11) Risk management should

A) Focus on loss minimization only

B) Not be an objective by itself

C) Be driven by internal audit

D) Be rules-based so it is the same throughout the organization

E) Should be software driven

12) What is typically the weakest link in internal controls?

A) Technology

B) The human elements

C) Lack of funding

D) Lack of a risk assessment

E) No internal audit department

13) Which of the following is not likely to cause a system of internal controls to become ineffective?   

A) Mergers and acquisitions

B) Implementation of new technologies

C) Hiring a new external audit firm regulated by the PCAOB

D) Outsourcing business functions

E) All of the above

14) Risk appetite

A) Can be different for compliance vs. strategic objectives

B) Is the same as an organization’s risk tolerance

C) Is strictly a quantitative measure

D) Tends to be the same for all companies in the same industry

E)  Does not change over time

15) Separation of duties controls for application systems are typically applied by

A) IT governance

B) Physical security

C) Logging

D) Access security

E) System software