1. Analyze the three components of the internal audit value proposition set forth by
the IIA?

Governing bodies and senior management rely on internal auditing for objective
assurance and insight on the effectiveness and efficiency of governance, risk
management, and internal control processes.

Three components:

+) Assurance = Governance, Risk, and Control. Internal audit provides assurance on the
organization's governance, risk management, and control processes to help the
organization achieve its strategic, operational, financial, and compliance objectives.

+) Insight = Catalyst, Analyses, and Assessments. Internal audit is a catalyst for
improving an organization's effectiveness and efficiency by providing insight and
recommendations based on analyses and assessments of data and business processes.

+) Objectivity = Integrity, Accountability, and Independence. With commitment to
integrity and accountability, internal audit provides value to governing bodies and senior
management as an objective source of independent advice.

2. How does COSO define ERM? In the COSO ERM principle "Exercises board risk
oversight", the board of directors provides oversight of the strategy and carries out
risk governance responsibilities to support management in achieving strategy and
business objectives. To conduct this responsibility, what should the board of
directors do?

COSO defines ERM as: "The culture, capabilities, and practices, integrated with
strategy-setting and its execution, that organizations rely on to manage risk in
creating, preserving, and realizing value."

To conduct this responsibility, the board of directors should do the following:

+) The board has the primary responsibility for risk oversight, and in some countries even has
fiduciary responsibility to stakeholders.

+) The board should have sufficient skills, experience, and business knowledge to carry out its
risk oversight responsibility.

+) The board should be sufficiently independent to objectively carry out its oversight
responsibility.

+) The board should understand the complexity of the organization to ensure the risk
management approach is suitable relative to the strategy and business objectives.
+) The board should ensure organizational bias or “groupthink” is minimized to ensure
effectiveness of the risk management decisions.

3. What are typical ERM responsibilities of: (a) The board of directors?; (b) The
management; (c) The internal audit function?

ERM Roles and Responsibilities

The board of directors, management, risk officers, financial officers, internal
auditors, and, indeed, every individual within an organization contribute to effective
ERM.

An overall description of these responsibilities follows.

- Board of directors. Most of the board of directors' responsibilities relate to the risk
governance and culture component. The board's primary role relates to principle #1, its
risk oversight responsibility. The board also helps management establish the governance
and operating models, define culture and desired behaviors, demonstrate commitment to
integrity and ethics, and assign accountability and authority for risk management.

- Management. Management is responsible for carrying out all activities of an
organization, including ERM. These responsibilities will vary, depending on the level in
the organization and the organization's characteristics.

+) CEO: The CEO is ultimately responsible for the effectiveness and success of ERM.
One of the most important aspects of this responsibility is ensuring that a positive and
ethical tone is set. The CEO influences the composition and conduct of the board,
provides leadership and direction to senior managers, and monitors the organization's
overall risk activities in relation to its risk appetite.

+) Senior managers in charge of the various organizational units have responsibility for
managing risks related to their specific units' objectives. They convert the organization's
overall strategy into ongoing operations activities, identify potential risk events, assess
the related risks, and implement actions to manage those risks.

+) Staff functions also have important supporting roles in designing and executing
effective ERM practices. These functions may design and implement programs that help
manage certain key risks across the entire organization.

- Internal auditors. The internal audit function plays an important role in evaluating the
effectiveness of, and recommending improvements to, ERM. The IIA's International
Standards for the Professional Practice of Internal Auditing specify that the scope of the
internal audit function should encompass governance, risk management, and control
systems. This includes evaluating the reliability of reporting, effectiveness and efficiency
of operations, and compliance with laws and regulations. In carrying out these
responsibilities, the internal audit function assists management and the board by
examining, evaluating, reporting on, and recommending improvements to the adequacy
and effectiveness of the organization's ERM.

4. What is control? What is a control process? Can internal control provide absolute
assurance of the complete elimination of risk? Why?

- Control is "any action taken by management, the board, and other parties to manage risk and
increase the likelihood that established objectives and goals will be achieved. Management plans,
organizes, and directs the performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved."

- Control processes are "the policies, procedures (both manual and automated), and activities
that are part of a control framework, designed and operated to ensure that risks are contained
within the level that an organization is willing to accept."

Internal control cannot provide absolute assurance of the complete elimination of risk,
because any system of internal control has the following inherent limitations:
1) Human judgment is faulty, and controls may fail because of simple errors or mistakes.
2) Management may inappropriately override internal controls, e.g., to fraudulently achieve
revenue projections or hide liabilities.
3) Manual or automated controls can be circumvented by collusion.
4) The cost of internal control must not be greater than its benefits.

5. What roles and responsibilities should each of the following have in a fraud risk
management program?
a. The board of directors.
b. Management.
c. Employees.
d. The internal audit function
Answer:

a. The board of directors: Boards help set the tone at the top. Many of the specific fraud
oversight responsibilities may be carried out by committees of the board. This oversight should
generally include:
- A general understanding of fraud-related policies, procedures, and incentive plans.
- A comprehensive understanding of the key fraud risks.
- Oversight of the fraud risk management program, including the internal controls that
have been implemented to manage fraud risks.
- Receiving and monitoring reports that provide information about fraud incidents,
investigation status, and disciplinary actions.
- The ability to retain outside counsel and experts when needed.
- Directing the internal audit function and the independent outside auditor to provide
assurance regarding fraud risk concerns.
b. Management.
- Similar to the board, management plays a very important role in setting the tone for the
organization. Beyond what management says, how it acts is instrumental in shaping
perceptions of the culture and its attitude toward fraud prevention.
- In addition, management is responsible for implementing the overall fraud risk
management program. This includes direction and oversight over the system of internal
controls, which must be designed and operated in a manner to prevent fraud incidents or
detect them timely.
- Management must also establish a system of monitoring and reporting that will enable it
to evaluate whether the fraud risk management program is operating effectively. This
helps provide management with timely and relevant information that can be reported to
the board.
c. Employees.
The day-to-day execution of the fraud risk management program, specifically the controls that
are designed to prevent and detect fraud, must involve everyone in the organization. According
to the Fraud Guide, this means that "all levels of staff, including management, should:
- Have a basic understanding of fraud and be aware of the red flags.
- Understand their roles within the internal control framework.
- Read and understand policies and procedures. As required, participate in the process of
creating a strong control environment and designing and implementing fraud control
activities, as well as participate in monitoring activities.
- Report suspicions of incidences of fraud.
- Cooperate in investigations."
d. The internal audit function
The internal audit function plays an important role in contributing to the overall governance of a
fraud risk management program. This is primarily evident from the independent assurance the
internal audit function provides to the board and management that the controls in place to
manage fraud risks are designed adequately and operate effectively.