ACC 451 Chapter 4
Terms in this set (37)
What are the common categories of risk response?
-Avoidance: exiting/divesting the risky activities, dropping a product line
-Reduction: reducing risk likelihood or impact
-Sharing: transferring a portion of the risk (e.g., insurance, outsourcing)
-Acceptance: the risk is small enough that we are able to handle it
What are examples of commonly implemented control activities?
Policies/Procedures to carry out management's risk responses:
-Direct functional/activity management
-Information processing controls
-Segregation of duties
Preventive, detective, and corrective controls
Use Exhibit 4-3 to identify the components of the system of internal control that filter key risks, which occur at varying levels of the organization.
1. Entity-level controls
2. Process-level controls
3. Transaction-level controls
4. Compensating controls
Identify CAE's options when senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization.
1. The CAE must first discuss the matter with knowledgeable members of senior management
2. If still not resolved, the audit committee is the next higher authority
According to IIA Practice Advisory 2010-1: Linking the Audit Plan to Risk and Exposures, how should the IAF's audit plan be determined?
1. Develop/update the audit universe
-Subdivisions of an org that exist to manage one or more business risks
2. Prepare the internal audit plan
-based on an assessment of risk and exposures that may affect the organization (inherent risks)
3. Set key audit objectives
-Provide management with information to mitigate the negative consequences associated with accomplishing the org's objectives
-Provide an assessment of the effectiveness of management's risk management activities
What ERM assurance activities are considered as the IAF's core roles to perform?
1. Evaluating risk management processes
2. Evaluating the reporting of key risks
3. Reviewing the management of key risks
4. Giving assurance on the risk management processes
Identify the types of ERM activities the IAF should NOT perform.
1. Setting the risk appetite
2. Imposing risk management processes
3. Management assurance on risks (assurance that is management's to give, not the IAF's)
4. Taking decisions on risk responses
5. Implementing risk responses on management's behalf
6. Taking accountability (being responsible) for risk management
How does COSO define risk? How does ISO define risk?
COSO: the possibility that an event will occur and adversely affect the achievement of objectives.
ISO 31000: the effect of uncertainty on objectives.
What are the four fundamental points embedded in the COSO and ISO definitions of risk?
-Risk begins with strategy formulation and objective setting
-Risk does not represent a single point in time
-Risks may relate to preventing bad things from happening (risk mitigation) or to failing to ensure good things happen (exploiting opportunities)
-Risks are inherent in all aspects of life
Describe the top-down view of risk using Exhibit 4-3.
-Variety of risks (varying colors)
-Some risks are bigger than others (different size of balls)
-Some risks occur individually while others occur in aggregate/interdependence (clustered balls)
-Inherent risk = the combination of internal and external risk factors in their pure, uncontrolled state (no attempt has yet been made to control these risks)
-Residual risk= portion of inherent risk that remains after internal controls are in place
Who is ultimately responsible for identifying new or emerging key risk areas that should be covered by the organization's governance process?
Inherent risk: hasn't been controlled
Residual risk: has been treated and controlled; should be within the risk appetite
Which types of risk should have a greater impact on the annual internal audit plan?
According to COSO Cube, what are the fundamental concepts in its definition of ERM and its ERM framework (Exhibit 4-2)?
-Effected by people
-Applied when setting an org's strategy
-Applied across the org
-Focused on taking an entity-level portfolio view of risk
-Designed to identify potential events that could affect the org
-Manages risk to be within the org's risk appetite
-Able to provide reasonable assurance to management and BOD
-Geared toward achievement of objectives in one or more separate but overlapping categories
Explain why the internal environment (COSO) and mandate and commitment (ISO) are critical to risk management success.
The success of an ERM initiative depends on solid support from the top of the organization to ensure that the initiative's objectives are aligned with the organization's objectives. Sufficient resources should be invested in the initiative and allocated appropriately. Top-down commitment from the board and senior management must be sustained.
Risk Management philosophy
A set of shared beliefs characterizing how the entity considers risk in everything it does, from strategy development/implementation to its day-to-day.
Risk tolerance
Acceptable levels of variation relative to the achievement of objectives.
What are the 4 types of objectives in COSO's ERM - Integrated Framework? Include a description of each.
1. Strategic - high-level goals that are aligned with and support the org's mission
2. Operations - broad goals promoting the effective and efficient use of resources
3. Reporting - goals focusing on the reliability of reporting
4. Compliance - goals relating to compliance with applicable laws and regulations
If an organization was unable to effectively manage the risks around the objectives in one of those categories, for which category would the impact on the organization be the greatest?
What are events that could stop us from accomplishing our objectives?
External factors (less control):
-Natural environment events
Internal factors (direct control): what you have, what people you use, how you design technology
-Infrastructure factors (e.g., funds for preventive maintenance)
Risk assessment most commonly focuses on two criteria. What are the two common factors used when assessing risks?
Impact & Likelihood
The risk that exists before management takes any steps to control the likelihood or impact of a risk is:
Inherent risk
A manufacturing company has identified the following risk: "Failure of employees to conduct required quality control procedures may result in a high level of customer returns." To which type of objective does this risk most directly relate?
Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success?
According to COSO ERM, all of the following are elements of an organization's internal environment EXCEPT:
Setting organizational objectives
Which of the following is NOT a potential value driver for implementing ERM?
a. Financial results will improve in the short run.
b. There will be fewer surprises from year to year.
c. There will be better information available to make risk decisions.
d. An organization's risk appetite can be aligned with strategic planning.
a. Financial results will improve in the short run
In assessing organizational risk in a manufacturing firm, which of the following would have the most long-range impact on the organization:
An internal auditor engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function's risk model. It is currently on a two-year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement?
A new system was implemented during the year, which changed how the transactions are processed.
Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual audit plan?
To ensure that the internal audit plan supports the overall business objectives.
When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should:
Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee.
An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on potential legislation that could have a dramatic effect on this industry.
Which of the following may create the greatest risk if this organization makes business decisions based on the information contained on this website?
a. Timeliness of the information.
b. Accessibility of the information.
c. Appropriateness of the information.
d. Accuracy and reliability of the information.
d. Accuracy and reliability of information
A risk that a new competitor will significantly reduce the market share of an organization's product likely relates to which type of objective?
The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM.
Which of the following would NOT be relevant with respect to protecting the internal audit function's independence and the objectivity of its internal auditors?
The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.
Which of the following is not an example of a risk-sharing strategy?
Selling a nonstrategic business unit
Who is responsible for implementing ERM?
Management throughout the organization
Which of the following risk management activities is out of sequence in terms of timing?
Determine key organizational objectives
(Correct order: determine key organizational objectives; identify, assess, and prioritize risks; develop risk responses/treatments; monitor the effectiveness of risk responses/treatments.)