SU 5 - Governance Flashcards

1
Q

A strategy to promote the long-term viability of an organization’s operations and actions by ensuring that the current and future needs of the organization and society can be met.

A

Sustainable Development

2
Q

A concept that corporate success should be measured in three dimensions–economic, social, and environmental–not just by traditional economic profitability measures.

A

Triple bottom line

3
Q

The tangible manifestation of culture through the actions, behaviors, and decisions of the individuals who form an organization.

A

Conduct

4
Q

The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

A

Governance

5
Q

The leadership, structure, and oversight processes that ensure the organization’s IT supports the objectives and strategies of the organization.

A

IT Governance

6
Q

The conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

A

Compliance

7
Q

Beliefs about right versus wrong that guide people’s and organizations’ decisions and actions, especially in situations that require making tradeoffs between conflicting objectives.

A

Values

8
Q

Refers to how management plans to achieve the organization’s objectives.

A

Strategy

9
Q

The way firms integrate social, environmental, and economic concerns into their values, culture, decision making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth, and improve society.

A

Corporate Social Responsibility (CSR)

10
Q

The values and norms that exist in an organization.

A

Culture

11
Q

The established parameters and boundaries of the audit engagement. It identifies what will be reviewed (processes, activities, and time period) and what will be excluded from the engagement.

A

Audit scope

12
Q

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

A

Risk Management

13
Q

Any action taken by management, the board, or other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved

A

Control

14
Q

The board of directors functions like an overarching “umbrella” by providing which two broad types of governance to the organization?

A
  1. Strategic direction
  2. Governance oversight
15
Q

4 responsibilities of risk owners

A
  1. Evaluating risk management design against risk tolerance.
  2. Assessing risk management capabilities, maturity, and operations.
  3. Monitoring risks on a daily basis.
  4. Providing accurate and timely information and recommendations to senior management and the board.
16
Q

The IIA’s Three Lines Model helps clarify the internal audit activity’s role in what?

A

GRC

17
Q

The Three Lines Model is a principles-based model intended to be adapted to the needs of any organization. Its six principles are:

A
  1. Governance
  2. Governing body roles
  3. Management 1st and 2nd line roles
  4. 3rd line roles
  5. 3rd line independence
  6. Creating and protecting value
18
Q

Who determines risk appetite and oversees GRC?

A

The board

19
Q

Who remains primarily accountable to the board and reports to it on GRC, achievement of objectives, continuous improvement, and disclosures of impairments?

A

Internal Audit Activity

20
Q

This report is principles- and outcomes-based, focusing on transparency and disclosures that require entities to explain how the principles are applied.

A

King IV (2016)

21
Q

A Code of Corporate Practices and Conduct is included in the King report (7 characteristics)

The Duke Is Fair And Socially Responsible

A
  1. Discipline. Organizations commit to disciplined behavior that is universally accepted as proper and correct.
  2. Transparency. Organizations commit to make it easy for outsiders to analyze the organization’s activities.
  3. Independence. Organizations are self-reliant and can manage or avoid conflict.
  4. Accountability. Organizations develop ways to accept and acknowledge the positive and negative consequences of their actions.
  5. Responsibility. Organizations design corrective action into all processes and consider the needs of all stakeholders in decision making.
  6. Fairness. Organizations balance competing interests.
  7. Social responsibility. Organizations embed corporate social responsibility programs into their core business model.
22
Q

3 key tools to achieve sustainability as per King IV

Chris Finds Innovation

A
  1. Innovation
  2. Fairness
  3. Collaboration
23
Q

What approach allows internal audit to determine whether controls are effective in managing the risks that arise from the strategic direction that a company, through its board, has decided to adopt?

A

Risk-based Approach

24
Q

What approach merely assesses compliance with existing procedures and processes without evaluating whether the procedure or process is an adequate control?

A

Compliance-based approach

25
Q

STANDARD: The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

A

Implementation Standard 2110.A2 (Assurance Engagements)

26
Q

The leadership, structure, and oversight processes that ensure the organization’s IT supports the objectives and strategies of the organization is called?

A

IT governance (Anderson et al. in Internal Auditing)

27
Q

An IT governance framework addresses which 3 components?

