REGUNAYAN, MARCO PAUL C.

CBET – 01 – 502E PROF. MACRINA VIOLETA MUTUC

CHAPTER 3: Risk Assessments

1. What are the benefits of the internal audit function establishing a risk-based plan
when identifying the priorities of the internal audit activity?

The audit strategy of the internal audit department, which defines the audits to be carried
out by the internal audit function, must be focused on defining and assessing the organization's
risks. Having now articulated management’s responsibility for internal controls and how internal
audit might play a role in assisting management to fulfill that responsibility, some specific
benefits of the internal audit function establishing a risk-based plan are:
• Management has identified, assessed and responded to risks above and below the risk
appetite.
• The responses to risks are effective but not excessive in managing inherent risks within
the risk appetite.
• Where residual risks are not in line with the risk appetite, action is being taken to remedy
that.
• Risk management processes, including the effectiveness of responses and the completion
of actions, are being monitored by management to ensure they continue to operate
effectively.
• Risks, responses and actions are being properly classified and reported.

(page 24)

2. Describe three ways that internal auditors can better identify the risks related to the
area under review.

Three ways that internal auditors can better identify the risks related to the area under review:
1. It is helpful to involve individuals with an extensive understanding of the program or
procedure that will be evaluated in the risk identification exercise. At this point in the
process, their knowledge and expertise can be very beneficial and it will be equally
relevant in subsequent steps as well.
2. Using a prepared list is another way of recognizing related risks. There are many
available models and lists, mostly arranged by industry. Auditors should still recognize
their organizations' peculiarities when using them and ensure that the list is tailored
accordingly.
3. With simple observation, you may be able to recognize areas where things are not being
done correctly. Abnormally high costs in one department may also suggest an
unmitigated risk. With data and trend analysis, you can identify the root causes of
occurrences. Incidents and near-misses are key indicators of problem areas that need to
be addressed by the risk management team.

(page 64)

3. What are three internal and three external factors affecting a typical organization?
How do these factors affect the future prospects of the organization?

It is imperative for internal auditors to remember that there are internal and external
constraints in organizations.
Internal constraints typically include:
1. Equipment - the types of equipment available and the ways they are used limit the ability
of the process to produce more high quality goods and deliver services.
2. People - lack of skilled and motivated workers limits the productive capacity of any
process. Attitudes and other mental models (e.g., feeling defeated, victimized, or
hopeless) embraced by workers can lead to behaviors that become a constraint on the
process.
3. Policies - written and unwritten policies can prevent the process from producing more of
higher quality goods and services.
External constraints typically include:
1. The slowest operation in a process,
2. The synchronization of activities within or between processes, and
3. Robbing materials and other resources within or between processes or units.

(pages 65-66)

4. Describe an event that has transformed or disrupted an industry and include: (1)
An example of an organization that benefited from that opportunity and (2) an
example of another organization that mismanaged it and suffered losses as a result.

The COVID-19 pandemic has significantly disrupted the operations of almost all industries
across the world economy. However, amid the enforcement of social distancing and quarantine
measures, a handful of lucky industries are set to outperform in these difficult economic
conditions.
Operators in the Online Food Ordering and Delivery Platforms industry, such as Grab and
Food Panda, are likely to benefit from a surge in restaurant registrations for their delivery
platforms. Food outlets that previously were hesitant to engage in online delivery are now
anticipated to embrace this revenue channel in an effort to continue operating.
The travel & tourism industry is severely affected by the coronavirus outbreak. With
COVID-19 being a pandemic, people are avoiding travel to different countries and cities, which
has negatively impacted the travel business and has affected the tourism benefits of the affected
countries.

5. List three organizations that provide lists of common vulnerabilities useful during a
risk assessment.

In technological circles, the common vulnerabilities and exposures (CVE) is a list of
information security vulnerabilities and exposures that provides common names for known cyber
security issues.
1. Application Security, Inc. - is committed to delivering solutions that are compatible and
interoperable with the IT security environment at large. In the vulnerability management
marketplace, that means speaking CVE. We've kept our SHATTER knowledgebase, the
world's most comprehensive list of database vulnerabilities and misconfigurations, up-to-
date with CVE references since 2004.
2. Backbone Security.com, Inc. - aims to provide their customers with the best information
available on how to protect their infrastructure. By integrating CVE into our product, we
are providing up-to-date vulnerability information that can be used to enable a network
administrator to defend their enterprise data and resources.
3. Beijing Venustech Cybervision Co., Ltd. - provides users with a series of network
security products, which along with our own independent intellectual property, are
compliant with the international standard, CVE. Beyond products, we deliver our
customers life-cycle services including consulting, design, implementation, maintenance,
and training.

(page 74)

6. List three of the benefits of CSA programs.

1. CSAs are designed to address this gap. They consist of questionnaires and other forms
that process owners complete that identify the major activities in their programs and
processes, the objectives, risks and controls, the individuals that perform key tasks and
controls, and the major challenges affecting these programs and processes.
2. An effective CSA program can help reduce audit fatigue and limit the amount of effort
required for extensive audit testing of internal controls.
3. CSAs help strengthen the internal control environment, which in turn, heightens the level
of assurance for all stakeholders involved.

(page 75)

7. Describe three risks that are unique to each of the following two manufacturing
approaches: made to order (MTO) and made to stock (MTS).

Risks that are unique to MTO:

1. Irregular sale demands
2. Material stock falling behind
3. Customer wait times

Risks that are unique to MTS:

1. Unpredictable nature of consumer trends
2. Either having too much or not enough stock
3. Difficulty in making accurate sales forecasts

8. Explain why internal auditors should consider bottlenecks, long cycle times,
redundancies, and reprocessing as operational risks.

Internal auditors should consider bottlenecks, long cycle times, redundancies, and
reprocessing as operational risks because they affect the effectiveness and efficiency of operations
and programs of the company. Effectiveness is the process of evaluating the degree to which the
organization, program, or process is achieving its goals and objectives, and efficiency relates to
the use of inputs and other resources toward the achievement of goals and objectives in some
form of productive activity. The internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the organization’s governance, operations,
and information systems.

(pages 86-87)

9. What are the risk implications of outsourcing? Explain why management must
remain vigilant even if a process and related activities have been outsourced to
another organization.

Key risks associated with outsourcing:

• Outsourcing is not aligned to the strategic objectives of the organization. Outsourcing
the wrong element of operations can only be of detriment to the services provided by
the organization. This ultimately impacts the organization's performance and
reputation.
• An outsourced provider of services increases the potential for loss or theft of personal
and other confidential data. Third party loss of confidential data arising through data
transfer resulting in fraudulent activities undertaken from lost/stolen data.
• The supplier selection process fails to appoint a competent and experienced
outsourced provider to deliver a robust service. Supplier is unable to provide the
service within the terms of the contract and quality expected by the organization's
customers and regulators, resulting in reductions in profit, penalties and/or fines.

10. What are some of the practices expected of organizations to fight corruption and
support efforts to decrease institutional corruption?

To fight corruption successfully, the following conditions are necessary:

• Companies of all sizes and ownership are exposed to the risk of corruption and other
corporate misconduct. They have a responsibility to prevent and detect corruption
through strong corporate governance frameworks and to promote a culture of
integrity.
• Technology and innovations will play a key role in promoting transparency and
avoiding corruption in the coming years. In the legal sector, innovations such as plea
bargains, which were an essential instrument in the Lava Jato case for the prosecution
of the politicians involved in the scheme, could be adopted.
• Active participation of employees is fundamental to prevent corruption and promote
transparency. Now, with social networks and increased access to information, there is
an enormous potential to strengthen integrity in their organizations.

REFERENCES:

An Effective Control Self-Assessment (CSA) Program | Workiva. (n.d.). Workiva. Retrieved
September 22, 2020, from https://www.workiva.com/blog/4-factors-effective-control-self-assessment-csa

CVE - Organizations Participating (Archived). (n.d.). Common Vulnerabilities and Exposures.
Retrieved September 22, 2020, from https://cve.mitre.org/compatible/organizations.html

Five Industries Set to Outperform Due to COVID-19 | IBISWorld Industry Insider. (n.d.).
IBISWorld. Retrieved September 22, 2020, from
https://www.ibisworld.com/industry-insider/coronavirus-insights/five-industries-set-to-outperform-due-to-covid-19/

Make to Order Vs Make to Stock: The Final Workflow Showdown. (n.d.). Katana. Retrieved
September 22, 2020, from https://katanamrp.com/blog/make-to-order-vs-make-to-stock/

Murdock, H. (2016). Operational Auditing: Principles and Techniques for a Changing World
(Internal Audit and IT Audit) (1st ed.). Auerbach Publications.

Oberoi, A. (2020, July 17). 7 Industries most Affected by Coronavirus (COVID-19). Daffodil.
https://insights.daffodilsw.com/blog/7industries-that-are-affected-by-coronavirus-covid-19

Outsourced services | Supply chains | Auditing business functions | Technical guidance | IIA.
(n.d.). Chartered Institute of Internal Auditors. Retrieved September 22, 2020, from
https://www.iia.org.uk/resources/auditing-business-functions/supply-chains/outsourced-services/

Plata, G. (n.d.). How could we end corruption? Inter-American Development Bank. Retrieved
September 22, 2020, from https://www.iadb.org/en/improvinglives/how-could-we-end-corruption

https://global.theiia.org/standards-guidance/topics/Documents/201501GuidetoRBIA.pdf