Part 1 2 – 1 V3.0 THE IIA’S CIA LEARNING SYSTEM TM www.LearnCia.com 1. Risk and control terminology 2. Risk elements 3. Control elements Section Topics Part 1, Section 2

Upload: cecilia-palmer

Post on 13-Dec-2015

Part 1 2 – 1 V3.0

THE IIA’S CIA LEARNING SYSTEM™

www.LearnCia.com

Part 1, Section 2

Section Topics

1. Risk and control terminology

2. Risk elements

3. Control elements

The Nature of Work for the Internal Audit Activity

Risk

Help manage risk by:

• Identifying and evaluating significant exposures to risk.

• Contributing to the improvement of risk management and control systems.

• Monitoring and evaluating the risk management system.

Control

Help maintain effective controls by:

• Evaluating the effectiveness and efficiency of controls.

• Promoting the continuous improvement of the control environment.

Governance

Help assess and improve governance by:

• Promoting appropriate ethics and values.

• Ensuring effective performance management and accountability.

• Effectively communicating risk and control information.

• Effectively coordinating the activities and communicating information.

Part 1, Section 2, Introduction

Risk and Control

Risk: “The possibility of an event occurring that will have an impact on the achievement of objectives; it is measured in terms of impact and likelihood.”

Control: “Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.”

Source: Standards Glossary.

Part 1, Section 2, Topic 1

Discussion Question

Identify the following statements as true or false.

Risk begins with strategy formulation and objective setting.

Risk reflects a single outcome.

Risks may present threats to an organization or be the failure to achieve positive outcomes.

Business risks are uncertainties related to the achievement of business objectives.

Answers:

False

True

True

True

Part 1, Section 2, Topic 1

Discussion Question

Identify the terms described below.

1. The business impact that would be experienced if certain risks became realized.

2. The risk derived from the environment without the mitigating effects of internal controls.

3. The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities.

4. The level of risk an organization is willing to accept.

Answers:

Inherent risk

Residual risk

Risk appetite

Acceptable risk

Part 1, Section 2, Topic 1

Terminology

The list of terms provides a common language to use with the board, management, and others in all communications.

Any questions about other terms?

Part 1, Section 2, Topic 1

Risk Assessment Process

Part 1, Section 2, Topic 2

Discussion Question

Identify the following items as likelihood or impact factors.

1. Negative press about a discriminatory employment practice

2. Increasing complexity of environmental regulations

3. Length of time a plant remains shutdown after a fire

4. Probability estimates for a new product launch

Answers:

Likelihood

Impact

Impact

Likelihood

Part 1, Section 2, Topic 2

Risk Map for Likelihood and Impact

[Figure: four-quadrant risk map. Axes: Impact and Likelihood, each running from Low to High.]

• High Impact, Low Likelihood

• High Impact, High Likelihood

• Low Impact, Low Likelihood

• Low Impact, High Likelihood

Part 1, Section 2, Topic 2

Benefits and Limitations of Internal Control

Helps mitigate risk and ensure that management strategies and objectives are carried out

Internal control can:

+ Achieve performance and profitability targets.

+ Prevent loss of resources.

+ Support reliable financial reporting.

+ Support compliance with laws and regulations, avoiding damage to reputation or other consequences.

Internal control cannot:

– Ensure organizational success or even survival.

– Ensure the reliability of financial reporting.

– Ensure absolute compliance with laws and regulations.

Part 1, Section 2, Topic 3

Types of Controls

Type of Control: Preventive

Description: Proactive controls that deter undesirable events from occurring

Examples:

• Ethical “tone at the top”

• Effective empowerment

• Mutual trust

• Performance standards

Type of Control: Detective

Description: Reactive controls that detect undesirable events that have occurred

Examples:

• Input controls

• Processing controls

• Output controls

Type of Control: Directive

Description: Proactive controls that cause or encourage a desirable event to occur

Examples:

• Guidelines

• Training programs

• Incentive plans

Type of Control: Mitigating

Description: Controls that reduce the potential impact should an event occur

Examples:

• Insurance

Type of Control: Compensating

Description: Controls that compensate for the lack of an expected control

Examples:

• Close supervision in lieu of segregation of duties

Part 1, Section 2, Topic 3

Discussion Question

Identify the following items as active or passive controls.

1. Independent verification of performance

2. Accounts payable transaction procedures

3. Information system controls limiting transactions

4. Plant heating, ventilation, and air conditioning system

5. Senior and operating management status meetings

Answers:

Active

Passive

Active

Active

Passive

Part 1, Section 2, Topic 3

The Control Loop

Part 1, Section 2, Topic 3

Discussion Question

Which of the following characterize effective controls? (Select all that apply.)

I. Root cause identification

II. Efficiency in achieving intended objectives

III. Alignment to strategic objectives

IV. Redundant controls to ensure accuracy

Answer: I, II, and III. Excessive and/or redundant controls can lead to confusion and frustration.

Part 1, Section 2, Topic 3

Reinforcing Activity 1-5

Risk and Control Elements

Part 1, Section 2, Topics 1, 2, and 3

Questions?

Part 1, Section 2

End of Section 2