A
  1. IT process areas. Change management, information security management, software development, IT project management, etc.
  2. IT mechanisms. Standards, policies, and frameworks for directing, monitoring, and measuring IT performance and managing IT risks.
  3. IT governance organizational structures. IT roles and reporting lines to meet organizational objectives and formally evaluate and prioritize requirements.
28
Q

5 areas of a general IT governance framework as per IIA’s Global Technology Audit Guide (GTAG) 17, “Auditing IT Governance”

A
  1. Strategic alignment
  2. Risk Management
  3. Value delivery
  4. Performance measurement
  5. Resource management
29
Q

Role of Internal Audit in IT Governance

A

The internal audit activity must assess IT governance per Standard 2110.A2

30
Q

Refers to how management plans to achieve the organization’s objectives.

A

Strategy (Anderson et al. in Internal Auditing )

31
Q

The attitude and actions of the board and management regarding the importance of control within the organization. It provides the discipline and structure for the achievement of the primary objectives of the system of internal control. It is the foundation for the system of internal controls.

A

Control Environment

32
Q

6 elements of the control environment

Management Is Assuring Humans Of Competence

A
  1. Integrity and ethical values.
  2. Management’s philosophy and operating style.
  3. Organizational structure.
  4. Assignment of authority and responsibility.
  5. Human resource policies and practices.
  6. Competence of personnel.
33
Q

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework is an example of what?

A

An internal control framework

34
Q

3 categories of objectives that an organization works to achieve using the system of internal controls as per COSO framework

COR

A
  1. Operations
  2. Reporting
  3. Compliance objectives
35
Q

COSO’s Internal Control—Integrated Framework has five principles related to the control environment. List them, and the points of focus for the first.

A
  1. The organization demonstrates a commitment to integrity and ethical values. Points of focus: sets the tone at the top; establishes standards of conduct; evaluates adherence to standards of conduct; addresses deviations in a timely manner.
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
36
Q

What provides behavioral guidance and rules for staff (and outsourced service providers who have been delegated responsibility for organizational processes) when taking actions or making decisions? It clarifies the expectations of the board and senior management as to what is considered right versus wrong, provides guidance on common gray areas or difficult decisions, and highlights associated risks.

A

A written code of conduct

37
Q

These are how managers in various organizational or other structures execute their assigned authorities and responsibilities, including reporting information to higher levels. These lines should be documented and understood by the relevant parties.

A

Reporting lines

38
Q

The basis for assessing adherence to organizational ethics and values. There are stated values as well as operating values.

A

Organizational standards of conduct

39
Q

Beliefs about right versus wrong that guide people’s and organizations’ decisions and actions, especially in situations that require making tradeoffs between conflicting objectives.

A

Values

40
Q

Two types of values

A
  1. Stated values. These are ideal or written values, such as written codes of ethics and/or conduct.
  2. Operating values. These are cultural values that guide actual organizational behavior.
41
Q

4 steps when auditing the control environment

A
  1. Start with a risk assessment to help set audit scope, frequency, and rotation.
  2. Take into account planning considerations as individual engagements are planned.
  3. Require assessment criteria.
  4. Require selection of tools and techniques to use.
42
Q

6 elements from the IPPF definition of control environment used as potential audit scope areas for a control environment risk assessment

A
  1. Integrity and ethical values
  2. Management philosophy and operating style
  3. Organisational structure
  4. Assignment of authority and responsibility
  5. HR policies and practices
  6. Competence of personnel
43
Q

Who determines the frequency and rotation of control environment audits and how to integrate the results of multiple audits while avoiding duplication of effort?

A

CAE

44
Q

Best practice for CAE to determine the criteria against which the control environment will be assessed

A

Use an internal control framework the first time the control environment is audited at an organization. This can help ensure that the criteria are well rounded and complete.

45
Q

Represents the invisible belief systems, values, norms, and preferences of the individuals that form an organization.

A

Culture (St-Onge et al)

46
Q

Represents the tangible manifestation of culture through the actions, behaviors, and decisions of these individuals.

