
Cialana John Carlo A.

2018053911

Operations Auditing

1. What are objectives? What three categories of objectives are set forth in the
COSO framework?

- Before we get into the question's objectives: the COSO framework is one of the most
widely used and significant models for designing, implementing, maintaining, and
evaluating internal control. It is acknowledged as the industry standard for
evaluating an organization's internal control effectiveness. The three goals of the
COSO Framework are as follows:
● First is Operations - These pertain to the entity's operational efficacy and
efficiency, including financial and operational performance goals and asset loss
prevention.
● Second is Reporting - These apply to both internal and external financial and
non-financial reporting, and they cover reliability, timeliness, transparency, and
any other criteria that are specified by regulators, standard-setters, or the entity's
policies.
● Last is Compliance - These involve adhering to the rules and laws that
the company must follow.

2. What does the control environment comprise?

- The guidelines by which the board of directors can carry out its governance
oversight responsibilities, the organizational structure and delegation of authority,
the method for finding, developing, and keeping qualified personnel, and the
stringency surrounding performance indicators, rewards, and incentives to
encourage performance accountability are all aspects of the organization's moral
character and ethics.

3. What are control activities? What types of control activities are present in a
well-designed system of internal controls?

- Actions taken by management, the board, and other parties to cut down on risk
and make it more likely that the goals and objectives that have been set will be
achieved. The control activities are as follows:
● Performance reviews and follow-up activities.
● Authorizations (approvals).
● IT access control activities.
● Documentation (rigorous and comprehensive).
● Physical access control activities.
● IT application (input, processing, output) control activities.
● Independent verifications and reconciliations.

4. When are monitoring activities most effective? Who performs monitoring
activities? What distinguishes separate evaluations from ongoing monitoring
activities?

- When a layered strategy is utilized. The aforementioned daily management
activities in a specific area make up the first layer. The second layer is a
separate, non-independent evaluation of the area's internal controls that
management conducts on a regular basis to make sure that any problems are
found and fixed promptly. The results of management's self-evaluation of the
effectiveness of controls in their area are validated (in terms of accuracy and
reliability) by an independent assessment carried out by an outside area or
function, typically the internal audit function.

5. How does internal auditors’ perspective of internal control differ from
management’s perspective?

- Like management, internal auditors look at internal control in terms of how it
helps the company achieve its goals. Internal auditors are tasked with
independently confirming that the organization's controls are appropriately
designed and functioning as intended by management, whereas management is
accountable for the system of internal controls as a whole. The likelihood of
achieving an organization's goals is increased by this independent validation,
which takes into account all of the entity's systems, processes, operations,
functions, and activities. In addition, internal auditors can provide management
with insight into internal controls that may be considered for elimination because
they are redundant or the benefits they provide do not outweigh the costs of
implementing them. They are also well-positioned to provide their perspective on
the costs versus benefits of specific control activities.

6. How does COSO define risk? How does ISO define risk?

- The COSO definition of risk is "...the possibility that an event will occur and
adversely affect the achievement of an objective," while the ISO definition is
"effect of uncertainty on objectives."

7. What are the five COSO ERM components?

- The five COSO components - control environment, risk assessment, information
and communication, monitoring activities, and existing control activities - are
often abbreviated as C.R.I.M.E.:
● In Control Environment: What procedures and policies has management
established to direct the organization? What kind of tone has management set in
the company to make sure that everyone knows that it is their job to make sure
your controls work well and produce the expected results?
● In Risk Assessment: How does your company evaluate risk to identify threats to
achieving its objectives?
● Information and Communication: What expectations are communicated by
management to both internal and external users? How can you guarantee that
those individuals will acknowledge that they comprehend what you are asking of
them?
● Monitoring Activities: How does management keep an eye on the organization
as a whole? When something doesn't work right, how can you tell and fix it as
soon as possible?
● Lastly, Existing Control Activities: What controls are currently in place? Did they
remain in place and function as intended over time?

8. How does COSO define risk appetite?

- "The types and amount of risk that an organization is willing to accept on a broad
level in pursuit of value" is the definition of risk appetite in the COSO Enterprise
Risk Management—Integrating with Strategy and Performance standard. There
are a few important points in this definition.

9. What are some ERM assurance activities the internal audit function may
perform? What are some ERM consulting activities the internal audit function
may perform if appropriate safeguards are implemented? What ERM activities
should the internal audit function not perform?

Assurance activities the internal audit function may perform:

● Giving assurance on the risk management processes.
● Giving assurance that risks are correctly evaluated.
● Evaluating risk management processes.
● Evaluating the reporting of key risks.
● Reviewing the management of key risks.

Consulting activities the internal audit function may perform if appropriate safeguards
are implemented:

● Facilitating identification and evaluation of risks.
● Coaching management in responding to risks.
● Coordinating ERM activities.
● Consolidating the reporting on risks.
● Maintaining and developing the ERM framework.
● Championing the establishment of ERM.
● Developing ERM strategy for board approval.

Activities the internal audit function should not perform:

● Setting the risk appetite.
● Imposing risk management processes.
● Management assurance on risks [that is, being the sole source for
management’s assurance that risks are effectively managed—this would be
considered performing a management function].
● Taking [making] decisions on risk responses.
● Implementing risk responses on management’s behalf.
● Accountability for risk management.

10. What are COSO’s five categories of risk response?

- There are five components to COSO: environment control, risk assessment,
information and communication, activities of monitoring, and current control
activities.
