61 Cards in this Set

  • Front
  • Back
  • 3rd side (hint)
Objectives
Strategic
Compliance
Operations
Reporting
..
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
..
Entity Level
Division
Business Unit
Subsidiary
COSO Cube
Event
An incident or occurrence from internal or external sources that affects achievement of objectives.
Risk
The possibility that an event will occur and adversely affect the achievement of objectives.
Opportunity
The possibility that an event will occur and positively affect the achievement of objectives.
Risk Management Philosophy
Board of directors
Risk appetite
Human resource standards
Assignment of authority and responsibility
Integrity and Ethical Values
Corporate Structure
Commitment to Competence
What influences internal Environment
Board of directors
Internal auditors
External auditors
Risk officer
Regulators and Legislators
Management
Financial executives
Who influences internal environment
Objectives are set
at the strategic level
Risk Tolerance
The acceptable levels of Risk Size and Variation relative to the achievement of objectives, which must align with organization’s risk appetite
Inherent Risk
the combination of internal and external risk factors in their pure, uncontrolled state, or, the gross risk that exists, assuming there are no internal controls in place.
Control
any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved
Monitoring
a process that assesses the presence and functioning of governance, risk management, and control over time.
There are three types: 1. Ongoing 2. Separate 3. Combination
Business process Outsourcing
the act of transferring some of an organization's business processes to an outside provider to achieve cost reductions, operating effectiveness, or operating efficiency while improving service quality.
Compensating Controls
An activity that, if key controls do not fully operate effectively, may help to reduce the related risk. It will not, by itself, reduce risk to an acceptable level.
Production blocking
This happens when there is only one person recording the information from the brainstorming session and they are unable to write as fast as the ideas are thought of.
Evaluation apprehension
This happens when a person does not share an idea because of fear of how other members of the group would evaluate their idea
Cognitive narrowing/cognitive inertia
Essentially very similar ideas, these problems occur as the discussion begins to become more and more focused as the group members feel that certain boundaries have been set in the idea generation process. So prior discussions of fraud help set the limits of where the audit team thinks fraud will occur in the future even though anywhere is possible.
Social loafing
The person is willing to not contribute to the group because he feels that he does not need to for the group to be successful.
Social matching
The people in the group conform to the lowest member’s contribution level. They feel that they either need to fit in or that it is socially acceptable to perform at a less than optimal level. (social norm)
Distraction conflict
Essentially tied to production blocking, it says that when the ideas of others are being presented, your mind is taken away from the original ideas that popped into your head as you are distracted with their comments. You then forget your original ideas.
Groupthink
Group pressure leads to a reduction in individual mental efficiency and moral judgment and results in unwillingness to question the perceived authority of other members of the group. Essentially a group thinks the same because of the pressure other people feel to conform to their superior’s mentality.
Event Inventories
These are detailed listings of potential events common to companies within a particular industry, or to a particular process or activity common across industries. Software products can generate relevant lists of generic potential events, which some entities use as a starting point for event identification.
For example, a company undertaking a software development project draws on an inventory detailing generic events related to software development projects.
Internal Analysis
This may be done as part of a routine business planning cycle process, typically via a business unit’s staff meetings. Internal analysis sometimes utilizes information from other stakeholders (customers, suppliers, other business units) or subject matter expertise outside the unit (internal or external functional experts or internal audit staff).
For example, a company considering introduction of a new product utilizes its own historical experience, along with external market research identifying events that have affected the success of competitors’ products.
Escalation of threshold triggers
These triggers alert management to areas of concern by comparing current transactions, or events, with predefined criteria. Once triggered, an event may require further assessment or an immediate response.
For example, a company’s management monitors sales volume in markets targeted for new marketing or advertising programs and redirects resources based on results. Another company’s management tracks competitors’ pricing structures and considers changes in its own prices when a specified threshold is met.
Facilitated Workshops and Interviews
These techniques identify events by drawing on accumulated knowledge and experience of management, staff, and other stakeholders through structured discussions. The facilitator leads a discussion about events that may affect achievement of entity or unit objectives.
For example, a financial controller conducts a workshop with members of the accounting team to identify events that have an impact on the entity’s external financial reporting objectives. By combining the knowledge and experience of team members, important events are identified that otherwise might be missed.
Process Flow Analysis
This technique considers the combination of inputs, tasks, responsibilities, and outputs that combine to form a process. By considering the internal and external factors that affect inputs to or activities within a process, an entity identifies events that could affect achievement of process objectives.
For example, a medical laboratory maps its processes for receipt and testing of blood samples. Using process maps, it considers the range of factors that could affect inputs, tasks, and responsibilities, identifying risks related to sample labeling, handoffs within the process, and personnel shift changes.
Leading Event Indicators
By monitoring data correlated to events, entities identify the existence of conditions that could give rise to an event.
For example, financial institutions have long recognized the correlation between late loan payments and eventual loan default, and the positive effect of early intervention. Monitoring payment patterns enables the potential for default to be mitigated by timely action.
Loss Event Data Methodologies
Repositories of data on past individual loss events are a useful source of information for identifying trends and root causes. Once a root cause has been identified, management may find that it is more effective to assess and treat it than to address individual events.
For example, a company operating a large fleet of automobiles maintains a database of accident claims and through analysis finds that a disproportionate percentage of accidents, in number and monetary amount, are linked to staff drivers in particular units, geographies, and age bracket. This analysis equips management to identify root causes of events and take action.
Facilitator
Assign a “contrarian”
Anonymous respondents
Tracking contributions
Solutions to group event identification problems
share, reduce, avoid, accept
risk responses
objectives
Before identifying events, you must understand
Existing Risk Profile
Risk Capacity
Risk Tolerance
Desired Level of Risk
Elements of Risk Appetite
Right
Choose the
Avoidance
exit the activity giving rise to the risk
Reduction
Action taken to reduce likelihood or impact or both
Sharing
Reducing risk likelihood or impact by transferring or otherwise
Acceptance
No action is taken to affect risk likelihood or impact
Earnings
Revenue
Customers Gained/Lost
Common Metrics to measure risks
Portfolio View of Risk Management
Roll up risk assessment to the entity-level
Pay attention to risks that span boundaries that may not have been accurately assessed by an individual group
1. Establish a foundation
2. Design and Execute
3. Assess and Report
Three broad elements needed for monitoring to be effective
Ongoing monitoring activities
Separate evaluations
Types of monitoring
Process flowcharting, risk and control matrices, risk and control reference manuals, benchmarking using internal, industry, or peer information, computer assisted audit techniques, risk and control self-assessment workshops, questionnaires, facilitated sessions
Methodologies and tools for monitoring
ongoing evaluations
happen regularly, such as a manager reviewing operating reports
separate evaluations
happen periodically or are triggered by some event
direct information
substantiates the operation of controls. It is obtained by observing controls in operation, reperforming them, or otherwise evaluating their operation directly, and can be useful in both ongoing monitoring and separate evaluations. Relevant because it provides an unobstructed view of control operation.
indirect information
may indicate a change or failure in operation of controls. Relates to or is produced by the process in which the controls reside.

1. operating statistics
2. key risk indicators
3. key performance indicators
4. comparative industry metrics.
Objectives
What an entity desires to achieve
strategy
how management plans to achieve the organization's objectives
bottom up approach
begins by looking at all processes directly and then aggregates the identified processes across the organization
top-down approach
begins at the entity level with the organization's objectives, and then identifies the key processes critical to the success of each of the organization's objectives
key performance indicator
a metric or other form of measuring whether a process or individual tasks are operating within prescribed tolerances
process map
pictorial representation of inputs, steps, workflows and outputs
risk
the possibility that an event will occur and adversely affect the achievement of objectives
risk assessment
the identification and analysis, typically in terms of impact and likelihood, of relevant risks to the achievement of an organization's objectives, forming a basis for determining how the risks should be managed.
assurance engagement
An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization.
Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.
Enterprise Risk Management
Based on established practices or benchmarks
Developed consistently across the organization
Provide an unambiguous and intuitive view of the highlighted risk
Allow for measurable comparisons across time and business units
Provide opportunities to assess the performance of risk owners on a timely basis
Consume resources efficiently
Well designed (KRI) key risk indicators
Integrity and ethical values
Board of Directors
Management's philosophy and operating style
Organizational Structure
Financial reporting Competencies
Authority and Responsibility
Human Resources
main principles Control Environment
Financial Reporting Objectives
Financial Reporting Risks
Fraud Risk
main principles Risk Assessment
Integration with risk Assessment
Selection and development of control activities
Policies and procedures
information technology
main principles Control Activities
Financial reporting information
internal control information
internal communication
external communication
main principles Information and communication
Ongoing and separate evaluations
Reporting Deficiencies
main principles Monitoring