18 Cards in this Set

  • Front
  • Back
Explain enterprise risk management
“a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
How do risk models help identify specific risks and set appropriate tolerance limits?
Risk models enable management to identify the risks faced by the enterprise, establish risk tolerances (risk limits) for these risks and test controls to ensure that the uncontrolled risks remain within the organization’s established risk tolerances.
Explain the role of the internal auditor in the risk management process
Internal auditing includes assisting the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. The internal auditor should monitor and evaluate the effectiveness of the organization’s risk management system.
How does the role of the internal auditor change when there is no established risk management?
- If an organization has not established a risk management process, the internal auditor should bring this to the attention of management together with suggestions for establishing such a process.
- If requested, internal auditors can play a proactive role in assisting with the initial establishment of a risk management process for the organization.
Internal auditors can facilitate or enable risk management processes but they should not “own” or be responsible for the management of the risks identified.
Explain how auditors use risk assessment to assist in audit planning
The risk assessment process requires that an auditor assess and integrate professional judgments about probable adverse conditions and/or events from various information sources. The process implies establishing the consequences of risk realization and determining risk reduction strategies using a cost-benefit analysis approach. The risk assessment process assists an auditor in planning by establishing audit priorities and developing an audit work schedule for an enterprise.
Compare risk assessment approach to traditional approaches to internal auditing
In the conventional paradigm of internal auditing, the audit focus was on the control system — the internal controls in place to mitigate the various risks faced by the business. Controls were tested and recommendations made to address identified control weaknesses. In contrast, risk-based auditing begins with the organizational objectives, then considers the risks and examines the methodologies to mitigate those risks.
Explain the definition, nature, and criteria of control as set out by the CoCo board
CoCo defines control as “those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.”
1. Control is effected by people at all levels of the organization.
2. Managers who are accountable for their operations must also have control of those operations.
3. Control must be flexible enough to adapt to changing conditions, both internally and externally. (As risks change, controls must also change.)
4. Organizations must balance autonomy, integration, consistency, and change to effect controls.
5. Controls can never provide absolute assurance, only reasonable assurance, because they must be cost-effective and have inherent limitations (faulty decision making, human errors, management overriding controls, collusion).

CoCo goes on to define three categories of control objectives:
- Effectiveness and efficiency of operations
- Reliability of internal and external reporting
- Compliance with applicable laws and regulations and internal policies
Inherent limitations of control
1. Controls must be cost-effective.
2. There are inherent limitations to control. These include:
   - the decision-making processes may be faulty (or based on incomplete or uncertain information).
   - controls tend to be directed at routine, recurring transactions.
   - some human error is inevitable.
   - there is always the possibility of collusive circumvention of controls.
   - there is always the possibility of management over-ride of controls.
Compare the CoCo control framework with other frameworks (COSO)
- CoCo is much broader than COSO
- CoCo recognizes "soft controls" such as trust
- COSO defines internal control in a more restricted manner
Describe the impact of the development of control frameworks on internal auditing
The development of control frameworks has led to a broader understanding of control and management’s responsibility for controlling the activities that they manage. It has brought management more into the control assessment process and created greater control-consciousness in management.
It has recognized the existence and potential effectiveness of “soft” controls and included them in evaluation.
Outline the steps in using a control framework as the basis of assessing control in an organization.
1. Understand the control framework to be used.
2. Determine existing control strengths and weaknesses.
3. Define key issues and reportable conditions.
4. Validate testimonial evidence.
5. Complete the assessment.
6. Identify and recommend corrective action.
Explain the control self-assessment process
Control self-assessment (CSA) recognizes that controls consist of all processes directed toward the achievement of organizational goals and that the responsibility for controls rests not with the company’s internal and external auditors, but with those who manage and operate the business processes. Control self-assessment is an alternative method to help provide assurance regarding an organization’s risk management and control processes. It is a methodology that uses facilitated team workshops, surveys, or management-produced analysis (or some combination of these) to collaboratively assess and evaluate control procedures.
Control self-assessment (CSA) consists of the following phases:
1. Identify business objectives and customize the process for the participating workshop team.
2. Conduct one or more workshops with management and staff from the unit being assessed.
3. Prepare a summary report and provide feedback.
4. Analyze and review results, comparing them with those from other workshops.
5. Report results to management.
6. Report summary results to the audit committee.
7. Provide follow-up and assistance in dealing with the issues identified.
Identify the advantages and disadvantages of the control self-assessment process
Advantages of control self-assessment include:
- increases management and employee awareness of controls;
- brings the focus of those who know the processes to bear on control issues;
- gains acceptance of recommendations;
- provides potential cost savings in later years.

Disadvantages of control self-assessment include:
- lack of objectivity and independence of evaluations;
- costly to implement (in the first few years);
- may become mechanical in time;
- requires an open management style to be effective.
Outline the IIA performance standards on governance
The IIA defines governance as “the combination of processes and structures implemented by the board in order to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”
Standard 2110 states that “the internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization;
- Ensuring effective organizational performance management and accountability;
- Communicating risk and control information to appropriate areas of the organization; and
- Coordinating the activities of and communicating information among the board, external and internal auditors and management.”
What are the governance responsibilities of the board of directors or equivalent body in the private sector?
1. approve and monitor mission, vision and strategy;
2. approve and monitor the organization’s ethical values;
3. monitor management control;
4. evaluate the performance of senior management;
5. oversee external communications;
6. assess the board’s own effectiveness.
What is the role of internal audit in corporate governance?
- promoting appropriate ethics and values within the organization;
- ensuring effective organizational performance management and accountability;
- effectively communicating risk and control information to appropriate areas of the organization;
- effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.
Explain the role of the audit committee of the board of directors.
1. oversight of published financial information including annual financial reports, interim reports, public disclosure documents, etc.
2. oversight of the internal auditing function
3. oversight of the internal financial controls
4. oversight of the corporate Code of Conduct
5. liaison with the organization’s external auditors
Interpret the Sarbanes-Oxley Act of 2002, and explain how it has affected the corporate governance process.
- The Sarbanes-Oxley Act of 2002 was passed by the US Congress to address investor concerns after the Enron collapse.
- Among the changes was the creation of a board to oversee audit and assurance of publicly traded entities.
- CEOs and CFOs must now attest to their belief in the accuracy of published financial information.
- External auditors (in the United States) will have to provide opinions on the controls over financial reporting within their publicly traded audit clients.
- These changes have increased the responsibility of boards and their audit committees and have resulted in much greater significance being placed on the internal audit functions within those companies affected by the law.