my frog internal audit review questions 505
3 mc Which of the following is not an appropriate governance role for an organization's board of directors? a. Evaluating and approving strategic objectives b. Influencing the organization's risk-taking philosophy c. Providing assurance directly to third parties that the organization's governance processes are effective d. Establishing broad boundaries of conduct outside of which the organization should not operate.
C
ABC utility company sells electricity to residential customers and is a member of an industry association that provides guidance to electric utilities, lobbies on behalf of the industry, and facilitates sharing among its members. From ABC's perspective, what type of stakeholder is this industry association? a. Directly involved in the operation of the company. b. Interested in the success of the company. c. Influences the company. d. Not a stakeholder.
C
3 What is a combined assurance model? Why do some organizations use such models?
A combined assurance model focuses on understanding the different types of assurance being provided so that, based on the level of risk being assessed and how strong the assurance is, a coordinated plan or calendar can be developed. This facilitates awareness of each assurance activity's assessments, when the assessments will occur, and how other assurance activities can rely on that work. Organizations use such models to combat "assurance fatigue." Assurance fatigue occurs as a result of different assurance activities failing to collaborate effectively. Failure to sufficiently coordinate activities results in redundant and unnecessary assurance work.
What is the difference between independence and objectivity as they pertain to internal auditors?
Independence refers to the organizational status of the internal audit function and reflects the freedom from conditions that threaten objectivity or the appearance of objectivity. Individual objectivity is an impartial, unbiased mental attitude and involves avoiding conflicts of interest, which allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made.
What are the seven inherent personal qualities listed in the chapter that are common among successful internal auditors?
Inherent personal qualities that are common among successful internal auditors include integrity, passion, work ethic, curiosity, creativity, initiative, and flexibility.
What is inherent risk? What is residual risk?
Inherent risk represents the level of risk before management's application of direct or focused actions to alter its severity. Residual risk represents the level of risk after management's application of actions to alter its severity.
What is the difference between internal assurance services and internal consulting services?
Internal assurance services involve an objective examination of evidence for the purpose of providing an independent assessment on the effectiveness of governance, risk management, and control processes for the organization. Internal consulting services are advisory and related services, the nature and scope of which are agreed to with the customer and that are intended to improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility.
Why is it imperative that internal auditors have integrity?
Internal auditors must have integrity because the users of their work products rely on the internal auditors' professional judgments to make important business decisions. These stakeholders must have confidence that internal auditors are trustworthy.
What are the three common ways individuals enter the internal audit profession?
Many individuals now enter the internal audit profession directly out of school. Others switch to internal auditing after beginning their careers in another area of the organization or in public accounting. Some organizations require prospective managers to spend time working in internal auditing as part of their management trainee program.
Do most people who work in internal auditing spend their entire careers there? Explain.
Most people who work in internal auditing do not spend their entire careers there. They instead use internal auditing as a stepping stone into financial or nonfinancial management positions, either in the organizations they have been working for or in other organizations.
In exhibit 4-3, why are some of the balls representing risks clustered together while some are not?
Some risks occur individually and some may occur at the same time, or in aggregate. Such risks may be more significant in aggregate than when assessed individually.
3 What are the three different types of stakeholders that the board must understand? Give examples of each type.
Stakeholders can be divided into the following groups:
• Stakeholders Directly Involved in the Operation of the Organization's Business — Examples include employees, customers, and vendors.
• Stakeholders Interested in the Organization's Business — Examples include shareholders, investors, certain regulators, and financial institutions.
• Stakeholders Influencing the Organization's Business — Examples include certain regulators, financial institutions, rating agencies, industry associations, and competitors.
12 What are the 11 risk management principles identified in ISO 31000?
The 11 risk management principles identified in ISO 31000 state that risk management:
■ Creates and protects value.
■ Is an integral part of all organizational processes.
■ Is part of decision-making.
■ Explicitly addresses uncertainty.
■ Is systematic, structured, and timely.
■ Is based on the best available information.
■ Is tailored.
■ Takes human and cultural factors into account.
■ Is transparent and inclusive.
■ Is dynamic, iterative, and responsive to change.
■ Facilitates continual improvement of the organization.
According to COSO, what are the fundamental concepts emphasized in its definition of enterprise risk management (ERM)?
The COSO ERM exposure draft explains that its definition of enterprise risk management (ERM) emphasizes its focus on risk through:
■ Recognizing culture and capabilities, which are key aspects of ERM.
■ Applying practices, which are the procedures and tasks employed by the organization to ensure effective risk management.
■ Integrating with strategy-setting and its execution, which involves management considering the implications of each strategy to the organization's risk profile.
■ Managing risk to strategy and business objectives, which provides management and the board of directors with a reasonable expectation that they can achieve the overall strategy and business objectives.
■ Linking to creating, preserving, and realizing value, which means that, ultimately, the success of risk management is determined by value.
4 How does COSO define risk? How does ISO define risk?
The COSO exposure draft defined risk as "The possibility that events will occur and affect the achievement of a strategy and objectives." ISO defines risk as "effect of uncertainty on objectives."
What are the three parts of the CIA exam?
The Certified Internal Auditor (CIA) exam tests a candidate's expertise in three parts:
■ Internal Audit Basics.
■ Internal Audit Practice.
■ Internal Audit Knowledge Elements.
What are some ERM assurance activities the internal audit function may perform? What are some ERM consulting activities the internal audit function may perform if appropriate safeguards are implemented? What ERM activities should the internal audit function not perform?
The ERM assurance activities that the internal audit function may perform include:
■ Giving assurance on the risk management processes.
■ Giving assurance that risks are correctly evaluated.
■ Evaluating risk management processes.
■ Evaluating the reporting of key risks.
■ Reviewing the management of key risks.
ERM consulting activities that the internal audit function may perform if appropriate safeguards are implemented include:
■ Facilitating identification and evaluation of risks.
■ Coaching management in responding to risks.
■ Coordinating ERM activities.
■ Consolidating the reporting on risks.
■ Maintaining and developing the ERM framework.
■ Championing establishment of ERM.
■ Developing ERM strategy for board approval.
The following should not be undertaken by the internal audit function, as these roles represent management responsibilities that would impair the internal audit function's independence and objectivity:
■ Setting the risk appetite.
■ Imposing risk management processes.
■ Management assurance on risks.
■ Taking decisions on risk responses.
■ Implementing risk responses on management's behalf.
■ Accountability for risk management.
How many core competencies are included in The IIA's Global Internal Auditor Competency Framework and for what general job levels are they recommended?
The Global Internal Auditor Competency Framework outlines 10 core competencies recommended for each broad job level, namely internal audit staff, internal audit management, and the CAE.
3 What is The IIA's definition of governance? How does this definition relate to the figure in exhibit 3-3?
The IIA defines governance as "The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives." The strategic direction aspect of governance illustrated in exhibit 3-3 encompasses the information and direction the board provides to help ensure the organization is successful. The governance oversight aspect of governance illustrated in exhibit 3-3 focuses on the board's role in managing and monitoring the organization's operations.
3. How is The IIA's leadership organization structured?
The IIA headquarters' executive leadership team is headed by the president and CEO. Hundreds of volunteers, including The IIA's Global Board of Directors, also provide IIA leadership. The 38-member Global Board of Directors oversees the affairs of The IIA. The board's Executive Committee comprises the chairman of the board, the senior vice chairman, five vice chairmen, a secretary, and the two most recent former chairmen of the board. The board also includes the North American Board, which holds specific authority and oversight of North American activities, directors-at-large, ex-officio directors, institute directors, and The IIA president as an ex-officio member.
How does The IIA define internal auditing?
The IIA's definition: "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
What is the major objective of the Internal Audit Foundation?
The Internal Audit Foundation exists to help audit leaders, practitioners, students, and academics experience continuous growth in their careers to propel them to become respected as trusted advisers as well as thought leaders within the industry.
