ExamsBrite Dumps

GRC Professional Certification Exam Question and Answers

Last Update Feb 28, 2026
Total Questions : 271

Questions 1

Why is it important to quickly respond to favorable conduct by personnel?

Options:

A.  

To associate rewards with favorable conduct and compound or accelerate benefits

B.  

To escalate incidents for investigation and identify them as in-house or external

C.  

To ensure protection of anonymity and non-retaliation for reporters

D.  

To preserve records and other evidence for investigation

Questions 2

What is meant by the term “interrelatedness” in the context of identifying opportunities, obstacles, and obligations?

Options:

A.  

It refers to how opportunities, obstacles, and obligations are linked and influenced by each other

B.  

It refers to the use of modeling and analysis of interrelated data to predict future events

C.  

It refers to the categorization of opportunities, obstacles, and obligations based on their level of importance

D.  

It refers to the process of conducting brainstorming sessions with stakeholders to identify opportunities, obstacles, and obligations

Questions 3

How is the efficiency of the LEARN component measured in terms of the use of capital?

Options:

A.  

By measuring changes in the organization's market share and competitive position.

B.  

By evaluating the return on investment from undertaking LEARN activities.

C.  

By assessing the efficiency of using financial, physical, human, and information capital to learn.

D.  

By analyzing the organization's budget allocation and resource utilization.

Questions 4

What are norms?

Options:

A.  

Norms are customs, rules, or expectations that a group socially reinforces.

B.  

Norms are the typical ways that the business operates.

C.  

Norms are the regular employees of an organization as opposed to contractors brought in for unusual (not normal) projects.

D.  

Norms are the normal or typical financial targets set by the organization.

Questions 5

Which design option is characterized by ceasing all activity or terminating sources that give rise to the opportunity, obstacle, or obligation?

Options:

A.  

Share

B.  

Accept

C.  

Control

D.  

Avoid

Questions 6

Why is it important to avoid "perverse incentives" in an incentive program?

Options:

A.  

They encourage adverse conduct

B.  

They are not tax-deductible

C.  

They decrease employee satisfaction

D.  

They violate anti-harassment laws

Questions 7

What is the purpose of conducting after-action reviews?

Options:

A.  

To determine if, when, how, and what to disclose regarding unfavorable events

B.  

To provide timely incentives to employees for favorable conduct

C.  

To uncover root causes of favorable and unfavorable events and improve proactive, detective, and responsive actions and controls

D.  

To establish a tiered approach for responding to unfavorable events

Questions 8

How can an organization know the concerns and needs of its stakeholder groups?

Options:

A.  

By identifying and understanding the concerns and needs of both the organizations and specific people within them

B.  

By requiring stakeholders to sign non-disclosure agreements then having conversations

C.  

By conducting background checks on all stakeholders

D.  

By hosting annual stakeholder appreciation events where executives can ask them what they want

Questions 9

Why is it important to protect information associated with inquiry?

Options:

A.  

To prevent stakeholders from providing feedback in the future

B.  

To ensure pathways comply with mandatory requirements in the locale where the inquiry originates and the organization operates

C.  

To avoid the need for analyzing information and findings

D.  

To eliminate the use of informal pathways for gathering information

Questions 10

TRUE or FALSE: Analysis quantifies the relative size and impact of the effects of opportunities, obstacles, and obligations.

Options:

A.  

True

B.  

False

Questions 11

What are some examples of technology factors that may influence an organization's external context?

Options:

A.  

Market segmentation, pricing strategies, and promotional activities

B.  

Research and Design activity, innovations in materials, mechanical efficiency, and the rate of technological change

C.  

How the organization uses technology for employee recruitment, onboarding processes, and performance appraisals

D.  

How the organization uses financial forecasting, budgeting, and cost control

Questions 12

In the IACM, what are the two types of Proactive Actions & Controls?

Options:

A.  

Reactive Actions & Controls and Passive Actions & Controls

B.  

Prevent/Deter Actions & Controls and Promote/Enable Actions & Controls

C.  

Centralized Actions & Controls and Decentralized Actions & Controls

D.  

Quantitative Actions & Controls and Qualitative Actions & Controls

Questions 13

What is the primary purpose of assurance in an organization?

Options:

A.  

To ensure that the organization complies with all industry-specific regulations

B.  

To provide confidence to management, governing authorities, and stakeholders by objectively and competently evaluating subject matter

C.  

