Internal Audit Chpt 4
Core Values
The entity's beliefs and ideals about what is good or bad, acceptable or unacceptable, which influences the behavior of the organization.
Mission
The entity's core purpose, which establishes what it wants to accomplish and why it exists.
Strategy
The organization's plan to achieve its mission and vision and apply its core values.
Business Objectives
Those measurable steps the organization takes to achieve its strategy.
According to COSO ERM, which of the following is not an inherent challenge that arises as part of establishing strategy and business objectives? a. Ensuring culture is clearly articulated by the board b Possibility of strategy not aligning. c. Implications from the strategy chosen d. Risk to achieving the strategy
a. Ensuring culture is clearly articulated by the board
Which of the following is not a potential value driver for implementing ERM? a. Financial results will improve in the short run b. There will be fewer surprises from year to year c. There will be better information available to make risk decisions d. An organization's risk appetite can be aligned with strategic planning
a. Financial results will improve in the short run
One of the challenges of ERM in an organization that has a centralized structure is that: a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas b. Employees in these structures are inherently less risk adverse c. Managers have less incentive to implement and monitor controls d. Effective controls are more difficult to design, and consistent application is more difficult to achieve across the organization
a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas
COSO definition of risk
the possibility that an event will occur and adversely affect the achievement of a strategy and objective.
Risk Governance and Culture
1. Exercises board risk oversight 2. Establishes governance and operating model 3. Defines desired organizational behaviors 4. Demonstrates commitment to integrity and ethics 5. Enforces accountability 6. Attracts, develops, and retains talented individuals
Management's role in ERM
1. Responsible for carrying out all activities of an organization. 2. Ensuring a positive and ethical tone is set. 3.monitors the organization's overall risk activities in relation to risk appetite. 4.Mangeing risks in their units.
COSO five risk components:
1. Risk Governance and Culture 2. Risk, Strategy, and objective-Setting 3. Risk Execution 4. Risk Information, Communication, and Reporting 5. Monitoring Enterprise Risk Management Performance
Three inherent challenges that arise as part of establishing strategy and business objectives:
1. The possibility of strategy not aligning. 2. Implications from the strategy chosen. 3. Risk to executing strategy.
Internal auditors role in ERM
1. evaluate effectiveness and recommending improvements to ERM.
The board of directors ERM role
1. risk oversight responsibility 2. Helps management establish the governance and operating models, define culture and desired behaviors, demonstrate commitment to integrity and ethics, and assign accountability and authority of risk to management.
Risk Execution
12. Identifies risk in execution 13. Assesses the severity of risk. 14. Prioritizes risks 15. Identifies and selects risk responses 16. Develop portfolio view 17. Assesses risk execution
Risk Information, Communication, and Reporting
18. Uses relevant information 19.Leverages information systems 20. Communicates risk information 21. Reports on risk, culture, and performance
Monitoring ERM Performance
22. Monitoring substantial change 23Monitors ERM
Risk, Strategy, and Objective-Setting
7. Considers risk and business context 8. Defines risk appetite 9. Evaluating alternative strategies 10. Considers risk while establishing business objectives 11. Defines acceptable variation in performance.
Opportunity
An action or potential action that creates or alters goals or approaches for creating, preserving, or realizing value.
Entity Level Controls
Controls that operate across an entire entity and, as such, are not bound by, or associated with, individual processes.
Vision
The entity's aspirations for its future state or what the organization aims to achieve over time.
Enterprise Risk Management
The culture, capabilities, and practices, integrated with strategy-setting, that organizations rely on to manage risk in creating, preserving, and realizing value.
When assessing the risk associated with an activity, an internal auditor should: a. Determine how the risk should best be managed b. Provide assurance on the management of the risk c. Update the risk management process based on risk exposures d. Design controls to mitigate the identified risks
b. Provide assurance on the management of the risk
Which of the following is not an example of a risk-sharing strategy? a. Outsourcing a noncore, high-risk area b. Selling a nonstrategic business unit c. Hedging against interest rate fluctuations d. Buying an insurance policy to protect against adverse weather
b. Selling a nonstrategic business unit
An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function's risk model. It is currently on a two-year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement? a. The area being audited involves the processing of a high volume of transactions. b. Certain components of the process are outsourced c. A new system was implemented during the year, which changed how the transactions are processed d. The total dollars processed in this area are material
c. A new system was implemented during the year, which changed how the transactions are processed
Which of the following risk management activities is out of sequence in terms of timing? a. Identify, asses, and prioritize risks b. Develop risk responses/treatments c. Determine key organizational objectives d. Monitor the effectiveness of risk responses/treatments
c. Determine key organizational objectives
When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should: a. Report the unacceptable risk level immediately to the chair of the audit committee and the independent outside audit firm partner b. Resign his or her position in the organization c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee d. Accept senior management's position because it establishes the risk appetite for the organization
c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee
Enterprise risk management: a. Guarantees achievement of business objectives b. Requires establishment of risk and control activities by internal auditors c. Involves the identification of events with negative impacts on business objectives d. Includes selection of best risk response for the organization
c. Involves the identification of events with negative impacts on business objectives
Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success? a. Economic event b. Natural environment event c. Political event d. Social Event
c. Political event
An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on political legislation that could have a dramatic effect on this industry. Which of the following may create the greatest risk if this organization makes business decisions based on the information contained on this website? a. Appropriateness of the information b. Timeliness of the information c. Accessibility of the information d. Accuracy and reliability of the information
d. Accuracy and reliability of the information
Who is responsible for implementing ERM? a. The chief financial officer b. The chief audit executive c. The chief compliance officer d. Management throughout the organization
d. Management throughout the organization
The function of the chief risk officer is most effective when he or she: a. Manages risk as a member of senior management b. Shares the management of risk with line management c. Shares the management of risk with the CAE. d. Monitors risk as part of the ERM team.
d. Monitors risk as part of the ERM team.
The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM. Which of the following would not be relevant with respect to protecting the internal audit function's independence and objectivity of its internal auditors? a. A cross-section of management is involved in assessing the impact and likelihood of each risk. b. Risk owners are assigned responsibility for each key risk c. A member of senior management presents the results of the risk assessment to the board and communicates that it represents the organization's risk profile d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.
d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.
Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual audit plan? a. To emphasize the importance of the internal audit function to the organization b. To ensure that the internal audit plan will be approved by senior management c. To make recommendations to improve the strategic plan d. To ensure that the internal audit plan supports the overall business objectives
d. To ensure that the internal audit plan supports the overall business objectives