10) Controls may deteriorate over time for several reasons. A change in the way product is sourced, which can significantly impact internal controls, is best categorized as a A. Organizational size change B. Process change C. Technology change D. Physical safeguard change E. Human element change 11) Which of the following is not a legitimate role for internal auditing in cloud computing? A) Reviewing personnel transition and end-user training plans B) Providing assurance on IT general controls C) Reviewing service level agreements D) Ongoing monitoring of vendor performance E) Implementing the cloud computing strategy 12) Which of the following is not a category of objectives of internal control per the COSO Internal Control Framework? A) Achievement of strategic objectives B) Reliability of financial reporting C) Effectiveness and efficiency of operations D) Compliance with laws and regulations E) All of the above are categories of objectives of internal control 13) The amount of time from when a risk event occurs until its impact is felt is called. A) Likelihood B) Vulnerability C) Qualitative risk D) Speed of onset E) Impact 14) Which of the following is not a correct statement: A) If general controls are weak, it may not be possible to rely on application controls B) Weaknesses in the IT environment at the entity level may result in a conclusion that there is a significant deficiency or material weakness. C) Weaknesses in application controls at the process level may result in a conclusion that there is a significant deficiency or material weakness. D) Applications are less prone to mistakes than human beings, if designed, operated, maintained and secured effectively E) Internal controls downstream from the risk are considered preventive controls 15) The internal audit activity's role in the risk management process of an organization may not encompass: A) Auditing the risk management process as part of the internal audit plan. B) Facilitating identification of risks C) Accountability for risk management D) Participation on oversight committees, monitoring activities, and status reporting. E) All of the above are prohibited activities .