Wednesday, July 1, 2026

CIA Part 1 – 2025 Syllabus. Topic: Risk Assessment – 15 Case-Based MCQs


(Answers are provided at the end: solve first, then check yourself.)

_Based on IIA Standards 2120, 2201, 2210 + 2019 IPPF_


*Q1. Inherent vs Residual Risk*

_Case_: CAE assesses that cyber-attack risk for the e-commerce platform is “High” before any controls. After implementing firewalls, MFA, and 24/7 SOC monitoring, risk is “Medium”. The “Medium” rating represents:  

A. Inherent risk  

B. Residual risk  

C. Risk appetite  

D. Risk tolerance  


*Answer:*


*Q2. Risk Assessment in Audit Planning – Std 2201*

_Case_: During annual planning, CAE allocates 400 hours to Payroll and 40 hours to Cash. Cash has a high fraud history and weak controls. Payroll has strong controls and no issues in 3 years. This planning approach violates:  

A. Std 2010 – Planning  

B. Std 2201 – Planning Considerations  

C. Std 2130 – Control  

D. Std 1220 – Due Professional Care  


*Answer:*


*Q3. Risk Appetite vs Risk Tolerance*

_Case_: Board states “We have zero appetite for FCPA violations”. Management accepts a distributor in a high-corruption country without due diligence to meet sales goals. This situation indicates:  

A. Risk appetite was appropriate  

B. Risk tolerance was exceeded  

C. Both appetite and tolerance were breached  

D. Only inherent risk increased  


*Answer:*


*Q4. Fraud Risk Assessment – Std 2120.A2*

_Case_: IA is planning a Procurement audit. Management says “We trust our buyers; no fraud possible”. Per Standards, the auditor MUST:  

A. Accept management’s assertion if controls look strong  

B. Independently consider fraud risk regardless of mgmt views  

C. Only assess fraud if prior incidents occurred  

D. Defer fraud assessment to external auditors  


*Answer:*


*Q5. Risk Matrix – Likelihood vs Impact*

_Case_: Risk register shows “Data breach: Likelihood = Low, Impact = Critical”. CAE ranks it as “High Priority” for audit. CFO argues “Low likelihood means low priority”. CAE’s ranking is BEST supported because:  

A. Impact drives priority when critical, per risk appetite  

B. All cyber risks are always high priority  

C. Likelihood is irrelevant in risk assessment  

D. CFO lacks authority over audit plan  


*Answer:*


*Q6. Control Risk vs Detection Risk*

_Case_: Audit of Revenue: Inherent risk = High due to complex ASC 606. Control risk = High due to weak ITGC. To keep audit risk low, detection risk must be:  

A. High  

B. Low  

C. Medium  

D. Unaffected  


*Answer:*


*Q7. Continuous Risk Assessment – Agile Auditing*

_Case_: Mid-year, a ransomware attack hits the industry. The approved audit plan had no IT audits. Per IIA guidance, the CAE should:  

A. Wait for next annual plan to add cyber audit  

B. Update risk assessment and adjust plan immediately per Std 2010.A1  

C. Only audit cyber if board requests it  

D. Add cyber to next year since impact unknown  


*Answer:*


*Q8. Risk Criteria – Std 2210.A1*

_Case_: IA will audit ESG reporting. Management has no formal ESG policy. Which criteria should IA use to assess risk?  

A. No audit possible without mgmt criteria  

B. COSO ERM, SASB, GRI, or industry benchmarks  

C. Only financial materiality thresholds  

D. Prior year’s audit program  


*Answer:*


*Q9. Emerging Risk – 2025 Hot Topic*

_Case_: Company implements AI for credit decisions. No one in IA understands AI algorithms. Per Std 1210.A1, the CAE should:  

A. Exclude AI from audit universe due to lack of skill  

B. Obtain competency via training or co-sourcing before auditing  

C. Rely on management’s AI vendor certification  

D. Audit only manual controls around AI  


*Answer:*


*Q10. Risk Assessment Tools – Data Analytics*

_Case_: To assess AP fraud risk, IA runs 100% data analytics for: duplicate vendors, round-dollar payments, weekend postings. This technique BEST supports:  

A. Std 2320 – Analysis and Evaluation  

B. Std 2120.A1 – Risk assessment to develop audit plan  

C. Std 2330 – Documenting Information  

D. Std 2410 – Criteria for Communicating  


*Answer:*


*Q11. Inherent Limitations in Risk Assessment*

_Case_: Risk assessment rated “Inventory theft” as Low due to cameras. Theft occurred via collusion between guard and warehouse staff. This demonstrates:  

A. Failure of Std 2201  

B. Inherent limitation – collusion can override controls  

C. Management override of risk assessment  

D. Inadequate risk criteria  


*Answer:*


*Q12. Risk Universe – Completeness*

_Case_: CAE’s risk universe excludes “Climate risk” because “CFO says it’s not financial”. Under Std 2010, this is:  

A. Acceptable if CFO owns risk  

B. Deficient; risk universe must consider strategic, operations, compliance  

C. Acceptable for financial audit focus  

D. Only deficient if regulators require climate disclosure  


*Answer:*


*Q13. Residual Risk Above Appetite*

_Case_: After controls, risk of FCPA violation is “Medium” but board appetite is “Zero”. Per Std 2600, the CAE must:  

A. Accept mgmt’s risk decision silently  

B. Discuss with senior mgmt, then board if mgmt won’t act  

C. Immediately report to regulators  

D. Increase audit testing to lower risk  


*Answer:*


*Q14. Risk Interdependencies*

_Case_: IT risk “System outage” and Operational risk “Manual workaround failure” both rated Medium. Combined, they could halt sales = Critical. Audit plan should:  

A. Audit each separately as Medium  

B. Consider aggregated/interdependent risk as Critical per 2201  

C. Ignore since individual risks not High  

D. Only audit if outage occurred  


*Answer:*


*Q15. Risk Assessment Documentation – Std 2330*

_Case_: CAE tells board “We used professional judgment” for risk rankings but has no matrices or rationale documented. This violates:  

A. Std 2120 – Risk Management  

B. Std 2201 – Planning Considerations  

C. Std 2330 – Documenting Information  

D. Std 2340 – Engagement Supervision  


*Answer:*


*Exam Tips for CIA Part 1 Risk Assessment Qs – 2025*


1. *Std numbers*: 2120 = risk mgmt. 2201 = planning. 2210 = objectives. 2600 = escalate risk. Memorize pairs.  

2. *Agile/Tech terms*: “Continuous risk assessment”, “data analytics”, “AI risk” = Domain III weight ↑  

3. *Never pick*: “Ignore risk if mgmt says low”, “Only audit after loss”, “Exclude due to no skill”  

4. *Always pick*: “Independent assessment”, “Update plan for emerging risk”, “Document basis”  

5. *Formula*: Audit Risk = IR × CR × DR. If 2 are High, 3rd must be Low.


www.gmsisuccess.in

CIA Part 1 – 2025 Syllabus. Topic: Risk Assessment – 15 Case-Based MCQs with Explanations


_Based on IIA Standards 2120, 2201, 2210 + 2019 IPPF_


---


*Q1. Inherent vs Residual Risk*

_Case_: CAE assesses that cyber-attack risk for the e-commerce platform is “High” before any controls. After implementing firewalls, MFA, and 24/7 SOC monitoring, risk is “Medium”. The “Medium” rating represents:  

A. Inherent risk  

B. Residual risk  

C. Risk appetite  

D. Risk tolerance  


*Answer: B*  

*Why others wrong*:  

A. Inherent = before controls; “High” was inherent.  

C. Appetite = level willing to accept; not a rating of current risk.  

D. Tolerance = acceptable variance; not the risk level itself. Std 2120.


---


*Q2. Risk Assessment in Audit Planning – Std 2201*

_Case_: During annual planning, CAE allocates 400 hours to Payroll and 40 hours to Cash. Cash has a high fraud history and weak controls. Payroll has strong controls and no issues in 3 years. This planning approach violates:  

A. Std 2010 – Planning  

B. Std 2201 – Planning Considerations  

C. Std 2130 – Control  

D. Std 1220 – Due Professional Care  


*Answer: B*  

*Why others wrong*:  

