
Free CRMA Practice Questions

10 free, exam-style Certification in Risk Management Assurance (CRMA) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CRMA practice test to study every exam domain.

Question 1

An organization is implementing enterprise risk management for the first time and asks the internal audit activity to help. Which requested task represents a role internal audit should NOT undertake because it would impair its objectivity?

  A. Facilitating management workshops to identify, analyze, and prioritize the organization's key risks
  B. Deciding the organization's risk appetite and which risks to accept
  C. Evaluating whether the new risk management process operates effectively
  D. Advising management on leading practices for designing a risk framework

Correct answer: B - Deciding the organization's risk appetite and which risks to accept

Explanation: Facilitating risk workshops, evaluating how well the risk process operates, and advising on framework design are legitimate consulting and assurance roles for internal audit. Setting risk appetite and deciding which risks to accept are management decisions; if internal audit made them it would later be auditing its own decisions, which impairs objectivity.

Question 2

An organization assigns its compliance department - a second-line function - to also perform assurance over the effectiveness of risk management and to report the results to the audit committee as objective assurance. Under the IIA Three Lines Model, the PRIMARY concern with this arrangement is that:

  A. compliance functions are prohibited from reporting to the audit committee
  B. the compliance department lacks sufficient knowledge of operational risks
  C. a second-line function lacks the independence needed to provide third-line assurance
  D. assurance over risk management can only be provided by the organization's external auditors

Correct answer: C - a second-line function lacks the independence needed to provide third-line assurance

Explanation: Under the Three Lines Model, compliance and similar risk functions are part of management (the second line) and help manage risk; independent, objective assurance to the governing body is the role of the third line, internal audit, which is organizationally separate from management. Nothing prohibits a compliance function from reporting to the audit committee, and assurance over risk management is not reserved to external auditors.

Question 3

A company's board states it is willing to pursue moderate financial risk to achieve its growth strategy. Separately, IT management sets a maximum acceptable downtime of four hours for the customer-billing system. The four-hour downtime limit is BEST described as the organization's risk:

  A. appetite
  B. capacity
  C. tolerance
  D. exposure

Correct answer: C - tolerance

Explanation: Risk appetite is the broad level of risk the board is willing to pursue in support of strategy (the "moderate financial risk" statement). Risk tolerance is the specific, measurable boundary set for a particular objective or activity, such as a four-hour maximum downtime. Risk capacity is the maximum amount of risk the organization can absorb, and exposure is the risk it currently faces.

Question 4

Within the COSO Enterprise Risk Management (2017) framework, identifying risks, assessing their severity, and prioritizing them are activities performed under which component?

  A. Governance and Culture
  B. Strategy and Objective-Setting
  C. Review and Revision
  D. Performance

Correct answer: D - Performance

Explanation: The Performance component of COSO ERM 2017 covers identifying risk, assessing its severity, prioritizing risks, implementing risk responses, and developing a portfolio view. Governance and Culture, Strategy and Objective-Setting, and Review and Revision address board oversight and culture, alignment of risk with strategy, and monitoring of substantial change, respectively.

Question 5

Under ISO 31000:2018, the risk assessment phase comprises risk identification, risk analysis, and risk evaluation. Which activity involves comparing the estimated level of risk against the risk criteria to decide whether the risk is acceptable or requires treatment?

  A. Risk evaluation
  B. Risk analysis
  C. Risk identification
  D. Risk treatment

Correct answer: A - Risk evaluation

Explanation: In ISO 31000:2018, risk identification finds the risks, risk analysis estimates their level (likelihood and consequences), and risk evaluation compares that estimated level with the risk criteria to decide whether further action is needed. Risk treatment is the subsequent step of selecting and implementing options and is not part of the risk assessment phase.

Question 6

A chief audit executive concludes that senior management has accepted a level of residual risk that may be unacceptable to the organization. After discussing the matter with senior management, the issue remains unresolved. According to the Standards, the CAE should:

  A. implement additional controls to reduce the risk to an acceptable level
  B. document senior management's decision and take no further action
  C. report the unresolved risk to the appropriate external regulator
  D. communicate the matter to the board for resolution

Correct answer: D - communicate the matter to the board for resolution

Explanation: Internal audit should not implement controls itself, because taking on management responsibility impairs independence, and merely documenting the decision or reporting it externally does not resolve the issue. The Standards require the CAE to escalate to the board when discussion with senior management leaves a potentially unacceptable level of residual risk unresolved.

Question 7

An internal auditor wants employees across 40 geographically dispersed branch offices to assess the design and operation of controls within their own units. Given the need for broad coverage at a reasonable cost, which control self-assessment approach is MOST appropriate?

  A. A structured questionnaire distributed to staff in each branch
  B. Facilitated control self-assessment workshops held at every branch office
  C. One-on-one interviews with managers at each of the 40 locations
  D. Direct observation of controls at each branch by the audit team

Correct answer: A - A structured questionnaire distributed to staff in each branch

Explanation: A structured questionnaire reaches all 40 branches at low cost and produces comparable results across units. Workshops, interviews, and direct observation at every site would yield richer information but are far more expensive and time-consuming at this scale.

Question 8

Which of the following metrics functions as a Key Risk Indicator (KRI) rather than a Key Performance Indicator (KPI)?

  A. Total sales revenue compared with the quarterly target
  B. Percentage of staff with overdue mandatory security training
  C. Average customer satisfaction score for the period
  D. The number of new products the company launched during the year

Correct answer: B - Percentage of staff with overdue mandatory security training

Explanation: A KRI is a forward-looking measure of rising risk exposure; a growing share of staff with overdue security training signals an increasing likelihood of a security incident before one occurs. Revenue against target, customer satisfaction, and product launches measure the achievement of objectives and are KPIs.

Question 9

When establishing the annual internal audit plan, the chief audit executive should determine engagement priorities PRIMARILY on the basis of:

  A. the operational areas that have not undergone any audit within the past three years
  B. a documented risk assessment, with senior management and board input
  C. the specific audit requests submitted by operational management
  D. the current availability and technical expertise of the audit staff

Correct answer: B - a documented risk assessment, with senior management and board input

Explanation: The Standards require the internal audit plan to be risk-based so that effort is directed at the areas of greatest risk to the organization. Audit cycle rotation, management requests, and staff availability may influence the plan but must not be its primary driver.

Question 10

A company cannot fully prevent the possibility of a data breach, so it purchases a cyber-insurance policy to cover potential financial losses. This response BEST illustrates which risk treatment strategy?

  A. Risk avoidance
  B. Risk mitigation
  C. Risk acceptance
  D. Risk transfer

Correct answer: D - Risk transfer

Explanation: Insurance shifts the financial impact of a loss to a third party without reducing the likelihood of the breach itself; this is risk transfer (COSO calls it sharing). Avoidance would mean eliminating the activity that creates the risk, mitigation would reduce its likelihood or impact, and acceptance would mean retaining the risk with no further action.

Ready for the real thing?

Practice hundreds more CRMA questions with instant scoring, weak-area drills, and full exam simulations.
