A.R.M. 400 CORE EXAM 1 (Complete) Questions and Answers 2023 graded A+

A.R.M. 400 CORE EXAM 1 (Complete) Questions and Answers 2023 graded A+ When communicating a decision up the organization's chain of command, consulting with outside experts can help a risk management professional do which one of the following? A. Seek feedback from stakeholders B. Stay focused on the organization's objectives C. Define the organization's risk appetite D. Enhance stakeholders' confidence in the process *ANS* D Which of the following risk management program goals is an essential goal for all public entities? A. Earning stability B. Continuity of operations C. Growth D. Survival *ANS* B The traditional definition of risk management reflects the traditional concept of risk as A. Both positive and negative. B. Negative. C. Uncontrollable. D. Strategic. *ANS* B During the past year, International Toys has undertaken four capital projects. The company has renovated and refurbished one of its aging warehouse buildings. It has purchased the most recent version of its current order processing computer software. It has added two trucks to its fleet of delivery vehicles. Lastly, it has purchased a new production machine that will allow it to launch a new product line. Which one of the following company projects is the most speculative risk? A. The two new trucks B. The warehouse refurbishment C. The software upgrade D. The new production machine *ANS* D Which one of the following statements is true regarding the basic measures that apply to risk management? A. Consequences measure the degree to which an occurrence could positively or negatively affect an organization. B. Hedging is a risk management strategy that can reduce the risk of correlation. C. Risk increases as volatility decreases. D. Longer time horizons are generally less risky that shorter ones. *ANS* A Which one of the following provides a measure of the maximum potential damage associated with an occurrence? A. Exposure B. Duration C. Underwriting risk D. Maximum probable loss *ANS* A Samuel was recently hired as a risk management professional for Parker Property Management. He has been asked by senior management to review the organization's current insurance policies to make sure that the organization is adequately protected, and also see if there are any opportunities to save on the premiums. Samuel must do which one of the following through internal communication before he will be able to complete this task? A. Determine the organization's risk appetite B. Identify all of the risks that the organization faces C. Earn the confidence of the organization's board of directors D. Become familiar with industry regulations *ANS* A Catastrophes such as recent earthquakes and the 2011 tsunami in Japan pointed out a need for many organizations to evaluate and manage their A. Supply-chain risk. B. Derivative risk. C. Compliance risk. D. Political risk. *ANS* A Risk management professionals must collaborate with data analysts during which two steps of the risk management process? A. Treat risks and monitor risk treatments B. Scan the environment and analyze risks C. Analyze risks and monitor risk treatments D. Identify risks and treat risks *ANS* C Asking a question such as "How do you think this will work out?" can help a speaker do which one of the following? A. Request feedback and determine if the message has been understood B. Gain the support of executives and decision makers C. Build trust among a diverse group of individuals D. Deliver a message that recipients don't want to hear *ANS* A Carla, the risk manager, was asked by senior management to deliver a presentation on cyber risk at an all employees meeting. Even though she was only allotted 30 minutes for her presentation, Carla felt that cyber risk was a very real risk for the corporation and she wanted employees to leave with some fear of it. She wanted to provide employees with as much technical information as possible, and familiarize them with all of the important jargon. Less than 20 minutes into her presentation, Carla could tell that many of the employees were not paying any attention to her presentation. Which one of the following steps in the communication process had Carla failed to consider? A. Pay attention to your body language B. Ask for feedback C. Analyze your audience D. Set a clear communication objective *ANS* C Before speaking with a group or individual, the speaker should think about what he or she wants the other person(s) to do as a result of the conversation. Which one of the following steps in the communication process does the speaker complete by doing this? A. Deliver a message the recipient(s) want to hear B. Set aside judgement C. Set a clear communication objective D. Analyze your audience *ANS* C Which one of the following risk management objectives is critical for a manufacturer seeking new capital from investors, stockholders, and creditors? A. Anticipate and recognize emerging risks B. Social responsibility C. Reduce the deterrent effects of hazard risks D. Eliminate downside risk *ANS* C Which one of the following data capture tools has led to an explosion of risk management innovation by allowing smart products to transmit data to each other and to central hubs? A. Blockchain B. Cloud computing C. Internet of Things D. Artificial intelligence *ANS* C Jean is the Risk Manager for a Fortune 1000 company. Her CFO has tasked her to analyze vulnerabilities in the firm's supply chain. The adequacy of suppliers to meet an organization's needs would be an example of which one of the following types of risk? A. Financial risk B. Strategic risk C. Operating risk D. Operational risk *ANS* D An organization must meet the standard of care that it owes to others in order to ensure that A. Legal obligations are satisfied. B. Post-loss goals are in place. C. Operations are efficient. D. Contracts are not breached. *ANS* A According to the law of large numbers, as the number of exposure units insured increases, A. Fewer losses are expected to occur. B. The size of the average loss declines. C. The relative accuracy of predictions about future losses increases. D. The probability of an underwriting loss increases. *ANS* C Risk can be classified as diversifiable or nondiversifiable. Which one of the following statements is true with respect to this type of risk classification? A. Diversifiable risks tend not to be correlated so they can be managed through diversification or spread of risk. B. Systemic risks are generally diversifiable. C. Private insurance tends to concentrate on nondiversifiable risks; government insurance is often suitable for diversifiable risks. D. Inflation, unemployment and natural disasters, such as hurricanes, are examples of diversifiable risk. *ANS* A The fundamental purpose of a risk management framework is to A. Maximize profits for all stakeholders. B. Integrate risk management throughout the organization. C. Define and eliminate potential losses. D. Reduce the cost of risk. *ANS* B Which one of the following is one of the five steps of the risk management process? A. Align and integrate B. Establish accountability C. Scan environment D. Allocate resources *ANS* C Which one of the following best explains how most smart products potentially improve risk management? A. They measure worker fatigue. B. They scan and inspect structures for unsafe conditions. C. They assess risks in dangerous areas. D. They generate big data to which advanced analytics can be applied. *ANS* D Clear-Rite Company specializes in the clean-up of hazardous chemical spills. Workers performing clean-up operations must use safety suits to prevent exposure to the chemicals. The suits include pulse and respiration monitors, body temperature sensors, and chemical sensors. The monitors and sensors report data to a mobile operations center which is deployed to each clean-up site. The pulse and respiration monitors and the sensors that are part of the protective gear are called A. Magnetometers. B. Drone technologies. C. Wearable technologies. D. Accelerometers. *ANS* C Data Entry Company (DEC) offers customers data entry services. A customer can hire DEC to enter survey data to be analyzed. Many DEC employees spend long hours entering data on a computer. DEC has experienced neck strain and wrist pain complaints from their employees, increasing the company's workers compensation costs. DEC investigated the complaints of its data-entry employees. DEC adopted curved keyboards for data entry, wrist-rests for those entering data, and uniform chair heights and display monitor heights to reduce neck strain claims. The science of designing work spaces based on the health concerns of those who will operate in the work space is called A. Big data. B. Accelerometer technology. C. Predictive analytics. D. Ergonomics. *ANS* D Which one of the following statements about the use of drones is true? A. The use of drones is limited to military applications. B. Space and weight limitations prevent drones from being equipped with sensors and cameras. C. Drones may be equipped with cameras that relay data in real-time. D. The reliance on humans to operate drones severely limits their application for commercial uses. *ANS* C Many auto manufacturers have automated a portion of their assembly lines by introducing a smart product. The smart product performs repetitive tasks, such as making the same weld on each vehicle frame as it passes the smart product. These smart products, which can be fixed or mobile, reduce repetitive motion injuries that humans might suffer. They can also be used to perform dangerous tasks and in heavy-lifting jobs. These smart products are called A. Wearables. B. Automated sensors. C. Robots. D. Drones. *ANS* C Take Your Order (TYO) is a company that specializes in taking product orders for vendors. The manufacturer of a product can run a television or internet ad for a product with a toll-free number. Customer calls for the products are routed to TYO, where one hundred operators are available to receive the calls. Each operator is assigned a cubicle with a computer terminal, video display monitor, and a telephone. TYO experienced high workers compensation claims from its operators, claiming neck strain, eye strain, and wrist pain. In an effort to reduce such injuries, TYO evaluated each operator's work area. The height of chairs and video monitors were adjusted, curved computer keyboards and wrist-rests were provided, and the telephones were replaced with audio headsets. Workers compensation costs dropped significantly. The science of designing work spaces based on interaction between people and the equipment in the work space is called A. Smart systems. B. Artificial intelligence. C. Data analytics. D. Ergonomics. *ANS* D A municipal water plant installed water flow sensors and water pressure sensors on the water pipes leaving the plant. The sensors make sure water is flowing properly and that there are no leaks or clogs which could produce a loss. These types of sensors are A. Thermal sensors. B. Mechanical sensors. C. Biochemical sensors. D. Radiant sensors. *ANS* B In addition to metal detectors, many airports have installed a second type of scanning technology for checked baggage and cargo. The checked bags and cargo pass through a portal with scanners programmed to detect and test for explosive trace fumes. These scanners, which detect explosives based on air samples, are an example of what type of sensor used for risk assessment and control? A. Radiant sensors. B. Thermal sensors. C. Biochemical sensors. D. Mechanical sensors. *ANS* C AMRM Insurance Company sells insurance in Virginia, North Carolina, South Carolina, and Georgia. The company has compiled a policyowner data base that can be used to send text messages when hurricanes approach. The company provides early warnings, storm updates from the National Weather Service, and hurricane safety measures. The company credits the system with reduced hurricane claims. The use of the texting system is an example of A. Preventive analytics. B. Artificial intelligence. C. Sensor networks. D. Experience rating. *ANS* A In an effort to reduce expenses, increase profitability, and reduce human errors; ABC Insurance Company decided to automate most of its personal lines underwriting function. The company now uses standardized application forms that are submitted electronically to one of the company's regional offices. At each regional office, a computer with a scanner reads the applications. The computer has been programmed with acceptable answers to the questions. If the answers on the application are all acceptable, the policy is automatically issued. Rejected applications are automatically forwarded to a human underwriter who reviews them. The use of this technology has reduced the company's expense ratio by two and a half percent, and reduced the time it takes to issue a policy. ABC Insurance Company's use of computers to evaluate applications electronically is an application of A. Radiant sensors. B. Actuator technology. C. Risk management information systems. D. Artificial intelligence. *ANS* D Autonomous Vehicle Applications (AVA) is a start-up company that develops safety technologies that can be sold to companies that are producing autonomous vehicles. One technology AVA is developing allows an autonomous vehicle to detect, extract, and analyze images; and then to respond to the images. For example, the technology would detect a presence in a crosswalk, extract the image, and a computer would analyze the image. When the image was determined to be a human being, the vehicle would slow down or stop until the crosswalk was clear. This technology, which is designed to capture and analyze images, and to act on the recognition of the image; is called A. Visual acuity. B. Computer vision. C. Accelerometer technology. D. Transducer technology. *ANS* B Which one of the following uses infrared light to detect nearby objects? A. Wearables B. Drones C. Robots D. Lidar *ANS* D Last year, three Metro City firemen died responding to a fire at a chemical plant, when they were overcome by toxic fumes. In response, Metro City is purchasing advanced first responder gear. It includes special flame retardant suits with chemical and explosive fume sensors, air quality sensors, and heat sensors. Responders will also wear special watches that will track a responder's pulse, respiration, and blood pressure; and helmets that include video cameras. All of these sensors will feed data to a computer in real-time. The computer will analyze the data and issue threat levels and evacuation orders, if necessary. The protective gear Metro City will purchase and the data transmission and analysis capability illustrate the use of A. Insurtech. B. Smart products. C. Risk management information systems. D. Catastrophe modeling. *ANS* B The emerging technologies applied to risk assessment and control link the physical domain to the virtual domain. Together, these domains linked by the emerging technologies create a A. Connected ecosystem. B. Risk management information system. C. Smart system. D. Risk management matrix. *ANS* A Precision Electronic Components manufactures circuit boards, microchips, and other electronic products. Given the precision necessary for their products, the manufacturing environment must be controlled. Temperature, humidity, static electricity and other factors must be monitored. After losing several batches of products due to human monitoring failures and imprecise adjustments, the company moved to a system of sensors. The sensors monitor and regulate temperature, humidity, static electricity, and other factors. The sensors transmit data to and from each other, and the manufacturing environment is continuously adjusted to assure production is successful. The network of sensors transmitting data and the autonomous corrective actions without human interaction is called A. Sensitivity analysis. B. Computer-directed manufacturing. C. Web-based manufacturing. D. The Internet of Things. *ANS* D It is necessary to assess the risk appetite of a business supplier prior to doing business because understanding the risk appetite allows the organization to A. Ascertain whether the relationship is a good fit. B. Negotiate better prices and delivery times. C. Better control its production. D. Leverage its payments to the supplier to the organization's advantage *ANS* A An organization evaluates key stakeholders' attitude toward risk in order to A. Understand what risks are acceptable and to develop an effective enterprise-wide risk management program. B. Understand acceptable risks and gauge its ability to attract new shareholders. C. Understand acceptable risks and gauge its ability to raise capital. D. Understand the risk appetite in order to determine what information is disseminated. *ANS* A A speaker imparts information in verbal communications by A. Using appropriate facial expressions and gestures while other parties express their opinions and concerns. B. Expressing facts and emotions quickly, inviting written questions for discussion at a future session. C. Having good listening skills and expressing facts and emotions through words and sometimes visual displays. D. Listening and verbally responding with anecdotes of prior meetings, leveraging humor as opposed to facts for discussion. *ANS* C Which one of the following should be part of an organization's standard operating procedures (SOPs) concerning external stakeholder communications? A. Instructions to always use written communication, rather than verbal or nonverbal communication B. Instructions regarding what types of information can and cannot be released C. Instructions requiring the use of formal, rather than informal communication D. Instructions to avoid the use of social media *ANS* B North American Furnishings has been in business for 18 years. The organization's primary objectives are profitability and bottom-line results. It always sets aggressive goals. North American Furnishings values its customer bases. Which one of the following types of corporate culture exists at North American Furnishings? A. Hierarchy B. Clan C. Market D. Adhocracy *ANS* C After opening its third store, Shoehorn Shoes decided to purchase new inventory tracking software for all of its stores. Which one of the following external or internal environments does this decision relate to? A. Operations environment B. Physical environment C. Economic environment D. Product environment *ANS* A Senior management of CAZ Company decides to cut its involvement with the local youth association and no longer allow its employees to work with kids during business hours. Additionally, they will no longer fund the Youth House. Which one of the following best describes how this action may affect its risk management profile? A. Corporation may increase its external social risk by negating any goodwill the community has for the company. B. Corporation may increase its financial exposure by not having tax credits to offset its profits or losses. C. Corporation may decrease its external political risk by removing itself from any community involvement. D. Corporation may decrease its operations environment as the staff will have more time to devote to the company. *ANS* A Which one of the following organizational policies or practices is based on a code of ethics? A. An annual compliance audit of each field underwriting office that is conducted by the home office staff B. The designation of 2 workdays a year for employees to participate in local civic and volunteer activities C. A company policy that offers a 10 percent discount to teachers and members of the military D. A disclosure requirement regarding any potential conflict of interest an accountant might have in working with specific clients *ANS* D Which one of the following statements is correct regarding an organization's code of ethics? A. The code of ethics should provide an organization with a set of parameters within which it should operate, with little room for interpretation. B. The code of ethics should provide a list of dos and don'ts that employees can use as a framework in making day-to-day decisions. C. The code of ethics should include principles and concepts that are dynamic enough to remain relevant in a rapidly changing business environment. D. The code of ethics should primarily consider the social and ethical needs of its external stakeholders. *ANS* C Green Corporation suffered severe losses due to tornados at its northern facility. The Board of Directors issued a statement that the current costs outweighed any sustainable profits in the near term. The risk manager can best assist the Board in its long term decision making by A. Following the directives of the board of directors preserving his/her position with the company. B. Offering a white paper on the merits of shutting down the facility, laying off the staff and shifting the work to other locations. C. Playing no role since the risk manger's focus is on preventing loss rather than reviewing senior management decisions. D. Providing data on the frequency of wind storms, and work with the risk center and risk owner at that location to find alternatives to protect the facility. *ANS* D Parker International tends to communicate only the information that stakeholders need to complete their tasks and achieve goals. The management style at Parker International is A. Directive. B. Delegating. C. Responsive. D. Supportive. *ANS* A A risk management professional is identifying the organization's key stakeholders as part of the enterprise risk management program. Which one of the following would be considered an internal stakeholder? A. Unions B. Suppliers C. General public D. Stockholders *ANS* D Which one of the following statements is correct regarding risk owners? A. Generally, external stakeholders should not be considered to be risk owners. B. Generally, the stakeholder who is most affected by or creates a risk should be its risk owner. C. The risk owner is usually a member of the senior management team. D. The risk owner should be given full authority to make decisions without management involvement. *ANS* B Shelton Manufacturing recently signed a contract with a new customer which will require them to increase production by 20 percent. The organization has decided to form a risk center to identify and assess the risks involved with this new contract, and manage them efficiently. Which one of the following individuals should be the risk owner? A. Production manager B. Sales manager C. Senior manager D. New customer *ANS* A One advantage that a national organization would derive from creating risk centers is that it A. May allow risks to be managed on a small scale thereby relieving the organization from focusing attention on it. B. Allows more independence for the risk centers so that they are not burdened with procedures. C. May segregate risks to protect the larger organization if the risk center fails. D. Allows for participation by operational managers who may contribute to the risk analysis. *ANS* D A vehicle manufacturer found that the exhaust system in certain models was not working properly. Some exhaust gases were releasing into the vehicle body. Rather than recalling the vehicles, they were shipped to South American markets. The manufacturer A. Is socially responsible because it shipped the vehicles out of the country thereby avoiding any US casualties. B. Is socially responsible because it does not force any individual to buy the vehicle. C. Has ignored its social responsibility as well as the risks involved with these actions. D. Has decided to transfer the risk to South American markets avoiding financial penalties. *ANS* C Lucy is a chef at a restaurant. She is growing tired of working such long hours and not reaping the financial benefits. Lucy has been saving money with the goal of opening her own restaurant. She recently talked to a financial advisor about the options market as a way to grow her savings quickly. The financial advisor explained that it is a risky choice, but could potentially allow her to reach her goal of owning a restaurant in the near future. Lucy has decided to invest her savings in the options market. Which one of the following types of risk attitude does Lucy exhibit? A. Risk optimizing B. Risk managed C. Risk obsessed D. Risk seeking *ANS* D Which one of the following best explains how a risk-managed organization views a proposed new product line? A. It determines the rewards of a new alternative and may underemphasize the impacts, variances and negative effects. B. It weighs the risk-reward relationship while realistically evaluating potential outcomes and consequences. C. It attempts to join with another organization for a joint venture taking little of the actual risk on itself. D. It seeks methods of transferring the potential risks or avoids the risk totally. *ANS* B The main advantage of a formal internal communication system is that A. Employees do not have direct access to each other. B. Formal internal communications takes time which may resolve issues. C. Individuals know to whom to report. D. It is easily accessed. *ANS* C BD Company has made widgets for over 79 years using the same production techniques for fear of the huge costs from potential consumer lawsuits if production is changed and product quality suffers. With respect to its risk attitude, this organization would be classified as A. Risk seeking. B. Risk naïve. C. Risk avoiding. D. Risk optimizing. *ANS* C The service representatives for Tauton Insurance will be eligible for a bonus only if the customer retention rate is increased by 5%. This is an example of which one of the following standards? A. A critical success factor derived from a strategic objective B. A severe risk tolerance level C. A key performance indicator based on financial ratios D. A corrective measure linked with an identified tolerance level *ANS* D Key risk indicators (KRIs) help organizations identify issues that can lead to losses. Effective KRIs are based on a company's A. Organizational structure. B. Product or industry. C. Strategic objectives. D. Sales volume. *ANS* C An organization's goals and objectives are met by establishing and attaining measurable standards for the many activities it pursues. Which one of the following statements is correct with respect to those standards? A. A key performance indicator (KPI) answers the question, "What will make our organization a success?" B. Generally, an organization's risk tolerance has little impact on its critical success factors (CSFs) and key performance indicators (KPIs). C. Organizations with key performance indicators (KPIs) established for critical success factors (CSFs) will typically achieve organizational goals. D. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable. *ANS* D Organizations use key risk indicators (KRIs) to plan for and respond to risk. Which one of the following statements is correct with respect to KRIs? A. A KRI can reveal an upward trend in the level of a risk that, if it continues, will exceed the designated risk threshold for that risk. B. KRIs are effective internal indicators of changes such as budget variances; however they are not effective external indicators. C. An organization's risk criteria, predefined tolerance ranges that measure variances from expected outcomes, are based on risk thresholds. D. Risk criteria relating to an organization's strategic risks generally do not serve as the bases for KRIs, which tend to be operational in focus. *ANS* A Organizations use key risk indicators (KRIs) to plan for and respond to A. Failure. B. Risk. C. Questions. D. Emergencies. *ANS* B Which one of the following statements is true regarding the business process management (BPM) life cycle model? A. The model is driven by the collaboration of human and technological input. B. The model is designed to review one business process at a time. C. The model is primarily used by organizations in the manufacturing sector. D. The model is ineffective unless all five steps are completed on a continuous basis. *ANS* A Carbon Manufacturing Company just hired a new chief risk officer (CRO) and one of his first tasks was to recommend updated key risk indicators (KRIs) to the chief executive officer (CEO). The CEO was especially interested in KRIs measuring the company's profitability. One area of measurement that the new CRO might want to use is A. Personnel changes. B. Customer invoices. C. Customer orders. D. Aged accounts receivable. *ANS* D The business process management (BPM) life cycle incorporates five steps. Which one of the following best describes the first step in the BPM process? A. Critical processes that support achievement of the organization's goals are selected for analysis. B. Processes are modeled to identify the organization's response to what-if scenarios. C. Processes are designed or redesigned by considering workflows and affected personnel. D. Processes are tracked so that statistics on their performance can be gathered. *ANS* C For an organization, a key performance indicator (KPI) measures the performance of a specific activity at a predetermined level or amount. Which one of the following is an example of a KPI based on a ratio? A. Customer-focused website B. High employee morale C. Safe transport of customer goods D. Inventory turnover *ANS* D North American Furnishings is using business process management to help it identify risks that threaten its processes. Which one of the following risks would be considered an internal risk? A. The loss of available materials due to tornadoes B. The loss of skilled craftspeople due to retirement C. The drop in demand due to rising interest rates D. The rise in the cost of materials due to new forestry regulations *ANS* B Which one of the following is an example of an internal key risk indicator (KRI) that a contractor might monitor? A. Cost of lumber B. Interest rates C. Availability of skilled labor D. Budget variances *ANS* D One of the strategic objectives for Cromley Insurance Group is customer satisfaction. Which one of the following is a critical success factor (CSF) that would help refine this strategic objective? A. High profitability B. Increase retention ratio by 5% C. Reduce claim activity by 4 to 6% D. High customer retention *ANS* D Which one of the following answers the question, "What shows we are a success?" A. Risk tolerance level B. Strategic objective C. Critical success factor D. Key performance indicator *ANS* D Successful organizations have goals and objectives. A financial or nonfinancial measurement that defines how successfully an organization is progressing toward its long-term goals is referred to as A. An objective gauge (OG). B. A critical success factor (CSF). C. A key performance indicator (KPI). D. An operating standard (OS). *ANS* C An organization has established a key performance indicator to "reduce employee injuries by 6%." Which one of the following would indicate a low risk tolerance for this KPI? A. Reduce employee injuries by 2% B. Reduce employee injuries by 4% C. Reduce employee injuries by 5 to 6% D. Employee injury rate remains unchanged *ANS* C Which one of the following is a main characteristic of effective key risk indicators (KRIs)? A. They define the boundaries of risk tolerance. B. They are lagging in nature. C. They are based on quantifiable information. D. They measure progress toward achieving objectives. *ANS* C One of the strategic objectives for Cromley Insurance Group is customer satisfaction. Which one of the following is a critical success factor (CSF) that would help refine this strategic objective? A. High customer retention