Question

1. ERM specialists should not have the authority and responsibility to both identify specific enterprise risks and actually help implement corrective actions to minimize those identified risks. T/F
2. An enterprise risk function generally should be a corporate-level function with authority covering the entire enterprise. T/F
3. A Risk Assessment Review (RAR) is designed to improve on the risk environment and enhance internal controls. T/F
4. After existing in a published draft form for some time, the Committee of Sponsoring Organizations’ enterprise risk management (COSO ERM) became “official” in very late 1999. T/F
5. An ERM specialist with strong IT skills may assess system access vulnerabilities in the firewall perimeter surrounding an area of IT network operations. T/F
6. The Institute of Internal Auditors’ (IIA) professional standards do not allow internal auditors to act as consultants as well as reviewers. T/F
7. The development and release of International Organization for Standardization (ISO) guidelines standards is usually a rapid process involving minimal levels of documented controls and procedures. T/F
8. Auditing software packages provide many ways to present and display your results, such as ACL’s “Crystal Reports.” T/F
9. COSO internal controls were launched before the pervasive use of Internet technology and applications. T/F
10. Analytical skills are not required when carrying out an auditing project if specialized auditing software is used. T/F

Answer 1

1. FALSE. Enterprise resource manager is the person who has the authority and the responsibility to identify the risks and take the corrective actions.

2. TRUE. Enterprise risk is associated with whole of the organisation. Thus it is a corporate level function.

3. TRUE. Risk assessment review is done so that the various risky areas can be identified and the corrective action can be taken.

4.FALSE. COSO ERM framework published in 1992 and amended in 1994.

5.FALSE. An ERM specialist cannot assess the system access vulnerabilities.

6.TRUE. As per IIA standards a professional cannot act in both the reviewer and consultant capacity.

7.TRUE. The ISO guidelines are the predefined standards for documented controls and procedures.

8.TRUE. Auditing software packages help to present the data in different formats and reports.

9.TRUE. COSO internal controls were launched in 1992.

10.FALSE. Analytical skills are required to carry out the audit.