CIA Part 1 – 2025 Syllabus, Topic: Risk Assessment – 15 Case-Based MCQs
(Answers provided at the end; first solve, then check yourself)
_Based on IIA Standards 2120, 2201, 2210 + 2019 IPPF_
*Q1. Inherent vs Residual Risk*
_Case_: CAE assesses that cyber-attack risk for the e-commerce platform is “High” before any controls. After implementing firewalls, MFA, and 24/7 SOC monitoring, risk is “Medium”. The “Medium” rating represents:
A. Inherent risk
B. Residual risk
C. Risk appetite
D. Risk tolerance
*Answer:
*Q2. Risk Assessment in Audit Planning – Std 2201*
_Case_: During annual planning, CAE allocates 400 hours to Payroll and 40 hours to Cash. Cash has high fraud history and low controls. Payroll has strong controls and no issues in 3 years. This planning approach violates:
A. Std 2010 – Planning
B. Std 2201 – Planning Considerations
C. Std 2130 – Control
D. Std 1220 – Due Professional Care
*Answer:
*Q3. Risk Appetite vs Risk Tolerance*
_Case_: Board states “We have zero appetite for FCPA violations”. Management accepts a distributor in a high-corruption country without due diligence to meet sales goals. This situation indicates:
A. Risk appetite was appropriate
B. Risk tolerance was exceeded
C. Both appetite and tolerance were breached
D. Only inherent risk increased
*Answer:
*Q4. Fraud Risk Assessment – Std 2120.A2*
_Case_: IA is planning a Procurement audit. Management says “We trust our buyers; no fraud possible”. Per Standards, the auditor MUST:
A. Accept management’s assertion if controls look strong
B. Independently consider fraud risk regardless of mgmt views
C. Only assess fraud if prior incidents occurred
D. Defer fraud assessment to external auditors
*Answer:
*Q5. Risk Matrix – Likelihood vs Impact*
_Case_: Risk register shows “Data breach: Likelihood = Low, Impact = Critical”. CAE ranks it as “High Priority” for audit. CFO argues “Low likelihood means low priority”. CAE’s ranking is BEST supported because:
A. Impact drives priority when critical, per risk appetite
B. All cyber risks are always high priority
C. Likelihood is irrelevant in risk assessment
D. CFO lacks authority over audit plan
*Answer:
*Q6. Control Risk vs Detection Risk*
_Case_: Audit of Revenue: Inherent risk = High due to complex ASC 606. Control risk = High due to weak ITGC. To keep audit risk low, detection risk must be:
A. High
B. Low
C. Medium
D. Unaffected
*Answer:
*Q7. Continuous Risk Assessment – Agile Auditing*
_Case_: Mid-year, a ransomware attack hits the industry. The approved audit plan had no IT audits. Per IIA guidance, the CAE should:
A. Wait for next annual plan to add cyber audit
B. Update risk assessment and adjust plan immediately per Std 2010.A1
C. Only audit cyber if board requests it
D. Add cyber to next year since impact unknown
*Answer:
*Q8. Risk Criteria – Std 2210.A1*
_Case_: IA will audit ESG reporting. Management has no formal ESG policy. Which criteria should IA use to assess risk?
A. No audit possible without mgmt criteria
B. COSO ERM, SASB, GRI, or industry benchmarks
C. Only financial materiality thresholds
D. Prior year’s audit program
*Answer:
*Q9. Emerging Risk – 2025 Hot Topic*
_Case_: Company implements AI for credit decisions. No one in IA understands AI algorithms. Per Std 1210.A1, the CAE should:
A. Exclude AI from audit universe due to lack of skill
B. Obtain competency via training or co-sourcing before auditing
C. Rely on management’s AI vendor certification
D. Audit only manual controls around AI
*Answer:
*Q10. Risk Assessment Tools – Data Analytics*
_Case_: To assess AP fraud risk, IA runs 100% data analytics for: duplicate vendors, round-dollar payments, weekend postings. This technique BEST supports:
A. Std 2320 – Analysis and Evaluation
B. Std 2120.A1 – Risk assessment to develop audit plan
C. Std 2330 – Documenting Information
D. Std 2410 – Criteria for Communicating
*Answer:
*Q11. Inherent Limitations in Risk Assessment*
_Case_: Risk assessment rated “Inventory theft” as Low due to cameras. Theft occurred via collusion between guard and warehouse staff. This demonstrates:
A. Failure of Std 2201
B. Inherent limitation – collusion can override controls
C. Management override of risk assessment
D. Inadequate risk criteria
*Answer:
*Q12. Risk Universe – Completeness*
_Case_: CAE’s risk universe excludes “Climate risk” because “CFO says it’s not financial”. Under Std 2010, this is:
A. Acceptable if CFO owns risk
B. Deficient; risk universe must consider strategic, operations, compliance
C. Acceptable for financial audit focus
D. Only deficient if regulators require climate disclosure
*Answer:
*Q13. Residual Risk Above Appetite*
_Case_: After controls, risk of FCPA violation is “Medium” but board appetite is “Zero”. Per Std 2600, the CAE must:
A. Accept mgmt’s risk decision silently
B. Discuss with senior mgmt, then board if mgmt won’t act
C. Immediately report to regulators
D. Increase audit testing to lower risk
*Answer:
*Q14. Risk Interdependencies*
_Case_: IT risk “System outage” and Operational risk “Manual workaround failure” both rated Medium. Combined, they could halt sales = Critical. Audit plan should:
A. Audit each separately as Medium
B. Consider aggregated/interdependent risk as Critical per 2201
C. Ignore since individual risks not High
D. Only audit if outage occurred
*Answer:
*Q15. Risk Assessment Documentation – Std 2330*
_Case_: CAE tells board “We used professional judgment” for risk rankings but has no matrices or rationale documented. This violates:
A. Std 2120 – Risk Management
B. Std 2201 – Planning Considerations
C. Std 2330 – Documenting Information
D. Std 2340 – Engagement Supervision
*Answer:
*Exam Tips for CIA Part 1 Risk Assessment Qs – 2025*
1. *Std numbers*: 2120 = risk mgmt. 2201 = planning. 2210 = objectives. 2600 = escalate risk. Memorize pairs.
2. *Agile/Tech terms*: “Continuous risk assessment”, “data analytics”, “AI risk” = Domain III weight ↑
3. *Never pick*: “Ignore risk if mgmt says low”, “Only audit after loss”, “Exclude due to no skill”
4. *Always pick*: “Independent assessment”, “Update plan for emerging risk”, “Document basis”
5. *Formula*: Audit Risk = IR × CR × DR. If 2 are High, 3rd must be Low.
www.gmsisuccess.in
CIA Part 1 – 2025 Syllabus, Topic: Risk Assessment – 15 Case-Based MCQs with Explanations
_Based on IIA Standards 2120, 2201, 2210 + 2019 IPPF_
---
*Q1. Inherent vs Residual Risk*
_Case_: CAE assesses that cyber-attack risk for the e-commerce platform is “High” before any controls. After implementing firewalls, MFA, and 24/7 SOC monitoring, risk is “Medium”. The “Medium” rating represents:
A. Inherent risk
B. Residual risk
C. Risk appetite
D. Risk tolerance
*Answer: B*
*Why others wrong*:
A. Inherent = before controls; “High” was inherent.
C. Appetite = level willing to accept; not a rating of current risk.
D. Tolerance = acceptable variance; not the risk level itself. Std 2120.
---
*Q2. Risk Assessment in Audit Planning – Std 2201*
_Case_: During annual planning, CAE allocates 400 hours to Payroll and 40 hours to Cash. Cash has high fraud history and low controls. Payroll has strong controls and no issues in 3 years. This planning approach violates:
A. Std 2010 – Planning
B. Std 2201 – Planning Considerations
C. Std 2130 – Control
D. Std 1220 – Due Professional Care
*Answer: B*
*Why others wrong*:
A. 2010 = risk-based plan exists; issue is HOW hours allocated per 2201.
C. 2130 = evaluate controls; planning precedes that.
D. 1220 = skill/care; problem is risk consideration, not competence. 2201.C1 requires risk assessment to prioritize.
---
*Q3. Risk Appetite vs Risk Tolerance*
_Case_: Board states “We have zero appetite for FCPA violations”. Management accepts a distributor in a high-corruption country without due diligence to meet sales goals. This situation indicates:
A. Risk appetite was appropriate
B. Risk tolerance was exceeded
C. Both appetite and tolerance were breached
D. Only inherent risk increased
*Answer: C*
*Why others wrong*:
A. Appetite = zero; action violated it.
B. If appetite is zero, tolerance is also zero; both breached.
D. Management action changed residual risk, not just inherent. Std 2120.A1.
---
*Q4. Fraud Risk Assessment – Std 2120.A2*
_Case_: IA is planning a Procurement audit. Management says “We trust our buyers; no fraud possible”. Per Standards, the auditor MUST:
A. Accept management’s assertion if controls look strong
B. Independently consider fraud risk regardless of mgmt views
C. Only assess fraud if prior incidents occurred
D. Defer fraud assessment to external auditors
*Answer: B*
*Why others wrong*:
A. 2120.A2 requires auditor’s own fraud risk consideration.
C. Absence of history ≠ absence of risk.
D. IA cannot delegate Std 2120 responsibilities.
---
*Q5. Risk Matrix – Likelihood vs Impact*
_Case_: Risk register shows “Data breach: Likelihood = Low, Impact = Critical”. CAE ranks it as “High Priority” for audit. CFO argues “Low likelihood means low priority”. CAE’s ranking is BEST supported because:
A. Impact drives priority when critical, per risk appetite
B. All cyber risks are always high priority
C. Likelihood is irrelevant in risk assessment
D. CFO lacks authority over audit plan
*Answer: A*
*Why others wrong*:
B. Not all cyber = high; depends on impact + appetite.
C. Likelihood matters, but critical impact can override low likelihood.
D. CFO input considered, but 2201 says CAE uses risk assessment.
---
*Q6. Control Risk vs Detection Risk*
_Case_: Audit of Revenue: Inherent risk = High due to complex ASC 606. Control risk = High due to weak ITGC. To keep audit risk low, detection risk must be:
A. High
B. Low
C. Medium
D. Unaffected
*Answer: B*
*Why others wrong*:
A. Audit Risk = IR × CR × DR. If IR & CR high, DR must be low to compensate.
C. Medium DR would leave audit risk high.
D. DR is the only component the auditor directly controls. Std 2310.
---
*Q7. Continuous Risk Assessment – Agile Auditing*
_Case_: Mid-year, a ransomware attack hits the industry. The approved audit plan had no IT audits. Per IIA guidance, the CAE should:
A. Wait for next annual plan to add cyber audit
B. Update risk assessment and adjust plan immediately per Std 2010.A1
C. Only audit cyber if board requests it
D. Add cyber to next year since impact unknown
*Answer: B*
*Why others wrong*:
A. 2010.A1 requires updates for significant changes.
C. CAE must act on risk, not wait for board.
D. Waiting ignores due care 1220.A1.
---
*Q8. Risk Criteria – Std 2210.A1*
_Case_: IA will audit ESG reporting. Management has no formal ESG policy. Which criteria should IA use to assess risk?
A. No audit possible without mgmt criteria
B. COSO ERM, SASB, GRI, or industry benchmarks
C. Only financial materiality thresholds
D. Prior year’s audit program
*Answer: B*
*Why others wrong*:
A. 2210.A1: Auditor must establish criteria if mgmt hasn’t.
C. ESG risks ≠ only financial.
D. Prior year irrelevant if business changed.
---
*Q9. Emerging Risk – 2025 Hot Topic*
_Case_: Company implements AI for credit decisions. No one in IA understands AI algorithms. Per Std 1210.A1, the CAE should:
A. Exclude AI from audit universe due to lack of skill
B. Obtain competency via training or co-sourcing before auditing
C. Rely on management’s AI vendor certification
D. Audit only manual controls around AI
*Answer: B*
*Why others wrong*:
A. Cannot ignore high risk due to lack of skill; must obtain it.
C. 1220.A2: Can’t rely solely on mgmt.
D. Manual controls insufficient if algorithm is biased.
---
*Q10. Risk Assessment Tools – Data Analytics*
_Case_: To assess AP fraud risk, IA runs 100% data analytics for: duplicate vendors, round-dollar payments, weekend postings. This technique BEST supports:
A. Std 2320 – Analysis and Evaluation
B. Std 2120.A1 – Risk assessment to develop audit plan
C. Std 2330 – Documenting Information
D. Std 2410 – Criteria for Communicating
*Answer: B*
*Why others wrong*:
A. 2320 = during fieldwork; this is planning risk ID.
C. 2330 = documentation, not risk ID.
D. 2410 = reporting; this is pre-engagement.
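The three full-population AP analytics named in Q10, as an added worked example that is not part of the original exam-prep page: it runs duplicate-vendor, round-dollar and weekend-posting tests over a small constructed ledger and then combines the flags per payment so the highest-risk items surface first for planning. The field names, the sample rows and the round-dollar multiple of 1,000 are assumptions for illustration.

```python
"""Full-population AP risk analytics (added example; ledger rows are constructed)."""
import re
from collections import defaultdict
from datetime import date

# Constructed AP sample: (payment_id, vendor_name, bank_account, amount, posting_date)
AP_PAYMENTS = [
    ("P001", "Acme Supplies Ltd",     "GB11-0001",  1234.56, date(2025, 3, 3)),  # Mon
    ("P002", "ACME SUPPLIES, LTD.",   "GB11-0001",  5000.00, date(2025, 3, 8)),  # Sat, round
    ("P003", "Northwind Traders",     "GB11-0002",   820.40, date(2025, 3, 5)),  # Wed
    ("P004", "Blue Ocean Logistics",  "GB11-0003", 10000.00, date(2025, 3, 9)),  # Sun, round
    ("P005", "Northwind Trading",     "GB11-0002",   799.99, date(2025, 3, 6)),  # Thu
    ("P006", "Zeta Consulting",       "GB11-0004",  3000.00, date(2025, 3, 4)),  # Tue, round
]


def normalize_vendor(name):
    """Collapse case, punctuation and common legal suffixes so that near-duplicate
    vendor-master entries ("Acme Supplies Ltd" / "ACME SUPPLIES, LTD.") compare equal."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(r"\b(ltd|limited|inc|llc|co|corp)\b", " ", n)
    return " ".join(n.split())


def duplicate_vendors(payments):
    """Return groups of payment ids whose payees look like one vendor under
    different names: same normalized name OR the same bank account."""
    by_name, by_bank = defaultdict(set), defaultdict(set)
    for pid, vendor, bank, _, _ in payments:
        by_name[normalize_vendor(vendor)].add(pid)
        by_bank[bank].add(pid)
    groups = {frozenset(g) for g in list(by_name.values()) + list(by_bank.values()) if len(g) > 1}
    return sorted(sorted(g) for g in groups)


def round_dollar_payments(payments, multiple=1000):
    """Payments that are an exact multiple of `multiple` (assumed threshold).
    Amounts are compared in cents to avoid floating-point surprises."""
    step = multiple * 100
    return [pid for pid, _, _, amount, _ in payments if round(amount * 100) % step == 0]


def weekend_postings(payments):
    """Payments posted on a Saturday or Sunday (weekday() 5 or 6)."""
    return [pid for pid, _, _, _, posted in payments if posted.weekday() >= 5]


def flag_summary(payments):
    """Combine the three tests into one dict: payment_id -> list of flags raised.
    Payments with several flags are the natural first candidates for the audit plan."""
    flags = defaultdict(list)
    for group in duplicate_vendors(payments):
        for pid in group:
            flags[pid].append("duplicate_vendor")
    for pid in round_dollar_payments(payments):
        flags[pid].append("round_dollar")
    for pid in weekend_postings(payments):
        flags[pid].append("weekend_posting")
    return dict(flags)


if __name__ == "__main__":
    for pid, raised in sorted(flag_summary(AP_PAYMENTS).items(), key=lambda kv: -len(kv[1])):
        print(pid, raised)
```

Each test is deliberately a separate function so the risk-assessment step can report which indicator fired; a payment carrying all three flags (here P002) is the kind of item a CAE would prioritise in the plan, while a single weekend posting on its own may simply be a month-end batch.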
---
*Q11. Inherent Limitations in Risk Assessment*
_Case_: Risk assessment rated “Inventory theft” as Low due to cameras. Theft occurred via collusion between guard and warehouse staff. This demonstrates:
A. Failure of Std 2201
B. Inherent limitation – collusion can override controls
C. Management override of risk assessment
D. Inadequate risk criteria
*Answer: B*
*Why others wrong*:
A. 2201 was followed; the limitation is a reality of controls, not a breach of the Standard.
C. No mgmt override; collusion at staff level.
D. Criteria not issue; collusion beats controls. Std 2120.
---
*Q12. Risk Universe – Completeness*
_Case_: CAE’s risk universe excludes “Climate risk” because “CFO says it’s not financial”. Under Std 2010, this is:
A. Acceptable if CFO owns risk
B. Deficient; risk universe must consider strategic, operations, compliance
C. Acceptable for financial audit focus
D. Only deficient if regulators require climate disclosure
*Answer: B*
*Why others wrong*:
A. CAE responsible for comprehensive universe per 2010.A1.
C. IA scope > financial; includes strategic/operational.
D. Std requirement, not dependent on regulation.
---
*Q13. Residual Risk Above Appetite*
_Case_: After controls, risk of FCPA violation is “Medium” but board appetite is “Zero”. Per Std 2600, the CAE must:
A. Accept mgmt’s risk decision silently
B. Discuss with senior mgmt, then board if mgmt won’t act
C. Immediately report to regulators
D. Increase audit testing to lower risk
*Answer: B*
*Why others wrong*:
A. 2600 requires escalation when mgmt accepts risk above appetite.
C. No regulator reporting duty for IA.
D. Testing doesn’t lower residual risk; controls do.
---
*Q14. Risk Interdependencies*
_Case_: IT risk “System outage” and Operational risk “Manual workaround failure” both rated Medium. Combined, they could halt sales = Critical. Audit plan should:
A. Audit each separately as Medium
B. Consider aggregated/interdependent risk as Critical per 2201
C. Ignore since individual risks not High
D. Only audit if outage occurred
*Answer: B*
*Why others wrong*:
A. Siloed view misses aggregate impact. 2201.C1.
C. Aggregation can create High from Mediums.
D. Risk assessment is proactive, not reactive.
---
*Q15. Risk Assessment Documentation – Std 2330*
_Case_: CAE tells board “We used professional judgment” for risk rankings but has no matrices or rationale documented. This violates:
A. Std 2120 – Risk Management
B. Std 2201 – Planning Considerations
C. Std 2330 – Documenting Information
D. Std 2340 – Engagement Supervision
*Answer: C*
*Why others wrong*:
A. 2120 = evaluate risk mgmt; issue is documentation.
B. 2201 = consider risks; done but not documented.
D. 2340 = supervision; root issue = no workpapers. 2330.A1 requires basis for conclusions.