Chapter 5 Flashcards
A board’s role in organizational governance is best described as
The board is the focal point for all governance activities and establishes the “tone at the top.” The board is also responsible for implementing best governance practices and providing oversight of organizational activities.
How can a common risk language enhance an organization’s enterprise risk management (ERM) efforts?
ERM should be driven from the top down. Everyone in an organization has a role in effective risk management. Most organizations have layers (i.e., executives, line managers, and employees) and silos (i.e., operations, technology, quality management, and compliance). A common language cuts through the layers and breaks down silos. Without a common language, potential miscommunications and other communication issues can thwart risk management activities.
According to Practice Advisory 1210.A1-1, “Obtaining External Service Providers to Support or Complement the Internal Audit Activity,” when assessing competency, the best way of checking on the reputation of an outside service provider is to do which of the following?
Contacting others familiar with the outside service provider’s work is a good way of determining reputation. The professional certification or license is a minimum requirement for any prospective service provider. The other responses are used to determine the provider’s independence and objectivity.
Which of the following is not a role of the internal audit activity in best practice governance activities?
The internal audit activity is responsible for assessing and making recommendations for improving governance processes in the accomplishment of various organizational objectives. However, it is the role of management to ensure the timely implementation of the audit recommendations. The internal audit activity is responsible for the development of a timely procedure to monitor the disposition of the audit recommendations. The internal audit activity works with senior management and the audit committee to ensure that audit recommendations receive appropriate attention.
Who is responsible for overseeing the evaluation of information security (data protection) and control?
Every person in an organization has a role in implementing internal controls. The audit committee oversees the evaluation of the organization’s internal control system. The CRO establishes policies related to information security, and senior managers ensure compliance with the policies. The CAE assesses (evaluates) the system of controls over information security.
A section of a written code of conduct regarding conflict of interest should
A written statement for the items should define the issue; address expected behavior of employees, other corporate agents, and suppliers; and include provisions for activities, investments, or other interests that reflect on the entity’s integrity or reputation.
The Turnbull guidance
The U.S. Securities and Exchange Commission (SEC) has identified the Turnbull guidance as a suitable framework for complying with U.S. requirements to report on internal controls over financial reporting, as set out in Section 404 of the Sarbanes-Oxley Act of 2002 and related SEC rules. Turnbull recommends a focus on significant risks rather than all risks and the development of risk reporting systems within existing information systems, and it insists that employees be involved and have the necessary knowledge, skills, information, and authority to establish, operate, and monitor the system of internal control within their sphere of responsibility.
A realistic outcome of a privacy framework evaluation is
In conducting an evaluation of the privacy framework, Practice Advisory 2130.A1-2 recommends that the internal auditor consider the “laws, regulations, and policies relating to privacy in the jurisdictions where the organization operates.”
Which of the following is not an internal audit control responsibility with respect to fraud prevention, deterrence, and detection?
It is management’s responsibility to establish and maintain an effective control system. Translating an organization’s corruption prevention principles across operations would be a management responsibility.
Internal auditing’s role in the risk management process of an organization can change over time and may encompass:
I. No role.
II. Auditing the risk management process as part of the internal audit plan.
III. Participation on oversight committees, monitoring activities, and status reporting.
Senior management and the board determine the role of internal auditing in the risk management process. Their view on internal auditing’s role is likely to be determined by factors such as the culture of the organization, ability of the internal audit staff, and local conditions and customs of the country. However, taking on management’s responsibility regarding the risk management process and the potential threat to the internal audit activity’s independence requires a full discussion and board approval.
Which of the following has responsibility for a control self-assessment (CSA)?
The responsibility for the CSA process is shared among all employees in an organization.
Which of the following is true of internal auditors?
Internal auditors do not have responsibility for internal control; management does. Internal auditors do have responsibility for monitoring controls. Internal auditors are not required to express an overall opinion on the adequacy of controls. If the CAE is asked to provide an opinion, the opinion should clearly specify evaluation criteria and scope over which the opinion applies.
Which of the following is not a responsibility of the chief audit executive (CAE)?
Practice Advisory 2120-1 states that risk management is a key responsibility of senior management and the board, not the CAE. To achieve its business objectives, management ensures that sound risk management processes are in place and functioning. Boards have an oversight role to determine that appropriate risk management processes are in place and that these processes are adequate and effective. In this role, they may direct the internal audit activity to assist them by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of management’s risk processes.
To minimize potential financial losses associated with physical assets, the assets should be insured in an amount that is
The types and amounts of insurance should be supported by periodic appraisals. The other options are either not appropriate or do not provide an adequate and accurate reflection of the value of an asset.