RISK ASSESSMENT AND RISK MANAGEMENT
WRITTEN ASSIGNMENT WEEK 3
Read the case study from the Internal Audit Foundation about Auditing Entity-Level Controls.
From the case study, do the following analysis from your own words (use APA format):
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Submit a 2-3 pages case analysis, (excluding the title page and reference page) double-spaced in Times New Roman font which is no greater than 12-points in size. Paper and all citations should be in APA format. Send it to maggrabillo@rtu.edu.ph
After sending through email, kindly post in rich text format your case analysis by commenting in to this post.
Deadline for accomplishment: November 06, 2021
1. What is the importance of Entity Level Controls to effective risk management and control access to the whole organization?
Entity-Level Controls are controls that function profoundly throughout the enterprise to minimize risks confronting the company as a whole and to guarantee that organizational objectives are met. A code of ethics, risk assessment practices, prevention of fraud, numerous control programs, human resources procedures, and variance analysis are just a few instances of these measures (Fitzgerald, 2020). These controls are significant to the overall success of the organizations as businesses with weak and poor controls may experience unwanted problems and circumstances that may possibly affect the goal of achieving their organizational goals. These controls have a huge impact on the organization as they ensure that management instructions affecting the entire organization are implemented and maintained.
The corporate culture and principles of the organization are defined by these regulations. The way people work and how operational processes are created and executed are all influenced by entity-level restrictions (Colby, 2021). These controls are extremely important to organizations as they both use preventative and detective measures. If issues arise, these controls would determine the proper and appropriate way of addressing such. They also have a huge impact on companies as they help them assess the influence of certain functions on internal company operations and adjust their control scheme as necessary.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
WorldCom, situated in Ashburn, Virginia, was a big American telecommunications firm. WorldCom was revealed to have overstated its assets by about $11 billion in 2002, making it by far one of the biggest accounting scams ever.
By capitalizing rather than expensing line costs, the corporation underreported them, and by creating bogus entries, it exaggerated its earnings. When the corporation's internal audit department discovered about $3.8 billion in bogus accounts, the matter became public and caused widespread attention. The company's CEO, Bernie Ebbers, was sentenced to 25 years in jail for all the financial crimes he committed. Over 30,000 jobs were lost as a result of the fraud, and investors lost over $180 billion (CFI, 2015).
LEYCO, PATRICIA DENISE P. (2019-101438)
3. What is residual risk and why is it important for internal auditors to identify, measure and analyze this risk?
The vulnerability or susceptibility that persists after all risk management and restoration measures have been accomplished is referred to as residual risk. Even with a well-designed exposure sanitation program, residual risks will still exist. Considering residual risks would always be present, the method of managing them entails establishing an appropriate risk level and then adopting programs and solutions to eliminate any risks below it (Kost, 2021). It is critical for internal auditors to identify, measure and analyze this risk as it could cause the organization to fail. Immediate and appropriate actions should be made to minimize these risks. There should be an implementation of security procedures to lessen or totally eradicate the negative effects of a threat. One must not think small of residual risks as they can still potentially cause harm to the organization. Organizations must have strong capability in controlling this risk to be able to make wise and sound corporate decisions that would determine the success of the company.
References:
CFI. (2015). Top Accounting Scandals. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Colby, L. (2021). Entity Level Controls: Impact on an Organization and the Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
Fitzgerald, N. (2020). Entity Level Controls and Associated Risks. https://www.google.com/amp/s/blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place%3fhs_amp=true
Kost, E. (2021). What is Residual Risk and Why It Matters in 2021. https://www.upguard.com/blog/residual-risk
LEYCO, PATRICIA DENISE P. (2019-101438)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity level controls are used to identify whether an organization's values, systems, rules, and processes might encourage or discourage fraud. They refer to the management style of the entity, as expressed in the corporate culture, values, philosophy, and operating style, as well as the organizational structure and rules and procedures in place (Murdock, 2017). Entity-level controls, their existence and application, are critical components of any organization. They lay the groundwork for the organization's everyday operations (people and processes), as well as how it is perceived and interacts with external stakeholders. Entity-level controls are also an important aspect of an audit since they analyze the organization's general tone at the top and serve as the foundation for lower-level operational controls. To provide for an overall strong control environment, all five components – control environment, risk assessment, monitoring, communication & information, and control actions – must be applied (Colby, 2021).
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Some of the worst accounting scandals in history occurred in the last two decades. Hundreds of billions of dollars were lost as a result of these financial disasters, which wrecked businesses and people's lives. Enron Corporation is one of the most well-known financial scandals that failed to demonstrate sufficient entity-level controls.
According to CFI, one of the most famous financial scandals in history is the scandal about Enron Corporation. Enron Corporation was an energy, commodities, and services company based in Houston, Texas. In 2001, it was revealed that the corporation had been utilizing accounting loopholes to hide billions of dollars in bad debt while inflating the company's revenues, in one of the most contentious accounting scandals in the last decade. Enron's stock price plummeted from roughly $90 to under $1 in a year as a result of the scandal, costing shareholders over $74 billion. The company's CEO, Jeff Skillings, and former CEO, Ken Lay, hid billions of dollars in debt off the balance sheet, according to an SEC probe. Furthermore, they had forced Arthur Andersen, the company's auditor, to disregard the problem. The two were found guilty partly due to former Enron employee Sherron Watkins' evidence. Lay, on the other hand, died before completing his sentence. Jeff Skillings was given a sentence of 24 years behind bars. The controversy led to Enron's bankruptcy and Arthur Andersen's demise. After the fact, the convictions were as contentious as the company's demise, with prosecutor Andrew Weissman indicting not just individuals, but the whole Arthur Andersen accounting firm, thus putting the firm out of business. When the conviction was ultimately overturned, it was little consolation to the 20,000 people who had lost their jobs.
Batjer, Jennalyn P.
2019-101439
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
The risk that remains after risk treatment is referred to as residual risk. You won't be able to totally eliminate all risks after identifying and mitigating the ones you find unacceptable since it's simply not possible - as a result, certain risks will remain at a certain level, which is what residual risks are (Kosutic, n.d.). Based on what we tackled in the last meeting, it is important to identify, measure, and analyze the risk. Once the auditor identifies the risk, they should measure it. Is it high, medium, or low risk? With this knowledge, they may know if it has an impact on the organization. Then they must develop innovative and better methods for mitigating those risks.
REFERENCES
CFI. (n.d.). Top Accounting Scandals. Retrieved on October 28, 2021. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Colby, L. (March 16, 2021). Entity-Level Controls: Impact On An Organization & The Audit Process. Retrieved on October 28, 2021. https://linfordco.com/blog/impact-of-entity-level-controls/
Kosutic, D. (n.d.). Why is residual risk so important?. Retrieved on October 28, 2021. https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Murdock, H. (2017). Operational Auditing: Principles and Techniques for a Changing World. CRC Press Taylor & Francis Group. pp. 107
Batjer, Jennalyn P.
2019-101439
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-level controls are intended to manage risks at the internal and external organizational level. They also support, complement, and strengthen process- and transaction-level controls. Furthermore, these controls have a substantial effect on the attainment of various business objectives. Entity-level and process-level controls that are properly designed and effectively implemented operate in accordance to act as an organization's defense against risks that compromise the attainment of business objectives (Internal Audit Foundation, 2017).
According to Colby (2021), Entity-level controls must exist and be implemented in order for an organization to function properly. They lay the foundation for how the organization runs on a daily basis as well as how the organization is viewed and interacts with external stakeholders. Entity-level controls are also an important component of an audit because they assess and evaluate tone at the top of the organization being audited and serve as the foundation for lower-level operational controls. To provide an overall strong control environment, all five components such as control environment, risk assessment, monitoring, communication and information, and control activities, must be implemented.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The best example of a famous financial scandal is the sudden and unexpected collapse of Enron Corp. Based on the written report of Mark Jickling (2003), Enron Corp. was the first in a series of large corporate accounting scandals that has disturbed credibility in corporate governance and the stock market. The company's response to its challenges was what transformed the Enron case into a massive financial scandal. Enron manipulated its statements rather than disclosing its real financial status to public investors. It assigned financial losses and worthless assets to unconsolidated partnerships and special purpose entities. In other words, the company's public accounting statements pretended that losses were occurring not to Enron, but to the so-called Raptor entities, which were seemingly independent companies that had agreed to absorb Enron's losses, but were actually accounting deceits devised and entirely controlled by Enron's management. Furthermore, Enron appears to have disguised bank loans as energy derivatives trades in order to conceal the amount of its debt. After nearly 18 months, these accounting frauds were exposed, and updated accounting statements were released, more than 80% of the profits recorded since 2000 vanished, and Enron soon collapsed.
- FRANCIA, ANGELIKA D. (2019-101440)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is a risk that remains after Risk Management solutions have been identified and action plans have been put in place. It also contains any risks that were previously unknown, as well as any concerns that were previously discovered and reviewed but were not designated for treatment at the time (ENISA, n.d.).
According to Shakleford (n.d.), residual risk is important for various reasons. The first thing to consider is that residual risk is the risk that is "left over" after security measures and process changes have been implemented. This indicates that residual risk is something that businesses may have to live with as a result of risk reduction decisions. They might also choose to transfer the residual risk, for example, by purchasing insurance to offload the risk to an insurance provider. Another reason residual risk consideration is necessary is for compliance and regulatory obligations. Finally, residual risk is important in order to determine which security measures and procedures should be prioritized over time.
References:
Colby, L. (2021). Entity-Level Controls: Impact on an Organization & the Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
ENISA (n.d.). Identification of Residual Risks. Accessed October 27, 2021. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment
Internal Audit Foundation (2017). Case Study 1: Auditing Entity-Level Controls. 4th Edition Internal Auditing: Assurance & Advisory Services
Jickling, M. (2003). The Enron Collapse: An Overview of Financial Issues. https://digital.library.unt.edu/ark:/67531/metacrs4673/
Shakleford, D. (n.d.). What is residual risk and why is it important? Accessed October 27, 2021. https://searchcompliance.techtarget.com/definition/residual-risk
- FRANCIA, ANGELIKA D. (2019-101440)
According to Lois Colby, entity-level controls refer to the overriding controls for overseeing if the management directives pertaining to the organization as a whole are implemented and enforced. They may also be considered as higher-level controls that are more general in nature or impact a broader audience. Generally speaking, entity-level controls are concerned with the organizational environment or atmosphere which is developed to mitigate risks that exist at the organizational level, including both internal and external risks. It is also important to understand because entity-level control serves as a building block or foundation to support, reinforce, and strengthen the process-level and transaction-level controls. In addition, if these controls are well-designed and well-thought out it can bring use to the organization which can help to protect the organization against the risks that threaten the achievement of business objectives. In conclusion, it's crucial to analyze how such controls, particularly those that function throughout the entire company (i.e., entity-level controls), may affect the internal control system.
It was mentioned above that it is important to have a well-designed and well-thought-out entity-level control because it serves as a foundation to support, reinforce, and strengthen the process-level and transaction-level controls but how it was possible that the Enron Corporation failed even though they have sophisticated controls and risk management capabilities? As per my understanding and research the Enron Corporation faced such financial scandal because the organization didn’t forecast the consequence of applying such practice / procedure also, instead of conducting and analyzing the reason why does their corporation is falling they prioritize thinking of ways on how to hide their debts. And that particular practice that I am referring is the use of Mark-to-market accounting method which is also used later on by the corporation to hide their mountains of debt. Although it is a legitimate and widely used practice it has its own flaw wherein it can be manipulated since it is not based on the actual cost but on fair value which is harder to determine. And when the Enron starts to experience great number of losses they tend to manipulate and fool the regulators with their fake practices and off-the-books practices. Which resulted them to multiple criminal charges and found guilty by shredding their financial documents to conceal them from the SEC. In conclusion, the Enron Corporation failed to represent proper entity-level controls because instead of determining, mitigating and controlling the risks they choose to manipulate their methods which is not a good practice.
Residual risk is the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions (Fasulo, 2020). As we all know that even though you properly apply different type of controls it is not perfectly made to eliminate all the risk but somehow help to lower the risk and the risk that remains in the organization after proper procedures and control has been made is called residual risk and the residual risk should be less than or equal to the risk appetite which means that the total residual risk should be in the level in which the organization still can tolerate it and it should not affect the organization big time and it can still operate and function properly. It is important to determine by the internal auditor because it can help them analyze on how to respond and if they should reassess and remeasure different things in order to bring peace and order to the organization.
REFERENCES:
Colby, L. (2021). Entity-Level Controls: Impact on an Organization & the Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
Fasulo, P. (2020) Inherent Risk vs. Residual Risk: What’s the difference?
https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Segal, Troy (2021) Enron Scandal: The Fall of a Wall Street Darling
https://www.investopedia.com/updates/enron-scandal-summary/
RETONE, RENCE LOUIESE E. (2019-105248) CBET- 01-503A
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity Level Controls, according to Colby (2021), are the overarching controls for ensuring that management directives relevant to the company as a whole are implemented and enforced. A company exists to achieve its aims, yet it cannot easily attain its target. Unexpected obstacles and disadvantages will always remain within the organization in light of the processes and everyday responsibilities. The goal of Entity Level Control is to at least provide conduct to its people, regardless of rank. Because a corporation as a whole does not rely on one individual alone, but on a collection of people who operate the firm. Furthermore, he also stated that it is related to both internal values and external factors such as laws, rules, and professional standards. A firm is branded by its culture and values; we cannot simply function as a corporation if we do not share the same beliefs or practices in the workplace. As a corporation, we must operate as one unit to guarantee that we meet the criteria set out. Entity Level Control is developed from rules in that it directs the entire organization to work properly. When one conceivable unknown possibility arises in its surroundings, it maneuvers all to act. We must ensure that if anything unexpected occurs, we are prepared to continue producing and live according to the company's objective.
On the other hand, auditing standards, in line with Hall (2021), need consideration of five components: control environment, risk assessment, monitoring, information and communication, and control actions. When these five components are properly developed and implemented, they provide substantially correct financial statements. So, when activated, the first component is understanding what or where you refer to know if your management or other coworkers are aligned with the right principles that are adopted in the creation of financial statements. If you are unable to obtain a superior's document or job, you can always refer to lesser sectors and disseminate if there is control or misrepresentation. Following that is the Risk Assessment, which, if done, may produce high accuracy in financial statements while avoiding misstatements that may be made by first-level accountants. The third step is monitoring, which is critical because it allows senior and lower level accountants to engage and address errors in the financial statements as soon as feasible. Then there's Information and Communication, where staff can see who their supervisors are and how they'll voice problems while adhering to the norms. Finally, there are Control Activities, which are activities that offer the organization initiative when it encounters issues both internally and outside.
We may conclude that the significance of Entity Level Control in an organization is related to its basic values, security, and effectiveness. It is a protocol that outlines all of the steps that must be taken in order for the firm to be successful at each phase. It is worth noting that not all of this is accomplished flawlessly, but we must remember the words of the renowned Tony Rawlins: "It is not merely a question of having a set of procedures and processes, nor is it simply having controls in place. Relying on a subpar control is frequently worse than having no control at all.”
GUASIN, Jerick E. (2019-105702 ; CBET-01-503A)
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The bankruptcy of MF Global Holdings Ltd., the eighth-largest in US history, has shown a lack of internal controls that may have prevented a last-minute rescue of Jon Corzine's futures broker. The Financial Times published an article on November 5, 2011.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Fasulo (2020) defined residual risk as the risk that remains after all controls have been implemented. It is the risk that remains after your company has taken all necessary protections. Being aware of the potential threats that may be lurking around the firm is a good beginning point for developing potential responses when confronting them. When we come up with answers to a problem, we can't just assert that our firm is risk-free. A good business does not relax its guard since any danger might blow up and interrupt the smooth flow of operations at any time and to avoid leakage of important assets. As a result, the concept of Residual Risk aids us in identifying security and breach concerns in our data. Being vigilant and understanding residual risk helps our internal auditors to see possible security risks more quickly and accurately, and to comprehend how these vulnerabilities may significantly harm a firm and its data. A security team can confidently respond to hazards by knowing when and how these dangers can slip through the wall that our organization has built around its data.
GUASIN, Jerick (2019-105702 ; CBET-01-503A)
References:
Colby, L. (2021, March 16). Entity-Level Controls & How They Impact Your Organization.
Linford & Company LLP. https://linfordco.com/blog/impact-of-entity-level-controls/
Fasulo, P. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference?
SecurityScoreCard. Retrieved October 26, 2021, from https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Hall, C. (2021, March 10). Entity-Level Controls: Why They Matter. CPA Hall Talk. Retrieved October 26, 2021, from
https://cpahalltalk.com/entity-level-controls/
GUASIN, Jerick E. (2019-105702 ; CBET-01-503A)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity Level Controls, as defined by Fitzgerald (2021), are controls that function widely throughout and across the organization in order to reduce the risks that may be faced by the organization as a whole and to ensure that organizational objectives are met. Some examples of these controls are code of ethics, risk management policies and procedures, fraud prevention and detection programs, human resources policies and procedures, management’s control deficiency escalation process, and variance analysis. When companies lack or have insufficient entity-level controls, it is possible that companies may encounter a variety of challenges that will hinder the success of the organization.
According to Colby (2021), effective execution of the entity-level controls within the entity is a significant factor to effectively and efficiently operate. They provide the foundation under which the organization operates on a daily basis and how the organization is perceived and interacts with external stakeholders. Entity-level controls also serve as a key part of an audit as they assess the overall tone for the organization being audited and provide the basis for lower-level operational controls.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
According to the Corporate Finance Institute (CFI), one of the most controversial accounting scandals in the past decade was from the Enron Corporation, a US energy, commodities and services company based out of Houston, Texas. It was discovered in 2001 that the company had been using accounting loopholes to hide billions of dollars of bad debt, while simultaneously inflating the company’s earnings.
The SEC investigation revealed that the company’s CEO, Jeff Skillings, and former CEO, Ken Lay, had kept billions of dollars of debt on the company’s balance sheet. In addition, they had pressured the company’s auditing firm, Arthur Andersen, to ignore the issue. The two were convicted, largely based on the testimony of former Enron employee, Sherron Watkins. However, Lay died before serving time in prison. Jeff Skillings was sentenced to 24 years in prison. The scandal led to the bankruptcy of Enron and the dissolution of Arthur Andersen.
After the fact, the convictions were as controversial as the company collapse, as prosecutor Andrew Weissman indicted not just individuals, but the entire Arthur Andersen accounting firm, effectively bankrupting it. When the conviction was ultimately overturned, it was little consolation to the 20,000 people who had lost their jobs.
Aplacador, Bianca Marie Q.
2019-106307
CBET-01-503A
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
According to Kosutic (2015), Residual risk is the risk remaining after risk treatment. After you identify the risks and mitigate the risks you find unacceptable, you won’t completely eliminate all the risks because it is simply not possible, therefore, some risks will remain at a certain level, and this is what residual risks are. In addition, once you find out what residual risks are, you have three options to consider. First, if the level of risks is below the acceptable level of risk, then you do nothing, the management needs to formally accept those risks. Second, if the level of risks is above the acceptable level of risk, then you need to find out some new and better ways to mitigate those risks, which also means you’ll need to reassess the residual risks. And third, if the level of risks is above the acceptable level of risk, and the costs of decreasing such risks would be higher than the impact itself then you need to propose to the management to accept these high risks. The idea is that identifying, measuring, and analyzing the residual risk is important to determine whether or not the planned treatment is sufficient or the internal auditors need to reassess to find ways on how to successfully mitigate risks.
References:
CFI. (n.d). Top Accounting Scandals. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Colby, L. (2021). Entity-Level Controls: Impact On An Organization & The Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
Fitzgerald, N. (2020). Entity Level Controls: Five Issues Caused by Weak or Non-Existent Controls in Place. https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
Kosutic, D. (2015). Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Aplacador, Bianca Marie Q.
2019-106307
CBET-01-503A
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
According to Nicole Fitzgerald, Entity Level Controls (ELCs) are “controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.” Some examples of these controls are a code of ethics, risk management policies and procedures, fraud prevention and detection programs, human resources policies and procedures, management’s control deficiency escalation process and variance analyses. Organizations who have weak or no entity level controls in place can experience many problems.
Entity-level controls are important components of any organization as it lays the groundwork for the organization's everyday operations (people and processes), as well as how it is perceived and interacts with external stakeholders. Entity-level controls are also an important aspect of an audit since they analyze the organization's general tone at the top and serve as the foundation for lower-level operational controls. To provide for an overall strong control environment, all five components – control environment, risk assessment, monitoring, communication & information, and control actions – must be applied.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The term "financial scandals" refers to business scandals caused by intentional manipulations of financial statements by trusted executives of companies or organizations. Examples of such financial misdeeds include misuse of funds, overstatement of revenue, understatement of expenses, asset overvaluation, and so on. One of the key causes of these financial scandals is excessive greed on the part of a few individuals, which leads to a sequence of events that eventually leads to the demise of entire corporations and affects millions of other people.
The Enron Corporation scandal was regarded as one of the most controversial financial scandals in history. In the year 2001, it came to notice that this Houston-based company had been using accounting loopholes to hide billions of dollars of bad debt, while simultaneously inflating the company’s earnings. The scandal resulted in shareholders losing over $74 billion as Enron’s share price collapsed from around $90 to under $1 within a year.
An SEC investigation revealed that the company’s CEO, Jeff Skillings, and former CEO, Ken Lay, had kept billions of dollars of debt off the company’s balance sheet. In addition, they had pressured the company’s auditing firm, Arthur Andersen, to ignore the issue. The two were convicted, largely based on the testimony of former Enron employee, Sherron Watkins. However, Lay died before serving time in prison. Jeff Skillings was sentenced to 24 years in prison. The scandal led to the bankruptcy of Enron and dissolution of Arthur Andersen.
After the fact, the convictions were as controversial as the company’s collapse had been shocking, as prosecutor Andrew Weissman indicted not just individuals, but the entire accounting firm of Arthur Andersen, effectively putting the company out of business. It was little consolation to the 20,000 employees who had lost their jobs when the conviction was later overturned.
CHENCEL-ANNMAE F. ALMODIEL (2019-105222)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
According to Madhuri Thakur, residual risk is the amount of risk that remains in the process after all the risks have been calculated, accounted, and hedged. During an investment or a business process, there are a lot of risks involved, and the entity takes into consideration all such risks. It counters factors in or eliminates all the known risks of the process. The risks that remain in the process may be due to unknown factors or such risks due to known factors that cannot be hedged or countered; such risks are called residual risks.
Residual risk is important for several reasons. First, to consider is that residual risk is the risk "left over" after security controls and process improvements have been applied. This means that residual risk is something organizations might need to live with based on choices they've made regarding risk mitigation. Or they could opt to transfer the residual risk, for example, by purchasing insurance to offload the risk to an insurance company. Another reason residual risk consideration is important is for compliance and regulatory requirements -- for example, International Organization for Standardization 27001 stipulates this risk calculation. Finally, residual risk is important to calculate for determining the appropriate types of security controls and processes that get priority over time.
References:
Nicole Fitzgerald (June 23, 2020). Entity Level Controls and Associated Risks. Retrieved October 31, 2021 from https://www.google.com/amp/s/blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place%3fhs_amp=true
Lois Colby, CPA, CIA, CISA (March 16, 2021). Entity-Level Controls: Impact On An Organization & The Audit Process. Retrieved October 31, 2021 from https://linfordco.com/blog/impact-of-entity-level-controls/
Madhuri Thakur (2020). List of 10 Major Accounting Scandals. Retrieved October 31, 2021 from https://www.educba.com/accounting-scandals/
CFI Education (2015). Accounting Scandals – List and Overview. Retrieved October 31, 2021 from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
https://www.wallstreetmojo.com/residual-risk/
Dave Shackleford and Francesca Sales (Oct 12, 2021). What is residual risk? How is it different from inherent risk? Retrieved October 31, 2021 from https://www.google.com/amp/s/searchcompliance.techtarget.com/definition/residual-risk%3famp=1
CHENCEL-ANNMAE F. ALMODIEL (2019-105222)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
According to Fitzgerald (2020), Entity Level Controls (ELCs) are “controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.” Some examples of these controls are a code of ethics, risk management policies and procedures, fraud prevention and detection programs, human resources policies and procedures, management’s control deficiency escalation process and variance analyses. Organizations who have weak or no entity level controls in place can experience many problems.
Additionally, Colby (2021) stated that Entity-level controls are the overriding controls for overseeing that management directives pertaining to the organization as a whole are implemented and enforced. They may also be considered as higher-level controls that are more general in nature or impact a broader audience. These controls define an organization’s corporate culture and values. They also relate to internal values as well as external forces such as laws, regulations, and professional standards. The entity-level controls impact the way in which personnel operate and operational processes are designed and implemented.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
When energy-trading company Enron declared bankruptcy in 2001, it was the largest bankruptcy filing in U.S. history. The company’s demise was tinged with scandal, as it was revealed that Enron execs were pocketing millions while knowingly overstating the company’s earnings to shareholders through fraudulent accounting.
Although Enron became the poster child for corporate scandal, it’s far from the only major company to fall from grace. These 24 other corporations were once at the top of their games — worth millions and even billions of dollars — but crashed and burned due to crooked execs, poor management, changing times or a combination of the above (Olya, 2021).
JADRAQUE, AIRON NICOLE T.
(2019-101826)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Kosutic (n.d.) defines residual risk as the risk remaining after risk treatment. After you identify the risks and mitigate the risks you find unacceptable (i.e. treat them), you won’t completely eliminate all the risks because it is simply not possible – therefore, some risks will remain at a certain level, and this is what residual risks are.
It is vital for the Internal Auditors to assess the risk so they and the organization will have an idea and they'll know exactly whether the planned treatment is enough or not. Risk is inevitable and cannot simply and literally be prevented because it is innate for everything to have a potential risk. So as an auditor, although they have plans to mitigate all risks, there will always be a residual risk and this has to be managed accordingly so it will lessen the adverse effect or effects that it may cause the company or the organization the auditor is working and responsible for.
References:
Fitzgerald, N. (2020). Entity Level Controls and Associated Risks | Freed Maxick. Freed Maxick Blog. https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
Colby, L. (2021). Entity-Level Controls: Impact On An Organization & The Audit Process. Linford Company. https://linfordco.com/blog/impact-of-entity-level-controls/
Olya, G. (2021). Enron and the 24 Other Most Epic Corporate Downfalls of All Time. Go Banking Rates. https://www.gobankingrates.com/money/business/most-epic-corporate-downfalls
Kosutic, D. (n.d.). Why is Residual Risk so Important? Advisera. https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
JADRAQUE, AIRON NICOLE T.
(2019-101826)
[1/2]
Entity level controls defined by Internal Audit Foundation or IAF (2017) is an organization-wide level scheme that seeks to reduce internal and external risks and strengthen the process-level and transaction-level controls. Since entity-level control works as a first-line defense in mitigating inherent risks, the company should conduct appropriate risk management. The broad scope of this control has an extensive effect in defending the goals against threats. Some examples of entity-level controls, as provided by IAF include:
• Code of ethics.
• Risk management policies and procedures.
• Fraud prevention and detection program.
• Human resources policies and procedures.
• Management’s control deficiency escalation process.
• Variance analyses.
• IT general controls.
Entity-level controls based on the cases of Enron Corporation (U.S.A.), WorldCom (U.S.A.), Wells Fargo (U.S.A.), Volkswagen (Germany), and Barings Bank (England), are crucial for failure to do so may result in the company’s (1) overseeing of significant risks; (2) vulnerability to fraud; (3) reputation tarnish, in which not only yours would be affected but also the businesses in your country like in the case of Volkswagen; and the worst case (4) end of entity life. In affirmation, Murdock (2017) states that entity-level Controls distinguish the ability of a firm to allow or prevent fraud and whether they support appropriate behavior through its values, systems, regulations, and operations.
Delving deep to the collapse of the Barings Bank of England, one of the firms that failed to represent proper entity-level, what caused its prominent financial scandal? Barings Bank left an unsupervised 28-year-old trader, Nick Leeson, who caused the failure of the bank in 1995 as reported by Chen (2020). According to Smith (2020), Leeson gambled unhedged, unauthorized specific trades amounting to more than 1 billion dollars. Contrary to Leeson’s task to fulfill an arbitrage trade, which is fast trading and capitalizing on the small-scale differences between two markets, he gambled on the rise of the underlying Nikkei index by keeping the contracts as he hoped to earn larger profits. Not only that, but he also concealed his losses and falsified his trading records by manipulating internal accounting systems.
Based on the Internal Audit Foundation’s list of entity-level controls, I think that the fraud prevention and detection program; and management’s control deficiency escalation process might have prevented the breakdown from occurring. The fraud prevention and detection program would help recognize material frauds through unusual transactions and their patterns, as stated by Ernst & Young Global Limited (2020).
Meanwhile, management’s control deficiency escalation process is needed because the non-detection of misstatements and performance of assigned functions fall under the category of control deficiency as stated in AU Section 325 of Public Company Accounting Oversight Board (2004). If the bank has early detected the actions of Leeson, it might have prevented its insolvency.
Aside from that, System access and authorization levels based on Murdock’s list (2017) and appropriate assignment of authority and responsibility from Zimmerman (n.d.) would have also been helpful. The bank should not make the same man do the derivatives trading and settle the account operation so that the manipulation would not be easy (Smith). In agreement with ACA Compliance Chief Services Officer Carlo di Florio, a former senior executive at both FINRA (Financial Industry Regulatory Authority) and the U.S. Securities and Exchange Commission (SEC), if Leeson’s work were to be done today, he would be monitored by trade surveillance systems while doing his work.
DUEÑAS, ALYSSA MAE B. (2019-102691)
[2/2]
Did the bank fail in recognizing the residual risk? Why is identifying, measuring, and analyzing this kind of risk required for the organization?
Residual risk, expressed by IAF, is the filtered inherent or gross risk that should be acceptable to the firm so that the risk can be controlled and not get out of hand. Gross risks pass through defenses such as entity-level controls then process-level and transaction-level controls. If the residual risk is still large enough, the organization may apply further actions to mitigate it. Residual risks should not be taken for granted because failure to do so may result in losses and a more complicated situation. In agreement, Kosutic (2012) says that residual risk is vital to the firms to know what they may face after applying treatments on the inherent risks.
Entity-level controls are vital in mitigating risks to the whole organization. Having those financial scandals as an example, the firm should seek to avoid those possibilities and improve the structure of their operation following ethics, technological advancement, management’s objectives, and human welfare. The control aforementioned is crucial to the residual risk as it is the first treatment in facing the threats of a company. Auditors must keep in mind that even though threats are internal, one must not ignore nor oversee relevant issues for the entity to survive longer and adapt to the changing world.
References:
Chen, J. (Reviewed 2020, October 30). Barings Bank. Investopedia. Retrieved November 1, 2021, from: https://www.investopedia.com/terms/b/baringsbank.asp
Ernst & Young Global Limited (2020). Preventing and detecting fraud: strengthening the roles of companies, auditors and regulators (p. 3) [eBook edition]. EYGM Limited. Retrieved from: https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/assurance/assurance-pdfs/ey-preventing-and-detecting-fraud.pdf
Internal Audit Foundation (2017). Internal Auditing: Assurance & Advisory Services (4th Edition). Case Study 1: Auditing Entity-Level Controls (pp. 1-2, 5-8) [eBook edition]. Internal Audit Foundation. Retrieved from: https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Kosutic, D. (2012, February 16). Why is residual risk so important? Help Net Security. Retrieved November 1, 2021 from: https://www.helpnetsecurity.com/2012/02/16/why-is-residual-risk-so-important/
Murdock, H. (2017). Operational Auditing (p. 316) [eBook edition]. CRC Press.
Public Company Accounting Oversight Board. (2004, November 15). AU Section 325 Communications About Control Deficiencies in an Audit of Financial Statements. Retrieved from: https://pcaobus.org/oversight/standards/auditing-standards/details/AU325b
Smith, E. (2020, February 26). The Barings collapse 25 years on: What the industry learned after one man broke a bank. CNBC Business News. Retrieved November 1, 2021 from: https://www.cnbc.com/2020/02/26/barings-collapse-25-years-on-what-the-industry-learned-after-one-man-broke-a-bank.html
Zimmerman, D. M. (n.d.). Part 4: Entity Level Controls vs. Activity Level Controls. Baden Gage & Schroeder LLC 2021. Retrieved November 1, 2021, from: https://www.badencpa.com/newaudit4.php
DUEÑAS, ALYSSA MAE B. (2019-102691)
1. The importance of Entity-Level Controls to Effective Risk Management & Control Across the Whole Organization
An organization needs to establish more than one level or type of control. Among these controls, entity-level control is one of the most important controls to effectively manage the operations and processes of the business. This particular control tends to be essential when an external audit is being conducted to an entity or a company is evaluating a subservice organization for the purpose of conducting crucial business interactions. But the question is what is entity-level control? Based on the definition of Fitzgerald (2020), entity-level controls are controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.
They are the overriding controls for overseeing that management directives pertaining to the organization as a whole are implemented and enforced (Colby, 2021). They are capable of causing more impact to a broader audience and are considered to be general in nature. In addition, these controls make the persons involved in the management accountable for their behaviours and actions.
Entity-level controls are proven to be significant to the organization as they provide the foundation for the business operations and implementation of various policies and processes. They help to maintain the good reputation of the company and how it cooperates with external stakeholders. Most importantly, these controls contribute to the improvement of risk management and enhance the business operations in terms of its efficiency and effectiveness. In order to achieve them, a company must apply a top-down approach. It pertains that they must assess first the effectiveness of entity-level controls to identify which risks are involved in process-level and transaction-level controls. If the company fails to evaluate entity-level controls first then it will probably result in over-testing of controls. Thus, the evaluation of the overall system of internal controls becomes ineffective and more expensive.
2. Famous Financial Scandal that Failed to Represent Proper Entity-Level Controls
According to the news article from Yahoo website under the finance section, Wells Fargo’s public woes kicked off with $185 million in fines for the creation of 1.5 million fake deposit accounts and more than 500,000 fake credit cards, all in customers’ names and without their permission. The bank had fired 5,300 low-level employees for creating these accounts under extreme sales pressure. Wells Fargo confessed that it pressured employees to meet unrealistic sales goals that led thousands of employees to provide millions of accounts or products to customers under false pretenses or without consent, often by creating false records or misusing customers’ identities. This financial scandal illustrates the failure of the company to implement proper entity-level controls and other types of controls within the bank. In exchange for short-term profits, they caused damage to their reputation and harmed multiple customers.
BALAYSOCHE, STEPHANIE (2019-101856)
3. The Residual Risk and the Importance for the Internal Auditors to Identify, Measure, and Analyze this Risk
Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made (Kosutic, n.d.). This risk is assessed similarly to the initial risk assessment. The difference here is that it is important to account for the impact of controls so that the happening of an incident is less likely or the opposite of severe. Aside from that, it is also necessary for the internal auditors to identify, measure, and analyze residual risk to determine whether the planned treatment is efficiently and effectively working. Moreover, after conducting the risk assessment, it is the responsibility of the top management to identify which risks their business will encounter even after the application of different mitigation methods.
References:
Colby, L. (2021, March 16). Entity-Level Controls: Impact On An Organization & The Audit Process. Retrieved from https://linfordco.com/blog/impact-of-entity-level-controls/.
Fitzgerald, N. (2020, June 23). Entity Level Controls and Associated Risks. Retrieved from https://blog.freedmaxick.com/summing-it-up/all?Preview=true.
Mann, E. (2019, March 12). Wells Fargo scandals: The complete list. Yahoo! Finance. Retrieved from https://finance.yahoo.com/amphtml/news/wells-fargo-scandals-the-complete-timeline-141213414.html.
Prentice, C., Schroeder, P., Moise, I. (2020, February 22). Wells Fargo to pay $3 billion to U.S., admits pressuring workers in fake-accounts scandal. Reuters. Retrieved from https://mobile.reuters.com/article/amp/idUSKBN20F2KN.
The Critical Importance of Entity Level Controls to your Organization. (2021, September 13). Retrieved from https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/.
What is residual risk? How is it different from inherent risk? (2021, October 12). Retrieved from https://searchcompliance.techtarget.com/definition/residual-risk?amp=1.
BALAYSOCHE, STEPHANIE (2019-101856)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-level controls have a general meaning for the various types of audit engagements and can also be more specific to a type of audit engagement. In general, entity-level controls are rules that apply across the entire organization rather than being intended for a single division or business, such as finance, manufacturing, or research and development. Entity-level controls ensuring that management instructions affecting the entire organization are implemented and enforced are entity-level controls. They can also be thought of as higher-level controls that have a greater influence or are more universal in nature.
The corporate culture and values of an organization are defined by these regulations. Internal values, as well as external factors such as laws, rules, and professional standards, are all discussed. Controls at the entity level have an impact on how people work and how operational procedures are created and performed. They lay the groundwork for the organization's everyday operations (people and processes), as well as how it is perceived and interacts with external stakeholders. Entity-level controls are also an important aspect of an audit since they analyze the organization's general tone at the top and serve as the foundation for lower-level operational controls.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Enron Corporation was a US energy, commodities, and services company based out of Houston, Texas. In one of the most controversial accounting scandals in the past decade, it was discovered in 2001 that the company had been using accounting loopholes to hide billions of dollars of bad debt, while simultaneously inflating the company’s earnings. With phony holdings and off-the-books accounting methods, Enron's leadership deceived authorities. Enron's stock price dropped from $90.75 at its peak to $0.26 after the company filed for bankruptcy. Between 2004 and 2011, the corporation paid out more than $21.7 billion to its creditors.
An SEC investigation revealed that the company’s CEO, Jeff Skilling, and former CEO, Ken Lay, had kept billions of dollars of debt off the company’s balance sheet. In addition, they had pressured the company’s auditing firm, Arthur Andersen, to ignore the issue.
- BERTIZ, COLINE B. (2019-100749)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is the risk that remains after risk treatment has been completed. As a business won't be able to completely eliminate all risks once you've recognized them and mitigated the ones you find unacceptable, residual risks will exist.
It is critical for the internal auditor to determine since it can assist them in determining how to respond and whether they should reassess and remeasure various things in order to restore peace and order to the business. Internal auditors must identify, assess, and analyze this risk because it has the potential to cause the organization to fail. To reduce these hazards, immediate and appropriate action should be taken. It is recommended that security practices be used to mitigate or completely eliminate the harmful impacts of a threat. Residual risk should not be underestimated because it has the ability to hurt the company.
References:
CFI. (2015). Top Accounting Scandals. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Kosutic, D. (n.d.). Why is residual risk so important?. https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Linfordco. Lois Colby, CPA (2021). Entity-Level Controls: Impact On An Organization and The Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
- BERTIZ, COLINE B. (2019-100749)
The importance of Entity-Level Controls is that it supports the process-level and transaction-level controls. And these controls have a pervasive effect on the success of many businesses objective to be effective and productive. This can also be utilized as a defense against the risk that threatens a business. The Entity-Level Controls can be done monthly, semiannually or periodically. When developing an internal audit plan and designing process-level and transaction-level tests, the internal auditor should consider the results of Entity-Level Controls because it can help the auditor mitigate the corresponding risks that can go wrong with certain processes and transactions. Also, the outcomes of Entity-Level Controls should be assessed by the internal auditor when planning individual or business engagements to ensure the approach of process-level and transaction-level is effective and efficient.
