Risk management - PowerPoint PPT Presentation

1 / 95
About This Presentation

Risk management


Section Topics Risk management Internal control Governance Related topics Part 1, Section 5 – PowerPoint PPT presentation

Number of Views:531
Avg rating:3.0/5.0
Slides: 96
Provided by: melissaa


Transcript and Presenter's Notes

Title: Risk management

Section Topics
  1. Risk management
  2. Internal control
  1. Governance
  2. Related topics

Part 1, Section 5
Broadened Scope of Internal Audit Work
The internal audit activity must evaluate and
contribute to the improvement of governance, risk
management, and control processes using a
systematic and disciplined approach.
Of the three functional areas, which is the most
challenging for you?
Part 1, Section 5, Introduction
What Is Risk Management?
Benefits are maximized when risk is managed from
a portfolio perspective. Enterprise risk
management (ERM) programs help realize these
Part 1, Section 5, Introduction
Fundamental Risk Management Concepts
  • Transcends traditional organizational hazard
    management mentality.
  • Encompasses both strategic and bottom-line

Process is broad and ongoing and involves
management and employees at all levels.
Part 1, Section 5, Introduction
What Is Internal Control?
Control environment The attitude and actions of
the board and management regarding the
significance of control within the organization
Control Any action taken by management, the
board, and other parties to manage risk and
increase the likelihood that established
objectives and goals will be achieved
Fundamental internal control concepts
A process effected by people at all
levels Provides reasonable, not absolute,
assurance Geared toward the achievement of
organizational mission, goals, and objectives
Part 1, Section 5, Introduction
What Is Governance?
Fundamental governance concepts
  • Starts at the top and cascades throughout the
  • Involves critical relationships among the board,
    senior management, and shareholders
  • Encompasses organizational structure and related
    legal and regulatory environment
  • Balances economic and social
  • goals
  • Extends to all stakeholders
  • and the general
  • community

The combination of processes and structures
implemented by the board in order to inform,
direct, manage and monitor the activities of the
organization toward the achievement of its
Part 1, Section 5, Introduction
Discussion Question
  • What are the benefits of using an ERM model?
    (Select all that apply.)
  • Allows business units to focus on their unique
  • Facilitates proactive risk management
  • Applies risk management within a strategic
  • Enhances the efficiency and effectiveness of
  • internal audit work

Answer II, III, and IV. Traditional risk
management done in silos increases the potential
for over- or under-management of key risks. ERM
provides a unified approach and manages
uncertainties surrounding the achievement of
organizational objectives.
Part 1, Section 5, Topic 1
Describes how to apply ERM in a strategic
setting Applicable to all industries and all
types of risk Includes four categories of
objectives (what the organization hopes to
Strategic Tied to high-level goals aligned to and support mission
Operations Related to effective and efficient resource use
Reporting Related to the reliability of reporting
Compliance Related to compliance with laws and regulations
The Committee of Sponsoring Organizations of
the Treadway Commission.
Part 1, Section 5, Topic 1
Discussion Question
What is the most likely benefit of having the
COSO ERM model in place at a company launching a
new product?
  1. Greater likelihood of the achievement of
  2. Reduced losses from uncontrollable events
  3. Increased compliance with laws and regulations
  4. Absolute assurance of a positive reputation
    within the business community

Answer A. An ERM framework cannot prevent bad
management judgments or unforeseen events. It
can, however, provide reasonable assurance that
management and the board receive timely
information about the achievement of objectives.
Part 1, Section 5, Topic 1
  • Includes eight components that
  • Describe what is needed to achieve the
  • Are derived from the way management runs an
  • Are integrated with the management process.

Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Part 1, Section 5, Topic 1
Discussion Question
  • Which of the following statements describe the
    relationship of objectives and components in the
    COSO ERM framework? (Select all that apply.)
  • All eight components are relevant to each
    objective category.
  • Each component applies to all four objective
  • The objectives and components relate to an
  • organization or to any individual units.
  • The objectives and components are most
  • effectively applied in large organizations.

Answer I, II, and III. Implementation may vary
in different-sized organizations, but the basic
concepts should be present in every organization.
Part 1, Section 5, Topic 1
Roles and Responsibilities
  • Helps set strategy and formulate high-level
  • Often delegates the monitoring and assurance
    responsibilities, reserving authority for key
  • Oversight of
  • Management.
  • The entitys risk appetite and portfolio view of
  • Significant risks and managements response.

