Which of the following is defined as "a measure of the desirable effect of uncertainty on objectives"?
- A . Risk
- B . Compliance
- C . Reward
A
Explanation:
Risk is defined as a measure of the desirable effect of uncertainty on objectives. According to the ISO 31000 standard, risk is "the effect of uncertainty on objectives" which can be either positive (opportunity) or negative (threat). This definition encompasses the uncertainty that can impact the achievement of goals and objectives. It highlights that risk is not just about potential losses but also about potential gains that come from taking risks.
Reference: ISO 31000:2018 – Risk management – Guidelines
NIST SP 800-30 Rev. 1 – Guide for Conducting Risk Assessments
The two kinds of PROACTIVE controls are
- A . training and education
- B . promoting and preventive
- C . access and system
B
Explanation:
Proactive controls are those measures implemented to prevent undesirable events before they occur. Promoting controls are designed to encourage desired behaviors and outcomes, such as compliance with policies and procedures. Preventive controls are aimed at stopping undesirable events or actions before they happen, such as implementing security measures to prevent unauthorized access. Both types of controls are essential for effective risk management and ensuring the security and integrity of an organization’s processes and systems.
Reference: COSO Internal Control – Integrated Framework
ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls
Which of these is defined as "externally directing, controlling and evaluating an entity, process or resource"
- A . Governance
- B . Assurance
- C . Management
A
Explanation:
Governance is defined as "externally directing, controlling and evaluating an entity, process, or resource". It involves the members of an organization's governing body establishing policies and continuously monitoring their proper implementation. It ensures that the entity is operating effectively and in alignment with its objectives and regulatory requirements. Governance encompasses a wide range of activities, including strategic planning, decision-making, and oversight, all aimed at achieving the entity's goals while managing risk and ensuring compliance.
Reference: ISO 38500:2015 – Information technology – Governance of IT for the organization
OECD Principles of Corporate Governance
Producing Value and Protecting Value are trade-offs. You CANNOT do both at the same time.
- A . True
- B . False
B
Explanation:
The statement that producing value and protecting value are trade-offs and cannot be done at the same time is false. In fact, both can and should be pursued concurrently. Effective governance, risk management, and compliance (GRC) strategies integrate the production of value (achieving business objectives and growth) with the protection of value (safeguarding assets, ensuring compliance, and managing risks). This integrated approach ensures sustainable performance and long-term success. Organizations that balance both aspects can achieve principled performance by reliably achieving objectives, addressing uncertainty, and acting with integrity.
Reference: ISO 31000:2018 – Risk management – Guidelines
COSO Enterprise Risk Management – Integrating with Strategy and Performance
Which of the following is defined as "a measure of the degree to which obligations and requirements are addressed"
- A . Risk
- B . Compliance
- C . Reward
B
Explanation:
Compliance is defined as a measure of the degree to which obligations and requirements are addressed. It involves adhering to laws, regulations, policies, and standards that are relevant to the organization. Compliance ensures that the organization meets its legal and ethical obligations, thereby avoiding legal penalties, reputational damage, and operational disruptions. Effective compliance programs involve continuous monitoring, training, and auditing to ensure all requirements are met and maintained.
Reference: ISO 19600:2014 – Compliance management systems – Guidelines
NIST SP 800-37 Rev. 2 – Risk Management Framework for Information Systems and Organizations
Achieving Principled Performance means to:
- A . Be an ethical performer
- B . Reliably achieve objectives, address uncertainty and act with integrity
- C . Recycle
B
Explanation:
Achieving principled performance means reliably achieving objectives, addressing uncertainty, and acting with integrity. This concept integrates the management of performance, risk, and compliance to ensure that an organization not only meets its goals but does so ethically and sustainably. It involves creating a culture of accountability, transparency, and ethical behavior while systematically managing risks and ensuring compliance with relevant regulations and standards. Principled performance is about achieving success while maintaining high standards of integrity and responsibility.
Reference: OCEG (Open Compliance and Ethics Group) Red Book GRC Capability Model
ISO 37001:2016 – Anti-bribery management systems
Which disciplines are integrated into GRC?
- A . Audit and Assurance
- B . Governance and Oversight
- C . Strategy and Performance Management
- D . Quality and Conformance
- E . Information Privacy and Security
- F . Compliance and Ethics
- G . Risk and Decision Support
- H . All of these disciplines are integrated into GRC
H
Explanation:
GRC (Governance, Risk, and Compliance) integrates multiple disciplines to create a cohesive approach to managing an organization’s overall governance, risk management, and compliance with regulations.
The integrated disciplines include:
Audit and Assurance: Ensuring that internal controls are effective and that laws and policies are complied with.
Governance and Oversight: Establishing frameworks and policies to guide the organization.
Strategy and Performance Management: Aligning risk management and compliance with strategic objectives.
Quality and Conformance: Ensuring products/services meet regulatory and customer standards.
Information Privacy and Security: Protecting sensitive data and ensuring information security.
Compliance and Ethics: Adhering to legal requirements and promoting ethical behavior.
Risk and Decision Support: Identifying, assessing, and mitigating risks to support decision-making.
The integration of these disciplines ensures a comprehensive approach to managing risks and achieving organizational objectives.
Reference: OCEG GRC Capability Model (Red Book)
ISO 31000:2018 – Risk management – Guidelines
COSO Enterprise Risk Management – Integrating with Strategy and Performance
Which one of these is most associated with a "measure of how well we are addressing opportunities"
- A . Compliance
- B . Performance
- C . Risk
B
Explanation:
Performance is most associated with a "measure of how well we are addressing opportunities." Performance management focuses on setting goals, monitoring progress, and evaluating outcomes to ensure that an organization is effectively taking advantage of opportunities to achieve its objectives. It involves measuring and managing activities that lead to improved efficiency, effectiveness, and innovation. By addressing opportunities, organizations can enhance their performance and create value.
Reference: ISO 9001:2015 – Quality management systems – Requirements
Balanced Scorecard Institute – Performance Management Framework
Which one of these is most associated with a "measure of how well we are meeting obligations"
- A . Performance
- B . Risk
- C . Compliance
C
Explanation:
Compliance is most associated with a "measure of how well we are meeting obligations."
Compliance involves adhering to laws, regulations, policies, and standards that apply to an organization. It ensures that the organization is fulfilling its legal, regulatory, and ethical obligations, thereby avoiding penalties, legal issues, and reputational damage. Compliance programs include policies, procedures, training, monitoring, and audits to ensure that all obligations are consistently met.
Reference: ISO 19600:2014 – Compliance management systems – Guidelines
NIST SP 800-37 Rev. 2 – Risk Management Framework for Information Systems and Organizations
Which of these is defined as "internally directing, controlling and evaluating an entity, process or resource"
- A . Management
- B . Governance
- C . Assurance
A
Explanation:
Management is defined as "internally directing, controlling and evaluating an entity, process or resource." Management involves overseeing the day-to-day operations of an organization, making decisions, setting policies, and ensuring that the organization’s resources are used effectively to achieve its goals. This function includes planning, organizing, leading, and controlling organizational activities to meet established objectives.
Reference: ISO 9001:2015 – Quality management systems – Requirements
COSO Internal Control – Integrated Framework
What level of assurance is required for an assessment?
- A . Medium
- B . High
- C . Low
- D . An assessment may target any level of assurance. The key is to define this level prior to setting the purpose and parameters.
D
Explanation:
The level of assurance required for an assessment can vary depending on the purpose, scope, and objectives of the assessment. It is crucial to define the desired level of assurance (low, medium, or high) before beginning the assessment to ensure that the approach, methodology, and resources allocated are appropriate. This helps in setting clear expectations and aligning the assessment process with the organization’s risk tolerance and regulatory requirements.
Reference: ISO 19011:2018 – Guidelines for auditing management systems
COSO Enterprise Risk Management – Integrating with Strategy and Performance
Reasonable assurance is a…
- A . low level of assurance
- B . medium level of assurance
- C . high level of assurance
C
Explanation:
Reasonable assurance is considered a high level of assurance. It indicates that the assurance provider has conducted a thorough and rigorous evaluation, although it does not guarantee absolute certainty. Reasonable assurance is commonly used in auditing and risk management contexts to provide stakeholders with confidence that the organization is operating effectively and complying with relevant standards and regulations.
Reference: ISO 31000:2018 – Risk management – Guidelines
AICPA Auditing Standards
Which two factors drive the potential level of assurance that an assurance provider may target?
- A . Competence and Objectivity
- B . Independence and Freedom
- C . Freedom and Disinterest
A
Explanation:
The two factors that drive the potential level of assurance an assurance provider may target are competence and objectivity. Competence refers to the assurance provider’s knowledge, skills, and experience necessary to perform the assessment effectively. Objectivity refers to the assurance provider’s impartiality and independence from the area being assessed, ensuring that the assessment is unbiased and credible. Both factors are essential for providing a reliable and accurate assurance.
Reference: IIA Standards for the Professional Practice of Internal Auditing
ISO 19011:2018 – Guidelines for auditing management systems
What are the common attributes of an assurance professional?
- A . Independence, objectivity and diligence
- B . Objectivity, competence and fallibilism
- C . Objectivity, independence and freedom
A
Explanation:
The common attributes of an assurance professional are independence, objectivity, and diligence. Independence ensures that the assurance professional is free from any influence or conflict of interest that could affect their judgment. Objectivity refers to the ability to provide an unbiased and impartial assessment. Diligence involves a thorough and careful approach to the assurance process, ensuring that all relevant aspects are evaluated and reported accurately. These attributes are essential for maintaining the credibility and reliability of assurance activities.
Reference: IIA Standards for the Professional Practice of Internal Auditing
ISO 19011:2018 – Guidelines for auditing management systems
Which of these roles is allowed to conduct assurance?
- A . Operators
- B . Management
- C . Risk Management
- D . Internal Controls
- E . Senior Management
- F . Board
- G . Information Security
- H . Internal Audit
- I . Compliance
- J . Any and all of these roles can conduct assurance activities given the proper purpose and parameters.
J
Explanation:
Any and all of the listed roles can conduct assurance activities provided they have the appropriate purpose and parameters defined. Assurance activities are not limited to a specific function but can be performed by various roles within an organization, such as Internal Audit, Compliance, Risk Management, and Information Security, among others. The key is that these roles must operate with the proper scope, authority, and independence to provide credible and reliable assurance.
Reference: COSO Internal Control – Integrated Framework
ISO 31000:2018 – Risk management – Guidelines