Governance, risk management, control Flashcards

1
Q

Principles of Three lines Model

A
  1. Governance
  2. Governing body roles
  3. Management and first and second line roles
  4. Third line roles
  5. Third line independence
  6. Creating and protecting value
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Risk-based decision making

A

A considered process that includes analysis, planning, action, monitoring, and review, and takes account of potential impacts of uncertainty on objectives.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Assurance

A

Statement intended to increase the level of stakeholders’ confidence about an organization’s governance, risk management, and control processes over an issue, condition, subject matter, or activity under review when compared to established criteria.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

The governance of an organization requires appropriate structures and processes that enable:

A
  • Accountability by a governing body to stakeholders for organizational oversight through integrity, leadership, and transparency.
  • Actions (including management risk) by management to achieve the objectives of the organization through risk-based decision-making and application of resources.
  • Assurance and advice by an independent internal audit function to provide clarity and confidence and to promote and facilitate continuous improvement through rigorous inquiry and insightful communication.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

The governing body ensures:

A
  • Appropriate structures and processes are in place for effective governance
  • Organizational objectives and activities are aligned with the prioritized interests of stakeholders
  • Delegates responsibility and provides resources to management to achieve the objectives of the organization while ensuring legal, regulatory, and ethical expectations are met
  • Establishes and oversees and independent, objective, and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Direction and oversight of second line roles may be designed to secure a degree of independence from

A

those with first line roles - and even from the most senior levels of management- by establishing primary accountability and reporting lines to the governing body.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

IT governance board (scope, members)

A

Scope: Set business and IT strategy and investment plans
Members: CEO, CFO, CIO(information), plus CAE as nonvoting advisor on risk/control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

IT steering committee
(scope, members)

A

Scope: Ensures IT strategic alignment.
Members: IT senior management and business unit owners

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

IT portfolio office (scope, members)

A

Scope: Develop IT architecture design.

Members: IT and business program/project managers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

IT portfolio office (scope, members)

A

Scope: Develop IT architecture design.

Members: IT and business program/project managers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

IT architecture office (scope, members)

A

Scope: Determine IT architecture design.

Members: CIO, CISO(information security), COO(operating), IT infrastructure managers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Technology council (scope, members)

A

Scope: Evaluate technology opportunities.

Members: CIO, CTO(technology), and business unit owners

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Cybersecurity and data protection council (scope, members)

A

Scope: Evaluate risk and strategies to protect organization’s information assets.

Members: CIO, CTO, CISO, CRO(risk), CFO, COO(operating), business unit owners, and CAE as nonvoting advisor on risk/controls

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Directors (of board) attitudes are a key component of the internal environment. They must possess certain qualities to be effective:

A
  • A majority of the board be outsourced directors
  • Directors generally should have years of experience either in the industry or in corporate governance
  • Directors must be willing to challenge management’s choices. Complacent directors increase the chances of adverse consequences.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Components of COSO ERM framework

A
  1. Governance and culture
  2. Strategy and objective setting
  3. Performance
  4. Review and revision
  5. Information, communication, and reporting
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Governance and culture (Component of COSO ERM Framework)

A

Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Strategy and objective setting (Component of COSO ERM Framework)

A

ERM, strategy, and objective setting work together in strategic planning. A risk appetite is established and aligned with strategy, business objectives implement strategy while forming a basis for identifying, assessing, and responding to risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Performance (Component of COSO ERM Framework)

A

Risks to achievement of strategy and objectives are identified and assessed. Risks are prioritized by severity (impact and likelihood) in the context of risk appetite. The organization selects risk responses and takes a portfolio view of the amount of risk it has assumed and reports key risks to stakeholders.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Review and revision (Component of COSO ERM Framework)

A

By reviewing entity performance, an organization can consider ERM component effectiveness as the organization changes and what revisions are needed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Information, communication, and reporting (Component of COSO ERM Framework)
ERM requires…

A

a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Governance principles

A
  • Board membership
  • Board qualifications
  • Board independence
  • Transparent structure
  • Measurable strategy
  • Strategic structure
  • Governing policy
  • Clear lines
  • Effective interaction
  • Management oversight
  • Compensation policies
  • Control environment
  • Internal audit
  • Risk management
  • External audit
  • Key information disclosure
  • Governance disclosure
  • Conflict of interest
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

An organization has the ethical responsibility to be ethical in its practices, given local and global standards. Ethical responsibility has a broad scope and includes:

A
  1. Treatment of employees
  2. Truthful advertising
  3. Providing a clean and safe workplace
  4. Managing waste, and consumption.
23
Q

Social responsible (4) as identified by Archie B. Carroll

A
  1. economic responsibility
  2. legal responsibility
  3. ethical responsibility
  4. philanthropic responsibility
24
Q

The benefits of using ISO 14000 can include

A
  1. reduced cost of waste management
  2. savings in consumption of energy and materials
  3. lower distribution costs
  4. improved corporate image among regulators, customers, and the public
25
Q

Typical CSR stakeholder groups are

A
  1. customers
  2. employees and their families
  3. environmental groups
  4. neighboring communities
  5. shareholders
  6. suppliers
26
Q

When evaluating a code of conduct, it is important to consider two items:

A

comprehensiveness and compliance. The code should address the ethical issues that the employees are expected to encounter and provide suitable guidance.

27
Q

The three principles related to the review and revision component of the COSO ERM framework are the organization..

A
  1. identifies and assesses changes that substantially affect strategy and business objectives
  2. reviews entity performance results and considers risk
  3. pursues improvement of ERM
28
Q

Inherent risk is

A

the risk when management does not act to alter its severity. Severity is measured as a combination of impact and likelihood.

29
Q

Sharing reduces the severity of the risk by transferring some risk to another party. Examples are

A

insurance, hedging, joint ventures, outsourcing, and contractual agreements with customers, vendors, or other business partners.

30
Q

Risk capacity is

A

the maximum amount of risk an entity is able to bear and remain solvent. The organization considers its mission, vision, culture, prior strategies, and risk capacity to set its risk appetite. In setting risk appetite, the optimal balance of opportunity and risk is sought. Risk appetite is rarely set above risk capacity.

31
Q

Risk appetite should be considered in

A
  1. Aligning with development of strategy
  2. Aligning with business objectives
  3. Prioritizing risks
  4. Implementing risk responses
32
Q

Risk committee may be created that

A
  • Identifies key risks
  • Connect them to risk management processes
  • Delegates them to risk owners
  • Considers whether tolerance levels delegated to risk owners are consistent with the organization’s risk appetite.
33
Q

Inherent risk is

A

the risk when management does not act to alter its severity. Severity commonly is measured as a combination of impact and likelihood.

34
Q

ERM Governance and Culture
Setting tone and establishes responsibilities:

A
  1. Exercises Board Risk Oversight
  2. Establishes Operating Structures
  3. Defines Desired Culture
  4. Demonstrates Commitment to Core Values
  5. Attract, Develops, and Retains Capable Individuals
35
Q

ERM Strategy and Objective setting
Strategy must support the organization’s mission, vision, and core values.

A
  1. Analyzes Business Context
  2. Defines Risk Appetites
  3. Evaluates Alternative Strategies
  4. Formulates Business Objectives
36
Q

ERM Performance
ERM practices that support the organization’s decisions in pursuit of value.

A
  1. Identifies risk
  2. Assesses severity of risk
  3. Prioritizes risk
  4. Implements risk responses
  5. Develops portfolio view
37
Q

ERM Review and revision
The organization reviews and revises its current ERM capabilities and practices based on changes in strategy and business objectives.

A
  1. Assesses substantial change
  2. Reviews risk and performance
  3. Pursues improvement in Enterprise Risk Management
38
Q

ERM Information, Communication and Reporting
The organization must capture, process, manage, and communicate timely and relevant information to identify risks that could affect strategy and business objectives.

A
  1. Leverages Information and Technology
  2. Communicates risk information
  3. Reports on risk, culture, and performance.
39
Q

Core Internal Audit’s role in regard to ERM (assurance)

A
  • Giving assurance on the risk management processes
  • Giving assurance that risks are correctly evaluated
  • Evaluating risk management processes
  • Evaluating the reporting of key risks
  • Reviewing the management of key risks
40
Q

Legitimate internal audit roles with safeguards (ERM)

A
  • Facilitating identification and evaluation of risks
  • Coaching management in responding to risks
  • Coordinating ERM activities
  • Consolidated reporting on risks
  • Maintaining and developing the ERM framework
  • Championing established of ERM
  • Developing ERM strategy for board approval.
41
Q

Roles internal audit should not undertake (ERM)

A
  • Setting the risk appetite
  • Imposing risk management processes
  • Management assurance on risks
  • Taking decisions on risk responses
  • Implementing risk responses on management’s behalf
  • Accountability for risk management
42
Q

Internal control is a…
(by COSO)

A

process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

43
Q

Audit plan should include higher-risk governance processes. It should define

A
  1. the nature of the work
  2. the governance processes
  3. the nature of the assessments e.g., consideration of specific risks, processes, or activities
44
Q

Risk modeling is a method of..

A

risk assessment and prioritization. It ranks and validates risk priorities when setting the priorities of engagements in the audit plan. Risk factors may be weighed based on professional judgments to determine their relative significance, but the weights need not be quantified.

45
Q

COSO’s Internal Control- Integrated Framework (components)

A
  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring activities
46
Q

COSO’s Internal Control- Integrated Framework (structure level)

A
  • Entity level
  • Division
  • Operating unit
  • Function
47
Q

COSO’s Internal Control- Integrated Framework (categories of objectives)

A
  • Operating
  • Reporting
  • Compliance
48
Q

The COSO internal control framework establishes a direct relationship between:

A
  • Organizational objectives (what the entity strives to achieve)
  • The framework components (which represent what is needed to achieve the objectives)
  • The entity structure (the various levels where control is applied)
49
Q

Safeguarding assets examples

A

loss prevention, detection, reporting, efficient use and waste reduction, and intellectual property (IP) protection.

50
Q

COBIT governance system principles

A
  1. Provide stakeholder value
  2. Holistic approach
  3. Dynamic governance system
  4. Governance distinct from management
  5. Tailored to enterprise needs
  6. End-to-end governance system
51
Q

COBIT Governance framework principles

A
  1. Based on conceptual model
  2. Open and flexible
  3. Aligned to major standards
52
Q

COSO outlines the CEO’s responsibilities as including guiding..

A

the development and performance of ERM processes across the organization and delegating to management.

53
Q

Risk monitoring:

A
  1. track identified risks
  2. evaluates current risk response plans
  3. monitors residual risks
  4. identifies new risks
54
Q

Risk modeling is a

A

method of risk assessment and prioritization. It ranks and validates risk priorities when setting the priorities of engagements in the audit plan. Risk factors may be weighed based on professional judgments to determine their relative significance, but the weights need not be quantified.