1. An organization has calculated that for every day its call center is not available, it loses
$250,000. The director of telecommunications has identified external threats as the most
serious risks to the call center and has asked a consultancy firm to set up a duplicate offsite call
center with backup hardware and software. In reacting to the possibility of call center closure
and incurring financial losses, which risk response best describes the approach taken? Select
one.
A. Accept (or tolerate).
B. Mitigate (or reduce).
C. Pursue (or exploit).
D. Avoid (or terminate).
E. Share (or transfer).
Solution: B
2. Which of the following best describes a control risk self-assessment exercise? Select one.
A. Examining how well controls are working in managing key risks.
B. Using standardized checklists to assist risk identification.
C. Reviewing processes systematically to identify vulnerabilities and threats.
D. Determining the cost-effectiveness of controls.
Solution: A
3. Which of the following procedures form part of the content of risk reporting?
I. Changes to the risk profile or the level of severity of risks.
II. Systematic checks of risk mitigation plans.
III. Weaknesses identified in the system of internal control.
IV. Updates on actions that have been taken with respect to risk treatments. Select one.
A. I, II, and IV only.
B. I, III, and IV only.
C. I, II, and III only.
D. II, III, and IV only.
Solution: B
4. Which of the following best describes the internal auditors' role when providing assurance
on risk management reporting? Select one.
A. Creating a report on the organization's key risks.
B. Reviewing the accuracy and timeliness of key risk reports.
C. Providing key risk reports to the board or audit committee.
D. Providing key risk reports to external auditors.
Solution: B
5. In accordance with Standard 2450 - Overall Opinions, an overall audit opinion must be
supported by information. What specific requirements must this information satisfy? Select all
that apply.
A. First-hand.
B. Recent.
C. Relevant.
D. Reliable.
E. Sufficient.
F. Useful.
Solution: C, D, E, and F
6. What actions must CAEs take if they believe the residual risk level remains at an
unacceptable level? Select all that apply.
A. Determine how the risk should be managed.
B. Discuss the matter with senior management.
C. Update the risk management processes based on actual risk exposure.
D. Design controls that can be implemented to reduce severity to an acceptable level.
E. Report the matter to the board.
F. Seek a second opinion from a third party.
Solution: B and E
7. From The IIA's ERM fan diagram, which of the following fall in the section of "roles
internal audit should not undertake"? Select all that apply.
A. Evaluating risk management processes.
B. Setting the risk appetite.
C. Accepting accountability for risk management.
D. Coordinating ERM activities.
E. Championing the establishment of ERM.
F. Maintaining and developing the ERM framework.
Solution: B and C
8. From The IIA's ERM fan diagram, which of the following fall in the section of "legitimate
internal audit roles with safeguards"? Select all that apply.
A. Giving assurance that risks are effectively evaluated.
B. Giving assurance on risk management processes.
C. Coaching management in responding to risks.
D. Consolidated reporting on risks.
E. Imposing risk management processes.
F. Making decisions on risk responses.
Solution: C and D
9. From The IIA's ERM fan diagram, which one falls in the section of "core internal audit
roles with respect to ERM"? Select all that apply.
A. Evaluating the reporting of key risks.
B. Facilitating identification and evaluation of risks.
C. Developing risk management strategy for board approval.
D. Management assurance on risk.
E. Implementing risk responses on management's behalf.
F. Evaluating the reporting of key risks.
Solution: A and F
10. An internal auditor is using a process elements activity approach to assess the
organization's risk management processes. One of the key process elements under review is a
requirement for structured and ongoing communication. Which of the following techniques is
likely to provide the most relevant and useful evidence? Select one.
A. Documented review of board and audit committee meetings.
B. Interviews with those impacted by organizational operations.
C. Interviews with individuals with responsibilities for risk management.
D. Results from previous audits.
Solution: C
11. An internal auditor is using a key principles approach to assess the organization's risk
management processes. One of the key principles under review is that "risk management is
transparent and inclusive." Which of the following techniques is likely to provide the most
relevant and useful evidence? Select one.
A. Ongoing observations made by the CAE from participating ex officio in risk
council meetings.
B. Review of risk management literature for best practices.
C. Process mapping of the organization's risk identification activities.
D. Results from previous audits.
Solution: A
12. An auditor becomes aware of a new regulation. To the best of the auditor's knowledge,
management has not considered the implications of the new regulation for the organization, its
goals, and its activities. What should the auditor do? Select one.
A. Notify the board that management has not addressed the associated risks.
B. Perform a risk assessment and determine the appropriate risk responses.
C. Notify management of the regulatory requirement and potential compliance risks, and offer
advice.
D. Perform an audit of the compliance activity.
Solution: C
13. When assessing the adequacy and effectiveness of risk criteria used in risk management,
which of the following activities should internal auditors perform as part of their consulting
role? Select one.
A. Determine appropriate criteria based on possible risk events and outcomes.
B. Challenge management's choice and use of risk criteria.
C. Align decisions with risk tolerance.
D. Communicate risk criteria to the organization.
Solution: B
14. Members of the internal audit activity have been asked to assume a number of additional
advisory roles related to ERM. Which of the following may be applied as appropriate
safeguards for organizational independence and/or individual objectivity for assurance
services? Select all that apply.
A. Conforming to the requirements of the IPPF.
B. Using "cooling off" periods such that internal auditors do not provide assurance on areas of
the organizations where they have recently had responsibility or provided consultation.
C. Deferring professional development opportunities to free up time for additional
responsibilities related to ERM.
D. Deferring planned assurance engagements to free up time for more advisory engagements.
E. Reporting the outcomes of advisory work to senior management.