CRMA Cheat Sheet 2026

The 30 highest-yield CRMA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

125 questions
150 min time limit
60% to pass
  1. Risk-based audit planning requires internal audit to prioritize the audit universe based on: The significance of risks and adequacy of controls in each auditable area.
  2. The CRMA framework recommends that risk monitoring activities be integrated into which organizational process to maximize effectiveness? Strategic planning and performance management cycles
  3. An internal auditor must suggest a policy aspect to be included in an organization's code of ethics. Which of the suggestions below would be the most effective? Ethical behavior should be included in performance evaluations.
  4. The concept of 'tone at the top' in risk governance primarily refers to: Senior leadership modeling risk-aware behavior and reinforcing accountability
  5. Which stakeholder group typically provides the most valuable input during the risk identification phase of engagement planning? Senior management and business process owners
  6. Under the COSO ERM framework, 'risk capacity' represents: The maximum risk an organization can absorb before threatening its viability.
  7. A Chief Risk Officer (CRO) reporting directly to the CEO with no board access would be MOST problematic because: It prevents independent risk escalation to the board, weakening governance
  8. What is a key risk of insufficient coordination among assurance providers at an organization? Significant risk areas left without assurance coverage, creating blind spots for the board
  9. What does 'inherent risk' represent in a risk assessment? The risk that exists before any mitigating controls are considered
  10. When external auditors assess the extent to which they can rely on internal audit's work, which professional standards guide their evaluation? PCAOB AS 2605 or equivalent standards addressing the use of the work of other auditors
  11. The COSO ERM 2017 'Review & Revision' component is most analogous to which phase of a standard management cycle? Check and Act
  12. A risk governance failure most commonly occurs when: Risk ownership is unclear and accountability is not assigned to specific roles
  13. When designing a risk monitoring program, which characteristic is MOST important for KRIs to be effective? They should be measurable, predictive, and aligned with the organization's risk appetite
  14. Which metric is MOST useful when quantitatively assessing whether an organization's actual risk-taking aligns with its stated risk appetite? Key Risk Indicators (KRIs) tracked against defined thresholds.
  15. An effective risk management governance framework includes all of the following components EXCEPT: Guaranteed prevention of all future risk-related losses.
  16. A key limitation of relying solely on management's risk self-assessments during engagement planning is: Management may understate risks to avoid scrutiny or negative attention
  17. A 'black swan' event in risk management refers to: A rare, unpredictable event with extreme consequences that is rationalized in hindsight
  18. Which of the following must be communicated even if a consulting engagement scope does not include it? Significant governance, risk, or control issues identified during the engagement
  19. A significant gap in ERM coverage is identified by internal audit. Who should receive this finding FIRST? Management, so they have an opportunity to remediate before board communication
  20. Which of the following is an example of a 'leading' risk indicator? Percentage of staff who have not completed mandatory compliance training
  21. Operational risk is defined in ERM practice as the risk of loss resulting from: Inadequate or failed internal processes, people, systems, or external events.
  22. A 'risk universe' in ERM context refers to: A comprehensive inventory of all risks that could affect the organization's objectives.
  23. Under the Basel II/III operational risk framework, the Advanced Measurement Approach (AMA) required banks to use: Their own internal models validated by regulators
  24. When communicating ERM assurance results to the board, internal audit should PRIMARILY: Provide an overall opinion on the adequacy and effectiveness of ERM processes
  25. When coordinating with external auditors, internal audit's PRIMARY objective is to: Minimize duplication of effort and maximize total assurance coverage
  26. In risk appetite assessment, what does the term 'residual risk appetite' refer to? The level of risk acceptable after controls and mitigations have been applied.
  27. Which of the following is the PRIMARY benefit of standardizing risk communication templates across business units? Enabling consistent comparison and aggregation of risk information across the enterprise
  28. Within the COSO ERM framework, which component directly addresses how governance and culture shape an organization's risk management approach? Governance and Culture
  29. Who bears primary governance responsibility for approving the organization's Enterprise Risk Management policy? The board of directors or its delegated committee
  30. When evaluating risk culture, focus groups are preferred over surveys in situations where: Rich contextual understanding of attitudes is needed and sample size is small
Turn these facts into recall: