Chapter 15
Provide the process of risk assessment in correct sequence (i.e., seven steps). The last step is, based on the results of the cost/benefit analysis, to determine whether to reduce the risk by implementing a control, or to accept, share, or avoid the risk.
1. identify risks for the firm 2. estimate the likelihood of each risk occurring 3. estimate the impact 4. identify controls to mitigate the risk 5. estimate the costs and benefits of implementing the controls 6. perform a cost/benefit analysis for each risk and corresponding controls
In the COSO ERM framework component ____ ____, firms identify events affecting achievement of their objectives.
Blank 1: event Blank 2: identification
The COSO ERM framework indicates that an effective internal control system should consist of four categories of objectives: ____, operations, ____, and ____.
Blank 1: strategic Blank 2: reporting or report Blank 3: compliance
Select correct statements about the COBIT framework.
COBIT 2019 includes the main points of COSO ERM 2017. COBIT is a generally accepted framework for IT governance and management. COBIT 2019 enables IT to be governed in a holistic manner by taking in IT responsibility and considering the IT-related interests of stakeholders.
Select the principles related to information, communication, and reporting in the COSO ERM 2017 framework.
Communicate risk information Leverage information and technology
Select the principles related to performance in the COSO ERM 2017 framework.
Develop portfolio view Prioritize risks
Which of the five domains of COBIT 2019 is about IT governance?
EDM
The COSO ERM framework indicates that:
ERM provides reasonable assurance regarding the achievement of the firm's objectives. ERM manages risk to be within the firm's risk appetite.
True or false: COBIT is one of the generally accepted internal control frameworks for enterprises. COSO is a generally accepted framework for IT governance and management.
false
Select correct statements regarding information technology governance and corporate governance.
Information technology governance is a subset of corporate governance. Information technology governance is the responsibility of management.
What is enterprise risk management (ERM)?
It involves a company's board of directors, management, and other personnel in the process. It aims to provide reasonable assurance regarding the achievement of objectives. It is applied in strategy setting and across the enterprise.
Match each framework with its description.
COSO: a general internal control framework that can be applied to all firms
COSO ERM: a framework that expands from internal control to risk management and can be applied to all firms
COBIT: a comprehensive framework for IT governance and management
ITIL: a framework focusing on IT infrastructure and IT service management
ISO 27000 series: a framework for information security management
Select a correct statement on the monitoring component of the COSO ERM framework.
The ERM components and internal control process should be monitored continuously and modified as necessary. It is the process of evaluating the quality of internal control design and operation and the effectiveness of the ERM model.
Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances and risk appetite. The four options to respond to risks are: reducing, sharing, avoiding, and ____ risks.
accept
Input controls ensure the authorization, entry, and verification of data entering the system. Authorization of data entry is accomplished by using an ____ matrix.
access control matrix
IT controls are a subset of a firm's internal controls and are categorized as IT general and ____ controls.
application
Match each physical control activity based on the COSO internal control framework with its purpose.
authorization: to ensure transactions are valid
segregation of duties: to prevent fraud and mistakes
supervision: to compensate for imperfect segregation of duties
accounting documents and records: to maintain audit trails and accuracy of the financial data
access control: to ensure only authorized personnel have access to physical assets and information
independent verification: to double check for errors and misrepresentations
The IT Governance Institute (ITGI) developed a control framework for the governance and management of enterprise IT. This framework, ____, provides management with an understanding of the risks associated with IT and bridges the gap among business risks, control needs, and technical issues.
COBIT
COBIT control objectives provide high-level requirements to be considered for effective control of IT processes. Four of the seven key criteria of business requirements for information in COBIT are similar to COSO control objectives: effectiveness, efficiency, ____, and ____.
Blank 1: compliance Blank 2: reliability or reliable
COBIT control objectives provide high-level requirements to be considered for effective control of IT processes. Three of the seven key criteria of business requirements for information in COBIT are about security, and people often call them CIA: confidentiality, ____, and ____.
Blank 1: integrity Blank 2: availability
The IT Infrastructure Library (ITIL) is a de facto standard in Europe for best practices in IT infrastructure management and service delivery. ITIL adopts a ____ approach to IT services.
life cycle
In the COSO ERM framework,____ is the process of evaluating the quality of internal control design and operation and the effectiveness of the ERM model.
monitoring
Control activities are the policies and procedures that help ensure that necessary actions are taken to address risks to achieving the firm's objectives. There are two categories of control activities: ____ controls and ____ controls.
Blank 1: physical Blank 2: IT
During the objective setting stage, management should have a ____ in place to set strategic, operations, reporting, and compliance objectives.
process
The process, ____, is to identify and analyze risks systematically to determine the firm's risk response and control activities. It allows a firm to understand the extent to which potential events might affect corporate objectives.
risk assessment
Internal and external events affecting achievement of a firm's objectives must be identified. When using the COSO ERM framework, management must distinguish between ____ and ____ after identifying all possible events.
risks or opportunities
True or false: The internal environment of the COSO ERM framework provides the discipline and structure for all other components of enterprise risk management. It is the most critical component in the framework.
true