Part 1, Section 5, Topic 1
Roles and Responsibilities
  • Leads the implementation of ERM.
  • Chief executive officer sets the tone at the
  • Senior managers convert the strategies into
  • Other managers provide tactical execution.
  • Makes every manager accountable to the next level

Part 1, Section 5, Topic 1
Roles and Responsibilities
  • Empowered by the CEO.
  • Provides central coordination across the
  • Works with other managers to
  • Establish effective risk management practices.
  • Monitor progress.
  • Assist those managers in reporting.
  • May serve an exclusive assignment or have partial

Part 1, Section 5, Topic 1
Roles and Responsibilities
  • Finance and controllership activities that are
    central to risk management execution are
  • Budgeting and planning.
  • Tracking and analyzing performance.
  • Reporting.

Financial executives
Part 1, Section 5, Topic 1
Roles and Responsibilities
  • Encompasses several parties, including
  • External auditors.
  • Legislators and regulators.
  • Business associates.
  • Out-sourcing providers.
  • Financial analysts, bond rating agencies, and
    news media.

External parties
Part 1, Section 5, Topic 1
Discussion Question
  • Identify the individual or group responsible for
    the ERM activity.

Establishing a common language and common measures Setting precedent for integrity and ethical values Formally evaluating external financial reporting objectives Providing leadership and direction to senior managers
Risk officer
External auditors
Part 1, Section 5, Topic 1
Discussion Question
  • Which of the following statements accurately
    describe ERM responsibilities? (Select all that
  • The CEO monitors activities and risks in
    relation to the risk
  • appetite.
  • Senior managers manage risks related to unit
  • The risk officer has major responsibility for
    the financial
  • statements.
  • Regulators influence activities in relation to
    the entitys risk
  • appetite.

Answer I and II. Financial officers are
responsible for the financial statements.
Regulators do not influence the entitys risk
Part 1, Section 5, Topic 1
AS/NZS 43602004
Provides an overview of risk management Includes
a generic framework Explains how to identify,
analyze, evaluate, manage, monitor, and
communicate risk Promotes embedding risk
management in an organizations culture Intends
to help manage risk effectively and efficiently
at a lower overall cost
Joint Australian/New Zealand Standard by the
Joint Technical Committee OB-007, Risk Management.
Part 1, Section 5, Topic 1
Discussion Question
  • How do the AS/NZS 43602004 and COSO ERM
    frameworks compare? (Select all that apply.)
  • Both champion the tone at top.
  • COSO ERM has a broad focus AS/NZS 43602004
  • emphasizes corporate social responsibility.
  • COSO ERM focuses on internal risks AS/NZS
  • focuses on external risks.
  • Each has slightly different terminology, but
    both concur that
  • risk management requires multidisciplinary

Answer I and IV. Both frameworks have a broad
focus AS/NZS 43602004 does not have any special
emphasis on corporate social responsibility.
AS/NZS 43602004 and COSO both attempt to help
organizations manage internal and external risks.
Part 1, Section 5, Topic 1
The Turnbull Guidance
  • Promotes a risk-based approach to internal
    control and the assessment of its effectiveness.
  • Linked to London Stock Exchange disclosure
  • Key tenets include
  • A focus on significant risks.
  • Emphasis on risk management.
  • Ongoing, continuous monitoring of risk and
  • Engaging all employees.
  • Streamlining risk management databases.

Shortened name for Internal Control Guidance
for Directors on the Combined Code.
Part 1, Section 5, Topic 1
Discussion Question
  • How do AS/NZS 43602004, the COSO ERM framework,
    and Turnbull compare? (Select all that apply.)
  • COSO and Turnbull emphasize engaging all
  • AS/NZS 43602004 focuses on the board and
  • All identify opportunities to save on costs of
  • COSO has the greatest focus on mitigating
    unwelcome events.
  • All provide objective assurance to an entitys
    board and
  • management.

Answer II and IV. All three approaches promote
engaging all employees AS/NZS 43602004 doesnt
have a special focus on the board or executives.
All three can reduce the possibility of unwelcome
events from occurring COSO doesnt have an
increased focus over the other two.
Part 1, Section 5, Topic 1
Factors That Drive Events
External factors
Internal factors
  • Economic
  • Natural environment
  • Political
  • Social
  • Technological
  • Infrastructure
  • Personnel
  • Process
  • Technology

Event identification Is synonymous with risk
identification. Identifies potential events and
determines whether they are opportunities or
Part 1, Section 5, Topic 1
Common Event Identification Techniques
Event inventories Detailed listings of common potential events
Internal analysis Detailed analysis of information
Escalation or threshold triggers Triggers alerting management to areas of concern comparison of current transactions or events with predefined criteria
Facilitated workshops and interviews Facilitator-led structured discussions to draw on collective knowledge and experience
Process flow analysis Examines the combination of inputs, tasks, and responsibilities that comprise a process
Leading event indicators Monitoring of data correlated to events
Loss event data methodologies Examination of past individual loss events to identify trends and root causes
Part 1, Section 5, Topic 1
Discussion Question
  • Identify the event identification technique.

A meeting of cross-functional managers to relate events to objectives Mapping of cash receipts to identify risks related to timely deposits Monitoring daily, weekly, and monthly Internet site traffic Tracking manufacturing equipment failures
Facilitated workshop
Process flow analysis
Leading event indicators
Loss event data methodologies
Part 1, Section 5, Topic 1
Discussion Question
  • Which of the following statements describe the
    internal audit activity role in an organization
    lacking an organization-wide macro risk
    assessment process? (Select all that apply.)
  • They can facilitate or enable risk management
  • processes.
  • They should not assume responsibility for the
  • identified.
  • They should rely on quantitative techniques to
  • and evaluate risks.

Answer I and II. Organizations typically use a
combination of qualitative and quantitative
Part 1, Section 5, Topic 1
Quantitative Risk Assessment
Technique Description Examples
Benchmarking Compares performance measures and results for specific events or processes. Identifies improvement opportunities. May also be used to assess likelihood and impact of potential events across an industry. Internal Competitive/industry Best-in-class
Probabilistic models Associate a range of events and the resulting impact with likelihood. Likelihood and impact are assessed based on historical data or simulated outcomes of future behavior. Value at risk (VAR) Cash flow at risk Earnings at risk Loss distributions Back-testing
Non-probabilistic models Use subjective assumptions in estimating the impact of events without quantifying an associated likelihood. Base assessments on historical or simulated data and assumptions of future behavior. Sensitivity analysis Scenario analysis Stress tests
Part 1, Section 5, Topic 1
Discussion Question
  • What are the risk/control implications of an
    organizations structure on the following areas?

Possible answers
Development of goals and objectives
Everyone must understand the objectives related
to their area.
Should be an iterative process that includes
entity, departments, functions.
Risk response
Should cut across all levels and keep everyone
tracking toward the objectives.
Control activities
Everyone must receive the information they need
in a timely manner.
Information and communication
Part 1, Section 5, Topic 1
Risk Management Responses
Avoidance Action is taken to exit the activities giving rise to risk. Example Exiting a product or selling a division.
Reduction Action is taken to reduce the risk likelihood or impact or both. Example Diversifying product offerings or reallocating funds.
Sharing Action is taken to reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Example Purchasing insurance, hedging, or out-sourcing.
Acceptance No action is taken to affect likelihood or impact. Example Accepting risk that conforms to risk tolerances.
Part 1, Section 5, Topic 1
Discussion Question
Inherent risk is BEST described as the risk
  1. remaining after managements risk response.
  2. management finds to be acceptable with the
    entitys risk tolerance.
  3. derived from the environment without the
    mitigating effects of internal controls.
  4. having the lowest likelihood and potential impact.

Answer C. Inherent risk is derived from the
environment without the mitigating effects of
internal controls.
Part 1, Section 5, Topic 1
Risk Assessment Pitfalls
  • Limiting risk assessments to financial hazards
  • Blindly selecting risks from a generic risk
  • Internal auditors developing risks in a vacuum
  • Identifying too many risks
  • Overcomplicating risk quantification

Part 1, Section 5, Topic 1
Risk Monitoring
  • Takes into account that ERM processes change over
  • Allows management to determine if ERM remains
  • Many activities have built-in provisions for
  • Most ongoing monitoring is performed on a
    real-time basis during the regular course of
  • Focus directly on ERM effectiveness.
  • Often conducted as self-assessments.
  • Necessity is the judgment of management.

Deficiencies and areas for improvement identified
by ongoing monitoring, separate evaluations, and
audit results.
Part 1, Section 5, Topic 1
Discussion Question
What is the internal audit activitys role when
ongoing monitoring identifies an ERM deficiency?
  • Report the information to the board if it
    involves an illegal or improper act.
  • Educate the individual or group responsible about
    the purpose of ERM and internal control.
  • Assess if the deficiency will impact achievement
  • of business objectives.
  • Follow up with management and check on their
  • response and/or corrective action.

Answer D. Internal auditors should determine
that corrective action is achieving desired
results or that senior management or the board
has assumed the risk of not taking corrective
Part 1, Section 5, Topic 1
The Internal Audit Activitys Role in ERM
  • A continuum that ranges from
  • No role, to
  • Auditing the risk management process as part of
    the internal audit plan, to
  • Providing insight and historical data on risk
    events identified by internal audit findings, to
  • Active, continuous support and involvement in
    the risk management process, to
  • Managing and coordinating the risk management

Part 1, Section 5, Topic 1
The Internal Audit Activitys Role in ERM
  • Risk management processes (e.g., their design
    and how well they are working).
  • Management of key risks, including the
    effectiveness of the controls and other
  • The assessment of risks and reporting of risk
    and control status.

Part 1, Section 5, Topic 1
Discussion Question
Effectiveness is present if management has
planned and designed a system that provides
reasonable assurance that objectives and goals
will be achieved efficiently and economically.
  1. True
  2. False

Answer B. This statement describes adequacy.
Effectiveness is present if management directs
processes to provide reasonable assurance that
the organizations objectives and goals will be
Part 1, Section 5, Topic 1
The Internal Audit Activitys Role in ERM
Possibilities include
  • Educating management about risk and control.
  • Promoting ERM in the entity.
  • Providing advice, facilitating workshops, and
    coaching on risk and control.
  • Acting as the central point for coordinating,
    monitoring, and reporting on risks.
  • Supporting related management activity.

Part 1, Section 5, Topic 1
Discussion Question
  • Which of the following statements accurately
    describe managements acceptance of risk? (Select
    all that apply.)
  • The CAE must discuss unacceptable levels of
    residual risk with the board.
  • Management is responsible for deciding
    appropriate actions to be taken in response to
    reported engagement observations and
  • The CAE is responsible for assessing management
    action for the timely resolution of reported
    engagement observations and recommendations.
  • Senior management and the board may decide not to
  • correct a reported condition because of cost or
    other considerations.

Answer All of the above (Performance Standard
2600 and Practice Advisory 2060-1)
Part 1, Section 5, Topic 1
Business Continuity Planning
  • Before a disaster
  • Evaluate the entitys readiness.
  • Assist with the risk analysis.
  • Evaluate the plan.
  • Perform periodic assurance engagements to ensure
    that plan is up to date.
  • Observe and provide feedback on tests of the
  • Verify that plans are adequate to ensure timely
    resumption of operations and processes.
  • After a disaster
  • Monitor effectiveness of the recovery and control
    of operations.
  • Participate in the organizational learning
    processlessons learned from the disaster and the

Internal audits roles
Part 1, Section 5, Topic 1
  • Reinforcing Activity 1-13
  • Part 1, Section 5, Topic 1
  • Risk Management

Part 1, Section 5, Topic 1
Key Elements
  • Tangible policies, procedures, and activities

Less tangible behavioral aspects (ethical values)
Designed by management
Part 1, Section 5, Topic 2
Discussion Question
  • Identify the area/individual responsible for the
    internal control task.

Design, apply, and provide ongoing monitoring of the control processes. Establish and maintain organizational governance processes. Provide varying degrees of assurance about the effectiveness of risk management and control processes. Develop an annual audit plan.
Operational managers
The board
Internal and external auditors
Part 1, Section 5, Topic 2
Discussion Question
  • Which of the following are characteristics of an
    internal control framework? (Select all that
  • Defines control in terms of managing risks to
  • Facilitates absolute assurance about control
  • Cuts across all levels of an organization
  • Helps an organization establish an effective
  • control system

Answer I, III, and IV. An internal control
framework provides reasonable assurance.
Part 1, Section 5, Topic 2
COSO Internal Control Framework
5 interrelated components
3 objectives
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

The Committee of Sponsoring Organizations of
the Treadway Commission.
Part 1, Section 5, Topic 2
Discussion Question
Which of the following statements is true about
the COSO internal control framework?
  • The framework is best applied in manufacturing
    and service industries.
  • All five components are applicable to the
    achievement of each of the objectives.
  • The synergy and linkage among the objectives form
    the integrated framework.
  • The audit committee has overall responsibility
  • for the establishment, administration, and
  • assessment of the framework.

Answer B
Part 1, Section 5, Topic 2
The CoCo Internal Control Framework
4 interrelated components
3 objectives
  • Effectiveness and efficiency of operations
  • Reliability of internal and external reporting
  • Compliance with applicable laws and regulations
    and internal policies
  • Purpose
  • Commitment
  • Capability
  • Monitoring and learning

The Criteria of Control developed by the
Canadian Institute of Chartered Accountants
Part 1, Section 5, Topic 2
The Cadbury Model
  • Elements include
  • Control environment.
  • Identification and evaluation of risks and
    control objectives.
  • Information and communication.
  • Control procedures.
  • Monitoring and corrective action.

Published by The Institute of Chartered
Accountants in England and Wales (ICAEW) in 1994
in 1999, the ICAEW issued the Turnbull guidance.
Part 1, Section 5, Topic 2
Discussion Question
  • Identify if the internal controls are hard or

Senior managements commitment to social responsibility Centralized decision-making and a formal approval process A consistent customer focus that all employees understand and feel passionate about Six Sigma continuous improvement methodology
Part 1, Section 5, Topic 2
COSOs Control Environment Factors
Factor Example
Integrity and ethical values Employees understand acceptable/ unacceptable behavior.
Commitment to competence Analysis indicates that employees have requisite knowledge and skills.
Board of directors or audit committee A process exists to regularly communicate key information.
Managements philosophy and operating style Management avoids excessive focus on short-term reported results.
Organizational structure Established reporting relations are effective.
Assignment of authority and responsibility Authority and responsibility are assigned to employees throughout the entity.
Human resource policies and practices Employees understand that ineffective performance has remedial consequences.
Part 1, Section 5, Topic 2
  • Reinforcing Activity 1-14
  • Part 1, Section 5, Topic 2
  • Internal Control

Part 1, Section 5, Topic 2
Control Self-assessment (CSA)
  • A variety of assessment techniques performed by
    people involved in an area or process.

Management and/or work teams directly responsible
for a business function
  • Participate in the assessment.
  • Evaluate risk.
  • Develop action plans.
  • Assess the likelihood of achieving objectives.

Part 1, Section 5, Topic 2
Discussion Question
A large company and a small company in the same
industry both face new regulations. Which of the
following statements is true?
  1. Basic concepts to deal with this internal control
    component should be present in both
  2. The larger organization will be better attuned to
    risks because of increased access to information.
  3. The smaller organization will be more nimble in
    its response because of less bureaucracy.
  4. Both can implement identical controls as long as
    their objectives and strategies are similar.

Answer A. Regardless of size, basic concepts
should be present in both. Specific control
measures will vary.
Part 1, Section 5, Topic 2
Discussion Question
Which of the following characteristics
differentiates control in an organization with
authoritarian leadership from an empowered
  • Written policies and documentation will be more
    prevalent with authoritarian leadership.
  • Vision and values set by an authoritarian leader
    have a greater influence on control than in an
    empowered environment.
  • Incidents of control breakdowns are more likely
    in an empowered environment.
  • Face-to-face interactions with key personnel have
  • significance in the empowered environment.

Answer A. An authoritarian leader makes
decisions, and subordinates carry them out.
Part 1, Section 5, Topic 2
Models of Management
Autocratic Custodial Supportive Collegial

People are motivated by a call for obedience. People are motivated by material rewards and the offer of happiness and security. People are motivated by opportunities for growth and achievement. People are motivated by teamwork and contribution.
Part 1, Section 5, Topic 2
Organizational Continuum
Part 1, Section 5, Topic 2
Discussion Question
Can an internal auditor serve as a change agent
during an assurance engagement?
  1. Yes, in nearly every situation
  2. Yes, if it involves assisting management to
    improve a control process by providing advice
  3. Only if the internal auditor can objectively
    correct an ineffective process
  4. No, not under any circumstances

Answer B. Many assurance engagements are
actually blended engagements and offer the
opportunity for an internal auditor to educate
and work with upper management. For example, an
internal auditor may assist management via
on-the-job training or the results of an
engagement might be used to help develop a
substantive risk and control culture.
Part 1, Section 5, Topic 2
Discussion Question
  • Why is it important for an internal auditor to
    understand conflict management and conflict
    resolution? (Select all that apply.)
  1. The internal auditor can prevent a potential
    control breakdown by proactively managing
    conflict during an engagement.
  2. Conflict can be the root cause of control
  3. The internal auditor needs to remain unbiased and
    be careful not to take sides.
  4. Collaboration and problem-solving are the
    preferred way to gain true conflict resolution.

Answer II, III, and IV. Internal auditors need
to understand several reasons for dealing with
conflict management.
Part 1, Section 5, Topic 2
Discussion Question
  • Which of the following statements describe the
    significance of the 2130 series of Implementation
    Standards and related Practice Advisory guidance?
    (Select all that apply.)
  • They specify that the internal audit activity
    includes some type
  • of value-added activity in assurance
  • They describe specific requirements for internal
  • performing the assurance function.
  • They specify how internal auditors can assess
  • compliance.
  • They ensure that the internal audit activity
  • the linkage to organizational goals and
  • through appropriate established criteria.

Answer II and IV.
Part 1, Section 5, Topic 2
Discussion Question
Internal auditors are responsible for all of the
following when providing compliance assurance
  1. understanding all current regulations and
  2. monitoring compliance activities.
  3. providing insights into the ramifications of
  4. informing senior management of indications of
    significant noncompliance.

Answer B. Management and the internal audit
activity both have important roles. It is
managements responsibility to implement policies
and monitor compliance.
Part 1, Section 5, Topic 2
Providing Control Assurance
Practice Advisory 2130-1
  • Aggregates many individual assessments to
    evaluate overall effectiveness.
  • Three key considerations are
  • Were significant discrepancies or weaknesses
    discovered from the audit work performed and
    other assessment information gathered?
  • If so, were corrections or improvements made
    after the discoveries?
  • Do the discoveries and their consequences lead to
    the conclusion that a pervasive condition exists
    resulting in an unacceptable level of business

Part 1, Section 5, Topic 2
Discussion Question
The audit committee reports to senior management
and the board on the state of the risk management
and control processes, usually once a year.
  1. True
  2. False

Answer B. The CAE is responsible for the report,
which should refer to major work performed by
internal audit and to other important sources of
information that were used to formulate the
overall assurance judgment.
Part 1, Section 5, Topic 2
Providing Control Assurance
Implementation Standard 2130.A2
  • Whether goals and objectives in place are aligned
    with the overall organizational strategy

Implementation Standard 2130.A3
Whether operation and program results are
consistent with established goals and objectives
Implementation Standard 2210.A3
If management criteria are sufficient to
determine if goals and objectives are being met
Part 1, Section 5, Topic 2
Opinions on the Adequacy of Internal Controls
Opinion Description Meaning
Positive assurance Provides highest level of assurance. Controls are satisfactory or unsatisfactory, effective or ineffective, meet expectations or dont meet expectations, etc.
Negative assurance Indicates no evidence of inadequate internal controls. Provides limited assurance that sufficient evidence was gathered to determine whether controls were inadequate.
Qualified Provides an opinion with qualifications that contradict the overall opinion. Controls were satisfactory, with the exception of (for example) accounts payable controls, which require significant improvement.
Part 1, Section 5, Topic 2
Discussion Question
All of the following are important considerations
for assessing reporting mechanisms to the board
  1. adequacy.
  2. accuracy.
  3. reliability.
  4. conciseness.

Answer D. The board is the focal point for key
organizational activities. Adequate and effective
communications are critical.
Part 1, Section 5, Topic 2
Common Initiatives in Governance
Part 1, Section 5, Topic 3
Discussion Question
  • Which of the following principles best exemplify
    effective governance? (Select all that apply.)
  • Balancing the direct and indirect costs of risk
    responses against the benefits they create
  • Having the board chair be a nonexecutive leader
    and the board hierarchy reflect a balance of
    power between the CEO and independent directors
  • Ensuring that executive compensation is in line
    with organizational goals and objectives
  • Identifying and analyzing critical success
  • from an industry and entity perspective

Answer II and III. I is more indicative of risk
management, and IV is more related to internal
Part 1, Section 5, Topic 3
Governance and Culture
  • Influences overall effectiveness of the
    governance process
  • Impacts the values, roles, and behaviors

Determines how the entity meets its social
Part 1, Section 5, Topic 3
Discussion Question
  • Identify who is responsible for the following
    governance activities.

Deploys strategies aligned to organizational objectives and goals Oversees organizational activities but does not have any direct responsibilities Provides assurance on financial reporting activities Provides advice on potential improvements to governance structures and processes

Operations management
The board
External auditor
Internal auditor
Part 1, Section 5, Topic 3
Governance and Organizational Maturity
  • Internal audit
  • Performs discrete audits.
  • Provides advice regarding optimal structure and
  • Compares current governance against regulations
    and other compliance requirements.
  • Internal audit
  • Evaluates efficiency and effectiveness of
    company-wide governance components.
  • Analyzes the transparency and disclosure
    (reporting) practices.
  • Compares governance best practices.
  • Identifies compliance with applicable regulations
    and governance codes.

Part 1, Section 5, Topic 3
Internal Audit Assurance Activities to Promote
Self-assessment methods
Audit programs
  • Evaluate
  • Employees understanding of values.
  • Alignment of individual goals and objectives to
    corporate values.
  • Whether employees uphold values.
  • Whether employees perceive others as exemplifying
    those values.
  • Assess various activities to ensure that values
    are understood and upheld.

