Internal Control And Risk Management Framework Flashcards
Why should the company have a reliable and effective internal control system and enterprise risk management framework?
To ensure the integrity, transparency, and proper governance in the conduct of its affairs.
What should be considered when establishing an adequate and effective internal control system and enterprise risk management framework?
Size
Risk Profile
Complexity of Operations
What should the Company have that provides independent and objective assurance and consulting services?
Independent Internal Audit Function
According to the function of internal audit, to whom should an independent risk-based assurance be provided?
The Board, Audit Committee, and Management
According to the function of internal audit, what kind of service should be provided to the Board, Audit Committee, and Management?
an independent risk-based assurance service
According to the function of internal audit, what should be the focus of the independent risk-based assurance service?
Focused on reviewing the effectiveness of the governance and control processes in:
* promoting the right values and ethics
* ensuring effective performance management and accounting in the organization
* communicating risk and control information
* coordinating the activities and information among the Board, internal and external auditors, and Management
According to the function of internal audit, what kinds of audits are performed as contained in the annual audit plan and/or based on the Company's risk assessment?
Regular and Special audit
According to the function of internal audit, it performs regular and special audits as contained and/or based on what?
As contained in the annual audit plan
Based on the Company’s risk assessment
According to the function of internal audit, what kind of services related to governance and control are performed, as appropriate for the organization?
Consulting and Advisory Services
According to the function of internal audit, performing consulting and advisory services are related to what?
Governance and Control
What are the functions of the internal audit?
- Provides an independent risk-based assurance service
- Reviews, audits, and assesses the efficiency and effectiveness of the internal control system
- Evaluates operations or programs to ascertain whether they are consistent with the objectives
- Performs: regular and special audits; consulting and advisory services; compliance audits of relevant laws
- Evaluates specific operations upon request
- Monitors and evaluates governance processes
Who appoints the Chief Audit Executive?
the Board
Who shall oversee and be responsible for the internal audit activity of the organization?
Chief Audit Executive (CAE)
It is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives.
Internal Control
What are the three objectives of Internal Control?
Reliability of the entity’s financial reporting
Effectiveness and efficiency of operations
Compliance with applicable laws and regulations
CECIM
What are the elements of control?
Control Environment
Entity’s risk assessment process
Control Activities
Information system, business processes, financial reporting, and communications
Monitoring of controls
Why should a Company have a separate risk management function?
To identify, assess, and monitor key risk exposures.
Who is the ultimate champion of Enterprise Risk Management (ERM) and has adequate authority, stature, resources, and support to fulfill his/her responsibilities?
Chief Risk Officer (CRO)
What are the functions of the CRO?
- Supervises the entire ERM process and spearheads the development, implementation, maintenance and continuous improvement of the ERM process and its documentation (DIMD)
- Communicates the top risks and the status of implementation to the Board Risk Oversight Committee (BROC)
- Collaborates with the CEO in updating and making recommendations
- Suggests ERM policies and related guidance
- Provides insights on whether:
  - Risk management processes are performing as intended
  - Risk measures reported are continuously reviewed
  - Established risk policies and procedures are complied with
It is the process of measuring or assessing risks and developing strategies to manage them.
Risk Management
It is a systematic approach in identifying, analyzing, and controlling areas or events with the potential for unwanted change.
Risk Management
CABBCB
Principles of Risk Management
Create Value
Address uncertainty and assumptions
Be an integral part of the organizational processes and decision making
Be dynamic, iterative, transparent, tailorable, and responsive to change
Create capability for continual improvement and enhancement, considering the best available information and the human factor
Be systematic, structured and continually or periodically reassessed
EIR
Process of Risk Management
Establishing the context/coverage
Identification of Potential Risks
Risk Assessment
IADIP
Elements of Risk Management
Identification, characterization, and assessment of threats
Assessment of the vulnerability of critical assets to specific threats
Determination of risk
Identification of ways to reduce those risks
Prioritization of risk reduction measures based on a strategy
In the elements of risk management, what is assessed when determining risk?
The expected likelihood and consequence of specific types of attacks on a particular asset
DICEDE
What are the activities involved in the risk management function?
Defining a risk management strategy
Identifying and analyzing key risk exposures relating to economic, environmental, social and governance (EESG) factors and the achievement of the organization's strategic objectives
Communicating and reporting significant risk exposures
Evaluating and categorizing each identified risk using the company’s predefined risk categories and parameters
Developing a risk mitigation plan for the most important risks
Establishing a risk register with clearly defined, prioritized and residual risks
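The two cards above (the IADIP elements of risk management and the DICEDE activities of the risk management function) describe a procedure: score each threat against an asset by likelihood and consequence, apply mitigations to arrive at a residual risk, categorize each risk with predefined categories and parameters, and prioritize against a strategy. The following is an added worked example of such a risk register, written for this page and not part of the original flashcards or any company's actual framework. The 5x5 likelihood and consequence scales, the category list, the sample risks and the "appetite" threshold are all assumptions chosen for illustration.

```python
"""Toy risk register: threat-on-asset pairs scored by likelihood x consequence,
mitigations applied to derive residual risk, then prioritised against an appetite.
Added example; scales, categories and sample data are assumed, not from any real framework."""
from dataclasses import dataclass, field
from typing import Dict, List

# Predefined risk categories and parameters (assumed; a company defines its own)
CATEGORIES = {"strategic", "compliance", "operational", "financial", "reputational"}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Mitigation:
    """A risk reduction measure and how many scale steps it removes."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    asset: str           # the critical asset exposed
    threat: str          # the specific threat or attack type
    category: str        # one of CATEGORIES (business risk category)
    likelihood: str      # key of LIKELIHOOD
    consequence: str     # key of CONSEQUENCE
    mitigations: List[Mitigation] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Enforce the company's predefined categories and parameters
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if self.likelihood not in LIKELIHOOD or self.consequence not in CONSEQUENCE:
            raise ValueError(f"unknown likelihood/consequence on {self.risk_id}")

    def inherent_score(self) -> int:
        """Risk before any mitigation: likelihood x consequence."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual_score(self) -> int:
        """Risk after mitigations; neither factor can drop below 1."""
        lik = LIKELIHOOD[self.likelihood] - sum(m.likelihood_reduction for m in self.mitigations)
        con = CONSEQUENCE[self.consequence] - sum(m.consequence_reduction for m in self.mitigations)
        return max(1, lik) * max(1, con)


def rating(score: int) -> str:
    """Map a 1..25 score onto a qualitative rating (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first; ties broken by inherent risk, then id."""
    return sorted(register, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.risk_id))


def needs_mitigation_plan(register: List[Risk], appetite: int) -> List[str]:
    """The strategy here: any residual score above the appetite needs a plan."""
    return [r.risk_id for r in prioritize(register) if r.residual_score() > appetite]


def board_report(register: List[Risk], appetite: int) -> Dict[str, object]:
    """Summary in the shape a risk oversight committee would receive."""
    by_category: Dict[str, List[str]] = {}
    for r in prioritize(register):
        by_category.setdefault(r.category, []).append(f"{r.risk_id} ({rating(r.residual_score())})")
    return {"business_risks": by_category,
            "control_issues": [r.risk_id for r in register if not r.mitigations],
            "mitigation_plan": needs_mitigation_plan(register, appetite)}


def build_sample_register() -> List[Risk]:
    """Constructed sample data for the example (not real assessments)."""
    return [
        Risk("R1", "customer database", "ransomware", "operational", "likely", "severe",
             [Mitigation("offline backups", consequence_reduction=2),
              Mitigation("endpoint detection", likelihood_reduction=1)]),
        Risk("R2", "payment gateway", "supplier outage", "financial", "possible", "major"),
        Risk("R3", "public website", "defacement", "reputational", "possible", "minor"),
        Risk("R4", "HR records", "privacy law breach", "compliance", "unlikely", "major",
             [Mitigation("privacy officer review", likelihood_reduction=1)]),
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    for r in prioritize(reg):
        print(r.risk_id, r.category, r.inherent_score(), "->", r.residual_score(), rating(r.residual_score()))
    print(board_report(reg, appetite=8))
```

Note that R1 has the highest inherent score but drops below R2 once its mitigations are counted, which is exactly why the register records residual as well as inherent risk: the mitigation plan is driven by what remains after existing controls, and an unmitigated medium risk can outrank a well-controlled severe one.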
Among the activities of the risk management function, what is used when evaluating and categorizing each identified risk?
Using the company’s predefined risk categories and parameters
Among the activities of the risk management function, a risk register is established with what?
With clearly defined, prioritized and residual risks
Among the activities of the risk management function, a risk mitigation plan is developed for what?
For the most important risks to the company
Among the activities of the risk management function, the most important risks to the company are defined by what?
By the risk management strategy
Among the activities of the risk management function, what significant risk exposures are communicated and reported?
- Business risks
- Control Issues
- Risk Mitigation Plan
Among the activities of the risk management function, to whom should the significant risk exposures be communicated and reported?
To the Board Risk Oversight Committee
Among the activities of the risk management function, what are examples of business risks?
- Strategic risk
- Compliance risk
- Operational risk
- Financial risk
- Reputational risk