Risk Assessment (a) Flashcards Preview

Flashcards in Risk Assessment (a) Deck (9):
1

Describe the 6 steps to an effective Risk Assessment:

6 R's!

1. Recognize
- Use formal process to ID relevant, material risks that could adversely affect entity
2. Rate
- Assess level of risk for each individual risk ID'd and rate significance of impact
- Significance can be high, medium or low impact or a percentage
3. Rank
- 2 methods to Rank:
(a) Risk Score = Significance factor x likelihood
(b) Plot in a Risk Scorecard
- More efficient and effective application of risk assessment
4. Respond
- Develop responses and mitigating controls to higher risks
- Link specific risk and assessed level of that risk (ex: take high-powered control to mitigate high risk)
5. Report
- Document via Risk Assessment Report
6. Review
- Regular review needed to monitor risks and mitigation effectiveness

2

What are the 3 "COSO ERM Model" (Enterprise Risk Mgmt) Dimensions?

1. Risk Components
2. Risk Mgmt Objectives
3. Entity/Unit Level Components

3

Name the 8 "Risk Components" under the COSO ERM Model:

IO EAR CIM

(1) Internal Environment
(2) Objective Setting
(3) Event ID
(4) Risk Assessment
(5) Risk Response
(6) Control Activities
(7) Information and Communication
(8) Monitoring

4

Name the 4 "Risk Mgmt Objectives" under the COSO ERM Model:

(1) Strategic
(2) Operations
(3) Reporting
(4) Compliance

5

Name the 4 "Entity/Unit Level Components" under the COSO ERM Model:

(1) Subsidiary
(2) Business Unit
(3) Division
(4) Entity Level

6

Name the 3 Risk-Based Audit (RBA) Phases:

(1) Risk Assessment
- ID risks associated w/ financial reporting process
- Gather evidence about IT-related IR to make assessment on RMM
- Gather evidence about controls to assess level of CR
(2) Audit Planning
(3) Further Audit Procedures

7

Under a Risk-Based Audit (RBA), what is involved in the "Risk Assessment" Phase?

"Risk Assessment" 1 of 3 RBA Phases:
- Risks associated w/ financial reporting process are ID'd here
- Gather evidence about IT-related IR to make assessment on RMM
- Gather evidence about controls to assess level of CR
- Typically occurs in last quarter of fiscal yr

8

Under a Risk-Based Audit (RBA), what is involved in the "Further Audit Procedures" Phase?

"Further Audit Procedures" (FAP) 3 of 3 RBA Phases:
- RBA standards require that FAP be developed from the FS risk assessment, with each FAP linked to specific risks
- Level of substantive procedures (or other FAP) s/b appropriate for level of risk (high RMM means FAP needs to be more powerful, e.g. re-performance)

9

Name 4 processes under the "IT Risk Assessment":

(1) Applications
- Document key systems and apps
(2) Data Storage (Integrity, Security and Reliability)
- Databases and DBA
(3) Communications
(4) Data Transfers
- Special type of communications