Part 1, Section 5, Topic 3
How Internal Auditors Assess the Ethical Climate
  • Evaluate the completeness of ethics policies and
  • Review how well personnel practices support an
    ethical climate.
  • Determine whether appropriate communications are
  • Occurring.
  • Understood.
  • Embraced.
  • Determine if explicit strategies support and
    enhance the ethical culture.
  • Evaluate processes that enable employees to
    communicate concerns about inappropriate
  • Determine if the appropriate process exists to
    ensure that allegations of misconduct are
    investigated and resolved, findings are properly
    reported, and corrective action is taken to
    improve controls.
  • Evaluate board oversight responsibilities and
    monitoring activities.

Part 1, Section 5, Topic 3
Discussion Question
  • A survey designed to assess the organizational
    ethical climate should include which of the
    following characteristics? (Select all that
  • Have top management support
  • Be field-tested
  • Ensure ease of response
  • Include space for open comments

Answer All of the above. Other important
considerations are keeping the survey to a
reasonable length and, if possible, providing
analysis by an independent firm and assuring
respondents confidentiality.
Part 1, Section 5, Topic 3
Assessing Ethics Compliance
  • Sources include

Discovery of violations and reported compliance
complaints from whistleblowers.
Trend analysis of past internal audits.
Part 1, Section 5, Topic 3
Discussion Question
A code of conduct related to conflicts of
interest should include
  1. a description of expected behavior for employees,
    other corporate agents, and suppliers.
  2. a discussion of industry best practices.
  3. provisions for reporting alleged misconduct.
  4. mention of what constitutes plausible exceptions
    to the policy.

Answer A. Codes of conduct are intended to
provide a proactive statement on the
organizations position on acceptable employee
Part 1, Section 5, Topic 3
Best Practices for Fostering an Ethical Climate
  • Tone at the top
  • A written code of ethics, kept current
  • An ethics message delivered via multiple
    communication media
  • Employee ethics interviews
  • Employee and stakeholder ethics attitude surveys
  • Ethics training
  • Open communications
  • Employee involvement
  • Diversity and institutional fairness
  • Whistleblower hotlines for reporting incidents
  • A compliance-supporting culture

Part 1, Section 5, Topic 3
Assessing the Ethical Climate of the Board
  • Board structure, objectives, and dynamics
  • Board committee functions
  • Board policy manual
  • Processes for maintaining awareness of governance
  • Board education and training
  • Internal audit
  • Assesses areas identified.
  • As warranted, assists in and/or makes
    recommendations for improvements.

Part 1, Section 5, Topic 3
  • Reinforcing Activity 1-15
  • Part 1, Section 5, Topic 3
  • Governance

Part 1, Section 5, Topic 3
Fraud Awareness and Fraud Prevention
  • Fraud prevention
  • Discourage acts
  • Limit exposure

Part 1, Section 5, Topic 4
Fraud Prevention and Control
Control Elements Internal Auditing Responsibilities
Control environment Code of conduct, ethics policy, or fraud policy. Ethics and whistleblower hotlines. Hiring and promotion guidelines and practices. Oversight. Investigation of reported issues and remediation of confirmed violations. Assess aspects of the control environment. Conduct proactive fraud audits and investigations. Communicate results of fraud audits. Provide support for remediation efforts. Possibly own the whistleblower hotline.
Fraud risk assessment Identify and assess fraud-related risks. Assess segregation of duties. Evaluate managements fraud risk assessment.
Control activities Establish and implement effective control practices. Establish an affirmation or certification process. Assess the design and operating effectiveness of fraud-related controls. Ensure that audit plans and programs address fraud risk. Evaluate the design of facilities. Review proposed changes to laws, regulations, or systems and their impacts on controls.
Part 1, Section 5, Topic 4
Fraud Prevention and Control
Fraud Prevention and Control
Control Elements Internal Auditing Responsibilities
Information and communication Documentation and dissemination of policies, guidance, and results. Opportunities to discuss ethical dilemmas. Communication channels. Training. Considerations of the impact and use of technology for fraud deterrence. Assess the operating effectiveness of information and communication systems and practices. Support training.
Monitoring Ongoing and periodic performance assessments. Consideration of computer technology for fraud deterrence. Assess monitoring activities and related computer software. Conduct investigations. Support the audit committees oversight. Support the development of fraud indicators. Hire and train employees.
Part 1, Section 5, Topic 4
Discussion Question
Whistleblower hotline anonymity implies that the
callers name and identity will be communicated
only to those with an essential or authorized
need to know.
  1. True
  2. False

Answer B. This statement describes
confidentiality. Confidentiality can be promised
only within the limits allowed by law, and
callers should know who might learn their
identity. Anonymity provides both secrecy and
nondisclosure of the callers identity.
Part 1, Section 5, Topic 4
  • Can encompass
  • Personal privacy.
  • Privacy of space.
  • Privacy of communication.
  • Privacy of information.

