4-Risk Management Flashcards

(101 cards)

1
Q

Define risk management.

A

Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

2
Q

List the five processes of risk management.

A

Identification of context
Risk identification
Risk assessment and prioritization (i.e., risk analysis)
Risk response
Risk monitoring

3
Q

What are the three levels at which risk identification should be performed?

A

Entity level
Division level
Business level

4
Q

Give examples of methods used for risk identification.

A

Event inventories
Questionnaires and surveys
Leading event indicators and escalation triggers
Facilitated workshops and interviews
Process flow analysis
Loss event data methodologies
Brainstorming
SWOT analysis
Scenario analysis

5
Q

List the three risk assessment processes.

A

Assessing the significance of an event
Assessing the event’s likelihood
Considering the means of managing the risk

6
Q

Give examples of qualitative and quantitative risk assessment methods.

A

Qualitative
Risk listing
Risk ranking
Risk map (e.g., heat map, risk matrix)

Quantitative
Probabilistic models

7
Q

List the four risk monitoring processes.

A

Tracking identified risks
Evaluating current risk response plans
Monitoring residual risks
Identifying new risks

8
Q

What are the risk management responsibilities of (1) the board, (2) management, and (3) the internal audit activity?

A

The board
Overseeing and determining that risk management processes are in place, adequate, and effective

Management
Ensuring that sound risk management processes are functioning

Internal audit activity
Assurance: Examining, evaluating, reporting, or recommending improvements
Consulting: Identifying, evaluating, and implementing risk management methods and controls

9
Q

_____________________ determine the internal audit activity’s role in risk management.

A

Senior management and the board

10
Q

Define (1) culture, (2) capabilities, and (3) practices in the context of Enterprise Risk Management.

A

Culture
The attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization
Capabilities
The skills needed to carry out the entity’s mission and vision
Practices
The collective methods used to manage risk

11
Q

Define (1) mission, (2) vision, and (3) core values in the context of the culture component of Enterprise Risk Management.

A

Mission
The organization’s core purpose

Vision
The organization’s aspirations for what it intends to achieve over time

Core values
The organization’s essential beliefs about what is acceptable or unacceptable

12
Q

Define (1) strategy and (2) business objectives in the context of Enterprise Risk Management.

A

Strategy
How the organization will achieve its mission and vision and apply its core values

Business objectives
Steps taken to achieve the strategy

13
Q

Define (1) risk inventory, (2) risk capacity, and (3) risk appetite in the context of Enterprise Risk Management.

A

Risk inventory
All identified risks that affect strategy and business objectives
Risk capacity
The maximum amount of risk the organization can assume
Risk appetite
The amount and types of risk the organization is willing to accept in pursuit of value

14
Q

When is value (1) created, (2) preserved, (3) realized, and (4) eroded?

A

Value is:
Created when the benefits obtained from the resources used exceed their costs.
Preserved when the value of resources used is sustained.
Realized when benefits are transferred to stakeholders.
Eroded when management’s strategy does not produce expected results or management does not perform day-to-day tasks.

15
Q

What are the responsibilities of (1) the board and (2) management regarding Enterprise Risk Management (ERM)?

A

The board
Oversight of ERM culture, capabilities, and practices

Management
Day-to-day managing of risk (the CEO has ultimate responsibility for ERM)

16
Q

What are the three lines in the Three Line Model?

A

First line: Principal owners of risk
Second line: Supporting (business-enabling) functions
Third line: Assurance function

17
Q

Categorize the five components of the COSO ERM framework into (1) the supporting aspect and (2) the common process.

A

Supporting aspect
Governance and culture
Information, communication, and reporting

Common process
Strategy and objective-setting
Performance
Review and revision

18
Q

What are the five principles of the Governance and Culture component of the COSO ERM framework?

A

The board exercises risk oversight.
The organization establishes operating structures.
The organization defines the desired culture.
The organization demonstrates commitment to core values.
The organization attracts, develops, and retains capable individuals.

19
Q

What are the four principles of the Strategy and Objective Setting component of the COSO ERM framework?

A

The organization analyzes business context and its effect on the risk profile.
The organization defines risk appetite.
The organization evaluates alternative strategies and their effects on the risk profile.
The organization establishes business objectives that align with and support strategy.

20
Q

List and define the three types of business contexts.

A

Dynamic
New, emerging, and changing risks can appear at any time
Complex
A context may have many interdependencies and interconnections
Unpredictable
Change occurs rapidly and in unanticipated ways

21
Q

What are the four criteria for business objectives?

A

Specific
Measurable
Observable
Obtainable

22
Q

What are the five principles of the Performance component of the COSO ERM framework?

A

The organization identifies risks that affect the performance of strategy and business objectives.
The organization assesses the severity of risk.
The organization prioritizes risks at all levels.
The organization identifies and selects risk responses, recognizing that risk may be managed but not eliminated.
The organization develops and evaluates its portfolio view of risk.

23
Q

What are the two measurements of the severity of risk?

A

Impact

Likelihood

24
Q

List the five categories of risk responses.

A

Acceptance (retention)
Avoidance
Pursuit
Reduction (mitigation)
Sharing (transfer)

25
Q

What are the four levels of risk views?

A

Risk view (minimal integration)
Risk category view (limited integration)
Risk profile view (partial integration)
Portfolio view (full integration)

26
Q

What are the three principles of the Review and Revision component of the COSO ERM framework?

A

The organization identifies and assesses changes that may substantially affect strategy and business objectives.
The organization reviews entity performance results and considers risk.
The organization pursues improvement of ERM.

27
Q

What are the three principles of the Information, Communication, and Reporting component of the COSO ERM framework?

A

The organization leverages its information systems to support ERM.
The organization uses communication channels to support ERM.
The organization reports on risk, culture, and performance at multiple levels and across the entity.

28
Q

Give examples of the limitations of ERM.

A

Faulty human judgment
Cost-benefit considerations
Simple errors or mistakes
Collusion
Management override of ERM practices

29
Q

List the eight principles of the ISO 31000 Risk Management Framework.

A

Integrated
Structured and comprehensive
Customized
Inclusive
Dynamic
Best available information
Human and cultural factors
Continual improvement

30
Q

List the six components of the ISO 31000 Risk Management Framework.

A

Leadership and commitment
Integration
Design
Implementation
Evaluation
Improvement

31
Q

List the six risk management processes in the ISO Risk Management Framework.

A

Communication and consultation
Scope, context, criteria
Risk assessment
Risk treatment
Monitoring and review
Recording and reporting

32
Q

What are the responsibilities of (1) the board, (2) management, and (3) the internal audit activity defined in the ISO 31000 Risk Management Framework?

A

The board
Overseeing risk management
Ensuring that risks are managed and the risk management system is effective

Management
Setting the organization’s risk attitude
Identifying and managing risks

Internal audit activity
Providing assurance regarding the entire risk management system

33
Q

The ISO Risk Management Framework describes what three approaches to providing assurance on the risk management process?

A

The key principles approach
The process element approach
The maturity model

34
Q

What are the five maturity levels defined by the capability maturity model (CMM)?

A

Level 1 Initial: Few processes are defined.
Level 2 Repeatable: Basic processes are established.
Level 3 Defined: Standards are developed.
Level 4 Managed: Performance measures are defined.
Level 5 Optimizing: Continuous improvement is enabled.

35
Q

What are the five maturity levels defined by the Capability Maturity Model Integration (CMMI) Development V2.0?

A

Level 0 Incomplete: Whether work can be completed is not known.
Level 1 Initial: Work can be completed, but not on time or within the budget.
Level 2 Managed: Projects are planned, implemented, managed, and monitored.
Level 3 Defined: Standards for projects are defined throughout the organization.
Level 4 Quantitatively managed: The organization quantifies performance improvement goals to meet stakeholder needs.
Level 5 Optimizing: The organization pursues continuous improvement, responds to change, and innovates.

36
Q

ERM is expected to manage risks effectively and to help create, preserve, and realize value when:

A

The components, principles, and supporting controls are present and functioning.

37
Q

How is risk defined in the Glossary?

A

“The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”

38
Q

What are the four broad categories of risk?

