Title: Risk management
Section Topics
- Risk management
- Internal control
- Governance
- Related topics
Part 1, Section 5
Broadened Scope of Internal Audit Work
The internal audit activity must evaluate and
contribute to the improvement of governance, risk
management, and control processes using a
systematic and disciplined approach.
Of the three functional areas, which is the most
challenging for you?
Part 1, Section 5, Introduction
What Is Risk Management?
Benefits are maximized when risk is managed from
a portfolio perspective. Enterprise risk
management (ERM) programs help realize these
benefits.
Fundamental Risk Management Concepts
- Transcends the traditional organizational hazard management mentality.
- Encompasses both strategic and bottom-line objectives.
Process is broad and ongoing and involves
management and employees at all levels.
What Is Internal Control?
Control environment: The attitude and actions of the board and management regarding the significance of control within the organization.
Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
Fundamental internal control concepts
- A process effected by people at all levels
- Provides reasonable, not absolute, assurance
- Geared toward the achievement of organizational mission, goals, and objectives
What Is Governance?
The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.
Fundamental governance concepts
- Starts at the top and cascades throughout the organization
- Involves critical relationships among the board, senior management, and shareholders
- Encompasses organizational structure and the related legal and regulatory environment
- Balances economic and social goals
- Extends to all stakeholders and the general community
Discussion Question
What are the benefits of using an ERM model? (Select all that apply.)
I. Allows business units to focus on their unique risks
II. Facilitates proactive risk management
III. Applies risk management within a strategic context
IV. Enhances the efficiency and effectiveness of basic internal audit work
Answer: II, III, and IV. Traditional risk management done in silos increases the potential for over- or under-management of key risks. ERM provides a unified approach and manages uncertainties surrounding the achievement of organizational objectives.
Part 1, Section 5, Topic 1
COSO ERM Model
- Describes how to apply ERM in a strategic setting.
- Applicable to all industries and all types of risk.
- Includes four categories of objectives (what the organization hopes to achieve):
Strategic: Tied to high-level goals that are aligned with and support the mission.
Operations: Related to effective and efficient resource use.
Reporting: Related to the reliability of reporting.
Compliance: Related to compliance with laws and regulations.
COSO is the Committee of Sponsoring Organizations of the Treadway Commission.
Discussion Question
What is the most likely benefit of having the COSO ERM model in place at a company launching a new product?
A. Greater likelihood of the achievement of objectives
B. Reduced losses from uncontrollable events
C. Increased compliance with laws and regulations
D. Absolute assurance of a positive reputation within the business community
Answer: A. An ERM framework cannot prevent bad management judgments or unforeseen events. It can, however, provide reasonable assurance that management and the board receive timely information about the achievement of objectives.
COSO ERM Model
Includes eight components that
- Describe what is needed to achieve the objectives.
- Are derived from the way management runs an enterprise.
- Are integrated with the management process.
The eight components:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
Discussion Question
Which of the following statements describe the relationship of objectives and components in the COSO ERM framework? (Select all that apply.)
I. All eight components are relevant to each objective category.
II. Each component applies to all four objective categories.
III. The objectives and components relate to an entire organization or to any individual units.
IV. The objectives and components are most effectively applied in large organizations.
Answer: I, II, and III. Implementation may vary in different-sized organizations, but the basic concepts should be present in every organization.
COSO ERM Model
Roles and Responsibilities
Board of directors
- Helps set strategy and formulate high-level objectives.
- Often delegates the monitoring and assurance responsibilities, reserving authority for key decisions.
- Provides oversight of
  - Management.
  - The entity's risk appetite and portfolio view of risk.
  - Significant risks and management's response.
COSO ERM Model
Roles and Responsibilities
Management
- Leads the implementation of ERM.
  - The chief executive officer sets the tone at the top.
  - Senior managers convert the strategies into operations.
  - Other managers provide tactical execution.
- Makes every manager accountable to the next level up.
COSO ERM Model
Roles and Responsibilities
Risk officer
- Empowered by the CEO.
- Provides central coordination across the organization.
- Works with other managers to
  - Establish effective risk management practices.
  - Monitor progress.
