Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

IAP > Domain II - Nature of work > Flashcards

Domain II - Nature of work Flashcards

(177 cards)

Start Studying
1
Q

Who is responsible for assessing the risks and controls within their organisation?

A

All internal auditors have a responsibility to assess the risks and controls within their organisations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which standard?

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

A

Standard 2120 Risk Management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

_______ internal auditing provides organisations with timely, relevant information about the risks they face.

A

Risk-based internal auditing provides organisations with timely, relevant information about the risks they face.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

When organisations decided on how to approach risks, what are their options?

A

They can then decide whether the risk is one to mitigate or avoid – or one to exploit.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Explain what this term means?

Risk

A

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Explain what this term means?

Risk management

A

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organisation’s objectives.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Explain what this term means?

Risk appetite

A

The level of risk that an organisation is willing to accept.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Explain what this term means?

Risk responses

A

The means by which an organisation elects to manage individual risks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Explain what this term means?

Risk assessment

A

The overall process of of risk identification, risk analysis and risk evaluation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Explain what this term means?

Risk identification

A

The process of determining which events might occur to affect the objectives of the organisation and their root causes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Explain what this term means?

Risk analysis

A

The systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences ie their impact.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Explain what this term means?

Risk evaluation

A

The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Explain what this term means?

Inherent (gross) risk

A

Evaluation of risk before management undertakes any action or initiates any risk responses.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Explain what this term means?

Retained (net) risk

A

The evaluation of risk after management action and risk responses.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Name different types of risks.

A

main categories: financial, reputational and regulatory

but also strategic and operational, physically risky activities (health and safety)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

When can internal auditors provide the greatest value in terms of risks?

A

When they communicate clearly both the downsides and upsides to risk. Without this information, no organisation will thrive.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

There’s a range of standards and frameworks organisations can use in developing risk management processes. Describe the generic process.

A 
Set objectives
Identify risks
Analyse
Appetite?
Determine response
Monitor and report
Learning lessons
(Start at the top)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Why is setting objectives important to the risk management process?

A

Risks can only be identified, assessed and prioritised in relation to objectives.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What can objectives be like in terms of the risk management process?

A

These objectives can be long term, high level and strategic in nature, and apply to the whole organisation; or they may be short term and operational, and apply to business units, teams, and business processes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Mention 6 different risk identification tools

A

1) Questionnaires and surveys
2) Process flow analysis
3) Workshops and interviews
4) Scenario planning
5) External and internal environmental analysis
6) Event inventories

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

For an organisation to manage risks, what does it need to know first?

A

The risks it faces.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What has all risks identified by management that may impact achievement of the organisation’s objectives?

A

The risk register

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What do you need to consider when identifying risks?

A

The organisation’s environment, strategy and attitude to risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What is the risk if the organisation’s environment, strategy and attitude to risk are not considered while identifying risks.

