Domain 5 – Governance, Risk Management and Control

Question 1
Which of the following can help determine whether an organization's risk management
framework is current and complete?
a) Risk volatility
b) Risk discovery
c) Risk maturity
d) Risk agility
Risk maturity deals with whether an organization is using a proper risk management
framework to manage an organization's risks. It seeks to determine whether that framework is
old or new, complete or incomplete, mature or immature, fully implemented or partially
implemented. Moreover, it asks whether the current maturity fits with the current business.
Question 2
A manager's or an investor's risk-on and risk-off concepts are related to which of the
following?
a) Risk agility and risk resilience
b) Risk shifting and risk sharing
c) Risk outcomes and risk severity
d) Risk tolerance and risk perceptions
Risk-on and risk-off concepts indicate that the behavior of managers or investors changes
according to their risk tolerances and risk perceptions. Low risk perception leads to higher
risk-taking investments and vice versa.
Question 3
Which of the following can help a corporation to identify its business assets with high-risk
concentrations?
a) Risk parity
b) Risk pyramid
c) Risk volatility
d) Risk matrix
The chief risk officer can develop a risk pyramid for a specific asset or a group of assets
within his or her own organization that identifies any assets with high risk concentrations.
The pyramid will have three sections: bottom (low risk), medium (medium risk), and top
(high risk).
Question 4
Which of the following is both an upside risk and a downside risk?
a) Strengths, weaknesses, opportunities, threats (SWOT) analysis
b) Research and development
c) Business impact analysis
d) Vulnerability analysis
Upside risks are opportunities to benefit and downside risks are threats to success. The
words “strengths and opportunities” in SWOT are upside risks; the words “weaknesses and
threats” in SWOT are downside risks. Taken together, they are called hybrid risks.
Question 5
Which of the following is not an upside risk?
a) Marketing surveys
b) Economic analysis
c) Sales prospecting
d) Test marketing
Upside risks are opportunities to benefit, and downside risks are threats to success.
Economic analysis shows both good news and bad news at a point in time, meaning both
upside and downside risks (i.e., hybrid risks).

Question 6
Which of the following risk responses accepts increased risk to achieve increased
performance?
a) Pursue
b) Accept
c) Share
d) Transfer
The “Pursue” response means management takes action that accepts increased risk to
achieve increased performance by adopting aggressive growth strategies (e.g., introducing
new products and services and expanding facilities and operations). This increased
performance can result from a greater change in organizational strategies, policies,
procedures, practices, and programs.
Question 7
Which of the following is a downside risk?
a) Threat analysis
b) Business continuity planning
c) Technological analysis
d) Environmental analysis
Upside risks are opportunities to benefit, and downside risks are threats to success. Threat
analysis is a downside risk.
Question 8
Risk is not based on:
a) Probabilities.
b) Chances.
c) Certainties.
d) Likelihoods.
Risk is not based on certainties; a risk might occur or might not occur. Its occurrence is
uncertain.

Question 9
According to the IIA Standard 2100: Nature of Work, which of the following is a form of
self-insurance?
a) Captive insurance
b) Derivatives
c) Reinsurance
d) Co-insurance
Captive insurance is a form of self-insurance where a noninsurance firm creates an insurer
for the purpose of accepting the risks of the parent firm that owns it.

Question 10
When planning a risk management audit, internal auditors focus primarily on which of the
following first?
a) Risk management framework
b) Risk management plans
c) Risk management procedures
d) Risk management policies
Focusing first on the risk management framework is like separating trees from the forest,
which gives a big-picture perspective on the entire risk management program. The
framework is the primary focus for internal auditors.

Question 11
Risk registers do not document which of the following?
a) Residual risks
b) Current risks
c) Unchanged risks
d) Strategic risks
Risk registers do not document risks at the strategic level (high level) because risk registers
deal with low-level risks, including operational-level and functional-level risks.

Question 12
According to the assurance line-of-defense model, risk owners are:
a) Risk monitors.
b) Risk overseers.
c) Risk creators.
d) Risk evaluators.
Risk creators are risk owners because, based on their risk appetite, they take more or less
risk to run their business function or operation.

Question 13
Regarding risk management, which of the following should be the least concern to a chief
risk officer (CRO) of an organization?
a) Risk immunity
b) Key risk indicators
c) Derisking efforts
d) Value-at-risk amounts
Risk immunity is of least concern to the CRO. It raises a question whether a business
function, activity, or operation is subject to risk, exposure, threat, or vulnerability. Two
possible outcomes can occur: immune to risk (risk resistant) or not immune to risk (risk
prone). Note that no business function is immune to risk.

Question 14
Residual risks are not:
a) Mitigated risks.
b) Unmanaged risks.
c) Net risks.
d) Unaddressed risks.
It is true that residual risks are not mitigated risks.

Question 15
Which of the following statements is not true about residual risks?
a) Residual risks are unidentified risks.
b) Residual risks are unmanaged risks.
c) Residual risks are unaddressed risks.
d) Residual risks are uncontrolled risks.
This is not a true statement. Residual risks are those risks that are identified and ignored
because management does not want to manage, address, or control them.

Question 16
Regarding a board's awareness of organizational culture, surveys found that board
members have the least understanding of culture at which of the following levels?
a) Tone at the top level
b) Culture at the top level
c) Culture at the middle level
d) Culture at the bottom level
Board members have the least understanding of an organization's culture at the bottom
level because board members are far removed from frontline employees working in
frontline functions or operations. Usually board members do not visit frontline offices,
retail stores, warehouses, distribution centers, or factories; or they may visit only
infrequently. In a way, board members are disconnected from the frontline employees, thus
they would not know or understand the culture of lower-level employees. Surveys are one
of the ways to obtain this understanding.

Question 17
Which one of the following items considers all the other three items in concert?
a) Vulnerabilities
b) Threats
c) Risks
d) Controls
Vulnerabilities → Threats → Risks → Controls

Question 18
Residual risks are not:
a) Uncovered risks.
b) Untreated risks.
c) Uncommitted risks.
d) Unknown risks.
Residual risks are risks that are known to both auditors and managers.

Question 19
Which of the following are the most risky situations?

I. Residual value
II. Residual interests
III. Residual risk
IV. Residual data

a) I and II
b) III only
c) II and IV
d) III and IV
Residual risk and residual data are the most risky situations. Residual risk is leftover,
unmanaged, or unaddressed risk that still remains after all controls and mitigations are
applied. It can be most risky if it is big in size. Residual data is leftover data remaining on
storage media after it is erased. Since residual data can be recovered by hackers, additional
disposal techniques should be applied to protect the sensitive electronic data in storage.
Until then, residual data can be most risky.
Question 20
Which of the following is a legal tool for derisking?
a) Risk sharing
b) Incorporation
c) Risk transfer
d) Risk reduction

Incorporation is a legal term in use when an individual wants to register a business in a
state to conduct business. Organizations can also incorporate to do their business.
Incorporation is a legal tool for derisking.

Question 21
Which of the following is not a legal tool for derisking?
a) Hold-harmless agreements
b) New contracts
c) Recontracting
d) Risk shifting
Risk shifting is risk transferring from one party to another, but the risk still remains. This
is not a legal tool for derisking.

Question 22
Essentially, derisking means:
a) Downsizing risks.
b) Postponing risks.
c) Ignoring risks.
d) Eliminating risks.
Derisking means downsizing risks to bring down the risk-severity levels.
Question 23
Which of the following types of organization would have the highest amount of de-risking
to do?
a) Proprietorship
b) Partnership
c) Public corporation
d) Private corporation
A proprietorship poses a high risk because the owner is legally responsible for all risks.
Hence, the de-risking amount would be higher.

Question 24
Derisking does not mean:
a) Risk volatility.
b) Risk securitization.
c) Risk diversification.
d) Risk modification.
Risk volatility increases risks due to unexpected variations in risk outcomes. It is not a
good method of derisking.

Question 25
Which of the following is the best way to link de-risking opportunity to an organization's
structure?
a) Legal structure
b) Capital structure
c) Tall structure
d) Flat structure
A legal structure such as incorporation provides derisking opportunities aligned with an
organization's structure. For example, a public corporation is less risky than a private
corporation.

Question 26
Which of the following is the most important element of corporate social responsibility?
a) Legal responsibilities
b) Sustainability responsibilities
c) Economic responsibilities
d) Ethical responsibilities
Sustainability responsibilities deal with issues related to environment, social, and
governance affecting an entire organization.

Question 27
Which of the following deals with issues related to outside of a corporation's boundaries?
a) Governance audit
b) Risk management audit
c) Control audit
d) Sustainability audit
A sustainability audit deals with issues outside a corporation's boundaries, such as
environment, social, and governance affecting an entire organization.

Question 28
From an internal auditing viewpoint, which of the following is referred to when the board
members and senior managers are focusing on improving environmental, social, and
governance issues?
a) Environmental audit
b) Social audit
c) Governance audit
d) Sustainability audit
A sustainability audit addresses the full scope of environmental, social, and governance
issues.

Question 29
Shareholders are not interested in investing to address which of the following?
a) Environmental risks
b) Standard risks
c) Social risks
d) Governance risks

An insurance company can label a person as a standard risk, saying that she is insurable at
a standard rate. Risk management, not shareholders, will address standard risks because
shareholders are not interested in them.

Question 30
Conducting a SWOT (strengths, weaknesses, opportunities, and threats) analysis is an
example of which of the following types of risks?
a) Upside risks
b) Downside risks
c) Hybrid risks
d) Wrong-way risks
Upside risks are opportunities to benefit, and downside risks are threats to success. SWOT
analysis deals with both upside risks (i.e., strengths and opportunities) and downside risks
(i.e., weaknesses and threats). Hence, it represents hybrid risks.

Question 31
In risk management, expenditures on research and development projects are examples of
which of the following?
a) Upside risk
b) Downside risk
c) Cross risk
d) Add-on risk

Spending money on research and development (R&D) projects is a strength and
opportunity, leading to an upside risk. This is the major goal of R&D projects. Upside risks
are opportunities to benefit, and downside risks are threats to success.

Question 32
In risk management, vulnerabilities facing organizations are an example of which of the
following?
a) Upside risk
b) Downside risk
c) Cross risk
d) Add-on risk
Downside risks are negative things happening to organizations. Vulnerabilities are
negative things because they lead to threats, which, in turn, lead to risks. Upside risks are
opportunities to benefit, and downside risks are threats to success.

Question 33
Relatively speaking, which of the following should be a major concern for internal
auditors?
a) Audit risk indicators
b) Risk management risk indicators
c) Finance risk indicators
d) Governance risk indicators

Governance risk indicators should be a major concern to internal auditors because these
risk indicators affect the entire organization, as they show the board of directors’
effectiveness or ineffectiveness in performing their oversight functions and fulfilling their
fiduciary duties. Audit risk indicators become a part of governance risk indicators.

Question 34
Regarding executive compensation, say-on-pay deals with which of the following?
a) Board of directors
b) Shareholders
c) Finance committee
d) Compensation committee

Shareholders and investors are voicing their concerns about excessive executive
compensation through the say-on-pay theme via the proxy process. The goal is to influence,
modify, and decrease executives’ total compensation packages.

Question 35
Which of the following items should be analyzed and focused on first?
a) Vulnerabilities
b) Threats
c) Risks
d) Controls
Vulnerabilities → Threats → Risks → Controls

Question 36
A company's risk appetite is not related to which of the following?
a) Size of the company
b) Competitors’ risk aggressiveness
c) Complexity of the company
d) Management's risk tolerance

Risk appetites vary with each company or organization. A company's risk appetite is related
to its size, complexity, and management's risk tolerance and has nothing to do with a
competitor's risk aggressiveness. The larger the size of a company, the greater its
complexity; the higher management's risk tolerance, the bigger the risk appetite, and vice
versa.

Question 37
Financially distressed companies most frequently use which of the following that can be
risky?
a) Risk management
b) Risk shifting
c) Risk avoidance
d) Risk sharing
Risk shifting is the diverting or transferring of risk from one party to another party. It is
used most frequently by companies facing a situation of financial distress. For example, a
company taking on a large amount of debt now can shift risk from shareholders to debt
holders so that the latter face more risk than the former.

Question 38
Which of the following risk elements must be aligned for effective enterprise risk
management (ERM)?
a) Risk profiles and risk registers
b) Risk maps and risk culture
c) Risk appetite and risk tolerance
d) Risk immunity and risk sensitivity
The risk appetite of an organization is the total amount of or level of risk that it is willing
to accept. Risk tolerance is the maximum amount of or the rate of risk that an organization
is willing to accept before changing its mind. The level and the amount of risk that is
accepted must be aligned with each other due to their common goal of containing and
managing risk.

Question 39
Which of the following is very useful in developing succession plans for executives and
senior management of a corporation?
a) Depth charts
b) Organization charts
c) Responsibility charts
d) Accountability charts
Depth charts provide snapshots of available internal management staff and their readiness
to take on increased leadership roles when the time comes. So, depth charts are very useful
in succession plans of key management positions.

Question 40
The Committee of Sponsoring Organizations' (COSO's) enterprise risk management
(ERM) framework links which of the following?
a) Strategy to performance
b) Strategy to mission
c) Strategy to objectives
d) Strategy to goals
Linking strategy to performance is the ultimate end outcome of any management strategies
and programs. ERM is no different; strategy is the starting point and performance is the
ending point. Performance is counted in terms of measurable outcomes.

Question 41
Which of the following is a valid and meaningful relationship in risk management?
a) Risk appetite < Risk tolerance < Risk universe
b) Risk culture < Risk appetite > Risk tolerance
c) Risk attitude > Risk appetite > Risk universe
d) Risk profile < Risk acceptance < Risk avoidance
Risk appetite should be equal to or less than risk tolerance and they should be less than or
equal to risk universe. This is a valid and meaningful relationship. In other words, risk
universe is the upper limit and risk appetite cannot be greater than the risk universe.

Question 42
An organization's risk management framework or risk model is not complete until it
addresses which of the following?
a) Role of root causes
b) Role of chief risk officer
c) Role of risk specialists
d) Role of risk generalists
Root causes can indicate what things or activities can increase or decrease risks. Root
causes show a solid link between causes and effects that can improve and complete a risk
model.

Question 43
Which of the following is a valid and meaningful relationship in risk management?
a) Risk culture = Risk profile = Risk maturity
b) Residual risk = Tolerable risk = Risk appetite
c) Risk attitude = Risk discovery = Risk avoidance
d) Risk profile = Risk registers = Risk acceptance
Residual risk can be less than or equal to the tolerable risk or risk appetite but cannot be
greater than them.
Question 44
The chairperson of the board of directors of a publicly held corporation should be
most concerned about which of the following?
a) Shadow suppliers
b) Shadow contractors
c) Shadow vendors
d) Shadow directors
A shadow director is an outsider who does not sit on the board but exerts considerable
influence over the board's outcomes, such as strategies, plans, policies, programs,
procedures, and practices. Shadow directors work in the background and behind the scenes.
Examples of shadow directors include lobbyists, activists, consultants, investors, creditors,
friends, and family members. This is a major concern.

Question 45
What is the major concern about interlocking directors?
a) Conflicts of interest
b) Lack of experience
c) Lack of knowledge
d) Overcommitment of time
Interlocking directors work as executives or on the boards of several companies. There
is room for conflicts of interest when dealing with conflicting objectives and goals
between companies and their directors. For example, they can leak a company's sensitive
information to other companies. It is like one employee trying to please too many bosses.

Question 46
What is the real reason for the shortage of board of directors in the United States?
a) Not too many retired directors are available.
b) Not too many retired executives are available.
c) Not too many qualified directors are available.
d) Not too many directors are willing to face legal liabilities.
Boards of directors in the United States have a major challenge in dealing with complex
laws, rules, and regulations dealing with governance issues and addressing stakeholder
issues. Because the corporate landscape is big and complex, boards of directors are afraid
of possible legal liabilities and potential lawsuits against them, which is the real reason for
the shortage of directors.

Question 47
The highest standards of independence apply to which of the following committee
members?
a) Compensation committee
b) Audit committee
c) Nominating committee
d) Governance committee
A board's standards require that fully independent directors serve on the audit,
compensation, nominating, and governance committees. Moreover, the highest standards
of independence specifically apply to the audit committee due to its work dealing with
financial statements and internal controls. This means that the audit committee should
consist of all independent directors.

Question 48
U.S. corporate directors are most concerned about which of the following?
a) Personal reputation risk
b) Corporate reputation risk
c) Product reputation risk
d) Service reputation risk
Due to intense legal and ethical environments that exist in U.S. corporations, board
members are most concerned about their own personal reputation risk associated with
lawsuits and misconduct allegations.

Question 49
Items below represent both assets and liabilities of a company. Which of the following
poses the highest risk to the company if it is a liability?
a) Culture
b) Board of directors
c) Policies
d) Procedures
Because the board of directors is at the highest level of a corporation due to its
oversight, fiduciary, and stewardship roles, all stakeholders expect board members to be
the greatest asset of the corporation. The risk is highest if the board is a liability, as it affects
the entire functioning of the corporation.

Question 50
Which of the following should be the long-term strategy for enterprise risk management
(ERM) at the board level?
a) Integrating risk and incentives
b) Integrating risk and remuneration
c) Integrating risk and job promotion
d) Integrating risk and resilience
Resilience is the ability to anticipate and respond to changes. This is shown as: Risks →
Change → Strategy. As the scope and nature of risks change, so does the strategy. Risk
agility is the resilience to manage risks.

Question 51
A risk area that is untapped that can uncover hidden value or risk is called:
a) Green space.
b) Blue space.
c) White space.
d) Red space.
When a new risk area surfaces that is undiscovered, unfounded, unidentified, or unearthed,
it is called white space. However, the new risk area can turn out to be either a value provider
or risk prone.

Question 52
A risk policy gap can occur when an organization's risk policy does not properly align with
which of the following?
a) Risk appetite
b) Risk culture
c) Risk identification
d) Risk prioritization
Risk policy is derived from risk strategy, which focuses on risk appetite.

Question 53
Traditional risk management efforts were focused most on handling which of the
following?
a) Interconnected risks
b) Interrelated risks
c) Siloed risks
d) Cross-functional risks
Traditional risk management efforts were narrowly focused on well-defined independent
business areas and treated each department or function inside its own boundaries.
Consequently, it treated siloed risks, meaning risks in one department or function only.
These risks present a narrow and limited view of risks.

Question 54
The best view of a corporation's risk is that it is a:
a) Strategic constraint.
b) Strategic opportunity.
c) Strategic uncertainty.
d) Strategic roadblock.
If a corporation's senior management and board look at the risks facing the corporation in
terms of new avenues to explore and new business opportunities to seek, then they can add
value to shareholders and stockholders. Here, risks are turned into opportunities, which
reflects a positive outlook.

Question 55
Which of the following is not applicable to newly appointed members of the board of directors?
a) Orientation
b) Onboarding
c) Job previews
d) Induction
Job previews are given to regular employees when they are hired, not to the board
members. Job previews explain a company's policies, procedures, products, services, and
benefits to new employees.

Question 56
The best way to define an organization's culture is through its:
a) Personality.
b) Standards.
c) Procedures.
d) Practices.
Culture is a unique and major component of every organization's personality, image, and
reputation as seen by outsiders. In other words, culture is personality.
Question 57
An organization's culture can be logically compared with which of the following
chemistry-related terms?
a) Oxygen
b) Carbon monoxide
c) Carbon dioxide
d) Sulfur dioxide
Culture is like oxygen, which people (employees such as managers and nonmanagers) and
organizations need to function or survive. Oxygen or culture is invisible, powerful, and
silent. Culture is taken for granted until it becomes a problem to solve or an issue to deal
with. Culture lives in people like oxygen lives in people.

Question 58
A corporation's new or updated business strategy can be made more effective before it is
released internally when it is:
a) Time-tested.
b) Trust-tested.
c) Truth-tested.
d) Stress-tested.
A corporation's business strategy, whether it is a new or updated strategy, must be
stress-tested before it is released internally to make it more effective. Stress testing means: (1)
playing out several scenarios and situations; (2) testing several parameters and
assumptions; and (3) pushing boundary limits to determine their effect on expected
outcomes. Stress testing is better than desk checking, which is a superficial reading given
to the strategy document with no boundaries tested, thus giving a false sense of success.

Question 59
The outputs of which one of the following items can be fed into the other three items in a
useful way?
a) Operational engagement
b) Compliance engagement
c) Consulting engagement
d) Financial engagement
Consulting engagements are advisory in nature and provide great insights to clients.
Because of their broad scope of work, consulting auditors can share their work observations
and results with other auditors, such as assurance auditors, compliance auditors, financial
auditors, performance auditors, IT auditors, and the like. This is in line with
IIA Standard 2130, Control.

Question 60
According to the IIA's Standard 2120, Risk Management, which of the following creates
the greatest risk to an internal audit function?
a) Control risks
b) Audit risks
c) Detection risks
d) Sampling risks
According to the IIA's Standard 2120, Risk Management, risks to an internal audit
department or function can fall into three broad categories—audit failures, false assurances,
and reputation risks—all of which deal with audit risks.

Question 61
Shareholders and investors prefer to see a corporation's environmental, social, and
governance performance information presented in which of the following documents?
a) Compensation discussion and analysis
b) Management's discussion and analysis
c) Internal auditors’ discussion and analysis
d) External auditors’ discussion and analysis
Shareholders and investors of a corporation prefer to see a corporation's environmental,
social, and governance performance information presented in the management's discussion
and analysis document.

Question 62
An organization's risk assessment process does not include which of the following?
a) Risk identification
b) Risk monitoring
c) Risk analysis
d) Risk evaluation
Risk monitoring is a major component of the total risk management process (RMP); the
risk assessment process is another major component of the RMP. Risk management = Risk
assessment + Risk mitigation + Risk financing + Risk monitoring.

Question 63
Which of the following defines the proper role of risk management function within an
organization?
a) Creating the organizational structures for risk management
b) Providing assurance on the management of risk
c) Building a risk-aware culture
d) Promoting risk awareness within functional operations
Building a risk-aware culture within an organization is the proper role of the risk
management function, which includes the chief risk officer.

Question 64
Which of the following can do the most in building a robust risk management process and
in coordinating between the internal audit function and the risk management function?
a) Common objectives
b) Shared resources
c) Open communications
d) Diverse skill sets
A serious commitment to openly communicate can enable the common practices and better
understanding between internal auditors and risk management staff. Examples of open
communications include in-person and group meetings; traditional correspondence through
reports and memos; and electronic communications through videoconferencing, telephone,
texting, emails, and facsimiles. Open communications combined with common objectives,
shared resources, and diverse skill sets can build a robust risk management process.

Question 65
Which of the following should estimate the value-at-risk (VAR) amount?
a) Internal audit management
b) Risk management
c) Senior management
d) Functional management
Risk management should estimate the VAR, which is an estimate of the maximum amount
of loss that can occur in a given time period (e.g., one year) and at a given confidence level
(e.g., 95%). It is the sole responsibility of risk management and no other.
Question 66
Management controls are:
a) Fully open systems.
b) Partially open systems.
c) Fully closed systems.
d) Partially closed systems.
Management controls are a part of fully closed control systems because management
always wants feedback on their plans and actions.

Question 67
Which of the following is the major concern of the board of directors of a publicly held
corporation in the United States?
a) Lack of onboarding program for new directors
b) Lack of skilled and competent directors
c) Lack of good corporate reputation
d) Presence of interlocking directors
Lack of good corporate reputation should be the major concern to the directors because
their own reputation depends on the reputation of the corporation they represent. A bad
reputation cannot be fixed or managed that easily.

Question 68
Piercing the corporate veil is based on which of the following?
a) Bedrock doctrine
b) Deep rock doctrine
c) Brick rock doctrine
d) Stone rock doctrine
The deep rock doctrine means that a corporation and its shareholders have deep pockets of
money to pay for lawsuits against the corporation and losses to corporate victims.

Question 69
Value at risk (VAR) needs which of the following?
a) Risk capital
b) Risk capacity
c) Risk culture
d) Risk criteria
The amount of VAR is the amount of risk capital (i.e., capital at risk) needed to withstand
a particular loss.

Question 70
The chief risk officer of an organization should use which of the following methods to
evaluate the adequacy of the value-at-risk (VAR) amount?
a) Pilot testing
b) White-box testing
c) Back-testing
d) Black-box testing
Back-testing is comparing the actual VAR amount with the estimated or forecasted VAR
amount and determining the reasons and root causes for the differences.

Question 71
Which of the following is a forbidden activity for the internal audit function to undertake
in an enterprise risk management (ERM) program?
a) Setting the risk appetite
b) Facilitating the identification of risks
c) Facilitating the evaluation of risks
d) Giving assurance on the risk management process
Setting the risk appetite is the responsibility of the board of directors, senior management,
and the chief risk officer. It is a forbidden activity for the internal audit function.

Question 72
Which of the following is a forbidden activity for the internal audit function to undertake
in an enterprise risk management (ERM) program?
a) Coordinating the ERM activities
b) Accountability for the risk management program
c) Championing the establishment of the ERM program
d) Evaluating the risk management process
Taking accountability for the risk management program is the responsibility of the board
of directors, senior management, and the chief risk officer. It is a forbidden activity for the
internal audit function.

Question 73
The biggest limitation of internal control in any organization is:
a) Policies.
b) Procedures.
c) People.
d) Processes.
People are the biggest limitation of internal control in any organization because they are
the weakest link in the work chain, due to their common, built-in human weaknesses (e.g.,
lack of motivation, bad attitude, selfishness, greed, and jealousy).
Question 74
Risk appetite is closely linked with which of the following?
a) Risk avoidance
b) Risk elimination
c) Risk tolerance
d) Risk transfer
The risk appetite of an organization is the total amount or level of risk that it is willing to
accept. Risk tolerance is the maximum amount or rate of risk that an organization is willing
to accept before changing its mind. The level of risk and the amount of risk that is accepted
are closely linked.

Question 75
When risks in aggregate are less than the risks in disaggregation, it is called:
a) Risk isolation.
b) Risk unification.
c) Risk diversification.
d) Risk segregation.
This question deals with whole versus parts. Risk diversification is the extent to which the
combined impact of risks inherent to assets and liabilities is less than the sum of the impacts
of each risk considered in isolation. Risk diversification is an example of a derisking
approach.

Question 76
Which of the following is the major problem facing an organization's risk assessment
exercise?
a) Risk discovery
b) Risk appetite
c) Risk culture
d) Risk tolerance
Risk discovery is the ability to uncover or unearth all the potential risks lingering in the
risk universe. This is because what is unknown now can hurt later. Risk discovery is a
challenging process.

Question 77
A major focus of a risk committee is on which of the following?
a) Risk culture and risk profiles
b) Risk maturity and risk sensitivity
c) Risk attitudes and risk behaviors
d) Risk appetite and risk tolerance
The risk appetite of an organization is the total amount or level of risk that it is willing to
accept. Risk tolerance is the maximum amount or rate of risk that an organization is willing
to accept before changing its mind. The major focus of the risk committee must be the level
of risk and the amount of risk.

Question 78
Which of the following items should be eliminated first?
a) Vulnerabilities
b) Threats
c) Risks
d) Controls
Vulnerabilities → Threats → Risks → Controls

Question 79
Members of the board of directors of a corporation are not legally bound by which of the
following to perform their job duties?
a) Due process
b) Duty of care
c) Duty of loyalty
d) Duty of obedience
Due process means following rules and principles so that an individual is always treated
fairly and uniformly, with basic rights protected. Due process mainly applies to
governmental policy. As such, members of the board of directors are not bound by due
process to perform their daily job duties.

Question 80
Which of the following can insulate the board of directors of a corporation from liability
for the breach of duty of care?
a) The Golden Rule
b) The business judgment rule
c) The behavioral rule
d) The common business rule
The business judgment rule is a legal presumption that the directors and officers of a
corporation have exercised due care by acting on an informed basis, in good faith, and in
the honest belief that their actions are in the best interests of the corporation. Unless a
plaintiff can give persuasive evidence against at least one of the criteria, corporate directors
and officers are insulated from liability for breach of the duty of care. However, this rule
allows a reasonable doubt to occur in the minds of managers and executives when taking a
specific action or decision. The doubt is whether a decision is right or wrong.

Question 81
Which of the following is unrelated to risk appetite?
a) Risk registers
b) Risk taking
c) Risk culture
d) Risk tolerance
Risk registers are risk logs and provide a centralized record of all types of current risks
within an organization. Hence, risk registers are not related to risk appetite because risk
registers do not deal with risk taking.

Question 82
In a risk governance framework, risk appetite is positioned at which level of the
framework's hierarchy?
a) Top
b) Middle
c) Bottom
d) Very bottom
Risk appetite is positioned at the middle level of the framework. A risk governance
framework is part of a corporate governance framework through which the board and
senior management establish and make risk-based decisions.

Question 83
Regarding risk management, key risk indicators show the relationship between which of
the following?
a) Relative risk and absolute risk
b) Risk and volatility
c) Standard risk and substandard risk
d) Impaired risk and unimpaired risk
Risk and volatility are the key risk indicators because volatility in business increases risk,
thus showing a solid relationship.

Question 84
Which of the following deals with the risk-return concept?
a) Portfolio risk
b) Pure risk
c) Speculative risk
d) Static risk
The risk-return concept states that high-risk investments should receive high returns for
holding on to the high-risk investment and vice versa. A portfolio risk considers a firm's
risk and return when the firm is investing in acquisition or expansion projects. For example,
the firm can compare the net present value between new projects and existing projects.

Question 85
Which one of the following items leads to the other three items?
a) Best practices
b) Leading practices
c) Legacy practices
d) Promising practices
Legacy practices are the old, inefficient, and ineffective procedures and processes found
across most or all departments or functions of an organization due to their age. A report
should be developed to capture legacy practices in order to communicate and share their
unsuccessful stories (mission failures) and unpleasant experiences (lessons learned) with
other departments and functions for a possible avoidance of the same problems and moving
to promising practices, leading practices, or even best practices.
Legacy practices → Promising practices → Leading practices → Best practices

Question 86
When lower-level management's actions are carried out without a proper authorization
from higher-level management, it is called:
a) De jure.
b) Ultra vires.
c) De facto.
d) Intra vires.
Actions taken without a proper authorization are called ultra vires (i.e., beyond the power).
These actions can be construed by law as invalid actions.

Question 87
Value at risk (VAR) is directly related to which of the following?
a) Risk appetite
b) Risk profile
c) Risk register
d) Risk discovery
Risk appetite is directly related to VAR, meaning that the higher the risk appetite level, the
larger the amount of VAR, implying more value is at risk.

Question 88
Which of the following is not directly related to risk appetite?
a) Risk matrix
b) Risk attitude
c) Risk culture
d) Risk-return trade-off
A risk matrix is a tool for ranking and displaying risks with their maximum and minimum
values. It has nothing to do with the risk appetite.

Question 89
The U.S. Securities and Exchange Commission (SEC) and the U.S. Sarbanes-Oxley Act
(SOX) did not recommend which of the following to become the financial expert
representing the audit committee of a publicly held corporation?
a) Internal auditor
b) External auditor
c) Principal financial officer
d) Principal accounting officer
Both the SEC and SOX do not recommend that the internal auditor be the financial expert
sitting on the audit committee.

Question 90
According to the U.S. Securities and Exchange Commission (SEC) and the U.S. Sarbanes-
Oxley Act (SOX), what is the proper term for when a chief executive officer (CEO) and
chief financial officer (CFO) need to give up their bonuses and incentives based on
financial results that later had to be restated or proved to be fraudulent?
a) Pushback provision
b) Claw back provision
c) Pullback provision
d) Rollback provision
The claw back provision requires that the CEO and CFO of a corporation give up bonuses
and incentives received based on financial results of their company that later had to be
restated or were found to be fraudulent. There is a bad intent on the part of the company
management.

Question 91
According to the U.S. Securities and Exchange Commission (SEC) and the U.S. Sarbanes-
Oxley Act (SOX), what is the term used when a company misrepresents the dates on which
stock options were granted to executives and employees?
a) End-of-year dating
b) Backdating
c) End-of-month dating
d) End-of-quarter dating
Backdating is a management fraud, resulting in an artificially low exercise price for stock
options granted to executives and employees that could lead to financial restatements.
Backdating represents a bad intent of unnecessarily favoring executives and employees in
reducing their tax burden by manipulating the stock options issue date. Both the SEC and
SOX enforcers have ended the backdating of stock options.

Question 92
Internal controls are:
a) Open systems.
b) Closed systems.
c) Stand-alone systems.
d) Ad hoc systems.
Closed systems are much stronger than open systems because closed systems have a
feedback mechanism. In a feedback mechanism, actual outputs are fed back to the input
end for comparison with the desired output. Hence, internal controls are closed systems.

Question 93
Regarding compliance management, compliance costs are not:
a) Data collection costs.
b) Data analysis costs.
c) Data reporting costs.
d) Data evidence costs.
Data evidence costs are noncompliance costs, meaning organizations show the data to
regulatory authorities as a proof of evidence when regulators criticize the organizations for
noncompliance with laws, rules, and regulations.

Question 94
Regarding corporate social responsibility, which of the following should be the ultimate
goal of corporations?
a) Social goal
b) Environmental goal
c) Sustainability goal
d) Philanthropic goal
A sustainability goal refers to a corporation's strategies that allow it to thrive and sustain
for a long time in business after considering economic, environmental, social, and
governance requirements. Sustainability responsibility goes much beyond the normal
corporate social responsibility consisting of legal, ethical, economic, and philanthropic
requirements. The sustainability goal is the ultimate goal.

Question 95
Regarding risk management, derisking does not mean:
a) Risk elimination.
b) Risk mitigation.
c) Risk management.
d) Risk-return balancing.
Derisking means risk lessening, not risk elimination, because risks cannot be eliminated
completely. There will always be some residual risks or leftover risks in life and business.

Question 96
Control self-assessments are done better when they are:
a) Auditor controlled.
b) Auditor facilitated.
c) Auditor planned.
d) Auditor designed.
Internal auditors simply act as facilitators in the control self-assessment exercises. They
wear a different hat from the regular auditors. This is done to ensure auditor independence
and objectivity.

Question 97
Regarding liability insurance of corporate directors and officers (D&Os), which of the
following is the major concern to directors and officers?
a) Accepted coverage
b) Minimum coverage
c) Reasonable insurance
d) Under-coverage
Being under-covered is the major concern because directors and officers are operating
under the heavy scrutiny of regulatory and legal environment. Hence, they are exposed to
lawsuits against them and against the corporation. They need more coverage to protect
themselves personally and financially.

Question 98
You are an owner and chief executive of a business entity with a small workforce and
centralized operations without established formal lines of responsibility and detailed
operating policies. Given this scenario, what can you conclude about your entity's control
environment?
a) Small entities can be poorly controlled.
b) Small entities can have funding problems.
c) Small entities can have an appropriate control environment.
d) Small entities can have ineffective boards of directors.
Owner-managed entities can have appropriate control environments because of the owners’
vested interest in the business. An informally managed company may control operations
largely by face-to-face contact with key managers. In contrast, a more formally managed
company may rely more on written policies, performance indicators, and exception reports.
Both approaches are good.

Question 99
A strong control environment in an organization is related to which of the following items?

I. Autocratic management style
II. Empowered management style
III. Formal structure
IV. Informal structure

a) I and II
b) I and III
c) II and III
d) II and IV
Items I and III are related to strong controls; items II and IV are related to weak controls.
If management style is autocratic and the level of formality is highly structured, a strong
control environment can be expected. Similarly, if management style is empowered and
the level of formality is loose or informal, a weak control environment can be expected.

Question 100
Which of the following factors influence the control environment and tone at the top of an
entity?

I. An entity's history and culture
II. An entity's board of directors
III. An entity's internal and external auditors
IV. An entity's audit committee

a) I and II
b) III and IV
c) II, III, and IV
d) I, II, III, and IV
An entity's history and culture influence the control environment. This, in turn, influences
the control consciousness of its people. Effectively controlled entities strive to have
competent people, instill an enterprise-wide attitude of integrity and control consciousness,
and set a positive tone at the top. They establish appropriate policies and procedures, often
including a written code of conduct, which foster shared values and teamwork in pursuit
of the entity's objectives. In addition, an entity's board of directors, internal and external
auditors, and audit committee members significantly influence the tone at the top.

Question 101
A better way of determining whether the board of directors or audit committee members
are independent of management is which of the following?
a) Experience and stature of directors and members
b) Interaction of audit committee members with internal and external auditors
c) Directors and members putting difficult and probing questions to management
d) Sufficiency and timeliness of information provided by management to directors and
members for monitoring
Even though all four choices indicate independence of directors and audit committee
members from management to some extent, the real indication is their ability to ask
difficult and probing questions of management (i.e., a hard factor). This is in contrast to
asking easy and superficial questions and rubber-stamping everything management says
and does (i.e., a soft factor).
Indicative factors include the board or audit committee's independence from management,
experience and stature of its members, extent of its involvement and scrutiny of activities,
and appropriateness of its actions. Another factor is the degree to which difficult questions
are raised and pursued with management regarding plans or performance levels. Interaction
of the board or audit committee with internal and external auditors is another factor
affecting the control environment.

Question 102
A control weakness is said to exist when the audit committee of the board consists of which
of the following?

I. The current CEO of a company
II. A retired CEO of the same company
III. The current CFO of the same company
IV. A major stockholder of the same company

a) I and III
b) I, II, and III
c) I, III, and IV
d) I, II, III, and IV
The audit committee of the board should be independent of management. It is a control
weakness when the audit committee of the board consists of the CEO, the chief financial
officer, and a major stockholder. A retired CEO of the same company can be assumed to
be independent of the company because he or she has no stake in the company. A major
stockholder is not independent of the company because he or she has a stake in the
company.

Question 103
The chief risk officer of an organization has compiled the following data on four major
assets with their associated probability of ruin.
Assets    Probability of Ruin
Asset 1   1.00
Asset 2   0.25
Asset 3   0.75
Asset 4   0.50
The value of which of the following assets is exposed to the greatest risk?
a) Asset 1
b) Asset 2
c) Asset 3
d) Asset 4
The probability of ruin is the likelihood of liabilities exceeding assets of an organization
for a given time period. This means that an asset with the highest probability of ruin is
exposed to the greatest value at risk (VAR; i.e., the asset's value is reduced). The VAR is
equal to 100 minus the probability of ruin. For Asset 1, the VAR is 99.00 (i.e., 100 – 1.00),
which is the lowest asset value.

Question 104
Which of the following statements is not true about risk registers and risk profiles?
a) Risk profiles provide a mechanism for prioritizing risk treatment efforts.
b) Risk registers change and risk profiles do not change over a time period.
c) Risk registers show current risks and residual risks.
d) Risk ownership is derived from risk profiles.
This choice is not a true statement because both risk registers and risk profiles change over
a time period due to changes in business conditions.

Question 105
Residual risk means:
a) Risk mitigation.
b) Risk transfer.
c) Risk avoidance.
d) Risk acceptance.
Residual risk means risk acceptance or risk retention. It is a deliberate action taken by
senior or functional (operational) management to accept the remaining risk (i.e., residual
risk). Whether to accept the residual risk really depends on the potential impact of the risk
to the delivery of critical services to customers or clients.

Question 106
Which of the following can increase residual risk?

I. Risk pursuance
II. Risk acceptance
III. Risk sharing
IV. Risk transferring

a) I only
b) II only
c) I and II
d) III and IV
Risk pursuance and risk acceptance increase the residual risk. Risk pursuance seeks
increased performance. When that performance does not materialize, residual risk can
increase. By definition, risk acceptance and residual risk move in the same direction.

Question 107
Which of the following risk responses can bring new risks to an organization?
a) Avoid
b) Share
c) Transfer
d) Shift
Avoiding risks means removing the risk, which, in turn, means forgoing business
opportunities, such as entering into new markets with new products and services and
expanding facilities and operations. Risk avoidance increases lost business opportunities
in sales, revenues, and profits, thus introducing new risks to an organization.

Question 108
A production manager of a manufacturing company has submitted a funding request for a
capital investment project to purchase new machinery in the plant with associated cost
savings and increased productivity. The total cost of the new machinery including its
installation exceeds the capital budget amount and the company's risk appetite level. Which
of the following should approve the funding request for this investment project?
a) A senior manager
b) The chief executive officer
c) The board of directors
d) The chief financial officer
This capital investment project can increase overall risks to the company if the new
machinery does not work as expected. Before accepting a major risk that is outside the
company's risk appetite level, the production manager needs to obtain approval from the
board of directors and no one else.

Question 109
The severity of a risk can be reduced with which of the following?

I. Insurance policy
II. Hedging
III. Outsourcing
IV. Risk sharing

a) I only
b) I and III
c) III only
d) I, II, III, and IV
Risk severity deals with measurement of risk in terms of impact and likelihood of events
and the time it takes to recover from such events. For example, events with a high severity
rate take a longer time to recover from, and vice versa. Risk sharing means transferring
risk to others. All four choices reduce the severity of a risk.

Question 110
Which of the following represents a major risk to a corporation?
a) A management director
b) A guest director
c) A visiting director
d) A loaned director
A management director is a member of the board of directors of an organization who also
holds management responsibilities within the organization. Hence, a management director
is not an independent director because of his or her dual responsibilities as a board member
and as a management person. Therefore, a management director represents a major risk to
a corporation.

Question 111
Which of the following is an uncommon attribute of the board of directors and the internal
auditors?
a) Experience
b) Independence
c) Objectivity
d) Reputation
The experience attribute between the board of directors and the internal auditors is very
uncommon and very different due to the nature of their jobs.

Question 112
Which of the following scenarios of a publicly held corporation's board of directors creates
a minor risk?

a) A director is an interlocking director
b) A director is a majority shareholder
c) The CEO is the chairperson of the board
d) The CAE is the chairperson of the audit committee
An interlocking director is one who serves on several other company boards, thus
representing a conflict-of-interest situation. This choice poses a minor risk compared to the
other three choices.

Question 113
Which of the following is not a gatekeeper of a corporation?
a) Corporate attorneys
b) Corporate accountants
c) Corporate management
d) External auditors
Corporate management is not a gatekeeper of a corporation because gatekeepers protect
management from its own wrongdoings. Gatekeepers are, in a way, police officers who
prevent corporate management wrongdoing, such as manipulating earnings (earnings
management), financial restatements and misstatements, capitalizing expenses, deferring
or misclassifying expenses, hiding liabilities, engaging in off-balance sheet transactions,
and involvement in other types of financial fraud undertaken by corporate management to
increase the stock market price and to receive big bonuses. Gatekeepers watch management
for actions or inactions and intervene when necessary with advice to protect them.

Question 114
Which of the following scenarios can pose little or no risk to a publicly-held corporation?
a) A senior manager is over-boarding with other companies
b) A new director is onboarding with her company
c) An audit committee member is over-boarding with other companies
d) A senior director is over-boarding with other companies
Onboarding poses little or no risk to a corporation. An onboarding program for the first-
time directors and new directors is an educational and training program with the essential
information needed to understand a company and start contributing value to the company.
It is an orientation program.

Question 115
Which of the following paired items have a direct relationship with each other?
a) Sampling errors and confidence level
b) Risk appetite and value-at-risk
c) Sampling risk and reliability level
d) Audit risk and audit assurance
Risk appetite and value-at-risk have a direct relationship with each other. As the risk
appetite increases, the value-at-risk increases.

Question 116
Which of the following paired items have an inverse relationship with each other?
a) Audit reliance and audit assurance
b) Risk and return
c) Risk appetite and residual risk
d) Risk agility and risk resiliency
Risk appetite and residual risk have an inverse relationship with each other. As the risk
appetite decreases, the residual risk increases.

Question 117
Which of the following paired items have a direct relationship with each other?
a) De-risking and residual risk
b) Sample size and sampling risk
c) Probability of ruin and value of an asset
d) Time-to-contain and cost of data breach
Time-to-contain and cost of data breach have a direct relationship with each other. As the
time-to-contain a data breach increases, the cost of data breach increases.

Question 118
Which of the following paired items have an inverse relationship with each other?
a) Click fraud rate and click-to-conversion time
b) Risk universe and audit universe
c) Competence and judgment
d) Proficiency and competence
Click fraud rate and click-to-conversion time have an inverse relationship with each other.
As the click fraud rate increases, the click-to-conversion time decreases.

Question 119
Which of the following paired items have a direct relationship with each other?
a) Production volume and production costs
b) Audit risk scores and audit cycle frequency
c) Tolerable error and sample size
d) Precision limits and sample size
Production volume and production costs have a direct relationship with each other. As the
production volume increases, the associated production costs would also increase.

Question 120
What is the best way to quantify the information value that is at risk?
a) The cost of using information
b) The cost of protecting information
c) The cost of not using information
d) The cost of not protecting information
The cost of not protecting information is the best way to quantify the information value at
risk because it will indicate what the consequences would be if the information is not
protected at all. Examples of these consequences are greater vulnerability to threats and
attacks and increased damages resulting from such attacks. These damages could be
financial, physical (buildings, equipment, and inventory), non-physical (e.g., loss of
intellectual property), and human (death resulting from wrongly prescribed and dispensed
medication based on incorrect medical records).

Question 121
The charter of a newly formed internal auditing department contains the following
statement: “The organizational status of the internal auditing department will be sufficient
to permit the accomplishment of its audit responsibilities.” Select the best reporting lines
from the following relationships, which would promote the accomplishment of the
intended organizational status. Solid line to:
a) Board of directors, dotted line to vice president of finance.
b) President, dotted line to board of directors.
c) Controller, dotted line to board of directors.
d) Vice president of finance, dotted line to board of directors.
Direct reporting to the top executive and dotted-line reporting to the board is called dual
reporting (IIA Standard 1110 – Organizational Independence).

Question 122
According to the IIA Standards, the purpose of an internal auditor's review for
effectiveness of the system of internal control is to ascertain if:
a) The system is functioning as intended.
b) The system is functioning efficiently and economically.
c) The organization's goals and objectives have been achieved.
d) Financial and operating data are reliable.
IIA Standard 2130 – Control states that the purpose of reviewing the effectiveness of the
system of internal control is to ascertain whether the system is functioning as intended.

Question 123
According to the IIA Standards, the role of internal auditing in the investigation of fraud
includes all of the following except:
a) Assessing the probable level and extent of complicity in the fraud within the
organization.
b) Designing the procedures to follow in attempting to identify the perpetrators, extent of
the fraud, techniques used, and cause of the fraud.
c) Coordinating activities with management personnel, legal counsel, and other appropriate
specialists throughout the investigation.
d) Interrogating suspected perpetrators of the fraud.
Internal auditors normally are not trained in the interrogation of suspected perpetrators and
therefore should leave such activity to security or law enforcement specialists (IIA
Standard 1220 – Due Professional Care; IIA Standard 2210 – Engagement Objectives).

Question 124
According to the IIA Standards, internal auditors should review the means of physically
safeguarding assets from losses arising from:
a) Misapplication of accounting principles.
b) Procedures that are not cost justified.
c) Exposure to the elements.
d) Underutilization of physical facilities.
Internal auditors should review the means used to safeguard assets from various types of
losses, such as those resulting from theft, fire, improper or illegal activities, and exposure
to the elements (IIA Standard 2120 – Risk Management; IIA Standard 2130 – Control).

Question 125
As an internal auditor for a multinational chemical company, you have been assigned to
perform an operational audit at a local plant. This plant is similar in age, sizing, and
construction to two other company plants that have been recently cited for discharge of
hazardous wastes. In addition, you are aware that chemicals manufactured at the plant
release toxic by-products.
Identify your responsibility for detection of a hazardous waste discharge problem.
a) You have no responsibility; it is the concern of the appropriate governmental agency.
b) You are responsible for ensuring compliance with company policies and procedures.
c) Operational audits do not require a determination of compliance with laws and
regulations.
d) You are required by the Standards to determine compliance with laws and regulations.
Determination of compliance is required by IIA Standard 2120 – Risk Management and IIA
Standard 2130 – Control.

Question 126
Adequate internal controls are most likely to be present if:
a) Management has planned and organized in a manner that provides reasonable assurance
that the organization's objectives will be achieved efficiently and effectively.
b) Management has exercised due professional care in the design of operating and
functional systems.
c) Operating and functional systems are designed, installed, and implemented in
compliance with law.
d) Management has designed, installed, and implemented efficient operating and
functional systems.
The purpose of the review for adequacy of the system of internal control is to ascertain
whether the system established provides reasonable assurance that the organization's
objectives and goals will be achieved efficiently and effectively (IIA Standard 2130 –
Control).

Question 127
A company's management accountants prepared a set of reports for top management. These
reports detail the funds expended and the expenses incurred by each department for the
current reporting period. The function of internal auditing would be to:
a) Ensure against any and all noncompliance of reporting procedures.
b) Review the expenditure items and match each item with the expenses incurred.
c) Determine if there are any employees expending funds without authorization.
d) Identify inadequate controls that increase the likelihood of unauthorized expenditures.
Internal auditors are responsible for identifying inadequate controls, for appraising
managerial effectiveness, and for pinpointing common risks (IIA Standard 2130 –
Control).

Question 128
During the year-end physical inventory process, the auditor observed over $1.2 million
worth of items staged in the shipping area and marked "Sold—Do Not Inventory." The
customer had been on credit hold for three months because of bankruptcy proceedings, but
the sales manager had ordered the shipping supervisor to treat the inventory as sold for
physical inventory purposes. The auditor noted the terms of sale were "FOB Warehouse."
After confirming no change in corporate policy, the auditor should:
a) Recommend that the inventory staged in the shipping area be counted and included
along with the rest of the physical inventory results.
b) Make test counts and trace the results to appropriate records to ensure that the cost is
properly relieved from inventory.
c) Follow up with appropriate procedures to ensure that the inventory staged in the
shipping area appears on related invoicing documentation.
d) Request copies of the signed bills of lading to include with working papers for this
physical inventory.
Given these circumstances, excluding the inventory from the physical count would inflate
revenues and profitability for the current period. The physical inventory process is a
periodic control to ensure that sales-related controls are effective (IIA Standard 2120 – Risk
Management; IIA Standard 2130 – Control).

Question 129
All of the following provide effective relationships in the organization's governance
framework except:
a) Organizational processes.
b) Governance.
c) Risk management.
d) Internal controls.
Governance does not exist as a set of distinct and separate organizational processes and
structures. Rather, there are effective relationships among governance, risk management,
and internal controls (IIA Standard 2110 – Governance).

Question 130
Which of the following internal audit assessments belong to specific governance
processes?
a) Whistleblower process.
b) Risk management audit process.
c) Internal control over financial reporting.
d) Fraud risks.
Internal audit assessments regarding governance processes are likely to be based on
information obtained from numerous audit assignments over time. The internal auditor
should consider (1) the results of audits of specific governance processes (e.g., the
whistleblower process, the strategy management process) and (2) governance issues arising
from audits that are not specifically focused on governance (e.g., audits of the risk
management process, internal control over financial reporting, and fraud risks)
(IIA Standard 2110 – Governance).

Question 131
Internal auditors' failure to do the right audits, failure to test the real risks, and failure to
use the right controls can lead to which of the following?
a) Business risk.
b) Audit failures.
c) Audit false assurance.
d) Audit reputation risk.
Every organization will experience control breakdowns, some resulting in audit failures.
The internal audit activity could be a contributing factor due to (1) lack of an effective risk
assessment process to identify key audit areas during the strategic risk assessment as well
as areas of high risk during the planning of individual audits—as a result, failure to do the
right audits and/or time wasted on the wrong audits and (2) failure to design effective
internal audit procedures to test the “real” risks and the right controls (IIA Standard 2120
– Risk Management).

Question 132
Ensuring internal audit teams have the right competencies with the right level of work
experience and designing effective internal audit procedures can reduce the risk of which
of the following?
a) Business risk.
b) Audit failures.
c) Audit false assurance.
d) Audit reputation risk.
Audit failures result due to (1) failure to evaluate both the design adequacy and the control
effectiveness as part of internal audit procedures and (2) use of audit teams that do not have
the appropriate level of competence based on experience or knowledge of high-risk areas
(IIA Standard 2120 – Risk Management).
Question 133
If internal auditors are used as “loaned resources” to a business unit, this could lead to
which of the following?
a) Business risk.
b) Audit failures.
c) Audit false assurance.
d) Audit reputation risk.
Using internal auditors as “loaned” resources may create false assurance. If internal
auditors are used to augment the staffing of a project or initiative, document their role and
scope of their involvement as well as future objectivity and independence issues
(IIA Standard 2120 – Risk Management).

Question 134
Reinforcing the code of conduct and ethical behavior standards for all internal auditors can
protect which of the following?
a) Business risk.
b) Audit failures.
c) Audit false assurance.
d) Audit reputation risk.
A leading practice to protect the reputation of internal audit's “brand” name is to reinforce
the code of conduct and ethical behavior standards for all internal auditors (IIA Standard
2120 – Risk Management).

Question 135
Clearly communicating the scope inclusions and exclusions in the audit risk assessment,
internal audit plan, and audit engagement can mitigate the risk of which of the following?
a) Business risk.
b) Audit failures.
c) Audit false assurance.
d) Audit reputation risk.
Frequent and clear communication is a key strategy to manage false assurance. Some
leading practices include (1) proactively communicating the role and the mandate of the
internal audit activity to the audit committee, senior management, and other key
stakeholders; (2) clearly communicating what is covered in the risk assessment, internal
audit plan and internal audit engagement; and (3) explicitly communicating what is not in
the scope of the risk assessment and internal audit plan (IIA Standard 2120 – Risk
Management).

Question 136
Requiring a “project acceptance” process to be in place when internal auditors are involved
in a business unit's project can mitigate the risk of which of the following?
a) Business risk.
b) Audit failures.
c) Audit false assurance.
d) Audit reputation risk.
A project acceptance process can mitigate the risk of false assurance. Require a “project
acceptance” process to assess the level of risk related to each project and internal audit's
role in the project. The assessment may consider: scope of the project, role of the internal
audit activity, reporting expectations, competencies required, and independence of internal
auditors (IIA Standard 2120 – Risk Management).

Question 137
When an organization is involved in a string of financial restatements and regulatory
investigations, this would negatively impact which of the following?
a) Business risk.
b) Audit failures.
c) Audit false assurance.
d) Audit reputation risk.
A string of significant financial restatements and regulatory investigations would
negatively impact the reputation of the internal audit activity. The audit committee and the
board might ask if the internal audit activity has the right talent and quality assurance and
improvement program to support the organization (IIA Standard 2120 – Risk
Management).

Question 138
An internal auditor is auditing the financial operations of an organization. Which of the
following is not specified by the IIA Standards for inclusion in the scope of the audit?
a) Reviewing the reliability and integrity of financial and operational
information.
b) Reviewing the compliance with laws, regulations, policies, procedures,
and contracts.
c) Appraising the effectiveness and efficiency of operations and
programs.
d) Reviewing the financial decision-making process.
This element of the audit is not included in IIA Standard 2130 – Control.

Question 139
Risk is measured in terms of which of the following?
a) Costs and prices.
b) Costs and benefits.
c) Impact and likelihood.
d) Profit and loss.
Risk is the possibility of an event occurring that will have an impact on the achievement
of objectives. Risk is measured in terms of impact and likelihood (IIA Standard 2120—
Risk Management).

Question 140
In publicly held companies, management often requires the internal auditing department's
involvement with quarterly financial statements that are made public and/or used
internally. Which one of the following is generally not a reason for such involvement?
a) Management may be concerned about its reputation in the financial
markets.
b) Management may be concerned about potential penalties that could
occur if quarterly financial statements that are made public are
misstated.
c) The Standards state that internal auditors should be involved with
reviewing quarterly financial statements.
d) Management may perceive that having quarterly financial information
examined by the internal auditors enhances its value for internal
decision making.
This choice does not exist in IIA Standard 2100 – Nature of Work.

Question 141
During a purchasing audit, the internal auditor finds that the largest blanket purchase order
is for tires, which are expensed as vehicle maintenance items. The fleet manager
requisitions tires against the blanket order for the company's 400-vehicle service fleet based
on a visual inspection of the cars and trucks in the parking lot each week. Sometimes the
fleet manager picks up the tires but always signs the receiving report for payment. Vehicle
service data are entered into a maintenance database by the mechanic after the tires are
installed. Which would be the best course of action for the auditor in these circumstances?
a) Determine whether the number of tires purchased can be reconciled to
maintenance records.
b) Count the number of tires on hand and trace them to the related
receiving reports.
c) Select a judgmental sample of requisitions and verify that the fleet
manager signs each one.
d) Compare the number of tires purchased under the blanket purchase
order with the number of tires purchased in the prior year for
reasonableness.
Based on the control weakness and the potential for fraud, the auditor should look for other
indicators of fraud or verify that no fraud has occurred (IIA Standard 2130 – Control).
Question 142
Which of the following management control systems measures performance in terms of
operating profits minus the cost of capital invested in tangible assets?
a) Open-book management system.
b) Economic value-added system.
c) Activity-based costing system.
d) Market value-added system.
The economic value-added system is a new system to measure corporate performance in
terms of operating profits minus the cost of capital invested in tangible assets (IIA Standard
2130—Control).

Question 143
Control has been described as a closed system consisting of six elements. Identify one of
the six elements.
a) Setting performance standards.
b) Adequately securing data files.
c) Approval of audit charter.
d) Establishment of independent audit function.
Setting performance standards is one of the six elements (IIA Standard 2130—Control).

Question 144
An organization’s policies and procedures are part of its overall system of internal controls.
The control function performed by policies and procedures is:
a) Feed-forward control.
b) Implementation control.
c) Feedback control.
d) Application control.
Policies and procedures provide guidance on how an activity should be performed to best
ensure that an objective is achieved (i.e., feed-forward). (IIA Standard 2130—Control.)

Question 145
The comment card filled out by a customer in a restaurant is a control device used by
management to improve the level of service and the quality of food. Controls of this type
are classified as:
a) Feed-forward controls.
b) Steering controls.
c) Concurrent controls.
d) Feedback controls.
Controls that evaluate the final product or output are feedback controls (IIA Standard
2130—Control).

Question 146
The three basic components of all organizational control systems are:
a) Objectives, standards, and an evaluation-reward system.
b) Plans, budgets, and organizational policies and procedures.
c) Statistical reports, audits, and financial controls.
d) Inputs, objectives, and an appraisal system.
These are the three basic components of a control system (IIA Standard 2130—Control).

Question 147
The internal auditing function of an organization is an integral part of the organization’s
overall system of internal control. Select the type of control provided when an auditing
function conducts a systems development review.
a) Feedback control.
b) Strategic plans.
c) Policies and procedures.
d) Feed-forward control.
A feed-forward control provides information on potential problems so that corrective
action can be taken in anticipation of rather than as a result of a problem (IIA Standard
2130—Control).

Question 148
The internal auditing function of an organization is an integral part of the organization’s
overall system of internal control. Select the type of control emphasized by an operational
audit.
a) Feedback control.
b) Strategic plans.
c) Policies and procedures.
d) Feed-forward control.
A feed-forward control provides information on potential problems so that corrective
action can be taken in anticipation of rather than as a result of a problem (IIA Standard
2130—Control).

Question 149
Internal auditors can evaluate the management function of controlling by determining if:
a) The grouping of activities in a department meets departmental
objectives.
b) Management is provided with prompt feedback on performance
variances.
c) Employee turnover rates are analyzed for trends and investigations are
made for adverse trends.
d) Anticipated problems are discussed, identified, and evaluated with
possible solutions provided.
Verifying that the prompt feedback on variances is provided to management is one way
internal auditors facilitate the management function of controlling (IIA Standard 2130—
Control).
Question 150
When planning the controls review of the end user computing (EUC) application, the
internal auditor chose to include the general control environment in the scope. Which one
of the following statements regarding general controls is the auditor most likely to find
true?
a) The effectiveness of the general controls is influenced by the
application controls.
b) Identifying the person or function responsible for the general controls
may be easier here than in a traditional mainframe environment.
c) The need for specific general controls is relatively constant across EUC
environments.
d) General controls must be in place before application controls can be
relied on.
The relationship between the application controls and the general controls is such that
general controls are needed to support the functioning of application controls, and both are
needed to ensure complete and accurate information processing (IIA Standard 2130—
Control).

Question 151
A payroll clerk with authorized access to the local area network (LAN) was able to directly
update personnel files independent of the application programs. The best control to prevent
a clerk from doing this would be to:
a) Restrict access to LAN workstations by such means as automatic
lockup after a predefined period of keyboard inactivity.
b) Restrict access to and monitor installation of software products or tools
having powerful update capabilities.
c) Use password security to authenticate users as they attempt to log on
to the LAN.
d) Establish a security policy for the department that prohibits direct
updating of data files.
Sophisticated software packages may inadvertently threaten data security by allowing users
to bypass existing system level security (IIA Standard 2130—Control).

Question 152
The auditor used the reporting capabilities of a fourth-generation language (4GL) to analyze the
data files for unusual activity such as excessive overtime hours, unusual fluctuations in pay
rates, or excessive vacation time. The application controls being verified by this analysis
are:
a) Edit and validation controls.
b) Rejected and suspense item controls.
c) Controls over update access to the database.
d) Programmed balancing controls.
Edit or validation routines should be present in the application to reject or flag these
unusual items (IIA Standard 2130—Control).

Question 153
A comprehensive management control system that considers both financial and
nonfinancial measures relating to a company’s critical success factors is called a(n):
a) Balanced scorecard system.
b) Economic value-added system.
c) Activity-based costing system.
d) Market value-added system.
The balanced scorecard system is a comprehensive management control system that
balances the traditional accounting (financial) measures with the operational (nonfinancial)
measures (IIA Standard 2130—Control).

Question 154
Which of the following input controls or edit checks would catch certain types of errors
within the payment amount field of a transaction?
a) Record count.
b) Echo check.
c) Check digit.
d) Limit check.
A limit test is a test of whether a field amount fits within a predetermined upper and/or
lower limit. It can catch only certain errors (i.e., those that exceed the acceptable range).
(IIA Standard 2130—Control.)

Question 155
When assessing application controls, which one of the following input controls or edit
checks is most likely to be used to detect a data input error in the customer account number
field?
a) Limit check.
b) Validity check.
c) Control total.
d) Hash total.
A validity test can compare the value of a customer account number field with a master file
containing valid customer accounts (IIA Standard 2130—Control).

Question 156
An internal auditor is reviewing the adequacy of existing policies and procedures
concerning end user computing activities. The auditor is testing:
a) An application control.
b) An organizational control.
c) An environmental control.
d) A system control.
Policies and procedures are part of the administration of end user computing, which is
defined at an organizational level (IIA Standard 2130—Control).

Question 157
To ensure the completeness of a file update, the user department retains copies of all
unnumbered documents submitted for processing and checks these off individually against
a report of transactions processed. This is an example of the use of:
a) Established batch totals.
b) One-for-one checking.
c) Computer sequence checks.
d) Computer matching.
One-for-one checking is as described (IIA Standard 2130—Control).

Question 158
Rejection of unauthorized modifications to application systems could be accomplished
through the use of:
a) Programmed checks.
b) Batch controls.
c) Implementation controls.
d) One-for-one checking.
Implementation controls are designed to ensure that only authorized program procedures
are introduced into the system (IIA Standard 2130—Control).

Question 159
The best control for detecting processed data totals that do not agree with input totals is:
a) Run-to-run checking.
b) Existence checking.
c) Key verification.
d) Prerecorded inputs.
During each program run in a series, the computer accumulates the totals of transactions
that have been processed and reconciles them with the totals forwarded from the previous
program run (IIA Standard 2130—Control).

Question 160
To ensure that goods received are the same as those shown on the purchase invoice, a
computerized system should:
a) Match selected fields of the purchase invoice to goods received.
b) Maintain control totals of inventory value.
c) Calculate batch totals for each input.
d) Use check digits in account numbers.
Computer matching of fields such as goods received number, product code, supplier code,
and quantity assures agreement between goods received and goods invoiced (IIA Standard
2130—Control).
Question 161
Which of the following controls would be most efficient in reducing common data input
errors?
a) Keystroke verification.
b) Set of well-designed edit checks.
c) Balancing and reconciliation.
d) Batch totals.
A combination of edit checks, resulting in exception reports, would be the most efficient
way of reducing errors (IIA Standard 2130—Control).

Question 162
To ensure that a computer file is accurately updated in total for a particular field, the best
control is:
a) Computer matching.
b) Check digit.
c) Transaction log.
d) Run-to-run totals.
Run-to-run totals are used to ensure completeness of update (IIA Standard 2130—
Control).

Question 163
To ensure that a particular data field is properly maintained, manual postings of batch totals
for that field to a control account:
a) Are of no value in file maintenance.
b) Should be compared periodically to the computer master file.
c) Stand alone as a control.
d) Should be used in combination with hash totals.
To be of benefit, manual postings of batch totals must be agreed to the master file
(IIA Standard 2130—Control).
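As an added worked example (not material from this question bank), the input controls named in Questions 154 through 163 run over a constructed batch of payment transactions: a limit check, a mod-10 (Luhn) check digit, a validity check against a customer master file, record-count/control/hash batch totals, run-to-run balancing, one-for-one checking, and the exception report the rejected items feed. The payment limit, the Luhn scheme, the master file and the four transactions are all assumptions of the example.

```python
"""Input/edit controls from the questions above, applied to a constructed batch.
Added illustration, not material from the question bank. Amounts are kept in
whole cents so that control totals balance exactly."""
from dataclasses import dataclass

PAYMENT_LIMIT_CENTS = 10_000_00   # assumed policy: one payment may not exceed 10,000.00
# Constructed customer master file. Each number ends in a mod-10 (Luhn) check
# digit; Luhn is one common check-digit scheme and an assumption of this example.
CUSTOMER_MASTER = {"79927398713", "49927398716"}


@dataclass(frozen=True)
class Txn:
    doc_no: str   # source document reference retained by the user department
    account: str  # keyed customer account number
    cents: int    # payment amount in cents


@dataclass(frozen=True)
class Totals:
    record_count: int
    control_total: int  # sum of amounts: a meaningful total
    hash_total: int     # sum of account numbers: meaningless, kept only for control


def check_digit_ok(number: str) -> bool:
    """Mod-10 (Luhn) test: catches any single mis-keyed digit and most transpositions."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(t: Txn) -> list[str]:
    """Field-level edit checks; an empty list means the record passes."""
    errors = []
    if not 0 < t.cents <= PAYMENT_LIMIT_CENTS:         # limit check (Q154)
        errors.append(f"LIMIT: amount {t.cents / 100:.2f} outside 0.01-{PAYMENT_LIMIT_CENTS / 100:.2f}")
    if not check_digit_ok(t.account):                   # check digit (Q154, Q160)
        errors.append(f"CHECK DIGIT: account {t.account} fails mod-10")
    elif t.account not in CUSTOMER_MASTER:              # validity check (Q155)
        errors.append(f"VALIDITY: account {t.account} not on customer master")
    return errors


def batch_totals(txns: list[Txn]) -> Totals:
    """Record count, control total and hash total of a batch (Q155, Q163)."""
    return Totals(record_count=len(txns),
                  control_total=sum(t.cents for t in txns),
                  hash_total=sum(int(t.account) for t in txns))


def process_batch(header: Totals, txns: list[Txn]) -> dict:
    """Balance the batch to the user-prepared header, apply edit checks,
    then prove run-to-run that nothing was lost between input and posting."""
    input_totals = batch_totals(txns)
    batch_ok = input_totals == header   # a dropped, altered or added record breaks this
    accepted, rejected, exceptions = [], [], []
    for t in txns:
        errs = edit_checks(t)
        if errs:
            rejected.append(t)
            exceptions.append((t.doc_no, errs))   # exception report / suspense item (Q161)
        else:
            accepted.append(t)
    posted, suspense = batch_totals(accepted), batch_totals(rejected)
    run_to_run_ok = (                               # run-to-run totals (Q159, Q162)
        posted.record_count + suspense.record_count == input_totals.record_count
        and posted.control_total + suspense.control_total == input_totals.control_total
    )
    return {"batch_ok": batch_ok, "accepted": accepted,
            "exceptions": exceptions, "run_to_run_ok": run_to_run_ok}


def one_for_one(retained_docs: set[str], processed_report: list[Txn]) -> set[str]:
    """One-for-one checking (Q157): documents the user kept that never appear as processed."""
    return retained_docs - {t.doc_no for t in processed_report}


# Constructed batch: one clean record and three that each trip a different edit check.
BATCH = [
    Txn("D001", "79927398713", 2_500_00),   # passes every check
    Txn("D002", "49927398716", 12_000_00),  # exceeds the payment limit
    Txn("D003", "79927398714", 300_00),     # last digit mis-keyed: check digit fails
    Txn("D004", "12345678903", 450_00),     # check digit is fine, but no such customer
]

if __name__ == "__main__":
    header = batch_totals(BATCH)            # the user department's batch header
    result = process_batch(header, BATCH)
    print("batch balanced:", result["batch_ok"], "run-to-run balanced:", result["run_to_run_ok"])
    for doc_no, errs in result["exceptions"]:
        print("EXCEPTION", doc_no, "; ".join(errs))
    print("not on processed report:", one_for_one({t.doc_no for t in BATCH}, BATCH[:-1]))
```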

Question 164
An exception report for management is an example of which of the following?
a) Preventive control.
b) Detective control.
c) Corrective control.
d) Directive control.
Detecting an exception in a business transaction or process is detective in nature, but
reporting it is an example of a corrective control. Neither preventive nor directive
controls detect or correct an error; they simply stop it where possible (IIA Standard 2130—
Control).

Question 165
A new auditor is being briefed on various types of audits by the audit supervisor. The
supervisor states that some areas within the organization are more difficult to audit because
the controls generally are not as clearly defined as in other departments. Select the type of
control that is usually most difficult to assess.
a) Operational.
b) Hardware.
c) Accounting.
d) Physical security.
Operational controls frequently are not supported by clear criteria or standards. There is no
firm external procedural framework for operational controls such as generally accepted
accounting principles provide for accounting controls (IIA Standard 2130—Control).

Question 166
Due to its vulnerability to fraud, the trust department of a bank required that an officer
other than the trust officer verify income distribution orders and sign disbursement
checks. Which type of control is typified by such segregation of duties?
a) Input.
b) Auditing.
c) Corrective.
d) Operating.
Operating controls include all those that promote safe, accurate, and timely processing of
the bank’s transactions—for example, dual control, joint custody, rotation of employees,
and segregation of duties (IIA Standard 2130—Control).

Question 167
Monitoring is an important component of internal control. Which of the following items
would not be an example of monitoring?
a) Management regularly compares divisional performance with budgets
for the division.
b) Data processing management regularly generates exception reports for
unusual transactions or volumes of transactions and follows up with
investigation as to causes.
c) Data processing management regularly reconciles batch control totals
for items processed with batch controls for items submitted.
d) Management has asked internal auditing to perform regular audits of
the control structure over cash processing.
This is an example of a processing control procedure (IIA Standard 2130—Control).

Question 168
An adequate system of internal controls is most likely to detect an irregularity perpetrated
by a:
a) Group of employees in collusion.
b) Single employee.
c) Group of managers in collusion.
d) Single manager.
A good system of internal controls is likely to expose an irregularity if one employee
perpetrates it without the aid of others (IIA Standard 2130—Control).

Question 169
Controls can be classified according to the function they are intended to perform; for
example, to discover the occurrence of an unwanted event (detective), to avoid the
occurrence of an unwanted event (preventive), or to ensure the occurrence of a desirable
event (directive). Which of the following is a directive control?
a) Performing monthly reconciliation of bank statements.
b) Requiring dual signatures on all disbursements over a specific dollar
amount.
c) Recording every transaction on the day it occurs.
d) Requiring all members of the internal auditing department to be
Certified Internal Auditors.
This is a directive control. The control is designed to encourage a desirable event to occur—
that is, to enhance the professionalism and level of expertise of the internal auditing
department (IIA Standard 2130—Control).

Question 170
According to the Committee of Sponsoring Organizations (COSO) report, which of the
following is the most important component of internal control?
a) Risk assessment.
b) Control environment.
c) Control activities.
d) Monitoring.
According to the COSO’s report, five components of internal control include control
environment, risk assessment, control activities, information and communication, and
monitoring. Control environment is the foundation on which everything rests and is the
basis for assessing integrity and ethical values, management’s philosophy, and operating
style (soft controls). (IIA Standard 2130—Control.)

Question 171
When evaluating control self-assessment, most of the time should be spent on reviewing
hard controls in which of the following areas?
a) Organizational level.
b) Activity level.
c) Process level.
d) Department level.
Most of the time, hard controls should be evaluated at the activity level; this is in addition
to the soft controls. The focus of the hard controls should be on detailed documentation
and testing of control activities. Activity level includes process level, functional level, and
department level (IIA Standard 2130—Control).

Question 172
Which of the COSO components include many soft controls?

I. Control environment
II. Risk assessment
III. Control activities
IV. Information and communication
V. Monitoring

a) I and II.
b) I and III.
c) II and V.
d) I, III, and IV.
Two of the five COSO components, control environment and risk assessment, include
many soft controls that are intangibles, such as evaluating tone at the top, management's
philosophy, operating style, integrity, and the organization's ethical climate
(IIA Standard 2130—Control).

Question 173
COSO users adopt which of the following control evaluation processes?
a) Single-tiered.
b) Two-tiered.
c) Three-tiered.
d) Four-tiered.
COSO users often adopt a two-tiered control evaluation process. This includes entity-wide
assessment (organizational level) followed by process or activity level (second tier).
(IIA Standard 2130—Control.)

Question 174
The COSO-based audit approach should not override which of the following?
a) Risk-based approach.
b) Transaction-based approach.
c) Management-based approach.
d) Audit committee–based approach.
The COSO-based audit approach should not override the risk-based audit approach where
the latter should receive high priority. Where there are gaps, the two approaches should be
reconciled (IIA Standard 2130—Control).

Question 175
Which of the following management practices involves concentrating on areas that deserve
attention and placing less attention on areas operating as expected?
a) Management by objectives (MBO).
b) Responsibility accounting.
c) Benchmarking.
d) Management by exception (MBE).
Management by exception involves the actions described in the question (IIA Standard
2130—Control).

Question 176
According to the COSO report, the audit plan changes as

I. Risks change.
II. Audit resources change.
III. Board change.
IV. Policies change.

a) I only.
b) I and II.
c) III and IV.
d) I, II, III, and IV.
The audit plan changes throughout the year as risks and audit resources change
(IIA Standard 2130—Control).

Question 177
According to the COSO report, the annual audit plan should be based on which of the
following?

I. Control model
II. Risk model
III. Resource model
IV. Management model

a) I only.
b) II only.
c) I and II.
d) III and IV.
The annual audit plan should be based on the control model. This should not replace a
risk-based model (IIA Standard 2130—Control).

Question 178
According to the COSO report, the internal control framework consists of which of the
following?
a) Processes, people, objectives.
b) Profits, products, processes.
c) Costs, revenues, margins.
d) Return on investment, earnings per share, market share.
The core of any business is its people—their individual attributes, including integrity,
ethical values, and competence and the environment in which they operate. They are the
engine that drives the entity and the foundation on which everything else rests. The entity
will have its objectives and the processes to achieve those objectives (IIA Standard 2130—
Control).

Question 179
According to the COSO report, an entity's internal control system is built into all of the
following basic management processes except:
a) Planning.
b) Execution.
c) Monitoring.
d) Risk.
According to the COSO report, there is a synergy and linkage among planning, execution,
and monitoring, forming an integrated system that reacts dynamically to changing
conditions. However, risk to an entity comes from internal and external sources, which
must be identified, analyzed, measured, and managed. Risk varies with time, competition,
and other factors (IIA Standard 2130—Control).

Question 180
According to the COSO report, the correct sequence is
a) Risks, objectives, actions.
b) Actions, objectives, risks.
c) Objectives, risks, actions.
d) Objectives, actions, risks.
According to the COSO report, objectives provide the organization’s targets. To be in
control, risks potentially affecting the achievement of an entity’s objectives must be
identified and analyzed. Then actions must be put in place to mitigate the identified risks
(IIA Standard 2130—Control).

Question 181
According to the COSO report, the core of an organization is which of the following?
a) Products.
b) Processes.
c) People.
d) Profits.
According to the COSO report, the core of an organization is people. Profits result from
products and processes, and it is the people who make things happen (IIA Standard 2130—
Control).

Question 182
According to the COSO report, the effectiveness of an internal control system depends on
which of the following?
a) Authorization of the process.
b) Approval of the process.
c) Condition of the process.
d) Description of the process.
Deficiencies in an entity’s internal control system can surface from any of a number of
sources. A “deficiency” may represent a perceived, potential, or real shortcoming, or an
opportunity to strengthen the internal control system to provide a greater likelihood that
the entity’s objectives will be achieved. The condition of the process is either deficient or
not (IIA Standard 2130—Control).

Question 183
According to the COSO report, an entity's objectives are based on all of the
following except:
a) Preferences.
b) Profits.
c) Value judgments.
d) Management style.
Objective setting begins at the entity level, encompassing mission and value statements,
preferences, and management style, which leads to overall strategy. Profits are the result
of specific goals, where goals are derived from objectives (IIA Standard 2130—Control).
Question 184
An effective relationship between risk level and internal control level is which of the
following?
a) Low risk and strong controls.
b) High risk and weak controls.
c) Medium risk and weak controls.
d) High risk and strong controls.
According to the COSO report, there is a direct relationship between the risk level and the
control level. That is, high-risk situations require stronger controls, low-risk situations
require weaker controls, and medium-risk situations require medium controls
(IIA Standard 2130—Control).

Question 185
The concept of control should be viewed as:
a) Accomplishing an objective.
b) Limiting an operation.
c) Blocking a process.
d) Inhibiting a person.
Controls should facilitate the achievement of an organization’s goals, and they should not
limit operational practices, processes, and people’s actions. According to the COSO report,
a control is defined as the policies, practices, and organizational structure designed to
provide reasonable assurance that business objectives will be achieved and that undesired
events could be prevented or detected and corrected (IIA Standard 2130—Control).

Question 186
Organizational procedures allow employees to anticipate problems. This type of control is
known as:
a) Feedback control.
b) Strategic control.
c) Feed-forward control.
d) Performance appraisal.
Procedures provide guidance on how tasks should be accomplished (IIA Standard 2130—
Control).

Question 187
The purpose of control is to:
a) Control employee behavior.
b) Determine who is in charge of a department.
c) Ensure that the goals of a firm are being achieved.
d) Determine whether an operation is a cost or profit center.
The purpose of a control mechanism is to ensure that goals of a firm are being achieved
(IIA Standard 2130—Control).

Question 188
Which of the following levers of control create positive and inspirational forces in an
organization?

I. Belief systems
II. Interactive control systems
III. Boundary systems
IV. Diagnostic control systems
a) I and II.
b) II and III.
c) III and IV.
d) II and IV.
Belief systems and interactive control systems create positive and inspirational forces.
Boundary systems and diagnostic control systems create negative forces such as rules and
constraints (IIA Standard 2130—Control).

Question 189
Usually control decisions do not include:
a) What measures to implement.
b) How to evaluate performance.
c) What type of punishments to impose.
d) What type of incentives to use.
Control involves the use of incentives and rewards and to motivate employees in order to
help them accomplish organizational goals and objectives. Controls should be seen as
positive actions, not so much as negative actions (punishments). People prefer positive
things rather than negative things (IIA Standard 2130—Control).

Question 190
Senior managers most often use which of the following to achieve their business
objectives?
a) Hard controls, third-party reviews, and hard skills.
b) Soft controls, self-assessments, and soft skills.
c) Soft controls, third-party reviews, and soft skills.
d) Hard controls, self-assessments, and hard skills.
Generally speaking, senior managers most often use soft skills and soft controls to achieve
their business objectives. Self-assessment is a tool to implement soft control (IIA Standard
2130—Control).

Question 191
According to the COSO report, for a policy to be implemented, it need not be:
a) Written.
b) Thoughtful.
c) Clear.
d) Consistent.
Many policies and controls are informal and undocumented yet are regularly performed
and highly effective. However, the unwritten policy must be thoughtful, clear, and
consistent for others to understand and implement it (IIA Standard 2130—Control).

Question 192
According to the COSO report, which of the following is not a precondition to internal
control?
a) Objective setting
b) Strategic planning
c) Risk management
d) Monitoring
Monitoring comes after developing strategic plans, setting objectives, and conducting risk
assessment. Monitoring will assess the current performance of controls and their adequacy
over time (IIA Standard 2130—Control).

Question 193
According to the COSO report, an effective internal control system requires an ultimate:
a) User.
b) Sponsor.
c) Owner.
d) Customer.
An effective control system requires an ultimate owner. The only truly effective owner of
the control system is the chief executive officer (CEO). The CEO is the only person who
can establish the right tone at the top of the organization and who has the power to ensure
that all parts of the enterprise effectively communicate and coexist. The ownership
responsibility cannot be delegated to an accountant or an auditor (IIA Standard 2130—
Control).

Question 194
According to the COSO report, the threshold level for a “reportable condition” is:
a) Higher than that of a material weakness.
b) A yardstick for determining whether the internal control system is effective.
c) Lower than that of a material weakness.
d) A yardstick for determining whether the internal control system is ineffective.
Auditors are required to communicate only those findings meeting a specified threshold
of seriousness or importance. Reportable conditions are defined as “significant deficiencies
in the design or operation of the internal control structure, which could adversely affect the
organization’s ability to record, process, summarize, and report financial data consistent
with the assertions of management in the financial statements.” (IIA Standard 2130—
Control.)

Question 195
Auditors regularly evaluate controls and control procedures. Which of the following best
describes the concept of control as recognized by internal auditors?
a) Management regularly discharges personnel who do not perform up to expectations.
b) Management takes action to enhance the likelihood that established goals and objectives will be achieved.
c) Control represents specific procedures that accountants and auditors design to ensure the correctness of processing.
d) Control procedures should be designed from the bottom up to ensure attention to detail.
This is the definition of control contained in the IIA Standard 2130 (IIA Standard 2130—
Control).

Question 196
Which group has the primary responsibility for the establishment, implementation, and
monitoring of adequate controls in the posting of accounts receivable?
a) External auditors.
b) Accounts receivable staff.
c) Internal auditors.
d) Accounting management.
Management is responsible for controls (IIA Standard 2130—Control).

Question 197
As part of a total quality control program, a firm not only inspects finished goods but also
monitors product returns and customer complaints. Which type of control best describes
these efforts?
a) Feedback control.
b) Feed-forward control.
c) Production control.
d) Inventory control.
Feedback control makes sure past mistakes are not repeated (IIA Standard 2130—Control).

Question 198
Corporate directors, management, external auditors, and internal auditors all play
important roles in creating a proper control environment. Top management is primarily
responsible for:
a) Establishing a proper environment and specifying an overall internal control structure.
b) Reviewing the reliability and integrity of financial information and the means used to collect and report such information.
c) Ensuring that external and internal auditors adequately monitor the control environment.
d) Implementing and monitoring controls designed by the board of directors.
This is the best description of top management’s responsibility (IIA Standard 2130—
Control).

Question 199
Corporate management has a role in the maintenance of internal control. In fact,
management sometimes is a control. Which of the following involves managerial functions
as a control device?
a) Supervision of employees.
b) Use of a corporate policies manual.
c) Maintenance of a quality control department.
d) Internal auditing.
The best form of control over the performance of individuals is supervision. This is a
managerial function (IIA Standard 2130—Control).

Question 200
One particular type of control is frequently criticized because corrective action takes place
after the fact. What type of control exhibits that trait?
a) Automatic control.
b) Feedback control.
c) Strategic control.
d) Feed-forward control.
Feedback controls can allow costs to build up due to their back end position (IIA Standard
2130—Control).

Question 201
The operations manager of a company notified the treasurer of that organization 60 days
in advance that a new, expensive piece of machinery was going to be purchased. This
notification allowed the treasurer to make an orderly liquidation of some of the company’s
investment portfolio on favorable terms. Select the type of control that this example
describes.
a) Feedback.
b) Strategic.
c) Budgetary.
d) Feed-forward.
Feed-forward control provides for the active anticipation of problems so that they can be
resolved in a timely manner (IIA Standard 2130—Control).

Question 202
To be successful, large companies must develop means to keep the organization focused
in the proper direction. Organization control systems help keep companies focused. These
control systems consist of which of the following components?
a) Budgeting, financial ratio analysis, and cash management.
b) Objectives, standards, and an evaluation-reward system.
c) Role analysis, team building, and survey feedback.
d) Coaching, protection, and challenging assignments.
These items are the basic components of complex organizational control systems in large
companies (IIA Standard 2130—Control).

Question 203
An audit committee should be designed to enhance the independence of both internal and
external audit functions and to insulate the audit functions from undue management
pressures. Using these criteria, audit committees should be composed of:
a) A rotating subcommittee of the board of directors or its equivalent.
b) Only members from the relevant outside regulatory agencies.
c) Members from all important constituencies, specifically including representatives from
banking, labor, regulatory agencies, shareholders, and officers.
d) Only external members of the board of directors or its equivalent.
Audit committees should be made up of external members of the board of directors or other
similar oversight committees.

Question 204
Which of the following features of a large manufacturing company's organization structure
would be a control weakness?

a) The IT department is headed by a vice president who reports directly to the president.
b) The chief financial officer is a vice president who reports to the chief
executive officer.
c) The audit committee of the board consists of the chief executive
officer, the chief financial officer, and a major stockholder.
d) The controller and treasurer report to the chief financial officer.
This is a strength since it prevents the information technology operation from being
dominated by a user.

Question 205
Audit committees have been identified as a major factor in promoting independence of
both internal and external auditors. Which of the following is the most important limitation
on the effectiveness of audit committees?
a) Audit committees may be composed of independent directors. However, those directors
may have close personal and professional friendships with management.
b) Audit committee members are compensated by the organization and thus favor a
stockholder's view.
c) Audit committees devote most of their efforts to external audit concerns and do not pay
much attention to internal auditing and the overall control environment.
d) Audit committee members do not normally have degrees in the accounting or auditing
fields.
This is a major limitation that has hampered the effective operation of audit committees.

Question 206
Who should have the least influence on the appointment of the director of internal audit?
a) The controller.
b) The audit committee.
c) The external auditor.
d) The chief executive officer.
The controller is an auditee and as such should have the least influence. The highest levels
of management and the audit committee are directly involved in the appointment.

Question 207
During discussions with top management, the director of internal auditing identified
several strategic business issues to consider in preparing the annual audit schedule. Which
of the following does not represent a strategic issue for this purpose?
a) A monthly budgeting process will be implemented.
b) An international marketing campaign will be started to develop product recognition and
also to leverage the new corporate-based advertising department.
c) Joint venture candidates will be sought to provide manufacturing and sourcing
capabilities in European and Asian markets.
d) A human resources database will be established to ensure consistent administration of
policies and to improve data retention.
This is an operating decision to facilitate the budgeting process and improve information.

Question 208
Audit committees are most likely to participate in approving:
a) Staff promotions and salary increases.
b) Internal audit report findings and recommendations.
c) Audit work schedules.
d) Appointment of the internal audit director.
The independence of the internal auditing department is enhanced when the audit
committee participates in naming its director.

Question 209
Audit committees are responsible for:
a) Selecting the director of internal auditing.
b) Developing the internal auditing plan and budget.
c) Reviewing and approving the internal audit charter.
d) Selecting the independent accountants.
This is an oversight activity. It will ensure that internal auditors are carrying out their
responsibilities.

Question 210
To avoid creating conflict between the chief executive officer (CEO) and the audit
committee, the internal auditing director should:
a) Submit copies of all audit reports to the CEO and audit committee.
b) Strengthen independence through organizational status.
c) Discuss all pending reports to the CEO with the audit committee.
d) Request board establishment of policies covering internal auditing relationships with
the audit committee.
This is the action the internal auditing director should take to avoid conflict between the
CEO and the audit committee (IIA Standards).

Question 211
Which of the following would not be an appropriate member of an audit committee?
a) The vice president of the local bank used by the company
b) An academic specializing in business administration
c) A retired executive of a firm that had been associated with the corporation
d) The firm's vice president of operations
Audits may be conducted in the member's area of control and responsibility. Thus, the
potential member is not independent of the audit function. The potential member is also
not an outside director.

Question 212
Which of the following establishes a corporation's governance mechanism?
a) Stockholders.
b) Corporate bylaws.
c) Board of directors.
d) Corporate officers.
A corporation's governance mechanism is established by a firm's bylaws, which are a set
of internal rules or policies. Bylaws describe the powers of the corporation and the duties
and responsibilities of the board of directors and officers, and how to treat stockholders
(IIA Standard 2110—Governance).

Question 213
Which of the following is the major reason for agency problems to exist?
a) Owner interest.
b) Self-interest.
c) Community interest.
d) Corporate interest.
Agency problems develop when the interests of the shareholders are not aligned with the
interests of the manager, and the manager (who is simply a hired agent with the
responsibility of representing the owner's (principal's) best interest) begins to pursue self-
interest instead. The other three choices have no influence on the agency problems
(IIA Standard 2110—Governance).

Question 214
Which type of social responsibility encompasses those activities and practices that are
expected or prohibited by societal members even though they are not codified into law?
a) Ethical responsibilities.
b) Legal responsibilities.
c) Philanthropic responsibilities. (Philanthropic responsibilities include donating money
and property to social programs.)
d) Economic responsibilities.
Because laws are important but not adequate, ethical responsibilities encompass those
activities and practices that are expected or prohibited by societal members even though
they are not codified into law. Ethical responsibilities embody the full scope of norms,
standards, and expectations that reflect a belief of what consumers, employees,
shareholders, and the community regard as fair, just, and in keeping with the respect for or
protection of stakeholders' moral rights.

Question 215
Some profit-making corporations strive to do all of the following except:
a) Make a profit.
b) Obey the law.
c) Donate money and property.
d) Be ethical.

Some profit-making corporations strive to make a profit, obey the law, be ethical, and be a
good corporate citizen whenever it is possible or needed. However, donating money and
property is a part of philanthropic responsibility, which is a voluntary action done by some
profit-making corporations but not all.

Question 216
Regarding socially conscious investing, the concept of social screening is:
a) No longer used by investment firms.
b) Used by some firms in a positive way or a negative way.
c) Not practiced in real life except in classrooms.
d) A trade-off between social performance and economic performance.

The concept of social screening is the backbone of the socially conscious investing
movement. Investors seeking to put their money into socially responsible firms want to
screen out those firms they consider to be socially irresponsible or to actively invest in
those firms they think of as being socially responsible.

Question 217
Which of the following refers to corporate behavior in response to market forces or legal
constraints?
a) Social obligation.
b) Social responsibility.
c) Social responsiveness.
d) Social attitude.
A three-stage schema for classifying corporate behavior was proposed in responding to
social or societal needs: social obligation, social responsibility, and social responsiveness.
Social obligation is corporate behavior in response to market forces or legal constraints.

Question 218
The aim of which of the following is to prevent or minimize agency problems?
a) Market forces and agency costs.
b) Bylaws and charter.
c) Code of conduct and code of honor.
d) Governance policies and practices.
Both market forces and agency costs are aimed at preventing or minimizing agency problems.
There is a principal–agent relationship within a corporation, meaning shareholders and
investors are the principals and corporate management is the agent of the corporation. An
example of market forces is large institutional shareholders who use their voting rights to
put pressure on company management to perform better. An example of agency costs is
executive salaries, which is a controversial topic.
Market forces and agency costs work as checks and balances in the principal–agent
relationship, which, in turn, minimize the agency problems. The other three choices are
not related to agency problems because they are related to corporate establishment and
formation (IIA Standard 2110—Governance).

Question 219
Which of the following is not an example of agency cost?
a) Cost of threat of takeover.
b) Cost of management compensation.
c) Costs imposed by lenders.
d) Costs due to minimum liquidity levels.
The cost of a threat of takeover is a part of market forces, not agency costs. The costs listed
in the other three choices are examples of agency costs. Examples of market forces include
large shareholders and threat of takeover, which motivate company management to act in
the best interest of the corporation owners, not in its own best interest, where the latter
leads to agency problems. Examples of agency costs include cost of management
compensation (e.g., stock options and cash bonuses) and costs imposed by lenders (e.g.,
minimum liquidity levels, merger and acquisition activities, restrictions on risky
investments, executive salaries, and dividend payments). (IIA Standard 2110—
Governance.)

Question 220
Which of the following does not properly refer to corporate governance?
a) How a firm is directed.
b) How a board is compensated.
c) How a firm is administered.
d) How a firm is controlled.
The scope of corporate governance deals with how a firm is directed, administered, and
controlled in both the short run and the long run. The scope of corporate governance
comes from the scope of the corporate charter, which is an internal document describing the
basic purpose of a corporation's existence in terms of mission, vision, goals, objectives,
and authority. How board members are compensated is decided by shareholders and current
practices and is outside the scope of corporate governance (IIA Standard 2110—
Governance).

Question 221
Corporate governance framework should not be concerned with which of the following?
a) Roles of stakeholders.
b) Rights of stakeholders.
c) Perks to board of directors.
d) Accountability of stakeholders.
Corporate governance is not concerned with perks to board of directors because the chief
executive officer often controls the board perks, such as director compensation, travel and
hotel accommodations, and committee assignments. Board members who rock the boat
may find they are left out in the cold. However, the corporate governance framework is
fully concerned with roles, rights, and accountability of stakeholders. The framework
should protect and facilitate the exercise of stakeholders' roles, rights, and accountability
(IIA Standard 2110—Governance).

Question 222
All of the following are the paramount duty of the board of directors of a public corporation
except:
a) Selecting the chief executive officer.
b) Hiring senior managers.
c) Overseeing the chief executive officer and senior managers in the
ethical operation of the corporation.
d) Engaging an independent accounting firm to audit the financial
statements prepared by management.
It is the paramount duty of the board of directors of a public corporation to select the best
chief executive officer (CEO) who is highly qualified to run the corporation. The CEO, in
turn, hires senior managers, not the board of directors. The ethics committee of the board
oversees the CEO and senior managers in the ethical operation. The audit committee of the
board is responsible for engaging an independent accounting firm. The flow of duties is:
Board → CEO → Senior Managers (IIA Standard 2110—Governance).

Question 223
Which of the following is not a proper role or function expected of the board of directors
of a corporation?
a) Having integrity.
b) Being honest.
c) Micromanaging.
d) Oversight.
A board of directors that micromanages gets involved in each and every detail of how the
chief executive and company officers are handling day-to-day activities. This is not the
proper role or function (IIA Standard 2110—Governance).

Question 224
Which of the following are the reasons for lack of independence of a company's board of
directors?

I. Inside directors have close ties to the chief executive officer (CEO).
II. Inside directors are family and friends of the CEO.
III. The CEO controls the board processes.
IV. The number of inside directors is greater than the number of outside directors.

a) I only.
b) I and II.
c) IV only.
d) I, II, III, and IV.
All four items listed are the reasons for lack of independence of a company's board of
directors. Board independence from management is a crucial aspect of good corporate
governance. It is here that the difference between inside directors and outside directors
becomes most pronounced. Outside directors are independent from the firm and its top
managers. In contrast, inside directors have some sort of ties to the firm and its
management. To varying degrees, each of the inside directors is beholden to the CEO and
therefore might be hesitant to speak out when necessary (IIA Standard 2110—
Governance).

Question 225
The practice of obtaining critical information from a company in good faith and then using
that information for one's own personal financial gain is called:
a) Financial trading.
b) Insider trading.
c) Shareholder trading.
d) Investor trading.

That is the definition of insider trading. Insider trading perpetrated by corporate executives
and managers should be prohibited and reported to the board through whistle-blowing
activity. The other three choices can result from insider trading as outcomes or tools
(IIA Standard 2110—Governance).

Question 226
Which one of the following items can come after the other three items are in place in an
effort to improve corporate governance?
a) Changing the composition of boards of directors.
b) Changing the structure of the board of directors.
c) Shareholders assuming an active role in governance.
d) Changing the functioning of boards of directors.
First, one needs to fix problems and issues internally (i.e., within the board of a
corporation). The listed problems and issues can be related to composition, structure, and
effective functioning of the board of directors. Later, shareholders (outsiders)—on their
own initiative or on the initiative of management or the board—could assume a more active
role in governance. In reality, there are too many shareholders for all to assume an active
role. However, it is possible for major (institutional) shareholders to assume an active role
(IIA Standard 2110—Governance).

Question 227
A corporation must be managed on which of the following principles?
a) Corporate governance.
b) Corporate control.
c) Corporate law.
d) Corporate ethics.
For a corporation to be legitimate, its governance principles must correspond to the will
of the general public. Therefore, a corporation must be managed on the principles of
corporate governance, which define the roles of shareholders, directors, and officers/managers in
corporate decision making and accountability. Corporate control, law, and ethics become
a part of corporate governance (IIA Standard 2110—Governance).

Question 228
Which of the following are not agents of a corporation?
a) Managerial employees.
b) Shareholders.
c) Nonmanagerial employees.
d) Outside contractors.
Shareholders are owners and investors (principals) of a corporation, not agents of a
corporation (IIA Standard 2110—Governance).

Question 229
The triple bottom line, which focuses on a broader stakeholder view of corporate
governance, does not address which of the following?
a) Financial objectives.
b) Social objectives.
c) Environmental objectives.
d) Technical objectives.
In the corporate world, the triple bottom line is a broader perspective considering
stakeholders beyond shareholders. A firm's strategy and related investments will have
financial objectives, social objectives, and environmental objectives—objectives that make
up the triple bottom line (IIA Standard 2110—Governance).

Question 230
Which of the following corporate governance guidelines can be used to solve the agency
problem?
a) Duty of reimbursement.
b) Board of directors' compensation.
c) Management compensation.
d) Duty of compensation.
There is a principal–agent relationship within a corporation, meaning that shareholders
and investors are the principals and corporate management is the agent of the corporation.
Members of corporate management are agents of a corporation. The board of directors
needs to motivate these agents to perform better (e.g., financially, operationally, or
strategically) through management compensation plans. The board of directors'
compensation is a small matter and cannot solve agency problems; management
compensation, however, is a big matter and can solve agency problems. The scope of
management compensation includes several components, such as incentive plans (stock
options), performance plans (performance shares), and cash bonuses. Directors, who are
few in number, resolve the principal–agent problems through corporate management, who
are many in number. The duty of compensation and the duty of reimbursement are the
principal's duties to pay the agents in a principal–agent relationship (IIA Standard 2110—
Governance).

Question 231
Which of the following is an example of a formal role played by the board of directors of
corporations?
a) To provide leads for acquisition and merger candidates.
b) To influence the industry regulators.
c) To establish executive management compensation.
d) To act as conduits of information from external sources.
Establishing the executive management compensation is a formal role while all the other
three roles are informal. The scope of executive management compensation is complex and
controversial as it includes several components such as incentive plans (stock options),
performance plans (performance shares), and cash bonuses (IIA Standard 2110—
Governance).

Question 232
Corporate ownership is heavily dispersed in which of the following countries?
a) Canada.
b) United States.
c) Germany.
d) Japan.
Corporate ownership is heavily dispersed in the United States (IIA Standard 2110—
Governance).

Question 233
Owners and workers sit on the board of directors in which of the following countries?
a) Canada.
b) United States.
c) France.
d) United Kingdom.
In France, owners and workers sit on the board of directors to voice their concerns. Only
owners (e.g., shareholders, investors, and others) sit on the board in Canada, the United
States, and the United Kingdom (IIA Standard 2110—Governance).

Question 234
Internal controls cannot do which of the following?
a) Ensure safeguarding of assets.
b) Promote operational efficiency.
c) Increase sales or revenues.
d) Ensure reliable accounting records.
A key responsibility of a business manager or owner is to control operations. Internal
control is the organizational plan and all the related measures designed to safeguard assets,
encourage employees to follow company policy, promote operational efficiency, and
ensure accurate and reliable accounting records. However, internal controls cannot increase
sales or revenues, which is the functional responsibility of marketing and senior
management (IIA Standard 2110—Governance).

Question 235
Which of the following is the ultimate function of corporate governance?
a) Providing the organization structure and resources.
b) Establishing the rules and procedures.
c) Monitoring the organization's performance continuously.
d) Assigning rights and responsibilities to all employees.
The ultimate function of corporate governance focuses on survival, performance, growth,
and competitive advantage continuously (IIA Standard 2110—Governance).

Question 236
An effective relationship between risk level and internal control level is which of the
following?
a) Low risk and strong controls.
b) High risk and weak controls.
c) Medium risk and weak controls.
d) High risk and strong controls.
There is a direct relationship between the risk level and the control level. That is, high-risk
situations require stronger controls, low-risk situations require weaker controls, and
medium-risk situations require medium controls. Note that all risk situations require a
minimum base of controls as the basic foundation of controls (IIA Standard 2110—
Governance).

Question 237
What is the correct term to use when employees are able to freely bring their concerns
about illegal or unethical practices to the board of directors of a company?
a) Insider trading.
b) Self-dealing.
c) Whistle-blowing.
d) Asset fraud.
Whistle-blowing is when stakeholders, including individual employees and their
representative bodies, freely communicate their concerns about illegal or unethical
practices to the board of directors. The rights of whistle-blowers should not be
compromised for doing this. A corporate whistle-blower program can act as a means of
collecting employee concerns, improving internal communication, collecting information
regarding emerging issues before they become crises, and enhancing the organization's
overall system of internal controls (IIA Standard 2110—Governance).

Question 238
Corporate governance is mostly concerned with which of the following?
a) Warehouse employee disciplinary actions.
b) Code of conduct for office employees.
c) Plant union employee rights and obligations.
d) The relative roles, rights, and accountability of stakeholders.
Corporate governance refers to the methods by which a firm is being governed, directed,
administered, or controlled and to the goals for which it is being governed. Corporate
governance is concerned with the relative roles, rights, and accountability of such
stakeholder groups as owners, boards of directors, managers, employees, unions, suppliers,
and others who assert to be stakeholders. This is a high-level concern and a major goal of
corporate governance (IIA Standard 2110—Governance).

Question 239
Which of the following is the universal responsibility of the board of directors of
corporations?
a) To ensure that all executives are acting in shareholders' best interests.
b) To oversee the work of top executives.
c) To hire and fire top executives.
d) To approve the company's strategy.
Because shareholders are the owners and investors of a corporation and because
shareholders elect the board of directors, the directors have the universal responsibility of
ensuring that all executives are acting in shareholders' best interests (IIA Standard 2110—
Governance).

Question 240
Corporate governance has a strong bearing on the ability of business firms to:
a) Survive continuously.
b) Facilitate growth.
c) Create a competitive advantage.
d) Perform better.
Creating a competitive advantage should come first, and the items listed in the other three
choices can come later based on the competitive advantage created. The competitive
advantage can come in several ways, such as developing and marketing new products and
services; producing and delivering quality products and services using quality suppliers
and vendors; and having talented, skilled, and competent employees. This competitive
advantage will have a strong bearing on the ability of business firms to survive
continuously; facilitate growth; and perform better than competitors financially,
operationally, or strategically (IIA Standard 2110—Governance).

Question 241
Which of the following committees typically is responsible for assessing the adequacy of
internal control systems and the integrity of financial statements?
a) Audit committee.
b) Nominating committee.
c) Compensation committee.
d) Governance committee.
The audit committee is typically responsible for assessing the adequacy of internal control
systems and the integrity of financial statements (e.g., balance sheet and income statement).
The audit committee oversees the process that produces reliable and credible financial
statements while ensuring the company has effective and adequate internal controls. Audit
committee members are members of the board of directors.

Question 242
Which of the following is an ideal statement about disclosures of corporate performance?
a) Disclosures are directly related to the job or position held.
b) Disclosures are directly related to the amount of compensation received.
c) Disclosures should include both mandatory and voluntary reporting.
d) Disclosures should include all conflict-of-interest statements.
The accounting standard-setting bodies (e.g., FASB, AICPA, and SEC in the United States
and the IASB worldwide) require corporations to disclose financial information, but
corporations should do more than mandatory disclosures, such as making voluntary
disclosures in financial and operational areas (IIA Standard 2110—Governance).

Question 243
Which of the following codes of governance is specifically linked to the U.S. Sarbanes-Oxley Act of 2002?
a) Shareholder equality.
b) Board and management accountability.
c) Financial reporting disclosure and transparency.
d) Auditor and director independence.
Codes of governance are governance standards to which firms around the globe should
adhere. Codes of governance are aimed at four main issues: shareholder equality in
upholding all shareholders rights; accountability by the board and management; disclosure
and transparency through accurate and timely financial and nonfinancial reporting; and
independence of auditors and board directors. The financial reporting disclosure and
transparency issue specifically links the Sarbanes-Oxley Act of 2002 to the codes of
governance (IIA Standard 2110—Governance).

Question 244
Which of the following is the major element of the implementation of Section 302 of the Sarbanes-Oxley Act, which requires quarterly financial certification by the chief executive officer (CEO) and chief financial officer (CFO) of a public company?
a) Disclosure controls.
b) Disclosure procedures.
c) Disclosure committee.
d) Disclosure process.
Section 302 of the Sarbanes-Oxley Act requires CEOs and CFOs to personally certify a
public company's quarterly financial reports. To implement this section, the Securities and
Exchange Commission introduced the term “disclosure controls and procedures,” which
limits the evaluation to internal controls over financial reporting and over significant
(material) nonfinancial disclosures. The major element of the disclosure process is
installing a disclosure committee in which knowledgeable and high-level people come
together to rigorously examine financial information and other disclosures as they are being
prepared (IIA Standard 2110—Governance).

Question 245
Which of the following directly follows the state charter in the corporation's hierarchy of
authority?
a) Shareholders.
b) Board of directors.
c) Management.
d) Employees.
The hierarchy of a corporation's authority starts with the state charter then flows to
shareholders, board of directors, management, and then employees in that order
(IIA Standard 2110—Governance).

Question 246
Which of the following represents the best way for corporate management to model
appropriate legal and ethical behavior in a corporation?
a) To enforce a strict code of ethics and code of honor.
b) To set an example of appropriate legal and ethical behavior.
c) To train employees about appropriate legal and ethical behavior.
d) To make employees read and sign a code of conduct and conflict-of-interest statements.
Research in moral development of corporate management strongly suggests that honesty
is reinforced when proper examples are set—sometimes referred to as the tone at the top.
Corporate management cannot act one way and expect others in the organization to behave
differently. Management must reinforce through its own actions that dishonest,
questionable, unethical, or illegal behavior will not be tolerated. This is called modeling
appropriate management behavior. The items listed in the other three choices are passive in nature and lack the teeth needed to enforce them properly (IIA Standard 2110—Governance).

Question 247
All of the following were strong reasons for the recent financial meltdowns, risky investments, and fraudulent schemes/scams that occurred in the U.S. financial industry except:
a) Governance lapses.
b) Operational lapses.
c) Legal lapses.
d) Ethical lapses.
In general, operational lapses include producing, marketing, and delivering inferior-quality products and services to customers. This is not the real reason for the recent financial problems because members of U.S. corporate management are highly competent and qualified, can fix these operational problems, and can fulfill their operational responsibilities in good faith.
The strong reasons lie in governance, legal, and ethical lapses. Corporate management's greed comes into play when deposits of innocent bank customers are placed in risky investments, such as subprime real estate mortgages, hedge funds, and derivatives. The whole society bears these risks, yet corporate management receives only small penalties and punishments for bad and reckless investments.
An example of a fraudulent scheme is banks illegally and unethically manipulating the interest rates on the money they borrow from other banks, thus deceiving bank customers and the public. These fraudulent actions occur due to collusion among the banks' senior management.
All of these are examples of highly illegal, unethical, and grossly negligent actions on the
part of the U.S. corporate management and of not following U.S. regulatory and legislative
controls. The boards of directors in these corporations should be blamed for these lapses
because they were not fulfilling their fiduciary responsibilities and were ineffective in
managing and controlling corporate management (IIA Standard 2110—Governance).

Question 248
Effective whistle-blower programs can help organizations meet the requirements of
Section 301 of the Sarbanes-Oxley Act's Audit Committees. Which of the following
is not an element of the whistle-blower program?
a) Collecting employee concerns.
b) Improving internal communication.
c) Collecting information about emerging issues.
d) Improving external communication.
The whistle-blower program can act as a means of collecting employee concerns, improving internal communication, collecting information regarding emerging issues before they become crises, and enhancing the organization's overall system of internal controls. The program does not improve external communications because it focuses on internal communication. The other responses are incorrect because they all help the organization to meet the requirements of the act. They help to improve the implementation of the whistle-blower program because they focus on improving internal communication (IIA Standard 2110—Governance).

Question 249
The major issue embedded in the structure of modern corporations that has contributed to
the corporate governance problem has been:
a) Separation of purchase from lease.
b) Separation of suppliers from producers.
c) Separation of ownership from control.
d) Separation of employees from independent contractors.
The major issue in the structure of modern corporations that has contributed to the
corporate governance problem has been the separation of ownership from control.
Stockholders are owners, and the board of directors, officers, and managers control the
corporation on a day-to-day basis. This means that no one shareholder or group of
shareholders owns enough shares to exercise control, so shareholders perceive themselves
to be investors rather than owners. The other choices are incorrect because they are not
major issues compared to the separation of ownership from control (IIA Standard 2110—
Governance).

Question 250
The most effective way of releasing the whistle-blower program throughout the
organization is to have:
a) Hard-copy memos.
b) E-mails.
c) Face-to-face meetings.
d) Computer-based training programs.
While a hard-copy memo, an e-mail, video conferencing, voice conferencing, or even preparing a computer-based training program is a viable option to release the whistle-blower program throughout the organization, the most effective way is to have face-to-face meetings with employees. This shows management's commitment to the program (IIA Standard 2110—Governance).

Question 251
The train-the-trainer approach is implemented in which phase of the whistle-blower
program?
a) Assessment.
b) Building.
c) Program release.
d) Performance monitoring.
The building phase trains operators. The train-the-trainer approach is widely used in other
settings and is practical in whistle-blower programs (IIA Standard 2110—Governance).

Question 252
The selection of the facilitator is made in which phase of the whistle-blower program?
a) Assessment.
b) Building.
c) Program release.
d) Performance monitoring.
The selection of the facilitator for the whistle-blower program release sessions is made in
the program release phase. Choosing a sympathetic and knowledgeable facilitator will
increase employee acceptance of the program and put employees at ease (IIA Standard
2110—Governance).

Question 253
Employee surveys are conducted in which phase of the whistle-blower program?
a) Assessment.
b) Building.
c) Program release.
d) Performance monitoring.
Performance monitoring requires verifying compliance with the program's protocol to
ensure quality control. Surveys should be conducted to obtain feedback and to make sure
that employees remain aware that the program is in place and working effectively
(IIA Standard 2110—Governance).

Question 254
According to Section 404 of the Sarbanes-Oxley Act's Management Assessment of Internal
Controls, assessment and assertion of an organization's control environment should focus
on which of the following?
a) Integrated controls.
b) Discrete controls.
c) Soft controls.
d) Hard controls.
The control environment of an organization does not exist as a series of discrete controls, like the steps in a transaction processing system. It is an integrated whole. The individual pieces contribute to the whole, but it is the interaction among the pieces that makes up the control environment. Thus, the organization's assessment and assertion of the control environment should be treated as a whole and in an integrated manner (IIA Standard 2110—Governance).

Question 255
Which of the following is not an example of an ethical dilemma facing a business manager involving a conflict between the:
a) Part versus whole.
b) Individual versus organization.
c) Organization versus society.
d) Individual versus family.
Ethics deals with deciding and acting on what is right or wrong in a particular situation. Basically, ethics is concerned with knowing what is good and bad and separating them. Most ethical dilemmas involve a conflict between the needs of the part and those of the whole—the individual versus the organization or the organization versus society as a whole. The ethical dilemma between an individual and his or her family is outside of a business situation.

Question 256
The method by which a company exists and describes the basic terms of its existence is
called which of the following?
a) Corporate governance.
b) Corporate charter.
c) Corporate ownership.
d) Corporate ethics.
The method by which a firm is governed, directed, administered, or controlled and the
goals for which it is being governed are based on the corporate charter. The hierarchy of a
corporation's authority starts with the state charter, then flows to shareholders, the board of
directors, management, and finally employees. The charter, which is an internal document,
describes the basic purpose of a corporation's existence in terms of mission, vision, goals,
objectives, and authority.

Question 257
Which of the following helps business managers faced with tough ethical choices?
a) Descriptive ethics approach.
b) Principles approach.
c) Normative approach.
d) Ethical tests approach.
Managers faced with tough ethical choices often benefit from a normative approach—one
based on norms and values—to guide their decision making. Normative ethics are
concerned with supplying and justifying a coherent moral system of thinking and judging.
It asks this question: What ought to be? The normative approach includes utilitarian,
individualism, moral rights, and justice approaches. An application of the normative
approach can occur when a decision is made to recruit, hire, train, and promote both men
and women equally.

Question 258
Which of the following statements is not true about ethics and law?
a) Ethical behavior resides above the legal behavior.
b) Law embodies notions of ethics.
c) Law addresses all ethical questions.
d) Law and ethics have clear roles to play in the society.
The generally accepted view of ethics is that ethical behavior resides above the legal
behavior. Note that in many respects, the law and ethics overlap because the law embodies
notions of ethics. That is, the law may be seen as a reflection of what society thinks are
minimal standards of conduct and behavior. It is important to note that the law does not
address all realms in which ethical questions might be raised. Thus, there are clear roles
for both law and ethics to play in the society. To rephrase it, not all unethical actions are
illegal and not all illegal actions are unethical, depending on local cultures and legal
jurisdictions.

Question 259
Business managers can use which of the following to understand the interactions among
the law, ethics, and economics?
a) Venn diagram.
b) Pareto diagram.
c) Affinity diagram.
d) Cause-and-effect diagram.
Business managers can use the Venn diagram to understand the interactions (i.e.,
connections and disconnections) among law, ethics, and economics (profits). A firm's
legal, ethical, and economic goals can be depicted in a Venn diagram showing how certain
decisions address these goals.

Question 260
In the United States, Dumpster diving is:
a) Legal and unethical.
b) Legal and ethical.
c) Illegal and ethical.
d) Illegal and unethical.
The U.S. Supreme Court has ruled that taking trash is actually legal since no expectation
of privacy exists for any item that has been discarded. However, it is unethical to do,
especially when used to damage a person. Note that some individual state laws may take a
different view on the issue of Dumpster diving.

Question 261
Board of directors and officers of a corporation must use which of the following?
a) Duty of ordinary care and duty of utmost care.
b) Duty of slight care and duty of ordinary care.
c) Due care and due diligence.
d) Due process and due professional care.
Corporate directors and officers of a corporation must perform their duties in good faith
and in a nonnegligent manner (due care). This requires due care and due diligence, which
are part of due process. “Due care” means reasonable care that promotes the common good.
It is maintaining minimal and customary practices. Due care implies reasonable care and
competence, not infallibility or extraordinary performance. The business judgment rule is
a legal presumption that the directors and officers of the corporation have exercised due
care by acting on an informed basis, in good faith, and in the honest belief that their actions
are in the best interests of the corporation. Unless a plaintiff can give persuasive evidence
against at least one of the criteria, corporate directors and officers are insulated from
liability for breach of the duty of care.
Due diligence requires organizations to develop and implement an effective system of
controls, policies, and procedures to prevent and detect violation of policies and laws. In
other words, due diligence is the care that a reasonable person exercises under the
circumstances to avoid harm to other persons or to their property (IIA Standard 2110—
Governance).

Question 262
Which of the following is expected of board of directors and officers of a public
corporation?
a) Duty of slight care.
b) Duty of ordinary care.
c) Duty of utmost care.
d) Duty of loyalty.
Directors and officers of a corporation have a duty not to act adversely to the interests of
the corporation and to subordinate their personal interests to those of the corporation and
its shareholders. This is called the duty of loyalty. Under the duty of loyalty, a corporation
can sue a director or an officer to recover secret profit made on a business transaction
(IIA Standard 2110—Governance).

Question 263
Abusive acts can be:
a) Legal but unethical.
b) Ethical but illegal.
c) Legal and ethical.
d) Illegal and unethical.
Abuse occurs when the conduct of an activity or function falls short of expectations for
prudent behavior. Abuse is distinguished from noncompliance in that abusive conditions
may not directly violate laws or regulations. Abusive activities may be within the letter of
the laws and regulations but violate their spirit or the more general standards of impartial
behavior, and more specifically of ethical behavior. This means that abusive acts can be
legal but unethical.

Question 264
Regarding ethical principles, which of the following properly defines the Golden Rule?
a) It states that one should put oneself in others' shoes. It includes not knowingly doing harm to others.
b) It states that when ends are of overriding importance, unscrupulous means may be used to reach the ends.
c) It states that justice is defined as the interest of the stronger, meaning that stronger people have an upper hand over the weaker people.
d) It is similar to the utilitarian ethic and the organization ethic.
This choice best defines the Golden Rule.

Question 265
Regarding ethical principles, which of the following properly defines the professional
principle?
a) It states that a true person will do things in such a way that he or she can explain them before a committee of peers.
b) It means that employees do things for the good of the organization.
c) It means that the greatest good should be done for the greatest number.
d) It is applying knowledge, skills, and sound judgment in the use of the organization's resources.
This choice best defines the professional principle.

Question 266
Regarding key ethical principles, the prudent person concept is related to which of the
following?
a) Goal-congruence principle.
b) Professional principle.
c) Golden Rule.
d) Might-equals-right principle.
The prudent person, who is not infallible or perfect, has the ability to govern and discipline
him- or herself by the use of reason; does not neglect duty; and applies knowledge, skills,
and sound judgment in the use of the organization's resources. Because of this, the prudent
person concept is related to the goal-congruence principle.

Question 267
Which of the following is not a proper role of corporate board of directors?
a) Guardian.
b) Governance.
c) Guarantor.
d) Guidance.
The board of directors, either individually or collectively, is not a guarantor of a
corporation because the board is a small group of individuals elected by shareholders to
govern and oversee the management of the business. The board provides governance,
guidance, guardian, and oversight roles. The board members are not guarantors for
shareholders, management, employees, customers, and suppliers. The board cannot
become a guarantor for loans taken by the corporation. This is not a proper role for the
board (IIA Standard 2110—Governance).

Question 268
Which of the following is a legal activity?
a) Obtaining competitive intelligence.
b) Industrial espionage.
c) Economic espionage.
d) Corporate espionage.
Obtaining competitive intelligence is a legal activity as long as it does not involve covert actions. Usually competitive intelligence is gathered through media research, marketing and sales staff, financial and marketing data, and buying information from publicly available research institutions.

Question 269
Which of the following is legally appropriate?
a) Welcome computer screens.
b) Computer prelogging questionnaires.
c) Unwelcome computer screens.
d) Computer postlogging questionnaires.
Using prelogging questionnaires before a person is given access to a computer system is
legal because the organization has the right to give permission only to individuals who are
fit to be given access. Situations listed in the other three choices are not legal, depending
on the legal jurisdiction, because they could lead to questionable practices.

Question 270
Which of the following is not an element of the board's overseeing of legal and ethical
conduct?
a) Conflicts of interest.
b) Business resiliency.
c) Related party transactions.
d) Compliance program.
Business resiliency is a part of overseeing the business operations, not legal and ethical
conduct per se. In overseeing legal and ethical conduct of a corporation, the board of
directors is concerned with conflicts of interest among board members and officers, related
party transactions, and the compliance program (IIA Standard 2110—Governance).

Question 271
Regarding the roles of chief executive officers and senior executives, a corporation should
have a code of conduct with effective reporting and enforcement mechanisms as a part of
which of the following?
a) Compliance program.
b) Strategic plans.
c) Operating plans.
d) Risk program.
Items such as code of conduct or code of ethics statements, conflict-of-interest statements, employment contracts, user access agreements to computer systems, and rules of behavior during access to computer systems are all part of a compliance program. The other three choices can be a part of the overall compliance program. Compliance auditors usually review and evaluate adherence to laws, rules, and regulations in corporations (IIA Standard 2110—Governance).

Question 272
The determination of whether a corporate director or officer has met his or her duty of care
is measured:
a) Before a decision is made.
b) At the time a decision is made.
c) After a decision is made.
d) At the time a decision is not made.
The duty of care requires good faith, with the care that an ordinary prudent person in a like
position would use under similar circumstances, and in a manner to be in the best interest
of the corporation. Duty of care refers to using care and diligence when acting on behalf of
the corporation. Under the duty of care, a director or an officer is personally liable to the
corporation and its shareholders for any damages caused by the fiduciary breach.

Question 273
Ethics, whether business or personal, are not based on which of the following?
a) Individuals.
b) Groups.
c) Situations.
d) Cultures.
Ethics are based on individual beliefs, social concepts and norms, situations, and cultures,
not on groups. A group is a collection of individuals.

Question 274
If managerial ethics are the standards of behavior that guide managers in their work, which
of the following will be difficult to assess?
a) Behavior toward employees.
b) Behavior toward the organization.
c) Behavior among employees.
d) Behavior toward economic agents.
Behavior among employees is difficult to assess due to intra- and interpersonality
differences. Situations listed in the other three choices are relatively easier to assess.

Question 275
Corporate management often questions the value of compliance to laws, rules, and
regulations in terms of:

I. Direct costs.
II. Direct benefits.
III. Indirect costs.
IV. Indirect benefits.

a) I and II.
b) I and IV.
c) II and III.
d) III and IV.
Corporate management says it costs a significant amount of resources to comply with the often-confusing, conflicting, and duplicate laws, rules, and regulations in terms of record-keeping and monitoring activities. Management can see the direct costs and benefits (items I and II) to some extent but cannot assess the indirect costs and benefits (items III and IV).

Question 276
Which of the following is not one of the three models of management ethics?
a) Immoral
management.
b) Moral
management.
c) Amoral
management.
d) Ethical
management.
The three models of management ethics include immoral management, moral management,
and amoral management. Ethical management, which is not one of the three models of
management ethics, is too broad as it includes categories such as social ethics, public ethics,
personal ethics, business ethics, and descriptive ethics.

Question 277
Which of the following is not true of the role that law plays in affecting societal values?
a) Law represents a minimum ethic of behavior.
b) Law represents the codification of what the society considers right and wrong.
c) Law addresses only the grossest violations of society's sense of right and wrong.
d) Law encompasses all the ethical standards of behavior.
Although law and ethics overlap, ethical behavior is thought to reside above behavior
required by the law. Law sets the minimum standards of behavior. Note that law does not
cover all the ethical standards of behavior. The other choices are incorrect because they are
true statements.

Question 278
Courts may treat self-dealing by the directors and officers of a corporation as unacceptable
under which of the following situations?
a) Self-interest.
b) Terms of the bargain.
c) Process for the bargain.
d) Material economic benefit.
Regarding self-dealing, corporate directors and officers may pursue business transactions
that benefit themselves as long as they can prove the transaction, although self-interested,
was nevertheless intrinsically “fair” to the corporation (i.e., the transaction is initiated and
completed at an arm's-length distance). A plaintiff must start by alleging the director or
officer stood to gain a material economic benefit. The burden then shifts to the defendant
to show the fairness of the transaction. The court considers both the terms and the process
for the bargain (i.e., both a fair price and fair dealing). However, if the director shows that
full disclosure was made to disinterested directors or disinterested shareholders, the burden
remains on the plaintiff (IIA Standard 2110—Governance).

Question 279
Which of the following is not an example of illegal acts?
a) Irregularities.
b) Noncompliance.
c) Abuse.
d) Fraud.
Illegal acts are a type of noncompliance; specifically, they are violations of laws, rules, or
regulations. They are failures to follow requirements of law or implementing regulations,
including intentional noncompliance (e.g., irregularities), unintentional noncompliance
(e.g., errors), and criminal/civil acts.
Abuse is not illegal because abuse is distinguished from noncompliance in that abusive
conditions may not directly violate laws or regulations.

Question 280
Regarding business ethics, which of the following represents the legal behavior expected
of employees of an organization?
a) Floor.
b) Ceiling.
c) Floor first, ceiling last.
d) Ceiling first, floor last.
The law is a floor on an employee's expected legal behavior. It is good to respond to the
spirit as well as the letter of law, assuming that the law is the floor and ethics is the ceiling
on employee behavior, and is operating above the minimum required between the floor and
the ceiling.

Question 281
Regarding business ethics, noncompliance with laws, rules, and regulations represents
which of the following?

I. Legal and ethical.
II. Legal and unethical.
III. Illegal and ethical.
IV. Illegal and unethical.

a) I only.
b) II only.
c) III only.
d) III or IV.
Noncompliance is a failure to follow requirements or a violation of prohibitions, contained
in laws, rules, regulations, contracts, governmental grants, or organization's policies and
procedures. Both law and ethics have to do with what is deemed appropriate or acceptable,
but law reflects society's codified ethics. Therefore, if a person breaks a law or violates a
regulation, he or she is also behaving unethically in some jurisdictions.
It is important to note that the law does not address all realms in which ethical questions
might be raised. Thus, there are clear roles for both law and ethics to play in the society.
To rephrase it, not all unethical actions are illegal and not all illegal actions are unethical,
depending on local cultures and legal jurisdictions.

Question 282
Which of the following does not fully describe business ethics?
a) Making decisions with the only criterion of making profit.
b) Knowing the difference between right and wrong.
c) Agreeing with prevailing norms or standards of society.
d) Making decisions in accordance with what ought to be.
Making profit is only one dimension of business ethics, not a full description. Examples of the question “what ought to be?” include: (1) How should we treat our aging employees whose productivity is declining? (2) How safe can we make our products, knowing full well that we cannot pass all the costs on to the consumer? (3) How clean an environment should we aim for? (4) How should we treat our longtime employees when the company is downsizing or moving the plant to a foreign country?

Question 283
Which of the elements of moral judgment refers to the ability to perceive that a web of
competing economic relationships is, at the same time, a web of moral or ethical
relationships?
a) Moral imagination.
b) Moral identification and ordering.
c) Moral evaluation.
d) Tolerance of moral disagreement and ambiguity.
The six major elements or capacities that are essential to making moral judgments include: (1) moral imagination, (2) moral identification and ordering, (3) moral evaluation, (4) tolerance of moral disagreement and ambiguity, (5) integration of managerial and moral competence, and (6) a sense of moral obligation and integrity.
Moral imagination refers to the ability to perceive that a web of competing economic
relationships is, at the same time, a web of moral or ethical relationships. Developing moral
imagination means not only becoming sensitive to ethical issues in business decision
making but also developing the perspective of searching out subtle places where people are
likely to be detrimentally affected by decision making or behaviors of managers. A sense
of moral obligation requires the intuitive or learned understanding that moral fibers—a
concern for fairness, justice, and due process to people, groups, and communities—are
woven into the fabric of managerial decision making and are the integral components that
hold systems together.

Question 284
At which level of corporate legitimacy do we refer to individual business firms achieving
and maintaining legitimacy by conforming to societal expectations?
a) Macro level.
b) Micro level.
c) Divisional level.
d) Departmental level.
Corporate legitimacy states that what is at stake is the existence and form of business as an
institution in the society. This is a micro-level view because it deals with a single firm in
the society (IIA Standard 2110—Governance).

Question 285
Regarding international business ethics, child labor, low pay, poor working conditions, and
worker abuse are all characteristics of:
a) Opportunistic countries.
b) Developed countries.
c) Less developed countries.
d) Developing countries.
Although sweatshops, characterized by child labor, low pay, poor working conditions,
worker abuse, and health and safety violations, have existed for decades, they have grown
in number in the past few years as global competition has heated up and corporations have
gone to the far reaches of the world to lower their production and marketing costs and to
increase their productivity. Opportunistic countries, whether developed or not, are using
sweatshops and are taking advantage of decreased costs and increased productivity.

Question 286
Regarding international business ethics, which of the following would best illustrate a
grease payment?
a) An advertising agency gives money to a car manufacturer so that the
latter brings in business.
b) A chemical company gives money to a potential buyer to convince the
latter to buy this company's chemicals.
c) The manager in charge of an emergency shipment of medical supplies
gives money to a dock official to expedite the unloading and delivery
of the supplies.
d) Company A gives money to Company B as a “bonus” if the latter signs
a contract with the former.
The Foreign Corrupt Practices Act in the United States and laws in other countries do not
prohibit so-called grease payments, or minor facilitating payments, to officials for the
primary purpose of getting them to do whatever they are supposed to do anyway. Such
payments are commonplace in many countries. Corruption in international business
continues to be a major problem. It starts with outright bribery of government officials and
the giving of questionable political contributions.

Question 287
Which of the following is the major contributor to the corporate governance problems?
a) Separation of ownership from control.
b) Control over the proxy process.
c) Principal–agent relationships.
d) Shareholder as an investor rather than an owner.
The major condition embedded in the structure of modern corporations that has contributed
to the corporate governance problem has been the separation of ownership from control. In
the pre-corporate period, owners typically were the managers themselves. As the public
corporation grew and stock ownership became widely dispersed, a separation of ownership
from control became the prevalent condition.
Other factors that added to management's power were corporate laws and traditions that
gave the management group control over the proxy process—the method by which the
shareholders elected boards of directors; the principal and agent relationships; the
shareholders who were owners in a technical sense but who perceived themselves to be
investors rather than owners (IIA Standard 2110—Governance).

Question 288
Which of the following attempt to assess the underlying moral justifications for corporate
actions and the consequent results of those actions?
a) Business impact statements.
b) Environmental impact statements.
c) Ethical impact statements.
d) Security impact statements.
Ethical impact statements attempt to assess the underlying moral justification for corporate
actions and the consequent results of those actions. The information derived from these
actions would permit the multinational corporation to modify or change its business
practices if the impact statement suggested that such changes would be necessary or
desirable. The other three choices are important but are not relevant to the ethical impact
statements.

Question 289
Which of the following is not included in seven moral guidelines for multinational
corporations (MNCs) in their international operations?
a) MNCs should do no intentional direct harm.
b) MNCs should pay extra taxes since they generate more money than
most of the local companies in the host country.
c) MNCs should produce more good than bad for the host country.
d) MNCs should cooperate with local government in the development and
enforcement of tax system or health and safety standards.
The seven moral guidelines to improve MNC operations include: (1) MNCs should do no
intentional, direct harm; (2) MNCs should produce more good than bad for the host
country; (3) MNCs should contribute by their activities to the host country's development;
(4) MNCs should respect the human rights of their employees; (5) MNCs should pay their
fair share of taxes; (6) MNCs should respect the local culture and work with it, not against
it; and (7) MNCs should cooperate with local government in the development and
enforcement of just background institutions.

Question 290
Regarding information technology security, the prudent person concept is related to which
of the following?
a) Due care and due permissions.
b) Due care and due rights.
c) Due care and due diligence.
d) Due care and due privileges.
The prudent person concept states that reasonable people always act reasonably under the
same conditions. Because people are fallible, courts and laws require that people use
reasonable care all the time. The prudent person or prudent man concept is related to due
care and due diligence.
Due care is maintaining reasonable care, which promotes the common good. It is
maintaining minimal and customary practices. Due care requires that managers have a duty
to provide for information security to ensure that the type of control, the cost of control,
and the deployment of control are appropriate for the computer system being managed.
Due care means having the right policies and procedures, access controls, firewalls, and
other reasonable security measures in place.
Due diligence requires organizations to be vigilant and diligent. It requires managers to
develop and implement an effective security program to prevent and detect violations of
policies and laws. It ensures that managers have taken minimum and necessary steps in
their power and authority to prevent and detect violations of policies and laws. Good
housekeeping in a data center is an example of due diligence.
Courts will find computer owners responsible for their insecure systems. Courts will not
find liability every time a computer is hijacked. Rather, courts expect organizations to
become reasonably prudent computer owners taking due care (reasonable care) to ensure
adequate security. Computer owners need not take super care, great care, or extraordinary
care.

Question 291
Which of the following is the highest priority for a socially responsible corporation?
a) Be a profitable firm.
b) Be a wholesome firm.
c) Be an ethical firm.
d) Be a legal firm.
A socially responsible firm should strive to be a wholesome firm (highest priority), be
ethical, obey the law, and make a profit (lowest priority). Note that these priorities are a
reverse of the profit maximization goal of most business corporations. In terms of depicting
a firm's pyramid of corporate social responsibility, the top layer represents the good
corporate citizen and the bottom (base) layer represents a profitable firm.

Question 292
Which of the following addresses the economic, legal, ethical, and philanthropic
responsibilities of a corporation?
a) Due diligence audit.
b) Ethics audit.
c) Governance audit.
d) Social audit.
A social audit is a systematic analysis and testing of an organization's success in achieving
its social responsibility. It is a systematic attempt to identify, measure, monitor, and
evaluate an organization's performance with respect to its social efforts, goals, and
programs. The social audit is a systematic and structured review of identifying issues and
problems in the understanding and fulfilling of economic, legal, ethical, and philanthropic
responsibilities, and making recommendations to resolve such issues and problems.

Question 293
Which of the following summarizes philosophies and theories about human rights?
a) Goal congruence principle.
b) Equitable principle.
c) The Golden Rule principle.
d) Deep rock doctrine.
The Golden Rule principle, or the ethic of reciprocity, states that one must treat others as
one would wish to be treated oneself; the underlying principle is that reciprocal recognition
and respect of rights ensure that one's own rights will be protected. This principle can be
found in all the world's major religions in only slightly differing forms.
The equitable principle and the deep rock doctrine are the same in that both refer to
situations in which insiders who become creditors of a company are subordinated to other
creditors when the company becomes insolvent (illiquid or bankrupt).

Question 294
Regarding human rights, which of the following is referred to when people accept rules
from legitimate authority in exchange for security and economic advantage?
a) Social contract.
b) Economic contract.
c) Security contract.
d) Employment contract.
Human rights are based on several theoretical approaches and one of them is described as
a sociological pattern of rule setting. These approaches include the notion that individuals
in a society accept rules from legitimate authority in exchange for security and economic
advantage (a social contract). The other three choices are derivatives of the social contract.

Question 295
Obeying the Foreign Corrupt Practices Act is a part of which of the following faces of
corporate citizenship?
a) Ethical responsibility.
b) Economic responsibility.
c) Legal responsibility.
d) Philanthropic responsibility.
The four faces of corporate citizenship include economic responsibility, legal
responsibility, ethical responsibility, and philanthropic responsibility. All these four faces
are required of business by the society at large. Obeying the Foreign Corrupt Practices Act
is a part of the legal responsibility along with obeying all laws and adhering to all
regulations, fulfilling all contractual obligations, and honoring warranties and guarantees.

Question 296
Which of the following properly defines the roles and interactions of business policy of
an organization?
a) Business policy → Business strategy → Business ethics → Social responsibility.
b) Business strategy → Business policy → Business ethics → Social responsibility.
c) Business policy → Business ethics → Business strategy → Social responsibility.
d) Business law → Business policy → Business ethics → Business strategy.
Business objectives and goals are derived from a company's vision and mission statements
(ends). Business strategy is designed to achieve those objectives and goals (means).
Business policy is a part of strategy execution and implementation in that the policy
supports the strategy. Note that business strategy precedes business policy, whereas
business ethics succeeds business policy. Also, note that business ethics precedes social
responsibility.

Question 297
Which of the following represents a positive outcome of the proxy process?
a) Power, authority, and control flowing upward from management.
b) Power, authority, and control flowing downward from shareholders.
c) Power, authority, and control flowing horizontally from management.
d) Power, authority, and control flowing diagonally from shareholders.
The proxy process is the method by which the shareholders elect boards of directors
(IIA Standard 2110—Governance).

Question 298
Regarding social responsibility, increased pressure is put on corporations to do more good
on which of the following neglected or abused areas?
a) Health and the environment.
b) Customers and employees.
c) Creditors and contractors.
d) Suppliers and vendors.
Business corporations are under pressure to fulfill their voluntary or discretionary
responsibilities and contribute financial resources to improve employee health and the
environment (less pollution and waste) to improve the quality of life. The pressure also
includes helping a community's health and the environment in which it lives.

Question 299
Which of the following provides the highest level of socially responsible practices?
a) Proactive stance.
b) Accommodative stance.
c) Defensive stance.
d) Obstructionist stance.
The proactive stance provides the highest level of socially responsible practices in terms
of fulfilling economic, legal, ethical, and philanthropic responsibilities.

Question 300
Regarding workforce diversity management, which of the following paradigms concretely
connects the diversity to work approaches?
a) The discrimination-and-fairness paradigm.
b) The equal opportunity paradigm.
c) The access-and-legitimacy paradigm.
d) The learning-and-effectiveness paradigm.
The learning-and-effectiveness paradigm incorporates aspects of the other three paradigms
but goes beyond them by concretely connecting diversity to work approaches. This
paradigm works effectively because it taps diversity's true benefits in terms of making
mental connections, legitimating open discussion, working against forms of dominance and
subordination that inhibit full contribution, and ensuring that organizational trust stays
intact.

Question 301
Social responsibility must be considered as a factor in which of the following?
a) Operational planning.
b) Strategic planning.
c) Functional planning.
d) Business unit planning.
Strategic planning is the highest level of planning, performed by the chief executive officer
(CEO) and senior managers of a corporation. Social responsibility cannot be delegated to
lower-level managers because its focus on economic, legal, ethical, and philanthropic
responsibilities requires the attention of the CEO and senior managers. The other three
choices come under the umbrella of strategic planning.

Question 302
Which of the following identifies and mitigates an organization's social networking risks?
a) Social costs.
b) Social media audit.
c) Social contacts.
d) Social benefits.
The social media audit deals with identifying and mitigating an organization's social
networking risks in areas such as governance, policies and procedures, and operational
practices, and not so much on technical issues. Some examples of tools and platforms used
in social media audit include blogs, micro-blogs, image- and video-sharing sites, social
networking sites, location-based sites, professional networking sites, and social
bookmarking sites. The other three choices can be a part of the scope of the social media
audit.

Question 303
Reflecting a society's view of codified ethics is a part of which of the following faces of
corporate citizenship?
a) Ethical responsibility.
b) Economic responsibility.
c) Legal responsibility.
d) Philanthropic responsibility.
The four faces of corporate citizenship include economic responsibility, legal
responsibility, ethical responsibility, and philanthropic responsibility. The society at large
requires all these four faces of business.
Legal responsibilities reflect a society's view of codified ethics in the sense that they
embody basic notions of fair practices as established by a country's lawmakers. It is
business's responsibility to society to comply with these laws.

Question 304
Which of the following helps to keep corporate executives and managers in line regarding
mergers and acquisitions?
a) The market for corporate culture.
b) The market for corporate control.
c) The market for corporate ethics.
d) The market for corporate law.
Merging with or acquiring other companies gives executives and managers control over the
greatest amount of resources and is a major and active role. For this reason, most
companies are in the market for corporate control and the power obtained through mergers
and acquisitions. Mergers and acquisitions give executives and managers more
responsibilities, more income, and more prestige in the company and in society. The other
three choices play only minor and passive roles.

Question 305
Which of the following are not gatekeepers of a corporation?
a) Accountants.
b) Auditors.
c) Managers and executives.
d) Lawyers.
Corporate managers and executives are not gatekeepers of a corporation. Gatekeepers
include accountants, auditors (internal and external), attorneys, investment securities
analysts, credit-rating agencies, and investment bankers. These gatekeepers act, in a way, as
police officers to prevent wrongdoing by corporate management. Examples of such
wrongdoing include manipulating earnings (earnings management), financial restatements,
capitalizing expenses, deferring or misclassifying expenses, hiding liabilities, making risky
investments in hedge funds and derivatives, engaging in off-balance sheet transactions, and
engaging in other types of financial fraud by corporate managers and executives to increase
the stock price and receive big bonuses.
Usually the gatekeepers inform and advise the board of directors and corporate
management about the proper conduct of business. However, these gatekeepers fully ignore
it when directors and managers are involved in wrongdoing and when they are not fulfilling
their agent role to the fullest extent. Ideally, these gatekeepers should be serving investors,
creditors, stockholders, and the general public, not the board of directors and corporate
management. These gatekeepers should assume an independent monitoring or watchdog
role and avoid conflict-of-interest situations that can compromise their independence and
objectivity.

Question 306
Which of the following is often the major culprit in organizational decline?
a) Competitors.
b) Employees.
c) Management.
d) Investors.
Out of all the parties listed, organizational decline results from management complacency
(often the major culprit), unsteady economic growth, resource shortages, competition, and
weak demand for products and services. The parties listed in the other three choices are the
victims of an organization's decline.

Question 307
Expressed as a percentage, what is the degree of objective risk if a company owns 1,000
cars, has averaged 30 collision losses per year, the collision losses will very likely range
between 35 and 45, and last year's loss experience was 25?
a) 25%.
b) 30%.
c) 33.3%.
d) 40%.
Objective risk is probable variation of actual from expected losses divided by expected
losses. (45 – 35)/30 = 10/30 = 33.3%. The loss experience information is not relevant here
(IIA Standard 2120—Risk Management).

Question 308
The purchase of insurance is a common form of:
a) Risk retention.
b) Risk transfer.
c) Risk avoidance.
d) Loss control.
The most widely used form of risk transfer is insurance (IIA Standard 2120—Risk
Management).

Question 309
Risk transfer is most likely ideal for a risk with a:
a) High degree of diversification and a low potential severity.
b) Low expected frequency and a low potential severity.
c) High expected frequency and a high potential severity.
d) Low expected frequency and a high potential severity.
Risk transfer often is the optimal choice for risks that have a low expected frequency but a
high potential severity (IIA Standard 2120—Risk Management).

Question 310
Which of the following is not an example of risk retention?
a) Use of credit.
b) Use of reserve funds.
c) Incorporation.
d) Self-insurance.
Incorporating an organization is an example of risk transfer. The other three choices are
examples of risk retention (IIA Standard 2120—Risk Management).

Question 311
Which of the following does not have to be present in order to start a self-insurance
program?
a) A weak general financial condition so that the savings of insurance
premiums will be material to the firm.
b) A sufficient number of exposure units to enable accurate loss
prediction.
c) The establishment of a fund for the specific purpose of prefunding
expected losses.
d) Accurate records of past losses.
The following conditions are suggestive of the types of situations where self-insurance by
a business is both possible and feasible: (1) The firm should have a sufficient number of
objects so situated that they are not subject to simultaneous destruction; (2) The firm must
have accurate records or have access to satisfactory statistics to enable it to make good
estimates of expected losses; (3) The firm must make arrangements for administering the
plan and managing the self-insurance fund; and (4) The general financial condition of the
firm should be satisfactory, and the firm's management must be willing and able to deal
with large and unusual losses (IIA Standard 2120—Risk Management).

Question 312
Regarding risk management, captive insurers combine which of the following?

I. Risk retention.
II. Risk transfer.
III. Risk mapping.
IV. Risk profiling.

a) I and II.
b) II and III.
c) III and IV.
d) I and IV.
Captive insurers combine risk retention and risk transfer. Captive insurers are a form of
funded risk retention (IIA Standard 2120—Risk Management).

Question 313
Which of the following is not an example of risk retention?
a) Self-insurance.
b) Using a disclaimer of warranties clause on product packaging.
c) Unplanned retention.
d) Use of a reserve fund to prefund physical damage to company cars.
Using a disclaimer of warranties clause on product packaging is an example of risk
avoidance (IIA Standard 2120—Risk Management).

Question 314
The first step in selecting available risk management techniques is to:
a) Implement appropriate loss control measures.
b) Select the optimal mix of risk retention and risk transfer.
c) Avoid risks if possible.
d) Determine the availability of risk management tools.
The steps for selecting among available risk-management techniques for a given situation
may be summarized as: (1) avoid risks if possible, (2) implement appropriate loss control
measures, and (3) select the optimal mix of risk retention and risk transfer (IIA Standard
2120—Risk Management).

Question 315
Which of the following is not an example of risk transfer?
a) Diversification.
b) Hedging.
c) Self-insurance.
d) Hold-harmless agreements.
Self-insurance is an example of risk retention. Risk transfer methods include
diversification, hedging, and hold-harmless agreements (IIA Standard 2120—Risk
Management).

Question 316
Which statement is true about risk management?
a) Capital budgeting and statistical analysis cannot be used to select the
best mix of risk retention and transfer.
b) Deductibles and self-insurance cannot be used together.
c) Capital budgeting and statistical analysis can be used to select the best
mix of risk retention and transfer.
d) Risk transfer is the same thing as insurance.
Both capital budgeting and statistical procedures may be used in selecting an appropriate
retention level (a mix consisting of risk retention and transfer), with insurance purchased
for losses in excess of that level (IIA Standard 2120—Risk Management).

Question 317
A tool that generally is not used to manage subjective risk is:
a) Obtaining more information.
b) Group discussion.
c) Systematically identifying and analyzing appropriate methods for
dealing with risks.
d) Severity reduction.
Severity reduction is used to manage objective risk due to its quantitative nature. Because
objective and subjective risks are often both present in the same situation, some
consideration must also be given to managing subjective risk. In one sense, the techniques
applied to objective risk should also affect subjective risk (IIA Standard 2120—Risk
Management).

Question 318
Which of the following are steps in the four-step risk management process?
a) Select risk-management techniques and purchase insurance on selected
risks.
b) Select risk-management techniques and identify risks.
c) Select risk-management techniques, purchase insurance on selected
risks, and identify risks.
d) Identify risks and analyze severity of expected losses.
The risk-management process involves identifying risks, evaluating risks, selecting risk-
management techniques, and implementing and reviewing decisions (IIA Standard 2120—
Risk Management).

Question 319
Regarding risk management, “high” and “low” loss frequency and severity are:
a) Considered the same for all firms.
b) Defined differently for different firms.
c) Identifiable by industry standards.
d) Unimportant when considering risk avoidance.
What constitutes “high” and “low” loss frequency and severity must be established on an
individual basis. What is low loss severity for a multimillion-dollar company may be quite
high for a small firm or an individual. In this regard, concepts such as total assets, net
worth, and expected future income all are relevant (IIA Standard 2120—Risk
Management).

Question 320
Regarding risk management, insurance should be purchased for losses in excess of the
firm's:
a) Risk avoidance level.
b) Short-term assets.
c) Expected losses.
d) Retention level.
Because in many situations both risk retention and risk transfer will be used in varying
degrees, it is important to determine the appropriate mix of these two risk-management
techniques. Both capital budgeting methods and statistical procedures may be used in
selecting an appropriate retention level, with insurance purchased for losses in excess of
that level (IIA Standard 2120—Risk Management).

Question 321
All of the following conditions are suggestive of the types of situations where self-
insurance by a business is both possible and feasible except:
a) Objects at risk are not subject to simultaneous destruction.
b) The firm must administer the plan with existing, in-house personnel.
c) The firm has accurate records or has access to satisfactory statistics
regarding the probability of loss.
d) The firm is in satisfactory financial condition.
Self-insurance can be contracted out to a third-party administrator so there is no need to
have an in-house staff to administer it. The following conditions are suggestive of the types
of situations where self-insurance by a business is both possible and feasible: (1) The firm
should have a sufficient number of objects so situated that they are not subject to
simultaneous destruction; (2) The firm must have accurate records or have access to
satisfactory statistics to enable it to make good estimates of expected losses; (3) The firm
must make arrangements for administering the plan and managing the self-insurance fund;
and (4) The general financial condition of the firm should be satisfactory, and the firm's
management must be willing and able to deal with large and unusual losses (IIA Standard
2120—Risk Management).

Question 322
Which of the following best represents the business impact analysis as a risk management
tool?
a) This analysis involves the assignment of probability estimates to
alternative outcomes and summing the products of the various
outcomes.
b) This analysis can be applied to any business function, operation, or
mission and the results are then integrated into business strategies,
plans, policies, and procedures.
c) This analysis is conducted after identifying all possible controls and
evaluating their feasibility and effectiveness for each proposed control
to determine which controls are required and appropriate for their
circumstances.
d) This analysis indicates how much change in outputs will occur in
response to a given change in inputs.
This is the best definition of business impact analysis (IIA Standard 2120—Risk
Management).

Question 323
BIK Corporation is determining its objective risk resulting from fire incidents among its
four warehouses. Each warehouse has the same area (one million square feet), and each
warehouse has a total of 100 minor and major fire incidents per year. The corporate risk
management department estimated the actual number of fire incidents during the next year
as a range, with outcome probabilities, as shown in the following table.

Warehouse   Fire incidents (range)   Outcome probability
1           95-105                   Most likely
2           80-120                   Most likely
3           70-80                    Most likely
4           80-85                    Most likely

Which of the following warehouses has the highest degree of objective risk?
a) Warehouse 1.
b) Warehouse 2.
c) Warehouse 3.
d) Warehouse 4.
The correct answer is intuitive and does not require any calculations. Because all four
warehouses have the same outcome probabilities and the same space area, one needs to look
only at the number of fire incidents and select the warehouse with the widest range of fire
incidents.

Question 324
Which of the following best represents the fit-gap analysis as a risk management tool?
a) This analysis determines the difference between the actual outcome
and the expected outcome.
b) This analysis is used for managing uncertainty as it may be subdivided
into sequential decision analysis and irreversible investment theory.
c) This analysis deals with quantitative data in terms of dollars and ratios.
d) This analysis involves assigning weights to responses to questions
addressing areas that may introduce elements of risk.
Fit-gap analysis compares actual outcomes with expected outcomes and determines whether
these outcomes fit with each other or whether any gap is left between them (IIA Standard
2120—Risk Management).

Question 325
The price of crude oil per barrel today is $105.00 and there is a 25% probability of the price
rising to $115.00 in the next year, a 25% chance it will fall to $100.00, and a 50% chance
of a slight increase to $110.00. Which of the following is the future price of one barrel of
crude oil using an expected value approach and rounding up the answer?
a) $108.00.
b) $109.00.
c) $113.00.
d) $115.00.
Expected value approach involves the assignment of probability estimates to alternative
outcomes and summing the product of the various outcomes.
$115 × 0.25 + $100 × 0.25 + $110 × 0.50 = $28.75 + $25.00 + $55.00 = $108.75, which rounds up to $109.00.

Question 326
Regarding quantitative methods in risk management, which of the following correctly
describes exposure factor?
a) This risk metric provides a percentage measure of potential loss up to
100% of the value of the asset.
b) This risk metric deals with the chance or likelihood of an expected
monetary loss attributable to a threat event.
c) This risk metric is central in the cost-benefit analysis of risk mitigation
and in ensuring proportionality in resources allocated to protection of
assets.
d) This risk metric presents the expected monetary cost of a threat event.
This best describes the exposure factor (IIA Standard 2120—Risk Management).

Question 327
If SLE is single-loss exposure value, ALE is annualized loss expectancy, and ARO is
annualized rate of occurrence, which of the following equations correctly computes the
SLE?
a) SLE = Asset value × Threat frequency.
b) ALE = Exposure factor × Probability of loss.
c) SLE = Asset value × Exposure factor.
d) ALE = ARO × SLE.
This is the best equation to calculate the single-loss exposure value.

Question 328
If SLE is single-loss exposure value, ALE is annualized loss expectancy, and ARO is
annualized rate of occurrence, which of the following equations correctly calculates the
ALE?
a) SLE = Asset value × Threat frequency.
b) ALE = Exposure factor × Probability of loss.
c) SLE = Asset value × Exposure factor.
d) ALE = ARO × SLE.
This is the best equation to calculate the annualized loss expectancy.

Question 329
Risk is defined as:
a) Uncertainty concerning loss.
b) The probable variation of actual from expected experience.
c) The long-run chance of occurrence or relative frequency of loss.
d) A specific contingency that may cause loss.
Risk means uncertainty. Risk regarding the possibility of loss can be especially
problematic. It is when there is uncertainty about the occurrence of a loss that risk becomes
an important problem (IIA Standard 2120—Risk Management).

Question 330
When performing risk analysis, annual loss exposure is calculated as:
a) Impact multiplied by frequency of occurrence.
b) Impact minus frequency of occurrence.
c) Impact plus frequency of occurrence.
d) Impact divided by frequency of occurrence.
Annual loss exposure is calculated as impact multiplied by frequency of occurrence.
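The formulas from Questions 307, 323, 325, 327, 328, 330 and 331 carried through in code, as an added example that is not part of the question bank. The objective-risk, warehouse and crude-oil figures are the ones the questions give; the SLE/ALE inputs (asset value $200,000, exposure factor 0.25, ARO 0.1) and the $3,000 control cost are constructed assumptions.

```python
"""Quantitative risk formulas from the questions above, carried through in code."""
import math
from typing import Sequence


def objective_risk(low: float, high: float, expected: float) -> float:
    """Degree of objective risk = probable variation / expected losses (Question 307).

    Returns a fraction: 0.333... for a 35-45 loss range against 30 expected losses.
    """
    if expected <= 0:
        raise ValueError("expected losses must be positive")
    if high < low:
        raise ValueError("upper bound of the range must not be below the lower bound")
    return (high - low) / expected


def highest_objective_risk(sites: dict[str, tuple[float, float, float]]) -> str:
    """Return the key with the largest objective risk (Question 323).

    Each value is (low, high, expected). When expected losses are equal, the
    widest range wins, which is the intuitive answer the explanation gives.
    """
    return max(sites, key=lambda name: objective_risk(*sites[name]))


def expected_value(outcomes: Sequence[tuple[float, float]]) -> float:
    """Sum of outcome x probability (Question 325); probabilities must sum to 1."""
    total = sum(p for _, p in outcomes)
    if not math.isclose(total, 1.0):
        raise ValueError(f"probabilities sum to {total}, not 1")
    return sum(value * p for value, p in outcomes)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (Question 327).

    The exposure factor is the share of the asset value lost in one event
    (Question 326), so it must lie between 0 and 1 inclusive.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO x SLE (Questions 328 and 330)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return aro * sle


def control_is_cost_justified(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds its own annual cost.

    This is the cost-benefit use of ALE that Question 331 points to.
    """
    return (ale_before - ale_after) > annual_cost


if __name__ == "__main__":
    # Figures from Question 307.
    print(f"Objective risk (Q307): {objective_risk(35, 45, 30):.1%}")

    # Table from Question 323: (low, high, expected) per warehouse.
    warehouses = {"1": (95, 105, 100), "2": (80, 120, 100),
                  "3": (70, 80, 100), "4": (80, 85, 100)}
    print("Highest objective risk (Q323): warehouse", highest_objective_risk(warehouses))

    # Crude-oil outcomes from Question 325.
    ev = expected_value([(115.0, 0.25), (100.0, 0.25), (110.0, 0.50)])
    print(f"Expected price (Q325): ${ev:.2f}, rounded up to ${math.ceil(ev):.2f}")

    # Constructed sample inputs for SLE/ALE; these numbers are not from the question bank.
    sle = single_loss_expectancy(asset_value=200_000, exposure_factor=0.25)
    ale = annualized_loss_expectancy(sle, aro=0.1)
    print(f"SLE ${sle:,.0f}, ALE ${ale:,.0f}")
    # Constructed control: halves the ALE at $3,000 per year.
    print("Control cost-justified:", control_is_cost_justified(ale, ale / 2, 3_000))
```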

Question 331
The costs and benefits of control techniques should be measured in monetary terms where
possible. Which of the following is the most effective means to measure the cost of
addressing relatively frequent threats?
a) Single-occurrence losses.
b) Annual loss expectancy.
c) Fatal losses.
d) Catastrophic losses.
Annual loss expectancy best describes the answer.

Question 332
Regarding risk management tools, all of the following are examples of qualitative methods
except:
a) Checklists.
b) Self-assessments.
c) Subjective scoring.
d) Intuitive approach.
Subjective scoring is an example of a quantitative method in risk management.

Question 333
Regarding risk management tools, subject matter experts (SMEs) participate in which of
the following?
a) Focus groups.
b) Interviews.
c) Surveys.
d) Delphi technique.
In the Delphi technique, SMEs present their own view of risks independently and
anonymously, which are then centrally compiled. The process is repeated until consensus
is obtained.

Question 334
Regarding risk management tools, the Delphi technique is a method used to avoid which
of the following?
a) Group shift.
b) Group dynamics.
c) Groupthink.
d) Group culture.
The Delphi technique is a method used to avoid groupthink, as the subject matter experts
do not meet face-to-face to make decisions. Groupthink is related to norms and describes
situations in which group pressures for conformity deter the group from critically
appraising unusual, minority, or unpopular views.

Question 335
Which of the following is the scope of traditional corporate risk management?

I. Treats risk as downside phenomenon.
II. Treats risk as both upside and downside phenomenon.
III. Focuses on partial portfolio of risks such as financial and hazard risks.
IV. Focuses on total portfolio of risks such as financial, hazard, strategic, and
operational risks.

a) I only.
b) I and III.
c) II only.
d) II and IV.
Items I and III define the scope of traditional corporate risk management, which
focuses on a partial portfolio of risks using a silo approach, whereas items II and IV
define the scope of enterprise risk management (ERM). The scope of ERM is much
broader than the traditional view as it focuses on the total portfolio of risks (IIA Standard
2120—Risk Management).

Question 336
Which of the following is not a part of scorecard approach in improving the enterprise risk
management (ERM) process?
a) An establishment of metrics.
b) A timeframe for managing risks.
c) A review for validity of metrics.
d) A link to shareholder value.
Scorecards are a part of improving the ERM process. Scorecards include establishment of
metrics, a timeframe for managing risks, and a link to shareholder value. A review for
validity of metrics is a part of monitoring, which is another part of the ERM approach along
with action plans (IIA Standard 2120—Risk Management).

Question 337
Regarding alternative risk transfer (ART) tools, which of the following best describes the
function of captive insurance method?
a) It involves the creation of bonds, or derivatives contracts, options, swaps, or futures,
which have a payout or price movement that is linked to an insurance risk.
b) It combines a pure risk with a financial risk.
c) It spreads risk over time, as opposed to across a pool of similar exposures.
d) It combines risk transfer and risk retention.
Choice (d) best describes the function of the captive insurance method. ART methods are
alternatives to traditional insurance and reinsurance coverage; they provide risk-bearing
companies with the coverage and protection they need through the convergence of
insurance and financial markets. The scope of ART methods includes risk securitization
(e.g., catastrophe options, earthquake bonds, catastrophe bonds, and catastrophe equity
puts), dual-trigger or multiple-trigger insurance, financial reinsurance, industry loss
warranties, weather derivatives, intellectual property insurance, and enterprise-wide risk
insurance coverage (IIA Standard 2120—Risk Management).

Question 338
Which of the following financial and accounting practices is not a risk for public
corporations?
a) Financial engineering.
b) Earnings management.
c) Creative accounting.
d) Off the books accounts.
The scope of financial engineering involves creating new financial instruments (e.g.,
derivative securities) or combining existing derivatives to accomplish specific hedging
goals (i.e., to reduce financial risk).

Question 339
Which of the following can be applied to insurance and reinsurance areas as part of a
company's risk management program?
a) Insurance engineering.
b) Hedge engineering.
c) Financial engineering.
d) Securities engineering.
Financial engineering can be applied to insurance and reinsurance areas using captive
insurance methods and alternative risk transfer methods, as part of a company's risk
management and risk mitigation strategy (IIA Standard 2120—Risk Management).

Question 340
Risk can be categorized as:
a) Objective-subjective and perils-hazards.
b) Objective-subjective, physical-moral-morale, and pure-speculative.
c) Static-dynamic, subjective-objective, and pure-speculative.
d) Objective-subjective, physical-moral-morale, pure-speculative, and perils-hazards.
Risks can be classified into three types: static versus dynamic, subjective versus objective,
and pure versus speculative.

Question 341
Which of the following factors contribute most to business risk for corporations?

I. Sales or revenues variability.
II. Operating leverage.
III. A project's stand-alone risks.
IV. A project's corporate risks.

a) I and II.
b) II and III.
c) I and III.
d) III and IV.
Sales or revenue variability and operating leverage (items I and II) contribute most to
business risk for a corporation. Operating leverage is defined in terms of the way a given
change in sales volume affects net operating income or earnings before interest and taxes.
When these two items move together, either in a positive direction (up) or a negative
direction (down), the negative direction causes the most risk.
A project's stand-alone risk is measured by the variability of the project's expected returns.
A project's corporate risk is measured by the project's impact on the firm's earnings
variability. It does not consider the effects of stockholders' diversification. The effects of
items III and IV are narrow as they are limited to a specific project, and they are not as
broad as the items I and II where the latter items affect the entire corporation (IIA Standard
2120—Risk Management).

Question 342
Which of the following alternative risk-transfer tools are more commonly used than the
others in practice?
a) Captive insurance methods and financial insurance contracts.
b) Multiple-trigger policies and risk securitization.
c) Multiline insurance contracts and captive insurance methods.
d) Multiyear insurance contracts and multiple-trigger policies.
Multiple-trigger policies and securitization tools are more commonly used than the others
listed. Multiple-trigger policies reflect the source of the risk, which is not as important as
the impact of the risk on a firm's earnings. Here, a pure risk is combined with a financial
risk. The policy is triggered, and payment is made, only upon the occurrence of an adverse
event.
Risk securitization involves the creation of securities such as bonds, or derivatives
contracts, options, swaps, and futures, which have a payout or price movement that is
linked to an insurance risk. Examples include catastrophe options, earthquake bonds,
catastrophe bonds, and catastrophe equity puts (IIA Standard 2120—Risk Management).

Question 343
DPS Company had 20 fire losses in 2011, 21 in 2010, 43 in 2009, 38 in 2008, and 29 in
2007. What is the standard deviation of losses?
a) 9.11.
b) 43.00.
c) 30.20.
d) 82.96.
Standard deviation is a measure of dispersion, or spread, of a data distribution from its
expected value; it is the square root of the variance. In other words, the variance is the
standard deviation squared. The standard deviation is a calculated measure of variability
that shows how much the data are spread around the mean. The calculation proceeds as
follows:
First, calculate the average of the five years' losses: (20 + 21 + 43 + 38 + 29)/5 = 151/5
= 30.2
Next, calculate the variance by adding the squares of each deviation from the average
(mean) and then dividing the result by five:
(20 – 30.2)² + (21 – 30.2)² + (43 – 30.2)² + (38 – 30.2)² + (29 – 30.2)²
= 104.04 + 84.64 + 163.84 + 60.84 + 1.44 = 414.8
414.8/5 = 82.96
Last, calculate the standard deviation by taking the square root of the variance:
√82.96 = 9.11.

Question 344
Which of the following defines the relationship between revenues and costs?
a) Natural hedges.
b) Perfect hedge.
c) Corporate hedging.
d) Stockholders' homemade hedging.
Hedging is taking a position opposite to the exposure or risk in order to minimize risk. This
can be done with financial derivatives such as futures contracts, forward contracts, options,
or swaps. Natural hedges are created from the natural relationship that exists between
revenues (prices) and costs of a business unit. A perfect hedge is not possible because the
final elements used to hedge do not move in concert. It has been proven that the value
created for stockholders through corporate hedging does not duplicate or equal the value
created for stockholders through their own homemade hedging (i.e., using diversification
or other ways).

Question 345
An organization's information systems are facing potential risks, threats, and
vulnerabilities. Which of the following are the best ways to mitigate such risks, threats,
and vulnerabilities?

I. Use the least-cost approach.
II. Implement the most appropriate controls.
III. Focus on minimizing adverse impact.
IV. Use the best-of-breed approach.

a) I and II.
b) I, II, and III.
c) II and IV.
d) I, II, III, and IV.
Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-
reducing security controls recommended from the risk assessment process. Because the
elimination of all risk is usually impractical or close to impossible, management should use
the least-cost approach and implement the most appropriate controls to decrease risk to an
acceptable level, with minimal adverse impact on the organization's resources. The best-
of-breed approach uses appropriate technologies from among the various vendor security
products, along with the appropriate risk mitigation options and nontechnical and
administrative security measures (IIA Standard 2120—Risk Management).

Question 346
For risk mitigation strategies, which of the following is not a proper action to take when
there is a likelihood that a vulnerability can be exploited in information systems?
a) Implement assurance techniques.
b) Apply layered protections.
c) Apply administrative controls.
d) Implement architectural design.
Assurance is the grounds for confidence that the set of intended security controls in an
information system are effective in their application. Assurance techniques include
trustworthiness and predictable execution, which may not be effective or timely.

Question 347
Which of the following has been determined to be a reasonable level of risk?
a) Minimum risk.
b) Acceptable risk.
c) Residual risk.
d) Total risk.
Acceptable risk is the level of residual risk that has been determined to be a reasonable
level of potential loss or disruption for a specific computer system (IIA Standard 2120—
Risk Management).

Question 348
Regarding information system security, the aim of risk analysis is to strike a(n):
a) Technical balance between the impact of risks and the cost of protective measures.
b) Operational balance between the impact of risks and the cost of protective measures.
c) Economic balance between the impact of risks and the cost of protective measures.
d) Legal balance between the impact of risks and the cost of protective measures.
The aim of a risk analysis is to help information technology management strike an
economic balance between the impact of risks and the cost of protective measures. It lists
risks first and protective measures second. This is based on the economic principle that
one should not spend ten dollars on protective measures to address a one-dollar risk.

Question 349
To estimate the losses likely to occur when a threat is realized or a vulnerability is
exploited, which of the following loss categories allow management the best means to
estimate their potential losses?
a) Single occurrence loss, actual loss.
b) Expected loss, catastrophic loss.
c) Catastrophic loss, actual loss.
d) Expected loss, single occurrence loss.
Two loss categories are usually identified: (i) losses caused by threats with reasonably
predictable occurrence rates, referred to as expected losses, which are expressed in dollars
per year and computed as the product of occurrence rate, loss potential, and vulnerability
factor; and (ii) losses caused by threats with a very low rate of occurrence (low
probability) that is difficult to estimate but that would cause a very high loss if they were
to occur (high-consequence risk), referred to as single occurrence losses and expressed as
the product of loss potential, vulnerability factor, and asset value. A catastrophic loss is a
loss greater than the organization's equity. An actual loss is the amount of assets or lives
lost. Neither catastrophic loss nor actual loss enters into risk assessment because they are
not estimable.

Question 350
With respect to information security, residual risk is calculated as which of the following?
a) Major vulnerabilities minus minor vulnerabilities.
b) Major threats minus minor threats.
c) Probable risks minus possible risks.
d) Potential risks minus countermeasures applied.
Residual risk is the remaining risk after all security measures (i.e., countermeasures,
security controls, and safeguards) are applied. Potential risks include all possible and
probable risks. Countermeasures cover some, but not all risks. Therefore, the residual risk
is potential risks minus countermeasures applied.

Question 351
Risk managers do not use which of the following approaches to identify risks?
a) Contract analysis.
b) Statistical analysis.
c) Financial engineering.
d) Onsite inspections.
Flowcharts, contract analysis, statistical analysis, onsite inspections, and others are used to
identify risks. Financial engineering is used to reduce financial risk. This includes options,
calls, and puts (IIA Standard 2120—Risk Management).

Question 352
In terms of information systems security, a risk is defined as which of the following
combinations?
a) Attack plus vulnerability.
b) Threat plus attack.
c) Threat plus vulnerability.
d) Threat plus breach.
Vulnerability is a weakness in security policy, procedure, personnel, management,
administration, hardware, software, or facilities affecting security that may allow harm to
an information system. The presence of vulnerability does not in itself cause harm. It is a
condition that may allow the information system to be harmed by an attack. A threat is any
circumstance or event with the potential to cause harm to a system in the form of
destruction or modification of data or denial-of-service.
An attack is an attempt to violate data security. A risk is the probability that a particular
threat can exploit a particular vulnerability of a system. An exposure is an instance of
vulnerability in which losses may result from the occurrence of one or more attacks.
A breach is the successful circumvention or disablement of a security control, with or
without detection, which if carried to completion, could result in a penetration of the
system.
A countermeasure is any action, control, device, procedure, technique, or other measure
that reduces the vulnerability of a threat to a system.

Question 353
Which of the following security risk assessment techniques uses a group of experts as the
basis for making decisions or judgments?
a) Risk assessment audits.
b) Delphi method.
c) Expert systems.
d) Scenario-based threats.
The Delphi method uses a group decision-making technique. The rationale for using this
technique is that it is sometimes difficult to get a consensus on the cost or loss value and
the probabilities of loss occurrence. Group members do not meet face-to-face. Rather, each
group member independently and anonymously writes down suggestions and submits
comments that are then centrally compiled. This process of centrally compiling the results
and comments is repeated until full consensus is obtained.

Question 354
Which of the following components of the enterprise risk management (ERM) framework
addresses processes and people in an organization?
a) Strategic risks.
b) Operational risks.
c) Financial risks.
d) Hazard risks.
The operational risk is related to the organization's internal systems, products, services,
processes, technology, and people (IIA Standard 2120—Risk Management).

Question 355
Which of the following is not the goal of enterprise risk management (ERM) initiatives?
a) Integrating risks.
b) Creating shareholder value.
c) Protecting shareholder value.
d) Enhancing shareholder value.
The ERM approach is more than just integrating risks, where risks are a part of uncertainty.
The goal of an ERM initiative is to create, protect, and enhance shareholder value by
managing the uncertainties that could affect the achievement of the organization's
objectives (IIA Standard 2120—Risk Management).

Question 356
The scope of enterprise risk management (ERM) encompasses which of the following?

I. Creating opportunities.
II. De-risking opportunities.
III. Analyzing strengths.
IV. Focusing on weaknesses.

a) I and II.
b) I and III.
c) III and IV.
d) I, III, and IV.
According to the IIA Research Foundation, ERM defines risk as any event or action that
could adversely influence an organization's ability to achieve its objectives. ERM
encompasses the more traditional view of potential hazards (threats) as well as
opportunities. Management must consider de-risking the opportunities when creating and
evaluating new opportunities. Risks and opportunities move together, and the key is to
determine whether the potential of a given opportunity exceeds its risks.

Question 357
The enterprise risk management (ERM) focuses on which of the following?
a) Value-added potential.
b) Risk management process.
c) Asset management principles.
d) Management accountability.
According to the IIA Research Foundation, the chief audit executives of the study
companies understand the value-added potential of ERM, which made them very effective
ERM champions. ERM adds value because it is both inward-looking and forward-thinking
(IIA Standard 2120—Risk Management).

Question 358
The role and focus of the internal audit function in enterprise risk management (ERM) with
the objective of improving corporate governance includes which of the following?

I. Follow-up on ERM scorecards.
II. Internal controls for ERM.
III. The IIA's Standards on ERM.
IV. Follow-up on ERM metrics.

a) I and II.
b) II and III.
c) I and IV.
d) III and IV.
Traditionally, the internal audit's role has been to provide a reliable, overall assessment of
risks and internal control effectiveness. In light of ERM implementation in improving
corporate governance, internal auditors now (1) take a more business-oriented approach to
auditing the company's operations, (2) change their audit approach to focus on business
risk, (3) perform more effective follow-up on open ERM scorecards and metrics to
increase management accountability, and (4) review formal action plans developed by
management as part of the ERM implementation. Scorecards, metrics, and formal action
plans are key parts of the ERM infrastructure.

Question 359
Which of the following attributes of the internal audit department can hinder the
implementation of enterprise risk management (ERM) in the auditor's organization?

I. Control-based audit approach.
II. Use of traditional auditing tools.
III. Consultant role.
IV. Facilitation skills.

a) I and II.
b) II and III.
c) I and IV.
d) III and IV.
In order to meet the ERM implementation challenge, the internal auditor should (1) use a
risk-based audit approach (not a control-based approach), (2) be a consultant to the ERM
implementation team (not as a policeman), (3) focus on future events (not past events), and
(4) acquire competent skills to become an ERM facilitator (not use traditional accounting
and auditing tools and skills).

Question 360
From enterprise risk management viewpoint, control processes are implemented in which
of the following?
a) Risk assessment.
b) Risk mitigation.
c) Risk financing.
d) Risk monitoring.
Controls are implemented in the risk mitigation phase in order to reduce the effects of risks
(IIA Standard 2120—Risk Management).

Question 361
From enterprise risk management (ERM) viewpoint, the scope of traditional risk
management includes:
a) Insurance.
b) Earnings growth.
c) Revenue growth.
d) Corporate governance.
Traditionally, risk management has been focused more narrowly in terms of scope of risks,
types of risk management strategies, and the impact and nature of risk. The strategies have
concentrated on insurance solutions primarily. Now the focus of ERM is broad, covering
areas such as earnings growth, revenue growth, and corporate governance (IIA Standard
2120—Risk Management).

Question 362
In the past, John's Car Repair Shop has averaged 5 injuries among its 30 employees per
year. What is the probability of an employee injury this year?
a) 0.1667.
b) 16.67.
c) 6.67.
d) 1.67.
This question is based on probability calculation, which ranges from 0 to 1. The probability
of an employee being injured is defined as the chance of injury in terms of number of
injuries divided by the number of employees. 5/30 equals 0.1667 (IIA Standard 2120—
Risk Management).

Question 363
In implementing enterprise risk management (ERM), most organizations are following
a(n):
a) Layered approach.
b) Total risk approach.
c) Early wins approach.
d) Pilot project approach.
Most organizations are seeking early wins that will help build momentum and promote
further development toward their ideal ERM process (IIA Standard 2120—Risk
Management).

Question 364
From enterprise risk management viewpoint, all of the following can oversee risk
management activities except:
a) Chief financial officer.
b) Chief executive officer.
c) Chief audit executive.
d) Chief risk officer.
According to the IIA survey respondents, 30% felt that the chief audit executive is
responsible for overseeing enterprise risk management or compliance activities. The chief
financial officer was second with 24% and the chief risk officer was third with 21%. The
chief executive officer was not involved in this activity.

Question 365
Organizations do not view enterprise risk management (ERM) as a(n):
a) Analytical tool.
b) Risk mapping tool.
c) Optimization software tool.
d) Performance management system tool.
The IIA survey indicated that some organizations see ERM as an analytical tool rather than
as a performance management system. Other tools of importance include risk mapping or
optimization software.

Question 366
According to the IIA survey regarding enterprise risk management, which of the following
is ranked as the highest business issue today?
a) Earnings consistency.
b) Expense control.
c) Earnings growth.
d) Revenue growth.
Earnings growth received the highest rating. Similarly, revenue growth was the second
highest ranked business issue. Expense control or reduction was ranked as the third most
important issue today; however, a few years from now earnings consistency is expected to
be viewed as the third most important issue.

Question 367
Enterprise risk management (ERM) is seen as providing immediate value in which of
the following areas?

I. Capital management.
II. Earnings consistency.
III. Contingency planning.
IV. Expense control.

a) I only.
b) II only.
c) I and III.
d) II and IV.
The IIA survey respondents indicated that capital management and contingency plans
provide significant and immediate value. They also believed that ERM could assist with
earnings consistency and expense control.

Question 368
Which of the following is the major barrier to implementing enterprise risk management
program?
a) Unclear benefits.
b) Lack of tools.
c) Organizational turf battles.
d) Organizational culture.
The IIA survey respondents indicated that organizational culture is the top barrier followed
by unclear benefits to senior management, lack of formalized process, organizational turf
battles, and lack of tools.

Question 369
Comprehensive risk assessment does not exist in which of the following functions?
a) Human resources.
b) Finance.
c) Operations.
d) Internal audit.
The IIA survey respondents reported that most internal auditing, finance, and operations
functions have a formal, comprehensive risk assessment process in place. In contrast, only
21% of respondents reported that risk assessment activity related to the human resource
function.

Question 370
Risk management has evolved from which of the following?
a) Operations research.
b) Decision theory.
c) Insurance management.
d) Management science.
Risk management has evolved from insurance management. The strategic factor in the
transition from insurance management to risk management was the evolution of decision
theory, operations research, and management science disciplines. The other choices use a
scientific approach to decision making. Decision theory provides a basis for judging the
goodness or badness of decisions before the outcome is known. Decision theory has its
roots in operations research and management science (IIA Standard 2120—Risk
Management).

Question 371
Risk management is concerned primarily with:
a) Dynamic risks.
b) Pure risks.
c) Speculative risks.
d) Fundamental risks.
Pure risks are those in which there is a chance of loss or no loss only. Pure risks are of
several types, including personal risks, property risks, liability risks, and performance risks.
Examples include personal risks (death, sickness, or disability), property risks (damage to
or destruction of property, and the loss of use of property that has been damaged), liability
risks (liability suits arising out of automobiles), performance risks (risks resulting from
human failure of a contractor to complete a project, default of a debtor). Risk management
deals with both insurable and uninsurable risks. Although the major focus of most risk
managers is on insurable risks, the more appropriate realm of risk management is pure risk.
The risk manager cannot ignore those pure risks that are not insurable (e.g., shoplifting
losses in a retail store that are rarely insurable).

Question 372
John, the general manager of John's Car Repair Shop, wants to know more about the 5
injuries among the shop's 30 employees. One loss was a wrist sprain that has a probability
of 0.06. Another was a back sprain with a probability of 0.07. Yet another was
over-inhalation of a hazardous substance with a probability of 0.02. The other two were
slips and falls with a probability of 0.13. If the amounts of the losses were $700, $3,000,
$2,500, $950, and $1,000, respectively, what is the expected value of an employee injury
loss for that year?
a) $500.50.
b) $432.00.
c) $555.50.
d) $513.50.
The expected value is defined as the probability of loss multiplied by the amount of loss.
0.06 × $700 + 0.07 × $3,000 + 0.02 × $2,500 + 0.13 × $950 + 0.13 × $1,000 = $42 + $210
+ $50 + $123.50 + $130 = $555.50 (IIA Standard 2120—Risk Management).

Question 373
A business firm with an inventory of obsolete stock that is over-insured might represent
which of the following?
a) A moral hazard.
b) A morale hazard.
c) A physical hazard.
d) A legal hazard.
A hazard is a condition that increases the probability of loss from a peril. Examples include
faulty wiring and improper storage of flammables. Moral hazard is a dishonest tendency,
and examples include businesses that are losing money, obsolete inventory that is over-
insured, and false claims to defraud an insurer.

Question 374
Which of the following techniques for dealing with risk may represent a special variation
of other techniques?
a) Risk financing.
b) Risk retention.
c) Risk sharing.
d) Risk transfer.
Risk sharing is viewed as a special case of risk transfer, in which the risk is transferred
from the individual to the group. It may also be a form of risk retention, depending on the
success of the risk-sharing arrangement. Both risk retention and risk transfers are part of
risk financing (IIA Standard 2120—Risk Management).

Question 375
Risk avoidance should be used in those instances in which:
a) The severity of loss is high.
b) The severity and frequency of loss are high.
c) The frequency of loss is high.
d) The frequency or severity cannot be determined.
Risk situations that have high severity and high frequency should be either avoided or
reduced. Risk reduction is appropriate when it is possible to reduce either the severity or
the frequency to a manageable level. Otherwise, the risk should be avoided, reduced, or
transferred (IIA Standard 2120—Risk Management).

Question 376
The term “enterprise risk management” (ERM) refers to:
a) Risks related to financial derivatives and futures.
b) Market risk, financial risk, and operational risks.
c) Pure, financial, operational, strategic, and speculative risks.
d) Dynamic risks, static risks, and pure risks.
ERM is a broad concept that includes many areas, such as pure risks, financial risks,
operational risks, strategic risks, and speculative risks. Pure risks are those in which there
is a chance of loss or no loss only (e.g., default of a debtor, disability). Financial risks
include credit risk and interest rate risk. Operational risks include risks related to systems,
processes, technology, and people. Strategic risks include reputation risk and leadership
risk. Speculative risks involve the chance of loss or gain (e.g., hedging, options, and
derivatives).

Question 377
The two broad approaches to dealing with risk management are:
a) Risk retention and risk transfer.
b) Risk avoidance and risk transfer.
c) Risk avoidance and risk reduction.
d) Risk control and risk financing.
Risk management is broken down into two major categories: risk control and risk
financing. Risk control focuses on minimizing the risk of loss to which the organization is
exposed. Risk financing concentrates on arranging the availability of funds to meet the
losses that do occur (IIA Standard 2120—Risk Management).

Question 378
Which of the following steps in the risk management process is most likely to be
overlooked?
a) Evaluation of risks.
b) Determination of objectives.
c) Identification of risks.
d) Selection of risk treatments.
Despite its importance, determining the objectives of the program is the first step in the
risk management process that is most likely to be overlooked. Consequently, the risk
management efforts of many firms are fragmented and inconsistent. The risk management
process properly handles the other choices.

Question 379
The ultimate goal of risk management is to:
a) Minimize insurance expenditures.
b) Minimize uninsured losses.
c) Minimize the adverse effects of losses and uncertainty connected with pure risks.
d) Eliminate financial and operational losses.
Risk management is concerned with pure risk. Minimizing the adverse effects of losses
and uncertainty connected with pure risks is necessary. Risk management is a process that
involves managing the pure risks (IIA Standard 2120—Risk Management).

Question 380
Risk retention is most appropriate for situations in which there is a:
a) Low frequency and a high severity.
b) High frequency and a high severity.
c) Low frequency and a low severity.
d) High frequency and a low severity.
Risk retention is most appropriate for situations in which there is a low probability of
occurrence (frequency) with a low potential severity. They seldom occur, and, when they
do happen, the financial impact is small or negligible. Severity dictates whether a risk
should be retained. If the potential severity is more than the organization can afford,
retention is not recommended. Frequency determines whether the risk is economically
insurable. The higher the probabilities of loss, the higher the expected value of loss and the
higher the cost of transfer.

Question 381
Insurance is most appropriate for situations in which there is a:
a) Low frequency and a high severity.
b) High frequency and a high severity.
c) Low frequency and a low severity.
d) High frequency and a low severity.
Insurance is most appropriate for situations in which there is a low frequency and a high
severity. The high severity implies a catastrophic impact if the loss should occur, and a low
probability (frequency) implies a low expected value and a low cost of transfer.

Question 382
Regarding the enterprise risk management (ERM) framework, the cost of financing risk
is a(n):
a) Marginal cost.
b) Opportunity cost.
c) Average cost.
d) Interest cost.
Financing involves paying for the losses out of current income or existing assets, by
earmarking funds or by the purchase of insurance. The cost of financing losses is the
amount of funds that is paid for the losses that occur. The cost of risk for retained risks is
the opportunity cost on the funds that must be earmarked and that cannot be used for other
purposes (IIA Standard 2120—Risk Management).

Question 383
The three most commonly used methods of loss control are:
a) Risk retention, risk avoidance, and risk transfer.
b) Self-insurance, diversification, and risk transfer.
c) Frequency reduction, severity reduction, and cost reduction.
d) Insurance transfers, frequency reduction, and severity reduction.
Common methods of loss control include reducing the probability of losses or decreasing
the cost of losses that do occur. Probability of losses is related to frequency and severity.
Cost reduction is also a method of controlling losses (IIA Standard 2120—Risk
Management).
Question 384
From an enterprise risk management viewpoint, the term “hazard” refers to:
a) The same thing as risk.
b) The same thing as exposure.
c) A condition that increases the chance of loss.
d) Uncertainty regarding loss.
A hazard is a condition that increases the probability (chance) of loss from a peril. Perils
are causes of loss, and examples include fire and flood. Uncertainty can exist where there
is no risk. Risk or exposure is the possibility of loss (IIA Standard 2120—Risk
Management).

Question 385
When creating new businesses, organizations must consider:
a) Delinking opportunities.
b) Desizing opportunities.
c) Derisking opportunities.
d) Desourcing opportunities.
As organizations think about the future and actually create the future potential of their
business, they must consider derisking opportunities. In capitalizing on opportunities, the
goal is to be a market leader but yet reduce risk (i.e., risk lessening).

Question 386
Which of the following enterprise risk management (ERM) frameworks address market
risk?
a) Strategic risks.
b) Operational risks.
c) Financial risks.
d) Hazard risks.
Financial risk includes risks from volatility in foreign currencies, interest rates, and
commodities. It also includes credit risk, liquidity risk, and market risk.

Question 387
Regarding enterprise risk management (ERM), which of the following are more difficult
to identify and assess?

I. Hazard risks.
II. Financial risks.
III. Strategic risks.
IV. Operational risks.

a) I only.
b) II only.
c) I and II.
d) III and IV.
ERM integrates the management of all risks, including the more traditional hazard and
financial risks, with operational and strategic risks. The latter two risks are new and are
more difficult to identify, assess, and evaluate (IIA Standard 2120—Risk Management).

Question 388
Enterprise risk management (ERM) should encompass which of the following?
I. Hazards.
II. Opportunities.
III. Strengths.
IV. Weaknesses.

a) I only.
b) II only.
c) I and II.
d) III and IV.
It is important to emphasize that the uncertainties could have a potential upside or downside
so that ERM encompasses the more traditional view of potential hazards as well as
opportunities. Hazard risks include both insurable and uninsurable risks (IIA Standard
2120—Risk Management).

Question 389
Which of the following is best to manage the enterprise-wide risk management program?
a) Chief Risk Officer.
b) Board of Directors.
c) Chief Financial Officer.
d) Chief Governance Officer.
Risk is pervasive throughout an organization as it can arise from any business function or
process at any time without warning. Because of this widespread exposure, no single
functional department management, other than the board of directors, can oversee the ERM
program. This approach also supports the idea that risks cannot be identified, measured,
and monitored on a piecemeal basis. A holistic approach is needed (IIA Standard 2120—
Risk Management).
Question 390
Self-insurance differs from the establishment of a reserve fund in that:
a) Establishing a reserve fund is a form of risk retention.
b) Self-insurance involves prefunding of expected losses through a fund
specifically designed for that purpose.
c) Self-insurance requires the existence of a group of exposure units large
enough to allow accurate loss prediction.
d) Self-insurance requires the formation of a subsidiary company.
Self-insurance by a firm is possible and feasible when it has accurate records or has access
to satisfactory statistics that enable it to make a good estimate of expected losses. The general
financial condition of the firm should be satisfactory, and the firm's management must be
willing and able to deal with large and unusual losses (IIA Standard 2120—Risk
Management).

Question 391
When dealing with employees, which of the following is not an example of possible
negative actions of management if whistle-blowing employees report management
misconduct?
a) Reduced duties.
b) Coercion of political activity.
c) Reassignment of work location.
d) Reshuffling of work schedules.
Coercion of political activity is one of the prohibited personnel practices. The other three
choices are examples of management's negative actions if whistle-blowing employees
report misconduct of management.

Question 392
Which of the following was not a major shareholder initiative?
a) Rise of shareholder activist groups.
b) Shareholder-initiated golden parachutes.
c) Shareholder resolutions and annual meetings.
d) Shareholder lawsuits.
Shareholders do not initiate golden parachutes; management does. A golden parachute is a
contract in which a corporation agrees to make payments to key management and senior
officers in the event of a change in the control of the corporation (IIA Standard 2110—
Governance).

Question 393
When dealing with stakeholders, which of the following ethical and legal principles is not
applicable?
a) Due process.
b) Due diligence.
c) Due care.
d) Duty of loyalty.
Duty of loyalty is expected of members of the board of directors and officers of a
corporation; they have a duty not to act adversely to the interests of the corporation and a
duty to subordinate their personal interests to those of the corporation and its shareholders.
These duties do not apply to stakeholders (IIA Standard 2110—Governance).

Question 394
Which of the following is the ultimate goal of shareholder and investor communications?
a) Honesty.
b) Consistency.
c) Clarity.
d) Effectiveness.
Management honesty is the ultimate goal of shareholder and investor communications,
although the communications should provide consistency, clarity, candor, and
effectiveness. Corporations should consider candor, need for timely disclosure, and
effective use of technology. However, the ultimate goal of shareholder and investor
communications is honest, intelligible, meaningful, and timely and broadly disseminated
information (IIA Standard 2110—Governance).

Question 395
When handling suppliers and vendors, what kind of chain is involved when a purchasing
manager's actions are linked to performance?
a) Accountability chain.
b) Value chain.
c) Supply chain.
d) Performance chain.
When dealing with suppliers, vendors, and contractors, senior management should
establish an accountability chain in the purchasing department so that a purchasing
manager's actions are linked to performance.

Question 396
When handling related parties, which of the following is the most difficult type of
transaction?
a) Misreported sales between affiliates.
b) Unspecified intercompany transactions.
c) Personal loans to the current chief executive.
d) A close family who is a major shareholder.
Transactions involving the major shareholders (e.g., close family and relations) either
directly or indirectly are potentially the most difficult type of transactions (IIA Standard
2110—Governance).

Question 397
When handling government regulators and authorities, which of the following is the major
problem when designing government policy measures?
a) Overregulation.
b) Unenforceable laws.
c) Imbalance between costs and benefits.
d) Deterring dishonest behavior.
In order to avoid overregulation, unenforceable laws, and unintended consequences that
may impede or distort business dynamics, policy measures should be designed with a view
to their overall costs and benefits. Such assessments should take into account the need for
effective enforcement, including the ability of authorities to deter dishonest behavior and
to impose effective sanctions for violations (IIA Standard 2110—Governance).

Question 398
When handling purchasing agents/buyers and marketing/salespeople, illegal and unethical
practices should be linked to which of the following?

I. A company's purchasing rules.
II. A company's purchasing manual.
III. A code of professional ethics.
IV. A company's codes of conduct statement.

a) I and II.
b) II and III.
c) III and IV.
d) I, II, III, and IV.
Purchasing agents/buyers and marketing/salespeople may become members of a
professional association in their field that issues a code of professional ethics for their
members to follow. A code of professional ethics usually formalizes the set of ethical
standards. A corporation should establish a policy prohibiting marketing and salespeople
from distributing gifts and favors in the process of acquiring new customers and retaining
current customers. This policy should be referred to and linked to the company's codes of
conduct statement.

Question 399
When handling suppliers and vendors, which of the following is the most difficult to detect
in vendor fraud?
a) Overcharging for purchasing goods.
b) Collusion between buyers and vendors.
c) Shipping inferior-quality goods.
d) Not shipping goods when payment is made.
Collusion occurs between two or more people, whether they are internal or external to a
company. Usually parties involved in collusion cover up their actions very carefully and
do not leave any traces of their actions.

Question 400
When dealing with stakeholders, which of the following can prevent collusion among
buyers, vendors, suppliers, and contractors?
a) Rotate buyers.
b) Install a fraud hotline.
c) Install limits on buyers' authority.
d) Provide ethical training.
Rotating buyers and requiring them to take vacations are some ways to prevent collusion
among buyers, vendors, suppliers, and contractors. The other choices are examples of good
actions but are not as effective as rotating the buyers.

Question 401
Companies that strive to be responsible to their stakeholders usually concentrate first on
which of the following?
a) Customers.
b) Employees.
c) Investors.
d) Local communities.
For most companies, customers always come first because the focus of business is on
customers. Customers, employees, investors, and local communities are examples of
stakeholders.

Question 402
Which of the following is the major monitoring device available to shareholders?
a) Company officers.
b) Company nonofficers.
c) Company board of directors.
d) Company employees.
Shareholders resolve their issues in part through the board of directors because
shareholders elect the board to oversee the company's business. For this reason, a
company's board of directors is the major monitoring device available to shareholders
(IIA Standard 2110—Governance).

Question 403
Who are the ultimate owners of a corporation?
a) Shareholders.
b) Board of directors.
c) Management.
d) Employees.
Shareholders and investors are the ultimate owners of a corporation. They invest their
money and expect financial growth from that investment. They take risk and expect good
returns to compensate their risk. These returns can be financial, nonfinancial, or both
(IIA Standard 2110—Governance).

Question 404
Which of the following refers to when shareholder interests are not aligned with the
interests of the manager and the manager begins to pursue self-interest instead?
a) Inside directors.
b) Agency problem.
c) Outside directors.
d) Executive reporting structure.
Agency problems develop when the interests of the shareholders are not aligned with the
interests of the manager, and the manager (who is simply a hired agent with the
responsibility of representing the owner's best interest) begins to pursue self-interest
instead. A corporation is the principal and employees are the agents of that corporation;
this principal–agent relationship can lead to conflict-of-interest situations (IIA Standard
2110—Governance).

Question 405
Regarding shareholder communication with the board of directors, which of the following
committees is best to facilitate that communication?
a) Audit committee.
b) Governance committee.
c) Nominating committee.
d) Compensation committee.
The governance committee plays a leadership role in shaping the governance of a
corporation. It facilitates effective communication with shareholders and investors about
the board's structure and duties, governance principles and practices, code of ethics,
financial condition, operating performance, risk profile, proxy statements, annual reports,
and notification of formal shareholder meetings. All of these communications should
provide consistency, clarity, and candor. So, the governance committee acts as the strong
link between shareholders/investors, the board, and the chief executive officer
(IIA Standard 2110—Governance).
Question 406
Which of the following is not yet established in all public corporations to increase the
relationships with investors and shareholders?
a) Audit committee.
b) Governance committee.
c) Nominating committee.
d) Compensation committee.
Because governance committees are new, they are not yet established in all public
corporations. They do exist in proactive and progressive companies. This committee plays
a leadership role in shaping the governance of a corporation. It also selects and
recommends to the board qualified director candidates for election by the corporation's
shareholders. Because of its unique duties, the governance committee is the best to foster
relationships among investors, shareholders, board, and the chief executive officer
(IIA Standard 2110—Governance).

Question 407
What is the ultimate goal of a corporation's shareholders and investors?
a) To elect the best candidates for the board of directors.
b) To increase value to shareholders and investors.
c) To select the best candidate as the chief executive officer.
d) To improve communications with the board and the CEO.
The ultimate goal of a corporation's shareholders and investors is to increase their value in
terms of stock appreciation, dividend growth, wealth maximization, and quality products
and services. This is achieved when a corporation treats its employees well, serves its
customers well, fosters good relationships with suppliers and vendors, maintains an
effective compliance program and strong governance practices, and has a good reputation
for civic responsibility. The items listed in the other three choices are important too, but
they are only tangential to the goal (IIA Standard 2110—Governance).
