CIA Exam: Part 1 Question and Answers
Acceptable Risk - A type of risk that revolves around the business impact that would
be experienced if certain risks became realized. The loss is deemed to be acceptable;
no additional controls are warranted.
Acceptable Risk Level - A risk level derived from an organization's legal and regulatory
compliance responsibilities, its threat profile, and its business drivers and impacts.
Adequate Control - A level of control that is present if management has planned and
organized (designed) in a manner that provides reasonable assurance that the
organization's risks have been managed effectively and that the organization's goals and
objectives will be achieved efficiently and economically.
Audit Risk - The risk that internal auditors may arrive at the wrong conclusions and
opinions of the work that they have undertaken.
Compliance - Conformity and adherence to policies, plans, procedures, laws,
regulations, contracts, or other requirements.
Control Deficiency - A condition that warrants attention as a potential or real
shortcoming that leaves an organization excessively at risk.
Control Environment - The attitude and actions of the board and management
regarding the significance of control within the organization. The control environment
provides the discipline and structure for the achievement of the primary objectives of the
system of internal control.
Elements of the Control Environment -
1) Integrity and ethical values
2) Management's philosophy and operating style
3) Organizational structure
4) Assignment of authority and responsibility
5) Human Resource policies and practices
6) Competence of personnel
Control Process - The policies, procedures, and activities that are part of a control
framework, designed to ensure that risks are contained within the risk tolerances
established by the risk management process.
Control Risk - The potential that control activities will fail to reduce controllable risk to
an acceptable level.
Enterprise risk management (ERM) - A structured, consistent, and continuous process
across the whole organization for identifying, assessing, deciding on responses to, and
reporting on opportunities and threats that affect the achievement of its objectives.
Event - An incident or occurrence resulting from internal or external sources that
affects the implementation of strategy or achievement of objectives.
Impact - The result, effect, or consequences of an event.
Inherent Limitations - Limitations of risk management, control, and governance related
to human judgement, resource limitations, and the need to balance the costs of controls
in relation to expected benefits; considers the reality of breakdowns occurring and the
possibility of management override and collusion.
Inherent Risk (or Absolute Risk) - The risk derived from the environment without the
mitigating effects of internal controls.
Likelihood - The probability that a given event will occur.
Opportunity - As related to risk, an uncertain event with a positive consequence.
Pervasive Risk - The type of risk found throughout the environment.
Residual Risk - The risk remaining after management takes action to reduce the
impact and likelihood of an adverse event, including control activities in responding to a
risk.
Risk Appetite - The level of risk an organization is willing to accept.
Risk Assessment (or Risk Analysis) - The identification and measurement of risk and
the process of prioritizing risk.
Risk Classification - The assignment of risk into categories, such as financial risk,
operational risk, strategic risk, or reputation risk.
Risk Identification - The method of recognizing possible threats and opportunities.
Risk Management - A process to identify, assess, manage, and control potential
events or situations, to provide reasonable assurance regarding the achievement of the
organization's objectives.
Risk Prioritization - Ranking risks, formally or informally, from the highest to the lowest.
Risk Response - The actions taken to manage risk.
Risk Tolerance - The acceptable levels of variation relative to the achievement of
objectives.
Uncertainty - A condition where the outcome can only be estimated.