Section V: Governance, Risk Management, and Control
• Topic A: Organizational Governance
• Topic B: The Impact of Organizational Culture on the Overall Control Environment and Individual Engagement Risks and Controls
• Topic C: Ethics and Compliance Issues and Violations
• Topic D: Corporate Social Responsibility
• Topic E: Risk Management Fundamentals
• Topic F: Globally Accepted Risk Management Frameworks
• Topic G: The Effectiveness of Risk Management
• Topic H: The Internal Audit Activity’s Role in the Risk Management Process
• Topic I: Types of Controls and Management Control Techniques
• Topic J: Internal Control Frameworks
• Topic K: The Effectiveness and Efficiency of Internal Controls
www.LearnCIA.com
v6.0 Part 1, Section V V-2
Broadened Scope of Internal Audit
Performance Standard 2100,
“Nature of Work”
Complementary COSO Frameworks
COSO ERM: Integrating with Strategy and Performance
• Framework to ensure that ERM starts with strategy, is embedded in organization
• 20 principles in 5 components:
– Governance and culture
– Strategy and objective setting
– Performance
– Review and revision
– Information, communication, and reporting
COSO Internal Control—Integrated Framework
• Three objectives categories: operations, reporting, compliance
• 17 principles in 5 integrated components:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring activities

What Is Governance?
Fundamental Governance Concepts
“Combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”
• Starts at the top and cascades down
• Critical relationships among the board, senior management, and shareholders
• Encompasses organizational structure and related legal and regulatory environment
• Balances economic and social goals
• Extends to all stakeholders, including all employees and external parties such as suppliers, the community

Common Initiatives in Governance
Practice Question
Which is a principle of effective governance?
A. Balance direct and indirect costs versus the benefits of risk responses.
B. Establish a governing policy for the operation of key activities of the organization.
C. Ensure that management is not involved in oversight so strong internal controls can be objective.
D. Analyze critical success factors from an industry and entity perspective.

Discussion Question
Identify who is responsible for the following governance activities.
Answers:
1. Deploys strategies aligned to organizational objectives and goals: operations management
2. Oversees organizational activities but does not have managerial responsibilities: board
3. Provides assurance on external financial reporting activities: external auditor
4. Provides advice on potential improvements to governance structures and processes: internal auditor

Governance and Organizational Maturity
Less maturity. Internal audit:
• Performs discrete audits.
• Advises regarding optimal structure and practices.
• Compares governance practices against regulations and other compliance requirements.
More maturity. Internal audit reviews:
• Efficiency and effectiveness of company-wide governance components.
• Transparency and disclosure (reporting) practices.
• Governance best practices.
• Compliance with applicable regulations and governance codes.

Internal Audit Assurance Activities to Promote Corporate Values
Self-Assessment Methods. Evaluate:
• Employees’ understanding of organizational values.
• Alignment of individual goals and objectives to corporate values.
• Whether employees uphold values.
• Whether employees perceive others as exemplifying those values.
Audit Programs
• Assess various activities to ensure that values are understood and upheld.
• For example:
– Diversity goals
– Internal ethics function effectiveness

Control Environment
• Importance of control
• Discipline and structure
• Background against which controls operate:
– Leadership
– Integrity and ethics
– Ethics
– Philosophy and operating style
– Values and beliefs
– Organizational structure
– Authority and responsibility
– HR policies/practices
– Competence of staff

Culture and Governance
• Organization must ensure:
– Compliance with laws and regulations.
– Satisfaction of generally accepted business norms, ethics, and social expectations.
– Overall benefit to society and to stakeholders.
– Full and truthful reporting transparency.
• Culture impacts values, roles, and behavior that will be articulated and tolerated.
• Effectiveness of governance process largely depends on organization’s culture.

Culture Impact on Engagement Risks/Controls
• Culture influences staff autonomy, hierarchical interactions, rule/policy explicitness, and rewards.
• Risk universe
– If formal functional area authority, define by functional area.
– If more cross-functional, define by business process.
• Culture can impact quality (completeness, bias) of ERM as audit planning input.
• If few formal controls, get the most important in writing; if many formal controls, ensure that the most important get emphasis.
• Educate to change a culture that, for example, downplays the need for corrective action.

Compliance Frameworks
Compliance: Act of adhering to, and ability to demonstrate adherence to, mandated requirements (laws and regulations) and voluntary requirements (contract obligations and policies).
Examples:
• ISO 19600, “Compliance management systems” (uses plan-do-check-act methodology to be comprehensive and improve)
• U.S. Federal Sentencing Guidelines for Organizations (compliance principles)

Environmental and Social Compliance
• Organization must comply with laws and requirements of countries in which it operates.
• ISO 14001 standards
• Sample U.S. agencies:
– Environmental Protection Agency (EPA)
– Occupational Safety and Health Administration (OSHA)

Areas Providing Safeguards
Environmental health and safety (EH&S)
Facility management
Privacy management
Environmental Health and Safety (EH&S) Guideline Areas
• Environmental
• Occupational health and safety
• Community health and safety
• Construction and decommissioning
• Specific industry-sector guidelines
. . . achievable by new facilities using existing technologies at reasonable costs (IFC guidelines).

Supply Chains and Facilities
Supply Chain Management
Facility Management

Key U.S. Privacy Laws/Regulations
Legislation: Description
Financial Modernization Act (Gramm-Leach-Bliley): Protects consumer financial data held by financial institutions, including collection, disclosure, safeguards, and protection from “pretexting”
Health Insurance Portability and Accountability Act (HIPAA): Protects consumer health data, including medical record disclosure, electronic transmission, patient copies/corrections, and employer use in job interviews
Freedom of Information Act (FOIA): Allows citizen/noncitizen to request government information, with exceptions and related acts
Children’s Online Privacy Protection Act (COPPA): Parental control over child information collection/use, including need for consent, privacy policy

OECD Guidelines
Eight Core Principles:
• Collection limitation
• Data quality
• Purpose specification
• Use limitation
• Security safeguards
• Openness
• Individual participation
• Accountability

Internal Audit and Privacy Compliance
Consider:
• Privacy laws, regulations, and other standards.
• If information security and data protection controls exist and are reviewed for appropriateness.
• Level of maturity of privacy practices.
– Facilitate program development/implementation. (But taking responsibility for doing so impairs objectivity.)
– Evaluate needs and risk exposures.
– Assurance on effectiveness of privacy policies, practices, controls.

Practice Question
Which is a reasonable expectation for an internal auditor evaluating a privacy framework?
A. Identify types of information gathered without making judgments as to appropriateness.
B. Identify significant risks and make appropriate changes to the privacy program.
C. Evaluate whether information collected is in accordance with intended use.
D. Evaluate framework maturity and help make improvements to mitigate significant risks without using outside contractors.

Internal Audit Role in Governance and Ethics

How Internal Auditors Assess the Ethical Climate
• Completeness of ethics policies and codes
• How well personnel practices support an ethical climate
• Whether appropriate communications are occurring, understood, embraced
• If explicit strategies support and enhance the ethical culture
• Evaluating whistleblower processes
• If appropriate misconduct investigation and resolution processes exist, including reporting findings and corrective action
• Evaluating board oversight responsibilities and monitoring activities

Practice Question
A survey designed to assess the organizational ethical climate should include which characteristic?
A. Be kept secret from top management
B. Be field-tested
C. Ensure thoroughness of response such as avoiding use of Likert scales
D. Avoid providing space for open comments

Practice Question
A code of conduct related to conflicts of interest should include
A. a description of the expected behavior for employees, other corporate agents, and suppliers.
B. a discussion of industry best practices.
C. provisions for reporting alleged misconduct.
D. lists of what constitute plausible exceptions to the policy.

Assessing Ethical Climate of the Board
Assist in/make recommendations for improvement. Ensure that safeguards exist for auditor independence/objectivity.
Assessment Opportunities:
• Board structure, objectives, dynamics
• Board committee functions
• Board policy manual
• Processes for maintaining awareness of governance requirements
• Board education and training

Triple Bottom Line and Sustainability
Corporate Social Responsibility (CSR)
What Is CSR?
“The way firms integrate social, environmental, and economic concerns into their values, culture, decision making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth, and improve society.” (Practice Guide)

Corporate Social Responsibility (CSR)
Fundamental Concepts:
• It is a philosophy that must be championed from the top down.
• Change management is needed to ensure that objectives are reinforced and brought into the organization’s culture and incentive structures.
• Organizations set their own priorities.

Discussion Question
Which CSR stakeholders have the needs listed below?
Answers:
1. Safety, transparency and honesty, price optimization: customers
2. Fair pay, living wage, respect, support systems, safety and security: employees (and families)
3. Fair negotiations, relationships, contractual compliance: suppliers
4. Transparency, honesty, longevity, reputation, legal compliance, optimization of return, governance: shareholders

Risks Addressed by CSR
• Strategic
• Reputation
• Compliance
• Liability
• Operational
• Reporting
• Staffing
• Marketing
• Supply chain partner

Practice Question
The board resists the CAE’s advice to create a CSR policy and begin planning a CSR program, saying that the organization cannot fulfill its obligations to its shareholders and to society and the environment at the same time. How could the CAE best respond?
A. Creation of a policy and program may be delayed now but should be considered in the future.
B. Implementing a CSR policy should not require a significant investment of time or money.
C. Not having a CSR policy could pose significant risks to the organization.
D. Having a CSR policy is a matter of compliance.
Answer: C

CSR Process (cycle):
1. Determine priorities/objectives.
2. Set detailed CSR objectives, performance targets, implementation strategies.
3. Manage and measure against targets.
4. Analyze results.
5. Make recommendations.

CSR Frameworks and Reporting
CSR Frameworks
• ISO 26000:2010, “Social responsibility”
– Terms and characteristics
– Principles and practices
– Core issues and subjects
– Integrating and promoting
• Global Reporting Initiative
– Widely popular voluntary reporting framework and KPIs
CSR Reporting
• From required filings to brochures, web pages, and annual reports
• Qualify as socially responsible investment?
• Bad and good news?
• Internal audit assurance

Methods of Auditing CSR
• Element
• Stakeholder
• Common subject
• Internal control
• Risk-management-based priority

What Is Risk Management?
“A process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization’s objectives.”

What Is Enterprise Risk Management (ERM)?
“The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”
— COSO Enterprise Risk Management: Integrating with Strategy and Performance

Understanding Risk
• Risk begins with strategy formulation and objective setting.
• Risk represents a range of possibilities.
• Risk may be preventing bad things from happening or failing to ensure that good things happen.
• Risks are inherent in all aspects of life; risks associated with conducting business are considered business risks.

Key Risk Terminology
Acceptable risk: The business impact that would be experienced if certain risks became realized; loss is acceptable (no new controls).
Inherent risk: The risk derived from the environment without the mitigating effects of internal controls.
Risk appetite: The level of risk an organization is willing to accept.

Discussion Question
Standardized risk terminology provides a common language to use with the board, management, and others in all communications.

Risk Assessment Process
[Figure: process diagram beginning with Objectives]

Common Likelihood and Impact Factors
Likelihood Factors
• Probability estimates based on history or cycles
• Complexity of activities
• Change or stability (e.g., employee turnover or new laws)
• Control environment (e.g., integrity and ethics)
• Control process effectiveness
Impact Factors
• Materiality (e.g., dollar loss)
• Potential reputation or brand damage
• Importance of the related objective to the organization’s mission
• Velocity of occurrence, duration, and/or pervasiveness of the event
• Recovery costs

Risk Map for Likelihood and Impact
Four quadrants, with impact on the vertical axis (low to high) and likelihood on the horizontal axis (low to high):
• High impact / Low likelihood (upper left)
• High impact / High likelihood (upper right)
• Low impact / Low likelihood (lower left)
• Low impact / High likelihood (lower right)

Establishing a Framework for Assessing Risk
Performance Standard 2010, “Planning”: CAE “must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.”
Interpretation:
• CAE accounts for organization’s ERM framework and risk appetite per activity/area.
• If no framework, CAE uses judgment and gets senior management/board input.
• CAE reviews and adjusts plan for changes (business, risk, control, etc.).

Establishing a Framework for Assessing Risk
1. Determine audit universe.
2. Examine organizational risk factors.
3. Prioritize audits.
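The three steps above carried through in Python, as an added example that is not part of the course material: each unit in the audit universe is rated on the likelihood and impact factors listed earlier, placed on the likelihood/impact risk map, and ranked against a risk appetite. The factor weights, the 1-to-5 rating scale, the map midpoint, and the sample units are assumptions of this example.

```python
"""Risk-based audit plan prioritization (added illustrative example, not course material).

Rates each auditable unit on the likelihood and impact factors named on the course
slides, places it on the likelihood/impact risk map, and ranks the audit universe
against an assumed risk appetite. Weights, the 1-5 scale and sample units are constructed.
"""
from dataclasses import dataclass

# Factor keys follow the slide "Common Likelihood and Impact Factors".
# The weights are an assumption of this example; each set sums to 1.0.
LIKELIHOOD_WEIGHTS = {
    "history": 0.30,                # probability estimates from history or cycles
    "complexity": 0.20,             # complexity of activities
    "change": 0.20,                 # change or stability (turnover, new laws)
    "control_environment": 0.15,    # 5 = weak integrity/ethics climate
    "control_effectiveness": 0.15,  # 5 = weak control process, raising likelihood
}
IMPACT_WEIGHTS = {
    "materiality": 0.30,            # e.g., dollar loss
    "reputation": 0.25,             # potential reputation or brand damage
    "objective_importance": 0.20,   # importance of the objective to the mission
    "velocity": 0.15,               # velocity, duration, pervasiveness of the event
    "recovery_cost": 0.10,          # recovery costs
}
RATING_MIN, RATING_MAX = 1, 5
MAP_MIDPOINT = 3.0  # assumed boundary between "Low" and "High" on the risk map


@dataclass(frozen=True)
class AuditableUnit:
    """One entry of the audit universe with its factor ratings (1 = low, 5 = high)."""
    name: str
    likelihood: dict
    impact: dict


def weighted_score(ratings: dict, weights: dict) -> float:
    """Weighted average of factor ratings, kept on the 1-5 scale; rejects
    missing, unknown or out-of-range factors so a partially rated unit
    cannot silently sort to the bottom of the plan."""
    unknown = set(ratings) - set(weights)
    missing = set(weights) - set(ratings)
    if unknown or missing:
        raise ValueError(f"unknown factors {sorted(unknown)}, missing {sorted(missing)}")
    for factor, value in ratings.items():
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{factor} rating {value} outside {RATING_MIN}-{RATING_MAX}")
    return round(sum(weights[f] * ratings[f] for f in weights), 4)


def map_quadrant(likelihood: float, impact: float) -> str:
    """Place a unit in one of the four cells of the likelihood/impact risk map."""
    imp = "High impact" if impact >= MAP_MIDPOINT else "Low impact"
    lik = "High likelihood" if likelihood >= MAP_MIDPOINT else "Low likelihood"
    return f"{imp} / {lik}"


def prioritize(universe: list, risk_appetite: float) -> list:
    """Rank the audit universe by exposure (likelihood x impact), highest first.
    A unit whose exposure is within the risk appetite is flagged as accepted
    risk (no new controls), following the course's definition of acceptable risk."""
    ranked = []
    for unit in universe:
        lik = weighted_score(unit.likelihood, LIKELIHOOD_WEIGHTS)
        imp = weighted_score(unit.impact, IMPACT_WEIGHTS)
        exposure = round(lik * imp, 3)
        action = ("accept: within risk appetite" if exposure <= risk_appetite
                  else "schedule audit")
        ranked.append({"unit": unit.name, "likelihood": lik, "impact": imp,
                       "exposure": exposure, "quadrant": map_quadrant(lik, imp),
                       "action": action})
    return sorted(ranked, key=lambda row: row["exposure"], reverse=True)


# Constructed sample audit universe; the ratings are illustrative, not real data.
SAMPLE_UNIVERSE = [
    AuditableUnit("payroll",
                  {"history": 4, "complexity": 3, "change": 5, "control_environment": 2, "control_effectiveness": 4},
                  {"materiality": 5, "reputation": 3, "objective_importance": 4, "velocity": 2, "recovery_cost": 3}),
    AuditableUnit("data_center",
                  {"history": 2, "complexity": 4, "change": 3, "control_environment": 3, "control_effectiveness": 2},
                  {"materiality": 4, "reputation": 5, "objective_importance": 5, "velocity": 5, "recovery_cost": 4}),
    AuditableUnit("cafeteria",
                  {"history": 2, "complexity": 1, "change": 1, "control_environment": 2, "control_effectiveness": 2},
                  {"materiality": 1, "reputation": 2, "objective_importance": 1, "velocity": 1, "recovery_cost": 1}),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_UNIVERSE, risk_appetite=4.0):
        print(f"{row['unit']:<12} L={row['likelihood']:.2f} I={row['impact']:.2f} "
              f"exposure={row['exposure']:>6.2f}  {row['quadrant']:<30} {row['action']}")
```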
Practice Question
What is the most likely benefit of having the COSO ERM model in place at a company launching a new product?
A. Better knowledge of whether objectives are being achieved
B. Reduced losses from uncontrollable events
C. Increased compliance with laws and regulations
D. Absolute assurance of a positive reputation within the business community
Answer: A. An ERM framework cannot prevent bad management judgments or unforeseen events. It can, however, provide reasonable assurance that management and the board receive timely information about the achievement of objectives.

COSO’s ERM Framework
Enterprise Risk Management—Integrating with Strategy and Performance

COSO ERM Components
Governance and culture: Governance sets tone, reinforcing oversight over ERM. Culture pertains to ethics, behaviors, and risk insight.
Strategy and objective setting: Establish risk appetite aligned with strategy. Use business objectives to enact strategy; risk process basis.
Performance: Risks to achievement of strategy/objectives; severity in context of risk appetite; portfolio view.
Review, revision: How well ERM functions over time, given changes.
Information, communication, and reporting: Continually obtain and share internal and external information up, down, and across organization.

COSO’s ERM Framework: 20 Principles
Governance and culture
1. Exercises board risk oversight.
2. Establishes operating structures.
3. Defines desired culture.
4. Commits to core values.
5. Gets capable individuals.
Strategy/objective setting
6. Analyzes business context.
7. Defines risk appetite.
8. Evaluates alternatives.
9. Formulates objectives.
Performance
10. Identifies risk.
11. Assesses risk severity.
12. Prioritizes risk.
13. Implements responses.
14. Develops portfolio view.
Review, revision
15. Assesses substantial change.
16. Reviews risk and performance.
17. Improves ERM.
Information, communication, reporting
18. Leverages information and technology.
19. Communicates risk information.
20. Reports on risk, culture, performance.

Practice Question
According to the principles of COSO’s ERM framework, what should be done just before formulating business strategies?
A. Develop a portfolio view of various strategies.
B. Assess the severity of risk and set priorities.
C. Evaluate alternative strategies and their impact on the risk profile.
D. Define the desired elements in the culture.
Answer: C. Strategy and objective setting involves analyzing the business context, defining the risk appetite, evaluating alternative strategies, and then formulating business objectives.

COSO ERM Model
Roles and Responsibilities: The board
• Risk oversight of ERM culture, capabilities, and practices
• Know how well management has established effective ERM
• Awareness and agreement with risk appetite
• Risk portfolio review vs. risk appetite
• Being apprised of most significant risks and if management is responding well

COSO ERM Model
Roles and Responsibilities: Management
• Leads implementation of ERM.
• Chief executive officer sets “tone at the top.”
• Senior managers convert strategies into operations.
• Other managers provide tactical execution.
• Every manager is accountable to the next level up.

Three Lines of Defense
Governing body/board/audit committee
Senior management
1st line of defense: Operational management; management controls; internal control measures
2nd line of defense: Financial control; security; risk management; quality; inspection; compliance
3rd line of defense: Internal audit
External audit
Regulator

COSO ERM Model
Roles and Responsibilities: Risk officer
• Empowered by CEO.
• Provides central coordination across organization.
• Works with other managers to:
– Establish effective risk management practices.
– Monitor progress.
– Assist managers in reporting.
• May serve in an exclusive assignment or have partial responsibility.

COSO ERM Model
Roles and Responsibilities: Financial executives
Finance and controllership activities that are central to risk management execution:
• Budgeting and planning
• Tracking and analyzing performance
• Reporting

COSO ERM Model
Roles and Responsibilities: External parties
Several parties, including:
• External auditors.
• Legislators and regulators.
• Business associates.
• Out-sourcing providers.
• Financial analysts, bond rating agencies, and news media.

Discussion Question
Identify the individual or group responsible for the ERM activity.
Answers:
1. Reviewing operation of ERM in each business unit: risk officer

Practice Question
Which is true of ERM responsibilities?
A. The CEO guides development and performance of ERM processes across the organization and delegates to management.
B. Senior managers operate as the first line of defense by owning and managing risks.
C. The risk officer has major responsibility for the financial statements.
D. External auditors influence activities in relation to the entity’s risk appetite.

ISO 31000 Framework Components
ISO 31000 Implementation Phase
COSO ERM and ISO 31000 Components
COSO ERM Components: ISO 31000 Components
Governance and culture: Leadership and commitment (Process: communication and consultation)
Strategy and objective setting: Integration; Design (Process: scope, context, criteria)
Performance: Implementation
• Identifies risk (Process: risk identification)
• Assesses severity of risk (Process: risk assessment)
• Prioritizes risks (Process: risk analysis)
• Implements risk responses (Process: risk treatment)
• Develops portfolio view
Review and revision: Evaluation; Improvement (Process: monitoring and review)
Information, communication, reporting: (Process: communication and consultation; Process: recording and reporting)

The Turnbull Guidance*
• Promotes a risk-based approach to internal control and the assessment of its effectiveness
• Linked to London Stock Exchange disclosure requirements
• Key tenets:
– Focus on significant risks
– Emphasis on risk management
– Ongoing, continuous monitoring of risk and control
– Engaging all employees
– Streamlining risk management databases
* Short for “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting”

Discussion Question
What are the risk/control implications of an organizational structure on these areas?
1. Development of goals and objectives
2. Risk response
4. Information, communication, reporting
Possible answers:
1. Everyone must understand the objectives related to their area.

Risk Identification: What Drives Risks
Key Risk Identification Management Actions:
• Identify potential factors that could affect ability to achieve strategy and business objectives.
• Determine if potential events are opportunities or threats.

Risk Identification Techniques
Technique: Description
Event inventories: Detailed listings of common potential events
Internal analysis: Detailed analysis of information
Escalation or threshold triggers: Triggers alert management to issues; compare current transactions or events to predefined criteria
Facilitated workshops and interviews: Facilitator-led structured discussions to draw on collective knowledge and experience
Process flow analysis: Inputs, tasks, and responsibilities in a process
Leading key indicators: Monitor measures to identify changes to existing risks
Loss event data methodologies: Examine past individual loss events to identify trends and root causes

Discussion Question
Identify the event identification technique.
Answers:
1. A meeting of cross-functional managers to relate events to unit objectives: facilitated workshop
2. Mapping of cash receipts to identify risks related to timely deposits: process flow analysis
3. Monitoring daily, weekly, and monthly Internet site traffic: leading key indicators
4. Tracking manufacturing equipment failures: loss event data methodologies

Practice Question
Which is an internal audit activity role in an organization lacking an organization-wide macro risk assessment process?
A. They can facilitate or support risk management processes.
B. They should assume responsibility for the risks identified.
C. They should rely only on quantitative techniques to identify and evaluate risks.
D. They cannot proceed without a formal process.
Answer: A. Organizations typically use a combination of qualitative and quantitative techniques. In some cases, it may be necessary to proceed without a formalized risk management framework or assessment.

Quantitative Risk Assessment
Benchmarking
• Compares performance measures and results for specific events or processes.
• Identifies improvement opportunities.
• Likelihood/impact of potential events in industry.
Examples: internal, competitive/industry, best-in-class
Probabilistic models
• Associate a range of events and the resulting impact with likelihood based on assumptions.
• Likelihood and impact are assessed based on historical data or simulated outcomes of future behavior.
Examples: value at risk (VAR), cash flow at risk, earnings at risk, loss distributions, back-testing
Non-probabilistic models
• Use subjective assumptions in estimating event impact without quantifying associated likelihood.
• Base assessments on historical or simulated data and assumptions of future behavior.
Examples: sensitivity analysis, scenario analysis, stress tests
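As an added example that is not part of the LearnCIA slides, the Python below puts the probabilistic and non-probabilistic techniques from the table side by side on a constructed five-year history of operational loss events (security incidents, say). It fits an event rate and a lognormal severity to the history, simulates a one-year loss distribution, reads value at risk (VAR) off that distribution, back-tests the VAR against the recorded years, and then runs a stress test that scales every severity by a fixed factor while leaving the likelihood assumption untouched. All amounts, years, the seed and the parameters are constructed, and the function names are the editor's, not a library's.

```python
"""Probabilistic vs. non-probabilistic risk assessment on constructed data.

Added example, not from the LearnCIA slides. Standard library only.
"""
import math
import random
import statistics

# Constructed loss-event history: (year, loss amount) for one operational
# risk, e.g. security incidents. Illustrative values only.
LOSS_EVENTS = [
    (2019, 12_000), (2019, 48_000), (2019, 3_500),
    (2020, 21_000), (2020, 7_800),
    (2021, 95_000), (2021, 15_500), (2021, 4_200), (2021, 30_000),
    (2022, 9_900), (2022, 62_000),
    (2023, 18_000), (2023, 5_100), (2023, 27_500),
]
OBSERVED_YEARS = 5  # length of the constructed history


def fit_frequency_severity(events, years):
    """Estimate a Poisson event rate per year and lognormal severity
    parameters (mean and std. dev. of ln(loss)) from historical events."""
    rate = len(events) / years
    logs = [math.log(amount) for _, amount in events]
    return rate, statistics.fmean(logs), statistics.pstdev(logs)


def poisson_draw(rng, rate):
    """Knuth's multiplication method for a Poisson count (fine for small rates)."""
    limit, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(rate, mu, sigma, trials=20_000, seed=7):
    """Probabilistic model: Monte Carlo over one-year horizons. Each trial
    draws how many events occur, then a lognormal severity for each one."""
    rng = random.Random(seed)  # fixed seed keeps the results reproducible
    totals = []
    for _ in range(trials):
        events = poisson_draw(rng, rate)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def value_at_risk(losses, confidence):
    """VAR: the annual loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    index = min(int(confidence * len(ordered)), len(ordered) - 1)
    return ordered[index]


def historical_totals(events):
    """Actual loss per observed year, for back-testing."""
    totals = {}
    for year, amount in events:
        totals[year] = totals.get(year, 0) + amount
    return totals


def back_test(annual_totals, var):
    """Back-test: how many observed years exceeded the model's VAR. At 99%
    confidence, more than the odd exception means the model understates the tail."""
    return sum(1 for total in annual_totals.values() if total > var)


def stress_test(rate, mu, sigma, severity_multiplier, confidence=0.99):
    """Non-probabilistic scenario: assume every loss is `severity_multiplier`
    times worse (mu shifts by ln of the factor) and re-read the VAR. The
    likelihood assumption is deliberately left unchanged; that is what
    separates a stress test from the probabilistic model above."""
    losses = simulate_annual_losses(rate, mu + math.log(severity_multiplier), sigma)
    return value_at_risk(losses, confidence)


def risk_report(events=LOSS_EVENTS, years=OBSERVED_YEARS):
    """Run the whole assessment and return the figures a reviewer would ask for."""
    rate, mu, sigma = fit_frequency_severity(events, years)
    losses = simulate_annual_losses(rate, mu, sigma)
    var99 = value_at_risk(losses, 0.99)
    return {
        "events_per_year": rate,
        "var95": value_at_risk(losses, 0.95),
        "var99": var99,
        "back_test_exceptions": back_test(historical_totals(events), var99),
        "stressed_var99_x2": stress_test(rate, mu, sigma, 2.0),
    }


if __name__ == "__main__":
    for key, value in risk_report().items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value}")
```

Because the stress test reuses the same seed, doubling every severity doubles the 99% VAR exactly, which makes the difference between the two techniques visible: the probabilistic model tells you how likely a bad year is, the stress test only tells you how bad an assumed year would be.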
Risk Assessment Pitfalls
• Limiting risk assessments to financial hazards
• Blindly selecting risks from a generic risk
framework
• Internal auditors developing risks in a vacuum
• Identifying too many risks
• Overcomplicating risk quantification
Risk Responses
Accept: no action is taken to affect likelihood or impact.
Example: accepting risk that conforms to risk tolerances.
Practice Question
Inherent risk is BEST described as the risk
A. remaining after management’s risk response.
B. that management finds to be acceptable with the
entity’s risk tolerance.
C. derived from the environment without the mitigating
effects of internal controls.
D. having the lowest likelihood and potential impact.
Answer: C. Inherent risk is the risk derived from the
environment, strategy, tactics, and operations without the
mitigating effects of internal controls.
Risk Monitoring
• Takes into account that ERM processes change over time.
• Management can determine if ERM remains effective.
Practice Question
What is the internal audit activity’s role when ongoing monitoring
identifies an ERM deficiency?
A. Report the information to the board if it involves an illegal or
improper act.
B. Educate the individual or group responsible about the purpose
of ERM and internal control.
C. Assess if the deficiency will impact achievement of business
objectives.
D. Follow up with management and check on their response and/or
corrective action.
Internal Audit Activity’s Role in ERM
A continuum that ranges from:
• No role, to
• Auditing ERM process as part of internal audit plan, to
• Providing insight and historical data on risk events
identified by internal audit findings, to
• Consulting on establishment or improvement of risk
management processes.
Continuum: no role, process assurance, value-added findings, consulting
Internal Audit Activity’s Role in ERM
Assurance roles. Provide assurance on:
• Risk management processes (e.g., their design and how well they are working).
• Management of key risks, including the effectiveness of the controls and other activities.
• The assessment of risks and reporting of risk and control status.
Internal Audit Activity’s Role in ERM
Consulting roles. Possibilities include:
• Educating management about risk and control.
• Promoting ERM in the organization.
• Providing advice, facilitating workshops, and training on risk and control.
• Acting as the central point for coordinating, monitoring, and reporting on risks.
• Supporting related management activity.
Auditing Risk Management Process:
ISO 31000 Approaches
Process elements:
• Communication and consultation
• Scope, context, criteria
• Risk identification
• Risk analysis
• Risk evaluation
• Risk treatment
• Monitor and review
• Record and report
Key principles:
• Creates, protects value
• Integral to activities
• Structured, comprehensive
• Customized
• Transparent, auditable, inclusive
• Uncertainty handling
• Best information
• Culture, staff behavior
• Iterative cycle
Maturity model:
• Value brought by risk management process
• Gradual evolution toward effective treatment
• Growth against evolving objectives
• Where ERM process is on maturity curve
Assessing ERM Maturity
Gathering Evidence
(Implementation Guide 2120)
• Research internal and external events/trends.
• Review strategic plans and policies and talk to board and senior management about alignment.
• Review prior risk assessments from many sources for unremediated risks.
• Interview mid-level management on alignment at business unit level.
• Evaluate mitigation, monitoring, and communication effectiveness.
• Assess risk monitoring reporting lines.
• Review reporting adequacy and timeliness.
• Review risk analysis and response completeness.
• Review, observe, and directly test management’s self-assessment process.
• Discuss ERM weaknesses with senior management and board.
• Conduct risk assessment and independently perform gap analysis.
Practice Question
Which correctly describes management’s acceptance of risk?
A. The CAE must discuss unacceptable residual risk levels
with the board even if management resolves the issue.
B. The CAE is responsible for deciding appropriate actions to be taken in
response to reported engagement observations and recommendations.
C. Management is responsible for assessing board action on timely
resolution of reported engagement observations and
recommendations.
D. Senior management and the board may decide not to correct a
reported condition because of cost or other considerations.
What Is Internal Control?
Control: “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved”
Control environment: provides discipline and structure for achievement of primary objectives of the system of internal control
Internal control:
• Ongoing process effected by people at all organizational levels
• Management and board receive reasonable, not absolute, assurance
• Transcends policy and is geared toward achieving organizational objectives
• Flexible and adaptable to organization’s structure
Controls
Entity-level controls:
• Apply to entire organization
• To ensure that organizational objectives are achieved
• Mitigate risks that threaten entire organization
• Governance and management oversight controls
Process-level controls:
• Established by process owner
• To ensure that process objectives are achieved
• Address process-level risks
Transaction-level controls:
• Specific to individual transactions
• To ensure that transaction objectives are achieved
• Address transaction-specific risks
Key Controls vs. Secondary Controls
Controls by Function
• Preventive: deter undesirable events from occurring. Example: reward based on KPI
• Detective: detect undesirable events that have occurred. Examples: reconciliations, exceptions
• Corrective: correction of errors/irregularities. Examples: audit trails, backup process
• Directive: cause/encourage desirable event. Examples: guidelines, incentives
• Mitigating: reduce potential impact of event. Example: insurance
• Compensating: compensate for lack of expected control. Example: supervision in lieu of segregation of duties
• Redundant: extra control objective/secondary control. Example: spillover pool
Active vs. Passive Controls
Active control (manual): a task that prevents or detects a deviation from the approved procedure. It works by some type of conscious intervention. Example: manager’s review of transaction.
Passive control (automated): a task that operates without human intervention. It works by just being there. Example: thermostat set to maintain the temperature of a room.
Discussion Question
Identify these internal controls as
“hard” or “soft.”
Benefits, Limitations of Internal Control
Internal control can help:
• Reach performance and profitability targets.
• Prevent loss of resources.
• Support reliable financial reporting.
• Support compliance with laws, regulations, and policies/procedures.
Internal control cannot:
• Ensure organizational success or even survival.
• Ensure the reliability of financial reporting.
• Ensure absolute compliance with laws, regulations, and policies/procedures.
Internal Controls: Key Elements
• Tangible: policies, procedures, activities
• Less tangible: behavioral aspects (ethical values)
Both are designed by management.
Internal Control Frameworks
Model: developed by
• COSO’s Internal Control – Integrated Framework: Committee of Sponsoring Organizations of the Treadway Commission
• Cadbury model: Institute of Chartered Accountants in England and Wales (ICAEW)
• Criteria of Control (CoCo) model: CPA Canada
• King Report on Corporate Governance: South Africa’s King Committee on Corporate Governance
• COBIT 5: ISACA
• Basel III standards: Basel Committee on Banking Supervision (BCBS)
COSO’s Internal Control—
Integrated Framework
Three dimensions:
• Control objectives
• 5 interrelated components
• Organizational levels of responsibility
COSO’s 17 Principles of Internal Control
Control environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information and communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Practice Question
Which statement about the COSO internal control
framework is true?
A. The framework is best applied in manufacturing and service
industries.
B. All five components are applicable to the achievement of each of the
objectives.
C. The synergy and linkage among the objectives form the integrated
framework.
D. The audit committee has overall responsibility for the establishment,
administration, and assessment of the framework.
King Report on Corporate Governance
• Governance requires integrated approach
• Code of Corporate Practices and Conduct
– Discipline
– Transparency
– Independence
– Accountability
– Responsibility
– Fairness
– Social responsibility
• Ethical foundation for effective leadership
– Innovation, fairness, and collaboration for sustainability
– Risk-based auditing
– Principle- and outcomes-based (not rules-based)
– Focus on transparency, disclosures
COBIT 5 Framework
7 enablers:
• Principles, policies, and frameworks
• Processes
• Organizational structures
• Culture, ethics, and behavior
• Information
• Services, infrastructure, and applications
• People, skills, and competencies
COBIT 5 Framework’s 5 Key Principles
1. Meeting stakeholder needs
2. Covering enterprise end-to-end
3. Applying single integrated framework
4. Enabling holistic approach
5. Separating governance from management
Basel III Standards (Banking Sector)
• Voluntary banking reform
• Minimum capital requirements
• Absorb shocks
• Improve risk management and governance
• Strengthen transparency and disclosures
• Three pillars
1. Calculations of regulatory capital requirements for credit, market, and operational risk
2. Capital adequacy review process and risk/response process
3. Disclosure requirements on capital and risk management
The Control Loop
1. Objective
2. Standard
3. Findings
4. Corrective action
The loop then returns to step 1.
Practice Question
Which characterizes effective systems of
internal control?
A. Symptom identification/correction
B. Timely identification of deviations
C. Alignment to audit objectives
D. Qualitative standards for controls
Answer: B. Root cause identification (not symptoms). Alignment is
to organizational strategic objectives. If possible, standards should
be quantitative, for example, five days rather than “a reasonable
time interval.”
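As an added example, not from the LearnCIA slides, the Python below runs the four-step control loop (objective, standard, findings, corrective action) as a detective control over constructed cash-receipt records, the process from the earlier discussion question on timely deposits. The standard is quantitative (five calendar days, the kind of standard the practice answer above prefers to “a reasonable time interval”), so a deviation is found by arithmetic rather than judgement, and the corrective step separates a one-off late deposit (correct the symptom) from a clerk who is repeatedly late (refer for root cause review). Record values, clerk names, dates and the thresholds are constructed; the function and class names are the editor’s.

```python
"""The control loop as a detective control over constructed cash receipts.

Added example, not from the LearnCIA slides. Standard library only.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date

# Step 1: objective. Step 2: a quantitative standard, not "a reasonable
# time interval", so a deviation is a matter of arithmetic, not judgement.
OBJECTIVE = "Cash receipts are deposited promptly"
MAX_DAYS_TO_DEPOSIT = 5   # constructed standard, in calendar days
REPEAT_THRESHOLD = 2      # deviations by one clerk that trigger root cause review


@dataclass(frozen=True)
class Receipt:
    receipt_id: str
    handled_by: str
    received: date
    deposited: date | None  # None: still not deposited at the review date


@dataclass(frozen=True)
class Finding:
    receipt_id: str
    handled_by: str
    days_outstanding: int
    still_open: bool


# Constructed sample records (ids, clerks and dates are invented)
RECEIPTS = [
    Receipt("R-1001", "clerk-A", date(2024, 3, 1), date(2024, 3, 4)),
    Receipt("R-1002", "clerk-B", date(2024, 3, 1), date(2024, 3, 8)),
    Receipt("R-1003", "clerk-B", date(2024, 3, 5), date(2024, 3, 12)),
    Receipt("R-1004", "clerk-C", date(2024, 3, 6), None),
    Receipt("R-1005", "clerk-A", date(2024, 3, 11), date(2024, 3, 14)),
    Receipt("R-1006", "clerk-B", date(2024, 3, 12), date(2024, 3, 20)),
]
REVIEW_DATE = date(2024, 3, 20)


def days_outstanding(receipt, as_of):
    """Days from receipt to deposit, or to the review date if undeposited."""
    end = receipt.deposited if receipt.deposited is not None else as_of
    return (end - receipt.received).days


def find_deviations(receipts, as_of, standard=MAX_DAYS_TO_DEPOSIT):
    """Step 3: findings. Every record is compared against the standard;
    only records that miss it become findings."""
    findings = []
    for receipt in receipts:
        days = days_outstanding(receipt, as_of)
        if days > standard:
            findings.append(Finding(receipt.receipt_id, receipt.handled_by,
                                    days, receipt.deposited is None))
    return findings


def corrective_actions(findings, repeat_threshold=REPEAT_THRESHOLD):
    """Step 4: corrective action. Undeposited receipts are corrected at once
    (the symptom); a clerk with repeated deviations is referred for root cause
    review, because fixing each late deposit alone would not change the pattern."""
    repeats = Counter(f.handled_by for f in findings)
    return {
        "deposit_immediately": sorted(f.receipt_id for f in findings if f.still_open),
        "root_cause_review": sorted(c for c, n in repeats.items() if n >= repeat_threshold),
    }


def run_control_loop(receipts=RECEIPTS, as_of=REVIEW_DATE):
    """One pass round the loop; the report feeds the next review cycle."""
    findings = find_deviations(receipts, as_of)
    return {
        "objective": OBJECTIVE,
        "standard_days": MAX_DAYS_TO_DEPOSIT,
        "findings": [(f.receipt_id, f.days_outstanding) for f in findings],
        "actions": corrective_actions(findings),
    }


if __name__ == "__main__":
    print(run_control_loop())
```

Running the loop more often (weekly rather than at quarter end) is what makes the identification of deviations timely; the review date is a parameter for that reason.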
Discussion Question
Identify the area/individual responsible
for the internal control task.
Practice Question
A large company and a small company in the same industry
both face new regulations. Which statement is true?
A. Basic concepts to deal with this internal control component
should be present in both organizations.
B. The larger organization will be better attuned to risks, since its top-
down philosophy can disregard tactics used.
C. The smaller organization will be more nimble in its response because
of less need for soft controls.
D. Both can implement identical controls as long as their objectives and
strategies are similar.
Answer: A. Regardless of size, basic concepts should be present in both.
Specific control measures will vary.
End of Section V
Questions?