A

Risk identification becomes nothing more than a random generation of unpleasant consequences and missed opportunities, most of which may well be irrelevant to the organisation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
When identifying risks, what does the organisation's environment include? Think macro and micro.
the macro - the external influences on the organisation (think political, economic, social, technological, legal and environmental) - and the micro - the more immediate, internal elements of the organisation (think McKinsey 7S model).
26
What does the organisation's attitude to risk determine?
Whether it recognises any given risk and what risk management strategy it adopts to deal with the potential obstacle to meeting its objectives.
27
After risks are identified, what is the next step?
Analysing the risks.
28
When risks are analysed, what are the two factors that are determined during the analysis?
``` The probability (or likelihood of occurrence) & The consequences (or the impacts on business) ```
29
What is a reliable way of assessing the probability and consequences of a risk?
This can be one of the most difficult areas to address as there is often no way of reliably assessing these factors.
30
Mention some ways of analysing risks.
Tools such as root causes analysis can support this analysis. Other tools and methods include: quantitative eg benchmarking and modelling qualitative eg interviews and workshops hybrid – a mix of both qualitative and quantitative approaches. The results can be plotted in a heat map or risk matrix as illustrated in the figure. In our simple example, using RAG ratings, no arithmetic values have been applied to each risk. In some organisations, risks are quantified.
31
Who should set the risk appetite?
The board should set the risk appetite.
32
Why is setting a risk appetite important?
so that decisions about the response to risk are weighed against agreed criteria as to what is tolerable.
33
How is analysing and evaluating risks different?
Once an analysis of likelihood and impact has been completed, it should then be possible to evaluate the risks against the organisation's risk appetite to determine what action it will take.
34
What is a risk before management action called?
Inherent or gross risk.
35
What is a risk after management action called?
Residual, retained or net risk.
36
What is the difference between inherent and residual risk?
The difference between inherent and residual risk is the measure of the effectiveness of the risk management responses and activities (including internal controls).
37
What is the difference between gross and net risk?
The difference between inherent and residual risk is the measure of the effectiveness of the risk management responses and activities (including internal controls).
38
What is the difference between inherent and retained risk?
The difference between inherent and residual risk is the measure of the effectiveness of the risk management responses and activities (including internal controls).
39
How do you determine response to a risk?
Risk responses should be evaluated to ensure they do in fact manage the risks down to the level required. The remaining 'residual' risk should be assessed. It should be in line with the target residual risk. If it is reasonable, no further action is required. If it is still excessive, the organisation needs to consider what further responses it will put in place (or not).
40
Name the different risk response styles.
``` Accept Avoid Pursue Reduce (requires controls) Share ```
41
Why should risks be monitored?
- to assess whether or not the risks are changing - to provide assurance that risk management is effective - to identify when further action is necessary. Although directors, managers and other staff may have identified their risks and described how they are using controls or other means to respond to them, the board cannot be sure that the risk responses are working unless they monitor them.
42
What does an effective risk management system ensure?
that monitoring and reporting mechanisms form part of the organisation’s routine processes.
43
What does a risk register usually detail?
the risk and description of the risk gross risk analysis details of risk responses applied subsequent net risk assessment conclusion on whether level of net risk level is acceptable information on more action to be taken what monitoring controls are to be applied risk owner allocated risk action manager allocated review date.
44
Explain the 3 lines of defence and their role in risk management.
First-line roles are those most directly focused on providing the client with products and/or services, and include the roles of support functions such as human resources, administration, IT and building services. First-line roles are responsible for managing risk. Second-line roles centre on specific aspects of risk management, including compliance with ethical, legal and regulatory requirements, quality assurance, IT security and broader responsibilities such as enterprise risk management. Those in second-line roles often challenge those in the first line, as well as offering expertise, scrutiny and oversight. Third-line roles, such as internal audit, are unique in being independent of management and its responsibilities. This independence enables internal audit to provide objective assurance and advice. It is impossible to be both independent of management and to assume management responsibilities (ie first and second line roles). Where internal audit has first or second line roles, independent assurance of these activities must be drawn from other sources. Above all of this is the governing body whose roles are integrity, leadership and transparency but most of all accountability to stakeholders for organisational oversight.
45
Mention 5 key roles of the governing body in the 3 lines of defence model.
Accepts accountability to stakeholders for oversight of the organisation. Engages with stakeholders to monitor their interests and communicate transparently on the achievement of objectives. Nurtures a culture promoting ethical behavior and accountability. Establishes structures and processes for governance, including auxiliary committees as required. Delegates responsibility and provides resources to management for achieving the objectives of the organisation. Determines organisational appetite for risk and exercises oversight of risk management (including internal control). Maintains oversight of compliance with legal, regulatory, and ethical expectations. Establishes and oversees an independent, objective, and competent internal audit function.
46
Mention key roles of the management in first line in the 3 lines of defence model.
Leads and directs actions (including managing risk) and application of resources to achieve the objectives of the organisation. Maintains a continuous dialogue with the governing body, and reports on planned, actual, and expected outcomes linked to the objectives of the organisation, and risk. Establishes and maintains appropriate structures and processes for the management of operations and risk (including internal control). Ensures compliance with legal, regulatory, and ethical expectations.
47
Mention key roles of the management in second line in the 3 lines of defence model.
Provides complementary expertise, support, monitoring, and challenge related to the management of risk, including: - the development, implementation, and continuous improvement of risk management practices (including internal control) at a process, systems, and entity level - the achievement of risk management objectives, such as: compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance. Provides analysis and reports on the adequacy and effectiveness of risk management (including internal control).
48
Mention key roles of the 3rd line in the 3 lines of defence model.
Maintains primary accountability to the governing body and independence from the responsibilities of management. Communicates independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control) to support the achievement of organisational objectives and to promote and facilitate continuous improvement. Reports impairments to independence and objectivity to the governing body and implements safeguards as required.
49
Mention key roles of the external assurance providers in the 3 lines of defence model.
legislative and regulatory expectations that serve to protect the interests of stakeholders requests by management and the governing body to complement internal sources of assurance.
50
True or false? Risk is the possibility of an event occurring that threatens the achievement of objectives.
False. Risk is possibility of an event occurring that will have an impact on the achievement of objectives. This impact can be a threat but it can also be an opportunity. The latter is often referred to as 'upside risk.'
51
What term is defined as ‘the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria’?
Risk evaluation
52
What term is used to describe a risk that does not take into account any response that the organisation may put in place?
Gross or inherent risk
53
Which line of defence is HR?
1st line
54
Which line of defence is Compliance?
2nd line
55
Which line of defence is Internal Audit?
3rd line
56
Mention 2 popular frameworks used for risk management.
COSO Enterprise Risk Management - Integrating with Strategy and Performance, and the ISO standard 31000:2018.
57
What are the 5 components set out by COSO?
``` Governance and culture Strategy and objective-setting Performance Review and revision Information, communication and reporting ```
58
Explain what Governance and culture is about according to COSO framework.
About: The organisation’s tone, reinforcing the importance of, and establishing oversight responsibilities for risk management. Culture pertains to ethical values, desired values, and the understanding of organisational risks. Principles: 1. Exercises board risk oversight 2. Establishes operating structures 3. Defines desired culture 4. Demonstrates commitment to core values 5. Attracts, develops, and retains capable individuals
59
Explain what Strategy and objective-setting is about according to COSO framework.
About: Setting the organisational strategy, plan and risk appetite. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk. Principles: 6. Analyses business context 7. Defines risk appetite 8. Evaluates alternative strategies 9. Formulates business objectives
60
Explain what Performance is about according to COSO framework.
About: Risks that may impact the achievement of objectives need to be identified and assessed. Risks are prioritised by severity in the context of risk appetite. The organisation then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders. Principles: 10. Identifies risk 11. Assesses severity of risk 12. Prioritises risks 13. Implements risk responses 14. Develops portfolio view
61
Explain what Review and revision is about according to COSO framework.
About: By reviewing entity performance, an organization can consider how well the risk management components are functioning in light of substantial changes and what revisions are needed. Principles: 15. Assesses substantial change 16. Reviews risk and performance 17. Pursues improvement in enterprise risk management
62
Explain what Information, communication and reporting is about according to COSO framework.
About: Risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organisation. Principles: 18. Leverages information and technology 19. Communicates risk information 20. Reports on risk, culture, and performance
63
What is ISO 31000:2018?
ISO 31000:2018 Risk management – Guidelines is a risk management standard. It is designed to be applied to a range of industries and contexts. The standard provides principles, a framework and a process for managing risk.
64
What are the 3 main components of ISO 31000:2018?
Risk Assessment Value Creation and Protection Leadership and Commitment
65
True or false? The COSO risk management framework places greater emphasis on controls than ISO31000:2018.
This statement is largely true. COSO has an internal control framework as well as a risk management one. The former is aligned with COSO's risk management framework.
66
Which three areas form ISO 31000:2018?
The ISO 31000:2018 standard comprises the three components - principles, framework and processes. In addition, there are a further two related standards: ISO Guide 73 Risk management - vocabulary IEC 31010 Risk management - risk assessment techniques.
67
What are the 3 areas internal auditors normally provide assurance on?
Internal auditors will normally provide assurances on three areas: 1. Risk management processes, both their design and how well they are working 2. Management of those risks classified as ‘key’, including the effectiveness of the controls and other responses to them 3. The reliability of risk assessments and the reporting of risk and control statuses.
68
What are the core roles of internal audit in regards to Enterprise Risk Management?
- Giving assurance on the risk management process - Giving assurance that risks are correctly evaluated - Evaluating risk management processes - Evaluating the reporting of key risks - Reviewing the management of key risks
69
What are the legitimate roles of internal audit with safeguards in regards to Enterprise Risk Management?
- Facilitating the identification and evaluation of risks - Coaching management in responding to risks - Coordinating of risk management activities - Consolidating reporting on risks - Maintaining and developing the risk management framework - Championing the establishment of risk management - Developing the risk management strategy for board's approval
70
What are roles IA should NOT take in regards to Enterprise Risk Management?
- Setting the risk appetite - Imposing risk management processes - Management assurance on risks - Taking decisions on risk responses - Implementing risk responses on management's behalf - Accountability for risk management
71
What are the key factors to take into account when determining internal auditing's role?
whether the activity raises any threats to the internal audit activity’s independence and objectivity and whether it is likely to improve the organisation’s risk management, control and governance processes.
72
Explain what maturity model means.
It is a gauge by which to measure an organisation's current state of and progress towards mastery of a given area.
73
What does risk maturity mean?
The extent to which a risk management approach has been adopted and applied, as planned, by management across the organisation to identify, assess, decide on responses to and report on opportunities and threats that affect the achievement of the organisation's objectives.
74
What does risk appetite mean?
The level of risk that an organisation is willing to accept.
75
What does risk-based internal auditing mean?
Risk-based internal auditing is a methodology that links IA to an organisations' overall risk management framework. It allows IA to provide assurance to the board that risk management processes are managinig risks effectively, in relation to the risk appetite.
76
What is the primary methodology IA should be using in organisations?
Risk based internal auditing.
77
True or false? | Of importance to RBIA is understanding the level of risk maturity within the organisation.
True. The internal audit approach should reflect where the organisation is in terms of maturity and support its journey towards a fully embedded framework. .
78
What does the risk maturity of an organisation determine?
- type of assurances that internal audit can provide - framework that will be used for audit planning, critically the source of risk information internal audit will use in planning - type of consulting services that internal audit can provide.
79
What are the levels of risk maturity?
Initial, repeatable, defined, managed and optimised
80
Describe what it means if an organisation's risk maturity is at the initial level?
No formal approach to risk management
81
What should the IA approach be if the organisation's risk maturity is at the initial level?
Report that no formal risk management in place Consultancy to champion risk management Use alternative framework to determine internal audit plane Assurance on control processes.
82
Describe what it means if an organisation's risk maturity is at the repeatable level?
Scattered silo-based approach to risk management
