MANAGEMENT ASSURANCE PART 1 OF 2 (CORRECT 100%)
Which of the following are appropriate goals of risk management? Select all that apply.
A. To eliminate uncertainty.
B. To facilitate greater operational effectiveness and efficiency.
C. To limit risk-taking as much as possible.
D. To support the attainment of organizational objectives.
E. To facilitate well-informed decision-making.
F. To guarantee outcomes from activities. - ANSWER Solution: B, D, and E
Which of the following BEST describes risk culture? Select one.
A. The system present throughout an organization of shared values and beliefs about risk that shapes attitudes, behaviors, and decisions.
B. The leadership of and commitment to risk management from the highest levels of an organization.
C. The level of authority and trust awarded to managers to determine the level of risk they are prepared to take.
D. The policies and processes that define risk ownership, responsibilities, and reporting requirements. - ANSWER Solution: A
Which of the following describes the highest level of risk management maturity (commonly referred to as "risk-enabled")? Select one.
A. When a risk strategy and policies are in place and communicated.
B. When risk management and internal control are fully embedded into operations.
C. When the organization establishes a risk committee, risk management team, and risk processes.
D. When risk appetite has been defined. - ANSWER Solution: B
The definition of risk taken from the IPPF glossary is as follows: "The possibility of an event occurring that will have an impact on the achievement of objectives." Suppose an organization has the following objective: To sell 1,000 units at $10 each. Which of the following may be described as a risk for the organization? Select all that apply.
A. A downturn in the economy may reduce demand by 10%.
B. Overseas demand may exceed expectation and a total of 1,100 units are sold.
C. A competitor may offer a similar product at a lower price and attract customers away.
D. Foreign exchange rates may make the product cheaper for customers overseas, stimulating additional sales.
E. A new method of production may become available.
F. Climate change occurs less quickly than expected. - ANSWER Solution: A, B, C, and D
Which of the following provides the BEST definition of residual risk? Select one.
A. The risk that a material error exists in the financial statements after audit.
B. The portion of inherent risk that remains after management executes its risk responses.
C. The risk that an audit may fail to detect a control deficiency.
D. Risk severity prior to implementation of risk responses.
E. A risk that cannot be mitigated.
F. The amount of impact that can be eliminated by preventative measures. - ANSWER Solution: B
A code of ethical behavior and statement of organizational values are risk responses to the possibility individuals may act in such a way as to cause damage to the organization. Which of the following statements about these responses are true? Select one.
A. They are preventative measures designed to reduce likelihood.
B. They are preventative measures designed to reduce impact.
C. They are detective measures designed to alert management to instances of unethical behavior.
D. They form part of contingency measures to help repair any damage that may be incurred as a result of unethical behavior. - ANSWER Solution: A
There are a number of internal and external parties that contribute to the effectiveness of risk management, but which one has the primary responsibility for identifying and managing risks? Select one.
A. Members of the board.
B. Senior management.
C. Heads of risk, compliance, and control functions.
D. The chief audit executive (CAE).
E. External auditors.
F. Regulators. - ANSWER Solution: B
A purchasing manager has subcontracted repairs and maintenance to a facilities management company. This is a new relationship and has been entered into quickly. Which of the following is NOT an appropriate control measure to avoid the risks associated with this relationship? Select one.
A. A schedule of regular communication and reporting.
B. Financial penalties for missed targets and performance failures.
C. Stated objectives and itemized responsibilities for each party.
D. Identifying an alternative subcontractor. - ANSWER Solution: D
In the COSO Internal Control framework, there are two types of controls, namely hard and soft. Which of the following are examples of soft controls? Select all that apply.
A. Policies and procedures.
B. Tone at the top.
C. Risk culture.
D. Training.
E. Role description.
F. Organizational structure. - ANSWER Solution: B, C, and D
In the COSO Internal Control framework, there are two types of controls, namely hard and soft. Which of the following describes characteristics of soft controls? Select one.
A. Controls that rely on behavior and attitude.
B. Controls that are relatively easy to introduce, monitor, and manage.
C. Policies, processes, and specific measures such as password protection.
D. Controls designed, introduced, and performed by people. - ANSWER Solution: A
Which of the following techniques may be used in root cause analysis? Select all that apply.
A. Cause and effect (or fishbone) diagrams.
B. Cost-benefit analysis.
C. Fuzzy logic.
D. Five whys.
E. Waterfall model.
F. Rapid development. - ANSWER Solution: A, B, C, and D
The ISO 31000:2018 Risk Management standard links together three important aspects of an organization. Which one of the following is NOT one of these aspects? Select one.
A. Leadership and commitment.
B. Stakeholder engagement.
C. Value creation and protection.
D. Risk management processes. - ANSWER Solution: B
You are the CAE for a defense contractor in the aerospace sector. Senior management and the board are very concerned about information security risks. Which one of the following frameworks or sets of standards would you recommend? Select one.
A. COSO ERM - Integrating with Strategy and Performance.
B. ISO 31000 Risk Management.
C. IIA GAIT for Business and IT Risk.
D. The National Institute of Standards and Technology NIST 800-37. - ANSWER Solution: D
Which of the following terms is closest in meaning to risk appetite?
A. Existing risk profile.
B. Risk capacity.
C. Risk tolerance.
D. Attitudes toward risk. - ANSWER Solution: B
Which of the following is the best approach for an internal auditor to use when benchmarking risk management processes? Select one.
A. Meet with a competitor organization and exchange information about risk management processes.