A

Strategic risks
Operational risks
Financial risks
Hazard risks

39
Q

What is risk capacity?

A

Risk capacity is the maximum amount of risk that an organization can tolerate without irreparably damaging the company.

40
Q

What is risk appetite?

A

Risk appetite is defined in the IIA Glossary as “the level of risk that an organization is willing to accept.” Risk appetite is shaped by the expectations of stakeholders, regulatory and contractual requirements, and the influence of technology, capital, and human resources.

41
Q

What is risk tolerance?

A

Risk tolerance is the amount of variance in the returns from an activity that a company is willing to tolerate. The higher the risk tolerance, the greater the range of outcomes a company is willing to accept.

42
Q

What are some factors that influence a company’s risk appetite?

A

Their position in the business-development cycle.
The viewpoints of the major stakeholders.
Accounting factors.
The opportunity for fraud.
Entity-level factors – the personnel, changes in the organization’s structure, and changes in key personnel.
External factors – changes in the economy, industry, or technology.
Governmental restrictions.

43
Q

What are the five steps in the risk management process?

A

Risk identification
Risk assessment
Risk prioritization
Response planning
Risk monitoring

44
Q

What are some event identification techniques?

A

Brainstorming sessions
Event inventories and loss event data
Interviews and self-assessment
Facilitated workshops
SWOT analysis
Risk questionnaires and risk surveys
Scenario analysis
Technology

45
Q

What is inherent risk?

A

SMA: ERMF defines inherent risk as “the level of risk that resides with an event or process prior to management taking a mitigation action.” It is the amount of risk that occurs naturally in the activities of the company. Management cannot do anything about the existence of inherent risk; however, it can take steps to address and, where appropriate, mitigate its effects.

46
Q

What is residual risk?

A

SMA: ERMF defines residual risk as: “The level of risk that remains after management has taken action to mitigate the risk.”

Inherent risk − Activities of management to mitigate/address the risk = Residual risk

47
Q

What two factors are used to assess the exposure to risk?

A

Loss frequency or probability
Loss severity

48
Q

What is a risk map?

A

A visual depiction of relative risks based on their expected frequency and expected loss.

49
Q

What are the four measures of potential loss?

A

Expected loss
Unexpected loss
Maximum probable loss
Maximum possible loss (also called extreme or catastrophic loss)

50
Q

What is the expected loss?

A

The amount that management expects to lose to a given risk per year on average over a period of several years. Because the loss is expected, it should be included in the budget.

51
Q

What is the unexpected loss?

A

The amount that could likely be lost to the risk event in a very bad year, in excess of the amount budgeted for the expected loss, up to the maximum probable loss. The business should reserve the unexpected loss amount as capital.

52
Q

What is the maximum probable loss?

A

The largest loss that can occur under foreseeable circumstances. Damage greater than the maximum probable loss could occur, but, in the judgment of management, it is very unlikely to occur.

53
Q

What is the maximum possible loss?

A

The worst-case scenario. It represents the greatest possible loss from a specific risk or event.

54
Q

What are the five responses to risk?

A

Avoiding or eliminating the risk
Reducing or mitigating the risk
Transferring or sharing the risk
Retaining the risk
Exploiting or accepting the risk

55
Q

What is Enterprise Risk Management?

A

“[Enterprise risk management] is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.” (Definition from COSO)

56
Q

What are the five components of the COSO ERM Framework?

A

Governance and culture
Strategy and objective-setting
Performance
Review and revision
Information, communication, and reporting

57
Q

What are the principles of the “governance and culture” component of ERM?

A

Exercises board risk oversight.
Establishes operating structures.
Defines desired culture.
Demonstrates commitment to core values.
Attracts, develops, and retains capable individuals.

58
Q

What are the principles of the “strategy and objective setting” component of ERM?

A

Analyzes business context
Defines risk appetite
Evaluates alternative strategies
Formulates business objectives

59
Q

What are the principles of the “performance” component of ERM?

A

Identifies risk
Assesses severity of risk
Prioritizes risks
Implements risk responses
Develops portfolio view

60
Q

What are the principles of the “review and revision” component of ERM?

A

Assesses substantial change
Reviews risk and performance
Pursues improvement in enterprise risk management

61
Q

What are the principles of the “information, communication and reporting” component of ERM?

A

Leverages information systems
Communicates risk information
Reports on risk, culture, and performance

62
Q

What are the three areas of principles and guidance in ISO 31000?

A

Principles: The interrelated values that are foundational to the risk-management process.
Framework: The ways in which the risk-management plan should be integrated into “significant activities and functions.”
Process: A step-by-step list of procedures to design and execute risk management.

63
Q

What are the eight principles that ISO 31000 sets forth to guide risk-management procedures?

A

Integrated
Structured and comprehensive
Customized
Inclusive
Dynamic
Best available information
Human and cultural factors
Continual improvement

64
Q

What are the six steps of the risk-management process in ISO 31000?

A

Communication and consultation
Scope, context, and criteria
Risk assessment
Risk treatment
Monitoring and review
Recording and reporting

65
Q

What is the role of the IAA in the risk-management process?

A

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. (Standard 2120)

66
Q

What must an assessment of the risk-management process address?

A

The internal auditor must be satisfied that the organization’s risk management processes address the following:
Risks that arise from business strategies and activities are identified and prioritized.
Management and the board set the level of risk acceptable to the organization (assess risk appetite).
Risk mitigation or reduction activities are designed and implemented to reduce or otherwise manage risk at acceptable levels.
Risks are periodically reassessed on an ongoing basis.
Reports are given periodically to the board and management on the risk assessment process.

67
Q

How is evidence for risk-management assessments gathered?

A

Evidence to support the risk assessment is usually obtained from engagements throughout the year. Because there is no formula to follow, the successful assessment of risk often rests with the professional judgment and experience of the internal auditors and the CAE.

68
Q

What should the IAA do when there is no risk-management process?

A

The CAE must convince the board and senior management to establish one, even if it is just an informal set of procedures.

69
Q

In what three areas should the IAA provide assurance about the effectiveness of risk management?

A

The design and implementation of the risk management processes.
Identification of key risks and the effectiveness of their controls.
Assessment and reporting of risk and controls.

70
Q

What are consulting engagements connected to risk management that are core roles of the IAA?

A

Giving assurance on the risk management process
Giving assurance that risks are correctly evaluated
Evaluating risk management processes
Evaluating the reporting of key risks
Reviewing the management of key risks

71
Q

What are consulting engagements connected to risk management that are legitimate roles of the IAA?

A

Facilitating identification and evaluating risks
Coaching management in responding to risks
Coordinating ERM activities
Consolidated reporting on risks
Maintaining and developing the ERM framework
Championing the establishment of ERM
Developing the ERM strategy for board approval

72
Q

What are consulting engagements connected to risk management that the IAA should not undertake?

A

Setting the risk appetite
Imposing risk management processes
Management assurance on risks
Taking decisions on risk responses
Implementing responses on management’s behalf
Accountability for risk management

73
Q

How does the IIA Glossary define control?

A

“Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”

74
Q

Internal control provides reasonable assurance about the achievement of objectives in what three areas?

A

Operations
Reporting
Compliance

75
Q

What are five types of controls?

A

Directive
Preventive
Detective
Corrective
Compensating

76
Q

What are the three timings of controls?

A

Feedforward controls
Concurrent controls
Feedback controls

77
Q

What are characteristics of effective controls?

A

Economical
Meaningful
Appropriate
Congruent
Timely
Simple
Operational

78
Q

What are the limitations of internal controls?

A

Internal controls can provide only reasonable assurance that objectives can be achieved. Internal controls should never be promoted as a guarantee.
Human error, faulty judgment, collusion, and fraud can all limit the effectiveness of controls.
Excessive or unreasonable controls can increase bureaucracy and reduce productivity.
Controls must be evaluated in terms of their cost and benefit to avoid wasting resources.

79
Q

Who is responsible for internal controls?

A

The board of directors oversees the control system.
The CEO is responsible for the “tone at the top.”
Senior managers delegate responsibility for establishing specific internal control policies and procedures.
Financial officers and their staffs are central to the exercise of control.
Internal auditors play a monitoring role.
Virtually all employees are involved in internal control.
External parties such as independent auditors often provide information useful to effective internal control.

80
Q

What are the three main elements of the control process?

A

Setting the objectives.
Measuring performance against a standard.
Evaluating the results, then correcting or regulating the performance.

81
Q

What are input controls in an automated control system?

A

Edit checks
Key verifications
Redundancy checks
Echo checks
Completeness checks

82
Q

What are processing controls in an automated control system?

A

Posting checks
Cross-footing
Zero balance checks
Run-to-run control totals
Internal header and trailer labels
Concurrency controls
Key integrity checks

83
Q

What are output controls in an automated control system?

A

Output distribution controls
Output retention controls
Forms controls
Error logs

84
Q

What four duties should always be segregated?

A

1) Authorizing a transaction.
2) Recording the transaction, preparing source documents, and maintaining journals.
3) Keeping physical custody of the related asset. For example, receiving checks in the mail.
4) The periodic reconciliation of the physical assets to the recorded amounts for those assets.

85
Q

What is collusion?

A

Collusion is when two or more people work together to get around the controls that are in place.

86
Q

What are the five components of internal control?

A

Control environment
Risk assessment
Control activities
Information and communication
Monitoring activities

87
Q

What is the control environment in the COSO Model?

A

The control environment sets the tone for the organization, influencing the control consciousness of its people. The control environment is the foundation for the other components of internal control.

88
Q

What is risk assessment in the COSO Model?

A

Risk assessment is the identification and analysis of relevant risks to the achievement of objectives and forms a basis for how risks should be managed.

89
Q

What are control activities in the COSO Model?

A

Control activities ensure that management directives are carried out. These policies and procedures also outline the necessary steps to address risks to the organization’s objectives.

90
Q

What is information and communication in the COSO Model?

A

These are the systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

91
Q

What is monitoring in the COSO Model?

A

These are processes used to assess the quality of internal control performance over time. This objective is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

92
Q

What are the five principles of the control environment under the COSO Model?

A

The organization demonstrates a commitment to integrity and ethical values.
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

93
Q

What are the four principles of risk assessment under the COSO Model?

A

The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
The organization considers the potential for fraud in assessing risks to the achievement of objectives.
The organization identifies and assesses changes that could significantly impact the system of internal control.

94
Q

What are the three principles of the control activities under the COSO Model?

A

The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
The organization selects and develops general control activities over technology to support the achievement of objectives.
The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

95
Q

What are the three principles of information and communication under the COSO Model?

A

The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
The organization communicates with external parties regarding matters affecting the functioning of internal control.

96
Q

What are the two principles of monitoring activities under the COSO Model?

A

The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

97
Q

What type of controls do both COSO and CoCo emphasize?

A

Soft controls, which emphasize ideas and expectations (for example, shared values, expectations, commitment, competence, and trust) rather than specific tasks (for example, policies and procedures).

98
Q

What are the key tenets of the Turnbull Report?

A

Board’s responsibility for internal controls
Management’s responsibility for internal controls
Employees’ responsibility for internal controls
Adopting a risk-based approach
Ongoing monitoring of risks and controls

99
Q

What is the role of the IAA in the company’s control system?

A

The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. (Standard 2130)

100
Q

What are the steps in the evaluation of the effectiveness of controls?

A

Identify objectives and any associated risks.
Determine the significance of any risks.
Make note of the responses to these risks.
Identify the “key controls.”
Assess how well a given control is designed.
Test the control to ascertain the effectiveness of the design.

101
Q

What three criteria can help the IAA measure the effectiveness of a specific control?

A

The level of control must be “appropriate for the risk it addresses.” For example, petty cash does not need as many controls as cash received from customers.
The costs of the control must not exceed the benefits it provides. For example, the office supply cabinet does not need 24/7 surveillance and a biometric scanner for access, but a server room certainly would.
No control should “create significant business concerns.” For example, regardless of how efficiently a control manages a particular risk, if the control breaks the law, it puts the company in significant legal jeopardy.