IIA IIA-CRMA Exam Dumps

Certification in Risk Management Assurance (CRMA) Exam

Exam Code: IIA-CRMA
Exam Name: Certification in Risk Management Assurance (CRMA) Exam
Questions: 283 Questions Answers With Explanation
Update Date: 04, 30, 2026

Why Should You Prepare For Your Certification in Risk Management Assurance (CRMA) Exam With MyCertsHub?

At MyCertsHub, we go beyond standard study material. Our platform provides authentic IIA IIA-CRMA Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual Certification in Risk Management Assurance (CRMA) Exam test. Whether you’re targeting IIA certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.

Verified IIA-CRMA Exam Dumps

Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the IIA-CRMA Certification in Risk Management Assurance (CRMA) Exam, you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.

Realistic Test Prep For The IIA-CRMA

You can instantly access downloadable PDFs of IIA-CRMA practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the IIA Exam with confidence.

Smart Learning With Exam Guides

Our structured IIA-CRMA exam guide focuses on the Certification in Risk Management Assurance (CRMA) Exam's core topics and question patterns. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content.

Pass the IIA-CRMA Exam – Guaranteed

We Offer A 100% Money-Back Guarantee On Our Products.

After using MyCertsHub's exam dumps to prepare for the Certification in Risk Management Assurance (CRMA) Exam, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.

Try Before You Buy – Free Demo

Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the IIA-CRMA exam dumps.

MyCertsHub – Your Trusted Partner For IIA Exams

Whether you’re preparing for Certification in Risk Management Assurance (CRMA) Exam or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your IIA-CRMA exam has never been easier thanks to our tried-and-true resources.

IIA IIA-CRMA Sample Question Answers

Question # 1

Which segregation of duties would best reduce the risk of payroll fraud?

A. Human resources personnel add employees, and payroll personnel process hours and enter employee bank account numbers. Paychecks are automatically deposited in the employee's bank account.
B. Human resources personnel add employees, payroll personnel process hours, and human resources personnel deliver paychecks to employees.
C. Human resources personnel add employees, review and submit payroll hours to the payroll department for processing, and deliver paychecks to employees.
D. Human resources personnel add employees and enter employee bank information. Payroll personnel process hours, and paychecks are automatically deposited in the employee's bank account.



Question # 2

Given the highly technical and legal nature of privacy issues, which of the following statements best describes the internal audit activity's responsibility with regard to assessing an organization's privacy framework?

A. If an organization does not have a mature privacy framework, the internal audit activity should assist in developing and implementing an appropriate privacy framework.
B. Because the audit committee is ultimately responsible for ensuring that appropriate control processes are in place to mitigate risks associated with personal information, the internal audit activity is required to conduct privacy assessments.
C. The internal audit activity may delegate to nonaudit IT specialists the responsibility of determining whether personal information has been secured adequately and data protection controls are sufficient.
D. The internal audit activity should have appropriate knowledge and competence to conduct an asses .......framework.



Question # 3

According to the COSO enterprise risk management (ERM) framework, which of the following is not part of the new paradigm in ERM?

A. Assessing the risk factors.
B. Aligning risk appetite and strategy.
C. Enhancing risk response decisions.
D. Reducing operational surprises and losses.



Question # 4

During an audit engagement, the internal auditor discussed a risk mitigation recommendation with the manager of the area under review. The manager disagreed with the risk assessment and recommendation. The two failed to come up with an alternative solution, and the auditor decided to proceed with including the original recommendation in the engagement report. Which of the following is especially important in dealing with this type of situation?

A. Soft skills in communication, negotiation, and collaboration.
B. Technical skills in the area under review.
C. Professional qualifications and certification in internal auditing.
D. Confidentiality and independence.



Question # 5

Which of the following actions would be characterized as a preventive control to safeguard inventory from the risk of theft?

1. Locking doors and physically securing inventory items.
2. Independently observing the receipt of materials.
3. Conducting monthly inventory counts.
4. Requiring the use of employee ID badges at all times.

A. 1 and 3. 
B. 1 and 4. 
C. 2 and 3. 
D. 2 and 4.



Question # 6

Evidence discovered during the course of an engagement suggests that multiple incidents of fraud have occurred. There do not appear to be sufficient controls in place to prevent reoccurrence. Which of the following is the internal auditor's most appropriate next step?

A. Immediately notify management of the area under review and the other internal auditors involved in the engagement.
B. Discuss the situation with the engagement supervisor to determine whether fraud investigation experts are required to investigate the matter properly.
C. Fully document in the workpapers the evidence that has been discovered and recommend appropriate controls to address the fraud.
D. Provide the evidence that was discovered to local law enforcement for possible prosecution of the suspected fraud. 



Question # 7

Which of the following statements is true regarding assurance services provided to clients outside of the organization?

A. Assurance services for outside clients are not covered under the internal audit charter.
B. Assurance services for outside clients must be approved on a case-by-case basis by the board of directors.
C. The nature of assurance services for outside clients should be defined in the internal audit charter.
D. The nature of assurance services for outside clients is the same as for internal clients.



Question # 8

Which of the following would be the most appropriate first step for the board to take when developing an effective system of governance?

A. Determine the organization's overall risk appetite.
B. Establish a governance committee.
C. Delegate authority to members of senior management.
D. Identify key stakeholders and their expectations.



Question # 9

Which of the following is most likely to function as a directive control? 

A. Security dogs.
B. Alert employees.
C. Insurance claims.
D. Cycle counts.



Question # 10

What is the additional advantage of facilitated workshops, in comparison with structured interviews, used when testing the effectiveness of entity-level controls?

A. During facilitated workshops, people more openly say things to internal auditors than during private interviews.
B. Internal auditors do not need other sources of information, as the data gathered during facilitated workshops is sufficient.
C. Facilitated workshops create a synergy of discussion that can bring multiple perspectives to the same issue.
D. The testimonial evidence obtained during facilitated workshops is generally considered more reliable.



Question # 11

According to The IIA Global Internal Audit Competency Framework, which of the following areas of training would best assist the internal audit activity in improving its use of tools and techniques?

A. Negotiation and conflict resolution.   
B. Project management.   
C. Financial accounting.   
D. Ethics and fraud.



Question # 12

An organization has implemented a software system that requires a supervisor to approve transactions that would cause treasury dealers to exceed their authorized limit. This is an example of which of the following types of controls?

A. Preventive controls. 
B. Detective controls. 
C. Soft controls. 
D. Directive controls.



Question # 13

Which of the following controls could an internal auditor reasonably conclude is effective by observing the physical controls of a large server room? 

A. Adequate signs are in place to assist in locating safety equipment.   
B. Servers are secured individually to their racks by locks.   
C. Foam fire extinguishers are operable to protect against electrical fires.   
D. Swipe card access is required to gain access to the server room.   



Question # 14

According to IIA guidance, which of the following statements is true regarding the reporting of results from an external quality assessment of the internal audit activity?

A. The external assessment results are reported upon completion in confidence directly to the board, and senior management is advised only of the recommendations and improvement action plans.
B. The results of self-assessments with independent external validation are shared with the board upon completion, and monitoring of recommended improvements must be reported monthly.
C. The external assessment results are communicated upon completion to senior management and the board, but action plans for recommended improvements do not have to be reported.
D. The requirements for reporting quality assessment results are the same for external assessments and self-assessments with independent external validation.



Question # 15

A government agency maintains a system of internal control, according to the COSO model, and has made a change to its employee performance reviews and rewards program. This change relates to which of the following components of COSO's internal control framework?

A. Control environment.   
B. Control activities.   
C. Information and communication.   
D. Monitoring activities.   



Question # 16

The chief audit executive (CAE) of a small internal audit activity (IAA) performs all high-risk engagements on the annual audit plan to make use of his knowledge and experience and to maximize the efficient use of audit resources. Which of the following statements is most relevant regarding this practice?

A. The CAE's work may be reviewed by any other experienced staff member within the IAA.   
B. The CAE's work should be reviewed by an individual with the appropriate background and knowledge.   
C. The CAE may self-review his work, provided he discloses this practice in the final report.   
D. The CAE should avoid performing engagements to ensure he is able to review all audit work objectively.  



Question # 17

Forty-five percent of an organization's customer payments are submitted online. Eight percent of online payments are rejected. Executive management decides to outsource its online payment services to a contractor that will assume 75 percent of the total value of rejected payments. The organization estimates $1.25 million customer payments due during the contract period. Which of the following represents the organization's residual risk for online customer payments due?

A. $11,250
B. $25,000
C. $33,750
D. $45,000



Question # 18

Which of the following is not an objective of internal control? 

A. Compliance.
B. Accuracy.
C. Efficiency.
D. Validation.



Question # 19

Which of the following statements accurately describes the responsibility of the internal audit activity regarding IT governance?

1. The internal audit activity does not have any responsibility because IT governance is the responsibility of the board and senior management of the organization.
2. The internal audit activity must assess whether the IT governance of the organization supports the organization's strategies and objectives.
3. The internal audit activity may assess whether the IT governance of the organization supports the organization's strategies and objectives.
4. The internal audit activity may accept requests from management to perform advisory services regarding how the IT governance of the organization supports the organization's strategies and objectives.

A. 1 only.   
B. 4 only.   
C. 2 and 4.    
D. 3 and 4.   



Question # 20

According to IIA guidance, which of the following statements is true regarding periodic internal assessments of the internal audit activity? 

A. Internal assessments are conducted to benchmark the internal audit activity's performance against industry best practices.
B. Internal assessments must be performed at least once every five years by a qualified assessor.
C. An internal auditor may perform a peer review of a colleague's workpapers, as long as the auditor wasn't involved in the audit under review.
D. Follow-up to ensure appropriate improvements are implemented is a recommended, but not mandatory, element of internal assessments.



Question # 21

Which of the following best describes the misdirection of payments on accounts receivable to an employee's bank account?

A. Fraud open on the books.   
B. Fraud hidden in the books.   
C. Fraud off the books.   
D. Fraud on the balance sheet.   



Question # 22

Which of the following actions should the audit committee take to promote organizational independence for the internal audit activity?

A. Delegate final approval of the risk-based internal audit plan to the chief audit executive (CAE).
B. Approve the annual budget and resource plan for the internal audit activity.
C. Assist the CAE with hiring objective and competent internal audit staff.
D. Encourage the CAE to communicate and coordinate with the external auditor.



Question # 23

According to the International Professional Practices Framework, which of the following are allowable activities for an internal auditor?

1. Advocating the establishment of a risk management function.
2. Identifying and evaluating significant risk exposures during audit engagements.
3. Developing a risk response for the organization if there is no chief risk officer.
4. Benchmarking risk management activities with other organizations.
5. Documenting risk mitigation strategies and techniques.

A. 4 and 5 only.
B. 1, 2, and 3 only.
C. 1, 2, 4, and 5 only.
D. 2, 3, 4, and 5 only.



Question # 24

The chief audit executive (CAE) is planning to conduct an internal assessment of the internal audit activity (IAA). Part of this assessment will include benchmarking. According to IIA guidance, which of the following qualitative metrics would be appropriate for the CAE to use?

1. Average client customer satisfaction score for a given year.
2. Client survey comments on how to improve the IAA.
3. Auditor interviews once an audit has been completed.
4. Percentage of audits completed within 90 days.

A. 1 and 2.   
B. 1 and 3.   
C. 2 and 3.   
D. 3 and 4.   



Question # 25

A new internal audit activity is creating its first charter. According to IIA guidance, which of the following objectives would be appropriate for inclusion in the charter?

A. Continuously monitor the organization's overall risk activities in relation to its risk appetite.
B. Evaluate the adequacy and effectiveness of the organization's governance activities.
C. Oversee the establishment and administration of an effective risk management program.
D. Assist management in implementing recommended control improvements.


