Risk management - PowerPoint PPT Presentation

Slides: 96
Provided by: melissaa

Transcript and Presenter's Notes

1
Section Topics
  1. Risk management
  2. Internal control
  3. Governance
  4. Related topics

Part 1, Section 5
2
Broadened Scope of Internal Audit Work
The internal audit activity must evaluate and
contribute to the improvement of governance, risk
management, and control processes using a
systematic and disciplined approach.
Of the three functional areas, which is the most
challenging for you?
Part 1, Section 5, Introduction
3
What Is Risk Management?
Benefits are maximized when risk is managed from
a portfolio perspective. Enterprise risk
management (ERM) programs help realize these
benefits.
4
Fundamental Risk Management Concepts
  • Transcends traditional organizational hazard
    management mentality.
  • Encompasses both strategic and bottom-line
    objectives.

Process is broad and ongoing and involves
management and employees at all levels.
5
What Is Internal Control?
Control environment: The attitude and actions of
the board and management regarding the
significance of control within the organization
Control: Any action taken by management, the
board, and other parties to manage risk and
increase the likelihood that established
objectives and goals will be achieved
Fundamental internal control concepts
  • A process effected by people at all levels
  • Provides reasonable, not absolute, assurance
  • Geared toward the achievement of
    organizational mission, goals, and objectives
6
What Is Governance?
Fundamental governance concepts
  • Starts at the top and cascades throughout the
    organization
  • Involves critical relationships among the board,
    senior management, and shareholders
  • Encompasses organizational structure and related
    legal and regulatory environment
  • Balances economic and social goals
  • Extends to all stakeholders and the general
    community

The combination of processes and structures
implemented by the board in order to inform,
direct, manage and monitor the activities of the
organization toward the achievement of its
objectives
7
Discussion Question
What are the benefits of using an ERM model?
(Select all that apply.)
  1. Allows business units to focus on their unique
    risks
  2. Facilitates proactive risk management
  3. Applies risk management within a strategic
    context
  4. Enhances the efficiency and effectiveness of
    basic internal audit work

Answer II, III, and IV. Traditional risk
management done in silos increases the potential
for over- or under-management of key risks. ERM
provides a unified approach and manages
uncertainties surrounding the achievement of
organizational objectives.
Part 1, Section 5, Topic 1
8
COSO ERM Model
  • Describes how to apply ERM in a strategic
    setting
  • Applicable to all industries and all types of
    risk
  • Includes four categories of objectives (what
    the organization hopes to achieve)

Strategic: Tied to high-level goals that are aligned to and support the mission
Operations: Related to effective and efficient resource use
Reporting: Related to the reliability of reporting
Compliance: Related to compliance with laws and regulations
The Committee of Sponsoring Organizations of
the Treadway Commission.
9
Discussion Question
What is the most likely benefit of having the
COSO ERM model in place at a company launching a
new product?
  1. Greater likelihood of the achievement of
    objectives
  2. Reduced losses from uncontrollable events
  3. Increased compliance with laws and regulations
  4. Absolute assurance of a positive reputation
    within the business community

Answer A. An ERM framework cannot prevent bad
management judgments or unforeseen events. It
can, however, provide reasonable assurance that
management and the board receive timely
information about the achievement of objectives.
10
COSO ERM Model
  • Includes eight components that:
    • Describe what is needed to achieve the
      objectives.
    • Are derived from the way management runs an
      enterprise.
    • Are integrated with the management process.

Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
11
Discussion Question
Which of the following statements describe the
relationship of objectives and components in the
COSO ERM framework? (Select all that apply.)
  1. All eight components are relevant to each
    objective category.
  2. Each component applies to all four objective
    categories.
  3. The objectives and components relate to an
    entire organization or to any individual units.
  4. The objectives and components are most
    effectively applied in large organizations.

Answer I, II, and III. Implementation may vary
in different-sized organizations, but the basic
concepts should be present in every organization.
12
COSO ERM Model
Roles and Responsibilities
  • Helps set strategy and formulate high-level
    objectives.
  • Often delegates the monitoring and assurance
    responsibilities, reserving authority for key
    decisions.
  • Oversight of:
    • Management.
    • The entity's risk appetite and portfolio view
      of risk.
    • Significant risks and management's response.
13
COSO ERM Model
Roles and Responsibilities
Management
  • Leads the implementation of ERM.
  • Chief executive officer sets the tone at the
    top.
  • Senior managers convert the strategies into
    operations.
  • Other managers provide tactical execution.
  • Makes every manager accountable to the next level
    up.
14
COSO ERM Model
Roles and Responsibilities
  • Empowered by the CEO.
  • Provides central coordination across the
    organization.
  • Works with other managers to:
    • Establish effective risk management practices.
    • Monitor progress.
    • Assist those managers in reporting.
  • May serve an exclusive assignment or have partial
    responsibility.
15
COSO ERM Model
Roles and Responsibilities
Financial executives
  • Finance and controllership activities that are
    central to risk management execution are:
    • Budgeting and planning.
    • Tracking and analyzing performance.
    • Reporting.
16
COSO ERM Model
Roles and Responsibilities
External parties
  • Encompasses several parties, including:
    • External auditors.
    • Legislators and regulators.
    • Business associates.
    • Out-sourcing providers.
    • Financial analysts, bond rating agencies, and
      news media.
17
Discussion Question
  • Identify the individual or group responsible for
    the ERM activity.

Answers
  • Establishing a common language and common measures: Risk officer
  • Setting precedent for integrity and ethical values: Board
  • Formally evaluating external financial reporting objectives: External auditors
  • Providing leadership and direction to senior managers: CEO
18
Discussion Question
Which of the following statements accurately
describe ERM responsibilities? (Select all that
apply.)
  1. The CEO monitors activities and risks in
    relation to the risk appetite.
  2. Senior managers manage risks related to unit
    objectives.
  3. The risk officer has major responsibility for
    the financial statements.
  4. Regulators influence activities in relation to
    the entity's risk appetite.

Answer I and II. Financial officers are
responsible for the financial statements.
Regulators do not influence the entity's risk
appetite.
19
AS/NZS 4360:2004
  • Provides an overview of risk management
  • Includes a generic framework
  • Explains how to identify, analyze, evaluate,
    manage, monitor, and communicate risk
  • Promotes embedding risk management in an
    organization's culture
  • Intends to help manage risk effectively and
    efficiently at a lower overall cost

Joint Australian/New Zealand Standard by the
Joint Technical Committee OB-007, Risk Management.
20
Discussion Question
How do the AS/NZS 4360:2004 and COSO ERM
frameworks compare? (Select all that apply.)
  1. Both champion the tone at top.
  2. COSO ERM has a broad focus; AS/NZS 4360:2004
    emphasizes corporate social responsibility.
  3. COSO ERM focuses on internal risks; AS/NZS
    4360:2004 focuses on external risks.
  4. Each has slightly different terminology, but
    both concur that risk management requires
    multidisciplinary skills.

Answer I and IV. Both frameworks have a broad
focus; AS/NZS 4360:2004 does not have any special
emphasis on corporate social responsibility.
AS/NZS 4360:2004 and COSO both attempt to help
organizations manage internal and external risks.
21
The Turnbull Guidance
  • Promotes a risk-based approach to internal
    control and the assessment of its effectiveness.
  • Linked to London Stock Exchange disclosure
    requirements.
  • Key tenets include:
    • A focus on significant risks.
    • Emphasis on risk management.
    • Ongoing, continuous monitoring of risk and
      control.
    • Engaging all employees.
    • Streamlining risk management databases.

Shortened name for Internal Control: Guidance
for Directors on the Combined Code.
22
Discussion Question
How do AS/NZS 4360:2004, the COSO ERM framework,
and Turnbull compare? (Select all that apply.)
  1. COSO and Turnbull emphasize engaging all
    employees; AS/NZS 4360:2004 focuses on the
    board and executives.
  2. All identify opportunities to save on costs of
    control.
  3. COSO has the greatest focus on mitigating
    unwelcome events.
  4. All provide objective assurance to an entity's
    board and management.

Answer II and IV. All three approaches promote
engaging all employees; AS/NZS 4360:2004 doesn't
have a special focus on the board or executives.
All three can reduce the possibility of unwelcome
events from occurring; COSO doesn't have an
increased focus over the other two.
23
Factors That Drive Events
External factors
  • Economic
  • Natural environment
  • Political
  • Social
  • Technological

Internal factors
  • Infrastructure
  • Personnel
  • Process
  • Technology

Event identification
  • Is synonymous with risk identification.
  • Identifies potential events and determines
    whether they are opportunities or threats.
24
Common Event Identification Techniques
Event inventories: Detailed listings of common potential events
Internal analysis: Detailed analysis of information
Escalation or threshold triggers: Triggers alerting management to areas of concern; comparison of current transactions or events with predefined criteria
Facilitated workshops and interviews: Facilitator-led structured discussions to draw on collective knowledge and experience
Process flow analysis: Examines the combination of inputs, tasks, and responsibilities that comprise a process
Leading event indicators: Monitoring of data correlated to events
Loss event data methodologies: Examination of past individual loss events to identify trends and root causes
25
Discussion Question
  • Identify the event identification technique.

Answers
  • A meeting of cross-functional managers to relate events to objectives: Facilitated workshop
  • Mapping of cash receipts to identify risks related to timely deposits: Process flow analysis
  • Monitoring daily, weekly, and monthly Internet site traffic: Leading event indicators
  • Tracking manufacturing equipment failures: Loss event data methodologies
26
Discussion Question
Which of the following statements describe the
internal audit activity role in an organization
lacking an organization-wide macro risk
assessment process? (Select all that apply.)
  1. They can facilitate or enable risk management
    processes.
  2. They should not assume responsibility for the
    risks identified.
  3. They should rely on quantitative techniques to
    identify and evaluate risks.

Answer I and II. Organizations typically use a
combination of qualitative and quantitative
techniques.
27
Quantitative Risk Assessment
Benchmarking
  • Description: Compares performance measures and results for specific events or processes. Identifies improvement opportunities. May also be used to assess likelihood and impact of potential events across an industry.
  • Examples: Internal; competitive/industry; best-in-class
Probabilistic models
  • Description: Associate a range of events and the resulting impact with likelihood. Likelihood and impact are assessed based on historical data or simulated outcomes of future behavior.
  • Examples: Value at risk (VAR); cash flow at risk; earnings at risk; loss distributions; back-testing
Non-probabilistic models
  • Description: Use subjective assumptions in estimating the impact of events without quantifying an associated likelihood. Base assessments on historical or simulated data and assumptions of future behavior.
  • Examples: Sensitivity analysis; scenario analysis; stress tests
28
Discussion Question
  • What are the risk/control implications of an
    organization's structure on the following areas?

Possible answers
Development of goals and objectives
Everyone must understand the objectives related
to their area.
Should be an iterative process that includes
entity, departments, functions.
Risk response
Should cut across all levels and keep everyone
tracking toward the objectives.
Control activities
Everyone must receive the information they need
in a timely manner.
Information and communication
29
Risk Management Responses
Avoidance: Action is taken to exit the activities giving rise to risk. Example: Exiting a product or selling a division.
Reduction: Action is taken to reduce the risk likelihood or impact or both. Example: Diversifying product offerings or reallocating funds.
Sharing: Action is taken to reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Example: Purchasing insurance, hedging, or out-sourcing.
Acceptance: No action is taken to affect likelihood or impact. Example: Accepting risk that conforms to risk tolerances.
30
Discussion Question
Inherent risk is BEST described as the risk
  1. remaining after management's risk response.
  2. management finds to be acceptable with the
    entity's risk tolerance.
  3. derived from the environment without the
    mitigating effects of internal controls.
  4. having the lowest likelihood and potential impact.

Answer C. Inherent risk is derived from the
environment without the mitigating effects of
internal controls.
31
Risk Assessment Pitfalls
  • Limiting risk assessments to financial hazards
  • Blindly selecting risks from a generic risk
    framework
  • Internal auditors developing risks in a vacuum
  • Identifying too many risks
  • Overcomplicating risk quantification

32
Risk Monitoring
  • Takes into account that ERM processes change over
    time.
  • Allows management to determine if ERM remains
    effective.
  • Many activities have built-in provisions for
    self-monitoring.
  • Most ongoing monitoring is performed on a
    real-time basis during the regular course of
    business.
  • Focus directly on ERM effectiveness.
  • Often conducted as self-assessments.
  • Necessity is the judgment of management.

Deficiencies and areas for improvement identified
by ongoing monitoring, separate evaluations, and
audit results.
33
Discussion Question
What is the internal audit activity's role when
ongoing monitoring identifies an ERM deficiency?
  1. Report the information to the board if it
    involves an illegal or improper act.
  2. Educate the individual or group responsible about
    the purpose of ERM and internal control.
  3. Assess if the deficiency will impact achievement
    of business objectives.
  4. Follow up with management and check on their
    response and/or corrective action.

Answer D. Internal auditors should determine
that corrective action is achieving desired
results or that senior management or the board
has assumed the risk of not taking corrective
action.
34
The Internal Audit Activity's Role in ERM
  • A continuum that ranges from:
    • No role, to
    • Auditing the risk management process as part of
      the internal audit plan, to
    • Providing insight and historical data on risk
      events identified by internal audit findings, to
    • Active, continuous support and involvement in
      the risk management process, to
    • Managing and coordinating the risk management
      process.
35
The Internal Audit Activity's Role in ERM
  • Risk management processes (e.g., their design
    and how well they are working).
  • Management of key risks, including the
    effectiveness of the controls and other
    activities.
  • The assessment of risks and reporting of risk
    and control status.

36
Discussion Question
Effectiveness is present if management has
planned and designed a system that provides
reasonable assurance that objectives and goals
will be achieved efficiently and economically.
  1. True
  2. False

Answer B. This statement describes adequacy.
Effectiveness is present if management directs
processes to provide reasonable assurance that
the organization's objectives and goals will be
achieved.
37
The Internal Audit Activity's Role in ERM
Possibilities include
  • Educating management about risk and control.
  • Promoting ERM in the entity.
  • Providing advice, facilitating workshops, and
    coaching on risk and control.
  • Acting as the central point for coordinating,
    monitoring, and reporting on risks.
  • Supporting related management activity.

38
Discussion Question
Which of the following statements accurately
describe management's acceptance of risk? (Select
all that apply.)
  1. The CAE must discuss unacceptable levels of
    residual risk with the board.
  2. Management is responsible for deciding
    appropriate actions to be taken in response to
    reported engagement observations and
    recommendations.
  3. The CAE is responsible for assessing management
    action for the timely resolution of reported
    engagement observations and recommendations.
  4. Senior management and the board may decide not to
    correct a reported condition because of cost or
    other considerations.

Answer All of the above (Performance Standard
2600 and Practice Advisory 2060-1)
39
Business Continuity Planning
Internal audit's roles
  • Before a disaster
    • Evaluate the entity's readiness.
    • Assist with the risk analysis.
    • Evaluate the plan.
    • Perform periodic assurance engagements to ensure
      that plan is up to date.
    • Observe and provide feedback on tests of the
      plan.
    • Verify that plans are adequate to ensure timely
      resumption of operations and processes.
  • After a disaster
    • Monitor effectiveness of the recovery and control
      of operations.
    • Participate in the organizational learning
      process: lessons learned from the disaster and
      the recovery.
40
Reinforcing Activity 1-13
Part 1, Section 5, Topic 1
Risk Management
41
Key Elements
  • Tangible policies, procedures, and activities

Less tangible behavioral aspects (ethical values)
Designed by management
Part 1, Section 5, Topic 2
42
Discussion Question
  • Identify the area/individual responsible for the
    internal control task.

Answers
  • Design, apply, and provide ongoing monitoring of the control processes: Operational managers
  • Establish and maintain organizational governance processes: The board
  • Provide varying degrees of assurance about the effectiveness of risk management and control processes: Internal and external auditors
  • Develop an annual audit plan: CAE
43
Discussion Question
Which of the following are characteristics of an
internal control framework? (Select all that
apply.)
  1. Defines control in terms of managing risks to
    objectives
  2. Facilitates absolute assurance about control
    efficiency
  3. Cuts across all levels of an organization
  4. Helps an organization establish an effective
    internal control system

Answer I, III, and IV. An internal control
framework provides reasonable assurance.
44
COSO Internal Control Framework
3 objectives
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

5 interrelated components
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

The Committee of Sponsoring Organizations of
the Treadway Commission.
45
Discussion Question
Which of the following statements is true about
the COSO internal control framework?
  1. The framework is best applied in manufacturing
    and service industries.
  2. All five components are applicable to the
    achievement of each of the objectives.
  3. The synergy and linkage among the objectives form
    the integrated framework.
  4. The audit committee has overall responsibility
    for the establishment, administration, and
    assessment of the framework.

Answer B
46
The CoCo Internal Control Framework
3 objectives
  • Effectiveness and efficiency of operations
  • Reliability of internal and external reporting
  • Compliance with applicable laws and regulations
    and internal policies

4 interrelated components
  • Purpose
  • Commitment
  • Capability
  • Monitoring and learning

The Criteria of Control developed by the
Canadian Institute of Chartered Accountants
(CICA).
47
The Cadbury Model
  • Elements include:
    • Control environment.
    • Identification and evaluation of risks and
      control objectives.
    • Information and communication.
    • Control procedures.
    • Monitoring and corrective action.

Published by The Institute of Chartered
Accountants in England and Wales (ICAEW) in 1994;
in 1999, the ICAEW issued the Turnbull guidance.
48
Discussion Question
  • Identify if the internal controls are hard or
    soft.

Answers
  • Senior management's commitment to social responsibility: Soft
  • Centralized decision-making and a formal approval process: Hard
  • A consistent customer focus that all employees understand and feel passionate about: Soft
  • Six Sigma continuous improvement methodology: Hard
49
COSO's Control Environment Factors
Factor: Example
  • Integrity and ethical values: Employees understand acceptable/unacceptable behavior.
  • Commitment to competence: Analysis indicates that employees have requisite knowledge and skills.
  • Board of directors or audit committee: A process exists to regularly communicate key information.
  • Management's philosophy and operating style: Management avoids excessive focus on short-term reported results.
  • Organizational structure: Established reporting relations are effective.
  • Assignment of authority and responsibility: Authority and responsibility are assigned to employees throughout the entity.
  • Human resource policies and practices: Employees understand that ineffective performance has remedial consequences.
50
Reinforcing Activity 1-14
Part 1, Section 5, Topic 2
Internal Control
51
Control Self-assessment (CSA)
  • A variety of assessment techniques performed by
    people involved in an area or process.

Management and/or work teams directly responsible
for a business function
  • Participate in the assessment.
  • Evaluate risk.
  • Develop action plans.
  • Assess the likelihood of achieving objectives.

52
Discussion Question
A large company and a small company in the same
industry both face new regulations. Which of the
following statements is true?
  1. Basic concepts to deal with this internal control
    component should be present in both
    organizations.
  2. The larger organization will be better attuned to
    risks because of increased access to information.
  3. The smaller organization will be more nimble in
    its response because of less bureaucracy.
  4. Both can implement identical controls as long as
    their objectives and strategies are similar.

Answer A. Regardless of size, basic concepts
should be present in both. Specific control
measures will vary.
53
Discussion Question
Which of the following characteristics
differentiates control in an organization with
authoritarian leadership from an empowered
environment?
  1. Written policies and documentation will be more
    prevalent with authoritarian leadership.
  2. Vision and values set by an authoritarian leader
    have a greater influence on control than in an
    empowered environment.
  3. Incidents of control breakdowns are more likely
    in an empowered environment.
  4. Face-to-face interactions with key personnel have
    less significance in the empowered environment.

Answer A. An authoritarian leader makes
decisions, and subordinates carry them out.
54
Models of Management
  • Autocratic: People are motivated by a call for obedience.
  • Custodial: People are motivated by material rewards and the offer of happiness and security.
  • Supportive: People are motivated by opportunities for growth and achievement.
  • Collegial: People are motivated by teamwork and contribution.
55
Organizational Continuum
56
Discussion Question
Can an internal auditor serve as a change agent
during an assurance engagement?
  1. Yes, in nearly every situation
  2. Yes, if it involves assisting management to
    improve a control process by providing advice
  3. Only if the internal auditor can objectively
    correct an ineffective process
  4. No, not under any circumstances

Answer B. Many assurance engagements are
actually blended engagements and offer the
opportunity for an internal auditor to educate
and work with upper management. For example, an
internal auditor may assist management via
on-the-job training or the results of an
engagement might be used to help develop a
substantive risk and control culture.
57
Discussion Question
Why is it important for an internal auditor to
understand conflict management and conflict
resolution? (Select all that apply.)
  1. The internal auditor can prevent a potential
    control breakdown by proactively managing
    conflict during an engagement.
  2. Conflict can be the root cause of control
    breakdowns.
  3. The internal auditor needs to remain unbiased and
    be careful not to take sides.
  4. Collaboration and problem-solving are the
    preferred way to gain true conflict resolution.

Answer II, III, and IV. Internal auditors need
to understand several reasons for dealing with
conflict management.
58
Discussion Question
Which of the following statements describe the
significance of the 2130 series of Implementation
Standards and related Practice Advisory guidance?
(Select all that apply.)
  1. They specify that the internal audit activity
    includes some type of value-added activity in
    assurance engagements.
  2. They describe specific requirements for internal
    auditors performing the assurance function.
  3. They specify how internal auditors can assess
    ethics compliance.
  4. They ensure that the internal audit activity
    considers the linkage to organizational goals
    and objectives through appropriate established
    criteria.

Answer II and IV.
59
Discussion Question
Internal auditors are responsible for all of the
following when providing compliance assurance
EXCEPT
  1. understanding all current regulations and
    legislation.
  2. monitoring compliance activities.
  3. providing insights into the ramifications of
    noncompliance.
  4. informing senior management of indications of
    significant noncompliance.

Answer B. Management and the internal audit
activity both have important roles. It is
management's responsibility to implement policies
and monitor compliance.
60
Providing Control Assurance
Practice Advisory 2130-1
  • Aggregates many individual assessments to
    evaluate overall effectiveness.
  • Three key considerations are:
    • Were significant discrepancies or weaknesses
      discovered from the audit work performed and
      other assessment information gathered?
    • If so, were corrections or improvements made
      after the discoveries?
    • Do the discoveries and their consequences lead to
      the conclusion that a pervasive condition exists
      resulting in an unacceptable level of business
      risk?
61
Discussion Question
The audit committee reports to senior management
and the board on the state of the risk management
and control processes, usually once a year.
  1. True
  2. False

Answer B. The CAE is responsible for the report,
which should refer to major work performed by
internal audit and to other important sources of
information that were used to formulate the
overall assurance judgment.
62
Providing Control Assurance
Implementation Standard 2130.A2
  • Whether goals and objectives in place are aligned
    with the overall organizational strategy

Implementation Standard 2130.A3
  • Whether operation and program results are
    consistent with established goals and objectives

Implementation Standard 2210.A3
  • If management criteria are sufficient to
    determine if goals and objectives are being met
63
Opinions on the Adequacy of Internal Controls
Positive assurance
  • Description: Provides highest level of assurance.
  • Meaning: Controls are satisfactory or unsatisfactory, effective or ineffective, meet expectations or don't meet expectations, etc.
Negative assurance
  • Description: Indicates no evidence of inadequate internal controls.
  • Meaning: Provides limited assurance that sufficient evidence was gathered to determine whether controls were inadequate.
Qualified
  • Description: Provides an opinion with qualifications that contradict the overall opinion.
  • Meaning: Controls were satisfactory, with the exception of (for example) accounts payable controls, which require significant improvement.
64
Discussion Question
All of the following are important considerations
for assessing reporting mechanisms to the board
EXCEPT
  1. adequacy.
  2. accuracy.
  3. reliability.
  4. conciseness.

Answer D. The board is the focal point for key
organizational activities. Adequate and effective
communications are critical.
65
Common Initiatives in Governance
Part 1, Section 5, Topic 3
66
Discussion Question
Which of the following principles best exemplify
effective governance? (Select all that apply.)
  1. Balancing the direct and indirect costs of risk
    responses against the benefits they create
  2. Having the board chair be a nonexecutive leader
    and the board hierarchy reflect a balance of
    power between the CEO and independent directors
  3. Ensuring that executive compensation is in line
    with organizational goals and objectives
  4. Identifying and analyzing critical success
    factors from an industry and entity perspective

Answer II and III. I is more indicative of risk
management, and IV is more related to internal
control.
67
Governance and Culture
  • Influences overall effectiveness of the
    governance process
  • Impacts the values, roles, and behaviors
  • Determines how the entity meets its social
    responsibilities
Part 1, Section 5, Topic 3
68
Discussion Question
  • Identify who is responsible for the following
    governance activities.

Answers
  • Deploys strategies aligned to organizational objectives and goals: Operations management
  • Oversees organizational activities but does not have any direct responsibilities: The board
  • Provides assurance on financial reporting activities: External auditor
  • Provides advice on potential improvements to governance structures and processes: Internal auditor
Part 1, Section 5, Topic 3
69
Governance and Organizational Maturity
  • Internal audit
  • Performs discrete audits.
  • Provides advice regarding optimal structure and
    practices.
  • Compares current governance against regulations
    and other compliance requirements.
  • Internal audit
  • Evaluates efficiency and effectiveness of
    company-wide governance components.
  • Analyzes the transparency and disclosure
    (reporting) practices.
  • Compares governance best practices.
  • Identifies compliance with applicable regulations
    and governance codes.

Part 1, Section 5, Topic 3
70
Internal Audit Assurance Activities to Promote Values
Self-assessment methods
Audit programs
  • Evaluate
  • Employees' understanding of values.
  • Alignment of individual goals and objectives to
    corporate values.
  • Whether employees uphold values.
  • Whether employees perceive others as exemplifying
    those values.
  • Assess various activities to ensure that values
    are understood and upheld.

Part 1, Section 5, Topic 3
71
How Internal Auditors Assess the Ethical Climate
  • Evaluate the completeness of ethics policies and
    codes.
  • Review how well personnel practices support an
    ethical climate.
  • Determine whether appropriate communications are
  • Occurring.
  • Understood.
  • Embraced.
  • Determine if explicit strategies support and
    enhance the ethical culture.
  • Evaluate processes that enable employees to
    communicate concerns about inappropriate
    behavior.
  • Determine if the appropriate process exists to
    ensure that allegations of misconduct are
    investigated and resolved, findings are properly
    reported, and corrective action is taken to
    improve controls.
  • Evaluate board oversight responsibilities and
    monitoring activities.

Part 1, Section 5, Topic 3
72
Discussion Question
  • A survey designed to assess the organizational
    ethical climate should include which of the
    following characteristics? (Select all that
    apply.)
  • Have top management support
  • Be field-tested
  • Ensure ease of response
  • Include space for open comments

Answer: All of the above. Other important
considerations are keeping the survey to a
reasonable length and, if possible, providing
analysis by an independent firm and assuring
respondents' confidentiality.
Part 1, Section 5, Topic 3
73
Assessing Ethics Compliance
Sources include:
  • Discovery of violations and reported compliance
    complaints from whistleblowers.
  • Trend analysis of past internal audits.
Part 1, Section 5, Topic 3
74
Discussion Question
A code of conduct related to conflicts of
interest should include
  A. a description of expected behavior for employees,
    other corporate agents, and suppliers.
  B. a discussion of industry best practices.
  C. provisions for reporting alleged misconduct.
  D. mention of what constitutes plausible exceptions
    to the policy.

Answer: A. Codes of conduct are intended to
provide a proactive statement on the
organization's position on acceptable employee
behavior.
Part 1, Section 5, Topic 3
75
Best Practices for Fostering an Ethical Climate
  • Tone at the top
  • A written code of ethics, kept current
  • An ethics message delivered via multiple
    communication media
  • Employee ethics interviews
  • Employee and stakeholder ethics attitude surveys
  • Ethics training
  • Open communications
  • Employee involvement
  • Diversity and institutional fairness
  • Whistleblower hotlines for reporting incidents
  • A compliance-supporting culture

Part 1, Section 5, Topic 3
76
Assessing the Ethical Climate of the Board
  • Board structure, objectives, and dynamics
  • Board committee functions
  • Board policy manual
  • Processes for maintaining awareness of governance
    requirements
  • Board education and training
  • Internal audit
  • Assesses areas identified.
  • As warranted, assists in and/or makes
    recommendations for improvements.

Part 1, Section 5, Topic 3
77
  • Reinforcing Activity 1-15
  • Part 1, Section 5, Topic 3
  • Governance

Part 1, Section 5, Topic 3
78
Fraud Awareness and Fraud Prevention
Rationalization
Motive
  • Fraud prevention
  • Discourage acts
  • Limit exposure

Opportunity
Part 1, Section 5, Topic 4
79
Fraud Prevention and Control
Control Elements Internal Auditing Responsibilities
Control environment Code of conduct, ethics policy, or fraud policy. Ethics and whistleblower hotlines. Hiring and promotion guidelines and practices. Oversight. Investigation of reported issues and remediation of confirmed violations. Assess aspects of the control environment. Conduct proactive fraud audits and investigations. Communicate results of fraud audits. Provide support for remediation efforts. Possibly own the whistleblower hotline.
Fraud risk assessment Identify and assess fraud-related risks. Assess segregation of duties. Evaluate management's fraud risk assessment.
Control activities Establish and implement effective control practices. Establish an affirmation or certification process. Assess the design and operating effectiveness of fraud-related controls. Ensure that audit plans and programs address fraud risk. Evaluate the design of facilities. Review proposed changes to laws, regulations, or systems and their impacts on controls.
Part 1, Section 5, Topic 4
80
Fraud Prevention and Control
Control Elements Internal Auditing Responsibilities
Information and communication Documentation and dissemination of policies, guidance, and results. Opportunities to discuss ethical dilemmas. Communication channels. Training. Considerations of the impact and use of technology for fraud deterrence. Assess the operating effectiveness of information and communication systems and practices. Support training.
Monitoring Ongoing and periodic performance assessments. Consideration of computer technology for fraud deterrence. Assess monitoring activities and related computer software. Conduct investigations. Support the audit committee's oversight. Support the development of fraud indicators. Hire and train employees.
Part 1, Section 5, Topic 4
81
Discussion Question
Whistleblower hotline anonymity implies that the
caller's name and identity will be communicated
only to those with an essential or authorized
need to know.
  A. True
  B. False

Answer: B. This statement describes
confidentiality. Confidentiality can be promised
only within the limits allowed by law, and
callers should know who might learn their
identity. Anonymity provides both secrecy and
nondisclosure of the caller's identity.
Part 1, Section 5, Topic 4
82
Privacy
  • Can encompass
  • Personal privacy.
  • Privacy of space.
  • Privacy of communication.
  • Privacy of information.

Part 1, Section 5, Topic 4
83
Discussion Question
  • Identify the US privacy legislation.

Answers
  • Establishes rights to obtain information from federal agencies: FOIA
  • Gives parents control over online information collected from their children: COPPA
  • Addresses the security and privacy of health data: HIPAA
  • Protects consumers' personal financial information held by financial institutions: Financial Modernization Act
Part 1, Section 5, Topic 4
84
OECD Guidance: Core Principles
  • Collection limitation
  • Data quality
  • Purpose specification
  • Use limitation
  • Security safeguards
  • Openness
  • Individual participation
  • Accountability
Part 1, Section 5, Topic 4
85
Discussion Question
Which of the following are reasonable
expectations for an internal auditor evaluating a
privacy framework? (Select all that apply.)
  I. Identify the types and appropriateness of
    information the organization gathers.
  II. Identify any significant risks along with the
    appropriate recommendations.
  III. Evaluate whether the use of the information
    collected is in accordance with its intended use.
  IV. Evaluate the maturity of the framework and help
    make improvements to mitigate significant risks.

Answer: I, II, and III. Due to the highly
technical and legal nature of privacy, it may be
necessary to secure the services of third-party
experts.
Part 1, Section 5, Topic 4
86
Security Vulnerabilities
Information security
Physical security
  • Universal considerations
  • Confidentiality
  • Integrity
  • Availability
  • Examples
  • Natural disasters
  • Service disruptions
  • Human error
  • Theft and vandalism
  • Terrorism
  • Sabotage

Part 1, Section 5, Topic 4
87
Risk Management Steps
Part 1, Section 5, Topic 4
88
Internal Audit Assessment of Security Risks
  • Analysis of reported incidents
  • Review of exposure statistics
  • Mapping key processes
  • Periodic inspections
  • Periodic process and product audits
  • Assessments of management system effectiveness
  • Scenario analysis

Part 1, Section 5, Topic 4
89
Discussion Question
  • Which of the following are reasonable
    expectations for an internal auditor evaluating
    information security? (Select all that apply.)
  • Assess the effectiveness of preventive,
    detective, and mitigation measures against past
    attacks.
  • Recommend, as appropriate, enhancements to or
    implementation of new controls and safeguards.
  • Confirm that the board has been appropriately
    informed of all corrective measures.
  • Report to management and the board on the level
    of compliance with security rules, significant
    violations, and their disposition.

Answer: All of the above (Practice Advisory
2130.A1-1).
Part 1, Section 5, Topic 4
90
Discussion Question
ISO/IEC 27002:2007 guidelines on information
security contain best practices that help
organizations achieve high-level compliance.
  A. True
  B. False

Answer: A. The focus of ISO/IEC 27002:2007 is
information security controls. It helps
organizations develop security standards and
effective security management practices, address
legal and regulatory concerns, and better manage
compliance.
Part 1, Section 5, Topic 4
91
CAE Assessment of Outside Service Providers
Competency
  • Relevant credentials
  • Appropriate professional organization membership
    and adherence to a code of ethics
  • Professional reputation
  • Relevant experience
  • Pertinent education and training
  • Knowledge and experience in the industry
Independence and objectivity
  • Any financial interests
  • Any personal or professional affiliation
  • Any internal relationships with the organization
    or the activities being reviewed

Part 1, Section 5, Topic 4
92
Discussion Question
Which of the following are appropriate
considerations for an internal auditor evaluating
key performance indicators (KPIs)? (Select all
that apply.)
  I. Are they the right measures?
  II. Are the measures in line with short-term
    financial goals?
  III. Are the measures operating effectively?
  IV. Are employees behaving professionally in
    the achievement of objectives?

Answer: I and III. Usually, KPIs measure
outcomes. Sometimes they measure process
characteristics.
Part 1, Section 5, Topic 4
93
Discussion Question
The CAE believes that a special management
request for an engagement that was not part of
the annual audit plan should be fulfilled because
it deals with a high-risk security breach. The
CAE should
  A. secure board approval of the audit plan change.
  B. secure permission from the audit committee to
    postpone another engagement.
  C. out-source the engagement since it was not
    included in the annual plan.
  D. co-source the engagement with external security
    specialists.

Answer: A. Audit plans are intended to be
flexible, but any significant changes to the plan
must be presented to the board for approval.
Part 1, Section 5, Topic 4
94
Discussion Question
  • Identify who is responsible for the following
    activities related to an external audit.

Answers
  • Assessing the effectiveness of financial reporting controls: External auditors
  • Establishing a time line to address audit findings: Management
  • Oversight for external auditors: Audit committee
  • Acting on audit findings: Management
  • Performance assessment of the external auditors: Audit committee
Part 1, Section 5, Topic 4
95
End of Section 5
  • Questions?

Part 1, Section 5, Topic 4