Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

IIA CIA Part 1 2019 > GOVERNANCE, RISK MANAGEMENT AND CONTROL > Flashcards

GOVERNANCE, RISK MANAGEMENT AND CONTROL Flashcards

(94 cards)

Start Studying
1
Q

What are the Three Lines of Defense?

A

First Line: Operational Management
Second Line: Risk Management and Compliance Functions
Third Line: Internal Audit

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the definition of Organizational Governance?

A

The IIA Standards Glossary defines organizational governance as the:
“combination of processes and structures implemented by the board to inform, direct, manage, and monitor the achievement of its objectives.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What are the cornerstones of good Corporate

Governance?

A

1) The board of directors
2) Executive management
3) External auditors
4) Internal auditors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are major areas of responsibility of the board?

A

1) Monitoring the CEO and other senior executives.
2) Overseeing the corporation’s strategy and processes for managing the enterprise (including succession planning).
3) Monitoring the corporation’s risks and internal controls, including the ethical tone.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is an independent director, and how many should
a company have?

A

A majority of the directors should be independent in both fact and appearance.
An independent director has no current or prior professional or personal ties to the corporation or its management other than service as a director.
Independent directors must be able and willing to be
objective in their judgments.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are common committees that the Board establishes?

A

1) Audit committee
2) Compensation committee
3) Governance committee
Each committee should have a charter, authorized by the board, that outlines how each will be organized, their duties and responsibilities, and how they report to the board. Each committee should be composed of independent directors only.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Who are Stakeholders?

A

A stakeholder is an individual or entity who has a material interest in a company’s achievements, validated through some form of investment, and thereby expects a benefit in return.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Who are Internal Stakeholders?

A
  • Directors
  • Senior management
  • Employees
  • Trade unions or staff associations
  • Shareholders
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Who are External Stakeholders?

A
  • Customers
  • Suppliers
  • Contractors and subcontractors
  • Distribution networks
  • Communities
  • The general public and government
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are four levels of relationships with stakeholders and what is each level based on?

A

Based on the stakeholder’s interest and power, the company’s relationship will be to:
1) Ignore the stakeholder (weak power, low interest)
2) Keep the stakeholder informed (weak power, high interest)
3) Keep the stakeholder satisfied (strong power, low interest)
4) Treat the stakeholder as a key player (strong power,
strong interest)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is the role of internal audit in Corporate Governance?

A

The IAA must assess and make appropriate recommendations to improve the organization’s governance processes for:
• Making strategic and operational decisions.
• Overseeing risk management and control.
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Communicating risk and control information to appropriate areas of the organization.
• Coordinating the activities of, and communicating
information among, the board, external and internal auditors, other assurance providers, and management.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are the steps in auditing
a company’s governance practices and structure?

A

1) Understand the general principles and models of organizational governance.
2) Review existing governance-related documentation.
3) Develop a preliminary audit plan.
4) Meet with decision-makers (i.e., the board).
5) Execute the approved plan.
6) If necessary, consult legal counsel.
7) Complete the process, including a formal presentation to the board and have key decision-makers sign a “statement of acknowledgement.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

How is organizational culture different than organizational governance?

A

Organizational culture and its related practices are not written down or codified. Organizational culture can be rooted in the distinct personalities of company leadership or more generally in the ethnic, religious, or political context in which the business operates.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are the six control environments elements that organizational culture may impact?

A

1) Integrity and ethical values
2) Management’s philosophy and operating style
3) Organizational structure
4) Assignment of authority and responsibility
5) Human resource policies and practices
6) Competence of personnel

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is the internal auditor’s role in assessing Organizational Ethics?

A

The internal audit activity must assess the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What does a review of organizational ethics focus on?

A

1) Policies, including the policy for reporting ethical violations
2) Procedures
3) Effectiveness
4) Disposition of ethical issues, including if the penalties are appropriately scaled, if there is consistent application, and if there is proper documentation.
5) Compliance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are ethics advocates and who must act as an ethics advocate?

