IC Standard 1: Control Environment - 5 Principles - Five principles of Control Environment:
1) Commitment to integrity and ethical values
2) Independence of oversight body and mgmt
3) Establish structures, reporting lines, and responsibilities
4) Retain competent individuals in alignment with objectives
5) Individuals held accountable for their I/C responsibilities
* Most important component of Internal Control
Control Environment - Commitment to Integrity - Demonstrated by:
* code of conduct that reflects organizational core values
* employees understand what is ethical through mgmt communications and actions
* employees know how to act if they see unethical behavior
* management does not routinely override controls
* management emphasizes long-term goals instead of short-term gains
* management actively discourages unethical behavior
Control Environment - Commitment to Competence - Demonstrated by:
* clearly defined KSAs assigned to job functions
* ambiguous and unrealistic job descriptions revised when necessary
* periodic EE evaluations and counseling
* EE training and development programs
* appropriate levels of supervision
* promotions/compensation consistent with evaluation results
Control Environment - Mgmt Philosophy and Operating Style -
* overly aggressive = values short term over long term and results over integrity
* turnover in key positions is a red flag
* should support a strong audit committee
* mgmt should accomplish objectives within budget constraints
Control Environment - HR Policies and Practices -
* run background checks on potential new EEs
* counsel EEs with poor performance appraisals
* recognize high performers
* conduct ethics training programs that reinforce entity core values
* take appropriate actions for policy violations
IC Standard 2: Risk Assessment - 4 Principles - 4 Principles of Risk Assessment:
1) Specify objectives with reasonable clarity
2) Identify risks to achievement of objectives
3) Consider potential for fraud
4) Identify changes that could impact system of I/C
* Evaluate risk by rating likelihood of occurrence and severity of impact.
Vulnerable items = cash, small-size/high-dollar items, personal data, prescription drugs
Inherent Risks -
* sensitive items impacting health, safety, and security
* vulnerable items that are easily converted to cash
* programs with large amounts of funding
* programs that are funded through third-party intermediaries
* social programs impacting vulnerable populations
* changing environment
* complex calculations
* diverse organizations
* programs that disburse cash or its equivalent
IC Standard 3: Control Activities - 3 Principles - the organization selects those activities that:
1) contribute to the mitigation of risk
2) contribute to technology that supports objectives
3) use policies and procedures to create action and lay out expectations
Control Activities Include: -
* Separation of Duties
* Reporting
* Physical controls of vulnerable assets
* Mgmt review of performance
* Managing human capital
* Restricting access to resources and records
Misuse in government environment - loss of public esteem and credibility is often a greater risk than monetary loss.
General IT Controls - back-up and recovery procedures, contingency and disaster planning, control over system acquisition and implementation, access security, documentation and authorization in system development and maintenance
IC Standard 4: Information and Communication - 3 Principles - flow of info up, down, and across the entity
1) quality info used to support the internal control function
2) information is communicated internally, including objectives and responsibilities
3) information is communicated with external parties
IC Standard 5: Monitoring - 2 Principles -
1) ongoing and separate evaluations
2) deficiencies communicated timely to those responsible for corrective action and at least one mgmt level above them
* supervision is the most common monitoring activity
Enterprise Risk Management (ERM) - Issued by COSO in Sept 2004
* broader in scope with a focus on risk
* addition of 4th category - strategic objectives
* introduces risk appetite and risk tolerance
* growing in emphasis for government financial managers
Risk Appetite - used as a guidepost for setting objectives - defines how much the entity is willing to risk in pursuit of its mission
Risk Tolerance -
8 Components to ERM (3 additional from IC triangle model) -
1) Internal Environment (same as Control Environment)
2) OBJECTIVE SETTING - New
3) EVENT IDENTIFICATION - New
4) RISK ASSESSMENT - New
5) Risk Response
6) Control Activities
7) Information and Communication
8) Monitoring
ERM - OBJECTIVE SETTING - process to clearly set forth the entity's mission
ERM - EVENT IDENTIFICATION - determining which events may impact the entity's ability to achieve objectives, both positively (opportunities) and negatively (risks)
ERM - RISK RESPONSE, 4 ways to address risk: - 1) avoidance