B. Reduce claim activity by 4 to 6% C. Increase retention ratio by 5% D. High profitability *ANS* A Which one of the following terms refers to information used as a basis for measuring the significance of a risk? A. Risk criteria B. Risk tolerance C. Risk appetite D. Risk threshold *ANS* A Which one of the following is an example of an external key risk indicator (KRI) that a manufacturer might monitor? A. Amount of budget variances B. Number of employee injuries C. Age of accounts payable D. Cost of raw materials *ANS* D Which one of the following measures the progress an organization has made toward attaining its goals within a specific amount of time? A. Key performance indicator B. Risk tolerance level C. Critical success factor D. Key risk indicator *ANS* A Organizations use key risk indicators (KRIs) to plan for and respond to risk. Which one of the following statements is correct with respect to KRIs? A. To best manage risk, an organization should have as many KRIs as possible. B. To be effective, KRIs should be detailed and specific. C. KRIs are based on quantifiable information and support management decisions. D. KRIs are usually only established for the executive level within an organization. *ANS* C Key risk indicators (KRIs) can be established for various levels within an organization. Which one of the following levels of an organization usually has the most detailed KRIs? A. Department level B. Board of director level C. Business-unit level D. Senior management level *ANS* A Some best practices models call for the formation of a risk committee with a risk management focus at the organization's executive management level. Which one of the following statements best describes one of the responsibilities of an executive-level risk committee? A. To monitor the organization's compliance with established risk limits and how noncompliance is addressed B. To oversee exposures of the organization's critical risks and advise the board on risk strategy. C. To approve the organization's risk management strategies, including their design and implementation. D. To assist the board in establishing the organization's risk appetite and risk tolerance levels *ANS* C Which one of the following statements is true regarding separation of ownership and control in corporations? A. The incentive for managers and non-management board members to pursue their own interests at the expense of shareholders gives rise to agency costs. B. Corporate governance is not concerned with the separation of ownership and control. C. Shareholders retain decision-making authority while managers control business operations. D. Limited liability of shareholders impedes the separation of ownership and control in corporations. *ANS* A Corporate governance is evolving towards the separation of oversight and control for boards of directors. This separation may be accomplished by A. Requiring a company executive to chair each board committee. B. Requiring the majority of the directors to be outside directors. C. Requiring the audit committee to be comprised of inside directors. D. Using company-appointed board members rather than shareholder-elected board members. *ANS* B Rufus owns 1500 shares in the ARM Corporation. Recently, ARM has shouldered significant liabilities due to pollution problems. Generally, Rufus' liability as a shareholder would be limited to which one of the following? A. The value of their shares B. Treble damages C. The amount of assets they have D. The amount of insurance coverage they have *ANS* A Karen Williams, a retired chief financial officer of a bank, was invited to join the board of directors of ABC Property and Liability Insurance Company. She was asked to serve on the Audit Committee and the Risk Committee of the ABC board. Which of the following statements is true regarding Karen's service on the ABC board of directors? A. The entire board retains oversight responsibility over risks that are assigned to Karen's Audit Committee. B. The work of Karen's Risk Committee is limited to a review of the insurance company's underwriting results and the company's investment portfolio. C. Karen's Audit Committee takes precedence over the board of directors with regard to oversight responsibility. D. As a board member, Karen is expected to be a disinterested party, only questioning the management team when new corporate initiatives fail. *ANS* A Max is a new investor and the only stocks he owns are his 1,500 shares of Large Corporation. Large operates in a volatile high-tech sector. Max could readily trim his risk of owning shares by A. Concentrating his investments in one sector. B. Diversifying his insurance coverage. C. Diversifying his investment across many corporations. D. Concentrating his investments in one company. *ANS* C One of the categories of agency costs associated with managing the relationship between management and shareholders is A. Implementation costs. B. Monitoring costs. C. Acquisition costs. D. Commission costs. *ANS* B Which one of the following statements is true regarding the roles of a risk champion and a chief risk officer? A. A chief risk officer usually has less influence on corporate decision making than a risk champion. B. A chief risk officer is more likely to have a dedicated staff to assist with the responsibilities of his or her job. C. A risk champion is a member of the board of directors who has been selected to concentrate his or her efforts on assessing the risks faced by an organization. D. A chief risk officer reports to a risk champion, who in turn interacts with the company executives and the board of directors. *ANS* B The board of directors must use a thorough understanding of the organization's overall risk philosophy to determine the amount of risk the organization is willing to seek or accept in the pursuit of long-term objectives. This amount of risk is called the organization's A. Probable maximum loss. B. Retention level. C. Risk appetite. D. Maximum possible loss. *ANS* C A corporate board of director's chair person is elected by A. The board of directors. B. The shareholders. C. Executive management. D. Proxies. *ANS* A Which one of the following statements is correct with respect to the role of a board of directors in risk oversight? A. Increasing pressure on boards of directors to provide greater enterprise-wide risk oversight comes from sources such as investors, rating agencies, and regulators. B. A 2012 survey of executives revealed that practically all boards have formally assigned risk oversight responsibility to a board committee. C. A board's risk management strategy and broad objectives typically have little effect in setting the tone for risk management across the entire organization. D. Financial services organizations are far less subject to regulatory pressure for increased transparency and risk oversight than are corporations in nonfinancial business sectors *ANS* A Which of the following statements best describes the risk governance role and responsibility of a corporate board of directors? A. To set the organization's risk appetite and to stay informed of the most significant risks to the organization and management's responses. B. To convert strategy into operational objectives and to identify and assess the impact of risks on the achievement of the objectives. C. To establish risk management policies, to define risk management roles and responsibilities, and to set risk management implementation goals. D. To assign risk management procedures for day-to-day functions and internal controls. *ANS* A Corporate governance is defined as A. The reporting chain of command within an organization. B. A diagram of reporting relationships and levels of authority within an organization. C. The mechanisms and procedures that determine how corporations are run. D. A body of law that specifies how corporations are legally formed and chartered. *ANS* C The fees paid to external auditors to verify the corporation's financial statements are an example of A. A bonding cost. B. A fiduciary cost. C. A monitoring cost. D. An incentive alignment cost. *ANS* C Organizations are increasingly creating chief risk officer (CRO) positions. Which one of the following statements is correct with respect to CROs? A. The CRO's rank and importance to the board of directors are equal to those of the organization's other executive officers. B. Typically, a CRO analyzes, measures, and monitors risk; compiles reports; and facilitates risk workshops without the need for staff. C. CROs' roles are relatively standardized from industry to industry; they focus primarily on measuring and controlling risk. D. A 2012 survey indicated that, in companies with annual revenue greater than $20 billion, fewer than 20% had created a CRO position. *ANS* A One corporate governance issue is accountability of directors. One method to increase accountability of directors is to A. Include more inside directors. B. Decrease the independence of audit and compensation committees. C. Conduct regular meetings of outside directors without management being present. D. Ensure that the chief executive officer serves as board chairman. *ANS* C Which one of the following statements regarding the structure and role of a board of directors is true? A. The board of directors must be comprised of ten directors, with an equal number of inside and outside directors. B. Members of the board elect a director to be chairman of the board. C. The board is responsible for the day-to-day decisions at a corporation. D. Members of the board are appointed by the president of the company. *ANS* B Which one of the following is the term used for a person—usually a manager—who advocates for and supports a specific aspect of the risk management process in an organization? A. Risk manager B. Risk champion C. Chief risk officer (CRO) D. Internal auditor *ANS* B All of the following are true regarding the composition of boards of directors, EXCEPT: A. Corporate boards are uniform in size with 13 directors. B. Boards include both inside directors and outside directors. C. Directors elect the chairman of the board. D. Outside directors serve on the compensation committee. *ANS* A Which one of the following statements regarding corporate governance and risk oversight is true? A. Nonfinancial organizations are subject to greater regulatory pressure for transparency and astute risk management than financial organizations. B. Some board of directors delegate risk oversight tasks to board committees, such as the audit committee, risk committee, and compensation committee. C. Board oversight should be limited to past history and current conditions, and should avoid consideration of uncertain future events. D. Corporate governance and risk oversight have no impact on the value of the organization. *ANS* B A privacy impact assessment (PIA) is A. A tool used to identify and assess privacy risks. B. An example of metadata that defines key data attributes. C. A collaborative tool that facilitates workflows. D. Proprietary software used to detect malware. *ANS* A Which one of the following functions of a data management program would allow accounting transactions to automatically update an organization's financial statements? A. Data governance B. Data access C. Data preparation D. Data integration *ANS* D Which one of the following statements is correct regarding the personal data and privacy positions of the European Union (EU) and the U.S.? A. Class-action lawsuits over privacy are commonplace in the EU, but rare in the U.S. B. The U.S. has a stronger cultural expectation of privacy than the EU. C. U.S. companies are required to comply with the EU's General Data Protection Regulation (GDPR) only if they have employees in the EU. D. The EU has one all-encompassing data protection framework and the U.S. has several more targeted privacy laws. *ANS* D Which one of the following defines individual risk? A. Individual risk varies according to the type of business. B. Individual risk may be categorized as operational. C. Individual risk is defined by the data governance committee. D. Individual risk is reputational in nature. *ANS* A Metadata contains A. Accounting ledger entries as well as big data. B. Both material limitations and sampling methodology. C. Information about data as well as rules about that data. D. A combination of structured and unstructured data. *ANS* C Which one of the following defines the duties of a data steward? A. A data steward measures data compliance. B. A data steward is an experienced business analyst. C. A data steward provides technological support. D. A data steward is a project manager. *ANS* B Which one of the following data governance tools allows the data governance committee to look at data relationships and interdependencies across the organization? A. External compliance guidelines B. Internal coding procedures C. Enterprise data models D. Project management programs *ANS* C Internal data entry processes that capture accounting transactions, customer data or other operational transactions are called A. Data capture. B. Data quality. C. Data integration. D. Data governance. *ANS* A Which one of the following provides the frame of reference needed so data can be used appropriately for analysis and decision-making? A. Metadata B. Data lineage C. Data custodian D. Data virtualization *ANS* A Under the General Data Protection Regulation (GDPR), a data controller's role is to A. Represent the business aspects of data governance. B. Define the metrics used to measure an organization's overall data quality. C. Define how and for what purpose personal data should be processed. D. Manage the flow of data for the rest of the organization. *ANS* C Encrypting data to block its use if stolen is an example of a A. Software-based security solution. B. Cyber-threat inventory approach. C. Incident response plan. D. Hardware-based security solution. *ANS* A Data governance provides A. Definitions, standards and procedures for how data is used. B. The internal data entry processes needed to capture accounting transactions. C. A road map that details where data is located. D. A dynamic view of data without needing to move it between systems. *ANS* A In terms of data quality principles, validity is defined as A. The accuracy of data within predefined and accepted parameters or values. B. The process of tracing data from its source to its destination. C. The true value of data relative to the business information being analyzed. D. The extent that each dataset contains all elements necessary for business needs. *ANS* A Encrypting data is an example of A. An enterprise risk management program B. A regulatory compliance program. C. A data governance program. D. A data security program. *ANS* D Cyber extortion is another name for A. Phishing. B. Bitcoin C. Ransomware. D. Social engineering. *ANS* C Donna's Dog Treats has been very successful in the Boston area and would like to expand to new cities. Donna knows that she cannot make this decision based on customer advice and blind faith. She has collected internal financial and operational data as well as external data from reliable sources. Donna has hired an analyst to review the data quality. The analyst is reviewing the data to see if it includes the demographics for each target city that Donna is considering. Which one of the following data-quality principles is being evaluated? A. Comprehensiveness B. Appropriateness C. Reasonableness D. Validity *ANS* A To gain a competitive advantage, maintain profitability, and satisfy customers an organization must A. Be able to trust its data. B. Pay attention to the marketplace. C. Adopt current accounting rules. D. Have an effective risk management program. *ANS* A Malware is defined as A. Software designed to cause damage. B. Software technology used to encrypt data. C. A hardware-based security