Chapter 4: Risk Management Flashcards

1
Q

According to COSO ERM, which of the following is not an inherent challenge that arises as part of establishing strategy and business objectives?

a. Ensuring culture is clearly articulated by the board.
b. Possibility of strategy not aligning.
c. Implications from the strategy chosen.
d. Risk to achieving the strategy.

A

A is the best answer. Setting and communicating culture is not part of establishing strategy and business objectives. Also, while the board has a role in setting the culture, management is primarily responsible for communicating it throughout the organization.

2
Q

Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success?

a. Economic event.
b. Natural environment event.
c. Political event.
d. Social event.

A

C is the best answer. While any or all of those events may impact a defense contractor’s success, a change in government or political agendas is most likely to have a significant impact.

3
Q

Which of the following is not an example of a risk-sharing strategy?

a. Outsourcing a noncore, high-risk area.
b. Selling a nonstrategic business unit.
c. Hedging against interest rate fluctuations.
d. Buying an insurance policy to protect against adverse weather.

A

B is the best answer. Selling a business unit is a risk avoidance strategy.

4
Q

An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on potential legislation that could have a dramatic effect on this industry. Which of the following may create the greatest risk if this organization makes business decisions based on the information contained on this website?

a. Appropriateness of the information.
b. Timeliness of the information.
c. Accessibility of the information.
d. Accuracy and reliability of the information.

A

D is the best answer. While there are risks with the other factors, an anonymous website may not be accurate and reliable enough to support business decisions.

5
Q

Which of the following risk management activities is out of sequence in terms of timing?

a. Identify, assess, and prioritize risks.
b. Develop risk responses/treatments.
c. Determine key organizational objectives.
d. Monitor the effectiveness of risk responses/treatments.

A

C is the best answer. Key organizational objectives must be determined before the risks that threaten the achievement of the objectives can be identified, assessed, and prioritized.

6
Q

Who is responsible for implementing ERM?

a. The chief financial officer.
b. The chief audit executive.
c. The chief compliance officer.
d. Management throughout the organization.

A

D is the best answer. ERM must be implemented by management throughout an organization.

7
Q

Which of the following is not a potential value driver for implementing ERM?

a. Financial results will improve in the short run.
b. There will be fewer surprises from year to year.
c. There will be better information available to make risk decisions.
d. An organization’s risk appetite can be aligned with strategic planning.

A

A is the best answer. While there may be long-term financial benefits from ERM, organizations should not expect to see such benefits in the short run.

8
Q

Which of the following is the best reason for the CAE to consider the organization’s strategic plan in developing the annual internal audit plan?

a. To emphasize the importance of the internal audit function to the organization.
b. To ensure that the internal audit plan will be approved by senior management.
c. To make recommendations to improve the strategic plan.
d. To ensure that the internal audit plan supports the overall business objectives.

A

D is the best answer. It is important to align the internal audit plan with the organization’s business objectives.

9
Q

When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should:

a. Report the unacceptable risk level immediately to the chair of the audit committee and the independent outside audit firm partner.
b. Resign his or her position in the organization.
c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee.
d. Accept senior management’s position because it establishes the risk appetite for the organization.

A

C is the best answer. The chief audit executive (CAE) must first verify that he or she fully understands management’s reasons for accepting that level of risk. If he or she is still not comfortable, the audit committee is the next higher authority.

10
Q

The CAE is asked to lead the enterprise risk assessment as part of an organization’s implementation of ERM. Which of the following would not be relevant with respect to protecting the internal audit function’s independence and the objectivity of its internal auditors?

a. A cross-section of management is involved in assessing the impact and likelihood of each risk.
b. Risk owners are assigned responsibility for each key risk.
c. A member of senior management presents the results of the risk assessment to the board and communicates that it represents the organization’s risk profile.
d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.

A

D is the best answer. Utilizing an outside consultant does not necessarily eliminate the impairment of the internal auditor’s objectivity. The function may still be perceived to have responsibility for performing a management function.

11
Q

An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function’s risk model. It is currently on a two-year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement?

a. The area being audited involves the processing of a high volume of transactions.
b. Certain components of the process are outsourced.
c. A new system was implemented during the year, which changed how the transactions are processed.
d. The total dollars processed in this area are material.

A

C is the best answer. The significant change in the underlying system will have a great impact on the current audit. The other factors will influence the overall risk rating of the audit project, but will typically have less impact on the scope and approach toward the audit.

12
Q

When assessing the risk associated with an activity, an internal auditor should:

a. Determine how the risk should best be managed.
b. Provide assurance on the management of the risk.
c. Update the risk management process based on risk exposures.
d. Design controls to mitigate the identified risks.

A

B is the best answer. Assurance services involve the internal auditor’s objective assessment of management’s risk management activities and the degree to which they are effective.

13
Q

One of the challenges of ERM in an organization that has a centralized structure is that:

a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas.
b. Employees in these structures are inherently less risk averse.
c. Managers have less incentive to implement and monitor controls.
d. Effective controls are more difficult to design, and consistent application is more difficult to achieve across the organization.

A

A is the best answer. In a centralized structure, most communication is vertical, up and down a hierarchical chain of command. This impedes communication and awareness across functional lines, which can be an obstacle for ERM.

14
Q

The function of the chief risk officer is most effective when he or she:

a. Manages risk as a member of senior management.
b. Shares the management of risk with line management.
c. Shares the management of risk with the CAE.
d. Monitors risk as part of the ERM team.

A

D is the best answer. The chief risk officer (CRO) is most effective when supported by a specific team with the necessary expertise and experience related to organizational risk.

15
Q

Enterprise risk management:

a. Guarantees achievement of business objectives.
b. Requires establishment of risk and control activities by internal auditors.
c. Involves the identification of events with negative impacts on business objectives.
d. Includes selection of best risk response for the organization.

A

C is the best answer. A is incorrect because ERM does not guarantee business objectives can be achieved.

16
Q

How does COSO define risk?

A

The COSO exposure draft defined risk as “The possibility that events will occur and affect the achievement of a strategy and objectives.”

17
Q

How does ISO define risk?

A

ISO defines risk as “effect of uncertainty on objectives.”

18
Q

What are the five fundamental points embedded in the COSO and ISO definitions of risk?

A

The five fundamental points embedded in the COSO and ISO definitions of risk are:
■ Risk begins with strategy formulation and setting of business objectives.
■ Risk involves uncertainty, which COSO refers to as “The state of not knowing how potential events may or may not manifest.”
■ Risk does not represent a single point estimate (for example, the most likely outcome). Rather, it represents a range of possible outcomes.
■ Risks may relate to preventing bad things from happening (risk mitigation), or failing to ensure good things happen (that is, exploiting or pursuing opportunities).
■ Risks are inherent in all aspects of life—that is, wherever uncertainty exists, one or more risks exist.

19
Q

According to COSO, what are the fundamental concepts emphasized in its definition of enterprise risk management (ERM)?

A

■ Recognizing culture and capabilities, which are key aspects of ERM.
■ Applying practices, which are the procedures and tasks employed by the organization to ensure effective risk management.
■ Integrating with strategy-setting and its execution, which involves management considering the implications of each strategy to the organization’s risk profile.
■ Managing risk to strategy and business objectives provides management and the board of directors with a reasonable expectation that they can achieve the overall strategy and business objectives.
■ Linking to creating, preserving, and realizing value means that, ultimately, the success of risk management is determined by value.

20
Q

How does COSO define mission, vision, and core values?

A

COSO’s definitions are:
■ Mission: The entity’s core purpose, which establishes what it wants to accomplish and why it exists.
■ Vision: The entity’s aspirations for its future state or what the organization aims to achieve over time.
■ Core Values: The entity’s beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization.

21
Q

How does COSO define strategy and business objectives?

A

COSO defines strategy as “The organization’s plan to achieve its mission and vision and to apply its core values.” It defines business objectives as “Those measurable steps the organization takes to achieve its strategy.”

22
Q

What are the five COSO ERM components?

A

The five COSO ERM components are:
■ Risk Governance and Culture.
■ Risk, Strategy, and Objective-Setting.
■ Risk in Execution.
■ Risk Information, Communication, and Reporting.
■ Monitoring Enterprise Risk Management Performance.

23
Q

How does COSO define risk appetite?

A

COSO defines risk appetite as “the types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value.”

24
Q

What is inherent risk?

A

Inherent risk represents the level of risk before management’s application of direct or focused actions to alter its severity.

25
Q

What is residual risk?

A

Residual risk represents the level of risk after management’s application of actions to alter its severity.

26
Q

What are COSO’s five categories of risk response?

A

COSO’s five categories of risk response are:
■ Accept.
■ Avoid.
■ Pursue.
■ Reduce.
■ Share.