Governance, risk management, control

Question 1

Principles of Three lines Model

Answer 1

1. Governance
2. Governing body roles
3. Management and first and second line roles
4. Third line roles
5. Third line independence
6. Creating and protecting value

Question 2

Risk-based decision making

Answer 2

A considered process that includes analysis, planning, action, monitoring, and review, and takes account of potential impacts of uncertainty on objectives.

Question 3

Assurance

Answer 3

Statement intended to increase the level of stakeholders’ confidence about an organization’s governance, risk management, and control processes over an issue, condition, subject matter, or activity under review when compared to established criteria.

Question 4

The governance of an organization requires appropriate structures and processes that enable:

Answer 4

• Accountability by a governing body to stakeholders for organizational oversight through integrity, leadership, and transparency.
• Actions (including management risk) by management to achieve the objectives of the organization through risk-based decision-making and application of resources.
• Assurance and advice by an independent internal audit function to provide clarity and confidence and to promote and facilitate continuous improvement through rigorous inquiry and insightful communication.

Question 5

The governing body ensures:

Answer 5

• Appropriate structures and processes are in place for effective governance
• Organizational objectives and activities are aligned with the prioritized interests of stakeholders
• Delegates responsibility and provides resources to management to achieve the objectives of the organization while ensuring legal, regulatory, and ethical expectations are met
• Establishes and oversees and independent, objective, and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives

Question 6

Direction and oversight of second line roles may be designed to secure a degree of independence from

Answer 6

those with first line roles - and even from the most senior levels of management- by establishing primary accountability and reporting lines to the governing body.

Question 7

IT governance board (scope, members)

Answer 7

Scope: Set business and IT strategy and investment plans
Members: CEO, CFO, CIO(information), plus CAE as nonvoting advisor on risk/control

Question 8

IT steering committee
(scope, members)

Answer 8

Scope: Ensures IT strategic alignment.
Members: IT senior management and business unit owners

Question 9

IT portfolio office (scope, members)

Answer 9

Scope: Develop IT architecture design.

Members: IT and business program/project managers

Question 10

IT portfolio office (scope, members)

Answer 10

Scope: Develop IT architecture design.

Members: IT and business program/project managers

Question 11

IT architecture office (scope, members)

Answer 11

Scope: Determine IT architecture design.

Members: CIO, CISO(information security), COO(operating), IT infrastructure managers

Question 12

Technology council (scope, members)

Answer 12

Scope: Evaluate technology opportunities.

Members: CIO, CTO(technology), and business unit owners

Question 13

Cybersecurity and data protection council (scope, members)

Answer 13

Scope: Evaluate risk and strategies to protect organization’s information assets.

Members: CIO, CTO, CISO, CRO(risk), CFO, COO(operating), business unit owners, and CAE as nonvoting advisor on risk/controls

Question 14

Directors (of board) attitudes are a key component of the internal environment. They must possess certain qualities to be effective:

Answer 14

• A majority of the board be outsourced directors
• Directors generally should have years of experience either in the industry or in corporate governance
• Directors must be willing to challenge management’s choices. Complacent directors increase the chances of adverse consequences.

Question 15

Components of COSO ERM framework

Answer 15

1. Governance and culture
2. Strategy and objective setting
3. Performance
4. Review and revision
5. Information, communication, and reporting

Question 16

Governance and culture (Component of COSO ERM Framework)

Answer 16

Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.

Question 17

Strategy and objective setting (Component of COSO ERM Framework)

Answer 17

ERM, strategy, and objective setting work together in strategic planning. A risk appetite is established and aligned with strategy, business objectives implement strategy while forming a basis for identifying, assessing, and responding to risk.

Question 18

Performance (Component of COSO ERM Framework)

Answer 18

Risks to achievement of strategy and objectives are identified and assessed. Risks are prioritized by severity (impact and likelihood) in the context of risk appetite. The organization selects risk responses and takes a portfolio view of the amount of risk it has assumed and reports key risks to stakeholders.

Question 19

Review and revision (Component of COSO ERM Framework)

Answer 19

By reviewing entity performance, an organization can consider ERM component effectiveness as the organization changes and what revisions are needed.

Question 20

Information, communication, and reporting (Component of COSO ERM Framework)
ERM requires…

Answer 20

a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

Question 21

Governance principles

Answer 21

• Board membership
• Board qualifications
• Board independence
• Transparent structure
• Measurable strategy
• Strategic structure
• Governing policy
• Clear lines
• Effective interaction
• Management oversight
• Compensation policies
• Control environment
• Internal audit
• Risk management
• External audit
• Key information disclosure
• Governance disclosure
• Conflict of interest

Question 22

An organization has the ethical responsibility to be ethical in its practices, given local and global standards. Ethical responsibility has a broad scope and includes:

Answer 22

1. Treatment of employees
2. Truthful advertising
3. Providing a clean and safe workplace
4. Managing waste, and consumption.

Question 23

Social responsible (4) as identified by Archie B. Carroll

Answer 23

1. economic responsibility
2. legal responsibility
3. ethical responsibility
4. philanthropic responsibility

Question 24

The benefits of using ISO 14000 can include

Answer 24

1. reduced cost of waste management
2. savings in consumption of energy and materials
3. lower distribution costs
4. improved corporate image among regulators, customers, and the public

Question 25

Typical CSR stakeholder groups are

Answer 25

1. customers
2. employees and their families
3. environmental groups
4. neighboring communities
5. shareholders
6. suppliers

Question 26

When evaluating a code of conduct, it is important to consider two items:

Answer 26

comprehensiveness and compliance. The code should address the ethical issues that the employees are expected to encounter and provide suitable guidance.

