1.  Which of the following would be least likely to be an audit comment from a risk management audit?
A) There is insufficient integration of risk management into the business
B) The internal auditing department is not following the IPPF
C) Strategic planning activities do not apply risk assessment properly
D) Risk management does not lead to more effective internal controls
E) Risk ownership is not properly defined

8) Which of the following is not true about a risk assessment process?

A) All risks require continual monitoring
B) It is about measuring and prioritizing risks
C) It requires analysis of interaction among risks
D) Risk assessment should be done before developing risk responses
E) All of the above are true

22) According to the IPPF which of the following is not true about objectivity.

A) Auditors cannot subordinate their judgment on audit matters to others
B) Internal auditing must report to the CEO
C) It requires impartiality
D) Conflict of interests can exist even if there is no unethical result
E) An internal auditor can never provide assurance services for an activity which he previously had responsibility

23) Which of the following would not be part of a corporate risk assessment audit?

A) Evaluate whether there is a clearly defined risk management policy
B) Evaluate whether risk management is integrated with the business planning process
C) Evaluate whether the risk management policy is understood
D) Test the internal controls relating to computer security
E) All of the above would be part of a risk assessment

24) Which of the following is not a section of the Performance Standards?

A) Objectivity
B) Risk management
C) Engagement scope
D) Disseminating results
E) None of the above

25) Which of the following is true about ERM?

A) The COSO ERM Framework is the only approved ERM framework in the U.S.
B) 90% of all corporations have implemented the entire COSO ERM Framework
C) The COSO ERM Framework is part of the COSO Internal Controls Framework
D) An effective ERM process will guarantee the enterprise will achieve its business objectives
E) None of the above is true

26) In determining the adequacy of IT controls, which of the following is not applicable

A)  Complexity of the IT infrastructure
B)  The organization’s risk appetite
C)  The benefits provided by the controls versus the costs
D)  Whether the system is connected to the Internet
E)  All are applicable

27) What is residual risk?

A)  Impact of risk
B)  Aggregate risk
C)  Risk that remains after the implementation of internal controls
D)  The inherent risk in the environment
E)  The organization’s risk tolerance

28) Which of the following is not an example of an IT general control?

A) IT governance
B) System development process
C) Backup and recovery
D) Edit checks in the accounts payable application
E) Program change management

29) What is a way management can gain assurance over controls when an activity is outsourced to a third party?

A) Obtain a report by an independent party on controls at the outsourcer
B) Have terms in the contract governing the nature of services and performance measures
C) Have an audit rights clause in the contract
D) Determine if the outsourcer has any relevant certifications
E) All of the above

30) Which of the following is true about the IPPF?

A)  By law in the U.S. internal auditing departments must comply with all the IIA Standards.
B)  Interpretations are not considered to be mandatory guidance
C)  The Code of Ethics is part of the Standards
D)  Independence as defined in the IPPF is a concept dealing with an unbiased mental attitude
E)  All of the above are not true

31) According to the IPPF, an internal auditor assigned to an audit engagement:

A)  Must be an expert in the area being audited
B)  Must be proficient and exercise due professional care
C)  Cannot have a relative working anywhere in the company
D)  Must be a Certified Internal Auditor
E)  Is responsible for detecting fraud

32)  Which of the following do not have to be considered in a risk assessment?

A)    Risk responses
B)    The effectiveness of risk management at key vendors
C)    Resiliency
D)    Velocity of impact
E)    Persistence of the impact

36) Which of the following is the primary responsibility of internal auditing?

A)    Daily monitoring of IT access security logs
B)    Annual IT internal control assessments
C)    Continuous monitoring of all IT controls
D)    Establishing the IT risk appetite and responses
E)    Both B and C

38) Which are the following is not true?

A)    The NYSE rules do not allow the internal auditing function to be outsourced
B)    There is no law in the United States requiring publicly-held companies to have an internal auditing function
C)    Although not required some privately-held companies have an internal audit function
D)    It is not a requirement to have the CPA or CIA certification to work in internal auditing
E)    The role of an internal auditing department varies by organization

42) Which of the following about how internal auditing adds value is not true?

A) Different levels in the organization have different opinions as to how internal auditing can best add value
B) What is considered value add in one organization may not be considered value add in another organization
C) For any organization consulting is considered to be higher value add than assurance services
D) How internal auditing can best add value changes over time
E)  Internal auditing is limited by resources, staff size and expertise in where and how they can add value

43) Which of the following is true?

A) Within the finance professional there is a universally accepted definition of the term “risk.”
B)  Inherent and residual risk are one and the same concept
C)  The concept of risk management did not exist until the 1990s
D)  Risk begins at the transactional level in an organization
E)  Risk is inherent in every business