Questionnaire

Uploaded by

miiiichaeeng

In Enterprise Risk Management, the primary responsibility of the board is to

Set the risk culture


Identify risks faced by the organization
Provide independent assessment of the ERM
Manage risk at source

Who is the ultimate champion of Enterprise Risk Management in an organization?

BOD
CEO
CRO
BROC

Which risk response reflects a change from acceptance to sharing?

An insurance policy on a manufacturing plant was not renewed


Management purchased insurance on previously uninsured property
Management sold a manufacturing plant
After employees stole numerous inventory items, management implemented mandatory background
checks on all employees

Which of the following is closely related to traditional risk management instead of risk management?

Rapid response to opportunities


Organization-level view of risk
Emphasis on specific functions
Achieving financial goals

Which of the following members of an organization has ultimate ownership responsibility of the
enterprise risk management, provides leadership and direction to senior managers, and monitors the
entity’s overall risk activities in relation to its risk appetite?

Chief risk officer


Chief executive officer
Internal auditors
Chief financial officer

Management of Hot Chili Company has decided to respond to a particular risk by hedging the risk
with futures contracts. This is an example of risk

Avoidance
Acceptance
Reduction
Sharing

Enterprise Risk Management can help the organization achieve its objectives, but ERM
cannot ________

Reduce operational surprises
Provide integrated responses to multiple risks
Eliminate all risks
Identify opportunities

Ariel, Inc. is considering establishing an enterprise risk management system. Which of the following is
not a limitation of such a system?

Business objectives are not usually articulated


The system may break down
Collusion among two or more individuals can result in system failure
Enterprise risk management is subject to management override

In the risk management process, management’s view of the internal audit activity’s role is likely to be
determined by all of the following factors except

Organizational culture
Preferences of the independent auditor
Ability of the internal auditing staff
Local conditions and customs of the country

In any entity-wide risk management assessment, the Chief Audit Executive should include risk
associated with which kind of the following activities?

Environmental
Health
Safety
All of the answers are correct

Substantial risk exposures or material control weaknesses discovered during a formal consulting
engagement should be brought to the attention of management. In some situations, the internal
auditor’s concerns also should be communicated to

Executive management
Audit committee
Board of directors
All of the answers are correct

Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks.
Regarding the risks associated with issuing checks, which of the following risk management
techniques does this represent?

Controlling
Accepting
Transferring
Avoiding

Risk management is the responsibility of management. The role of the internal audit activity in the
risk management process may include which of the following?
I. Monitoring activities.
II. Evaluating the risk management process as part of the engagement plan.
III. Participation on oversight committees, monitoring of activities, and status reporting.
IV. Managing and coordinating the process.

I only
II only
I, II, and III only
I, II, III, and IV

If management has not established a risk management process for the organization, the internal
auditors should suggest establishment of such a process. The function that the internal auditors
preferably should perform in the initial establishment of a risk management process is

A proactive role that supplements traditional assurance activities


Assumption of ownership risks
Responsibility for the management of the risk identified.
An oversight role to determine that adequate and effective processes are in place.

The internal audit activity should assist the organization by identifying and evaluating significant
exposures to risk and contributing to the improvement of risk management and control systems. With
respect to assessing the adequacy of risk management processes, internal auditors most likely should

Recognize that organizations should use similar techniques for managing risk
Become satisfied that the key objective or risk management processes are being met.
Determine the level of risk acceptable to the organization
Treat the evaluation of risk management processes in the same manner as the risk analysis used to plan
engagements.

Internal audit should review the means of physically safeguarding assets from losses arising from

Misapplication of accounting principles.


Procedures that are not cost justified.
Exposure to the elements.
Underusage of physical facilities

The first phase of the risk management process is to identify and catalog the auditable activities of the
organization. Which of the following would not be considered an auditable activity?

General ledger account balances.


Statutory laws and regulations as they affect the organization.
Computerized information systems.
The agenda established by the audit committee for one of its quarterly meetings.

Depending on the size and complexity of the organization’s business activities, risk management
processes can be all of the following except

Formal or informal.
Embedded in the business units or centralized at the corporate level
Quantitative or subjective
All of the above

Which of the following statements is false regarding risk management assessment as the term is used
in internal auditing?

As a result of an engagement or preliminary survey, the chief audit executive may revise the level of
assessed risk of an engagement client at any time, making appropriate adjustments to the work
schedule.
Risk assessment is a judgemental process of assigning monetary amounts to the perceived level of risk
found in an activity being evaluated. These amounts allow a chief audit executive to select
engagement clients most likely to result in identifiable savings.
The chief audit executive should incorporate information from a variety of sources into risk assessment
process, including discussion with the board, management, external auditors, review of regulations, and
analysis of financial/operating data.
Risk assessment is a systematic process of assessing and integrating professional judgments about
events that could affect the achievement of organizational objectives. It provides a means of organizing
work schedule.

Which of the following is the best source for an audit team to use to identify common risks faced by a
company?

Checklist or reminder lists.


Flowcharts.
Research reported in professional journals and textbooks.
Questionnaires.

Which of the following are true regarding internal auditors and the adequacy of the organization’s risk
management process?
I. Internal auditors must have an understanding of the risk assessment and the tools used to make the
assessment.
II. Internal auditors should determine the level of risks acceptable to the organization.
III. Internal auditors need to be satisfied that the key objectives or risk management processes are
being met.
IV. Internal auditors should evaluate management’s risk processes the same way they analyze risk
when planning an engagement.

I, II, III, and IV
I and III only
I and II only
I, II and III only

What is residual risk?

Impact of risk.
Risk that is under control.
Risk that is not managed.
Underlying risk in the environment.

Which of the following statements are true concerning risk assessment?


I. Risk assessments may be revised based on new information.
II. The engagement work schedule will be based on risk assessment.
III. Risk assessment is based on internal auditor’s professional judgment about events that could
affect the achievement of organizational objectives.
IV. The primary purpose of risk assessment is to help management identify areas of cost savings.

I and III only


II, III, and IV only
I, II, III, and IV
I, II, and III only

The risk assessment process includes identifying and analyzing activities of the organization. Which of
the following would not be considered an auditable activity?

The agenda established by the audit committee.


Accounts receivable account balances.
Statutory laws and regulations as they affect the organization.
Management information systems.

Which of the following comments are correct regarding the assessment of risk associated with the
two projects?
I. Activities requested by the audit committee should always be considered higher risk than those
requested by management.
II. Activities with higher peso budgets should always be considered higher risk than those with lower
peso budgets.
III. Risk should always be measured by the potential peso of adverse exposure to the organization.

I and III
I only
II only
III only

Risk assessment is a process that involves identifying the risks and vulnerabilities that an organization is
exposed to in order to identify events that may occur and affect the entity negatively. How is a
particular risk assessed or measured?

By the amount of the expected loss


By the probability of a loss occurring
By the amount of a loss, if a loss does occur
By the loss frequency and the loss severity

Risk evaluation involves comparing the results of the risk analysis (level of risk) with the established
risk criteria (against predetermined target risk level and tolerable threshold).

Risk evaluation
Risk assessment
Risk response
Risk analysis

A company has decided to self-insure for its employees’ medical insurance. This is an example of

Retaining the risk


Transferring the risk
Reducing the risk
Exploiting the risk

This is a kind of risk acceptance which sets aside particular funds in a reserve dedicated to defraying
the expense involved should a particular sort of loss happen.

Insurance
Self-insurance
Mutual insurance
Captive insurance

Which of the following best defines control?

Control provides reasonable assurance that objectives will be achieved


Controls are statements of what the organization chooses to accomplish
Control is provided when cost-effective measures are taken to restrict deviations to a tolerable level
Control accomplishes objectives and goals in an accurate, timely, and economical fashion

Directors, management, external auditors, and internal auditors all play important roles in creating
proper control processes. Senior management is primarily responsible for

Establishing and maintaining an organizational culture


Reviewing the reliability and integrity of financial and operational information
Ensuring that external and internal auditors oversee the administration of the system of risk
management and control processes
Implementing and monitoring controls designed by the board of directors

Which of the following is not a type of control?

Preventive
Reactive
Detective
Directive

Internal controls should be designed to provide reasonable assurance that

Operations are performed efficiently


Management’s plans have not been circumvented by worker collusion
The internal audit activity’s guidance and oversight of management’s performance is accomplished
economically and efficiently
Management's planning, organizing, and directing processes are properly evaluated

Internal control procedures are not designed to provide reasonable assurance that

Transactions are executed in accordance with management’s authorization


Access to assets is permitted only in accordance with management’s authorization
Risk will be eliminated
The recorded accountability for assets is compared with the existing assets at reasonable intervals

Internal Control is better effected by

Policies and procedures


Corporate governance manual
Manual of Internal control
Individual employee

Internal control can ensure organization success


Internal control can provide absolute assurance that organizational objectives will be achieved.

True, True
True, False
False, False
False, True

An adequate and effective system of internal control provides reasonable assurance that objectives
and goals will be achieved. Controls may be preventive, detective, or directive. Which of the following
is a detective control for the procurement function?

Goods received are counted and compared with quantities on purchase order and receiving reports
The procurement function is organizationally separate from receiving, disbursing, and accounting
Review and approval of each procurement action required prior to the final issuance of a purchase order
Prenumbered standard purchase order forms include all relevant terms required to be used in all
applicable instances.

Internal auditors regularly evaluate controls. Which of the following best describes the concept of
control as recognized by internal auditors?