  - Assist those managers in reporting.
- May serve in an exclusive assignment or have partial responsibility.
COSO ERM Model
Roles and Responsibilities
Financial executives
- Finance and controllership activities that are central to risk management execution are
  - Budgeting and planning.
  - Tracking and analyzing performance.
  - Reporting.
COSO ERM Model
Roles and Responsibilities
External parties
- Encompasses several parties, including
  - External auditors.
  - Legislators and regulators.
  - Business associates.
  - Outsourcing providers.
  - Financial analysts, bond rating agencies, and news media.
Discussion Question
Identify the individual or group responsible for the ERM activity.
Answers
- Establishing a common language and common measures: Risk officer
- Setting precedent for integrity and ethical values: Board
- Formally evaluating external financial reporting objectives: External auditors
- Providing leadership and direction to senior managers: CEO
Discussion Question
Which of the following statements accurately describe ERM responsibilities? (Select all that apply.)
I. The CEO monitors activities and risks in relation to the risk appetite.
II. Senior managers manage risks related to unit objectives.
III. The risk officer has major responsibility for the financial statements.
IV. Regulators influence activities in relation to the entity's risk appetite.
Answer: I and II. Financial officers are responsible for the financial statements. Regulators do not influence the entity's risk appetite.
AS/NZS 4360:2004
- Provides an overview of risk management.
- Includes a generic framework.
- Explains how to identify, analyze, evaluate, manage, monitor, and communicate risk.
- Promotes embedding risk management in an organization's culture.
- Intends to help manage risk effectively and efficiently at a lower overall cost.
Joint Australian/New Zealand Standard by the Joint Technical Committee OB-007, Risk Management.
Discussion Question
How do the AS/NZS 4360:2004 and COSO ERM frameworks compare? (Select all that apply.)
I. Both champion the tone at the top.
II. COSO ERM has a broad focus; AS/NZS 4360:2004 emphasizes corporate social responsibility.
III. COSO ERM focuses on internal risks; AS/NZS 4360:2004 focuses on external risks.
IV. Each has slightly different terminology, but both concur that risk management requires multidisciplinary skills.
Answer: I and IV. Both frameworks have a broad focus; AS/NZS 4360:2004 does not have any special emphasis on corporate social responsibility. AS/NZS 4360:2004 and COSO both attempt to help organizations manage internal and external risks.
The Turnbull Guidance
- Promotes a risk-based approach to internal control and the assessment of its effectiveness.
- Linked to London Stock Exchange disclosure requirements.
- Key tenets include
  - A focus on significant risks.
  - Emphasis on risk management.
  - Ongoing, continuous monitoring of risk and control.
  - Engaging all employees.
  - Streamlining risk management databases.
"Turnbull" is the shortened name for Internal Control: Guidance for Directors on the Combined Code.
Discussion Question
How do AS/NZS 4360:2004, the COSO ERM framework, and Turnbull compare? (Select all that apply.)
I. COSO and Turnbull emphasize engaging all employees; AS/NZS 4360:2004 focuses on the board and executives.
II. All identify opportunities to save on costs of control.
III. COSO has the greatest focus on mitigating unwelcome events.
IV. All provide objective assurance to an entity's board and management.
Answer: II and IV. All three approaches promote engaging all employees; AS/NZS 4360:2004 doesn't have a special focus on the board or executives. All three can reduce the possibility of unwelcome events occurring; COSO doesn't have an increased focus over the other two.
Factors That Drive Events
External factors
- Economic
- Natural environment
- Political
- Social
- Technological
Internal factors
- Infrastructure
- Personnel
- Process
- Technology
Event identification is synonymous with risk identification. It identifies potential events and determines whether they are opportunities or threats.
Common Event Identification Techniques
Event inventories: Detailed listings of common potential events.
Internal analysis: Detailed analysis of information.
Escalation or threshold triggers: Triggers alerting management to areas of concern; comparison of current transactions or events with predefined criteria.
Facilitated workshops and interviews: Facilitator-led structured discussions to draw on collective knowledge and experience.
Process flow analysis: Examines the combination of inputs, tasks, and responsibilities that comprise a process.
Leading event indicators: Monitoring of data correlated to events.
Loss event data methodologies: Examination of past individual loss events to identify trends and root causes.
Discussion Question
Identify the event identification technique.
Answers
- A meeting of cross-functional managers to relate events to objectives: Facilitated workshop
- Mapping of cash receipts to identify risks related to timely deposits: Process flow analysis
- Monitoring daily, weekly, and monthly Internet site traffic: Leading event indicators
- Tracking manufacturing equipment failures: Loss event data methodologies
Discussion Question
Which of the following statements describe the internal audit activity's role in an organization lacking an organization-wide macro risk assessment process? (Select all that apply.)
I. They can facilitate or enable risk management processes.
II. They should not assume responsibility for the risks identified.
III. They should rely on quantitative techniques to identify and evaluate risks.
Answer: I and II. Organizations typically use a combination of qualitative and quantitative techniques.
Quantitative Risk Assessment
Benchmarking
  Description: Compares performance measures and results for specific events or processes. Identifies improvement opportunities. May also be used to assess likelihood and impact of potential events across an industry.
  Examples: Internal; competitive/industry; best-in-class.
Probabilistic models
  Description: Associate a range of events and the resulting impact with likelihood. Likelihood and impact are assessed based on historical data or simulated outcomes of future behavior.
  Examples: Value at risk (VaR); cash flow at risk; earnings at risk; loss distributions; back-testing.
Non-probabilistic models
  Description: Use subjective assumptions in estimating the impact of events without quantifying an associated likelihood. Base assessments on historical or simulated data and assumptions of future behavior.
  Examples: Sensitivity analysis; scenario analysis; stress tests.
Discussion Question
What are the risk/control implications of an organization's structure on the following areas?
Possible answers
- Development of goals and objectives: Everyone must understand the objectives related to their area.
- Risk response: Should be an iterative process that includes the entity, departments, and functions.
- Control activities: Should cut across all levels and keep everyone tracking toward the objectives.
- Information and communication: Everyone must receive the information they need in a timely manner.
Risk Management Responses
Avoidance: Action is taken to exit the activities giving rise to risk. Example: exiting a product or selling a division.
Reduction: Action is taken to reduce the risk likelihood or impact or both. Example: diversifying product offerings or reallocating funds.
Sharing: Action is taken to reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Example: purchasing insurance, hedging, or outsourcing.
Acceptance: No action is taken to affect likelihood or impact. Example: accepting risk that conforms to risk tolerances.
Discussion Question
Inherent risk is BEST described as the risk
A. remaining after management's risk response.
B. management finds to be acceptable within the entity's risk tolerance.
C. derived from the environment without the mitigating effects of internal controls.
D. having the lowest likelihood and potential impact.
Answer: C. Inherent risk is derived from the environment without the mitigating effects of internal controls.
Risk Assessment Pitfalls
- Limiting risk assessments to financial hazards
- Blindly selecting risks from a generic risk framework
- Internal auditors developing risks in a vacuum
- Identifying too many risks
- Overcomplicating risk quantification
Risk Monitoring
- Takes into account that ERM processes change over time.
- Allows management to determine if ERM remains effective.
Ongoing monitoring
- Many activities have built-in provisions for self-monitoring.
- Most ongoing monitoring is performed on a real-time basis during the regular course of business.
Separate evaluations
- Focus directly on ERM effectiveness.
- Often conducted as self-assessments.
- Their necessity is the judgment of management.
Reporting deficiencies
- Deficiencies and areas for improvement are identified by ongoing monitoring, separate evaluations, and audit results.
Discussion Question
What is the internal audit activity's role when ongoing monitoring identifies an ERM deficiency?
A. Report the information to the board if it involves an illegal or improper act.
B. Educate the individual or group responsible about the purpose of ERM and internal control.
C. Assess if the deficiency will impact achievement of business objectives.
D. Follow up with management and check on their response and/or corrective action.
Answer: D. Internal auditors should determine that corrective action is achieving desired results or that senior management or the board has assumed the risk of not taking corrective action.
The Internal Audit Activity's Role in ERM
A continuum that ranges from
- No role, to
- Auditing the risk management process as part of the internal audit plan, to
- Providing insight and historical data on risk events identified by internal audit findings, to
- Active, continuous support and involvement in the risk management process, to
- Managing and coordinating the risk management process.
The Internal Audit Activity's Role in ERM
- Risk management processes (e.g., their design and how well they are working).
- Management of key risks, including the effectiveness of the controls and other activities.
- The assessment of risks and reporting of risk and control status.
Discussion Question
Effectiveness is present if management has planned and designed a system that provides reasonable assurance that objectives and goals will be achieved efficiently and economically.
A. True
B. False
Answer: B. This statement describes adequacy. Effectiveness is present if management directs processes to provide reasonable assurance that the organization's objectives and goals will be achieved.
The Internal Audit Activity's Role in ERM
Possibilities include
- Educating management about risk and control.
- Promoting ERM in the entity.
- Providing advice, facilitating workshops, and coaching on risk and control.
- Acting as the central point for coordinating, monitoring, and reporting on risks.
- Supporting related management activity.
Discussion Question
Which of the following statements accurately describe management's acceptance of risk? (Select all that apply.)
I. The CAE must discuss unacceptable levels of residual risk with the board.
II. Management is responsible for deciding appropriate actions to be taken in response to reported engagement observations and recommendations.
III. The CAE is responsible for assessing management action for the timely resolution of reported engagement observations and recommendations.
IV. Senior management and the board may decide not to correct a reported condition because of cost or other considerations.
Answer: All of the above (Performance Standard 2600 and Practice Advisory 2060-1).
Business Continuity Planning
Internal audit's roles
Before a disaster
- Evaluate the entity's readiness.
- Assist with the risk analysis.
- Evaluate the plan.
- Perform periodic assurance engagements to ensure that the plan is up to date.
- Observe and provide feedback on tests of the plan.
- Verify that plans are adequate to ensure timely resumption of operations and processes.
After a disaster
- Monitor effectiveness of the recovery and control of operations.
- Participate in the organizational learning process (lessons learned from the disaster and the recovery).
Reinforcing Activity 1-13: Risk Management (Part 1, Section 5, Topic 1)
Key Elements
- Tangible policies, procedures, and activities
- Less tangible behavioral aspects (ethical values)
- Designed by management
Part 1, Section 5, Topic 2
Discussion Question
Identify the area/individual responsible for the internal control task.
Answers
- Design, apply, and provide ongoing monitoring of the control processes: Operational managers
- Establish and maintain organizational governance processes: The board
- Provide varying degrees of assurance about the effectiveness of risk management and control processes: Internal and external auditors
- Develop an annual audit plan: CAE
Discussion Question
Which of the following are characteristics of an internal control framework? (Select all that apply.)
I. Defines control in terms of managing risks to objectives
II. Facilitates absolute assurance about control efficiency
III. Cuts across all levels of an organization
IV. Helps an organization establish an effective internal control system
Answer: I, III, and IV. An internal control framework provides reasonable assurance.
COSO Internal Control Framework
3 objectives
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
5 interrelated components
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
COSO is the Committee of Sponsoring Organizations of the Treadway Commission.
Discussion Question
Which of the following statements is true about the COSO internal control framework?
A. The framework is best applied in manufacturing and service industries.
B. All five components are applicable to the achievement of each of the objectives.
C. The synergy and linkage among the objectives form the integrated framework.
D. The audit committee has overall responsibility for the establishment, administration, and assessment of the framework.
Answer: B
The CoCo Internal Control Framework
3 objectives
- Effectiveness and efficiency of operations
- Reliability of internal and external reporting
- Compliance with applicable laws and regulations and internal policies
4 interrelated components
- Purpose
- Commitment
- Capability
- Monitoring and learning
CoCo is the Criteria of Control developed by the Canadian Institute of Chartered Accountants (CICA).
The Cadbury Model
Elements include
- Control environment.
- Identification and evaluation of risks and control objectives.
- Information and communication.
- Control procedures.
- Monitoring and corrective action.
Published by The Institute of Chartered Accountants in England and Wales (ICAEW) in 1994; in 1999, the ICAEW issued the Turnbull guidance.
Discussion Question
Identify whether the internal controls are hard or soft.
Answers
- Senior management's commitment to social responsibility: Soft
- Centralized decision-making and a formal approval process: Hard
- A consistent customer focus that all employees understand and feel passionate about: Soft
- Six Sigma continuous improvement methodology: Hard
COSO's Control Environment Factors
Integrity and ethical values: Employees understand acceptable/unacceptable behavior.
Commitment to competence: Analysis indicates that employees have the requisite knowledge and skills.
Board of directors or audit committee: A process exists to regularly communicate key information.
Management's philosophy and operating style: Management avoids excessive focus on short-term reported results.
Organizational structure: Established reporting relationships are effective.
Assignment of authority and responsibility: Authority and responsibility are assigned to employees throughout the entity.
Human resource policies and practices: Employees understand that ineffective performance has remedial consequences.
Reinforcing Activity 1-14: Internal Control (Part 1, Section 5, Topic 2)
Control Self-assessment (CSA)
A variety of assessment techniques performed by people involved in an area or process.
Management and/or work teams directly responsible for a business function
- Participate in the assessment.
- Evaluate risk.
- Develop action plans.
- Assess the likelihood of achieving objectives.
Discussion Question
A large company and a small company in the same industry both face new regulations. Which of the following statements is true?
A. Basic concepts to deal with this internal control component should be present in both organizations.
B. The larger organization will be better attuned to risks because of increased access to information.
C. The smaller organization will be more nimble in its response because of less bureaucracy.
D. Both can implement identical controls as long as their objectives and strategies are similar.
Answer: A. Regardless of size, basic concepts should be present in both. Specific control measures will vary.
Discussion Question
Which of the following characteristics differentiates control in an organization with authoritarian leadership from an empowered environment?
A. Written policies and documentation will be more prevalent with authoritarian leadership.
B. Vision and values set by an authoritarian leader have a greater influence on control than in an empowered environment.
C. Incidents of control breakdowns are more likely in an empowered environment.
D. Face-to-face interactions with key personnel have less significance in the empowered environment.
Answer: A. An authoritarian leader makes decisions, and subordinates carry them out.
Models of Management
Autocratic: People are motivated by a call for obedience.
Custodial: People are motivated by material rewards and the offer of happiness and security.
Supportive: People are motivated by opportunities for growth and achievement.
Collegial: People are motivated by teamwork and contribution.
Organizational Continuum
Discussion Question
Can an internal auditor serve as a change agent during an assurance engagement?
A. Yes, in nearly every situation
B. Yes, if it involves assisting management to improve a control process by providing advice
C. Only if the internal auditor can objectively correct an ineffective process
D. No, not under any circumstances
Answer: B. Many assurance engagements are actually blended engagements and offer the opportunity for an internal auditor to educate and work with upper management. For example, an internal auditor may assist management via on-the-job training, or the results of an engagement might be used to help develop a substantive risk and control culture.
Discussion Question
Why is it important for an internal auditor to understand conflict management and conflict resolution? (Select all that apply.)
I. The internal auditor can prevent a potential control breakdown by proactively managing conflict during an engagement.
II. Conflict can be the root cause of control breakdowns.
III. The internal auditor needs to remain unbiased and be careful not to take sides.
IV. Collaboration and problem-solving are the preferred way to gain true conflict resolution.
Answer: II, III, and IV. Internal auditors need to understand several reasons for dealing with conflict management.
Discussion Question
Which of the following statements describe the significance of the 2130 series of Implementation Standards and related Practice Advisory guidance? (Select all that apply.)
I. They specify that the internal audit activity includes some type of value-added activity in assurance engagements.
II. They describe specific requirements for internal auditors performing the assurance function.
III. They specify how internal auditors can assess ethics compliance.
IV. They ensure that the internal audit activity considers the linkage to organizational goals and objectives through appropriate established criteria.
Answer: II and IV.
Discussion Question
Internal auditors are responsible for all of the following when providing compliance assurance EXCEPT
A. understanding all current regulations and legislation.
B. monitoring compliance activities.
C. providing insights into the ramifications of noncompliance.
D. informing senior management of indications of significant noncompliance.
Answer: B. Management and the internal audit activity both have important roles. It is management's responsibility to implement policies and monitor compliance.
