1 of 2| Updated |New edi on| 2025/2026
Which of the following are appropriate goals of risk management? Select all that apply.
A. To eliminate uncertainty.
B. To facilitate greater opera onal effec veness and efficiency.
C. To limit risk-taking as much as possible.
D. To support the a!ainment of organiza onal objec ves.
E. To facilitate well-informed decision-making.
F. To guarantee outcomes from ac vi es.
Solu on: B, D, and E
Which of the following BEST describes risk culture? Select one.
A. The system present throughout an organiza on of shared values and beliefs about risk that
shapes a'tudes, behaviors, and decisions.
B. The leadership of and commitment to risk management from the highest levels of an
organiza on.
C. The level of authority and trust awarded to managers to determine the level of risk they are
prepared to take.
D. The policies and processes that define risk ownership, responsibili es, and repor ng
requirements.
Solu on: A
Which of the following describes the highest level of risk management maturity (commonly
referred to as “risk-enabled”)? Select one.
A. When a risk strategy and policies are in place and communicated.
B. When risk management and internal control are fully embedded into opera ons.
C. When the organiza on establishes a risk commi!ee, risk management team, and risk
processes.
D. When risk appe te has been defined.
,Solu on: B
The defini on of risk taken from the IPPF glossary is as follows: “The possibility of an event
occurring that will have an impact on the achievement of objec ves.” Suppose an
organiza on has the following objec ve: To sell 1,000 units at $10 each. Which of the
following may be described as a risk for the organiza on? Select all that apply.
A. A downturn in the economy may reduce demand by 10%.
B. Overseas demand may exceed expecta on and a total of 1,100 units are sold.
C. A compe tor may offer a similar product at a lower price and a!ract customers away.
D. Foreign exchange rates may make the product cheaper for customers overseas, s mula ng
addi onal sales.
E. A new method of produc on may become available.
F. Climate change occurs less quickly than expected.
Solu on: A, B, C, and D
Which of the following provides the BEST defini on of residual risk? Select one.
A. The risk that a material error exists in the financial statements a1er audit.
B. The por on of inherent risk that remains a1er management executes its risk responses.
C. The risk that an audit may fail to detect a control deficiency.
D. Risk severity prior to implementa on of risk responses.
E. A risk that cannot be mi gated.
F. The amount of impact that can be eliminated by preventa ve measures.
Solu on: B
A code of ethical behavior and statement of organiza onal values are risk responses to the
possibility individuals may act in such a way as to cause damage to the organiza on. Which of
the following statements about these responses are true? Select one.
A. They are preventa ve measures designed to reduce likelihood.
B. They are preventa ve measures designed to reduce impact.
C. They are detec ve measures designed to alert management to instances of unethical
behavior.
,D. They form part of con ngency measures to help repair any damage that may be incurred as a
result of unethical behavior.
Solu on: A
There are a number of internal and external par es that contribute to the effec veness of risk
management, but which one has the primary responsibility for iden fying and managing
risks? Select one.
A. Members of the board.
B. Senior management.
C. Heads of risk, compliance, and control func ons.
D. The chief audit execu ve (CAE).
E. External auditors.
F. Regulators.
Solu on: B
A purchasing manager has subcontracted repairs and maintenance to a facili es management
company. This is a new rela onship and has been entered into quickly. Which of the following
is NOT an appropriate control measure to avoid the risks associated with this rela onship?
Select one.
A. A schedule of regular communica on and repor ng.
B. Financial penal es for missed targets and performance failures.
C. Stated objec ves and itemized responsibili es for each party.
D. Iden fying an alterna ve subcontractor.
Solu on: D
In the COSO Internal Control framework, there are two types of controls, namely hard and
so@. Which of the following are examples of so@ controls? Select all that apply.
A. Policies and procedures.
B. Tone at the top.
C. Risk culture.
D. Training.
, E. Role descrip on.
F. Organiza onal structure.
Solu on: B, C, and D
In the COSO Internal Control framework, there are two types of controls, namely hard and
so@. Which of the following describes characteris cs of so@ controls? Select one.
A. Controls that rely on behavior and a'tude.
B. Controls that are rela vely easy to introduce, monitor, and manage.
C. Policies, processes, and specific measures such as password protec on.
D. Controls designed, introduced, and performed by people.
Solu on: A
Which of the following techniques may be used in root cause analysis? Select all that apply.
A. Cause and effect (or fishbone) diagrams.
B. Cost-benefit analysis.
C. Fuzzy logic.
D. Five whys.
E. Waterfall model.
F. Rapid development.
Solu on: A, B, C, and D
The ISO 31000:2018 Risk Management standards links together three important aspects of an
organiza on. Which one of the following is NOT of these aspects? Select one.
A. Leadership and commitment.
B. Stakeholder engagement.
C. Value crea on and protec on.
D. Risk management processes.
Solu on: B