ISO 21500 & PMBOK: CISA cerification

 important points for ISO 21500 & PMBOK for CISA Certification Exam

ISO 21500 and PMBOK provide foundational project management frameworks relevant to CISA Domain 3 on information systems acquisition, development, and implementation, emphasizing governance, risk, and controls in IT projects.[1] For the CISA exam, auditors evaluate project governance using these standards to ensure alignment with business objectives and effective control design.[1][2]

## ISO 21500 Key Points

ISO 21500 offers high-level guidance on project management processes, applicable to any organization or project size.[3][3] It structures processes around five lifecycle stages: Initiating, Planning, Implementing, Controlling, and Closing, with subject groups including integration, scope, time, cost, risk, quality, resource, stakeholder, communication, and procurement.[3][1][3] The standard focuses on concepts, inputs, and outputs without detailing tools or techniques, promoting good practices like stakeholder alignment and continuous improvement.[4][5]

## PMBOK Key Points

PMBOK, particularly the 7th edition, emphasizes 6 core principles: holistic view, value focus, quality embedding, accountable leadership, sustainability integration, and empowered culture.[6] It covers 10 knowledge areas (e.g., scope, schedule, cost, quality, resource, communication, risk, procurement, stakeholder, integration) mapped to 5 process groups matching ISO 21500's lifecycle.[7][5] Inputs, Tools & Techniques, and Outputs (ITTOs) guide detailed process execution, crucial for CISA topics like feasibility analysis and SDLC controls.[7][8]

## CISA Exam Relevance

In CISA Domain 3 (12% weight), auditors assess project governance, business cases, SDLC methodologies, and post-implementation reviews using ISO 21500 and PMBOK principles.[1][2] Key exam focuses include risk management, control identification, system readiness testing, and ensuring IT projects meet objectives via structured lifecycle oversight.[1][8] ISO 21500 serves as a process-oriented international baseline, while PMBOK adds depth for auditing project alignment and efficiency.[5][9]

www.gmsisuccess.in

---

🔹 ISO 21500 – IMPORTANT POINTS FOR CISA

1️⃣ Nature of ISO 21500

• Guidance standard, NOT certifiable ❌
• Provides high-level framework for project management
• No mandatory processes, only recommended practices
• Designed for organizations & governance, not just project managers

📌 CISA Trap:

If question asks about certification, compliance, audit checklist → NOT ISO 21500

---

2️⃣ ISO 21500 Structure

ISO 21500 has 2 main dimensions:

A. Process Groups (5)

Same names as PMBOK:

1. Initiating
2. Planning
3. Implementing (≠ Executing) ⚠️
4. Controlling
5. Closing

📌 Exam Trap:
PMBOK uses Executing, ISO uses Implementing

---

B. Subject Groups (10)

(similar but not identical to PMBOK knowledge areas)

1. Integration
2. Stakeholder
3. Scope
4. Resource
5. Time
6. Cost
7. Risk
8. Quality
9. Procurement
10. Communication

📌 Key Difference:

• Stakeholder is a separate group in ISO (earlier than PMBOK 6)

---

3️⃣ Governance Focus (VERY IMPORTANT FOR CISA)

• Emphasizes:
  • Alignment with organizational strategy
  • Benefits realization
  • Sponsor accountability
  • Governance framework

📌 CISA Scenario:

Project failing due to lack of executive oversight → ISO 21500 highlights sponsor & governance weakness

---

4️⃣ Risk Management (ISO View)

• Risk is treated at project & organizational level
• Focus on:
  • Risk identification
  • Risk response
  • Continuous monitoring

📌 CISA Trap: ISO does NOT prescribe:

• Quantitative risk models
• Risk registers formats
• Probability × impact matrices

---

5️⃣ Control & Assurance Angle (CISA Favorite)

• Control occurs mainly in Controlling process group
• Focus on:
  • Performance measurement
  • Change control
  • Variance analysis

📌 Exam Logic:

ISO tells WHAT should be controlled, not HOW to control

---

6️⃣ Change Management

• Formal change control encouraged
• Emphasis on:
  • Impact assessment
  • Stakeholder communication

📌 CISA MCQ: If question mentions lack of documented change approval → governance gap

---

---

🔹 PMBOK (PMI) – IMPORTANT POINTS FOR CISA

1️⃣ Nature of PMBOK

• Best-practice framework, NOT a standard ❌
• More detailed & prescriptive than ISO
• Designed for project managers

📌 CISA Trap:

PMBOK ≠ compliance standard
PMBOK ≠ audit framework

---

2️⃣ Process Groups (PMBOK)

1. Initiating
2. Planning
3. Executing
4. Monitoring & Controlling
5. Closing

---

3️⃣ Knowledge Areas (10 – PMBOK 6)

1. Integration
2. Scope
3. Schedule
4. Cost
5. Quality
6. Resource
7. Communication
8. Risk
9. Procurement
10. Stakeholder

📌 ISO vs PMBOK:

• PMBOK = How to do
• ISO = What should exist

---

4️⃣ Key Documents (EXAM GOLD)

• Project Charter → authorizes project
• Project Management Plan → integrated baseline
• Baselines:
  • Scope baseline
  • Schedule baseline
  • Cost baseline

📌 CISA Scenario:

No approved charter → project lacks authorization → governance failure

---

5️⃣ Risk Management (PMBOK)

• Formal steps:
  1. Identify risks
  2. Qualitative analysis
  3. Quantitative analysis
  4. Plan responses
  5. Monitor risks

📌 PMBOK is more detailed than ISO

---

6️⃣ Change Control (Very Important)

• Integrated Change Control
• Change requests evaluated for:
  • Scope
  • Cost
  • Schedule
  • Quality
  • Risk

📌 CISA Trap:

Unauthorized scope changes = scope creep = control weakness

---

7️⃣ Stakeholder Management

• Identify → Analyze → Engage
• Continuous communication is critical

📌 CISA Scenario:

Project failure due to user resistance → stakeholder engagement failure

---

---

🔴 ISO 21500 vs PMBOK – COMPARISON (HIGH PROBABILITY MCQ)

Area	ISO 21500	PMBOK
Nature	International standard	Best practice guide
Certification	❌ No	❌ No
Detail level	High-level	Detailed
Focus	Governance & alignment	Project execution
Processes	Fewer, generic	Detailed
Control guidance	Conceptual	Procedural

---

🔑 ONE-LINE EXAM TAKEAWAYS

• ISO 21500 = Governance + alignment + guidance
• PMBOK = Tools + techniques + execution
• ISO tells WHAT, PMBOK tells HOW
• ISO good for audit & assurance perspective
• PMBOK good for operational control questions

---

www.gmsisuccess.in

---

🔑 KEY DIFFERENCES: ISO 21500 vs PMBOK (CISA VIEW)

Basis	ISO 21500	PMBOK (PMI)
Nature	International guidance standard	Best-practice framework / guide
Certification	❌ Not certifiable	❌ PMBOK itself not certifiable
Primary Focus	Governance & strategic alignment	Project execution & management
Audience	Organization, sponsors, governance bodies	Project managers & teams
Level of Detail	High-level (WHAT)	Detailed (HOW)
Prescriptiveness	Non-prescriptive	More prescriptive
Compliance Use	Reference for governance & assurance	Not a compliance or audit standard
Orientation	Enterprise-level	Project-level
Control Perspective	Conceptual control framework	Procedural controls

---

⚠️ MOST TESTED DIFFERENCES (EXAM GOLD)

1️⃣ Implementing vs Executing

• ISO 21500 → Implementing
• PMBOK → Executing

📌 Very common MCQ trap

---

2️⃣ Stakeholder Management

• ISO 21500: Stakeholder is a core subject group from start
• PMBOK: Became a separate knowledge area later (PMBOK 5+)

📌 ISO stresses early stakeholder governance

---

3️⃣ Governance Emphasis

• ISO 21500:

  • Sponsor accountability
  • Benefits realization
  • Alignment with organizational strategy

• PMBOK:

  • Focus on deliverables, schedules, cost, scope

📌 CISA answer prefers ISO when governance fails

---

4️⃣ Change Management

• ISO 21500:

  • Change control conceptually required
  • No tools or formats prescribed

• PMBOK:

  • Integrated Change Control
  • Change requests, CCB, impact analysis

📌 ISO = principle, PMBOK = procedure

---

5️⃣ Risk Management

• ISO 21500:

  • Risk at organizational & project level
  • High-level approach

• PMBOK:

  • Detailed steps
  • Qualitative & quantitative techniques

📌 CISA exam: ISO = risk governance, PMBOK = risk execution

---

6️⃣ Documentation

• ISO 21500:

  • Mentions required concepts
  • No mandated documents

• PMBOK:

  • Specific documents:
    • Project Charter
    • PM Plan
    • Baselines
    • Registers

---

🧠 ONE-LINE MEMORY TRICKS (CISA)

• ISO 21500 = WHAT should exist
• PMBOK = HOW to do it
• ISO = Governance
• PMBOK = Management
• ISO = Assurance friendly
• PMBOK = Operations friendly

---

🎯 EXAM SCENARIO QUICK RULE

If question talks about audit, oversight, governance, strategic alignment → ISO 21500
If question talks about tools, techniques, procedures, documents → PMBOK

---

www.gmsisuccess.in

Below are CISA-style WRONG OPTIONS explained for ISO 21500 vs PMBOK.
These are classic traps used in the exam — read the reason for rejection, not just the correct answer.

---

🔴 TRAP 1: “ISO 21500 is a certifiable project management standard”

❌ Why this option is WRONG

• ISO 21500 is guidance only
• It cannot be audited for compliance
• No certification exists (unlike ISO 9001 / 27001)

✅ Correct logic

• ISO 21500 provides high-level guidance, not requirements

📌 Examiner trick: ISO name = assumed certifiable

---

🔴 TRAP 2: “PMBOK is an international standard like ISO 21500”

❌ Why this option is WRONG

• PMBOK is not an ISO standard
• Issued by PMI, not ISO
• Cannot be used as a compliance benchmark

✅ Correct logic

• PMBOK is a best-practice framework

📌 CISA angle: Standards ≠ frameworks

---

🔴 TRAP 3: “ISO 21500 prescribes detailed tools and techniques for project control”

❌ Why this option is WRONG

• ISO 21500 does not prescribe:
  • Risk matrices
  • Earned value formulas
  • Change control formats

✅ Correct logic

• ISO states what should be managed, not how

📌 Trap keyword: “prescribes”, “mandates”, “detailed”

---

🔴 TRAP 4: “PMBOK is mainly focused on governance and strategic alignment”

❌ Why this option is WRONG

• Governance is secondary in PMBOK
• PMBOK focuses on:
  • Scope
  • Schedule
  • Cost
  • Execution control

✅ Correct logic

• ISO 21500 → governance focus
• PMBOK → execution focus

📌 CISA bias: Governance = ISO

---

🔴 TRAP 5: “Both ISO 21500 and PMBOK can be used as audit criteria”

❌ Why this option is WRONG

• Neither provides audit-ready control requirements
• ISO → guidance
• PMBOK → practices

✅ Correct logic

• They can be reference frameworks, not audit standards

📌 CISA examiner likes this distinction

---

🔴 TRAP 6: “Executing process group is common to both ISO 21500 and PMBOK”

❌ Why this option is WRONG

• ISO uses Implementing
• PMBOK uses Executing

✅ Correct logic

• Same concept, different terminology

📌 High-frequency MCQ

---

🔴 TRAP 7: “ISO 21500 defines mandatory project documents”

❌ Why this option is WRONG

• ISO does not mandate:
  • Project charter
  • Baselines
  • Registers

✅ Correct logic

• PMBOK defines specific documents
• ISO mentions concepts only

---

🔴 TRAP 8: “Stakeholder management originated in PMBOK, not ISO”

❌ Why this option is WRONG

• ISO emphasized stakeholders early
• PMBOK formally separated it later

✅ Correct logic

• ISO → early governance involvement
• PMBOK → structured stakeholder processes

---

🔴 TRAP 9: “ISO 21500 is more detailed than PMBOK”

❌ Why this option is WRONG

• ISO is high-level
• PMBOK is detailed and procedural

✅ Correct logic

• Detail = PMBOK
• Principle = ISO

---

🔴 TRAP 10: “PMBOK ensures benefits realization at organizational level”

❌ Why this option is WRONG

• Benefits realization is not PMBOK’s primary focus
• PMBOK ends at project deliverables

✅ Correct logic

• Benefits realization → ISO / governance framework

---

🧠 FINAL EXAM SHORTCUT

If an option uses these words, be careful:

Word	Likely WRONG for
Certifiable	ISO 21500
Mandatory	ISO 21500
Audit standard	Both
Governance focus	PMBOK
Detailed tools	ISO 21500

---

🎯 ONE-LINE RULE

ISO = guidance, governance, alignment
PMBOK = procedures, tools, execution

www.gmsisuccess.in

Comprehensive mocktest CMA Part 2..

 US CMA Part 2 …Mocktest 

Comprehensive…Difficult level.. moderate difficult

Section A...

## Investment Appraisal (NPV/IRR)

1. A project has cash flows where NPV at 8% is positive and at 10% is negative. The IRR is closest to?  

   a) 7% b) 9% c) 11% d) 12%  

   **Answer: 

2. Methods using discounted cash flows for capital investments include?  

   a) Payback only b) NPV and IRR c) Average rate of return d) All of the above  

   **Answer: 

3. All projects with positive NPV should be?  

   a) Rejected b) Selected c) Compared to IRR only d) Ignored  

   **Answer: 

## CVP & BEP Analysis

4. Ray Co. sells routers at $60/unit, variable cost $35/unit, fixed costs $150,000. BEP in units?  

   a) 5,000 b) 6,000 c) 7,000 d) 4,000  

   **Answer: 

5. Contribution margin ratio for Ray Co.?  

   a) 35% b) 41% c) 50% d) 58%  

   **Answer: 

6. BEP in revenue for Ray Co.?  

   a) $300,000 b) $360,000 c) $210,000 d) $600,000  

   **Answer: 

7. Company sells at $50/unit, budgeted 600,000 units, sales $30M, COS $20M (75% var), SG&A $7.5M (40% var). BEP units?  

   a) 475,000 b) 449,910 c) 500,000 d) 300,000  

   **Answer: 

## Marginal Analysis (Make/Buy, Special Orders)

8. Relevant costs for special order include?  

   a) All fixed costs b) Incremental variable costs c) Sunk costs d) Allocated overhead  

   **Answer:

9. Make-or-buy decision focuses on?  

   a) Total costs b) Avoidable costs c) Historical costs d) Fixed costs only  

   **Answer: 

## Mergers & Business Combinations

10. Firm A ($4M value) + Firm B ($1M) merge to $7M. Synergy?  

    a) -$1M b) $1M c) -$2M d) $2M  

    **Answer: 

11. Bargain purchase in acquisition recognized as?  

    a) Negative goodwill b) Goodwill c) Gain in earnings d) Deferred gain  

    **Answer: 

12. Leveraged buyout uses?  

    a) Equity only b) Debt secured by assets c) Preferred stock d) Bonds only  

    **Answer: 

13. Equity carve-out is?  

    a) Full sale b) Spin-off c) IPO of subsidiary shares d) Liquidation  

    **Answer: 

## Working Capital & Inventory Management

14. Reducing inventory lowers?  

    a) Ordering costs only b) Financing costs and improves liquidity c) Sales d) Fixed costs  

    **Answer:

15. EOQ considers?  

    a) Carrying and ordering costs b) Sales only c) Fixed costs d) Taxes  

    **Answer: 

16. Cash conversion cycle shortened by?  

    a) Higher inventory b) Lower DIO c) Longer payables d) Higher receivables  

    **Answer: 

## Cash Management & Receivables

17. Receivables factoring without recourse transfers?  

    a) Credit risk to factor b) All risk to seller c) No risk d) Ownership only  

    **Answer: 

18. Optimal cash management minimizes?  

    a) Opportunity costs b) Holding + transaction costs c) All costs d) Risk only  

    **Answer:

## Ratios (Cash Flow, Turnover, Profitability, Liquidity)

19. Cash flow ratio = ?  

    a) OCF / Current liabilities b) Current assets / CL c) Inventory / Sales d) Debt / Equity  

    **Answer:

20. Accounts receivable turnover = ?  

    a) Sales / Avg AR b) AR / Sales c) COGS / Inventory d) Assets / Sales  

    **Answer: 

21. Quick ratio excludes?  

    a) Cash b) Inventory c) Receivables d) Marketable securities  

    **Answer: 

22. DuPont analysis decomposes ROE into?  

    a) Profit margin x Asset turnover x Equity multiplier b) Only margins c) Leverage only d) Liquidity  

    **Answer: 

## Leverage (Operating, Financial)

23. Operating leverage measures?  

    a) Fixed operating costs impact b) Debt levels c) Equity ratio d) Taxes  

    **Answer: 

24. Financial leverage from?  

    a) Debt in capital structure b) Fixed costs c) Variable costs d) Inventory  

    **Answer: 

## Bond Valuation & Capital Structure

25. Bond coupon > market rate sells at?  

    a) Discount b) Par c) Premium d) Zero  

    **Answer:

26. Optimal capital structure minimizes?  

    a) WACC b) Debt c) Equity d) Risk only  

    **Answer: 

27. Capital gearing refers to?  

    a) Debt/Equity mix b) Inventory c) Cash d) Sales  

    **Answer: 

## Ethics & IMA Guidelines

28. IMA principles include?  

    a) Honesty, fairness, objectivity, responsibility b) Accountability only c) Profit only d) Risk  

    **Answer: 

29. Ethical dilemma resolution: Follow IMA steps including?  

    a) Discuss with supervisor b) Resign immediately c) Ignore d) Report publicly first  

    **Answer: 

30. Violates objectivity if?  

    a) Personal interests influence judgment b) Equal treatment c) Honesty d) Competence  

    **Answer:

## Relevant Costs & Risk

31. Relevant costs are?  

    a) Future, incremental b) Sunk c) Allocated d) Historical  

    **Answer

32. Fraud risk assessment part of?  

    a) Internal controls b) External audit only c) Taxes d) Sales  

    **Answer:

33. Risk strategy includes?  

    a) Avoid, accept, mitigate, transfer b) Ignore c) Only insure d) Only diversify  

    **Answer:

## Foreign Currency & Rates

34. Spot rate vs. forward rate: Forward hedges?  

    a) Future transactions b) Past c) Spot only d) Equity  

    **Answer: 

35. Foreign exchange risk managed by?  

    a) Forwards, options b) Spot only c) Ignore d) Debt  

    **Answer: 

## CAPM, WACC, DuPont

36. WACC uses?  

    a) After-tax cost of debt b) Pre-tax only c) Equity only d) Preferred only  

    **Answer: 

37. CAPM: Required return = Rf + beta*(Rm-Rf)  

    a) True b) False c) Only equity d) Debt  

    **Answer:

38. DuPont ROE = ?  

    a) PM x AT x EM b) Current ratio c) Debt ratio d) Quick  

    **Answer: 

SECTION B:

## CVP & BEP Analysis (1-10)

1. Contribution margin ratio is 0.4, fixed costs $280,000. BEP in dollars?  

   a) $700,000 b) $112,000 c) $1,120,000 d) $812,000  

   **Answer:

2. BEP units 2,000, fixed costs $50,000. CM per unit?  

   a) $25 b) $4 c) $250 d) $0.04  

   **Answer: 

3. Fixed costs increase impacts BEP by?  

   a) Decreasing it b) Increasing units/revenue c) No change d) Halving it  

   **Answer: 

4. Variable cost ratio increase requires?  

   a) Lower selling price b) Higher to maintain CM c) Ignore d) Fixed adjustment  

   **Answer: 

5. Target profit formula?  

   a) Fixed / CM b) (Fixed + target) / CM c) Variable / sales d) Sales / fixed  

   **Answer

6. BEP = Fixed / (Sales price - VC/unit). True?  

   a) Yes b) No, uses total sales c) Only revenue d) Ignores fixed  

   **Answer:

7. CM = Sales price - VC/unit. Used in?  

   a) BEP only b) CVP broadly c) Pricing d) Inventory  

   **Answer:

8. Sales $60/unit, VC $35, fixed $150K. BEP units?  

   a) 6,000 b) 5,000 c) 7,000 d) 4,000  

   **Answer:

9. CM ratio impact on BEP?  

   a) Inverse b) Direct c) None d) Squared  

   **Answer:

10. Fixed cost rise by 20%, BEP?  

    a) Rises 20% b) Falls c) Unchanged d) Doubles  

    **Answer:

## Marginal Analysis: Make or Buy, Further Process (11-18)

11. Product X: Split-off $60K, further $80K revenue, process cost $14K. Process further?  

    a) No b) Yes, +$6K c) Break even d) Lose  

    **Answer:

12. Beracyl: 60K gal × $3 extra rev = $180K, process cost $115K. Process?  

    a) No b) Yes, +$65K c) Split-off d) Ignore  

    **Answer

13. Mononate further process loses $5K. Decision?  

    a) Process b) Sell split-off c) Both d) Neither  

    **Answer:

14. Make-or-buy: Consider?  

    a) Avoidable costs b) All fixed c) Sunk d) Total historical  

    **Answer: 

15. Further processing: Balance?  

    a) Incremental rev vs. costs b) Fixed only c) Total costs d) Sales volume  

    **Answer:

16. Special order relevant?  

    a) Incremental costs b) Full overhead c) Past costs d) All capacity  

    **Answer:

17. Idle capacity rent in make-buy?  

    a) Ignore b) Opportunity cost c) Fixed d) Variable  

    **Answer:

18. Sell or process further: Joint products at?  

    a) Split-off evaluate incremental b) Always process c) Ignore joint d) Total  

    **Answer: 

## Risk Types, Assessment, Heat Map (19-25)

19. Risk mapping visualizes?  

    a) Probability vs. magnitude b) Costs only c) Profits d) Time  

    **Answer: 

20. Business risk?  

    a) Lower profit/loss b) Natural disasters c) Debt decisions d) Fixed/variable  

    **Anwer

21. Hazard risks?  

    a) Storms, floods b) Financial c) Strategic d) Operational  

    **Answer:

22. Risk ranking after?  

    a) Identification b) Mitigation c) Transfer d) Ignore  

    **Answer: 

23. Residual risk?  

    a) After mitigation b) Inherent c) Expected d) Maximum  

    **Answer:

24. Risk response: Avoid, retain, reduce?  

    a) Mitigate, transfer b) Only insure c) Accept all d) Exploit none  

    **Answer: 

25. Heat map is?  

    a) Qualitative risk tool b) Quantitative c) Financial only d) CVP  

    **Answer: 

## ROCE, ROI & Mixed (26-30)

26. ROI = ?  

    a) Operating income / Avg assets b) Net income / Equity c) EBIT / Capital d) Sales / Assets  

    **Answer:

27. ROCE = ?  

    a) EBIT / Capital employed b) Similar ROI c) Net / Equity d) Cash flow  

    **Answer: 

28. Risk aversion prefers?  

    a) Certain over uncertain b) High risk high return c) No preference d) Ignore  

    **Answer: 

29. Expected loss: 40% $1M + 60% $300K?  

    a) $580K b) $1M c) $300K d) $700K  

    **Answer: 

30. ERM integrates?  

    a) Governance, strategy, performance b) Silos only c) Finance d) Operations alone  

    **Answer:

www.gmsisuccess.in

Absorption costing, Variable Costing and Supervariable Costing

 ABSORPTION, VARIABLE COSTING AND SUPERVARIABLE COSTING 

1️⃣ ABSORPTION COSTING (Full Costing)

🔹 Core Concept

All manufacturing costs (Variable + Fixed) are absorbed by units produced

🔹 Cost Components

• Direct Material ✔
• Direct Labour ✔
• Variable MOH ✔
• Fixed MOH ✔ (Product cost)

🔹 Income Statement Format

Sales
– COGS (includes fixed MOH)
= Gross Profit
– Selling & Admin (fixed + variable)
= Operating Income

🔹 Exam-Critical Points

• Required for external financial reporting (US GAAP) ✔
• Inventory valuation includes fixed MOH
• Profits depend on production level, not sales
• Over/under-absorption of fixed overhead possible
• Encourages overproduction to increase profit (exam favorite)

🔹 Profit Relationship (KEY MCQ)

• If Production > Sales → Higher profit
• If Production < Sales → Lower profit

2️⃣ VARIABLE COSTING (Marginal Costing)

🔹 Core Concept

Only variable manufacturing costs are product costs

🔹 Cost Components

• Direct Material ✔
• Direct Labour ✔
• Variable MOH ✔
• Fixed MOH ❌ (Period cost)

🔹 Income Statement Format (Contribution Format)

Sales
– Variable Costs
= Contribution Margin
– Fixed Costs (MOH + S&A)
= Operating Income

🔹 Exam-Critical Points

• Fixed MOH expensed fully in the period
• Inventory valued at variable manufacturing cost only
• Profit depends on sales volume, not production
• Used for CVP analysis, internal decision-making
• NOT allowed for external reporting (US GAAP)

🔹 Profit Relationship

• If Production = Sales → Same profit as absorption
• If Production > Sales → Lower profit
• If Production < Sales → Higher profit

🔹 Profit Difference Formula (VERY IMPORTANT)

Difference in Profit = Change in Inventory × Fixed MOH per unit

3️⃣ ACTIVITY-BASED COSTING (ABC)

🔹 Core Concept

Costs are traced to activities → then to products using cost drivers

🔹 Steps (Exam Order Sensitive)

1. Identify activities
2. Create cost pools
3. Select cost drivers
4. Compute activity rates
5. Assign costs to products

🔹 Key Terms to Remember

• Cost Pool
• Cost Driver
• Cost Hierarchy:
• Unit-level
• Batch-level
• Product-level
• Facility-level

🔹 Exam-Critical Points

• Improves cost accuracy in multi-product, complex environments
• Reduces cost distortion
• Helps identify non-value-added activities
• Fixed costs may be treated as variable in long run
• Better than traditional costing when:
• High overhead
• Diverse products
• Different consumption of resources

🔹 ABC vs Traditional (MCQ Favorite)

Basis	Traditional	ABC
Allocation	Volume based	Activity based
Accuracy	Low	High
Overhead	Single rate	Multiple rates

4️⃣ SUPER-VARIABLE COSTING (Throughput Costing)

🔹 Core Concept

Only Direct Material is product cost

🔹 Cost Treatment

Cost	Treatment
Direct Material	Product cost
Direct Labour	Period cost
MOH (Variable & Fixed)	Period cost

🔹 Throughput Formula

Throughput = Sales – Direct Material

🔹 Exam-Critical Points

• Based on Theory of Constraints (TOC)
• Focus on bottleneck (constraint)
• Goal: Maximize throughput per constrained resource
• Extremely short-term decision tool
• Lowest inventory valuation

🔹 Comparison Snapshot

Method	Inventory Value	Profit Volatility
Absorption	Highest	High
Variable	Medium	Moderate
ABC	Accurate	Depends
Super-Variable	Lowest	Sales driven

🔥 ULTRA-IMPORTANT COMPARATIVE SUMMARY (MEMORISE)

Aspect	Absorption	Variable	ABC	Super-Variable
Fixed MOH	Product	Period	Activity based	Period
GAAP Allowed	✔	❌	✔	❌
Inventory Value	Highest	Lower	Accurate	Lowest
Best Used For	External reports	CVP decisions	Cost accuracy	Constraint decisions
Profit Depends On	Production	Sales	Activities	Sales & bottleneck

🎯 COMMON US CMA EXAM TRAPS

• Profit differences due to inventory change
• Misclassification of fixed MOH
• ABC driver selection errors
• Confusing variable costing with throughput costing
• Ignoring constraint in TOC questions

www.gmsisuccess.in

Illustration question ⁉️

🔢 PART A: ABSORPTION vs VARIABLE COSTING (Profit Difference)

MCQ 1

A company produces 10,000 units and sells 8,000 units.
Fixed manufacturing overhead = $40,000.
Selling price = $25/unit.
Variable manufacturing cost = $12/unit.
Variable selling expense = $2/unit.
Fixed selling expense = $10,000.

What is the difference in profit between absorption and variable costing?

✅ Calculation

Fixed MOH per unit = 40,000 ÷ 10,000 = $4/unit
Inventory increase = 10,000 – 8,000 = 2,000 units

Profit difference = Change in inventory × Fixed MOH per unit
= 2,000 × 4 = $8,000

✔ Answer:

Absorption costing profit is $8,000 higher

MCQ 2

If sales exceed production by 1,500 units and fixed MOH per unit is $6, then absorption costing profit is:

A. $9,000 higher
B. $9,000 lower
C. Same
D. Cannot be determined

✅ Calculation

1,500 × 6 = $9,000

Since Sales > Production → Absorption profit is LOWER

✔ Answer:

B. $9,000 lower

🔢 PART B: ABSORPTION vs VARIABLE (Operating Income)

MCQ 3

Production = 12,000 units
Sales = 10,000 units
Selling price = $30
Variable manufacturing cost = $14/unit
Fixed manufacturing overhead = $60,000

Find absorption costing operating income.

✅ Calculation

Fixed MOH per unit = 60,000 ÷ 12,000 = $5

Absorption cost per unit = 14 + 5 = $19

Sales = 10,000 × 30 = 300,000
COGS = 10,000 × 19 = 190,000

Operating Income = 300,000 – 190,000 = $110,000

✔ Answer:

$110,000

🔢 PART C: ACTIVITY-BASED COSTING (ABC)

MCQ 4

A company has the following overhead:

Activity	Cost	Driver	Units
Machine setups	$90,000	Setups	300
Quality inspection	$60,000	Inspections	1,200

Product A uses:

• 60 setups
• 240 inspections

Calculate ABC overhead assigned to Product A.

✅ Calculation

Setup rate = 90,000 ÷ 300 = $300/setup
Inspection rate = 60,000 ÷ 1,200 = $50/inspection

Overhead:

• Setups = 60 × 300 = 18,000
• Inspections = 240 × 50 = 12,000

Total ABC overhead = 30,000

✔ Answer:

$30,000

MCQ 5 (ABC vs Traditional – Trick)

Traditional costing allocates $150,000 overhead using machine hours (30,000 hours).
Product X uses 3,000 hours.

ABC assigns only $90,000 overhead to Product X.

Traditional overhead assigned to Product X is:

✅ Calculation

Traditional rate = 150,000 ÷ 30,000 = $5/hour

Product X overhead = 3,000 × 5 = $15,000

✔ Answer:

$15,000
👉 Product X is overcosted under ABC? ❌
👉 Product X is undercosted under traditional? ❌
👉 ABC reveals higher actual cost.

🔢 PART D: SUPER-VARIABLE (THROUGHPUT) COSTING

MCQ 6

Selling price per unit = $80
Direct material = $30/unit
Direct labour = $20/unit
Variable MOH = $10/unit
Fixed cost = $50,000
Sales = 2,000 units

Find throughput income.

✅ Calculation

Throughput per unit = 80 – 30 = $50

Total throughput = 2,000 × 50 = 100,000

Throughput income = 100,000 – Fixed costs
= $50,000

✔ Answer:

$50,000

MCQ 7 (TOC – Bottleneck Decision)

Machine hours are limited to 4,000 hours.

Product	Throughput/unit	Hours/unit
A	$60	4
B	$45	2

Which product should be prioritized?

✅ Calculation

Throughput per constrained hour:

• A = 60 ÷ 4 = 15
• B = 45 ÷ 2 = 22.5

✔ Answer:

Product B

🔢 PART E: MIXED COSTING COMPARISON

MCQ 8

Which costing method shows the highest closing inventory value?

A. Variable costing
B. Absorption costing
C. Throughput costing
D. ABC

✔ Answer:

B. Absorption costing

🔥 EXAM GOLD FORMULAS (MEMORISE)

• Profit Difference = Δ Inventory × Fixed MOH/unit
• Throughput = Sales – Direct Material
• ABC Rate = Cost Pool ÷ Cost Driver Units
• Contribution = Sales – Variable Costs

www.gmsisuccess.in

 

Risk Assessment..notes helpful for CIA Part 1& US CMA Part 2 students

 

Below is a high-yield, exam-oriented revision sheet for Risk Assessment, integrating both US CMA Part 2 and CIA Part 1 perspectives. I’ve clearly highlighted what each exam emphasizes, along with keywords, traps, and must-remember frameworks.

---

1. Meaning of Risk Assessment (Exam-Ready Definition)

Risk Assessment =

A systematic process of identifying, analyzing, and prioritizing risks that may prevent an organization from achieving its objectives.

Key Exam Angle

• CIA Part 1 → Governance, internal control, assurance focus
• CMA Part 2 → Decision-making, performance, financial & strategic risk focus

---

2. Types of Risks – VERY IMPORTANT (Both Exams)

A. Strategic Risk

• Poor business strategy
• Wrong market entry
• Failure to adapt to technology
• M&A failure

Exam keyword: Long-term objectives, external environment

---

B. Operational Risk

• Process inefficiencies
• Supply chain disruption
• System failure
• Human error

CIA loves: segregation of duties, process controls
CMA loves: impact on cost, productivity, margins

---

C. Financial Risk (CMA Part 2 Heavy Area)

• Liquidity risk
• Credit risk
• Market risk (interest rate, forex)
• Cash flow volatility

Red flag: High leverage + unstable cash flows

---

D. Compliance Risk (CIA Part 1 Favorite)

• Violation of laws & regulations
• Non-compliance with policies
• Regulatory penalties

Exam keyword: Regulatory environment, legal exposure

---

E. Reputational Risk

• Loss of public trust
• Brand damage
• Ethical failures

Often tested as a consequence, not a primary risk

---

3. Risk Assessment Process – Must Memorize Steps

Step 1: Risk Identification

Methods:

• Brainstorming
• Interviews
• SWOT analysis
• Process mapping
• Past loss data

CIA focus: involvement of management & auditors
CMA focus: identification linked to objectives

---

Step 2: Risk Analysis

Analyze:

• Likelihood (Probability)
• Impact (Severity)

Tools:

• Risk matrix (heat map)
• Sensitivity analysis
• Scenario analysis

📌 Exam trick:
High impact + low probability ≠ ignore (e.g., fraud, disaster)

---

Step 3: Risk Evaluation / Prioritization

• Rank risks
• Focus on residual risk
• Align with risk appetite

Keyword: Risk tolerance vs risk appetite

---

4. Inherent Risk vs Residual Risk (EXAM GOLD)

Type	Meaning
Inherent Risk	Risk before controls
Residual Risk	Risk after controls

📌 CIA exam trap:
If controls are weak → residual risk remains high

---

5. Risk Responses / Risk Treatment (Frequently Tested)

Four Classic Responses (Remember: T-A-R-A)

1. Terminate (Avoid)
   – Exit risky activity

2. Treat (Reduce/Mitigate)
   – Implement controls

3. Transfer (Share)
   – Insurance, outsourcing

4. Tolerate (Accept)
   – When cost of control > benefit

CMA Part 2 loves decision logic
CIA Part 1 loves control-based mitigation

---

6. Risk Appetite & Risk Tolerance (Very Confusing Area)

• Risk Appetite → Overall level of risk organization is willing to accept
• Risk Tolerance → Acceptable deviation from objectives

📌 CIA exam wording:
Board sets risk appetite, management operates within risk tolerance

---

7. Enterprise Risk Management (ERM) – COSO Framework

COSO ERM Components (CMA + CIA)

1. Governance & Culture
2. Strategy & Objective Setting
3. Performance
4. Review & Revision
5. Information, Communication & Reporting

📌 CIA emphasis: governance & board oversight
📌 CMA emphasis: strategy alignment & performance impact

---

8. Role of Internal Auditor in Risk Assessment (CIA Part 1 CORE)

Internal Auditors:

• Evaluate effectiveness of risk management
• Provide assurance, not ownership
• Must remain independent & objective

❌ Exam trap:
Internal auditors do NOT set risk appetite

---

9. Risk Assessment & Internal Control Link (CIA Favorite)

• Risk assessment drives control design
• Poor risk assessment = ineffective controls
• Controls must address key risks, not all risks

📌 Keyword: Reasonable assurance, not absolute assurance

---

10. Continuous Risk Assessment (Modern Exam Trend)

• Ongoing, not annual
• Driven by:
  • Technology
  • Big data
  • Automation
  • Cyber risks

CIA loves: continuous auditing
CMA loves: real-time decision support

---

11. Common Exam Traps & How to Avoid Them

Trap	Correct Thinking
Eliminating all risk	Impossible
High probability = highest priority	Impact also matters
Auditor managing risk	Auditor evaluates only
Risk = only financial	Risk is multidimensional

---

12. One-Line Power Statements for Revision

• “Risk assessment aligns risks with objectives.”
• “Residual risk determines acceptability.”
• “Risk appetite is strategic; tolerance is operational.”
• “Controls mitigate risk, they do not eliminate it.”
• “ERM integrates risk into decision-making.”

---

13. How Questions Differ in Exams

CIA Part 1

• Governance driven
• Control effectiveness
• Auditor independence
• Ethical & compliance risk

CMA Part 2

• Strategy & performance
• Financial outcomes
• Risk-return trade-off
• Decision making

---

www.gmsisuccess.in

Below is a complete, exam-oriented MASTER NOTE covering CIA Part 1 + US CMA Part 2 for Risk, Internal Control, COSO, COBIT, AIS, Application Controls, Fraud Risk & Risk Measurement.
This is structured exactly the way scenario-based MCQs and essays are framed in the exams.

---

1. TYPES OF RISK (VERY HIGH EXAM WEIGHT)

1. Strategic Risk

Meaning: Risk arising from wrong or ineffective business strategy.

Examples (Must Quote in Exam):

• Entering a declining market
• Failure to adopt digital technology
• Poor merger/acquisition decision
• Loss of competitive advantage

CIA Focus: Board oversight & governance
CMA Focus: Impact on long-term profitability

---

2. Operational Risk

Meaning: Risk from internal processes, people, and systems.

Examples:

• Production breakdown
• Supply chain disruption
• System downtime
• Human error

CIA Focus: Internal controls
CMA Focus: Cost inefficiency & productivity loss

---

3. Financial Risk

• Liquidity risk
• Credit risk
• Market risk (interest, forex)
• Solvency risk

CMA Part 2 HEAVY AREA

---

4. Compliance Risk

• Violation of laws/regulations
• Non-compliance with policies

CIA Part 1 Favorite

---

5. Reputational Risk

• Brand damage
• Loss of stakeholder trust

Often tested as impact of other risks

---

2. INTERNAL CONTROL & RISK (CORE CIA AREA)

Relationship:

Internal control exists to manage risk, not eliminate it.

Internal Control Objectives:

• Effectiveness & efficiency of operations
• Reliability of financial reporting
• Compliance with laws

📌 Exam Trap:
Internal control provides reasonable assurance, not absolute assurance.

---

3. RISK CONCEPT IN COSO FRAMEWORK

COSO Internal Control – Risk Assessment Component

Risk Assessment includes:

1. Specify objectives
2. Identify risks
3. Analyze risks
4. Manage fraud risk
5. Identify significant change

📌 CIA loves fraud risk here

---

COSO ERM – Risk View (CMA + CIA)

Key Concepts:

• Risk appetite (set by Board)
• Risk tolerance (operational limits)
• Inherent risk vs residual risk

📌 CMA exam: ERM aligns risk with strategy
📌 CIA exam: Governance & oversight

---

4. RISK CONCEPT IN COBIT (IT GOVERNANCE)

COBIT focuses on IT-related risks.

Key Risk Areas:

• Data security risk
• System availability risk
• Data integrity risk
• Compliance risk (IT laws)

COBIT Goal:

Ensure IT risks are managed to support business objectives.

📌 CIA Exam Point: COBIT supports internal control over IT.

---

5. APPLICATION CONTROLS & RISK (VERY IMPORTANT)

Application Controls manage:

• Input risk
• Processing risk
• Output risk

---

Input Controls

Risks:

• Unauthorized data entry
• Incomplete data

Controls:

• Authorization checks
• Edit checks
• Validity checks

---

Processing Controls

Risks:

• Incorrect processing
• Data corruption

Controls:

• Run-to-run totals
• Reasonableness tests

---

Output Controls

Risks:

• Unauthorized access
• Inaccurate reports

Controls:

• Distribution controls
• Reconciliation

📌 CIA loves linking control weakness → risk

---

6. ACCOUNTING INFORMATION SYSTEMS (AIS) & RISK

Major AIS Risks:

• Unauthorized access
• Data manipulation
• Loss of data
• System failure

Controls:

• Segregation of duties
• Access controls
• Audit trails
• Backup & recovery

📌 Exam trap:
Strong IT controls reduce risk of misstatement, not business risk.

---

7. STRATEGIC vs OPERATIONAL RISK – EXAM COMPARISON

Basis	Strategic Risk	Operational Risk
Nature	Long-term	Day-to-day
Level	Board/Top mgmt	Middle/Operational mgmt
Example	Wrong market entry	Machine breakdown
Control	Policy & governance	Procedures & controls

---

8. FRAUD RISK MANAGEMENT (CIA PART 1 CORE)

Fraud Risk = Intentional deception for gain

Types:

• Asset misappropriation
• Financial statement fraud
• Corruption

---

Fraud Risk Management Steps:

1. Identify fraud risks
2. Assess likelihood & impact
3. Design preventive controls
4. Implement detective controls
5. Monitor & respond

📌 CIA Keyword:
Internal auditors evaluate fraud risk management effectiveness.

---

Common Fraud Controls:

• Segregation of duties
• Authorization
• Whistleblower mechanisms
• Continuous monitoring

---

9. HOW TO MEASURE RISK (EXAM GOLD)

1. Qualitative Methods

• Risk ranking
• Risk heat map
• High / Medium / Low

2. Quantitative Methods (CMA Part 2 Focus)

• Expected value
• Sensitivity analysis
• Scenario analysis
• Probability-weighted outcomes

Risk Formula:

Risk Exposure = Probability × Impact

---

10. INHERENT RISK vs RESIDUAL RISK

Risk Type	Meaning
Inherent Risk	Before controls
Residual Risk	After controls

📌 CIA exam trap: Weak controls → high residual risk

---

11. COMMON EXAM TRAPS (VERY IMPORTANT)

❌ Auditor managing risk
✅ Auditor evaluates risk management

❌ Eliminating all risks
✅ Managing within risk appetite

❌ Risk = only financial
✅ Risk includes strategic, operational, IT, fraud

---

12. ONE-LINE EXAM ANSWERS (MEMORIZE)

• “Risk assessment aligns risks with organizational objectives.”
• “Controls mitigate risk but do not eliminate it.”
• “COBIT addresses IT-related risks.”
• “Application controls ensure data accuracy, completeness, and authorization.”
• “Fraud risk requires both preventive and detective controls.”

---

www.gmsisuccess.in

Below are VERY TOUGH, LENGTHY, EXAM-LEVEL SCENARIO-BASED MCQs integrating CIA Part 1 + US CMA Part 2 on Risk, Internal Control, COSO, COBIT, AIS, Application Controls & Fraud Risk.
These are written in the exact style of real exam questions, with logic-based distractors.

---

MCQ 1: ERM, Risk Appetite & Governance (CIA + CMA)

A diversified manufacturing company operates in multiple countries and uses a centralized ERP system. The board has approved a formal risk appetite statement emphasizing stable earnings and regulatory compliance, while allowing moderate operational risk to pursue growth.

During an internal audit, it was observed that management continued expanding into high-risk jurisdictions without updating compliance procedures or conducting a revised risk assessment. Senior management argues that growth is aligned with the organization’s strategic objectives.

Which of the following represents the MOST significant weakness from a governance and risk perspective?

A. Management accepted operational risks exceeding its risk tolerance
B. The board failed to design adequate internal controls
C. Management did not align risk assessment with the approved risk appetite
D. Internal audit failed to identify inherent risks early

✅ Correct Answer: C

Why:

• Board already set risk appetite
• Management expanded without reassessing compliance risk
• Misalignment between strategy & risk appetite → COSO ERM failure

Exam Keyword: Risk appetite vs strategy alignment

---

MCQ 2: Inherent vs Residual Risk & Controls (CIA Part 1 Core)

An organization processes high-value electronic payments through an automated system. Strong authorization controls exist, but system access rights are not reviewed periodically, and terminated employees’ access is not promptly removed.

Which risk classification is MOST appropriate for unauthorized payment after employee termination?

A. Inherent risk remains high due to transaction value
B. Residual risk is high due to ineffective access controls
C. Detection risk is low due to automation
D. Control risk is eliminated through authorization

✅ Correct Answer: B

Why:

• Controls exist but are ineffective
• Risk after controls remains high → residual risk

CIA Exam Trap: Authorization ≠ access management

---

MCQ 3: Application Controls & AIS Risk (CIA Favorite)

A retail company implemented an automated sales system. Input validation checks ensure all sales entries are complete and authorized. However, no controls exist to verify whether data processed by the system is correctly transferred to the general ledger.

Which risk is MOST likely to occur?

A. Unauthorized data entry
B. Incomplete sales transactions
C. Processing errors leading to misstated financial reports
D. Fraudulent override of input controls

✅ Correct Answer: C

Why:

• Input controls are strong
• Weak processing/interface controls
• Risk of incorrect posting to GL

Keyword: Processing control failure → misstatement

---

MCQ 4: Fraud Risk Management (CIA Part 1 Heavy)

An organization experienced repeated inventory shortages. Management increased physical security and implemented periodic inventory counts. However, the shortages continued.

Internal audit discovered that the same employee was responsible for inventory custody, recording, and reconciliation.

Which action would be the MOST effective fraud risk response?

A. Increase frequency of inventory counts
B. Install additional surveillance cameras
C. Segregate inventory custody and recordkeeping duties
D. Purchase insurance coverage for inventory losses

✅ Correct Answer: C

Why:

• Root cause = lack of segregation of duties
• Preventive control is superior to detective or transfer

CIA Exam Keyword: Preventive > Detective

---

MCQ 5: COSO Risk Assessment & Significant Change

A technology company rapidly adopted cloud-based accounting systems to support remote work. Management did not update its risk assessment or internal controls, assuming existing policies were sufficient.

Which COSO risk assessment principle was MOST clearly violated?

A. Risk identification
B. Fraud risk assessment
C. Identification and assessment of significant change
D. Objective setting

✅ Correct Answer: C

Why:

• Technology change = significant change
• Requires reassessment of risk

CIA loves: Change management risk

---

MCQ 6: COBIT, IT Risk & Governance (CIA + CMA)

An organization outsourced its data center operations to a third party. While cost savings were achieved, no service-level agreements (SLAs) or monitoring controls were implemented.

Which risk is MOST increased?

A. Strategic risk due to loss of market share
B. Operational risk related to IT availability and data integrity
C. Financial reporting risk due to valuation errors
D. Reputational risk due to employee dissatisfaction

✅ Correct Answer: B

Why:

• COBIT focuses on IT availability & integrity
• Outsourcing without controls increases IT operational risk

---

MCQ 7: Risk Measurement & Decision Making (CMA Part 2 Focus)

Management is evaluating two mutually exclusive projects:

Project	Probability of Loss	Potential Loss
A	10%	₹1,000,000
B	40%	₹200,000

Risk appetite allows a maximum expected loss of ₹100,000.

Which project(s) fall within risk appetite?

A. Project A only
B. Project B only
C. Both A and B
D. Neither A nor B

✅ Correct Answer: C

Calculation:

• A → 10% × 1,000,000 = ₹100,000
• B → 40% × 200,000 = ₹80,000

Both within appetite

CMA Keyword: Expected value

---

MCQ 8: Strategic vs Operational Risk (Tricky)

A company decides to discontinue a profitable product line to focus on innovative but untested technology. Production inefficiencies later increase costs during implementation.

Which risks are involved?

A. Strategic only
B. Operational only
C. Strategic followed by operational
D. Compliance followed by financial

✅ Correct Answer: C

Why:

• Decision = strategic risk
• Implementation issues = operational risk

Very common exam pattern

---

MCQ 9: Internal Audit Role & Risk Ownership (CIA Trap)

During ERM implementation, management asked internal audit to determine acceptable risk levels for new product launches.

What is the MOST appropriate internal audit response?

A. Accept responsibility to support ERM
B. Recommend risk limits but not approve them
C. Determine risk appetite jointly with management
D. Refuse involvement in ERM activities

✅ Correct Answer: B

Why:

• Advisory allowed
• Ownership not allowed

CIA Keyword: Assurance, not ownership

---

MCQ 10: Application Controls vs General Controls (Very Tricky)

Strong application controls exist in a payroll system. However, system programmers can directly modify production programs without approval.

Which conclusion is MOST appropriate?

A. Payroll risk is low due to strong application controls
B. General control weakness undermines application controls
C. Fraud risk is eliminated through automation
D. Processing controls compensate for access weaknesses

✅ Correct Answer: B

Why:

• General controls override application controls
• Classic CIA exam favorite

---

Final Exam Tip (IMPORTANT)

Always identify:

1. Type of risk
2. Control weakness
3. Framework violated (COSO / COBIT)
4. Who owns the risk

 ✔  www.gmsisuccess.in

Below is a high-yield, exam-oriented revision note on Risk Register, Risk Assessment Techniques, and Risk Heat Map — exactly the way they are tested in US CMA (Part 2) and CIA (Part 1 & Part 2) exams.
I’ll focus on definitions + examiner traps + scenario-based logic.

---

1️⃣ Risk Register (VERY FREQUENTLY TESTED)

📌 What is a Risk Register?

A formal documented list of identified risks with:

• Description of risk
• Root cause
• Impact & likelihood
• Risk owner
• Existing controls
• Residual risk
• Risk response (accept / mitigate / transfer / avoid)

➡ CIA view: Governance & risk oversight tool
➡ CMA view: Enterprise risk management & strategic decision-making tool

---

🔑 Key Exam Keywords

Phrase in question	Meaning
“Documented list of risks”	Risk Register
“Assigned responsibility”	Risk owner
“After controls applied”	Residual risk
“Risk response strategy”	Accept / Avoid / Reduce / Share

---

⚠️ Exam Traps

• ❌ Risk register does NOT eliminate risk
• ❌ It is not a control activity itself
• ❌ It is not limited to financial risks only

---

🧠 CIA-Style MCQ Logic

Which document helps management track, prioritize, and assign accountability for risks?

✅ Risk Register

---

2️⃣ Risk Assessment Techniques (HIGH-SCORING AREA)

📌 Definition

Techniques used to identify, analyze, and evaluate risks based on likelihood and impact.

---

🔥 COMMONLY TESTED TECHNIQUES

(A) Brainstorming

• Group-based risk identification
• Best for early stage ERM
• Weakness: subjective bias

🧠 Exam trick:

“Initial identification of emerging risks” → Brainstorming

---

(B) Risk & Control Self-Assessment (RCSA) ⭐⭐

• Used by management, not auditors
• Identifies key risks + effectiveness of controls

➡ CIA LOVES THIS

❌ Trap: Internal auditors facilitate, not own RCSA

---

(C) SWOT Analysis

Element	Risk Type
Strength	Internal
Weakness	Internal
Opportunity	External
Threat	External

🧠 CMA exam frequently links SWOT to strategic risk

---

(D) Scenario Analysis / Stress Testing

• “What-if” analysis
• Used for low probability, high impact risks

Examples:

• Cyber attack
• Liquidity crisis
• Pandemic

➡ Highly tested in CIA Part 2

---

(E) Delphi Technique

• Anonymous expert opinions
• Avoids group pressure

🧠 Keyword: “Independent expert judgment”

---

(F) Quantitative Risk Assessment

Uses:

• Expected value
• Probability × Impact
• Sensitivity analysis

➡ CMA numerical MCQs

---

3️⃣ Risk Heat Map (VERY COMMON MCQs)

📌 What is a Risk Heat Map?

A visual tool plotting:

• X-axis → Likelihood
• Y-axis → Impact

Color-coded:

• 🔴 High risk
• 🟡 Medium risk
• 🟢 Low risk

---

🧠 Exam Focus Points

• Used for prioritization, not identification
• Shows inherent vs residual risk
• Supports risk appetite decisions

---

⚠️ Examiner Traps

Wrong belief	Why wrong
Heat map reduces risk	It only visualizes
Heat map replaces risk register	No
Heat map shows controls	Controls affect residual risk only

---

CIA-Style Question Logic

Management wants a visual comparison of risks based on severity

✅ Risk Heat Map

---

4️⃣ Link to COSO ERM (VERY IMPORTANT)

COSO Component	Related Tool
Risk Identification	Brainstorming, SWOT
Risk Assessment	Quantitative / Qualitative
Risk Response	Risk Register
Monitoring	Heat Map, KRIs

---

5️⃣ ULTRA-TRICKY SCENARIO QUESTIONS (EXAM LEVEL)

🧠 Q1 (CIA Style)

Management completes a workshop where department heads evaluate risks and rate existing controls.

✅ RCSA

---

🧠 Q2 (CMA Style)

Which tool helps compare residual risks across departments?

✅ Risk Heat Map

---

🧠 Q3 (TRAP)

Which activity ensures risks are eliminated?

❌ None (Risk management reduces, not eliminates risk)

---

🧠 Q4

Who owns the risk register?

✅ Management, not internal auditors

---

6️⃣ QUICK EXAM MEMORY TABLE 🧠

Tool	Purpose	Exam Favourite
Risk Register	Documentation & accountability	⭐⭐⭐⭐
RCSA	Control effectiveness	⭐⭐⭐⭐
Heat Map	Prioritization	⭐⭐⭐
Scenario Analysis	Extreme risks	⭐⭐⭐
SWOT	Strategic risk	⭐⭐⭐

---

🎯 FINAL EXAM TIP (VERY IMPORTANT)

If question says:

• “Visual” → Heat Map
• “Documented list” → Risk Register
• “Management assessment” → RCSA
• “What-if / crisis” → Scenario analysis

---

www.gmsisuccess.in