Management regularly discharges personnel who do not perform up to expectations


Management takes action to enhance the likelihood that established goals and objectives will be
achieved
Control represents specific procedures that accountants and internal auditors design to ensure the
correctness of processing
Control procedures should be designed from the “bottom up” to ensure attention to detail

Internal control cannot provide absolute assurance because of certain limitations. Which of the
following is not a limitation to internal control?

Suitability of objectives established as a precondition to internal control
Ability of management to override internal control
Business context that affects the organization's risk profile
Unwillingness of employees to follow internal control procedures

To minimize potential financial losses associated with physical assets, the assets should be insured in
an amount that is:

Supported by periodic appraisals


Determined by the board of directors
Automatically adjusted by an economic indicator such as the consumer price index
Equal to the book value of the individual assets

When an organization has strong internal control, management can expect various benefits. The
benefit least likely to occur is

Reduced cost of an external audit


Elimination of employee fraud
Improvements in the reliability and integrity of information for decision-making purposes
Some assurance of compliance with governmental regulations

Which of the following controls over computer processing is of least concern during an external audit
of financial statements?

The edit and validation routines in a computer program


Procedures requiring control totals for input data
Performance standards for computer processing
Run-to-run control totals for major applications

Which of the following is an example of a feedback control?

Preventive maintenance
Inspection of completed goods
Close supervision of production-line workers
Measuring performance against a standard

Controls provide assurance to management that desired actions will be accomplished when objectives
are established in writing and

Standards are adopted, results are compared with the standard, and corrective actions are
undertaken
Are communicated to employees in writing and are updated by operating personnel as conditions
change
Policies and procedures for activities are set out in manuals for use by properly trained personnel
Internal reviews as to the propriety and effectiveness of the objectives are undertaken on a periodic
basis by the internal audit activity

Internal control can provide only reasonable assurance that the organization’s objectives and goals
will be met efficiently and effectively. One factor limiting the likelihood of achieving those objectives
is that

The internal auditor’s primary responsibility is the detection of fraud


The audit committee is active and independent
The cost of internal control should not exceed its benefits
Management monitors performance

Which of the following statements about internal control is correct?

Properly maintained internal controls reasonably assure that collusion among employees cannot occur
Establishing and maintaining internal control is the internal auditor’s responsibility
Exceptionally strong control allows the auditor to eliminate substantive tests
The cost-benefit relationship should be considered in designing internal control

An adequate system of internal controls is most likely to detect a fraud perpetrated by a

Single employee
Single manager
Group of employees in collusion
Group of managers in collusion

Two organizations have recently merged. The audit committee has asked the internal auditors from
both organizations to assess the risk that should be addressed after the merger. One manager has
suggested that the engagement teams jointly examine the organization's culture and the “tone at the
top” to identify control risks associated with the proposed merger. Which of the following statements
is true?

The organizational culture is not a part of the control environment and therefore should not be
considered for a proposed engagement
Although the organizational culture could be considered part of the control environment, the
assessment of such an environment would be highly subjective and therefore not useful
Differences in the organizational culture should be systematically identified because the differences may
present a major risk to the success of the merger. However, identifying differences is not appropriate
activity because it is political and subjective
None of the answers are correct.

Which of the following involves managerial functions as a control?

Monitoring performances
Use of an organizational policies manual
Maintenance of a quality assurance program
Establishment of an internal audit activity

Which of the following is a responsibility that should not be assigned to only one employee?

Access to securities in the company’s safe deposit box


Custodianship of the cash working fund
Reconciliation of bank statement
Custodianship of tools and small equipment

Audit evidence concerning segregation of duties ordinarily is best obtained by

Substantive testing
Observation
Flowchart analysis
Inspection

An example of the specific transaction authorization is the

Approval of a construction budget for a new warehouse


Setting of automatic reorder points
Establishment of a customer’s credit limits
Establishment of sales prices

The internal auditor recognizes that certain limitations are inherent in any system of internal
controls. Which one of the following scenarios is the result of an inherent limitation of internal
control?

The comptroller both makes and records cash deposits


A security guard allows one of the warehouse employees to remove assets from the premises
without authorization
The organization sells to customers on account, without credit approval
An employee who is unable to read, is assigned custody of the organization’s computer tape library and
run manuals that are used during the third shift

Which of the following is correct about internal control?

Accounting and internal control systems provide management with conclusive evidence that objectives
are reached
One of the inherent limitations of accounting and internal control systems is the possibility that the
procedure may become inadequate due to changes in conditions, and compliance with procedures
may deteriorate
Most internal controls tend to be directed at non-routine transactions
Management does not consider costs of the accounting and internal control systems

Which of the following statements is an example of an inherent limitation of internal control?

Errors may arise from mistakes in judgments


The effectiveness of control procedures depends on segregation of duties
Procedures are designed to assure that transactions are executed as management authorizes
Computers process large numbers of transactions.