3 What is the OECD's definition of corporate governance?
The Organisation for Economic Co-operation and Development (OECD) defines corporate governance as follows: "Corporate governance involves a set of relationships between a company's management, its board, its shareholders, and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of obtaining those objectives and monitoring performance are determined."
3 Why are there arrows flowing in both directions between the different elements of governance depicted in exhibit 3-2?
The arrows represent the flow of information throughout the governance structure. The board provides direction to senior management to guide them in carrying out the risk management activities. Senior management in turn provides direction to lower levels of management who are responsible for the internal control activities. However, lower-level managers are accountable to senior management with regard to the success of those internal control activities; senior management is accountable to provide the board assurances regarding the effectiveness of risk management activities. The arrows in the figure depict that flow of direction and accountability from one layer to the next.
3 In governance, what are the key responsibilities of: a. The board of directors? b. Senior management? c. Risk owners?
The responsibilities of each group are as follows:
a. Board of directors
• Establishing a governance committee.
- This committee could be a new committee or an expansion of responsibilities for an existing committee (for example, many public companies have expanded the responsibilities of the nominating committee to become a nominating and governance committee).
- It should be made up of independent directors.
- The committee should have the responsibilities outlined above.
• Articulating requirements for reporting to the board.
- The board should delegate to management the authority to operate the business within the board's tolerable limits relative to unacceptable outcomes. Management must have the authority to make day-to-day business decisions, but also must have a clear understanding of the board's tolerance limits within which to manage the business.
- As part of its oversight role, the board also must establish reporting thresholds for management—that is, which outcomes must be approved by the board, reported directly to the board, or summarized for the board as part of quarterly meetings.
• Reevaluating governance expectations periodically (probably annually).
- Key stakeholder expectations may evolve and change. Therefore, the board must identify those changes and reevaluate its governance direction.
- As a result of those changes, the board's tolerance levels also should be reevaluated.
b. Senior management
• Ensuring that the full scope of direction and authority delegated by the board is properly understood. Senior management must understand the board's governance expectations, the amount of authority the board has delegated to management, its tolerance levels relative to unacceptable outcomes, and requirements for reporting to the board.
• Identifying the processes and activities within the organization that are an integral part of executing the governance direction provided by the board. That is, senior management must determine:
- Where in the organization to manage the specific risks that could result in unacceptable outcomes.
- Who will be responsible for managing those risks (risk owners).
- How those risks will be managed.
• Evaluating what other business considerations or factors might create a justification for delegating a lower tolerance level to risk owners than that delegated from the board. For example, the board may specify that management must maintain controls to ensure there are no control weaknesses beyond a certain level of severity. However, senior management, desiring to avoid the situation where multiple significant control deficiencies aggregate to an unacceptable level, may specify to risk owners that controls be maintained to ensure there are no control deficiencies exceeding a lower level of severity.
• Ensuring that sufficient information is gathered from the risk owners to support its reporting requirements to the board.
c. Risk owners
• Evaluating whether the risk management activities are designed adequately to manage the related risks within the tolerance levels specified by senior management. Although senior management may provide direction relative to the risk management activities, the risk owners typically will determine the specific tasks that are necessary to carry out those activities.
• Assessing the ongoing capabilities of the organization to execute those risk management activities. This assessment should evaluate the maturity of the procedures in place, the competence and experience of the people performing those procedures, the sufficiency of any enabling technologies (for example, computer systems), and the availability of external and internal information to support decision-making.
• Determining whether the risk management activities are currently operating as designed—that is, whether the people and systems are executing the processes consistently with the desired objectives.
• Conducting day-to-day monitoring activities to identify, in a timely manner, whether anomalies or divergences from expected outcomes have occurred.
• Ensuring that the information needed by senior management and the board is accurate and readily available, and is provided to senior management on a timely basis.
What are the three components of the internal audit value proposition set forth by The IIA?
The three components of the internal audit value proposition are assurance, insight, and objectivity.
What are the three fundamental phases in the internal audit engagement process?
The three fundamental phases in the internal audit engagement process are planning the engagement, performing the engagement, and communicating engagement outcomes.
