceed that amount, they would have to sign for additional paper
c. tell all the employees about the problem and limit the ordering of copy paper
d. incorporate an employee code identifier into the copy machine

236. From a global perspective, operational auditing is concerned with:

a. the details of management’s decisions
b. the organization’s strategy to achieve objectives
c. the development of the organization’s budgeting
d. the integration of management decisions with overall financial results

237. If management has a system of effective measurements in place, then an auditor or risk and control review specialist may approach the review by assessing the appropriateness of operational indicators. What should be the main focus of the reviewer?

a. key risk indicators
b. operational indicators
c. the measurements
d. internal controls




238. The contemporary professional internal auditor must be able both to look at historical data and to provide insight into potential risks. Utilizing information technology tools can assist in this effort. What would be a primary advantage of utilizing information technology tools when analyzing data in real time (current)?

a. the ability to use information technology to develop analytical models
b. the ability to represent the concerns in a graphic representation with analytical support
c. the ability to search substantial data
d. the ability to continually monitor key processes
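Questions 232, 234, 235 and 238 all refer to an information technology scheme that continuously monitors a process for deviations from accepted norms. The following Python script is an added illustration, not part of the McKeever study material, of what such a scheme looks like for the copy-paper scenario in question 235: each job is recorded against the employee code entered at the copier, the department total is compared with peer departments, and individual codes are compared with their department's median. The departments, employee codes and page counts are constructed sample data, and the alert thresholds are assumptions.

```python
"""Continuous monitoring of copy-paper usage by employee code (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample jobs, one per copy/print job: (department, employee_code, pages).
# Not real data; the numbers are chosen so that "marketing" sits roughly 157%
# above its peer departments, as in the question, driven largely by one code.
SAMPLE_JOBS = [
    ("finance", "F001", 120), ("finance", "F002", 140), ("finance", "F003", 130),
    ("hr", "H001", 110), ("hr", "H002", 125), ("hr", "H003", 135),
    ("marketing", "M001", 130), ("marketing", "M002", 150),
    ("marketing", "M003", 557), ("marketing", "M004", 140),
]


def pages_by_department(jobs):
    """Total pages per department."""
    totals = defaultdict(int)
    for dept, _code, pages in jobs:
        totals[dept] += pages
    return dict(totals)


def pages_by_employee(jobs, dept):
    """Total pages per employee code within one department."""
    totals = defaultdict(int)
    for d, code, pages in jobs:
        if d == dept:
            totals[code] += pages
    return dict(totals)


def department_deviation(jobs, dept):
    """Department usage as a percentage above (+) or below (-) the peer-department mean."""
    totals = pages_by_department(jobs)
    peers = [v for d, v in totals.items() if d != dept]
    peer_mean = sum(peers) / len(peers)
    return round((totals[dept] - peer_mean) / peer_mean * 100, 1)


def flag_outliers(jobs, dept, multiple=2.0):
    """Employee codes whose usage exceeds `multiple` times their department's median."""
    by_emp = pages_by_employee(jobs, dept)
    med = median(by_emp.values())
    return sorted(code for code, pages in by_emp.items() if pages > multiple * med)


def monitor(jobs, dept, dept_threshold_pct=25.0, multiple=2.0):
    """One monitoring cycle: returns alert strings, or an empty list when within norms.

    The thresholds (25% above peers, 2x the department median) are assumed values
    that a process owner would set to match the accepted risk norm for the process.
    """
    alerts = []
    deviation = department_deviation(jobs, dept)
    if deviation > dept_threshold_pct:
        alerts.append(f"{dept}: usage {deviation:.1f}% above peer departments")
    for code in flag_outliers(jobs, dept, multiple):
        alerts.append(f"{dept}: employee code {code} exceeds {multiple}x department median")
    return alerts


if __name__ == "__main__":
    for department in sorted(pages_by_department(SAMPLE_JOBS)):
        for line in monitor(SAMPLE_JOBS, department):
            print(line)
```

Two practitioner caveats follow from the questions themselves. First, the monitoring is only as good as the identifier it keys on: a copier code that employees can share or guess attributes usage to the wrong person, so the control is stronger when the code is tied to a badge or PIN. Second, as question 234 implies, the monitoring system itself needs periodic review, since a threshold or report that is never revisited will silently stop reflecting the accepted risk norm.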

239. Including a background of the topic audited or reviewed in a report can be helpful when developing a perspective of the topic reviewed. How much detail should the background contain?

a. an amount necessary for the readers to develop a perspective of the topic audited
b. a balance of information for those familiar with the topic and those not familiar with the topic audited
c. a substantial amount of detail so that anyone reading the background can extract what they need
d. a minimum amount of detail so as not to be condescending to the reader



McKeever CRMA Exam Application Questions, Answers & Explanations

Application Questions, Answers & Explanations

Note:

This module is designed to work with both the Application Questions module and the Domain modules.

Review each question you see in either module.

Answer that question the best that you can.

Then check your answer and read the explanation for that question in this module.

This process both reinforces your understanding of the material and improves your test-taking technique.

There are over 80 additional questions within the domain material.




1. Today’s business environment is very fluid. As a result, the objectives, risks, and controls are constantly changing. Therefore, when establishing controls it is important to:

a. address changes in risks and controls that result from the changing environmental issues and implement adequate controls to satisfy the long-term consequences
b. establish a recurring process to address developing risks
c. conduct periodic self-assessment workshops to address the adequacy of controls
d. schedule meetings with the Board of Directors to stay informed about current changes in the environment

Answer a. is the correct answer. Today’s business environment is constantly changing; therefore the company’s objectives, risks, and controls are constantly changing as well. Controls put in place at one point in time and left in place permanently may not be appropriate in the long term. A fixed control might remain adequate in a very few cases, but it is unlikely that a control would never need to change to address current business situations. Remember, as the environment changes, so do the objectives, so do the risks, and so do the controls. Companies with higher risks would need to change their controls more often. Answer c. does not address this question, so it can be quickly eliminated. Answer b. only addresses risk; the question asks about controls. Answer d. is vague: it implies that the meeting would provide information about changes in the environment but does not indicate what would be done with that information.

2. Which, in the correct sequence, are the four necessary steps in risk management?

a. prioritize, identify, measure, and act
b. act, identify, prioritize, and measure
c. act, prioritize, identify, and measure
d. identify, measure, prioritize, and act

Answer d. is the correct answer. Risk management requires identifying risk before
taking action. Risk management requires measuring and prioritizing risk so that
correct action can be taken.




3. The We Make It For You Company provides custom-made products and parts on demand for a number of domestic and international companies. In general, the parts are made to specification and then shipped to the ordering company for inclusion in their final products. In terms of risk, which of the following categories of risk would or should most concern the We Make It For You Company?

a. country risk
b. transaction risk
c. credit risk
d. reputation risk

Answer d. is the correct answer. The parts (subcomponents) provided by the We Make It For You Company may be critical to the final products of their customers. Poor quality in these subcomponents would not only cause additional costs to reproduce them but could also result in other financial repercussions, such as personal injury claims and even legal action. As a result, reputational risk is the issue in this case. These negative implications would most likely result in loss of business for the We Make It For You Company and even the possibility of going out of business completely. Remember that information about negative reputational events spreads quickly. It is important to maintain quality.

4. In order to establish a sincere risk management culture within a company, upper-level management should communicate their tone and risk management philosophy to everyone. The best communication channel to achieve this would be:

a. weekly broadcasts to all employees
b. demonstrating upper-level sincerity through their actions
c. publishing the upper-level management risk management philosophy in the company newspaper
d. communicating the risk management philosophy at meetings in person with employees

Answer b. is the correct answer. Although all of the answers would be good methods to communicate the company’s risk management philosophy, the best answer is answer b. Actions speak louder than words. All of the tangible communications media suggested in the other answers will mean nothing if lower-level employees do not believe that upper-level management really and sincerely believes in what they are communicating.




5. The purpose of The Institute of Internal Auditors' Code of Ethics is to promote an ethical culture in the profession of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. As such, it helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Which of the following is not an excerpt from the professional practice guidelines for internal auditors?

a. shall not accept anything that may impair or be presumed to impair their professional judgment.
b. internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
c. this participation includes those activities or relationships that may be in conflict with the interests of the organization.
d. none of the above

Answer d. is the correct answer. Answers a., b. & c. are all excerpts from The Institute of Internal Auditors' professional practice guidance.

6. During a recent risk assessment exercise utilizing a team of process owners, a discussion of how to address the interrelationship of risk among the processes began to escalate. It seems that the process owners could not agree on the risks that should be addressed. What was most likely a reason for this lack of focus?

a. the process owners do not understand the consequences of risk
b. the process owners do not understand the overall objectives of the processes
c. the process owners should identify, measure, and prioritize the risks
d. the process owners should work in smaller teams to discuss risks in the individual processes and then work as a group

Answer b. is the correct answer. Answers c. & d. are not relevant to this question. Answer a. would seem like a reasonable choice, especially since the word risk is included in the answer statement. However, the question implies that an interrelationship of risk among processes is being discussed and not agreed upon. This would mean that there was a lack of understanding of the overall objectives. Answer a. is very specific, but it only implies that the team does not understand the consequences of risk; it does not indicate that this is the risk relative to the interrelationship among processes. Watch the wording and think about the answers before making a quick choice.




7. One of the most significant differences between the control objectives of the COSO model and the ERM model is:

a. effective and efficient usage
b. strategic thinking
c. compliance with applicable laws
d. probability

Answer b. is the correct answer. ERM adds strategic thinking as a control objective. Answers a. & c. list control objectives covered by both ERM and COSO. Answer d. lists an item that is not a control objective.

8. The Senior Vice President of Operations reports directly to the Chairman and President of Products Inc. This is a family-owned company which has grown substantially over the past few years. Now named Products International, its growth can be attributed mostly to the purchase of three international companies. These newly-purchased companies provide similar products as the parent company and were also looking to expand to international markets. As all of these companies provide generally the same products, which type of operating system is Products International?

a. product differentiation environment
b. open
c. conglomerate
d. closed

Answer b. is the correct answer. An open system must interact with the
environment. This is a more likely situation in today’s environment. Open
systems can be very complex and require innovative and proactive management.
Open systems have to find and obtain needed resources, interpret and act on
environmental changes (external risks), dispose of outputs, control and
coordinate internal and external activities, and manage environmental changes.
Sometimes they work closely with competitors and international markets.
Answers a. & c. are not relevant to this question. Answer d. can be eliminated
because it is the exact opposite of an open system as it is described in the
question.




9. Which of these methods would be appropriate if the potential risks of a project outweighed the potential benefit?

a. sharing
b. avoiding
c. prioritizing
d. accepting

Answer b. is the correct answer. There are some potential projects where this
might be the case. In this case the best approach would be to avoid that project
and invest resources into a project with less risk or greater potential benefits.
Answers a., c. & d. are other methods to address risk but not the best for this
situation.

10. There are four basic tasks necessary when conducting a risk management exercise.
These tasks are: identify the risk, measure the risk, prioritize the risk, and act on the risk.
Which of the following would not be considered part of the act task?

a. share
b. avoid
c. prioritize
d. accept

Answer c. is the correct answer. Prioritizing is not an act to address risk. It is one
of the acts to help determine risk. Answers a., b. & d. are all actions to deal with
risk.

11. When functioning in a consulting role as a risk and control specialist, an internal auditor is concerned with strengthening controls to manage risk. Therefore, when functioning as a consultant it would not be appropriate for an internal auditor to:

a. suggest that a follow-up audit be conducted at some time in the future to determine if the recommended controls are adequate
b. follow up with an internal audit to ensure that the recommended controls were implemented as specified
c. not become involved in any follow-up audit
d. schedule follow-up audits with the client in specific areas with auditors other than those who acted as the consultants on the project

Answer b. is the correct answer. An internal auditor acting as a consultant on a project should not be part of any follow-up audit. This helps maintain internal audit independence and objectivity. Answers a., c. & d. are appropriate.




12. Which of the following are risks related to ecommerce?

a. customer expectations
b. reputation
c. information integrity
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. are all risks related to
ecommerce.

13. At a recent conference a panel of Audit Committee members was asked if that conference was addressing the areas that concern Audit Committees.

One member reviewed a copy of the program and stated the program was generally addressing those issues. That member stated a concern about a session called “Internal Auditors as Consultants”. He stated, “I am not certain that I want my internal auditors to become consultants.”

As a CAE, how would you answer that concern?

a. ignore that audit committee member
b. agree with that audit committee member
c. explain that modern internal auditors should become internal consultants
d. explain that contemporary internal auditors add consulting skills to audits to provide a more comprehensive service to their clients

Answer d. is the correct answer. The role of auditors in the ever-changing, complex business world requires the use of a wide variety of skills, including those that successful consultants use. Using skills such as education, self-assessment, and process improvement will enable internal audit to contribute more value to the organization while continuing its own unique contributions. Answers a., b. & c. are not the best answers because they would ignore an opportunity to expand internal audit’s influence.




14. A customer is very upset with a person who treated him very rudely. The customer stated that he would never shop at that store or any other store in that chain in the future. What type of risk is this?

a. information integrity
b. reputation
c. customer expectations
d. all of the above

Answer b. is the correct answer. This is an example of reputation risk: one rude encounter has cost the entire chain, not just the one store, a customer’s future business. Answers a., c. & d. are not the best answers.

15. Objectives are a very important element for the success of any process. Which of the following would most likely be the root cause of risk among and within various processes when consequences are not adequately considered?

a. there is no evidence of an analysis of risk probability and impact
b. an adequate risk assessment had not been completed
c. this is not an issue because each process probably has different functions and objectives
d. communication is weak

Answer d. is the correct answer. Answers a., b. & c. are not relevant to this question.

16. Organizational objectives have been mostly applied in the Management by Objectives (MBO) approach to objective achievement. The MBO approach facilitates communication between managers and their subordinates. Therefore, organizational objectives, in order to be effective, should:

a. be maintained and functional between a subordinate and their manager
b. be emulated and migrated
c. combine all of the efforts of the individual departments toward an end goal
d. be used only in a highly open and communicative organization

Answer c. is the correct answer. This question can be somewhat misleading. The first part of the question outlines MBO. However, the question is actually in the last sentence. The question asks about organizational objectives, not MBO. Be careful of misleading information in the questions. Look for the question statement and answer the question that is asked.




17. Stakeholders in a company can take many forms. They can range from the Board of Directors to every employee at any level within the company. External stakeholders can be stockholders or other investors, customers, suppliers, contractors, and others. Internal stakeholders consist of executives; upper-level, middle-level, and lower-level management; and non-management employees. In terms of ethics and the ethical tone, who should establish and monitor the ethical tone for the external stakeholders and their relationship with the company?

a. the investor community, including the Securities and Exchange Commission
b. the company attorneys who develop the contracts with the external stakeholders
c. the Board of Directors of the company, but the middle-level and lower-level management of the company should provide the monitoring for compliance
d. the Board of Directors of the company

Answer d. is the correct answer. This question contains a substantial amount of background information which is not relevant to the actual question. The specific question is in the last sentence. It asks who should establish and monitor the ethical tone (key words “ethical tone”). The Board of Directors would probably not do the specific monitoring of ethics but would, or should, ask for reports from lower-level management on the effectiveness of ethical standards and tone. The Board of Directors is responsible for setting the tone and for making sure the tone is emulated and followed within the organization.

18. A private school recently experienced flooding. The administrator quickly emailed
the parents of all students to go to a different school location where the teachers would
meet the students.

What risk was addressed by having this current and functioning business continuity and
contingency plan?

a. information integrity
b. reputation
c. customer expectations
d. all of the above

Answer c. is the correct answer. If this private school failed to deliver a quality education despite the flooding, the school would have failed to meet customer expectations, causing parents to consider other schools. Answer c. is broader in scope than answers a. & b. Answers a. & b. are not correct; therefore answer d. is also not correct.




19. Which of these risk factors should be considered in performing a risk assessment?

a. subjective risk factors
b. objective or historical risk factors
c. calculated risk factors
d. all of the above

Answer d. is the correct answer. A risk assessment should consider all of these factors. Answers a., b. & c. all list factors to consider.

20. Which of these is an effective way to identify soft controls?

a. determine if employees care
b. determine if procedures are sincerely followed
c. determine if there is a procedure in place
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. all list some of the ways to identify the effectiveness of soft controls. “Sincerely” is the key word in answer b. Further, in order for answer b. to be effective, answer c. would have to be completed.

21. Which of the following is not an objective of integrated control frameworks?

a. generate higher quality recommendations
b. a standard format for risk assessment
c. determine if there is a procedure in place
d. create greater evaluation of soft controls

Answer b. is the correct answer. Integrated control frameworks provide a “framework”, not a standard format. Each organization creates its own formatted solution. Answers a., c. & d. all list an objective of integrated control frameworks.

22. Which of the following would be the best organizational culture to implement
organizational objectives when there were concerns with wrongdoing activities?

a. role
b. power
c. achievement
d. person / support

Answer b. is the correct answer. Wrongdoing activities require swift and decisive actions. Answers a., c. & d. do not provide swift and decisive actions.




23. The Board of Directors of a large international company has become concerned about an increase in risk exposure. This concern has been amplified among the Board members by the increase in domestic and international risk and control models, including ISO 31000. Realizing the need to maintain compliance with this ever-increasing regulatory platform, the Board of Directors has asked internal audit to establish a program which will ensure company compliance. Which of the following approaches should internal audit pursue?

a. establish a training program to educate everyone about the regulatory requirements and also help build a foundation of belief in the need for the regulatory requirements
b. first establish a written or oral survey to determine which regulatory issues should be addressed first, minimizing the need to address everything at once
c. determine which departments could have the greatest impact on non-compliance and work with them first, providing training, guidance, mentoring, and coaching
d. none of the above

Answer c. is the correct answer. This answer implies some risk identification, prioritization, and then some action to address the concerns. Answer a. implies education for everyone; the word “everyone” is a clue that this answer is not correct, because not everyone may need the training. Answer b. is not relevant to this question. Answer d. is not correct because answer c. is correct.

24. Which of the following is (are) risk(s) of outsourcing?

a. expected benefits are not always measurable
b. outsource vendor substandard performance may affect the company’s operations
c. perceived cost advantages may not be realized
d. critical and sensitive data may be inadvertently disclosed
e. all of the above

Answer e. is the correct answer. Answers a., b., c. & d. are all examples of outsourcing risk.




25. There are a number of risk mitigation scenarios. In simple terms, some of these scenarios are: risk acceptance (the process owner accepts the risk and the consequences of the risk), risk transfer (some of the risk is transferred to another entity or process; insurance is an example), and risk reduction (decreasing the impact of risk by applying controls at the right time in the right amount). What is a description of risk contingency?

a. taking the necessary steps to comply with required laws and regulations
b. implementing adequate planning to address risk should it occur
c. in terms of negative risk, reducing the magnitude of an adverse impact
d. implementing specific controls to target specific financial risks

Answer b. is the correct answer. This is one of the basic risk philosophies (“what if this happened, and what would we do?”). In this case, thought is given to the possibility of a risk event occurring and to anticipating how to manage that risk should it occur. This is very much like a preventive control. Waiting until a risk event has occurred and then managing it could mean crisis management, which is often neither efficient nor effective. Answer a. can be eliminated because it mentions only laws and regulations, that is, only one type of risk issue; generally, there are many other types of risk present in a process. Answer c. is more like a corrective control. In addition, answer c. mentions only negative risk. Considering what could happen can also apply to positive risk. For example, a positive risk could be anticipating that some investment would double or triple in value in some period of time. This could have an impact on operations or on other financial or legal obligations.

26. The Manufacturer of Technical Things Company manufactures highly-technical electronic products. Further, it operates in a highly-competitive market. The company realizes that competition comes from many international as well as domestic sources. Because of this working environment, this company performs risk assessments in many dimensions every two or three months. A new CEO has just arrived at this company from a company that works in a much more closed environment. The new CEO immediately wants to reduce time spent on the risk assessment process, indicating that it is a waste of time and suggesting that once or no more than twice a year would be adequate. The new CEO suggested that the company resources could be better used in other areas than sitting around in a room doing risk assessments every month. As the risk officer, you should:

a. demonstrate to the new CEO the impending risks of the international competition
b. tell the new CEO that this company is not like his previous company
c. agree with the new CEO, as it does make sense from an efficiency point of view
d. try to convince the new CEO that frequent risk assessments in our company’s type of environment are very appropriate if we are to succeed

Answer d. is the most politically astute approach. Answers a., b. & c. will not contribute to successful risk management.




27. The IIA Code of Ethics applies to which of the following:

a. each IIA individual member
b. any person with any IIA certification
c. members of any organization with IIA affiliation
d. both individuals and entities that provide internal auditing services

Answer d. is the correct answer. The IIA Code of Ethics applies to both individuals and entities that provide internal auditing services. Answers a., b. & c. are only partially correct.

28. The Rules of Conduct of The IIA Code of Ethics covers which of the following:

a. competency
b. confidentiality
c. integrity
d. objectivity
e. all of the above

Answer e. is the correct answer. Answers a., b., c. & d. list items that are covered
in The Rules of Conduct of The IIA Code of Ethics.

29. Product and service quality risk can best be defined as:

a. resulting from not adhering to product design specifications and not following manufacturing best practices
b. resulting from providing poor or delayed service to customers, leading to a dissatisfied customer perception
c. non-compliance with contractual agreements resulting in dissatisfied customers
d. producing inferior products or services resulting in increased cost of rework

Answer d. is the correct answer. Producing inferior products or services is a function of poor quality. Further, poor quality can decrease customer loyalty and perception. In addition, poor quality can cause increased cost to the process because of recalls, rework, and additional marketing to satisfy unhappy customers. Good quality control is a preventive control. Answers a. & b. could be causes of producing inferior products or services. Answer c. can be eliminated because it is not an appropriate answer for this question. Remember, the question asks for the best answer. This means that there could be a number of good answers, but the correct answer is the best one. Generally, the best answer is the most inclusive, bigger-picture answer.




30. While auditing development of your company’s new ecommerce system, which of the following would define potential risks?

a. dependency on a sole or primary service provider
b. failure to achieve a coherent customer interface, including the web site
c. inadequate number of trained customer service representatives available by the time the system is running
d. all of the above

Answer d. is the correct answer. In addition to technology risks, answers a., b. & c. are some of the potential risks an internal auditor should review when auditing an ecommerce system during development or during a major upgrade.

31. The newest software that you sold in 30 countries has a serious flaw that miscalculates sales. Consequently, the software sometimes ships duplicate orders without charging the customer. This risk is an example of:

a. country risk
b. transaction risk
c. credit risk
d. reputation risk

Answer d. is the correct answer. When a company transacts business and has a
major problem with quality of product or service there is a risk that the company
will suffer bad publicity causing loss of sales and customers. Answers a., b. & c.
are not applicable.

32. The COSO integrated control model incorporates five components and three control
objectives. These 15 dimensions of a process allow for developing an analysis of the
process. Which of the following dimensions describes an understanding of a Code of
Ethics or Code of Conduct document?

a. control activities and security of assets
b. monitoring of wrongdoing activities
c. communications of financial requirements
d. control environment

Answer d. is the correct answer. Key words in the question are “describes an
understanding”. Right away this suggests the control environment of the COSO
model. Answers a., b. & c. are other dimensions of the COSO model.

33. An example of a control risk would not be:

a. inexperienced audit department
b. establishing information technology backup controls
c. physical security system that is intermittently operating
d. weak oversight by the Board of Directors

Answer b. is the correct answer. Although this answer seems specific to
information technology, in this case it is appropriate for the question. The
question asks “which is NOT a control risk”. Simply stated, a control risk is a risk
because of controls not functioning as intended. Therefore, there are two ways to
reach the correct answer in this question. The first way is to recognize the correct
answer immediately. The second way is to determine the answers that would be a
control risk. In this case, answers a., c. & d. all are control risks. However, based
on the wording in the answer choice they imply that they are not working.
Remember, if controls do not work, risk increases.

34. Which of the following risk categories would have the most impact and the longest
impact if the risk occurred?

a. information technology risk in a payroll processing facility
b. environmental risk in an oil refinery
c. reputation risk
d. technology risk

Answer c. is the correct answer, although the remaining answers would have or
could have a significant impact on an organization should they occur. However,
reputational risk would have the longest and most impact. The remaining
answers could also cause reputational risk. However, the term “reputational risk”
in these answers is broader in scope than the other answers. In most cases in
these types of questions, the all-encompassing answer is the best choice. In
other words, what type of risk would be or could be a result of the remaining
answers.

35. The ERM integrated control model specifies more detail in risk assessment than
do previous integrated control models. In the ERM model, which of the following most
closely represents the appropriate amount of controls that should be applied to risk?

a. risk tolerance
b. risk response
c. risk appetite
d. event identification

Answer b. is the correct answer. This is really a definition question. However, the
word “risk” in the answer could be a point of confusion. Risk response in the
ERM model is simply responding to risk with controls.

36. The risk management term for susceptibility to loss is:

a. impact
b. exposure
c. threat
d. probability

Answer b. is the correct answer and the definition of “probability” as used in risk
management. Answers a., c. & d. list 3 additional terms used in risk management.

37. Ethics is not extremely definitive. Therefore, establishing a definition,
communicating that definition to all necessary employees, and then monitoring
compliance for adherence to the communication would:

a. be an adequate control to manage ethics
b. be a sufficient foundation
c. provide adequate guidance to inhibit potential fraudulent issues
d. be a form of a preventive control

Answer d. is the correct answer. The first sentence in the question is not true.
Ethics is not extremely definitive. It can have different interpretations for different
people in different situations and cultures. Therefore, it is important that, whatever
ethical guidelines or interpretation is established, everyone involved has the
same understanding. Answers a., b. & c. can be eliminated quickly because of
some key words in the answer choices. The word “adequate” in answers a. & c. is
the eliminating factor in these answer choices. As was indicated in the
discussion, ethics can mean different things to different people and different
cultures. Therefore, what is adequate in one situation may not be in another.
Further, just establishing an ethics foundation may not and probably would not be
sufficient to inhibit fraudulent activity. Answer b. can be eliminated because of
the word “sufficient”. Inhibiting fraudulent activity is complex and requires
multiple efforts from different dimensions including constant monitoring and
adjusting.

38. Which of these is a way that can help to identify risk?

a. gather information about the business processes under review
b. determine what is being said about your products or services
c. search for business process information in similar industries
d. all of the above

Answer d. is the correct answer. All of these are ways to identify risks. Active
Internet users continue to post a great deal of information including the evaluation
of products / services and comparisons of companies. The Internet also offers
opportunities for companies to reply to problems which will help lessen a loss
caused by bad publicity or incorrect posting.

39. Which of the following is true about ISO 31000:2009?

a. intended for all stakeholders
b. intended for only executive-level stakeholders
c. intended for a broad stakeholder group
d. none of the above

Answer c. is the correct answer. Answer a. is not correct because of the word
“all”, as ISO 31000:2009 is not intended for all stakeholders. Stop to consider
carefully any time the question includes the word “all”. Answer b. is not correct
because executive-level stakeholders are only one applicable group. Answer d. is
not correct because answer c. is correct.

40. The IIA control objectives do not include which of the following control objectives?

a. compliance with laws, regulations, policies, and procedures
b. tone at the top
c. efficient and effective use of resources
d. reliability of all information

Answer b. is the correct answer. Tone at the top of an organization is extremely
important and is not implied in the IIA control objectives. Answers a., c. & d. are
included. Tone at the top is an element in the control environment which is a
component of COSO.

41. A strategy to cause new competitive entrants to spend heavily to overcome existing
customer loyalties is best described as:

a. capital requirements
b. differentiation of product
c. switching costs
d. cost disadvantage

Answer b. is the correct answer. Differentiation creates a barrier to competitive
entry by forcing entrants to spend heavily to overcome existing customer
loyalties. This can include substantial start-up costs. Such start-up costs
(building a brand name) could be very risky because there is no salvage value if
the start-up effort fails.

Differentiation means that the existing business must distinguish itself with its
clients and customers in such a way that pending new competitive entrants would
have a substantial barrier to overcome and win potential customers. Such
differentiations can be based on name loyalty, cost of product or services, quality
of product or services, and customer care and service. The remaining answers
are all subcategories of differentiation of product.

Answer a. is not correct because capital requirements require new entrants to
invest large sums of money to get into the existing market. The risk is that it may
not work and the investment would be lost. Answer c. is not correct. Switching
costs are created by the presence of one-time costs facing the new entrant such as
employee training, new equipment, and the cost of developing a relationship with
the new supplier. Answer d. is not correct. Cost disadvantage means that
existing firms may have a cost advantage from suppliers for economies of scale,
which a new entrant may not have. All of these can enhance differentiation of
product because of availability of cost and access of materials from suppliers.

42. Due professional care is a philosophy to which professionals should adhere. This
includes business managers, auditors, and other professionals. However, in order to
adhere to this philosophy these professionals should understand what due professional
care actually means. Which of the following does not represent the due professional
care philosophy?

a. competency
b. reasonably prudent
c. infallibility
d. due diligence

Answer c. is the correct answer. Although due professional care is a philosophy
to which professionals should adhere, humans behave as humans. Humans
sometimes make mistakes. So no matter how much due professional care is
taken in any process, there is still a chance that something may go wrong. There
are two ways to determine the answer to this question. The first is to recognize
the correct answer quickly. The second is to determine that answers a., b. & d. all
represent due professional care. The answer that is left is what does not
represent due professional care.

43. Business regulations, operating requirements, laws and regulations, as well as
professional guidelines for professionals such as attorneys, accountants, and internal
auditors, have become more complex and necessary as business has become more
complex. One way to avoid these regulation complexities and their associated
paperwork would be to operate a business in a closed environment. Which of the
following would not be a concern, in a publicly traded company, if the company operated
in a closed environment?

a. Foreign Corrupt Practices Act
b. Federal Sentencing Guidelines
c. Sarbanes-Oxley
d. none of the above

Answer d. is the correct answer. A closed environment, in business, means that
the business is operating with virtually no contact with any environment outside
the business itself. This is an unlikely situation in today’s business world. The
question asks which of the following answers would not apply to a business
operating in this situation. The correct answer is “none of the above”. All of
these laws or regulations in answers a., b. & c. would still apply in a closed
business situation.

44. As the CAE you met with the Audit Committee recently. One of the Audit
Committee members described an article they read recently about the “assurance”
function of internal auditors and asked whether or not all the SOX efforts
performed in the last few years were the same as the “assurance” function. You
answered that:

a. SOX and assurance are the same
b. the assurance function is a narrower perspective
c. the assurance function is a broader perspective
d. the assurance in risk management is performed by the insurance department

Answer c. is the correct answer. The role of auditors in the assurance function is
a very broad coverage of management’s issues. Assurance typically covers the
functions of risk management, continuous monitoring, and benefits realization.
Answer a. is not correct because SOX efforts are clearly compliance efforts within
the traditional role of internal audit, and SOX and assurance are different tasks
that internal audit performs. Answer b. is not correct because answer c. is correct.
Answer d. is not correct because assurance is performed by a number of
departments including internal audit.

45. The Rental For You And Save Company, providing day-to-day items for short-term
use, has been in business for 22 years. This company provides products for short-term
use such as lawn furniture, household furniture, electronics, and even tools. The
company’s objective is to help customers who may need such items for short-term use
and who realize that it is not worthwhile to purchase such items. The average rental
time is one month. Contracts are signed with the renters to return the items in the same
condition as they were rented.

Although the number of times an item can be rented can vary depending on the product,
the average number of rental times for all items is currently 14.4 times. Prior to five
years ago, the average number of times for the rental of all items was 19.8 times. In
general, the more wear and tear on rented items the fewer times they can be rented. In
order to maintain company success the average time objective for all items rented is
13.6 times. There has been a steady decrease from 19.8 to 14.4 over the past five
years. Management began to become very concerned with this trend particularly when
the number reached 14.4 times. This difference between the 13.8 objective and the old
number of 19.8 compared to the 13.8 objective versus the new number of 14.4 times can
best be described as:

a. risk development
b. risk assessment
c. a statistical process SPC risk variation range
d. risk tolerance

Answer d. is the correct answer. This is a definition question. Answers a., b. & c.
are not relevant to this question. Be careful of the substantial background
information and all the numbers. Consider the actual question which is in the last
sentence. Also eliminate the answers that are not relevant.

46. Which of the following is usually considered an emerging risk?

a. technology and communication
b. natural resource constraints
c. political crises
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. list 3 of the emerging risks
that should be addressed in any risk management effort.

47. Management’s basic responsibilities include:

a. planning, staffing, organizing
b. monitoring, staffing, risk management, and directing
c. planning, directing, staffing, controlling, organizing
d. does not include the controlling element

Answer c. is the correct answer. Management’s basic responsibilities include
planning, organizing, staffing, directing, and controlling. Answers a. & b. are
incomplete. Answer d. can be eliminated right away because controlling is a
responsibility of management as well as everyone else.

48. A balanced score card is a tool familiar to quality professionals and process owners
alike. What are two characteristics of a balanced score card?

a. provide a pictorial representation of a process and align individual goals
b. identify and align individual strategic initiatives and align department
and individual goals
c. a schedule to conduct periodic performance reviews and develop process
owner objectives
d. clarify the organization’s mission and schedule budgetary and financial
reviews

Answer b. is the correct answer. A balanced score card can help represent the
overall strategic plan. It also shows how that plan is interconnected and
communicated to departments and individuals within the process. Answers a., c.
& d. are random phrases.

49. Providing risk management assurance requires continual monitoring of risk in an
ever-changing environment as well as a flexible approach to audit planning. Which of
the following should be considered when providing an appropriate, efficient, and
effective risk management assurance audit plan?

a. is the current risk assessment significantly different than the prior one
b. is the plan aligned with risk concerns of the Board of Directors and top
management
c. is the audit staff challenged and able to address new technologies, business
strategies, and products and services
d. all of the above

Answer d. is the correct answer. All of the comments in answers a., b. & c. are
points of interest or should be points of interest for consideration when planning
an efficient and effective risk management assurance plan.

50. Outsourcing, staffing projects with outside consultants, has become common
practice in recent years. There can be substantial cost savings as well as a decrease in
administrative activities when hiring staff members who will only be needed for specific
short-term projects. Therefore, there can be benefits to outsourcing when used correctly.
Many times these types of outsourced projects require an exchange of information
technology between and among the host company and the consultant and from the
consultant and the host company. Which of the following controls would not be a
consideration when outsourcing?

a. IT controls should include how data is exchanged, received, and validated
b. IT controls should include confidentiality and conflict of interest considerations
c. there should be an adequate and appropriate contract monitoring scheme in
place
d. the legal department should be the sole designer and r of legal
contracts regarding any outsourcing activity

Answer d. is the correct answer. Although a contract is a legal document and
should have legal design by a legal professional, it is wise to have additional input
into the design of an outsourced contract. Other professionals provide additional
insight to the design of the contract just as the legal professional provides legal
insight. For example, internal auditors may provide insight about internal controls
which may not be considered by the legal professionals. Examples might be a
right-to-audit clause and periodic reviews of the consultant’s work. Process
owners who will be engaging the consultant would provide specific insight for the
needs, restrictions, and overall objectives of the consultant’s work. Answers a., b.
& c. are all controls and should all be considered in a contract with a consultant.
The question asks which of the following would not be a consideration. Answer d.
specifies that legal professionals would be the only designer of a contract. This is
not the best option for designing a contract.

51. There are a number of risk assessment tools available which can help process
owners manage their risks. Some of the more contemporary tools are integrated control
frameworks. Which of the following integrated control frameworks facilitates the most
detail of risk?

a. COSO
b. ERM
c. CoCo
d. COBIT

Answer b. is the correct answer. ERM subcategorizes risk into risk appetite and
risk tolerance. The models in answers a., c. & d. only mention risk as a category.

52. Focusing on Key Processes, Activities, and Controls rather than doing generalized
audits of functions can drastically increase the effectiveness of the internal assurance
function of internal audit. Building continuous monitoring into every system and process
provides both the process owner and the auditor with greatly enhanced ability to
maintain quality systems on a concurrent basis. One important key to success is to
consistently leverage IT resources. Continuous audit utilizing IT techniques would
facilitate:

a. data validation in real or near real time
b. continually performing compliance testing
c. monitoring the process, activities, and controls
d. all of the above

Answer d. is the correct answer. The utilization of IT tools and techniques by
internal auditors, process management, or a combination of audit and process
management teams would help facilitate all of the choices in answers a., b. & c.
Implementing a continuous monitoring process of risk and controls will greatly
enhance the adequacy of risk and control management by helping to identify risk
issues early.

53. On occasion IT expertise may not be readily available within a particular process.
Therefore, it may be necessary to acquire external IT expertise. However, this approach
may yield additional risks because of the possible necessity of exchanging electronically
formatted information. Although there could be significant potential exposure risks, they
could be addressed by a team including legal professionals, process owners, auditors,
and even other professionals including security professionals. For a control team
assembled to manage this possible exposure risk and address the potential concerns,
the discussion of least concern would be:

a. the possible need for an audit clause in the contract
b. the work hours of the external IT experts
c. the background of the external IT experts
d. the budgeted commitments of the external IT experts

Answer b. is the correct answer. This question has a substantial amount of
wording, most of which is just general information. The only really significant
information in all of the background is the implication that an external
IT expert is going to be used. With that said, the real question is in the last
sentence. The last sentence implies a discussion about the parameters of using
an external IT expert. The key wording in this question statement is the words
“least concern”. This implies that there is no wrong answer. However, the
question is asking for the answer that is less important than all the others. The
question implies not that it is unimportant but that it is just less important. Of all
of the choices, answer b., although important, is the least important of the
choices.

54. A significant shift to a new vision of compliance and ethics has emerged over the
past few years. This shift has enhanced greater efficiency in processing and
management of information, effectiveness in ensuring corporate governance, and the
agility to address rapidly changing business environments. This new vision of ethics and
compliance includes: an enhanced alignment with stakeholder demands for
transparency and accountability; an increased opportunity to take advantage of
emerging technologies; and:

a. will improve process relationships with stakeholders
b. will help align internal risks
c. will allow practitioners to better target their resources
d. none of the above answers includes all of the elements of the new vision of
ethics and compliance

Answer c. is the correct answer. Answer a. can be eliminated because
stakeholders are already itemized in the question. The question asks for
something additional to what the question lists. Answer b. can also be eliminated
because, although it may sound good, it is really a very general and vague answer.
It is really just random words. The question mentions improved efficiency and
effectiveness in processing and the ability to better manage a changing business
environment. All of that is implied in answer c.

55. Risk reporting involves recording, maintaining, and reporting risk assessments.
Which of the following is not a good reason to complete a risk reporting effort?

a. it provides background risk identification for new personnel
b. it provides a basis for monitoring the risk management and the
allocation of appropriate actions which will ensure that risk
management is effective
c. it provides the basis for program assessments and updates as the
environment, objectives and risks change
d. it is a management tool facilitating rational decisions

Answer b. is the correct answer. The key word to select this answer is the word
“ensure”. The question asks what is not a good reason. Risk reporting does not
ensure anything. Another way to select the best answer is to pick the answers
that are a good reason. It can be determined that answers a., c. & d. will be
benefits of risk reporting.

56. An organization must establish and implement controls to control, safeguard, and
secure physical assets and intellectual property. Which types of controls would be most
applicable to secure and control intellectual property?

a. edit checks of data entered & controlling access to data files
b. a periodic accounting of physical assets comparing to control records and
files
c. limiting access to valuable assets
d. a periodic inventory of files

Answer a. is the correct answer. Answers b., c. & d. would be more applicable to
controls over physical assets. Note that answer d. mentions files. It does not
mention digital files. These could be an inventory of paper files. So be careful of
assumptions in the wording.

57. Supervisory internal controls should be integrated into the normal operations of
processes. These should include management and supervisory activities such as:

a. comparisons of what should be done and what is actually done
b. oversight of other activities of process members
c. reconciliations
d. all of the above

Answer d. is the correct answer. These are all good supervisory controls. They
should be incorporated into the routine supervisory efforts. In addition, they
should be visible to all process members as a routine supervisory responsibility.
Interestingly, there may even be a side benefit to these types of controls. Process
members will in many cases feel more important and responsible when the
supervisor is taking interest in their work, hence increasing morale and process
member efforts.

58. Identifying threats that could harm or adversely impact a process would be:

a. identifying the critical success factors in risk assessment
b. an element in the risk management cycle
c. estimating the likelihood of the threats
d. an element in the risk assessment process

Answer d. is the correct answer. Answer a. discusses success factors, not
threats. This is a viable part of risk assessment; however, it is not appropriate for
this question. Answer b. is too broad for this question. Answer c. is also an
element in the risk assessment process. However, the question asks about
identifying threats. The risk assessment process is actually part of risk
management. Contrary to some previous discussion, where the more global
answer is correct, in this case it is not. The question asks specifically about
identifying threats.

59. Cost-effective preventive controls in IT systems can help deter or reduce outage
impacts in IT systems. Which of the following would not fall into this category?

a. multiple off-site storage locations
b. fire suppression systems in the IT facility
c. frequently scheduled data backups
d. heat resistant and waterproof containers for backup media

Answer a. is the correct answer. The question asks about cost-effective
preventive controls. Further, it asks which of the following “would not fall into
this category”. Answer a. is correct because it is not specific as to how many
backup locations. For example, if one backup location was sufficient, it would not
be cost-effective to have ten backup locations. Answers b., c. & d. are relatively
inexpensive and could be effective preventive controls. Although answer b. could
involve some cost, it is more relevant to this question than answer a.

60. Reporting on key risks can be in a number of formats. Whatever format, it is
extremely important that the format be designed with a primary objective. This objective
is to motivate the reader into action. Which of the following reporting elements should
be interrelated throughout the report?

a. scope
b. background
c. purpose
d. findings

Answer c. is the correct answer. The purpose is the objective of why the report is
being developed. The purpose statement should include some reference to
determine the adequacy of controls. Hence the findings and scope should refer
back to the purpose statement. For example, the purpose of this audit was to
determine the adequacy of controls related to some process. The scope and
findings in answers a. & d. should reference that purpose statement. There
should not be findings for one process and the purpose for another process. The
background in answer b. should be a brief outline of what the process is and what
function it serves.

61. Which of the following is a meaningful reason for using benchmarking?

a. develop best practices
b. develop performance measures
c. maintain a competitive advantage
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. all list purposes of using
benchmarking. The word “meaningful” should not confuse you.

62. The CFO of a medium-size company has just been told by the Board of Directors
that the company has to decrease operating budgets by 10% across the board. The
company’s operating budget is currently $124,000,000. There are 5 departments within
the company that will be impacted by the decrease. Departments 1 and 3 receive 25%
of the budget cut each. One department receives 20% of the budget cut. Two
departments receive 15% of the budget cut each. The CFO immediately initiates two
budget-cutting policies. The first is to eliminate all food for staff meetings. The next is to
cut all training effective at the end of the month. It is estimated that cutting these two
items immediately will achieve 6% of the necessary budget cuts. So a further cut of 4%
is required. The actions that this CFO has implemented are:

a. corrective
b. reactive
c. directive
d. preventive

Answer b. is the correct answer. First, there is substantial extra information in the
question. Some traps in the wording may make the actions sound preventive (answer d.).
In addition, the CFO instituted a policy to cut 6% immediately, so this could be
considered directive (answer c.). Finally, it is implied in the question that there
might be a substantial crisis in the company, so answer a., corrective, sounds
good. However, here is the issue. The CFO took immediate action, as implied,
without much analysis by just cutting training and food. It appears that the CFO
only thought about an immediate cut and did not think about the long-term
implications of these cuts. For example, it is very unusual that cutting food at staff
meetings would be a major saving for the company. If anything, it may cause a
morale problem. Therefore, the immediate cut may cause a greater future problem.
Also, training cuts require more analysis. If the cuts were for superfluous training,
nice to have but really not a core benefit for the company, cutting it may possibly be
worthwhile. If the training had a substantial benefit to the company, then cutting it
arbitrarily is not wise. It appears that the CFO just cut arbitrarily without any
discussion or analysis just to get some numbers for the Board of Directors. In the
short term this may work. However, in the long term this may create greater
problems than the company is currently realizing. The issue here is to think about
major adjustments and not make them arbitrarily. In this case, this was reactive:
reactive to political pressures. Answer d. does apply, as it appears the current
financial controls have failed to prevent this problem.

372 © 2013 Contemporary Business Concepts, LLC, Danbury, Connecticut USA


McKeever CRMA Exam Application Questions, Answers & Explanations

63. The constant monitoring of Key Risk Indicators can provide:

a. an indication that the risk appetite and risk tolerance are achieved
b. a backward looking view on risk events, so lessons can be learned from past
events
c. an early warning: a proactive action can take place
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. list some of the key benefits
of monitoring Key Risk Indicators.

64. Which section of SOX requires the auditor to document and test the effectiveness of
internal controls of IT systems?

a. 301
b. 302
c. 906
d. 404

Answer d. is the correct answer. Section 301 focuses on public company audit
committees. Section 302 focuses on the quarterly disclosure of financial
statements as certified by the CEOs and CFOs. Section 906 mandates severe
penalties for corporate officers who certify the required statements knowing that
the report accompanying the statement does not comport with all the requirements
of the section. Hence section 404 is the correct answer.

65. Which of the following would be helpful to determine whether or not a company has
risk?

a. industry surveys
b. professional associations
c. history
d. other professionals
e. all of the above

Answer e. is the correct answer. All of these resources would be helpful in
determining whether a company has risk. Answers a., b., c. & d. list some but not
all of the resources.

66. The self-assessment process can be a useful tool from two perspectives. First,
self-assessment can help enhance a corporate governance knowledge base with process
owner participants. Second, self-assessment develops an ownership of apparent risks
and the necessary corrective actions to mitigate those risks. Which of the following is
generally not a result of a self-assessment effort?

a. a level of enthusiasm among process owners for the acceptance of key risk
management will increase
b. an enhanced belief in risk and control management by process owners may
be realized
c. process owners, as they become more knowledgeable, can eventually
assume responsibility for their own self-assessment efforts
d. because of the involvement of multiple process owners and
perspectives there will be assurance that key risks are adequately
addressed

Answer d. is the correct answer. The key word to answer the question of which
will not be a result of a self-assessment effort is “assurance”. There is little that
will assure the total mitigation of all risk all of the time in any process. Answers
a., b. & c. are generally results of a self-assessment effort.

67. During a risk-based workshop eight of the attendees classified a particular risk as
“HIGH” and six classified it as “LOW”. As the facilitator the best approach would be:

a. classify that risk as “MEDIUM” to be fair
b. classify that risk as “HIGH” using the majority classification
c. clarify the definitions of “HIGH”, “MEDIUM” and “LOW”
d. change the subject

Answer c. is the correct answer. You should discuss further and address both the
use of these three terms and why the classifications vary. Answers a. & b. might
lessen the interest of some attendees. Answer d. will not solve the difficulty.
Sometimes it is appropriate to decide to address an issue later. However, that
should be a decision of the participants, not the facilitator. Additional discussion
when opinions are this widely split would probably be appropriate. In many cases,
additional discussion in such a situation may actually cause further thinking by
the attendees and may result in a more accurate final result and decision.

68. SOX was instituted as a reactionary control to address integrity issues in business.
This meant enhancing existing controls that were apparent in the FCPA. These
enhanced controls:

a. require CFOs to certify financial documentation
b. require the audit committee to oversee public auditors
c. require CEOs to oversee the compensation and independence of the external
auditors
d. require that the CEO comply with section 301 to address the annual
evaluation of internal controls

Answer b. is the correct answer. This is a specific requirement in the SOX
legislation. The certification of financials is a requirement of both the CEO and
CFO, not just the CFO. The Audit Committee, not the CEO, is responsible for
overseeing the compensation and independence of the external auditors. This
helps with independence. Section 301 of SOX focuses on the public company
audit committees. Hence, the CEO is not involved with this section.

69. During an audit it is observed that a number of expense vouchers have been
pre-signed by an approving level authority and are stored in an unsecured desk drawer.
The auditor challenged the supervisor of the department, who indicated that the
approving individual traveled often, so they had these vouchers pre-approved for
efficiency reasons. That way there would not be a delay in securing payment because
the approving person was on the road. The auditor convinced the supervisor that, for
audit, good management, and security reasons, this was not a good policy and must be
corrected. Correcting this issue in the future on these documents is what type of a
control?

a. detective control
b. preventive control
c. corrective control
d. administrative control

Answer b. is the correct answer. The key words in the last sentence of the
question statement are “in the future”. Now there could be some consideration of
these answers. Answer a. can be eliminated because adequate detective controls
are not in place to detect problems. Some consideration could be that it is a
detective control because it was detected by the auditor. Answer c. can be
eliminated. It could be a corrective control because with the cooperation of the
supervisor the auditor was able to correct this risk. Answer d. can be eliminated.
Although there are things called administrative controls this answer is not
specific to this question. So it can be seen from this discussion that the
definitions of preventive, detective, and corrective controls sometimes overlap
depending on the perspective. In real business the specific definitions are
probably not as important as getting the issue corrected. Now for this question
the key words are “in the future”. This implies that this risk concern would be
eliminated in the future or would be prevented from reoccurring in the future.
Hence, answer b. is the best choice. Read the question.

70. One of the tools that can be used to provide an evaluation that key risks are
adequately evaluated is operational auditing. Which of the following would not be a
result of an operational audit?

a. operational auditing will help evaluate the interrelationships between and
among individual elements of a process
b. operational auditing will help evaluate the apparent interface between and
among individual processes within an overall process
c. operational auditing can help evaluate the adequacy of controls in a process
with respect to efficiency and effectiveness
d. operational auditing can provide assurance that key risks are
adequately evaluated and addressed

Answer d. is the correct answer. Operational auditing, although a good tool, will
not provide assurance that key risks are adequately evaluated and addressed. The
key word here is “assurance”. Another way to select the correct answer is to
recognize the word “help” in the remaining answers. Comparing the word “help”
to “assurance”, it can be seen that operational auditing will help address risk
issues as answers a., b. & c. list, but not “assure” that they are fixed all of the time
in all cases.

71. Which of the following is not true about self-assessment?

a. improves communications at all levels
b. helps employees understand how to address and report on the adequacy of
controls
c. clarifies that internal audit is responsible for internal controls
d. none of the above

Answer c. is the correct answer. This is the exact opposite of what self-assessment
does. Self-assessment clarifies that process owners are responsible for internal
controls within their process - NOT internal audit. Be certain to read all answers
carefully before selecting one. Answers a. & b. are not correct because they list
items that are true about self-assessment. Answer d. is not correct because
answer c. is correct.

72. When an internal control in the Accounts Payable Department failed, that would be
best categorized as what type of risk?

a. an audit risk since internal audit missed it during an audit
b. an intentional internal human control risk
c. a control risk
d. none of the above

Answer c. is the correct answer. This is the definition of control risk. Answer a. is
not correct because an audit risk is that internal audit reached wrong conclusions
and someone relied on those conclusions. Answer b. is just a random set of
words. Answer d. is not correct because answer c. is correct.

73. The first step in risk assessment should be:

a. risk management
b. prioritize
c. measure
d. identification

Answer d. is the correct answer. The first step in any successful risk assessment
must be to identify risks. This step is necessary before any prioritization or
measuring can occur. Answer a. is not correct because risk assessment is a part
of risk management. Answers b. & c. are not correct for the same reason
that answer d. is correct.

74. One local organization owns 15 fast food breakfast and lunch mini restaurants.
These restaurants have been strategically located in high-density geographic locations.
They cater to many of the employees of the various businesses in the area. This
operation has grown from two such restaurants two generations ago to its current status.
The CEO of the company has an MBA. The CEO has become concerned with the
physical location of three of the restaurants. It seems that there are vacant building lots
within walking distance of these three restaurants. The specific concern of the CEO is
that, since the company does not own these empty building lots, a competitor could build
a similar restaurant on the lots in these high-traffic areas.

The CEO has asked internal audit for advice. After some discussion the CEO and
internal audit agreed that the strategy of the company should be:

a. manage the bargaining power of suppliers minimizing the risk of sole source
suppliers
b. develop a differentiation of product
c. anticipate the threat of substitute products by competitors
d. all of the above

Answer d. is the correct answer. The issue is that there is a possibility that a
competitor could impact the profits of this restaurant. There is an unknown factor
of the vacant land where a competitor could develop a competitive restaurant.

The question implies that this company controls the sales in that area for their
product. If they do not control the land there is an unknown. So the CEO should
anticipate what could happen (if the competitors developed in the area) and what
the CEO would do. Answers a., b. & c. all list items that should be considered,
including minimizing control by (sole source) suppliers and differentiation of
product by price or quality, all of this by anticipating the competitors' actions.
Managing this competitive risk should not start the day the competitor
appears with a grand opening (crisis management). Good strategic management
dictates anticipating what could happen and having a plan in place before the
crisis occurs.

75. An ultimate objective is to have more process owners understand corporate
governance. Important ingredients to achieve this are the efforts of internal audit.
Realizing that in many cases process owners have much less understanding of
corporate governance than do internal auditors, which approach should internal auditors
take to improve this corporate governance knowledge base for process owners?

a. first understand the process owner’s knowledge base and then develop
appropriate risk and control training for the process owners
b. develop a restructure of the process organization considering specifically
efficiency and effectiveness
c. develop policies and procedures the first time for the process owners
d. conduct an audit to determine the weak areas to address first

Answer a. is the correct answer. Answers b. & c. can be eliminated quickly
because internal auditors should not become involved in this level of process
detail. It may compromise the internal audit independence and objectivity.
Although answer d. could be a good choice to help understand the process
owner’s knowledge base, an internal audit should not be the only tool to gain an
understanding of the process owner’s knowledge base.

76. An atmosphere of mutual trust and open communications to discuss risk among
management and employees would be which component of COSO?

a. communications
b. control environment
c. risk tolerance
d. control activities

Answer b. is the correct answer. The key phrase in the question is “an
atmosphere of mutual trust”. However, the question can be somewhat misleading
in that it mentions communications and risk. Answer b. might appear to be the answer.
However, it is the control environment that includes the soft control elements
such as mutual trust. Answer c. lists the term risk tolerance, which is not included in
the COSO model but is included in the ERM model. Answer d. lists control
activities and is too general a statement.

77. Identifying risk can be a complex and often debatable task. The most important
question to ask when prioritizing risk would not be:

a. what is the cost if the risk occurred
b. what would be the probability and the cost if the risk occurred
c. what is the risk tolerance
d. what is the risk appetite

Answer a. is the correct answer. This answer implies that the only concern when
prioritizing risk is the cost if the risk occurred. This is a common mistake. The
concept is that there could be a risk that, if it occurs, costs a substantial amount
but occurs only very rarely. Alternatively, there could be a risk that occurs
often but costs only a small amount each time. In reality, the higher
occurrence and lower cost risk could actually have a greater impact as a risk. It is
wise to consider both the probability and cost of risk when prioritizing risk.
Answer b. is a good question to ask. Answers c. & d. also list questions to ask
before any prioritization can occur.
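As an added illustration of the point made in this answer (this code is not part of the study guide), the following Python ranks a constructed risk register by expected loss, probability times cost, and flags the entries above an assumed tolerance. The register entries, their frequencies and costs, and the tolerance figure are all made-up sample values; the steps follow the order the guide gives for a risk assessment (identify, measure, prioritize).

```python
"""Rank a risk register by expected loss (frequency x cost per event).

Added example, not from the study guide. Shows why ranking by cost alone
is the "common mistake": a cheap-but-frequent risk can outrank a rare,
expensive one once probability is taken into account.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_frequency: float   # expected occurrences per year (constructed)
    cost_per_event: float     # loss per occurrence, in dollars (constructed)

    @property
    def expected_loss(self) -> float:
        """Annualised expected loss: probability (frequency) times cost."""
        return self.annual_frequency * self.cost_per_event


# Step 1, identification: a constructed register of four sample risks.
SAMPLE_REGISTER = [
    Risk("data centre fire", 0.01, 2_000_000.0),     # rare, very costly
    Risk("duplicate vendor payment", 52.0, 800.0),   # weekly, small each time
    Risk("laptop lost in transit", 6.0, 3_500.0),
    Risk("regulatory fine for late filing", 0.5, 50_000.0),
]


def top_by_cost_only(register):
    """The cost-only view (answer a.): the most expensive single event wins."""
    return max(register, key=lambda r: r.cost_per_event).name


def prioritize(register, tolerance: float):
    """Steps 2 and 3, measure then prioritize.

    Returns (name, annual expected loss, exceeds_tolerance) tuples, highest
    expected loss first. `tolerance` is the annual expected loss the
    organisation is willing to carry per risk (an assumed figure supplied
    by the caller, standing in for the risk tolerance question in answer c.).
    """
    ranked = sorted(register, key=lambda r: r.expected_loss, reverse=True)
    return [(r.name, round(r.expected_loss, 2), r.expected_loss > tolerance)
            for r in ranked]


if __name__ == "__main__":
    print("cost-only ranking picks:", top_by_cost_only(SAMPLE_REGISTER))
    for name, loss, over in prioritize(SAMPLE_REGISTER, tolerance=30_000.0):
        flag = "OVER TOLERANCE" if over else ""
        print(f"{name:32s} {loss:>12,.2f} {flag}")
```

With these sample figures the weekly duplicate payment (52 x 800 = 41,600 per year) ranks first, while the fire that tops the cost-only view ranks last (0.01 x 2,000,000 = 20,000), which is exactly the reversal the answer describes.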

78. The Code of Conduct in a large company had historically been written by the
corporate security department. As time passed it was decided that the legal department
would develop and author the new Code of Conduct. As part of the internal
control process of this company it was traditional that internal audit would audit the
effectiveness of any major design or changes in the Code of Conduct. That was the
case here: the legal department published the Code of Conduct, and some time had
passed. The internal audit department should have included in the scope of the audit of
the Code of Conduct:

a. obtain a list of all employees who had a review of the Code of Conduct
b. compare the list of all employees who had a review of the Code of Conduct
to those who should have had the review
c. interview a sampling at various levels and departments to determine if they
understand the new Code of Conduct and how they feel about it
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. list items that should be part
of the audit. However, answer c. lists one of the more important parts of the audit.
A written Code of Conduct is nice. However, answer c. describes an action that
will help to determine if the new document actually works. This could be
considered a control environment element in the COSO model. Answers a. & b.
describe actions that could be considered control activities in the COSO model.

79. A medium-size company with multiple working locations and approximately 9,000
employees has recently instituted a fraud or ethics hotline. This company manufactures
complex components for private and governmental organizations.

The company went to great efforts to advertise the new hotline, showing support from
higher-level management in the advertising. The telephone number for the hotline is toll
free (no charge for calling) and has been proclaimed to be unable to identify any caller.
The company felt that if the hotline was going to work, anonymity is vitally important.
Employees must feel no threat if they feel the need to call the hotline with information of
ethical concern.

A record of inbound calls was retrieved (only the total number of calls, not a record of
actual originating calling numbers). It was determined that only three calls were
received in 12 months. Further, because there was no originating number record, it was
assumed that at least one, maybe two, of these calls were test calls from security.

It was determined that the fraud or ethics hotline was not being utilized as intended.

Which of the ERM components is most applicable for this situation?

a. control activities
b. internal environment
c. information and communications
d. monitoring

Answer b. is the correct answer. There are some substantial clues to the correct
answer in the extensive background information about the company. First, it
appears that this is a complex company: many employees, multiple locations, and
complex work. Generally, the more complex an operation, the higher the
opportunity for risk. It is unlikely that there are no employee issues of concern.

Next, there was extensive advertising by senior management about the fraud or
ethics hotline. Further, the hotline itself seems to be working, because tests
of the line indicated it was functioning. The core issue here seems
to be one of trust among the employees. It may be that they do not trust that the
hotline is unable to identify them, or that they are afraid of repercussions no
matter what the higher level management says. Trust belongs to the internal
environment component of ERM, the softer issues. Answer a. lists control activities,
which would be the harder issues like the physical phone itself. Answer c. lists
information and communications, which could describe the advertising
from management but does not seem to be the problem. Answer d. lists
monitoring, which could describe the information about the number of calls. However,
that would have little to do with why no one was calling with concerns. The
underlying reason why no one was calling the hotline is an issue of trust in the
internal environment.

80. The senior managers of a medium-size company have expressed concern about the
working relationships among various business units within the company. New senior
managers that entered the company six years ago recognized the opportunities for new
markets and aggressively went after those markets. As a result, the company has
grown from a $2 Million gross income to a $12 Million gross income in five years. The
organization’s overall philosophy has changed from one of complacence to an
aggressively competitive organization. This new excitement of success and business
outlook has enhanced the competitiveness among departments. Hence, this
competitiveness has caused uncertainty about the continued future success of the
company. In the words of one Vice President, “It seems now that the numbers are what
is strived for, not the vision”. Which of the following would be the best model to help
refocus the company toward an overall picture and the portfolio of success inhibitors?

a. COSO
b. a risk model that will completely address the probability and the impact of the
risk upon the vision and objectives
c. an expanded control model that will help address the entire organization
including all of the internal and external risk, as well as the strategic
plan
d. control models that will ensure that preventive and corrective controls are
adequately in place to address the vision

Answer c. is the correct answer and the one that best matches this situation.

There is a substantial amount of “fluff” (extra material) in this question. However,
there are some keys that can be identified which can help with the selection of the
best answer. There are suggestions that the organization has grown at a rapid
rate in a short time.

Risk increases proportionally with volatility and change. There are concerns of
increased competition and less teamwork among departments. This is symptomatic
of a substantial decrease in communications. Communication is a major
component in both the COSO and ERM models. Communication is an
interrelationship issue woven throughout the organization. COSO addresses this
interrelationship of communication. Answer a. is not correct: it lists COSO, but
COSO does not expand on the effective interrelationship requirement.
Finally, the question suggests a concern for vision and strategic management.
Strategic management is not specifically addressed in the COSO model. Strategic
management is specifically emphasized in the ERM model.

This answer is a definition of the expanded COSO model, now named Enterprise
Risk Management (ERM). ERM addresses the portfolio of risk, including the risks
among sub-functions of an organization, along with the internal and external
risks. It also includes the COSO philosophy and the basic risk model of
probability and impact. ERM adequately addresses controls in all dimensions,
hard and soft.

In essence ERM looks at all types of risk that can impact the achievement of
objectives. The term “portfolio of risk” is defined specifically in the ERM model
documentation. In addition, the ERM documentation addresses the strategic plan
of an organization. Strategic planning includes the impacts on success by
external forces, such as competition, technology changes, and rapid growth.

ERM does not replace nor is it intended to replace COSO or other existing risk and
control models. It is intended to enhance these other models and the perspective
of risk and control management.

Answer b. is not correct because of the wording “completely address”. Answer d.
is not correct because of the wording “ensure”. No risk or control model can
“completely address” or “ensure” against risk.

81. As part of SOX compliance, a business unit within a large organization has gathered
staff to develop risk models. This organization used benchmarking results from another
organization to develop their model. Because of the nature of the business, it is planned
that one specific business unit within the organization will be addressed. This business
unit is relatively small but serves as an important function within the organization. This
all-encompassing documentation is representative of:

a. ERM
b. COSO
c. the good risk model
d. none of the above

Answer d. is the correct answer. There is no representation in the answers that it
is an effective or ineffective risk model.

Answer a. lists ERM. The ERM philosophy indicates that the corporate
governance documentation for an organization should vary depending upon its
size and complexity. The question indicates that the organization developed their
model from another organization’s model. Further, it is very comprehensive
documentation. The ERM philosophy indicates that the corporate governance
documentation should be appropriate for the size and complexity of the
organization. In this case, it is a business unit within the entire organization. It is
not the ERM philosophy.

Answer b. lists COSO. It is not a COSO model; there is no representation of any of
the COSO components, its control objectives, or the COSO philosophy.

Answer c. is not correct as it just lists a few risk words that are too general to
answer this question.

82. Data mining is much more effective than sampling. In sampling, generally, not all of
the data is available for review. Simply stated there is not time to review all of the data
so a sample is developed to extract a portion of the overall data. With data mining all of
the data, for a specific period, can be reviewed. The computer will do this very
accurately and effectively.

Data mining means downloading the data to be reviewed into a software package that
will manipulate the data as required. The prime consideration with data mining should
be:

a. perform a reasonable test to make sure all of the data required was
downloaded
b. sort the data by key interests for example date, name, address, payroll code
c. download as much data as possible
d. none of the above because data mining should consider all of these concerns
in the software

Answer a. is the correct answer.

Data mining is a tremendous tool for analyzing data. Its power is in the
manipulating capability. A tremendous amount of data can be analyzed quickly
and accurately. In addition, better than sampling, an entire universe may be
analyzed instead of a portion of the universe as would be in a sample.

This question asks for a prime consideration when data mining. The word
“prime” is the key in answering the question. This is another red flag (prime) word
like “best”. A word like this implies that there could be more than one good
answer. In this particular question the odds of selecting the correct answer can
be increased by elimination. Answer c. indicates downloading as much data as
possible. It is best to decide what data is required, for example payroll data,
inventory data, or security data, and select only the necessary and required fields
of information. So eliminate answer c. With that in mind, answer d. can be
eliminated.

Answers a. & b. are actually priorities of the tasks necessary in data mining.
Realizing that the data has to be acquired (answer a.) before it is manipulated
(answer b.), answer a. qualifies as the prime concern or the first concern.

83. The best reason to incorporate computer-based auditing is that:

a. it makes it easier to audit
b. it makes audit more effective
c. it detects more real or potential problems
d. it helps provide better service to clients

Answer d. is the correct answer. Answers a., b. & c. are not correct because these
are only partial answers and from an internal audit perspective. The main reason
for including computer-based auditing in IT systems, as in all auditing effort, is to
provide better service to audit clients.

Remember that the word “best” means that there could be more than one good
answer. However, the question asks for the “best” of the possible good answers.

84. Duplicate payments within the accounts payable process is an on-going problem.
Duplicate payments to vendors can be accidental or intentional. Paying duplicate
payments by intent is fraud. One way to detect duplicate payments is acquiring
accounts payable data for a period into a database manager and sorting by common
fields like vendor name, invoice date, vendor address, and amount. When unusual
indications appear then further comparisons may be required such as determining the
department that authorized the payment and the accounts payable person that
processed the payment.

Which of the following controls would be the best inhibitor to minimize the possibility of
duplicate payments before they happen?

a. a strong Code of Ethics with required review by all employees quarterly
b. routine and periodic reviews of accounts payable data by management
c. swift and decisive action such as reprimanding any employee caught
processing a duplicate payment as this is also a violation of the strong Code
of Ethics as well
d. an obvious communication to employees by management that analysis of
vendor payments is routinely and periodically performed
e. answers a. and c.
f. answers b. and d.

Answer f. is the correct answer. The word “best” means there might be more than
one correct answer. Answer a. lists a good answer, but just reviewing the Code of
Ethics with employees is not enough, as the Code of Ethics must work. Answer b.
lists a good answer as periodic reviews are probably appropriate. Answer c.
describes an excellent approach, setting the example, but really does not fix the
root cause of the problem. Answer c. describes good supplements to the review
itself: performing an independent review and communicating that the review is
in place. Since answer a. is not correct, answer e. can be eliminated. Answers b.
& d. combined would be the “best” inhibitor (control) from the choices given.
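Questions 82 and 84 together describe a small audit-analytics procedure: confirm that the downloaded data is complete before working with it, then sort the accounts payable data on common fields (vendor name, invoice, date, amount) to surface duplicate payments and the department and processor behind them. The following Python is an added example of that procedure and is not from the study guide; the CSV extract, the control totals, the vendor names and the user ids are all constructed sample data, and the grouping key and vendor-name normalisation are the author's assumptions about what "common fields" means in practice.

```python
"""Audit-analytics pass over an accounts payable extract.

Added example (not from the study guide). Step 1 is the "prime
consideration" from question 82: check that the whole extract arrived by
comparing it with control totals from the source system. Step 2 is the
duplicate-payment test from question 84: group on the common fields and
report the authorising department and the AP processor for each hit.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed AP extract. In practice this is downloaded from the AP system.
AP_EXTRACT = """payment_id,vendor,vendor_address,invoice_no,invoice_date,amount,dept,processor
1001,Acme Supply,12 Mill Rd,INV-551,2013-03-02,1250.00,Facilities,jsmith
1002,Acme Supply,12 Mill Rd,INV-551,2013-03-09,1250.00,Facilities,jsmith
1003,Bolt & Nut Co,9 Forge St,7781,2013-03-04,430.50,Plant,mlee
1004,ACME SUPPLY,12 Mill Rd,INV-552,2013-03-11,980.00,Facilities,jsmith
1005,Bolt and Nut Co.,9 Forge St,7781,2013-03-15,430.50,Plant,rkhan
1006,Fleet Fuel,1 Depot Ln,FF-2203,2013-03-18,2100.00,Logistics,mlee
"""

# Control totals the AP system reported for the same period (constructed).
EXPECTED_ROW_COUNT = 6
EXPECTED_AMOUNT_TOTAL = Decimal("6441.00")


def load_extract(text: str):
    """Parse the CSV extract into dicts, keeping money as Decimal (no float)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = Decimal(row["amount"])
    return rows


def completeness_check(rows, expected_rows: int, expected_total: Decimal):
    """Compare row count and amount total with the source system's control
    totals. Returns (ok, row_count, amount_total)."""
    total = sum((r["amount"] for r in rows), Decimal("0"))
    ok = len(rows) == expected_rows and total == expected_total
    return ok, len(rows), total


def normalise_vendor(name: str) -> str:
    """Collapse case, punctuation and '&'/'and' so near-identical vendor
    names ('Bolt & Nut Co' vs 'Bolt and Nut Co.') fall into one bucket."""
    cleaned = name.lower().replace("&", "and").replace(".", "").replace(",", "")
    return " ".join(cleaned.split())


def find_duplicate_payments(rows):
    """Group on normalised vendor + invoice number + amount and return the
    groups paid more than once, with who authorised and who processed them."""
    groups = defaultdict(list)
    for r in rows:
        key = (normalise_vendor(r["vendor"]), r["invoice_no"].strip().upper(), r["amount"])
        groups[key].append(r)
    hits = []
    for key, members in sorted(groups.items()):
        if len(members) > 1:
            hits.append({
                "vendor": key[0],
                "invoice_no": key[1],
                "amount": key[2],
                "payment_ids": [m["payment_id"] for m in members],
                "departments": sorted({m["dept"] for m in members}),
                "processors": sorted({m["processor"] for m in members}),
            })
    return hits


if __name__ == "__main__":
    data = load_extract(AP_EXTRACT)
    ok, n, total = completeness_check(data, EXPECTED_ROW_COUNT, EXPECTED_AMOUNT_TOTAL)
    print(f"extract complete: {ok} ({n} rows, total {total})")
    for hit in find_duplicate_payments(data):
        print(hit)
```

Run against the sample extract, the completeness check passes (6 rows, 6441.00), and the duplicate test reports two groups: invoice INV-551 paid twice to Acme Supply by the same processor, and invoice 7781 paid twice to Bolt & Nut Co under two different vendor spellings and two different processors, which is the kind of "unusual indication" the question says warrants the follow-up comparison on department and processor.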

85. Codes of Conduct or Codes of Ethics are internal organizational documents. They
act as guidance for the behavior of members of the organization. Many times these
documents contain ethical guidelines. These guidelines specify guidance in terms of the
personal and professional conduct of organizational members. These ethical guidelines
most often include:

a. the requirements of acceptable ethical behavior
b. a committed structure of social and ethical culture that is in the best interest
of the organization
c. avoidance of any behavior legal or otherwise that can adversely impact the
reputation of the organization
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. list items that should be
included in an organization’s Code of Conduct or Code of Ethics.

86. Risk includes the possibility of something, either positive or negative, happening to
an organization. Risk management is an appropriate step to minimize the outcome of
negative risk. Which of the following describes risk management?

a. risk management = risk assessment + risk mitigation – positive risk
implication
b. risk management = risk evaluation + risk mitigation + the net of any
positive risk
c. risk management = risk mitigation + risk assessment
d. risk management = risk assessment + risk evaluation + risk
mitigation

Answer d. is the correct answer. Answers a., b. & c. list random or partial
representations of the entire risk management process. Risk assessment
includes the identification and evaluation of risks and risk consequences and
recommendations to manage the risks (controls). Risk evaluation is the continual
process of a comprehensive and successful risk management process. Risk
mitigation is the process of implementing risk reducing measures that will
address and manage either positive or negative risk implications.

87. In performing a risk assessment at a major Canadian bank, which of the following
integrated control frameworks would probably work best?

a. CoCo
b. ERM
c. COSO
d. combination of above

Answer d. is the correct answer. Usually a combination of these tools will work
best. Do not pick an answer based on the country where the framework was
developed such as CoCo in Canada, COSO in the USA, or Cadbury in the UK.


88. Which of these is not an element of risk assessment?

a. risk measurement
b. risk prioritization
c. risk shifting
d. risk identification

Answer c. is the correct answer. Answers a., b. & d. list elements of risk
assessment.

89. A television editorial said that your non-profit organization spends 80% of
contributions for telemarketing. What type of risk is this?

a. information integrity
b. reputation
c. customer expectations
d. all of the above

Answer b. is the correct answer. This is an example of the risk of reputation.
Answers a. & c. are not correct as they list different types of risk. Hence answer
d. is not correct.

90. An adequate risk assessment should be completed by using:

a. subjectivity
b. multiple inputs from stakeholders
c. formulas
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. list items to use. The more
subjective input and simple formulas are combined and applied in a risk
assessment, the more accurate the results will be. An accurate risk assessment is
important so that the most appropriate controls can be applied.

91. Which of the following are objectives of risk monitoring and updating?

a. identify any new risks and systematically track them to best understand the
impact of the consequences
b. effectively manage these risks and the contingency plan
c. decide how to manage any new risks
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. list important parts of risk
monitoring and updating.


92. What risk assessment term best describes the tangible outcomes of risk on the
decisions, events, or processes?

a. risk
b. consequences
c. exposure
d. threat

Answer b. is the correct answer. This is a definition of the term “consequences”.
Answers a., c. & d. list other risk assessment terms but are not correct for this
question.

93. An effective risk management process requires significant success factors. Some of
these success factors are full support of the process unit’s team, senior management
support, an on-going evaluation process, and competence of the process unit’s team.
What additional success factors would be appropriate to complete an effective risk
management process?

a. an awareness, belief in the process, and cooperation of the process
unit’s team to comply with risk management procedures
b. an establishment of a specialty risk management team or department to
oversee risk management within various processes
c. to design a standardization of the development of risk management policies
and procedures to be complied with in all departments
d. a specific and detailed intervention by the Board of Directors who are now
responsible, by law, for the details of the risk management process

Answer a. is the correct answer. Without a sincere awareness, belief, and
cooperation by those involved in any risk management process, the process will
fail. Without this, no matter how much training or how many policies and
procedures are implemented, a risk management philosophy and process will be
ineffective. Answer b. is not correct as establishing a risk management team will
not be totally effective unless the process owner units believe in the guidance of
the risk management team. Answer c. can be eliminated because a standardized
risk management policy and procedure for all process units is probably not
appropriate. Although there could be an overall corporate risk policy, individual
risk policies for specific business functions may be appropriate because each
business function may have different risk exposures and functions. Answer d. is
not correct as the Board of Directors does not have the detailed knowledge to take
action at the level that process owners can. Caution: Even though there may be a
necessity for individual process risk policies, they should all be able to
consolidate, with common measurements and language, into an overall risk policy
compliance and reporting mechanism at a corporate level.


94. The applicability and enforcement of The IIA Code of Ethics includes:

a. only conduct covered specifically
b. unacceptable conduct for an IIA certificate holder
c. any unacceptable conduct
d. only conduct that is illegal in a specific country

Answer c. is the correct answer. The IIA Code of Ethics specifically states that
the fact that a particular conduct is not mentioned in the Rules of Conduct does
not prevent it from being unacceptable or discreditable.

95. Your store sold an item on its ecommerce site, accepting a stolen credit card issued
by a bank in another country. This risk is an example of:

a. country risk
b. transaction risk
c. credit risk
d. reputation risk

Answer b. is the correct answer. This loss was caused by a transaction (risk).
Use of ecommerce in many cases increases that type of risk. Some amount of
transaction risks exist also with sales in physical locations. This type of risk
always exists any time exchanges are made of money, product, or service.
Answers a., c. & d. list other types of risks.

96. The risk management term for the likelihood of risk is:

a. impact
b. exposure
c. threat
d. probability

Answer d. is the correct answer and the definition of “probability” as used in risk
management. Answers a., b. & c. list 3 additional terms used in risk management.

97. Your company decided to take advantage of the international marketplace. Part of
this effort is to partner with companies in host countries. This is an excellent example of
addressing risk by:

a. sharing
b. avoiding
c. prioritizing
d. accepting

Answer a. is the correct answer. Answers b., c. & d. are other methods to address
risk but not correct for this situation or question.


98. Who is interested in an organization’s risk management?

a. all process owners
b. all stakeholders
c. everyone
d. all management

Answer b. is the correct answer. The key word is “interested”. All stakeholders
includes everyone with an interest in an organization, including people who are
not process owners such as Board of Directors members, suppliers, and
stockholders. The question does not ask about only those who are involved
directly with the risk management process. Answers a. & d. are not correct as
they list only those directly responsible for risk management in their area of
responsibility. Answer c. is not correct as it includes people who are not
stakeholders and have no interest in an organization’s success. Although we use
the phrase “all are responsible for risk management”, the word “all” is only
applicable within an organization.

99. Which of the following is the most important component of COSO?

a. risk assessment
b. information and communication
c. control environment
d. control activities

Answer c. is the correct answer. The core of any business is the individual
attributes of its people, including integrity, ethical values, and competence, and
the environment in which they operate. This environment includes the tone set by
upper-level management. Answers a., b. & d. list other COSO components that all
rely on the environment.

100. Companies or processes that do not find a position in the industry where they can
best defend themselves against competitive forces or influence an alignment with the
competitive forces are an example of:

a. weak internal controls
b. weak strategic planning
c. weak executive support
d. weak risk assessment

Answer b. is the correct answer. Dealing with competitive forces is a function of
strategic planning. Answers a., c. & d. are very general and by themselves may or
may not have anything to do with the issue discussed in the question.


101. Establishing objectives to prevent lawbreaking and scandals, developing a Code of
Ethics specifying acceptable conduct, including the rights of the corporation and
necessary compliance with laws and regulations, including clear standards and
penalties for violations, and ensuring supervision of compliance with the standards
would be efforts to address which type of risk?

a. legal risk
b. regulatory risk
c. ethical risk
d. reputational risk

Answer d. is the correct answer. Although answers a., b. & c. could be considered
specific types of risks they are too specific for this question. The key words are in
the first sentence of the question “prevent scandals”. Scandals are damaging to
reputation. Another consideration for the selection of the correct answer is that
legal, regulatory, and ethical risks could all cause reputational risk. In this case
and in these answer choices reputational risk is broader in scope and could be a
result of all or any of the remaining answers. So in order to select any or all of the
remaining answers the choice would have to be all of the above which is not an
option in these answers. Hence reputational risk is the best option.

102. When auditing the adequacy of policies and procedures the most important factor
about policies and procedures is that they are:

a. in writing and understood
b. followed in all circumstances
c. followed in all but clearly defined situations
d. working effectively

Answer d. is the correct answer. The most important requirement for the
adequacy of policies and procedures is that they work effectively. Answer a. is
partially correct in that policies and procedures to be effective must be
understood and believed in. Answers b. & c. are not correct because of the use of
the word “all”. Further they are very specific.


103. As a risk and control specialist in a multinational corporation named Serve All
Communications Inc., the executive committee has asked for your input on a major
acquisition. This acquisition will mean that the company will be acquiring a current
competing telecommunications company that, in addition to being a direct competitor,
also provides products and services which could complement Serve All Communications
Inc.’s product and service base.

From the executive point of view, this would address two issues. The first is that the
merger would eliminate a competitive element. The second is that it would allow Serve
All Communications Inc. to expand its product and service base. The merger would cost
Serve All Communications Inc. $12,600,000 and involve the possible relocation of
facilities costing an additional $5,000,000. In addition, because of duplication of work
between the two companies, decisions on layoffs and relocation of staff are a concern.
This could cause social, geographic, and other labor issues.

Financing for this project will be 35% from internal funds and 65% from new equities
including both common and preferred stock which will become available to shareholders.

This is a major project. As the risk and control specialist you should recommend to the
executive committee that they consider:

a. an equity ratio analysis, common shareholders’ equity divided by total capital
employed
b. a SWOT analysis
c. an equity to debt ratio including: market value of common plus preferred stock
divided by total current plus long term debt
d. other professionals
e. an ERM analysis

Answer b. is the correct answer. A SWOT analysis outlines the Strengths,
Weaknesses, Opportunities, and Threats. This will help provide an overall picture
of the feasibility of proceeding with the project or not. Financial ratios may be
included in some discussion of a SWOT analysis. However, the SWOT analysis is
a good first step. Note that a number of issues including funding, staffing, and
business advantage were outlined. These fit nicely in the SWOT analysis model.

Answer a. lists an equity ratio for common stockholder analysis. It will indicate
how much of the total capitalization will actually come from owners if the
acquisition occurs. Answer c. lists a financial ratio that will indicate how much
business assets can decline in value before they become insolvent. Both of these
ratios would possibly be useful in a more detailed analysis. However, they should
probably be addressed during or after a SWOT analysis is initiated.

Answer e. could probably be eliminated quickly because it is an integrated control
model. Although ERM incorporates strategic planning (a look into the future as
well as a look at external risk) in its model, ERM would probably not be sufficient
to analyze this project at this early stage.


104. Product or service differentiation can be interpreted differently by each person. In
the case of business, no matter what business, that is the person who is receiving the
products or services. In either case a product feature is a property that is possessed by
the product or service to meet or exceed customer needs and provide customer
satisfaction. In summary, product or service differentiation is a feature that will cause a
customer or client to acquire products or services from one company as opposed to
another. Adequate consideration for product or service differentiation can be a tool to
manage competition and gain competitive advantage.

Which of the following would be considered the most important product or service
differentiation effort?

a. pricing
b. availability of product or service
c. product design
d. customer service
e. all of the above

Answer d. is the correct answer. It is easy to become distracted with these
answers. All of the answers seem important to product or service differentiation
and are important.

Answers a., b., c. & d. are all correct. Hence answer e. may be considered a
choice. However, the question asks for the “most” important. When a word like
“most” is used, that means that many or all of the answers are good answers.
However, “most” means the best of the good answers. Customer service is a key
to product differentiation.
Initially most companies will try to provide the best service and quality to their
clients or customers. However, things happen and things go wrong. Providing
excellent customer service can rectify those things that went wrong. In some
cases providing excellent customer service and going above and beyond to
rectify a problem with a client or customer can actually have a more positive effect
than if nothing went wrong in the first place. Unfortunately, many companies do
not understand this. Customer service staff are often the lowest paid and least
trained employees in an organization.

One company was going to cut their customer service staff by 20%. A comment
was made: why would you require upset customers to wait another 15 or 20
minutes beyond the 10 minutes or so they are waiting now for assistance? Upset
customers or clients want a quick and effective response to address their unhappy
issues. Customer service can establish either a positive or a negative perception
quickly. Remember it is easier to keep the customers or clients you have than to
find new ones.

105. Three new members of a Board of Directors have recently been elected. At one of
the first meetings to discuss a methodology to enhance an internal control philosophy,
which has become somewhat weakened over recent years, the conversation focused on
the design of posters which would emulate an enhanced control philosophy. Some of
the Board of Directors members suggested a local graphic designer to design the
posters. Another member suggested that the posters be supplemented by pamphlets,
which could also be designed by the same local graphic designer. One of the new
Board members is also a member of the audit committee and has substantial experience
on Board Audit Committees as well as being a CAE for a number of companies. In
addressing this new control philosophy effort this new member should indicate:

a. that to maintain objectivity the graphic work should be put out to bid
b. the graphics work is not the only thing that should be considered
c. the cost of the graphics could be expensive so considerations should be
given to in-house designs
d. the graphics should be designed with a company-focus not generic
e. all of the above

Answer b. is the correct answer. The issue is that there is a need to stimulate an
enhanced internal control philosophy throughout the company. It seems that the
Board of Directors is focused on graphic advertising to accomplish this. The one
Board of Directors member who has audit and internal control experience should
suggest that other methods to promote and stimulate the internal control
philosophy should be used. The tone must be set by the high-level managers and
emulated not only by posters and signs but by actions and conversation. Posters
and signs are not sufficient to stimulate and emulate a control philosophy.
Answers a., c. & d. list actions that will not accomplish the desired results.
Therefore answer e. is also not correct.

106. The Accounts Payable (AP) Manager asked you, as an audit manager, to conduct a
meeting to discuss how to more efficiently process payables. The AP Manager indicated
that no audit report would be required, only a verbal report that would be distributed only
to attendees at the meeting.

As a CIA your best decision would be to:

a. refuse the offer since there would be no audit report
b. refuse the offer since this is not an audit
c. accept this readily
d. accept but specify this would not be an audit

Answer d. is the correct answer. This is a case of process improvement, one of
the areas covered by “consulting” (The IIA Standards). Answers a. & b. imply that
an audit and audit report are always necessary. Consulting assignments are not
an audit and therefore do not require an audit report in the formal sense. Answer
c. is partially true, as an assignment like this could expand the role of internal
audit and create a satisfied client, but it must be made clear that this is not an
audit. Therefore, answer d. is a better answer. This is an example that requires
reading all potential answers before selecting one.


107. Which of the following techniques will most likely provide continuous monitoring?

a. computer-assisted auditing
b. operational auditing
c. embedded audit applications
d. all of the above

Answer c. is the correct answer. Incorporating auditing software into systems
provides continuous monitoring. Answer a. describes the periodic use of computer
software that uses only historic data. Answer b. lists operational auditing, which
may or may not be used as part of continuous monitoring. The question asks
which technique will “most likely” provide continuous monitoring. Answer d. is
not correct because answers a. & b. are not correct.

108. Section 302 of Sarbanes-Oxley requires that external auditors issue a financial
opinion regarding the accuracy of financial statements. Which section of Sarbanes-
Oxley requires that external auditors issue an opinion on whether effective internal
control over financial reporting was maintained in all material respects by management?

a. section 806
b. section 802
c. section 404
d. none of the above

Answer d. is the correct answer. Answers a., b. & c. list sections that do not
specifically require external auditors to issue an opinion on whether effective
internal control over financial reporting was maintained in all material respects by
management. This requirement is part of section 302. Appendix 1 in the
workbook can be helpful with the descriptions of each section of Sarbanes-Oxley.


109. The Federal Sentencing Guideline, The Foreign Corrupt Practice Act, and
Sarbanes-Oxley are designed to provide regulatory guidance to companies. This means
that companies should comply with internal control and risk management processes,
making and keeping accounting records that accurately and fairly reflect the transactions
of the company. Following the anti-bribery provisions of these regulations, a number of
other countries have also enacted anti-bribery provisions.

Which one of these regulatory initiatives states that audit committees are responsible for
the hiring, compensation, and overseeing of public auditors?

a. Sarbanes-Oxley
b. Foreign Corrupt Practice Act
c. Federal Sentencing Guideline
d. the anti-bribery provision enacted in 1977 as part of the foreign corrupt
practice act

Answer a. is the correct answer. Sarbanes-Oxley, enacted as law in the United
States in 2002, enhanced many of the stipulations of previous laws such as the
Federal Sentencing Guideline, which answer c. lists, and The Foreign Corrupt
Practice Act, which answers b. and d. list. In addition, Sarbanes-Oxley includes
additional requirements and regulations not specified in detail in prior laws. One
of these new requirements is that Audit Committees are responsible for the
hiring, compensation, and overseeing of public auditors.

110. The Board of Directors and other upper-level management must design,
communicate, and emulate the corporate governance and ethical tone throughout the
organization. It is also their responsibility to:

a. implement this tone within individual departments
b. monitor the effectiveness of the tone within the organization
c. provide specific guidance to departmental managers
d. develop policies and procedures to be followed by the individual business
units

Answer b. is the correct answer. It is the responsibility of upper-level
management and the Board of Directors to establish a corporate governance and
ethical tone and emulate this tone throughout their organization. Further, it is their
responsibility to monitor the effectiveness of this tone throughout the
organization. These upper-level managers establish the tone. However, they are
generally not involved in the detailed implementation within specific process units.
The detailed implementation is delegated to the process owners, middle-level
managers, and lower-level managers. Although there may be a need for minor
adjustments in the implementation at the lower levels, it is important that the
meaning of the tone is not distorted, so that it maintains the core meaning that is
intended. This is why it is important that the upper-level managers and the Board
of Directors monitor their intent as their tone is implemented at the lower-level
process units.


111. What does an operational audit of an organization’s operating procedures and
methods address?

a. efficiency
b. effectiveness
c. economy
d. all of the above

Answer d. is the correct answer. An operational audit is a review of any part of
any organization’s operating procedures and methods for the purpose of
evaluating economy, efficiency, and effectiveness. Answers a., b. & c. each list a
purpose of operational auditing.

112. Successful companies harness employee energy and enthusiasm. They develop a
climate for trust, encouragement, and productivity. Through people this culture must be
emulated from the very highest levels to the very lower levels within the company.
Which of the following would be an effective way to harness employee energy and
enthusiasm?

a. provide adequate training on the processes that are important to the
employees
b. communicate with the employees and hear what they have to say
c. show an interest in the employees’ work
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. each list an effective way. It
has been proven that when management listens to employees and shows an
interest in the employees’ work, then energy, enthusiasm, and productivity
increase. The Hawthorne study is one evidential event of this. It is important that
management listen to the employees. This has two benefits. First, management
may realize some actual hands-on issues that they may not have been aware of
previously. Second, the fact that management is listening to the employees and
showing an interest will actually stimulate morale. Providing appropriate and
adequate training in the processes in which employees must function helps build
knowledge, thinking, and confidence in the employees.

396 © 2013 Contemporary Business Concepts, LLC, Danbury, Connecticut USA


McKeever CRMA Exam Application Questions, Answers & Explanations

113. Although Board of Directors members are often members of the Boards of
Directors of a number of different companies, their main focus should be:

a. the internal controls of the company that they are addressing at any point in
time
b. to identify the internal risks and the external risks pertinent to the
company that they are addressing at any point in time
c. to develop and communicate the policies and procedures relative to the internal
and external controls of the company they are addressing at any point in time
d. to develop a communication channel for the communication of corporate
governance for the company that they are addressing at any point in time

Answer b. is the correct answer. Answer a. is not all inclusive. It only mentions
internal controls. Although the Board of Directors needs to communicate concerns
about the internal controls of the company, internal controls are not the only issue
they should be concerned with. Further, this answer implies that it is only the
internal controls relative to the specific company. The Board of Directors should be
interested in and communicate the concerns about any and all internal and
external risks / internal controls which may impact the company they are
representing. Answer c. can be eliminated because the Board of Directors would
generally not be involved in developing specific policies and procedures. This
also holds true for answer d. Although the Board of Directors may want a
communication channel established, it is unlikely that they would be the ones to
establish that tool.

114. Successful companies establish a mission or vision statement, objectives, and
goals. These are often designed at high levels within the organization and should be
communicated downward in the organization. Then employees can identify customers’
needs each month to identify and address the satisfied customers as well as the not
satisfied customers. With this information reports to the planning organization can be
provided every month with follow-up for the effectiveness of results. This scenario is an
example of:

a. an objective
b. a goal
c. a mission statement
d. a combined mission and vision statement

Answer b. is the correct answer. A goal has much more detail and specifics than
the objectives or mission statements. This is a detailed statement. Mission
statements are very broad. Therefore, answers a., c. & d. can be eliminated.
Dealing with this issue an objective statement might be that “our objective is to
satisfy our customer needs and to correct deficiencies as soon as possible”.


115. Although a goal statement is somewhat specific, which statement is even more
specific for an issue requiring an immediate correction?

a. strategic planning
b. corporate memo
c. tactical planning
d. all of the above

Answer c. is the correct answer. Tactical planning addresses issues in the short
term, generally one year or less. Answer a. can be eliminated as strategic
planning is generally one year or longer and does not address any issues that
require immediate correction. Answer b. can be eliminated. It is vague and not
applicable for this question. The question asks about a statement with a greater
level of detail and requiring an immediate correction. Answer d. is not correct
because answer c. is correct.

116. A product or service deficiency is a product or service failure that results in
product or service dissatisfaction as perceived by the customer. Quality is important not
only to establish prescribed parameters but also to communicate quality and
measure its effectiveness. Less customer dissatisfaction can lead to:

a. stabilization in market share
b. less need for unnecessary expenses
c. less expense to recapture markets
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. all list results of less
customer dissatisfaction. Providing quality products or services will increase
market share (increase sales and customer base), hence increase revenue,
decrease the costs of a loss of customer base (market share), decrease time spent
dealing with dissatisfied customers, and decrease the cost of rework. It is wise to
do the job correctly the first time. Remember that complaints from dissatisfied
customers spread much faster than praise from satisfied customers - answer c.
This is the risk of success (positive risk) or the risk of failure (negative risk).


117. Your company noticed a decrease in market share (loss of customers). A
decision was made at higher levels of management to initiate a sales task force to
recapture the customers who had moved to the competition. The plan would include
major discounts offered to the lost customers to return. In addition, substantial rewards
(vacations and household appliances including wide screen televisions) would be
awarded to the sales team that recaptured the most lost customers. What type of
control was the major control weakness in this situation?

a. operational controls
b. preventive controls
c. corrective controls
d. sales and marketing controls

Answer b. is the correct answer. The question asks for the major type of control
weakness. Answer a. is not correct. The situation may have been more global
and caused by upper-level management decisions (the root cause of why the
customers left). This would not be addressed by operational controls. Answer c.
can be eliminated because the question asks for the major control weakness. The
new efforts of the sales task force might be considered a corrective control, but
that is not what the question asks. Answer d. lists sales and marketing controls
that might have some consideration. Weakness of these controls may or may not
be the case. Further, this answer is specific to sales and marketing. The main
issue here is that the task force’s effort would not be required, at least in this
magnitude, if adequate preventive controls were in place to provide quality to the
customers so they would not change in the first place. This situation is common.
Teams are rewarded for winning back customers that the company itself caused
to change to the competition. This is not a wise situation. It is easier to keep a
customer by providing adequate quality as perceived by the customer than it is to
win back a customer.


118. As a risk and control expert you have been asked to attend a meeting to address
major issues in the company. The attendees, with the help of the moderator, are listing
pages and pages of recommendations with proposed fixes for the issues. This is the
first meeting of the team and no prior discussion has taken place to address these
issues. As the risk and control expert your comment to the attendees should be:

a. ask what is the cost of employing all of these fix items
b. can we divide the many items on the lists to process owner responsibility
c. can we prioritize the items on the list and schedule a discussion on the top 15
items for the next meeting
d. none of the above

Answer d. is the correct answer. It appears, because of no prior discussion, that
this group has immediately started fixing items of concern (controls) without
having a clear focus on what they are trying to accomplish. In addition, they have
not performed a risk assessment including risk identification, measurement, and
prioritization. After these steps have been accomplished, controls
can be applied to the most significant risks rather than randomly.
Without the focus of risk they fix things that sound good but which may have little
impact on the issues of concern to the company. The risk and control expert
should say, let us step back and consider what exactly we are trying to
accomplish. Next the risk and control expert should suggest a risk assessment
effort to identify and prioritize the risks in order of significance in the opinion of the
attendees. Then the risk and control expert could suggest that they identify the
most significant risk items and fix those items (controls). This is a very common
trap. People with a lesser understanding of risk and control management will tend
to start immediately fixing issues without thinking about what they are trying to
fix. As a result, they may do a great job on the wrong thing. It is incumbent on
risk and control experts to help those with a lesser understanding of risk and
control management to better understand the steps necessary to achieve an
appropriate and adequate risk assessment and corrective action effort. Answers
a., b. & c. list items to discuss later.


119. Volatility in business contributes to the extensive nature of risk. These changes
include such items as changes in regulations, external competitive forces, rapid
expansion, rapid reduction, new staff, new systems, and new locations. In simple terms,
the more activity of the kinds mentioned here, the more the risk will increase.
Considering a company with these types of activities, what would be the best
consideration of how often a risk assessment in the company should be conducted?

a. once a month
b. it depends on the risk appetite and the actuality of frequency and
impact of influencing volatile activities
c. once a quarter is sufficient; risk assessment is a control and it is important not to
over-control
d. it depends on the management philosophy regarding risk appetite and risk
tolerance

Answer b. is the correct answer. Answers a. & c. can probably be eliminated
because, especially in a company experiencing such volatility, scheduling risk
assessments at specific times as opposed to concurrently with changes in the
business environment may not be wise. Issues could be missed in between the
scheduled risk assessments. One alternative to this would be to schedule risk
assessments at specific times and then do interim risk assessments between the
scheduled ones to make any adjustments necessary because of volatile issues.
However, the answers do not mention interim risk assessments. This leaves
answers b. & d. as potential answers. The word “depends” in these answers is a
key in the correct direction. Risk assessment frequency and depth should depend
upon those forces that can impact the risk. Answer d. is not correct because of
the problem that it implies that the risk assessment should be driven by the
management philosophy regarding risk appetite and tolerance. Sometimes
management does not understand the consequences and implications of risk. If
this were the case, then risk assessment scheduling and depth may not be
appropriate and adequate. Answer b. is correct because it covers the main points
of risk assessment decisions. These include the risk appetite (how much risk
management is willing to accept) and the frequency and impact of the issues that may
impact the risk to the company.


120. It is sometimes said that the shortest distance between two points is a straight line.
One of the consequences of not moving along a straight line between two points is
inefficient use of resources. For example, measuring the distance along a straight line
between two points would reveal one distance. If the distance was measured drifting on
and off the line in either direction (detective control) and then correcting (corrective
control) to get back on the straight line to reach the final point, the distance traveled on
the adjusted line would be longer than the straight line (inefficient use of resources).
The greater the drift from the straight line, the more inefficient reaction would
be required. Further, there may be a risk of not reaching the final point within a specified
time or even running out of fuel before reaching the final point. Drifting on and off the
straight line is an example of:

a. inadequate risk management
b. inadequate objective management
c. inadequate control management
d. inadequate risk reaction

Answer b. is the correct answer. Although there are a number of key words used
in the question such as “types of controls” and “risk”, the issue is that a clear
focus on the objective was not maintained. Without a clear focus on the end
objective, efforts will tend to drift and cause inefficiencies. Answers a. or c. could
be considered as correct. However, the objective should be first in priority, then
the risk that will stop or slow down the achievement of the objective, and then the
controls to manage the risk. In this case, the risk is drifting from the straight line
and reaching or not reaching the objective as planned. The controls are making
adjustments to get back on the center line. However, before drifting or correcting
it is necessary to know what the final achievement point is (the objective).
Objectives, risk, and controls must be addressed in that order.
Answer d. does not address the problem.


121. The achievement organizational culture is most similar to which management style?

a. autocratic
b. supportive
c. collegial
d. custodial

Answer c. is the correct answer.

The collegial organizational culture is founded on teamwork. The manager is
often part of the team instead of a superior. The results can be self-discipline,
responsibility, and self-fulfillment.

In the collegial organizational culture there is a great deal of emphasis on
achievement, including these considerations:

• there is a high emphasis on team commitment and the belief in the
organization’s mission
• although the work is exhausting, it is generally an extremely satisfying
creative environment
• flexibility and high levels of worker autonomy are present
• work is organized by the requirement of the task
• there is flexibility; the employee acts in the way considered suitable for the
tasks

Answers a., b. & d. list other management styles.

122. Sarbanes-Oxley (SOX) has 11 major titles, each with a number of subsections.
Two of the most important subsections are 302 and 404. Which subsections are most
related to the protection of informants and the protection for employees of publicly traded
companies who provide evidence of fraud?

a. sections 806 & 1107
b. sections 1106 & 802
c. sections 302 & 404
d. sections 106 & 203

Answer a. is the correct answer. Subsections 806 & 1107 respectively are the
protection of informants and protection for employees of publicly traded
companies who provide evidence of fraud. Appendix 1 in the workbook provides
a description of all SOX titles and subsections, including 806 & 1107, which are the
most relevant to this question. Answers b., c. & d. list other subsections but can
be eliminated because of the word “most” in the question.


123. In order to have an adequate risk management and risk environment it is
necessary that there be an inherent belief in the “right way to do things”. The “right way
to do things” simply means the actions to achieve objectives are ethical, efficient, and
effective. This inherent belief must be part of the nature of all those involved within the
process at all levels and in all functions. Which of the following specifically requires an
evaluation of company-level (entity-level) controls utilizing the components of the COSO
framework?

a. Foreign Corrupt Practices Act
b. Public Company Accounting Oversight Board Auditing Standard 5
c. Sarbanes-Oxley
d. Public Company Accounting Oversight Board Auditing Standard 2

Answer b. is the correct answer. To augment the original Sarbanes-Oxley
documentation, the Public Company Accounting Oversight Board on July 25, 2007 approved
Auditing Standard 5, which specified the use of the COSO Integrated Control
Model in the evaluation of internal controls. Prior to this, use of integrated
control models was only implied. Answers a., c. & d. list other standards.

124. What are the elements that often drive fraudulent acts?

a. need or want
b. opportunity
c. rationalization
d. all of the above

Answer d. is the correct answer. These are the three basic elements that can
result in fraudulent acts. Answers a. & b. list elements that are somewhat self-
explanatory. If a human feels as though they need or want something, then the
need or want may be the driver to get it. Then the opportunity to get it reveals
itself, and maybe by devious means the human may move to satisfy these needs
or wants. Answer c. lists the element of rationalization, which is interesting.
In most cases, after a devious or fraudulent act has been committed the human
will think of reasons why it was all right to perpetrate the fraudulent act. For
example, a person may steal from a company and then, when confronted, will say, well, I
should have received the promotion and did not get it, so I deserve what I stole.
Generally, the need, the opportunity, and a reason in the person’s mind why it
would be or was all right to conduct the fraudulent act are all necessary for the
fraudulent act to occur. Often the rationalization begins to form in the
perpetrator’s mind even before the act is completed.


125. In terms of ethics, ethics is:

a. definitive
b. not definitive
c. definitive by most cultures
d. all of the above

Answer b. is the correct answer. Answers a. & c. can be eliminated as these are
not true. Answer d. can be eliminated because it could not be correct, since
answers a. & b. contradict each other. There are some academic explanations of
ethics, but these are vague, not tangible, and open to interpretation. Examples of
these are 1) ethics is the underlying platform from which fraud may be perpetrated
and 2) ethical values are the inherent beliefs of right and wrong within a person
or group of persons. What is clear is that what is considered ethical by one
person or group of persons may be different from what is considered so by
another person or group of persons.

126. It was recently discovered that a well-respected employee had stolen some cash
from the cash drawer in a department. There has never been a history of this employee
doing any such act in 20 years of employment with the company. This employee has
been considered ethical and had been trusted with many valuable company materials.
The root cause of this event was most likely:

a. an opportunity
b. a life environmental change in the employee’s life situation
c. a need
d. all of the above

Answer b. is the correct answer. If this employee has never had any questionable
issues in the past, something probably changed in that person’s life situation,
causing them to take the money. This could create a need. The question asks for
the most likely root cause. Answer a. can probably be eliminated because the
question implies that this employee has had many opportunities in the past and
there were no issues. Answer c. may list a valid cause, but this answer does not
indicate what kind of need. The need in this answer may not be a need relative to
the need for the cash that was taken. With answers a. and c. eliminated, answer d.
can be eliminated as well.


127. Conducting an adequate risk assessment can be a complex process. There are a
number of mathematical models or tools that can help in conducting a risk assessment.
These include the annual loss expectancy, which is the product of the probability and the
impact of the potential risk. The result of multiplying these two elements is the annual
loss expectancy. Another mathematical model is the absolute risk model. This
considers the probability, the impact, and adds the time into the equation. Therefore, the
product of multiplying all three of these elements will result in the absolute risk
assessment. Which of the following would be considered the most important tool when
developing an appropriate and adequate risk assessment?

a. the direct probability estimate model
b. the modified annual loss expectancy model
c. the annual loss expectancy model
d. none of the above

Answer d. is the correct answer. Answers a., b. & c. list mathematical models that
are appropriate tools when developing a risk assessment, and there are many
more than those mentioned in the question and answers, but they are not the
most important tool. Mathematical models provide a benchmark and an indicator.
The most important tool is not a mathematical tool at all; it is human subjectivity.
The knowledge, wisdom, experiences, and different points of view of people are
the most important tools in risk assessment. The mathematical model numbers
are fine, but the people using these models should then be asked: do
these numbers make sense?

Note: Answer a. lists the direct probability estimate model, which includes the
inherent risk, control risk, and audit risk. Answer b. lists the modified annual loss
expectancy, which includes the probability of the threat, the probability of control
failure, and the maximum impact in money. Answer c. lists the annual loss
expectancy model that is explained in the question.

128. Management has some basic functions. They are:

a. staffing, planning, organizing, controlling, supervising
b. organizing, developing, staffing, monitoring, planning
c. planning, organizing, staffing, directing, and controlling
d. all of the above

Answer d. is the correct answer. Answer c. lists the textbook answer. Answer a.
lists all of the textbook items with one change, supervising. The trap here is that
supervising is a directing control. Hence it is the same as directing. Answer b. lists
the word monitoring, which is a proactive control that should include two parts: not
only the physical means to monitor but also the action to react to what is monitored.
Hence the trap here is that the word “monitoring” is definitely a control and hence
satisfies the controlling part in the textbook answer. Read the question and the
answers. With this type of question and answer wording it is easy to get off track
and select the incorrect answer. Think!


129. The term empowerment is commonly used in business. This simply means that a
person with some power is willing to delegate some of that power to a subordinate. An
example of this is allowing the subordinate to make some routine decisions normally
made by the person with the power. However, a consideration often overlooked with
empowerment is that not everyone may want to give up some power and not everyone
may want to receive some power. The recommended stage(s) of instituting
empowerment in an organization are:

a. identify the employees or situation requiring additional power
b. engage the empowerment practices
c. establish a feedback process with the empowered employees to reinforce
their success and sense of accomplishment
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. all list the recommended
stages of instituting empowerment in an organization. Identify where or who
should be empowered. Empowering for the sake of empowering is a major risk.
In actuality, it can cause more negative risks or impacts than if the empowerment
did not take place. For example, if someone was given power and did not want it
or was not comfortable with the new power their morale could decrease. On the
other hand, if someone was told to empower someone else and did not want to
give up some power they may feel that they lost some control. Hence, their
morale and attitude could decrease. It is important to know what or who is
involved in the empowerment process and assess the appropriateness of that
effort.

130. Motivation of employees has been a continual effort of managers for years. The
risk of not motivating employees adequately, appropriately, and timely can result in a
decrease in productivity because of attitude, morale, and plain human psychological
issues. To manage employees’ efforts, effective managers need to adjust to changes
while constantly monitoring the morale and attitude of their employees. There are a
number of managerial tools that have been implemented by managers over the years.
Increasing responsibility, recognition, and opportunities for growth and achievement is
best defined as:

a. job employee alignment
b. job simplification
c. job adjustment
d. job enrichment

Answer d. is the correct answer. Increasing responsibility, recognition, and
opportunities for growth and achievement is best defined as job enrichment.
Answers a. & c. just list random phrases. Answer b. lists job simplification, which is
the reduction of the number and difficulty of tasks performed by employees.


131. In terms of internal stakeholders in a company, everyone with a relationship to a
company is some type of stakeholder. The Board of Directors and the Audit Committee
are some of the upper-level stakeholders, who now have enhanced responsibilities
under the Sarbanes-Oxley law. One of the questions that these stakeholders should be
asking, that may not have been adequately asked in the past, is:

a. how are we going to manage the bad press
b. is there a methodology to identify and minimize controls that no longer
serve their initial purpose
c. what are the budget implications for the next reporting cycle
d. have we considered every possible risk for the new facility

Answer b. is the correct answer. The question asks “what had probably not been
asked in the past”. Answers a., c. & d. list general and typical questions that
would probably have been asked in previous conversations at Board of Directors
meetings. Answer b. describes the potential problem. In many cases, controls
are installed as additions to existing controls. However, little effort is employed to
address the adequacy and appropriateness of existing controls. Not addressing
the adequacy and appropriateness of existing controls can create an inefficiency
of effort and a waste of funds and resources. For example, a warehouse
maintains storage of valuable material and was appropriately secured by an
armed guard, security cameras, and key access 24 hours a day, seven days a week,
at a substantial cost. This is a very appropriate control for that condition.
However, a few years ago all of the valuable material was moved to an off-site
storage facility at an additional substantial cost. If nothing were done to
discontinue the old storage facility controls, there would be controls that no longer
served their purpose, cost a substantial amount, provided no benefit, and were
an inefficient use of resources. Answer b. lists a control question that is often
missed in a discussion about the appropriateness of existing controls.


132. External suppliers can cause substantial risk to the success of companies in a
number of ways. The most predominant root cause issue of external suppliers delaying
shipments or providing poor quality of required component parts could be:

a. suppliers supplying highly technical complex components
b. suppliers involved in a conflict of interest
c. suppliers supplying without a contract
d. suppliers that are the only source

Answer d. is the correct answer. Be careful of working with only one supplier
(sole source). Sometimes a sole source supplier is necessary because there is
only one supplier that can supply the goods and services needed. Unfortunately,
sole source suppliers are often chosen without that consideration. The trap with
sole source suppliers is that they have the receiver of the goods or services in a
difficult situation. If the sole source supplier provides poor quality or delays
shipments, they can influence the success of the receiver of the goods or
services. If the receiver of the goods or services has no other supplier, their
success could be compromised in terms of reputational risk. Answer a. might be
considered because of the comment of highly technical and complex
components, because the more complex something is the higher the risk. That is
true, but that is not what the question asks. Answers b. & c. list items that could be
issues, but these answers are very general and the question specifically asks “the
predominant root cause”.

133. When working with external vendors which of the following would be the least likely
to discuss with the external vendors?

a. the Code of Conduct
b. the contract
c. the organization chart
d. the bonus structure of staff

Answer d. is the correct answer. Would this ever be appropriate to discuss with
an external vendor? The answer is yes. However, this type of discussion would
probably be very specific and relative to the work that the external vendor was
performing for the company. Therefore, this topic of discussion is the exception
rather than the rule. Answer a. is correct as it is wise to review the Code of
Conduct with the external vendor as the vendor should be expected to comply
with the company’s Code of Conduct and ethics. Answer b. lists an appropriate
action of discussing the contract when working with external vendors. Legal
professionals should be involved in the design and even the review of the
contract with the vendor. Answer c. lists discussion of the organization chart that
may or may not be necessary. The vendor does need knowledge of parts of the
organizational structure needed to effectively complete the work required.


134. The Code of Conduct or Code of Ethics is an appropriate reference when
contracting with external vendors. In these cases which of the following is the least likely
to be included in the Code of Conduct or Code of Ethics:

a. a right to audit clause
b. a conflict of interest clause
c. the company ethical policies
d. none of the above

Answer a. is the correct answer. A right to audit clause is appropriate when
working with many external vendors. The right to audit clause and the specifics
of that clause should be included in the contract with the external vendor. That
clause should be specific as to what can be audited and be relative to the work the
external vendor is providing. So answer a. is the least likely to be included in a
Code of Conduct or Code of Ethics. Answers b. & c. list items that are likely to be
included in the Code of Conduct or Code of Ethics. Answer d. is not correct
because answer a. is correct.

135. A schedule of authorizations is an internal company document that details what
payments and what types of payments can be authorized by what levels within the
company. The level of persons within the company authorized to make payments
should be indicated in the schedule of authorizations by:

a. title
b. pay grade indicator
c. organization
d. responsibility

Answer b. is the correct answer. A pay grade indicator defined by the
company is the best control for appropriate payment of specific amounts of funds.
Answer a. lists a method used by many companies. The problem with this is that
some departments use expanded titles for administrative purposes. For example,
some staff members, who work with specific customers, may have a title of Vice
President. However, their pay grade may in reality be a different salary
grade. A Vice President with that corporate designation would have a higher pay
grade. Whatever the internal pay code, it is higher or different for a real Vice
President than for a first-level manager with a Vice President title. This is an important but
simple control. It is not appropriate for a first-level manager to approve fund
payments that they are not authorized to approve at that level of approval.
Answers c. & d. list methods that may be appropriate for information purposes on
payments and for budget reasons but would have less importance for the actual
authorization of payments. An exception might be that one department is
authorized to make a payment for a particular service or product and another
department is not. Therefore, department identification could identify
inappropriate payments. However, the question asks about the levels within the
company authorized to make payments. The key word here is “levels”. Do not
read into the question and answers.


136. One of the most important key considerations for the administration of third-party
relationships is:

a. compliance with laws
b. the number of employees on the third-party payroll
c. the location of the third party
d. gain third-party agreement on compliance with laws, regulations,
relative code of conduct, and ethical standards

Answer d. is the correct answer. Answers a., b. & c. list considerations that may be
relevant, but they may or may not be necessary considerations. For
example, the location of the vendor may be a consideration in some cases but not
in others. The question asks for “the most important”. This means that all
answers could be correct individually, but the correct answer is the best of the
correct.

137. One of the responsibilities of The Board of Directors is to oversee relationships
with vendor third parties. As such, they should adopt a risk management process for
third-party relationships that should include:

a. risk assessment to identify the company’s needs and requirements
b. due diligence to select third-party providers
c. written contracts that outline duties, obligations, and responsibilities of the
parties involved
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. all list items for The Board of
Directors to adopt as part of a risk management process to oversee third-party
vendor relationships.

138. The best description of strategic risk is:

a. risk to earnings or capital arising from an obligor’s failure to meet the terms
of any contract
b. risk arising from public opinion
c. risk to earnings and capital arising from adverse business decisions or
improper implementation of appropriate business decisions
d. risk to earnings or capital arising from problems with product or service
delivery

Answer c. is the correct answer. Answer a. lists the description of credit risk.
Answer b. lists the description of reputational risk. Answer d. lists the description
of transaction risk.


139. The key dimensions of establishing objectives are specific, measurable,
accomplishable, results-oriented, and time-bound. What is the main reason why
measurable is important?

a. because it is necessary to know the status of a project
b. because projects must utilize human intervention
c. because measurable mechanisms must have a noun and a verb, the
measuring device and action on what is measured
d. without measurement it would not be possible to know the status of a project

Answer b. is the correct answer and the main reason measurement is important.
Humans can make errors and misinterpret direction. Therefore, measurements or
monitoring of a project is necessary. Answers a. & d. list the same issue.
Although important, they are not the underlying main reason for measuring or
monitoring. Answer c. sounds good and is true, measuring or monitoring actions
require a noun and verb. However, this is not the correct answer for this question.

140. Measuring or comparing an entity’s process or objectives against real or perceived
processes or objectives of another entity is best described as:

a. entity integration
b. establishing goals and objectives
c. process measurements
d. benchmarking

Answer d. is the correct answer. This question describes benchmarking. Answer
a. lists a term used to describe entities or companies working together. Answer b.
lists a good business approach but is not relative to this question. Answer c. just
lists a random phrase for this question.

141. Some common uses of benchmarking are:

a. access ideas from proven practices
b. develop best practices
c. maintain a competitive advantage
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. list common uses of
benchmarking. However, there is a caution. Many people or organizations will
benchmark against other entities or organizations and then will implement
whatever those entities implemented. The only thing that gets changed is the
company logo. The caution is that just because something worked somewhere
else does not mean it will work where it is being benchmarked. Benchmarking
should be used as a tool to gather information and to help stimulate ideas that are
best suited for the organization or entity doing the benchmarking. Also, be
careful of the term “best practices”. This is a very vague term that is often
misused. Remember that what is a “best practice” in one place may not be a best
practice in another place.

412 © 2013 Contemporary Business Concepts, LLC, Danbury, Connecticut USA


McKeever CRMA Exam Application Questions, Answers & Explanations

142. Best practices benchmarking:

a. helps develop an analysis of competitive organizations
b. is used to analyze core business functions
c. is used when organizations need to improve by realigning with other
organizations that have succeeded
d. is a comparison of all facets of processes across similar and dissimilar
organizations

Answer d. is the correct answer. Answer a. describes competitive benchmarking.
Answer b. describes functional benchmarking. Answer c. describes strategic
benchmarking.

143. One form of benchmarking is to compare graphical relationships from different
situations. One method of accomplishing this graphically is:

a. compare similar real or perceived relationships
b. compare relationships that are related but not the same
c. compare related components of different entities
d. compare as many relationships as possible to achieve the best average
analysis

Answer b. is the correct answer. This concept of graphic representation
compares items that are related but not the same, such as distance driven as
compared to fuel consumption. The two items are not the same but are directly
related to each other. A discrepancy would occur if fuel consumption increased
and distance driven stayed the same or decreased over the same period of time.
Answers a., c. & d. list random phrases.

144. Residual risk is most related to:

a. control risk
b. audit risk
c. competitive risk
d. managerial risk

Answer a. is the correct answer. Control risk is the risk that results when applied
controls fail to reduce risk to an acceptable level. Residual risk is the risk that
still exists after controls were put in place. Answer b. lists audit risk, which means
the auditor did not perform an adequate audit, possibly because of considerations
such as scope, sampling, and budgeted time. In any event, management relied on
an opinion from audit and the opinion was not complete or adequate. Answers c.
& d. list situations that are really general terms, although they could be specific
types of risk in a specific situation.


145. A caution when using risk mapping is:

a. the elements of risk represented
b. the colors used
c. the terminology used
d. the mapping legend

Answer c. is the correct answer. Risk mapping is an excellent risk analysis tool
when used appropriately. It sorts risk into categories and then further defines
them by color, such as red for the highest risk, yellow for a concern, and green for a lower
risk. This uses the concept that information is easier to view graphically rather
than just as words. The trap is the use of the names for the categories. Most often,
the categories are named high, medium, and low. However, these terms can mean
different things to different people. It is important that specific definitions of
these terms be identified and communicated to everyone involved. For example, a
high could mean over 1,000,000,000, a medium would mean 500,000 to
1,000,000,000, and a low could mean zero to 500,000. Answers a., b. & d. list
items that are easily addressed.

146. One of the ways to manage risk after it has been identified, measured, and
prioritized is to control the risk. What is another way to manage risk?

a. apply a monitoring mechanism to manage the risk
b. share or avoid the risk
c. reevaluate the risk
d. all of the above

Answer b. is the correct answer. Sharing or avoiding the risk is a way of
managing the risk. Answer a. is not correct because it describes actually
controlling the risk, which was already given in the question. Answer c. may be
appropriate if there was a question about the validity of the risk assessment.
However, it is not the answer to this question. Hence, answer d. cannot be
correct.

147. When an organization is identifying what they do, who their clients are, and how
they intend to succeed they are:

a. establishing a mission
b. establishing objectives
c. establishing the ground work to establish business objectives
d. establishing a focus to develop a mission

Answer c. is the correct answer. The question outlines that they are not at the
point of establishing the objectives yet. Answers a. & d. are not relevant to this
question. Answer b. is not correct since to establish effective business objectives
an organization must establish a mission.


148. Frequent and highly volatile changes in the business environment should require:

a. corresponding changes in risk assessments
b. corresponding changes in control applications
c. corresponding changes in objectives
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. list items that are required.
Changes in the work environment require changes in objectives, risks, and
controls. The more volatile the work environment, the more frequently and
intensely these three components should be addressed.

149. The adequacy and effectiveness of an organization’s activities related to risk and
control management should be a consideration of:

a. the organization
b. internal auditors when planning an engagement of that organization or
activity
c. the external auditors when planning a financial based audit of the
organization or activity
d. the controllers

Answer b. is the correct answer. Answers a. & d. list considerations that may be
appropriate to some degree; however, they are too broad for this question. Answer
c. lists a consideration related to external auditors and financial audits. The work by
external auditors, especially when focused on a financial audit, would probably
not be concerned with the adequacy and effectiveness of an organization’s
operational risk and control management. The question implies a broader scope
than financial audits.

150. Providing an opportunity to make significant improvements to an organization's
existing risk management and control process would most likely be a function of:

a. internal auditors
b. management
c. external auditors
d. Audit Committee

Answer a. is the correct answer. The key words are “providing an opportunity to
make significant improvements to an organization's existing risk management and
control processes”. Answers b., c. & d. list other groups that by their
functions would be part of the existing risk and control processes. Internal audit
has the opportunity to assess those existing risk and control processes and
recommend improvements.


151. External vendors can receive or supply various services, various products,
subcomponents, advice, and training. Because of the increasing potential risk when
employing external vendors, it is wise to have legal advice when designing a contract
with an external vendor. These contracts should:

a. always include an appropriate audit clause
b. always include a generic audit clause
c. always include a right to audit usage of sub component supplied to the
vendor
d. always include a right to hold payment for poor quality components from the
vendor to the contractee

Answer a. is the correct answer. Generally, there is a caution about the word
“always” when used in multiple-choice questions. In this case, the word “always”
is used in every answer choice, possibly causing some additional consideration.
Answers a., b., c. & d. list some type of audit of the activity between the contractee
and the contractor. Answer b. could really be eliminated because a generic audit
clause may not be appropriate in all cases. However, for ease of work in
developing contracts this is sometimes the case. Answers c. & d. also can be
eliminated because they are specific to physical components. As is mentioned in
the question, there can be many types of vendor services. Some vendor services,
like training, generally contain no physical components, or at most a small amount.
Answers c. & d. would be more relevant to a manufacturing
environment. So, by elimination, answer a. is the correct or best answer.

152. The lack of quality and collaboration among departments can cause inefficient use
of resources, a risk that can be costly. What is a term used for managing this risk?

a. differentiation
b. communication
c. integration
d. tone at the top

Answer c. is the correct answer. Integration means bringing the individual units
together to an appropriate degree to work in harmony. The key word here is an
appropriate degree. Some differentiation is good. Answer a. lists differentiation
that, in this context, means that individual departments are working
autonomously. That is they are working as individual units. Although this can be
good to some degree, because it stimulates thinking and innovation, excessive
autonomy can be counterproductive. Managing differentiation can become
difficult because of psychological and independence issues in individual
departments. In the context of the question, integration is the opposite of
differentiation. Answer b. lists communication that could be appropriate to
facilitate the integration but as an answer is not specific enough to be a good
answer choice. Although individual departments may work to some degree as
individual units their efforts should be directed to the overall organization goals
so that the entire organization is all working in the same direction. Answer d.
follows the same thought process as communications.


153. Providing education about why a change is necessary, involving those who will be
affected by the change in the change process itself, and supporting the change effort
can all help facilitate change. What are two approaches for change that should be
implemented with caution?

a. negotiation & manipulation
b. coercion & collusion
c. coercion & manipulation
d. negotiation & coercion

Answer c. is the correct answer. The question asks for two approaches to change
that should be approached with caution. Although coercion and manipulation
may be used, they should be used on rare occasions and only when the consequences
of these approaches have been thoroughly anticipated. Answers a. & d. list
negotiation, which can raise these same issues if not managed properly. In
negotiation, if one side feels like they have lost, then resentment will be a
consequence, which may impact the success of the objective. Answer b. lists
items that require less caution than answer c. These caution areas may be used,
but with a specific, not arbitrary, purpose.

154. There are a number of advantages in the monitoring of Key Risk Indicators. One
of these advantages is that Key Risk Indicators can provide an indication of the
achievement of the risk appetite and tolerance. Another advantage of constant
monitoring of Key Risk Indicators is:

a. they can provide an early warning system
b. they do not require an action plan to adjust for identified risk
c. they can help to provide an opportunity for adjustment
d. they can provide an early warning system so preventive controls may
be implemented appropriately

Answer d. is the correct answer. Answers a. & c. list incomplete statements.
They do not state the purpose of an early warning system and adjustment.
Answer b. lists an item that is contrary to the entire risk management philosophy.
Most controls, especially monitoring controls, require two parts to be effective.
These parts are: 1) a noun, which is the physical monitoring tool, and 2) a verb,
which is the action taken on what is monitored. Particularly with a monitoring
control, a noun without a verb is not adequate.


155. How long after a self-assessment workshop should an internal auditor who
participated in a self-assessment workshop conduct a follow-up audit?

a. never
b. when requested and agreed upon between the CAE and the process owner
senior management
c. generally between 6 and 12 months
d. it depends on the severity of the issues identified and discussed in the
workshop

Answer a. is the correct answer. The question is very specific. It is not
appropriate for an auditor who participated in a self-assessment workshop to
conduct any follow-up audit of the department or process involved in discussion
in that workshop. A different auditor should conduct any follow-up audit.
Answers b. & d. can be eliminated as a different auditor should conduct any
follow-up audit regardless of time after a self-assessment workshop is conducted.
Answer c. is not correct because a specific time for follow-up audits is probably
not appropriate in all cases.

156. The facilitator of a self-assessment project must outline the rules of the workshop
before the workshop actually begins. What are two of the most important rules to be
communicated by the facilitator, in a general business workshop, before the actual
workshop begins?

a. when the workshop will begin and end as well as how agreement will be
reached
b. who will be expected to attend each workshop meeting as well as how the
report will be drafted and distributed
c. how the report will be distributed and how fraud, security, or propriety issues
will be discussed
d. how agreement will be reached and that fraud, security, or propriety
issues will not be discussed

Answer d. is the correct answer. These are the two most important things that
everyone participating must understand and agree with before the self-
assessment project meeting begins. Answers a., b. & c. list items that must be
outlined.


157. The word evidence is often mistakenly only associated with fraudulent or
wrongdoing activities. This is not always the case. Evidence developed in the risk and
control assessment process can be an effective guide for the appropriate application of
risk identification, risk management, risk prioritization, and application of appropriate
controls. Which type of evidence would most likely be associated with a Delphi
Technique risk assessment?

a. sufficient evidence
b. opinion evidence
c. relevant evidence
d. circumstantial evidence

Answer b. is the correct answer. The Delphi Technique incorporates a group of
subject matter experts to openly discuss the issues at hand. In many cases, this
open discussion is that of the opinion of the subject matter experts. Answer a.
lists sufficient evidence, a component of evidence that simply means that the
evidence was complete enough to satisfy the needs of those requiring the
evidence. Answer c. lists relevant evidence, which is also a component of
evidence and means that the evidence was relevant to the conversation. Answer
d. lists circumstantial evidence, which is not substantial enough to support a fact.
By itself, circumstantial evidence is not adequate to support a conclusion.

158. How many questions should be included in a typical risk and control questionnaire
or survey?

a. the maximum number possible
b. the minimum number necessary
c. only a few, for introduction and personal purposes
d. generally no more than two or three pages maximum

Answer b. is the correct answer. It is wise to keep the questionnaire or survey to
a minimum, with an easy to read type size. Generally, two or three pages are a good
idea. Additional questionnaires can always be sent (just do not overburden the
recipients with repeated surveys - use common sense). Sometimes an initial
survey, followed by meetings or interviews where additional information can
be obtained to supplement the questionnaire or survey, will facilitate a follow-up
questionnaire or survey. Answer a. lists an item that is not a wise choice, as
keeping it small and simple (especially with initial questionnaires) is probably the
best approach. Answer c. lists an item that may or may not be appropriate. In
many cases, obtaining introduction and personal information may not be
appropriate. Answer d. lists using a specific number of pages. The size of the
questionnaire or survey should not be determined by page count but by the
purpose of the questionnaire and the audience. Page count may be a
consideration but should not be the main consideration.


159. Which type of risk is most representative of a lack of harmony of employees working
together for a common goal?

a. communications risk
b. strategic risk
c. environmental risk
d. information & technology risk

Answer b. is the correct answer. This is a definition question. The definition of
strategic risk is described in the question. Answer a. lists communications risk, which
is the lack of communications among employees at all levels. It does not
necessarily mean that they are not working toward a common goal. Answer c. lists
environmental risk, which is not relevant to this question. This type of risk is
non-compliance with environmental laws and regulations. Answer d. lists information
technology risk. This type of risk results from the inability of information technology
systems to provide appropriate, accurate, secure, and timely information to those
who need it. This risk is also not relevant to this question.

160. Internal auditor-consultants have a unique knowledge and experience about
corporate governance. Therefore, it is advisable, and may even be legally required in
some cases, that organizations incorporate this expertise and knowledge within their
organizations. This knowledge and experience is a specialty of internal
auditor-consultants. With this knowledge and experience at their immediate disposal, what
should be the ultimate objective of internal auditor-consultants in relation to their
clients?

a. maintain this expertise and knowledge within this specialty group
b. develop a scheduled internal control review program
c. provide scheduled and periodic reviews of processes, depending on risk
d. assist process owners to assume their own risk and control
management with advice from internal auditor-consultants

Answer d. is the correct answer. The ultimate objective of internal
auditor-consultants is to assist process owners with the knowledge and tools necessary
for the process owners to address and manage their own risk and control issues.
It is unlikely that risk and control specialists will be less busy because they have
migrated responsibility of risk and control management to process owners.
Answers a., b. & c. list opposites of the ultimate objective.


161. Less than perfect knowledge about current or pending circumstances in a process
is a challenge that process owners address every day. This situation is best defined as
what type of risk?

a. probabilistic risk
b. environmental risk
c. external risk, the impact from external uncontrollable sources
d. inherent risk

Answer a. is the correct answer. This is a definition question. The definition of
probabilistic risk is described in the first sentence of the question. Answer b. lists
environmental risk, which is the risk of not complying with environmental laws and
regulations. Answer c. lists a partial definition of external risk. This may be a
consideration as an answer because it implies unknown risk, which is also implied
in the question. However, answer c. is only considering external issues, whereas
probabilistic risk may consider both internal and external risk. Answer d. lists
inherent risk, which is the risk of putting assets to work.

162. An internal auditor has just completed an audit of a warehouse, which contained
valuable material. It was found that the warehouse access was not secured. What
would be an appropriate recommendation, in the audit report, to secure the warehouse
access?

a. place a guard at the access door with a log book to record the time and date
of who entered and exited
b. obtain a key access pass thru lock in the door hardware section at the
hardware store across the street and install it on the access door
c. install video cameras so as to monitor who enters and exits and the time and
date of access and exit
d. provide a mechanism that will physically secure the access door with
monitoring and recording the date, time, and name of who entered and
exited

Answer d. is the correct answer. Answer d. describes the overall objective. There
are a number of mechanisms and devices that will achieve this objective. It will be
up to the process owner to satisfy this objective and decide on a guard, a log, a
camera, a lock, other devices, or combination of these. Answers a., b. & c.
describe actions that are too specific. Some guidance from the internal auditor
may be necessary for acceptance of adequate devices. An internal auditor,
providing internal audit services and possibly even consulting services, should
not be that specific.


163. A senior manager responsible for all warehouse operations has asked the internal
auditor (a one-auditor organization) to consult with that department to develop new
inventory control policies. As part of regulatory requirements, this auditor must conduct
an inventory audit within this warehouse department twice a year. The auditor’s
response to the manager should be:

a. review the consulting guidelines of the audit department with the manager
b. suggest that they schedule a start time to begin work on the policies
c. suggest that the external auditors conduct the inventory and the internal
auditor will work on the policy
d. suggest that an outside consultant help with the policy development

Answer d. is correct and the best answer. Answer a. describes an action that is
too general a response for the question. There is no mention of what the
guidelines are. Answer b. can be eliminated quickly because the auditor will still have
to conduct the inventory audit. Developing a policy and then auditing the policy is
not the best approach for an auditor. Answer c. lists an action that may not be
appropriate because the question indicates that it is a requirement that the
internal auditor conduct the inventory audit. Be careful of assuming anything
when reading the answers.

164. Why would it be necessary for an internal auditor or risk and control specialist to be
a team participant on a self-assessment project?

a. because, of all the participants, they would have the only understanding of
risk and control management
b. because they would be the facilitator of the workshop
c. it is not necessary
d. it is important that they are always in attendance to make sure controls are
addressed adequately

Answer c. is the correct answer. Answer a. can be eliminated because an
advantage of self-assessment is that the participants, from prior or current training,
will develop an understanding of risk and control management. Answer b. can be
eliminated because, although the professionals mentioned in the question may be
acting as a facilitator in the workshop, the question asks about a team participant,
not the facilitator. These professionals can act in either the role of a team
participant or a facilitator, but not both at the same time. The facilitator should not
actively participate in team discussions. They should facilitate the conversation.
Answer d. can be eliminated because they do not always need to be in attendance.
The reverse of this answer is answer c., the correct answer.


165. Which combination of evidence is most related to each other?

a. primary evidence and corroborative evidence
b. secondary evidence and conclusive evidence
c. secondary evidence and opinion evidence
d. primary evidence and documentary evidence

Answer d. is the correct answer. Primary evidence is generally original
documents. This is the strongest type of evidence. Documentary evidence is
documents that are related to the process being examined. Answer a. can be
eliminated. Although primary is a strong type of evidence, corroborative evidence
needs something else as a comparison. Answer b. can be eliminated. Although
conclusive evidence is strong, answer b. also lists secondary evidence, which is
weaker than primary evidence. This combination would or could add some
question into the validity of the conclusive evidence. One way to validate the
conclusive evidence would be to employ corroborative evidence (some original
documentation or other validation) to validate the conclusive evidence.
Answer c. can be eliminated. It is probably the weakest of all the answers.
Secondary evidence with some validity would now lose that validity with weak
opinion evidence.

166. Self-assessment projects typically utilize two main tools. They are the facilitated
workshop and questionnaires. When should questionnaires, in a self-assessment
project, be used as a primary tool?

a. always since they work well in conjunction with other tools
b. when an assessment from a large group is needed
c. never because they eliminate the body language element of communications
d. only if they can gather all of the information necessary

Answer b. is the correct answer. There are two ways to identify the correct
answer. The first is to realize that questionnaires can be a useful tool when trying
to obtain an assessment from a large group or when it is impractical to physically
interact with all the participants. This could be because of physical constraints
such as budget, location, time, or other logistics. The second way to arrive at the
correct answer is to eliminate the remaining answers. Answers a., c. & d. can be
eliminated because of the words “always”, “never”, and “only”. Questionnaires
are a tool. They can be developed in various formats and for various purposes.
They may or may not be used with other tools. They may or may not be used at
all.


167. A newly-assigned operations manager of a multinational corporation manufacturing
facility is attempting to develop Key Risk Indicators (KRI) for multiple processes. As
such, this operations manager should make sure that which of the following is always
included when developing these KRI indexes?

a. the different stakeholders of the organization
b. choose highly relevant indicators with a high probability of predicting risks
c. make a balanced set of risk indicators
d. none of the above

Answer d. is the correct answer. Answers a., b. & c. list very appropriate items for
process owner consideration when developing KRIs. However, the question asks
what should always be considered. A major consideration, which none of the answers
list, is to understand the business situation and environment. Then develop KRIs
and adjust them, using such things as the answers list, to fit the specific
business situation. Risk assessment is not the same in all situations.

168. Developing collaboration and sharing of ideas among risk and control specialists
and process owners can have a tremendous benefit to a process. The adequate
management of internal and emerging risks can contribute greatly to the necessary
compliance and success of a process. The amount of time for the benefits to be realized
may vary depending on each specific situation. However, over time a collaborative risk
and control scheme may help reduce actual risks by less intrusive methods such as
directed internal and external audits. These can be of particular importance in
highly-integrated, interrelated, and diverse organizations. Organizations that are ultra-flexible
in order to rapidly change products and services are defined as:

a. a company heavily reliant on electronic networking
b. a value-based organization
c. a diversified & recurring revenue stream organization
d. a consumer time value organization

Answer c. is the correct answer. This is a direct definition question. There is
substantial information provided in the actual question. Most of the information
provided in the question is actually true but has little or nothing to do with the
actual question. Be careful of extra words in the question. The wording may
sound good but may not be relevant to the actual question. Answers a., b. & d.
are not correct. The second to last sentence begins to include some information
about the actual question, which is in the very last sentence. Remember, when a
question contains substantial wording, find the actual question statement. It is
generally near the end of the wording. Answer the question statement with the
best answer of those provided.


169. Providing consulting and self-assessment can be a new approach to risk and
control management for both the client and the risk and control specialists. These new
approaches may require a change in thinking for all involved. What is the most
significant reason why humans do not like to change?

a. they do not want to take on the effort
b. all of these answers
c. they fear losing something
d. they believe the change does not make sense

Answer b. is the correct answer. Answers a., c. & d. list reasons why humans do
not like to change from their comfort zone to a new zone. Hence, all of these
answers should be considered and addressed when a change agent (risk and
control specialists) is trying to implement something new (change).

170. A discussion at a Board of Directors meeting in a large and growing multinational
corporation that has recently further expanded into new international markets has
become focused on who primarily owns and has responsibility for internal controls. This
corporation traditionally has had fragmentation and ownership issues. Specifically,
process owners take seriously ownership of their areas of responsibility and tend not to
share information or synergize with other process owners. In this case, who would be
primarily responsible for the ownership of internal controls within the company?

a. The Board of Directors has this primary responsibility of internal controls in
this situation
b. every employee
c. the managers of the processes should take ownership and share their
perspectives with other process owners
d. the executive managers should take ownership and remove the ownership
barriers to improve communications

Answer b. is the correct answer. Although there are some communications
issues, the responsibility for ownership of internal controls should reside with
every employee. Answer a. is not correct. The Board of Directors should provide
oversight of internal controls, but they are not the only group responsible for the
ownership of internal controls. Answers c. & d. list communications issues that
should be addressed by the managers. Weaknesses in teamwork and
communications can be a weakness in internal controls itself and can generate
risk.


171. The self-assessment process can improve processes in a number of ways. What
is the most important benefit of self-assessment?

a. it helps develop an integrated control model
b. it helps build a relationship among process owners
c. it helps with the appropriate analysis and reporting of controls
d. it encourages internal auditors to obtain facilitator training

Answer c. is the best answer. Answer c. lists a definite benefit of self-assessment
and is the best description of a benefit among the answers provided. The question
asks for the most important benefit. Answers a., b. & d. list very general
statements that possibly could be benefits of a self-assessment process.
However, they are very general statements and may require some interpretation to
be recognized as a benefit in all cases.

172. Conducting an internal audit can be extensive depending on the complexity of the
process, the politics of the process staff, and the audit staff itself. However, even as the
audit is brought to conclusion, with professional and satisfactory results, all of this
professional effort can be lost if the concerns identified during the audit are not reported
or communicated effectively. The objective of the audit is to motivate the reader or
readers of reports to correct the issues identified during the audit. Which of the following
would be the most effective way an auditor could motivate the readers?

a. present a clear, concise audit report with adequate evidence to support the
findings and concerns
b. present an oral presentation of the concerns to upper-level management
c. present the concerns to lower-level management, then to upper-level
management
d. present all the levels of detail to lower-level management and upper-level
management

Answer c. is the correct answer. Answer a. could be considered as the correct
answer. However, answer c. is more specific about how this would be presented.
Answer b. does not address the need to include lower-level management. With
some exceptions, it is best to open the audit from the top down (higher levels) and
close from the bottom up (lower levels). By working with the lower-level
management and motivating them first, they will in turn help motivate the upper-
level management. This is also professional courtesy. One exception
might be a fraud case. In that case, it may be appropriate to work with high-
level management and not the lower-level management. This depends on the
specifics of the fraud situation. Answer d. could probably be eliminated quickly
because it would probably not be necessary to present all of the details of the
audit. Doing this could be overwhelming and intimidating. It would probably be
more appropriate to present an adequate amount of information to convince the
process owners to address the issues. Remember, the purpose is to motivate the
reader or readers of reports to action.


173. Process owners attending a self-assessment workshop for the first time may
require some pre-workshop training that should include:

a. all of these answers
b. self-assessment overview
c. risk overview
d. control overview

Answer a. is the correct answer. Depending on the prior experience of the
process owners in these topics and their level in management, these topics should
be presented appropriately to the potential workshop participants. Answers b., c.
& d. list items that will facilitate a successful self-assessment workshop.

174. Which of the following is the best example of risks that business process owners
must manage but have little control of when the risk will occur or the impact of the risk?

a. new employees
b. changes in socially accepted norms
c. changes in process IT systems
d. an increase in required security

Answer b. is the correct answer. This is an example of an external risk. A simple
definition of external risk is that risk which process owners must consider and
manage but will have little control of when those risks will occur or the impact of
those risks. Answers a., c. & d. list examples of internal risks.


175. The generally accepted elements of reporting a finding are the condition, the criteria,
the cause, the effect, and the recommendation. It is important with the contemporary
reporting approach that internal auditors or reviewers try to identify and recommend
corrective action for the actual root cause of the issues they have identified. Therefore,
in reference to the root cause, the review or audit should:

a. identify the root cause when it is feasible
b. always identify the root cause
c. never identify the root cause since this is management’s responsibility
d. only identify the root cause of the most significant issues

Answer a. is the correct answer. Answers b. & c. can be eliminated quickly
because of the words “always” and “never”. Reading and understanding the
information in the question actually can eliminate these answers. Answer d. is not
appropriate because the root cause should be considered for identification and
identified when possible for all findings. However, there is some judgment that
must be considered as well. The auditor or reviewer should decide if the effort to
identify the root cause is worthwhile. Remember, identifying the root cause is an
audit or review action. Audit or review actions are controls. Controls should be
driven by the apparent risk. Therefore, for a very insignificant or low risk concern
the auditor or reviewer may decide not to pursue the root cause, although there may
be cases where a low risk concern could still be worthy of a root cause analysis.
Judgment is required in the situation. Hence, answer a. is the best answer.

176. Because much of the body language of communications is eliminated with
questionnaires, developing risk and control questionnaires can be a challenge unto itself.
A primary consideration when developing a survey is to maintain a clear focus on the
objective of the questionnaire. What is another important consideration when
developing a questionnaire?

a. all of these answers
b. avoid controversial words
c. make it easy for the buyer to buy
d. use a level of content appropriate for the respondent

Answer a. is the correct answer. Answers b., c. & d. list important considerations
when developing a questionnaire. Remember that some words may be
controversial for some people and not for others. It is best to avoid any words
that may be controversial. Answer c. lists a concept from sales techniques. The
respondent is the buyer. Do not make the buyer work to interpret or answer the
questions in the questionnaire. Keep the questionnaire simple. Understand the
recipients’ knowledge and background. Use terms appropriate for the recipients.


177. A multinational corporation whose reputation is critical not only to the corporation
but to the world economy is about to perform a risk assessment to manage its
reputational risk. The least concern of this risk assessment process in this company
should be:

a. the timing of the risk occurrence
b. the impact of the risk occurrences
c. the probability of risk occurrences
d. the cost-benefit of the cost of controls vs. the risk

Answer d. is the correct answer. The key words in the question are “the least
concern”. In addition, the question states that the reputation is most important to
the corporation as well as the world economy. This means that, no matter what
the cost, that reputational risk should be managed. In most other situations, the
cost-benefit would be a primary factor of consideration. However, in some
extraordinary circumstances, cost-benefit is ignored and the risk must be
managed no matter what the cost. Another such situation could be a life threatening
situation. Again, the cost of managing the risk may be a lesser consideration than
in normal circumstances. These types of risk assessments should be the
exception rather than the rule and should be conscious decisions. Answers a., b.
& c. list items that are of greater concern than cost-benefit in this situation.

178. An internal auditor who participated in a self-assessment workshop was asked by
the team leader to design and write the self-assessment report. As such, who will have
final responsibility and ownership of the report?

a. the workshop
b. the internal auditor who wrote the report because it is not a formal audit report
c. the self-assessment team leader
d. the internal audit department

Answer a. is the correct answer. Sometimes a participating internal auditor (either
as a voting member or facilitator) will be asked to draft and write the self-
assessment report. This is because of internal audit’s real or perceived
experience in developing reports. However, any self-assessment report, unless
specifically requested otherwise, is a product of the workshop team. Although an
internal auditor may draft and even write the report, the distribution, content,
format, ownership, and responsibility for the report are those of the workshop team.
Hence, answers b., c. & d. can be eliminated.


179. Generally there are three considerations when identifying risk. They are exposure
analysis, environmental analysis, and threat scenarios. Which one of these three
considerations would not be appropriate when conducting a risk identification process?

a. exposure analysis
b. environmental analysis
c. threat scenario
d. none of these

Answer d. is the correct answer. Answers a., b. & c. are viable risk identification
models. Utilizing any one of these individually or in some combination depends
upon the probability and impact of the risk situation, the process where the risk is
to be identified, and the timing of the impact of the potential risk.

180. In terms of control(s) where can self-assessment provide a particular advantage?

a. physical security
b. attitude and morale
c. the development of policies and procedures
d. the correction of fraud or inappropriate acts

Answer b. is the correct answer. Attitude and morale are considered soft
controls. Answers a., c. & d. list items that are considered hard controls. A note
with answer d. is that fraud and inappropriate acts should not be discussed in a
general business self-assessment. A special self-assessment for that specific
purpose would be more appropriate. Discussion in self-assessment workshops
helps to address soft issues, controls, or risks. Remember that poor attitude or
morale is actually a risk.


181. Employees are considered assets, or at least should be considered assets, in an
organization. Putting these assets to work is most represented by what term:

a. human risk
b. communications risk
c. inherent risk
d. union risk

Answer c. is the correct answer. Inherent risk is the risk of putting assets to work.
These assets can be employees or other assets such as inventory, plant and
equipment, or technology. Now there is some debate over this term inherent risk.
One definition is that described here. Another definition is that inherent risk is
that risk which is apparent after all controls have been removed from the process.
This is not to debate which definition is correct, but to point out a trap: make
sure that everyone involved in any conversation utilizing the term inherent risk is
using the same definition. Answer a. lists human risk, which is the issues relative
to people and the interaction among people. Answer b. lists communication risk,
which is risk caused as a result of inappropriate or inadequate communications
among people. Answer d. lists union risk, which is risk resulting from the influences
and relationship between process owners and respective unions. In the case
of the question, putting employees to work, as a general statement, may or may not
involve unions.

182. With a contemporary view of corporate governance, professional internal auditors-
consultants need to practice salesmanship. The products these professionals are selling
include the philosophy and concepts of risk and control management (corporate
governance). Internal auditors-consultants are, or should be, selling these concepts to
process owners with the intent that the process owners will take some or an increased
responsibility for their own corporate governance. How should these professionals
deliver this message?

a. in such a way that the process owners will embrace the concepts
b. conduct corporate governance presentations at the higher levels and then
work down to the lower levels as appropriate
c. dictate the consequences of not implementing an adequate corporate
governance scheme
d. develop a risk and control training program appropriate for each specific
audience

Answer a. is the correct and best answer. Answers b. & d. could be a
consideration. However, they would probably be best implemented after some
conscious consideration of the audience. Answer c. can and should be quickly
eliminated. Dictating is not effective in selling concepts and securing a sincere
belief in a topic. Answer a. is a broad statement, which implies addressing all
situations. The ultimate objective is to have the process owners embrace and
sincerely believe in the concepts. Without this sincerity, any implementation of
the concepts will be short-lived.


183. The Enterprise Risk Management (ERM) model is an expanded and enhanced
model of COSO and other previously developed integrated control models. Like the
previously developed models, ERM was developed and implemented as a reactionary
control tool. ERM includes a larger number and many more detailed components and
control objectives than COSO and previous models. As a result, ERM:

a. as a tool by itself can identify controls to rectify all risks
b. is not the only element necessary to rectify control weaknesses
c. in combination with other control models can rectify all control weaknesses
d. using the strategic management element contained in the model can adjust
for all future and external risks

Answer b. is the correct answer. Answers a., c. & d. could probably be eliminated
quickly because of the word “all”. It is a rare occurrence where anything can
eliminate all of the risks. ERM, like any of the other control models, is only a tool.
Human intervention is a key element in the interpretation and analysis of the data
incorporated into these models. Human subjectivity, opinion, and objectivity
should be a major part of the use of these models.

184. Because of an increasing number of laws and regulations added to the increased
responsibility of the Board of Directors of a large manufacturing company, the Board of
Directors has become concerned about compliance. Consequently, they have created a
team of internal auditors, risk and control specialists, process owners, and legal
professionals to review and ensure that the controls are in place to ensure compliance.
The Board of Directors has asked this team of professionals to review and suggest
improvements in the control scheme of all the processes and sub-processes as well as the
interrelation among these process units. This is a complex company with multi-level,
multi-functional, and multi-geographic implications. What should be the primary and
clear focus of this professional team to address the adequacy of controls in these
processes?

a. the adequacy of controls
b. the immediate status of controls
c. the long-term need for controls
d. answers b. & c.

Answer d. is the correct answer. It would be wise for this team to review and
determine the adequacy of controls as they relate to the current environment.
However, process improvement is not only looking at the current situation.
Today’s business, as implied in the question, is constantly changing.
Therefore, process improvement requires an assessment of the current control
situation as well as an anticipation of future control needs. An effective and
continuous process improvement scheme requires constantly changing risk and
control management. Answer a. is too general.
Read the entire set of answers because some questions have answers that are
combinations of answers.


185. Risk is a measure of the uncertainty in events as a result of changes in the
condition of the business environment. The focus of management is how to address the
consequences of the risk. In terms of impact, which of the following would have more of
an impact than the others?

a. the type of threat
b. duration of the consequences
c. the effectiveness of controls
d. the assets at risk

Answer b. is the correct answer. The duration of the consequences of the risk
event occurring is the most significant of the answers. The duration of that threat,
depending on the length of time that the threat occurred, could have a more
significant impact on the consequences than the other answers. Answers a., c. &
d. list items that would all have impacts less than the duration of consequences.

186. When developing a questionnaire it is most important to:

a. repeat the questions
b. not overload the recipient
c. ask for general information first like organization, department, location
d. develop the questionnaire on a few pages but for the purpose of space
incorporate multiple questions into one question

Answer b. is the correct answer. Answers a., c. & d. list other important
considerations when developing a questionnaire. Many times questionnaires
contain many pages, many questions, and small print. These types of
questionnaires are generally ineffective. Most readers will lose interest after a few
questions. Hence, answers to many questions become just random selections.
As a result, the conclusions drawn from the questionnaire become inaccurate.
Keep the questionnaire simple, containing a few pages, readable type size, and
one question at a time. Remember there are two objectives of questionnaires.
The first objective is to increase the number of responses. The second objective
is to increase the accuracy of the answers. Keep the questions simple and
address one question at a time. With multiple questions incorporated into one
question and only one answer choice, which question would be answered? It is
also wise, unless it is absolutely necessary, not to ask for personal information such
as name, department, and organization. Anonymity is often an important
consideration with questionnaires. Once the perception of anonymity is broken,
the credibility of the questionnaires will be compromised.


187. The Delphi Technique, in risk evaluation, is a tool that is most similar to:

a. a financial transaction analysis
b. a self-assessment
c. a process compliance analysis
d. an income balance sheet reconciliation

Answer b. is the correct answer. The purpose of a Delphi Technique is to
minimize any bias in a risk assessment. Consequently, this tool will help enhance
objectivity and subjectivity in the risk assessment. The tool functions by
including a group of subject matter experts and stimulating a candid discussion
about the risk or risks of concern. With everyone respecting each other’s ideas
and opinions, the final outcome decision on the potential risk is much more
objective. This is very similar to a risk self-assessment effort. The remaining
answers are more or less random phrases. Answers a. & d. especially focus on
finances. The question asks about operations. So these answers could probably
be eliminated quickly. Answer c. lists a tool used for compliance issues. This is
more specific than operations in general.

188. The manager of the risk and control review team requested that team members
quantify the concerns or findings in their reports in monetary value, numbers, or
percentages. What are the primary advantages and disadvantages of these types
of quantifications?

a. they provide specific evidence – they can be hard to dispute
b. they get attention – they can become the primary focus
c. they provide support for the conclusion – they get attention
d. they are not specific – they may not be correct

Answer b. is the correct answer. These types of quantifications get attention.
Auditors, or risk and control review specialists, should begin to develop these
types of notations during the field work. The negative part of this is that the
quantifications can become the primary focus of attention. In some cases, this
may be good. However, addressing weaknesses in controls that may have
allowed the quantifications to materialize may be overlooked because the
attention is focused on the quantification of what happened, hence not correcting
the issue in the future. Answer a. is not correct because, given the assumptions
required, it is possible that the quantification may not be correct. Answer c. lists two
advantages but no disadvantage as the question asks. Answer d. is only partly
true in that they may not be correct. The first part of the answer is just a random
phrase.


189. Three common approaches when performing a risk assessment are calculating the
risk factors, using historical data, and subjective analysis. Which of the following would
be the best approach when conducting a risk assessment of the operations in a
process?

a. multiplying the probability times the impact times the time to determine the
annual loss expectancy
b. conducting a risk self-assessment to discuss a subjective and objective view
of the potential risk
c. reviewing industry historical risk events
d. none of the above

Answer d. is the correct answer. This question and the answers may require
some thought. Answers a., b. & c. list good approaches to risk assessment.
However, the question asks for the “best approach”. The best approach is a
combination of all of these answers. This is especially true when the question
asks about a risk assessment in the operations component of the process. A risk
assessment in operations would be wide-spread in perspective. Answer a.
describes using the numbers alone, which would not be enough. Answer b. describes an
approach that is important in any risk assessment. Hence, of the three
approaches, answer b. would probably be the most important. The depth of this
would be dependent upon each situation. The approach in answer c. would probably
have little or no impact.

190. What is the primary component of a self-assessment project?

a. identify if the objectives of the process are adequate and working
b. identify and take action on the issues identified
c. identify if the controls of the process are adequate, appropriate, and working
d. identify any risks or issues that may impede the accomplishment of process
objectives

Answer b. is the correct answer. This question sounds simple, but the answers
can cause some debate and may require some extra thought. The question asks
for the primary component. That means that there might be more than one good
answer. The correct answer is the best or most important of the good answers.
Do not answer too quickly. Answers a., c. & d. list components of a self-assessment
project. However, if all of these are accomplished and no appropriate action is
taken, then the self-assessment project will be a waste of time.


191. What type of risk best describes a risk that will require additional control
considerations?

a. service
b. reputation
c. outsourcing
d. residual

Answer d. is the correct answer. Residual risk is the remaining risk after
management’s response to risk by the addition of adequate and appropriate
controls. This implies that some risk had been addressed by internal controls but
not all risk was controlled. So either this residual risk is being accepted or it will
require additional application of controls. In either case, this is an additional
control consideration. Answers a. & b. list risks that can be controlled by
providing services that are viewed by customers and potential customers as
excellent. Answer c. lists outsourcing risk, the risk that the outsourced vendor
provides inferior quality products or services. This results in increased negative
reputation for both the outsourced vendor as well as the organization doing the
outsourcing. This can be controlled to some degree by selecting the best
outsourcing partner, using more than one supplier, and carefully developing
contracts with legal support. Reading the question is important. The question
asks for additional control considerations. This implies that control
considerations had already been applied but more may be needed. The remaining
answers do not imply that any control considerations were applied at all.

192. A SWOT analysis is a tool that would have a most applicable use:

a. in a risk assessment
b. in a feasibility assessment
c. in a control adequacy assessment
d. in a financial compliance assessment

Answer b. is the correct answer. A SWOT analysis tool is most applicable when
analyzing the feasibility of proceeding or not proceeding with a project. The
SWOT, through discussion by a group of subject matter experts, identifies the
Strengths, Weaknesses, Opportunities, and Threats of the proposed project. For
example, what are the Strengths, Weaknesses, Opportunities, and Threats of
making a substantial investment in a new facility? Answers a., c. & d. list items
where SWOT might have a use. Answer b. lists feasibility analysis, where SWOT
would almost always be an applicable tool.


193. It is important to understand the management style of the process owners where a
self-assessment is planned. Which management style would be most conducive to a
successful self-assessment?

a. autocratic
b. custodial
c. management by objectives
d. collegial

Answer d. is the correct answer. A collegial management style is founded on
teamwork. The manager is often part of the team instead of a superior. The
results can be self-discipline, responsibility, and self-fulfillment. In order for a
self-assessment project to succeed, the team, including management, must be
open and candid with each other and be willing to discuss openly issues and
concerns without fear of reprisal. Answer a. lists an autocratic management style,
which is just the opposite of collegiality. In this case, the manager-superior has
total control of the subordinates. Decisions are made by the manager, and
responsibility is in the hands of the manager as well. Hence, open discussion by
subordinates in a self-assessment workshop would not work. Answer b. lists a
custodial style, an environment where everyone in the workplace is happy.
The thought was that if everyone was happy, productivity would increase. This was
popular in the 1930s but never really progressed to any degree. Answer c. lists
management by objectives (MBO), which involves an interaction between managers
and subordinates to jointly plan objectives. MBO does not necessarily stimulate
an open and candid environment.

194. What is the main focus of a self-assessment activity on a project?

a. gather a team of subject matter experts to discuss issues
b. identify issues and address measures to address the issues
c. gather subject matter experts from every process to get the broadest input
d. all of these answer choices

Answer b. is the correct answer. Answer a. is very general and does not indicate what
issues will be discussed. Answer c. implies subject matter experts from every
process. A self-assessment project should be kept to the least number of subject
matter experts that would be necessary to accomplish the objective. The more
participants are in attendance, the more complex the process becomes, and the
less likely anything productive will be accomplished. Answer d. is not correct because
answer b. is correct.


195. The Public Company Accounting Oversight Board was initiated after Sarbanes-
Oxley. As with anything, the laws and regulations for business are improved with new
laws and regulations. ISO 31000 is one of the most recent such documents. The
purpose of ISO 31000 is to:

a. provide a standardized international risk and control philosophy
b. enhance the integration of ERM and COSO
c. provide an integration vehicle to incorporate existing models
d. strengthen existing financial and banking regulations

Answer a. is the correct answer. Answers b. & c. just list random statements.
Answer d. describes the new Basel III model.

196. Written reporting of risk and control concerns will help ensure more comprehensive
risk assessments than undocumented reports. In addition, written reporting can become
a management tool facilitating management decisions. How many written reports should
be presented in a typical internal audit?

a. one final report with distribution as required in the internal audit charter
b. two reports consisting of one with an executive summary for high-level
management and one more detailed for the individual process owners
c. two reports consisting of one with an executive summary and one interim
detailed report for line management
d. as many informal and formal reports as is necessary to motivate
management to address the issues

Answer d. is the correct answer. Answers a., b. & c. may appear correct and may
actually be part of some internal policy for reporting. However, they may only be
effective in some situations. There should be flexibility in reporting. The delivery
of reports should be a combination of verbal reports, formal written reports, and
informal reports. There should be no surprises in the last and final report.
Management should already know what the issues are and hopefully are already
addressing them before the final report is published. Interim status reports are
very appropriate. The detail and frequency of reports, and to whom they are delivered,
should depend upon the complexity of the audit and the involved
management style or politics.


197. COSO, ERM, CoCo, and other control models have one main common element.
What is the main common element integrated within all of these models?

a. strategic planning
b. action
c. integration
d. a feedback mechanism

Answer c. is the correct answer. This is actually given in the question itself. So
sometimes, it is wise to look at the obvious. Do not disregard something because
it appears in the question. Sometimes the answer to the question is in the
question. Answer a. lists strategic planning that is specifically mentioned only in
ERM. Answers b. & d. list action and a feedback mechanism that are specifically
mentioned in CoCo. The commonality of all of these models is that they
encourage the integration of multiple dimensions of a process.

198. It is most important that internal auditors, who are a control by their very
existence, include some subjectivity, some objectivity, and human thought when
performing a risk assessment. It is still important to utilize and understand the
available risk assessment mathematical formulas. What mathematical risk assessment
formula would most represent the situation when internal audit did not provide an
adequate or complete appraisal or report to management?

a. annualized loss expectancy
b. absolute ranking
c. modified annual loss expectancy
d. relative ranking or matrix model

Answer c. is the correct answer. One of the components of the modified annual
loss expectancy is the probability of a control failure. Internal audit is a control by
its very nature and existence. In this case, that control did not work as intended.
The actual formula that specifically includes audit risk (internal audit not
functioning as intended) is the direct probability estimate formula. However, this
formula is not included in the answers. Hence, the next best thing to recognize a
control failure from the answers given is answer c. Answers a. & b. list the same
formula with different names. Answer d. lists a method that groups risks and
represents them on a matrix often by category of high, medium, and low and by
color green, yellow, and red.

199. Internal auditors acting as consultants would provide the most benefit to a process
owner if they explained:

a. the concepts of risk to the process owner
b. the concepts of external risk to the process owner
c. the concept and relationship of risk and controls to the process owner
d. the concept of controls to the process owner

The correct answer is b. Answers a., c. & d. list items that would all be useful and
helpful information for any process owner. However, the most beneficial
information would be providing an understanding of external (or so called
emerging) risks. Most process owners have a lesser understanding of external
risk than they do of general risk concepts. As a result, external risks are generally
not managed as well as they should be.

200. Generally speaking where could an internal auditor provide the most
understanding of risk for process owners?

a. all of these answers
b. strategic management & external risk
c. general risk
d. risk appetite

Answer b. is the correct answer. Strategic management and external risk are
similar in concept. Both have to deal with the positive impacts, negative impacts,
and external forces (external risks). Generally, many process owners have a
lesser understanding of external risks than of internal risks. However, external
risk can have as much or more of an impact on a process than internal risks. An
increased understanding by process owners of external risks and how to manage
them is a major step to process success. Answers a., c. & d. list important items,
but answer b. lists where the internal auditor or risk and control specialist can
provide the most benefit in helping to improve process owners' risk management.

201. Some ways to manage risk are to control the risk, share the risk, or avoid the risk.
The best example of controlling a risk is:

a. not making an investment
b. purchasing catastrophic loss business insurance to manage a major disaster
c. implementing an IT system with an appropriate disaster recovery
system
d. none of these are an example to control risk

Answer c. is the correct answer. Answer a. lists an example of avoiding risk.
Answer b. lists an example of sharing risk. Since answer c. is the correct answer,
d. is not correct.

202. COSO is an integrated control model. COSO has become not only a useful tool in
the management of risks and controls but is recommended for use by some
contemporary risk and control laws and guidelines. There are five components in the
COSO model and three control objectives. Combined these can help evaluate 15
process dimensions. In addition, there are a number of subcomponents within these
components and control objectives. Tone at the Top, a crucially important
subcomponent, is one of these subcomponents. Tone at the Top is a subcomponent of
which of the COSO control objectives?

a. operations
b. compliance
c. financial
d. none of the above

Answer d. is the correct answer. Tone at the Top is not a subcomponent of the
COSO control objectives. It is part of the control environment component.
Answers a., b. & c. list control objectives not control environments.

203. Internal auditors have an opportunity to bring additional value to process owners
by providing corporate governance, consulting, and advisory services. Operating in the
consulting capacity internal auditors have a greater latitude to provide advice. When
internal auditors function as consultants they must be most aware of:

a. process owners
b. management
c. external auditors
d. perception

Answer d. is the correct and best answer. Answers a., b. & c. list important items
also requiring awareness. The perception of auditor independence and objectivity
is the important point in the question. In every capacity the internal auditor must
manage this perception.

204. Continuous monitoring of risks and controls is a key element of:

a. compliance testing
b. traditional auditing
c. assurance
d. self-assessment

Answer c. is the correct answer. Answers a. & b. list key elements of traditional
audit activities. Answer d. lists self-assessment that is a key element of
consulting activities.

205. Human risk (people risk) includes fatigue, memory lapses, inattention, collusion,
unacceptable behavior, sabotage, and negative morale. Which of the following
categories of risk is also most closely related to the human factor?

a. service risk
b. environmental risk
c. contract risk
d. communications risk

Answer d. is the correct answer. Communications risk is the result of a lack of
effective communications among employees at all levels. Answer a. lists service
risk, which is the result of providing good or poor service to a customer or client.
Answer b. lists environmental risk, which results from non-compliance with
environmental laws and regulations. Answer c. lists contract risk, which is the result
of non-compliance with the terms and conditions of agreed upon contracts.
Although all of the risks mentioned are important, they do not answer this
question. Appropriate and effective communications among employees at all
levels will help manage the human risk factors.

206. A senior Vice President has heard that the internal audit department of the
company can provide consulting services, which would replace actual internal audits.
This Vice President asked the CAE how internal audits could be replaced with an
internal audit consulting project. A most appropriate response from the CAE would most
likely be:

a. answers c. & d.
b. internal audit cannot provide consulting services but they could recommend a
group that does
c. first the consulting activity would not necessarily replace the need for actual
internal audits
d. an internal auditor would work with the vice presidents department providing
guidance and direction

Answer a. is the correct and best answer. Answer b. could probably be eliminated
quickly. Generally, contemporary internal audit departments can provide
consulting services. Answers c. & d. describe responses that, combined, would
provide a good general description of the internal audit consulting service. It is
important to inform any process owner that internal audit consulting services will
not, except in specific situations, eliminate the need for an actual internal audit.
Probably any consulting service would have a follow-up audit. Answer d. is what
the internal auditor acting in a consulting capacity would be providing.

207. Service risk and quality of product are very much related to each other. They are
both focused upon providing the best quality product or service to the customer or client.
Which of the following categories of risk would not be an ingredient of providing quality
product or service as perceived by a client?

a. contract risk
b. outsourced risk
c. marketing or sales risk
d. none of the above

Answer d. is the correct answer. Be careful of the wording. The question asks
which would not be an ingredient of providing quality. Answers a., b. & c. list
ingredients of providing quality product or service. Answer a. lists contract risk,
which can include such things as payment agreements, delivery times, quality of
services or products, and costs. Answer b. lists outsourced risk, which occurs when
the outsourced vendor provides inferior quality products or services.
Answer c. lists marketing or sales risk, which is the selling of services or products to
clients or customers with the anticipation by the clients or customers that they
will receive value for money with the perceived quality as promised in the sale.
Hence, all of the answers are relevant to providing quality products or services,
and answer d. is correct.

208. The main advantage of operational auditing as compared to more traditional
auditing is:

a. all of these answers
b. operational auditing is broader in scope and does not require detailed
analyses such as statistical sampling and analytical models
c. operational auditing can provide specific guidance to management for the
implementation of controls
d. operational auditing helps to look at the risks and controls in
interrelationships among processes

Answer d. is the correct answer. Answers b. & c. can be quickly eliminated
because they are simply not true. Hence, answer a. is eliminated. One of the
major control weaknesses in an organization is the interrelations among
individual processes. This may be in the form of weaknesses in communications;
policies and procedures; inter-organizational issues; and even management and
human issues. In any event, this is where most of the weaknesses (risks) are
prevalent. Operational auditing will assist in identifying and addressing these
weaknesses.

209. The self-assessment process is a great client-focused approach to analyze and
address risk and control issues. Because process owners are involved, the likelihood of
risk and control issues being adequately addressed increases. As such, a self-
assessment process will provide:

a. absolute risk and control assurance
b. reasonable risk and control assurance
c. process owner risk and control assurance
d. subjective risk and control assurance

Answer b. is the correct answer. Self-assessment is a control management
process. Like any other control, a control will only provide “reasonable
assurance” that all risks are addressed adequately. Hence, answer a. can be
eliminated. Answers c. & d. list just general random phrases.

210. Risk communications can best be described as:

a. developing and communicating a corporate governance philosophy
b. communicating the risk threats and controls
c. communicating a risk management philosophy
d. demonstrating high level support of the risk management philosophy

Answer b. is the correct answer. Answers a., c. & d. appear correct but they are
general answers for a specific question. Further, all of the answers except b. are
almost the same thing. Risk communications by definition is effectively
communicating to everyone the risk and threat situation and the controls to
manage them. This can include crisis management options, disaster planning,
and recovery operations plans.

211. The best involvement of corporate governance should be:

a. with process owner management
b. with the board of directors
c. with the board of directors, the executive management, the process owner
management, and the audit team
d. with everyone

Answer d. is the correct answer. Answers a., b. & c. list groups certainly
involved in corporate governance. However, all of these answers only include
management. They exclude non-management members. Everyone should be
involved in corporate governance, not just management.

212. Audit reports, as well as risk and control specialists' reports, are typically edited
multiple times by multiple levels of management before publication. This can
significantly delay the time from completion of the assessment field work to the
publication of the report. What would significantly help to decrease this editing time?

a. control the findings to the six most significant findings
b. publish an executive summary first then a more detailed report later if needed
c. decrease the number of signatures required on the report
d. peer reviews

Answer d. is the correct answer. Answer a. can be eliminated. It is not practical
to limit the number of findings based on some pre-determined criteria. Answer
b. is not really definitive. It could be appropriate to publish an executive summary
for high-level management and a detailed report for lower levels. In some cases,
these can be combined. However, this would probably not decrease the editing
time. Answer c. lists what would probably not decrease the edit time either. It
may in some cases, but not all cases. This may or may not be the reason for
substantial editing. Peer reviews of the report will be the most help to decrease
edit time. Managers edit the reports. If most of the writing and grammar issues
are addressed among peers then there will be less for the managers to edit.
Hence, the edit time is decreased.

213. A complete COSO review requires extensive resources, including time, effort to
complete, and analysis. Fraud investigations most often require swift and decisive
actions. These two statements are opposite of each other. Consequently:

a. COSO should not be used in any type of fraud work
b. COSO can be used to develop evidence and disseminate the swift and
decisive action
c. COSO should only be used as an operational internal control tool
d. COSO could be used to help prevent fraudulent acts in the future

Answer d. is the correct answer. Fraudulent or wrongdoing acts require swift and
decisive action. COSO is not the best tool to disseminate that swift and decisive
action. COSO is a long-term tool. However, COSO can be used to identify the
root cause of the fraudulent act and help to identify controls that may prevent the
recurrence of the fraudulent act. Therefore answers a. & b. are not correct.
Answer c. is not correct because, by identifying the control objectives of COSO
(Operational, Financial, and Compliance), it can be seen that COSO looks beyond
just operations.

214. Contemporary internal auditors:

a. should be comfortable with selling techniques
b. should be comfortable with financial perspectives and financial ratios
c. should be comfortable with human interactions
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. all list requirements of a
contemporary internal auditor. A contemporary internal auditor should be
comfortable evaluating the adequacy of internal controls, risks, and financial
representations. A contemporary internal auditor must also be comfortable, but
not necessarily an expert, with selling techniques and human interactions.

215. An organization’s success is most dependent upon:

a. the products or services provided
b. their overhead costs
c. their ability to deliver products or services
d. their customer-driven focus

Answer d. is the correct answer. Answers a., b. & c. list items that certainly could
have an impact on the success or failure of an organization; however, the question
asks for what success is “most dependent upon”. Answer d. indicates focus. This
means how directed the organization is to the end goal and objective. This focus
may be to provide the best product or service or to specialize in a certain product
or service. Sometimes organizations that try to provide all products to everyone
are not successful, whereas organizations that specialize and remain focused on
that specialty are successful. These organizations are good at what they do. Being
customer-driven is a key factor to organizational success. Knowing what the
customer wants and needs at any point in time is critical to success. Further, it is
important that an organization monitor and adapt to changing customer needs
quickly. Successful organizations consider their customers their most important
stakeholders.

216. The prime commonality of Basel III, COSO, CoCo, COBIT, ISO 31000, and ERM
is:

a. they all have the same purpose
b. they all work in harmony with each other
c. they were all reactive to risk and control issues
d. they all require extensive paperwork

Answer c. is the correct answer. All of these models were reactions to risk and
control issues in finance, business, and/or government. Answers a., b. & d. are not
necessarily true.

217. COBIT is primarily an information technology integrated control framework. As
such, it should be or can be used in conjunction with general business integrated control
frameworks such as COSO and ERM to analyze the information technology perspective
of process risk and control adequacy. As such COBIT:

a. elements should only be implemented in total not as individual parts
b. should be used to address information technology control issues in a
business analysis
c. can be used to analyze business controls
d. should be used to supplement business analytical tools such as control
models and quality analysis tools

Answer c. is the correct answer. Although COBIT is primarily an information
technology integrated control analysis model, it can be used as a business tool.
Simply changing some information technology terminology to business
terminology allows COBIT’s use as a business tool. Remember that “controls are
controls” and “risk is risk” no matter what the environment. By simply changing
the focus of these types of tools they can be reapplied to different situations.
Answer a. can be eliminated since any of the control models can be used in total
or as individual parts. Consequently, answers b. & d. can be eliminated.

218. The main purpose of ISO 31000: 2009 is to provide a standard for the
implementation of risk management principles and a generic guideline for risk
management. As such, ISO 31000: 2009 is intended to be a:

a. universal guideline applicable to any public, private, or community
enterprise, association, group, or individual
b. universal risk and control model applicable to all international business
situations
c. universally accepted risk and control management law applicable across
international boundaries
d. universal regulation for public or private companies in an international
relationship

Answer a. is the correct answer. Answer b. can be eliminated because, although
ISO 31000: 2009 is intended to address a wide range of business and individual
applications in an international setting, it is unlikely that it is applicable to every
situation. Answers c. & d. can be eliminated quickly because ISO 31000: 2009 is
neither a law nor a regulation. It is a guideline.

219. In order to have an effective risk and control philosophy the tone for corporate
governance must have a foundation at the highest levels in an organization. However, a
concern of risk and control specialists including internal auditors attempting to assist in
solidifying this corporate governance philosophy is that these higher levels of
management may not fully understand all of the elements of a corporate governance
strategy. Therefore, it becomes important that these risk and control specialists educate
these higher levels of management in the details of corporate governance and the
implications of effective and ineffective corporate governance. Appropriate risk and
control education may be necessary. With this in mind, the best approach for the risk
and control specialist should be to:

a. provide a multi-day detailed risk and control education program to these high-
level managers
b. provide a few hours of risk and control education but be prepared for a
longer session as requested
c. provide one day of detailed risk education and then one day of control training
to these high-level managers
d. provide a quick overview of corporate governance and its legal implications
to the high-level managers

Answer b. is the correct answer. Helping these high-level managers have a better
and contemporary understanding of corporate governance is a specialty in itself.
First, it is important to understand everything about that audience. Even the
smallest seemingly insignificant point can be important in the success or failure
of the delivery of the topic. Answers a. & c. can be eliminated because most of
the time these high-level managers do not have the time for a multi-day program
nor do they generally need that level of detail. A few scheduled hours of
education is probably most appropriate. This program must be focused on
important topics that quickly gain the attention of the audience. That is why it is
important to understand as much as possible about the audience. Also, be
prepared to continue longer than scheduled. This would be at the invitation of the
audience. The high-level managers may have more questions or topics for
discussion. Therefore, it is wise to reserve time after the scheduled program if
this should occur. Answer d. could be eliminated quickly because of the legal
implications. Legal professionals should address these types of topics but not
risk and control specialists including internal auditors.

220. Operational auditing:

a. will provide guidance without questioning management decisions in detail
b. will provide an assessment to see if resources are being adequately and
appropriately managed
c. will provide reasonable assurance that accountability requirements are being
met
d. all of the above

Answer d. is the correct answer. Answers a., b. & c. list items that operational
auditing will help to facilitate.

221. The ERM model expanded previous integrated control models into more definitive
areas of analysis. In addition, ERM included two perspectives that had not been
mentioned in much detail in previous models. These are strategic management and the
use of analytical models. Both of these perspectives can help address the changing
environment in which a process operates. Which analytical model is most associated
with the changing environment?

a. a sensitivity analysis tool
b. a queuing theory analysis
c. a critical path method analysis
d. a gaming theory tool

Answer a. is the correct answer. This is a definition question. There is
substantial information in the question but the actual question is in the last
sentence of the question. Answer b. is a tool to identify the distribution of
waiting. Answer c. is most useful for project management. Answer d. is relative
to comparing conflict between or among entities and will help identify the
alternatives of the conflict.

222. CoCo, designed by the Canadian Institute of Chartered Accountants, has an added
element not specifically apparent in prior integrated control models. This element is a
complete feedback loop including monitoring and action. In addition to this, what
is one other important key element in the CoCo model that was not in previous models?

a. the appropriateness of objectives and control activities
b. the six critical objectives
c. monitoring and action
d. the seven components

Answer a. is the correct answer. Answers b. & d. can be eliminated because CoCo
has three critical objectives not six. They are effectiveness and efficiency of
operations; reliability of internal and external reporting; and compliance with
applicable laws, regulations, and internal policies. There are five components in
CoCo. They are purpose, commitment, capability, action, monitoring, and
learning, not seven as is indicated in answer d. Answer c. is already described in
the question. The question asks for something additional (read the question).
Answer a. lists a key additional element of CoCo.

223. Emerging risks are best defined as:

a. new risks to the environment
b. significant external risks
c. risks related to new products or services
d. risks that can be anticipated and controlled

Answer b. is the correct answer. Answers a. & c. just list random phrases.
Answer d. could be considered. However, answer d. gives a broad definition of
risk including more than just emerging risks. The question asks specifically for a
definition of emerging risk. It is important to read what the question asks and
answer with the best answer provided.

224. An audit manager from a multinational corporation was asked to speak at a high
school career day program. The purpose of the presentation was to provide an overview
of various career opportunities. A student asked the audit manager what exactly is an
internal auditor’s function. The best answer the audit manager could provide would be:

a. we analyze the financials
b. we add value to an organization
c. we look for fraud
d. we pursue questionable activities

Answer b. is the correct answer. Answer a. could be correct but it is very specific
and is only one dimension of internal auditor activities. Answers c. & d. have the
same narrow focus. In general, internal auditors do not pursue questionable
activities. Internal auditors may gather the detail and facts but the face-to-face
investigation is best left to professional fraud investigators. Generally internal
auditors, unless specifically requested, do not look for fraud. They may
encounter it and have to pursue it as stated in answer d.

225. An effective review, evaluation, and management of key risks is a process that
requires:

a. all of these answers
b. collaboration among process owners and risk and control specialists
c. an understanding by process owners of the risk management process
d. an empathetic approach by internal auditors toward process owners

Answer a. is the correct answer. Answers b., c. & d. list appropriate and
necessary ingredients for an effective review, evaluation, and management of key
risks.

226. Basel III is:

a. a risk and control model designed to supplement ISO 31000: 2009
b. a grouping of banking and financial regulations
c. a series of banking and financial regulations which will streamline existing
banking and financial regulations
d. all of these answers

Answer b. is the correct answer. Answer a. can be eliminated because Basel III
does not supplement ISO 31000: 2009. Answer c. can be eliminated because,
although Basel III is a series of strongly recommended financial and banking
regulations, it will not eliminate or diminish existing banking regulations (the so
called alphabet soup regulations). Basel III will only enhance prior versions of the
Basel regulations. Hence, answer d. can be eliminated.

227. Continuous monitoring of the ever-changing environment for efficiency,
effectiveness, and economy is critically important in effective management. Reviewing
the relative risks and controls of that environment is a valuable service to
management. Which of the following would be the best approach to address this
continuous monitoring?

a. preventive auditing
b. program auditing
c. program evaluation
d. all of these answers

Answer d. is the correct answer. Operational auditing is the more typical and the
most used term of a type of audit that will provide continuous monitoring
methodologies to address efficiency, effectiveness, and economy. Answers a., b.
& c. list other terms meaning the same as operational auditing.

228. A main concern of process owners when implementing a continuous monitoring
process of office telephone usage is:

a. excessive paperwork
b. rebuttal by employees
c. communications budget issues
d. not understanding the data provided

Answer b. is the correct answer. Part of establishing the effectiveness of a
control like this is to let all employees involved know that the system is in place
for monitoring telephone usage. Answers a., c. & d. list items that could be of
concern but the biggest issue will be rebuttal from employees. People do not like
change. This is change. The concern of the employees will be that the privacy of
their telephone usage will now be available to management.

229. Internal audit is an independent professional service that improves the quality of
information or its context for decision makers. The contemporary concept of the new
internal audit function is to hold the process owners at all levels responsible for the
adequate management of their internal controls. To this end, internal audit provides
oversight, guidance, and review of the adequacy of internal controls. When internal
audit exercises these responsibilities by scheduling internal audits or consulting activities,
the internal audit function's prime consideration should be to:

a. schedule audits based on how long it has been since the last audit of a specific
process
b. perform an appropriate risk assessment to determine what areas and to
what extent to audit or review
c. assign the number and the expertise of the auditors based on the location of
the audit to be conducted
d. determine when the audit will be conducted based on the availability of the
client

Answer b. is the correct answer. This question contains substantial background
information but the actual question is in the last sentence. Also, the answers
could or should require some extra thought. Answers a., c. and d. could all be
considerations when scheduling an internal audit. However, answer b. lists the
prime consideration, because internal audit is a control by its very existence.
Therefore, like any other control, the application and the intensity of the control
should be determined by the risk. Therefore, an appropriate risk assessment
should be conducted when scheduling and staffing an internal audit. After that,
the other items listed in answers a., c. and d. may be considered.

230. The reporting dimension of any operational audit should include face-to-face
closing meetings as well as a written report. An operational audit should include how
many closing meetings?

a. the number that is appropriate
b. the number that the client decides
c. the number that the auditor decides
d. the number that is dependent upon the availability of upper-level
management

Answer a. is the correct answer. Answers b. & c. could actually be combined.
The final closing meeting and any interim closing meetings should be based on an
agreement between or among the audit or review team and the client (within
reason). Answer d. can be eliminated because, with the exception of specific
circumstances, lower-level management or process owners would probably get
closing meetings first before upper-level management. Remember, it is wise to
open the audit or review from the top down and close from the bottom up. The
appropriateness and depth of closing reporting meetings should depend on the
complexity and severity of concerns; the management and political environment;
and the best use of resources.

231. Internal audit has evolved over the years. Consequently, the main contemporary
responsibility of internal audit is to:

a. review appropriate and an adequate amount of data to determine what
control weaknesses have occurred
b. develop an appropriate statistical sample to minimize the possibility of an
audit risk
c. interview an adequate number of employees to ensure that there is an ample
understanding of policies, procedures, and other controls
d. help identify what risks may occur as well as what risks have occurred

Answer d. is the correct answer. Internal audit's responsibility is not only to
identify what risks or control issues existed in the past but also what may occur in the future.
Hence, answer a. is not appropriate. Answers a., b. & c. list items very likely
necessary to conduct an adequate audit. However, they would be acts conducted
during the audit.

232. It is advantageous for process owners to implement their own internal control
scheme. Information technology systems can assist with this objective. By
implementing an internal control monitoring scheme, process owners can continuously
monitor the process for deviations from accepted risk norms.

What is a main caution of implementing an ongoing monitoring scheme?

a. there is none as this will provide an ongoing internal control monitoring
methodology
b. the system is not formally updated with program changes
c. the system is not updated with a program change
d. the system does not provide usable reports

Answer b. is the correct answer. When ad hoc program updates or changes are
made to the system and are not formally updated, then problems may occur when
the next change is made. For example, after an ad hoc change which is not
formally documented, any issue which caused the ad hoc change will reoccur.
Answer a. can be eliminated after the explanation of the answer. Although answer
c. lists what could be a real problem, it would not be the main concern. Answer d.
lists a common problem, as many reports provided by information technology
systems have outlived their usefulness. They are inefficient controls. However,
the main concern and caution is listed in answer b.

233. One of the purposes of the written audit or review report is to motivate the reader
(process owners) into action to correct issues identified during the audit or review.
Which of the following would be the best standard approach to motivate a reader of such
a report?

a. establish a very firm tone with back-up evidence
b. establish a softer tone however with supporting evidence
c. establish a tone appropriate for the situation with adequate and
supporting evidence of the conclusions
d. none of these answers

Answer c. is the correct answer. Answers a. & b. list good answers in some
cases. However, either one by itself may not be appropriate in all cases. The tone
of the reporting communications, both verbal and written, should be adjusted for
each person to be motivated. Everyone thinks and responds differently to
information. The writer or communicator must understand the personality and
communication needs of the receiver. Answer d. can be eliminated since answer c.
is correct.

234. What would be the most effective and efficient second layer of controls when
process owners have implemented their own continuous monitoring information
technology system?

a. implement periodic control reviews of the monitoring system
b. make sure the process owners have adequate information technology
training
c. utilize external information technology experts
d. make sure the system is operational

Answer a. is the correct answer. The question asks for the most effective and
efficient approach. Answers b. & c. list items that may or may not be necessary.
For example, such training may not be necessary for the process owners. They
may only need to interpret the information provided and not necessarily
understand how the system technically processes that data. They may only need
some training about part of system operation or implementation. Answer d. is
obviously not correct as this would actually be a first level of controls.

235. The manager of a department was concerned with the stationery budget. The
amount spent on copy paper seemed excessive and was growing. Comparing the
amount of copy paper usage to other similar departments, this department's amount was
157% higher than similar departments. How could the manager incorporate a
continuous monitoring information technology scheme for the use of the copy paper?

a. hold all the copy paper in the office and have employees ask for it as they
needed it
b. allocate a reasonable amount of copy paper to each employee; when they
exceeded that, they would have to sign for additional paper
c. tell all the employees of the problem and limit the ordering of copy paper
d. incorporate an employee code identifier into the copy machine

Answer d. is the correct answer. Answers a., b. & c. list physical controls that are
good controls but not information technology controls as the question asks.
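As an added illustration of the kind of information technology monitoring scheme answer d. points to (this script is not part of the study guide), the following Python code reads copier log lines keyed by an employee code, totals pages per employee, and flags anyone whose usage exceeds a configurable multiple of the peer median. The log format, the employee codes, the sample lines and the default 1.57 ratio (echoing the 157% figure in the question) are constructed assumptions for the example.

```python
"""Continuous-monitoring check over copier usage keyed by employee code.

Added illustration for the copy-paper scenario; the log format, employee
codes and threshold are constructed assumptions, not from the study guide.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log lines: timestamp, employee code, pages copied.
# The last line is deliberately malformed to show that bad records are skipped.
SAMPLE_LOG = """\
2013-03-04T08:12:00,E101,40
2013-03-04T08:30:00,E102,35
2013-03-04T09:05:00,E101,55
2013-03-04T09:40:00,E103,30
2013-03-04T10:15:00,E104,600
2013-03-04T11:00:00,E102,45
2013-03-04T13:20:00,E103,25
2013-03-04T14:05:00,E104,450
2013-03-04T15:00:00,BAD LINE
"""


def parse_copier_log(text):
    """Return {employee_code: total_pages}, skipping malformed lines."""
    totals = defaultdict(int)
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue  # malformed record: skipped here, would be logged in practice
        _timestamp, code, pages = parts
        try:
            totals[code] += int(pages)
        except ValueError:
            continue  # non-numeric page count: treated like a malformed record
    return dict(totals)


def flag_excess_usage(totals, ratio=1.57):
    """Flag employees whose page total exceeds ratio * median of their peers.

    The peer median for each employee excludes that employee's own total, so a
    single heavy user does not inflate the baseline used to judge them.
    Returns a sorted list of (employee_code, pages, peer_median) tuples.
    """
    flagged = []
    for code, pages in totals.items():
        peers = [p for c, p in totals.items() if c != code]
        if not peers:
            continue  # nothing to compare against with a single employee
        baseline = median(peers)
        if baseline > 0 and pages > ratio * baseline:
            flagged.append((code, pages, baseline))
    return sorted(flagged)


if __name__ == "__main__":
    usage = parse_copier_log(SAMPLE_LOG)
    for code, pages, baseline in flag_excess_usage(usage):
        print(f"{code}: {pages} pages vs peer median {baseline}")
```

Run daily or on each new batch of log lines, this gives the manager the ongoing, code-level view of paper consumption that the physical controls in answers a. to c. cannot, and the same peer-median comparison generalises to any metered resource keyed by an identifier.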

236. With a global perspective, operational auditing is concerned with:

a. the details of management's decisions
b. the organization's strategy to achieve objectives
c. the development of the organization's budgeting
d. the integration of management decisions with overall financial results

Answer b. is the correct answer. Answers a. & c. describe levels of detail at which
operational auditing and internal auditors should not get involved. From a broad
perspective, operational auditing is concerned with an organization’s strategy to
achieve its objectives efficiently, effectively, and economically. Answer d. lists
just a random phrase and further would be more detailed than would be
appropriate for an internal auditor.

237. If management has a system of effective measurements in place, then an auditor or
risk and control review specialist may approach the review by assessing the
appropriateness of operational indicators. What should be the main focus of the
reviewer?

a. key risk indicators
b. operational indicators
c. the measurements
d. internal controls

Answer d. is the correct answer. Internal auditors especially, and risk and control
review specialists as well, should be evaluating the adequacy of internal controls.
Without adequate internal controls, any measurements may be meaningless.
Answers a., b. & c. are not correct if the measurements may be meaningless. Further, it
is wise when reporting to indicate in the purpose statement of the report that the
"purpose of the review was to determine the adequacy of internal controls related
to" some process.

238. The contemporary professional internal auditor must be able to both look at
historical data and to provide insight into potential risks. Utilizing information technology
tools can assist in this effort. What would be a primary advantage of utilizing information
tools when analyzing data in real time (current)?

a. the ability to use information technology to develop analytical models
b. the ability to represent the concerns in a graphic representation with
analytical support
c. the ability to search substantial data
d. the ability to continually monitor key processes

Answer d. is the correct answer. Answers a. & b. list the use of information tools
to analyze or report on existing data (historical data) only. The question asks for
uses of information technology tools to analyze data in real time. Answer c. does
not include “real time” monitoring.

239. Including a background of the topic audited or reviewed in a report can be helpful
when developing a perspective of the topic reviewed. How much detail should the
background contain?

a. an amount necessary for the readers to develop a perspective of the topic
audited
b. a balance of information for those familiar with the topic and those not
familiar with the topic audited
c. a substantial amount of detail so that anyone reading the background can
extract what they need
d. a minimum amount of detail so as not to be condescending to the reader

Answer b. is the correct answer. The purpose of the background in the written
report is to provide the reader with a perspective of the topic audited or reviewed.
However, it is important not to be condescending to the process owners where
the audit or review was conducted. Process owners work in the process every
day and know the process. The auditor or reviewer was there for a few days or
weeks. However, the background should provide sufficient information for those who
do not work in the process to gain a general understanding of how the process
functions. A way to facilitate this balance is for the auditor or reviewer to
work with the process owners, explaining that their help in writing the background
would be appreciated and that the purpose is to help those not familiar with the
process to gain a general understanding of the process. Answer a. is a good
answer, but the word "balance" in answer b. makes answer b. a better answer.
Answers c. & d. could be eliminated based on the answer explanation.
