IA UNIVERSE - LINES OF DEFENSE - HOLISTIC VIEW OF RISK Flashcards
The responsibility and accountability for setting org objectives resides with whom?
Sr. Management & Governing Bodies (BOD/Audit committee)
First Line of Defense
- Operational management
- own and manage risks
- responsible for implementing corrective actions to address process and control deficiencies
Second Line of Defense
- Functions to oversee risk management
- Risk Management and Compliance
- limited independence - headed by entity chief risk officer
- primarily reports to sr. management
- monitors effectiveness of internal controls and compliance with laws
Third Line of Defense
- Provides independent assurance - internal audit function
- greater independence
- reports to governing body - chair of audit committee
IA Universe - Components of Audit = company's objectives
- organization divided among units which are audited
- risk units audited annually
IA Universe Orientations (how units audited)
By:
- Horizontal audit - front to back (across departments)
- Business Profit Centers - aligned w/ management org. structure
- Corporate functions - accounting, HR, IT, marketing
Note: view IA universe in relation to managing business risk
What are the types of IA engagements
Assurance & Advisory
What are the deliverables for assurance engagements
- Audit opinion as to the adequacy and operating effectiveness of controls
- individual audits are rated and tracked until improvements are realized
What are the deliverables for advisory engagements
- Advice from IA but not assessment opinions
What do assurance engagements assess
The design/adequacy and operating effectiveness of
1) Entity controls
2) Business process controls
3) IT controls
4) business performance
What are examples of entity controls
- management override
- risk assessment process
- results of operation
- period end financial reporting process
What are examples of Business process controls
- effectiveness of operation
- compliance w/ laws
- reliability of external financial and management internal reporting
What are examples of IT controls
- user/system access
- application controls
What are examples of business performance controls
- customer satisfaction, life cycle, employee turnover
- reliability of metrics used in balanced scorecard
What are types of advisory engagements
- consulting services to sr. mgmt, process owners, operational management
- facilitate self assessment activities
- conduct in house training
Governance, Risk, & Control
Governance is the combination of processes and structures implemented to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.
• Board provides oversight and management executes the day-to-day activities that help ensure effective governance is achieved
Risk owner - first line of defense
Who are the external governance groups
- external auditors
- general regulators (SEC)
- industry specific regulators
COSO ERM (enterprise risk management) components
C - control environment
R - risk assessment & responses
I - information & communication
M - Monitoring
E - Control activities
O - objective setting
E - event identification
What are the two major types of risk
- inherent risk
- residual risk - also known as control risk
What are some risk responses (how to deal w/ risk)
test question
S - Sharing - purchase insurance/hedging/outsourcing
A - Avoidance - divest or exit activity
A - Acceptance - CAE agrees w/ mgmt - tell IA (must doc.)
R - Reduction - strengthen controls
List control activities
S - Segregation of Duties
I - Information controls
P - Performance indicators
P - Physical controls
D - Direct functional activity management
T - Top level reviews
What is the role of IA in enterprise risk management (ERM)
IA function:
- monitors, examines, evaluates, and reports on enterprise risk management; in addition they recommend improvements to ERM processes
What are the core internal audit roles in ERM
E - Evaluating the reporting of key risks
G - Giving assurance on risk management process
G - Giving assurance that risks are evaluated
E - Evaluate risk of management processes
R - Reviewing the management of key risks
What are the roles internal audit should not undertake
M - Management assurance on risk
I - Imposing risk management processes
S - Setting the risk appetite
T - Taking decisions on risk responses
I - Implementing risk responses on management's behalf
A - Accountability for risk management
What are legitimate internal audit roles with safeguards
- Facilitate identification and evaluation of risks
- Coaching management in responding to risks
- Coordinating ERM activities
- Consolidated reporting on risks
- Maintaining & developing the ERM framework
- Championing establishment of ERM
- Developing ERM strategy for board approval