Enron Corporation is one of the most well-known financial scandals in which adequate entity-level controls were not demonstrated. Enron Corporation was a Houston, Texas-based energy, commodities, and services company. In one of the most acrimonious scandals in the previous decade, it was revealed in 2001 that the firm had been using accounting loopholes to hide billions of dollars in bad debt while inflating the company's earnings. According to CFI, the Enron Corporation incident is one of the most well-known financial scandals in history. The Enron scandal gave rise to accounting and corporate fraud, as its stockholders lost $74 billion in the four years preceding its bankruptcy and its employees lost billions in pension payments. In short, the Enron firm lacks in corporate governance because its management engaged in an unethical plan and off-balance-sheet mechanism malpractice. They showed the people that their company is profitable so that many individuals would invest in their company but the truth is that they are already losing money and conceal the financial losses of Enron.
The threat that remains after all efforts to detect and eliminate risks in a specific situation have been exhausted is known as residual risk. In other words, it is the level of vulnerability to a potential risk even after the risk has been identified and mitigation measures have been agreed upon. Identifying residual risk is important for Internal Auditors to identify, measure, and analyze risk because it helps the auditor to know the impact of that residual risk and how to lessen the effect of that type of risk.
Enron Scandal. (n.d.). What is the Enron Scandal? Retrieved November 01, 2021, from https://www.wallstreetmojo.com/enron-scandal/
Residual Risk. (2021). What Does Residual Risk Mean? Retrieved November 01, 2021, from https://www.safeopedia.com/definition/470/residual-risk#:~:text=Residual%20risk%20is%20defined%20as,upon%20mitigation%20has%20been%20implemented.
Murdock, H. (2017) Operational auditing: Principles and techniques for a changing world. CRC Press. Retrieved October 29, 2021, from https://e-rtu.online/pluginfile.php/286094/mod_resource/content/1/Operational%20Auditing%20The%20Principles%20%20Techniques%20for%20a%20Changing%20World.pdf
BATULAN, Anna Marie M. (2019-102079)
(1/2)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity level controls are defined as the organization’s values, systems, policies, and processes which will be beneficial in minimizing the risks of fraud and maximizing proper conduct within the entity (Murdock, 2017). In addition, Fitzgerald also gives emphasis on the idea of giving assurance or certainty that with proper and intact entity level controls risks will be mitigated and organizational objectives will be met or achieved. Hence, entity level controls indeed have the vital role in improving and enhancing the organizational entire system to promote attainment of the objectives alongside with the hedging of the risks associated in attaining such objectives. These entity level controls promulgated by the organization include code of ethics, risk management and human resource policies and procedure, fraud programs, management’s control process, variance analysis and IT general controls (Murdock, 2017). To cite a personal example, since I am currently working in a BPO Company in the Philippines, we always have an email communication sent by our clients handed over to our managers and handed down to our supervisor that needs acknowledgement on certain policies or procedure that changes on the system. Thus, our company always makes sure to remind their respective agents that they understood and comply with certain protocols that were implemented not only in the production but also within the site. And I believe that certain aspect of the company to proactively remind everyone about the current and new system will help people working on the organization to be aware and to be knowledgeable on the things that the management implemented in achieving its objectives. Furthermore, entity level controls will also be beneficial on assessing the effectivity of the controls that were implemented and how will such controls be modified in case it was not effectively attaining the organization’s objectives.
Ultimately, these controls will also help every employee to comply and be vigilant on the act or actions that they will be executing in the organization which will be vital on the strict compliance on the management’s rules and regulations.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
One of the most famous financial scandals in the world would be none other than the German company Wirecard. This occurrence was executed by the former Wirecard AG executive Jan Marsalek due to 80% of its net cash were missing from its statement of financial position and he is one of the major suspects on this scandal. I believe that this scandal reflects the organization’s systems and policies due to the fact that employees especially one of the higher positions in the company do such horrible things that destroy not only his own self but also the reputation of the company in the whole world. Hence, poor organizational values, systems, policies, and processes are definitely riskier than having financial difficulties due to the fact that nothing supports the will of everyone to attain the objectives of the company.
(2/2)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Based on Fasulo (2020), residual risks are risks that still remain after the organization has taken proper precautions to mitigate the risks. In addition, Slabotsky (2017) emphasizes as well that residual risks are risks that regardless of the control that risks will still remain regardless of the additional controls that the organization set up in hedging these risks. Based on the article of Kosutic (2014), these residual risks will be vital on assessing if the planned treatment or control over a risk is sufficient to mitigate such risks. Hence, these risks will eventually help the organization put emphasis on certain risks that need greater risk management or support in order for the organization to lessen the uncertainty associated with such action or event.
References
Fasulo, P. (2020, December 21). Security Scorecard. Retrieved November 2, 2021, from https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Fitzgerald, N. (2020, June 23). FreedMaxick. Retrieved November 2, 2021, from https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
Kosutic, D. (2014). Advisera. Retrieved November 2, 2021, from https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Matussek, K. (2020, August 13). Insurance Journal. Retrieved November 2, 2021, from https://www.insurancejournal.com/news/international/2020/08/13/579030.htm
Murdock, H. (2017). Operational Auditing. Florida: CRC Press.
Rivas, R. (2021, June 4). Rappler. Retrieved November 2, 2021, from https://www.rappler.com/business/nbi-files-complaint-vs-wirecard-accounting-fraud-june-2021
Slabotsky, R. (2017, September 7). Fair Institute. Retrieved November 2, 2021, from https://www.fairinstitute.org/blog/inherent-risk-vs.-residual-risk-explained-in-90-seconds
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity level controls are the management style of the organization, which makes sure the proper conduct of its culture, structure, and policies (Murdock, 2017). Entity level controls are broader among other types of control that focus on the specific aspect of the organization, while entity level focuses on the whole operation of the entity.
Entity level control is an essential element that helps the organization mitigate risks concerning its overall conduct internally or externally. Inadequate or absence of entity-level controls increases the probability of experiencing difficulties in the organization. Proper entity-level control allows for the achievement of the objectives and has a significant influence on ensuring success.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
A financial scandal is a situation where manipulation of financial resources in a morally questionable manner has resulted in severe consequences for third parties, which are widely known (Toms, 2019). Among the various financial scandals in history, the WorldCom Scandal (2002) is one of the worst financial scandals.
WorldCom was an American telecommunications company based out of Ashburn, Virginia. In 2002, the fraudulent act of WorldCom had come to light after the conduct of its internal audit. It turns out that WorldCom had overstated its assets by approximately $11 billion, making it by far one of the largest accounting scandals in U.S. history as well as one of the largest bankruptcies. The company had understated line costs by capitalizing instead of expensing them and had inflated its revenues by making false entries. The company’s CEO, Bernie Ebbers, was sentenced to 25 years in prison for fraud, conspiracy, and filing false documents. The scandal resulted in over 30,000 job losses and over $180 billion in losses by investors (CFI, n.d.).
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk refers to the risk remaining after risk treatment (Dejan Kosutic). It is the risk that persists after mitigating risk, as it is impossible to eliminate risk (completely). This type of risk is often neglected by people or organizations thinking that it would not affect the attainment of their objectives. Hence, the internal Auditor needs to assess this type of risk as it will cause tremendous damage to the organization if left untreated.
Conducting a risk assessment to residual risk, which includes identifying, measuring, and analyzing, is beneficial for the organization. The risk assessment will allow them to enhance their technique on risk mitigation by making them aware of the loopholes in their methods, thus, enabling them to achieve almost, if not all, their objectives.
References:
Murdock, H. (2017). Operational Auditing: Principles and Techniques for a Changing World.
Toms, S. (2019). Financial scandals: a historical overview, Accounting and Business Research, 49:5, 477-499, DOI: 10.1080/00014788.2019.1610591
Corporate Finance Institute. (n.d.). Top Accounting Scandals. Retrieved November 1, 2021, from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Kosutic, D. (n.d.). Why is residual risk so important? Retrieved November 1, 2021, from https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Dizon, Jake C. (2019-106975)
Importance of Entity-Level Controls to Effective Risk Management and Control
Entity-Level Controls are important because they provide the foundation for the daily operations of an organization and for how the business is perceived by and interacts with the stakeholder. It is also important to provide a strong control environment through the five components that are critical and need to be implemented, namely: control environment, risk assessment, monitoring, communication & information, and control activities. Moreover, it is an integral part of auditing as it assesses the top-level operational controls of a business and provides a basis for the lower-level operational controls to follow. Hence, understanding entity-level controls is also to understand how it affects the business.
Some of the specific importance of entity-level controls are: (1) Quality of financial statement and financial reporting; (2) Better risk and assessment management; (3) Improve effectiveness and efficiency of the business operations; (4) Lowered reliance on activity- and transaction- level controls; (5) High-quality personnel driving internal controls; and (6) Strong personnel management.
Famous Financial Scandal
WorldCom, an American telecommunications company, was discovered to have inflated its assets by almost $11 billion. The company capitalized the line costs instead of expensing them, and that also inflated the net income and cash flows making its profit exaggerated by $3.8 billion in 2001 and $797 million in the 1st quarter of 2002. They reported a net profit of $1.4 billion instead of a net loss. The internal audit department found the $3.8 billion fraudulent accounts and that’s why the scandal came to light. Arthur Andersen, WorldCom’s auditor who audited WorldCom's 2001 financial statements and reviewed its books for 1st quarter of 2002 was found to have ignored memos from WorldCom executives informing them that the company was inflating profits by improperly accounting for expenses. He is also the one who shredded the documents relating to its audit of Enron. He, together with the WorldCom’s CEO Bernard Ebbers was convicted. Bernard Ebbers was convicted on nine counts of securities fraud and sentenced to 25 years in prison in 2005.
Residual Risk and its Importance
Residual risk, as the name suggests, is the remaining risks after all or some of the other risks are identified and had taken proper precautions. The first reason why residual risk is important is because it is something that the business might need to live with based on choices they made from risk mitigation. Another reason is for compliance and regulatory requirement which is the International Organization for Standardization 27001 that stipulates the risk circulation. Also, the purpose of the residual risk is to identify if the proper safety precaution is enough or needs to be revised or be improved as the top management needs to know other risks even after the risk mitigation because those risks may affect the bottom line of the company but as well as its viability wherein the top management is also responsible.
References:
Colby, L. (2021). Entity-Level Controls: Impact on an Organization & the Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
Hayes, A. (2021). The Rise and Fall of WorldCom. https://www.investopedia.com/terms/w/worldcom.asp
Kosutic, D. (n.d.). Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
MBG Corporate Services. (2021). The Critical Importance of Entity Level Controls to your Organization. https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
Shackleford, D. (n.d.). What is residual risk and why is it important? https://searchcompliance.techtarget.com/definition/residual-risk
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-level controls have a broad definition that applies to all types of audit engagements, but they can also be more particular to a specific audit engagement. In general, entity-level controls are pervasive throughout the organization rather than controls that are designed for a specific division or operation. These are the primary controls for ensuring that management directives for the organization as a whole are implemented and enforced. They can also be thought of as higher-level controls because they are more general in nature or affect a larger audience. (Colby, 2021) These controls define the company's organizational culture. They serve as the foundation of its operations, both in terms of people and processes. They influence how the company is perceived by its stakeholders and how it interacts with them. As a result, their significance cannot be overstated. It can give better risk assessment and management, as well as more effective risk mitigation, enhanced business and operational effectiveness and efficiency, reduction in reliance on activity- and transaction-level controls and lastly, effective personnel management is achieved through clearly defined roles and expectations. It is self-evident that not all controls are created equal. Everyone may play a role in achieving the desired outcome, but only a few are truly critical. With that, their absence would make it difficult to achieve the desired outcome. These crucial actions are known as key controls. Controls at the operational level may have a significant influence on the system of internal controls than the strategic controls at the process. Thus, understanding how such controls work, particularly those that operate across the entire organization is critical.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Enron Corporation is one of the most widely publicized and well-known examples of entity-level controls breaking down. While Enron was known to have sophisticated controls and risk management capabilities to support many of its detailed processes, failures in controls at the board and senior management levels contributed to one of the most significant financial scandals that failed to represent proper entity-level controls. A closer examination of what went wrong at Enron, as well as some other well-publicized financial failures, can provide insight into the significance of strong entity-level controls. (IAF, 2017)
It was discovered in 2001 that this Houston-based company was concealing massive debt by classifying it as an off balance sheet item. Internal whistleblower Sherron Watkins helped to uncover the problem, and high stock price movement also raised concerns. As a result, $74 billion in shareholder funds were lost, as well as the retirement funds of thousands of investors and employees. The scandal's key figures, Jeff Skilling (CEO) and Ken Lay (former CEO), were found guilty and sentenced to prison. (Thakur, 2021)
According to the Report of the Permanent Subcommittee on Investigations of the Committee on Governmental Affairs United States Senate, Enron’s board of directors failed to protect their shareholders and contributed to the collapse of the seventh largest public company in the United States by allowing Enron to engage in high-risk accounting, inappropriate conflict of interest transactions, extensive undisclosed off-the-books activities, and excessive executive compensation. Over several years, the Board witnessed numerous indications of questionable practices by Enron management but chose to ignore them to the detriment of Enron shareholders, employees, and business associates. Financial ties between the company and certain Board members jeopardized the independence of the Enron Board of Directors. The Board also failed to ensure the auditor's independence, allowing Andersen to provide internal audit and consulting services while also serving as Enron's outside auditor.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
The risk that remains after risk treatment is referred to as residual risk. After you identify the risks and mitigate the ones you find unacceptable, you will not be able to completely eliminate all of them. Consequently, some risks will remain at a certain level, which is what residual risks are. It is important for the internal auditors to identify these risks in such a systematic way because this ensures that management is involved in the most critical decisions for the operation and that nothing is overlooked. Therefore, the management must understand and evaluate which risks their company will face even after various mitigation techniques have been established. After all, top management is responsible not only for the company's growth, but also for its viability.
References:
Colby, L. (2021, March 16). Entity-Level Controls & How They Impact Your Organization. Linford & Company LLP. Accessed October 27, 2021, from
https://linfordco.com/blog/impact-of-entity-level-controls/
Auditing Entity-Level Controls. (2017). Internal Auditing: Assurance & Advisory Services, 4th Edition by the Internal Audit Foundation. Accessed October 27, 2021, from
https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Thakur, M. (2021, March 24). Accounting Scandals. EDUCBA. Accessed October 27, 2021, from
https://www.educba.com/accounting-scandals/
Report of the Permanent Subcommittee on Investigations of the Committee on Governmental Affairs United States Senate. (2002, July 08). THE ROLE OF THE BOARD OF DIRECTORS IN ENRON’S COLLAPSE. Accessed October 27, 2021, from
https://www.govinfo.gov/content/pkg/CPRT-107SPRT80393/html/CPRT-107SPRT80393.htm
- MENDOZA, RHEA LYN B. (2019-101819)
What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-level controls have a general meaning for the various types of audit engagements and can also be more specific to a type of audit engagement. In general, entity-level controls are pervasive throughout the organization versus designed for a specific division or operation, such as finance, manufacturing, research & development, etc. (Colby, 2021).
Entity-level controls are the overriding controls for overseeing that the organization's management directives are implemented and enforced. They may also be considered higher-level controls that are more general or impact a broader audience. Murdock (2017) refers to the entity's management style, as reflected in the corporate culture, values, philosophy, operating style, organizational structure, and policies and procedures. The entity-level controls impact how personnel operates, and operational processes are designed and implemented. Entity-level control is essential to an audit because it benefits the company's quality and error-free information gathered better risk assessment and management. It also has more substantial risk mitigation, which improves effectiveness and efficiencies in business operations. It also includes lowered reliance on activity-and transaction-level control, high-quality and strong personnel driving internal control.
Give one example of famous financial scandals that failed to represent proper entity-level controls.
An accounting scandal is a scenario of accounting irregularities that can be so damaging to a company, industry, or economy that it has far-reaching consequences. The damage may have little impact on many people, for example, the Lehman Brothers. In 2020, Corporate Finance Institute stated that It was a New York City-based multinational financial services provider. That was one of America's most prominent investment banks. The business was determined to have hidden approximately $50 billion in loans during the 2008 financial crisis. These loans were pushed off as sales using accounting loopholes. According to an SEC inquiry, the firm sold toxic assets to Cayman Islands banks on a short-term basis. These assets were expected to be purchased back by Lehman Brothers. The corporation appeared to have $50 billion more in cash and $50 billion less in hazardous assets due to this. Lehman Brothers declared bankruptcy as an outcome of the incident.
Sean Lester Nombrado/2019-106902
What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
The possibility that persists after every effort has been made to detect and eliminate risks in a specific circumstance is a residual risk. Even when a possible hazard has been identified, and agreed-upon mitigation measures were implemented, the degree of exposure to that hazard remains increased. Residual risks will always be present. The process of managing residual risk involves setting an acceptable threshold and then implementing programs and solutions to mitigate all risks below that threshold (Kost, 2021).
Reducing, avoiding, accepting, and transferring are the four basic ways to approach the residual risk, which may be helpful to internal auditors to identify, measure, and analyze the risks. Residual risk is crucial because it can help the company monitor the changing nature of threats and help them recalibrate the risk. It enables the internal auditor to identify security threats in the information and measure the vulnerabilities that may harm the company’s reputation. A security team can confidently respond to hazards by knowing when and how these dangers can slip through our organization's wall around its data.
References:
Colby, L. (2021, March 16). Entity-Level Controls & How They Impact Your Organization.
Linford & Company LLP. https://linfordco.com/blog/impact-of-entity-level-controls/
Corporate Finance Institute. (2020, June 12). Top Accounting Scandals. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Kost, E. (2021, October 25). What is Residual Risk? Why it Matters in 2021 | UpGuard. UpGuard. https://www.upguard.com/blog/residual-risk
Murdock, H. (2016). Operational Auditing: Principles and Techniques for a Changing World (Internal Audit and IT Audit) (1st ed.). Auerbach Publications.
Sean Lester Nombrado/2019-106902
[1/2]
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-level controls are utilized to decide whether an association's qualities, frameworks, arrangements, and cycles would empower or discourage fraud and encourage proper conduct. They refer to management's style, as reflected in the corporate culture, qualities, reasoning, and working style, the authoritative construction, and approaches and systems set up. According to Lois Colby, entity-level controls are considered to be a crucial part when an external auditor or CPA firm performing an audit over an entity. The auditor must perform risk assessment procedures to obtain an understanding of the impact on the organization and, thus, impact on the audit procedures to be performed. Once the analysis of entity-level controls and risk assessment is complete and reliance is determined, the auditor can plan the audit and design the tests of controls based on the scope of the audit (Lois, 2021). The presence and execution of entity-level controls is a key component of an organization. They give the establishment under which the association works consistently (employees and processes) and how the organization is perceived and interacts with external stakeholders. It is necessary to supervise all the areas of management such as control environment, risk assessment, monitoring, communication & information, and control activities which are critical to have a successful organization.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls?
Freddie Mac Scandal (2003)
The Federal Home Loan Mortgage Corporation, also known as Freddie Mac, is a US federally-backed mortgage financing giant based out of Fairfax County, Virginia. In 2003, it was discovered that Freddie Mac had misstated over $5 billion in earnings. COO David Glenn, CEO Leland Brendsel, former CFO Vaughn Clarke, and former Senior Vice Presidents Robert Dean and Nazir Dossani had intentionally overstated earnings in the company’s books. The scandal came to light due to an SEC investigation into Freddie Mac’s accounting practices. Glenn, Clarke, and Brendsel were all fired and the company was fined $125 million.
John Michael Ruiz (2019-103444)
[2/2]
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
In organizations where a risk management process is already in place, internal audit can utilize the information obtained by risk management to plan audit activities and determine how to properly allocate internal audit resources. Residual risk, also known as current risk, is the threat that remains after management has taken action to reduce the impact and likelihood of an event. Since they will consistently be available, the most common way of overseeing leftover danger implies setting an adequate edge and afterward carrying out projects and answers for alleviate all dangers underneath that limit. When effective security controls are implemented, there is an obvious discrepancy between inherent and residual risk assessments. These results are not enough to verify compliance and should always be validated with an independent internal audit. The longer the trajectory between inherent and residual risks, the greater the dependency, and therefore effectiveness, on established internal controls. (Edward Kost, 2021)
References:
Hernan, M. (2015). Operational Auditing. CRC Press.
Lois C. (2021). Entity-Level Controls: Impact On An Organization & The Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
CFI. (2021). Top Accounting Scandals. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
ERM Initiative Faculty (2009). Internal Audit and Risk Oversight. https://erm.ncsu.edu/library/article/internal-audit-assurance
Edward K. (2021). What is Residual Risk? Why it Matters in 2021. https://www.upguard.com/blog/residual-risk
John Michael Ruiz (2019-103444)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity level controls are the systems that the management used or placed to address the risk that is found in the entity. Addressing them all at once so the entity is assured that the objectives are met. Then solving or coping with the risk went through the entity-level control (net risk).
Besides having more effective and efficient management and production, entity-level control also contributes to the risk involved in poor management or internal control. Because poor entity-level control will lead to a lot of residual risks. Since the management is responsible for the procedures and guidelines that the entity must follow, they are the reason why there are a lot/small residual risks. As the risk increases the effectiveness and efficiency of the management of assets will decrease and will eventually lead to a reduction in the performance. It must be addressed to all the risk is found in the entity regardless of the department because some risk is interrelated and has some similarities with other risk found in the other department. This means that the same coping technique used in one department can be used with other risks.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
According to Investopedia the Enron scandal is about a company that has reached incredible heights but failed because of poor management and entity-level controls. The management had changed its accounting treatment to reflect the fair values of the asset, the assets created are projected to have a lot of future benefits, and the management makes sure that the employees will not sell the share they have by creating compensation for holding the share for 30 days.
Instead of analyzing the risk of merging or engaging in the fields, they are not familiar with they just used several techniques that will lead to an even greater fall. Also, they are just hiding the losses their company incurred and not doing research on what went wrong in their management or internal auditors and actions that will correct their procedures.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual or Net risks are risks that pass through or slip through the management's internal control system. This risk must not exceed the appetite risk of the entity or the level or amount of risk that the entity is willing to take or handle.
Entity or the internal auditor must identify if the risks are too much and cannot be addressed by the entity, they must focus on the risks that are related to the objective of the entity. According to the case analysis, some risk has an impact to other risk, some are clustered. This means that they are interrelated and looking them individually might be small but collectively they are at large. Analyze the risk to know how the risk will behave this is important because solving one of the interrelated risk can eliminate or reduce other risk. Entity’s measure risk to know the impact and the priority the entity must give to solve it. In fact, the entity level controls are created to solve the largest identified and measured risk.
REFERENCE:
(n.d.). Retrieved November 3, 2021, from https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf.
Internal controls. Old Dominion University. (n.d.). Retrieved November 3, 2021, from https://www.odu.edu/about/compliance/internal-auditing/internal-controls#:~:text=Detective%20controls%20are%20designed%20to,occurring%20in%20the%20first%20place.
Segal, T. (2021, March 31). Enron scandal: The fall of a wall street darling. Investopedia. Retrieved November 2, 2021, from https://www.investopedia.com/updates/enron-scandal-summary/.
What are the 3 types of internal controls? — reciprocity. (n.d.). Retrieved November 2, 2021, from https://reciprocity.com/resources/what-are-the-3-types-of-internal-controls/.
(1/4)
An entry level control is formulated to mitigate and assess the risks that are pre-existing or risks that may happen in future at the level in the organization, it includes risk in internal or external. Entity-level controls also serve to support, complement, and reinforce process-level and transaction-level controls. In conducting entry level controls, it will result in achieving the organizational goals and objectives. In doing such, this will serve as defense against all the risk that threatens the achievement of business objectives. In order to become successful, the entry level control must be effective and well suited to the organizations. Assessment or series of assessment is done usually periodically or annually or quarterly. The assessment is based on that time period allotted, at the same time, the result from the test of the previous assessment. Management considers the results of its entity-level control assessments when evaluating and opining on the organization’s overall system of internal controls. The assessment of entry level control is important for audit plan and designing test of process level and transaction level controls.
- Villanueva, Don Luis M. (2019-102313)
(2/4)
What is the importance of Entity-Level Controls to effective risk management & control across the whole organization? Entry level control is control all over the organization to mitigate the risk and tighten the assurance in achieving the organization’s objectives. This is also practical guidance developed to assist organizations in conducting a comprehensive evaluation of the design adequacy or operating effectiveness of such controls. This will serve to the management as evaluating the organization’s control if sufficient and effective and identifying the risks. This will also monitor the effectiveness of controls, also identifying the possible problems in lower level controls. “Entity-level controls include: Controls related to the control environment; Controls over management override; The company’s risk assessment process; Centralized processing and controls, including shared service environments; Controls to monitor results of operations; Controls to monitor other controls, including activities of the internal audit function, the audit committee, and self-assessment programs; Controls over the period-end financial reporting process; and Policies that address significant business control and risk management practices. Examples of entity-level controls include, but are not limited to: Code of ethics, Risk management policies and procedures, Fraud prevention and detection program, Human resources policies and procedures, Management’s control deficiency escalation process, Variance analyses, IT general controls. Entry level controls have two specifications the governance control and management oversight control. Governance control is established by the board of directors and senior management to establish the control culture and expectations of the organization. Examples include: Audit committee oversight of internal controls, senior management’s attitude toward financial reporting, the board and senior management’s risk appetite.
Governance control also prescribes guidance that pervasively supports strategic objectives and affects the overall system of internal controls. Examples include: Code of Ethics and compliance policies, organization-level risk assessment, IT policies, monitoring business units’ performance.
- Villanueva, Don Luis (2019-102313)
(3/4)
Give one example of famous financial scandals that failed to represent proper entity level controls. One of the examples is Enron’s scandal in 2000. It all happened when they used the market to market accounting method in which the cost is not based on the actual cost but in the fair value cost. This is easily manipulated in stating the value of assets and liabilities which is harder to pin down. In Enron’s case, the company builds an asset, such as a power plant and immediately claims the projected profit on its books, even though the company doesn’t receive any profit to that project. If the revenue is less than the cost of putting the plant, instead of taking a loss, they transfer the asset to an off-the-books corporation where the loss would go unreported. This type of accounting enabled Enron to write off unprofitable activities without hurting its bottom line.
In relating the Enron’s scandal to entry level controls, the failed in conducting the governance control in which audit committee doesn’t foresight this happenings and just let the market to market accounting method to conduct without further assessment and studies. They failed to direct the senior management in their attitudes in reporting financial statements, they are greedy that they only want their company sounds financial stable even though they are incurring losses. The management failed in conducting ethics and policies that the auditors didn’t anticipated to that risks. They failed in monthly analysis of budget versus the actual cost because they are using market to market accounting and off-the-books entries. They failed in many ways that resulted to their downfall.
- Villanueva, Don Luis M. (2019-102313)
(4/4)
What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk? Residual risk is the risk that remains after control is accounted for. It is the amount of risk or danger associated with an action or event remaining after reducing other risk. The importance of residual risk is the left over risk after securing controls and improvements have been applied. This means that the remaining risk now needs to be assessed and have an action based on the assessment to mitigate it. Also the importance of this is for compliance and regulatory requirements. In identifying the risk, it is important so that the auditor will properly know how to address and take the actions. Identify whether it is inherent or controllable risk, and identify the type of risk like capacity risk, strategic risk, compliance risk, natural environmental risk and political risk. Then measure the risk through its impact (high, medium, low), degree and level of certainty. Last is to analyse the risk in knowing the effects as to governance function of the management, as to risk management policies of the organization and as to internal control policies of the organization.
Reference:
Segal, T., (2021). Enron Scandal: The Fall of a Wall Street Darling. [online] Investopedia.
Shackleford, D., (2021). What is Residual Risk? How is it Different from Inherent Risk?. [online] SearchCompliance.
Louwers, T., Blay, A., Thibodeau, J., Strawser, J. and Bagley, P., (2017). Auditing & assurance services.
Grabillo, M. A. (2021). Risk Assessment Parts 1 & 2. Accounting Made Easy. Retrieved October 25, 2021. https://www.youtube.com/watch?v=lk313MOYcl0&list=PLqmYUi2kytZY168mPBCbvZLIQETDe8tat&index=2
- Villanueva, Don Luis M. (2019-102313)
(1/2)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
One of the components of internal control is entity-level control. They are the second level of the top-down approach when it comes to understanding the risks of an organization. Some examples of entity-level controls are code of ethics, risk management policies and procedures, fraud prevention and detection program, human resources policies and procedures, management’s control deficiency escalation process, variance analyses, and IT general controls.
A code of ethics is a guide of principles designed to help professionals conduct business with honesty and integrity. Risk management policies and procedures are an essential part of the whole organization as they provide a roadmap for day-to-day operations in order to ensure compliance with laws and regulations and give guidance for decision-making. On the other hand, human resources policies and procedures ensure every employee of an organization and help them to address any complaints, problems, and grievances of employees. They also provide guidelines on employer-employee relationships with regard to behavior, work schedules, health and safety, employment laws, etc. Control management, as well as fraud prevention and detection programs, are also essential because they help to check errors and implement corrective action for these. Another example of entity-level control is variance analyses, which help managers and auditors in making efficient, detailed, and forward-looking budgetary decisions. Last but not least, IT general controls are also important as they measure and safeguard the whole organization by means of protecting the integrity of data processed and stored by information systems.
Entity-level control is merely important to operate effectively and pervasively across the whole organization. These controls help to mitigate the risks threatening the entire organization and to achieve the organizational goals and objectives. Therefore, auditors need to understand the entity-level controls since they have great influence throughout an organization in the sense that they avoid producing material misstatements in the financial statements of the company.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
From the given case study, Enron is one of the famous financial scandals that failed to represent proper entity-level controls. They declared bankruptcy due to fraudulent accounting. Based on my research, the company used off-balance-sheet and falsified its financial statements by overstating the earnings to shareholders, not recording expenses, as well as misstating assets and liabilities. Another one is that Enron failed to disclose the necessary details of its transactions. Enron’s leadership fooled regulators with fake holdings and used special purpose vehicles, or special purpose entities, to hide their debts and assets from investors and creditors. Consequently, the company’s top executives were charged as criminals and some of them were sent to prison. This scandal eventually ruined the accounting giant Arthur Andersen LLP, which handled Enron’s books.
HEDREYDA, HILARY N. (2019-103876)
(2/2)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Whenever you treat the risks, they are not completely eliminated. There are still risks that will remain at a certain level and this is called residual risk. Residual risk is the risk that remains after the management has taken action to reduce the impact and likelihood of an event. The main goal of it is to make it as low as possible by means of identifying, measuring, and analyzing the said risk.
It is important for Internal Auditors to do those things to secure the protection of all stakeholders. Identifying and assessing those factors that could negatively affect the business allows them to examine the risks that you and your organization face. With that, the organization will be able to know how to respond by developing plans and mitigating those risks as soon as possible by minimizing harmful events before they could cause a large impact on the company as a whole.
REFERENCES:
Maxick, Freed. Entity Level Controls and Associated Risks. Accessed November 04, 2021. https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by--or-no-controls-in-place
Reciprocity. (2021, October 21). What is Residual Risk. Accessed November 04, 2021. https://reciprocity.com/resources/what-is-residual-risk-in-information-security.
Segal, Troy. Enron Scandal: The Fall of a Wall Street Darling. Accessed November 04, 2021. https://www.investopedia.com/updates/enron-scandal-summary/
HEDREYDA, HILARY N. (2019-103876)
IMPORTANCE OF EFFECTIVE ENTITY-LEVEL CONTROLS TO RISK MANAGEMENT AND CONTROL ACROSS ORGANIZATION
Deriving definition from the word itself, entity level controls are controls implemented to cover all corners of work in an organization, meaning, these apply to and function on the entirety of a company. Likewise, as mentioned by Lois Colby (2021), they may also be considered as higher-level controls that are more general in nature or those that impact a broader audience.
The purpose behind its implementation is to primarily mitigate risks that exist at the organizationwide level, including those that arise internally and externally. Also, it must be understood that entity level controls should support, complement, and reinforce specific control measures (e.g. Transaction-level and process-level controls) created to cater to the needs of particular departmental units (Internal Audit Foundation, 2017).
As this broader set of rules was proven to have a significant influence on the smaller segments and specific processes within an organization, this opens a compelling reason for companies to do regular evaluation of their entity-level controls, concerning its effectiveness and adequacy in dealing with the overall business threats. This assessment will help internal auditors to accurately track risks within specific processes. It then will enable them to formulate additional control measures that fully or best address risks which have been discovered.
Entity-level controls shall work in unison with process-level and transaction-level controls to ensure that the company's general and specific objectives will be achieved. A failure in either one of them in itself forms a risk that could lead to a company's downfall.
THE COLLAPSE OF BARINGS BANK
Barings was among the largest and most stable banks in the world until Nick Leeson, their head of derivatives, led them down to bankruptcy in 1995, losing over 1 billion dollars in unauthorized trades. The losses were so colossal that even efforts by the Bank of England to arrange a rescue package could not avert the inevitable collapse (Chen, 2020).
Leeson even had the guts to blame the Bank's systems by claiming that there was no proper monitoring and sharing of information across the organization as the bank relied mostly on manual processes, thus, risks could not be identified and solved immediately. That's what had driven him to continue betting on unhedged, unauthorized speculative trades, while doing accounting tricks to hide the losses he incurred from the unsupervised activity.
During the closing session of the RSA Conference 2009 in London, he said that integrated information technology, as well as having risk managers who have the necessary understanding of the business and the authority to take action, could have prevented Barings' collapse.
In conclusion, this controversial issue in the history of financial institutions has proven how crucial it is for a company to establish effective entity-level controls, just like in this case which particularly shows the defect in fraud prevention and detection program, code of ethics, compliance policies, and other governance controls, as well as the absence of IT general controls.
RESIDUAL RISK AND THE NEED TO ADDRESS IT
As defined by Edward Kost (2021), residual risk is the threat or vulnerability that remains after all risk treatment and remediation efforts have been implemented. Either there are no control measures that could prevent it, or they would be disproportionate to the level of risk presented. There’s no way to completely eliminate residual risk, but the goal is to make it as low as reasonably possible (Snook, 2020).
Moreover, if the residual risk indeed poses a big threat to the company's operations, there is a need to apply an extra effort to mitigate this type of risk as this could bring serious and long-term negative impacts when not given enough attention. On the other hand, residual risk that bears little to no effect should still not be underestimated. Who knows if this grows to something that could breed new major risks that eventually lead to unexpected operational breakdowns.
References:
Colby, Lois. (2021). Entity-Level Controls: Impact On An Organization & The Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
Internal Audit Foundation. (2017). Internal Auditing: Assurance & Advisory Services (4th ed.) Auditing Entity-Level Controls.
Chen, James. (2020). Barings Bank. Investopedia. https://www.investopedia.com/terms/b/baringsbank.asp
Warwick, Ashford. (2009). Integrated IT could have prevented Barings collapse, says Nick Leeson. https://www.computerweekly.com/news/1280091154/Integrated-IT-could-have-prevented-Barings-collapse-says-Nick-Leeson
Kost, Edward. (2021). What is Residual Risk? Why it Matters in 2021. https://www.upguard.com/blog/residual-risk#:~:text=Residual%20risk%20is%20the%20threat,remain%2C%20these%20are%20residual%20risks.
Snook, Ann. (2020). How to Reduce Residual Risk with Case Management Software. https://www.i-sight.com/resources/how-to-reduce-residual-risk-with-case-management-software/
- Ellen Grace B. Tanhueco (2019-100741)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
The preparation of control when it comes to risk management can be too wide for an auditor. There are a variety of risks that an entity may experience both in a long and short run of operation. Those risks may involve external such as natural environmental risk, political risk, and compliance risk, while on the other hand, it may also involve internal or the risk that the entity may face inside the organization such as capacity risk, strategic risk, and others. These risks should be thoroughly applied by its specific external and internal control policies that will remove or lessen the impact of risks. Within the scope of organization, the board of directors are responsible for the implementations of policies, standards, and procedures that are to be followed. To manage the business well, Colby (2021), a CPA and a partner of Linford CPA Firm, named a few organization control levels such as divisional regulatory, transaction-level, process-specific controls, and entity-level controls to utilize the type of control in the entity. Entity-level control is defined as the most crucial part when a company is conducting business interactions. This control addresses the financial statement level risks and will oversee if the entity enforced all the directives of the organization as a whole. Entity-level control is important in auditors because it tackles the five required auditing standards in audit. The five auditing standards are control environment, risk assessment, monitoring the feedback, information and communication, and the control activities. If these five components are enforced correctly, it will reflect in the financial statements materially.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
It is not new to us that the company's primary goal is to gain profit for the business. Some business owners will take risks of course to expect return in the future operations. Of course, there is a crucial participation of competition in the market to secure the best quality of goods and services that flow in the market. In the last decades, there are many businesses around the world that have been involved in accounting scandals, affecting not just the company's credibility but also the lives of the people that are related to those businesses. These are because of the excessive greed of some individuals that led to some consequences. One of those businesses that was involved in an accounting scandal is the Luckin Coffee Accounting Fraud. According to a recent study, Luckin Coffee Inc. is a beverage retailer in China selling mainly coffee and tea that started in January 2018 in Beijing and Shanghai with just a few stores. In a span of two years, Luckin became the largest coffee retailer in China, overshadowing its competitor Starbucks in the region by expanding its outlets to 4,507 stores compared to Starbucks' 4,300 in valuation. In order to increase the market profit, Luckin provided discounts such as payment through digital platforms or by redeeming coupons through Luckin's app. The misstatements were found during the end of 2020 and charged by the US Securities and Exchange Commission of fabricating the revenue, expenses, and net loss to deceive its investors about their financial statements, and therefore, agreed to pay millions of charges to settle charges of fraud and accounting irregularities. As Luckin's Senior Management, the board of directors are responsible to certify and ensure that the financial statements are accurate. Unfortunately, Luckin's COO named Jian Liu resigned and was found guilty, together with its few employees, of having overstated the company's revenue.
The management failed to maintain a strong internal control, that is, internal and external failures because of the statements fabrications.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Some risks after the control measures and activities being done in the operations have a potential to remain in the entity. These risks that remain after all the efforts of identifying, removing, or eliminating all types of risks are what we call the residual risks. The residual risk, as stated, is the "left over" after security controls have been implemented, meaning to say that these are the risks that the entity might need in the organization to sustain the balance in the entity's operation. We all know that even those risks cannot be eliminated hundreds percent of the time just like in any other activities such as cleaning with residual germs after work. Business is a complex activity and managers cannot always eliminate risks in the business, perhaps, risks are essential in an organization to produce competitive and good quality products and services. To calculate residual risk, organizations must understand the difference between inherent risk and residual risk. Inherent risk in the business is the amount of risk that exists in the absence of controls. These are the risks that a company may face regardless of implementation of controls and measurements. In other words, the primary difference between the two risks is the influence of the controls and other mitigation solutions for them. To calculate the residual risk, first is to quantify the uniqueness of it to the landscape. This will help the specific controls that are required to solve each risk and to measure the success of the efforts. Risk should be measured to know its impact and its certain degrees in the organization.
REFERENCE:
Chung, E. (2021, August 27). Case Study: Luckin Coffee Accounting Fraud. Seven Pillars Institute For Global Finance and Ethics. https://sevenpillarsinstitute.org/case-study-luckin-coffee-accounting-fraud/
Colby, L. (2021, March 16). Entity-Level Controls: Impact On An Organization & The Audit Process. Linford & Co. CPA Firm. https://linfordco.com/blog/impact-of-entity-level-controls/#:~:text=Conclusion,and%20interacts%20with%20external%20stakeholders.
Fasulo, P. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference? Security Scorecard. https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Hall, C. (2021). Entity-Level Controls: Why They Matter. CPA Hall Talk. https://cpahalltalk.com/entity-level-controls/
Kost, E. (2021, October 25). What is Residual Risk? Why it Matters in 2021. UpGuard. https://www.upguard.com/blog/residual-risk
Bandola, Erica C.
2019-105307
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-Level controls are the controls that operate pervasively across and throughout the organization to mitigate risks threatening the organizations as a whole and to provide assurance that the organizational objectives are achieved (Internal Audit Foundation, 2017). Entity-level controls are often wide in scope and frequently deal with the organizational environment or environment. They are intended to manage risks that exist across the whole company, including those that emerge both internally and externally. Process-level and transaction-level controls are also supported, supplemented, and reinforced by entity-level controls. It has two types, governance or management oversight. Governance controls are established by the board and senior management (e.g. CEO). On the other hand, management control is formed by management (for example, business unit and line management) to reduce risks to the business unit and ensure that its objectives are met. When evaluating whether controls are sufficient to handle identified risks, management evaluates entity-wide controls that are widespread across the organization. Following that, management takes educated judgments on which processes require more controls. These controls are typically constant in principle across business divisions, although their implementation may differ from one to the next. When evaluating entity-level controls, the objectives, risk, control and assessment approach works. An effective and efficient entity-level controls could result in fewer process and transaction-level controls, mitigating and compensating controls, and resources devoted to testing such controls (Internal Audit Foundation, 2017). As a result, the organization's efficiency will improve, and costs will potentially decrease.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
One of the famous entity-level controls breaking down is Enron Corporation, a U.S. corporate scandal. Kenneth Lay, a great entrepreneur, created Enron, a Houston-based energy firm. In 1985, two American gas pipeline firms merged to form the corporation. The firm went from a very minor concern dealing in gas pipelines and oil and gas exploration to the world's largest energy trading corporation in just 16 years (The Economist, 28 November 2002). Enron, the advocate of energy deregulation who grew to be one of the country's top ten corporations, went bankrupt. This happened when a competitor pulled out of a plan to purchase Enron, and many of the company's major trade partners ceased doing business with it. Aside from these, the primary reason of failure in the corporate governance of Enron is when the entity’s board of directors waived conflict of interest rules to allow the Chief Financial Officer (CFO), Andrew Fastow, to conduct private partnerships to do business with the firm. These partnerships appear to have covered debts and obligations that would have impacted Enron's stated earnings significantly. Following Enron's demise, the subject of how to strengthen the boards' competence and willingness to oppose unethical activities via company management arises. Subsequently, several corporate governance complications arise due to unrestricted power in the hands of the chief executives, which provided great impact in the management of Enron. It resulted in multiple unethical and fraudulent activities since the beginning of the entity’s downfall. Enron's corporate governance was inadequate in practically every way. As a result, the board of directors is largely comprised of people who lack moral character. They are also frequently willing to participate in dishonest behavior. The exact origin of the company's corporate governance failure was this.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
After an organization has taken proper control and risk treatment, there are still risks that remain at a certain level; this is called a residual risk. According to Kosutic, residual risks are often assessed in the same manner as initial risk assessment - using the same methodology, assessment scales, and so on. What's different is that you have to consider the impact of controls (and other mitigation strategies), therefore the chance of an incident is typically reduced, and the impact is sometimes even reduced. Residual risk is always present (Kost, 2021). Setting an acceptable risk benchmark and then implementing programs and solutions to minimize any hazards below that level is the process of managing residual risk.
In my opinion, all types of risk necessitate attention from the company’s management. Either low or high, they have an equal level of importance as they bring impact to the overall company’s internal control. Moreover, residual risk is important for internal auditors to identify, measure, and analyze to assess whether the residual risk is above the acceptable level of risk or not. In this manner, the internal auditors could evaluate if the residual risk needs to be mitigated.
References:
Internal Audit Foundation. (2017). Case Study 1 Auditing Entity-Level Controls. Internal Auditing: Assurance & Advisory Services, 4th Edition. Pp. 1
European Scientific Institute (2016 June). Corporate Governance Failure: The Case Of Enron And Parmalat. European Scientific Journal 2016 Edition Vol.12 . Pp. 283-286
Kosutic, D. (n.d). Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Aloroy, Genelyn T.
2019-202971
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity Level Controls (ELCs) are “controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.” Some examples of these controls are a code of ethics, risk management policies and procedures, fraud prevention and detection programs, human resources policies and procedures, management’s control deficiency escalation process and variance analyses. Organizations who have weak or no entity level controls in place can experience many problems. These five items can be risks associated with weak or non-existent entity level controls. (Burgos, D. 2020). Radical solutions and open science: An open approach to boost higher education. Springer Nature.
Management is the primary source of the design, implementation, and maintenance of entity level controls and therefore, there is potential for management to have the ability to override these controls. If a member of the management team has the opportunity, incentive, and/or pressure to override these controls and commit fraud, it is a risk that is not easily overcome. Those charged with governance, such as shareholders, the Board of Directors, and the Audit Committee, need to take an active approach in evaluating any possible scenarios in which fraud can occur and mitigate these risks. Additional steps can be taken in order to control the risk of management override if this risk is identified. (OECD. 2014). Corporate governance risk management and corporate governance. OECD Publishing. Entity level controls tend to be less formal than activity level controls and normally carried out by one or two key individuals, such as the owner or manager. Regardless whether these controls are formal or informal, they need to be actively monitored to ensure they are being performed. (National Research Council, Division on Engineering and Physical Sciences, Board on Infrastructure and the Constructed Environment, & Committee for Oversight and Assessment of U.S. Department of Energy Project Management. 2005). The owner's role in project risk management. National Academies Press.
DIZON, MARK RAVEN R.
2019-107007
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The last two decades saw some of the worst accounting scandals in history. Billions of dollars were lost as a result of these financial disasters, which destroyed companies and ruined peoples’ lives. Many of these accounting scandals were a result of the excessive greed of a few individuals whose actions led to disastrous consequences which brought down whole companies and affected millions of people. (Commission, F. C. 2011). The financial crisis inquiry report: The final report of the National Commission on the causes of the financial and economic crisis in the United States including dissenting views. Cosimo.
Waste Management Inc. is a publicly-traded US waste management company. In 1998, the company’s new CEO, A Maurice Meyers, and his management team discovered that the company had reported over $1.7 billion in fake earnings. The Securities and Exchange Commission (SEC) found the company’s owner and former CEO, Dean L Buntrock, guilty, along with several other top executives. In addition, the SEC fined Waste Management’s auditors, Arthur Andersen, over $7 million. Waste Management eventually settled a shareholder class-action suit for $457 million. (United Nations Publications 2017). Understanding cybercrime: Phenomena, challenges and legal response. UN.
DIZON, MARK RAVEN R.
2019-107007
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made. Residual risk is important for several reasons. First to consider is that residual risk is the risk "left over" after security controls and process improvements have been applied. This means that residual risk is something organizations might need to live with based on choices they've made regarding risk mitigation. Or they could opt to transfer the residual risk, for example, by purchasing insurance to offload the risk to an insurance company. (Food and Agriculture Organization of the United Nations, & World Health Organization. 2020). Guidelines for personal protection when handling and applying pesticides: International code of conduct on pesticide management. Food & Agriculture Org.
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals. Interpretation: The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls. (Hansen, E., & Juslin, H. 2011). Strategic marketing in the global forest industries. Considering residual risks would always be present, the method of managing them entails establishing an appropriate risk level and then adopting programs and solutions to eliminate any risks below it (Kost, 2021). It is critical for internal auditors to identify, measure and analyze this risk as it could cause the organization to fail. Immediate and appropriate actions should be made to minimize these risks. There should be an implementation of security procedures to lessen or totally eradicate the negative effects of a threat. (Vallabhaneni, S. R. 2014). Wiley CIAexcel exam review 2014: Part 2, internal audit practice. John Wiley & Sons.
References:
https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
https://searchcompliance.techtarget.com/definition/residual-risk
https://chapters.theiia.org/pittsburgh/Events/Documents/IIA%20Lunch%20and%20Learn_Risk%20Assessment_2.4.13.pdf
1. What is the importance of Entity-Level Controls to effective risk management & Control across the whole organization?
According to Charles Hall in his article, "Controls that address financial-statement-level risks are known as entity-level controls. For example, a poor control environment can pervasively affect financial statements.". Entity-Level Control has five (5) components: (1) control environment, (2) risk assessment, (3) monitoring, (4) information and communication, and (5) control activities.
The internal auditor must test the five components of entity-level controls because they are critical to the auditor's conclusion on whether the company has adequate internal control over financial reporting. The auditor's assessment of entity-level controls may increase or decrease in the testing that the auditor would typically conduct on other rules.
For instance, consider the control environment component. Internal auditors should assess the control environment since certain persons may take inappropriate behaviors and make a misstatement error. To avoid this, the organization should practice active governance, accountability, implement a code of conduct, a conflict-of-interest statement, a whistleblower policy, and document controls. By doing so, the organization can ensure that the atmosphere is controlled and that misstatements are avoided. Furthermore, if the entity-level Control adequately addresses the risk of misstatement, the auditor does not need to examine further controls related to that risk.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The Enron scandal is perhaps the most well-known accounting scandal. Accounting flaws, poor financial reporting, and special-purpose organizations are all used by senior executives to hide billions of dollars in debt from failing deals. Former Vice President of Corporate Development Sherron Watkins uncovered the wrongdoing. The company's top executives misled the board of directors and audit committee about their high-risk accounting procedures, and they encouraged its auditor to ignore problems. After the stock price dropped, shareholders launched a $440 billion lawsuit. It was the largest corporate bankruptcy in U.S. history at the time.
Aronce, Mary Angelou N. 2019-105627
3. What is a residual risk, and why is it essential for Internal Auditors to identify, measure, and analyze this risk?
Residual risk refers to the remaining amount of loss exposure to which an organization is exposed after all other dangers have been avoided or neutralized using risk management approaches.
Some residual risk occurs solely due to unforeseeable situations, and as a result, a firm's managers are unaware that it exists. Because the earnings to be made are so great, an organization may choose to stay in a specific business area despite the significant residual risk. However, when profits are minimal or non-existent to counter the residual threat, the organization should abandon that line of business since it will eventually incur losses from residual risk, resulting in net long-term losses.
Internal auditors have a critical role in identifying, measuring, and analyzing risk because these risks might result in a short- or long-term loss for the organization.
Knowing the nature of risk is the first step towards identifying it: whether the risk is inherent or whether it can be controlled. After identifying the risk, the auditor should begin brainstorming policies to mitigate the identified potential risks. The next step is to measure the risk. The auditor should determine whether the risk is low, medium, or high in impact. Banks, for example, usually are cautious and do not accept risks lightly. On the other hand, start-ups have a more proactive mentality and are more willing to chase risky opportunities. After determining the risk level, the following step should be risk analysis. Analyzing the risk is necessary to comprehend the consequences of potential risks and to put in place adequate internal controls to minimize them, such as raising employee awareness of the risk by emphasizing excellent practices during the risk analysis process.
It is vital to identify, measure, and analyze residual risk in order to be aware of the types of risks that exist and to be prepared for changes in the business environment.
REFERENCES:
• C. Hall (2020, September 21). Entity-Level Controls: Why They Matter. Retrieved October 29, 2021, from https://cpahalltalk.com/entity-level-controls/
• R. Biedron (2021, March 1). Famous Accounting Scandals in Corporate Finance. Retrieved November 3, 2021, from https://planergy.com/blog/famous-accounting-scandals/
• Murdock, H. (2017). Operational Auditing: Principles and Techniques for a Changing World. CRC Press Taylor & Francis Group. pp 64 – 73
• (N.A.) (2021, April 10). Residual risk definition. Retrieved November 03, 2021, from https://www.accountingtools.com/articles/2017/10/22/residual-risk
Aronce, Mary Angelou N. 2019-105627
(1/2)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
As businesses often have a wide range of operations and extensive processes, the controls over the entity have been divided into several levels to maximize the efficiency and effectiveness of these controls. Entity-level control is one of these control levels in business. The Internal Audit Foundation (2017) noted that entity-level controls are the controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved. In other words, entity-level controls encompass the controls for the business as a whole and if we are to compare this is like the biggest picture of the controls over the business.
Entity-level control is significant to the risk management and control of the whole business as it provides a wide view when it comes to the overall situation of the business, internally and externally. This way, the risks that the business is exposed to can be observed as a whole so it will be easily identified and sorted out for the business to take immediate action. Also, having control over the organization as a whole provides a wide range of solutions to every identified risk creating an efficient path for the business to take. Moreover, it can give the organization the overall view of what factors in the processes and operations should be prioritized, kept in check, and should be changed for the overall good of the firm.
Effective risk management and control across the whole organization will be properly utilized and implemented when the entity-level controls of the business are efficiently exercised and effectively improved over time as it sees over the whole well-being of the entity.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
With the long history of different businesses and industries in the market, financial scandals from these businesses are not uncommon. As failure is bound at some point of different decisions, sometimes these failures are too big for the entities creating the most famous scandals of failures of one’s business entity in the market.
One of the famous financial scandals that failed to represent proper entity-level control is the scandal of the Volkswagen diesel emissions scandal. This scandal mainly started with the poor discretion of the senior management of the entity specifically, in an effort to evade the law, senior executives at one of the world’s oldest and most recognized automobile corporations install sophisticated software in over 11 million of its vehicles (Sharpe, 2017). The company installed “defeat devices" in the form of computer software designed to cheat on federal emissions tests (US EPA, OAR, 2019). In this case, the top management of the company decided to install software that makes the carbon emission test for the cars that they are producing for the past ten years to be passed even though, in reality, the cars cannot pass the emission tests and surely produced a lot of emissions to the environment when it is being used. This case is a failure to the entity-level control of the company as what they had practiced with their products is a violation of the code of ethics as it is harmful to the environment, it is a form of fraud as they release false information in the market and they’d cheated to the existing laws, and it is an escalated management control deficiency as the people that involved and admitted the failure of the company is the senior management that should be one overseeing if the operations are in line with what is correct and should be done by the company.
TALABONG, ELA RAIN F.
2019-102788
(2/2)
The failure of the senior management and the entity-level control dooms the company to fail and makes a billion dollars of losses to the business entity.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Once the internal control of the business is designed sufficiently and it operates effectively, the —different levels of control. This way the risks are being handed, observed, and solved by appropriate control levels of the entity. Once the risks are identified in the top levels of control the remaining risks unidentified should be considered as residual risk or net, the risks that do not exceed the organization’s risk appetite and are acceptable to the organization.
Residual risk is important for Internal Auditors to identify, measure, and analyze as these risks are the ones considered as controllable and can be taken by the organization, in a way it could be considered as the risks taken by the company in its operations. These risks being identified, measured, and analyzed gives way to its overall nature, its implications, and the steps that the company may take to mitigate these risks properly and sometimes could be turned into opportunities. Moreover, residual risks should be less than or equal to the risk appetite of the company— meaning it should be measured accurately and analyzed thoroughly so it won’t exceed the expected as it would affect negatively the risks control of the management and in turn will jeopardize the overall operations of the business.
Residual risks are risks taken by the company and that should be always under the control of the entity to avoid its escalation to bigger problems in the future. Also, it may be called residual, but if it would be taken for granted these risks might turn into the greatest downfall of the company, as the saying goes, things may be small, but surely it can make someone blind.
References:
Internal Audit Foundation. (2017). Internal Auditing: Assurance & Advisory Services, 4th Edition. Internal Audit Foundation. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Sharpe, N. (2017). Michigan Business & Entrepreneurial Law Review Volkswagen’s Bad Decisions & Harmful Emissions: How Poor Process Corrupted Codetermination in Germany’s Dual Board Structure. 7 MICH. BUS. & ENTREPRENEURIAL L. REV. 49. https://repository.law.umich.edu/mbelr/vol7/iss1/3
US EPA, OAR. (2019, February 4). Learn About Volkswagen Violations | US EPA. US EPA. https://www.epa.gov/vw/learn-about-volkswagen-violations
TALABONG, ELA RAIN F.
2019-102788
(1) The importance of Entity-Level Controls to effective risk management & control across the whole organization
Entity-level controls are pervasive throughout the organization versus designed for a specific division or operation, such as finance, manufacturing, research & development, etc. (Colby, 2021). Those controls describe organizational cultures or beliefs. It acts as a regulation, laws, and professional standards that an individual abides by.
There are five components of Entity-level control that Colby provides on his blog such as (1) control environment, (2) risk assessment, (3) monitoring, (4) information and communication, and (5) control activities. Those components should be implemented to provide an overall strong control environment. Implementing entity-level control will provide a foundation for an organization to its daily operations.
(2) WorldCom Scandal
Too good to be true, that is what other people called about the profit of WorldCom. Its market capitalization had grown to $175 billion, which is kind of alarming knowing that the Enron scandal occurred in the past year. It is like a warning to those investors that want to invest in WorldCom. WorldCom was a telecommunications company that went bankrupt in 2002 following a massive accounting fraud. WorldCom remains the biggest accounting scandal in U.S. history, as well as one of the largest bankruptcies.
The fraud was discovered after Bernard Ebbers, former CEO of WorldCom, stepped down from his position in the company. It revealed that he had borrowed $408 million from the Bank of America to cover margin calls, using his shares in the company as collateral. The fraud that Ebbers did was recording the expenses as an investment. By doing so, it exaggerated the profits by $3.8 billion in 2001 and $797 million in the first quarter of 2002, resulting in a profit of $1.4 billion instead of a net loss.
The incident resulted in the conviction of former CEO Bernard Ebbers, who was sentenced to 25 years in jail, and former Chief Financial Officer Scott Sullivan, who was sentenced to five years. This scandal shows that the company has a weakness when assessing the anomaly in the company.
1/2
2019-104415
Mangilog, Anthony C.
(3) Residual risk and the importance of Internal Auditors need to identify, measure, and analyze this risk.
Risks that remain after identifying and eliminating some or all the risks that have been made are referred to as residual risks (Shackleford, 2021). It is important for the Internal Auditors to identify, measure, and analyze the risk because it will help the company properly assess the situation. There is nothing you can do to extinguish the residual risk. There will always be a residual risk. Suppose the residual risk is below the acceptable risk that the company forecasted. In that case, it means that the implemented control of the company is effective and efficient.
If the residual risk remains over an acceptable threshold of risk and the cost of the necessary controls and countermeasures is too expensive, organizations may be forced to accept the risk regardless of the residual risk.
In general, organizations should take the following steps when dealing with residual risk: Determine the important and relevant governance, risk, and compliance requirements. Specify the organization's control framework's strengths and weaknesses. Recognize existing risks, establish the organization's risk tolerance, and identify available options for mitigating unacceptable residual risks.
References:
Cpa, L. C. C. |. (2021, March 16). Entity-Level Controls & How They Impact Your Organization. Linford & Company LLP. https://linfordco.com/blog/impact-of-entity-level-controls/
Murdock, H. (2016). Operational Auditing: Principles and Techniques for a Changing World (Internal Audit and IT Audit) (1st ed.) [E-book]. Auerbach Publications.
Shackleford, D., & Sales, F. (2021, October 12). residual risk. SearchCompliance. https://searchcompliance.techtarget.com/definition/residual-risk
WorldCom. (2021, October 3). Investopedia. https://www.investopedia.com/terms/w/worldcom.asp
2/2
2019-104415
Mangilog, Anthony C.
1/2
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-Level Controls is one of the levels of control. Under this control are code of ethics, risk management and procedures, fraud prevention and detection program, human resource policies, management’s control deficiency escalation process, variance analysis and IT general controls, which have a wide range of effects to achieve the objective of an organization. It is very important because these controls operate throughout the whole organization to mitigate or lessen the possible impacts of risks that threaten the business; it provides assurance of achieving the objectives of the organization as well. This will help the whole organization to build its strong foundation and to overcome any uncertainties they might encounter along the way. Through applying Entity-Level Controls, they can identify the strengths and weaknesses of the business entity and generate solutions on how to appropriately use their strengths and properly address their weaknesses. It’s a significant factor to have an effective risk management and control through the whole organization.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
In the year 2002, WorldCom was an American telecommunication company located at Ashburn, Virginia was discovered that they inflated their assets by almost $11 billion just a year after the Enron scandal. It is considered as one of the largest accounting scandals in the industry. They inflated their revenues by making false financial entries on its books from 1999 by underreporting costs through capitalizing instead of expensing them. The company set aside reserves to cover estimated losses such as uncollected payments from customers and judgements in lawsuits and other expected costs. This scandal was first discovered by the company’s internal audit department found fraudulent accounts costs amounting to $3.8 billion. The entity’s Chief of Financial Officer and Controller, was sentenced to prison for 65 years due to securities fraud, conspiracy, and filing false documents. The chief of executive and founder of WorldCom has not been charged because he said that he was unaware of the scandal. They also have the same accountant with Enron which is Arthur Andersen. It resulted to 30,000 job losses and $180 billion losses of investors and shareholders.
Mondia, Divine Grace A.
2019-105175
2/2
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
According to Shackleford (2021), residual risk is the remaining or “left over” risk after efforts to identify and eliminate some or all of the risks have been made. It is important because it is something that an organization might need to live with based on choices they've made regarding risk mitigation. It is also important for compliance and regulatory requirements. Based on assessment, internal auditors can determine which activities or operations need to be included in the audit plan. In areas having the greatest risk exposure, internal auditors may perform assurance, inquiry, or consulting activities. They can use risk assessments as well to identify any controls that inefficiently reduce risk.
Reference
IAF, (2017). Internal Auditing: Assurance & Advisory Services. 4th Edition. Retrieved (2021) from https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Tran, M. (2002). WorldCom accounting scandal. Retrieved (2021) from https://www.theguardian.com/business/2002/aug/09/corporatefraud.worldcom2
Shackleford, D. (2021). What is residual risk and why is it important? Retrieved (2021) from https://searchcompliance.techtarget.com/definition/residual-risk
Mondia, Divine Grace A.
2019-105175
(1/2)
(1) What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Every business has its own system of rules, policies, practices, values and goals. In simple terms, these are the corporate governance of the business. Corporate governance is a fundamental tenet of a business to balance its interests with government and society and with its own stakeholders. To be more specific, one of the key parts and foundations of Corporate Governance is the Entity Level Controls.
Entity level controls, referred to as “Tone at the Top” controls, are rules, policies and procedures that lay down the desired behaviors of the board members, management team and employees in addressing the financial statement-level risk of a company (MBG Corporate Services, 2021). Entity level controls help the organization in ensuring management directives are effectively carried out.
Some of the activities that are included in entity level controls are Mission Statements, Code of Conduct, Code of Ethics, internal audits and compliance requirements, employee rulebooks and guidelines, Board policies, documented procedures, stakeholder training programs, etc. (MBG Corporate Services, 2021).
In establishing strong entity level controls, it is important to keep in mind before selecting the right controls, is to study first the size and nature of the business. These will be the basis in establishing entity level controls. Next step is to classify the established controls into two: the direct and indirect entity level controls. Direct entity level controls are established for the company to prevent or detect a material misstatement in the financial statements, thereby ensuring that they are stated fairly and accurately and the people responsible for them are held accountable (MBG Corporate Services, 2021). While indirect entity level controls relates to the operation, governance, conduct and behaviors of the organization and its internal stakeholders (codes of ethics, conduct and behavior, etc.)
Entity-level controls are undoubtedly vital for every organization. They have a pervasive impact throughout an organization. Through these controls, organizational culture of a company can be defined. According to MBG Corporate Services (2021), here are the benefits of having strong entity level controls: (1) Quality, error-free financial statements and financial reporting; (2) Better risk assessment and management, stronger risk mitigation; (3) Improved effectiveness and efficiencies in business and operations; (4) Lowered reliance on activity- and transaction- level controls; (5) Senior, high-quality personnel driving internal controls; and (6) Strong personnel management through well-defined roles and expectations.
Reference:
MBG Corporate Services. (September 13, 2021). The Critical Importance of Entity Level Controls to your Organization. Retrieved November 02, 2021 from https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
— KRYSTAL VIEN T. LADAO (2019-106903)
(2/2)
(2) Give one example of famous financial scandals that failed to represent proper entity-level controls.
An example of famous financial scandals that failed to represent proper entity-level controls is the Lehman Brothers Scandal (2008). Lehman Brothers was a global financial services firm based out of New York City, New York and one of the largest investment banks in the United States (Corporate Finance Institute, n.d.). It was discovered that during the 2008 financial crisis, the Lehman Brothers had hidden over $50 billion in loans that had been disguised as sales using accounting loopholes. According to an SEC investigation, the Lehman Brothers had bought back the toxic assets they had sold to banks in the Cayman Islands on a short-term basis. This gave the impression that the company had $50 billion more in cash and $50 billion less in toxic assets (Corporate Finance Institute, n.d.). Lehman Brothers went bankrupt after the 2018 scandal.
(3) What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
In recognizing and managing risks of the business, it is important to keep in mind that it is not possible to completely eliminate all the risks of the business. There are always some risks that will remain at a certain level. These risks are what are called residual risks. Residual risk is the risk that remains after efforts to identify and eliminate some or all types of risk have been made (TechTarget, 2021). It is the "left over risk" after improvements and controls have been made. Managing residual risk is solely in the hands of the organization. The management needs to first assess the risk management of the organization and examine if the planned mitigation methods and controls are enough or not. It is important to take into account the influence of the planned mitigation methods and controls, so that the incidence of residual risks can be decreased or the impact made smaller.
Managing residual risk comes down to the organization's willingness to adjust the acceptable level of risk in any given scenario (TechTarget, 2021). The organization can do nothing if residual risk is below the acceptable level of risk. Or the organizations can update or modify the controls and mitigation methods. In recognizing residual risks it is important to keep in mind not just the evaluation of controls but also the mitigation costs.
Managing residual risk is important for every business. The number one reason for this is that mitigating residual risk is a vital part of compliance and regulatory requirements of the business. Recognizing and calculating residual risk is important in determining the appropriate types of security controls and processes that get priority over time (TechTarget, 2021). Especially when comparing different control measures and planning to introduce a new control measure, you need to know that it will control the hazards and reduce the residual risk as low as, or lower than, any current controls you have in place (HASpod, 2019).
References:
Corporate Finance Institute. (n.d.). Top Accounting Scandals: A recap of the top scandals in the past. Retrieved November 02, 2021 from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
HASpod. (July 02, 2019). Residual Risk, How You Can Calculate And Control It. Retrieved November 02, 2021 https://www.haspod.com/blog/management/residual-risk
TechTarget. (October 12, 2021). What is residual risk and why is it important? Retrieved November 02, 2021 from https://www.google.com/amp/s/searchcompliance.techtarget.com/definition/residual-risk%3famp=1
— KRYSTAL VIEN T. LADAO (2019-106903)
1/2
1. The importance of Entity-Level Controls to effective risk management & control across the whole organization.
Internal controls are intended to protect the organization and reduce the risk to its goal. As controls operate at different levels of organization, there are different types of control, and one is entity-level controls. Entity-level controls apply across and throughout the organization, and this reflects the corporate culture, values, philosophy, and operating style. It is important to have this control as this would enable and dissuade fraud and encourage proper conduct. Some of the controls that the organization can impose at entity-level are establishing a code of ethics, risk management policies and procedures, and fraud prevention and detection programs. This ensures that the organizational objectives are achieved and that the team is not lagging behind.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Failure to implement and observe entity-level control would lead to the failure of the organization as well. One of the most famous financial scandals was the collapse of one of the world’s oldest banks, the Baring bank. The Baring bank, founded in 1762, ceased to exist in 1955 because of a single rogue trader, Nick Leeson. He was then the head of derivatives in Singapore and gambled more than $1 billion in unhedged and unauthorized speculative trades. He was approved to arbitrage derivatives contracts, but what he did was to bet on future contracts and other derivative instruments. He buys and holds them until he accumulates a loss and never recovers. There are many deficiencies in the risk management of Baring Bank that allowed Leeson to act fraudulently. One of the errors in internal control was allowing Leeson to be the head of both trading desk and settlement operations, which should be assumed by separate employees. It was as if he had "the duty of guarding the hen house". With the fall of this 233-year old bank, financial companies and businesses have become more vigilant about the need for separate control groups and have become more aware of risk management.
BUCAL, RINA P. (2019-102462)
2/2
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Other than the usual risks the organization is exposed to, like inherent and controllable risk, there is also residual risk. Residual risks are risks that remain after efforts to identify and eliminate them have been made (Shackleford, 2021). It is the left-over or net risk after controls have been applied as it is impossible to completely eliminate all the risk identified. Residual risk is helpful to assess whether the control is sufficient or needs improvement if this residual risk exceeds the risk appetite of the organization. It is also helpful in comparing different control measures as it serves as a measurement of how effective a specific control is. It is important to identify, measure, and analyze residual risk like the initial risk back to where it originated, because this may end up affecting the achievement of organizational goals if left unattended. Residual risk must not exceed the risk appetite of the organization because if it does, it only suggests that the controls or treatment were ineffective. Though it is expected that risk cannot be completely eliminated, it is important to control residual risk to its lowest possible level.
References:
Murdock, H. (2017). Operational Auditing: Principles and Techniques for a Changing World. Taylor & Francis Group.
Smith, E. (2020). The Barings collapse 25 years on: What the industry learned after one man broke a bank. Retrieved November 4, 2021. https://www.cnbc.com/2020/02/26/barings-collapse-25-years-on-what-the-industry-learned-after-one-man-broke-a-bank.html
Shackleford, D. (2021). What is residual risk and why is it important? Retrieved November 4, 2021. https://searchcompliance.techtarget.com/definition/residual-risk?amp=1
BUCAL, RINA P. (2019-102462)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-level controls are rules, policies, and procedures which are being operated pervasively across and throughout the organization. These controls are laid down to mitigate risks appearing to be threats to the organization as a whole and are made to provide assurance that the company’s objectives are attained. It is said that all types of control are not of equal value. Some controls are significant and critical to the outcome of business operation, while some are only supporting controls. However their absence would make the organization’s goals difficult to achieve. Entity-level controls have two types - governance controls and management-oversight controls.
The International Audit Foundation (IAF) illustrated a top-down view of enterprise risk management which showed that every organization faces a variety of risks which could be disastrous when ignored. Entity-level controls are referred to as “Tone at the Top” because in a funnel-like illustration, it is placed at the top. It is a filter of the possible key risks that will occur at varying levels of that system. It is important because it shapes how the company is being perceived and how it communicates with external stakeholders.
It is important that a company implements entity-level controls across the whole organization because it produces quality, error-free financial statements and financial reporting (MBG Corporate Services, 2021). This is through the direct entity level control which focuses on the prevention or detection of possible and material misstatements in the financial statements at the account or disclosure level which arise from fraud or error. It also provides the company a better risk assessment and management, improved effectiveness and efficiency in business and operations. These controls are vital to the overall success of the organization because it makes them prepared to face any unwanted problems and circumstances which would make them unorganized and weak. Companies should consider setting up internal controls, especially entity-level controls, in order for them to operate easier, more efficiently, and more organized. Without these controls, a company is guaranteed to stumble on the ground because its main foundation, the internal controls, are not as sturdy as they thought it to be.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The Barings Bank, also called the “Queen’s Bank” was one of the many famous financial scandals which failed to represent proper entity-level controls. After the company’s big share of success, they eventually failed due to their organizational architecture. Their failure was an epitome of even how powerful a company is, it could still be devastated by their shortcomings and minimal mistakes which accumulated because they were left unnoticed. What happened to Barings Bank was a perfect representation of failure in the implementation of internal control.
Nick Leeson, a trader, was promoted as general manager in the Singapore branch. Even though he has the capacity of bringing millions to the company, he eventually got caught up in unauthorized trading activities which were unnoticed. He made bets and lost all the money he placed in. As he gained power and authority, he acted outside the bank’s interest and made decisions which were personally directed to him. His acts were an obvious implication of an abuse of power which were not regularly monitored by the management because of the trust given to him.
In order to prevent this event from occurring, a company should set limitations to the power vested upon the employees, continue to monitor the transactions made by the employees - may it be financial and operational, set plans how to operate the business, and maintain transparency over every actions done.
Barabicho, Thea Sofia A.
2019-106912
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is the risk of loss or harm which remains after all the threats have undergone elimination. After a company has mitigated its risks, it is impossible that it will be completely eliminated even by how thorough a company’s internal control is. A company incurring a residual risk is still considered safe but only to the extent that it should be less than or equal to the risk appetite of an organization. This means that the total residual risk should always be at the level in which the organization could still bear it and not be affected by it. It is important for an internal auditor to identify, measure, and analyze residual risks because even if it is not material in number, it can still have an adverse effect when accumulated. An auditor’s role in this prevention is to create risk management which would serve as their plan of action in case the risks are below the acceptable level or above the acceptable level. It should be noted that everything that the management has built can fall down in a single mistake. Businesses, in order to be successful, should never let their guard down and be complacent.
Barabicho, Thea Sofia A.
2019-106912
REFERENCES
Internal Audit Foundation. (2017). Case Study 1: Auditing Entity-Level Controls. 4th Edition Internal Auditing: Assurance & Advisory Services. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
MBG Corporate Services. (2021). The Critical Importance of Entity Level Controls to your Organization. https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
Auditing plays an important role for a business to function properly. It assesses how a company performed from previous periods, and how it will affect its future venture. At regular times, management often completes its own assessment or a series of assessments of the organization's entity level controls (for example, annually or quarterly). Such evaluations are based on tests undertaken near the time of the assessment, as well as tests completed in connection with other assessments (such as assessments of an ERM program, a compliance program, or specific IT general controls) (Internal Audit Foundation, 2017). When analyzing and opining on the organization's overall system of internal controls, management examines the outcomes of its entity-level control assessments. Entity Level Controls (ELCs) are “controls that operate across and throughout the organization to minimize risks that threaten the company as a whole and to offer assurance that organizational objectives are met” (Fitzgerald, 2020). A code of ethics, risk management policies and processes, fraud prevention and detection programs, human resources policies and procedures, management's control deficiency escalation process, and variance analysis are just a few examples of these controls. Entity level controls that are poor or non-existent in an organization can cause a slew of issues. These five objects can be risky if entity level restrictions are poor or non-existent.
1. Entity Level Controls Risk #1: Management Override of Controls
Because management is the major source of entity level control design, implementation, and maintenance, there is the possibility that management will be able to overrule these controls. It is a risk that is difficult to overcome if a member of the management team has the chance, motive, or pressure to circumvent these measures and commit fraud. Those in charge of governance, such as shareholders, the Board of Directors, and the Audit Committee, must take an active role in assessing and mitigating the risks of fraud. If the danger of management override is identified, additional actions can be taken to mitigate it.
2. Entity Level Controls Risk #2: Limited Segregation of Duties
One of the most significant parts of preventing fraud or error in any business is the separation of tasks. The permission, recording, and handling of transactions should not be delegated to a single person. The implementation of a segregation of duties may be problematic for some firms with a small workforce. If this occurs, compensatory measures, such as oversight, supervision, and monitoring by management or those responsible with governance, must be instituted to guarantee that objectives are accomplished.
3. Entity Level Controls Risk #3: Over-reliance on Detective Controls vs. Preventative Controls
When something goes wrong, detective controls locate it, but preventative controls find it before it happens. Entity-level controls that are effective use both preventative and detective measures. Some preventative controls include ongoing and updated policy and procedure training, limiting user identities and passwords to specified individuals and systems, requiring multiple signatures on disbursements, and reviewing and approving purchase requests before they are made.
4. Entity Level Controls Risk #4: Informal vs. Formal Controls
Entity level controls are often carried out by one or two key personnel, such as the owner or manager, and are less formal than activity level controls. Whether formal or informal, these controls must be actively monitored to ensure that they are being followed.
5. Entity Level Controls Risk #5: Poor Tone at the Top
The ethical attitude that the organization's leadership creates in the workplace is referred to as "tone at the top." The tone set at the top of a company has a trickle-down influence on the rest of the staff. Employees will be more willing to uphold ethical and integrity ideals if supervisors set a positive tone.
------ to be continued
------continuation
As you can see, no business is perfect. There will always be flaws, but there are some flaws that this industry can remember. One example is the scandal of Enron. Enron Corporation was a Houston, Texas-based energy, commodities, and services firm. In 2001, it was revealed that the corporation had been utilizing accounting loopholes to hide billions of dollars in bad debt while inflating the company's revenues, in one of the most contentious accounting scandals in the last decade. Enron's stock price plummeted from roughly $90 to under $1 in a year as a result of the scandal, costing shareholders over $74 billion.
The company's CEO, Jeff Skilling, and former CEO, Ken Lay, hid billions of dollars in debt off the balance sheet, according to an SEC probe. Furthermore, they had forced Arthur Andersen, the company's auditor, to disregard the problem.
The two were found guilty partly due to former Enron employee Sherron Watkins' evidence. Lay, on the other hand, died before completing his sentence. Jeff Skilling was given a sentence of 24 years behind bars. The controversy led to Enron's bankruptcy and Arthur Andersen's demise.
Given that this kind of event took place in a large corporation, there is still no assurance that every audit will be of accuracy and faithfulness. If a company wants to sustain its existence, they will be true to their words and operations. They will be able to understand what kind of risks they would face. Risk documentation must be clearly documented. The risk that remains after management has taken steps to lessen the impact and chance of an incident is known as residual risk. Auditors measure risk that company faces to see what the impacts to its operations would be. It is significant, essential, and crucial for internal auditors to do the job properly to identify whether the strategies they are formulating will be effective or not. It will also highlight the areas of improvement and could lead to identification of new risks.
References:
Nicole Fitzgerald (June 2020). Entity Level Controls: Five Issues Caused by Weak or Non-Existent Controls in Place
https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
Internal Audit Foundation (2017). Internal Auditing: Assurance & Advisory Services, 4th Edition, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA
https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Corporate Finance Institute (2015 to 2021). CFI Education Inc.
https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
(1/2)
Importance of Entity-Level Controls to Effective Risk Management & Control
Not all know that there is more than one level or type of control when considering controls for an organization, such as entity-level, divisional, regulatory, transaction-level, and process-specific controls. But entity-level control is one of the most important controls to efficiently and effectively manage the operations and processes of the business. Fitzgerald (2020) stated that entity-level controls are controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and at the same time to assure that organizational objectives are achieved. They are designed to minimize risks at the organization-wide level, including those that arise internally and externally.
According to Internal Audit Foundation (2017), organizational controls may impact the system of internal controls differently than the tactical controls at the process level or transaction level. Therefore, it is essential to understand how such controls, particularly those that operate across the entire organization (that is, entity-level controls), may impact the system of internal controls. Entity-level controls are also an essential part of an audit. They investigate the overall tone of the audited organization and provide the foundation for lower-level operational controls. Because they are so important, internal auditors must conduct periodic assessments to determine the design adequacy and operating effectiveness of such controls. Entity-level controls are a tremendous help to an organization if it is present and practiced, they are critical for successful risk management and controls throughout the company.
Famous Financial Scandal that Failed to Represent Proper Entity-Level Controls
Based on the case study, Internal Audit Foundation (2017) gave one of the most widely publicized and well-known examples of entity-level controls breaking down, which is Enron Corporation. In the past, Enron was known for its sophisticated controls and risk management capabilities supporting many of its detailed processes. However, the Enron scandal drew attention to accounting and corporate fraud. The corporation has been utilizing accounting loopholes to conceal billions of dollars in bad debt while using fraudulent schemes to make their earnings look better than they are. The scandal led to the bankruptcy and conviction of a significant player in the Enron scandal: the company’s CEO, Jeff Skilling, and former CEO, Ken Lay, and the dissolution of Arthur Andersen and Enron itself.
The collapse of Enron was the largest corporate bankruptcy ever to impact the financial world (since then, the failures of WorldCom, Lehman Brothers, and Washington Mutual have surpassed it).
MARANAN, PATRISHA C., 2019-100624
(2/2)
Residual Risk and its Importance
According to Fasulo (2020), residual risk is the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions. Although there is no way to eradicate residual risk fully, the primary aim is to reduce it as much as possible by recognizing, measuring, and assessing the risk.
Internal auditors must detect, measure, and assess residual risk to secure and assist the organization and its stakeholders in remaining safe and determine whether or not the planned treatment is running efficiently and successfully. Further, if they ignore such dangers, it may damage the organization, which is why it is critical.
REFERENCES:
Colby, L. (2021, March 16). Entity-Level Controls & How They Impact Your Organization. Accessed November 5, 2021, from https://linfordco.com/blog/impact-of-entity-level-controls/
Internal Audit Foundation (2017). Internal Auditing: Assurance & Advisory Services (4th Edition). Case Study 1: Auditing Entity-Level Controls (pp. 2, 13) [eBook edition]. Internal Audit Foundation. From https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Enron Scandal: The Fall of a Wall Street Darling. (2021, January 19). Accessed November 5, 2021, from https://www.investopedia.com/updates/enron-scandal-summary/
Corporate Finance Institute. (2020b, June 12). Top Accounting Scandals. Accessed November 5, 2021, from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Fasulo, P. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference? Accessed November 5, 2021, from https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Kosutic, D. (n.d.). Residual risk definition and why it’s important. Accessed November 5, 2021, from https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Reciprocity. (2021, October 21). What Is Residual Risk in Information Security? Retrieved November 5, 2021, from https://reciprocity.com/resources/what-is-residual-risk-in-information-security/
MARANAN, PATRISHA C., 2019-100624
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity level controls are measures that are implemented at the organizational level in order to reduce the risk that the organization as a whole is exposed to. It also aims to provide confidence that the company's goals and objectives have been met and are being met. In the context of IT governance, entity level controls are controls that ensure that management directives are carried out and enforced. The implementation of entity-level controls is critical since it is a critical component of any organization's structure. It serves as the foundation for the day-to-day operations of the company's workers and processes. It is also important to note that entity-level controls play an important part in auditing because they are used to evaluate the overall performance of an organization. It is critical to have entity-level control since it helps to determine how a company interacts with its stakeholders outside the organization. It would be beneficial to the company to have entity-level control since it would result in the production of high-quality financial statements that are free of errors. Entity-level controls can also assist in mitigating the risk associated with the unpredictability of future events. For an organization's daily operations to be more efficient, it must implement entity-level controls to improve its efficiency and effectiveness.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The Enron incident is an example of a well-known financial scandal in which sufficient entity-level controls were not properly implemented. Incorporated in Houston, Texas, Enron is a global energy trading firm. The firm was having a successful run, but it failed as a result of the bankruptcy of the company, which caused many of their employees to go into financial distress. The Enron controversy came about as a result of the incorporation of fictitious holdings. The corporation owes a large amount of money, and in order to conceal this, they create special purpose vehicles. They were able to conceal all of their financial losses because they used market-to-market accounting. It is a fraud committed through the use of an off-balance-sheet method, which allows them to conceal their obligations from investors and creditors.
CASAL, CHRISTIAN T.
CBET-01-503A
(Part 1)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
It is the risk that remains after you have taken all of the necessary safeguards, because no matter how well you manage your risks, it is impossible to prevent every single one of them completely. Remaining risk is the threat that remains after all of your efforts have been made to identify and eliminate risk in a particular situation. It is critical for internal auditors to identify risks because if a risk is not identified and then occurs, it will have a negative impact on the organization's ability to achieve its ultimate goals and objectives. If the risk is not identified and then occurs, the organization will be unable to achieve its ultimate goals and objectives. It is critical to quantify risk since doing so will assist the internal auditor in determining the likelihood of the consequences you outlined occurring if the risk is realized. It is also critical to conduct a risk analysis in order to identify potential mitigation strategies or solutions that will assist the internal auditor in mitigating the risk.
References:
Fitzgerald (June 23, 2020). Entity Level Controls: Five Issues Caused by Weak or Non-Existent Controls in Place. Retrieved October 28, 2020, from https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place#:~:text=Entity%20Level%20Controls%20%28ELCs%29%20are%20%E2%80%9Ccontrols%20that%20operate,to%20provide%20assurance%20that%20organizational%20objectives%20are%20achieved.%E2%80%9D
Segal (2021). Enron Scandal: The Fall of a Wall Street Darling. Retrieved October 28, 2021, from https://www.investopedia.com/updates/enron-scandal-summary/
Kost (2021). What is Residual Risk? Why it Matters in 2021. Retrieved October 28, 2021, from https://www.upguard.com/blog/residual-risk
CASAL, CHRISTIAN T.
CBET-01-503A
(Part 2)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
In every business and organization there are always risks that it may and will encounter; such controls are being implemented to reduce their impact on the business. One of these controls is entity-level controls; Internal Audit Foundation (2017) defined it as “controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved” (p. 5). Additionally, entity-level controls define an organization’s corporate culture and values. They also relate to internal values as well as external forces such as laws, regulations, and professional standards. These controls impact the way in which employees operate and operational processes are designed and implemented (Colby, 2021). Thus, its very existence and implementation is critical in every organization, as it lays the groundwork for how the organization runs daily, as well as how the organization is viewed and engages with external stakeholders. Also, entity-level controls help the organization to provide accurate and reliable financial statements. In conclusion, it is implemented generally in the entire organization to help achieve its goals and objectives. But it is also important to take note that these controls may impact differently the system of internal controls, hence understanding the impact of such controls in the entity-level is significant.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Proper implementation of entity-level controls in an organization could lead to success, but failure to do so could lead to its end. One example of famous financial scandals is the Tyco scandal company who failed to represent proper entity-level controls. Tyco International was an American blue-chip security systems company based out of Princeton, New Jersey. In 2002, it was discovered that CEO, Dennis Kozlowski, and CFO, Mark Swartz, had stolen over $150 million from the company and had inflated the company’s earnings by over $500 million in their reports. Kozlowski and Swartz had siphoned off money using unapproved loans and stock sales. The scandal was discovered when the SEC and the office of the District Attorney of Manhattan carried out investigations related to certain questionable accounting practices by the company. Kozlowski and Swartz were both sentenced to 8 to 25 years in prison. A class-action suit forced them to pay $2.92 billion to investors (CFI, n. d.).
Tandayu, Lexter M.
CBET - 01 - 503A
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Aside from the risk that an organization is usually exposed to, such as controllable and inherent, there is another type of risk, which is the residual risk. From the name itself, residual risk is the excess risk that remains after all risk controls are implemented. According to Fasulo (2020), “residual risk is the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions.” Moreover, Internal Audit Foundation (2017) states that, “if the system of internal controls is designed adequately and operates effectively, those risks that make it all the way through the funnel (top-down view of enterprise risk management) should be acceptable to the organization” (p. 8). In other words, the residual, or net, risk does not exceed the organization’s risk appetite. Although it is acceptable to the organization, it does not mean that it should be neglected by the organization. It is still important to identify, measure, and analyze this risk because there is a tendency for this risk to become big and impact the organization. And internal auditors must keep an eye on this residual risk to keep it from affecting the operation of the organization in achieving its goals and objectives.
REFERENCES:
Colby, L. (2021, March 16). Entity-Level Controls: Impact on An Organization & The Audit Process. Retrieved November 05, 2021, from https://linfordco.com/blog/impact-of-entity-level-controls/
Corporate Finance Institute. (n. d.). Top Accounting Scandals. Retrieved November 05, 2021, from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Fasulo, P. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference? Retrieved November 05, 2021, from https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Internal Audit Foundation. (2017). Internal Auditing: Assurance & Advisory Services (4th Edition). Case Study 1: Auditing Entity-Level Controls (pp. 5, 8) [eBook edition]. Accessed November 05, 2021, from https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Tandayu, Lexter M. (2019-106755)
CBET- 01 - 503A
1. What is the importance of Entity-Level Controls to effective risk management and control across the whole organization?
Entity-Level Controls, as defined by Colby (2021), are conducted to ensure that management directives, corporate culture, and values are implemented and enforced. These controls also relate to internal values and external forces that are implemented in every business. The auditor must consider the Entity-Level controls, since these are crucial in the foundation of the audit. Through the analysis of entity-level controls, the Internal Auditor can plan and design the tests of controls based on the scope of the audit. It serves as a key component of audit since they provide basis for operational controls.
According to Hall (2021), Entity-Level controls are known for addressing the financial statement risks. In a larger company, risk assessment is more robust than smaller ones. The business entity focuses on risk assessment, testing accounting system, and providing reports and feedback to the leadership. In light of existing errors, internal auditors keep an eye on how the financial materials might contain misstatements, frauds, and errors. Overall, Entity-Level Controls is viable and important to the whole organization since it has a noticeable influence throughout an entity. It reduces the risk of material weaknesses which leads to material misstatements and requires a lot of money and qualified opinion to fix the problem. Some examples of entity-level controls include enforcement of integrity and ethical values, conservative attitude in operations, and hiring, training, and promotion policies.
2. Give one example of famous financial scandals that failed to represent proper Entity-Level Controls.
In 2001, Enron Corporation, a US-based company located in Houston, Texas, was discovered in conducting accounting loopholes to hide billions of dollars. This case is considered as one of the most controversial accounting scandals of the past century (CFI, n.d.). Its failure to enforce and ensure Entity-Level controls to prevent potential misstatements leads to fraud and bankruptcy. From the dramatic heights to downfall of one of the ubiquitous and largest companies in the United States, it all comes down to the effectivity of implementation of its Entity-Level controls which also includes strong enforcement of integrity and leadership. Enron’s leadership was able to fool the regulators with its fake holdings and accounting practices.
3. What is residual risk and why it is important for Internal Auditors to identify measure and analyze this risk?
Residual Risk is the unidentified risks as well as the identified ones but not appropriated for the same treatment at the time identified. It is promulgated that it must always be documented and subject to constant monitoring (Enisa, n.d.). After all the risk treatments, there is still a possibility that these risks remain. It is important because for an organization to be compliant with rules, the entity must complete a residual security check (Kost, 2021). Aside from compliance, it also helps the business to identify the specific requirement for your management plan and leads to success of the efforts of the business.
References
Colby, L. (2021). Entity-Level Controls: Impact On An Organization & The Audit Process. Retrieved from https://linfordco.com/blog/impact-of-entity-level-controls/
CFI (n.d.). Top Accounting Scandals. Retrieved from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Enisa (n.d.). Risk Treatment. Retrieved from https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-process/risk-treatment
Hall, C. (2021). Entity-Level Controls: Why They Matter. Retrieved from https://cpahalltalk.com/entity-level-controls/
Kost, E. (2021). What is Residual Risk? Why it matters in 2021? Retrieved from https://www.upguard.com/blog/residual-risk
-ZARAIN, KIANNA ERIKA D.
2019-104924
CBET-01-502A
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
The main goal of every business is to earn profit and in order to achieve this, one essential matter that must be considered is the risk that the organization may encounter. As we all know, risk is in the nature of every business, when there is a business then there is a risk. Risk may prevent the organization from reaching its objectives depending on its severity that is why management forms policies and controls that are specifically for risks to deal with that are performed by the internal auditors.
One of the most common used controls in internal auditing is the entity-level controls, it is defined by the Internal Audit Foundation (2017) as Controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved. This type of control is broadly focused and deals with organizational environment, wherein it is designed to minimize internal and external risks that may have a huge effect to the organization’s objectives. It also serves as the first hand control or we may call as a defense for all the risks that the organization may encounter which it is the first one that will filter and try to eliminate risks as many as possible. If entity-level controls performed effectively and efficiently then the next controls, process and transaction level, won’t handle that much risks which means fewer reliance quantifiably, lesser costs for the preceding levels of control, and resources are properly used. With all that being said, effective entity-level controls will result to an increase in efficiency and potential reduction in cost to the organization, and higher possibility of achieving the overall objectives.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
One of the famous financial scandals is Carillion’s; it is a giant construction company in the United Kingdom that collapsed in 2018. Generally, this is caused by significant reliance on estimates in making the financial statements and as a result, management can easily manipulate these by overstating net income and net worth. This financial fraud includes aggressive revenue recognition practices where all of Carillion’s annual reports in the past three years since its liquidation, cash conversion had been used as a key performance indicator, and as a factor influencing upper-level management remuneration (Carillion, Annual Report and Accounts 2016 18; Carillion, Annual Report and Accounts 2015). Carillion also used the reverse factoring technique, a practice where it appears that they seem healthier than they actually were or may also be referred to as “hidden debt loophole.” Moreover, Carillion management had opted to disburse dividends to shareholders instead of utilizing the finances to pay for its pension commitments to past and current employees that resulted in a pension deficit. Also, Carillion tends to engage in low margin contracts with excessive debts that resulted in creating high risks because minor changes and cost of those contracts can easily impact the overall profitability.
Taking all the facts into consideration, Carillion’s debt reached to £2 billion to its suppliers, sub-contractors, and creditors and a pension liability amounting £2.6 billion leading to its bankruptcy.
Chavez, Catherine H
2019-101209
CBET-01-502A
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Every organization faces a variety of risks, depending on its business objectives. Some of these business objectives may describe the desired state of operation brought about by a good system of internal control (Internal Audit Foundation, 2017). Risks prevent the organization from reaching its objectives through increasing its chances of losses and reduce the opportunities of profit, and of course management won’t let that happen, therefore, they formulate plans and controls that these risks to ruin their operation. As stated earlier, entity-level control is the first defense to face all the risks, followed by process and transaction level controls that deal with the risks previous level did not eliminate. Management may utilize additional mitigating and compensating controls to further limit the risks passed through previous levels of control. Additionally, not all risks are eliminated, those that make all the way through all certain levels of control are the remaining risks or residual risks that must be acceptable to the organization. Although these are only residuals, auditors should also take these into consideration for them to know what controls influenced the entire defense letting these risks made it all the way through all the control levels. These risks will guide the auditors to find what went wrong and what level of controls needs to be improved making the management to reach its full efficient and effective controls.
References:
Internal Audit Foundation (2017). Internal auditing: assurance & advisory services, 4th edition. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
The Carillion Scandal & Financial Statement Fraud (2021). https://studycorgi.com/the-carillion-scandal-and-amp-financial-statement-fraud/
Chavez, Catherine H
2019-101209
CBET-01-502A
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
When a single policy is implemented, and that policy has a negative impact on the organization as a result of an error, the organization as a whole suffers greatly. This is why companies use entity level control, which is a set of activities performed by an organization to effectively manage its environment, which includes mitigating risks, supporting other control systems, and controlling other threats that may disrupt the achievement of the organization's goals (IAF, 2017). This control, which is also part of the internal control system, operates throughout the organization. Management should be responsible for considering these entity-level controls; they must evaluate and assess them to ensure that they will be effective in supporting the organization's operations. It's also critical to employ a top-down approach, in which the effectiveness of entity-level controls is assessed first to see which risks have made it past the filters and into process- and transaction-level controls. Over-testing of controls at the process and transaction levels is likely if entity-level controls are not examined first. This is a time-consuming and costly method of assessing the overall system of internal controls (IAF, 2017). Entity-Level Controls can also help detect or prevent misstatements that could affect other controls, monitor the performance of other controls, and be configured to work at a level of precision that would effectively assist the controls. Entity level control is needed because it ensures that all business operations are properly utilized and managed in order to achieve the company's objectives.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Enron Corporation was an energy, commodities, and services company based in Houston. It was discovered in 2001 that the company had been using accounting loopholes to conceal billions of dollars in bad debt while inflating revenues (CFI, n.d.). The Enron Corporation and its management engaged in an unethical plan and off-balance-sheet accounting malpractice mechanism, which led to the company's scandalous operation. It created a special economic vehicle to hide its massive debt from outside investors. Enron's CEO, Jeffrey Skilling, also switched the company's accounting method from historical cost accounting to mark-to-market accounting. The method has been manipulated in some way. There is also poor corporate governance. Enron's stock price dropped from around $90 to under $1 in a year as a result of the scandal, causing shareholders to lose more than $74 billion (CFI, n.d.). This event also resulted in the dissolution of Arthur Andersen LLP, which had been one of the world's largest auditing and accounting firms. As a result of the company's bankruptcy, employees lost various benefits and pension payments. This scandal also taught us that accounting procedures should not be manipulated, that strong governance is necessary, and that effective entity level management is critical to ensure that all business processes are correctly utilized and managed in order to fulfill the company's goals.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Risk management aims to reduce the impact and likelihood of inherent risk (CFI, n.d.). Its goal is to safeguard the organization's physical and human assets so that it can continue to function successfully. However, there are risks that the organization cannot completely eliminate despite management intervention; these risks are known as residual risks. The risk that remains after the application of controls (Chambers, A. & Rand, G., 2010). It happens after controls or procedures to prevent it are established. Because of the likelihood and potential impact on the organization, it is vital for Internal Auditors to identify, measure, and analyze this risk. The organization must determine whether the proposed solution is adequate. Another reason to evaluate residual risk is to meet compliance and regulatory requirements. Finally, residual risk must be measured in order to prioritize which security measures and processes should be implemented over time (Shackleford, n.d.). Taking residual risks into account assists management in determining how these risks will affect their operations and decision making.
References:
Internal Audit Foundation (2017). Internal Auditing: Assurance & Advisory Services, 4th Edition. Case Study 1: Auditing Entry Level Control. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Corporate Finance Institute. (n.d.). Top Accounting Scandals: A recap of the top scandals in the past. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Chartered Financial Analyst (CFA) Institute. (n.d.). Enron Scandal. https://www.wallstreetmojo.com/enron-scandal/
Chambers, A. & Rand, G. (2010). The Operational Auditing Handbook: Auditing Business and IT Processes, Ltd. ISBN 978-0-470-74476-5. P 208
Shackleford, D. (n.d.). What is residual risk and why is it important? https://searchcompliance.techtarget.com/definition/residual-risk
ALCANTARA, SHIELA MAE D.
2019-103506
Not all controls are created equal, they are used to eliminate risks of varying sizes and types. Entity-level control is defined as control that operates pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved (Internal Audit Foundation, 2017, p. 5). This being the mouth of the funnel that filters all inherent (gross) risks, its effectiveness is significant as it first assesses the organization’s objectives before any other. MBG Corporate Services (2021) divided entity level controls into Direct, which is designed to prevent material misstatements or disclosures arising from error or fraud. Additionally, it ensures management's accountability when everything seems to be dubious; and Indirect, which focuses on governance, operation, conduct and behaviors of a company and its internal stakeholders. In contrast to direct, these controls are more general as to scope of action and act as the foundation for an effective controls environment.
Its objectives are: (1) Effective control environment as it monitors the management's integrity, philosophy, policy and responsibility that have significant influence over the company; (2) Risk assessment; (3) Proper communication and relevant information considering that management gathers and disseminates data on a timely basis. Also, a "whistleblower" program must be efficiently implemented as it directly affects the company's financial reports; and lastly (4) Monitoring activities and separate assessment of segregated internal control duties to confirm its effectiveness (McNally, 2005).
Failed implementation of these policies and regulations will result in financial scandals and the company's bankruptcy. Examples are Enron and WorldCom Inc., which were known as the biggest accounting scandals in history. Enron started out as a merger of two natural-gas transmission companies named Houston Natural Gas Corp. and InterNorth Inc., which served as an intermediary between producer and customer as Jeffrey Skilling, Chief Operating Officer, transformed the company into a trader of energy derivative contracts. During the 1990s, Enron experienced rapid growth as deals were created everywhere and the launch of an online trading division helped traders to easily conduct trading, but this success came to an end due to increased competition in the energy-trading business that resulted in the company's profit shrinkage. Troubled assets were dumped into a Special Purpose Entity, a limited partnership with outside creditors, that was run by Fastow himself, the Chief Financial Officer of Enron. This practice is believed to be abused as it presents losses as less severe than actual. Market-to-market accounting was also used by the company to give an illusion to shareholders that they still earn high current profit, when in fact they are not. Mid-2001 when analysts began to dig into details of Enron's Financial Statement, which later on stated $638M in losses and a $1.2B reduction in Shareholder's Equity that resulted in the company's free fall.
BATALLER, ERICA ANN R. (2019-103327)
Another example is WorldCom Inc., a telecommunications company that experienced a skyrocketing value of shares as long distance services began to boom in the late 1990s to early 2000s. But in 2002, Bernard Ebbers, the Chief Executive Officer, used an improper accounting method to reduce the company's E/R ratio, a tool used to measure the performance of telecommunication companies, due to outgrowing competition. In relation to Enron, WorldCom also exaggerated its revenue and cut its expenses.
It is evident that assessing the internal control is a critical part in every company as it prevents any fraudulent methods such as sudden change in accounting estimates, early revenue recognition, erroneous capitalization of long-term assets, and alteration of reserves to improve earnings picture, from happening.
Together with Governance, Management-Oversight, Process-Level, and Transaction-Level Controls, inherent (gross) risks were sifted into residual (net) risks. Some risks always remain as it may get through the initial elimination or through evasion but it doesn't mean that Entity-Level control isn't effective. Organizations must know their risk-tolerance as net risks must be below an acceptable level of risks because if not, the entity's security team must find new ways to mitigate it through continuous reassessment.
REFERENCES:
Internal Audit Foundation. (2017). Case Study 1: Auditing Entity-Level Controls.
McNally, J. (2005). Assessing Company-Level Controls. Retrieved from https://www.journalofaccountancy.com/issues/2005/jun/assessingcompanylevelcontrols.htm
MBG Corporate Services. (2021). The Critical Importance of Entity Level Controls to your Organization. Retrieved from https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
BATALLER, ERICA ANN R. (2019-103327)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
It's possible that there is more than one degree or type of control when weighing up restrictions for an organization. It is necessary for organizations to have entity-level that endeavors the firm to analyze a subservience organization for consideration of conducting critical business interactions in order to manage business operations well.
Entity-level controls have a broad definition that applies to a variety of Auditing firms, but they can also be more specialized to a particular audit engagement. Furthermore, Entity-Level are safeguards that are implemented across the company rather than controls that are tailored to a particular undertaking or business such as finance and manufacturing.
Entity-level controls, their existence and application are critical components of any organization because they lay the groundwork for the organization's diurnal operations (people and process), as well as how it is perceived and interacts with external stakeholders. In addition, Entity-level controls are also a dominant aspect of an audit since they analyze the organization's general tone at the top and serve as the foundation for lower operational controls.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Enron Corporation is one of the most prominent financial scandals in which mediocre entity-level controls were not authenticated. The Enron scandal was a series of events that culminated in the bankruptcy of Enron Corporation, a U.S. energy, commodities and services corporation. The collapse of Arthur Andersen LLP was one of the world's largest auditing and accounting firms.
In connection with this, the collapse of Enron, which had more than $60 billion in assets, resulted in one of the largest bankruptcy cases in US history, sparking extensive debate as well as legislation aimed at improving accounting rules and practices with long-term financial ramifications. The scandal resulted in a wave of new regulations and legislation designed to increase the accuracy of financial reporting for publicly traded companies.
DELAMBACA, VICENTE JR T. (2019-106640)
What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
When companies consider risk, they frequently assess the implications they'd undergo if they didn't have any security procedures in place. The risk that remains after all controls have been taken into consideration is referred to as residual risk. Moreover, it's the danger that still exists after your company has taken all necessary protections. From a compliance standpoint, monitoring and understanding residual risk is critical for internal auditors because it allows organizations to manage the security of assets entrusted to them by third parties. Internal Auditors should identify, quantify and assess residual risk in order to comprehend and demonstrate how this risk may affect the organization. It also enables security experts to identify possible ethical threats more quickly and correctly, as well as comprehend how those attacks might harm an organization and its data.
However, managing residual risk comes down to the organization's willingness to adjust the acceptable level of risk in any given scenario. It is also important that internal auditors manage the residual risk in order to identify its relevance to governance and compliance requirements and also to determine the strengths and weaknesses of the organization's control framework that acknowledge the existing risks.
REFERENCES:
Francesca Sales (2021). What is residual risk and why is it important? https://searchcompliance.techtarget.com/definition/residual-risk
Lois Colby (2020). Entity-Level Controls: Impact On An Organization & The Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
Peter Bondarenko (2016). Enron Scandal. https://www.britannica.com/event/Enron-scandal
DELAMBACA, VICENTE JR T. (2019-106640)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-Level Controls (ELCs) are "controls that operate widely across the business to minimize risks that threaten the company as a whole and to ensure that organizational objectives are met." There are five risks connected with entity-level controls that are either insufficient or non-existent. It includes: management override of controls; limited segregation of duties; over-reliance on detective controls vs. preventive controls; informal vs formal controls; and poor tone at the top (Fitzgerald, 2020). Implementing entity-level control is a key component of any organization. It provides foundation under the organization operation on a daily basis and how the organization is perceived and interacts with external stakeholders. It is also an important aspect of an audit since it analyzes the organization's overall tone at the top and provides the foundation for lower-level operational controls.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Bangladesh Bank's authorities were notified in early February 2016 that around $100 million had been fraudulently moved out of its account with the Federal Reserve Bank of New York through the SWIFT interbank messaging system. The laundered funds were initially sent to the Philippines, where they were deposited in four Rizal Commercial Banking Corporation (RCBC) foreign currency accounts totaling $81 million at its Jupiter, Makati branch. The stolen funds were subsequently transferred to Midas Hotel and Casino, City of Dreams, and Solaire Resort and Casino through two foreign currency accounts linked to Filipino-Chinese businessman William Go. (Dela Paz, 2016)
Rizal Commercial Banking Corporation (RCBC) committed to fix any flaws in internal controls and processes that allowed $81 million in dirty money stolen from Bangladesh's central bank to enter the local financial system. The bank also expressed its "sincerest regrets" for its employees' role in the money laundering operation, which is currently being investigated by the Senate Blue Ribbon Committee and the Anti-Money Laundering Council (AMLC) (Abadilla, 2016).
The risk that remains after all controls have been taken into consideration is referred to as residual risk. It's the danger that still exists after your company has taken all necessary protections. To put it another way, you've built a fence around your data and networks to keep the risk out, and while the fence is keeping the majority of the risk out, some can still get through. Residual risk is the risk that sneaks in despite your team's best efforts.
Yuga, Rhea Mae D.
2019-103574
CBET-01-501A
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Internal auditors must identify, measure, and analyze this risk in order to limit the effect to the organization. Internal auditors must pick the optimal control mechanisms for the job at hand in order to reduce residual risk as much as possible. However, they are unlikely to do it properly the first time. Case management software helps expedite the risk assessment process, allowing you to decrease residual risk more quickly and efficiently. Risk management is a company-wide responsibility. Internal auditors require input from employees across the board to acquire a thorough view of what possible hazards exist in your workplace, how to control them, and if those controls are effective. Case management software enables them to interact safely and efficiently across departments. Team members may work on cases directly in the file, storing all relevant data in one location for speedier resolution. As you collaborate to decrease workplace risk, the secure platform and role-based access keep data safe.
References:
Abadilla, D. (2016, March 23). RCBC vows to boost internal controls, apologizes for $81M scandal. Retrieved from Inquirer.net: https://business.inquirer.net/208872/rcbc-vows-to-boost-internal-controls-apologizes-for-81m-scandal
Colby, L. (2021, March 16). Entity-Level Controls: Impact On An Organization & The Audit Process. Retrieved from Linford & Company, LLP: https://linfordco.com/blog/impact-of-entity-level-controls/
Dela Paz, C. (2016, March 15). How Bangladesh Bank dirty money easily got into PH. Retrieved from Rappler: https://www.rappler.com/business/bangladesh-bank-philippine-banking-system
Fasulo, P. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference? Retrieved from Security Scorecard: https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Fitzgerald, N. (2020, June 23). Entity Level Controls: Five Issues Caused by Weak or Non-Existent Controls in Place. Retrieved from Freed Maxick: https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
Snook, A. (2020, August 27). How to Reduce Residual Risk with Case Management Software. Retrieved from Sight: https://www.i-sight.com/resources/how-to-reduce-residual-risk-with-case-management-software/
Yuga, Rhea Mae D.
2019-103574
CBET-01-501A
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity level controls (ELC) are used to determine if an organization’s values, systems, policies, and processes would enable or dissuade fraud and encourage proper conduct. They refer to the entity’s management style, as reflected in the corporate culture, values, philosophy, and operating style, the organizational structure, and policies and procedures in place (Murdock, 2017). Some examples of these controls are a code of ethics, risk management policies and procedures, fraud prevention and detection programs, human resources policies and procedures, management’s control deficiency escalation process and variance analyses.
As shown in a case study published by the Internal Audit Foundation (2017), entity-level controls are adequately designed to achieve effectiveness and efficiency in operations and to serve as an organization's defense against risks that threaten the achievement of business objectives. Accordingly, two types of Entity-Level Controls will be introduced to help minimize the inherent risks that will arise: governance controls and management-oversight controls. Governance controls are set by the board and senior management to develop the organization's control culture and expectations, as well as to provide guidance that pervasively supports strategic objectives and influences the total system of internal controls. Whereas management-oversight controls are set by management to mitigate risks threatening the business unit and to offer assurance that business unit objectives are met. Overall, ELCs are internal controls that filters significant threats entering the organization before they reach the process and transaction level controls.
In conclusion, a good Entity-Level Control is critical in effective risk management and control, not only for reducing entity-level risks to acceptable levels but also for establishing and promoting a culture of integrity, compliance, competence, and accountability. If the internal control system is sufficiently designed and performs successfully, the risks that pass through the funnel should be acceptable to the business. In other words, the residual risk does not exceed the risk appetite of the company.
-Palacio, Darlene L. (2019-10309)
CBET 01-503A
*correction to my student number: 2019-103509
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
WorldCom Scandal (2002)
WorldCom was the leading American telecommunications company based out of Ashburn, Virginia in the 1990s. During 2001, WorldCom began to fraudulently inflate the earnings reported on its profit and loss statements. It did so by manipulating financial data in its income statements, balance sheets, Form 10-K filings and annual reports. The scandal first came to light when the company’s internal audit department found almost $3.8 billion in fraudulent accounts. The company’s CEO, Bernie Ebbers, was sentenced to 25 years in prison for fraud, conspiracy, and filing false documents. The scandal resulted in over 30,000 job losses and over $180 billion in losses by investors (Corporate Finance Institute, 2015). In this case, WorldCom failed to establish a proper entity-level control such as the proper selection of their audit committee, company’s integrity, compliance policies, and other legal risks, resulting in fraudulent consequences, bankruptcy, and the company's demise.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
According to Fasulo (2020), residual risk is the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions. It is the risk that remains after your company has taken all necessary precautions.
Internal auditors should not overlook the importance of residual risk and should treat it with proper residual risk assessment. Kosutic (n.d.) proposed three approaches for assessing this risk, which are discussed hereunder. (1) Nothing is done if the degree of risk is less than the acceptable level of risk; the management must clearly accept those risks. (2) If the amount of risk exceeds the permissible level of risk, you must create new (and better) risk-reduction procedures, which involves an evaluation of the residual risks. (3) If the quantity of risk exceeds the acceptable level of risk and the costs of mitigating such risks are more than the damage itself, you must recommend to management that these high risks be accepted.
Monitoring and understanding residual risk as well as inherent risk assists security professionals to identify potential security threats more quickly and correctly, as well as understand how those threats can adversely affect the company and its data. Moreover, residual risk is important in the compliance standpoint as per the ISO 27001 regulations, which allows organizations to manage the security of assets that are entrusted to an organization by third parties.
References:
Internal Audit Foundation. (2017). Case Study 1: Auditing Entity-Level Controls. Internal Auditing: Assurance & Advisory Services, 4th Edition. Retrieved November 5, 2021, from https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Corporate Finance Institute. (2015). Top 10 Accounting Scandals in the Past Decades. Retrieved November 5, 2021, from corporatefinanceinstitute.com/: https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Fasulo, P. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference? Retrieved November 5, 2021, from Security Scorecard: https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Kosutic, D. (n.d.). Why is residual risk so important? Retrieved November 5, 2021, from https://advisera.com/: https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Murdock, H. (2017). Operational Auditing: The Principles and Techniques for a Changing World. CRC Press Taylor & Francis Group. Retrieved November 5, 2021
-Palacio, Darlene L. (2019-10309)
CBET 01-503A
*correction to my student number: 2019-103509
1/2
The proverb, “A chain is only as strong as its weakest link.” is mentioned by Murdock in his book. It is linked with managing a company as it shows that even though most of the processes, systems, and departments within the business are functioning correctly and efficiently, it is still susceptible to collapsing because of those areas that are more prone to risks and threats. Controls should be established for both the strongest and weakest areas of the business, just with different levels of intensity. Its objective is to eliminate as many threats as possible and create a safe condition for the company.
There are different controls set up for areas of the business to be overseen and supervised; a couple of them are entity-level, divisional, regulatory, transaction-level, and process-specific controls. The Entity-Level Controls are the most important among them as they play a crucial role and relay a broader impact to the organization. To be clear with their function, Entity-Level Controls are controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved (Internal Audit Foundation, 2017). It reflects the overall operations, processes, and systems of the company. It is a key component of control, so they are the first to filter risks, as illustrated in the top-down approach, before risks are designated to secondary controls.
The five components of entity-level are listed by Colby (2021) as; Control Environment, where the values and behaviors of the company are defined, like the commitment to integrity, accountability, and ethical standards through the company’s Code of Ethics. It is made sure that these principles are promoted and embodied by superiors themselves to set as an example to the employees of the company; The risk assessment and management are designed and implemented to identify and respond to risks at their earliest stage. Policies and procedures for fraud prevention and human resources are also included; The constant monitoring of its effectiveness and actions taken; The information and communication to their internal stake; and Control activities implemented.
SAMSON, SHAYNE DANIELLE G.
2019-102562
2/2
Without the successful accomplishment of the entity-level and other controls, malpractices and non-compliance may happen and may continue to be a financial scandal. Just like what happened to Volkswagen, a worldwide known motor vehicle manufacturer. It was in 2015 when the news broke out about the dubbed 'dieselgate scandal'. The US Environmental Protection Agency (EPA) found that Volkswagen had violated the Clean Air Act as their vehicles are equipped with 'defeat devices'. These devices are activated to reduce emissions when the vehicles are being tested so they would pass the standard. It was revealed that it emitted 40 times more pollution than the level permitted. Volkswagen has acknowledged that the diesel emission scandal was a series of the negligence of the company, like tolerating the rule-breaking decision, and not just decisions of the engineers alone. That is why a strong entity-level control is essential for a business to survive and succeed.
And although the main objective of an entity-level control is to protect the organization by mitigating risk, it is impossible to fully eliminate it. There would still be remains even after the risk treatment. Residual risks are usually assessed in the same way as you perform the initial risk assessment – you use the same methodology, the same assessment scales, etc. (Kosutic 2015). The good thing is, it would be at the level that’s acceptable by the organization. That’s why it is important to identify, measure and analyze these risks. The level of acceptance would be valuable for determining the next step. If it is below the limit, it is okay for the management to accept the risk as it doesn’t have a huge impact on the company. If it is above the limit, new ways should be looked into and considered.
SAMSON, SHAYNE DANIELLE G.
2019-102562
References:
Colby, L. (2021, March 17). Entity-Level Controls & How They Impact Your Organization. Linford & Company LLP. https://linfordco.com/blog/impact-of-entity-level-controls/
Explained Desk. (2020, May 27). Explained: What is the “dieselgate scandal” against Volkswagen? The Indian Express. https://indianexpress.com/article/explained/volkswagen-dieselgate-scandal-6427918/
Internal Audit Foundation. (2017). Case Study 1: Auditing Entity-Level Controls. In Internal Auditing: Assurance & Advisory Services, 4th Edition. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Kosutic, D. (2015, June 23). Residual risk definition and why it’s important. 27001Academy. https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Murdock, H. (2016). Operational Auditing: Principles and Techniques for a Changing World (1st ed.). Auerbach Publications. https://doi.org/10.1201/9781315368733
Ruddick, G. (2018, February 14). VW admits emissions scandal was caused by “whole chain” of failures. The Guardian; The Guardian. https://www.theguardian.com/business/2015/dec/10/volkswagen-emissions-scandal-systematic-failures-hans-dieter-potsch
According to Fitzgerald (2020), a risk advisory services consultant at Freed Maxick, the significance of entity level Controls (ELCs) is that it controls the operations extensively across and throughout the organization to lessen risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved. The controls also involve ethics, policies and procedures, fraud prevention and detection programs and more. However, Colby (2021) claims that Entity-level controls are the overriding controls for overseeing that management directives pertaining to the organization as a whole are implemented and enforced. It can also be considered as higher-level controls that are more general in nature or impact a broader audience. Organizations that have weak or no entity level controls in place can experience many problems. That is why there are five existing components associated with the entity-level controls. These components are: Control environment, Risk assessment, Monitoring, Information and communication and control activities. That being said, the existence and implementation of entity-level controls are a key component of any organization.
Tyco International was a large security system organization. In 2002, a theft was done by the former CEO and Chairman Denis Kozlowski and former corporate Chief Financial Officer Mark Swartz of almost 600 million dollars from the firm. CEO Kozlowski was questioned because of a financial transaction that is in the company's financial reports, and tried to cover up his illegal doings, stealing millions of dollars from Tyco with the help of CFO Swartz (Romero 2020).
Kosutic (n.d.) defined residual risk as the remaining risk after conducting the initial risk measures. He also mentioned that there are instances wherein after all the risk treatment a company won't eliminate all risk because it is simply not possible, therefore some risk will remain at a certain level. It is still important for internal auditors to identify such risk because this makes the company vulnerable and it can still be classified as a threat. Risk like this should not be neglected; a relative risk tolerance must be observed to assess if this residual risk can affect the business in the long run and even limit the business objectives and success.
LONGNO, MICAH LEI C. (2019-106978)
References
Colby, L. (2021, March 16). Linford & Company LLP. Retrieved from Google: https://linfordco.com/blog/impact-of-entity-level-controls/
Fitzgerald, N. (2020, June 23). Freed Maxick. Retrieved from Google: https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
Kosutic, D. (n.d.). 27001 Academy. Retrieved from Google: https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Romero, J. (2020, September 18). Panmore Institute. Retrieved from Google: http://panmore.com/tyco-corporate-scandal-2002-case-analysis
Importance of Entity-Level Controls to effective risk management & control across the whole organization
After reading the case study about auditing entity-level controls, I understand that entity-level controls play an important role in effective risk management. It functions as a control that operates throughout the organization and it is designed to help mitigate risks that threaten the organization and also to ensure that organizational objectives are met. It includes code of ethics, human resources policies and procedures, fraud prevention and detection programs, risk management policies and procedures, etc. (Fitzgerald, N.). Process-level and transaction-level controls are also supported, supplemented, and reinforced by entity-level controls. These controls have a large effect on the success of a variety of business objectives. Analyzing entity-level controls will assess factors that influence the risk of substantial misstatement, and design control tests and substantive procedures based on this.
The company needs entity-level controls to effectively manage the business operations. They serve as the backbone of the company's operations in terms of both personnel and processes. They influence how external stakeholders view the organization and how it interacts with them.
Entity-level controls also help in improving risk assessment and management, as well as more effective risk mitigation. In addition, it assists the organization to have financial statements and financial reporting that are accurate and free of errors. Having an entity-level control will result in an increase in efficiency and a potential cost reduction to the organization.
WorldCom Scandal (2002)
WorldCom was one of the world’s biggest telecommunications companies before they committed fraud. WorldCom was found to have overstated its assets by about $11 billion, making it one of the greatest accounting scandals in history. WorldCom produced about $9 billion in erroneous accounting entries in order to give the impression that it was profitable. It was planned by a few key senior managers based in the company's Mississippi headquarters and carried out by employees in the financial and accounting divisions in several locations.
The fraud was further aided by a lack of controls in the financial system at the time. Scott Sullivan, WorldCom's Chief Financial Officer, was in charge of and directed the fraud. According to the SEC's investigation report, "as business operations fell further and further short of financial targets announced by Ebbers, Sullivan directed the entry of accounting entries that had no basis in generally accepted accounting principles to create the false appearance that WorldCom had achieved those targets."
Bernie Ebbers, the company's CEO, was sentenced to 25 years in jail for fraud, conspiracy, and falsifying records, while Scott Sullivan, the company's top financial officer, was sentenced to five years in prison. Over 30,000 jobs were lost as a result of the fraud, and investors lost over $180 billion.
Residual risk and its importance for Internal Auditors to identify, measure, and analyze this risk
According to Edward Kost, residual risk is the threat or vulnerability that remains after all risk treatment and remediation efforts have been implemented. The amount of risk that remains after cybersecurity controls have been established is known as residual risk. It is important for internal auditors to identify, measure, and analyze this risk because it can negatively affect the company.
Internal auditors conduct residual risk assessments to help discover and mitigate risks before they're exploited by cybercriminals. They also detect and analyse the likelihood and potential impact of various risks to the organization during the risk assessment process. Using the residual risk assessment done by internal auditors, security experts may more quickly and correctly identify possible security risks and understand how those risks can negatively affect the organization.
References
Institute of Internal Auditors. (n.d.). Retrieved November 5, 2021, from https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf.
Fitzgerald, N. (n.d.). Entity level controls and associated risks: Freed Maxick. Entity Level Controls and Associated Risks | Freed Maxick. Retrieved November 5, 2021, from https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place.
Top accounting scandals. Corporate Finance Institute. (2020, June 12). Retrieved November 5, 2021, from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/.
Internationalbanker. (2021, September 29). The WorldCom Scandal (2002). International Banker. Retrieved November 5, 2021, from https://internationalbanker.com/history-of-financial-crises/the-worldcom-scandal-2002/.
What is residual risk? why it matters in 2021: Upguard. RSS. (n.d.). Retrieved November 5, 2021, from https://www.upguard.com/blog/residual-risk.
-Buling, Catherine (2019-103626)
A business has a complicated and complex system that we can compare to a human body; all of them are interconnected, resulting in maximum performance. It is not uncommon for us to encounter risks as we go, but with better management and assessment, we can stop a problem from developing into a threat or avoid them if we can. Entity Level Controls are the ones who assure that the organization will achieve its goals and continue to flourish. One of its primary purposes is to analyze whether the systems, policies, and others throughout the organization effectively steer clear of fraud and promote proper conduct. Keep in mind that if an organization’s Entity Level Controls were frail, it would be easy for employees or people with high status to override this, a risk we cannot easily overcome. Also, if the leaders within the organization were to show employees they do not care much about ethics and integrity when working, it is more likely for them to do the same. It is essential to identify the problems from the early stages because it will give us more opportunities to adjust and make sure we can counter them, a job of the risk assessment and management. Detective controls are the ones that notify the company when something is wrong, while preventive controls are the ones that prevent it before it even happens; two of these are being offered by strong Entity Level Controls. We can see how the three of them work together and are crucial to one another.
A handful of financial scandals shocked the world, and one of those is General Electric Co. Accounting Scandal. They had failed to show accountability and transparency to their customers by misleading them with a superficial truth. It is a company’s utmost priority to disclose everything and anything to their customers or potential investors. GE is an example of a company with poor Entity Level Controls because even the higher-ups approved this unethical business. They paid millions for the penalty and had lost their opportunity to expand their business in the right way, and it is nearly impossible to start again. Money is something we can earn again, but the disgrace attached to our names will follow us wherever we go.
Once a problem is solved, it does not mean we can move on because there will always be an unresolved part; it is called Residual Risk. “Residue” is a term we use to describe the fragments left by the whole, or we can put it as the parts that passed through the company’s barrier despite the efforts to keep it out. The Internal Auditors must be aware of this so they can observe and analyze it. Despite not being a major one, it still can damage the organization if left unsupervised or, worse, unknown. We can accept it and not do anything if, and only if, it is below the acceptable risk. If not, we need to eliminate this and reassess it again once the new controls are implemented.
REFERENCE:
Fitzgerald, N. (n.d.). Entity level controls and associated risks: Freed Maxick. Entity Level Controls and Associated Risks | Freed Maxick. Retrieved November 5, 2021, from https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place.
Press release. SEC Emblem. (2020, December 9). Retrieved November 5, 2021, from https://www.sec.gov/news/press-release/2020-312.
Fasulo, P. (2020, December 21). Inherent risk vs. residual risk: What's the difference? Security Ratings & Cybersecurity Risk Management. Retrieved November 5, 2021, from https://securityscorecard.com/blog/inherent-risk-vs-residual-risk.
Murdock, H. (2016). Operational Auditing: Principles and Techniques for a Changing World (Internal Audit and IT Audit) (1st ed.) [E-book]. Auerbach Publications.
ISIP, IRIS G.
2019-103614
1/2
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
According to Murdock (2017), entity level controls are the organization’s values, systems, policies, and processes which will be beneficial in minimizing the risks of fraud and maximizing proper conduct within the entity. In general, entity-level controls are controls that are pervasive throughout the organization versus designed for a specific division or operation such as specifically for finance, manufacturing, research & development, etc. Entity-level controls are the overriding controls for overseeing that management directives pertaining to the organization as a whole are implemented and enforced. They may also be considered as higher-level controls that are more general in nature or impact a broader audience. These controls define an organization’s corporate culture and values. They also relate to internal values as well as external forces such as laws, regulations, and professional standards. The entity-level controls impact the way in which personnel operate and operational processes are designed and implemented.
The existence and implementation of entity-level controls is a key component of any organization. They provide the foundation under which the organization operates on a daily basis (employees and processes) and how the organization is perceived and interacts with external stakeholders. Entity-level controls also serve as a key part of an audit as they assess the overall tone at the top for the organization being audited and provide the basis for lower-level operational controls.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
One example of famous financial scandals that failed to represent proper entity-level controls is the collapse of Enron. As is widely known, Enron was one of the largest US-based companies, mainly providing wholesale services, retail energy services, broadband services and transportation (Enron Corp 2001). However, the corporation became well-known because of its failures, which resulted from poor corporate governance. It is publicly acknowledged that the event of Enron filing for bankruptcy marked a new period of revolutionary changes to corporate governance worldwide, mainly focusing on law reform to prevent, or at least mitigate, future corporate collapses.
The sudden and unexpected collapse of Enron Corp. was the first in a series of major corporate accounting scandals that has shaken confidence in corporate governance and the stock market. Only months before Enron's bankruptcy filing in December 2001, the firm was widely regarded as one of the most innovative, fastest growing, and best managed businesses in the United States. With the swift collapse, shareholders, including thousands of Enron workers who held company stock in their 401(k) retirement accounts, lost tens of billions of dollars. It now appears that Enron was in terrible financial shape as early as 2000, burdened with debt and money-losing businesses, but manipulated its accounting statements to hide these problems. This shows the accounting system that failed to provide a clear picture of the firm's true condition, the independent auditors and board members who were unwilling to challenge Enron's management, the Wall Street stock analysts who failed to warn investors of trouble ahead, the rules governing employer stock in company pension plans, and the unregulated energy derivatives trading that was the core of Enron's business. Overall, the poor corporate governance and a dishonest culture that nurtured serious conflicts of interests and unethical behavior in the entity-level controls at Enron are the reason for its downfall.
-MORENO, GLORENE MAE R. (2019-105014)
2/2
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
According to Edward Kost, Residual risk is the threat or vulnerability that remains after all risk treatment and remediation efforts have been implemented. Because they will always be present, the process of managing residual risk involves setting an acceptable threshold and then implementing programs and solutions to mitigate all risks below that threshold. It also includes all initially unidentified risks as well as all risks previously identified and evaluated but not designated for treatment at that time.
It is essential for internal auditors to identify, measure and analyze risk because it will help define the specific requirement for your management plan and also allow you to measure the success of your mitigation efforts. Additionally, when effective security controls are implemented, there is an obvious discrepancy between inherent and residual risk assessments. These results are not enough to verify compliance and should always be validated with an independent internal audit. The longer the trajectory between inherent and residual risks, the greater the dependency, and therefore effectiveness, on established internal controls.
REFERENCES:
Colby, L. (2021). Entity-Level Controls: Impact on an Organization & the Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls
EveryCRSReport.com (February 4, 2002 – August 12, 20. The Enron Collapse: An Overview of Financial Issues. https://www.everycrsreport.com/reports/RS21135.html
Kost, Edward. (2021). What is Residual Risk? Why it Matters in 2021. https://www.upguard.com/blog/residual-risk#:~:text=Residual%20risk%20is%20the%20threat,remain%2C%20these%20are%20residual%20risks
Murdock, H. (2017). Operational Auditing: Principles and Techniques for a Changing World. https://ertu.online/pluginfile.php/286094/mod_resource/content/1/Operational%20Auditing%20The20Principles %20%20Techniques%20for%20a%20Changing%20World.pdf
MORENO, GLORENE MAE R. (2019-105014)
1/2
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity Level Controls (ELCs) are controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved. The existence and implementation of entity-level controls is a key component of any organization. They provide the foundation under which the organization operates on a daily basis (employees and processes) and how the organization is perceived and interacts with external stakeholders. Entity-level controls have a pervasive influence throughout an organization. If they are weak, inadequate, or nonexistent, they can produce material weaknesses relating to an audit of internal control and material misstatements in the financial statements of the company. The presence of material misstatements could result in receiving an adverse opinion on internal controls and a qualified opinion on the financial statements. Material misstatements are expensive to fix, and receiving an adverse or qualified opinion generally results in a drop in stock price of a publicly traded company.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Enron Corporation was a US energy, commodities, and services company based out of Houston, Texas. In one of the most controversial accounting scandals in the past decade, it was discovered in 2001 that the company had been using accounting loopholes to hide billions of dollars of bad debt, while simultaneously inflating the company’s earnings. The scandal resulted in shareholders losing over $74 billion as Enron’s share price collapsed from around $90 to under $1 within a year. An SEC investigation revealed that the company’s CEO, Jeff Skilling, and former CEO, Ken Lay, had kept billions of dollars of debt off the company’s balance sheet. In addition, they had pressured the company’s auditing firm, Arthur Andersen, to ignore the issue. After the fact, the convictions were as controversial as the company’s collapse had been shocking, as prosecutor Andrew Weissmann indicted not just individuals, but the entire accounting firm of Arthur Andersen, effectively putting the company out of business. It was little consolation to the 20,000 employees who had lost their jobs when the conviction was later overturned.
TICALA, JOYLYN L. (2019-103552)
2/2
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
In risk management, there are several ways to overcome the risks that may be present in the business operations. The risks could be managed either by avoiding, reducing, transferring, or accepting. Just as the name suggests, risk avoidance is when the team decides to go for another way and avoid performing a process that may be exposed to a certain risk altogether. Risk reduction, on the other hand, is when solutions are applied to lower the level of risk of a certain operation. Risk transfer is when the risk is shifted to another party or team. Last but not least, risk acceptance is when the management is aware of a certain risk but decides not to invest in solving the risk. Despite all of these efforts in handling risks, it is still difficult or impossible to completely eradicate all risks that exist. The risks that remain after the control’s mitigation has been done are known as residual risks. It is important for the organization’s management and all other decision makers to be well informed about the nature and extent of the residual risk. For this purpose, residual risks should always be documented and subjected to regular monitor-and-review procedures. Also, it is important to identify, measure and analyze these risks that could potentially derail a project. Efforts should be taken to mitigate these risks, including the introduction of security controls to either eliminate a threat completely or reduce its negative impacts. Residual risk is what remains after these controls have been implemented.
References:
Colby, L. (2021). Entity-Level Controls: Impact On an Organization & The Audit Process. Linford & Company, LLP
https://linfordco.com/blog/impact-of-entity-level-controls/
Corporate Finance Institute. (n.d). Top Accounting Scandals. CFI Education Inc.
https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Editorial Team. (2021). Inherent Risk Vs Residual Risk Explained with Examples. Project Practical.
https://www.projectpractical.com/inherent-risk-vs-residual-risk/
TICALA, JOYLYN L. (2019-103552)
It's possible that there is more than one degree or type of control when contemplating controls for an organization. Organizations will have entity-level, divisional, regulatory, transaction-level, and process-specific controls to manage their business operations, to name a few.
Of these controls, entity-level controls are considered to be a crucial part when:
• One company is assessing a subservice organization for consideration of conducting critical business interactions with that subservice organization or
• An external auditor or CPA firm performing an audit over an entity.
Entity-level controls have a broad definition that applies to a variety of audit engagements, but they can also be more specialized to a particular audit engagement. Entity-level controls, in general, are controls that are implemented across the company rather than controls that are tailored to a specific division or business, such as finance, manufacturing, or research and development.
One of the financial scandals is the Enron Corp. The sudden and unexpected collapse of Enron Corp. was the first in a series of major corporate accounting scandals that has shaken confidence in corporate governance and the stock market. Only months before Enron’s bankruptcy filing in December 2001, the firm was widely regarded as one of the most innovative, fastest growing, and best managed businesses in the United States. With the swift collapse, shareholders, including thousands of Enron workers who held company stock in their 401(k) retirement accounts, lost tens of billions of dollars. It now appears that Enron was in terrible financial shape as early as 2000, burdened with debt and money-losing businesses, but manipulated its accounting statements to hide these problems. Why didn’t the watchdogs bark? This report briefly examines the accounting system that failed to provide a clear picture of the firm’s true condition, the independent auditors and board members who were unwilling to challenge Enron’s management, the Wall Street stock analysts who failed to warn investors of trouble ahead, the rules governing employer stock in company pension plans, and the unregulated energy derivatives trading that was the core of Enron’s business.
What is Residual Risk?
The risk that remains after risk treatment is referred to as residual risk. You won’t be able to totally eliminate all risks once you’ve identified them and mitigated the ones you deem unacceptable (i.e. treated them), therefore some risks will remain at a certain level, which is what residual risks are. The point is, the organization needs to know exactly whether the planned treatment is enough or not.
Residual risks are typically assessed in the same way as initial risks are – using the same methodology, assessment scales, and so on. What’s different is that you have to consider the impact of controls (and other mitigation strategies), therefore the likelihood of an event is usually reduced, and the impact is sometimes even reduced.
References:
Colby, Lois (2021, March 16). Entity-Level Controls: Impact On An Organization & The Audit Process
https://linfordco.com/blog/impact-of-entity-level-controls/
August 12, 2004. The Enron Collapse: An Overview of Financial Issues
https://www.everycrsreport.com/reports/RS21135.html
Kosutic, Dejan. Why is residual risk so important?
https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Dalmacion, Khyla Bernadette S.
2019-105708
What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
- Entity-level controls are very broadly focused and often deal with the organizational environment or atmosphere. They are designed to mitigate risks that exist at the organization-wide level, including those that arise internally as well as externally. Entity-level controls also serve to support, complement, and reinforce process-level and transaction-level controls. Additionally, these controls have a pervasive effect on the achievement of many business objectives (Internal Audit Foundation, 2017). It is important to effective risk management because it defines the organizational culture of the company – providing a foundation in both people and the process. The benefits included in Entity level in accordance to risk management and control are quality, error-free financial statements and financial reporting, better risk assessment and management, stronger risk mitigation, improved effectiveness and efficiencies in business and operations, lowered reliance on activity- and transaction-level controls, and so on (mbgcorp, 2021). This can help the efficiency and effectiveness the organization is aiming for in facing the challenges of their company. It is much easier and can give us our utmost preparedness in handling every occurrence.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
- Aside from the biggest and known accounting scandal, Bernie Madoff Scandal is also a failed representation of proper entity level controls. Bernie Madoff is a former American stockbroker who orchestrated the biggest Ponzi scheme in history, and also one of the largest accounting scandals. Madoff ran Bernard L. Madoff Investment Securities LLC. After the 2008 financial crisis, it was discovered that Madoff had tricked investors out of over $64.8 billion. Madoff, his accountant, David Friehling, and second in command, Frank DiPascali, were all convicted of the charges filed against them. The former stockbroker received a prison sentence of 150 years and was also ordered to pay $170 billion in restitution (corporate finance institute, n. d.). The entity level controls were completely absent, which made billions of dollars lost from mismanagement in the internal controls.
HABON, ASHLEY P
2019-202695
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
- Residual risk is the risk remaining after risk treatment. After you identify the risks and mitigate the risks you find unacceptable (i.e. treat them), you won’t completely eliminate all the risks because it is simply not possible – therefore, some risks will remain at a certain level, and this is what residual risks are. It assesses in the same way as you perform the initial risk assessment – you use the same methodology, the same assessment scales, etc. What is different is that you need to take into account the influence of controls (and other mitigation methods), so the likelihood of an incident is usually decreased and sometimes even the impact is smaller (Dejan Kosutic, n. d.). It is important to know the risk in order to know what kind of approach you are going to use in handling these risks. Just like what they say, you have to know the enemy before you can defeat it. It is also important to measure and analyze the risk since it will help you in assessing how big of an impact it will be in your chosen business path.
References
Internal Audit Foundation, 2017. Case Study 1: Auditing Entity-Level Controls. 4th Edition Internal Auditing: Assurance & Advisory Services. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
mbgcorp, 2021. The Critical Importance of Entity Level Controls to your Organization. https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
corporate finance institute, n. d. Accounting Scandals – List and Overview. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Dejan Kosutic, n. d. ISO 27001 & ISO 22301 Knowledge base. https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
HABON, ASHLEY P
2019-102695
(1/2)
1. What is the importance of entity-level controls to effective risk management and control across the whole organization?
The importance of entity level controls to effective risk management and control across the entire organization stems from the fact that the presence of these controls is critical to the success of any business or organization. Entity level controls serve as the foundation for how an organization operates on a regular schedule, as well as how it interrelates with and is interpreted by interested parties. It is also an essential component of an audit because it assesses the tone and content of an audited organization. The components of entity level controls must be introduced in order to provide an exceptionally positive control environment. When the analysis of entity-level controls and threat assessment is perfect, significance can be determined, and the auditor can strategize the assessment and layout the assessment of control mechanisms based on the audit scope. Overall, it is critical to control the organization's design for a specific content area and operations such as financial services, production, and case studies
Overall, there is a big significance in effective risk management and control in an organization when using entity-level controls. It is the key for the organization’s success so its presence is really important.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
One example is the Enron Scandal. Enron Corp.'s rapid and unanticipated downfall was the first in a string of significant high-profile corporate that have shattered investor trust in governance practices and the equity markets. Enron was widely considered as one of the most inventive, quickest, and best-managed enterprises in the United States just months before its bankruptcy filing in December 2001. Investors, including hundreds of Enron employees who owned company stock in their 401(k) retirement savings, lost hundreds of billions of dollars as a result of the company's rapid collapse. Enron was in bad financial position as early as 2000, with debt and money-losing enterprises, yet it appears that it distorted its accounts.
Businesses frequently collapse as a result of poor or ill-timed investments. The company's response to its challenges was what turned the Enron case into a massive financial scandal. Enron manipulated its statements rather than reveal its true financial status to public investors, as required by law. It attributed monetary damages and nearly worthless resources to poorly consolidated collaborative relationships and "privately owned entities," within certain words, the company's professional accountants statements decided to pretend that setbacks were occurring not to Enron, but to the enough that Raptor entities, which were presumably self-governing firms that had negotiated to accumulate Enron's losses, but were actually accounting diversions created and entailed by Enron.
-Dugay, Bernadeth B (2019-103892)
Entity level controls are controls that operate across an organization to manage risks that pose a danger to the entire company and provide assurance that organizational objectives are met. Control Environment, Risk Assessment, Monitoring, Information and Communication Activities, and Control Activities are the five components of entity-level controls, according to Lois Colby.
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Although there are many types of controls in an organization, entity level control is the most important part of conducting critical business interactions with other organizations and when an external audit is performed on the entity. The code of ethics, risk management policies and processes, fraud prevention and detection policies and procedures, human resources policies and procedures, management's control deficiency escalation mechanism, and variance analysis are all covered by controls in the firm.
The benefits or importance of entity level control are, first, that the company has strong personnel management, improved effectiveness and efficiency of business operations, quality and error-free financial statements and reporting, and strong risk mitigation.
Overall, entity level control is one of the most critical aspects of any organization, and all five components of this control are necessary for a strong control environment.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The Tyco Accounting Scandal is one of the most well-known financial scandals in the United States. Tyco is a security products and services company that grew rapidly in the 1990s and 2000s due to the revenue it generated, but the company is now embroiled in a scandal after former CEO and Chairman Dennis Kozlowski and former Chief Financial Officer Mark Swartz engaged in unethical behavior. Tax evasion by acquiring millions of dollars in art is one of the crimes perpetrated by the former CEO and Chairman Kozlowski, and Tyco's accounting firm is also embroiled in the scandal because they failed to notice or point out that a fraud had already occurred. The suspects stole a large sum of money from the fraud they committed, and as a result, they were sentenced to prison.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is a sort of risk that exists or persists after controls have been accounted for and the organization has taken precautions, and it is critical for the auditor to detect, assess, and analyze this type of risk. The security specialists can rapidly and effectively detect risk and comprehend the impact of that risk on the firm by monitoring and managing residual risk. Your organization has no choice but to accept residual risk if it is less than an acceptable level of risk. If not, the security team will need to devise new procedures to mitigate the risks, which will necessitate a reevaluation of your residual risk once the new controls are in place.
Colby, L. (2021). Entity-Level Controls: Impact On An Organization & The Audit Process. Retrieved November 5, 2021.
https://linfordco.com/blog/impact-of-entity-level-controls/
7 Worst Accounting Scandals in U.S. History. (n.d.). Retrieved November 5, 2021. https://onlinedegrees.unr.edu/blog/worst-accounting-scandals/#vfg968h6jsgq
Fasulo, P. (2020). Inherent Risk vs. Residual Risk: What’s the Difference?. Retrieved November 5, 2021. https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Salutim, Hershey Mae D.
502A 2019-106961
(2/2)
3. What is residual risk and why is it important for Internal Auditors to identify, measure and analyse risk?
The risk that wants to remain after management has taken steps to lessen the impact and chance of an incident is known as residual risk. Critical management are those that aid in the management and reduction of risk within the risk assets of an institution. Internal audit can use these techniques to address which operations to be included in the audit proposed arrangement. Internal audit may provide assurance, investigation, or consultation activities in areas with the greatest risk exposure. Furthermore, risk assessments can be used by internal audit to identify any controls that are ineffective in reducing risk.
It is important for internal auditors to identify, measure and analyse risk in order to coordinate internal audit activity with risk in an entity’s and it will help to have the organization’s operations clearly documented. Risk records have been produced by certain enterprises to acknowledge risks based on particular and residual risk level. Regardless of the strategy, companies should have a procedure in place that identifies high-risk regions in a systematic manner. Because internal audit is unable to assess all of these risks, those that are not included in the internal audit strategy should be reported to the board separately. These frequently contain significant inherent danger ratings with little improvement in residual risk. Audit team should also have some relatively low activities in their proposed arrangement on a regular basis to ensure that the risks have not altered.
REFERENCES:
The Enron Collapse: An Overview of Financial Issues (2005) retrieved from https://www.everycrsreport.com/reports/RS21135.html
Colby, Lois (2021) Entity-Level Controls: Impact on An Organization and The Audit Process; retrieved from https://linfordco.com/blog/impact-of-entity-level-controls/
Internal Audit and Risk Oversight (2009) Retrieved from; https://erm.ncsu.edu/library/article/internal-audit-assurance
-Dugay, Bernadeth B. (2019-103892)
1/2
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
According to the case study from the Internal Audit Foundation about Auditing Entity-Level Controls, Entity-Level-Controls are controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved. Its examples are about code of ethics, risk management policies and procedures, fraud prevention and detection program, human resources policies and procedures, Management’s control deficiency escalation process, Variance analyses, and IT general controls. Basically, it is important because it will mitigate risks that the company will face in the future and have the confidence that it will effectively and efficiently operate its transactions without abnormalities which are performed and led by an internal auditor. Furthermore, entity-level control should be implemented across the whole organization by a competent internal auditor who makes risk assessments about the entity by identifying, measuring, and analyzing risks because he will be the guidance of the company on its operations and his risk assessment will be the basis of the company its decisions. Hence, having an effective entity-level control reduced the cost the company might incur and therefore increase its efficiency and save its resources.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
According to Corporate Finance Institute, the famous financial scandal that failed to represent proper entity-level control is the case of Enron Corporation, which declared profits in its company books despite having losses in its operation because it believed that they would be recovered in the future, which then did not happen and resulted in its bankruptcy and high amount of debts from its creditors, loss of pension benefits to its employees, and criminal records in the regulating bodies outside the entity. In their case, the company failed to implement proper entity-level-control to mitigate the risks that the company might incur in the future. If only the internal auditor is competent enough to stand on what is right and just, then the company would not continue its operation as early as they were incurring losses and be brave enough to report it to the regulating bodies outside the entity and not on the time that the company has incurred a lot of loss which makes them difficult to recover.
2/2
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risks are risks that remain to have despite implementing the controls. According to Kost (2021), it is important to assess in an organization because its mitigation is a mandatory requirement of ISO 27001 regulations, and to be compliant with ISO 27001, organizations must complete a residual security check in addition to inherent security processes, before sharing data with any vendors. In relation to this, internal auditors must really identify, measure, and analyze this risk especially if it has a direct impact on the operation of the company because by making a risk assessment a company can make plans on how to deal with risk and perhaps deduce its effects on the operation. Hence, quantifying residual risk during risk assessments will improve risk assessment plans, reduce cost, and save resources for the company. By estimating the likelihood of the residual risks, the company could make an improvement in its entity-level control and reduce the discrepancy and abnormalities during the operation of the business.
Kost, E. (2021), Attack Surface Management: What is Residual Risk? Why it Matters in 2021, https://www.upguard.com/blog/residual-risk
Corporate Finance Institute (CFI): Accounting Scandals - List of Top 10 Scandals in Past Decades https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/#:~:text=Enron%20Corporation%20was,was%20later%20overturned.
Segal, T. (2021), Enron Scandal: The Fall of a Wall Street Darling, https://www.investopedia.com/updates/enron-scandal-summary/
Slabotsky, R. (2017), FAIR Institute Blog, Inherent Risk vs. Residual Risk Explained in 90 Seconds (fairinstitute.org)
Case-Study on Auditing-Entity-Level-Control, https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
ESCRITOR, RHEABELLE: CBET01-503A: 2019-106337
(1/2)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Controls that address financial-statement-level risks are known as entity-level controls. For example, a poor control environment can pervasively affect financial statements. And controls that address risks at the assertion level–such as control activities–are known as activity-level controls (Hall, 2021). It is important because assessment of a company’s entity-level controls is the first step in determining the makeup of the control structure and operating effectiveness of that control structure for the specific operations covered by the audit. According to Colby, there are five components of entity-level controls to be considered. They are control environment, risk assessment, monitoring, information & communication, and control activities. They are implemented to provide for an overall strong control environment.
It is important because it is one of the key components of any organization. They provide the foundation under which the organization operates on a daily basis and how the organization is perceived and interacts with external stakeholders. Entity-level controls are designed to mitigate the risks and complement existing good controls.
2. Give one example of famous financial scandals that failed to represent proper entity level controls.
One example of famous financial scandals is the story of Enron Corporation, which depicts a company that reached dramatic heights only to face a dizzying fall. The fated company's collapse affected thousands of employees and shook Wall Street to its core. At Enron's peak, its shares were worth $90.75; just prior to declaring bankruptcy on Dec. 2, 2001, they were trading at $0.26.
By the fall of 2000, Enron was starting to crumble under its own weight. CEO Jeffrey Skilling hid the financial losses of the trading business and other operations of the company using mark-to-market accounting. This technique measures the value of a security based on its current market value instead of its book value. This can work well when trading securities, but it can be disastrous for actual businesses.
In Enron's case, the company would build an asset, such as a power plant, and immediately claim the projected profit on its books, even though the company had not made one dime from the asset. If the revenue from the power plant was less than the projected amount, instead of taking the loss, the company would then transfer the asset to an off-the-books corporation where the loss would go unreported. This type of accounting enabled Enron to write off unprofitable activities without hurting its bottom line. In 1998, they developed a deliberate plan to show that the company was in sound financial shape despite the fact that many of its subsidiaries were losing money. Fastow and others at Enron orchestrated a scheme to use off-balance-sheet special purpose vehicles (SPVs), also known as special purpose entities (SPEs), to hide its mountains of debt and toxic assets from investors and creditors. The primary aim of these SPVs was to hide accounting realities rather than operating results.
– CRUZ, IVY FRANCESCA SN. (CBET-01-502A)
(2/2)
The Enron scandal resulted in other new compliance measures. Additionally, the Financial Accounting Standards Board (FASB) substantially raised its levels of ethical conduct. Moreover, company boards of directors became more independent, monitoring the audit companies, and quickly replacing poor managers. These new measures are important mechanisms to spot and close loopholes that companies have used to avoid accountability. At the time, Enron's collapse was the biggest corporate bankruptcy to ever hit the financial world (since then, the failures of WorldCom, Lehman Brothers, and Washington Mutual have surpassed it).
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
The risk that remains after you've eliminated all of the dangers that you believe the asset is exposed to is referred to as residual risk. Residual risk is important for several reasons. First to consider is that residual risk is the risk "left over" after security controls and process improvements have been applied. This means that residual risk is something organizations might need to live with based on choices they've made regarding risk mitigation. Or they could opt to transfer the residual risk, for example, by purchasing insurance to offload the risk to an insurance company.
Another reason residual risk consideration is important is for compliance and regulatory requirements -- for example, International Organization for Standardization 27001 stipulates this risk calculation. Finally, residual risk is important to calculate for determining the appropriate types of security controls and processes that get priority over time.
Reference:
Hall, C. (2021). Entity-level controls: why they matter. CPA Hall Talk. https://cpahalltalk.com/entity-level-controls/
Colby, L. (2021). Entity-level controls: impact on an organization and the audit process. Linford & Co LLP. https://linfordco.com/blog/impact-of-entity-level-controls/
Segal, T. (2021). Enron Scandal: the fall of a wall street scandal. Investopedia. https://www.investopedia.com/updates/enron-scandal-summary/
Shackleford, D. & Sales, F. (2021). What is residual risk and why is it important?. Search Compliance. https://www.google.com/amp/s/searchcompliance.techtarget.com/definition/residual-risk%3famp=1
– CRUZ, IVY FRANCESCA SN. (CBET-01-502A)
(1/1)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
To truly manage the business operations of a company, Entity-Level Controls are one of the needed things to know to be able to know how to manage the business properly. According to Murdock, Entity-Level Controls are used to determine if the values, systems, procedures and policies are effective to prevent fraud and encourage proper conduct. The implementation of entity-level controls is a vital component of any organization since it serves as the foundation upon which the organization runs on a daily basis. Entity-level controls are also an important component of an audit since they examine the general tone at the top of the company being audited and serve as the foundation for lower-level operational controls. It also mitigates the risks that can be seen as a threat to the organization and provide assurance that the objectives will be achieved.
Entity-Level Controls establish the organizational culture of the company. They serve as the core element of its operations, both in terms of people and processes. They influence how the firm is regarded by its stakeholders and how it interacts with them.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
One of the famous financial scandals that happened is the WorldCom Scandal which is the WorldCom Company, an American telecommunications company. In 2002, just a year after the Enron scandal, it was discovered that WorldCom had inflated its assets by almost $11 billion, making it by far one of the largest accounting scandals ever. The corporation underreported line expenses by capitalizing them rather than expensing them, and it overstated sales by making false entries. The problem originally surfaced when the company's internal audit department discovered about $3.8 billion in fake accounts. Bernie Ebbers, the company's CEO, was sentenced to 25 years in jail for fraud, conspiracy, and submitting fraudulent paperwork. Over 30,000 jobs were lost as a result of the scam, and investors lost more than $180 billion.
(2/2)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is the risk remaining which are the risks you didn’t completely eliminate because of the impossibility of the risks. These are the risks that after you identify all the risks and mitigate then you see some unacceptable risks, these risks will still remain. There are four fundamental ways of approaching residual risk: reduce it, maintain a strategic distance from it, acknowledge it, or transfer it. Since residual risk is frequently unknown, many organizations choose either to acknowledge or transfer it—for case, outsourcing administrations with residual risk to a third-party organization.
Identifying, measuring and analyzing residual risks is significant to the Internal Auditors because they need to consider the influence of controls to come up with other methods to reduce those risks, with that the residual risks’ impact will be lesser than what they expected. Since they will continuously be display, the method of overseeing residual risk includes setting an acceptable limit and after that implementing programs and arrangements to moderate all dangers underneath that threshold.
Murdock, H. (2017). Operational Auditing: Principles and Techniques for a Changing World. CRC Press Taylor & Francis Group. pp. 107
Cpa, L. C. C. |. (2021, March 16). Entity-Level Controls & How They Impact Your Organization. Linford & Company LLP. Retrieved November 5, 2021, from https://linfordco.com/blog/impact-of-entity-level-controls/
https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/#author. (2021, September 13). Entity level controls and their importance to organizations. MBG Corporate Services - Your Global Business Experts. Retrieved November 5, 2021, from https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
Corporate Finance Institute. (2020, June 12). Top Accounting Scandals. Retrieved November 5, 2021, from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Safeopedia. (2017, May 8). Residual Risk. Safeopedia.Com. Retrieved November 5, 2021, from https://www.safeopedia.com/definition/470/residual-risk
What is Residual Risk? Why it Matters in 2021 | UpGuard. (n.d.). UpGuard. Retrieved November 5, 2021, from https://www.upguard.com/blog/residual-risk
TAPIA, GIAN TRICIA B. 2019-103668
1. WHAT IS THE IMPORTANCE OF ENTITY- LEVEL CONTROLS TO EFFECTIVE RISK MANAGEMENT AND CONTROL ACROSS THE WHOLE ORGANIZATION?
Every organization faces a variety of risks depending on its business objectives. These can affect a business's ability to achieve its goals and objectives for entity-level controls. The Internal Audit Foundation defines entity-level controls as a set of controls that operate across areas through management to mitigate risk threatening the operations and ensure the achievement of organizational objectives. It serves to support, complement, and reinforce process levels and transaction-level controls. Entity-level control is a crucial component in an internal control system.
It is essential to understand how entity-level control can influence the performance of a process. The weaknesses in entity-level controls can allow circumvention of well-designed controls within an organization. Relatedly, little entity-level commitment to attracting, training, and developing competitive employees in crucial areas requiring decision-making abilities and complex judgments. Entity-level controls are necessary to detect breakdowns in the control structure and help the company see control weaknesses (Hall, 2021). Additionally, it aids in error-free financial reporting. It helps in improving the effectiveness and efficiencies in business operations. Entity-level controls lower reliance on activity and transaction controls and develop strong personnel management through well-defined roles and expectations.
PIOLIN, RICKA MAE B.
2019-101805
2. GIVE ONE EXAMPLE OF FAMOUS FINANCIAL SCANDAL THAT FAILED TO REPRESENT PROPER ENTITY-LEVEL CONTROLS
Several companies or prominent corporations operating across borders have stopped their operations due to a failure to implement a proper internal control system in operations, listed, the Enron Corporation. Enron Corporation was an energy company that began to trade extensively in the energy derivatives market. It was the first nationwide natural gas pipeline network, shifted its business focus during the 1990s from the regulated transportation of natural gas to trading in unregulated energy markets. The entity to earn a speed rate annual revenue from $10 in the early 1990s to $139 billion in 2001 hides massive losses, ultimately leading to one of the largest accounting scandals and bankruptcy in recent history. Enron Corp. raised fundamental issues about corporate fraud, accounting transparency, and investor protection. Its auditor, Arthur Andersen, not only turned a blind eye to improper accounting practices but was actively involved in devising complex financial structures and transactions that facilitated deception. The high-ranking executives had sued before the court with wire fraud, money laundering, securities fraud, mail fraud, and conspiracy. The Enron Scandal or Enron Collapse of 2001 was due to a combination of unethical accounting practices and failure of business watchdogs. They uncovered massive exposure while investors lost money as market capitalization deteriorated. Jeffrey Skilling, the President, concealed all financial losses by applying the accounting concept of mark-to-market accounting and reported profits that accrue. Meanwhile, Enron reported not its losses if the actual profit earned were less than the reported earnings. They have met their downfall due to a failure in implementing internal control from the high-ranking personnel, low-ranking personnel down to its day-to-day operations.