Providing Control Assurance
Practice Advisory 2130-1
- Aggregates many individual assessments to evaluate overall effectiveness.
- Three key considerations are
  - Were significant discrepancies or weaknesses discovered from the audit work performed and other assessment information gathered?
  - If so, were corrections or improvements made after the discoveries?
  - Do the discoveries and their consequences lead to the conclusion that a pervasive condition exists resulting in an unacceptable level of business risk?
Discussion Question
The audit committee reports to senior management and the board on the state of the risk management and control processes, usually once a year.
A. True
B. False
Answer: B. The CAE is responsible for the report, which should refer to major work performed by internal audit and to other important sources of information that were used to formulate the overall assurance judgment.
Providing Control Assurance
Implementation Standard 2130.A2: Whether goals and objectives in place are aligned with the overall organizational strategy.
Implementation Standard 2130.A3: Whether operation and program results are consistent with established goals and objectives.
Implementation Standard 2210.A3: Whether management criteria are sufficient to determine if goals and objectives are being met.
Opinions on the Adequacy of Internal Controls
Positive assurance
  Description: Provides the highest level of assurance.
  Meaning: Controls are satisfactory or unsatisfactory, effective or ineffective, meet expectations or don't meet expectations, etc.
Negative assurance
  Description: Indicates no evidence of inadequate internal controls.
  Meaning: Provides limited assurance that sufficient evidence was gathered to determine whether controls were inadequate.
Qualified
  Description: Provides an opinion with qualifications that contradict the overall opinion.
  Meaning: Controls were satisfactory, with the exception of (for example) accounts payable controls, which require significant improvement.
Discussion Question
All of the following are important considerations for assessing reporting mechanisms to the board EXCEPT
A. adequacy.
B. accuracy.
C. reliability.
D. conciseness.
Answer: D. The board is the focal point for key organizational activities. Adequate and effective communications are critical.
Common Initiatives in Governance
Part 1, Section 5, Topic 3
Discussion Question
Which of the following principles best exemplify effective governance? (Select all that apply.)
I. Balancing the direct and indirect costs of risk responses against the benefits they create
II. Having the board chair be a nonexecutive leader and the board hierarchy reflect a balance of power between the CEO and independent directors
III. Ensuring that executive compensation is in line with organizational goals and objectives
IV. Identifying and analyzing critical success factors from an industry and entity perspective
Answer: II and III. I is more indicative of risk management, and IV is more related to internal control.
Governance and Culture
Culture
- Influences the overall effectiveness of the governance process.
- Impacts the values, roles, and behaviors.
- Determines how the entity meets its social responsibilities.
Discussion Question
Identify who is responsible for the following governance activities.
Answers
- Deploys strategies aligned to organizational objectives and goals: Operations management
- Oversees organizational activities but does not have any direct responsibilities: The board
- Provides assurance on financial reporting activities: External auditor
- Provides advice on potential improvements to governance structures and processes: Internal auditor
Governance and Organizational Maturity
Internal audit
- Performs discrete audits.
- Provides advice regarding optimal structure and practices.
- Compares current governance against regulations and other compliance requirements.
Internal audit
- Evaluates efficiency and effectiveness of company-wide governance components.
- Analyzes the transparency and disclosure (reporting) practices.
- Compares governance against best practices.
- Identifies compliance with applicable regulations and governance codes.
Internal Audit Assurance Activities to Promote Values
Self-assessment methods
- Evaluate
  - Employees' understanding of values.
  - Alignment of individual goals and objectives to corporate values.
  - Whether employees uphold values.
  - Whether employees perceive others as exemplifying those values.
Audit programs
- Assess various activities to ensure that values are understood and upheld.
Part 1, Section 5, Topic 3
71 How Internal Auditors Assess the Ethical Climate
- Evaluate the completeness of ethics policies and codes.
- Review how well personnel practices support an ethical climate.
- Determine whether appropriate communications are
  - Occurring.
  - Understood.
  - Embraced.
- Determine if explicit strategies support and enhance the ethical culture.
- Evaluate processes that enable employees to communicate concerns about inappropriate behavior.
- Determine if the appropriate process exists to ensure that allegations of misconduct are investigated and resolved, findings are properly reported, and corrective action is taken to improve controls.
- Evaluate board oversight responsibilities and monitoring activities.
72 Discussion Question
A survey designed to assess the organizational ethical climate should include which of the following characteristics? (Select all that apply.)
- Have top management support
- Be field-tested
- Ensure ease of response
- Include space for open comments
Answer: All of the above. Other important considerations are keeping the survey to a reasonable length and, if possible, providing analysis by an independent firm and assuring respondents' confidentiality.
73 Assessing Ethics Compliance
- Discovery of violations and reported compliance complaints from whistleblowers.
- Trend analysis of past internal audits.
74 Discussion Question
A code of conduct related to conflicts of interest should include
A. a description of expected behavior for employees, other corporate agents, and suppliers.
B. a discussion of industry best practices.
C. provisions for reporting alleged misconduct.
D. mention of what constitutes plausible exceptions to the policy.
Answer: A. Codes of conduct are intended to provide a proactive statement on the organization's position on acceptable employee behavior.
75 Best Practices for Fostering an Ethical Climate
- Tone at the top
- A written code of ethics, kept current
- An ethics message delivered via multiple communication media
- Employee ethics interviews
- Employee and stakeholder ethics attitude surveys
- Ethics training
- Open communications
- Employee involvement
- Diversity and institutional fairness
- Whistleblower hotlines for reporting incidents
- A compliance-supporting culture
76 Assessing the Ethical Climate of the Board
- Board structure, objectives, and dynamics
- Board committee functions
- Board policy manual
- Processes for maintaining awareness of governance requirements
- Board education and training
- Internal audit
  - Assesses areas identified.
  - As warranted, assists in and/or makes recommendations for improvements.
77 Reinforcing Activity 1-15
Governance
78 Fraud Awareness and Fraud Prevention
- Rationalization
- Motive
- Opportunity
- Fraud prevention
  - Discourage acts
  - Limit exposure
Part 1, Section 5, Topic 4
79 Fraud Prevention and Control
- Control environment
  - Control elements: Code of conduct, ethics policy, or fraud policy. Ethics and whistleblower hotlines. Hiring and promotion guidelines and practices. Oversight. Investigation of reported issues and remediation of confirmed violations.
  - Internal auditing responsibilities: Assess aspects of the control environment. Conduct proactive fraud audits and investigations. Communicate results of fraud audits. Provide support for remediation efforts. Possibly own the whistleblower hotline.
- Fraud risk assessment
  - Control elements: Identify and assess fraud-related risks. Assess segregation of duties.
  - Internal auditing responsibilities: Evaluate management's fraud risk assessment.
- Control activities
  - Control elements: Establish and implement effective control practices. Establish an affirmation or certification process.
  - Internal auditing responsibilities: Assess the design and operating effectiveness of fraud-related controls. Ensure that audit plans and programs address fraud risk. Evaluate the design of facilities. Review proposed changes to laws, regulations, or systems and their impacts on controls.
80 Fraud Prevention and Control (continued)
- Information and communication
  - Control elements: Documentation and dissemination of policies, guidance, and results. Opportunities to discuss ethical dilemmas. Communication channels. Training. Considerations of the impact and use of technology for fraud deterrence.
  - Internal auditing responsibilities: Assess the operating effectiveness of information and communication systems and practices. Support training.
- Monitoring
  - Control elements: Ongoing and periodic performance assessments. Consideration of computer technology for fraud deterrence.
  - Internal auditing responsibilities: Assess monitoring activities and related computer software. Conduct investigations. Support the audit committee's oversight. Support the development of fraud indicators. Hire and train employees.
81 Discussion Question
Whistleblower hotline anonymity implies that the caller's name and identity will be communicated only to those with an essential or authorized need to know.
A. True
B. False
Answer: B. This statement describes confidentiality. Confidentiality can be promised only within the limits allowed by law, and callers should know who might learn their identity. Anonymity provides both secrecy and nondisclosure of the caller's identity.
82 Privacy
- Can encompass
  - Personal privacy.
  - Privacy of space.
  - Privacy of communication.
  - Privacy of information.
83 Discussion Question
Identify the US privacy legislation.
Answers:
- Establishes rights to obtain information from federal agencies: FOIA
- Gives parents control over online information collected from their children: COPPA
- Addresses the security and privacy of health data: HIPAA
- Protects consumers' personal financial information held by financial institutions: Financial Modernization Act
84 OECD Guidance: Core Principles
- Collection limitation
- Data quality
- Purpose specification
- Use limitation
- Security safeguards
- Openness
- Individual participation
- Accountability
85 Discussion Question
Which of the following are reasonable expectations for an internal auditor evaluating a privacy framework? (Select all that apply.)
I. Identify the types and appropriateness of information the organization gathers.
II. Identify any significant risks along with the appropriate recommendations.
III. Evaluate whether the use of the information collected is in accordance with its intended use.
IV. Evaluate the maturity of the framework and help make improvements to mitigate significant risks.
Answer: I, II, and III. Due to the highly technical and legal nature of privacy, it may be necessary to secure the services of third-party experts.
86 Security Vulnerabilities
Information security
Physical security
- Universal considerations
  - Confidentiality
  - Integrity
  - Availability
- Examples
  - Natural disasters
  - Service disruptions
  - Human error
  - Theft and vandalism
  - Terrorism
  - Sabotage
87 Risk Management Steps
88 Internal Audit Assessment of Security Risks
- Analysis of reported incidents
- Review of exposure statistics
- Mapping key processes
- Periodic inspections
- Periodic process and product audits
- Assessments of management system effectiveness
- Scenario analysis
89 Discussion Question
Which of the following are reasonable expectations for an internal auditor evaluating information security? (Select all that apply.)
- Assess the effectiveness of preventive, detective, and mitigation measures against past attacks.
- Recommend, as appropriate, enhancements to or implementation of new controls and safeguards.
- Confirm that the board has been appropriately informed of all corrective measures.
- Report to management and the board on the level of compliance with security rules, significant violations, and their disposition.
Answer: All of the above (Practice Advisory 2130.A1-1).
90 Discussion Question
ISO/IEC 27002:2007 guidelines on information security contain best practices that help organizations achieve high-level compliance.
A. True
B. False
Answer: A. The focus of ISO/IEC 27002:2007 is information security controls. It helps organizations develop security standards and effective security management practices, address legal and regulatory concerns, and better manage compliance.
91 CAE Assessment of Outside Service Providers
- Competency
  - Relevant credentials
  - Appropriate professional organization membership and adherence to a code of ethics
  - Professional reputation
  - Relevant experience
  - Pertinent education and training
  - Knowledge and experience in the industry
- Independence and objectivity
  - Any financial interests
  - Any personal or professional affiliation
  - Any internal relationships with the organization or the activities being reviewed
92 Discussion Question
Which of the following are appropriate considerations for an internal auditor evaluating key performance indicators (KPIs)? (Select all that apply.)
I. Are they the right measures?
II. Are the measures in line with short-term financial goals?
III. Are the measures operating effectively?
IV. Are employees behaving professionally in the achievement of objectives?
Answer: I and III. Usually, KPIs measure outcomes. Sometimes they measure process characteristics.
93 Discussion Question
The CAE believes that a special management request for an engagement that was not part of the annual audit plan should be fulfilled because it deals with a high-risk security breach. The CAE should
A. secure board approval of the audit plan change.
B. secure permission from the audit committee to postpone another engagement.
C. outsource the engagement since it was not included in the annual plan.
D. co-source the engagement with external security specialists.
Answer: A. Audit plans are intended to be flexible, but any significant changes to the plan must be presented to the board for approval.
94 Discussion Question
Identify who is responsible for the following activities related to an external audit.
Answers:
- Assessing the effectiveness of financial reporting controls: External auditors
- Establishing a time line to address audit findings: Management
- Oversight for external auditors: Audit committee
- Acting on audit findings: Management
- Performance assessment of the external auditors: Audit committee
95 End of Section 5