
1. How does The IIA define internal auditing? What are the four categories of business objectives discussed in chapter 1?

The IIA defines internal auditing as "An independent, objective assurance and
consulting activity designed to add value and improve an organization's
operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes."

Four categories of business objectives discussed in chapter 1 are:

· Strategic objectives: the goals that management sets related to stakeholder interests.

· Operations objectives: the effectiveness and efficiency of the entity's operations.

· Reporting objectives: reliability, timeliness, and transparency.

· Compliance objectives: adherence to laws and regulations.

2. Analyze the three components of the internal audit value proposition set
forth by the IIA.

- Governing bodies and senior management rely on internal auditing for
objective assurance and insight on the effectiveness and efficiency of
governance, risk management, and internal control processes.
- Three components:

+) Assurance = Governance, Risk, and Control. Internal audit provides assurance on the
organization's governance, risk management, and control processes to help the
organization achieve its strategic, operational, financial, and compliance objectives.

+) Insight = Catalyst, Analyses, and Assessments. Internal audit is a catalyst for
improving an organization's effectiveness and efficiency by providing insight and
recommendations based on analyses and assessments of data and business processes.

+) Objectivity = Integrity, Accountability, and Independence. With commitment to
integrity and accountability, internal audit provides value to governing bodies and senior
management as an objective source of independent advice.

3. How does COSO define ERM? In the COSO ERM principle
"Exercises board risk oversight", the board of directors provides oversight of the
strategy and carries out risk governance responsibilities to support management in
achieving strategy and business objectives. To carry out this responsibility, what
should the board of directors do?

- COSO defines ERM as: "The culture, capabilities, and practices, integrated
with strategy-setting and its execution, that organizations rely on to manage
risk in creating, preserving, and realizing value."
- What the board of directors should do to carry out this responsibility:

+) The board has the primary responsibility for risk oversight, and in some countries
even has fiduciary responsibility to stakeholders.

+) The board should have sufficient skills, experience, and business knowledge to carry
out its risk oversight responsibility.

+) The board should be sufficiently independent to objectively carry out its oversight
responsibility.

+) The board should understand the complexity of the organization to ensure the risk
management approach is suitable relative to the strategy and business objectives.

+) The board should ensure organizational bias or "groupthink" is minimized to ensure
effectiveness of the risk management decisions.

4. What are the typical ERM responsibilities of: (a) the board of directors; (b)
management; (c) the internal audit function?

ERM Roles and Responsibilities

The board of directors, management, risk officers, financial officers, internal
auditors, and, indeed, every individual within an organization contribute to
effective ERM.

An overall description of these responsibilities follows.

- Board of directors. Most of the board of directors' responsibilities relate to the risk
governance and culture component. The board's primary role relates to principle
#1, its risk oversight responsibility. The board also helps management establish
the governance and operating models, define culture and desired behaviors,
demonstrate commitment to integrity and ethics, and assign accountability and
authority for risk management.
- Management. Management is responsible for carrying out all activities of an
organization, including ERM. These responsibilities will vary, depending on the
level in the organization and the organization's characteristics.

+) CEO: The CEO is ultimately responsible for the effectiveness and success of
ERM. One of the most important aspects of this responsibility is ensuring that a
positive and ethical tone is set. The CEO influences the composition and conduct
of the board, provides leadership and direction to senior managers, and monitors
the organization's overall risk activities in relation to its risk appetite.

+) Senior managers in charge of the various organizational units have
responsibility for managing risks related to their specific units' objectives. They
convert the organization's overall strategy into ongoing operations activities,
identify potential risk events, assess the related risks, and implement actions to
manage those risks.

+) Staff functions also have important supporting roles in designing and
executing effective ERM practices. These functions may design and implement
programs that help manage certain key risks across the entire organization.

- Internal auditors. The internal audit function plays an important role in
evaluating the effectiveness of, and recommending improvements to, ERM. The
IIA's International Standards for the Professional Practice of Internal Auditing
specify that the scope of the internal audit function should encompass governance,
risk management, and control systems. This includes evaluating the reliability of
reporting, the effectiveness and efficiency of operations, and compliance with laws
and regulations. In carrying out these responsibilities, the internal audit function
assists management and the board by examining, evaluating, reporting on, and
recommending improvements to the adequacy and effectiveness of the
organization's ERM.

5. What is control? What is a control process? Can internal control
provide absolute assurance of the complete elimination of risk? Why?

- Control is "any action taken by management, the board, and other parties to manage
risk and increase the likelihood that established objectives and goals will be achieved.
Management plans, organizes, and directs the performance of sufficient actions to
provide reasonable assurance that objectives and goals will be achieved."

- Control processes are "the policies, procedures (both manual and automated), and
activities that are part of a control framework, designed and operated to ensure that risks
are contained within the level that an organization is willing to accept."
- Internal control cannot provide absolute assurance of the complete elimination of
risk because of the inherent limitations of internal control.

Limitations may result from the:

+) Suitability of objectives established as a precondition to internal control

+) Reality that human judgment in decision-making can be faulty and subject to bias

+) Breakdowns that can occur because of human failures such as simple errors

+) Ability of management to override internal control

+) Ability of management, other personnel, and/or third parties to circumvent controls
through collusion.

+) External events beyond the organization's control.

6. What are the definitions of governance, risk management, and control provided in
this textbook: "Urton L. Anderson - Internal Auditing: Assurance and Advisory Services,
4th Edition (2017)"?

- Governance is the process conducted by the board of directors to authorize, direct,
and oversee management toward the achievement of the organization's objectives.
- Risk management is the process conducted by management to understand and deal
with uncertainties (risks and opportunities) that could affect the organization's
ability to achieve its objectives.
- Control, which is embedded (closely tied) in risk management, is the process conducted
by management to mitigate risks to acceptable levels.

7. State the definition of governance according to the IIA Standards. Describe the
roles of the internal audit function in the governance process.

The IIA Standards describe governance as "The combination of processes and
structures implemented by the board to inform, direct, manage, and monitor the
activities of the organization toward the achievement of its objectives."

The roles of the internal audit function in the governance process are:

The internal audit activity must assess and make appropriate recommendations to
improve the organization's governance processes for:

1. Making strategic and operational decisions.
2. Overseeing risk management and control.
3. Promoting appropriate ethics and values within the organization
4. Ensuring effective organizational performance management and accountability.
5. Communicating risk and control information to appropriate areas of the
organization.
6. Coordinating the activities of, and communicating information among, the board,
external and internal auditors, other assurance providers, and management.

8. How does COSO define risk and risk management? Describe the risk
management process in the enterprise.

- Risk is the possibility of an event occurring that will have an impact on the
achievement of objectives. Risk is measured in terms of impact and likelihood
(The IIA Glossary).

- Risk management is "a process to identify, assess, manage, and control
potential events or situations to provide reasonable assurance regarding the
achievement of the organization's objectives" (The IIA Glossary) (emphasis added).

- Risk management process:

Step 1 - Identification of context

Step 2 - Risk identification

Step 3 - Risk analysis

Step 4 - Risk response

Step 5 - Risk monitoring

9. What are the three lines of defense in the Three Lines of Defense model?

The three lines of defense in the Three Lines of Defense model are:

- The first line of defense represents the internal control activities conducted by
individuals and management. These activities are comprised of both the specific
internal control activities, referred to as internal control measures in the model,
and management controls, which are those that oversee and monitor individual
activities. First line of defense controls are very important, but they are considered
the least independent and objective of the lines of defense.
- The second line of defense represents other assurance activities. These activities
are conducted by individuals reporting through different lines of management than
those directly responsible for the internal control activities. The level of
independence and objectivity is considered to be greater than the first line. But the
level of independence and objectivity may not be sufficient to provide the desired
level of assurance.
- The third line of defense represents the most independent and objective form of
assurance. Internal audit activities typically are the only activities that report
functionally to the board and have no other management responsibilities. Thus, the
third line of defense is the most independent and objective of the three lines.