PIOLIN RICKA MAE B
2019-101805
3. WHAT IS RESIDUAL RISK AND WHY IS IT IMPORTANT FOR INTERNAL AUDITORS TO IDENTIFY, MEASURE AND ANALYZE THIS RISK?
There are two primary types of risks that management face: Inherent Risk and Residual Risk. Inherent Risks are defined as the level of risk in place to achieve management’s objectives and before taking necessary actions to mitigate the risk or alter its impact or likelihood. On the other hand, Residual Risk is the remaining level of risk following the development and implementation of the entity’s response. Additionally, residual risks are risks that remain after controls are accounted for and remain in the organization. (Fasulo, 2020).
The assessment of residual risk is similar to the initial risk assessment. Most of the time, these are associated with risk appetite, the concept of management’s level of risk acceptability which provides an answer to whether the planned treatment is sufficient and how much risk appetite the entity has, and the decision whether to operate in a high-risk environment or operate in high-level security but under a low-level risk. The former are risks “leftover” after proper internal control measures implementation that would mean that residual risk is something that the management might need to live based on the selections they’ve made regarding risk mitigation. More importantly, it is relevant for compliance and regulatory requirements. Residual risks determine appropriate types of security controls and processes that get priority over time.
Identifying, measuring, and analyzing residual risk is as important as monitoring and understanding inherent risks. Internal auditors are allowed to quickly and accurately identify potential internal and external threats and determine how those threats could undermine management’s operations. Knowing how and when risks might slip through the fence, an internal auditor can confidently respond to risks.
REFERENCES:
Hall, Charles (2021, September 21). Entity-level Control: Why they matter. Retrieved 05 November 2021 10:33 am from https://cpahalltalk.com/entity-level-controls/
Internal Audit Foundation (2017). Internal Auditing: Assurance and Advisory Services, 4th edition. Retrieved 27 October 2021 03:30 pm from https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Segal (2021, May 31). Enron Scandal: The Fall of a Wall Street Darling. Retrieved 05 November 2021 4:00 pm from https://www.investopedia.com/updates/enron-scandal-summary/
Nigam, Rishab (n.d). Enron Scandal. Retrieved 04 November 2021 03:00 pm from https://www.wallstreetmojo.com/enron-scandal/
Fasulo, Phoebe (2020, December 21). Inherent Risks vs. Residual Risks: What’s the difference? Retrieved 05 November 2021 from https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
PIOLIN RICKA MAE B
2019-101805
I. Importance of Entity-Level Controls to effective risk management & control across the whole organization
Entity-level controls are the primary controls for ensuring that management guidelines for the organization as a whole are effectively implemented. They can also be thought of as relatively high control system because they are more broad in scope or affect a larger audience. Entity-level controls must exist and be implemented in order for an organization to function properly. They lay the groundwork for how the organization performs on a frequent basis (employees and processes), as well as how the institution is deemed and interrelates with external stakeholders. Entity-level controls are also an important component of an audit because they assess and evaluate tone at the top of an organization being audited and serve as the foundation for reduced operational controls. To provide an excellent overall control environment, all five components – control environment, risk assessment, tracking, communication & information, and control activities – must be implemented.
II. Famous financial scandals that failed to represent proper entity-level controls
Enron Corporation was a US energy, goods, and services conglomerate headquartered in Houston, Texas. In one of the most contentious accounting scandals in recent memory, it was revealed in 2001 that the company had been using accounting loopholes to conceal billions of dollars in bad loans while overstating earnings. The Enron Corporation story depicts a company that reached dizzying heights only to plummet dramatically. The failure of the ill-fated company affected thousands of workers and rattled Wall Street to its core. Enron's shares were worth $90.75 at their peak, but they were trading at $0.26 just before the company declared bankruptcy on December 2, 2001. The Enron failure of 2001 happened when Enron, a previously phenomenally successful stock market company, went bankrupt. The failure of Enron was caused by a combination of unethical accounting practices, the collapse of business watchdogs, and other factors.
III. Residual risk
The risk that persists after accounting for controls is referred to as residual risk. It is the risk that remains after your company has taken all appropriate precautions. The participants must take into account whether the amount of residual risk is adequate, that is, within the appetite for risk of the organization, and whether control systems need to be revised (in design and/or utilization) to reduce the amount of residual risk.
Residual risk is significant for a number of reasons. The first thing to keep in mind is residual risk, which is the risk that is "left over" after security measures and improved efficiency have been implemented. This means that residual risk is something that organizations may have to live with as a result of risk-mitigation decisions. Alternatively, they could choose to transmit the residual risk, such as by purchasing insurance to offload the risk to an insurance provider. The residual risk must be calculated in order to determine the appropriate kinds of security structures and procedures that will be prioritized over time.
References:
Corporate Finance Institute. (2020, June 12). Top Accounting Scandals. Retrieved November 5, 2021, from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Shackleford, D., & Sales, F. (2021, October 12). residual risk. SearchCompliance. Retrieved November 5, 2021, from https://searchcompliance.techtarget.com/definition/residual-risk
Colby, L. C. (2021, March 16). Entity-Level Controls & How They Impact Your Organization. Linford & Company LLP. Retrieved November 5, 2021, from https://linfordco.com/blog/impact-of-entity-level-controls/
SALVO, MARY ROSE., 2019-102485
Hi Mary Rose! Thank you for sharing your ideas about entity-level controls, I'm astounded by how you explained it. Keep up the good work.
Rate: 10/10
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-level controls are rules, policies, and procedures that specify how the board of directors, management team, and staff should respond to a company's financial statement-level risk (“The Critical Importance of Entity Level Controls to your Organization”, 2021).
According to Colby (2021), entity-level controls are the primary controls for ensuring that management instructions for the organization as a whole are implemented and enforced. Entity-level controls are considered important and in result, internal auditors must undertake frequent evaluations to establish the design soundness and operational effectiveness in the organization. Furthermore, entity-level controls are considered higher-level controls since they are more general in nature or they affect a larger audience. In addition, it is evident that all controls are designed to mitigate risk either at the enterprise level or at the operational level within an organization. With this, some organizations implement these controls in reaction to frauds or other scandals.
According to the study of Internal Audit Foundation (2017), management visualizes the system of internal controls, which is the entity-level control, as a funnel in which major risks are filtered at various levels of the system. Furthermore, when evaluating whether controls are sufficient to meet identified risks, management evaluates entity-wide controls that are widespread throughout the organization. In result, the management can make informed decisions about which processes require additional controls.
- MACANIP, JOANNA ELAINE O. (2019-103856)
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Many public and private businesses have faced financial scandals in recent years, and fraud is one of the top concerns of business executives. Financial scandals, as well as the growing sophistication, complexity, and potential to harm individuals and entire economies, are important causes of concern. The King Mongkut's Institute of Technology Ladkrabang (KMITL), a renowned public research and education institution recognized as Thailand's top-ranked engineering institute, was engaged in a 1.58 billion Baht (USD 52 million) embezzlement scandal. According to Terdpaopong & Trimek (2015), the CSD was given authority by KMITL to pursue legal action against three former KMITL officials. The executives were charged with theft, document forgery, abuse of authority, dereliction of duty, and money laundering by the police, but they were freed on bail. Theft, fabrication of official papers, embezzlement, carelessness, and money laundering are among the allegations leveled against another 11 people. Eight of them, including the previous branch manager, are being held in custody. The embezzlement at KMITL puts into doubt the institute's internal controls as well as other public institutions' regulatory processes.
The KMITL case demonstrates the importance of reviewing entity-level control, auditing, and governance norms. It calls for the establishment of financial fraud policies and methods to prevent and identify its occurrence. When policies, practices, and procedures are debated and formed, they must include the effectiveness and efficiency of operations, as well as reliability and compliance with laws and regulations. The COSO cube's eight pillars can assist an institution in improving the effectiveness of its internal control system.
- MACANIP, JOANNA ELAINE (2019-103856)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
According to Kost (2021), the danger or vulnerability that remains after all risk treatment and mitigation measures have been performed is referred to as residual risk. Internal auditors won’t be able to remove all risks once they have identified them and mitigated the ones deemed unacceptable, therefore some risks will remain at a certain level. The purpose of identifying, measuring, and analyzing residual risk is to find out whether the planned treatment is sufficient and could be managed accordingly. It is important for an internal auditor to set an acceptable risk threshold, and then implement programs and solutions to minimize any hazards below the desired level in the process of properly managing residual risks.
References:
Colby, L. (2021, March 16). Entity-Level Controls: Impact on an Organization & The Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/.
Internal Audit Foundation. (2017). Case Study 1: Auditing Entity-Level Controls. Internal Auditing: Assurance & Advisory Services, 4th Edition. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf.
Kost, E. (2021, October 25). What is Residual Risk? Why it Matters in 2021. https://www.upguard.com/blog/residual-risk.
Terdpaopong, K. & Trimek, J. (2015). Financial Scandal: The Case of King Mongkut’s Institute of Technology Ladkrabang, Thailand. Procedia Economics and Finance 28 (2015) 39 – 45. https://doi:10.1016/S2212-5671(15)01079-5.
The Critical Importance of Entity Level Controls to your Organization. (2021, September 13). https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/.
- MACANIP, JOANNA ELAINE (2019-103856)
1. The Importance of Entity-Level Controls to Effective Risk Management & Control Across the Whole Organization
Not all controls are made equal, as should be obvious. All may play a part in attaining the intended outcome, but only a few are actually crucial; that is, their absence would make reaching the desired result impossible. Key controls are the names given to these crucial activities. Similarly, controls at the organizational level may have a different influence on the internal control system than controls at the process or transaction level. As a result, it's critical to comprehend how such controls, particularly those that function throughout the whole company (i.e., entity-level controls), may affect the internal control system.
At regular times, management often completes its own evaluation or a series of assessments of the organization's entity level controls (for example, annually or quarterly). Such evaluations are based on tests taken at the time of the evaluation, as well as other tests that may have been taken in conjunction with prior evaluations (such as assessments of an ERM program, a compliance program, or certain IT general controls). When it comes to entity-level control evaluations, management takes them into account.
assessing and commenting on the organization's overall internal control system
2. Famous Financial Scandals That Failed to Represent Proper Entity-Level Controls
Enron Corporation is one of the most well-known and well-publicized examples of entity-level controls failing. While Enron was recognized for having sophisticated controls and risk management skills to support many of its intricate operations, failings in controls at the board and senior management levels contributed to one of the most important corporate collapses in history. A detailed examination of what went wrong at Enron, as well as certain other well-publicized financial catastrophes, can reveal the significance of effective entity-level controls.
3. Residual Risk and Why Is It Important for Internal Auditors to Identify, Measure, And Analyze This Risk
The risk that remains after management has taken steps to lessen the effect and chance of an incident is known as residual risk. Key controls are those that aid in the management and reduction of risk within the risk appetite of an institution. Internal audit can use these evaluations to identify which actions to include in the audit activity plan. Internal audit may provide assurance, investigation, or consultation activities in areas with the greatest risk exposure. Furthermore, risk assessments may be used by internal audit to identify any controls that are ineffective in reducing risk.
Risk identification inside a company must be well documented in order to link internal audit work with risk management. Risk registers have been produced by certain organizations to document hazards based on inherent and residual risk ratings. Regardless of the strategy, companies should have a procedure in place that identifies high-risk regions in a methodical manner. Because internal audit is unable to assess all of these risks, those that are not included in the internal audit strategy should be disclosed to the board separately. These frequently contain high inherent risk ratings with little change in residual risk. Internal audit should include certain lower-risk tasks in their activity plan on a regular basis to ensure that the risks have not changed.
References:
Internal Audit and Risk Oversight. (2009, August). NC State Poole College of Management. https://erm.ncsu.edu/library/article/internal-audit-assurance
Auditing Entity-Level Controls. Internal Auditing: Assurance & Advisory Services. 1-2. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Salapare, Daryll A. (2019-102486)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
- Entity-level controls have a general definition for the different types of audit engagements and can also be more specific to a type of audit engagement. In general, entity-level controls are controls that are pervasive throughout the organization to mitigate the risks threatening the company as a whole and to ensure that the institution's goals and objectives are achieved (Fitzgerald 2020). These are the rules, policies and procedures that lay down the desired behaviors of the board members, management and employees of an organization in addressing the financial statement-level risk of a company. It is also the key and foundation of corporate governance and its operations in terms of both people and process. Entity-level controls define the organizational culture of the company. They shape how the company is perceived by and how it interacts with external stockholders. Hence, their significance cannot be overstated. The purpose is to ensure quality, error-free financial statements and financial reporting; better risk assessment and management, stronger risk mitigation; improved effectiveness and efficiencies in business and operations; lowered reliance on activity and transaction-level controls; senior, high-quality personnel driving internal controls; strong personnel management through well-defined roles and expectations. Auditors evaluate the company’s Entity Level Controls along the five components of the COSO framework: Control Environment, Risk Assessment, Information and Communication, Control Activities and Monitoring.
-Dela Cruz, Joyce Ann N. (2019-105673)
2. Give one example of famous financial scandals that failed to represent proper entity level controls.
- Enron Corp., the first nationwide natural gas pipeline network, shifted its business focus during the 1990s from the regulated transportation of natural gas to trading in unregulated energy markets. Until late 2001, most observers, including Wall Street professionals, regarded this transformation as an outstanding success, but as it transformed, it ran into serious trouble. Enron saw their future on the internet and invested heavily in online marketers and service providers until Enron reported debt and significant losses from these investments. It is not unusual for businesses to fail after making bad investments. What turned the Enron case into a major financial scandal was the company’s response to its problems. Rather than disclose its true condition to public investors, as the law requires, Enron committed fraud by falsification of its accounts. In this case, Enron failed to represent the entity-level control properly.
-Dela Cruz, Joyce Ann N. (2019-105673)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
- In mitigating business risk, it is impossible to eliminate it all. Some will remain at a certain level which is commonly called residual risk. This is the risk remaining after risk treatment (Kusotic 2021). Residual risks are usually assessed in the same way as auditors perform the initial risk assessment. The purpose of this is to find out whether the planned treatment is sufficient. It is enough when the concept of acceptable level of risks comes into play. It is nothing else but deciding how much risk appetite an organization has, whether the management thinks it is fine for a company to operate in a high-risk environment where it is more likely that something will happen, or the management wants a higher level of security involving a lower level of risk. Both approaches are allowed in ISO 27001 depending on the company's circumstances and budget. Managing residual risk comes with three options for the auditor. First, if the level of risks is below the acceptable level of risk, then auditors will do nothing. Management just needs to formally accept those risks. Second, if the level of risks is above the acceptable level of risk, auditors need to find some new and better ways to mitigate those risks and to reassess the residual risks. Lastly, if the level of risks is above the acceptable level of risk, and the costs of decreasing such risks would be higher than the impact itself, auditors need to propose to the management to accept these high risks. Top management needs to know which risks their company will face even after various mitigation methods have been applied. After all, top management is not only responsible for the bottom line of the company, but also for its viability.
References:
Fitzgerald, N. (2020). Entity Level Controls and Associated Risks | Freed Maxick. https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
MBG (2021). The Critical Importance of Entity Level Controls to your Organization.
MBG Corporate Services. https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
Jackson, et al. (2004). The Enron Collapse: An Overview of Financial Issues. The Congressional Research Service (CRS). https://www.everycrsreport.com/reports/RS21135.html
Kusotic, D. (2021). Why is residual risk so important? ISO 27001 & ISO 22301 Online Consultation Center. https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
-Dela Cruz, Joyce Ann N. (2019-105673)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
In accordance with the discussed chapter 6 of the provided case study about Auditing Entity-Level Controls, all controls are intended to reduce risk at the organization or at the individual level. In addition, such terms as "entity level" and "activity level" were used in the 1992 edition (the phrase "business process" was added to the 2013 revision).
Assessing a company's entity-level controls is the first stage in establishing the composition of the control system and its operational effectiveness. Entity-level controls are significant in a way that they must exist and be implemented for any organization to function effectively. They lay the groundwork for how the company operates on a daily basis, as well as how it is regarded by external stakeholders. Entity-level controls are also an important aspect of an audit since they analyze the organization's general tone at the top and provide the foundation for lower-level operational controls. To provide for an overall strong control environment, all five components must be implemented: control environment, risk assessment, monitoring, communication & information, and control actions.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
One example of a famous financial scandal that failed to represent proper entity-level controls is about Enron Corporation's journey. It is one of the firms that rose to incredible heights only to collapse. Thousands of employees were affected by the fated company's failure, which rocked Wall Street.
Enron's management deceived auditors with fictitious holdings and off-the-books bookkeeping. It used special purpose vehicles (SPVs) or special purpose entities (SPEs) to hide its mountains of debt and toxic assets from investors and creditors. Enron's stock price plummeted from $90.75 at its peak to $0.26 at its bankruptcy. From 2004 to 2011, the corporation paid out more than $21.7 billion to its creditors.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
The risk that remains after the management has taken steps to decrease the impact and chance of an event is known as residual risk, also known as present or current risk. Internal auditors’ activities must be integrated with the risk management if risk identification within an organization is to be adequately documented.
It is crucial for Internal Auditors to identify, measure and analyze the said risk since it must be mitigated in order to comply with ISO 27001 criteria. This is a popular information security standard that is part of the ISO/IEC 2700 family of best security practices. It enables businesses to effectively assess the security of assets before and after sharing them with vendors (Kost, 2021).
References:
Colby, L. (2021). Entity-Level Controls: Impact On An Organization & The Audit Process.
https://linfordco.com/blog/impact-of-entity-level-controls/
Segal, Troy. (2021). Enron Scandal: The Fall of a Wall Street Darling. Retrieved from
https://www.investopedia.com/updates/enron-scandal-summary/
Kost, D. (2021). What is Residual Risk? Why it Matters in 2021. Retrieved from https://www.upguard.com/blog/residual-risk
-Sunthorn, Honey Lizette B. (2019-103582)
(1/2)
Risk is an unavoidable undertaking in a business. These risks may result in either good or bad consequences. Taking risks may develop good results that can provide expansion and betterment to the business. On the other hand, risks that resulted in bad consequences may affect the strength of the business that can influence the financial aspect and the overall profitability. Hence, having a risk assessment is crucial to managing the risks involved. Risk assessment is a process of identifying, measuring, and analyzing risks relevant to a program or process (Murdock, 2017).
In today's topic, these guided questions will help readers to understand the concept of risk to deepen their understanding regarding the subject matter being discussed. These questions are the following: (1) What is the importance of Entity-Level Control across the whole organization?; (2) Give one example of a famous financial scandal that failed to represent proper entity-level controls; and (3) What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
1. What is the importance of Entity-Level Control across the whole organization?
According to Fitzgerald (2020), Entity-Level Control is defined as the “controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.” It is broad because it encompasses the internal and external aspects of the business. Entity-level controls are the overriding controls for overseeing that management directives about the organization as a whole are implemented and enforced. They may also be considered as higher-level controls that are more generic or influence a broader audience (Colby, 2021).
Like any other control, Entity-Level Control is important because it is designed to mitigate the risks that exist at the organization-wide level. Also, it is crucial to the auditing process as it examines the overall tone of the entity and provides the basis for lower-level operational controls. Moreover, if this control is worked in unison with process-level control, it will surely serve as a defense against the risks that might be experienced by the organization, which may hinder the achievement of the objectives.
Griarte, Lovely Rose (2019-105060)
(2/2)
2. Give one example of a famous financial scandal that failed to represent proper entity-level controls.
Enron Scandal: The Fall of a Wall Street Darling. Enron is a merger of two natural gas transmission companies, Houston Natural Gas Corporation and Internorth Inc. It was formed by Kenneth Lay in 1995. Enron became a corporate giant with the help of Jeffrey Skilling, the Chief Executive Officer. He introduced the Market-to-market accounting process wherein the costs of the assets were based on the fair market value of those assets. In this way, the information to be gathered will become more relevant to the decision-making of the business.
However, due to this change in accounting procedure, the assets were not properly valued, and Skilling disclosed irrelevant information so that the company would report a profit when in fact they had already incurred losses. These acts led the company to file for bankruptcy because their assets were not sufficient to pay their liabilities.
Thus, the Enron Company failed its entity-level control because it did not anticipate the risk of not properly disclosing the amounts of the assets. The five components of the entity-level control which include control environment; risk assessment; monitoring; communication and information; and control activities were not considered.
a. Control environment was neglected because their Board of Directors failed to demonstrate integrity and apply the ethical values because their main goal is to earn a profit;
b. Risk Assessment helps the company mitigate the risk but because of the use of fair market values to the resources and not properly indicating the right amount according to the market, the entity did not anticipate that they are incurring more and more debts;
c. Monitoring, Skilling is the only person who monitored the undertakings of the business because of his position in the company and he failed to execute the proper attitude of being an officer;
d. Communication and information, Enron company lacks communication because the information was not conveyed to essential persons. If these data were disseminated ahead of time, the company may not result in bankruptcy; and
e. Control Activities, Skilling should not enter into any investments without a proper plan just like what happened on their investment in the VOD market wherein the profit gained was not sufficient to outweigh costs.
3. What is residual risk and why is it important for Internal Auditors to identify, measure; and analyze this risk?
Conducting risk assessment and management is important to minimize the effects of risks. However, although certain risks have already been eliminated, there are still some risks that remain unsettled and this is known as the residual risk.
It is not possible to mitigate the uncertainties totally. This is the reason why Internal Auditors must identify, measure, and analyze residual risks because it may hinder the business from achieving its objectives.
References:
• Murdock, H. (2017). Operational Auditing: Principles and Techniques for a Changing World. CRC Press Taylor & Francis Group. pp 64
• Fitzgerald, N. (2020). Entity Level Control and Associated Risks. Retrieved on November 6, 2021. https://www.google.com/amp/s/blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place%3fhs_amp=true
• Colby, L. (2021). Entity-Level Controls: Impact On An Organization & The Audit Process. Retrieved on November 6, 2021. https://linfordco.com/blog/impact-of-entity-level-controls/
• Segal, T. (2021). Enron Scandal: The Fall of a Wall Street Darling. Retrieved on November 6, 2021. https://www.investopedia.com/updates/enron-scandal-summary/
• Bondarenko, P. (n.d.). Enron Scandal. Retrieved on November 6, 2021. https://www.britannica.com/event/Enron-scandal/Downfall-and-bankruptcy
• Kosutic, D. (n.d.). Why is the residual risk so important? Retrieved on November 6, 2021. https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Griarte, Lovely Rose B. (2019-105060)
PART 1/3
Among the four basic managerial functions, control is considered one of the functions that is done continuously in order to ensure that all the other functions such as planning, organizing, and leading are being maintained religiously by any company. This means that managers or anyone who is in charge must keep an eye on monitoring employee performance, work quality, and the efficiency, effectiveness, and reliability of completed projects, of which purpose is directed towards meeting the ultimate goals of the business in an adequate manner, and at the same time, testing whether changes are necessary when a specific activity, policy, or procedure is no longer effective anymore based on a cost-benefit analysis conducted.
Meanwhile, in the context of auditing, control is almost no different from its managerial point of view. In fact, a definition devised by Joe Howell (2020) in a podcast at Compliance Podcast Network has been mentioned. For him, control is “a systematic measures, such as reviews, methods, and procedures, instituted by an organization that performs several different functions.” Deriving from this description, it can be gleaned that, although indirect, it is pertaining to what we call entity-level controls, which is an internal control on a broader scale that aims to cater to the needs of the organization as a whole. To emphasize, because of it being broad, according to Colby (2021), it is considered as “higher-level controls that are more general in nature or impact a broader audience” in comparison to other types of controls like activity-level, process-level, and the like.
To put it simply, entity-level controls are controls that are pervasive across an organization. The only issue with this concept is that there is actually no universal definition of what constitutes an entity-level control, and it will vary from firm to firm depending on how it is implemented by them. This implies that a process that is an entity-level in one firm might not be an entity-level in another. However, this issue can be easily addressed as it is relatively easy to identify what is pervasive and what should be the focus of the company in its entirety.
PART 2/3
Examples of entity-level controls are: code of ethics, risk management policies and procedures, fraud prevention and detection programs, human resources policies and procedures, management’s control deficiency escalation process and variance analyses (Fitzgerald, 2020). Based on these examples, it is safe to say that entity-level controls set forth the company's principles through implementation of policies and procedures that will define the intended conduct of the entire organization from employees up to the management.
Moreover, entity-level controls are designed to provide assistance to companies in line with assessing the effectiveness of implemented policies and procedures. As they are tested and reviewed, the results of this control will be the foundation for mitigating risks. This particular system of effective risk management and control is of great value for all organizations as it helps in ensuring that they have the capacity and capability in attaining their overall objectives while acting within ethical and legal bounds established with the business that they have.
With this implication, entity-level controls are definitely an integral part of the business and without it, although companies can still function as they do, potential risks may be overlooked. If neglected, it can hamper the company as a whole without them realizing that it has become pervasive to the extent that it will become costly and time-wasting to address. Do also take note that once a company’s reputation is tainted, it is difficult to gain it back as the impression of the society towards them often lasts. For instance, the well-known Enron scandal back in 2001, which revealed that their executives were stealing millions of dollars in their company while willfully overstating their company’s revenues to shareholders through fraudulent accounting, declared the largest bankruptcy in the history of the United States.
However, aside from the above-mentioned scandal, there is also WorldCom. With the fall of their stock price and how their revenue slowed back in 1999, it fraudulently portrayed itself as a profitable company by classifying operating expenses as long-term capital investments and accounted for $500 million in computer expenses with no documentation to back them up. As an effect, it turned its losses into a profit of $1.38 billion, leading the Securities and Exchange Commission to grow suspicious of the numbers they presented. WorldCom admitted to exaggerating its earnings and filed for bankruptcy shortly after an internal audit began in 2002. Bernard Ebbers, who was the co-founder and CEO of WorldCom at that time, was found guilty and sentenced to prison for twenty-five years (Olya, 2021).
PART 3/3
With this matter in mind, this highlights more the importance of entity-level controls to mitigate risks as much as possible. However, no matter how the organization attempts to eliminate all the risks that have been identified, it is simply impossible, and there will always be risks that remain, hence the need to introduce companies with the concept of residual risks.
Residual risk, according to Shackleford (2021), is the “risk left over after security controls and process improvements have been applied”. This implies that depending upon the options made by the organization on how to treat these risks, they could either: (1) leave it as is if the level of risk is below acceptable; (2) make changes with the controls that have been implemented if the level of risk is above acceptable; or (3) accept these high risks if the level of risk is beyond acceptable especially when the costs associated to mitigate such risks would outweigh the supposed benefits that the company would acquire from it. Taking this all into consideration, assessing residual risks is therefore very crucial for defining the appropriate sorts of security measures, procedures, and processes that should be prioritized over time in order to parallel the objectives and goals of the business in its entirety.
References:
Colby, L. (2021). Entity-Level Controls: Impact on an Organization and the Audit Process. Accessed October 28, 2021 from https://linfordco.com/blog/impact-of-entity-level-controls/
Fitzgerald, N. (2020). Entity Level Controls: Five Issues Caused by Weak or Non-Existent Controls in Place. Accessed October 28, 2021 from https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
Howell, Joe. (2020). Internal Controls in Compliance: Part 1, What are Internal Controls? Accessed October 28, 2021 from http://compliancepodcastnetwork.net/internal-controls-in-compliance-part-1-what-are-internal-controls/
Olya, G. (2021). Enron and the 24 Other Most Epic Corporate Downfalls of All Time.
Accessed October 28, 2021 from https://www.gobankingrates.com/money/business/most-epic-corporate-downfalls/
Shackleford, D. (2021). What is Residual Risk and Why is it Important? Accessed October 28, 2021 from https://searchcompliance.techtarget.com/definition/residual-risk
Written by:
Demabildo, John Michael F.
2019-101694
[1/2]
Entity level controls are controls that function throughout and across an organization to manage risks that threaten the organization as a whole and to ensure that organizational goals are met. These controls determine a company’s culture and values, as well as how they connect to internal and external influences including laws, rules, and professional standards.
The existence and application of these controls are critical components of any organization as they lay the groundwork for how the organization functions on a daily basis, as well as how it is perceived and interacts with external stakeholders. In terms of audit, they analyze the organization’s general tone at the top and serve as the foundation for lower-level operational controls.
Financial scandals occur when an organization's financial reporting lacks transparency and has poor quality of management information such as misleading and irrelevant information. These scandals are caused by a few individuals’ overwhelming greed, which resulted in terrible consequences that brought downfall to the entire organizations and ruined millions of people’s lives.
One of the famous financial scandals that failed to represent proper entity-level controls is the HealthSouth Scandal that occurred in 2003. HealthSouth Corporation is a top US publicly traded healthcare company based out of Birmingham, Alabama.
Richard Scrushy, the current CEO, was pressured to attain the company’s growth. Scrushy and HealthSouth were able to satisfy analyst expectations for 40 quarters in a row by employing inventive accounting techniques and, eventually, fraudulent accounting. Driven by this greed to hit analyst expectations, Scrushy and HealthSouth’s allied partners altered their earnings numbers, overestimated insurance reimbursements, overvalued fixed assets, and employed flawed reserve accountings. The fraud went unnoticed until 2003, when former HealthSouth CFO Weston Smith revealed the scheme to federal authorities and discovered that the company had inflated earnings by over $1.8 billion. Scrushy was convicted and sentenced to seven years in prison for bribing the Governor of Alabama, Don Siegelman.
[2/2]
Residual risk is the risk that remains after the application of controls. The issue the participants need to consider is whether the level of residual risk is satisfactory, that is within the organisation’s risk appetite, and whether controls need to be modified in order to reduce the level of residual risk (Chambers & Rand, 2010, p. 208). It should always be documented and monitored and reviewed on a regular basis.
The nature and amount of residual risk must be properly understood by the organization’s management and all other decision makers as they have the capacity to derail a project. Also, it is important to meet compliance and regulatory requirements implemented by the International Organization for Standardization (ISO) 27001, and organizations must properly address and identify it to minimize these risks, including the implementation of security controls, and totally eradicate or lessen the negative effects of the said threats. Lastly, residual risk must be calculated in order to determine which security measures and processes should be prioritized over time.
References:
Chambers, A., & Rand, G. (2010). The Operational Auditing Handbook: Auditing Business and IT Processes (2nd ed.). John Wiley and Sons, Ltd.
HealthSouth, Inc.: A case of corporate fraud. (n.d.). Retrieved November 2, 2021, from https://www.google.com/amp/s/stakeholder11.wordpress.com/2014/11/24/healthsouth-inc-a-case-of-corporate-fraud/amp/.
SANGOL, LEAREIN J.
2019-106977
1/2
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
According to International Audit Foundation (2017), entity-level controls are "controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved." These controls intend to reduce risks that occur at the organizational level, including those that arise from internal and external factors. Some of the examples of entity-level controls are code of ethics, risk management policies and procedures, fraud prevention and detection program, human resources policies and procedures, management's control deficiency escalation process, variance analyses, and IT general controls.
Entity-level controls are important in an organization because they provide the foundation under which the organization operates daily (employees and processes) and how the organization is perceived and interacts with external stakeholders (Colby, 2021). These also work with process-level controls to serve as an organization's defense against risks that jeopardize the achievement of business objectives, and they have a pervasive effect on the achievement of business objectives. Entity-level controls influence the performance of an organization, and weak, inadequate, or nonexistent entity-level controls may disrupt the overall performance of the organization. By having entity-level controls, the likelihood of the occurrence of a negative event caused by risk is reduced because there is an established and reinforced control consciousness in the organization.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
One of the famous financial scandals that failed to represent proper entity-level controls is the fall of Enron Corporation. The story of Enron Corporation depicts a firm that reached dramatic heights only to plummet dramatically. The fated company's collapse affected thousands of employees and shook Wall Street to its core. At Enron's peak, its shares were worth $90.75, and when they declared bankruptcy on Dec. 2, 2001, they were trading at $0.26.
Enron was formed in 1985 following a merger between Houston Natural Gas Company and Omaha-based InterNorth Incorporated. But after a good run, it failed miserably and ended up as a bankrupt business. The scandal began with the Enron misdeeds in the video rental chains. The business collaborated with Blockbuster to penetrate the VOD market. During that time, the company made $350 billion in trades, but it did not endure long as the dot-com boom burst. It spent a lot of money on broadband initiatives, but the company was not able to recoup those expenses. The corporation was exposed to significant risks, and investors lost money as the company's market value declined. The company began to fail in 2000, and by using the accounting concept of mark-to-market accounting, CEO Jeffrey Skilling disguised all financial losses coming from the trading business and broadband projects. The corporation continued to invest in assets, profits that had yet to be earned were reported, losses were never declared, and assets were moved to the off-the-books corporation. To make matters worse, the company's chief financial officer, Andrew Fastow, purposefully resorted to a plan that showed that the company was in good financial form despite the fact that its subsidiaries lost a lot of money from investors.
Gesta, Charlotte G. (2019-100594)
2/2
The Enron Corporation and its management resorted to an unethical scheme and malpractice of off-balance-sheet mechanism. It created a special economic vehicle to hide the massive debt from its external stakeholders. Furthermore, the mark-to-market that Jeffrey Skilling, the CEO of Enron, used is exposed to some form of manipulation. Rather than taking up the actual worth, the mark to market is based on fair value. It caused the company to fail tragically because they reported predicted earnings as actual profits.
3. What is residual risk and why is it important for internal auditors to identify, measure, and analyze this risk?
According to Fasulo (2020), residual risk is the risk that remains after controls are accounted for and after the organization has taken proper precautions. Residual risks or net risks are risks left after implementing entity-level controls, process-level controls, transaction-level controls, and other mitigating and compensational controls in an organization. Residual risk should be equal to or less than the risk appetite of an organization so that the business will be able to absorb the effects of these risks without threatening the overall performance of the business.
It is salient for internal auditors to identify, measure, and analyze residual risks because these are the risks that may have an impact on the organization even though precautionary controls were implemented. Furthermore, identifying, measuring, and analyzing residual risks will help the auditor and the management in calculating and determining the appropriate types of security controls and processes that will get priority over time. It will also help compare different control measures, and it is a deciding factor about what should be done to reduce these residual risks to as low as possible.
REFERENCES:
Colby, Lois. (2021, March 16). Entity-Level Controls: Impact On An Organization & The Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
Fasulo, Phoebe. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference?. https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Haspod. (2019, July 2). Residual Risk, How You Can Calculate and Control It. https://www.haspod.com/blog/management/residual-risk
Internal Audit Foundation. (2017). Internal Auditing: Assurance & Advisory Services, 4th Edition. Internal Audit Foundation. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Nigam, Rishab. (n.d.). Enron Scandal. Retrieved November 1, 2021 from https://www.wallstreetmojo.com/enron-scandal/
Segal, Troy. (2021, May 31). Enron Scandal: The Fall of a Wall Street Darling. https://www.investopedia.com/updates/enron-scandal-summary/
Shackleford, D. (n.d.). Residual Risk. Retrieved November 1, 2021 from https://searchcompliance.techtarget.com/definition/residual-risk
Gesta, Charlotte G. (2019-100594)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
The entity-control level provides the foundation under which the organization operates on a daily basis (employees and processes) and how the organization is perceived and interacts with external stakeholders. Entity-level controls also serve as a key part of an audit as they assess the overall tone at the top for the organization being audited and provide the basis for lower-level operational controls. All five components – control environment, risk assessment, monitoring, communication & information, and control activities – are critical to have implemented to provide for an overall strong control environment (Colby, 2021). It can be depicted from the above passage that the entity-control level is the backbone of any organization. It is crucial to establish stringent controls that oversee how top management is performing their responsibilities of directing the entire organization in realizing their goals. Any fraud or misconduct should not be tolerated, as being vested with great power comes with great responsibilities. In addition, this serves as the overall control of internal practices and compliance with external forces to regulate the behavior and performance of the related parties. More importantly, this helps the internal stakeholders to be strongly attached to the entity's objectives and refrain from any personal interest that can ruin the trust of the capital provider and the entity's reputation. Proper governance and management of potential risks significantly help the entity to focus on more value-added matters for its growth.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
According to Fortune Editors (2020), Wirecard, now insolvent and dismembered, was Europe’s preeminent fintech firm, offering mobile payment and banking services worldwide. Former CEO Markus Braun seemed to think the financial services company had $2.1 billion that didn’t exist; the company collapsed in June and investors lost billions. The parallel scandal is the failure of regulators and auditors to spot the looming disaster despite years of warning signs. Outsiders, notably journalist Dan McCrum of the Financial Times, had been finding discrepancies in Wirecard’s accounts since 2015. Wirecard always denied vehemently that anything was wrong, but the drumbeat of doubts continued. In 2019, Germany’s market supervisor, BaFin, launched an investigation—not of Wirecard, but of the Financial Times. When the Singapore police raided Wirecard’s offices there a month later, BaFin banned short-selling of Wirecard stock for two months. The stock, which once traded at 191 euros ($233), was recently at 0.43 euros (52 cents). The financial turmoil of Wirecard could have been avoided if only they had implemented strict entity-level controls.
Bangate, Lovely V. (2019-104176)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
The vulnerability or susceptibility that persists after all risk management and restoration measures have been accomplished is referred to as residual risk. Even with a well-designed exposure sanitation program, residual risks will still exist. Considering residual risks would always be present, the method of managing them entails establishing an appropriate risk level and then adopting programs and solutions to eliminate any risks below it (Kost, 2021). Internal Auditors need to identify, measure, and analyze these risks to mitigate their adverse impact on the company. If after passing the key controls and secondary controls, the risks still exist, then auditors may suggest integrating additional mitigating and compensating controls to further limit the impact of the risks. The management and the auditors need to ensure that residual risk should not exceed the organization's risk appetite to continue its survival.
Colby, L. (2021). Entity-level controls: Impact on an organization & the audit process. Retrieved November 06, 2021, from https://linfordco.com/blog/impact-of-entity-level-controls/
Fortune Editors. (2020). The biggest business scandals of 2020. Retrieved November 06, 2021, from https://fortune.com/2020/12/27/biggest-business-scandals-of-2020-nikola-wirecard-luckin-coffee-twitter-security-hack-tesla-spx-mcdonalds-ceo-ppp-fraud-wells-fargo-ebay-carlos-ghosn/
Kost, E. (2021). What is Residual Risk and Why It Matters in 2021. Retrieved November 06, 2021, from https://www.upguard.com/blog/residual-risk
-Bangate, Lovely V. (2019-10417)
Part 01/02
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
The controls used in effective monitoring of implementation and enforcement of managers in activities and directives relevant to the organization are known as entity-level controls (Colby, 2021). They are also considered high levels of control that are inherently more common or affect external stakeholders. These are the controls that are consistently applied to the entire business and organization, reducing the risks of threatening the overall performance. Entity-level controls can also help ensure that the organization is on the right track to attaining its goals and objectives.
