Internal Audit Revision
The IIA defines internal auditing as "An independent, objective assurance and
consulting activity designed to add value and improve an organization's
operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes."
2. Analyze the three components of the internal audit value proposition set
forth by the IIA.
+) Assurance = Governance, Risk, and Control. Internal audit provides assurance on the
organization's governance, risk management, and control processes to help the
organization achieve its strategic, operational, financial, and compliance objectives.
Question 3: How does COSO define ERM? One of the principles of the COSO ERM framework is
"Exercises board risk oversight": the board of directors provides oversight of the
strategy and carries out risk governance responsibilities to support management in
achieving strategy and business objectives. To carry out this responsibility, what
should the board of directors do?
COSO defines ERM as: "The culture, capabilities, and practices, integrated
with strategy-setting and its execution, that organizations rely on to manage
risk in creating, preserving, and realizing value."
What the board of directors should do to carry out this responsibility:
+) The board has the primary responsibility for risk oversight, and in some countries
even has fiduciary responsibility to stakeholders.
+) The board should have sufficient skills, experience, and business knowledge to carry
out its risk oversight responsibility.
+) The board should be sufficiently independent to objectively carry out its oversight
responsibility.
+) The board should understand the complexity of the organization to ensure the risk
management approach is suitable relative to the strategy and business objectives.
Question 4: What are the typical ERM responsibilities of: (a) the board of directors; (b)
management; (c) the internal audit function?
+) CEO: The CEO is ultimately responsible for the effectiveness and success of
ERM. One of the most important aspects of this responsibility is ensuring that a
positive and ethical tone is set. The CEO influences the composition and conduct
of the board, provides leadership and direction to senior managers, and monitors
the organization's overall risk activities in relation to its risk appetite.
- Control is "any action taken by management, the board, and other parties to manage
risk and increase the likelihood that established objectives and goals will be achieved.
Management plans, organizes, and directs the performance of sufficient actions to
provide reasonable assurance that objectives and goals will be achieved."
- Control processes are "the policies, procedures (both manual and automated), and
activities that are part of a control framework, designed and operated to ensure that risks
are contained within the level that an organization is willing to accept."
- Internal control cannot provide absolute assurance of the complete elimination of
risk, due to the inherent limitations of internal control, including:
+) Reality that human judgment in decision-making can be faulty and subject to bias
+) Breakdowns that can occur because of human failures such as simple errors
6. What are the definitions of governance, risk management, and control provided in
the textbook "Urton L. Anderson - Internal Auditing: Assurance and Advisory Services,
4th Edition (2017)"?
The internal audit activity must assess and make appropriate recommendations to
improve the organization's governance processes for:
8. How does COSO define risk and risk management? Describe the risk
management process in the enterprise.
- Risk is "the possibility of an event occurring that will have an impact on the
achievement of objectives. Risk is measured in terms of impact and likelihood"
(The IIA Glossary).
9. What are the three lines of defense in the Three Lines of Defense model?
The three lines of defense in the Three Lines of Defense model are:
The first line of defense represents the internal control activities conducted by
individuals and management. These activities comprise both the specific
internal control activities, referred to as internal control measures in the model,
and management controls, which are those that oversee and monitor individual
activities. First line of defense controls are very important, but they are considered
the least independent and objective of the lines of defense.
The second line of defense represents other assurance activities. These activities
are conducted by individuals reporting through different lines of management than
those directly responsible for the internal control activities. The level of
independence and objectivity is considered to be greater than that of the first line, but it
may still not be sufficient to provide the desired level of assurance.
The third line of defense represents the most independent and objective form of
assurance. Internal audit activities typically are the only activities that report
functionally to the board and have no other management responsibilities. Thus, the
third line of defense is the most independent and objective of the three lines.