GOVERNANCE, RISK MANAGEMENT AND CONTROL Flashcards

1
Q

What are the Three Lines of Defense?

A

First Line: Operational Management
Second Line: Risk Management and Compliance Functions
Third Line: Internal Audit

2
Q

What is the definition of Organizational Governance?

A

The IIA Standards Glossary defines organizational governance as the:
“combination of processes and structures implemented by the board to inform, direct, manage, and monitor the achievement of its objectives.”

3
Q

What are the cornerstones of good Corporate Governance?

A

1) The board of directors
2) Executive management
3) External auditors
4) Internal auditors

4
Q

What are major areas of responsibility of the board?

A

1) Monitoring the CEO and other senior executives.
2) Overseeing the corporation’s strategy and processes for managing the enterprise (including succession planning).
3) Monitoring the corporation’s risks and internal controls, including the ethical tone.

5
Q

What is an independent director, and how many should a company have?

A

A majority of the directors should be independent in both fact and appearance.
An independent director has no current or prior professional or personal ties to the corporation or its management other than service as a director.
Independent directors must be able and willing to be objective in their judgments.

6
Q

What are common committees that the Board establishes?

A

1) Audit committee
2) Compensation committee
3) Governance committee
Each committee should have a charter, authorized by the board, that outlines how each will be organized, their duties and responsibilities, and how they report to the board. Each committee should be composed of independent directors only.

7
Q

Who are Stakeholders?

A

A stakeholder is an individual or entity who has a material interest in a company’s achievements, validated through some form of investment, and thereby expects a benefit in return.

8
Q

Who are Internal Stakeholders?

A
  • Directors
  • Senior management
  • Employees
  • Trade unions or staff associations
  • Shareholders
9
Q

Who are External Stakeholders?

A
  • Customers
  • Suppliers
  • Contractors and subcontractors
  • Distribution networks
  • Communities
  • The general public and government
10
Q

What are four levels of relationships with stakeholders and what is each level based on?

A

Based on the stakeholder’s interest and power, the company’s relationship will be to:
1) Ignore the stakeholder (weak power, low interest)
2) Keep the stakeholder informed (weak power, high interest)
3) Keep the stakeholder satisfied (strong power, low interest)
4) Treat the stakeholder as a key player (strong power, strong interest)

11
Q

What is the role of internal audit in Corporate Governance?

A

The IAA must assess and make appropriate recommendations to improve the organization’s governance processes for:
• Making strategic and operational decisions.
• Overseeing risk management and control.
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Communicating risk and control information to appropriate areas of the organization.
• Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.

12
Q

What are the steps in auditing a company’s governance practices and structure?

A

1) Understand the general principles and models of organizational governance.
2) Review existing governance-related documentation.
3) Develop a preliminary audit plan.
4) Meet with decision-makers (i.e., the board).
5) Execute the approved plan.
6) If necessary, consult legal counsel.
7) Complete the process, including a formal presentation to the board and have key decision-makers sign a “statement of acknowledgement.”

13
Q

How is organizational culture different from organizational governance?

A

Organizational culture and its related practices are not written down or codified. Organizational culture can be rooted in the distinct personalities of company leadership or more generally in the ethnic, religious, or political context in which the business operates.

14
Q

What are the six control environments elements that organizational culture may impact?

A

1) Integrity and ethical values
2) Management’s philosophy and operating style
3) Organizational structure
4) Assignment of authority and responsibility
5) Human resource policies and practices
6) Competence of personnel

15
Q

What is the internal auditor’s role in assessing Organizational Ethics?

A

The internal audit activity must assess the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

16
Q

What does a review of organizational ethics focus on?

A

1) Policies, including the policy for reporting ethical violations
2) Procedures
3) Effectiveness
4) Disposition of ethical issues, including if the penalties are appropriately scaled, if there is consistent application, and if there is proper documentation.
5) Compliance

17
Q

What are ethics advocates and who must act as an ethics advocate?

A

Ethics advocates are visible models of appropriate behavior who encourage and support the code of conduct at all times and at all levels of activity.
Management must act as ethics advocates.
All individuals in the company should be encouraged to be ethics advocates.
Internal auditors are also key ethics advocates; the IIA Code of Ethics states that internal auditors should be an example of the ethical behavior that employees should practice.

18
Q

What is a Code of Conduct, and who is it applicable to?

A

A Code of Conduct, or Business Conduct Policy, outlines the specific behaviors that are required of or prohibited for all employees.
The Code of Conduct should be written in clear, concise language that eliminates ambiguity or contradictory interpretation.
The Code of Conduct is applicable to all people in the organization, regardless of position, department, or length of employment.

19
Q

The code of conduct includes guidance on what topics?

A
  • Conflicts of interest
  • Confidentiality of information
  • Acceptance of gifts
  • Compliance with all applicable laws, rules, and regulations
  • Penalties – the Code must clearly detail the consequences for any violations
20
Q

What is the role of the IAA with the Code of Conduct?

A

The Code of Conduct needs to be periodically assessed by the IAA to ensure that it is relevant and that it reflects the company’s needs. Additionally, compliance with the Code of Conduct should also be tested periodically and may even be included as part of every engagement.

21
Q

What is Corporate Social Responsibility?

A

The IIA’s Practice Guide Evaluating Corporate Social Responsibility/Sustainable Development defines CSR as: “The way firms integrate social, environmental, and economic concerns into their values, culture, decision-making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth, and improve society.”

22
Q

What are the levels of responsibility for CSR in a company?

A

• The board has overall responsibility for CSR.
• Management is responsible for executing CSR and ensuring that there are clear objectives, performance measurement, and reporting.
• Employees must integrate CSR into their everyday activities.
• The internal auditors should understand the risks and controls related to CSR and may be responsible for auditing CSR.

23
Q

What are some of the risks associated with CSR?

A
  • Reputation
  • Compliance
  • Liability and lawsuits
  • Operational
  • Company stock valuation
  • Employment market
  • Consumer sales
  • External business relationships
24
Q

What are the seven core subjects in ISO 26000?

A

1) Organizational governance
2) Human rights
3) Labor practices
4) The environment
5) Fair operating practices
6) Consumer issues
7) Community involvement and development

25
Q

What are the five main aspects of CSR in ISO 26000?

A

1) A company should operate ethically and with integrity.
2) A company should treat its employees fairly and with respect.
3) A company should demonstrate respect for human rights.
4) A company should be a responsible citizen in its community.
5) A company should do what it can to sustain the environment for future generations.

26
Q

What are the four levels of the pyramid of social responsibility?

A

1) Philanthropic responsibilities
2) Ethical responsibilities
3) Legal responsibilities
4) Economic responsibilities

27
Q

What are different approaches that can be taken to auditing CSR?

A

• By element.
• By stakeholder or stakeholder group.
• By subject. For example, by workplace, marketplace, environment, and community.
• By department/function. Audit CSR separately for each department within the organization.
• By third party. Audit third parties for compliance with CSR terms and conditions.

28
Q

What are the elements of CSR that are commonly audited?

A
  • Governance
  • Ethics
  • Environment
  • Transparency
  • Health, Safety, and Security
  • Human Rights and Work Conditions
29
Q

What are the seven steps in the CSR Process?

A

1) Set priorities and policies for areas such as ethics, labor, the environment, charity, and any other relevant CSR areas.
2) Set specific objectives and strategies to achieve the policies set by management.
3) Communicate and embed CSR into controls and decision making.
4) Track the activities related to CSR so that the results of the CSR policies and objectives can be measured, analyzed, and benchmarked.
5) Engage stakeholders to resolve any complaints and receive feedback on the CSR issues affecting them.
6) Audit results including controls related to CSR and any public disclosures.
7) Report results.

30
Q

What are the stakeholder groups in auditing CSR?

A
  • Employees and their families
  • Environmental organizations
  • Customers
  • Suppliers
  • Communities
  • Shareholders
31
Q

How is risk defined in the Glossary?

A

“The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”

32
Q

What are the four broad categories of risk?

A

1) Strategic risks
2) Operational risks
3) Financial risks
4) Hazard risks

33
Q

What is risk capacity?

A

Risk capacity is the maximum amount of risk that an organization can tolerate without irreparably damaging the company.

34
Q

What is risk appetite?

A

Risk appetite is defined in the IIA Glossary as “the level of risk that an organization is willing to accept.”
Risk appetite is shaped by the expectations of stakeholders, regulatory and contractual requirements, and the influence of technology, capital, and human resources.

35
Q

What is risk tolerance?

A

Risk tolerance is the amount of variance in the returns from an activity that a company is willing to tolerate. The higher the risk tolerance, the greater the range of outcomes a company is willing to accept.

36
Q

What are some factors that influence a company’s risk appetite?

A
  • Their position in the business-development cycle.
  • The viewpoints of the major stakeholders.
  • Accounting factors.
  • The opportunity for fraud.
  • Entity-level factors – the personnel, changes in the organization’s structure, and changes in key personnel.
  • External factors – changes in the economy, industry, or technology.
  • Governmental restrictions.
37
Q

What are the five steps in the risk management process?

A

1) Risk identification
2) Risk assessment
3) Risk prioritization
4) Response planning
5) Risk monitoring

38
Q

What are some event identification techniques?

A
  • Brainstorming sessions
  • Event inventories and loss event data
  • Interviews and self-assessment
  • Facilitated workshops
  • SWOT analysis
  • Risk questionnaires and risk surveys
  • Scenario analysis
  • Technology
39
Q

What is Inherent Risk?

A

Inherent risk is defined as “the level of risk that resides with an event or process prior to management taking a mitigation action.”
It is the amount of risk that occurs naturally in the activities of the company.
Management cannot do anything about the existence of inherent risk; however, it can take steps to address and, where appropriate, mitigate its effects.

40
Q

What is Residual Risk?

A

Residual risk is defined as: “The level of risk that remains after management has taken action to mitigate the risk.”

Inherent risk
− Activities of management to mitigate/address the risk
= Residual risk

41
Q

What two factors are used to assess the exposure to risk?

A

1) Loss frequency or probability

2) Loss severity

42
Q

What is a Risk Map?

A

A visual depiction of relative risks based on their expected frequency and expected loss.

43
Q

What are the four measures of potential loss?

A

1) Expected loss
2) Unexpected loss
3) Maximum probable loss
4) Maximum possible loss (also called extreme or catastrophic loss)

44
Q

What is the expected loss?

A

The amount that management expects to lose to a given risk per year on average over a period of several years. Because the loss is expected, it should be included in the budget.

45
Q

What is the unexpected loss?

A

The amount that could likely be lost to the risk event in a very bad year, in excess of the amount budgeted for the expected loss, up to the maximum probable loss. The business should reserve the unexpected loss amount as capital.

46
Q

What is the maximum probable loss?

A

The largest loss that can occur under foreseeable circumstances. Damage greater than the maximum probable loss could occur, but, in the judgment of management, it is very unlikely to occur.

47
Q

What is the maximum possible loss?

A

The worst-case scenario. It represents the greatest possible loss from a specific risk or event.

48
Q

What are the five responses to risk?

A

1) Avoiding or eliminating the risk
2) Reducing or mitigating the risk
3) Transferring or sharing the risk
4) Retaining the risk
5) Exploiting or accepting the risk

49
Q

What is Enterprise Risk Management?

A

“[Enterprise risk management] is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.”

50
Q

What are the five components of the COSO ERM Framework?

A

1) Governance and culture
2) Strategy and objective-setting
3) Performance
4) Review and revision
5) Information, communication, and reporting

51
Q

What are the principles of the “strategy and objective setting” component of ERM?

A

1) Analyzes business context
2) Defines risk appetite
3) Evaluates alternative strategies
4) Formulates business objectives

52
Q

What are the principles of the “performance” component of ERM?

A

1) Identifies risk
2) Assesses severity of risk
3) Prioritizes risks
4) Implements risk responses
5) Develops portfolio view

53
Q

What are the principles of the “review and revision” component of ERM?

A

1) Assesses substantial change
2) Reviews risk and performance
3) Pursues improvement in enterprise risk management

54
Q

What are the principles of the “information, communication and reporting” component of ERM?

A

1) Leverages information systems
2) Communicates risk information
3) Reports on risk, culture, and performance

55
Q

What are the three areas of principles and guidance in ISO 31000?

A

1) Principles. The interrelated values that are foundational to the risk-management process.
2) Framework. The ways in which the risk-management plan should be integrated into “significant activities and functions.”
3) Process. A step-by-step list of procedures to design and execute risk management.

56
Q

What are the eight principles that ISO 31000 sets forth to guide risk-management procedures?

A

1) Integrated
2) Structured and comprehensive
3) Customized
4) Inclusive
5) Dynamic
6) Best available information
7) Human and cultural factors
8) Continual improvement

57
Q

What are the six steps of the risk-management process in ISO 31000?

A

1) Communication and consultation
2) Scope, context, and criteria
3) Risk assessment
4) Risk treatment
5) Monitoring and review
6) Recording and reporting

58
Q

What is the role of the IAA in the risk-management process?

A

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

59
Q

What must an assessment of the risk-management process address?

A

The internal auditor must be satisfied that the organization’s risk management processes address the following:

1) Risks that arise from business strategies and activities are identified and prioritized.
2) Management and the board set the level of risk acceptable to the organization (assess risk appetite).
3) Risk mitigation or reduction activities are designed and implemented to reduce or otherwise manage risk at acceptable levels.
4) Risks are periodically reassessed on an ongoing basis.
5) Reports are given periodically to the board and management on the risk assessment process.

60
Q

How is evidence for risk-management assessments gathered?

A

Evidence to support the risk assessment is usually obtained from engagements throughout the year.
Because there is no formula to follow, the successful assessment of risk often rests with the professional judgment and experience of the internal auditors and the CAE.

61
Q

What should the IAA do when there is no risk-management process?

A

The CAE must convince the board and senior management to establish one, even if it is just an informal set of procedures.

62
Q

In what three areas should the IAA provide assurance about the effectiveness of risk management?

A

1) The design and implementation of the risk management processes.
2) Identification of key risks and the effectiveness of their controls.
3) Assessment and reporting of risk and controls.

63
Q

What are assurance engagements connected to risk management that are core roles of the IAA?

A
  • Giving assurance on the risk management process
  • Giving assurance that risks are correctly evaluated
  • Evaluating risk management processes
  • Evaluating the reporting of key risks
  • Reviewing the management of key risks
64
Q

What are consulting engagements connected to risk management that are legitimate roles of the IAA?

A
  • Facilitating identification and evaluating risks
  • Coaching management in responding to risks
  • Coordinating ERM activities
  • Consolidated reporting on risks
  • Maintaining and developing the ERM framework
  • Championing the establishment of ERM
  • Developing the ERM strategy for board approval
65
Q

What are consulting engagements connected to risk management that the IAA should not undertake?

A
  • Setting the risk appetite
  • Imposing risk management processes
  • Management assurance on risks
  • Taking decisions on risk responses
  • Implementing responses on management’s behalf
  • Accountability for risk management
66
Q

How does the IIA Glossary define Control?

A

“Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”

67
Q

Internal control provides reasonable assurance about the achievement of objectives in what three areas?

A

1) Operations
2) Reporting
3) Compliance

68
Q

What are five types of controls?

A

1) Directive
2) Preventive
3) Detective
4) Corrective
5) Compensating

69
Q

What are the three timings of controls?

A

1) Feedforward controls
2) Concurrent controls
3) Feedback controls

70
Q

What are characteristics of effective controls?

A
  • Economical
  • Meaningful
  • Appropriate
  • Congruent
  • Timely
  • Simple
  • Operational
71
Q

What are the limitations of internal controls?

A

1) Internal controls can provide only reasonable assurance that objectives can be achieved. Internal controls should never be promoted as a guarantee.
2) Human error, faulty judgment, collusion, and fraud can all limit the effectiveness of controls.
3) Excessive or unreasonable controls can increase bureaucracy and reduce productivity. Controls must be evaluated in terms of their cost and benefit to avoid wasting resources.

72
Q

Who is responsible for internal controls?

A

The board of directors oversees the control system. The CEO is responsible for the “tone at the top.”
Senior managers delegate responsibility for establishing specific internal control policies and procedures.
Financial officers and their staffs are central to the exercise of control.
Internal auditors play a monitoring role.
Virtually all employees are involved in internal control. External parties such as independent auditors often provide information useful to effective internal control.