3 What are the three lines of defense in the Three Lines of Defense model?
The three lines of defense in the Three Lines of Defense Model are as follows:
• The first line of defense represents the internal control activities conducted by individuals and management. These activities are comprised of both the specific internal control activities, referred to as internal control measures in the model, and management controls, which are those that oversee and monitor the individual activities.
• The second line of defense represents other assurance activities such as those listed in exhibit 3-5. These activities are conducted by individuals reporting through different lines of management than those directly responsible for the internal control activities.
• The third line of defense represents the assurance internal audit functions provide. Since internal audit functions typically report functionally to the board and have no other management responsibilities, they are in the best position to provide independent and objective assurance.
What are the two categories of guidance included in the IPPF?
The two categories of guidance included in the International Professional Practices Framework (IPPF) are mandatory guidance, which includes the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing, and recommended guidance, which includes implementation guidance and supplemental guidance.
Which of the following is the premier certification sponsored by The IIA? a. Certification in Control Self-Assessment b. Certified Internal Auditor. c. Certification in Risk Management Assessment. d. Certified Information Systems Auditor
B
What is the relationship between auditing and accounting?
"The relationship of auditing to accounting is close, yet their natures are very different; they are business associates, not parent and child. Accounting includes the collection, classification, summarization, and communication of financial data; it involves the measurement and communication of business events and conditions as they affect and represent a given enterprise or other entity. The task of accounting is to reduce a tremendous mass of detailed information to manageable and understandable proportions. Auditing does none of these things. Auditing must consider business events and conditions too, but it does not have the task of measuring or communicating them. Its task is to review the measurements and communications of accounting for propriety. Auditing is analytical, not constructive; it is critical, investigative, concerned with the basis for accounting measurements and assertions. Auditing emphasizes proof, the support for financial statements and data. Thus auditing has its principal roots, not in accounting which it reviews, but in logic on which it leans heavily for ideas and methods." — Mautz and Sharaf, The Philosophy of Auditing
Which of the following would not be considered a first line of defense in the Three Lines of Defense model? a. A divisional controller conducts a peer review of compliance with financial control standards. b. An accounts payable clerk reviews supporting documents before processing an invoice for payment. c. An accounting supervisor conducts a monthly review to ensure all reconciliations were completed properly d. A production line worker inspects finished goods to ensure the company's quality standards are met.
A
Within the context of internal auditing, assurance services are best defined as: a. Objective examinations of evidence for the purpose of providing independent assessments. b. Advisory services intended to add value and improve an organization's operations. c. Professional activities that measure and communicate financial and business data d. Objective evaluations of compliance with policies, plans, procedures, laws, and regulations.
A
Which of the following is not an example of a risk-sharing strategy? a. Outsourcing a noncore, high-risk area. b. Selling a nonstrategic business unit. c. Hedging against interest rate fluctuations. d. Buying an insurance policy to protect against adverse weather.
B
AVF Company's new CFO has asked the company's CAE to meet with him to discuss the role of the internal audit function. The CAE should inform the CFO that the overall responsibility of internal audit is to: a. Serve as an independent assurance and consulting activity designed to add value and improve the company's operations. b. Assess the company's methods for safeguarding its assets and, as appropriate, verify the existence of the assets. c. Review the integrity of financial and operating information and the methods used to accumulate and report information. d. Determine whether the company's system of internal controls provides reasonable assurance that information is effectively and efficiently communicated to management.
A
According to COSO ERM, which of the following is not an inherent challenge that arises as part of establishing strategy and business objectives? a. Ensuring culture is clearly articulated by the board. b. Possibility of strategy not aligning. c. Implications from the strategy chosen. d. Risk to achieving the strategy.
A
Independent outside auditors provide financial reporting assurance services primarily for: a. The benefit of third parties. b. Management. c. Board of directors. d. The CEO.
A
One of the challenges of ERM in an organization that has a centralized structure is that: a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas. b. Employees in these structures are inherently less risk averse. c. Managers have less incentive to implement and monitor controls. d. Effective controls are more difficult to design, and consistent application is more difficult to achieve across the organization.
A
Which of the following are typically governance responsibilities of senior management? I. Delegating its tolerance levels to risk managers. II. Monitoring day-to-day performance of specific risk management activities. III. Establishing a governance committee of the board. IV. Ensuring that sufficient information is gathered to support reporting to the board. a. I and IV. b. II and III. c. I, II, and IV. d. I, II, III, and IV.
A
Which of the following is not a potential value driver for implementing ERM? a. Financial results will improve in the short run b. There will be fewer surprises from year to year c. There will be better information available to make risk decisions d. An organization's risk appetite can be aligned with strategic planning.
A
Which of the following is one of the 5 Cs essential to success as an internal auditor? a. courage b. consistency c. collaboration d. candidness
A
Which of the following represents the best governance structure? (Categories: 1 = operating management, 2 = executive management, 3 = internal auditing) a. 1 Responsibility for risk; 2 Oversight role; 3 Advisory role. b. 1 Oversight role; 2 Responsibility for risk; 3 Advisory role. c. 1 Responsibility for risk; 2 Advisory role; 3 Oversight role. d. 1 Oversight role; 2 Advisory role; 3 Responsibility for risk.
A
Which of the following would be considered a first line in the three lines of defense model? a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date. b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training. c. The external audit team observes the counting of inventory on December 31. d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes-Oxley compliance with internal controls over financial reporting.
A
What are the four categories of business objectives discussed in this chapter?
According to the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) ERM Framework, the four categories of business objectives introduced in this chapter are:
■ Strategic objectives, which pertain to the value creation choices management makes on behalf of the organization's stakeholders.
■ Operations objectives, which pertain to the effectiveness and efficiency of the organization's operations, including performance and profitability goals and safeguarding resources against loss.
■ Reporting objectives, which pertain to the reliability of internal and external reporting of financial and nonfinancial information.
■ Compliance objectives, which pertain to adherence to applicable laws and regulations.
The Internal Audit Foundation exists to help audit leaders, practitioners, students, and academics experience continuous growth in their careers to propel them to become: a. Strong assurance providers. b. Trusted advisors. c. Independent outside auditors. d. CAEs.
B
What types of business events tend to drive new legislation and guidance? a. Economic downturns b. Fraud or other corporate wrongdoing. c. Elections or other political changes. d. Economic growth.
B
When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed. b. Provide assurance on the management of the risk. c. update the risk mgmt process based on risk exposures d. Design controls to mitigate the identified risks.
B
Which of the following is not a role of the internal audit function in best practice governance activities? a. Support the board in enterprisewide risk assessment. b. Ensure the timely implementation of audit recommendations. c. Monitor compliance with the corporate code of conduct. d. Discuss areas of significant risks.
B
Which of the following would be considered a second line of defense in the Three Lines of Defense model? a. An accounts payable supervisor conducting a weekly review to ensure all payments were issued by the required payment date. b. A divisional compliance and ethics officer conducting a review of employee training records to ensure that all marketing and sales staff have completed the required FCPA training. c. A shift supervisor inspecting a sample of finished goods to ensure quality standards are met. d. An internal audit team conducting an engagement to provide assurance on the company's Sarbanes-Oxley compliance with internal controls over financial reporting.
B
While planning an internal audit, the internal auditor obtains knowledge about the auditee to, among other things: a. Develop an attitude of professional skepticism about management's assertions. b. Develop an understanding of the auditee's objectives and risks. c. Make constructive suggestions to management concerning internal control improvements. d. Evaluate whether misstatements in the auditee's performance reports should be communicated to senior management and the audit committee.
B
Who is responsible for establishing the strategic objectives of an organization? a. The board of directors b. Senior management c. Consensus among all levels of management. d. The board and senior management jointly.
B
Who is ultimately responsible for identifying new or emerging key risk areas that should be covered by the organization's governance process? a. The board of directors. b. Senior management. c. Risk owners d. The internal audit function.
B
An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function's risk model. It is currently on a two year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement? a. The area being audited involves the processing of a high volume of transactions. b. Certain components of the process are outsourced c. A new system was implemented during the year, which changed how the transactions are processed. d. The total dollars processed in this area are material.
