2. Risk Management

The IIA Practice Guide concerning the ISO 31000 model describes three approaches to providing assurance on risk management processes.
1. The maturity model approach is based on the principle that effective risk management processes develop as value is added at each stage of maturation.
2. The process element approach determines whether each element has been implemented.
3. The key principles approach determines the extent to which risk management creates and protects value, is fully integrated with management at all levels, etc.
Control activities
Control activities are policies and procedures to ensure the effectiveness of risk responses.
Risk modeling in a consulting service
Risk modeling in a consulting service is done by ranking the engagement’s potential to (1) improve management of risks, (2) add value, and (3) improve the organization’s operations (Impl. Std. 2010.C1). Senior management assigns a weight to each item based on organizational objectives. The engagements with the appropriate weighted values are included in the annual audit plan.
Qualities that should be possessed by a board of directors
Directors’ attitudes are a key component of the internal environment. They must possess certain qualities to be effective.
• A majority of the board should be outside directors.
• Directors generally should have years of experience either in the industry or in corporate governance.
• Directors must be willing to challenge management’s choices. Complacent directors increase the chances of adverse consequences.
Inherent risk is
Inherent risk is the risk when management has not taken action to reduce the impact or likelihood of an adverse event. Thus, it is risk in the absence of a risk response.
Risk appetite should be considered in
1. Evaluating strategies,
2. Setting related objectives, and
3. Developing risk management methods.
Components of the ISO 31000 model as described in The IIA Practice Guide
1. Design of framework.
2. Continual improvement.
3. Monitoring and review.
In the risk management process, management’s view of the internal audit activity’s role is likely to be determined by
1. Ability of the internal audit staff.
2. Local conditions and customs of the country.
3. Organizational culture.
Risk exploitation
Risk exploitation seeks risk to pursue a high return on investment.
Difference between traditional risk management and ERM
The enterprise risk management approach set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) attempts to approach an organization as a whole instead of focusing on any specific area or risk.
Risk modeling or risk analysis is often used in conjunction with development of long-range engagement work schedules. The key input in the evaluation of risk is…
Judgment of the internal auditors. Assessing the risk of an activity entails analysis of numerous factors, estimation of probabilities and amounts of potential losses, and an appraisal of the costs and benefits of risk reduction. Consequently, in assessing the magnitude of risk associated with any factor in a risk model, informed judgment by the internal auditor is required.
Which approach to providing assurance on the risk management process is based on the principle that effective risk management processes develop as value is added at each stage of maturation?
The maturity model approach is based on the principle that effective risk management processes develop as value is added at each stage of maturation. Accordingly, this approach determines where risk management is on the maturity curve and whether it (1) is progressing as expected, (2) adds value, and (3) meets organizational needs.
Objectives affected by external events that the entity may not be able to control
Strategic and operational matters are affected by external events that the entity may not control. Thus, ERM should provide reasonable assurance that management and the board receive timely information about whether those objectives are being achieved.
Reporting and compliance are within the entity’s control. Accordingly, ERM should provide reasonable assurance of achieving those objectives.
Quantitative risk management methods are most appropriate for
The use of derivatives by the organization. The organization designs risk management processes based on its culture, management style, and business objectives. For example, the use of derivatives or other sophisticated capital market products by the organization could require the use of quantitative risk management tools. But the internal auditor determines that the methodology chosen is sufficiently comprehensive and appropriate for the nature of the organization.
Risk management is the responsibility of management. The role of the internal audit activity in the risk management process may include
The internal audit activity’s role in the risk management process of an organization can change over time and may include responsibilities along a continuum that extends from (1) no role; (2) auditing the risk management process as part of the internal audit plan; (3) active, continuous support and involvement in the risk management process, such as participation on oversight committees, monitoring activities, and status reporting; and (4) managing and coordinating the process (PA 2120-1, para. 4).
When ERM is effective regarding all of the objectives, the board and management have reasonable assurance that
When ERM is effective regarding all of the objectives, the board and management have reasonable assurance that (1) reporting is reliable, (2) compliance is achieved, and (3) the extent of achievement of strategic and operations objectives is known.
Which of the following is a principal benefit of enterprise risk management (ERM)?
Preventing loss of reputation and resources.
The correct order for performing the first four phases of the enterprise risk management (ERM) process is
The correct order for performing the first four phases of the enterprise risk management (ERM) process is as follows: internal environment, objective setting, event identification, risk assessment.
Risk is measured in terms of significance and likelihood. Excessive cash disbursements due to duplicate payments to vendors are events that most likely are placed in which area of a risk map?
High significance, medium likelihood.
The function of the chief risk officer is most effective when the chief risk officer
Monitors risk as part of the enterprise risk management team.
A chief risk officer is a member of management assigned primary responsibility for enterprise risk management processes. The chief risk officer is most effective when supported by a specific team with the necessary expertise and experience related to organization-wide risk.
Internal environment
Risk response is a separate component of the COSO ERM model from the internal environment component.
Internal audit assessment
Significant risks and ongoing monitoring activities are assessed by the internal audit activity as part of the risk management process (Inter. Std. 2120). But review of previous risk evaluation reports is a means of obtaining evidence for an assessment.
Senior management has identified the trading of marketable securities as a high-risk activity. In response, a new supervisory position was created. Every evening after the close of business, this supervisor reviews every trade made during the day. After 6 months of trading marketable securities under this system, the quantified risk reported by the internal audit activity is termed
Residual risk. It is the risk after a risk response.
Capabilities of enterprise risk management (ERM):
1. Quicker response to opportunities.
2. Better capital allocation.
3. Reduction of operational surprises and losses.
Increasing the net present value of investments is an operational objective. It would be determined after consideration of the entity’s risk appetite and other strategic factors.