Question 27

The three principles related to the review and revision component of the COSO ERM framework are the organization..

Answer 27

1. identifies and assesses changes that substantially affect strategy and business objectives
2. reviews entity performance results and considers risk
3. pursues improvement of ERM

Question 28

Inherent risk is

Answer 28

the risk when management does not act to alter its severity. Severity is measured as a combination of impact and likelihood.

Question 29

Sharing reduces the severity of the risk by transferring some risk to another party. Examples are

Answer 29

insurance, hedging, joint ventures, outsourcing, and contractual agreements with customers, vendors, or other business partners.

Question 30

Risk capacity is

Answer 30

the maximum amount of risk an entity is able to bear and remain solvent. The organization considers its mission, vision, culture, prior strategies, and risk capacity to set its risk appetite. In setting risk appetite, the optimal balance of opportunity and risk is sought. Risk appetite is rarely set above risk capacity.

Question 31

Risk appetite should be considered in

Answer 31

1. Aligning with development of strategy
2. Aligning with business objectives
3. Prioritizing risks
4. Implementing risk responses

Question 32

Risk committee may be created that

Answer 32

• Identifies key risks
• Connect them to risk management processes
• Delegates them to risk owners
• Considers whether tolerance levels delegated to risk owners are consistent with the organization’s risk appetite.

Question 33

Inherent risk is

Answer 33

the risk when management does not act to alter its severity. Severity commonly is measured as a combination of impact and likelihood.

Question 34

ERM Governance and Culture
Setting tone and establishes responsibilities.

Answer 34

1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attract, Develops, and Retains Capable Individuals

Question 35

ERM Strategy and Objective setting
Strategy must support the organization’s mission, vision, and core values.

Answer 35

6. Analyzes Business Context
7. Defines Risk Appetites
8. Evaluates Alternative Strategies
9. Formulates Business Objectives

Question 36

ERM Performance
ERM practices that support the organization’s decisions in pursuit of value.

Answer 36

10. Identifies risk
11. Assesses severity of risk
12. Prioritizes risk
13. Implements risk responses
14. Develops portfolio view

Question 37

ERM Review and revision
The organization reviews and revises its current ERM capabilities and practices based on changes in strategy and business objectives.

Answer 37

15. Assesses substantial change
16. Reviews risk and performance
17. Pursues improvement in Enterprise Risk Management

Question 38

ERM Information, Communication and Reporting
The organization must capture, process, manage, and communicate timely and relevant information to identify risks that could affect strategy and business objectives.

Answer 38

18. Leverages Information and Technology
19. Communicates risk information
20. Reports on risk, culture, and performance.

Question 39

Core Internal Audit’s role in regard to ERM (assurance)

Answer 39

• Giving assurance on the risk management processes
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks

Question 40

Legitimate internal audit roles with safeguards (ERM)

Answer 40

• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidated reporting on risks
• Maintaining and developing the ERM framework
• Championing established of ERM
• Developing ERM strategy for board approval.

Question 41

Roles internal audit should not undertake (ERM)

Answer 41

• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Taking decisions on risk responses
• Implementing risk responses on management’s behalf
• Accountability for risk management

Question 42

Internal control is a…
(by COSO)

Answer 42

process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

Question 43

Audit plan should include higher-risk governance processes. It should define

Answer 43

1. the nature of the work
2. the governance processes
3. the nature of the assessments e.g., consideration of specific risks, processes, or activities

Question 44

Risk modeling is a method of..

Answer 44

risk assessment and prioritization. It ranks and validates risk priorities when setting the priorities of engagements in the audit plan. Risk factors may be weighed based on professional judgments to determine their relative significance, but the weights need not be quantified.

Question 45

COSO’s Internal Control- Integrated Framework (components)

Answer 45

• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities

Question 46

COSO’s Internal Control- Integrated Framework (structure level)

Answer 46

• Entity level
• Division
• Operating unit
• Function

Question 47

COSO’s Internal Control- Integrated Framework (categories of objectives)

Answer 47

• Operating
• Reporting
• Compliance

Question 48

The COSO internal control framework establishes a direct relationship between:

Answer 48

• Organizational objectives (what the entity strives to achieve)
• The framework components (which represent what is needed to achieve the objectives)
• The entity structure (the various levels where control is applied)

Question 49

Safeguarding assets examples

Answer 49

loss prevention, detection, reporting, efficient use and waste reduction, and intellectual property (IP) protection.

Question 50

COBIT governance system principles

Answer 50

1. Provide stakeholder value
2. Holistic approach
3. Dynamic governance system
4. Governance distinct from management
5. Tailored to enterprise needs
6. End-to-end governance system

Question 51

COBIT Governance framework principles

Answer 51

1. Based on conceptual model
2. Open and flexible
3. Aligned to major standards

Question 52

COSO outlines the CEO’s responsibilities as including guiding..

Answer 52

the development and performance of ERM processes across the organization and delegating to management.