C
Companies in industries that are heavily regulated may be subject to audits by the regulator's auditors. While not specifically covered in the Three Lines of Defense model, such auditors would most likely be considered: a. Part of the 1st line of defense. b. Part of the 2nd line of defense. c. Part of the 3rd line of defense. d. not a line of defense
C
Enterprise risk management: a. Guarantees achievement of business objectives. b. Requires establishment of risk and control activities by internal auditors. c. Involves the identification of events with negative impacts on business objectives d. Includes selection of best risk response for the organization.
C
Internal auditors must have competent interpersonal skills. Which of the following does not represent an attribute of interpersonal skills? a. Communication. b. Leadership. c. Project management. d. Team capabilities.
C
The internal audit function should not: a. Assess the organization's governance and risk management processes. b. Provide advice about how to improve the organization's governance and risk management processes. c. Oversee the organization's governance and risk management processes d. coordinate its governance and risk management related activities with those of the independent outside auditor.
C
When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should: a. Report the unacceptable risk level immediately to the chair of the audit committee and the independent outside audit firm partner. b. Resign his or her position in the organization c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee. d. Accept senior management's position because it establishes the risk appetite for the organization.
C
Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success? a. Economic event. b. Natural environment event. c. Political event. d. Social event.
C
Which of the following is a framework that can help individual internal auditors and internal audit functions assess their current competency levels and identify areas for improvement? a. Internal Control - Integrated Framework. b. International Professional Practices Framework. c. The Global Internal Auditor Competency Framework. d. Enterprise Risk Management Framework.
C
Which of the following is recommended guidance within the IPPF? a. The Definition of Internal Auditing. b. The Standards. c. Supplemental guidance. d. None of the above.
C
Which of the following risk management activities is out of sequence in terms of timing? a. Identify, assess, and prioritize risks. b. Develop risk responses/treatments. c. Determine key organizational objectives d. Monitor the effectiveness of risk responses/ treatments
C
How does COSO define risk appetite?
COSO defines risk appetite as "the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value."
How does COSO define strategy and business objectives?
COSO defines strategy as "The organization's plan to achieve its mission and vision and to apply its core values." It defines business objectives as "Those measurable steps the organization takes to achieve its strategy."
How does COSO define mission, vision, and core values?
COSO's definitions are: ■ Mission: The entity's core purpose, which establishes what it wants to accomplish and why it exists. ■ Vision: The entity's aspirations for its future state or what the organization aims to achieve over time. ■ Core Values: The entity's beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.
What are COSO's five categories of risk response?
COSO's five categories of risk response are: ■ Accept. ■ Avoid. ■ Pursue. ■ Reduce. ■ Share.
In what forms might risk information be communicated?
Communications may be in the form of: ■ Electronic messaging. ■ External/third-party materials. ■ Informal/verbal updates. ■ Training and seminars. ■ Written internal documents.
What is co-sourcing? Why might an organization choose to co-source its internal audit function?
Co-sourcing means that an organization is supplementing its in-house internal audit function to some extent via the services of third-party vendors. Common situations in which an organization will co-source its internal audit function include circumstances in which the third-party vendor has specialized audit knowledge and skills that the organization does not have in-house and circumstances in which the organization has insufficient in-house internal audit resources to fully complete its planned engagements.
The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM. Which of the following would not be relevant with respect to protecting the internal audit function's independence and the objectivity of its internal auditors? a. A cross-section of management is involved in assessing the impact and likelihood of each risk. b. Risk owners are assigned responsibility for each key risk. c. A member of senior management presents the results of the risk assessment to the board and communicates that it represents the organization's risk profile. d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.
D
The function of the chief risk officer is most effective when he or she: a. Manages risk as a member of senior management. b. Shares the management of risk with line management. c. Shares the management of risk with the CAE. d. Monitors risk as part of the ERM team.
