CIA Part 1
A) 50 Case-Based MCQs
*Domain II & III: Risk Assessment & Risk Management*
*2025 IIA Global Internal Audit Standards + Practice Guides*
*Case 1-10: Risk Assessment, Risk Types, Risk Profile*
*Case 1*
The CAE of TechCo is performing the annual risk assessment. Identified risks: 1) Cyber breach, 2) Key employee turnover, 3) New data law non-compliance, 4) USD/INR fluctuation.
*Q1. “Cyber breach” is best classified as:*
A. Strategic risk
B. Operational risk
C. Financial risk
D. Compliance risk
*Answer:*
*Q2. “New data law non-compliance” is:*
A. Strategic
B. Operational
C. Compliance
D. Reputational
*Answer:*
*Q3. “USD/INR fluctuation” is:*
A. Strategic risk
B. Financial/Market risk
C. Hazard risk
D. Operational risk
*Answer:*
*Q4. Risk profile of TechCo is:*
A. List of all controls
B. Composite view of types/levels of risk org faces at a point in time
C. Audit plan
D. Risk register only
*Answer:*
*Q5. Inherent risk means:*
A. Risk after controls
B. Risk before considering controls/mitigation
C. Residual risk
D. Risk appetite
*Answer:*
*Q6. Residual risk means:*
A. Risk before controls
B. Risk remaining after mgmt actions/controls
C. Inherent risk
D. Risk appetite
*Answer:*
*Q7. CAE ranks risks using Impact x Likelihood. This is:*
A. Risk appetite
B. Risk assessment – qualitative/quantitative analysis
C. Risk register
D. Control assessment
*Answer:*
*Q8. “Risk of key employee turnover” impacts ability to meet strategic goals. This is:*
A. Pure compliance risk
B. Strategic + Operational risk
C. Only financial
D. Not a risk
*Answer:*
*Q9. Hazard risk example:*
A. New competitor
B. Fire in factory
C. Interest rate change
D. Failed product launch
*Answer:*
*Q10. Risk assessment should be done:*
A. Once every 5 years
B. At least annually + when significant change occurs
C. Only by mgmt
D. Never by IA
*Answer:*
*Case 11-20: Risk Register, Risk Map, Risk Mapping*
*Case 2*
The risk register shows: “Vendor fraud – Impact: High, Likelihood: Medium, Owner: CPO, Control: 3-way match”. The CAE plots this on a 5x5 heat map.
*Q11. Risk register must contain at minimum:*
A. Audit findings only
B. Risk description, assessment, owner, response, status
C. Staff names
D. Budget
*Answer:*
*Q12. On 5x5 risk map, High Impact + Medium Likelihood plots as:*
A. Green zone
B. Yellow/Amber zone
C. Red zone
D. Not plotted
*Answer:*
*Q13. Risk mapping helps CAE to:*
A. Assign audit staff
B. Visualize & prioritize risks for audit planning
C. Set salaries
D. Approve vendors
*Answer:*
*Q14. “3-way match” control reduces which component?*
A. Impact
B. Likelihood of vendor fraud
C. Both
D. Neither
*Answer:*
*Q15. If control fails, residual risk moves:*
A. Down on map
B. Up towards inherent risk
C. Off the map
D. To green
*Answer:*
*Q16. Risk map limitation:*
A. Too accurate
B. Subjective scoring, ignores velocity/interdependency
C. Required by Standards
D. Replaces register
*Answer:*
*Q17. Risk velocity means:*
A. Speed at which risk impacts org once it occurs
B. Likelihood
C. Impact
D. Control cost
*Answer:*
*Q18. CAE finds risk not in register. Should:*
A. Ignore
B. Update register + assess per Std 9.1
C. Tell external audit
D. Remove other risks
*Answer:*
*Q19. Best owner for “cyber risk” in register:*
A. CAE
B. CISO/CIO – mgmt who can manage it
C. Board
D. External audit
*Answer:*
*Q20. Risk map color for Low Impact + Low Likelihood:*
A. Red
B. Amber
C. Green
D. Black
*Answer:*
*Case 21-30: Risk Management, Risk Strategy, Risk Appetite*
*Case 3*
The Board sets “Zero tolerance for safety incidents”. Management implements daily safety checks. Residual risk is still rated “Low”.
*Q21. “Zero tolerance” reflects:*
A. Risk capacity
B. Risk appetite – level of risk org willing to accept
C. Risk tolerance
D. Inherent risk
*Answer:*
*Q22. Risk tolerance is:*
A. Same as appetite
B. Acceptable variation around risk appetite
C. Unlimited
D. Set by IA
*Answer:*
*Q23. Risk capacity means:*
A. Max risk org can bear without threat to existence
B. Desired risk
C. Residual risk
D. Control level
*Answer:*
*Q24. Four risk responses per COSO:*
A. Avoid, Accept, Reduce, Share/Transfer
B. Ignore, Delay, Hide, Accept
C. Assess, Audit, Report, Close
D. High, Med, Low, Zero
*Answer:*
*Q25. “Buy cyber insurance” is:*
A. Avoid
B. Reduce
C. Share/Transfer
D. Accept
*Answer:*
*Q26. “Stop selling in high-risk country” is:*
A. Accept
B. Avoid
C. Share
D. Reduce
*Answer:*
*Q27. “Install firewall” is:*
A. Avoid
B. Accept
C. Reduce/Mitigate
D. Transfer
*Answer:*
*Q28. Board accepts “Medium” cyber risk due to cost. This is:*
A. Avoid
B. Accept – within appetite
C. Transfer
D. Violation
*Answer:*
*Q29. Risk strategy must align with:*
A. Audit plan only
B. Organizational objectives & strategy
C. Staff preference
D. External audit
*Answer:*
*Q30. CAE role in risk management per Std 9.1:*
A. Own risks
B. Provide assurance on effectiveness of risk mgmt processes
C. Set appetite
D. Manage risks
*Answer:*
*Case 31-40: Risk Maturity Model*
*Case 4*
The CAE assesses ERM and finds: risks identified ad hoc, no formal register, no appetite statement, management reacting to events.
*Q31. This ERM maturity level is:*
A. Optimized
B. Managed
C. Defined
D. Initial/Ad-hoc
*Answer:*
*Q32. “Optimized” maturity means:*
A. No process
B. Risk mgmt embedded, continuous improvement, quantitative
C. Only policies exist
D. Firefighting
*Answer:*
*Q33. Risk Maturity Model helps:*
A. Set audit fees
B. Benchmark org’s ERM vs best practice, guide improvement
C. Punish mgmt
D. Replace audit
*Answer:*
*Q34. At “Defined” level, org has:*
A. No documentation
B. Formal policy, process, roles defined, but not fully consistent
C. Continuous monitoring
D. Predictive analytics
*Answer:*
*Q35. IA can use maturity model to:*
A. Replace risk assessment
B. Provide advice to mgmt on improving ERM per Std 9.1
C. Rate individuals
D. Set strategy
*Answer:*
*Q36. Key attribute of “Managed” level:*
A. Ad-hoc
B. Processes measured, controlled, some metrics
C. Optimized
D. None
*Answer:*
*Q37. Moving from Initial to Defined requires:*
A. Nothing
B. Documented policy, risk register, assigned owners
C. AI tools
D. CAE approval
*Answer:*
*Q38. Which is NOT a risk maturity model:*
A. COSO ERM
B. ISO 31000
C. RIMS RMM
D. IFRS 9
*Answer:*
*Q39. Board asks CAE “How mature is our ERM?”. CAE should:*
A. Refuse
B. Assess using model + provide opinion per Std 9.1
C. Ask consultant
D. Say “good”
*Answer:*
*Q40. Optimized org uses:*
A. Gut feel
B. Key Risk Indicators + Predictive analytics + integrated GRC
C. Spreadsheets only
D. No reporting
*Answer:*
*Case 41-50: Mixed – Application*
*Case 5*
New product launch risk: Impact High, Likelihood High, Velocity Fast. No controls are in place.
*Q41. Inherent risk plots where on 5x5 map?*
A. Green
B. Amber
C. Red – top right
D. Bottom left
*Answer:*
*Q42. Velocity “Fast” means CAE should:*
A. Audit annually
B. Prioritize + continuous monitoring
C. Ignore
D. Defer 3 years
*Answer:*
*Q43. Mgmt decides to launch anyway. This is:*
A. Avoid
B. Accept – outside appetite; if the Board approves, the decision must be documented
C. Transfer
D. Reduce
*Answer:*
*Q44. CAE adds risk to risk register. Next step:*
A. Close
B. Validate controls + assess residual risk
C. Delete old risks
D. Email CEO
*Answer:*
*Q45. Emerging risk example:*
A. Last year’s fire
B. AI regulation not yet passed but expected
C. Paid invoice
D. Closed audit
*Answer:*
*Q46. Top-down risk assessment starts with:*
A. Transaction testing
B. Strategic objectives, then risks to objectives
C. Control testing
D. Staff interviews only
*Answer:*
*Q47. Bottom-up risk assessment starts with:*
A. Board strategy
B. Process-level risks rolled up
C. Appetite
D. Audit plan
*Answer:*
*Q48. Best practice: Combine top-down + bottom-up because:*
A. Not needed
B. Ensures strategic + operational risks captured
C. Wastes time
D. Only top-down allowed
*Answer:*
*Q49. Risk universe includes:*
A. Only auditable areas
B. All potential risks from all sources across org
C. Past risks only
D. External risks only
*Answer:*
*Q50. Per 2025 Standards, CAE must consider risk when developing audit plan per:*
A. Std 4.2 Proficiency
B. Std 9.4 Internal Audit Plan – based on risk assessment
C. Std 6.1 Mandate
D. Std 11.1 Communication
*Answer:*
www.GMSIsuccess.in
B) Below are 20 advanced, case‑based MCQs on risk assessment and related topics aligned to the CIA Part 1 (2025) syllabus. Each question is written as a short case requiring analysis, and each answer cites an authoritative source. Use these for practice and exam-style reasoning.
Instructions: choose the best answer for each question. Each question’s answer and rationale follow it.
1) Case: A multinational manufacturer centralizes risk reporting but local plants still keep separate risk registers that are rarely consolidated into the corporate register. Senior management receives an aggregated report quarterly that shows low residual risk across most categories. Which audit finding is most likely accurate?
A. Risk registers are complete and residual risks are low.
B. Risk aggregation and reporting processes are weak, causing understatement of enterprise risk.
C. Quarterly reporting frequency is sufficient for enterprise risk management.
D. Local registers should be eliminated to improve control.
Answer:
2) Case: An organization’s ERM maturity assessment shows strong risk identification but poor linkage between risk appetite and risk response. Which maturity gap does this represent?
A. Culture and tone at the top.
B. Risk measurement and analytics.
C. Strategy alignment and risk appetite integration.
D. Risk event reporting.
Answer:
3) Case: The CAE plans a risk‑based audit plan. Management has a formal risk map showing inherent and residual risk scored by likelihood and impact, but no documented rationale for controls effectiveness. What should the auditor do first?
A. Use the risk map as-is and schedule audits by highest residual risk.
B. Request the risk register and test control effectiveness asserted by management.
C. Ignore the risk map and conduct a full-scope financial audit.
D. Recommend outsourcing risk scoring.
Answer:
4) Case: A bank’s risk owner for cyber risk is the CIO, but risk treatment decisions (budget, vendor selection) are made by business unit heads without CIO involvement. What control weakness does this show?
A. Segregation of duties.
B. Lack of clear accountability and authority of the risk owner.
C. Over-reliance on technology controls.
D. Poor IT governance only.
Answer:
5) Case: During audit planning, you see the organization’s risk strategy prioritizes reputation, regulatory, and financial risks. The audit resource allocation focuses largely on operational efficiency risks. What is the auditor’s best conclusion?
A. Audit plan is well diversified.
B. Audit resource allocation is not aligned with the organization’s risk strategy.
C. Operational risks are always higher priority than reputation.
D. No action—audit independence prevents alignment.
Answer:
6) Case: A company’s risk register lists dozens of low-likelihood risks each with high impact, without inherent/residual scoring or owner assignment. What is the primary deficiency?
A. Overestimation of risk likelihood.
B. Lack of structured risk scoring and ownership.
C. Too many risks listed—register should contain only top 10.
D. Use of qualitative rather than quantitative methods.
Answer:
7) Case: The board sets a conservative risk appetite but management interprets it as permissive and funds many high-risk initiatives. Which monitoring mechanism would best detect and prevent this divergence?
A. Annual external audit only.
B. Structured KRIs linked to appetite thresholds and regular reporting to the board.
C. Ad hoc CEO briefings.
D. Informal discussions in management meetings.
Answer:
8) Case: In a maturity assessment the organization scores high on processes but low on risk culture. What audit approach best addresses this?
