CRMA· IIA
Certification in Risk Management Assurance (IIA)
IIA’s CRMA specialises audit on risk management (ERM, COSO ERM 2017, Three Lines Model). Single 10-week exam path.
Term DefinitionRisk
Inherent Risk
The level of risk before any controls or mitigations are applied.
Inherent risk represents an organization's gross exposure to a risk, absent any controls. It is the starting point of any risk assessment. Inherent risk is compared with residual risk to measure control effectiveness. The gap between inherent and residual risk represents the 'value of controls'. In practice, inherent risk is often estimated using industry benchmarks and internal history, since it is not directly observable.
📌 Key points
- Starting point of assessment — gross exposure with no controls in place
- Estimated, not measured — based on benchmarks and historical experience
- Inherent-to-residual gap = added value of controls in place
- Used to justify investments in controls and remediation
- In SOX audits, inherent risk assessment drives which accounts to test
Related certifications
These certifications cover the concept of "Inherent Risk" in depth.
CIA· IIA
Certified Internal Auditor (IIA, 3 Parts)
The IIA CIA certification covers this concept in Part 1 (framework, IPPF) and Part 2 (audit practice). 60+ lessons and 1,258 original questions.
CISA· ISACA
Certified Information Systems Auditor (ISACA)
ISACA’s CISA targets IS audit. 5 domains, ITAF and COBIT, 2,300+ questions with AuditBot explanations.
🔗 Related concepts
RiskRiskRiskControls
Residual Risk
The level of risk remaining after controls and mitigations have been applied.
Risk Appetite
The level of risk an organization is prepared to accept in pursuit of its objectives.
Risk Register
A centralized document listing all identified risks of an organization.
Control Objective
A statement of what a control aims to ensure.
📖 Related articles
Master this concept and more
Start your GRC certification journey today.