Part 1, Section 5, Topic 4
Discussion Question
  • Identify the US privacy legislation.

Establishes rights to obtain information from federal agencies Gives parents control over online information collected from their children Addresses the security and privacy of health data Protects consumers personal financial information held by financial institutions
Financial Modernization Act
Part 1, Section 5, Topic 4
OECD GuidanceCore Principles
  • Collection limitation
  • Data quality
  • Purpose specification
  • Use limitation
  • Security safeguards
  • Openness

Individual participation Accountability
Part 1, Section 5, Topic 4
Discussion Question
  • Which of the following are reasonable
    expectations for an internal auditor evaluating a
    privacy framework? (Select all that apply.)
  1. Identify the types and appropriateness of
    information the organization gathers.
  2. Identify any significant risks along with the
    appropriate recommendations.
  3. Evaluate whether the use of the information
    collected is in accordance with its intended use.
  4. Evaluate the maturity of the framework and help
    make improvements to mitigate significant risks.

Answer I, II, and III. Due to the highly
technical and legal nature of privacy, it may be
necessary to secure the services of third-party
Part 1, Section 5, Topic 4
Security Vulnerabilities
Information security
Physical security
  • Universal considerations
  • Confidentiality
  • Integrity
  • Availability
  • Examples
  • Natural disasters
  • Service disruptions
  • Human error
  • Theft and vandalism
  • Terrorism
  • Sabotage

Part 1, Section 5, Topic 4
Risk Management Steps
Part 1, Section 5, Topic 4
Internal Audit Assessment of Security Risks
  • Analysis of reported incidents
  • Review of exposure statistics
  • Mapping key processes
  • Periodic inspections
  • Periodic process and product audits
  • Assessments of management system effectiveness
  • Scenario analysis

Part 1, Section 5, Topic 4
Discussion Question
  • Which of the following are reasonable
    expectations for an internal auditor evaluating
    information security? (Select all that apply.)
  • Assess the effectiveness of preventive,
    detective, and mitigation measures against past
  • Recommend, as appropriate, enhancements to or
    implementation of new controls and safeguards.
  • Confirm that the board has been appropriately
    informed of all corrective measures.
  • Report to management and the board on the level
  • of compliance with security rules, significant
  • violations, and their disposition.

Answer All of the above (Practice Advisory
Part 1, Section 5, Topic 4
Discussion Question
ISO/IEC 270022007 guidelines on information
security contain best practices that help
organizations achieve high-level compliance.
  1. True
  2. False

Answer A. The focus of ISO/IEC 270022007 is
information security controls. It helps
organizations develop security standards and
effective security management practices, address
legal and regulatory concerns, and better manage
Part 1, Section 5, Topic 4
CAE Assessment of Outside Service Providers
Independence and objectivity
  • Relevant credentials
  • Appropriate professional organization membership
    and adherence to a code of ethics
  • Professional reputation
  • Relevant experience
  • Pertinent education and training
  • Knowledge and experience in the industry
  • Any financial interests
  • Any personal or professional affiliation
  • Any internal relationships with the organization
    or the activities being reviewed

Part 1, Section 5, Topic 4
Discussion Question
  • Which of the following are appropriate
    considerations for an internal auditor evaluating
    key performance indicators (KPIs)? (Select all
    that apply.)
  • Are they the right measures?
  • Are the measures in line with short-term
  • goals?
  • Are the measures operating effectively?
  • Are employees behaving professionally in
  • the achievement of objectives?

Answer I and III. Usually, KPIs measure
outcomes. Sometimes they measure process
Part 1, Section 5, Topic 4
Discussion Question
The CAE believes that a special management
request for an engagement that was not part of
the annual audit plan should be fulfilled because
it deals with a high-risk security breach. The
CAE should
  • secure board approval of the audit plan change.
  • secure permission from the audit committee to
    postpone another engagement.
  • out-source the engagement since it was not
    included in the annual plan.
  • co-source the engagement with external security
  • specialists.

Answer A. Audit plans are intended to be
flexible, but any significant changes to the plan
must be presented to the board for approval.
Part 1, Section 5, Topic 4
Discussion Question
  • Identify who is responsible for the following
    activities related to an external audit.

External auditors
Assessing the effectiveness of financial reporting controls Establishing a time line to address audit findings Oversight for external auditors Acting on audit findings Performance assessment of the external auditors

Audit committee
Audit committee
Part 1, Section 5, Topic 4
End of Section 5
  • Questions?

Part 1, Section 5, Topic 4
Write a Comment
User Comments (0)
About PowerShow.com