Risk Response


1. Risk Identification
- Performed for the entire entity
- Audit/Risk Universe
- Brainstorming, SWOT, scenario analysis

2. Risk Assessment and Prioritization
- Probabilities and potential effects of the risk events identified are used to prioritize risks
- Involves an enterprise-wide risk map:
  - Estimate significance/impact
  - Assess likelihood
  - Consider means to manage

Risk Modeling
- Qualitative methods – listing, ranking and mapping
- Quantitative methods – probabilistic models, weighted

3. Risk Response
a) Risk Avoidance - ends the activity
   Ex. Risk of having a pipeline sabotaged can be avoided by selling the pipeline
b) Risk Retention - accepts the risk
   Ex. self-insurance; sinking funds
c) Risk Reduction - lowers the level of risk
   Ex. Risk of system penetration can be reduced by maintaining a robust information security function within the entity
d) Risk Sharing - transfers some loss potential
   Ex. Risk of car crash can be accepted through insurance
e) Risk Exploitation - pursues a high return on investment
   Ex. Risk of winning or losing a lottery

4. Risk Monitoring
- Tracks identified risks
- Evaluates current risk response
- Monitors residual risks
- Identifies new risks

Risk Management Framework
ISO 31000:2018 Risk Management – Guidelines
- Published by the International Organization for Standardization (ISO)
- Provides principles and guidelines for effective risk management.
- Provides foundations for discussing risk management and undertaking a critical review of an organization’s risk management process

Practice Questions

Which of the following is the correct order of steps in the risk management process?
1. Identify risks
2. Monitor risk responses
3. Formulate risk responses
4. Assess and prioritize risks
5. Identify context
A. 5, 1, 4, 3, 2.
B. 1, 4, 3, 2, 5.
C. 1, 3, 5, 4, 2.
D. 1, 5, 4, 3, 2.

A chief audit executive is reviewing the following risk map:
Which of the following is the correct prioritization of risks, considering limited resources in the internal audit activity?
A. Risk B, Risk C, Risk A, Risk D.
B. Risk C, Risk A, Risk D, Risk B.
C. Risk C, Risk A, Risk B, Risk D.
D. Risk A, Risk B, Risk C, Risk D.

Which risk response reflects a change from acceptance to sharing?
A. An insurance policy on a manufacturing plant was not renewed.
B. Management purchased insurance on previously uninsured property.
C. Management sold a manufacturing plant.
D. After employees stole numerous inventory items, management implemented mandatory background checks on all employees.

Many organizations use electronic funds transfer to pay their suppliers instead of issuing checks. Regarding the risk associated with issuing checks, which of the following risk management techniques does this represent?
A. Avoiding
B. Transferring
C. Controlling
D. Accepting

Inherent risk
A. The risk when management has not taken action to reduce the impact or likelihood of an adverse event
B. The risk after management takes action to reduce the impact or likelihood of an adverse event
C. A potential event that will adversely affect the organization
D. Risk response

What is Control?
Control – any action taken by management, the board and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
• Directly responsible
• Guidance, direction and oversight
• Frontline Personnel – minimum of what is expected
• Auditor – evaluate and monitor

Internal Control
A process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives.

Four basic purposes of internal control
(1) Safeguard assets.
(2) Promote operating efficiency.
(3) Ensure financial statement reliability.
(4) Encourage compliance with management directives.

CoCo Internal Control Framework
- Guidance on Control (commonly referred to as CoCo based on its original title, Criteria of Control)
- Published by the Canadian Institute of Chartered Accountants (CICA)

Purpose
• The model starts with the need for a clear direction and sense of purpose.
• This includes objectives, mission, vision and strategy; risks and opportunities; policies; planning; and performance targets and indicators.
• It is essential to have a clear driver for the control criteria, and since controls are about achieving objectives, it is right that people work to the corporate purpose. Much work can be done here in setting objectives and getting people to have a stake in the future direction of the organization. The crucial link between controls and performance targets is established here, as controls must fit in with the way an organization measures and manages performance to make any sense at all.

Commitment
• The people within the organization must understand and align themselves with the organization's identity and values.
• This includes ethical values, integrity, human resource policies, authority, responsibility and accountability, and mutual trust.
• Many control systems fail to recognize the need to get people committed to the control ethos as a natural part of the way an organization works.
• Where people spend their time trying to 'beat the system', there is normally a lack of commitment to the control criteria.
• The hardest part in getting good control is getting people to feel part of the arrangements.