A

Ethics advocates are visible models of appropriate behavior who encourage and support the code of conduct at all times and at all levels of activity.
Management must act as ethics advocates.
All individuals in the company should be encouraged to be ethics advocates.
Internal auditors are also key ethical advocates - The IIA
Code of Ethics states that the internal auditors should be
an example of the ethical behavior that employees should practice.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is a Code of Conduct, and who is it applicable to?

A

A Code of Conduct, or Business Conduct Policy, outlines the specific behaviors that are required of or prohibited for all employees.
The Code of Conduct should be written in clear, concise language that eliminates ambiguity or contradictory interpretation.
The Code of Conduct is applicable to all people in the
organization, regardless of position, department, or length of employment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

The code of conduct includes guidance on what topics?

A
  • Conflicts of interest
  • Confidentiality of information
  • Acceptance of gifts
  • Compliance with all applicable laws, rules, and regulations
  • Penalties – the Code must clearly detail the consequences for any violations
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is the role of the IAA with the Code of Conduct?

A

The Code of Conduct needs to be periodically assessed by the IAA to ensure that it is relevant and that it reflects the company’s needs. Additionally, compliance with the Code of Conduct should also be tested periodically and may even be included as part of every engagement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What is Corporate Social Responsibility?

A

The IIA’s Practice Guide Evaluating Corporate Social Responsibility/Sustainable Development defines CSR as: “The way firms integrate social, environmental, and economic concerns into their values, culture, decision- making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth, and improve
society.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What are the levels of responsibility for CSR in a company?

A

• The board has overall responsibility for CSR.
• Management is responsible for executing CSR and ensuring that there are clear objectives, performance measurement, and reporting.
• Employees must integrate CSR into their everyday activities.
• The internal auditors should understand the risks and controls related to CSR and may be responsible for
auditing CSR.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What are some of the risks associated with CSR?

A
  • Reputation
  • Compliance
  • Liability and lawsuits
  • Operational
  • Company stock valuation
  • Employment market
  • Consumer sales
  • External business relationships
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What are the seven core subjects in ISO 26000?

A

1) Organizational governance
2) Human rights
3) Labor practices
4) The environment
5) Fair operating practices
6) Consumer issues
7) Community involvement and development

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What are the five main aspects of CSR in ISO 26000?
1) A company should operate ethically and with integrity. 2) A company should treat its employees fairly and with respect. 3) A company should demonstrate respect for human rights. 4) A company should be a responsible citizen in its community. 5) A company should do what it can to sustain the environment for future generations.
26
What are the four levels of the pyramid of social | responsibility?
1) Philanthropic responsibilities 2) Ethical responsibilities 3) Legal responsibilities 4) Economic responsibilities
27
What are different approaches that can be taken to auditing CSR?
• By element. • By stakeholder or stakeholder group. • By subject. For example, by workplace, marketplace, environment, and community. • By department/function. Audit CSR separately for each department within the organization. • By third party. Audit third parties for compliance with CSR terms and conditions.
28
What are the elements of CSR that are commonly audited?
* Governance * Ethics * Environment * Transparency * Healthy, Safety, and Security * Human Rights and Work Conditions
29
What are the seven steps in the CSR Process?
1) Set priorities and policies for areas such as ethics, labor, the environment, charity, and any other relevant CSR areas. 2) Set specific objectives and strategies to achieve the policies set by management. 3) Communicate and embed CSR into controls and decision making. 4) Track the activities related to CSR so that the results of the CSR policies and objectives can be measured, analyzed, and benchmarked. 5) Engage stakeholders to resolve any complaints and receive feedback on the CSR issues affecting them. 6) Audit results including controls related to CSR and any public disclosures. 7) Report results.
30
What are the stakeholder groups in auditing CSR?
* Employees and their families * Environmental organizations * Customers * Suppliers * Communities * Shareholders
31
How is risk defined n the Glossary?
“The possibility of an event occurring that will have an | impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”
32
What are the four broad categories of risk?
1) Strategic risks 2) Operational risks 3) Financial risks 4) Hazard risks
33
What is risk capacity?
Risk capacity is the maximum amount of risk that an | organization can tolerate without irreparably damaging the company.
34
What is risk appetite?
Risk appetite is defined in the IIA Glossary as “the level of risk that an organization is willing to accept.” Risk appetite is shaped by the expectations of stakeholders, regulatory and contractual requirements, and the influence of technology, capital, and human resources.
35
What is risk tolerance?
Risk tolerance is the amount of variance in the returns from an activity that a company is willing to tolerate. The higher the risk tolerance, the greater the range of outcomes a company is willing to accept.
36
What are some factors that influence a company’s | risk appetite?
* Their position in the business-development cycle. * The viewpoints of the major stakeholders. * Accounting factors. * The opportunity for fraud. * Entity-level factors – the personnel, changes in the organization’s structure, and changes in key personnel. * External factors – changes in the economy, industry, or technology. * Governmental restrictions.
37
What are the five steps in the risk management | process?
1) Risk identification 2) Risk assessment 3) Risk prioritization 4) Response planning 5) Risk monitoring
38
What are some event identification techniques?
* Brainstorming sessions * Event inventories and loss event data * Interviews and self-assessment * Facilitated workshops * SWOT analysis * Risk questionnaires and risk surveys * Scenario analysis * Technology
39
What is Inherent Risk?
Inherent risk is defined as “the level of risk that resides with an event or process prior to management taking a mitigation action.” It is the amount of risk that occurs naturally in the activities of the company. Management cannot do anything about the existence of inherent risk; however, it can take steps to address and, where appropriate, mitigate its effects.
40
What is Residual Risk?
Residual risk is defined as: “The level of risk that remains after management has taken action to mitigate the risk.” Inherent risk − Activities of management to mitigate/address the risk = Residual risk
41
What two factors are used to assess the exposure to risk?
1) Loss frequency or probability | 2) Loss severity
42
What is a Risk Map?
A visual depiction of relative risks based on their expected frequency and expected loss.
43
What are the four measures of potential loss?
1) Expected loss 2) Unexpected loss 3) Maximum probable loss 4) Maximum possible loss (also called extreme or catastrophic loss)
44
What is the expected loss?
The amount that management expects to lose to a given risk per year on average over a period of several years. Because the loss is expected, it should be included in the budget.
45
What is the unexpected loss?
The amount that could likely be lost to the risk event in a very bad year, in excess of the amount budgeted for the expected loss, up to the maximum probable loss. The business should reserve the unexpected loss amount as capital.
46
What is the maximum probable loss?
The largest loss that can occur under foreseeable circumstances. Damage greater than the maximum probable loss could occur, but, in the judgment of management, it is very unlikely to occur.
47
What is the maximum possible loss?
The worst-case scenario. It represents the greatest possible loss from a specific risk or event.
48
What are the five responses to risk?
1) Avoiding or eliminating the risk 2) Reducing or mitigating the risk 3) Transferring or sharing the risk 4) Retaining the risk 5) Exploiting or accepting the risk
49
What is Enterprise Risk Management?
“[Enterprise risk management] is the culture, capabilities, and practices that organizations integrate with strategy- setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.”
50
What are the five components of the COSO ERM | Framework?
1) Governance and culture 2) Strategy and objective-setting 3) Performance 4) Review and revision 5) Information, communication, and reporting
51
What are the principles of the “strategy and objective setting” component of ERM?
1) Analyzes business context 2) Defines risk appetite 3) Evaluates alternative strategies 4) Formulates business objectives
52
What are the principles of the “performance” component of ERM?
1) Identifies risk 2) Assesses severity of risk 3) Prioritizes risks 4) Implements risk responses 5) Develops portfolio view
53
What are the principles of the “review and revision” | component of ERM?
1) Assesses substantial change 2) Reviews risk and performance 3) Pursues improvement in enterprise risk management
54
What are the principles of the “information, communication and reporting” component of ERM?
1) Leverages information systems 2) Communicates risk information 3) Reports on risk, culture, and performance
55
What are the three areas of principles and guidance | in ISO 31000?
1) Principles. The interrelated values that are foundational to the risk-management process. 2) Framework. The ways in which the risk-management plan should be integrated into “significant activities and functions.” 3) Process. A step-by-step list of procedures to design and execute risk management.
56
What are the eight principles that ISO 31000 sets forth to guide risk-management procedures?
1) Integrated 2) Structured and comprehensive 3) Customized 4) Inclusive 5) Dynamic 6) Best available information 7) Human and cultural factors 8) Continual improvement
57
What are the six steps of the risk-management process in ISO 31000?
1) Communication and consultation 2) Scope, context, and criteria 3) Risk assessment 4) Risk treatment 5) Monitoring and review 6) Recording and reporting
58
What is the role of the IAA in the risk- management | process?
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
59
What must an assessment of the risk- management | process address?
The internal auditor must be satisfied that the organization’s risk management processes addresses: 1) Risks that arise from business strategies and activities are identified and prioritized. 2) Management and the board set the level of risk acceptable to the organization (assess risk appetite). 3) Risk mitigation or reduction activities are designed and implemented to reduce or otherwise manage risk at acceptable levels. 4) Risk are periodically reassessed on an ongoing basis. 5) Reports are given periodically to the board and management on the risk assessment process.
60
How is evidence for risk-management assessments gathered?
Evidence to support the risk assessment is usually obtained from engagements throughout the year. Because there is no formula to follow, the successful assessment of risk often rests with the professional judgment and experience of the internal auditors and the CAE.
61
What should the IAA do when there is no risk- management process?
The CAE must convince the board and senior management to establish one, even if it just an informal set of procedures.
62
In what three areas should the IAA provide assurance about the effectiveness of risk management?
1) The design and implementation of the risk management processes. 2) Identification of key risks and the effectiveness of their controls. 3) Assessment and reporting of risk and controls.
63
What are assurance engagements connected to risk management that are core roles of the IAA?
* Giving assurance on the risk management process * Giving assurance that risks are correctly evaluated * Evaluating risk management processes * Evaluating the reporting of key risks * Reviewing the management of key risks
64
What are consulting engagements connected to risk management that are legitimate roles of the IAA?
* Facilitating identification and evaluating risks * Coaching management in responding to risks * Coordinating ERM activities * Consolidated reporting on risks * Maintaining and developing the ERM framework * Championing the establishment of ERM * Developing the ERM strategy for board approval
65
What are consulting engagements connected to risk management that the IAA should not undertake?
* Setting the risk appetite * Imposing risk management processes * Management assurance on risks * Taking decisions on risk responses * Implementing responses on management’s behalf * Accountability for risk management
66
How does the IIA Glossary define Control?
“Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”
67
Internal control provides reasonable assurance about the achievement of objectives in what three areas?
1) Operations 2) Reporting 3) Compliance
68
What are five types of controls?
1) Directive 2) Preventive 3) Detective 4) Corrective 5) Compensating
69
What are the three timings of controls?
1) Feedforward controls 2) Concurrent controls 3) Feedback controls
70
What are characteristics of effective controls?
* Economical * Meaningful * Appropriate * Congruent * Timely * Simple * Operational
71
What are the limitations of internal controls?
1) Internal controls can provide only reasonable assurance that objectives can be achieved. Internal controls should never be promoted as a guarantee. 2) Human error, faulty judgment, collusion, and fraud can all limit the effectiveness of controls. 3) Excessive or unreasonable controls can increase bureaucracy and reduce productivity. Controls must be evaluated in terms of their cost and benefit to avoid wasting resources.
72
Who is responsible for internal controls?
The board of directors oversees the control system. The CEO is responsible for the “tone at the top.” Senior managers delegate responsibility for establishing specific internal control policies and procedures. Financial officers and their staffs are central to the exercise of control. Internal auditors play a monitoring role. Virtually all employees are involved in internal control. External parties such as independent auditors often provide information useful to effective internal control.
73
What are the three main elements of the control process?
1) Setting the objectives. 2) Measuring performance against a standard. 3) Evaluating the results then correcting or regulating the performance.
74
What are input controls in an automated control system?
1) Edit checks 2) Key verifications 3) Redundancy checks 4) Echo checks 5) Completeness checks
75
What are processing controls in an automated control system?
1) Posting checks 2) Cross-footing 3) Zero balance checks 4) Run-to-run control totals 5) Internal header and trailer labels 6) Concurrency controls 7) Key integrity checks
76
What are output controls in an automated control | system?
1) Output distribution controls 2) Output retention controls 3) Forms controls 4) Error logs
77
What four duties should always be segregated?
1) Authorizing a transaction. 2) Recording the transaction, preparing source documents, and maintaining journals. 3) Keeping physical custody of the related asset. For example, receiving checks in the mail. 4) The periodic reconciliation of the physical assets to the recorded amounts for those assets.
78
What is collusion?
Collusion is when two or more people work together to get around the controls that are in place.
79
What are the five components of internal control?
1) Control environment 2) Risk assessment 3) Control activities 4) Information and communication 5) Monitoring activities
80
What is the Control Environment in the COSO Model?
The control environment sets the tone for the organization, influencing the control consciousness of its people. The control environment is the foundation for the other components of internal control.
81
What is Risk Assessment in the COSO Model?
Risk assessment is the identification and analysis of | relevant risks to the achievement of objectives and forms a basis for how risks should be managed.
82
What are Control Activities in the COSO Model?
Control activities ensure that management directives are carried out. These policies and procedures also outline the necessary steps to address risks to the organization’s objectives.
83
What is Information and Communication in the COSO Model?
These are the systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
84
What is Monitoring in the COSO Model?
These are processes used to assess the quality of internal control performance over time. This objective is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.
85
What are the five principles of the Control Environment under the COSO Model?
1) The organization demonstrates a commitment to integrity and ethical values. 2) The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3) Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4) The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
86
What are the four principles of Risk Assessment under the COSO Model?
1) The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 2) The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 3) The organization considers the potential for fraud in assessing risks to the achievement of objectives. 4) The organization identifies and assesses changes that could significantly impact the system of internal control.
87
What are the three principles of | the Control Activities under the COSO Model?
1) The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 2) The organization selects and develops general control activities over technology to support the achievement of objectives. 3) The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
88
What are the three principles of Information and Communication under the COSO Model?
1) The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 2) The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 3) The organization communicates with external parties regarding matters affecting the functioning of internal control.
89
What are the two principles of Monitoring | activities under the COSO Model?
1) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 2) The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
90
What type of controls do both COSO and CoCo | emphasize?
Soft controls, which emphasize ideas and expectations (for example, shared values, expectations, commitment, competence, and trust) rather than specific tasks (for example, policies and procedures).
91
What are the key tenets of the Turnbull Report?
* Board’s responsibility for internal controls * Management’s responsibility for internal controls * Employees’ responsibility for internal controls * Adopting a risk-based approach * Ongoing monitoring of risks and controls
92
What is the role of the IAA in the company’s control | system?
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
93
What are the steps in the evaluation of the effectiveness of controls?
1) Identify objectives and any associated risks. 2) Determine the significance of any risks. 3) Make note of the responses to these risks. 4) Identify the “key controls.” 5) Assess how well a given control is designed. 6) Test the control to ascertain the effectiveness of the design.
94
What three criteria can help the IAA measure the effectiveness of a specific control?
1) The level of control must be “appropriate for the risk it addresses.” For example, petty cash does not need as many controls as cash received from customers. 2) The costs of the control must not exceed the benefits it provides. For example, the office supply cabinet does not need 24/7 surveillance and a biometric scanner for access, but a server room certainly would. 3) No control should “create significant business concerns.” For example, regardless of how efficiently a control manages a particular risk, if the control breaks the law, it puts the company in significant legal jeopardy.

IIA CIA Part 1 2019 (7 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions