IIA-CRMA Practice Exam Questions with Answers Certification in Risk Management Assurance (CRMA) Exam Certification

Restrict data-table access from management and line supervisors who have the authority to determine pay rates.

Require a supervisor in the department, who has the ability to change the table, to compare the changes to a signed management authorization.

Ensure that adequate edit and reasonableness checks are built into the automated system.

Require a manager, who is independent of the system and who cannot change the table, to authorize and sign-off on any employee pay changes.

Creating an audit trail.

Placing controls on physical access to inventory.

Reconciling purchase orders with approvals.

Reviewing expense accounts for irregularities.

To depict the areas of responsibility for departments in an organization.

To plan and control complex projects, such as internal audits.

To represent the frequencies of adverse conditions in a given process.

To identify the possible causes of adverse conditions.

Major shareholders of the organization.

Large customers of the organization.

Former members of management.

Former financial consultants.

Senior management should approve the charter before it is submitted to the board.

The charter should describe the purpose and authority of the internal audit activity, consistent with the Standards.

The charter should define the consulting services that the internal audit activity is permitted to perform.

The CEO periodically should assess whether the terms of the charter continue to be adequate.

1 and 2.

1 and 3.

2 and 4.

3 and 4.

Suppliers' reports of over shipments.

Warehouse receiving logs.

Purchase requisitions and purchase orders.

Observation and inspection of inventory.

1 only

2 only

3 only

1 and 2 only

1 and 3.

1 and 4.

2 and 3.

2 and 4.

Obtain specific answers and maximize efficiency.

Gather factual data on several different topics.

Determine agreement or disagreement with a stated viewpoint.

Obtain information based on the person's own perspective.

A physical security control over a data center.

A system development life cycle control.

A program change management control.

An input control over data integrity.

Several recent, large expenditures to a new vendor have not been documented.

A manager has bragged about multiple extravagant vacations taken within the last year, which are excessive relative to the manager's salary.

A weak control environment has been accepted by management to encourage creativity.

New employees occasionally fail to meet established project deadlines due to staffing shortages.

Which sampling methodology to select for testing.

Which fields to examine on each invoice.

Whether an individual expenditure is allowable.

What level of noncompliance is acceptable.

Management may be concerned about its reputation in the financial markets.

Management is following best-practice protocol, as stipulated by the Standards, which states that internal auditors must review quarterly financial statements.

Management may be concerned about potential penalties that could occur if quarterly financial statements are misstated.

Management may perceive that having quarterly financial information examined by the internal auditors enhances the information's value to internal decision making.

Corrective control.

Preventive control.

Detective control.

Directive control.

To determine audit priorities in the new job, the auditor uses the audit risk approach that the auditor's previous employer used, without receiving permission to do so.

At the new organization, the auditor is asked to develop forms to implement probability-proportional-to-size sampling. Although unsure of how to perform this type of sampling, the auditor proceeds without asking for assistance.

In preparing for an audit at the previous organization, the auditor had conducted a great deal of research on the Internet at home to identify best practices for the management of a treasury function. The auditor has retained much of the research and uses it to conduct an audit of the new employer's treasury function.

In the first week at the new organization, the auditor discovers a high fraud risk surrounding the organization's database and suggests that the information technology department implement a new password system to prevent fraudulent actions before they occur.

The bottom of the pyramid responsibility.

Innovative responsibility.

Ethical responsibility.

Discretionary responsibility.

Act as an adviser to the committee responsible for reviewing violations of the code.

Review and adjudicate all violations of the code of conduct.

Lead the committee responsible for the oversight of the code.

Implement a system of procedures to inform all employees of the code.

When an internal auditor releases required information to a regulator, resulting in a significant loss through fines and penalties for the organization, he fails to add value.

When an internal auditor limits the scope of the audit engagement after learning that management is hiding relevant information, he demonstrates integrity.

When an internal auditor disagrees with the treatment received by workers in the organization's foreign subsidiary and alters the audit program to highlight the issue, he fails to demonstrate objectivity.

When an internal auditor continues with an audit engagement, despite the audit client's claims that the work performed is unnecessary and redundant he fails to demonstrate competency.

The practice of surprise audits and the implementation of an employee support program.

Hiring an employee with a prior fraud conviction and yearly management review.

Occasional accounting department overrides and discontinuation of the anonymous fraud hotline due to infrequent use.

A veteran employee in upper management experiencing financial difficulties and recently implemented enhanced controls.

Determine the organization's overall risk appetite.

Establish a governance committee.

Delegate authority to members of senior management.

Identify key stakeholders and their expectations.

Segregation of duties.

Exception reports.

Incentive compensation plans.

Automated reconciliations.

The internal audit activity's responsibility for imposing risk management processes.

The internal audit activity's responsibility for the organization's governance framework.

The nature of consulting services provided by the internal audit activity.

The budgeting process for the internal audit activity.

When planning assurance and consulting engagements, internal auditors must consider the strategies and objectives of the activity being reviewed.

Internal auditors determine the engagement objectives, scope, and work program for both assurance and consulting services.

Internal auditors must not provide assurance or consulting services for an activity for which they had responsibility within the previous year.

Both assurance and consulting services generally involve the internal auditor, the area under review, senior management, and the board.

The CAE's work may be reviewed by any other experienced staff member within the IAA.

The CAE's work should be reviewed by an individual with the appropriate background and knowledge.

The CAE may self-review his work, provided he discloses this practice in the final report.

The CAE should avoid performing engagements to ensure he is able to review all audit work objectively.

1 and 2 only

3 and 4 only

1, 2, and 4 only

1, 2, 3, and 4

Quality assessments and cultural biases of the internal audit activity.

Rotational assignments and familiarity of the internal audit activity.

Employee incentives and self review of the internal audit activity.

Organizational positioning and scope control of the internal audit activity.

Residual.

Net.

Inherent.

Accepted.

Graph A only

Graph B only

Both A and B.

Neither A nor B.

Requiring employees to attend ethics training.

Performing background checks on employees.

Implementing a control self-assessment.

Performing a surprise audit.

Leadership.

Documentation.

Analysis.

Reporting.

The external auditor may make full use of the work, as the audit charter is very specific as to the work the internal audit activity may undertake.

The external auditor may use the work, as the board has approved the charter, thus taking responsibility for any deficiencies.

The external auditor must disregard the work, as the scope of the charter may introduce bias and result in a lack of due professional care.

The external auditor may use the work with caution, due to the internal audit activity's scope and responsibility restrictions.

Authority and responsibility to resolve issues.

Framework to plan, execute and monitor activities.

Integrated responses to multiple risks.

Knowledge and skills needed to perform activities.

1 and 2.

1 and 3.

2 and 3.

3 and 4.

Assurance services for outside clients are not covered under the internal audit charter.

Assurance services for outside clients must be approved on a case-by-case basis by the board of directors.

The nature of assurance services for outside clients should be defined in the internal audit charter.

The nature of assurance services for outside clients is the same as for internal clients.

From sharing to reduction.

From acceptance to reduction.

From sharing to avoidance.

From acceptance to avoidance.

Usage of IT system policy.

Risk management framework.

Acceptance of gifts policy.

Personal responsibility policy.