A. Focus only on process testing since processes are mature.
B. Expand audits to include behavior indicators, tone at the top, and training effectiveness.
C. Remove culture from scope since it’s hard to measure.
D. Outsource culture assessment.
Answer:
9) Case: Management’s risk map shows a manufacturing safety hazard scored high. Controls exist but there are frequent near-misses. As an auditor, what evidence best tests control effectiveness?
A. Review the map and accept the residual scoring.
B. Examine incident logs, root cause analyses, and control monitoring records.
C. Interview managers only.
D. Compare to industry accident rates only.
Answer:
10) Case: A small nonprofit uses a single spreadsheet for its risk register with no version control, and several owners email updates. What is the key audit recommendation?
A. Continue with the spreadsheet but increase email frequency.
B. Implement a controlled risk register (tool/process) and formal change/version controls.
C. Eliminate the register—too risky to maintain.
D. Move to a paper-based binder.
Answer:
11) Case: An insurer’s enterprise risk management program uses scenario analysis and stress testing for tail risks, but auditors find inconsistent documentation of assumptions. What is the likely impact?
A. Better risk insights.
B. Reduced comparability and questionable reliability of stress results.
C. No impact—stress testing is qualitative.
D. Only actuarial teams are affected.
Answer:
12) Case: A risk owner receives a high-impact risk notification but lacks budget authority to implement remediation. Which principle is breached?
A. Risk tolerance.
B. Risk-ownership accountability (authority to act).
C. Risk identification.
D. Control self-assessment.
Answer:
13) Case: The audit team wants to prioritize audits using a risk map that shows clustering of high likelihood/low impact risks in one quadrant and low likelihood/high impact in another. For enterprise focus, which risks should get priority?
A. High likelihood/low impact only.
B. Low likelihood/high impact only.
C. Both—consider risk appetite, detectability, and potential aggregation effects.
D. Neither—prioritize based on management preference.
Answer:
14) Case: A company’s risk maturity model scores low on integration with strategy but high on tools and processes. Management claims tooling will fix it. As an auditor, what observation is most appropriate?
A. Tools alone won’t ensure strategic integration; governance and incentives must align.
B. Tools will automatically drive integration.
C. Low strategic integration is irrelevant if tools exist.
D. Recommend buying more tools.
Answer:
15) Case: During walkthroughs you find the risk register’s treatment status field marked “implemented” but no post‑implementation testing exists. What is the correct audit conclusion?
A. Treatments are effective because they’re implemented.
B. Implementation without testing does not demonstrate control effectiveness; further testing is required.
C. Audit should accept management’s word.
D. Close the audit—no further work.
Answer:
16) Case: A company uses qualitative scoring only. Senior leaders ask auditors whether quantitative scoring is necessary. What’s the sound audit perspective?
A. Qualitative suffices always.
B. Quantitative methods add rigor for measurable risks but qualitative is acceptable when metrics are absent; selection should match the risk type and data availability.
C. Quantitative is mandatory per IIA.
D. Remove scoring entirely.
Answer:
17) Case: The audit plan lists a top‑risk process but the named risk owner is a recently hired VP with no documentation of handover. What should the audit focus on?
A. Evaluate the transition governance, documentation of responsibilities, and competence of the new owner.
B. Ignore ownership and audit the process.
C. Recommend immediate removal of the VP.
D. Defer audit until the owner is fully settled.
Answer:
18) Case: Enterprise stress testing identifies capital adequacy concerns under extreme scenarios, but the risk strategy lacks predefined triggers for capital actions. What gap exists?
A. Inadequate scenario complexity.
B. Missing risk appetite thresholds and actionable contingency plans.
C. Too conservative capital planning.
D. Missing external audit signoff.
Answer:
19) Case: A risk-based audit methodology ranks area A as medium risk, but area A experienced a major control failure last quarter. What should the auditor do now?
A. Reassess risk scoring, increase audit coverage, and investigate root causes of the control failure.
B. Keep the original ranking—past events are irrelevant.
C. Reduce audit coverage since issues were already found.
D. Close the file.
Answer:
20) Case: Board members receive a condensed risk heat map but request narrative examples and aggregated KRI trends to understand context. As internal audit leader, what should you provide?
A. Only the heat map—boards prefer visuals.
B. Heat map plus concise narratives, KRI trend charts, and movement analysis linking risks to strategy.
C. Raw data only.
D. Verbal summary in the next meeting only.
Answer: