IA UNIVERSE - LINES OF DEFENSE - HOLISTIC VIEW OF RISK

Question 1

The responsibility and accountability for setting org objectives resides with whom?

Answer 1

Sr. Management & Governing Bodies (BOD/Audit committee)

Question 2

First Line of Defense

Answer 2

• Operational management
• own and management risks
• responsible for implementing corrective actions to address process and control deficeinces

Question 3

Second Line of Defense

Answer 3

• Functions to oversee risk management
• Risk Management and Compliance
• limited independence - headed by entity chief risk officer
• primarily reports to sr. management
• monitors effectiveness on internal controls and
  compliance with laws

Question 4

Third Line of Defense

Answer 4

• Provides independent assurance - internal audit function
• greater independence
• reports to governing body - chair of audit committee

Question 5

IA Universe - Components of Audit = companys objectives

Answer 5

• organization divided among units which are audited

- risk units audited annually

Question 6

IA Universe Orientations (how units audited)

Answer 6

By:
- Horizontal audit - front to back (across departments)

• Business Profit Centers - aligned w/ management org.
  structure
• Corporate functions - accounting, HR, IT, marketing

Note: view IA universe in relation to managing business risk

Question 7

What are the types of IA engagements

Answer 7

Assurance & Advisory

Question 8

What are the deliverables for assurance engagements

Answer 8

• Audit opinion as to the adequacy and operating effectiveness of controls
• individual audits are rated and tracked until improvements are realized

Question 9

What are the deliverables for advisory engagements

Answer 9

• Advice from IA but not assesment opinions

Question 10

What does assurance engagements assess

Answer 10

The design/adequacy and operating effectiveness of

1) Entity controls
2) Business process controls
3) IT controls
4) business performance

Question 11

What are examples of entity controls

Answer 11

• management override
• risk assessment process
• results of operation
• period end financial reporting process

Question 12

What are examples of Business process controls

Answer 12

• effecitiveness of operation
• compliance w/ laws
• reliabilty of external finanical and management internal reporting

Question 13

What are examples of IT controls

Answer 13

• user/system access

- application controls

Question 14

What are examples of business performance controls

Answer 14

• customer satisfaction, life cycle, employee turnover

- reliability of metrics used in balance scorecard

Question 15

what are types of advisory engagements

Answer 15

• consulting services to sr. mngmnt, process owners,
  operational managment
• facilitate self assesment activities
• conduct in house training

Question 16

Governance, Risk, & Control

Answer 16

Governance is the combination of processes
and structures implemented to inform, direct,
manage and monitor the activities of the
organization toward the achievement of its
objectives.

•  Board provides oversight and management
executes the day-to-day activities that help
ensure effective governance is achieved

Risk owner - first line of defence

Question 17

Who are the external governance groups

Answer 17

• external auditors
• general regulators (SEC)
• industry specific regulators

Question 18

COSO ERM (enterprise risk management) components

Answer 18

C - control environment
R - risk assessment & responses
I - information & communication
M - Monitoring
E - Control activities

O - objective settings
E - event identification

Question 19

What are the two major types of risk

Answer 19

• inherent risk

- residual risk - also known as control risk

Question 20

what are some risk reponses (how to deal w/ risk)

test quesiton

Answer 20

S - Sharing - purchase insurance/hedging/outsourcing
A - Avoidance - divest or exist activity
A - Acceptance - cae agrees w/ mngmnt - tell IA (must doc.)
R - Reduction - strengthen controls

Question 21

List control activities

Answer 21

S- Segregation of Duties
I - Information controls
P - Performance indicators
P - Physical controls
D - Direct functional activity management
T - Top level reviews

Question 22

What is the role of IA in enterprise risk management (ERM)

Answer 22

IA function:
- monitors, examines, evaluates, and reports on enterprise risk management; in addition they recommend improvements to ERM processes

Question 23

What are the core internal audit roles in ERM

Answer 23

E - Evaluating the reporting of key risks
G - Giving assurance on risk management process
G - Giving assurance that risks are evaluated
E - Evaluate risk of management processes
R - Reviewing the management of key risks

Question 24

What are the roles internal audit should not undertake

Answer 24

M - Management assurance on risk
I   - Imposing risk management processes
S  - Setting the risk appetite
T  - Taking decisions on risk responses
I    - implementing risk responses on managements behalf
A  - Accountability for risk management

Question 25

What are legitimate internal audit roles with safeguards

Answer 25

• Facilitate identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidated reporting on risks
• Maintaining & developing the ERM framework
• Championing establishment of ERM
• Developing ERM strategy for board approval