66. What is a common mistake when developing proactive technology controls? *

  • Using detective controls at the same time as preventive controls
  • Allowing access to the technology control without evaluating role based need
  • Using the same preventive technology control for more than one point of failure
  • Determining ways that a control may be circumvented or manipulated

67. When conducting an internal review and investigation of allegations or indications of misconduct, management must *

  • Immediately schedule external legal investigation to ensure independence in the review and investigation of the reported event.
  • Understand the facts, circumstances, root causes and appropriate resolution to such allegations or indications of misconduct.
  • Ensure that the investigation does not interfere with any business operations of the organization.
  • Make sure there are not too many channels of various types for reporting such incidents.

68. Which of the following are the three key management actions and controls described in the Notification element of the GRC Capability Model (Red Book)? *

  • Capture notifications, investigation, and remediation
  • Detective controls, filter and route, and code of conduct
  • Capture notifications, respond and resolve, and inform and integrate
  • Capture notifications, filter and route notifications, and adhere to data protection requirements

69. What is a Policies and Procedures Matrix? *

  • A graph depicting each policy and procedure followed by each business unit
  • A table indicating policies that are required by law mapped to each legal requirement
  • A table correlating each policy to its owner, related requirements, related procedures, training, reports, controls and evidence of compliance
  • A list of policies including the procedures for implementing each policy

70. Which of the following groups should be provided with repeated and consistent education about expected organizational conduct to increase the skills and motivation needed to help the organization achieve Principled Performance? *

  • Senior Management, the GRC capability support team, and the extended enterprise
  • Organizational Board, senior management, workforce, and the extended enterprise
  • Organizational leaders, champions, and the extended enterprise
  • Organizational learning and development team, and the extended enterprise

71. Which of the following is NOT an appropriate step in the establishment of incentives? *

  • Designate rewards for units that demonstrate reduced compliance failures
  • Develop reward programs that recognize individuals for exhibiting desired conduct
  • Establish compensation plans for compliance oversight roles that include incentives tied to increased revenue
  • Avoid bonus incentives that encourage or reward misconduct

72. With respect to third-party investigations and inquiries regarding allegations of misconduct, an organization must *

  • Be prepared to respond to all requests from external investigators as long as it is not suspected to lead to civil or criminal investigations.
  • Cooperate with external investigators by answering any requests.
  • Be prepared to respond to a third-party investigation, while minimizing the business disruption of the investigation.
  • Not cooperate with the external investigation if they feel the investigation is frivolous.

73. What are proactive actions and controls? *

  • Specified process steps or actions that will reduce the likelihood and impact of undesirable events, activities or behavior
  • Technology and processes that help the organization to correct any detected instances of misconduct before an adverse impact arises
  • Specified process steps or actions that will allow the organization to identify misconduct as it occurs
  • Technology controls that detect the opportunity for misconduct or adverse events and prevent them from occurring

74. Which of these is a correct statement? *

  • A code of conduct always should specify that confidentiality will always be maintained for anyone reporting misconduct and provide a method for anonymous reporting
  • A code of conduct should address compliance with laws, conflicts of interest, use of corporate property, requirements and methods for reporting of misconduct, and other factors
  • A code of conduct should be established only for management as required by law
  • A well written code of conduct may suffice to demonstrate that an organization has an effective compliance program

75. Which of the following is NOT a required step in developing a policy management system? *

  • Determine what policies are required by mandates or are desired based on internal values and objectives
  • Purchase a policy management technology solution
  • Compile a list of existing policies and identify redundancies or conflicts
  • Establish a standard template for policies

76. Which of the following is NOT true? *

  • An organization should always have only one code of conduct
  • A code of conduct may be required by law, regulation or other authority for certain roles or positions in the organization.
  • The code of conduct will be ineffective if it is written at a level of language its intended audience does not understand
  • The code of conduct may contain guidelines for responsible decision-making when the code, other guidance or law is unclear

77. Which of the following statements is FALSE? *

  • Awareness and education requirements should be defined for each set of procedures
  • Employees should always receive formal training on the procedures they are expected to follow
  • The organization should have a process for updating procedures when circumstances change
  • Some preventive procedures should be imposed on the extended enterprise

78. Which of the following is NOT a key management action and control related to Inquiry? *

  • Establish an integrated approach to self-assessment.
  • Report information and findings.
  • Establish multiple pathways to obtain information.
  • Adhere to data protection requirements.

79. Monitoring senior management's override of control activities is a responsibility requiring: *

  • Board perspective and independence
  • Review and correction by the Chief Legal Officer
  • Investigation by the Chief Ethics Officer
  • Reporting to senior management by the Chief Risk Officer

80. When preparing to undertake an internal investigation related to compliance or ethical issues, an organization must *

  • Immediately disclose the issue to the Board, independent auditors, or other applicable regulatory agencies.
  • Ensure the investigation does not interfere with any relevant business processes.
  • Ensure that a completion due date for the investigation is set and adhered to in order that results are able to be reported on a timely basis.
  • Define internal management that is responsible for oversight of the investigation.

81. When establishing procedures for investigating complaints or reports, an organization must *

  • Define policies and procedures designed to make sure that the confidentiality of all reported information is protected.
  • Define policies and procedures to ensure that the Board is aware of all compliance or ethical issues.
  • Define policies and procedures that ensure that such complaints or reports are never handled directly by line management.
  • Define categories of issues that are significant enough to be escalated to senior management and/or outside counsel immediately upon validation.

82. Which of the following statements is FALSE? *

  • Legal experts should review and approve policies that are intended to satisfy or address legal mandates
  • It is important to define the intended audience for each policy and its objective before drafting the policy
  • Policies never should be imposed on supply chain partners or any entity outside of the organization
  • Policies may be interrelated or dependent, so a change to one may affect another

83. Management implements various actions and controls to help ensure the organization meets its objectives, manages risks appropriately and is in compliance with applicable mandatory and voluntary boundaries. The OCEG Red Book version 3.0 discusses three specific categories of actions and controls. Which of the following is not a category of actions and controls described in the Red Book? *

  • Proactive
  • Mitigating
  • Responsive
  • Detective

84. Which one of the following enables individuals to know what is expected, to reduce the likelihood of errors, and to be comfortable about reporting misconduct or GRC capability flaws? *

  • Code of conduct
  • Education
  • Policies
  • Detective actions and controls

85. One step in developing a crisis response and business continuity plan is *

  • Identifying all potential events, regardless of impact or likelihood.
  • Assessing the effectiveness of each preventive process control activity.
  • Remediating related systems and processes.
  • Identifying events with crisis level impact.

86. Organizations must establish responsive control activities in order to respond to undesirable consequences that result from adverse events and conditions. Examples of these include: *

  • Education, policies, and incentives
  • Hotlines, exit interviews, and surveys
  • Investigations, crisis response, and third-party investigations
  • Communication, education, and investigations

87. Detective controls should *

  • Discourage errors or prevent irregularities from occurring
  • Detect actual adverse events and indications of opportunity for any potential adverse events
  • Establish mechanisms for identifying and analyzing risks
  • Set the tone for the organization, influencing the control consciousness of its people

88. Which of the following is true regarding GRC awareness and education about expected conduct? *

  • It is important to take attendance at all training programs by having employees sign in at the beginning of the class to make sure all employees have completed and understand the curriculum.
  • It is important to develop strong education programs so that organizations can use them for many years, not wasting valuable resources on changing them frequently.
  • The ability to seek guidance prior to or at decision-making time is critical in an effective GRC capability, but, for legal purposes, the organization must always ensure they document the names of the individuals seeking guidance.
  • Awareness, education and ongoing support enable individuals to know what is expected, reduce the likelihood of errors and criminal behavior, and be comfortable about reporting misconduct or GRC capability flaws.

89. Which of the following statements is true? *

  • Procedures for the organization should be exactly the same in every location where the organization operates
  • Formal procedures should only include those that are legally mandated because this limits liability for the organization to legal obligations
  • The organization should have a system to track and correct conflicts and inconsistencies in established or utilized procedures
  • Required procedures should not be imposed upon partners in the extended enterprise beyond the organization itself because this may increase liability for the organization

90. Which of the following is true regarding developing, implementing and managing policies? *

  • When writing policies, an organization cannot be too stringent in their effort to comply with laws and regulations.
  • Policies and procedures must be written to ensure that employees have guidelines for all decisions.
  • Having evidence that formal policies are communicated and enforced protects the organization when violations occur.
  • Although some policies will be informal in nature and do not have to be formally documented, employees will still be responsible to follow them.

91. Which of the following is typically helpful for low likelihood and high impact risks that, should they materialize, would require financial resources beyond the organization's means? *

  • Risk financing
  • Risk optimization
  • Risk governance
  • Risk evaluation

92. Which of the following statements is FALSE? *

  • The GRC capability should include methods of obtaining evidence of completion and understanding of education provided
  • Formal education and training should only be provided to the workforce when required by legal mandates to reduce liability
  • Education and training enables individuals in the organization to know what is expected and feel comfortable about reporting misconduct or flaws in the GRC capability
  • The board, management, workforce and extended enterprise partners should receive education tailored to each audience for specific purposes

93. In the context of the GRC Capability Model, the word "promote" refers to which of the following? *

  • Organizational GRC plan and activities
  • Undesirable organizational events
  • Organizational risk management activities
  • Desirable organizational conduct

94. Who should be informed of all notification pathways to report suspicions or incidents of noncompliance or unethical conduct and/or to identify concerns about GRC capability weaknesses? *

  • Senior management
  • Stakeholders and workforce
  • Board and compliance leaders
  • Customers and business partners

95. When developing the code of conduct, an organization should *

  • Ensure there is never more than one code of conduct.
  • Address the organizational mission, vision, values, key policies and expected business conduct of the Board, the workforce and the extended enterprise.
  • Ensure there is no option to waive and depart from the code of conduct.
  • Ensure there is a separate code of conduct for each legal or other mandate.
