Domain II - Nature of work Flashcards

1
Q

Who is responsible for assessing the risks and controls within their organisation?

A

All internal auditors have a responsibility to assess the risks and controls within their organisations.

2
Q

Which standard?

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

A

Standard 2120 Risk Management

3
Q

_______ internal auditing provides organisations with timely, relevant information about the risks they face.

A

Risk-based internal auditing provides organisations with timely, relevant information about the risks they face.

4
Q

When organisations decide how to approach a risk, what are their options?

A

They can decide whether the risk is one to mitigate or avoid, or one to exploit.

5
Q

Explain what this term means?

Risk

A

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

6
Q

Explain what this term means?

Risk management

A

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organisation’s objectives.

7
Q

Explain what this term means?

Risk appetite

A

The level of risk that an organisation is willing to accept.

8
Q

Explain what this term means?

Risk responses

A

The means by which an organisation elects to manage individual risks.

9
Q

Explain what this term means?

Risk assessment

A

The overall process of risk identification, risk analysis and risk evaluation.

10
Q

Explain what this term means?

Risk identification

A

The process of determining which events might occur to affect the objectives of the organisation and their root causes.

11
Q

Explain what this term means?

Risk analysis

A

The systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences, i.e. their impact.

12
Q

Explain what this term means?

Risk evaluation

A

The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

13
Q

Explain what this term means?

Inherent (gross) risk

A

Evaluation of risk before management undertakes any action or initiates any risk responses.

14
Q

Explain what this term means?

Retained (net) risk

A

The evaluation of risk after management action and risk responses.

15
Q

Name different types of risk.

A

The main categories are financial, reputational and regulatory risk.

Other types include strategic and operational risk, and physically risky activities (health and safety).

16
Q

When can internal auditors provide the greatest value in terms of risks?

A

When they communicate clearly both the downsides and upsides to risk. Without this information, no organisation will thrive.

17
Q

There’s a range of standards and frameworks organisations can use in developing risk management processes. Describe the generic process.

A
Set objectives
Identify risks
Analyse
Appetite?
Determine response
Monitor and report
Learning lessons
(Start at the top)
18
Q

Why is setting objectives important to the risk management process?

A

Risks can only be identified, assessed and prioritised in relation to objectives.

19
Q

What can objectives be like in terms of the risk management process?

A

These objectives can be long term, high level and strategic in nature, and apply to the whole organisation; or they may be short term and operational, and apply to business units, teams, and business processes.

20
Q

Mention 6 different risk identification tools

A

1) Questionnaires and surveys
2) Process flow analysis
3) Workshops and interviews
4) Scenario planning
5) External and internal environmental analysis
6) Event inventories

21
Q

For an organisation to manage risks, what does it need to know first?

A

The risks it faces.

22
Q

What contains all the risks identified by management that may impact achievement of the organisation’s objectives?

A

The risk register

23
Q

What do you need to consider when identifying risks?

A

The organisation’s environment, strategy and attitude to risk.

24
Q

What is the risk if the organisation’s environment, strategy and attitude to risk are not considered while identifying risks?

A

Risk identification becomes nothing more than a random generation of unpleasant consequences and missed opportunities, most of which may well be irrelevant to the organisation.

25
Q

When identifying risks, what does the organisation’s environment include? Think macro and micro.

A

the macro - the external influences on the organisation (think political, economic, social, technological, legal and environmental) - and the micro - the more immediate, internal elements of the organisation (think McKinsey 7S model).

26
Q

What does the organisation’s attitude to risk determine?

A

Whether it recognises any given risk and what risk management strategy it adopts to deal with the potential obstacle to meeting its objectives.

27
Q

After risks are identified, what is the next step?

A

Analysing the risks.

28
Q

When risks are analysed, what are the two factors that are determined during the analysis?

A
The probability (or likelihood of occurrence)
&
The consequences (or the impacts on business)
29
Q

Is there a reliable way of assessing the probability and consequences of a risk?

A

This can be one of the most difficult areas to address as there is often no way of reliably assessing these factors.

30
Q

Mention some ways of analysing risks.

A

Tools such as root cause analysis can support this analysis.

Other tools and methods include:

quantitative eg benchmarking and modelling
qualitative eg interviews and workshops
hybrid – a mix of both qualitative and quantitative approaches.

The results can be plotted in a heat map or risk matrix, as illustrated in the figure. In the simple example, which uses RAG (red, amber, green) ratings, no arithmetic values are applied to each risk. In some organisations, risks are quantified instead.

31
Q

Who should set the risk appetite?

A

The board should set the risk appetite.

32
Q

Why is setting a risk appetite important?

A

so that decisions about the response to risk are weighed against agreed criteria as to what is tolerable.

33
Q

How do analysing and evaluating risks differ?

A

Once an analysis of likelihood and impact has been completed, it should then be possible to evaluate the risks against the organisation’s risk appetite to determine what action it will take.

34
Q

What is a risk before management action called?

A

Inherent or gross risk.

35
Q

What is a risk after management action called?

A

Residual, retained or net risk.

36
Q

What is the difference between inherent and residual risk?

A

The difference between inherent and residual risk is the measure of the effectiveness of the risk management responses and activities (including internal controls).

37
Q

What is the difference between gross and net risk?

A

The difference between inherent and residual risk is the measure of the effectiveness of the risk management responses and activities (including internal controls).

38
Q

What is the difference between inherent and retained risk?

A

The difference between inherent and residual risk is the measure of the effectiveness of the risk management responses and activities (including internal controls).

39
Q

How do you determine response to a risk?

A

Risk responses should be evaluated to ensure they do in fact manage the risks down to the level required.

The remaining ‘residual’ risk should be assessed. It should be in line with the target residual risk. If it is reasonable, no further action is required. If it is still excessive, the organisation needs to consider what further responses it will put in place (or not).

40
Q

Name the different risk response styles.

A
Accept
Avoid
Pursue
Reduce (requires controls)
Share
41
Q

Why should risks be monitored?

A
  • to assess whether or not the risks are changing
  • to provide assurance that risk management is effective
  • to identify when further action is necessary.

Although directors, managers and other staff may have identified their risks and described how they are using controls or other means to respond to them, the board cannot be sure that the risk responses are working unless they monitor them.

42
Q

What does an effective risk management system ensure?

A

that monitoring and reporting mechanisms form part of the organisation’s routine processes.

43
Q

What does a risk register usually detail?

A

the risk and description of the risk

gross risk analysis

details of risk responses applied

subsequent net risk assessment

conclusion on whether level of net risk level is acceptable

information on more action to be taken

what monitoring controls are to be applied

risk owner allocated

risk action manager allocated

review date.

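The cards above describe a procedure rather than a single fact: rate likelihood and impact (card 28), plot the result as a RAG heat map (card 30), measure control effectiveness as gross minus net risk (cards 36 to 38), compare net risk with the target (card 39) and record all of it in the register (card 43). The following Python model is an added example that is not part of the original flashcards or of any IIA material; the 5x5 scale, the RAG thresholds, the way a control is credited with reducing a rating, and the sample entries are all assumptions made for illustration.

```python
"""Toy risk register: gross (inherent) and net (residual) scoring, RAG rating
from a 5x5 heat map, and a check of net risk against appetite.
Added example; scales, thresholds and sample entries are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def score(likelihood: int, impact: int) -> int:
    """Likelihood and impact are each rated 1..5; the score is their product (1..25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be rated 1..5")
    return likelihood * impact


def rag(risk_score: int) -> str:
    """Map a 1..25 score onto RAG bands (band edges are assumed, not prescribed)."""
    if risk_score >= 15:
        return "RED"
    if risk_score >= 8:
        return "AMBER"
    return "GREEN"


@dataclass
class Control:
    name: str
    kind: str                      # directive | preventive | detective | corrective
    likelihood_reduction: int = 0  # rating points the control is credited with removing
    impact_reduction: int = 0


@dataclass
class Risk:
    ref: str
    description: str
    gross_likelihood: int
    gross_impact: int
    target_net_score: int          # appetite for this risk, as a maximum net score
    risk_owner: Optional[str] = None
    action_manager: Optional[str] = None
    review_date: str = ""
    controls: List[Control] = field(default_factory=list)

    def gross_score(self) -> int:
        return score(self.gross_likelihood, self.gross_impact)

    def net_likelihood(self) -> int:
        # A rating never drops below 1: responses reduce a risk, they do not remove it.
        return max(1, self.gross_likelihood - sum(c.likelihood_reduction for c in self.controls))

    def net_impact(self) -> int:
        return max(1, self.gross_impact - sum(c.impact_reduction for c in self.controls))

    def net_score(self) -> int:
        return score(self.net_likelihood(), self.net_impact())

    def control_effectiveness(self) -> int:
        """Gross minus net: what the responses (including controls) achieve."""
        return self.gross_score() - self.net_score()

    def within_appetite(self) -> bool:
        return self.net_score() <= self.target_net_score

    def conclusion(self) -> str:
        return "acceptable" if self.within_appetite() else "further action required"


def register_row(risk: Risk) -> Dict[str, object]:
    """One register entry carrying the fields the card lists."""
    return {
        "ref": risk.ref,
        "description": risk.description,
        "gross": f"{risk.gross_likelihood}x{risk.gross_impact}={risk.gross_score()} {rag(risk.gross_score())}",
        "responses": [f"{c.name} ({c.kind})" for c in risk.controls],
        "net": f"{risk.net_likelihood()}x{risk.net_impact()}={risk.net_score()} {rag(risk.net_score())}",
        "conclusion": risk.conclusion(),
        "risk_owner": risk.risk_owner,
        "action_manager": risk.action_manager,
        "review_date": risk.review_date,
    }


def register_gaps(risk: Risk) -> List[str]:
    """Completeness checks an auditor would run over each entry."""
    gaps = []
    if not risk.risk_owner:
        gaps.append("no risk owner allocated")
    if not risk.within_appetite() and not risk.action_manager:
        gaps.append("net risk above appetite but no action manager allocated")
    if not risk.review_date:
        gaps.append("no review date")
    return gaps


# Constructed sample entries for the example (not real data).
SAMPLE_REGISTER = [
    Risk("R1", "Privileged credentials compromised", 4, 5, target_net_score=6,
         risk_owner="Head of IT", action_manager="IAM lead", review_date="2024-12-01",
         controls=[Control("MFA on admin accounts", "preventive", likelihood_reduction=2),
                   Control("Quarterly privileged access review", "detective", likelihood_reduction=1),
                   Control("Incident response runbook", "corrective", impact_reduction=1)]),
    Risk("R2", "Internet-facing service exploited via known vulnerability", 4, 4,
         target_net_score=8, risk_owner="Head of IT",
         controls=[Control("30-day patching SLA", "preventive", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(register_row(r), register_gaps(r))
```

R1 moves from a gross 20 (red) to a net 4 (green) and sits inside its target of 6, so the register concludes "acceptable"; R2 only drops from 16 to 12 (amber), which exceeds its target of 8, and the gap check flags that no action manager has been allocated for the further action the card says must then be considered.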
44
Q

Explain the 3 lines of defence and their role in risk management.

A

First-line roles are those most directly focused on providing the client with products and/or services, and include the roles of support functions such as human resources, administration, IT and building services. First-line roles are responsible for managing risk.

Second-line roles centre on specific aspects of risk management, including compliance with ethical, legal and regulatory requirements, quality assurance, IT security and broader responsibilities such as enterprise risk management. Those in second-line roles often challenge those in the first line, as well as offering expertise, scrutiny and oversight.

Third-line roles, such as internal audit, are unique in being independent of management and its responsibilities. This independence enables internal audit to provide objective assurance and advice. It is impossible to be both independent of management and to assume management responsibilities (ie first and second line roles). Where internal audit has first or second line roles, independent assurance of these activities must be drawn from other sources.

Above all of this is the governing body whose roles are integrity, leadership and transparency but most of all accountability to stakeholders for organisational oversight.

45
Q

Mention the key roles of the governing body in the 3 lines of defence model.

A

Accepts accountability to stakeholders for oversight of the organisation.

Engages with stakeholders to monitor their interests and communicate transparently on the achievement of objectives.

Nurtures a culture promoting ethical behavior and accountability.

Establishes structures and processes for governance, including auxiliary committees as required.

Delegates responsibility and provides resources to management for achieving the objectives of the organisation.

Determines organisational appetite for risk and exercises oversight of risk management (including internal control).

Maintains oversight of compliance with legal, regulatory, and ethical expectations.

Establishes and oversees an independent, objective, and competent internal audit function.

46
Q

Mention key roles of the management in first line in the 3 lines of defence model.

A

Leads and directs actions (including managing risk) and application of resources to achieve the objectives of the organisation.

Maintains a continuous dialogue with the governing body, and reports on planned, actual, and expected outcomes linked to the objectives of the organisation, and risk.

Establishes and maintains appropriate structures and processes for the management of operations and risk (including internal control).

Ensures compliance with legal, regulatory, and ethical expectations.

47
Q

Mention key roles of the management in second line in the 3 lines of defence model.

A

Provides complementary expertise, support, monitoring, and challenge related to the management of risk, including:

  • the development, implementation, and continuous improvement of risk management practices (including internal control) at a process, systems, and entity level
  • the achievement of risk management objectives, such as: compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance.

Provides analysis and reports on the adequacy and effectiveness of risk management (including internal control).

48
Q

Mention key roles of the 3rd line in the 3 lines of defence model.

A

Maintains primary accountability to the governing body and independence from the responsibilities of management.

Communicates independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control) to support the achievement of organisational objectives and to promote and facilitate continuous improvement.

Reports impairments to independence and objectivity to the governing body and implements safeguards as required.

49
Q

Mention key roles of the external assurance providers in the 3 lines of defence model.

A

External assurance providers supply additional assurance to satisfy:

legislative and regulatory expectations that serve to protect the interests of stakeholders

requests by management and the governing body to complement internal sources of assurance.

50
Q

True or false?

Risk is the possibility of an event occurring that threatens the achievement of objectives.

A

False.

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. This impact can be a threat but it can also be an opportunity. The latter is often referred to as ‘upside risk.’

51
Q

What term is defined as ‘the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria’?

A

Risk evaluation

52
Q

What term is used to describe a risk that does not take into account any response that the organisation may put in place?

A

Gross or inherent risk

53
Q

Which line of defence is HR?

A

1st line

54
Q

Which line of defence is Compliance?

A

2nd line

55
Q

Which line of defence is Internal Audit?

A

3rd line

56
Q

Mention 2 popular frameworks used for risk management.

A

COSO Enterprise Risk Management - Integrating with Strategy and Performance,

and

the ISO standard 31000:2018.

57
Q

What are the 5 components set out by COSO?

A
Governance and culture
Strategy and objective-setting
Performance
Review and revision
Information, communication and reporting
58
Q

Explain what Governance and culture is about according to COSO framework.

A

About: The organisation’s tone, reinforcing the importance of, and establishing oversight responsibilities for, risk management. Culture pertains to ethical values, desired behaviours, and the understanding of risk in the organisation.

Principles:

  1. Exercises board risk oversight
  2. Establishes operating structures
  3. Defines desired culture
  4. Demonstrates commitment to core values
  5. Attracts, develops, and retains capable individuals
59
Q

Explain what Strategy and objective-setting is about according to COSO framework.

A

About: Setting the organisational strategy, plan and risk appetite. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.

Principles:

  1. Analyses business context
  2. Defines risk appetite
  3. Evaluates alternative strategies
  4. Formulates business objectives
60
Q

Explain what Performance is about according to COSO framework.

A

About: Risks that may impact the achievement of objectives need to be identified and assessed. Risks are prioritised by severity in the context of risk appetite. The organisation then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.

Principles:

  1. Identifies risk
  2. Assesses severity of risk
  3. Prioritises risks
  4. Implements risk responses
  5. Develops portfolio view
61
Q

Explain what Review and revision is about according to COSO framework.

A

About: By reviewing entity performance, an organisation can consider how well the risk management components are functioning in light of substantial changes and what revisions are needed.

Principles:

  1. Assesses substantial change
  2. Reviews risk and performance
  3. Pursues improvement in enterprise risk management
62
Q

Explain what Information, communication and reporting is about according to COSO framework.

A

About: Risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organisation.

Principles:

  1. Leverages information and technology
  2. Communicates risk information
  3. Reports on risk, culture, and performance
63
Q

What is ISO 31000:2018?

A

ISO 31000:2018 Risk management – Guidelines is a risk management standard. It is designed to be applied to a range of industries and contexts. The standard provides principles, a framework and a process for managing risk.

64
Q

What are the 3 main components of ISO 31000:2018?

A

Principles, framework and process. Each is built around a central element:

Principles: value creation and protection (the purpose of risk management)
Framework: leadership and commitment
Process: risk assessment (identification, analysis and evaluation), supported by scope and context setting, risk treatment, monitoring and review, communication and recording.

65
Q

True or false?

The COSO risk management framework places greater emphasis on controls than ISO31000:2018.

A

Largely true. COSO publishes an internal control framework as well as a risk management framework, and the two are aligned with each other, so controls feature prominently in COSO’s approach to managing risk.

66
Q

Which three areas form ISO 31000:2018?

A

The ISO 31000:2018 standard comprises three components: principles, framework and process.

In addition, there are a further two related standards:

ISO Guide 73 Risk management - vocabulary
IEC 31010 Risk management - risk assessment techniques.

67
Q

What are the 3 areas internal auditors normally provide assurance on?

A

Internal auditors will normally provide assurances on three areas:

  1. Risk management processes, both their design and how well they are working
  2. Management of those risks classified as ‘key’, including the effectiveness of the controls and other responses to them
  3. The reliability of risk assessments and the reporting of risk and control statuses.
68
Q

What are the core roles of internal audit in regards to Enterprise Risk Management?

A
  • Giving assurance on the risk management process
  • Giving assurance that risks are correctly evaluated
  • Evaluating risk management processes
  • Evaluating the reporting of key risks
  • Reviewing the management of key risks
69
Q

What are the legitimate roles of internal audit with safeguards in regards to Enterprise Risk Management?

A
  • Facilitating the identification and evaluation of risks
  • Coaching management in responding to risks
  • Coordinating of risk management activities
  • Consolidating reporting on risks
  • Maintaining and developing the risk management framework
  • Championing the establishment of risk management
  • Developing the risk management strategy for board’s approval
70
Q

What are roles IA should NOT take in regards to Enterprise Risk Management?

A
  • Setting the risk appetite
  • Imposing risk management processes
  • Management assurance on risks
  • Taking decisions on risk responses
  • Implementing risk responses on management’s behalf
  • Accountability for risk management
71
Q

What are the key factors to take into account when determining internal auditing’s role?

A

whether the activity raises any threats to the internal audit activity’s independence and objectivity and whether it is likely to improve the organisation’s risk management, control and governance processes.

72
Q

Explain what maturity model means.

A

It is a gauge by which to measure an organisation’s current state of and progress towards mastery of a given area.

73
Q

What does risk maturity mean?

A

The extent to which a risk management approach has been adopted and applied, as planned, by management across the organisation to identify, assess, decide on responses to and report on opportunities and threats that affect the achievement of the organisation’s objectives.

74
Q

What does risk appetite mean?

A

The level of risk that an organisation is willing to accept.

75
Q

What does risk-based internal auditing mean?

A

Risk-based internal auditing is a methodology that links IA to an organisation’s overall risk management framework. It allows IA to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.

76
Q

What is the primary methodology IA should be using in organisations?

A

Risk based internal auditing.

77
Q

True or false?

Of importance to RBIA is understanding the level of risk maturity within the organisation.

A

True. The internal audit approach should reflect where the organisation is in terms of maturity and support its journey towards a fully embedded framework.

78
Q

What does the risk maturity of an organisation determine?

A
  • type of assurances that internal audit can provide
  • framework that will be used for audit planning, critically the source of risk information internal audit will use in planning
  • type of consulting services that internal audit can provide.
79
Q

What are the levels of risk maturity?

A

Initial, repeatable, defined, managed and optimised

80
Q

Describe what it means if an organisation’s risk maturity is at the initial level?

A

No formal approach to risk management

81
Q

What should the IA approach be if the organisation’s risk maturity is at the initial level?

A

Report that no formal risk management in place

Consultancy to champion risk management

Use alternative framework to determine internal audit plan

Assurance on control processes.

82
Q

Describe what it means if an organisation’s risk maturity is at the repeatable level?

A

Scattered silo-based approach to risk management

83
Q

What should the IA approach be if the organisation’s risk maturity is at the repeatable level?

A

Report poor risk management

Consultancy to champion risk management

Use alternative framework to determine internal audit plan

Assurance on control processes.

84
Q

Describe what it means if an organisation’s risk maturity is at the defined level?

A

Risk management strategy and policies in place and communicated

Risk appetite and tolerance levels defined.

85
Q

What should the IA approach be if the organisation’s risk maturity is at the defined level?

A

Report on risk management deficiencies

Consultancy to embed risk management

Start with management view of risk and supplement

Assurance on risk management policies and control processes.

86
Q

Describe what it means if an organisation’s risk maturity is at the managed level?

A

Enterprise wide approach to risk management developed and communicated.

87
Q

What should the IA approach be if the organisation’s risk maturity is at the managed level?

A

Management view of risk drives internal audit plan

Assurance on risk management processes and mitigation

Consulting to improve risk management

88
Q

Describe what it means if an organisation’s risk maturity is at the optimised level?

A

Risk management fully embedded into processes and systems

89
Q

What should the IA approach be if the organisation’s risk maturity is at the optimised level?

A

Management view of risk drives internal audit plan

Assurance on risk management processes and mitigation

Consulting as required.

90
Q

Standard 2120 Risk Management states:

The internal audit activity must evaluate the ________ and contribute to the improvement of risk management processes.

What text is missing?

A

Effectiveness

91
Q

An assessment of risk maturity finds that risk management and internal control are fully embedded into the organisation’s processes and systems.

What is the level of the organisation’s risk maturity?

A

Optimised

92
Q

When do you need a control?

A

When you’re not prepared to tolerate a risk.

93
Q

What is the purpose of controls?

A

to manage risk

94
Q

What happens if a control doesn’t have an associated risk?

A

It is pointless: it actively diverts first-line attention from areas that rightly deserve it more.

95
Q

To conduct a truly risk-based audit, what should an internal audit engagement start with?

A

A clear understanding of the risks facing the organisation.

96
Q

If you don’t understand what the controls you’re assessing are meant to mitigate, ____________

A

You can’t provide a service of value to the organisation.

97
Q

Standard 2130 sets out _____________.

A

internal audit’s responsibilities in assisting the organisation to maintain effective controls.

98
Q

The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

How is this different if it is assurance service or consulting service?

A

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organisation’s governance, operations, and information systems regarding the:

  • achievement of the organisation’s strategic objectives
  • reliability and integrity of financial and operational information
  • effectiveness and efficiency of operations and programmes
  • safeguarding of assets
  • compliance with laws, regulations, policies, procedures, and contracts.

2130.C1 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organisation’s control processes.

99
Q

In one word, what is described here:

“Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”

A

Control(s)

100
Q

In two words what is described here:

The policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organisation is willing to accept.

A

Control processes

101
Q

In two words what is described here:

The attitude and actions of the board and management regarding the importance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: integrity and ethical values, management’s philosophy and operating style, organisational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel.

A

Control environment

102
Q

When do directive and preventative controls occur and what should they do?

A

before an ‘unwanted event’, and should reduce the number of them.

103
Q

When do detective and corrective controls occur and what should they do?

A

after an unwanted event, alerting those responsible to the problem and helping them put things right.

104
Q

Give an example of directive control?

A

Accounting manuals, documented procedures, training and supervision.

105
Q

Give an example of preventative control?

A

Segregation of duties, access controls and authorisation.

106
Q

Give example of detective control?

A

Exception reports, reconciliations, control totals and error reports.

107
Q

Give example of corrective controls?

A

Error, incident and complaint handling procedures and virus isolation.

108
Q

What do directive controls direct people to do?

A

to perform tasks in the way best designed to mitigate risk.

109
Q

Which preventive controls can also be physical?

A

security fences, staffed gates and entrances, and locks can all be effective controls

110
Q

Other than categorising controls as directive, preventive, detective and corrective, what other ways are there to categorise controls?

A

Macro and micro-level,
key and secondary controls,
active and passive controls

111
Q

When a control is at macro-level, what does this mean?

A

they mitigate organisation-wide risk.

112
Q

What are the two subcategories of macro-level controls?

A

governance and management controls. Examples include tone at the top, codes of ethics, board sub-committees, risk management frameworks and IT general controls.

113
Q

When a control is at micro-level, what does this mean?

A

These include activity, process and task-level controls.

114
Q

We can categorise controls by their degree of importance to mitigating risk - also known as….

A

Key and secondary controls

115
Q

How do key controls operate?

A

These must operate effectively to reduce risk to the desired level.

116
Q

How do secondary controls operate?

A

These are not essential to mitigating the risk but can help the activity, process or transaction to run more efficiently.

117
Q

If controls are categorised based on the level of human intervention, this would be called…

A

Active and passive controls.

118
Q

What are active controls?

A

Active (manual) control: These are controls that require human action.

119
Q

What are passive controls?

A

Passive (automated) control: These are controls that operate without human action.

120
Q

What are the two types of control failures that can happen?

A

inadequate controls and ineffective controls

121
Q

Explain what is an inadequate control.

A

Inadequate controls are either non-existent or poorly designed – even if executed correctly, they still wouldn’t mitigate the targeted risk.

122
Q

Explain what is an ineffective control.

A

Ineffective controls, on the other hand, are those that exist and are adequately designed – but performed incorrectly or not at all.

123
Q

What are the possible control failures for the following control:

Individual swipe cards to a room with files containing personal information.

A

If the control process doesn’t include regular review of individuals’ access, it is inadequate.

If staff share swipe cards, knowing this is forbidden, then the process is ineffective.

124
Q

What are the possible control failures for the following control:

Complaints procedures for customers.

A

If the organisation’s complaints procedure is too complex, either for customers or for staff, then it is inadequate as a control.

If, however, staff do not follow the procedure, thinking they can resolve matters more quickly for the customer by skipping steps, then the control is ineffective.

125
Q

If during fieldwork, it comes to light that people are not following procedures or processes they know they should, what should you ask first?

A

Why don’t you?

If, in this instance, staff are correct, and they can reduce the risks arising from customer dissatisfaction more efficiently, then that is positive. It shows that staff members are mindful of risks and keen to improve controls. Rather than criticising staff for not following a possibly over-engineered control process, why not encourage them to update it with their improvements? By giving credit where due, internal auditors show their keenness to work positively with colleagues throughout the organisation.

126
Q

If you find that a control process is inadequate, should you test it for effectiveness anyway?

A

No. It’s a waste of time. Even if staff perform the process accurately, its inadequacy means that it still wouldn’t mitigate the risk to the desired level. With very few exceptions, an inadequate control means you stop there – you have a finding.

127
Q

Which are elements of the control environment?

Assignment of authority and responsibility
Integrity and ethical values
Organisational structure

A

All three are elements of the control environment. There are further elements: management’s philosophy and operating style, assignment of authority and responsibility, human resource policies and practices and competence of personnel.

128
Q

What type of control is variance analysis?

A

Hard control.

Hard controls are quantitative and objective. A comparison of budget and actual figures through the process of variance analysis identifies how well an organisation is performing against targets. Budgets often use monetary and numerical targets.

Automated and passive control is incorrect. Automated and passive controls work without human intervention such as a warning within a computer system which might indicate that an expense heading has exceeded a specific level.

Soft controls are qualitative and subjective; this is incorrect.

129
Q

Name the 6 frameworks, standards and regulations that have implications for organisational control.

A

1) COSO Internal Control - Integrated Framework
2) CoCo (Criteria of Control) model
3) King Report on Corporate Governance
4) Sarbanes Oxley (SOX) Act
5) COBIT 2019
6) Basel III standards

130
Q

Explain CoCo model.

A

CoCo’s philosophy is that control comprises those elements of an organisation (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organisation’s objectives.

CoCo has 20 so-called criteria of control, grouped into four areas:

Purpose
Commitment
Capability
Monitoring and learning.

131
Q

What does the King Report on Corporate Governance focus on?

A

outcomes, placing accountability on the governing body (eg the board) to attain the governance outcomes of an ethical culture, good performance and effective control within the organisation and legitimacy with stakeholders.

132
Q

What is the aim of the Sarbanes Oxley (SOX) act?

A

to increase transparency in the financial reporting by corporations to protect investors by improving the accuracy and reliability of corporate disclosures through a formalised system of checks and balances.

133
Q

What is COBIT 2019?

A

a framework for the governance and management of enterprise information and technology aimed at the whole organisation. COBIT distinguishes between governance and management, setting out:

the components to create and sustain a governance system
the design factors to build a governance system that fits the organisation.

134
Q

What are the Basel III standards designed to do?

A

to strengthen the regulation, supervision and risk management of banks. A key aspect of the reform is the so-called pillars:

Enhanced minimum capital and liquidity requirements
Enhanced supervisory review process for firm-wide risk management and capital planning
Enhanced risk disclosure and market discipline.

135
Q

Which one of the risk frameworks is the most widely-used?

A

COSO

136
Q

What does the COSO framework explain?

A

That there is a direct relationship between organisational structure, objectives and components (3 types of objectives and five components).

137
Q

What are the five components of COSO?

A

Control environment
Risk assessment
Control activities
Information and communication
Monitoring

138
Q

What are the 3 objectives of COSO?

A

Operations
Reporting
Compliance

139
Q

Organisations must comply with laws and regulations including company law, tax law and environmental protection regulations.

What category of internal control objectives does this requirement form part of?

Operations
Reporting
Compliance

A

Compliance

140
Q

True or false?

COBIT is a technical (IT) framework to manage business technologies.

A

False.

COBIT is a framework for the governance and management of enterprise and information and technology. It is not limited to IT and IT functions. COBIT sets out components that describe what decisions should be taken, how and by whom.

141
Q

What is fraud to organisations?

A

A significant loss which can lead to loss of confidence in the organisation or even lead to its collapse.

142
Q

Explain the term Fraud. What does it mean?

A

Any illegal act characterised by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organisations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

143
Q

Explain the term Fraud risk. What does it mean?

A

The probability that fraud will occur and the potential severity or consequences to the organisation when it occurs.

144
Q

Explain the term Fraud red flag. What does it mean?

A

1. Indicators that fraud is taking place.
2. Conditions that consistently contribute to fraud.

145
Q

What types and categories of fraud are there?

A

Fraud benefiting individuals

Fraud benefiting the organisation

146
Q

What are examples of fraud benefiting individuals?

A

embezzlement
espionage
theft of assets
unauthorised use of information
accepting bribes and kickbacks.

147
Q

What are examples of fraud benefiting the organisation?

A

misrepresentation of financial and non-financial data
transfer pricing
sale or assignment of fictitious or misrepresented assets
illegal payments to facilitate business activities.

148
Q

Fraud red flags can mean two things. What are those two things?

A

First, indicators that suggest fraud may be occurring. Second, conditions that could give rise to fraud.

149
Q

Is a fraud red flag proof that fraud is taking place?

A

No, it is a signal that something is not as it should be and should be investigated further.

150
Q

If we consider fraud red flags from the perspective of macro environment, what does this mean?

A

This refers to the environment external to the organisation. It’s worth remembering organisations are influenced by this environment, and can influence it too. The PESTLE (political, economic, social, technological, legal and environmental) tool is useful in analysing potential macro environmental fraud risks.

151
Q

If we consider fraud red flags from the perspective of micro environment, what does this mean?

A

Refers to the environment within the boundaries of the organisation. The organisation has greater influence on this environment. We can group micro environment factors into a number of categories, as the figure illustrates.

152
Q

Give an example of a fraud red flag in management?

A
  • Lack of expertise in the area of work (consider qualifications, experience and whether professional standards are applied in the work).
  • Poor supervision and oversight over the work the manager does.
  • Key managers who are too controlling and do not delegate work.
  • Key managers who delegate a lot of work without providing appropriate supervision.
153
Q

Give an example of a fraud red flag in organisational culture?

A
  • Lack of clear values in relation to ethics.
  • An acceptance of low-level fraud
  • Tone at the top that sets the wrong climate
154
Q

Give an example of a fraud red flag in staff?

A
  • High turnover and low staff morale
  • Large number of complaints about particular members of staff
  • Unclear reporting lines and a lack of accountability
  • Remuneration policies that encourage damaging work practices
  • Employees who are reluctant to take leave or when they do, take leave for very short periods
155
Q

Give an example of a fraud red flag in processes?

A
  • Poor physical security
  • Poor access controls
  • Poorly filed or missing documents, at a higher rate than usual or expected
  • Unrealistic targets e.g. sales
  • Roles and responsibilities that are not appropriately segregated
156
Q

Give an example of a fraud red flag in Finance?

A
  • High levels of cash only transactions
  • Unexplained rises in expenses
  • Large number of refunds to customers
  • Changes in levels of inventory eg excessive shrinkage
  • High level of adjustments in the book of accounts
  • Unexplained growth in sales, particularly in relation to specific customers
157
Q

Give an example of a fraud red flag in a Macro Environment (External)?

A
  • Economic downturns that add pressure for organisations and individuals to perform
  • Industries with low regulatory oversight or where some aspects of fraud are regarded as being acceptable
  • Countries with high corruption ratings
158
Q

What does PESTLE stand for and what is it useful for?

A

The PESTLE (political, economic, social, technological, legal and environmental) tool is useful in analysing potential macro environmental fraud risks.

159
Q

What are the three conditions that need to exist to enable a person to violate trust and commit fraud?

A

Pressure
Rationalisation
Opportunity

160
Q

Explain why pressure is an element in creating the perfect conditions for a person to commit fraud.

A

This factor is sometimes referred to as motive. An individual is likely to be under some kind of pressure to commit fraud. This could be financial eg debts. Motives may include grievance against the business or greed.

161
Q

Explain why opportunity is an element in creating the perfect conditions for a person to commit fraud.

A

There must be an opportunity to enable the individual to commit fraud. This may arise from poor controls. For instance, if the person ordering items is also the person who authorises and receives them, this gives rise to the potential for skimming.

162
Q

Explain why rationalisation is an element in creating the perfect conditions for a person to commit fraud.

A

Individuals who commit fraud usually rationalise their behaviour. They may suggest that they were only borrowing items, that it is common organisational practice to take items, that they were ‘owed’ the items for overtime and so forth.

163
Q

What are the five principles of managing fraud?

A
  1. Fraud risk governance
  2. Fraud risk assessment
  3. Fraud prevention
  4. Fraud detection
  5. Fraud investigation and corrective action
164
Q

What does good fraud risk governance look like?

A

As part of an organisation’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

165
Q

What does good fraud risk assessment look like?

A

Fraud risk exposure should be assessed periodically by the organisation to identify specific potential schemes and events that the organisation needs to mitigate.

166
Q

What does good fraud prevention look like?

A

Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organisation.

167
Q

What does good fraud detection look like?

A

Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

168
Q

What do good fraud investigation and corrective action look like?

A

A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

169
Q

What is the role of the Board in terms of fraud?

A

Corporate policy on the non-tolerance of fraud, dealing with its occurrence and laying down responsibilities and measures to mitigate risk
Notifying appropriate regulatory authorities of relevant transgressions
Ratifying policy, mitigation strategy and response plan
Corporate ethos, setting the right ethics and policies
Risk and threat assessment
Adequate and effective internal control
Adequate and effective internal audit.

170
Q

What is the role of Line Management in terms of fraud?

A

Managing, controlling, reporting and taking action on the risk of fraud including:

having processes in place to deter and detect fraud
applying adequate controls to prevent transgressions
leading investigations
overseeing investigations conducted by specialists on their behalf
dealing effectively with issues raised by staff (including taking appropriate action to deal with reported or suspected illegal activity)
involving the police where necessary.

171
Q

What is the role of Staff in terms of fraud?

A

Operating procedures to safeguard the organisation’s assets
Alerting management when they believe that the possibility of fraud exists
Reporting immediately to management when they suspect that an illegal act has been committed.

172
Q

What is the role of Internal Audit in terms of fraud?

A

Independent assurance on the effectiveness of the processes put in place to manage fraud risk.

173
Q

What is the role of Audit Committee in terms of fraud?

A

Review arrangements by which staff can raise concerns in confidence about improprieties
Ensure that arrangements are in place for investigation and follow up of any concerns raised in relation to fraud.

174
Q

What is the difference between fraud and improper activities?

A

Fraud involves intentional deception. Improper activities may not be illegal but breach organisational policies. Further, improper activity does not involve intentional deception.

175
Q

True or false?

Internal audit has a key role in detecting and investigating fraud.

A

False

It is not internal audit’s job to detect or investigate fraud. Internal audit’s primary responsibilities are to:

carry out audit engagements using due professional care and in such a way as to be alert to the possibility of fraud and misconduct
review procedures to safeguard assets so as to ensure that cost-effective measures are in place to prevent, detect or deter fraud
ensure that the prevention, detection and deterrence of fraud are also taken into account when new systems are designed or changes made to existing systems.

176
Q

True or false?

Internal auditors must be able to evaluate the risk of fraud.

A

True.

International Standard 1210.A2 states that:

Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. (emphasis added)

177
Q

True or false?

Internal auditors should be alert to the potential for fraud to occur.

A

True.

The statement is true and is supported by a variety of standards, eg 2210.A2 which states that:

Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.