83
What should the IA approach be if the organisation's risk maturity is at the repeatable level?
Report poor risk management Consultancy to champion risk management Use alternative framework to determine internal audit plan Assurance on control processes.
84
Describe what it means if an organisation's risk maturity is at the defined level?
Risk management strategy and policies in place and communicated Risk appetite and tolerance levels defined.
85
What should the IA approach be if the organisation's risk maturity is at the defined level?
Report on risk management deficiencies Consultancy to embed risk management Start with management view of risk and supplement Assurance on risk management policies and control processes.
86
Describe what it means if an organisation's risk maturity is at the managed level?
Enterprise wide approach to risk management developed and communicated.
87
What should the IA approach be if the organisation's risk maturity is at the managed level?
Management view of risk drives internal audit plan Assurance on risk management processes and mitigation Consulting to improve risk management
88
Describe what it means if an organisation's risk maturity is at the optimised level?
Risk management fully embedded into processes and systems
89
What should the IA approach be if the organisation's risk maturity is at the optimised level?
Management view of risk drives internal audit plan Assurance on risk management processes and mitigation Consulting as required.
90
Standard 2120 Risk Management states: The internal audit activity must evaluate the ________ and contribute to the improvement of risk management processes. What text is missing?
Effectiveness
91
An assessment of risk maturity finds that risk management and internal control is fully embedded into the organisations' processes and systems. What is the level of the organisation's risk maturity?
Optimised
92
When do you need a control?
When you’re not prepared to tolerate a risk.
93
What is the purpose of controls?
to manage risk
94
What happens is a control doesn't have an associated risk?
It actively diverts first-line attention from areas that rightly deserve it more = pointless.
95
To conduct a truly, risk-based audit, what should an internal audit engagement start with?
A clear understanding of the risks facing the organisation.
96
If you don't understand what the controls you’re assessing are meant to mitigate, ____________
You can’t provide a service of value to the organisation.
97
Standard 2130 sets out _____________.
internal audit’s responsibilities in maintaining controls
98
The internal audit activity must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. How is this different if it is assurance service or consulting service?
2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organisation’s governance, operations, and information systems regarding the: * achievement of the organisation’s strategic objectives * reliability and integrity of financial and operational information * effectiveness and efficiency of operations and programmes * safeguarding of assets * compliance with laws, regulations, policies, procedures, and contracts. 2130.C1 – Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organisation’s control processes.
99
In one word, what is described here: "Any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved."
Control(s)
100
In two words what is described here: The policies, procedures (both manual and automated) and activities that are part of a control framework, designed and operated to ensure that risks are contained within the level that an organisation is willing to accept.
Control processes
101
In two words what is described here: The attitude and actions of the board and management regarding the importance of control within the organisation. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements: integrity and ethical value, management's philosophy and operating style, organisational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel.
Control environment
102
When do directive and preventative controls occur and what should they do?
before an ‘unwanted event’, and should reduce the number of them.
103
When do detective and corrective controls occur and what should they do?
after an unwanted event, alerting those responsible to the problem and helping them put things right.
104
Give an example of directive control?
Accounting manuals, documented procedures, training and supervision.
105
Give an example of preventative control?
Segregation of duties, access controls and authorisation.
106
Give example of detective control?
Exception reports, reconcilitations, control totals and error reports.
107
Give example of corrective controls?
Error, incident and complaint handling procedures and virus isolation.
108
What do directive control direct people to do?
to perform tasks in the way best designed to mitigate risk.
109
What preventive controls can also be physical?
security fences, staffed gates and entrances, and locks can all be effective controls
110
Other than categorising controls as directive, prevetive, detective and corrective, what are other ways can you categorise controls?
Macro and micro-level, key and secondary controls, active and passive controls
111
When a control is at macro-level, what does this mean?
they mitigate organisation-wide risk.
112
What are the two subcategories of macro-level controls?
governance and management controls. Examples include tone at the top, codes of ethics, board sub-committees, risk management frameworks and IT general controls.
113
When a control is at micro-level, what does this mean?
These include activity, process and task-level controls.
114
We can categorise controls by their degree of importance to mitigating risk - also known as....
Key and secondary controls
115
How do key controls operate?
These must operate effectively to reduce risk to the desired level.
116
How do secondary controls operate?
These are not essential to mitigating the risk but can help the activity, process or transaction to run more efficiently.
117
If controls are categorised based on the level of human interventions, this would be called...
Active and passive controls.
118
What are active controls?
Active (manual) control: These are controls that require human action.
119
What are passive controls?
Passive (automated) control: These are controls that operate without human action.
120
What are the two types of control failures that can happen?
inadequate controls and ineffective controls
121
Explain what is an inadequate control.
Inadequate controls are either non-existent or poorly designed – even if executed correctly, they still wouldn’t mitigate the targeted risk.
122
Explain what is an ineffective control.
Ineffective controls, on the other hand, are those that exist and are adequately designed – but performed incorrectly or not at all.
123
What are the possible control failures for the following control: Individual swipe cards to a room with file containing personal information.
If the control process doesn’t include regular review of individuals’ access, it is inadequate. If staff share swipe cards, knowing this is forbidden, then the process is ineffective.
124
What are the possible control failures for the following control: Complaints procedures for customers.
If the organisation’s complaints procedure is too complex, either for customers or for staff, then it is inadequate as a control. If, however, staff do not follow the procedure, thinking they can resolve matters more quickly for the customer by skipping steps, then the control is ineffective.
125
If during fieldwork, it comes to light that people are not following procedures or processes they know they should, what should you ask first?
Why don't you? If, in this instance, staff are correct, and they can reduce the risks arising from customer dissatisfaction more efficiently, then that is positive. It shows that staff members are mindful of risks and keen to improve controls. Rather than criticising staff for not following a possibly over-engineered control process, why not encourage them to update it with their improvements? By giving credit where due, internal auditors show their keenness to work positively with colleagues throughout the organisation.
126
If you find that a control process is inadequate, should you test it for effectiveness anyway?
No. It's a waste of time. Even if staff perform the process accurately, its inadequacy means that it still wouldn’t mitigate the risk to the desired level. With very few exceptions, an inadequate controls means you stop there – you have a finding.
127
Which are elements of the control environment? Assignment of authority and responsibility Correctly checked Integrity and ethical values Correctly checked Organisational structure
All three are elements of the control environment. There are a further elements: management's philosophy and operating style, assignment of authority and responsibility, human resource policies and practices and competence of personnel.
128
What type of control is variance analysis?
Hard control. Hard controls are quantitative and objective. A comparison of budget and actual figures through the process of variance analysis identifies how well an organisation is performing against targets. Budgets often use monetary and numerical targets. Automated and passive control is incorrect. Automated and passive controls work without human intervention such as a warning within a computer system which might indicate that an expense heading has exceeded a specific level. Soft controls are qualitative and subjective; this is incorrect.
129
Name the 6 frameworks, standards and regulations that have implications for organisational control.
1) COSO Internal Control - Integrated Framework 2) CoCo (Criteria of Control) model 3) King Report on Corporate Governance 4) Sarbanes Oxley (SOX) Act 5) COBIT 2019 6) Basel III standards
130
Explain CoCo model.
CoCo's philosophy is that control comprises those elements of an organisation (including its resources, systems, processes, culture, structure and tasks) that, taken together, support people in the achievement of the organisation's objectives. CoCo has 20 so-called criteria of control group into four areas: Purpose Commitment Capability Monitoring and learning.
131
What does the King Report on Corporate Governance focus on?
outcomes, placing accountability on the governing body (eg the board) to attain the governance outcomes of an ethical culture, good performance and effective control within the organisation and legitimacy with stakeholders.
132
What is the aim of the Sarbanes Oxley (SOX) act?
to increase transparency in the financial reporting by corporations to protect investors by improving the accuracy and reliability of corporate disclosures through a formalised system of checks and balances.
133
What is COBIT 2019?
a framework for the governance and management of enterprise information and technology aimed at the whole organisation. COBIT distinguishes between governance and management, setting out: the components to create and sustain a governance systems the design factors to build a governance system that fits the organisation.
134
What are the Basel III standards designed to do?
to strengthen the regulation, supervision and risk management of banks. A key aspect of the reform are the so-called pillars: Enhanced minimum capital and liquidity requirements Enhanced supervisory review process for firm-wide risk management and capital planning Enhanced risk disclosure and market discipline.
135
Which one of the risk frameworks is the most widely-used?
COSO
136
What does the COSO framework explain?
That there is a direct relationship between organisational structure, objectives and components (3 types of objectives and five components).
137
What are the five components of COSO?
``` Control environment Risk assessment Control activities Information and communication Monitoring ```
138
What are the 3 objectives of COSO?
Operations Reporting Compliance
139
Organisations must comply with laws and regulations including company law, tax law and environmental protection regulations. What category of internal control objectives does this requirement form part of? Operations Reporting Compliance
Compliance
140
True or false? COBIT is a technical (IT) framework to manage business technologies.
False. COBIT is a framework for the governance and management of enterprise and information and technology. It is not limited to IT and IT functions. COBIT sets out components that describe what decisions should be taken, how and by whom.
141
What is fraud to organisations?
A significant loss which can lead to loss of confidence in the organisation or even lead to its collapse.
142
Explain the term Fraud. What does it mean?
Any illegal act characterised by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organisations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
143
Explain the term Fraud risk. What does it mean?
The probability that fraud will occur and the potential severity or consequences to the organisation when it occurs.
144
Explain the term Fraud red flag. What does it mean?
1. Indicators that fraud is taking place. 2. Conditions that consistently contribute to fraud.
145
What types and categories of fraud are there?
Fraud benefiting individuals | Fraud benefiting the organisation
146
What are examples of fraud benefiting individuals?
``` embezzlement espionage theft of assets unauthorised use of information accepting bribes and kickbacks. ```
147
What are examples of fraud benefiting the organisation?
misrepresentation of financial and non-financial data transfer pricing sale or assignment of fictitious or misrepresented assets illegal payments to facilitate business activities.
148
Fraud red flags can mean two things. What are those two things?
First, indicators that suggest fraud may be occurring. Second, conditions that could give rise to fraud.
149
Is a fraud red flag is proof that fraud is taking place.
No, it is a signal that something is not as it should be and should be investigated further.
150
If we consider fraud red flags from the perspective of macro environment, what does this mean?
This refers to the environment external to the organisation. It's worth remembering organisations are influenced by this environment, and can influence it too. The PESTLE (political, economic, social, technological, legal and environmental) tool is useful in analysing potential macro environmental fraud risks.
151
If we consider fraud red flags from the perspective of micro environment, what does this mean?
Refers to the environment within the boundaries of the organisation. The organisation has greater influence on this environment. We can categorise micro environment factors into a number of factors, as the figure below illustrates.
152
Give an example of a fraud red flag in management?
- Lack of expertise in the area of work (consider qualifications, experience and whether professional standards are applied in the work). - Poor supervision and oversight over the work the manager does. - Key managers who are too controlling and do not delegate work. - Key managers who delegate a lot of work without providing appropriate supervision.
153
Give an example of a fraud red flag in organisational culture?
- Lack of clear values in relation to ethics. - An acceptance of low-level fraud - Tone at the top that sets the wrong climate
154
Give an example of a fraud red flag in staff?
- High turnover and low staff morale - Large number of complaints about particular members of staff - Unclear reporting lines and a lack of accountability - Remuneration policies that encourage damaging work practices - Employees who are reluctant to take leave or when they do, take leave for very short periods
155
Give an example of a fraud red flag in processes?
- Poor physical security - Poor access controls - Poor filing of or missing documents - higher than usual or expected - Unrealistic targets e.g. sales - Roles and responsibilities that are not appropriately segregated
156
Give an example of a fraud red flag in Finance?
- High levels of cash only transactions - Unexplained rises in expenses - Large number of refunds to customers - Changes in levels of inventory eg excessive shrinkage - High level of adjustments in the book of accounts - Unexplained growth in sales, particularly in relation to specific customers
157
Give an example of a fraud red flag in a Macro Environment (External)?
- Economic downturns that add pressure for organisations and individuals to perform - Industries with low regulatory oversight or where some aspects of fraud are regarded as being acceptable - Countries with high corruption ratings
158
What does PESTLE stand for and what is it useful for?
The PESTLE (political, economic, social, technological, legal and environmental) tool is useful in analysing potential macro environmental fraud risks.
159
What are the three conditions that need to exist for a person to violate trust and commit fraud (and therefore enable)?
Pressure Rationalisation Opportunity
160
Explain why pressure is an element in creating the perfect conditions for a person to commit fraud.
This factor is sometimes referred to as motive. An individual is likely to be under some kind of pressure to commit fraud. This could be financial eg debts. Motives may include grievance against the business or greed.
161
Explain why opportunity is an element in creating the perfect conditions for a person to commit fraud.
There must be an opportunity to enable the individual to commit fraud. This may arise from poor controls. For instance, if the person ordering items is also the person who authorises and receives them, this gives rise to the potential for skimming.
162
Explain why rationalisation is an element in creating the perfect conditions for a person to commit fraud.
Individuals who commit fraud usually rationalise their behaviour. They may suggest that they were only borrowing items, that it is common organisational practise to take items, that they were 'owed' the items for overtime and so forth.
163
What are the five principles of managing fraud?
1. Fraud risk governance 2. Fraud risk assessment 3. Fraud prevention 4. Fraud detection 5. Fraud investigation and corrective action
164
What does good fraud risk governance look like?
As part of an organisation’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
165
What does good fraud risk assessment look like?
Fraud risk exposure should be assessed periodically by the organisation to identify specific potential schemes and events that the organisation needs to mitigate.
166
What does good fraud prevention look like?
Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organisation.
167
What does good fraud detection look like?
Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
168
What do good fraud investigation and corrective action look like?
A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.
169
What is the role of the Board in terms of fraud?
Corporate policy on the non-tolerance of fraud, dealing with its occurrence and laying down responsibilities and measures to mitigate risk Notifying appropriate regulatory authorities of relevant transgressions Ratifying policy, mitigation strategy and response plan Corporate ethos, setting the right ethics and policies Risk and threat assessment Adequate and effective internal control Adequate and effective internal audit.
170
What is the role of Line Management in terms of fraud?
Managing, controlling, reporting and taking action on the risk of fraud including: having processes in place to deter and detect fraud applying adequate controls to prevent transgressions leading investigations overseeing investigations conducted by specialists on their behalf dealing effectively with issues raised by staff (including taking appropriate action to deal with reported or suspected illegal activity) involving the police where necessary.
171
What is the role of Staff in terms of fraud?
Operating procedures to safeguard the organisation's assets Alerting management when they believe that the possibility of fraud exists Reporting immediately to management when they suspect that an illegal act has been committed.
172
What is the role of Internal Audit in terms of fraud?
Independent assurance on the effectiveness of the processes put in place to manage fraud risk.
173
What is the role of Audit Committee in terms of fraud?
Review arrangements by which staff can raise concerns in confidence about improprieties Arrangements are in place for investigation and follow up of any concerns raised in relation to fraud.
174
What is the difference between fraud and improper activities?
Fraud involves intentional deception. Improper activities may not be illegal but breach organisational policies. Further, it does not involve intentional deception.
175
True or false? Internal audit has a key role in detecting and investigating fraud.
False It is not internal audit's job to detect or investigate fraud . Internal audit’s primary responsibilities are to: carry out audit engagements using due professional care and in such a way as to be alert to the possibility of fraud and misconduct review procedures to safeguard assets so as to ensure that cost-effective measures are in place to prevent, detect or deter fraud ensure that the prevention, detection and deterrence of fraud are also taken into account when new systems are designed or changes made to existing systems.
176
True or false? Internal auditors must be able to evaluate the risk of fraud.
True. International Standard 1210.A2 states that: Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. (emphasis added)
177
True or false? Internal auditors should be alert to the potential for fraud to occur.
True. The statement is true and is supported by a variety of standards, eg 2210.A2 which states that: Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

IAP (5 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions