16) What is the most common way risk is measured?

A) Speed of onset and vulnerability

B) Likelihood and impact

C) Impact and vulnerability

D) Duration and impact

E) Time to identify and likelihood

17) Which of the following is true about IT controls?

A) Cost effectiveness is not a consideration in developing and implementing IT controls

B) What IT controls need to be in place are standard across companies

C) COSO is the universally accepted framework for IT controls

D) Development and implementation of controls typically lag identification of vulnerabilities

E) Internal audit should take the lead in designing and implementing IT controls

18) Which of the following is an audit objective of an ethics program review?

A) To conduct a planning meeting with the audit client

B) To gain an understanding of procedures for hiring and training

C) To document the ethics and code of conduct program

D) To determine if the ethics program is following laws and regulations

E) To issue an audit report

19) Which of the following is not within the scope of an internal auditing review of IT governance

A) Alignment between the business and IT

B) Adequacy and reporting of IT metrics

C) Segregation of duties in the accounts payable department

D) How adaptable IT is to changes in the business

E) None of the above

20) What is residual risk?

A) Impact of risk

B) Risk that is under control

C) Risk that is not managed

D) The inherent risk in the environment

E) None of the above