Chapter 5 Flashcards

1
Q

A board’s role in organizational governance is best described as

A

The board is the focal point for all governance activities and establishes the “tone at the top.” The board is also responsible for implementing best governance practices and providing oversight of organizational activities.

2
Q

How can a common risk language enhance an organization’s enterprise risk management (ERM) efforts?

A

ERM should be driven from the top down. Everyone in an organization has a role in effective risk management. Most organizations have layers (i.e., executives, line managers, and employees) and silos (i.e., operations, technology, quality management, and compliance). A common language cuts through the layers and breaks down silos. Without a common language, potential miscommunications and other communication issues can thwart risk management activities.

3
Q

According to Practice Advisory 1210.A1-1, “Obtaining External Service Providers to Support or Complement the Internal Audit Activity,” when assessing competency, the best way of checking on the reputation of an outside service provider is to do which of the following?

A

Contacting others familiar with the outside service provider’s work is a good way of determining reputation. The professional certification or license is a minimum requirement for any prospective service provider. The other responses are used to determine the provider’s independence and objectivity.

4
Q

Which of the following is not a role of the internal audit activity in best practice governance activities?

A

The internal audit activity is responsible for assessing and making recommendations for improving governance processes in the accomplishment of various organizational objectives. However, it is the role of management to ensure the timely implementation of the audit recommendations. The internal audit activity is responsible for the development of a timely procedure to monitor the disposition of the audit recommendations. The internal audit activity works with senior management and the audit committee to ensure that audit recommendations receive appropriate attention.

5
Q

Who is responsible for overseeing the evaluation of information security (data protection) and control?

A

Every person in an organization has a role in implementing internal controls. The audit committee oversees the evaluation of the organization’s internal control system. The CRO establishes policies related to information security, and senior managers ensure compliance with the policies. The CAE assesses (evaluates) the system of controls over information security.

6
Q

A section of a written code of conduct regarding conflict of interest should

A

A written statement for the items should define the issue; address expected behavior of employees, other corporate agents, and suppliers; and include provisions for activities, investments, or other interests that reflect on the entity’s integrity or reputation.

7
Q

The Turnbull guidance

A

The U.S. Securities and Exchange Commission (SEC) has identified the Turnbull guidance as a suitable framework for complying with U.S. requirements to report on internal controls over financial reporting, as set out in Section 404 of the Sarbanes-Oxley Act of 2002 and related SEC rules. Turnbull recommends a focus on significant risks rather than all risks and the development of risk reporting systems within existing information systems, and it insists that employees be involved but have the necessary knowledge, skills, information, and authority to establish, operate, and monitor the system of internal control within their sphere of responsibility.

8
Q

A realistic outcome of a privacy framework evaluation is

A

In conducting an evaluation of the privacy framework, Practice Advisory 2130.A1-2 recommends that the internal auditor consider the “laws, regulations, and policies relating to privacy in the jurisdictions where the organization operates.”

9
Q

Which of the following is not an internal audit control responsibility with respect to fraud prevention, deterrence, and detection?

A

It is management’s responsibility to establish and maintain an effective control system. Translating an organization’s corruption prevention principles across operations would be a management responsibility.

10
Q

Internal auditing’s role in the risk management process of an organization can change over time and may encompass:

A

All of the following (I, II, and III):

I. No role.

II. Auditing the risk management process as part of the internal audit plan.

III. Participation on oversight committees, monitoring activities, and status reporting.

11
Q

Internal auditing’s role in the risk management process of an organization

A

Senior management and the board determine the role of internal auditing in the risk management process. Their view on internal auditing’s role is likely to be determined by factors such as the culture of the organization, ability of the internal audit staff, and local conditions and customs of the country. However, taking on management’s responsibility regarding the risk management process and the potential threat to the internal audit activity’s independence requires a full discussion and board approval.

12
Q

Which of the following has responsibility for a control self-assessment (CSA)?

A

The responsibility for the CSA process is shared among all employees in an organization.

13
Q

Which of the following is true of internal auditors?

A

Internal auditors do not have responsibility for internal control; management does. Internal auditors do have responsibility for monitoring controls. Internal auditors are not required to express an overall opinion on the adequacy of controls. If the CAE is asked to provide an opinion, the opinion should clearly specify evaluation criteria and scope over which the opinion applies.

14
Q

Which of the following is not a responsibility of the chief audit executive (CAE)?

A

Practice Advisory 2120-1 states that risk management is a key responsibility of senior management and the board, not the CAE. To achieve its business objectives, management ensures that sound risk management processes are in place and functioning. Boards have an oversight role to determine that appropriate risk management processes are in place and that these processes are adequate and effective. In this role, they may direct the internal audit activity to assist them by examining, evaluating, reporting, and/or recommending improvements to the adequacy and effectiveness of management’s risk processes.

15
Q

To minimize potential financial losses associated with physical assets, the assets should be insured in an amount that is

A

The types and amounts of insurance should be supported by periodic appraisals. The other options are either not appropriate or do not provide an adequate and accurate reflection of the value of an asset.

16
Q

The function of the chief risk officer (CRO) is most effective when the CRO

A

The chief risk officer is most effective when working with other executives and managers in establishing effective risk management in their areas of responsibility. This risk officer can work with other managers in establishing effective risk management practices, monitoring progress, and assisting those managers in reporting. Senior management has an oversight role. The CAE is not responsible for managing risk. Risk knowledge at the line level would be specific only to that area of the organization.

17
Q

Which factors determine the extent of assurance activities that internal audit provides in support of organizational governance?

A

The extent of internal audit governance assurance activities depends on the internal audit charter (which specifies the internal audit function’s role in governance assurance) and the specific direction from the board regarding current or ongoing expectations to perform such activities.

19
Q

Internal auditors can be considered as leading agents for change within an organization. Which of the following is not a good way to promote this concept?

A

The directive would “direct” rather than “sell” and thus would not be an appropriate choice.

20
Q

Which of the following goals sets risk management strategies at the optimum level?

A

Maximize shareholder value. This is a comprehensive approach that relates to risk management strategies across the enterprise.

21
Q

Which of the following Committee of Sponsoring Organizations of the Treadway Commission (COSO) risk management responses would apply to a situation in which an organization moved from List A to List B by canceling their insurance because the costs were greater than the item’s replacement cost?

A

Acceptance. Sharing reduces risk likelihood or impact by transferring or otherwise sharing a portion of the risk; purchasing insurance is a common risk-sharing technique. Acceptance is taking no action to affect likelihood or impact. By canceling the insurance because the premiums exceeded the item's replacement cost, the organization moved from sharing the risk to accepting it.

22
Q

COCO Model

A

The four components of the CoCo (Criteria of Control) framework are purpose, commitment, capability, and monitoring and learning.

23
Q

How can internal audit add value to the enterprise risk management (ERM) process?

A

Two choices are correct: (1) providing the audit committee and executive management with assurance that the ERM process is efficient, effective, and operating as intended, and (2) using the output of the ERM process to develop the risk-based audit plan and to identify unexpected high-risk areas as circumstances change.

Both reflect The IIA definition of internal auditing and the role of internal auditors in helping “an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

24
Q

An organization is introducing enterprise risk management (ERM) to management and employees. All of the following would support a successful startup of ERM projects except

A

Implement ERM software. Providing ERM training and education, encouraging management to discuss risk concerns, and recognizing quick victories enhance the probability of a successful ERM project. Focusing on ERM software can distract from the primary objective for implementing ERM (i.e., enhancing risk management and control) and create the impression that ERM is “just another IT project.”

25
Q

An adequate system of internal controls is most likely to detect an irregularity perpetrated by

A

A good system of internal controls is likely to expose an irregularity if it is perpetrated by one employee, without the aid of others. Management can often override controls, singularly or in groups. A group has a better chance of successfully perpetrating an irregularity than does an individual employee.

26
Q

Which of the following is not true of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) - Integrated Framework?

A

Takes a more focused approach than traditional risk management. This statement is false: ERM takes a broader portfolio approach than traditional risk management and deals with risks and opportunities affecting the creation or preservation of organizational value.

27
Q

An organization is changing to a quality assurance program that incorporates quality throughout the process. This is very different from its years of dependence on quality control at the end of the process. This type of change is a

A

cultural change because it involves a change in attitudes and mindset.

28
Q

In organizations without a risk management process, internal auditors should do which of the following?

A

Avoid responsibility for managing identified risks. Internal auditors can facilitate or enable risk management processes, but they should not own or be responsible for the management of the risks identified. Management, not internal auditing, is responsible for establishing a risk management process including high-level risk assessments.

29
Q

A primary benefit of using risk assessment and risk maps in enterprise risk management (ERM) is

A

A standardized view of organizational risk emerges. A risk framework provides a master list that enables all risks identified in the organization to be tracked and categorized. An important step in ERM is to assess the risks identified, and the resulting ranking provides a standardized view of risk.

30
Q

Which of the following represents the best governance structure?

A

Operating management is responsible for risk management, executive management is responsible for oversight, and internal auditors serve in oversight and advisory roles.

31
Q

Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks. Regarding the risks associated with issuing checks, which of the following risk management techniques does this represent?

A

Avoidance. By eliminating checks, the organization avoids all risk associated with them.

32
Q

Which of the following best describes an internal auditor’s purpose in reviewing the organization’s existing risk management, control, and governance processes?

A

The purpose stated in Practice Advisory 2120-1 is to provide reasonable assurance that the processes will enable the organization’s objectives and goals to be met efficiently and economically.

33
Q

A statement indicating that an organization will not enter into an emerging market where trading partners have a high probability of work stoppages and supply chain disruptions reflects

A

Risk appetite. Risk appetite is a high-level statement that broadly describes the level of risk that management deems acceptable. Risk tolerance is the acceptable level of variation relative to the achievement of objectives. Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity’s risk tolerance and risk appetite.

34
Q

The auditor has recognized that a problem exists because the organizational unit has been too narrow in its definition of goals. The goals of the unit focus on profits, but the overall organizational goals are much broader. The auditor also recognizes that the audit client will resist any recommendations about adopting broader goals. The best course of action would be to

A

The auditor is responsible to the organization, not just the audit client, and should therefore report the problem to the audit client. Subtly mixing the suggested solution with the problem definition might be a strategy to get buy-in from the client, but it will not be suitable in every case and can easily be seen as manipulative.

35
Q

A control self-assessment can be used for all of the following except

A

Judging the effectiveness of individuals responsible for specific control functions. Because the assessment is performed by the individuals performing the control tasks, individual performance issues are less likely to be highlighted by this method.

36
Q

Which of the following best exemplifies a “soft control” in a compliance and ethics program?

A

Employee responsibilities for reporting misconduct. Employee responsibilities are inherently subjective compared with the process, policy, and procedure examples. Generally speaking, hard controls are more scientific in nature and soft controls are more humanistic.

37
Q

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) - Integrated Framework, the chief executive officer (CEO) is usually responsible for all of the following except

A

Establishing a common risk language would generally be the responsibility of the risk officer.

38
Q

Which of the following is true of risk management techniques?

Because residual risk cannot be controlled, it should not be allowed to influence decisions.

Internal auditors should avoid risk matrices in favor of developing risks without outside influences.

Risk assessments should focus on financial hazards rather than soft issues.

Precise, detailed quantifications of risks can needlessly complicate risk assessments.

A

Precise, detailed quantifications of risks can needlessly complicate risk assessments. Unless complex risk quantification is merited (e.g., derivatives), it’s best to keep the quantification and prioritization of risks simple. Rather than the traditional financial hazards, less tangible soft issues (e.g., human resources) are of increasing importance in risk assessments. Residual risk (the risk that remains after control is applied) must be considered in decision making. Internal auditors can use risk matrices as a tool to improve risk assessment; they should not develop risks in a vacuum.