breach. D. A tool for managing data security. *ANS* A Which one of the following is an example of a data governance tool? A. Metadata B. Risk Management C. Data integration D. External Policy *ANS* D A data governance committee (DGC) A. Is cross-functional. B. Cleanses big data. C. Reports to risk management. D. Is comprised of IT architects. *ANS* A In accordance with the Three Lines of Defense Model, how does risk management act as the second line of defense? A. Risk management alerts internal audit of potential threats within a department and works with internal audit to neutralize the threat. B. Risk management supports and monitors operational management's implementation of risk management practices. C. Risk management provides oversight to the operational management's assessment of risk and internal controls. D. Risk management has authority to initiate activity demanding an external audit should a risk be deemed imminent. *ANS* B Which one of the following best describes why many purchasers require an ISO 9001 certification prior to buying a business? A. To have an outside audit company attest to its conclusive audit. B. To ensure that internal standards and controls are in place. C. To transfer liability should the financial statements prove erroneous. D. To obligate the seller to perform audits for conformance prior to the sale. *ANS* B It is necessary to define functions that should be performed by internal audit rather than the enterprise risk management (ERM) team because A. Internal audit and risk managers share responsibilities for governance and compliance for the organization. B. ERM is all encompassing and if not controlled will absorb internal audit functions. C. The Institute of Internal Auditors (IIA) guidelines are used to avoid confusion in an organization and clarify financial compliance issues. D. Clarification of functions helps avoid redundancy and foster a strong working relationship. *ANS* D Many banks are using technology to search for and detect cyber-security threats locally and in the cloud. This application of technology, in which machines learn from humans, illustrates the use of A. Machine learning. B. Data analytics. C. Artificial intelligence. D. Risk management information systems. *ANS* C Which one of the following best describes how the modern approach to internal auditing differs from the traditional approach? A. The modern approach uses a systems-based technique, evaluating current controls and threats to the organization, and considers the materiality of risks, but does not consider an organization's business objectives. B. The modern approach uses many systems-based techniques, determines activity based on the organization's business objectives, materiality of the risk and key threats to achieving business objectives rather than evaluating current controls. C. The traditional approach confines itself to review of current system controls, compliance with those controls and any potential to bypass those controls rather than the materiality of the risk. D. The traditional approach uses systems-based controls, determines materiality of potential risks to the organization's achievement of its objectives rather than reviewing adherence to regulations. *ANS* B Which one of the following describes the role of internal audit according to the Federation of European Risk Management Associations (FERMA) and the European Commission of Institutes of Internal Audit (ECIIA) model? A. Internal audit is the first line of defense providing the original risk assessment, control environment as well as maintaining effective internal controls. B. Internal audit is the second line of defense providing support for the implementation of controls, particularly with law and regulations. C. Internal audit is the third line of defense providing assurance to the board and senior management on organizational effectiveness of risk management and assessment efforts. D. Internal audit is the fourth line of defense providing oversight to the organization as a whole, reporting to the board and senior management on compliance by the various departments with regulations. *ANS* C Which one of the following best describes how internal audit supports enterprise risk management (ERM)? A. ERM provides the assessments that internal audit uses to test the viability of controls. B. Internal audit implements the risk assessments provided by ERM. C. ERM implements risk management activities and internal audit assesses the results. D. Internal audit finds risks overlooked by ERM. *ANS* C Emerging technologies such as artificial intelligence and machine learning are being applied by some businesses as part of their internal audit and control process. A key benefit of such applications is A. Reduced labor costs in the risk management department. B. Gaining an historical perspective on inefficient and ineffective internal control measures. C. Detection of fraud and inefficient practices in real time. D. Greater ability to quantify losses. *ANS* C The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control—Integrated Framework provides A. Guidance on assessing risk and evaluating internal controls to government agencies but not to other organizations. B. Common standards designed to increase effectiveness and efficiency of operations and reliability of financial reporting while ensuring compliance with applicable laws and regulations. C. International standards to help ensure that organizations meet the needs of customers and stakeholders while also complying with statutory and regulatory requirements. D. Not a system of controls, but a framework for auditors to provide independent, objective, and reasonable assurances that management has adopted a system of controls that is effective and functioning as intended. *ANS* B Which one of the following best describes why the Institute for Internal Auditors (IIA) has designed standards addressing the need for internal audit to evaluate the effectiveness of risk management? A. Audits are objective and independent of the politics of an organization. A pronouncement assists the auditor by defining review criteria. B. Audits may be self-serving to an organization depending on the experience level of an auditor. By indicating specific criteria, an auditor should be able to conduct a valid audit. C. Audits are conducted under diverse legal and cultural environments. Requiring an auditor to validate particular points ensures that auditors and their activities meet their responsibilities. D. Audits are conducted annually in many organizations. Requiring an auditor to validate the findings of prior years provides a comfort level to stakeholders. *ANS* C Which one of the following best describes how internal audit compliments a risk management initiative? A. Internal audit tests controls for risks identified by risk managers. Risk management and internal audit are similar in that they are both charged with protecting the assets of an organization. B. Internal audit tests the controls initiated by the risk management team. The risk management team reviews the results and responds to internal audit on the control assessment. C. Risk managers identify, assess and prioritize risks. Internal audit develops a risk-based auditing plan that addresses material risks to an organization. D. Risk managers identify, assess and prioritize risks with the assistance of internal audit. Internal audit requires that the controls for the risks are tested. *ANS* C Which one of the following best explains how the role of the internal auditor changed with the passage of the Sarbanes-Oxley Act of 2002? A. The internal auditor must adapt to the ever changing environment of risk control through the use of electronic reconciliation programs. B. The internal auditor must adopt a stakeholder orientation by anticipating, monitoring and assessing business and operational risk. C. The internal auditor must adopt the attitude of an