A

Conduct (St-Onge et al)

47
Q

Root cause of many control environment issues.

A

Poor organizational culture. A toxic culture can erode the effectiveness of other control layers.

48
Q

5 characteristics of healthy organizational cultures

A
  1. Positive tone at the top. The board and senior management define, proactively model, and enforce accountability for desired organizational values, including in their strategies.
  2. Clear communication. Management sets explicit expectations in all communications, daily interactions, and meetings with employees, customers, and third parties.
  3. Open dialogue. Management listens to feedback or constructive criticism and has tools like ethics hotlines or open-door policies to encourage dialogue.
  4. Employee engagement. Objective-setting and strategy discussions are inclusive, such as by listening to personal objectives and evaluating how they align to strategy.
  5. Incentives aligned with core values. Compensation and incentives align with the organization’s core values and risk appetite.
49
Q

4 Key areas for an ethical climate assessment to address

A
  1. Whether ethical values are consistent among policy statements.
  2. Whether any policies lack ethics statements and, if so, whether they should be added.
  3. Whether ethics statements are consistently expressed to enable staff to have a cohesive, easily understood picture of expected behavior.
  4. Whether statements are specific and concrete enough to be meaningful.
50
Q

A common tool for ethical climate assessments.

A

An entity-wide employee survey

51
Q

The internal audit activity may be involved in ethics- and compliance-related issues, alleged violations, and dispositions in two ways.

A

First, the internal audit activity may assess whether the escalation and resolution process is effective.

Second, as a result of entity-wide, or specific audit engagement area effectiveness assessments, the activity may need to evaluate deficiencies and communicate results, including making recommendations.

52
Q

“adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.”

A

Compliance

53
Q

When evaluating ethical deficiencies, the internal audit activity should focus on identifying the root causes of exceptions. Give 5 examples of potential root causes.

A
  1. Emphasis on results, especially those that are short-term
  2. Excessive focus on the bottom line (such as sales revenues and profit goals)
  3. High-pressure sales tactics
  4. Ruthless negotiations
  5. Aggressive incentives that are tied to reported financial and nonfinancial information
54
Q

Responsible for investigating alleged violations of ethics, compliance, or business conduct practices and making recommendations for resolution of misconduct, including disciplinary action.

A

Management

55
Q

A voluntary initiative to practice and transparently report on the organization’s efforts toward good corporate citizenship with its employees and within the community. It is a pledge to develop the organization in sustainable ways by including not only economic but also social and environmental objectives in its values, culture, strategies, decisions, and operations.

A

Corporate social responsibility (CSR)

56
Q

A strategy to promote the long-term viability of an organization’s operations and actions by ensuring that the current and future needs of the organization and society can be met. This is done in part by safeguarding, sustaining, and enhancing the human and natural resources the organization uses.

A

Sustainable development

57
Q

A triple-bottom-line strategy creates three balanced measures of success.

A
  1. Economic. This is the traditional bottom line for a business (i.e., profit or loss), but some CSR programs also enhance profitability
  2. Environmental. This is the responsible and compliant use of natural resources and protection of the natural environment
  3. Social responsibility. This is fair treatment of and reinvestment in employees, indigenous peoples, and communities
58
Q

Key goal of a triple-bottom-line strategy

A

To fully integrate all three areas into the organization’s business model and strategy rather than making them afterthoughts

59
Q

8 risks associated with CSR activities.

A
  1. Reputation
  2. Compliance
  3. Liability
  4. Operational
  5. Stock market
  6. Employment market
  7. Sales market
  8. External business relationships
60
Q

Who has overall responsibility for the effectiveness of the governance, risk management, and control (GRC) components of CSR programs, including determining which CSR controls will be needed?

A

The board

61
Q

Who is responsible for performing a risk assessment related to CSR and for determining what components and priorities are important to the organization?

A

Board and management (The organization may create an executive position responsible for CSR programs.)

62
Q

These include developing CSR strategies, objectives, policies, procedures, controls, and key performance indicators/performance targets (e.g., emissions, safety incidents, employee satisfaction).

A

CSR business activities

63
Q

Voluntary CSR standards to determine what to report, provide assurance on the validity of the report, and help ensure that the information is comparable for benchmarking

A
  1. The CSR reporting standards of the Global Reporting Initiative (GRI).
  2. The SA8000 Standard of Social Accountability International.
  3. The AA1000 standards for assurance of CSR reports of AccountAbility.
64
Q

Developed to help with assessments and to help set CSR goals for the organization. The following maturity levels might be used:

  1. No CSR objectives or strategies.
  2. CSR strategy is to be in compliance with laws and contracts.
  3. Some divisions acknowledge specific CSR risks with stand-alone strategies. The goal is to exceed compliance requirements; reporting is selective.
  4. CSR governance, strategies, and performance measures are integrated, and public reporting occurs.
  5. CSR is a primary feature of the organization’s mission, vision, principles, decision-making processes, and performance measures. Public formal reports are produced, and stakeholders are kept engaged.
A

A CSR maturity model

65
Q

5 Assurance Methods of Auditing CSR

A
  1. Audit by element: Perform separate audit engagements for each CSR element: governance; environment; ethics; community involvement; health, safety, and security; transparency; and working conditions and human rights.
  2. Audit by stakeholder: Perform separate audit engagements to assess effectiveness of delivering value to each stakeholder group, such as employees and their families, customers, the environment, and so on. The basis for determining effectiveness is fulfillment of each group’s needs.
  3. Audit by common subject: Perform audits by common subject area: workplace, marketplace, community, and environment. Auditing by workplace could bundle together issues such as employer of choice, health and safety, diversity and equality, environmental management practices, training and development, ethics, governance, and human rights.
  4. Audit by internal control: Perform audits using internal controls over risk management, data gathering, measuring, and CSR reporting activities. Performing the same audit tests for each area audited ensures that results are comparable. At year end, an overall report on CSR could be made based on all areas audited.
  5. Audit by risk-management-based priority: Perform audits using a risk-management-based approach, selecting the areas of a CSR program identified as being most significant in terms of risk impact and likelihood, with direction provided by the board and senior management. This method can be combined with any of the prior methods.
66
Q

To whom should recommendations on CSR programs be reported?

A

The organization may consider recommendations on CSR programs to be sensitive information, and so the CAE should consult with management regarding report distribution.

67
Q

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

A

Risk

68
Q

A key element of risk

A

The notion that it always involves uncertainty

69
Q

An action or potential action that creates or alters goals or approaches for creating, preserving, or realizing value.

A

Opportunity

70
Q

4 fundamental concepts of risk

A
  1. Achieving strategic and operational objectives and succeeding in business requires putting the organization’s assets and resources at some degree of risk.
  2. Risks taken should be commensurate with the potential reward.
  3. Risks are not single-point estimates. Rather, there will be a range of possible outcomes associated with a risk, such as from worst case to most likely to best case.
  4. Risk management should reduce the likelihood of negative events and increase the likelihood of positive events.
71
Q

The occurrence or realization of a risk (threat or opportunity). Also called an issue.

A

An event

72
Q

The level of risk that the organization is willing to accept.

A

Risk appetite

73
Q

The boundaries of acceptable outcomes related to achieving business objectives.

A

Risk tolerance

74
Q

The combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk that exists assuming there are no internal controls in place.

A

Inherent risk

75
Q

The portion of inherent risk that management can reduce through day-to-day operations and management activities.

A

Controllable risk

76
Q

The portion of inherent risk that remains after management executes its risk responses (sometimes referred to as net risk). Note that responses include application of internal controls or other risk management measures.

A

Residual risk

77
Q

6 considerations related to risk appetite

A
  1. The purpose of setting a risk appetite is to limit risks to organizational objectives to an acceptable level. This is done by comparing the cost to the benefits of control.
  2. Because the future is uncertain, there is no way to completely eliminate risk. (Some amount of residual risk will remain.)
  3. Risk appetite helps the board and management prioritize potential strategies and resource allocations.
  4. Risk appetite can be defined at a high level and at increasing levels of detail.
  5. Risk appetite can differ between business units or products (with higher risk being acceptable for areas with higher potential for reward).
  6. Risk appetite can change based on changes in the external environment.