A. 2010 = risk-based plan exists; issue is HOW hours allocated per 2201.  

C. 2130 = evaluate controls; planning precedes that.  

D. 1220 = skill/care; problem is risk consideration, not competence. 2201.C1 requires risk assessment to prioritize.


---


*Q3. Risk Appetite vs Risk Tolerance*

_Case_: Board states “We have zero appetite for FCPA violations”. Management accepts a distributor in a high-corruption country without due diligence to meet sales goals. This situation indicates:  

A. Risk appetite was appropriate  

B. Risk tolerance was exceeded  

C. Both appetite and tolerance were breached  

D. Only inherent risk increased  


*Answer: C*  

*Why others wrong*:  

A. Appetite = zero; action violated it.  

B. If appetite is zero, tolerance is also zero; both breached.  

D. Management action changed residual risk, not just inherent. Std 2120.A1.


---


*Q4. Fraud Risk Assessment – Std 2120.A2*

_Case_: IA is planning a Procurement audit. Management says “We trust our buyers; no fraud possible”. Per Standards, the auditor MUST:  

A. Accept management’s assertion if controls look strong  

B. Independently consider fraud risk regardless of mgmt views  

C. Only assess fraud if prior incidents occurred  

D. Defer fraud assessment to external auditors  


*Answer: B*  

*Why others wrong*:  

A. 2120.A2 requires auditor’s own fraud risk consideration.  

C. Absence of history ≠ absence of risk.  

D. IA cannot delegate Std 2120 responsibilities.


---


*Q5. Risk Matrix – Likelihood vs Impact*

_Case_: Risk register shows “Data breach: Likelihood = Low, Impact = Critical”. CAE ranks it as “High Priority” for audit. CFO argues “Low likelihood means low priority”. CAE’s ranking is BEST supported because:  

A. Impact drives priority when critical, per risk appetite  

B. All cyber risks are always high priority  

C. Likelihood is irrelevant in risk assessment  

D. CFO lacks authority over audit plan  


*Answer: A*  

*Why others wrong*:  

B. Not all cyber = high; depends on impact + appetite.  

C. Likelihood matters, but critical impact can override low likelihood.  

D. CFO input considered, but 2201 says CAE uses risk assessment. 


---


*Q6. Control Risk vs Detection Risk*

_Case_: Audit of Revenue: Inherent risk = High due to complex ASC 606. Control risk = High due to weak ITGC. To keep audit risk low, detection risk must be:  

A. High  

B. Low  

C. Medium  

D. Unaffected  


*Answer: B*  

*Why others wrong*:  

A. Audit Risk = IR × CR × DR. If IR & CR high, DR must be low to compensate.  

C. Medium DR would leave audit risk high.  

D. DR is only component auditor directly controls. Std 2310.


---


*Q7. Continuous Risk Assessment – Agile Auditing*

_Case_: Mid-year, a ransomware attack hits the industry. The approved audit plan had no IT audits. Per IIA guidance, the CAE should:  

A. Wait for next annual plan to add cyber audit  

B. Update risk assessment and adjust plan immediately per Std 2010.A1  

C. Only audit cyber if board requests it  

D. Add cyber to next year since impact unknown  


*Answer: B*  

*Why others wrong*:  

A. 2010.A1 requires updates for significant changes.  

C. CAE must act on risk, not wait for board.  

D. Waiting ignores due care 1220.A1.


---


*Q8. Risk Criteria – Std 2210.A1*

_Case_: IA will audit ESG reporting. Management has no formal ESG policy. Which criteria should IA use to assess risk?  

A. No audit possible without mgmt criteria  

B. COSO ERM, SASB, GRI, or industry benchmarks  

C. Only financial materiality thresholds  

D. Prior year’s audit program  


*Answer: B*  

*Why others wrong*:  

A. 2210.A1: Auditor must establish criteria if mgmt hasn’t.  

C. ESG risks ≠ only financial.  

D. Prior year irrelevant if business changed.


---


*Q9. Emerging Risk – 2025 Hot Topic*

_Case_: Company implements AI for credit decisions. No one in IA understands AI algorithms. Per Std 1210.A1, the CAE should:  

A. Exclude AI from audit universe due to lack of skill  

B. Obtain competency via training or co-sourcing before auditing  

C. Rely on management’s AI vendor certification  

D. Audit only manual controls around AI  


*Answer: B*  

*Why others wrong*:  

A. Cannot ignore high risk due to lack of skill; must obtain it.  

C. 1220.A2: Can’t rely solely on mgmt.  

D. Manual controls insufficient if algorithm is biased.


---


*Q10. Risk Assessment Tools – Data Analytics*

_Case_: To assess AP fraud risk, IA runs 100% data analytics for: duplicate vendors, round-dollar payments, weekend postings. This technique BEST supports:  

A. Std 2320 – Analysis and Evaluation  

B. Std 2120.A1 – Risk assessment to develop audit plan  

C. Std 2330 – Documenting Information  

D. Std 2410 – Criteria for Communicating  


*Answer: B*  

*Why others wrong*:  

A. 2320 = during fieldwork; this is planning risk ID.  

C. 2330 = documentation, not risk ID.  

D. 2410 = reporting; this is pre-engagement.


---


*Q11. Inherent Limitations in Risk Assessment*

_Case_: Risk assessment rated “Inventory theft” as Low due to cameras. Theft occurred via collusion between guard and warehouse staff. This demonstrates:  

A. Failure of Std 2201  

B. Inherent limitation – collusion can override controls  

C. Management override of risk assessment  

D. Inadequate risk criteria  


*Answer: B*  

*Why others wrong*:  

A. 2201 done; limitation is reality, not Std breach.  

C. No mgmt override; collusion at staff level.  

D. Criteria not issue; collusion beats controls. Std 2120.


---


*Q12. Risk Universe – Completeness*

_Case_: CAE’s risk universe excludes “Climate risk” because “CFO says it’s not financial”. Under Std 2010, this is:  

A. Acceptable if CFO owns risk  

B. Deficient; risk universe must consider strategic, operations, compliance  

C. Acceptable for financial audit focus  

D. Only deficient if regulators require climate disclosure  


*Answer: B*  

*Why others wrong*:  

A. CAE responsible for comprehensive universe per 2010.A1.  

C. IA scope > financial; includes strategic/operational.  

D. Std requirement, not dependent on regulation.


---


*Q13. Residual Risk Above Appetite*

_Case_: After controls, risk of FCPA violation is “Medium” but board appetite is “Zero”. Per Std 2600, the CAE must:  

A. Accept mgmt’s risk decision silently  

B. Discuss with senior mgmt, then board if mgmt won’t act  

C. Immediately report to regulators  

D. Increase audit testing to lower risk  


*Answer: B*  

*Why others wrong*:  

A. 2600 requires escalation when mgmt accepts risk above appetite.  

C. No regulator reporting duty for IA.  

D. Testing doesn’t lower residual risk; controls do.


---


*Q14. Risk Interdependencies*

_Case_: IT risk “System outage” and Operational risk “Manual workaround failure” both rated Medium. Combined, they could halt sales = Critical. Audit plan should:  

A. Audit each separately as Medium  

B. Consider aggregated/interdependent risk as Critical per 2201  

C. Ignore since individual risks not High  

D. Only audit if outage occurred  


*Answer: B*  

*Why others wrong*:  

A. Siloed view misses aggregate impact. 2201.C1.  

C. Aggregation can create High from Mediums.  

D. Risk assessment is proactive, not reactive.


---


*Q15. Risk Assessment Documentation – Std 2330*

_Case_: CAE tells board “We used professional judgment” for risk rankings but has no matrices or rationale documented. This violates:  

A. Std 2120 – Risk Management  

B. Std 2201 – Planning Considerations  

C. Std 2330 – Documenting Information  

D. Std 2340 – Engagement Supervision  


*Answer: C*  

*Why others wrong*:  

A. 2120 = evaluate risk mgmt; issue is documentation.  

B. 2201 = consider risks; done but not documented.  

D. 2340 = supervision; root issue = no workpapers. 2330.A1 requires basis for conclusions.





CMA Part 1 Case-Based MCQs – Internal Control, COSO, COBIT, SOX, FCPA, Governance Questions and Answers


_2024-2025 Syllabus – Section E: Internal Controls_

Section A


*1. COSO 2013 – 5 Components + 17 Principles*

 

*Case 1: Control Environment* 

_Stem_: XYZ Co’s CEO sets aggressive sales targets and publicly rewards staff who “do whatever it takes” to meet quotas. The CFO overrides journal entries at quarter-end to avoid missing targets. Which COSO component is MOST deficient? 

A. Risk Assessment 

B. Control Environment 

C. Monitoring Activities 

D. Information & Communication 

*Interpret*: “Tone at top” + management override = Control Environment Principle 1: Integrity & Ethical Values 

*Answer: B*

 

*Case 2: Inherent Limitations* 

_Stem_: ABC Co implemented segregation of duties for cash receipts. However, the AR clerk and cashier colluded to steal customer payments and cover it with fake credit memos. This scheme was not detected for 8 months. This represents which inherent limitation of internal control? 

A. Cost vs benefit 

B. Human error 

C. Collusion 

D. Management override 

*Interpret*: Two employees working together to defeat SOD = Collusion beats controls 

*Answer: C*

 

*Case 3: Benefits vs Limitations* 

_Stem_: After implementing COSO framework, Controller claims “Our new controls will eliminate all fraud risk”. The CAE should respond that internal control can only provide: 

A. Absolute assurance 

B. Reasonable assurance 

C. Complete assurance 

D. Guaranteed prevention 

*Interpret*: COSO states “reasonable assurance” only due to collusion, override, cost/benefit 

*Answer: B*

 

---

 

*2. COBIT 2019 – IT Governance*

 

*Case 4: COBIT Domains* 

_Stem_: IT Manager implements automated access reviews every 90 days to remove terminated employee IDs from the ERP. This control aligns with which COBIT 2019 governance objective? 

A. DSS05 – Manage Security Services 

B. APO13 – Manage Security 

C. BAI09 – Manage Assets 

D. MEA03 – Manage Compliance 

*Interpret*: Managing user access = DSS05: Manage Security Services, Principle: Logical access 

*Answer: A*

 

*Case 5: COBIT vs COSO* 

_Stem_: Board asks if COBIT 2019 replaces COSO 2013 for overall internal control. Best response: 

A. Yes, COBIT is newer and more comprehensive 

B. No, COBIT is IT governance; COSO is enterprise-wide internal control 

C. Yes, but only for public companies 

D. No, COSO is only for financial reporting 

*Interpret*: COBIT = IT. COSO = entity-wide. Complementary, not replacement 

*Answer: B*

 

---

 

*3. SOX Requirements – Section 302 & 404*

 

*Case 6: SOX 302 Certification* 

_Stem_: CEO and CFO of a U.S. public company review the 10-K. The CFO knows of a material weakness in inventory controls but signs anyway because “it will be fixed next quarter”. This violates: 

A. SOX Section 404 

B. SOX Section 302 

C. FCPA accounting provisions 

D. COSO Principle 15 

*Interpret*: 302 = CEO/CFO certify reports + disclose deficiencies. Knowingly signing false = 302 violation 

*Answer: B*

 

*Case 7: SOX 404 Internal Control Report* 

_Stem_: External auditor tests controls and finds a “material weakness” in revenue. Management’s 404 report must: 

A. State controls are effective despite weakness 

B. Conclude internal control over financial reporting is NOT effective 

C. Omit the weakness if under $5M impact 

D. Be signed by audit committee only 

*Interpret*: Material weakness = adverse opinion. No materiality threshold for control deficiency 

*Answer: B*

 

---

 

*4. FCPA – Foreign Corrupt Practices Act*

 

*Case 8: FCPA Books & Records* 

_Stem_: US Co’s Brazil subsidiary pays $50,000 to a customs official to expedite goods. Local books record it as “consulting fees”. Which FCPA provision is violated? 

A. Anti-bribery only 

B. Accounting provisions only 

C. Both anti-bribery and accounting provisions 

D. Neither, if under $100,000 

*Interpret*: Bribe = anti-bribery. False “consulting” = books & records violation. No $ limit 

*Answer: C*

 

*Case 9: FCPA Internal Controls* 

_Stem_: Which FCPA requirement BEST aligns with COSO? 

A. Prohibition of bribes to foreign officials 

B. Requirement to maintain accurate books and system of internal accounting controls 

C. Disclosure of payments in 10-K 

D. 5-year statute of limitations 

*Interpret*: FCPA accounting provisions = accurate books + internal controls = COSO objective 

*Answer: B*

 

---

 

*5. Governance – Board vs Management Roles*

 

*Case 10: Governance Structure* 

_Stem_: The audit committee of a public company approves the internal audit plan and hires the CAE. The CEO directs the CAE to cancel an audit of executive travel expenses. Which governance principle is violated? 

A. Management’s responsibility for risk management 

B. Board oversight independence 

C. Internal audit’s organizational independence per IIA Std 1110 

D. SOX 301 audit committee responsibility 

*Interpret*: CAE should report functionally to board/AC. CEO directing cancels independence 

*Answer: C*

 

*Case 11: Three Lines Model* 

_Stem_: In the Three Lines Model, who owns risk and controls for the sales process? 

A. Internal Audit – 3rd line 

B. Compliance – 2nd line 

C. Sales Department – 1st line 

D. Board of Directors 

*Interpret*: 1st line = operational mgmt owns risk. 2nd = oversight. 3rd = independent assurance 

*Answer: C*

 

---

 

*6. Data Analytics + Tech Controls – 2024 Syllabus*

 

*Case 12: ITGC vs Application Control* 

_Stem_: ERP automatically blocks invoice posting if PO quantity is exceeded. A programmer changes the code without testing and tolerance is now 500%. This is a failure of: 

A. Application control 

B. IT General Control – Change Management 

C. Preventive control 

D. Detective control 

*Interpret*: Unauthorized code change = ITGC weakness. App control itself was bypassed due to ITGC fail 

*Answer: B*

 

*Case 13: Data Analytics Benefit* 

_Stem_: Internal audit uses data analytics to test 100% of journal entries for keywords “reverse”, “accrual”, “adjust” posted on weekends. This provides what benefit over sampling? 

A. Lower cost 

B. Complete population coverage + anomaly detection 

C. Elimination of all fraud 

D. Compliance with SOX 404 

*Interpret*: Data analytics = 100% test vs sample. Finds anomalies, not guarantee 

*Answer: B*

 

---

 

*7. How to Attack Case-Based IC Qs – 2024 Method*

 

1. *Find the control word*: “segregation”, “override”, “collusion”, “access”, “certify” → tags the topic

2. *Map to framework*: COSO 5 components, COBIT domains, SOX 302/404, FCPA provisions

3. *COSO default*: If Q mentions “tone”, “ethics”, “board” → Control Environment 

   If “risk ID”, “fraud risk” → Risk Assessment 

   If “policies”, “approvals” → Control Activities 

   If “reports”, “ERP” → Info & Communication 

   If “audits”, “reviews” → Monitoring

4. *Eliminate absolutes*: “Eliminates all risk” “Guarantees prevention” = always wrong

5. *SOX/FCPA rule*: SOX = US public co only. FCPA = any US co or issuer, anywhere

 

*8. High-Yield Terms to Know for Cases*

 

*COSO*: Control environment, risk appetite, inherent risk, residual risk, preventive vs detective, material weakness, significant deficiency 

*COBIT*: DSS05, APO13, BAI09, MEA, ITGC, application control, change management 

*SOX*: 302 certification, 404 management report + auditor attestation, 301 audit committee, 806 whistleblower 

*FCPA*: Anti-bribery, books & records, internal accounting controls, facilitating payments exception 

*Governance*: Three Lines Model, fiduciary duty, ERM, tone at the top

Section B

15 Case-Based MCQs – Internal Control, COSO, COBIT, SOX, FCPA, Governance – with a full explanation of why the three other options are wrong.


*Q1. COSO Control Environment*

_Case_: CEO frequently overrides the credit approval policy to land large sales before quarter-end. The CFO adjusts the allowance for doubtful accounts to keep net income on target. Which COSO principle is MOST violated? 

A. Risk Assessment – Principle 7: Identifies risks 

B. Control Environment – Principle 1: Commitment to integrity 

C. Control Activities – Principle 10: Selects controls 

D. Monitoring – Principle 16: Conducts evaluations 

 

*Answer: B* 

*Why others wrong*: 

A. Risk was identified; issue is mgmt ignoring controls, not ID failure. 

C. Control exists but is overridden; design ≠ issue. 

D. No mention of monitoring failure; tone at top is root cause.

 

---

 

*Q2. COSO Risk Assessment*

_Case_: ABC Co expanded to Brazil without assessing local bribery laws or currency controls. Six months later they paid $200K in fines for FCPA violations. Which COSO component failed FIRST? 

A. Control Activities 

B. Risk Assessment 

C. Information & Communication 

D. Monitoring Activities 

 

*Answer: B* 

*Why others wrong*: 

A. Can’t design controls if risk not identified first. 

C. Info not the issue; risk never assessed to communicate. 

D. Monitoring can’t catch unidentified risks.

 

---

 

*Q3. COSO Control Activities – Segregation of Duties*

_Case_: The AP clerk can add vendors, approve invoices, and print checks. To mitigate fraud, which SOD is MOST critical to separate? 

A. Vendor setup from invoice approval 

B. Invoice approval from check printing 

C. Check printing from bank reconciliation 

D. All three must be separate per COSO 

 

*Answer: A* 

*Why others wrong*: 

B. Still allows fake vendor + fake invoice combo. 

C. Recon is detective, not preventive for this fraud. 

D. COSO allows cost/benefit; A is highest risk pair.

 

---

 

*Q4. COSO Monitoring Activities*

_Case_: Internal audit performs an inventory count annually but mgmt never reviews variances or follows up. Inventory shrinkage increased 300%. This is a failure of: 

A. Control Activities 

B. Monitoring Activities 

C. Risk Assessment 

D. Control Environment 

 

*Answer: B* 

*Why others wrong*: 

A. Count was performed = activity existed. 

C. Risk of shrinkage was known; issue is no response. 

D. No evidence of bad tone; issue is no follow-up.

 

---

 

*Q5. Inherent Limitations – Collusion*

_Case_: Warehouse manager and shipping clerk collude to ship goods to a fake customer and write off as “damaged”. Physical counts match book. Which limitation made this possible? 

A. Management override 

B. Cost vs benefit 

C. Collusion 

D. Human error 

 

*Answer: C* 

*Why others wrong*: 

A. No senior mgmt involved; two employees colluded. 

B. SOD was in place; cost not the issue. 

D. Intentional fraud, not mistake.

 

---

 

*Q6. COBIT 2019 – DSS05*

_Case_: IT disabled password expiration for executives “for convenience”. A terminated VP’s account was used to alter sales data 90 days post-termination. This violates which COBIT objective? 

A. APO13 – Manage Security 

B. DSS05 – Manage Security Services 

C. BAI09 – Manage Assets 

D. MEA03 – Manage Compliance 

 

*Answer: B* 

*Why others wrong*: 

A. APO13 = plan security; issue is operating security. 

C. Account ≠ asset mgmt; it’s logical access. 

D. MEA = evaluate; failure was in execution.

 

---

 

*Q7. COBIT – ITGC vs Application*

_Case_: ERP has a 3-way match control: PO-GR-Invoice. IT migrates to cloud and the control stops working, but no one tests it post-migration. This is: 

A. Application control failure only 

B. ITGC change management failure 

C. COSO monitoring failure 

D. SOX 404 scope exclusion 

 

*Answer: B* 

*Why others wrong*: 

A. App control failed BECAUSE ITGC failed; root cause = change mgmt. 

C. COSO monitoring is broader; specific ITGC issue here. 

D. SOX 404 includes ITGC; can’t exclude.

 

---

 

*Q8. SOX 302 – Certification*

_Case_: CFO signs 10-Q but internal audit just reported a material weakness in revenue recognition not yet disclosed. CFO says “We’ll fix it before 10-K”. SOX 302 requires: 

A. Disclosure of weakness in 10-Q now 

B. Can delay until 10-K if remediation planned 

C. Only CEO must disclose, not CFO 

D. Disclosure only if auditor agrees 

 

*Answer: A* 

*Why others wrong*: 

B. 302 = current report; no delay allowed. 

C. Both CEO + CFO certify per 302. 

D. Mgmt’s responsibility, not auditor’s permission.

 

---

 

*Q9. SOX 404 – Material Weakness*

_Case_: External auditor concludes controls over financial reporting are ineffective due to material weakness. Management believes financials are fairly stated. Management’s 404 report should: 

A. State controls are effective because statements are right 

B. State controls are NOT effective due to material weakness 

C. Not issue a report if they disagree with auditor 

D. Issue report with “except for” qualification 

 

*Answer: B* 

*Why others wrong*: 

A. 404 = controls, not financials. Can have clean statements + bad controls. 

C. Public co must issue mgmt report per 404. 

D. “Except for” is auditor language; mgmt says effective or not.

 

---

 

*Q10. FCPA – Accounting Provisions*

_Case_: US Co hides $1M bribe to foreign minister by debiting “Marketing Expense” and crediting Cash. This violates FCPA because: 

A. Bribe exceeds $10,000 threshold 

B. Books must accurately reflect transactions 

C. Foreign minister is not “foreign official” 

D. Only SEC registrants need accurate books 

 

*Answer: B* 

*Why others wrong*: 

A. FCPA has no dollar threshold for books/records. 

C. Minister = foreign official under FCPA. 

D. Accounting provisions apply to all issuers, not just SEC.

 

---

 

*Q11. FCPA – Internal Controls*

_Case_: Subsidiary in Asia has no approval matrix; sales reps can authorize $500K discounts verbally. Which FCPA requirement is MOST at risk? 

A. Anti-bribery provision 

B. System of internal accounting controls 

C. Quarterly certification 

D. Whistleblower provision 

 

*Answer: B* 

*Why others wrong*: 

A. No bribe mentioned yet; control weakness is issue. 

C. FCPA doesn’t require quarterly certs; SOX does. 

D. Whistleblower = SOX 806, not FCPA.

 

---

 

*Q12. Governance – Three Lines*

_Case_: Compliance department reports to CFO and is told to “go easy” on sales audits before IPO. Under Three Lines Model, which line is compromised? 

A. 1st Line – Sales owns risk 

B. 2nd Line – Compliance independence 

C. 3rd Line – Internal Audit 

D. Board oversight 

 

*Answer: B* 

*Why others wrong*: 

A. Sales is 1st line but issue is oversight, not ownership. 

C. IA not mentioned; compliance = 2nd line. 

D. Board not in case; immediate issue is 2nd line pressure.

 

---

 

*Q13. ERM – Risk Appetite vs Tolerance*

_Case_: Board sets “zero tolerance for FCPA violations” but mgmt accepts $2M in high-risk agent commissions without due diligence to meet sales targets. This shows: 

A. Risk appetite exceeded 

B. Risk tolerance exceeded 

C. Both appetite and tolerance breached 

D. COSO Principle 6 failure only 

 

*Answer: C* 

*Why others wrong*: 

A. Appetite = zero; tolerance also zero if appetite zero. Breach = both. 

B. Can’t exceed tolerance without exceeding appetite here. 

D. Principle 6 = specify objectives; broader issue is breach.

 

---

 

*Q14. Data Analytics + Internal Control*

_Case_: Company uses RPA bot to post AP invoices. Bot has no exception report and was coded to accept duplicate invoice numbers. Month-end close had $3M duplicate payments. This is primarily a failure of: 

A. COSO Control Activities – Principle 10: Selects controls 

B. COSO Information & Communication – Principle 13: Quality info 

C. IT Application Control – Input/edit checks 

D. COBIT MEA03 – Monitor compliance 

 

*Answer: C* 

*Why others wrong*: 

A. Control was selected but coded wrong; specific app control fail. 

B. Info quality is output; issue is input control. 

D. MEA = monitoring; design failure came first.

 

---

 

*Q15. Benefits of Internal Control*

_Case_: After COSO implementation, controller tells board “We now have zero risk of financial misstatement”. CAE should clarify that internal control provides: 

A. Elimination of inherent risk 

B. Reasonable assurance, not absolute 

C. Guarantee against collusion 

D. Compliance with SOX 404 only 

 

*Answer: B* 

*Why others wrong*: 

A. Inherent risk always exists; controls reduce residual. 

C. Collusion is specific inherent limitation. 

D. COSO benefits > SOX; applies to all entities.

 

---

 

*How to Use These for Exam Prep*

 

1. *For each Q you miss*: Write “Rule tested” + “Why I picked wrong” + “Trap type” 

2. *Trap types*: Absolute words, SOX vs FCPA mix-up, COSO component confusion, ITGC vs App control 

3. *2024-2025 focus*: Expect 3-4 cases on data analytics, RPA, cyber, ESG controls in Section E/F 

 
