IIA-CRMA Certification in Risk Management Assurance (CRMA) Exam Questions and Answers

The audit report included a well-supported recommendation for a reduction in staff even though such a reduction might adversely impact morale.

The auditor tested samples of transactions to test the cash function's process flows.

After determining that the cash function internal controls were strong, the audit report assured senior management that fraud was not present.

The auditor discovered an instance of potential fraud and reported it immediately to management, but did not alert authorities outside the organization.

Assess the actions necessary to reduce the likelihood and/or impact of risk to tolerable levels.

Assess the likelihood and/or impact of risk on the achievement of organizational objectives.

Assess the amount of risk an organization can accept while pursuing its objectives.

Assess alternative strategies to reduce or eliminate major risks.

The relative complexity, materiality, or significance of matters to which assurance procedures are applied.

The extent of assurance services necessary to ensure that all risks are identified.

The cost of providing the assurance services in relation to potential benefits.

The probability of significant errors, irregularities or instances of noncompliance.

1 and 3.

1 and 4.

2 and 3.

2 and 4.

Which sampling methodology to select for testing.

Which fields to examine on each invoice.

Whether an individual expenditure is allowable.

What level of noncompliance is acceptable.

Customers' orders are recorded promptly.

Goods shipped are matched with valid customer orders.

Goods returned are inspected for damage by the receiving department for proper disposition.

Sales department approval is required for credit sales transactions.

A physical security control over a data center.

A system development life cycle control.

A program change management control.

An input control over data integrity.

Impose risk management processes.

Coordinate risk management activities.

Implement risk responses on management's behalf.

Review the management of key risks.

Invoices are not being mailed to customers.

An employee is tampering with customer checks.

Employees are submitting fraudulent expense reports.

The customer service department is not forwarding complaints to the accounts receivable department.

A Bedford analysis of orders filled to average delivery times.

Decision trees rating actual performance against requirements.

Queuing theory to assess potential bottlenecks in the process.

A program evaluation and review technique chart.

Restrict data-table access from management and line supervisors who have the authority to determine pay rates.

Require a supervisor in the department, who has the ability to change the table, to compare the changes to a signed management authorization.

Ensure that adequate edit and reasonableness checks are built into the automated system.

Require a manager, who is independent of the system and who cannot change the table, to authorize and sign-off on any employee pay changes.

Several recent, large expenditures to a new vendor have not been documented.

A manager has bragged about multiple extravagant vacations taken within the last year, which are excessive relative to the manager's salary.

A weak control environment has been accepted by management to encourage creativity.

New employees occasionally fail to meet established project deadlines due to staffing shortages.

Accepting the money would be prohibited only if it were non-customary.

Accepting the money would violate the IIA Code of Ethics.

Because the CIA is not acting as an internal auditor, accepting the money would be governed only by the organization's code of conduct.

Because the contract was signed before the money was offered, accepting the money would not violate the IIA Code of Ethics.

The government's independent auditor.

The external auditors from an accounting firm.

The internal audit activity.

The agency's chief compliance officer.

1 and 2 only

1 and 3 only

2 and 3 only

1, 2, and 3

Resource management.

Coordination.

Due professional care.

Engagement supervision.

Competence.

Flexibility.

Objectivity.

Independence.

Corrective control.

Preventive control.

Detective control.

Compensating control.

They assist in the implementation of recommendations.

They provide support for communication to third parties.

They demonstrate compliance with auditing standards.

They contribute to development of the internal audit staff.

An internal auditor reports both functionally and administratively to the chief financial officer (CFO).

An internal auditor, who was an accounts receivable intern for the organization three years prior, performs an audit of the accounts receivable cycle.

According to policy, the internal auditor must obtain approval from the CFO prior to requesting information for internal audit purposes.

An internal auditor performs an audit in a department that is led by the auditor's close friend.

Control environment.

Control activities.

Information and communication.

Monitoring activities.

Authority and responsibility to resolve issues.

Framework to plan, execute and monitor activities.

Integrated responses to multiple risks.

Knowledge and skills needed to perform activities.

Requiring employees to attend ethics training.

Performing background checks on employees.

Implementing a control self-assessment.

Performing a surprise audit.

The scope and frequency of internal and external assessments as well as the qualifications and independence of the assessor.

The scope and cost of the QAIP. frequency of internal and external assessments, and conclusions of the assessor.

The scope, findings, risks, recommendations, and agreed-upon improvement actions.

The number and types of people involved in the assessment, costs, and duration of the QAIP

Condition section.

Criteria section.

Effect section.

Cause section.

Having an occupational health officer on the engagement team.

Determining that the claims have been classified properly.

Placing reliance on medical reports from the injured worker's doctor.

Reviewing claims to ensure all accidents actually occurred in the workplace.

1 only. |

1 and 4 only.

1, 3, and 4 only.

1,2, 3, and 4.

1 and 4.

1 and 3.

2 and 3.

3 and 4.

4 only.

1 and 2 only.

3 and 4.

1,2, and 3.

To enable Triple Bottom Line reporting capability.

To facilitate the conduct of risk assessment.

To achieve and maintain sustainable development.

To fulfill regulatory and compliance requirements.

Conduct anti-fraud training.

Perform background investigations.

Implement process controls.

Activate a whistleblower hotline.

The audit committee and senior management.

The audit committee and the external auditors.

Senior management and management of the audited area.

Senior management and the external auditors.

Definition of Internal Auditing.

MA Standards.

Internal audit charter.

The IIA's Code of Ethics.

External auditors.

Chief risk officer.

Operations management.

Board of directors.

Observation of the facility during operations.

Questioning of facility management, including the facility safety officer.

Analysis of facility operating reports, focusing on instances when breakdowns occurred.

Review of records involving safety violations, filed by facility production employees.

Assessing the risk factors.

Aligning risk appetite and strategy.

Enhancing risk response decisions.

Reducing operational surprises and losses.

An internal auditor assessed the effectiveness of controls over payroll software, which he had helped implement with a previous employer.

An internal auditor participated in an audit of controls around absenteeism, despite providing some consultation on controls in this area earlier in the year.

An internal auditor performed an assurance engagement for the effectiveness of accounts payable access controls, one of which he previously helped to design.

An internal auditor, previously employed in the quality assurance operations area, performed a consulting engagement for the operations manager.

The external assessment results are reported upon completion in confidence directly to the board, and senior management is advised only of the recommendations and improvement action plans.

The results of self-assessments with independent external validation are shared with the board upon completion, and monitoring of recommended improvements must be reported monthly.

The external assessment results are communicated upon completion to senior management and the board, but action plans for recommended improvements do not have to be reported.

The requirements for reporting quality assessment results are the same for external assessments and self-assessments with independent external validation.