73
Q

What are the three main elements of the control process?

A

1) Setting the objectives.
2) Measuring performance against a standard.
3) Evaluating the results then correcting or regulating the performance.

74
Q

What are input controls in an automated control system?

A

1) Edit checks
2) Key verifications
3) Redundancy checks
4) Echo checks
5) Completeness checks

75
Q

What are processing controls in an automated control system?

A

1) Posting checks
2) Cross-footing
3) Zero balance checks
4) Run-to-run control totals
5) Internal header and trailer labels
6) Concurrency controls
7) Key integrity checks

76
Q

What are output controls in an automated control system?

A

1) Output distribution controls
2) Output retention controls
3) Forms controls
4) Error logs

77
Q

What four duties should always be segregated?

A

1) Authorizing a transaction.
2) Recording the transaction, preparing source documents, and maintaining journals.
3) Keeping physical custody of the related asset. For example, receiving checks in the mail.
4) The periodic reconciliation of the physical assets to the recorded amounts for those assets.

78
Q

What is collusion?

A

Collusion is when two or more people work together to get around the controls that are in place.

79
Q

What are the five components of internal control?

A

1) Control environment
2) Risk assessment
3) Control activities
4) Information and communication
5) Monitoring activities

80
Q

What is the Control Environment in the COSO Model?

A

The control environment sets the tone for the organization, influencing the control consciousness of its people. The control environment is the foundation for the other components of internal control.

81
Q

What is Risk Assessment in the COSO Model?

A

Risk assessment is the identification and analysis of relevant risks to the achievement of objectives and forms a basis for how risks should be managed.

82
Q

What are Control Activities in the COSO Model?

A

Control activities ensure that management directives are carried out. These policies and procedures also outline the necessary steps to address risks to the organization’s objectives.

83
Q

What is Information and Communication in the COSO Model?

A

These are the systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

84
Q

What is Monitoring in the COSO Model?

A

These are processes used to assess the quality of internal control performance over time. This objective is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

85
Q

What are the five principles of the Control Environment under the COSO Model?

A

1) The organization demonstrates a commitment to integrity and ethical values.
2) The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3) Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4) The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

86
Q

What are the four principles of Risk Assessment under the COSO Model?

A

1) The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2) The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3) The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4) The organization identifies and assesses changes that could significantly impact the system of internal control.

87
Q

What are the three principles of the Control Activities under the COSO Model?

A

1) The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
2) The organization selects and develops general control activities over technology to support the achievement of objectives.
3) The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

88
Q

What are the three principles of Information and Communication under the COSO Model?

A

1) The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
2) The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
3) The organization communicates with external parties regarding matters affecting the functioning of internal control.

89
Q

What are the two principles of Monitoring activities under the COSO Model?

A

1) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
2) The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

90
Q

What type of controls do both COSO and CoCo emphasize?

A

Soft controls, which emphasize ideas and expectations (for example, shared values, expectations, commitment, competence, and trust) rather than specific tasks (for example, policies and procedures).

91
Q

What are the key tenets of the Turnbull Report?

A
  • Board’s responsibility for internal controls
  • Management’s responsibility for internal controls
  • Employees’ responsibility for internal controls
  • Adopting a risk-based approach
  • Ongoing monitoring of risks and controls
92
Q

What is the role of the IAA in the company’s control system?

A

The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

93
Q

What are the steps in the evaluation of the effectiveness of controls?

A

1) Identify objectives and any associated risks.
2) Determine the significance of any risks.
3) Make note of the responses to these risks.
4) Identify the “key controls.”
5) Assess how well a given control is designed.
6) Test the control to ascertain the effectiveness of the design.

94
Q

What three criteria can help the IAA measure the effectiveness of a specific control?

A

1) The level of control must be “appropriate for the risk it addresses.” For example, petty cash does not need as many controls as cash received from customers.
2) The costs of the control must not exceed the benefits it provides. For example, the office supply cabinet does not need 24/7 surveillance and a biometric scanner for access, but a server room certainly would.
3) No control should “create significant business concerns.” For example, regardless of how efficiently a control manages a particular risk, if the control breaks the law, it puts the company in significant legal jeopardy.