
Question 146

A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:

Correct Answer: C
Section: Volume D

Question 147

According to Section 302 of the Sarbanes-Oxley Act of 2002, what does certification of reports imply?
Each correct answer represents a complete solution. Choose three.

Correct Answer: B,C,D
Section: Volume B
Explanation:
Section 302 of the Sarbanes-Oxley Act has a tremendous impact on the risk management solution adopted by corporations. This section specifies that the reports must be certified by the CEO, CFO, or other senior officer performing similar functions.
Certification of reports establishes:
* The signing officer has reviewed the report.
* The financial statement does not contain, to the knowledge of the signing officer, any materially untrue or misleading information and represents fairly all financial conditions and results of the enterprise's operations.
* The signing officers:
- are responsible for establishing and maintaining internal controls
- have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared
- have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report
- have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date
* The signing officers have disclosed to external auditors, the audit committee, and other directors:
- all significant deficiencies in the design or operation of internal controls which could adversely affect the reliability of the reported financial data
- any fraud, whether or not material, that involves management or other employees who have a significant role in the internal controls of the enterprise
* The signing officers have indicated in the report any internal controls or changes to those internal controls which have been implemented since they were evaluated.
Incorrect Answers:
A: The signing officer has evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report, not at the time of the report.

Question 148

What is the MAIN purpose of designing risk management programs?

Correct Answer: A
is incorrect. Reducing risks to a specific return ignores the qualitative aspects of the risk, which should also be considered.

Question 149

Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?

Correct Answer: D

Question 150

Which of the following is NOT true for risk management capability maturity level 1?

Correct Answer: B
Section: Volume A
Explanation:
An enterprise at risk management capability maturity level 0 makes decisions without much knowledge of risk-credible information. At level 1, the enterprise makes decisions on the basis of risk-credible information.
Incorrect Answers:
A, C, D: An enterprise's risk management capability maturity level is 1 when:
* There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
* Any risk identification criteria vary widely across the enterprise.
* Risk appetite and tolerance are applied only during episodic risk assessments.
* Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms.
* Risk management skills exist on an ad hoc basis, but are not actively developed.
* Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.