Apply COSO ERM Framework

CPA Information Systems and Controls (ISC) › Apply COSO ERM Framework

Questions 1 - 10
1

Under the COSO ERM 2017 framework, which of the following represents the first component?

Information and Communication

Governance and Culture

Risk Assessment

Control Activities

Explanation

The COSO ERM 2017 framework has five components. Governance and Culture is the foundational first component, setting oversight responsibilities and cultural expectations around risk. Answer A is correct. Risk Assessment (B), Control Activities (C) and Information and Communication (D) are components of the COSO Internal Control - Integrated Framework (ICIF), not components of COSO ERM 2017.

2

In the context of COSO ERM, risk appetite is best defined as:

The maximum financial loss the organization can sustain before becoming insolvent.

The level of risk remaining after controls have been applied.

The amount and type of risk an organization is willing to accept in pursuit of its objectives.

The specific risk events that management has identified as possible.

Explanation

Risk appetite represents the organization's willingness to accept risk in pursuit of value creation. It reflects strategy and guides risk tolerance decisions. Answer C is correct. Maximum financial loss (A) describes risk capacity. Identified risk events (B) describe a risk inventory. Risk after controls (D) describes residual risk.

3

Under the COSO ERM framework, which of the following best describes 'residual risk'?

Risks arising from external environmental factors beyond management's control.

The risk remaining after management has implemented responses to reduce inherent risk.

The risk identified during an initial risk assessment before any analysis.

The aggregate of all risks across the organization's business units.

Explanation

Residual risk is what remains after risk responses have been applied to inherent risk. Answer D is correct. Preliminary identified risk (A) is closer to inherent risk. External environmental factors (B) describe a source of risk. Portfolio-level aggregate risk (C) is a distinct concept.

4

Under COSO ERM, which of the following is an example of a risk transfer response strategy?

Purchasing insurance to shift the financial impact of a potential loss to a third party.

Reporting risk information to the board of directors.

Identifying all risks that could affect the achievement of organizational objectives.

Setting the organization's overall risk appetite.

Explanation

Risk transfer - such as purchasing insurance - is one of the five risk response strategies under COSO ERM 2017 (avoid, accept, reduce, share/transfer, and pursue). Answer A is correct. Identifying risks (B) is part of Risk Assessment. Setting risk appetite (C) is Governance and Culture. Reporting to the board (D) is Information, Communication, and Reporting.

5

A risk that falls within an organization's risk tolerance and requires no immediate action is best described under COSO ERM as:

An inherent risk requiring additional controls.

An accepted risk that is monitored but requires no additional response.

A risk that must be transferred to a third party.

A key risk indicator requiring escalation.

Explanation

Under COSO ERM, 'accept' is a valid risk response for risks within established tolerance. No additional action is required beyond monitoring. Answer D is correct. Inherent risks requiring controls (A) have not been assessed against tolerance. KRI escalation (B) implies the risk is moving outside tolerance. Transfer (C) is an active response.

6

The 'Performance' component of COSO ERM 2017 primarily involves:

Setting the organization's mission, vision, and core values.

Identifying, assessing, prioritizing, and responding to risks that affect the achievement of strategy and business objectives.

Communicating risk information to internal and external stakeholders.

Reviewing whether the ERM framework itself is operating effectively.

Explanation

The Performance component covers the core risk management process: identification, assessment, prioritization, and response. Answer C is correct. ERM effectiveness review (A) is Review and Revision. Mission and values (B) are Governance and Culture. Stakeholder communication (D) is Information, Communication, and Reporting.

7

Under COSO ERM, which of the following best describes 'inherent risk'?

Risk that arises from the organization's internal audit function.

Risk that remains after management implements its risk response strategies.

Risk that is transferred to a third party through insurance or contracts.

The risk level existing before management applies any controls or risk responses.

Explanation

Inherent risk is the raw, uncontrolled risk level absent any management actions. Answer D is correct. Residual risk (A) is what remains after responses. Internal audit is a control function, not a risk source (B). Transferred risk (C) is a specific risk response outcome.

8

A manufacturer qualifies a second supplier to reduce supply chain disruption risk. Under COSO ERM, this response is classified as:

Transfer

Avoid

Accept

Reduce (Mitigate)

Explanation

Qualifying a second supplier reduces the likelihood and/or impact of supply chain disruption - a risk reduction (mitigation) response. Answer B is correct. Accept (A) means taking no action. Avoid (C) would mean exiting the activity entirely. Transfer (D) shifts financial consequences to another party.

9

An organization maintains a risk register with identified risks, likelihood, impact, current controls, and risk owners. In COSO ERM, maintaining this register primarily supports which component?

Governance and Culture - by establishing accountability for risks.

Review and Revision - by providing historical data for trend analysis.

Information, Communication, and Reporting - by distributing risk data to stakeholders.

Performance - specifically risk identification, assessment, and prioritization.

Explanation

A risk register is the primary tool in the Performance component, documenting and prioritizing risks. Answer A is correct. While it may support governance (B), review (C), and reporting (D), its primary purpose is in the Performance component's risk identification and assessment activities.

10

Under COSO ERM, a 'key risk indicator' (KRI) is best described as:

A metric that provides early warning when a risk is increasing or approaching the risk tolerance threshold.

A financial ratio used to assess an organization's solvency.

A benchmark used to compare the organization's risk profile to industry peers.

A control test result indicating whether a specific control is operating effectively.

Explanation

KRIs are forward-looking metrics that signal when risk levels are changing, enabling proactive management before tolerance is breached. Answer A is correct. Solvency ratios (B) are financial metrics. Control test results (C) are key control indicators. Benchmarks (D) are comparative measures, not KRIs.

Page 1 of 3