Question

1. The three types of risk normally considered when using a risk-based audit approach are __________, __________ and __________ risk.

2. The likelihood of a significant loss occurring before taking into account any risk-reducing factors is known as ________ risk.

3. The likelihood that the control processes established to limit or manage inherent risk are ineffective is known as ____________ risk.

4. Enterprise risks come in a variety of forms including _______, ________, and _____________.

5. COSO has defined the ERM Framework as encompassing ___________, ___________, and _________________.

6. During the risk assessment, IT auditors develop an understanding of the operations of the business in order to facilitate the ________ and ___________ of significant risks to and from the information systems.

7. Three common categories of risk are ____________, ________________, and _________________ risk.

8. Under the NIST SP 800-30 framework, _______ refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability.

9. Six risk-mitigation strategies include __________, _____________, _____________, ___________, _______________, and ________________.

10. ____________ specifies the measure of risk in terms of both qualitative and quantitative estimations, while _________________ involves comparing and prioritizing risk levels based on risk-evaluation criteria and risk-acceptance criteria.

11. Common risks to IT architectures and components include: _____________________, ____________________, ___________________, _____________________, ____________________, ___________________, and _____________________.

12. In using Cascarino's Cube, the intention is to determine whether the accumulation of controls intended to mitigate a particular risk to a particular component would be adequate to: ______________________________________________.

13. If the controls identified and located in the Cube function as intended, management may gain the assurance that risk is being controlled to the desired level in an ___________ and __________ manner.

14. In gathering audit evidence, the auditor must ensure that it is _____________, _______________, _______________, and _____________.

15. Evidence derived from computations, comparisons to standards, past operations, and similar operations is known as ____________________ evidence.

1. Standards for the professional practice of internal auditing include _____________ standards, _____________ standards, and ____________ standards.

2. IT management processes, as defined in the COBIT Framework, include _____________ objectives, _____________ practices, _____________ guidelines, and _____________ guidelines.

3. COSO defined five components that would assist management in achieving internal control objectives. These include: Sound _____________ Environment, Sound _____________ Assessment, Sound _____________ and _____________ Systems, Sound _____________ Control Activities, and Process Effective _____________.

4. ______________ and ___________ are statements of corporate intent.

5. _____________ are high-level and detailed generic statements of minimum good control.

6. _____________ are practical rationales and how-to-implement guidance for the control objectives.

7. _____________ provide guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance, and substantiate the risk of controls not being met.

8. _____________ provide guidance on how to assess and improve IT process performance, using maturity models, metrics, and critical success factors.

9. Internal control was defined by the Committee of Sponsoring Organizations (COSO) as a broadly defined process, effected by _____________.

10. For a sound control environment to be effective, proper assignment of authority and responsibility coupled with the proper _____________ of available resources is required.

11. Authorization, reviews of operating performance, security of assets, and segregation of duties are examples of sound _____________ activities.

12. To ensure the effectiveness of the control process, the entire control system must be _____________ to assess the quality of the system's performance over time.

13. Within each of the ISO 17799 areas, key controls are identified to be considered _____________ and additional controls considered _____________ dependent on the level of risk sustainable by the organization.

14. Within the NIST handbook, security and planning in the computer-system life cycle are seen as _____________ controls.
