
EXHIBIT 4-5

OPPORTUNITIES FOR THE INTERNAL AUDIT FUNCTION TO PROVIDE INSIGHT RELATING TO RISK MANAGEMENT

OPPORTUNITIES TO PROVIDE INSIGHT

1. Assess whether the organization's strategies and business objectives, which are the starting point for risk management, are sufficiently articulated and understood throughout the organization.

2. Provide insights on the nature and effectiveness of the control environment to give management and the board comfort that there are no pervasive entity-level factors that could undermine the effectiveness of risk management.

3. Facilitate determination of the organization's risk appetite and levels of acceptable variation in performance to ensure such risk criteria are determined, supported by the board, and understood throughout the organization.

4. Brainstorm possible risk events and supplement management's list of such events.

5. Facilitate the assessment and prioritization of risks to help management ensure the right risks are subject to treatment.

6. Advise on other risk assessment criteria beyond impact and likelihood, such as velocity and volatility, which may influence the prioritization of risks.

7. Advise on the choice of risk responses/treatments to help management evaluate whether the chosen options will best manage the priority risks.

8. Assist management with monitoring the external and internal environments to help identify new or emerging risks.

9. Provide audit results in a format that helps management understand the design adequacy and operating effectiveness of risk management activities.

10. Conduct an overall assessment of the risk management system (framework and process) to provide assurance regarding the system's design adequacy and operating effectiveness.

ERM performance. COSO outlines 23 principles in the exposure draft that support these components.

ISO 31000 provides a holistic view of risk management, consisting of principles, a framework, and a process for risk management. It is gaining global acceptance and, in general, aligns with COSO ERM.

The skillsets and broad experience levels that internal auditors possess position them to play a valuable role in ERM. The internal audit function may take on a variety of roles relative to ERM, some of which are consistent with the assurance activities as outlined in its charter, and some of which may be consulting services provided to assist the organization in improving its governance, risk management, and control processes. However, an internal audit function must establish appropriate safeguards to ensure that it does not take on roles that could be equivalent to management's responsibilities, thus impairing the objectivity of internal auditors.

An organization's strategic plan and inherent risks will have a direct and profound impact on both the charter of an internal audit function as well as its annual audit plan. Changes in management direction, objectives, emphasis, and focus also may impact the annual internal audit plan. The CAE must consider risks when prioritizing and scheduling the upcoming internal audit engagements.

In summary, management's approach to risk management, regardless of whether or not an organization has implemented ERM, will have a significant influence on both the internal audit charter and annual internal audit plan.

4-24 INTERNAL AUDITING, ASSURANCE & ADVISORY SERVICES

RISK MANAGEMENT 4-25

1. How does COSO define risk? How does ISO define risk?

2. What are the five fundamental points embedded in the COSO and ISO definitions of risk?

3. According to COSO, what are the fundamental concepts emphasized in its definition of enterprise risk management (ERM)?

4. How does COSO define mission, vision, and core values?

5. How does COSO define strategy and business objectives?

6. What are the five COSO ERM components?

7. How does COSO define risk appetite?

8. What is inherent risk? What is residual risk?

9. What are COSO's five categories of risk response?

10. In what forms might risk information be communicated?

11. What are typical ERM responsibilities of:

a. The board of directors?

b. Management?

c. The chief risk officer?

d. Financial executives?

e. The internal audit function?

f. The independent outside auditors?

12. What are the 11 risk management principles identified in ISO 31000?

13. What are the five components of the ISO 31000 risk management framework?

14. What five activities are included in the ISO 31000 risk management process?

15. In exhibit 4-3, why are some of the balls representing risks clustered together while some are not?

16. What are some ERM assurance activities the internal audit function may perform? What are some ERM consulting activities the internal audit function may perform if appropriate safeguards are implemented? What ERM activities should the internal audit function not perform?

MULTIPLE-CHOICE QUESTIONS

Select the best answer for each of the following questions.

1. According to COSO ERM, which of the following is not an inherent challenge that arises as part of establishing strategy and business objectives?

a. Ensuring culture is clearly articulated by the board.

b. Possibility of strategy not aligning.

c. Implications from the strategy chosen.

d. Risk to achieving the strategy.

2. Which of the following external events will most likely impact a defense contractor that relies on large government contracts for its success?

a. Economic event.

b. Natural environment event.

c. Political event.

d. Social event.

3. Which of the following is not an example of a risk-sharing strategy?

a. Outsourcing a noncore, high-risk area.

b. Selling a nonstrategic business unit.

c. Hedging against interest rate fluctuations.

d. Buying an insurance policy to protect against adverse weather.

4. An organization tracks a website hosting anonymous blogs about its industry. Recently, anonymous posts have focused on potential legislation that could have a dramatic effect on this industry. Which of the following may create the greatest risk if this organization makes business decisions based on the information contained on this website?

a. Appropriateness of the information.

b. Timeliness of the information.

c. Accessibility of the information.

d. Accuracy and reliability of the information.

5. Which of the following risk management activities is out of sequence in terms of timing?

a. Identify, assess, and prioritize risks.

b. Develop risk responses/treatments.

c. Determine key organizational objectives.

d. Monitor the effectiveness of risk responses/treatments.

6. Who is responsible for implementing ERM?

a. The chief financial officer.

b. The chief audit executive.

c. The chief compliance officer.

d. Management throughout the organization.

7. Which of the following is not a potential value driver for implementing ERM?

a. Financial results will improve in the short run.

b. There will be fewer surprises from year to year.

c. There will be better information available to make risk decisions.

d. An organization's risk appetite can be aligned with strategic planning.

8. Which of the following is the best reason for the CAE to consider the organization's strategic plan in developing the annual internal audit plan?

a. To emphasize the importance of the internal audit function to the organization.

b. To ensure that the internal audit plan will be approved by senior management.

c. To make recommendations to improve the strategic plan.

d. To ensure that the internal audit plan supports the overall business objectives.

9. When senior management accepts a level of residual risk that the CAE believes is unacceptable to the organization, the CAE should:

a. Report the unacceptable risk level immediately to the chair of the audit committee and the independent outside audit firm partner.

b. Resign his or her position in the organization.

c. Discuss the matter with knowledgeable members of senior management and, if not resolved, take it to the audit committee.

d. Accept senior management's position because it establishes the risk appetite for the organization.

10. The CAE is asked to lead the enterprise risk assessment as part of an organization's implementation of ERM. Which of the following would not be relevant with respect to protecting the internal audit function's independence and the objectivity of its internal auditors?

a. A cross-section of management is involved in assessing the impact and likelihood of each risk.

b. Risk owners are assigned responsibility for each key risk.

c. A member of senior management presents the results of the risk assessment to the board and communicates that it represents the organization's risk profile.

d. The internal audit function obtains assistance from an outside consultant in the conduct of the formal risk assessment session.

11. An internal audit engagement was included in the approved internal audit plan. This is considered a moderately high-risk audit based on the internal audit function's risk model. It is currently on a two-year audit cycle. Which of the following will likely have the greatest impact on the scope and approach of the internal audit engagement?

a. The area being audited involves the processing of a high volume of transactions.

b. Certain components of the process are outsourced.

c. A new system was implemented during the year, which changed how the transactions are processed.

d. The total dollars processed in this area are material.

12. When assessing the risk associated with an activity, an internal auditor should:

a. Determine how the risk should best be managed.

b. Provide assurance on the management of the risk.

c. Update the risk management process based on risk exposures.

d. Design controls to mitigate the identified risks.

13. One of the challenges of ERM in an organization that has a centralized structure is that:

a. It may be difficult to raise awareness of the impact of work actions on other employees or work areas.

b. Employees in these structures are inherently less risk averse.

c. Managers have less incentive to implement and monitor controls.

d. Effective controls are more difficult to design, and consistent application is more difficult to achieve across the organization.

14. The function of the chief risk officer is most effective when he or she:

a. Manages risk as a member of senior management.

b. Shares the management of risk with line management.

c. Shares the management of risk with the CAE.

d. Monitors risk as part of the ERM team.

15. Enterprise risk management:

a. Guarantees achievement of business objectives.

b. Requires establishment of risk and control activities by internal auditors.

c. Involves the identification of events with negative impacts on business objectives.

d. Includes selection of best risk response for the organization.

1. Describe the difference between risk-taking philosophy, risk appetite, and acceptable variation in performance. Give examples of each.

2. How does effective ERM help achieve strategy?

3. Define inherent risk and residual risk. Which of the two types of risk should have a greater impact on the annual internal audit plan?

4. The ISO 31000 risk management framework includes five components, the first of which is "mandate and commitment." Explain what mandate and commitment means. Discuss why mandate and commitment is critical to risk management success.

5. For an organization that has not implemented ERM, describe steps the internal audit function can take to initiate an ERM program without impairing the function's independence and/or objectivity.

6. Risk assessment most commonly focuses on two criteria, impact and likelihood. As an organization's risk assessment process evolves, what other criteria might be valuable to consider and why?

7. One of your classmates, I. M. Motivated, consistently carries a very heavy class load. In addition to his already heavy class load, he is contemplating applying for an internal audit internship at a local company. Discuss the opportunities and risks that are relevant to his decision.

8. It may be easier for some to understand ERM by thinking about five "everyday questions" that can be used to apply risk management thinking:

a. What are we trying to accomplish (what are our objectives)?

b. What could stop us from accomplishing them (what are the risks, how bad could they be, and how likely are they to occur)?

c. What options do we have to make sure those things do not happen (what are the risk management strategies, that is, responses)?

d. Do we have the ability to execute those options (have we designed and executed control activities to carry out the risk management strategies)?

e. How will we know that we have accomplished what we wanted to accomplish (does the information exist to evidence success, and can we monitor performance to verify that success)?

Think about the reasons you decided to take this course and answer each of those questions with a focus on achieving your desired level of success.

CASE 1

COSO provides a variety of guidance relevant to the internal audit profession. The purpose of this case is to become more familiar with COSO and its guidance. Visit www.coso.org and answer the following questions.

A. Based on the statement on COSO's home page, what is the organization dedicated to?

B. What is COSO's mission (can be found on the About Us page)?

C. What are the five sponsoring organizations?

D. What type of internal control guidance does COSO offer? Much of this guidance is discussed in chapter 6.

E. Download an article from the Resources page specified by your instructor. What did you find interesting about this article?

CASE 2

Your organization has implemented a robust ERM program similar to the one outlined in this chapter. The audit committee has asked you to assess the design adequacy and operating effectiveness of the program. Because the audit committee members are familiar with COSO ERM, they would like you to assess the veracity of the ERM program relative to the five components of ERM. Based on this request, develop a list of steps you would follow to test each of the ERM components. Include at least two work steps for each component.

CASE 3

KnowledgeLeader Practice Case: Alternative Risk Management Frameworks

Background Information

In the United States, COSO published its Enterprise Risk Management - Aligning Risk with Strategy and Performance (COSO ERM, or ERM framework) in 2017.

In 2004, COSO identified a need for a robust framework to help companies effectively identify, assess, and manage risk. The resulting risk management framework expanded on the previously issued Internal Control - Integrated Framework, incorporating all key aspects of that framework in the broader ERM framework. COSO updated its Internal Control - Integrated Framework in 2013 and released an update to the 2004 ERM framework in 2017. COSO defines ERM as the culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.

In 2009, the International Organization for Standardization issued its standard ISO 31000:2009 (ISO 31000), the first globally recognized standard related to risk management. ISO 31000 was developed to provide a globally accepted way of viewing risk management, taking into consideration principles, frameworks, models, and practices that were evolving around the world. ISO 31000 includes three sections: principles, framework, and process.

Utilize the KnowledgeLeader website and perform the following:

A. Authenticate to the KnowledgeLeader website using your username and password.

B. Perform research on these two globally recognized risk management frameworks. Compare and contrast these frameworks. How do they differ? How are they similar?

C. Submit a brief write-up indicating the results of your research to your instructor.

EXHIBIT 5-1

IPPF GUIDANCE RELEVANT TO CHAPTER 5

Standard 2010 - Planning

Standard 2120 - Risk Management

Standard 2200 - Engagement Planning

Standard 2201 - Planning Considerations

Standard 2210 - Engagement Objectives

We all have objectives in life. You may want to earn your degree by next May. You may want to get a job as an internal auditor when you graduate. You may want to get a master of business administration (MBA) degree before you are 30.

5-1