Control Frameworks
“You can’t win just by playing defense.”
2. Risk Assessment
Risks are those events that can jeopardize the organization’s ability to achieve its
objectives.
Risk assessment is the process of identifying, assessing, and measuring risks to the
organization, program, or process under review.
It involves a dynamic and iterative process of identifying, analyzing, and deciding how
best to respond to these risks in relation to the achievement of objectives.
Risks are typically assessed along two dimensions:
1. Likelihood, or the probability that these events occur
2. Impact, or the consequence if these events occurred
Management specifies objectives within three separate but related categories:
Reporting: It includes the reliability, timeliness, transparency, or other terms set by
regulators, the organization’s policies or other recognized standard setters.
Compliance: These are related to adherence to laws and regulations to which the
organization is subject.
Operations: This includes operational and financial performance goals, safeguarding
assets against loss, damage or obsolescence, and making sure resources are obtained
economically.
Business and Process Risk
This is the risk that the organization's processes are not effectively obtaining, managing,
and disposing of their assets; that the organization is not performing effectively and
efficiently in meeting customer needs; and that it is not creating value, or is diluting value
by suffering the degradation of financial, physical, and information assets.
◾ Capacity risk
◾ Execution risk
◾ Supply chain risk
◾ Human resources risk
◾ Product or service failure risk
◾ Product development risk
◾ Cycle time risk
◾ Health and safety risk
◾ Leadership risk
◾ Outsourcing risk
◾ Competitor risk
◾ Catastrophic loss risk
◾ Industry risk
◾ Organization structure risk
◾ Integrity and fraud risk
◾ Trademark erosion risk
◾ Reputation risk
◾ Data integrity
◾ Infrastructure risk
◾ Commerce risk
◾ Access risk
◾ Availability risk
Financial Risks
Financial risks can result in poor cash flows, currency and interest rate fluctuations, and
an inability to move funds quickly and without loss of value to where they are needed.
◾ Resources risk
◾ Commodity prices risk
◾ Foreign currency risk
◾ Liquidity risk
◾ Market risk
Environmental Risks
Environmental risk relates to the actual or potential threat of negative effects on the
environment by emissions, wastes, and resource depletion.
◾ Energy and other resources risk
◾ Natural disaster risk
◾ Pollution risk
◾ Transportation risk
◾ Pandemic risk
Political Risks
Political risk has to do with the complications organizations may encounter as a result of
political decisions.
◾ Regulations and legislation risk
◾ Public policy risk
◾ Instability risk
Social Risk
Social risk relates to dynamics where an issue affects stakeholders who can form
negative perceptions that can cause some form of damage to the organization.
◾ Demographics risk
◾ Privacy risk
◾ CSR
◾ Mobility
The SMARTER Model for Effective Goals
The SMARTER model is very useful when developing organizational and personal
goals. SMARTER is a mnemonic that helps you remember the elements of well-
developed goals. It is very effective, and two enhancements that add the letters “E” and
“R” make it even more effective.
Effects of Risk
• Loss of assets
• Negative publicity
• Erroneous decisions
• Customer dissatisfaction
• Fraudulent financial or operational reporting
• Erroneous record keeping and accounting
• Noncompliance with rules and regulations
• Purchase of resources uneconomically
• Failure to accomplish established goals
3. Control Activities
Controls are actions established through policies and procedures that mitigate the
likelihood and/or impact of risks. Controls are performed at all levels of the
organization, at various stages within processes, and over the technological
infrastructure of the organization.
4. Information and Communication
The fourth component in the COSO IC/IF model refers to the flow of
information in an organization.
Communication helps to improve motivation, builds trust, creates a shared
identity and corporate culture, and engenders engagement.
5. Monitoring Activities
The COBIT Framework addresses not only technical subjects but also
critical managerial and accounting/financial activities such as:
ISO
(INTERNATIONAL ORGANIZATION FOR STANDARDIZATION)
ISO is an independent, nongovernmental organization.
The organization is based in Geneva, Switzerland.
It brings together experts to share knowledge and develop voluntary
standards that support innovation and provide solutions to global and
business challenges.
Internal auditors should become familiar with ISO standards as they drive
the decisions, goals, and operational practices of the management team at
many organizations. They can help internal auditors supplement their audit
programs by incorporating the wealth of knowledge that these standards
contain.
Popular standards include:
ISO 9000: Quality management
ISO 14000: Environmental management
ISO 3166: Country codes
ISO 26000: Social responsibility
ISO 50001: Energy management
ISO 31000: Risk management
ISO 22000: Food safety management
ISO 27001: Information security management
ISO 45001: Occupational health and safety
ISO 37001: Anti-bribery management systems
ITIL
(INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY)
In terms of service, the five ITIL 2011 volumes provide the following
guidance:
1. ITIL service strategy: Understanding organizational objectives and
customer needs
2. ITIL service design: Turning the service strategy into a plan for
delivering the business objectives
3. ITIL service transition: Developing and improving capabilities for
introducing new services into supported environments
4. ITIL service operation: Managing services in supported environments
5. ITIL continual service improvement: Enhancing service delivery and
making large-scale improvements.
CMMI
(CAPABILITY MATURITY MODEL INTEGRATION)
CMMI is administered and marketed by Carnegie Mellon University.
CMMI states that it can improve the key capabilities within project and
work management, process management, support infrastructure,
people management, product development, service delivery and
management, supplier management, and data management.