external auditor, carefully reviewing and critiquing the finances of an organization. D. The internal auditor must be able to recognize current fraud risks as well computer theft of intellectual property. *ANS* B An auditor identifies risks under the risk-based approach by A. Reviewing the organization, department by department to determine if the controls overlap asking, "Is the redundancy needed?" B. Reviewing prior audits, comparing results and asking, and "Has the control environment changed?" C. Looking at each objective, testing each control by asking, "Does this seem appropriate?" D. Looking at each objective and its controls identifying risks by asking, "What might go wrong?" *ANS* D Which one of the following is true regarding internal audit involvement with enterprise risk management (ERM) efforts? A. Internal audit is not becoming more involved with ERM efforts because internal audit must remain independent and objective. B. Internal audit is responsible for the organization's compliance with all governance issues, including ERM compliance. C. Internal audit is responsible for reviewing controls in an organization which includes ERM programs. D. Internal audit is increasingly asked to evaluate organizational risks, including strategic, financial and hazard risks. *ANS* D Colossal Casualty Insurance Company decided to conduct an internal audit of the company's operations. As part of the internal audit, several fictitious claims were submitted to the claims department to see if the claims would be approved and paid. Which one of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) components of internal control was examined by this internal audit test? A. Control environment. B. Information and communication. C. Monitoring activities. D. Risk assessment. *ANS* A An independent auditor has been given the task of evaluating internal controls at Westside Company (Westside). The auditor has determined that Westside's board of directors has endorsed a framework requiring management to have documented internal reporting controls to ensure efficient operations, accuracy of financial statements, and compliance with regulations. The framework is applied at the entity and divisional levels, but not the operating unit or functional levels. The program is new so it has not yet been monitored. The auditor is likely to report that A. The selected method does not align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework. It must also be applied at the operating unit level, but not the functional level. Regular monitoring must be implemented. B. The selected method aligns with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework because it is applied at the entity level. Monitoring will be required after the framework has been in place for one year. C. The selected method does not align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework because it must also be applied at the operating unit and functional levels and it must be monitored. D. The selected method aligns with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework because it is applied at the entity level. Monitoring is not a requirement. *ANS* C Cheryl Babson works in internal control at Software Company. She contacted company security and asked them to immediately go to the office of a software engineer and to detain him. As part of the internal control process, Cheryl had scanning software installed at the company that randomly searched all e-mails and text messages sent from on-site, searching for key words. The scanning software detected the words: "gun," "bomb," "revenge," and "kill" in communications sent from the engineer's office. Company security found a loaded assault rifle, two loaded handguns, and a pipe bomb in the engineer's office. He confessed to planning a workplace attack at the company cafeteria later that day. The emerging technology Cheryl deployed is called A. Blockchain Technology. B. Natural language processing. C. Computer simulation. D. Radio frequency identification. *ANS* B Developing a risk-based audit plan requires a risk assessment. Under the model of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, which one of the following explains how risk assessment is addressed? A. It expands the risk assessment concept by comparing it to competitor audits. B. It expands the risk assessment concept by identifying five interrelated components of internal control. C. It is narrower and it provides concrete steps which are recommended and differ by industry. D. It is essentially the same as the traditional model, but is codified in steps that are reported. *ANS* B Martin Pruitt was hired by Regional Bank Company (RBC) to strengthen the company's internal control efforts. Martin implemented a computer scanning program to detect fraud. The scanning program flagged a suspicious account. When Martin investigated the account, he learned that someone in the bank's technology department had created the account. When the bank credits monthly interest on depositor accounts, any fractional cents are rounded-down to the nearest cent. The technology department official programmed the system so that any fractional cents lost due to rounding were deposited to the account owned by the technology department official. The scanning program Martin Pruitt implemented used computers to learn from the data analyzed. This application of emerging technology illustrates the use of A. Risk management information systems. B. Artificial intelligence. C. Computer simulation. D. Machine learning. *ANS* D The importance of strong control environments with independent oversight have become increasingly important A. As organizations became more complex. B. Because international trade is dependent upon consistent accounting processes. C. As business complied with the provisions of the Sarbanes Oxley Act. D. Because the Federation of European Risk Management Associations (FERMA) made it a requirement for international trade. *ANS* A Which one of the following statements is true with regard to the application of emerging technologies such as artificial intelligence and machine learning to internal auditing of an organization? A. There should be no improvement given that the same practices are subject to internal audit with or without the application of emerging technology. B. Deviations from desired practices and procedures will be more quickly identified by emerging technologies, and auditors can focus on designing and implementing new systems. C. While the application of such technologies may be beneficial, the cost of implementation makes the use of emerging technologies unrealistic. D. Although such techniques are applicable to the risk management function, they are not applicable to internal audit. *ANS* B The Auditing Standard No. 5 (AS 5) calls for a specific fraud assessment because A. Of the financial scandals of the late twentieth century; there is now an obligation to detect fraud. B. The failure to prevent or detect fraudulent misstatements is higher than the risk of failing to prevent or detect other types of errors. C. Failure to detect fraud through regular transactions in an organization remains the highest risk. D. Fraud within an organization remains the most serious threat to the economic well-being of society. *ANS* B Preventive controls assist the overall control environment of an organization by A. Detecting errors or inconsistencies after they occur. B. Addressing reconciliation of accounting errors. C. Reducing risk of unauthorized actions. D. Comparing different sets of data and investigating any differences. *ANS* C One internal control integrated framework consists of five essential components: the control environment, risk assessment, control activities, information and communication, and monitoring activities. When these components are applied across the organization, they create a "cube." This framework is the A. Financial Accounting S