Risk management

Cards (54)

  • Risk
    Business firms face risks that reduce the chances of achieving their control objectives
  • Sources of risk
    • Internal sources (e.g. employees)
    • External sources (e.g. computer hackers)
  • Risk assessment
    1. Identifying relevant risks
    2. Analyzing the extent of exposure to those risks
    3. Managing risks by proposing effective control procedures
  • Typical sources of risk - I
    • Clerical and Operational Employees
    • Computer Programmers
    • Managers and Accountants
  • Typical sources of risk - II
    • Former Employees
    • Customers and Suppliers
    • Competitors
    • Outside Persons (e.g. Computer Hackers and Criminals)
    • Acts of Nature or Accidents
  • Types of risks
    • Unintentional errors
    • Deliberate Errors (Fraud)
    • Unintentional Losses of Assets
    • Thefts of assets
    • Breaches of Security
    • Acts of Violence and Natural Disasters
  • Factors that increase risk exposure
    • Frequency - the more frequently a transaction occurs, the greater the exposure to risk
    • Vulnerability - liquid and/or portable assets contribute to risk exposure
    • Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure
  • Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures
  • Lack of Enforcement - Management may not prosecute wrongdoers because of the potential embarrassment
  • Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect
  • Enterprise risk management
    A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
  • Categories of objectives
    • Strategic - high-level goals, aligned with and supporting its mission
    • Operations - effective and efficient use of its resources
    • Reporting - reliability of reporting
    • Compliance - compliance with applicable laws and regulations
  • Achievement of strategic objectives and operations objectives is subject to external events not always within the entity's control; accordingly, for these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives
  • Components of enterprise risk management
    • Internal Environment
    • Objective Setting
    • Event Identification
    • Risk Assessment
    • Risk Response
    • Control Activities
    • Information and Communication
    • Monitoring
  • Determining whether an entity's enterprise risk management is "effective" is a judgment resulting from an assessment of whether the eight components are present and functioning effectively
  • Limitations of enterprise risk management
    • Human judgment in decision making can be faulty
    • Decisions on responding to risk and establishing controls need to consider the relative costs and benefits
    • Breakdowns can occur because of human failures such as simple errors or mistakes
    • Controls can be circumvented by collusion of two or more people
    • Management has the ability to override enterprise risk management decisions
  • Audit universe
    • Planning and Resource Allocation
    • Mergers, Acquisitions, and Divestiture
    • Major initiatives
    • Market Dynamics
    • Governance
    • Communication and Investor Relations
    • People/Human Resources
    • Information Technology
    • Supply Chain
    • Sales and Marketing
    • Hazards
    • Physical Assets
    • Accounting and reporting
    • Liquidity and credit
    • Market
    • Capital structure
    • Tax
    • Regulatory
    • Legal
    • Code of Conduct
    • Financial reporting
    • Compliance
    • Operations
    • Strategic
  • Roles and responsibilities
    • Chief executive officer
    • Other managers
    • Risk officer, financial officer, internal auditor, and others
    • Other entity personnel
    • Board of directors
    • External stakeholders (e.g. customers, vendors, business partners, external auditors, regulators, and financial analysts)
  • Controls
    • May relate to manual AISs, to computer-based AISs, or both
    • May be grouped into General controls, Application controls, and Security measures
    • May also be grouped in terms of risk aversion: Corrective, Preventive, and Detective Controls
  • Control classifications
    • By Setting: General, Application (Input, Processing, Output)
    • By Risk Aversion: Corrective, Preventive, Detective
  • General controls
    • Organizational or Personnel Controls
    • Documentation Controls
    • Asset Accountability Controls
    • Management Practice Controls
    • Information Center Operations Controls
    • Authorization Controls
    • Access Controls
  • Organizational or personnel controls
    • Organizational independence, which separates incompatible functions, is a central control objective
    • Diligence of independent reviewers, including BOD, managers, and auditors
    • In a manual system, authorization, record-keeping, and custodial functions must be kept separate
    • In computer-based AISs the major segregation is between the systems development tasks and the data processing tasks
  • Documentation controls
    • Documentation consists of procedures manuals and other means of describing the AIS and its operations
    • Storing a copy of documentation in a fireproof vault, and having proper checkout procedures
  • Examples of asset accountability controls
    • Subsidiary ledgers
    • Reconciliations
    • Acknowledgment procedures
    • Logs and Registers
    • Reviews & Reassessments
  • Management practice controls
    • Human resource Policies and Practices
    • Commitment to Competence
    • Planning Practices
    • Audit Practices
    • Management & Operational Controls
    • Controls over Changes to Systems
    • New System Development Procedures
  • Examples of computer facility/information center controls
    • Proper Supervision over computer operators
    • Preventive Diagnostic Programs
    • Disaster Recovery Plan
    • Hardware controls (e.g. Duplicate Circuitry, Fault Tolerance, Scheduled Preventive Maintenance)
    • Software checks (e.g. Label Check, Read-Write Check)
  • Application controls
    Pertain directly to the transaction processing systems
    Ensure that all transactions are legitimately authorized and accurately recorded, classified, processed, and reported
  • Authorization controls
    • General authorization establishes the standard conditions for transaction approval and execution
    • Specific authorization establishes specific criteria for particular sums, events, occurrences
    • In on-line computerized systems, authorization is usually verified by the system
  • Input controls
    • Data Observation and Recording
    • Data Transcription (Batching and Converting)
    • Edit tests of Transaction Data
    • Transmission of Transaction Data
  • Controls for data observation and recording
    • Use of pre-numbered documents
    • Keeping blank forms under lock and key
    • Online computer systems offer features like menu screens, preformatted screens, scanners, feedback mechanisms, echo routines
  • Internal control
    A state that management strives to achieve to provide reasonable assurance that the firm's objectives will be achieved
    Encompasses all the measures and practices that are used to counteract exposures to risks
  • Objectives of the internal control structure
    • Promoting Effectiveness and Efficiency of Operations
    • Reliability of Financial Reporting
    • Safeguarding assets
    • Checking the accuracy and reliability of accounting data
    • Compliance with applicable laws and regulations
    • Encouraging adherence to prescribed managerial policies
  • Components of the internal control structure
    • Control Environment
    • Risk Assessment
    • Control Activities
    • Information & Communication
    • Monitoring
    • Activities related to Financial Reporting
    • Activities related to Information Processing
    • General Controls
    • Application Controls
  • Risk
    The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
  • If realized
    Would affect the company
  • Factors that define impact rating
    • Financial effect
    • Reputation
    • Ability to achieve key objectives
  • Residual Risk
    Risk remaining after a risk response
  • Opportunity
    Event will occur and positively affect the achievement of objectives
  • Risk Appetite
    Amount of risk an organization is willing to accept in pursuit of value
  • Risk Tolerance
    Specific maximum risk that an organization is willing to take regarding each relevant risk