Exam Practice Question Bank
135 questions (multiple choice + open-ended) with answers
KU Leuven · Faculty of Economics and Business
Answers are shown in red beneath each question. Cover them while practising.
RM & IC — Exam Practice Question Bank | Page 1
,Part A — Questions from the revision session (Q1-Q35)
1. [Multiple choice] An entity expects its variable interest rate to rise and locks in a fixed rate via a
hedge. According to COSO, this risk response is:
A. Reduction
B. Acceptance
C. Sharing
D. Avoidance
Answer: C — Sharing (transfer): part of the risk is transferred to the counterparty offering the fixed rate.
2. [Multiple choice] Under ISO 31000, the three tasks of risk assessment, in order, are:
A. Identification - treatment - monitoring
B. Identification - analysis - evaluation
C. Recognition - rating - ranking
D. Analysis - evaluation - response
Answer: B — Risk identification, then analysis (likelihood x consequence, incl. existing controls), then
evaluation against criteria.
3. [Open-ended] Explain the difference between inherent risk and residual risk, and how their
relationship is shown on a risk matrix.
Answer: Inherent = risk before any controls; residual (current/managed) = what remains after controls
(inherent - controls = residual). On the matrix, plot the inherent point (high) and the residual point
(lower); the arrow between them is the control-reduction effort, and a target level can also be shown.
Used to judge whether residual exposure is within risk appetite/capacity.
4. [Multiple choice] In COSO ERM 2017, in which component does an entity define its risk appetite?
A. Governance & Culture
B. Performance
C. Strategy & Objective-Setting
D. Information, Communication & Reporting
Answer: C — Strategy & Objective-Setting (principle 7). Note: in COSO ERM 2004 it was the Objective-
Setting component.
5. [Open-ended] Define double materiality (CSRD/ESRS) and name the two perspectives it consists of.
Answer: A topic is material if material from EITHER: impact materiality (outward - the company's effect
on society/environment) OR financial materiality (inward - sustainability risks/opportunities affecting
the company).
6. [Multiple choice] Which is NOT one of the three IT General Control (ITGC) families?
A. Manage Access
B. Manage Change
C. Manage Operations
D. Manage Threats
Answer: D — Manage Threats is a cybersecurity ('back door') control. The three ITGC families are
Access, Change, Operations.
RM & IC — Exam Practice Question Bank | Page 2
, 7. [Open-ended] Name and explain the four risk responses (the 4 Ts) and the likelihood/impact situation
for each.
Answer: Tolerate (accept) - low/low; Treat (reduce via controls) - high likelihood/low impact; Transfer
(share, e.g. insurance) - low likelihood/high impact; Terminate (avoid/eliminate) - high/high.
8. [Multiple choice] Which technique obtains a reliable consensus from experts giving opinions
individually and anonymously across iterative rounds?
A. Brainstorming
B. SWIFT
C. Delphi technique
D. Bow-tie analysis
Answer: C — Delphi technique (expert panel, individual & anonymous input, iterative rounds).
9. [Open-ended] Explain Agency Theory in corporate governance: who are the principals and agents,
what is the core problem, and name two governance mechanisms used to address it.
Answer: Principals = shareholders; agents = managers. Core problem = the principal-agent problem
(divergent goals, costly to verify the agent's actions) worsened by information asymmetry. Mechanisms
(any 2): board of directors, auditing, performance-based incentives.
10. [Multiple choice] What is the difference between RTO and RPO in BCM?
A. RTO = max data loss; RPO = max downtime
B. RTO = max time to restore a service; RPO = max acceptable data loss
C. Both measure downtime for different systems
D. RTO = recovery cost; RPO = recovery priority
Answer: B — RTO = maximum time to restore; RPO = maximum acceptable data loss (point you can roll
back to).
11. [Open-ended] State the three elements of the Fraud Triangle (Cressey) and explain why all three
matter for designing anti-fraud controls.
Answer: Pressure, Opportunity, Rationalisation. All three together signal high fraud likelihood; controls
attack each corner - reduce opportunity (SoD/access/audit trail), relieve pressure (realistic targets), and
reduce rationalisation (tone at the top, code of conduct, punishment).
12. [Multiple choice] Per ISA 240, the external auditor's responsibility regarding fraud is to:
A. Detect all fraud and report it to the police
B. Obtain reasonable assurance the statements are free from material misstatement from fraud or
error
C. Manage the company's anti-fraud controls
D. Make a legal determination that fraud occurred
Answer: B — Reasonable assurance on material misstatement (fraud or error). The auditor does not
detect all fraud, manage controls, or make legal determinations.
13. [Open-ended] Describe the Three Lines of Defence: what sits at each line (with an example role),
and where external audit fits.
Answer: 1st line = operational management & internal controls (risk owners, e.g. department head); 2nd
line = risk management & compliance (e.g. risk manager); 3rd line = internal audit (independent
RM & IC — Exam Practice Question Bank | Page 3