CRMA Cheat Sheet 2026
The 30 highest-yield CRMA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
125 questions
150 min time limit
60% to pass
- Risk-based audit planning requires internal audit to prioritize the audit universe based on: → The significance of risks and adequacy of controls in each auditable area.
- The CRMA framework recommends that risk monitoring activities be integrated into which organizational process to maximize effectiveness? → Strategic planning and performance management cycles
- An internal auditor must suggest a policy aspect to be included in an organization's code of ethics. Which of the suggestions below would be the most effective? → Ethical behavior should be included in performance evaluations.
- The concept of 'tone at the top' in risk governance primarily refers to: → Senior leadership modeling risk-aware behavior and reinforcing accountability
- Which stakeholder group typically provides the most valuable input during the risk identification phase of engagement planning? → Senior management and business process owners
- Under the COSO ERM framework, 'risk capacity' represents: → The maximum risk an organization can absorb before threatening its viability.
- A Chief Risk Officer (CRO) reporting directly to the CEO with no board access would be MOST problematic because: → It prevents independent risk escalation to the board, weakening governance
- What is a key risk of insufficient coordination among assurance providers at an organization? → Significant risk areas left without assurance coverage, creating blind spots for the board
- What does 'inherent risk' represent in a risk assessment? → The risk that exists before any mitigating controls are considered
- When external auditors assess the extent to which they can rely on internal audit's work, which professional standards guide their evaluation? → PCAOB AS 2605 or equivalent standards addressing the use of the work of other auditors
- The COSO ERM 2017 'Review & Revision' component is most analogous to which phase of a standard management cycle? → Check and Act
- A risk governance failure most commonly occurs when: → Risk ownership is unclear and accountability is not assigned to specific roles
- When designing a risk monitoring program, which characteristic is MOST important for KRIs to be effective? → They should be measurable, predictive, and aligned with the organization's risk appetite
- Which metric is MOST useful when quantitatively assessing whether an organization's actual risk-taking aligns with its stated risk appetite? → Key Risk Indicators (KRIs) tracked against defined thresholds.
- An effective risk management governance framework includes all of the following components EXCEPT: → Guaranteed prevention of all future risk-related losses.
- A key limitation of relying solely on management's risk self-assessments during engagement planning is: → Management may understate risks to avoid scrutiny or negative attention
- A 'black swan' event in risk management refers to: → A rare, unpredictable event with extreme consequences that is rationalized in hindsight
- Which of the following must be communicated even if a consulting engagement scope does not include it? → Significant governance, risk, or control issues identified during the engagement
- A significant gap in ERM coverage is identified by internal audit. Who should receive this finding FIRST? → Management, so they have an opportunity to remediate before board communication
- Which of the following is an example of a 'leading' risk indicator? → Percentage of staff who have not completed mandatory compliance training
- Operational risk is defined in ERM practice as the risk of loss resulting from: → Inadequate or failed internal processes, people, systems, or external events.
- A 'risk universe' in ERM context refers to: → A comprehensive inventory of all risks that could affect the organization's objectives.
- Under the Basel II/III operational risk framework, the Advanced Measurement Approach (AMA) required banks to use: → Their own internal models validated by regulators
- When communicating ERM assurance results to the board, internal audit should PRIMARILY: → Provide an overall opinion on the adequacy and effectiveness of ERM processes
- When coordinating with external auditors, internal audit's PRIMARY objective is to: → Minimize duplication of effort and maximize total assurance coverage
- In risk appetite assessment, what does the term 'residual risk appetite' refer to? → The level of risk acceptable after controls and mitigations have been applied.
- Which of the following is the PRIMARY benefit of standardizing risk communication templates across business units? → Enabling consistent comparison and aggregation of risk information across the enterprise
- Within the COSO ERM framework, which component directly addresses how governance and culture shape an organization's risk management approach? → Governance and Culture
- Who bears primary governance responsibility for approving the organization's Enterprise Risk Management policy? → The board of directors or its delegated committee
- When evaluating risk culture, focus groups are preferred over surveys in situations where: → Rich contextual understanding of attitudes is needed and sample size is small
Turn these facts into recall: