CORES Cheat Sheet 2026

The 30 highest-yield CORES facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

100 questions
90 min time limit
70.00% to pass
  1. Which governance principle ensures that individuals cannot both authorize and execute a transaction without a separate review? Segregation of duties
  2. Which document outlines steps to recover operations after a disaster? Business Continuity Plan (BCP)
  3. In the context of CORES certification, what is the most important consideration when implementing vendor & third-party risk oversight? Ensuring alignment with established standards, stakeholder needs, and best practices
  4. Which of the following is an example of an operational risk event? IT system outage
  5. Which body is primarily responsible for approving a firm's operational risk appetite statement? The Board of Directors
  6. Which of the following is a compliance-related law in finance? Sarbanes-Oxley Act (SOX)
  7. Which approach is used when a risk cannot be eliminated? Risk transfer
  8. Why is it important to test the business continuity plan regularly? To ensure the plan works during an actual event
  9. Under U.S. banking regulation, which guidance specifically articulates supervisory expectations for internal audit functions at large financial institutions? SR 03-5: Amended Interagency Guidance on the Internal Audit Function
  10. What is the primary purpose of a Risk Appetite Statement (RAS) in an operational risk framework? To define the amount and type of risk the organization is willing to accept
  11. Which of the following best describes a key competency required for scenario analysis & stress testing in CORES practice? Strong analytical skills combined with effective communication and ethical judgment
  12. In the Three Lines of Defense model, which line is primarily responsible for owning and managing operational risks on a day-to-day basis? Business units and operational management
  13. In the context of CORES certification, what is the most important consideration when implementing loss data collection & analysis? Ensuring alignment with established standards, stakeholder needs, and best practices
  14. Under sound operational risk governance, how often should the risk appetite statement typically be reviewed? At least annually and after significant business or risk profile changes
  15. What is the role of compliance audits? To check compliance and mitigate risks
  16. Which technique is commonly used to prioritize risks? Heat maps
  17. What is the primary purpose of risk mitigation planning? To reduce the impact or likelihood of risks
  18. Which of the following best describes a key competency required for risk culture & awareness training in CORES practice? Strong analytical skills combined with effective communication and ethical judgment
  19. Which quantitative method is commonly used in operational risk to estimate potential losses at a given confidence level over a specified time horizon? Value at Risk (VaR)
  20. Which governance document formally defines the scope, objectives, and methodology of an organization's operational risk management program? Operational risk management policy
  21. Which element is essential for making operational risk reports 'actionable'? Recommendations or suggested actions tied to each identified risk or control gap
  22. A heat map in operational risk reporting typically displays risks according to which two dimensions? Likelihood (probability) and impact (severity)
  23. The 'audit universe' in internal audit planning refers to: A comprehensive inventory of all auditable entities, processes, and systems
  24. Which document typically outlines specific risk mitigation steps? Risk mitigation plan
  25. Under the IIA's Three Lines Model (2020 update), which body is positioned OUTSIDE the three lines and provides governing oversight? Governing body (Board)
  26. What is the function of a communication plan during a crisis? To ensure timely and accurate communication
  27. The concept of 'risk ownership' in operational risk governance means: Business unit managers are accountable for managing the risks within their areas
  28. A risk-based internal audit approach prioritizes audit resources based on: The relative risk exposure and significance of auditable entities
  29. Which operational risk framework component ensures that risk management policies are consistently applied across all business lines? Risk governance structure
  30. What is the purpose of a risk assessment in continuity planning? To identify potential risks to operations
Turn these facts into recall: