SU 5 - Risk Management Flashcards
(80 cards)
1
Q
The probability that a given event will occur.
A
Likelihood
2
Q
The acceptable levels of variation relative to the achievement of objectives.
A
Risk tolerance
3
Q
The amount of risk an organization is willing to accept in pursuit of value.
A
Risk appetite
4
Q
The identification of risk, the measurement of risk, and the process of prioritizing risk or selecting alternatives based on risk.
A
Risk Assessment
5
Q
The risk derived from the environment without the mitigating effects of internal controls.
A
Inherent Risk
6
Q
A condition where the outcome can only be estimated.
A
Uncertainty
7
Q
A combination assessment of a risk’s impact and likelihood.
A
Risk rating
8
Q
The actions taken to manage risk.
A
Risk Response
9
Q
A threshold level above which items would make a difference to a decision-maker (material) and below which the items are insignificant (immaterial).
A
Materiality
10
Q
The result, effect, or consequences of an event.
A
Impact
11
Q
The possibility of an event occurring that will have an impact on the achievement of objectives; measured in terms of impact and likelihood.
A
Risk
12
Q
The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.
A
Residual risk
13
Q
The portion of inherent risk that management can reduce through day-to-day operations and management activities.
A
Controllable risk
14
Q
A two-axis risk assessment chart or grid that places impact on one axis and likelihood on the other to create a combination assessment of a risk’s overall rating.
A
Heat map
15
Q
An organization’s approach to assess and eventually pursue, retain, or turn away from risk.
A
Risk attitude
16
Q
The method of recognizing possible threats and opportunities.
A
Risk identification
17
Q
As related to risk, an uncertain event with a positive consequence.
A
Opportunity
18
Q
An incident or occurrence resulting from internal or external sources that affects the implementation of strategy or achievement of objectives.
A
Event
19
Q
A structured, consistent, and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives.
A
Enterprise Risk Management (ERM)
20
Q
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of an organization’s objectives.
A
Risk management
21
Q
A spreadsheet or document that links risks to organizational objectives, provides an assessment of each risk, including its impact and probability, identifies the risk owner, and identifies the response or key control to address the risk.
A
Risk register
22
Q
Internal auditors can learn about the organization’s risk appetite by
A
- Reviewing the organization’s risk management policies
- Discussing the organization’s risk management philosophy with the board, senior management, or risk management officers.
- The chief financial officer and external auditors can also help define financial reporting risk appetite.
23
Q
A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives
A
Risk Management
24
Q
The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value. It does not refer to a function, group, or department within an entity.
A
Enterprise Risk Management (ERM)
25
when the benefits from resource investments exceed the cost of those resources. (The opposite would mean that value is being eroded.)
Value is created
26
when resources deployed in daily operations sustain the things creating the benefits, such as maintaining customer loyalty.
Values if preserved
27
It exists to help organizations understand the nature of the risks they are facing, determine the amount of risk they are willing and able to accept, and proactively respond to risks
ERM
28
Likely to be effective in creating value when the organization’s ERM capabilities are aligned with each other and are fully integrated into operations.
ERM
29
Who is responsible for supporting and championing the use of ERM and also creates demand for relevant, reliable, and timely risk analysis and reporting
The organization’s governance functions (the board and senior management)
30
Who is responsible for ensuring that risks are managed and that there is an adequate ERM system in use
The board
31
Who is important in monitoring and recommending improvements in the organization’s ERM practices.
Internal Audit Activit, but Management owns ERM, not internal auditing.
32
Process consists of identifying and categorizing risks, evaluating their impact and likelihood and doing other forms of analysis and prioritization, selecting and implementing risk responses in a timely fashion (possibly including planning for specific scenarios), and communicating and reporting on risks and responses.
A generic ERM process
33
7 Common Risk Identification Approaches
1. Event inventories: Detailed listings of potential events common to companies within a particular industry, process, etc. Eg. Lists of typically encountered events in a custom software development project
2. Internal analysis: Detailed analysis of information; data from ongoing operations or other business units, customers, suppliers, or external sources. E.g. New product launch analysis that examines internal data and events affecting the success of competitors’ products
3. Escalation or threshold triggers: Comparison of transactions/events against predefined criteria alerting management to areas of concern that may require assessment or fast response. E.g. Review of the organization’s pricing structure when competitors’ prices reach a specific threshold
4. Facilitated workshops and interviews: Facilitator-led events to draw on the knowledge and experience of management, staff, and stakeholders regarding achievement of objectives. E.g. Focus group with accounting team led by a financial controller to identify events that have an impact on the organization’s external financial reporting
5. Process flow analysis: Combination of inputs, tasks, and responsibilities in a process; internal and external factors or events that could impact process objectives. E.g Medical lab making process maps for the receipt and testing of samples and then evaluating the process maps for risks
6. Leading key indicators: Qualitative or quantitative measures that help identify upcoming changes to risks. E.g. Monitoring loan payment patterns to mitigate potential for default
7. Loss event data methodologies: Examination of past individual loss events to identify trends and root causes; assessment of whether to treat the root cause or address individual events, E.g. Insurance company examining a historical database of accident claims to identify the root cause of the accidents
34
5 Likelihood Factors
1. Probability based on history or cycles
2. Complexity of activities
3. Change or stability (e.g., employee turnover or new laws)
4. Control environment
5. Control process effectiveness
35
5 Impact Factors
1. Materiality (e.g., dollar loss)
2. Potential reputation or brand damage
3. Importance of the related objective to the organization’s mission
4. Velocity of occurrence, duration, and/or pervasiveness of the event
5. Recovery costs
36
A scale which is not quantifiable or measurable but is instead a set of general categories such as negligible, low, medium, high, and extreme.
A subjective scale
37
Scale may add a monetary value range to each level (for impact) or a percentage range (for likelihood).
An objective schale
38
Steps in creating a Heat Map
1. Each risk identified is mapped to a specific location on the heat map
2. Analysis phase to link each risk back to one or more specific business objectives
3. Further refine the risk analysis process to account for other risk factors, such as urgency of response needed and so on (not all orgz use step)
39
5 Risk Responses
1. Acceptance. No action is taken to decrease risk impact or likelihood. The organization is willing to accept the risk at the current level rather than spend resources on it (or no viable plan can be devised).
2. Avoidance. A decision is made to exit or divest of the activities giving rise to the risk (e.g., exiting a product line or country of operations).
3. Pursuit. Exploit the risk if taking such a risk is advantageous to the organization or is necessary to achieve a particular business objective (e.g., entering a new product line or region).
4. Reduction. Action is taken to reduce or mitigate the risk impact, likelihood, or both. Implementing controls is an example.
5. Sharing. The risk impact or likelihood is reduced by transferring or sharing a portion of the risk with a third party. Insurance, outsourcing, and partnering are examples.
40
STANDARD: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Performance Standard 2120, “Risk Management”
41
STANDARD: The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems
Implementation Standard 2120.A1 (Assurance Engagements)
42
STANDARD: The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.
Performance Standard 2010, “Planning”
43
provides a systematic way for the CAE and the internal audit activity to assess internal and external risk factors and develop an annual audit plan
A risk assessment framework for audit planning
44
Most risk-based frameworks for internal audit planning include 3 steps
1. Determine the audit universe
2. Examine organizational risk factors
3. Prioritize audits.
45
STANDARD: The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
Implementation Standard 2010.A1 (Assurance Engagements)
46
2 major ERM models/frameworks
1. COSOs ERM Framework
2. ISO 31000
47
The purpose of this framework is to help organizations accelerate growth and enhance performance by integrating ERM at every organizational level and applying the principles of the framework to everything from strategic decision making to performance management.
The COSO (The Committee of Sponsoring Organizations of the Treadway Commission) ERM framework is called Enterprise Risk Management—Integrating with Strategy and Performance.
48
The COSO ERM framework consists of five interrelated components
1. Governance and culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
2. Strategy and objective setting: ERM, strategy, and objective setting work together in strategic planning. A risk appetite is established and aligned with strategy; business objectives implement strategy while forming a basis for identifying, assessing, and responding to risk.
3. Performance: Risks to achievement of strategy and objectives are identified and assessed. Risks are prioritized by severity (impact and likelihood) in the context of risk appetite. The organization selects risk responses and takes a portfolio view of the amount of risk it has assumed and reports key risks to stakeholders.
4. Review and revision: By reviewing entity performance, an organization can consider ERM component effectiveness as the organization changes and what revisions are needed.
5. Information, communication, and reporting: ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization
49
The 5 components of COSO are supported by a set of 20 principles
Governance and culture:
1. Exercises board risk oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes operating structures—The organization establishes operating structures in the pursuit of strategy and business objectives.
3. Defines desired culture—The organization defines the desired behaviors that characterize its desired culture.
4. Demonstrates commitment to core values—The organization demonstrates a commitment to its core values.
5. Attracts, develops, and retains capable individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.
Strategy and objective setting
6. Analyzes business context—The organization considers potential effects of business context on risk profile.
7. Defines risk appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.
8. Evaluates alternative strategies—The organization evaluates alternative strategies and potential impact on risk profile.
9. Formulates business objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.
Performance
10. Identifies risk—The organization identifies risk that impacts the performance of strategy and business objectives.
11. Assesses severity of risk—The organization assesses the severity of risk.
12. Prioritizes risks—The organization prioritizes risks as a basis for selecting risk responses.
13. Implements risk responses—The organization identifies and selects risk responses.
14. Develops portfolio view—The organization develops and evaluates a portfolio view of risk.
Review and revision
15. Assesses substantial change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.
16. Reviews risk and performance—The organization reviews entity performance and considers risk.
17. Pursues improvement in enterprise risk management—The organization pursues improvement of enterprise risk management.
Information, communication, and reporting
18. Leverages information and technology—The organization leverages the entity’s information and technology systems to support enterprise risk management.
19. Communicates risk information—The organization uses communication channels to support enterprise risk management.
20. Reports on risk, culture, and performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.
50
A simple and concise international standard and framework for the systematic development of enterprise risk management. It can be used successfully by any size or type of organization because the organization can adapt the framework to the proper scope and environmental context. The purpose is to help organizations manage uncertainty. It provides a guide for managing risk based on key principles, a framework, and a process
SO 31000:2018, “Risk management—Guidelines
51
A principles-based standard intended to generate transparency and credibility within the risk management function. The principles describe characteristics of effective and efficient risk management and should be used as a foundation for establishing an organization’s ERM processes.
ISO 31000
52
The ISO 31000 framework's 6 components assist in integrating risk management into all organizational activities and functions.
1. Leadership and commitment. Oversight by top management ensures that a risk management approach is integrated into all activities, promoting the value to the organization and stakeholders.
2. Integration. Risk management should be a key aspect of governance. It should be aligned to the organizational purpose, strategy, objectives, and operations.
3. Design. The framework should be designed to fit the context of the organization and demonstrate the commitment to risk management.
4. Implementation. Success requires stakeholder engagement and awareness. The framework ensures that a risk management process is included in all activities.
5. Evaluation. To evaluate the effectiveness of the framework, auditors should measure performance against indicators and expected behaviors.
6. Improvement. Organizations should continually monitor and adapt the framework to address identified gaps and incorporate enhancements.
53
ISO 31000 is a principles-based standard intended to generate transparency and credibility within the risk management function.
The 8 principles describe characteristics of effective and efficient risk management and should be used as a foundation for establishing an organization’s ERM processes.
1. Integrated: Risk management is an integral part of all activities in an organization.
2. Structured and comprehensive: Risk management should follow a structured and comprehensive approach to provide consistent results.
3. Customized: Risk management is customized to the organization’s operating environment, culture, and objectives.
4. Inclusive: Risk management is inclusive of all stakeholders, providing improved communications and risk management awareness.
5. Dynamic: Risk management uses an iterative cycle to generate continual improvement, organizational learning, and quick response to changing environments and emerging risks.
6. Best information available: Risk management makes use of the best historical, current, and future-oriented information available. Relevant stakeholders need timely and clear information.
7 Behavioral and cultural factors: Risk management is influenced by organizational culture and staff behavior.
8. Continuous improvement: Learning and experience are used to continually improve risk management.
54
Assurance of management’s overall risk management process can use the 8 process elements of ISO 31000 as an audit approach
1. Communication and consultation. Structured and ongoing communication and consultation occur with parties affected by operations.
2. Establish context. The external environment (political, social, etc.) and internal environment (strategies, structures, ethics, etc.) are understood as a prerequisite of identifying the full range of risks.
3. Risk identification. Identifying risks uses a formal, structured process that considers risk sources, impact areas, potential events, causes, and consequences.
4. Risk analysis. A formal technique is used to consider each risk’s impact and likelihood.
5. Risk evaluation. A method is used to rank the relative importance of each risk so that a treatment priority can be established.
6. Determine risk treatment. Rational decisions are made about risk treatment (acceptance, avoidance, pursuit, reduction, and sharing).
7. Monitoring and review. Progress of treatment plans, existence and effectiveness of controls, avoidance of proscribed activities, and environment changes are monitored and reviewed.
8. Record and report. Reports are made in the appropriate frequency and level of detail to the appropriate parties.
55
Differences Between COSO ERM and ISO 31000 Components
1. Governance and culture VS Leadership and commitment (Process: communication and consultation)
2. Strategy and objective setting VS Integration, Design (Process: scope, context, criteria)
3. Performance:(Identifies risk, Assesses severity of risk, Prioritizes risks, Implements risk responses,
Develops portfolio view)
VS
Implementation (Process: risk identification), (Process: risk assessment), (Process: risk analysis),
(Process: risk treatment)
4. Review and revision VS Evaluation, Improvement (Process: monitoring and review)
5. Information, communication, and reporting VS (Process: communication and consultation), (Process: recording and reporting)
56
Internal audit activity can use one of 4 assessments approaches to assess the organization’s ERM
1. Assessments based on ongoing monitoring.
2. Assessments based on a maturity model.
3. Resource-based assessment approaches (top-down, bottom-up, or combination).
4. Assessments that rely on ISO 31000 principles and/or process elements.
57
An organization’s approach to assess and eventually pursue, retain, or turn away from risk
Risk attitude
58
Assessing an entire risk management process is a labor- and time-intensive exercise.
There are 3 approaches the CAE can develop that considers the available resources while fulfilling audit objectives.
1. Top-Down Approach
2. Bottom-up Approach
3. Combination Approach
59
Approach to considers the available resources while fulfilling audit objectives (Risk Management process assessment)
Effective methods: Interviews, Document reviews
Participants: Board members (e.g., audit and/or risk committee chairs), Senior management, Group/division management
Limitations: Low level of detail, Assessment may take a governance focus due to the participants involved, Board and senior management views may not represent remainder of organization, especially regarding culture.
Top-Down Approach
60
Approach to considers the available resources while fulfilling audit objectives (Risk Management process assessment)
Effective methods: Interviews, Surveys, Document reviews, Walkthroughs
Participants: Line managers, Supervisors
Limitations: Surveys may be confusing without a risk process/language background, Feedback may be inconsistently distributed across participants., Participants may not make time (indicative of low priority given to ERM).
Bottom-Up Approach
61
Approach to considers the available resources while fulfilling audit objectives (Risk Management process assessment)
Effective methods: Interviews with higher-level personnel, Surveys with lower-level personnel, Document reviews
Participants: Board members (e.g., audit and/or risk committee chairs), Senior management, Group/division management, Line managers
Limitations: While this approach can be more comprehensive, it could be more expensive/time-consuming, and any of the prior limitations may still apply.
Combination Approach
62
The assessment is good for strategic-level identification and evaluation of exposures. These assessments can serve as a catalyst to get the organization moving toward its desired ERM maturity level. Internal auditors performing such assessments should understand the business and its strategy as well as external environment and stakeholder risk priority changes.
Top=down assessment
63
The assessments are more likely to be limited-scope engagements because it can be difficult to assess ERM at the detail level. The scope can instead be defined based on specific objectives such as for specific locations or strategic objectives
Bottom-up assessment
64
The assessment can be used when the benefits of both methods are desired and there is budget available for its greater administrative cost.
Combination approaches
65
Risk management analytical techniques
include performing root cause analysis of detected faults or statistical analysis of incident trends.
66
Who needs to follow up on the status of risk treatment plans and related control remediation plans. Follow-up activities include ensuring that monitoring provides management with an assessment of progress against milestones and validating that plan status reports to the board are accurate and timely.
Internal Audit Activity (IAA)
67
Assessing ERM on an Engagement
A best practice when conducting an individual engagement that includes a risk assessment component is to follow the engagement planning's 7 steps as presented in Standard 2200 and further detailed in The IIA’s Practice Guide “Engagement Planning: Establishing Objectives and Scope.”
1. Understand the Context and Purpose of the Engagement
2. Gather Information to Understand the Risk Management Process
3. Conduct a Preliminary Risk Assessment - An effective way to perform and document an engagement-level risk assessment is to create a heat map (risk assessment model) of significant risk exposures including errors, fraud, and noncompliance.
4. Establish Engagement Objectives
5. Establish Engagement Scope
6. Allocate Resources - The CAE or internal auditors assigned to the engagement determine whether the quantity of resources and mix of competencies available are sufficient to perform the engagement with due professional care. Another consideration when allocating resources is the impact that the culture and control environment will have on the engagement’s requirements.
7. Document the Work Program - Documents gathered may include process maps for the process or function, the area’s risk register, and summaries of interviews and surveys.
68
STANDARD: internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review.
Implementation Standard 2210.A1 (Assurance Engagements)
69
STANDARD: Objectives must be established for each engagement.
Performance Standard 2210, “Engagement Objectives”
70
STANDARD: Objectives must be established for each engagement.
Performance Standard 2210, “Engagement Objectives”
71
STANDARD: The established scope must be sufficient to achieve the objectives of the engagement.
Performance Standard 2220, “Engagement Scope”
72
STANDARD: Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
Performance Standard 2230, “Engagement Resource Allocation”
73
Core IA roles in regard to ERm:
1. Giving assurance on risk management processes
2. Giving assurance that risk are correctly evaluated
3. Evaluating risk management processes
4. Evaluating the reporting of key risks
5. Reviewing the management of key risks
Core internal audit roles the activity should undertake. These are all assurance activities
74
Legitimate IA roles with safeguards:
1. Facilitating identification & evaluation of risks
2. Coaching management in responding to risks
3. Coordinating ERM activities
4. Consolidated reporting on risks
5. Maintaining and developing the ERM framework
6. Championing establishment of ERM
7. Developing ERM strategy for board approval
Consulting and other non-assurance activities that are still legitimate internal audit activity roles but require some safeguards
75
Roles IA should not undertake:
1. Setting the risk appetite
2. Imposing risk management processes
3. Management assurance on risk
4. Taking decisions on risk responses
5. Implementing risk responses on management's behalf
6. Accountability for risk maangement
Roles the activity should not undertake. These are all things for which the board, senior management, or other management levels should be responsible and accountable.
76
STANDARD: During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
Implementation Standard 2120.C1 (Consulting Engagements)
77
STANDARD: Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
Implementation Standard 2120.C2 (Consulting Engagements)
78
STANDARD: When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.
Implementation Standard 2120.C3 (Consulting Engagements)
79
Safeguards for consulting on ERM include:
1. Making it clear to management that they are responsible for risk management, including by documenting the nature of internal audit responsibilities in the internal audit charter and related policies and procedures.
2. Abstaining from actually managing any of the risks on behalf of management. Instead, the internal audit activity may challenge or support management’s decision-making process or provide other advice.
3. Recognizing any work beyond assurance activities as consulting engagements. Implementation Standards related to consulting engagements should be followed.
80
STANDARD: indicates that the CAE’s periodic reporting to senior management and the board must include significant risk exposures and control issues. An effective internal audit activity provides the board with assurance in these areas and suggests governance, risk management, and control improvement opportunities.
Performance Standard 2060, “Reporting to Senior Management and the Board,
