Essentials of Internal Auditing
Section V: Governance, Risk Management, and Control
• Topic A: Organizational Governance
• Topic B: The Impact of Organizational Culture on the Overall Control Environment and Individual Engagement Risks and Controls
• Topic C: Ethics and Compliance Issues and Violations
• Topic D: Corporate Social Responsibility
• Topic E: Risk Management Fundamentals
• Topic F: Globally Accepted Risk Management Frameworks
• Topic G: The Effectiveness of Risk Management
• Topic H: The Internal Audit Activity’s Role in the Risk Management Process
• Topic I: Types of Controls and Management Control Techniques
• Topic J: Internal Control Frameworks
• Topic K: The Effectiveness and Efficiency of Internal Controls

www.LearnCIA.com
v6.0 Part 1, Section V V-2
Broadened Scope of Internal Audit
Performance Standard 2100, “Nature of Work”

“The internal audit activity must evaluate and contribute to the improvement of the organization’s governance, risk management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future impact.”

Complementary COSO Frameworks
COSO ERM: Integrating with Strategy and Performance
• Framework to ensure that ERM starts with strategy, is embedded in organization
• 20 principles in 5 components:
– Governance and culture
– Strategy and objective setting
– Performance
– Review and revision
– Information, communication, and reporting
COSO Internal Control—Integrated Framework
• Three objectives categories: operations, reporting, compliance
• 17 principles in 5 integrated components:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring activities

What Is Governance?
“Combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”
Fundamental Governance Concepts
• Starts at the top and cascades down
• Critical relationships among the board, senior management, and shareholders
• Encompasses organizational structure and related legal and regulatory environment
• Balances economic and social goals
• Extends to all stakeholders, including all employees and external parties such as suppliers, the community

Common Initiatives in Governance

Practice Question
Which is a principle of effective governance?
A. Balance direct and indirect costs versus the benefits of risk responses.
B. Establish a governing policy for the operation of key activities of the organization.
C. Ensure that management is not involved in oversight so strong internal controls can be objective.
D. Analyze critical success factors from an industry and entity perspective.

Answer: B. A relates to risk management, D to internal control. C would be correct if it read “Ensure appropriate oversight of and by management, including establishment and maintenance of a strong set of internal controls.”

Discussion Question
Identify who is responsible for the following governance activities.
Answers:
1. Deploys strategies aligned to organizational objectives and goals: Operations management
2. Oversees organizational activities but does not have managerial responsibilities: Board
3. Provides assurance on external financial reporting activities: External auditor
4. Provides advice on potential improvements to governance structures and processes: Internal auditor
Governance and Organizational Maturity
Less maturity – Internal audit:
• Performs discrete audits.
• Advises regarding optimal structure and practices.
• Compares governance practices against regulations and other compliance requirements.
More maturity – Internal audit reviews:
• Efficiency and effectiveness of company-wide governance components.
• Transparency and disclosure (reporting) practices.
• Governance best practices.
• Compliance with applicable regulations and governance codes.

Internal Audit Assurance Activities to Promote Corporate Values
Self-Assessment Methods – Evaluate:
• Employees’ understanding of organizational values.
• Alignment of individual goals and objectives to corporate values.
• Whether employees uphold values.
• Whether employees perceive others as exemplifying those values.
Audit Programs
• Assess various activities to ensure that values are understood and upheld.
• For example:
– Diversity goals
– Internal ethics function effectiveness

Control Environment
• Importance of control
• Discipline and structure
• Background against which controls operate
– Leadership
– Integrity and ethics
– Ethics
– Philosophy and operating style
– Values and beliefs
– Organizational structure
– Authority and responsibility
– HR policies/practices
– Competence of staff

Culture and Governance
• Organization must ensure:
– Compliance with laws and regulations.
– Satisfaction of generally accepted business norms, ethics, and social expectations.
– Overall benefit to society and to stakeholders.
– Full and truthful reporting transparency.
• Culture impacts values, roles, and behavior that will be articulated and tolerated.
• Effectiveness of governance process largely depends on organization’s culture.

Culture Impact on Engagement Risks/Controls
• Culture influences staff autonomy, hierarchical interactions, rule/policy explicitness, and rewards.
• Risk universe
– If formal functional area authority, define by functional area.
– If more cross-functional, define by business process.
• Culture can impact quality (completeness, bias) of ERM as audit planning input.
• If few formal controls, get most important in writing; if many formal controls, ensure that most important get emphasis.
• Educate to change culture, e.g., one that downplays the need for corrective action.

Compliance Frameworks
Compliance: Act of adhering to, and ability to demonstrate adherence to, mandated requirements (laws and regulations) and voluntary requirements (contract obligations and policies).

Examples:
• ISO 19600, “Compliance management systems” (uses plan-do-check-act methodology to be comprehensive and improve)
• U.S. Federal Sentencing Guidelines for Organizations (compliance principles)

Environmental and Social Compliance
• Organization must comply with laws and requirements of countries in which it operates.
• ISO 14001 standards
• Sample U.S. agencies:
– Environmental Protection Agency (EPA)
– Occupational Safety and Health Administration (OSHA)

Areas Providing Safeguards
• Environmental health and safety (EH&S)
• Environmental monitoring and reporting
• Supply chain management
• Facility management
• Human resources management
• Privacy management

Environmental Health and Safety (EH&S) Guideline Areas
• Environmental
• Occupational health and safety
• Community health and safety
• Construction and decommissioning
• Specific industry-sector guidelines
. . . achievable by new facilities using existing technologies at reasonable costs (IFC guidelines).
Supply Chains and Facilities
Supply Chain Management
• Complementary economic, environmental, and social interests
• Lighter, less packaging
• Design for environment
• International labor practices
• Reputation protection
Facility Management
• More efficient or reliable insulation, heating, cooling, and lighting
• Better aesthetics
• Lower total cost
Privacy
• Personal privacy
• Privacy of space
• Privacy of communication
• Privacy of information

Key U.S. Privacy Laws/Regulations
• Financial Modernization Act (Gramm-Leach-Bliley): Protects consumer financial data held by financial institutions, including collection, disclosure, safeguards, and protection from “pretexting”
• Health Insurance Portability and Accountability Act (HIPAA): Protects consumer health data, including medical record disclosure, electronic transmission, patient copies/corrections, and employer use in job interviews
• Freedom of Information Act (FOIA): Allows citizen/noncitizen to request government information, with exceptions and related acts
• Children’s Online Privacy Protection Act (COPPA): Parental control over child information collection/use, including need for consent, privacy policy

OECD Guidelines
Eight Core Principles:
• Collection limitation
• Data quality
• Purpose specification
• Use limitation
• Security safeguards
• Openness
• Individual participation
• Accountability

Internal Audit and Privacy Compliance
Consider:
• Privacy laws, regulations, and other standards.
• If information security and data protection controls exist and are reviewed for appropriateness.
• Level of maturity of privacy practices.
– Facilitate program development/implementation. (But taking responsibility for doing so impairs objectivity.)
– Evaluate needs and risk exposures.
– Assurance on effectiveness of privacy policies, practices, controls.

Practice Question
Which is a reasonable expectation for an internal auditor evaluating a privacy framework?
A. Identify types of information gathered without making judgments as to appropriateness.
B. Identify significant risks and make appropriate changes to the privacy program.
C. Evaluate whether information collected is in accordance with intended use.
D. Evaluate framework maturity and help make improvements to mitigate significant risks without using outside contractors.

Answer: C. Identifying appropriateness is reasonable. Auditors compromise objectivity by making changes to a program. (They should make recommendations instead.) Due to the highly technical and legal nature of privacy, it may be necessary to secure the services of third-party experts.

Internal Audit Role in Governance and Ethics

It is the responsibility of internal auditing to develop a clear picture of the current ethical climate and propose controls designed to sustain or improve it.

How Internal Auditors Assess the Ethical Climate
• Completeness of ethics policies and codes
• How well personnel practices support an ethical climate
• Whether appropriate communications are occurring, understood, embraced
• If explicit strategies support and enhance the ethical culture
• Evaluating whistleblower processes
• If appropriate misconduct investigation and resolution processes exist, including reporting findings and corrective action
• Evaluating board oversight responsibilities and monitoring activities

Practice Question
A survey designed to assess the organizational ethical climate should include which characteristic?
A. Be kept secret from top management
B. Be field-tested
C. Ensure thoroughness of response such as avoiding use of Likert scales
D. Avoid providing space for open comments

Answer: B. Other important considerations are keeping the survey to a reasonable length and, if possible, providing analysis by an independent firm and assuring respondents’ confidentiality.
Practice Question
A code of conduct related to conflicts of interest should include
A. a description of the expected behavior for employees, other corporate agents, and suppliers.
B. a discussion of industry best practices.
C. provisions for reporting alleged misconduct.
D. lists of what constitute plausible exceptions to the policy.

Answer: A. Codes of conduct are intended to provide a proactive statement on the organization’s position on ethics and compliance issues.
Best Practices for Fostering an Ethical Climate
• Setting “tone at the top”
• A written code of ethics, kept current
• Ethics messaging delivered via multiple communication media
• Employee ethics interviews
• Employee and stakeholder ethics attitude surveys
• Ethics training
• Open communications
• Employee involvement
• Diversity and institutional fairness
• Whistleblower hotlines for reporting incidents
• A compliance-supporting culture

Assessing Ethical Climate of the Board
• Assist in/make recommendations for improvement.
• Ensure that safeguards exist for auditor independence/objectivity.
Assessment Opportunities:
• Board structure, objectives, dynamics
• Board committee functions
• Board policy manual
• Processes for maintaining awareness of governance requirements
• Board education and training

Triple Bottom Line and Sustainability

Corporate Social Responsibility (CSR)
What Is CSR?
“The way firms integrate social, environmental, and economic concerns into their values, culture, decision making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth, and improve society.”
— Practice Guide

Corporate Social Responsibility (CSR)
Fundamental Concepts:
• It is a philosophy that must be championed from the top down.
• Change management is needed to ensure that objectives are reinforced and brought into the organization’s culture and incentive structures.
• Organizations set their own priorities.

Discussion Question
Which CSR stakeholders have the needs listed below?
Answers:
1. Safety, transparency and honesty, price optimization: Customers
2. Fair pay, living wage, respect, support systems, safety and security: Employees (and families)
3. Fair negotiations, relationships, contractual compliance: Suppliers
4. Transparency, honesty, longevity, reputation, legal compliance, optimization of return, governance: Shareholders
Risks Addressed by CSR
• Strategic
• Reputation
• Compliance
• Liability
• Operational
• Reporting
• Staffing
• Marketing
• Supply chain partner

Practice Question
The board resists the CAE’s advice to create a CSR policy and begin planning a CSR program, saying that the organization cannot fulfill its obligations to its shareholders and to society and the environment at the same time. How could the CAE best respond?
A. Creation of a policy and program may be delayed now but should be considered in the future.
B. Implementing a CSR policy should not require a significant investment of time or money.
C. Not having a CSR policy could pose significant risks to the organization.
D. Having a CSR policy is a matter of compliance.

Answer: C

Process (cycle):
1. Determine priorities/objectives.
2. Set detailed CSR objectives, performance targets, implementation strategies.
3. Manage and measure against targets.
4. Analyze results.
5. Make recommendations.

CSR Frameworks and Reporting
CSR Frameworks
• ISO 26000:2010, “Social responsibility”
– Terms and characteristics
– Principles and practices
– Core issues and subjects
– Integrating and promoting
• Global Reporting Initiative
– Widely popular voluntary reporting framework and KPIs
CSR Reporting
• From required filings to brochures, web pages, and annual reports
• Qualify as socially responsible investment?
• Bad and good news?
• Internal audit assurance

Methods of Auditing CSR
• Element
• Stakeholder
• Common subject
• Internal control
• Risk-management-based priority

What Is Risk Management?
“A process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization’s objectives.”

What Is Enterprise Risk Management (ERM)?
“The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”
— COSO Enterprise Risk Management: Integrating with Strategy and Performance

Understanding Risk
• Risk begins with strategy formulation and objective setting.
• Risk represents a range of possibilities.
• Risk may be preventing bad things from happening or failing to ensure that good things happen.
• Risks are inherent in all aspects of life; risks associated with conducting business are considered business risks.

Key Risk Terminology
• Acceptable risk: The business impact that would be experienced if certain risks became realized; loss is acceptable (no new controls).
• Inherent risk: The risk derived from the environment without the mitigating effects of internal controls.
• Residual risk: Risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control.
• Risk appetite: The level of risk an organization is willing to accept.

Discussion Question
Standardized risk terminology provides a common language to use with the board, management, and others in all communications.

Any questions about other terms?

Risk Assessment Process
Objectives → Events → Inherent risk → Responses → Residual risk

Common Likelihood and Impact Factors
Likelihood Factors
• Probability estimates based on history or cycles
• Complexity of activities
• Change or stability (e.g., employee turnover or new laws)
• Control environment (e.g., integrity and ethics)
• Control process effectiveness
Impact Factors
• Materiality (e.g., dollar loss)
• Potential reputation or brand damage
• Importance of the related objective to the organization’s mission
• Velocity of occurrence, duration, and/or pervasiveness of the event
• Recovery costs

Risk Map for Likelihood and Impact
(Vertical axis: Impact, Low to High; horizontal axis: Likelihood, Low to High)
• Upper left: High impact / Low likelihood
• Upper right: High impact / High likelihood
• Lower left: Low impact / Low likelihood
• Lower right: Low impact / High likelihood
Establishing a Framework for Assessing Risk
Performance Standard 2010, “Planning”: CAE “must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.”
Interpretation:
• CAE accounts for organization’s ERM framework and risk appetite per activity/area.
• If no framework, CAE uses judgment and gets senior management/board input.
• CAE reviews and adjusts plan for changes (business, risk, control, etc.).
Establishing a Framework for Assessing Risk
Determine audit universe. → Examine organizational risk factors. → Prioritize audits.
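The three steps above, together with the inherent/residual risk terminology and the likelihood/impact map from the earlier slides, can be carried through on a small audit universe. The script below is an added example, not part of the LearnCIA deck: the 1–5 rating scales, the likelihood × impact scoring, the residual-risk formula (inherent × (1 − control effectiveness)) and the sample units are all constructed assumptions, chosen to show how the concepts combine into a prioritized audit plan.

```python
"""Risk-based audit prioritization: inherent vs. residual risk, the
likelihood/impact map, and risk appetite applied to a small audit universe.
All scales, formulas and sample units are constructed for illustration."""
from dataclasses import dataclass

# Constructed 1-5 ordinal scales; a rating of 4 or 5 counts as "High" on the map.
HIGH_THRESHOLD = 4


@dataclass(frozen=True)
class AuditableUnit:
    name: str
    likelihood: int               # inherent likelihood, 1 (rare) .. 5 (almost certain)
    impact: int                   # inherent impact, 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 = no mitigation, 1.0 = fully effective controls

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: ratings must be in 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be in 0..1")


def inherent_risk(unit):
    """Risk before the mitigating effect of internal controls (likelihood x impact)."""
    return unit.likelihood * unit.impact


def residual_risk(unit):
    """Risk remaining after controls reduce impact/likelihood (assumed linear model)."""
    return round(inherent_risk(unit) * (1.0 - unit.control_effectiveness), 2)


def map_quadrant(unit):
    """Place the unit on the 2x2 likelihood/impact map using its inherent ratings."""
    impact = "High impact" if unit.impact >= HIGH_THRESHOLD else "Low impact"
    likelihood = "High likelihood" if unit.likelihood >= HIGH_THRESHOLD else "Low likelihood"
    return f"{impact} / {likelihood}"


def exceeds_appetite(unit, risk_appetite):
    """True when residual risk is above the level the organization is willing to accept."""
    return residual_risk(unit) > risk_appetite


def prioritize_audits(universe, risk_appetite):
    """Order the audit universe: highest residual risk first, inherent risk breaks ties.
    Returns (name, inherent, residual, quadrant, above_appetite) tuples."""
    ranked = sorted(universe,
                    key=lambda u: (residual_risk(u), inherent_risk(u)),
                    reverse=True)
    return [(u.name, inherent_risk(u), residual_risk(u), map_quadrant(u),
             exceeds_appetite(u, risk_appetite)) for u in ranked]


# Constructed sample audit universe (hypothetical units and ratings).
SAMPLE_UNIVERSE = [
    AuditableUnit("Payroll", likelihood=4, impact=5, control_effectiveness=0.75),
    AuditableUnit("Vendor onboarding", likelihood=2, impact=5, control_effectiveness=0.20),
    AuditableUnit("Office supplies", likelihood=5, impact=1, control_effectiveness=0.0),
    AuditableUnit("Archive room access", likelihood=1, impact=1, control_effectiveness=0.5),
]
RISK_APPETITE = 4.0  # constructed: maximum residual score management will accept

if __name__ == "__main__":
    for name, inh, res, quad, flag in prioritize_audits(SAMPLE_UNIVERSE, RISK_APPETITE):
        status = "ABOVE appetite" if flag else "within appetite"
        print(f"{name:22} inherent={inh:2} residual={res:4} {quad:32} {status}")
```

Note that a unit with strong controls (Payroll) can rank below one with weaker controls (Vendor onboarding) even though its inherent risk is higher, which is why the plan is built on residual rather than inherent risk.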

Practice Question
What is the most likely benefit of having the COSO ERM model in place at a company launching a new product?
A. Better knowledge of whether objectives are being achieved
B. Reduced losses from uncontrollable events
C. Increased compliance with laws and regulations
D. Absolute assurance of a positive reputation within the business community

Answer: A. An ERM framework cannot prevent bad management judgments or unforeseen events. It can, however, provide reasonable assurance that management and the board receive timely information about the achievement of objectives.
COSO’s ERM Framework
Enterprise Risk Management—Integrating with Strategy and Performance

• Helps organizations design and implement effective enterprise-wide risk management
• Principles-based guidance
• Integrates ERM in strategy development and achievement
• Supports organization’s mission, vision, and core values

COSO ERM Components
• Governance and culture: Governance sets tone, reinforcing oversight over ERM. Culture pertains to ethics, behaviors, and risk insight.
• Strategy and objective setting: Establish risk appetite aligned with strategy. Use business objectives to enact strategy; risk process basis.
• Performance: Risks to achievement of strategy/objectives; severity in context of risk appetite; portfolio view.
• Review, revision: How well ERM functions over time, given changes.
• Information, communication, and reporting: Continually obtain and share internal and external information up, down, and across organization.

COSO’s ERM Framework: 20 Principles
Governance and culture
1. Exercises board risk oversight.
2. Establishes operating structures.
3. Defines desired culture.
4. Commits to core values.
5. Gets capable individuals.
Strategy/objective setting
6. Analyzes business context.
7. Defines risk appetite.
8. Evaluates alternatives.
9. Formulates objectives.
Performance
10. Identifies risk.
11. Assesses risk severity.
12. Prioritizes risk.
13. Implements responses.
14. Develops portfolio view.
Review, revision
15. Assesses substantial change.
16. Reviews risk and performance.
17. Improves ERM.
Information, communication, reporting
18. Leverages information and technology.
19. Communicates risk information.
20. Reports on risk, culture, performance.

Practice Question
According to the principles of COSO’s ERM framework, what should be done just before formulating business strategies?
A. Develop a portfolio view of various strategies.
B. Assess the severity of risk and set priorities.
C. Evaluate alternative strategies and their impact on the risk profile.
D. Define the desired elements in the culture.

Answer: C. Strategy and objective setting involves analyzing the business context, defining the risk appetite, evaluating alternative strategies, and then formulating business objectives.
COSO ERM Model
Roles and Responsibilities: The board
• Risk oversight of ERM culture, capabilities, and practices
• Know how well management has established effective ERM
• Awareness and agreement with risk appetite
• Risk portfolio review vs. risk appetite
• Being apprised of most significant risks and if management is responding well
COSO ERM Model
Roles and Responsibilities: Management
• Leads implementation of ERM.
• Chief executive officer sets “tone at the top.”
• Senior managers convert strategies into operations.
• Other managers provide tactical execution.
• Every manager is accountable to the next level up.

Three Lines of Defense
Governing body/board/audit committee
Senior management
External audit
Regulator
• 1st line of defense: Operational management (management controls, internal control measures)
• 2nd line of defense: Financial control, Security, Risk management, Quality, Inspection, Compliance
• 3rd line of defense: Internal audit

COSO ERM Model
Roles and Responsibilities: Risk officer
• Empowered by CEO.
• Provides central coordination across organization.
• Works with other managers to:
– Establish effective risk management practices.
– Monitor progress.
– Assist managers in reporting.
• May serve in an exclusive assignment or have partial responsibility.

COSO ERM Model
Roles and Responsibilities: Financial executives
Finance and controllership activities that are central to risk management execution:
• Budgeting and planning
• Tracking and analyzing performance
• Reporting
COSO ERM Model
Roles and Responsibilities: External parties
Several parties, including:
• External auditors.
• Legislators and regulators.
• Business associates.
• Out-sourcing providers.
• Financial analysts, bond rating agencies, and news media.

Discussion Question
Identify the individual or group responsible for the ERM activity.
Answers:
1. Reviewing operation of ERM in each business unit: Risk officer
2. Setting precedents for integrity and ethical values: Board
3. Formally evaluating organization’s achievement of external financial reporting objectives: External auditors
4. Choosing strategy and setting business objectives, considering risk appetite of organization: CEO

Practice Question
Which is true of ERM responsibilities?
A. The CEO guides development and performance of ERM processes across the organization and delegates to management.
B. Senior managers operate as the first line of defense by owning and managing risks.
C. The risk officer has major responsibility for the financial statements.
D. External auditors influence activities in relation to the entity’s risk appetite.

Answer: A. Operational managers are the first line of defense. Financial officers are responsible for the financial statements. External auditors do not influence the entity’s risk appetite.
ISO 31000 Principles
Risk Management:
• Is an integral part of all activities in an organization.
• Should follow a structured and comprehensive approach.
• Is customized to the organization’s operating environment, culture, and objectives.
• Is transparent, auditable, and inclusive of all stakeholders.
• Treats uncertainty in a structured, orderly, unambiguous, and timely fashion.
• Makes use of the best information available.
• Is influenced by organizational culture and staff behavior.
• Iterates for continual improvement, organizational learning, and the ability to quickly respond to change.

www.LearnCIA.com
v6.0 Part 1, Section V, Topic F V-73
ISO 31000 Framework Components
• Leadership and commitment
• Integration
• Design
• Implementation
• Evaluation
• Improvement
v6.0 Part 1, Section V, Topic F V-74
ISO 31000 Implementation Phase (figure not reproduced in this extract)
v6.0 Part 1, Section V, Topic F V-75
COSO ERM and ISO 31000 Components
COSO ERM component → corresponding ISO 31000 framework component (ISO 31000 process step in parentheses)
• Governance and culture → Leadership and commitment (process: communication and consultation)
• Strategy and objective setting → Integration; Design (process: scope, context, criteria)
• Performance → Implementation
  – Identifies risk (process: risk identification)
  – Assesses severity of risk (process: risk analysis)
  – Prioritizes risks (process: risk evaluation)
  – Implements risk responses (process: risk treatment)
  – Develops portfolio view
  In ISO 31000, risk identification, risk analysis, and risk evaluation together make up risk assessment.
• Review and revision → Evaluation; Improvement (process: monitoring and review)
• Information, communication, and reporting → (process: communication and consultation; recording and reporting)
v6.0 Part 1, Section V, Topic F V-76
The Turnbull Guidance*
• Promotes a risk-based approach to internal control and the assessment of its effectiveness
• Linked to London Stock Exchange disclosure requirements
• Key tenets:
  – Focus on significant risks
  – Emphasis on risk management
  – Ongoing, continuous monitoring of risk and control
  – Engaging all employees
  – Streamlining risk management databases
* Originally “Internal Control: Guidance for Directors on the Combined Code” (1999, revised 2005); superseded in 2014 by the FRC’s “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting”
v6.0 Part 1, Section V, Topic F V-77
Discussion Question
What are the risk/control implications of an organizational structure on these areas?
Possible answers:
1. Development of goals and objectives: Everyone must understand the objectives related to their area.
2. Risk response: Should be an iterative process that includes entity, departments, functions.
3. Review and revision: Assurance of risk effectiveness involves ongoing monitoring, separate evaluations.
4. Information, communication, reporting: Everyone must receive the information they need in a timely manner.
v6.0 Part 1, Section V, Topic G V-79
Risk Identification: What Drives Risks
Key Risk Identification Management Actions:
• Identify potential factors that could affect ability to achieve strategy and business objectives.
• Determine if potential events are opportunities or threats.

External factors: economic, environmental, political, social, legal, technological
Internal factors: infrastructure, personnel, process, technological
v6.0 Part 1, Section V, Topic G V-80
Risk Identification Techniques
Technique: Description
• Event inventories: Detailed listings of common potential events
• Internal analysis: Detailed analysis of information
• Escalation or threshold triggers: Triggers alert management to issues; compare current transactions or events to predefined criteria
• Facilitated workshops and interviews: Facilitator-led structured discussions to draw on collective knowledge and experience
• Process flow analysis: Inputs, tasks, and responsibilities in a process
• Leading key indicators: Monitor measures to identify changes to existing risks
• Loss event data methodologies: Examine past individual loss events to identify trends and root causes
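The two techniques in the table that lend themselves to automation, escalation/threshold triggers and leading key indicators, are shown below as an added Python example; it is not code from the course material. The transactions, the daily series, and the policy criteria (single-approval limit, self-approval, new vendor) are constructed for illustration, and the baseline window and z-score cut-off are assumed values a practitioner would tune.

```python
"""Added example: escalation/threshold triggers and a leading key indicator
check, run over constructed sample data (not from the course material)."""
from statistics import mean, pstdev

# Constructed transactions. The criteria below are hypothetical policy values.
SAMPLE_TRANSACTIONS = [
    {"id": "T1", "amount": 4_000, "preparer": "clerk1", "approver": "mgr1", "new_vendor": False},
    {"id": "T2", "amount": 60_000, "preparer": "clerk1", "approver": "mgr1", "new_vendor": False},
    {"id": "T3", "amount": 9_500, "preparer": "clerk2", "approver": "clerk2", "new_vendor": True},
]

# Escalation/threshold triggers: each rule compares a transaction with a
# predefined criterion and names the issue to escalate to management.
SINGLE_APPROVAL_LIMIT = 50_000  # hypothetical policy limit
THRESHOLD_RULES = [
    ("amount exceeds single-approval limit", lambda t: t["amount"] > SINGLE_APPROVAL_LIMIT),
    ("preparer approved own transaction", lambda t: t["preparer"] == t["approver"]),
    ("payment to newly created vendor", lambda t: t["new_vendor"]),
]


def threshold_triggers(transactions, rules=THRESHOLD_RULES):
    """Return {transaction id: [names of rules breached]}; transactions that
    breach no rule are omitted."""
    escalations = {}
    for tx in transactions:
        breached = [name for name, predicate in rules if predicate(tx)]
        if breached:
            escalations[tx["id"]] = breached
    return escalations


# Constructed daily counts of a monitored measure per unit (for example,
# failed payment authorizations). unit-A spikes on the last day.
SAMPLE_SERIES = {
    "unit-A": [4, 5, 3, 6, 4, 5, 4, 5, 3, 4, 5, 4, 21],
    "unit-B": [2, 3, 2, 2, 3, 2, 3, 2, 2, 3, 2, 3, 2],
}


def leading_indicator_alerts(series, baseline_days=10, z_threshold=3.0):
    """Leading key indicator: compare the latest observation with a trailing
    baseline and flag units whose latest value departs from the baseline mean
    by more than z_threshold population standard deviations. A flat baseline
    (zero deviation) is flagged on any change at all. Returns {unit: z}."""
    alerts = {}
    for unit, values in series.items():
        if len(values) < baseline_days + 1:
            continue  # not enough history to form a baseline
        baseline, latest = values[-(baseline_days + 1):-1], values[-1]
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma == 0:
            z = float("inf") if latest != mu else 0.0
        else:
            z = (latest - mu) / sigma
        if abs(z) > z_threshold:
            alerts[unit] = round(z, 2)
    return alerts


if __name__ == "__main__":
    for tx_id, issues in threshold_triggers(SAMPLE_TRANSACTIONS).items():
        print(f"escalate {tx_id}: {', '.join(issues)}")
    for unit, z in leading_indicator_alerts(SAMPLE_SERIES).items():
        print(f"indicator moved for {unit}: z = {z}")
```

Threshold rules are deliberately data-driven so that management can add a criterion without touching the evaluation loop; the indicator check compares against a trailing window rather than a fixed number, which is what makes it a leading rather than a lagging measure.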
v6.0 Part 1, Section V, Topic G V-81
Discussion Question
Identify the event identification technique.
Answers:
1. A meeting of cross-functional managers to relate events to unit objectives: Facilitated workshop
2. Mapping of cash receipts to identify risks related to timely deposits: Process flow analysis
3. Monitoring daily, weekly, and monthly Internet site traffic: Leading key indicators
4. Tracking manufacturing equipment failures: Loss event data methodologies
v6.0 Part 1, Section V, Topic G V-83
Practice Question
Which is an internal audit activity role in an organization lacking an organization-wide macro risk assessment process?
A. They can facilitate or support risk management processes.
B. They should assume responsibility for the risks identified.
C. They should rely only on quantitative techniques to identify and evaluate risks.
D. They cannot proceed without a formal process.
Answer: A. Organizations typically use a combination of qualitative and quantitative techniques. In some cases, it may be necessary to proceed without a formalized risk management framework or assessment.
v6.0 Part 1, Section V, Topic G V-85
Quantitative Risk Assessment
• Benchmarking (examples: internal, competitive/industry, best-in-class)
  – Compares performance measures and results for specific events or processes.
  – Identifies improvement opportunities.
  – Likelihood/impact of potential events in industry.
• Probabilistic models (examples: value at risk (VaR), cash flow at risk, earnings at risk, loss distributions, back-testing)
  – Associate a range of events and the resulting impact with likelihood based on assumptions.
  – Likelihood and impact are assessed based on historical data or simulated outcomes of future behavior.
• Non-probabilistic models (examples: sensitivity analysis, scenario analysis, stress tests)
  – Use subjective assumptions in estimating event impact without quantifying associated likelihood.
  – Base assessments on historical or simulated data and assumptions of future behavior.
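The distinction between the two model families above is easiest to see side by side. The following is an added Python example, not code from the course material: a probabilistic loss-distribution model (simulated annual loss, value at risk) beside a non-probabilistic scenario and sensitivity model. The frequency and severity parameters, the breach-cost inputs, and the scenario names are all hypothetical.

```python
"""Added example: a probabilistic loss-distribution model (simulated annual
loss, value at risk) beside a non-probabilistic scenario/sensitivity model,
using constructed parameters (not from the course material)."""
import math
import random


def poisson_sample(rng, lam):
    """Draw an event count from a Poisson(lam) distribution (Knuth's method,
    adequate for the small rates used here)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(events_per_year, median_severity, severity_sigma,
                           years=20_000, seed=1):
    """Probabilistic model: event frequency ~ Poisson, event severity ~
    lognormal (median_severity, severity_sigma). Returns the simulated total
    loss for each year; the list is the loss distribution."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu = math.log(median_severity)
    losses = []
    for _ in range(years):
        n_events = poisson_sample(rng, events_per_year)
        losses.append(sum(rng.lognormvariate(mu, severity_sigma) for _ in range(n_events)))
    return losses


def quantile(values, q):
    """Nearest-rank empirical quantile, 0 < q <= 1."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]


def loss_summary(losses):
    """Expected annual loss plus value at risk at 95% and 99%: the loss that
    is exceeded in only 5% (1%) of simulated years."""
    return {
        "expected_loss": sum(losses) / len(losses),
        "var95": quantile(losses, 0.95),
        "var99": quantile(losses, 0.99),
    }


# Non-probabilistic model: impact is recomputed under named scenarios without
# attaching a likelihood to any of them. Inputs are hypothetical.
BASE_INPUTS = {"records_exposed": 50_000, "cost_per_record": 150,
               "downtime_hours": 8, "revenue_per_hour": 20_000}
SCENARIOS = {
    "baseline": {},
    "regulator raises cost per record 50%": {"cost_per_record": 225},
    "stress: whole database, 72 h outage": {"records_exposed": 500_000, "downtime_hours": 72},
}


def impact(inputs):
    """Impact of one breach scenario in currency units."""
    return (inputs["records_exposed"] * inputs["cost_per_record"]
            + inputs["downtime_hours"] * inputs["revenue_per_hour"])


def scenario_impacts(base=BASE_INPUTS, scenarios=SCENARIOS):
    """Scenario analysis: impact per scenario, no likelihood attached."""
    return {name: impact({**base, **overrides}) for name, overrides in scenarios.items()}


def sensitivity(base=BASE_INPUTS, shock=0.10):
    """Sensitivity analysis: change in impact when each input alone rises by
    `shock` (10% by default), rounded to whole currency units."""
    base_impact = impact(base)
    return {key: round(impact({**base, key: value * (1 + shock)}) - base_impact)
            for key, value in base.items()}


if __name__ == "__main__":
    summary = loss_summary(simulate_annual_losses(2.0, 20_000, 1.0))
    print({k: round(v) for k, v in summary.items()})
    print(scenario_impacts())
    print(sensitivity())
```

The probabilistic half answers "how much could we lose in a bad year, and how often"; the non-probabilistic half answers "what would it cost if this specific thing happened" and "which input moves the answer most", which is what a stress test or sensitivity table reports without ever stating a probability.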
v6.0 Part 1, Section V, Topic G V-86
Risk Assessment Pitfalls
• Limiting risk assessments to financial hazards
• Blindly selecting risks from a generic risk
framework
• Internal auditors developing risks in a vacuum
• Identifying too many risks
• Overcomplicating risk quantification

v6.0 Part 1, Section V, Topic G V-87
Risk Responses
• Accept: No action is taken to affect likelihood or impact. Example: Accepting risk that conforms to risk tolerances.
• Avoid: Action taken to exit the activities giving rise to risk. Example: Exiting a product line or selling a division.
• Pursue: Action taken to increase risk to get improved performance. Example: Developing new products and services.
• Reduce: Action taken to reduce the risk likelihood or impact or both. Example: Diversifying product offerings or reallocating funds.
• Share: Action taken to reduce likelihood/impact by transferring risk. Example: Joint ventures/partnerships, purchasing insurance.
v6.0 Part 1, Section V, Topic G V-88
Practice Question
Inherent risk is BEST described as the risk
A. remaining after management’s risk response.
B. that management finds to be acceptable within the entity’s risk tolerance.
C. derived from the environment without the mitigating effects of internal controls.
D. having the lowest likelihood and potential impact.
Answer: C. Inherent risk is the risk derived from the environment, strategy, tactics, and operations without the mitigating effects of internal controls. Option A describes residual risk.
v6.0 Part 1, Section V, Topic G V-90
Risk Monitoring
• Takes into account that ERM processes change over time.
• Management can determine if ERM remains effective.

Ongoing monitoring
• Many activities have built-in provisions for self-monitoring.
• Often performed on a real-time basis during the regular course of business.
Separate evaluations
• Focus directly on ERM effectiveness.
• Often conducted as self-assessments.
• Necessity is the judgment of management.
Reporting deficiencies
• Deficiencies/improvement areas identified by ongoing monitoring, separate evaluations, and audit results.
v6.0 Part 1, Section V, Topic G V-91
Practice Question
What is the internal audit activity’s role when ongoing monitoring identifies an ERM deficiency?
A. Report the information to the board if it involves an illegal or improper act.
B. Educate the individual or group responsible about the purpose of ERM and internal control.
C. Assess if the deficiency will impact achievement of business objectives.
D. Follow up with management and check on their response and/or corrective action.

Answer: D. Internal auditors should determine that corrective action is achieving desired results or that senior management or the board has assumed the risk of not taking corrective action.
v6.0 Part 1, Section V, Topic H V-93
Internal Audit Activity’s Role in ERM
A continuum that ranges from:
• No role, to
• Auditing ERM process as part of internal audit plan, to
• Providing insight and historical data on risk events identified by internal audit findings, to
• Consulting on establishment or improvement of risk management processes.
Continuum: No role → Process assurance → Value-added findings → Consulting
v6.0 Part 1, Section V, Topic H V-94
Internal Audit Activity’s Role in ERM
Assurance roles: provide assurance on:
• Risk management processes (e.g., their design and how well they are working).
• Management of key risks, including the effectiveness of the controls and other activities.
• The assessment of risks and reporting of risk and control status.
v6.0 Part 1, Section V, Topic H V-95
Internal Audit Activity’s Role in ERM
Consulting roles: possibilities include:
• Educating management about risk and control.
• Promoting ERM in the organization.
• Providing advice, facilitating workshops, and training on risk and control.
• Acting as the central point for coordinating, monitoring, and reporting on risks.
• Supporting related management activity.
v6.0 Part 1, Section V, Topic H V-96
Auditing Risk Management Process: ISO 31000 Approaches
Process elements:
• Communication and consultation
• Scope, context, criteria
• Risk identification
• Risk analysis
• Risk evaluation
• Risk treatment
• Monitor and review
• Record and report
Key principles:
• Creates, protects value
• Integral to activities
• Structured, comprehensive
• Customized
• Transparent, auditable, inclusive
• Uncertainty handling
• Best information
• Culture, staff behavior
• Iterative cycle
Maturity model:
• Value brought by risk management process
• Gradual evolution toward effective treatment
• Growth against evolving objectives
• Where ERM process is on maturity curve
v6.0 Part 1, Section V, Topic H V-97
Assessing ERM Maturity (figure not reproduced in this extract)
v6.0 Part 1, Section V, Topic H V-98
Gathering Evidence (Implementation Guide 2120)
• Research internal and external events/trends.
• Review strategic plans and policies and talk to board and senior management about alignment.
• Review prior risk assessments from many sources for unremediated risks.
• Interview mid-level management on alignment at business unit level.
• Evaluate mitigation, monitoring, and communication effectiveness.
• Assess risk monitoring reporting lines.
• Review reporting adequacy and timeliness.
• Review risk analysis and response completeness.
• Review, observe, and directly test management’s self-assessment process.
• Discuss ERM weaknesses with senior management and board.
• Conduct risk assessment and independently perform gap analysis.
v6.0 Part 1, Section V, Topic H V-99
Practice Question
Which correctly describes management’s acceptance of risk?
A. The CAE must discuss unacceptable residual risk levels with the board even if management resolves the issue.
B. The CAE is responsible for deciding appropriate actions to be taken in response to reported engagement observations and recommendations.
C. Management is responsible for assessing board action on timely resolution of reported engagement observations and recommendations.
D. Senior management and the board may decide not to correct a reported condition because of cost or other considerations.

Answer: D. See Performance Standard 2600 and Implementation Guide 2600. Under Standard 2600, when the CAE concludes that management has accepted a level of risk that may be unacceptable to the organization, the CAE discusses the matter with senior management and communicates it to the board only if it remains unresolved, which is why A is incorrect.
v6.0 Part 1, Section V, Topic H V-101
What Is Internal Control?
Control: “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved”
Control environment: Provides discipline and structure for achievement of primary objectives of the system of internal control
Internal control:
• Ongoing process effected by people at all organizational levels
• Management and board receive reasonable, not absolute, assurance
• Transcends policy and is geared toward achieving organizational objectives
• Flexible and adaptable to organization’s structure
v6.0 Part 1, Section V, Topic I V-102
Controls
Entity-level controls
• Apply to entire organization
• To ensure that organizational objectives are achieved
• Mitigate risks that threaten entire organization
• Governance and management oversight controls
Process-level controls
• Established by process owner
• To ensure that process objectives are achieved
• Address process-level risks
Transaction-level controls
• Specific to individual transactions
• To ensure that transaction objectives are achieved
• Address transaction-specific risks
v6.0 Part 1, Section V, Topic I V-103
Key Controls vs. Secondary Controls
Key controls: “Controls that must operate effectively to reduce a significant risk to an acceptable level”
Secondary controls: “Controls that help the process run smoothly but are not essential”
v6.0 Part 1, Section V, Topic I V-104
Controls by Function
• Preventive: Deter undesirable events from occurring. Example: Reward based on KPI
• Detective: Detect undesirable events that have occurred. Examples: Reconciliations, exceptions
• Corrective: Correction of errors/irregularities. Examples: Audit trails, backup process
• Directive: Cause/encourage desirable event. Examples: Guidelines, incentives
• Mitigating: Reduce potential impact of event. Example: Insurance
• Compensating: Compensate for lack of expected control. Example: Supervision in lieu of segregation of duties
• Redundant: Extra control objective/secondary control. Example: Spillover pool
v6.0 Part 1, Section V, Topic I V-105
Active vs. Passive Controls
Active control (manual): A task that prevents or detects a deviation from the approved procedure. It works by some type of conscious intervention. Example: Manager’s review of a transaction
Passive control (automated): A task that operates without human intervention. It works by just being there. Example: Thermostat set to maintain the temperature of a room
v6.0 Part 1, Section V, Topic I V-106
Discussion Question
Identify these internal controls as “hard” or “soft.”
Answers:
1. Senior management’s commitment to social responsibility: Soft
2. Centralized decision making and a formal approval process: Hard
3. A consistent customer focus that all employees understand and feel passionate about: Soft
4. Six Sigma continuous improvement methodology: Hard
v6.0 Part 1, Section V, Topic I V-108
IT Controls
IT general controls
• Entity-level general IT process controls
  – Change management
  – Deployment
  – Access security
  – Operations
• Apply to most information systems in general
Application or technical controls
• Process- or transaction-level controls
• Usually specific to a given application
  – Input controls
  – Processing controls
  – Output controls
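Input, processing and output controls are easiest to understand as code, and the same example also shows the preventive and detective functions from the Controls by Function slide. The following is an added Python example, not code from the course material: a payment batch whose header carries the sending system's control totals, with an input control that validates each record and reconciles to the header, a processing control that carries a run-to-run total, and an output control that reconciles the output and records a digest for the audit trail. The batch, the account format rule, and the header layout are constructed for illustration.

```python
"""Added example: input, processing and output controls over a constructed
payment batch (not from the course material). The batch header carries the
sender's control totals; each stage reconciles to them."""
import hashlib
import json
from decimal import Decimal, InvalidOperation


class ControlFailure(Exception):
    """Raised when an application control detects a problem."""


# Constructed batch. The header's totals were computed by the sending system.
BATCH_HEADER = {"batch_id": "PAY-0001", "record_count": 3, "amount_total": "1750.00"}
BATCH_RECORDS = [
    {"ref": "P-1", "account": "GB12ABCD12345678901234", "amount": "500.00"},
    {"ref": "P-2", "account": "GB12ABCD12345678901234", "amount": "1000.00"},
    {"ref": "P-3", "account": "GB12ABCD12345678901299", "amount": "250.00"},
]


def validate_record(rec):
    """Input control (preventive): reject a malformed record before it is
    processed. Returns the amount as a Decimal."""
    try:
        amount = Decimal(str(rec["amount"]))
    except (InvalidOperation, KeyError, ValueError):
        raise ControlFailure(f"{rec.get('ref')}: amount missing or not numeric")
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        raise ControlFailure(f"{rec['ref']}: amount must be positive with at most 2 decimals")
    account = rec.get("account", "")
    # Hypothetical account format: 2 letters followed by 20 alphanumerics.
    if len(account) != 22 or not account[:2].isalpha() or not account[2:].isalnum():
        raise ControlFailure(f"{rec['ref']}: malformed account identifier")
    return amount


def input_control(header, records):
    """Input control (detective): reconcile record count and hash total of
    amounts to the batch header so dropped, duplicated or altered records are
    caught before posting."""
    amounts = [validate_record(r) for r in records]
    if len(amounts) != header["record_count"]:
        raise ControlFailure(f"record count {len(amounts)} != header {header['record_count']}")
    if sum(amounts, Decimal("0")) != Decimal(header["amount_total"]):
        raise ControlFailure("amount hash total does not match header")
    return amounts


def process_batch(records, amounts):
    """Processing control: a run-to-run total is carried alongside the work
    so that a step that silently drops or alters a record is detectable."""
    posted, running_total = [], Decimal("0")
    for rec, amount in zip(records, amounts):
        posted.append({"ref": rec["ref"], "account": rec["account"], "amount": amount})
        running_total += amount
    return posted, running_total


def output_control(header, posted, running_total):
    """Output control (detective): the output count and total must agree with
    both the header and the processing run-to-run total; a digest of the
    output is returned for the audit trail."""
    out_total = sum((p["amount"] for p in posted), Decimal("0"))
    if (len(posted) != header["record_count"] or out_total != running_total
            or out_total != Decimal(header["amount_total"])):
        raise ControlFailure("output does not reconcile to input control totals")
    payload = json.dumps([(p["ref"], p["account"], str(p["amount"])) for p in posted])
    return {"count": len(posted), "total": str(out_total),
            "digest": hashlib.sha256(payload.encode()).hexdigest()}


def run_batch(header, records):
    """Run the three control points in order and return the output summary."""
    amounts = input_control(header, records)
    posted, running_total = process_batch(records, amounts)
    return output_control(header, posted, running_total)


def batch_outcome(header, records):
    """(ok, summary_or_reason): wrapper that turns a control failure into a
    result instead of an exception, for callers that log and continue."""
    try:
        return True, run_batch(header, records)
    except ControlFailure as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(batch_outcome(BATCH_HEADER, BATCH_RECORDS))
    tampered = [dict(r, amount="2500.00") if r["ref"] == "P-3" else r for r in BATCH_RECORDS]
    print(batch_outcome(BATCH_HEADER, tampered))        # hash total mismatch
    print(batch_outcome(BATCH_HEADER, BATCH_RECORDS[:2]))  # dropped record
```

Amounts are handled as Decimal rather than float so that the hash total reconciles exactly; a float sum can differ from the header by rounding error and produce either false alarms or, worse, a tolerance window that an altered record can hide inside.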
v6.0 Part 1, Section V, Topic I V-109
Benefits, Limitations of Internal Control
Internal control can help:
• Reach performance and profitability targets.
• Prevent loss of resources.
• Support reliable financial reporting.
• Support compliance with laws, regulations, and policies/procedures.
Internal control cannot:
• Ensure organizational success or even survival.
• Ensure the reliability of financial reporting.
• Ensure absolute compliance with laws, regulations, and policies/procedures.
v6.0 Part 1, Section V, Topic I V-110
Internal Controls: Key Elements
• Tangible: policies, procedures, activities
• Less tangible: behavioral aspects (ethical values)
Both are designed by management.
Goals are to:
• Contain risks within risk tolerances.
• Help achieve business objectives at the lowest costs.
v6.0 Part 1, Section V, Topic J V-111
Internal Control Frameworks
Model: developed by
• COSO’s Internal Control – Integrated Framework: Committee of Sponsoring Organizations of the Treadway Commission
• Cadbury model: Institute of Chartered Accountants in England and Wales (ICAEW)
• Criteria of Control (CoCo) model: CPA Canada
• King Report on Corporate Governance: South Africa’s King Committee on Corporate Governance
• COBIT 5: ISACA
• Basel III standards: Basel Committee on Banking Supervision (BCBS)
v6.0 Part 1, Section V, Topic J V-112
COSO’s Internal Control—Integrated Framework
The three dimensions of the COSO cube:
• Control objectives (operations, reporting, compliance)
• 5 interrelated components
• Organizational levels of responsibility
v6.0 Part 1, Section V, Topic J V-113
COSO’s 17 Principles of Internal Control
Control environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information and communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
v6.0 Part 1, Section V, Topic J V-114
Practice Question
Which statement about the COSO internal control framework is true?
A. The framework is best applied in manufacturing and service industries.
B. All five components are applicable to the achievement of each of the objectives.
C. The synergy and linkage among the objectives form the integrated framework.
D. The audit committee has overall responsibility for the establishment, administration, and assessment of the framework.

Answer: B. Synergy and linkage between the control components, not the objectives, form the integrated framework. Management, not the audit committee, establishes the framework. The framework is intended for entities of any industry and size.
v6.0 Part 1, Section V, Topic J V-116
Alternative Control Frameworks
The Cadbury model
• Board responsible for full internal control spectrum
• Components
  – Control environment
  – Identification and evaluation of risks and control objectives
  – Information and communication
  – Control procedures
  – Monitoring and corrective action
Criteria of Control (CoCo)
• Control: resources, systems, processes, culture, structure and tasks, taken together, support achieving objectives
• Components
  – Purpose
  – Commitment
  – Capability
  – Monitoring and learning
v6.0 Part 1, Section V, Topic J V-117
King Report on Corporate Governance
• Governance requires integrated approach
• Code of Corporate Practices and Conduct
  – Discipline
  – Transparency
  – Independence
  – Accountability
  – Responsibility
  – Fairness
  – Social responsibility
• Ethical foundation for effective leadership
  – Innovation, fairness, and collaboration for sustainability
  – Risk-based auditing
  – Principle- and outcomes-based (not rules-based)
  – Focus on transparency, disclosures
v6.0 Part 1, Section V, Topic J V-118
COBIT 5 Framework
The 7 enablers:
• Principles, policies, and frameworks
• Processes
• Organizational structures
• Culture, ethics, and behavior
• Information
• Services, infrastructure, and applications
• People, skills, and competencies
v6.0 Part 1, Section V, Topic J V-119
COBIT 5 Framework’s 5 Key Principles
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
v6.0 Part 1, Section V, Topic J V-120
Basel III Standards (Banking Sector)
• Voluntary banking reform
• Minimum capital requirements
• Absorb shocks
• Improve risk management and governance
• Strengthen transparency and disclosures
• Three pillars
  1. Calculations of regulatory capital requirements for credit, market, and operational risk
  2. Capital adequacy review process and risk/response process
  3. Disclosure requirements on capital and risk management
v6.0 Part 1, Section V, Topic J V-121
The Control Loop
1. Objective → 2. Standard → 3. Findings → 4. Corrective action → back to 1. Objective
v6.0 Part 1, Section V, Topic K V-122
Practice Question
Which characterizes effective systems of internal control?
A. Symptom identification/correction
B. Timely identification of deviations
C. Alignment to audit objectives
D. Qualitative standards for controls
Answer: B. Effective systems identify and correct root causes, not symptoms. Alignment is to organizational strategic objectives, not audit objectives. If possible, standards should be quantitative, for example, five days rather than “a reasonable time interval.”
v6.0 Part 1, Section V, Topic K V-124
Discussion Question
Identify the area/individual responsible for the internal control task.
Answers:
1. Design, apply, and provide ongoing monitoring of control processes: Operational managers
2. Oversee evaluation of internal control system, including IT security and control: Audit committee
3. Provide varying degrees of assurance about the effectiveness of risk management and control processes: Internal and external auditors
4. Develop an annual audit plan: CAE
v6.0 Part 1, Section V, Topic K V-126
Control Self-Assessment (CSA)
What it is: A variety of assessment techniques performed by people involved in an area or process.
How it is done: Management and/or work teams directly responsible for a business function:
• Participate in the assessment.
• Evaluate risk.
• Develop action plans.
• Assess the likelihood of achieving objectives.
Benefits to be gained:
• Valuable information on internal control
• A positive influence on the control environment
v6.0 Part 1, Section V, Topic K V-127
Practice Question
A large company and a small company in the same industry both face new regulations. Which statement is true?
A. Basic concepts to deal with this internal control component should be present in both organizations.
B. The larger organization will be better attuned to risks, since its top-down philosophy can disregard tactics used.
C. The smaller organization will be more nimble in its response because of less need for soft controls.
D. Both can implement identical controls as long as their objectives and strategies are similar.
Answer: A. Regardless of size, basic concepts should be present in both. Specific control measures will vary.
v6.0 Part 1, Section V, Topic K V-129
End of Section V

Questions?
v6.0 Part 1, Section V V-130