Internal Auditing: Assurance & Advisory Services, 4th Edition (2017), Internal Audit Foundation


Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA

CASE STUDIES

Case Study 1: Auditing Entity-Level Controls

[Exhibit CS 1-1: Top-Down View of Enterprise Risk Management. Figure labels, from the top of the funnel down: Inherent Risk (Gross Risk); Entity-Level Controls; Governance Controls & Management-Oversight Controls; Process-Level Controls; Transaction-Level Controls; Additional Mitigating & Compensating Controls; Residual Risk (Net Risk); Residual Risk Should Be ≤ Risk Appetite.]

Exhibit CS 1-1, which is taken from exhibit 4-3 in chapter 4, “Risk Management,” depicts the top-down approach to evaluating a system of internal controls. The key points to be understood from this illustration are:

■ Every organization faces a variety of risks, depending on its business objectives. Some of these business objectives may describe the desired state of operation brought about by a good system of internal controls. For example, controls-focused business objectives may be stated in the following terms:
    ● To establish and promote a culture of integrity, compliance, competence, and accountability; doing the right thing.
    ● To reduce entity-level risks to acceptable levels.

■ Risks that impact an organization’s ability to achieve its business objectives are shown in exhibit CS 1-1 as colored balls of varying sizes. This reflects the fact that some risks will have greater impact than others. Additionally, some risks are clustered together, representing the fact that while the risks individually may not be serious, when related risks are aggregated, they can become more serious. Initially, these risks are uncontrolled, or are in their inherent, or gross, risk state. Examples of risks affecting controls-focused business objectives include:
    ● Inadequate understanding of management’s expectations, including risk appetite.
    ● Noncompliance with laws and regulations.
    ● Employees conducting themselves in an unethical manner.
    ● Incentives that promote the wrong behavior.

■ The system of internal controls is depicted as a funnel to illustrate the “filtering” of key risks that occurs at varying levels of that system. For example, the largest risks should be mitigated by the entity-level controls at the top of the funnel. Examples of such risks can be seen under the definitions above. Those that pass through the entity-level filters are next subjected to the process-level and transaction-level controls. Recall that controls may be considered key or secondary, depending on whether they reduce the risk associated with critical objectives. Distinguishing between key controls and secondary controls also applies to entity-level controls. Additionally, in some cases, management may deploy additional mitigat-