D
An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on potential legislation that could have a dramatic effect on this industry. Which of the following may create the greatest risk if this organization makes business decisions based on the information contained on this website? a. Appropriateness of the information. b. Timeliness of the information. c. Accessibility of the information. d. Accuracy and reliability of the information.
D
Assurance, Insight, and Objectivity comprise: a. The mission of internal auditing. b. The three lines of defense model. c. The objectives of internal auditing. d. The value proposition.
D
Which of the following are components of the definition of internal auditing? a. Independence and objectivity. b. A systematic and disciplined approach. c. Helping the organization accomplish its objectives. d. All of the above.
D
Which of the following is mandatory guidance within the IPPF? a. Implementation guidance. b. Supplemental guidance. c. The value proposition. d. The core principles.
D
Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan? a. To emphasize the importance of the internal audit function to the organization. b. To ensure that the internal audit plan will be approved by senior management. c. To make recommendations to improve the strategic plan. d. To ensure that the internal audit plan supports the overall business objectives.
D
Which of the following is the ultimate position of a career internal auditor? a. CEO b. CFO c. CRO d. CAE
D
Which of the following statements is not true about business objectives? a. Business objectives represent targets of performance. b. Establishing meaningful business objectives is a prerequisite to effective internal control. c. Establishing meaningful business objectives is a key component of the management process. d. Business objectives are management's means of employing resources and assigning responsibilities.
D
Which of the following statements regarding corporate governance is NOT correct? a. Corporate control mechanisms include internal and external mechanisms. b. The compensation scheme for management is part of the corporate control mechanisms. c. The dilution of shareholders' wealth resulting from employee stock options or employee stock bonuses is an accounting issue rather than a corporate governance issue. d. The internal audit function of a company has more responsibility than the board for the company's corporate governance.
D
Who is responsible for implementing ERM? a. The chief financial officer. b. The chief audit executive. c. The chief compliance officer. d. Management throughout the organization.
D
What are some of the factors that have fueled the dramatic increase in demand for internal audit services over the past 30 years?
Factors that have fueled the dramatic increase in demand for internal audit services over the past 30 years include globalization, increasingly complex corporate structures, e-commerce and other technological advances, and a global economic downturn.
What are the definitions of governance, risk management, and control provided in this chapter?
Governance is the process conducted by the board of directors to authorize, direct, and oversee management toward the achievement of the organization's objectives. Risk management is the process conducted by management to understand and deal with uncertainties (risks and opportunities) that could affect the organization's ability to achieve its objectives. Control, as defined in this chapter, is the process conducted by management to mitigate risks to acceptable levels. Please see the textbook glossary for separate definitions of controls, internal control, and system of internal controls.
3 What are some key U.S. regulations that have been written in response to adverse business events?
Key U.S. regulations that have been written in response to adverse business events include, for example, the legislation and guidance presented in exhibit 3-6: Securities Act of 1933, Securities Exchange Act of 1934, Foreign Corrupt Practices Act of 1977, Report of the National Commission on Fraudulent Financial Reporting (1987), Federal Deposit Insurance Corporation Improvement Act of 1991, U.S. Sarbanes-Oxley Act of 2002, U.S. Stock Exchange Listing Standards, and the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.
What options does an individual have if he or she chooses to be a career internal auditor?
Options that an individual has if he or she chooses to be a career internal auditor include progressing upward through the ranks of a single organization's internal audit function into internal audit management, advancing up the ladder by moving from one organization to another, or moving upward through the various levels in a firm that provides internal assurance and consulting services to other organizations.
3 In addition to the internal audit function, what other internal functions may provide independent assurance to the board or senior management?
Other examples mentioned in the chapter include an environmental and safety function, quality assurance groups, and trading control activities.
What is the difference between the two areas of governance depicted in exhibit 3-3?
The first broad area of governance is strategic direction. The board is responsible for providing strategic direction and oversight relative to the establishment of key business objectives, consistent with the organization's business model. Directors bring varied and diverse business experience to the board and, thus, are in a position to provide the strategic direction and oversight of that direction that will help the organization be successful. The board can also influence the organization's risk-taking philosophy and establish broad boundaries of conduct based on the organization's overall risk appetite and cultural values. Providing strategic direction, overseeing the objective-setting process, and monitoring progress toward meeting the goals and objectives of the organization are key reasons for the board's existence. The second broad area of governance is governance oversight. This area involves the board understanding the needs of stakeholders, providing direction and authority to senior managers, who in turn empower risk owners to carry out that direction, reporting of risk management effectiveness up from risk owners to senior management to the board, and internal and external activities, most notably the internal and external auditors, providing assurances to senior management and the board as to the effectiveness of governance activities.
What are the five COSO ERM components?
The five COSO ERM components are: ■ Risk Governance and Culture. ■ Risk, Strategy, and Objective-Setting. ■ Risk in Execution. ■ Risk Information, Communication, and Reporting. ■ Monitoring Enterprise Risk Management Performance.
What are the character traits, known as the 5 Cs, that are required for success in the internal audit profession?
The five Cs are: Competence, Credibility, Connectivity, Communication, and Courage.
What five activities are included in the ISO 31000 risk management process?
The five activities included in the ISO 31000 risk management process are: ■ Establish the context. ■ Assess the risks. ■ Treat the risks. ■ Monitor the risks. ■ Establish a communication and consultation process.
What are the five components of the ISO 31000 risk management framework?
The five components of the ISO 31000 risk management framework are: ■ Mandate and commitment. ■ Design of framework for managing risk. ■ Implementing the risk management framework and process. ■ Monitoring the framework. ■ Continually improving the framework.
What are the five fundamental points embedded in the COSO and ISO definitions of risk?
The five fundamental points embedded in the COSO and ISO definitions of risk are: ■ Risk begins with strategy formulation and setting of business objectives. ■ Risk involves uncertainty, which COSO refers to as "The state of not knowing how potential events may or may not manifest." ■ Risk does not represent a single point estimate (for example, the most likely outcome). Rather, it represents a range of possible outcomes. ■ Risks may relate to preventing bad things from happening (risk mitigation), or failing to ensure good things happen (that is, exploiting or pursuing opportunities). ■ Risks are inherent in all aspects of life—that is, wherever uncertainty exists, one or more risks exist.
3 What role does the internal audit function play in governance?
The internal audit function's governance responsibilities may include any or all of the following: • Evaluating whether the various risk management activities are designed adequately to manage the risks associated with unacceptable outcomes. • Testing and evaluating whether the various risk management activities are operating as designed. • Determining whether the assertions made by the risk owners to senior management regarding the effectiveness of the risk management activities accurately reflect the current state of risk management effectiveness. • Determining whether the assertions made by senior management to the board regarding the effectiveness of the risk management activities provide the board with the information it desires about the current state of risk management effectiveness. • Evaluating whether risk tolerance information is communicated timely and effectively from both the board to senior management and from senior management to the risk owners. • Assessing whether there are any other risk areas that are currently not included in the governance process, but should be (for example, a risk for which risk tolerance and reporting expectations have not been delegated to a specific risk owner).
What is the primary difference between internal and external financial reporting assurance services?
The primary difference between internal financial reporting assurance services and external financial reporting assurance services is the audience. Internal auditors provide financial reporting assurance services primarily for the benefit of management and the board of directors. Independent outside auditors provide financial reporting assurance services primarily for the benefit of third parties.
What types of procedures might an internal auditor use to test the design adequacy and operating effectiveness of governance, risk management, and control processes?
The types of procedures an internal auditor might use to test the design adequacy and operating effectiveness of governance, risk management, and control processes include: ■ Inquiring of managers and employees. ■ Observing activities. ■ Inspecting resources and documents. ■ Reperforming control activities. ■ Performing trend and ratio analysis. ■ Performing data analysis using computer-assisted audit techniques. ■ Gathering corroborating information from independent third parties. ■ Performing direct tests of events and transactions.
3 What types of outcomes might a board need to consider to understand stakeholders' expectations?
While outcomes may be categorized in many different ways, the chapter summarized them as being financial, compliance, operations, or strategic outcomes.