To facilitate communication and collaboration between different departments within the organization

D.  

To provide legal protection to the organization in case of disputes or litigation

Questions 14

In the context of assurance activities, what is meant by the term "subject matter"?

Options:

A.  

Financial statements and accounting records

B.  

Identifiable statements, conditions, events, or activities for which there is evidence

C.  

Policies, procedures, and guidelines

D.  

Training programs, workshops, and seminars

Questions 15

A self-legitimizing person, group, or other entity with a direct or indirect invested interest in an organization’s actions because of the perceived or actual impact is referred to as?

Options:

A.  

Shareholder

B.  

Stakeholder

C.  

Executive Team

D.  

Customer

Questions 16

What type of activities are typically included in post-assessments?

Options:

A.  

Financial audits and budget reviews.

B.  

Employee performance evaluations and appraisals.

C.  

Market research and customer surveys.

D.  

Lessons learned, root-cause analysis, after-action reviews, and other evaluative activities.

Questions 17

How are Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), and Key Compliance Indicators (KCIs) used?

Options:

A.  

KPIs help govern, manage, and provide assurance about performance related to an objective; KRIs help govern, manage, and provide assurance about risk related to an objective; KCIs help govern, manage, and provide assurance about compliance related to an objective

B.  

KPIs are financial metrics, KRIs are operational metrics, and KCIs are customer-related metrics, all of which are used to determine executive bonuses

C.  

KPIs are long-term goals, KRIs are short-term goals, and KCIs are intermediate goals, all of which are used to determine what decision-making criteria are required

D.  

KPIs are used to measure the efficiency of business processes; KRIs are used to assess the risk assessment processes; and KCIs are used to evaluate the impact of changes, regulations and other obligations

Questions 18

Which trait of the Protector Mindset involves integrating Critical Disciplines to approach work from multiple dimensions?

Options:

A.  

Accountable

B.  

Visionary

C.  

Versatile

D.  

Intradisciplinary

Questions 19

In the IACM, what is the role of Compound/Accelerate Actions & Controls?

Options:

A.  

To identify and address any potential conflicts of interest that may compound or accelerate enforcement actions against the company.

B.  

To enhance the brand image and reputation of the organization.

C.  

To accelerate and compound the impact of favorable events to increase benefits and promote the future occurrence.

D.  

To accelerate and compound the benefits of reducing costs.

Questions 20

What is the term used to describe the level of risk in the absence of actions and controls?

Options:

A.  

Uncontrolled Risk

B.  

Inherent Risk

C.  

Vulnerability

D.  

Residual Risk

Questions 21

In the context of event notifications, how can technology-based notifications benefit an organization?

Options:

A.  

These notifications are always more reliable than traditional paper-based methods

B.  

These notifications often (though not always) alert the organization sooner than other methods, especially when human methods fail or are delayed

C.  

Use of this type of notification is only beneficial for large organizations with complex structures

D.  

These notifications eliminate the need for any human involvement in the assignment of follow-up tasks

Questions 22

Why is monitoring important in the context of the REVIEW component?

Options:

A.  

Because it generates financial reports for stakeholders.

B.  

Because it contributes to employee performance evaluations.

C.  

Because it is a required task for external regulatory compliance.

D.  

Because it helps management and the governing authority understand progress toward objectives and whether opportunities, obstacles, and obligations are addressed.

Questions 23

How do assurance activities contribute to justified conclusions and confidence about total performance?

Options:

A.  

By evaluating subject matter so that information consumers can trust what is stated or claimed

B.  

By implementing new technologies and software systems

C.  

By conducting market research and analyzing customer feedback

D.  

By organizing team-building activities and workshops

Questions 24

What are some examples of economic incentives that can be used to encourage favorable conduct?

Options:

A.  

Monetary compensation, bonuses, profit-sharing, and gain-sharing.

B.  

Employee training, mentorship programs, and skills development.

C.  

Flexible work hours, remote work options, and casual dress codes.

D.  

Team-building activities, company retreats, and social events.

Questions 25

What is compliance, and how is it measured in an organization?

Options:

A.  

Compliance is a measure of the degree to which obligations are proven to be addressed, and it is measured by assessing requirements, actions & controls to address requirements, and evidence of effectiveness.

B.  

Compliance is the ability to avoid legal disputes, and it is measured by the number of lawsuits and enforcement actions filed against the organization.

C.  

Compliance is the financial success of the organization, and it is measured by revenue and profit margins.

D.  

Compliance is the level of stakeholder satisfaction measured through stakeholder surveys and feedback.

Questions 26

Which Critical Discipline of the Protector Skillset includes skills to constrain activities and set direction?

Options:

A.  

Audit & Assurance

B.  

Governance & Oversight

C.  

Risk & Decisions

D.  

Compliance & Ethics

Questions 27

Why is it important to provide a helpline for the workforce and other stakeholders?

Options:

A.  

To define the learning objectives for the workforce

B.  

To evaluate the effectiveness of the education program

C.  

To develop new content for the education program based on questions asked

D.  

To allow them to seek guidance about future conduct, ask general questions, and have the option for anonymity

Questions 28

In the IACM, what is the role of Prevent/Deter Actions & Controls?

Options:

A.  

To decrease the likelihood of unfavorable events

B.  

To identify areas in the organization where compliance issues may arise

C.  

To promote collaboration and teamwork among employees

D.  

To ensure compliance with industry-specific regulations

Questions 29

What is the importance of linking (or laddering) objectives with superior-level objectives?

Options:

A.  

Linking with superior-level objectives is important for ensuring that employees receive appropriate compensation and benefits based on meeting objectives

B.  

Linking with superior-level objectives is essential to ensure organizational alignment and to ensure that subordinate units contribute to the most important objectives and priorities of the organization

C.  

Linking with superior-level objectives is essential to ensure that the same exact objectives are used by all levels and units in their day-to-day jobs

D.  

Linking with superior-level objectives is necessary to reduce the number of objectives and simplify the organization’s structure

Questions 30

How do GRC Professionals apply the concept of ‘maturity’ in the GRC Capability Model?

Options:

A.  

GRC Professionals apply maturity only to the highest level of the GRC Capability Model.

B.  

GRC Professionals apply maturity at all levels of the GRC Capability Model to assess preparedness to perform practices and support continuous improvement.

C.  

GRC Professionals use maturity to evaluate the performance of individual employees.

D.  

GRC Professionals use maturity to determine the budget allocation for GRC programs.

Questions 31

Within an organization, what is the governing authority responsible for?

Options:

A.  

Directly managing the most critical aspects of the organization's operations to ensure they achieve established objectives

B.  

Designing every strategic plan that applies at any level of the organization

C.  

Negotiating contracts with all organization executives, as well as all suppliers and vendors

D.  

Balancing the competing needs of stakeholders to guide, constrain, and conscribe the organization to reliably achieve objectives, address uncertainty, and act with integrity

Questions 32

What is the significance of assigning a single owner to each objective?

Options:

A.  

Assigning a single owner to each objective ensures clear accountability and authority to ensure successful achievement

B.  

Assigning a single owner to each objective ensures that the owner receives recognition and rewards for achieving the objective

C.  

Assigning a single owner to each objective allows the owner to delegate tasks to other employees to achieve the objective

D.  

Assigning a single owner to each objective allows the owner to make unilateral decisions without consulting other stakeholders, which is necessary to keep plans for achieving the objective on track

Questions 33

What is the purpose of after-action reviews?

Options:

A.  

They are used to provide incentives to employees for favorable conduct

B.  

They are used to ensure the protection of anonymity and non-retaliation for reporters

C.  

They uncover root causes of events and help improve proactive, detective, and responsive actions and controls

D.  

They are used to escalate incidents for investigation and identify them as in-house or external

Questions 34

How do organizations address opportunities and obstacles?

Options:

A.  

Opportunities are addressed by expanding the product portfolio; obstacles are addressed by changing objectives

B.  

Opportunities are addressed through aggressive marketing and sales strategies; obstacles are addressed through cost-cutting measures

C.  

Opportunities are addressed using performance management systems and key performance indicators (KPIs); obstacles are addressed using risk management systems and key risk indicators (KRIs)

D.  

Opportunities are addressed through decisions made at the unit or department level; obstacles are addressed at the governing body level

Questions 35

What is the Integrated Action & Control Model (IACM) designed to provide?

Options:

A.  

The IACM is designed to provide a financial model for maximizing profits while addressing risk and compliance considerations

B.  

The IACM is designed to provide a method for deciding whether to outsource responsibility for some or all governance, management, and assurance activities

C.  

The IACM is designed to provide a framework for eliminating all risks and achieving perfect compliance

D.  

The IACM provides a comprehensive model to consider the full range of actions and controls used for the governance, management, and assurance of performance, risk, and compliance

Questions 36

What is the importance of mapping objectives to one another within an organization?

Options:

A.  

Mapping objectives not only at the enterprise level but also across all units shows how they impact one another and how resources may be best allocated

B.  

Mapping objectives not only at the enterprise level but also across all units is important for determining the compensation and bonuses of employees based on their contributions to achieving objectives

C.  

Mapping objectives not only at the enterprise level but also across all units is important for creating a visual representation of the organization’s hierarchy and reporting structure

D.  

Mapping objectives not only at the enterprise level but also across all units is important for identifying redundant objectives and eliminating them from the organization’s strategic plan

Questions 37

The difference between the current skill level and the target skill level is referred to as?

Options:

A.  

Learning Objective

B.  

Educational Needs

C.  

Skill Gap

D.  

Skill Set

Questions 38

Why is it essential to ensure that every issue or incident is addressed?

Options:

A.  

To provide incentives to employees for favorable conduct.

B.  

To compound and accelerate the impact of favorable events.

C.  

To maintain employee and other stakeholder confidence in the system’s effectiveness.

D.  

To escalate incidents for investigation and identify them as in-house or external.

Questions 39

What is the role of indicators in measuring progress toward objectives?

Options:

A.  

Indicators are used to determine if the objectives must be changed in response to changes in the external or internal context.

B.  

Indicators measure quantitative or qualitative progress toward an objective.

C.  

Indicators are used to evaluate the appropriateness of the organization’s selection of objectives.

D.  

Indicators are used to calculate the return on investment for various projects and initiatives.

Questions 40

In the context of GRC, which is the best description of the role of governance in an organization?

Options:

A.  

Developing marketing strategies and driving sales growth to meet objectives established by the governing body

B.  

Indirectly guiding, controlling, and evaluating an entity by constraining and conscribing resources

C.  

Conducting audits and providing assurance on the effectiveness of controls

D.  

Implementing operational processes and overseeing day-to-day activities

Questions 41

What is the duality of compliance, and how does it relate to risk?

Options:

A.  

The duality of compliance refers to the distinction between domestic and international regulations that an organization must follow.

B.  

The duality of compliance refers to the trade-off between investing in compliance measures and allocating resources to other business areas.

C.  

The duality of compliance involves addressing both compliance with obligations and compliance-related risks. Compliance involves meeting mandatory and voluntary obligations, while compliance-related risks involve addressing the risk of negative outcomes associated with non-compliance.

D.  

The duality of compliance refers to the balance between financial gains and ethical considerations in business decisions.

Questions 42

Why is it important for an organization to define events and timescales that trigger reconsideration of external factors?

Options:

A.  

It allows the organization to reduce its staff time addressing changes in the external context

B.  

It helps the organization avoid the need for hiring consultants or law firms to recommend how to respond to changes in the external context

C.  

It eliminates the need for supply chain management and procurement activities on an ongoing basis and only requires response to defined events in the supply chain

D.  

It ensures that the organization remains responsive and adaptable to changes in the external context that may impact its operations and objectives

Questions 43

In the context of uncertainty, what is the difference between likelihood and impact?

Options:

A.  

Likelihood is a measure of the chance of an event occurring, while impact is the location of the event within the organization.

B.  

Likelihood is a measure of the chance of an event occurring, while impact is the category or type of risk or reward from the event.

C.  

Likelihood is a measure of the chance of an event occurring, while impact measures the economic and non-economic consequences of the event.

D.  

Likelihood is the chance of an event occurring after controls are put in place, while impact measures the economic and non-economic consequences of the event.

Questions 44

How can inquiry be conceptualized in terms of information-gathering mechanisms?

Options:

A.  

As a "pushing" mechanism where individuals push information to external sources.

B.  

As a "pulling" mechanism where individuals pull information from people and systems for follow-up and action.

C.  

As a mechanism that relies solely on technology-based tools.

D.  

As a centralized process managed by a single department.

Questions 45

In the context of assurance activities, what does the term "assurance objectivity" refer to?

Options:

A.  

To the degree to which an Assurance Provider can adhere to industry standards and best practices in performing audits.

B.  

To the degree to which an Assurance Provider can provide accurate and reliable information to stakeholders on which they can form an opinion about the subject matter themselves.

C.  

The degree to which an Assurance Provider can be impartial, disinterested, independent, and free to conduct necessary activities to form an opinion about the subject matter.

D.  

To the degree to which an Assurance Provider can minimize costs and maximize efficiency in performing audits.

Questions 46

What is the role of sensemaking in understanding the internal context?

Options:

A.  

Sensemaking involves analyzing the organization’s supply chain to identify potential bottlenecks and make any necessary changes in how it is managed.

B.  

Sensemaking involves evaluating the organization’s sense of all aspects of its culture so that improvements can be made.

C.  

Sensemaking involves conducting financial audits to make sense of the financial condition of the organization and ensure compliance with accounting standards.

D.  

Sensemaking involves continually watching for and making sense of changes in the internal context that have a direct, indirect, or cumulative effect on the organization.

Questions 47

When should anonymity be afforded to stakeholders who raise issues through notification pathways?

Options:

A.  

Anonymity should never be afforded, as it encourages false reporting.

B.  

Anonymity should be afforded where legally permitted or required.

C.  

Anonymity should only be afforded to stakeholders who are not employees of the organization.

D.  

Anonymity should be afforded only when the issue raised is of minor importance.

Questions 48

What is the role of compliance management systems and key compliance indicators (KCIs) in an organization?

Options:

A.  

To deliver compliance training to employees

B.  

To measure the degree to which obligations and requirements are addressed

C.  

To ensure adherence to ethical standards and codes of conduct

D.  

To monitor and evaluate the effectiveness of internal controls and procedures

Questions 49

In the context of GRC, which is the best description of the role of assurance in an organization?

Options:

A.  

Allocating financial resources and evaluating their use to manage the organization’s budget better.

B.  

Providing the governing body with opinions on how well its objectives are being met based on expertise and experience.

C.  

Designing and monitoring the organization’s information technology systems to be accurate and reliable so management can be assured of meeting established objectives.

D.  

Objectively and competently evaluating subject matter to provide justified conclusions and confidence.

Questions 50

Which are some considerations to keep in mind when establishing a communication framework?

Options:

A.  

Reducing the frequency of communication to avoid information overload.

B.  

Selecting the appropriate sender, recipient, intention, message, cadence, and channel.

C.  

Ensuring external communications are always formal while most internal communication can be more informal.

D.  

Using only one communication channel for all types of messages so that sending and receipt can be tracked.

Questions 51

What is the relationship between the internal context and the culture of an organization within the LEARN component?

Options:

A.  

The internal context and culture determine the organization's financial performance.

B.  

The internal context and culture describe the capabilities and resources used to meet stakeholder needs.

C.  

The internal context and culture define the organization's risk appetite and tolerance levels.

D.  

The internal context and culture outline the organization's compliance requirements.

Questions 52

What does it mean for an organization to be "agile" within the context of the LEARN component?

Options:

A.  

The ability to rapidly expand and scale the organization’s operations in response to change

B.  

The ability to quickly re-learn context and culture when things change

C.  

The ability to adapt the organization’s mission and vision to changing market conditions

D.  

The ability to effectively manage risks and respond to compliance issues that are identified

Questions 53

What is the importance of gaining subordinate buy-in when setting the direction for an organization?

Options:

A.  

To determine the organization’s expansion and growth plans without internal conflict

B.  

To establish the organization’s brand identity and image without conflict

C.  

To ensure that the organization has sufficient staff to take on defined tasks

D.  

To help subordinate units understand and define ways to contribute to the organization’s success, reducing the risk of strategic misalignment and engagement decay

Questions 54

Which trait of the Protector Mindset involves acting deliberately in advance to reduce the risk of being caught off guard?

Options:

A.  

Proactive

B.  

Versatile

C.  

Collaborative

D.  

Assertive

Questions 55

In the IACM, what is the role of Assurance Actions & Controls?

Options:

A.  

To assist assurance personnel in providing assurance services

B.  

To assess new products and services for the market

C.  

To analyze financial statements and prepare budgets

D.  

To create a positive organizational culture and work environment

Questions 56

What is the benefit of recognizing, compounding, and accelerating the impact of favorable events?

Options:

A.  

To preserve records and other evidence for investigation

B.  

To ensure confidentiality of the information and determine privilege

C.  

To apply consistent discipline to individuals at fault

D.  

To maximize benefit and promote future occurrence of favorable events

Questions 57

What is the role of an assurance provider in the assurance process?

Options:

A.  

They conduct activities to evaluate claims and statements about subject matter to enhance confidence.

B.  

They oversee the implementation of the organization's compliance program and policies.

C.  

They conduct financial audits and issue audit reports.

D.  

They develop the organization’s risk management strategy and framework.

Questions 58

In the context of Principled Performance, what is the definition of integrity?

Options:

A.  

Integrity is the absence of any legal disputes or conflicts within an organization

B.  

Integrity is the ability to achieve financial success as promised to shareholders

C.  

Integrity is the process of complying with all government regulations

D.  

Integrity is the state of being whole and complete by fulfilling obligations, honoring promises, and cleaning up the mess if a promise was broken

Questions 59

How can an organization ensure that notifications are handled by the right organizational units?

Options:

A.  

By establishing a single point for referral regardless of the topic or type

B.  

By prioritizing, substantiating, validating, and routing notifications based on topic, type, and severity

C.  

By disregarding any notifications that do not meet specific criteria or thresholds so the remainder can be more efficiently routed

D.  

By requiring that all notifications be reviewed by the general counsel before any action is taken

Questions 60

What is the end result of the alignment process in the ALIGN component?

Options:

A.  

The end result of alignment is a detailed budget and financial forecast

B.  

The end result of alignment is a comprehensive risk assessment report

C.  

The end result of alignment is an integrated plan of action

D.  

The end result of alignment is a detailed organizational chart with lines of reporting

Questions 61

What considerations should be taken into account when protecting information associated with notifications?

Options:

A.  

Allowing unrestricted access to notification and follow-up information by the notifier so that they can see the organization is responding appropriately

B.  

Knowing that any legal or regulatory requirements related to data privacy do not apply to hotline reports

C.  

Ensuring pathways comply with mandatory requirements in the locale where the notification originates and the organization operates

D.  

Knowing that confidentiality and anonymity rights are the same thing

Questions 62

What is the role of the Second Line in the Lines of Accountability Model?

Options:

A.  

The Second Line is responsible for conducting external audits and providing assurance to stakeholders

B.  

The Second Line is responsible for making strategic decisions and setting the overall direction of the organization, deciding on objectives and issuing decision-making guidance

C.  

The Second Line establishes performance, risk, and compliance programs for the First Line, and provides oversight through frameworks, standards, policies, tools, and techniques

D.  

The Second Line focuses on the day-to-day operational activities of the organization to address risk and compliance requirements

Questions 63

What are the four dimensions of Total Performance that should be considered across all components and elements of the GRC Capability Model?

Options:

A.  

Vision, Mission, Strategy, and Tactics

B.  

Input, Process, Output, and Feedback

C.  

Planning, Execution, Monitoring, and Control

D.  

Effectiveness, Efficiency, Responsiveness, and Resilience

Questions 64

Which category of actions & controls in the IACM includes formal statements and rules about organizational intentions and expectations?

Options:

A.  

Information

B.  

People

C.  

Technology

D.  

Policy

Questions 65

How is the level of assurance determined in relation to objectivity and competence?

Options:

A.  

The level of assurance is based on the financial performance of the organization being evaluated.

B.  

The level of assurance is a function of the assurance objectivity and assurance competence of the assurance provider.

C.  

The level of assurance is determined by the number of years of experience of the assurance provider.

D.  

The level of assurance is established by the governing authority based on regulatory requirements.

Questions 66

What is the role of suitable criteria in the assurance process?

Options:

A.  

These criteria are performance metrics used to assess the efficiency of the organization's operations.

B.  

These criteria are standards for the ethical conduct of employees and stakeholders.

C.  

These criteria are guidelines for the allocation of resources within the organization.

D.  

These criteria are benchmarks used to evaluate subject matter that yield consistent and meaningful results.

Questions 67

What are the two aspects of value that Protectors are skilled at balancing within an organization?

Options:

A.  

Value creation and value protection

B.  

Value production and value preservation

C.  

Value measurement and value analysis

D.  

Value assessment and value reporting

Questions 68

Who are key external stakeholders that may significantly influence an organization?

Options:

A.  

Distributors, resellers, and franchisees.

B.  

Competitors, employees, and board members.

C.  

Marketing agencies, legal advisors, and auditors.

D.  

Customers, shareholders, creditors and lenders, government, and non-governmental organizations.

Questions 69

What is the role of likelihood and impact in measuring the effect of uncertainty on objectives?

Options:

A.  

Likelihood measures the chance of an event occurring, and impact measures the economic and non-economic consequences

B.  

Likelihood measures the number of obstacles, and impact measures the number of opportunities

C.  

Likelihood measures the financial gain, and impact measures the financial loss

D.  

Likelihood and impact are irrelevant in measuring the effect of uncertainty

Questions 70

What is the term used to describe the measure of the negative effect of uncertainty on objectives?

Options:

A.  

Risk

B.  

Harm

C.  

Obstacle

D.  

Threat

Questions 71

What practices are involved in analyzing and understanding an organization’s ethical culture?

Options:

A.  

Developing a strategic plan to achieve the organization’s long-term goals for improving ethical culture

B.  

Conducting a survey of employees every few years on their views about the organization’s commitment to ethical conduct

C.  

Implementing a performance appraisal system to evaluate employee performance

D.  

Analyzing the climate and mindsets about how the workforce generally demonstrates integrity

Questions 72

Why is it important to periodically evaluate the capability of an organization?

Options:

A.  

To ensure that the organization's supply chains aren't disrupted

B.  

To ensure that the capability remains relevant in light of changing circumstances, especially changes in the internal and external context

C.  

To ensure that the organization’s brand image is positive

D.  

To ensure that the organization's stock price or value remains stable

Questions 73

Which organization and its membership created the concepts of Principled Performance and GRC?

Options:

A.  

IAPP (International Association of Privacy Professionals)

B.  

AICPA (American Institute of Certified Public Accountants)

C.  

ISACA (Information Systems Audit and Control Association)

D.  

IFAC (International Federation of Accountants)

E.  

IMA (Institute of Management Accountants)

F.  

SCCE (Society of Corporate Compliance and Ethics)

G.  

ACFE (Association of Certified Fraud Examiners)

Questions 74

When are additional governance actions and controls considered necessary in the IACM?

Options:

A.  

When the organization experiences rapid growth and expansion

B.  

Only when mandated by external regulatory authorities

C.  

Are never necessary, as management actions and controls are adequately provided by the application of the IACM

D.  

When management actions and controls do not provide enough information or guidance to constrain and conscribe the organization

Questions 75

In the Lines of Accountability Model, who is responsible for providing a high level of assurance on activities performed by the First Line and Second Line?

Options:

A.  

The Fourth Line, which is the Governing Authority (Board)

B.  

The Fourth Line, which is the Executive Team

C.  

The Fourth Line, which is the Human Resources department

D.  

The Third Line, which may include internal audit, external audit, or outside experts

Questions 76

What are the key measurement criteria for the REVIEW component?

Options:

A.  

Quality, Safety, Compliance, and Sustainability.

B.  

Effective, Efficient, Agile, and Resilient.

C.  

Leadership, Collaboration, Innovation, and Diversity.

D.  

Revenue, Profit, Market Share, and Growth.

Questions 77

At a very high level, how can an organization address an opportunity, obstacle, or obligation?

Options:

A.  

By avoiding any actions that could lead to uncertainty

B.  

By focusing on immediate goals and actions that don't present uncertainty

C.  

By obtaining risk insurance

D.  

By using design options such as Avoid, Accept, Share, and Control

Questions 78

Which trait of the Protector Mindset involves bringing stability against volatile, uncertain, complex, and ambiguous realities?

Options:

A.  

Dynamic

B.  

Versatile

C.  

Stable

D.  

Accountable

Questions 79

What is the primary objective of Lean as a technique for improvement?

Options:

A.  

To maximize profits and shareholder value

B.  

To improve communication and collaboration

C.  

To eliminate waste and increase efficiency

D.  

To enhance customer satisfaction and loyalty

Questions 80

What is the measure of the degree to which obligations and requirements are addressed?

Options:

A.  

Noncompliance

B.  

Compliance

C.  

Violation

D.  

Deviation

Questions 81

What are the four dimensions used to assess Total Performance in the GRC Capability Model?

Options:

A.  

Quality, Productivity, Flexibility, and Durability

B.  

Accuracy, Precision, Speed, and Stability

C.  

Effectiveness, Efficiency, Responsiveness, and Resilience

D.  

Compliance, Consistency, Adaptability, and Robustness