Entity-level controls deal with, but are not limited to the following: (a) code of ethics; (b) risk management policies and procedures; (c) fraud prevention and detection program; (d) human resources policies and procedures; (e) management’s control deficiency escalation process; (f) variance analyses; and (g) IT general controls (Anderson et al., 2017).
As stated, one of the primary purposes of entity-level control is to lessen risk either at the company level or at the operational level within an organization. In risk management, entity-level controls are vital to achieving the desired result of the business. It is advantageous if an organization fully understands how these controls affect its business strategy as a whole. The existence and implementation of entity-level measures is a vital element of any organization. It provides a sturdy foundation in the long-term and day-to-day operations of a business.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Enron, a company located in Houston, was considered one of a new generation of American companies involved in various ventures in the energy sector. It bought and sold gas and oil futures, built oil refineries and power plants, and grew into one of the largest pulp and paper, gas, electricity, and telecommunications companies before filing for bankruptcy in 2001 (Carlson, 2019).
MBA Knowledge Base (n.d.) mentioned that Enron had too many internal control weaknesses. First, the CFO was exempt from conflict of interest policies, and that internal control over SPE was a formal but non-existent deception. In addition, many of their tax authorities lacked work backgrounds. The daily pursuit of cash was slow, and they ignored off-balance-sheet debt despite its existence. Internal control was inadequate, and they ignored company-wide risks. Andersen (accounting firm) overlooked all these weaknesses resulting in the downfall of Enron.
FRANDIAN A. BLANCO, 2019-103951
Part 02/02
3. What is a residual risk, and why is it vital for Internal Auditors to identify, measure, and analyze this risk?
As its name suggests, residual risk is the remaining risk in an organization after doing some preventive, directive, or corrective actions. It is the risk that remains after controls are accounted for by the organization, or the risk that endures after the organization has taken appropriate and adequate precautions.
Residual risk is calculated in the same way as an initial risk by determining its probability to happen, impacts, and summarizing them in a risk matrix. If an organization encounters and identifies any residual risk, there are several ways to handle them. Safeopedia (n.d.) stated that a business approaches this kind of risk either by reducing it, avoiding it, accepting it, or transferring it.
Risk evaluation is the identification, measurement, and analysis of relevant risks within or outside the organization. The principal purpose of identifying, measuring, and analyzing the risks is to manage different risks. It helps identify where deception and errors can occur. Risk assessment is vital for an internal auditor to determine the business implications of risks. In addition, it allows them to focus on the risks that are most important to their business strategy and operations.
References:
Colby, L. (2021, March 16). Entity-Level Controls: Impact On An Organization & The Audit Process. Linford. Retrieved from: https://linfordco.com/blog/impact-of-entity-level-controls/
Anderson, U. L., Head, M. J., Ramamoorti, S., Riddle, C., Salamasick, M., & Sobel, P. J. (2017). Internal Auditing: Assurance & Advisory Services, 4th Edition. Internal Audit Foundation
Carlson, M. (2019, November 16). The Enron Scandal That Prompted the Sarbanes-Oxley Act. Small Business. Retrieved from: https://www.thebalancesmb.com/sarbanes-oxley-act-and-the-enron-scandal-393497
MBA Knowledge Base. (n.d.). The Lessons from Enron: The Importance of Proper Internal Controls. Retrieved from: https://www.mbaknol.com/business-ethics/the-lessons-from-enron-the-importance-of-proper-internal-controls/
Fasulo, P. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference? Security Scorecard. Retrieved from: https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Safeopedia. (n.d.). Residual Risk. Retrieved from: https://www.safeopedia.com/definition/470/residual-risk
FRANDIAN A. BLANCO, 2019-103951
1/2
The United Nations Office for Disaster Risk Reduction (n.d.) defined risk as the probability of the occurrence of an outcome that can harm the people, the system, or even the assets themselves. It is the reflection of our own choices and, having said the word system, it can also affect businesses; that is why there’s the existence of risk assessment to provide information to entities against the impacts of different risks present everywhere. Furthermore, even though some risks are innate, thus hard to handle, most of the risks out there can be controlled, especially when internal controls are well-established, as they are designed to safeguard the organization and minimize risk to its objectives (Audit Board, 2018).
What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-Level Controls are controls that are pervasive across and throughout the organization, as against those designed for a specific purpose or division, to mitigate risks that put the whole organization in danger and also to provide assurance that the organizational objectives can be achieved (International Audit Foundation, 2017). It must be known that more than one level of controls exists in an organization to manage the operation properly, and these controls are not created equally, so the impact of one is different from others. Even though entity-level controls are not as specific as those designed for a purpose, they have a hugely significant influence on other types of controls since they are considered higher-level controls that oversee the whole organization. Also, they define the corporate culture and values, thus values on internal and external forces are influenced (Colby, 2021). Moreover, entity-level controls support, complement and enhance the process-level and transaction-level controls; these two are critical to the achievement of many business objectives as well as to defend against threats that could prevent the objectives from being achieved. Having said that entity-level controls influence most of the types of controls, they must not be weak, as that compromises other controls or divisions and could be a hindrance in achieving the entity’s objectives, becoming ineffective and inefficient.
Permejo, Alikhan James M.
2019-102651
2/2
Give one example of famous financial scandals that failed to represent proper entity-level controls
The fraud scandal of Wells Fargo: what they did is that they acknowledged millions of dollars of fraudulent activities or transactions, such as the creation of millions of savings accounts and collecting fees out of them without their clients’ consent, and this illegal practice was carried out by thousands of its employees to meet unrealistic sales targets for more than a decade (Horsley, 2020). This scandal definitely represents a failure not only in entity-level controls but also in leadership, as its bank managers are aware of this illegal practice. In order to become competitive and to look like it was performing well, they put their hard-earned reputation at risk for an unreasonable exchange, losing everything from them.
What is the residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
From the word itself, this is the risk that is left after all the counter-measures against risks have been implemented (Kost, 2021). Like germs, even when remediation efforts have been done, some will still remain since risks are innate in the world. It is important to take it into consideration because, at the end of the day, in nature it is still a risk, and also, aside from being mandated to mitigate it, it provides information to auditors about the loopholes of their risk assessment, thus a way to strengthen it more.
References:
Audit Board (2018). 7 Reasons to Maintain your Internal Controls. Retrieved from: https://www.auditboard.com/blog/7-reasons-to-maintain-your-internal-controls-compliance-program/
Colby, L. (2021). Entity-Level Controls: Impact on an Organization & The Audit Process. Retrieved from: https://linfordco.com/blog/impact-of-entity-level-controls/
Horsley, S. (2020). Wells Fargo paying $3 Billion to settle U.S. case over Fraudulent Customer Accounts. Retrieved from: https://www.npr.org/2020/02/21/808205303/wells-fargo-paying-3-billion-to-settle-u-s-case-over-illegal-sales-practices
International Audit Foundation (2017). Internal Auditing: Assurance & Advisory Services, 4th Edition. Accessed November 05, 2021 https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Kost, E. (2021). What is Residual Risk? Why it Matters in 2021. Retrieved from: https://www.upguard.com/blog/residual-risk
United Nations Office for Disaster Risk Reduction (n.d.). Understanding risk. Retrieved from https://www.undrr.org/building-risk-knowledge/understanding-risk
Permejo, Alikhan James M.
2019-102651
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
• (1) Quality, error-free financial statements and financial reporting; (2) Better risk assessment and management, stronger risk mitigation; (3) Improved effectiveness and efficiencies in business and operations; (4) Lowered reliance on activity- and transaction-level controls; (5) Senior, high-quality personnel driving internal controls; and (6) Strong personnel management through well-defined roles and expectations
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
• The story of Enron Corporation depicts a company that reached dramatic heights only to face a dizzying fall. The fated company's collapse affected thousands of employees and shook Wall Street to its core. At Enron's peak, its shares were worth $90.75; just prior to declaring bankruptcy on Dec. 2, 2001, they were trading at $0.26. To this day, many wonder how such a powerful business, at the time one of the largest companies in the United States, disintegrated almost overnight. Also difficult to fathom is how its leadership managed to fool regulators for so long with fake holdings and off-the-books accounting.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
• Residual risk is the amount of risk that remains in the process after all the risks have been calculated, accounted, and hedged. During an investment or a business process, there are a lot of risks involved, and the entity takes into consideration all such risks. It counters factors in or eliminates all the known risks of the process. The risks that remain in the process may be due to unknown factors or such risks due to known factors that cannot be hedged or countered; such risks are called residual risks.
References:
• MBG Corporate Services (2021). Risk Advisory: The Critical Importance of Entity Level Controls to your Organization. https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
• Segal T. Reviewed by Mansa J. (2021) Fact checked by: Reeves M. Enron Scandal: The fall of a wall street darling. https://www.investopedia.com/updates/enron-scandal-summary/
• Thakur M. (N.D.) Reviewed by Vaidya D. CFA, FRM. What is residual risk? https://www.wallstreetmojo.com/residual-risk/
• Kosutic D. (2012) Why is residual risk so important? https://www.helpnetsecurity.com/2012/02/16/why-is-residual-risk-so-important/
Nudo, Marinel S.
2019-106335
(1/2)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-level controls are fairly broad in scope and frequently deal with relationships to the organizational environment or atmosphere. They are intended to reduce risks that arise at the organizational level, including issues that develop both within and externally (Internal Audit Foundation, 2017). Internal issues are those issues concerned with internal values, while external issues are laws, rules, and professional standards. Entity Level Controls determine the company's organizational culture. They serve as the cornerstone of its operations, both in terms of people and processes. They influence how the firm is regarded by its stakeholders and how it interacts with them. As a result, their importance cannot be overstated (MBG Corporate Services, 2021).
One of the components of entity level control is risk assessment. The use of entity level control can help the company to address the risk that may exist at the entity-level. This will follow the company's control structure to determine if these controls are helping to mitigate the risks. Furthermore, in assessing risk, it is critical to use a top-down strategy. The top-down approach requires auditors to begin by understanding a company and its industry, then move down to the entity-level controls, then to significant accounts and disclosures and their relevant assertions, then double check that the auditor has a complete understanding of the risks, and finally select the controls that must be tested to ensure that all risks have been addressed (MBA Knowledge Base, 2018). Entity-level controls must exist and be implemented in order for an organization to function properly. They lay the groundwork for how the organization runs on a daily basis (people and procedures), as well as how the organization is viewed and interacts with external stakeholders. Entity-level controls are also an important component of an audit since they examine the general tone at the top of the company being audited and serve as the foundation for lower-level operational controls (Colby, 2021).
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The Lehman Brothers scandal is one such case. This was the largest bankruptcy in US history. Lehman had a high-leverage business strategy that required it to raise billions of dollars every day just to stay open, and its failure triggered the 2008 financial crisis. The failure of Lehman Brothers had four fundamental causes: (a) Risk. The bank had taken on too much risk without the capacity to swiftly obtain capital. (b) Culture. Management rewarded excessive risk-taking. According to Lehman's chief risk officer, senior management rejected several of her risk-management methods. Top executives sought to keep ahead of competitors who were also employing high-risk techniques, and they also believed the corporation was too sophisticated to fail. (c) Excessive self-assurance. The company depended on complex financial instruments based on rapid real estate expansion precisely as the market began to fall. (d) Inaction by regulators. The Securities and Exchange Commission and other regulators did not take any action. The SEC was aware that Lehman Brothers was taking on too much risk as early as 2007, yet the agency never ordered Lehman to do anything about it. It also failed to report publicly to rating agencies that the bank had breached risk restrictions (Amadeo, 2020).
Cebuano, Mary Ann (2019-106907)
(2/2)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
The risk that remains after management has taken action to decrease the effect and possibility of an occurrence is referred to as residual risk, also known as present risk. In comparison to inherent risk, residual risk is lower in terms of both the impact of an occurrence on the organization and the possibility of the event occurring. Residual risk should be managed within the parameters of a company's risk appetite since the inherent risk is frequently unacceptable (Corporate Finance Institute, 2021). The very essence of residual risk is to find out whether the planned treatment is sufficient. Internal auditors should properly identify residual risks as these risks may affect the company if disregarded and overlooked. Then, after the auditor has identified the risks, they need to measure those risks. What is the overall effect if the company chooses to continue operating with the risks that in the long run, something may happen? Or do they want to recognize it already and do a reassessment, which is the same procedure as in the initial risk assessment? Then the auditor needs to analyze the level of the residual risk to see if it is below or above the acceptable level of risk. Then at this point, the auditor is properly examining the effect of the possible decision that could affect the company. The decision may vary depending on the level of the risk. If it is below, then the company only needs to accept those risks and do nothing, but it is always important to monitor those risks. While if the level is above, the auditor would reach out to the company's management to conduct a re-assessment. This method ensures that management is involved in the most crucial choices and that nothing is ignored (Kosutic, 2021).
References:
Cambridge Dictionary. (2021, November 3). risk meaning: 1. the possibility of something bad happening: 2. something bad that might happen: 3. in a. . .. Learn more. Retrieved October 29, 2021, from https://www.google.com/amp/s/dictionary.cambridge.org/us/amp/english/risk
Corporate Finance Institute. (2021, March 1). Inherent Risk. Retrieved October 29, 2021, from https://corporatefinanceinstitute.com/resources/knowledge/accounting/inherent-risk/
Cpa, L. C. C. |. (2021, March 16). Entity-Level Controls & How They Impact Your Organization. Linford & Company LLP. Retrieved October 29, 2021, from https://linfordco.com/blog/impact-of-entity-level-controls/
Hall, C. (2021, March 10). Entity-Level Controls: Why They Matter. CPA Hall Talk. Retrieved October 29, 2021, from https://cpahalltalk.com/entity-level-controls/
Kosutic, D. (n.d.). Residual risk definition and why it’s important. 27001Academy. Retrieved October 29, 2021, from https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
MBG Corporate Services. (2021, September 13). Entity level controls and their importance to organizations. MBG Corporate Services - Your Global Business Experts. Retrieved October 29, 2021, from https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
Cebuano, Mary Ann (2019-106907)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity level controls are the controls for supervising the company’s directives that are implemented and followed. Their primary purpose is to manage risk and help to attain its objectives. They are the ones that regulate external forces such as laws and regulations. This control shows the company’s values. It is also regarded as a higher-level control in general.
Entity level control is the key component in an organization. It is the cornerstone of how the organization operates on a day-to-day basis both in people and in process, and shows how they interrelate with external stakeholders. Since it is the key component of auditing at the top of the organization, it also serves as a basis for the lower-level operational controls.
There are various reasons that show how important entity level control is in the organization, such as that it provides quality and error-free financial reporting and statements and gives better risk assessment and stronger risk mitigation. It also improves business effectiveness and gives stronger management.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Enron Corp. is one of the fastest growing, most innovative and best managed businesses in the United States. Until its unexpected collapse, shareholders including Enron’s employees lost millions of dollars. It shows that since the 2000s, the company’s financial state was already going down, but they manipulated their accounting statements in order to hide their problem. This problem became more rampant when the auditors didn’t do their job properly and didn’t advise better plans to overcome this risk, and they let the management go on their own.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is risk that remains after controls are accounted for. It means that even after proper precautions, the risk still remains. ISO 27001 regulations, which allow the security of assets that are entrusted to an organization by third parties, require companies to monitor residual risk. Monitoring and analyzing the risk allows professionals to accurately identify potential threats and how they affect the management. By knowing how it can affect the company, they can properly respond to the risk.
References:
Fasulo, P. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference? SecurityScoreCard. https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
The Enron Collapse: An Overview of Financial Issues. (2004, August 12). CRS Reports. Retrieved November 6, 2021, from https://www.everycrsreport.com/reports/RS21135.html
AMARGA, ROCHELLE ANNE V. (2019-106144)
1/2
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity Level Controls are controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved (Fitzgerald, n.d.). According to Colby, entity-level controls are the overriding controls for overseeing that management directives pertaining to the organization as a whole are implemented and enforced. There are 5 components of entity-level controls that need to be considered. These components are vital in entity level controls as they serve as the foundation for auditors in making conclusions. Entity-level controls are important for effective risk management and control because they give a greater scale of internal and external control. These controls are capable of detecting a wide range of errors, misstatements, and other flaws in the organization's activities. Furthermore, because it focuses on mitigating and assessing the risks of the organization as a whole, it ensures that organizational objectives will be met.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
One of the famous scandals that failed to represent proper entity-level controls is Lehman Brothers. It was a global financial services firm based out of New York City, New York. It was one of the largest investment banks in the United States. During the 2008 financial crisis, it was discovered that the company had hidden over $50 billion in loans. These loans had been disguised as sales using accounting loopholes. According to an SEC investigation, the company had sold toxic assets to banks in the Cayman Islands on a short-term basis. It was understood that Lehman Brothers would buy back these assets. This gave the impression that the company had $50 billion more in cash and $50 billion less in toxic assets. In the aftermath of the scandal, Lehman Brothers went bankrupt (Corporate Finance Institute, 2020).
Rillera, Myra Dianne G. (2019-107121)
2/2
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Organizations faced different risks such as controllable, inherent, and residual risk. Residual risk is defined as the risk that remains after efforts to identify and eliminate some or all types of risk have been made. (Shackleford, n.d.). Residual risk is important for internal auditors to identify, measure, and analyze because as a result of their risk mitigation, businesses may have to accept residual risk. Alternatively, they could choose to shift the risk. Compliance and regulatory requirements are another reason why residual risk consideration is crucial. Moreover, residual risk must be calculated in order to determine which security measures and processes are prioritized over time.
REFERENCES:
Fitzgerald, N. (n.d.). Entity level controls and associated risks: Freed Maxick. Entity Level Controls and Associated Risks | Freed Maxick. Retrieved November 5, 2021, from https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place.
Colby, L. (2021, March 16). Entity-level controls & how they impact your organization. Retrieved November 5, 2021, from https://linfordco.com/blog/impact-of-entity-level-controls/.
Shackleford, D., & Sales, F. (2021, October 12). What is residual risk? how is it different from inherent risk? SearchCompliance. Retrieved November 5, 2021, from https://searchcompliance.techtarget.com/definition/residual-risk.
Top accounting scandals. Corporate Finance Institute. (2020, June 12). Retrieved November 5, 2021, from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/.
1/2
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
In an organization, it is very crucial to consider all the different types of controls that a business has, and one of its controls is the Entity-level control. According to Colby, Entity-level controls are the overriding controls for overseeing that management directives pertaining to the organization as a whole are implemented and enforced. They may also be considered as higher-level controls that are more general in nature or impact a broader audience. These controls define an organization’s corporate culture and values. The existence and implementation of entity-level controls is a key component of any organization. They provide the foundation under which the organization operates on a daily basis (employees and processes) and how the organization is perceived and interacts with external stakeholders. Furthermore, the five components of an entity-level control must be possessed by a business. These are the control environment, risk assessment, monitoring, information and communication, and control activities. These components may help the business to sustain its needs. Its importance in risk management and control across the whole organization is that it serves as a key part of an audit, as they assess the overall tone at the top for the organization being audited and provide the basis for lower-level operational controls. It helps to mitigate risks that threaten the organization as a whole and it also provides assurance that the organizational goals and objectives will be achieved.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The term “financial scandals” refers to a situation or event that has occurred as a result of financial resources being employed in a morally questionable manner where there are serious consequences for third parties, which are widely known. According to this definition financial scandals may involve accounting and financial market manipulation, multiple types of fraud, and accentuate the possibility of corporate bankruptcy. One of the examples of famous financial scandals that failed to represent proper entity-level controls is the WorldCom Scandal in 2002. WorldCom was an American telecommunications company based out of Ashburn, Virginia. In 2002, just a year after the Enron scandal, it was discovered that WorldCom had inflated its assets by almost $11 billion, making it by far one of the largest accounting scandals ever. The company had underreported line costs by capitalizing instead of expensing them and had inflated its revenues by making false entries. The scandal first came to light when the company’s internal audit department found almost $3.8 billion in fraudulent accounts. The company’s CEO, Bernie Ebbers, was sentenced to 25 years in prison for fraud, conspiracy, and filing false documents. The scandal resulted in over 30,000 job losses and over $180 billion in losses by investors.
RAMOS, CRISHIA ELLAINE P. (2019-105763)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity Level Controls (ELCs) are "controls that operate across and across the organization to control risks that threaten the organization as a whole and to provide assurance that organizational objectives are met" (Fitzgerald, 2020). A code of ethics, risk management policies and procedures, fraud prevention and exposure programs, human resources policies and procedures, management's control deficiency escalation process, and variance analyses are just a few instances of these controls. Organizations that have ineffective or non-existent entity-level controls and ineffective risk management and control can experience a slew of problems.
Entity Level Controls define the organizational culture of the firm. They provide the groundwork of its actions in terms of both people and procedure. They outline in what way the company is perceived by and how it cooperates with external stakeholders. Hence, their importance cannot be overstated.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Lehman Brothers Scandal (2008)
Lehman Brothers was a global financial services firm based out of New York City, New York. It was one of the largest investment banks in the United States. During the 2008 financial crisis, it was discovered that the company had hidden over $50 billion in loans. These loans had been disguised as sales using accounting loopholes.
According to an SEC investigation, the company had sold toxic assets to banks in the Cayman Islands on a short-term basis. It was understood that Lehman Brothers would buy back these assets. This gave the impression that the company had $50 billion more in cash and $50 billion less in toxic assets. In the aftermath of the scandal, Lehman Brothers went bankrupt.
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk, also known as present risk, is the risk that remains after management has taken action to lessen the impact and likelihood of an event. Key controls are those that assist an entity in managing and reducing risk while remaining within its risk appetite. Internal audit could use these evaluations to determine which activities to include in the audit activity plan. Internal audit may provide assurance, investigation, or consultation activities in areas with the greatest risk exposure. Furthermore, risk assessments can be used by internal audit to identify any controls that are ineffective in reducing risk. Risk identification within an organization is essential for syncing internal audit activity with risk management.
Risk identification within an organization must be visibly documented in order to synchronize internal audit activity with risk management. Risk registers have already been developed by some organizations and document risks based on inherent and residual risk ratings. The inherent and residual risks must be identified and assessed first. Internal audit must also assess for any current risk-related mitigating controls, contingency plans, or monitoring activities. Internal audit should also ensure that the risk registers are organized and that risks are properly documented. Acceptable present risks, controls on which the organization is most reliant, areas with a high differential between inherent and residual risk, and areas with high inherent risk are the areas that need the most focus when completing the internal audit plan. Internal audit and the risk management process must work together to properly manage risk within an organization.
Rosete, Jun Roi S.
2019-106001
2/2
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is the risk remaining after risk treatment. After you identify the risks and mitigate the risks you find unacceptable (i.e. treat them), you won’t completely eliminate all the risks because it is simply not possible – therefore, some risks will remain at a certain level, and this is what residual risks are (Kosutic, 2021). In my own understanding regarding the definition of residual risk, it is the excess risks after identifying all the types of risks that have been made. This type of risk shall be assessed by the Internal Auditors. Internal Auditors are the ones who are capable of assessing the risk of an organization. They consider the three major steps in assessing the risk, and these are identifying the nature of risks, measuring the size of the risks and analyzing the effects of risks. These major steps play a vital role in an organization, and it is important for Internal Auditors to identify, measure and analyze the risk because this will help the business in monitoring the business risks and to be able to come up with the best solution and to make some corrective actions to attain its goals and objectives.
References:
Colby, L. (2021). Entity-Level Controls: Impact on an Organization & the Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
Corporate Finance Institute. (2020). Top Accounting Scandals. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Financial scandals: a historical overview. (n.d.). Taylor & Francis. https://www.tandfonline.com/doi/full/10.1080/00014788.2019.1610591
Grabillo, M. A. (2021). Risk Assessment Parts 1 & 2. Accounting Made Easy. Retrieved November 05, 2021. https://www.youtube.com/watch?v=lk3l3MOYcl0&list=PLqmYUi2kytZYI68mPBCbvZLlQETDe8tat&index=2
Residual risk definition and why it’s important. (n.d.). 27001Academy. https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
RAMOS, CRISHIA ELLAINE P. (2019-105763)
Part 1/3
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
As we continue to grow and adapt to the fast-paced, highly competitive business environment, a robust and reliable internal control system becomes increasingly important in achieving the company’s goals and objectives. Indeed, having an effective internal control system reduces the risk of asset loss, provides accurate financial reporting for management decisions, and protects the company’s reputation by assuring compliance with applicable laws and regulations to avoid public scandals. In order to do this, the organization could establish various management and controls to ensure that it can operate to its full potential. Entity-Level Controls, as described by Murdock (2017), are the key controls used to establish whether an organization’s values, systems, rules, and processes will enable or dissuade fraud and encourage proper conduct. It essentially refers to the entity’s management style, which is reflected in the business culture, values, philosophy, and operational style, as well as the organizational structure and policies and procedures in place. Furthermore, according to the Internal Audit Foundation, it is intended to manage internal and external risks that exist within the business. Entity-Level Controls allow management to reinforce process- and transaction-level controls, resulting in a stronger foundation for the organization’s daily operations (people and processes). Ultimately, Entity-Level controls act as an organization’s defense against risks that can potentially ruin the attainment of business goals and objectives.
SABANGAN, REMELYN T.
2019-101964
Part 2/3
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Over the decades, there are several corporate giants that have failed miserably and ended up as bankrupt businesses due to an inefficient internal control system. One of the most widely publicized and well known examples of entity-level controls breaking down is Enron Corporation. Enron Corporation was widely regarded as one of America’s most innovative, fastest growing, and best managed corporations. This firm, the first nationwide natural gas pipeline network, turned its corporate focus from regulated natural gas transportation to unregulated energy trading in the 1990s. The firm’s comprehensive controls and risk management capabilities have been demonstrated in subsequent years, resulting in excellent success. Unfortunately, as it dove into more diversified operations, Enron Corp. invested heavily in online marketers and service providers, built a fiber optic communications network, and attempted to create a market for trading broadband communications capacity – but this only led to them paying exorbitant prices and taking on a heavy debt load to fund its purchases.
Apparently, it is not surprising if businesses collapse as a result of ill-timed investments. In this case, the company’s response to its challenges was what turned the Enron case into a controversial financial scandal. Enron manipulated its statements rather than reveal its true financial status to public investors, as required by law. Specifically, Enron’s leadership fooled regulators with fake holdings and off-the-books accounting practices; the firm also used special purpose vehicles (SPVs), or special purposes entities (SPEs), to hide its mountains of debt and toxic assets from investors and creditors while simultaneously inflating the company’s earnings. The scandal resulted in Enron’s bankruptcy and Arthur Andersen’s dissolution; also, the prosecution has indicted Arthur Andersen’s entire accounting practice, thus putting the firm out of business. Several employees lost their jobs as a result of the Enron Corporation’s downfall and bankruptcy, putting them on the verge of a financial crisis.
SABANGAN, REMELYN T.
2019-101964
Part 3/3
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk, according to Kosutic (n.d.), is the risk that remains after risk treatment. It is explained that no matter how badly the organization attempts, it would never be able to entirely eliminate the risks that have been identified and mitigate those that are still unacceptable. As a result, there will always be risks that will remain at a certain level, which we refer to as Residual Risk. It’s important to remember that this is not the same as inherent risk, which refers to risk that exists in any situation where no attempts at mitigation have been made and no controls or other measures have been implemented to reduce the risk from its initial levels to levels that the organization can accept. Furthermore, when compared to inherent risk, residual risk has a lower impact on the organization as well as a lower possibility of occurring. Residual risk should be controlled within a company’s risk appetite just as the inherent risk is often beyond acceptable. It is critical to identify, measure, and analyze this risk because it allows for a more methodical approach to ensure that management is involved in the most important decisions and that nothing is overlooked. Thus, the management would be able to know which risks their company will face even after various mitigation methods have been applied. Finally, the internal auditor would be able to identify and monitor risks promptly, as well as provide effective recommendations for risk mitigation controls.
REFERENCES:
Murdock, H. (2017). Operational Auditing: Principles and Techniques for a Changing World. CRC Press Taylor & Francis Group.
Internal Audit Foundation (2017). Internal Auditing: Assurance and Advisory Services, 4th edition. Retrieved 29 October 2021 06:48 pm from https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Segal (2021). Enron Scandal: The Fall of a Wall Street Darling. Retrieved 30 October 2021 2:15 pm from https://www.investopedia.com/updates/enron-scandal-summary/
Nigam, Rishab (n.d). Enron Scandal. Retrieved 01 November 2021 08:35 am from https://www.wallstreetmojo.com/enron-scandal/
Shackleford, D. (2021). What is Residual Risk and Why is it Important? Retrieved 03 November 2021 9:45 am from https://searchcompliance.techtarget.com/definition/residual-risk
Kosutic, D. (n.d.). Why is residual risk so important?. Retrieved 03 November 2021 10:00 am https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
SABANGAN, REMELYN T.
2019-101964
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-Level Controls may be known as controls that are pervasive within the organization towards the design for a specific division or operation such as specifically for finance, manufacturing, research & development, etc. It is used to mitigate the risks that may threaten the organization as a whole and to provide assurance that organizational objectives and standards are achieved and met. In simple terms, Entity-Level Controls are the overriding controls used for overseeing that the management directives pertaining to the organization as a whole are implemented and enforced. Moreover, these are considered higher-level controls that are more general in nature or impact a broader audience. Entity-level controls are considered to be significant to an organization when one company is assessing a subservice organization for consideration of conducting critical business interactions with that subservice organization and an external auditor or CPA firm is performing an audit over an entity. Conclusively, the importance of Entity-Level Control to effective risk management and control across the whole organization is its robust risk assessment toward the organization. Management within the organization could periodically meet more of its objectives and become more productive because Entity-Level Control eliminates some risk and helps risk assessment to become more effective. It also encompasses the procure and subdue financial statements, misstatements, errors or fraud. Entity-Level Control impacts the way in which personnel operate and operational processes are designed and implemented. Examples of its impacts are a code of ethics, risk management policies and procedures, fraud prevention and detection programs, human resources policies and procedures, management’s control deficiency escalation process and variance analyses.
Remember that an organization without effective risk assessment and with no entity level controls in place can experience and face more complex problems.
Mallari, Eugene S.
CBET 01-503A
2. Give one example of famous financial scandals that failed to represent proper entity level controls.
The most famous financial scandal that failed to represent proper entity level controls is the most widely known scandal about the Fall of a Wall Street Darling in Enron Corporation. The sudden and unexpected fall of Enron Corp. was the first in a series of major corporate accounting scandals that has shaken confidence in corporate governance and the stock market. Months before Enron Corporation filed for bankruptcy in December 2001, Enron Corporation was regarded as one of the most innovative, fastest growing, and best managed businesses in the United States. Enron's leadership fooled regulators with fake holdings and off-the-books accounting practices and used special purpose vehicles (SPVs), or special purposes entities (SPEs), to hide its mountains of debt and toxic assets from investors and creditors that cost the corporation with the quick and swift collapses Enron's Corporation including thousands of Enron workers who held company stock. The Enron corporation and its management resorted to an unethical scheme and malpractice of an off-balance-sheet mechanism. It created a special economic vehicle to hide the massive debt from its external stakeholders, known as creditors and investors. The special purpose vehicle was utilized for concealing realities of accounting rather than focussing on the operating results. With regard to this issue, we can see that this scandal taught us why strong corporate governance is the most significant and impactful thing to success for any business to sustain and drive profitable business. Conclusively, it taught us how accounting policies should not be used and applied. Any misuse can result in drastic failures or impacts on the health of the business. That's why we have Entity-Level Control and effective risk assessment to subdue any complex risk and constraints.
Mallari, Eugene S.
CBET 01-503A
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is defined as the risk that still remains after risk treatment and remediation efforts have been implemented. It is usually seen after companies identify and mitigate the risks that they find unacceptable. Residual risk is the risk that something will occur after controls or procedures are implemented to prevent it. Audits required by state regulations, those activities or functions with higher levels of residual risk are typically selected for audits. The point of residual risk is the organization needs to know exactly whether the planned treatment is enough or not. The importance of Residual Risk to Internal Auditor to identify, measure and analyze the risk by the use of residual risk is something organizations might need to live with based on choices they've made regarding risk mitigation. Or they could adopt to transfer the residual risk, for example, by purchasing insurance to offload the risk to an insurance company. It also helps the internal auditor make a sound decision regarding the threat or vulnerability that remains after all risk treatment and remediation efforts have been implemented. Moreover, residual risk consideration is important for compliance and regulatory requirements. Therefore, residual risk is important to calculate for determining the appropriate types of security controls and processes that get priority over time that will be made by the Internal Auditor to identify and measure efficiently the risk. The difference of adopting or knowing residuals is that companies need to take into account the influence of controls (and other mitigation methods), so the likelihood of an incident is usually decreased and sometimes even the impact is smaller.
References:
Nicole Fitzgerald (2020). Entity Level Control and Associated Risk. Retrieved from: https://www.google.com/amp/s/blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place%3fhs_amp=true
Segal (2021). Enron Scandal: The Fall of a Wall Street Darling. Retrieved 04 November 2021 2:15 pm from https://www.investopedia.com/updates/enron-scandal-summary/
Nigam, Rishab (n.d). Enron Scandal. Retrieved 05 November 2021 08:35 am from https://www.wallstreetmojo.com/enron-scandal/
Francesca Sales (n.d) Residual Risk Retrieved from: https://www.google.com/amp/s/searchcompliance.techtarget.com/definition/residual-risk%3famp=1
Mallari, Eugene S.
CBET 01-503A
2019-102848
1/2
Many businesses set their goals anytime they see an opportunity. That's why entities make sure that their guidelines are updated and aligned with the newest goal. This kind of situation can give rise to what is called entity control. You could see that without guidelines the performance of an entity will be inconsistent and it may fail to take immediate action to prevent fraud or any kind of risks. Surely, this will not help the company in achieving their goals.
Entity-level controls are the integral parts of internal control. The word control is a very broad idea to comprehend, for example, a company may claim that they have control of the current situation and if you are part of it you'll start asking yourself, how in the world is that control? Well, it's just a mere assurance because at the end of the day all you need to see is a concrete plan or what you called guidelines. Guidelines are the details on how to prevent fraud and mitigate risks, these are also called controls or entity-level controls. Each control has tasks to be accomplished such as control environment, risk assessment, monitoring, information systems, and control activities (ANAO, 2017). This becomes essential because it sets the standard of achieving the best way on how to overcome the presence of threats that surrounds the business.
Just a few reminders that entity-level controls also give importance to the code of conduct and how all of its employees including the directors behave. It is somewhat a training to fully implement the good practices of an entity. However, some failed to follow practices.
I would like to give an example of a famous financial scandal, one of the largest telecommunication companies in the US is Worldcom (Hayes, 2021). In 2002, Worldcom had finally filed its bankruptcy as a result of the fraudulent action led by the CEO, Bernard Ebbers. The company accumulates a large amount of debt and had its shares and assets as collateral, however, mighty witty Mr. Ebbers with the help of his pro-accountants was able to make their liabilities disappear like a bubble in the air by overstating the case. In short, the supposed liabilities were moved to the capital. It was only discovered then by the Vice president of Worldcom, Cynthia Cooper, who led the company internal audit unit to the checking of the financial statements (Wikipedia, 2021). Indeed, she was right, there's really something wrong with the financial stability of a company.
AGULLO, JAMAICA MAE A.
2019-105485
2/2
What WorldCom did is very tragic to the investors; they thought that the company had been doing good for years. Come to think of it, if the company standing is too perfect to say, isn't that too good to be true? WorldCom wasn't able to follow the code of ethics such as the practices of full disclosure and transparency. The entity induced many investors and manipulated the numbers just so Wall Street would be able to hear of their success. Sometimes, being too ambitious is not a good thing, most importantly if you have nothing to brag about.
To go back to the topic of entity-level controls – a system that mitigates risks, but not all the risks are fully treated. The excess or the remaining risks around the entity are called residual risk (Sales, 2021). Aside from this risk being mitigated as provided by the mandatory requirement, in a business perspective, there's no small or larger risk; as long as this could affect the business it needs to be addressed. It is treated the same way as doing the initial assessment of risk (Kosutic, 2012). While an entity is not expecting to eliminate all risks after treatment, they cannot tell if the remaining risks can duplicate themselves or stay floating in the surroundings. To be able to know if it's active or not, an entity must do an assessment first. There are instances that an entity just accepts the risk when it is not probable that this would cause bigger problems in the future. The ability of an entity to accept a risk through measuring its level is called risk tolerance.
Through following the 5 steps of doing risk assessment, an entity will have a good judgment of how influential this risk could be. It's as simple as knowing your competitors not just by names but with their whole identity as well. Then after, try to make a solution on how to improve yourself. As we usually believe, internal auditors do not just settle for compromises that these risks are small and will do nothing to the company; as a matter of fact, they dwell on more investigation. They become skeptical for a good many years.
Australian National Audit Office. (2017). Interim Report on Key Financial Controls of Major Entities.
https://www.anao.gov.au/work/financial-statement-audit/interim-report-key-financial-controls-major-entities-2016-17
Hayes, A. (2021). The rise and fall of WorldCom.
https://www.investopedia.com/terms/w/worldcom.asp
Wikipedia. (2021). WorldCom scandal.
https://en.m.wikipedia.org/wiki/WorldCom_scandal
Sales, F. (2021). Residual Risk.
https://searchcompliance.techtarget.com/definition/residual-risk
Kosutic, D. (2012). Why is residual risk so important?
https://www.helpnetsecurity.com/2012/02/16/why-is-residual-risk-so-important/
AGULLO, JAMAICA MAE A.
2019-105485
PART 1/2
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity Level Controls (ELCs) are “controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.” Some examples of these controls are a code of ethics, risk management policies and procedures, fraud prevention and detection programs, human resources policies and procedures, management’s control deficiency escalation process and variance analyses. Organizations who have weak or no entity level controls in place can experience many problems.
Entity Level Controls define the organizational culture of the company. They provide the foundation of its operations in terms of both people and process. They shape how the company is perceived by and how it interacts with external stakeholders. Hence, their importance cannot be overstated. Some benefits include quality, error-free financial statements and financial reporting, better risk assessment and management, stronger risk mitigation, improved effectiveness and efficiencies in business and operations, lowered reliance on activity- and transaction-level controls, senior, high-quality personnel driving internal controls, and strong personnel management through well-defined roles and expectations.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
One of the famous financial scandals was the Enron Scandal (2001). Enron Corporation was a US energy, commodities, and services company based out of Houston, Texas. In one of the most controversial accounting scandals in the past decade, it was discovered in 2001 that the company had been using accounting loopholes to hide billions of dollars of bad debt, while simultaneously inflating the company’s earnings. The scandal resulted in shareholders losing over $74 billion as Enron’s share price collapsed from around $90 to under $1 within a year.
An SEC investigation revealed that the company’s CEO, Jeff Skilling, and former CEO, Ken Lay, had kept billions of dollars of debt off the company’s balance sheet. In addition, they had pressured the company’s auditing firm, Arthur Andersen, to ignore the issue.
The two were convicted, largely based on the testimony of former Enron employee, Sherron Watkins. However, Lay died before serving time in prison. Jeff Skilling was sentenced to 24 years in prison. The scandal led to the bankruptcy of Enron and dissolution of Arthur Andersen.
After the fact, the convictions were as controversial as the company’s collapse had been shocking, as prosecutor Andrew Weissmann indicted not just individuals, but the entire accounting firm of Arthur Andersen, effectively putting the company out of business. It was little consolation to the 20,000 employees who had lost their jobs when the conviction was later overturned.
CORTEZANO, ELEONORA LAURA A.
2019-103875
PART 2/2
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is the risk that something will occur after controls or procedures are implemented to prevent it. In addition to audits required by state regulations, those activities or functions with higher levels of residual risk are typically selected for audits.
In order to coordinate internal audit activity with risk management, risk identification within an organization must be clearly documented. Some organizations have developed risk registers that document risks based on inherent and residual risk ratings. Despite the method, organizations should have a process that systematically identifies high-risk areas. Since internal audit cannot review all these risks, those not chosen for the internal audit plan should be reported separately to the board. These most often include high inherent risk rankings where the residual risk remains largely unchanged. Internal audit should also periodically include some lower risk items in their activity plan to ensure these risks have not changed.
The Practice Advisory also reminds internal audit functions that they should consider many factors of the risk management process when developing the internal audit plan. Inherent risks and residual risks must first be identified and assessed. Internal audit must also verify any existing mitigating controls, contingency plans, or monitoring activities that are linked to risks. In addition, internal audit needs to confirm that risk registers are systematic and that the risks are properly documented. When completing the internal audit plan, the areas requiring the greatest amount of focus are unacceptable current risks, controls on which the organization is most reliant, areas with a large differential between inherent and residual risk, and areas with high inherent risk. Coordination between internal audit and the risk management process is key to efficiently managing risk within an organization.
References:
CFI Education Inc. (n.d.). Top Accounting Scandals: A recap of the top scandals in the past. Retrieved November 06, 2021. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
ERM Initiative Faculty. (August 1, 2009). Internal Audit and Risk Oversight. Retrieved November 06, 2021. https://erm.ncsu.edu/library/article/internal-audit-assurance
Fitzgerald, N. (June 23, 2020). Entity Level Controls: Five Issues Caused by Weak or Non-Existent Controls in Place. Freed Maxick.Com. Retrieved November 06, 2021. https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
Internal Auditing Department of Western Illinois University. (n.d.). Internal Auditing: Value Added Audit Services. Retrieved November 06, 2021. http://www.wiu.edu/internal_auditing/value_added_audit_services/risk.php
MBG Corporate Services. (September 13, 2021). The Critical Importance of Entity Level Controls to your Organization. Retrieved November 06, 2021. https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
CORTEZANO, ELEONORA LAURA A.
2019-103875
1.) What is the importance of Entity-Level Controls to effective risk management and control across the whole organization?
According to Colby, Entity-Level Controls have a broad definition depending on what type of auditing is applied. Generally, the entity-level control is evident throughout the organization, not just focused on a specific division or area of the operation (Colby, 2021). From the word itself “Entity-Level”, this type of control is not just about the tactical controls applied to the business; it covers the whole performance of the organization because it is about the control for the totality of what should be controlled within an organization, which should not be limited to risks. This includes the Mission statements, Code of Conduct, Code of Ethics, Internal audits and compliance requirements, Employee rule books and guidelines, Board Policies, defined and documented procedures for various functions, stakeholders training programs, etc. (MBG Corporate Services, 2021). The Entity-Level Control will be effective in managing risks as much as how effective it is across the whole organization. In risk management, this control will be effective in identifying from general risks up to the specific risks because there are two types of Entity-Level Controls, Direct and Indirect. The Direct Entity-Level Control is the control that is designed for the preventive measures and detection of the error or act of fraud in the financial reports of the company. With this type of ensuring in terms of Financing, possible risks will be prevented and any anomalies will be avoided. The other one is the Indirect Entity-Level Control; this type of control is all about the governance, operation, conduct and behaviors of a company and its stakeholders (MBG Corporate Services, 2021). The main purpose of this type of control is more like the foundation of an effective control and monitoring of the environment within the company, which will help lessen and avoid any unnecessary dispute that will cause legal risk to rise and might lead to another risk if gotten out of control.
In conclusion, the Entity-Level Control will be beneficial and at the same time vital to the company’s and make a quality and credible financial reporting, better risk assessment and reduction, improve effective and efficient business operation, high-quality of personnel in internal control and strong personnel management. That will generally be helpful in risk mitigation and management within the business.
2.) Give one example of famous financial scandals that failed to represent proper entity-level controls.
There are some companies/businesses that failed to represent proper entity-level controls, and one of those is the Kmart Holding Corp. According to the Securities and Exchange Commission, five former executives and current managers at vendor companies were involved in fraud, misleading investors with false financial statements worth millions of dollars of vendor allowances. This is similar to what happened to Enron Corporation, where they fabricated false information regarding supplies to the retailer’s accounting, and what’s worse is the SEC believes that the true terms of the payments were set up in side agreements to be able to meet the expected earnings, which was clearly not effective because by the year 2002 the Kmart Holding Corp. filed for bankruptcy, one of the largest retail bankruptcies recorded in US history at that time.
Johanna Marie V. Rotoni
2019-103691
3.) What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze risks?
According to Safeopedia, “residual risk is defined as the threat that remains after every effort has been made to identify and eliminate risks in a given situation”. This is the risk that is excess after assessing and applying entity-level control to all the previous risks that have been identified, a kind of risk that is not taken into consideration. In assessing risks, it is important to not leave any small residue of risk because of the changing situations, and those risks might rise again and become much bigger than they currently are. So, identifying, measuring and analyzing those residual risks early is very important to avoid them getting bigger and affecting the future performance of the business operation.
References:
Colby, L. (2021 March 16). Entity-Level Controls: Impact on An Organization & The Audit Process. https://linfordco.com/blog/impact-of-entity-level-controls/
Internal Audit Foundation. (n.d.). Internal Auditing: Assurance and Advisory Services, 4th edition. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
MBG Corporate Services. (2021 September 13). RISK ADVISORY: The Critical Importance of Entity Level Controls to your Organization. https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/#:~:text=The%20importance%20of%20Entity%20Level%20Controls%20Entity%20Level,by%20and%20how%20it%20interacts%20with%20external%20stakeholders.
Safeopedia. (n.d.). Residual Risk. https://www.safeopedia.com/definition/470/residual-risk
Waters, J. (2004 December 2). Kmart execs, vendors charged with fraud. https://www.marketwatch.com/story/sec-charges-8-in-24-million-kmart-fraud-from-2001/#:~:text=Kmart%20filed%20for%20the%20largest%20retail%20bankruptcy%20in,his%20%22demonstrated%20inability%20to%20pay%2C%22%20the%20complaint%20said.
Johanna Marie V. Rotoni
2019-103691
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-level controls are internal controls designed to mitigate risks that ensue throughout the whole organization, either internally or externally. They help ensure the achievement of the organization’s goals and objectives. They are internal controls focused on handling the organization’s environment, such as overseeing and directing organizational ethical principles, risk management policies, fraud control and prevention, rules and regulations for workforce development, and so on. Entity-level controls do the groundwork to support other controls to effectively carry out their roles to accomplish business objectives and gain successful results. If entity-level controls showed holes and vulnerabilities, it might deter or hinder the entirety of the organization from performing its duties and responsibilities well, resulting in further damages and loss for the company. Their significance is very notable as they influence and affect the entire organization’s processes and operations.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
According to Fortune, the Paycheck Protection Program (PPP) is included as one of the most famous financial scandals to happen in the year 2020. The Paycheck Protection Program is, by most measures, the largest small-business relief program in American history. It is the federal government’s program that is reserved for all the small businesses that were devastated by the global pandemic that occurred in 2020 across the country. As a response to the worldwide crisis, PPP was enacted, but after nine months it was named as a waste, graft and fraud by critics, saying that the Trump administration had done a very sloppy job at managing the funds that are meant for the people. The Small Business Administration later released data that only 5% of the total number of deserving recipients were only given and many small businesses did not even get the money they needed from out of the billions and billions of the reserved funds that were supposed to be allocated to the program.
ERANDIO, JANNA A. (2019-103533)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risks are risks that are still left lingering around in the organization after all controls have been accounted for and after taking care of preceding risks that were identified by the auditors. Assessing residual risk is of importance for auditors as it strengthens the security of an organization, which prevents left-behind risks from targeting the vulnerabilities a company has, because they neglect to identify, measure and analyze the remaining threats and hazards that arose after taking the proper precautions. Tolerating residual risks is like a teacher that teaches only the smart ones at school because he or she thinks it is such a bother to educate slow-witted and simple-minded kids. By assessing residual risks, an organization can determine which risks need mitigation and which do not. It helps prevent these risks from further harming or hindering the accomplishment of the organization’s goals and objectives.
References:
Fitzgerald, N. (2020). Entity Level Controls: Five Issues Caused by Weak or Non-Existent Controls in Place. Freed Maxick. https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
Zimmerman, D. (2021). Part 4: Entity Level Controls vs. Activity Level Controls. Baden Gage & Schroeder LLC. https://www.badencpa.com/newaudit4.php
Wikipedia (2019). Entity-Level Controls. Retrieved November 6, 2021. https://en.wikipedia.org/wiki/Entity-level_controls
Fortune Editors (2020). The biggest business scandals of 2020. Fortune Media IP Limited. Retrieved November 6, 2021. https://fortune.com/2020/12/27/biggest-business-scandals-of-2020-nikola-wirecard-luckin-coffee-twitter-security-hack-tesla-spx-mcdonalds-ceo-ppp-fraud-wells-fargo-ebay-carlos-ghosn/
Fasulo, P. (2020). Inherent Risk vs. Residual Risk: What’s the Difference? SecurityScorecard. Retrieved November 6, 2021. https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
ERANDIO, JANNA A. (2019-103533)
1/2
What is the importance of the entity-level controls to effective risk management & control across the whole organization?
Entity level controls are used to determine if an organization’s values, systems, policies, and processes would enable or dissuade fraud and encourage proper conduct. They refer to the entity’s management style, as reflected in the corporate culture, values, philosophy, and operating style, the organizational structure, and policies and procedures in place. Fitzgerald defined ELC as “controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.” An organization that has weak or no entity-level control may face many problems. These problems include management overrides control, limited segregation, over-reliance on Detective Controls rather than Preventative Control, poor tone at the top and many more. If these risks are mitigated, success of the whole organization is not impossible.
Give one example of famous financial scandals that failed to represent proper entity-level controls.
Enron Scandal. Enron faced an ethical accounting scandal in 2001 after using “mark-to-market” accounting to fake their profits and misused special purpose entities, or SPEs. Enron worked to make their losses seem less than they actually were, and “cooked the books” to make their income look much higher than it was. The Enron scandal drew attention to accounting and corporate fraud as its shareholders lost $74 billion in the four years leading up to its bankruptcy, and its employees lost billions in pension benefits.
2/2
What is residual risk and why is it important for internal auditor to identify, measure, and analyze this risk?
Residual risk is the risk that remains after the application of controls. It is the risk remaining after risk treatment. After you identify the risks and mitigate the risks you find unacceptable, you can't completely eliminate all the risks because it is simply impossible – therefore, some risks will remain at a certain level, and this is what residual risks are. It is important for internal auditors to identify, measure and analyze risk because the organization needs to know if the planned treatment is enough or not. Residual risk is also assessed in the same way you perform initial risk assessment. The only difference is that you need to take into account the influence of controls, so the likelihood of an incident is decreased and sometimes the impact becomes smaller.
References
Murdock, H. (2017). Operational Auditing: Principles and Techniques for a Changing World. CRC Press Taylor & Francis Group. Pp 107-110
Fitzgerald, N. (2020, June 23). Entity Level Controls and Associated Risks. Freed Maxick. https://www.google.com/amp/s/blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place%3fhs_amp=true
Western Governors University (2021) Ethical Dilemmas: How Scandals Damage Companies. https://www.wgu.edu/blog/ethical-dilemmas-how-scandals-damage-companies1909.html#close
Seal T. (2021) Enron Scandal: The Fall of a Wall Street Darling. Investopedia
https://www.investopedia.com/updates/enron-scandal-summary/
Chambers, A., & Rand, G. (2010). The Operational Auditing Handbook: Auditing Business and IT Processes. John Wiley and Sons. Pp.208
VELASCO, MELY JANE
2019-103477
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-level controls have a broad definition that can be applied to a wide range of audit engagements, but they can also be more specific to a specific audit engagement. Controls that are established across the organization rather than controls that are specialized to a specific division or business, such as finance, manufacturing, or research and development, are known as entity-level controls. Entity-level controls are overarching controls that ensure that management instructions affecting the entire organization are implemented and enforced. They can also be thought of as higher-level controls with more sway or that are more general in nature. These regulations determine an organization's corporate culture and values. External variables such as laws, rules, and professional standards, as well as internal values, are all explored. Entity-level constraints have an impact on how people work and how operational processes are established and implemented.
The Committee of Sponsoring Organizations (COSO) is the epicenter of internal controls. When auditors notice the following, they know it's a COSO control component:
1. Environment control
2. Assessment of the dangers
3. Monitoring
4. Communication and information
5. Controlling actions
The controls that handle risks at the financial statement level are known as entity-level controls. According to auditing guidelines, all audits must consider these five factors. Auditors are more familiar with the fifth aspect, control actions, although the others are equally important. Auditors examine not only control activities, but also the design and implementation of controls for each component. Auditors examine controls at the entity and activity levels, in other words. At the very least, they should. The financial accounts are materially correct when the five components are formed and work properly. In large companies, the five components are usually described more specifically. Smaller businesses, on the other hand, are more likely to mix the five, blurring their distinction. Entity-level and activity-level controls are necessary in all businesses, organizations, and government bodies, regardless of their size.
The organizational culture of a corporation is defined by entity level controls. In terms of both employees and processes, they are the backbone of the company's operations. They have an impact on how external stakeholders perceive the company and how it engages with them. As a result, their importance can't be overstated. Among the benefits are:
• Financial statements and financial reporting that are accurate and free of errors
• Improved risk assessment and management, as well as more effective risk mitigation
• Improved business and operational performance and efficiency
• Reliance on activity- and transaction-level restrictions is lessened.
• Internal controls are overseen by senior, high-quality individuals.
• Personnel management that is based on clearly defined responsibilities and expectations
The existence and use of entity-level controls are key components of any organization. They create the foundation for the organization's day-to-day operations (people and processes), as well as how it is perceived by external stakeholders and interacts with them. Entity-level controls are particularly crucial in an audit since they analyze the organization's general tone at the top and serve as the foundation for lower-level operational controls. All five components – control environment, risk assessment, monitoring, communication & information, and control actions – must be used to create an overall strong control environment.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
WorldCom was an American telecommunications company based in Ashburn, Virginia. In 2002, just a year after the Enron scandal, WorldCom was found to have overstated its assets by nearly $11 billion, making it by far one of the largest accounting frauds ever.
The company underreported line costs by capitalizing rather than expensing them, and it inflated its revenues by producing fraudulent entries. The incident became public after the company's internal audit department identified $3.8 billion in fake accounts. For fraud, conspiracy, and fabricating records, the company's CEO, Bernie Ebbers, was sentenced to 25 years in prison. As a result of the fraud, nearly 30,000 jobs were lost, and investors lost over $180 billion.
3. What is residual risk and why is it important for internal auditors to identify, measure and analyze this risk?
Residual risk refers to the risk that remains after all controls have been taken into account. It's the risk that still persists after your organization has put in place all of the appropriate safeguards.
For a variety of reasons, residual risk is significant. The first issue to tackle is residual risk, which is the risk that persists after security controls and process improvements have been introduced. This suggests that organizations may have to live with residual risk as a result of risk reduction measures. They could also choose to transfer the remaining risk to an insurance company by purchasing insurance, for example. Another reason to assess residual risk is to comply with compliance and regulatory requirements; the International Organization for Standardization, for example, specifies this risk calculation in ISO 27001. Finally, residual risk must be evaluated in order to prioritize security measures and processes over time.
Reference:
• Entity level controls and their importance to organizations. (2021, September 13). MBG Corporate Services - Your Global Business Experts. Retrieved November 3, 2021, from https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
• Hall, C. (2021, March 10). Entity-Level Controls: Why They Matter. CPA Hall Talk. Retrieved November 3, 2021, from https://cpahalltalk.com/entity-level-controls/
• Corporate Finance Institute. (2020, June 12). Top Accounting Scandals. Retrieved November 3, 2021, from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
• Cpa, L. C. C. |. (2021, March 16). Entity-Level Controls & How They Impact Your Organization. Linford & Company LLP. Retrieved November 3, 2021, from https://linfordco.com/blog/impact-of-entity-level-controls/
• Fasulo, P. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference? Security Scorecard. Retrieved November 3, 2021, from https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Joseph Ian Yap 503A
Part 1
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity Level Controls are rules, systems, and procedures that outline the desired behaviors of a company's board members, management team and address the financial statement-level risk to employees. These key stakeholders are held accountable for their actions and behaviors as a result of the controls. Entity Level Controls are also known as "Tone at the Top" controls because they are driven at the company level by Board members and management teams.
Entity Level Controls describe the company's organizational culture. They serve as the foundation of its operations, both in terms of people and processes. They influence how the company is managed by its stakeholders and how it interacts with them. The significance of the result can't be overstated.
Among the advantages are:
• Financial statements and financial reporting of high quality and without errors
• Better risk assessment and management, as well as more effective risk mitigation
• Enhanced business and operational effectiveness and efficiency
• Reduction in reliance on activity- and transaction-level controls
• Senior, high-quality employees managing internal controls
• Performed by strong personnel management through defined roles and expectations.
Entity-Level Controls are significant because it should be intuitive that not all controls are created equal. All may play a role in achieving the result, but only a few are critical. Their absence would make it difficult to achieve the desired result.
Joseph Ian Yap 503A
Part 2
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Based on the website of everycrsreport.com. The sudden and unexpected collapse of Enron Corp. was the first in a series of major corporate accounting scandals that has shaken confidence in corporate governance and the stock market. Only months before Enron's bankruptcy filing in December 2001, the firm was widely regarded as one of the most innovative, fastest growing, and best managed businesses in the United States. With the swift collapse, shareholders, including thousands of Enron workers who held company stock in their 401(k) retirement accounts, lost tens of billions of dollars. It now appears that Enron was in terrible financial shape as early as 2000, burdened with debt and money-losing businesses, but manipulated its accounting statements to hide these problems. Why didn't the watchdogs bark? This report briefly examines the accounting system that failed to provide a clear picture of the firm's true condition, the independent auditors and board members who were unwilling to challenge Enron's management, the Wall Street stock analysts who failed to warn investors of trouble ahead, the rules governing employer stock in company pension plans, and the unregulated energy derivatives trading that was the core of Enron's business. This report also summarizes the Sarbanes-Oxley Act (P.L. 107-204), the major response by the 107th Congress to Enron's fall, and related legislative and regulatory actions during the 108th Congress. It will be updated as events warrant.
Joseph Ian Yap 503A
Part 3
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
The quantity of risk left over after actions already taken to address threats defined the residual risk. In project management, it is crucial to distinguish any risks that could probably hinder a project. Efforts should mitigate these risks, including the "introduction of security controls" to either excrete a threat or reduce its negative impacts. Residual risk is what remains after implementing the controls.
The internal controls system is described as a funnel to represent the filtering of "key risks" that happen at varying levels of that system. The example of the most comprehensive risks must lessen by the entity-level controls at the top of the funnel.
Those that pass by the entity-level filters to the process-level and transaction-level controls. Remember that may acknowledge the "controls" as "key" or secondary, depending on whether they reduce the risk associated with critical objectives. Distinguishing between "key controls" and "secondary controls" also applies to entity-level controls.
Residual risk is crucial because its moderation is a compulsory requirement of ISO 27001 regulations. It is a general information security standard within the ISO/IEC 2700 family of best security practices that support organizations to quantify the protection of assets before and after distributing them to vendors.
References/Source
Internal Auditing: Assurance & Advisory Services, 4th Edition (2017). Case Study 1: Auditing Entity-Level Controls. Retrieved: November 5, 2021
MBG Corporate Services (2021). The Critical Importance of Entity Level Controls to your Organization. Retrieved: November 5, 2021. From: https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
E. Kost (2021). What is Residual Risk? Why it Matters in 2021. Retrieved: November 5, 2021. From: https://www.upguard.com/blog/residual-risk
EveryCRSReport (2004). RS21135 - The Enron Collapse: An Overview of Financial Issues. Retrieved: November 5, 2021. From: https://www.everycrsreport.com/reports/RS21135.html
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity-Level Controls are a set of policies and procedures that specify the board members and staff's expected and acceptable behaviors. This control will help them how to take proper action in terms of handling financial statement-level risk. It provides a foundation to the entity’s operation that will significantly impact its risk management and control effectiveness.
Entity-level controls, their existence and application, are critical components of any organization. They lay the groundwork for the organization's daily operations (people and processes) and its views and interactions with external stakeholders. Entity-level controls are also a critical component of an audit. They evaluate the organization's general tone at the top and serve as the foundation for lower-level operational controls. Control environment, risk assessment, monitoring, communication & information, and control activities are all essential components in establishing a sound control environment. (Colby, 2021)
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
Enron Corporation was a US energy, commodities, and services company based out of Houston, Texas. In one of the most controversial accounting scandals in the past decade, it was discovered in 2001 that the company had been using accounting loopholes to hide billions of dollars of bad debt while simultaneously inflating its earnings. The scandal resulted in shareholders losing over $74 billion as Enron’s share price collapsed from around $90 to under $1 within a year.
An SEC investigation revealed that the company’s CEO, Jeff Skilling, and former CEO, Ken Lay, had kept billions of dollars of debt off the company’s balance sheet. In addition, they had pressured the company’s auditing firm, Arthur Andersen, to ignore the issue. After the fact, the convictions were as controversial as the company’s collapse had been shocking, as prosecutor Andrew Weissmann indicted not just individuals but the entire accounting firm of Arthur Andersen, effectively putting the company out of business. It was little consolation to the 20,000 employees who had lost their jobs when the conviction was later overturned. (Corporate Finance Institute, n.d.)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual Risk is a risk that remains after all the plans and strategies are done to eliminate it. We all know that it is impossible to prevent risks. All we can do is identify it and make plans and actions to lessen its negative impact on the entity. After finding out the residual risks, you have three options to consider when dealing with them. You have to determine first the level of the risk. If the level of risks is below the acceptable level of risk, then you do nothing – the management needs to accept those risks formally. If the level of risks is above the adequate level of risk, you need to find out some new and better ways to mitigate those risks – that also means you’ll need to reassess the residual risks. If the level of risks is above the acceptable level of risk, and the costs of decreasing such risks would be higher than the impact itself, you need to propose to the management to accept these increased risks. (Kosutic, n.d.)
References
Colby, L. (2021, March 16). Entity-Level Controls: Impact On An Organization & The Audit Process. Linford and Company LLP. https://linfordco.com/blog/impact-of-entity-level-controls/
Corporate Finance Institute. (n.d.). Top Accounting Scandals. https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Kosutic, D. (n.d.). Why is Residual Risk so important? Advisera.com. https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/
Dianne M. Madera
2019-102064
(1/2)
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entry-Level controls are controls that are extensively implemented throughout the organization to reduce risks that threaten or may threaten the organization as a whole. Correct and proper entry-level control may also provide assurance that they can achieve their set objectives. A code of ethics, risk management policies and practices, fraud prevention, and detection programs, human resources policies and procedures, management's control deficiency escalation process, and variance analysis are some examples of these controls.
After identifying, assessing, understanding, and controlling the risk in the organization, it should be linked for organizational strategy and control to be aware of which risk is fit for the organization's appetite and which of them needs additional control and actions.
Risk management programs focus to help organizations be as smart as they can be about managing risk. So, an organization that has weak, improper, or no entry-level controls can experience many problems that may lead to their destruction.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
We have here Satyam Computer Services that was marked as one of the largest accounting scandals throughout history. It is an Indian IT service and non-public facing accounting firm that was based in Hyderabad, India. They were discovered to have a 1.5 billion dollars inflated revenue in 2009.
After a thorough investigation, India’s Central Bureau of Investigation disclosed that the founder and chairman of the said company, Ramalinga Raju, had fabricated revenues, margins, and cash balances. ICBI raided the house of the youngest sibling of the chairman and found a 112 deed of sale of different land purchases, an estimated 13,000 fake employee records created, and claimed a scam of over rs 7000 scores. This scandal brought turmoil to the Indian Stock Market. To conclude, they broke and failed to represent a proper implementation of controls/entry-level controls that lead their company to destruction. We can also say that without proper entry-level control, it does not only affect the organization but the industry and market as well.
Janine Louise S. Errua
2019-103959
(2/2)
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
According to ISO 27001, residual risk is “the risk remaining after risk treatment”. Residual risks are often assessed in the same manner as initial risk management - using the same methodology, assessment scales, and so on. What is different is that they must consider the influence of controls (and other mitigation strategies), thus the chance of an event is typically reduced and, in certain cases, the damage is reduced. After identifying and reducing the impact of risk, some of it will remain at a certain level- and these are the residual risks. Even though they are only leftover risks, the management must still know and understand whether their plans are enough or not and if they need to accept the residual risk or do nothing. Because at the end of the day, they are still at risk that may threaten the organization.
References:
Corporate Finance Institute. (2020, June 12). Top Accounting Scandals. Retrieved November 6, 2021, from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Fitzgerald, N. (2020, June 23). Entity Level Controls and Associated Risks | Freed Maxick. Freed Maxick CPAs. Retrieved November 6, 2021, from https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
Kosutic, D. (2012, February 16). Why is residual risk so important? Help Net Security. Retrieved November 6, 2021, from https://www.helpnetsecurity.com/2012/02/16/why-is-residual-risk-so-important/
Janine Louise S. Errua
2019-103959
1/2
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Entity Level Controls (ELCs) are “controls that operate pervasively across and throughout the organization to mitigate risks threatening the organization as a whole and to provide assurance that organizational objectives are achieved.” (Fitzgerald, 2020) It is essential to effective risk management because it is a key component of auditing as it assesses the overall tone at the top for the organization being audited and provides the foundation for lower-level operational controls. It is also critical to overall control because it provides the foundation under which the organization operates on a daily basis (employees and processes) as well as how the organization is perceived and interacts with external stakeholders.
If the entity has a weak or non-existent entity level control, there are risks that the entity may face, such as the risk of employees, particularly those in high-ranking positions, committing fraud, not being able to use detective controls to identify when something is wrong, or even preventative controls that find something before it happens, putting the entity at greater risk, and others. Entity level control has numerous advantages, including error-free financial statements and financial reporting, improved risk assessment and management, and enhanced risk mitigation.
Reduced reliance on activity- and transaction-level controls, high-quality staff driving internal controls, and excellent personnel management through well-defined roles and expectations in business and operations.
2. Give one example of famous financial scandals that failed to represent proper entity level controls.
Tyco International was an American blue-chip security systems company based out of Princeton, New Jersey. In 2002, it was discovered that CEO, Dennis Kozlowski, and CFO, Mark Swartz, had stolen over $150 million from the company and had inflated the company’s earnings by over $500 million in their reports. Kozlowski and Swartz had siphoned off money using unapproved loans and stock sales.
The scandal was discovered when the SEC and the office of the District Attorney of Manhattan carried out investigations related to certain questionable accounting practices by the company. Kozlowski and Swartz were both sentenced to 8 to 25 years in prison. A class-action suit forced them to pay $2.92 billion to investors.
It failed to demonstrate sufficient entity level controls because the CEO was able to commit fraud by stealing a substantial sum of money without the management discovering it until it was too late, though this kind of risk is not easy to overcome the management must have some ways in detecting this kind of risks. That's why Audit Committees need to take an active approach in evaluating any possible scenarios in which fraud can occur and mitigate these risks.
-Rochel Bulatao
2019-101054
2/2
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk from the term itself is the "left over" risks after all risk controls have been implemented to mitigate the overall risks. Its main purpose is to know whether the planned precautionary measures are enough to prevent all the risk that the entity may face. It is important aside from it is a mandatory requirement of ISO 27001 regulations because this risk even if it is already the left over from the controllable risks may still hold a significant value that may put the business in a bad situation.
After knowing what the residual risks are, the entity may have three options according to Dejan Kosutic:
1. If the level of risks is below the acceptable level of risk, then you do nothing – the management needs to formally accept those risks.
2. If the level of risks is above the acceptable level of risk, then you need to find out some new (and better) ways to mitigate those risks – that also means you’ll need to reassess the residual risks.
3. If the level of risks is above the acceptable level of risk, and the costs of decreasing such risks would be higher than the impact itself, then you need to propose to the management to accept these high risks.
References:
Fitzgerald, N. (2020). Entity Level Controls and Associated Risks | Freed Maxick. Retrieved from: https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
MBG Corporate Services. (2021). The Critical Importance of Entity Level Controls to your Organization. Retrieved from: https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
Corporate Finance Institute. (NA). Top 10 Accounting Scandals in the Past Decades. Retrieved from: https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Kosutic, D. (2012). Why is residual risk so important?. Retrieved from: https://www.helpnetsecurity.com/2012/02/16/why-is-residual-risk-so-important/
-Rochel M. Bulatao
2019-101054
1/3
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Overarching controls for ensuring that management instructions affecting the entire organization are implemented and enforced are entity-level controls. They can also be thought of as higher-level controls that have a greater influence or are more universal in nature. The corporate culture and values of an organization are defined by these regulations. Internal values, as well as external factors such as laws, rules, and professional standards, are all discussed. The way people work and how operational processes are created and implemented are all influenced by entity-level restrictions. Entity level controls are the organization's management style, which ensures that its culture, structure, and policies are followed correctly. (Murdock, 2017). They are the most important part of the company's operations, both in terms of people and processes. They have an impact on how stakeholders perceive the company and how it engages with them. These controls have a wide-ranging impact on the company, including the effectiveness of controls at the process and transaction levels. Internal auditors must undertake frequent assessments to determine the design soundness and operating effectiveness of entity-level controls because they are so crucial. Controls at the organizational level may have a different influence on the internal control system than controls at the process or transaction level. As a result, it's critical to comprehend how such controls, particularly those that function throughout the entire company may affect the internal control system.
LIGUTAN, JAQUELINE V.
(2019-104055)
2/3
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
WorldCom was the country's second-largest telecommunications business before declaring bankruptcy in 2002. Things quickly went south when the company's internal auditors identified $3.8 billion in fraudulent revenues from 1999 to 2002. WorldCom eventually filed for bankruptcy in the end, costing investors $180 billion and displacing 30,000 people. WorldCom inflated its net income and cash flow by categorizing expenses as investments to mask its declining profitability, reporting a profit of $1.4 billion in Q1 2002 instead of a net loss. It was not only the worst accounting fraud in US history, but it was also one of the largest bankruptcies in history. The news that telecommunications behemoth WorldCom had falsified its books came just days after the financial markets were rocked by the Enron and Tyco scandals. The size of the WorldCom deception, on the other hand, put them in the shade. By this financial fraud, WorldCom left an indelible mark on the reputations of accountancy companies, financial firms, and credit rating organizations.
LIGUTAN, JAQUELINE V. (2019-104055)
3/3
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk refers to the risk that remains after the organization has taken all necessary precautions. (Fasulo, 2020). It's crucial for the internal auditor to figure out since it can help them come up with a response and whether they need to evaluate and take measurements on various things to get the business back on track. According to Kost (2021), the danger or vulnerability that remains after all risk treatment and mitigation measures have been performed is referred to as residual risk. This risk has the potential to cause the organization to collapse, internal auditors must identify, assess, and analyze it. To limit or entirely remove the detrimental effects of a danger, security techniques should be utilized. Residual risk should not be overlooked because it has the potential to harm the business. Immediate and appropriate action should be made to mitigate these risks.
REFERENCES
Colby, L. (2021). Entity-Level Controls: Impact on an Organization & The Audit Process. Retrieved November 5, 2021. https://linfordco.com/blog/impact-of-entity-level-controls/
Fasulo, P. (2020, December 21). Inherent Risk vs. Residual Risk: What’s the Difference? Security Scorecard. Retrieved November 5, 2021. https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Hayes, Adam. (2021, October 3). The Rise and Fall of WorldCom. Retrieved November 5, 2021. https://www.investopedia.com/terms/w/worldcom.asp
Internal Audit Foundation. (n.d). Case Study 1: Auditing Entity-Level Controls. Retrieved November 5, 2021. https://dl.theiia.org/BookstorePublic/Case-Study-1-v.3.pdf
Kost, E. (2021, October 25). What is Residual Risk? Why it Matters in 2021. Retrieved November 5, 2021. https://www.upguard.com/blog/residual-risk.
Murdock, H. (2016). Operational Auditing: Principles and Techniques for a Changing World (Internal Audit and IT Audit) (1st Ed.). Auerbach Publications.
LIGUTAN, JAQUELINE V.
2019-104055
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
The importance of the Entity-Level Controls lies in its very own definition. As defined by Fitzgerald (2020), ELCs are controls in which operate pervasively throughout the whole organization to mitigate risks that would generally threaten the entire organization and it serves as assurance that organizational goals are to be achieved. From this definition, we can conclude that ELCs are an instrument for the attainment of level of performance across the entire organization – it does not matter on what level an employee is currently with the business. In line with this concept, having ELCs would provide a foundation on how the entity should operate and how the organization is being perceived and interacts (Colby, 2021).
In relation of ELCs to an effective risk management and control across the whole organization, ELCs would have a connection as to the performance of the organization as a whole. Colby (2021) also stated that ELC would serve as a key part of an audit as it would assess the overall tone at the top-level managers and provides basis for lower-level operational controls. To add to this, MBG Corp. (2021) stated that ELCs would define the organizational culture of the company in terms of the processes and its personnel. Due to this, ELCs would have an overall relationship to the organization in which, in turn, would define how the organization conduct risk management and it would also showcase how the organization would like to be perceived by outside parties - specifically the stakeholders.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
An example of this scandal is the Tyco Scandal of 2002 where the company CEO, Dennis Kozlowski, and company CFO, Mark Swartz, had stolen 150 million dollars and inflated the business’ earnings by 500 million dollars (CFI, n.d.). This scandal showed that the ones who should be in control are the ones corrupted; hence, entity-level controls are being misrepresented through the actions of these two executives.
BENTULAN, JOHN PATRICK ABRAHAM A. (2019-106909)
CBET-01-502A
1/2
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
Residual risk is defined as the amount of risk that remains after controls are accounted for (Slabotsky, 2017). In other words, residual risks are the various risks that would still exist even after the precautions made by the organization. According to Fasulo (2020), understanding residual risk is important from a compliance standpoint, particularly the ISO 27001 regulations require companies to monitor residual risk – organizations must have residual security checks in place alongside inherent security checks to be compliant with such regulation. In addition to this, residual risks also include all initial unidentified risks as well as risks previously identified and evaluated but not designated for treatment at that time. Knowing this information, internal auditors should be very well-informed of these residual risks because such may be troublesome in the future if left unnoticed. They should be well-documented and be assessed regularly, depending on the organization, to fully grasp the level of risk that these residual risks have.
References:
Colby, L. (March 16, 2021). Entity-Level controls: impact on an organization & the audit process. Retrieved on October 28, 2021 from https://linfordco.com/blog/impact-of-entity-level-controls/
Corporate Financial Institution. (N.D.). Top Accounting Scandals. Retrieved on October 29, 2021 from https://corporatefinanceinstitute.com/resources/knowledge/other/top-accounting-scandals/
Fasulo, P. (December 21, 2020). Inherent risk vs. Residual risk: What’s the difference? Retrieved on October 28, 2020 from https://securityscorecard.com/blog/inherent-risk-vs-residual-risk
Fitzgerald, N. (June 23, 2020) Entity level controls: Five issues caused by weak or non-existent controls in place. Retrieved on October 28, 2021 from https://blog.freedmaxick.com/summing-it-up/entity-level-controls-five-issues-caused-by-weak-or-no-controls-in-place
MBG Corp. (September 13, 2021). The Critical importance of Entity Level Controls to your Organization. Retrieved on October 28, 2021 from https://www.mbgcorp.com/in/insights/the-critical-importance-of-entity-level-controls-to-your-organization/
Slabotsky, R. (September 7, 2017). Inherent risk vs. Residual risk explained in 90 seconds. Retrieved on October 28, 2021 from https://www.fairinstitute.org/blog/inherent-risk-vs.-residual-risk-explained-in-90-seconds
BENTULAN, JOHN PATRICK ABRAHAM A. (2019-106909)
CBET-01-502A
2/2
1.) What is the importance of Entity-Level Controls to effective risk management and control across the whole organization?
Internal Controls are practices that help the entity to minimize the risks and produce results for the sake of the stakeholders. In creating frameworks, it will be easier for us to manage diversifying dynamics and assess and/or evaluate results systematically. Entity-Level Controls determine if the values, practices, processes, rules and regulations of a business encourage proper conduct and avoid fraud. These are controls that have an effect or influence on a company’s internal controls that cover the entire organization to support an assertion related to financial as well as management reporting. It also reflects the businesses’ culture, philosophy, policies and operational structure. If an entity-level control sufficiently addresses the assessed risks of misstatements or any kind of risks, the auditor need not test additional controls relating to that risk. We need to remember that the values and practices of a company can affect the behavior of an employee, regardless of rank and status.
2.) Give one example of famous financial scandals that failed to represent proper entity-level controls.
One of the famous financial scandals that failed to represent proper entity-level controls is Enron Corporation: The Fall of a Wall Street Darling. Based on my research, Enron was ranked as America’s fifth largest company by Fortune Magazine in 2002, despite its 2001 bankruptcy filing (Archive Fortune). The story of Enron Corporation depicts a company that reached dramatic heights only to face a dizzying fall. Enron's leadership fooled regulators with fake holdings and off-the-books accounting practices. Under pressure from shareholders, company executives began to rely on dubious accounting practices, including a technique known as “mark-to-market accounting,” to hide the troubles. Mark-to-market accounting allowed the company to write unrealized future gains from some trading contracts into current income statements, thus giving the illusion of higher current profits. The scandal resulted in a wave of new regulations and legislation designed to increase the accuracy of financial reporting for publicly traded companies. One of the traits of an accountant is that we can work under pressure and we should not follow certain practices if we know that it will result in any kind of fraud. This is the problem in the Enron Corporation, instead of mitigating and assessing their risks and financial statements properly they chose to manipulate their records that led to their bankruptcy.
3.) What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze risk?
Residual risks are the risks remaining after risk treatment. We should know that there are risks that we can’t entirely eliminate. After mitigating one risk, there will be a possibility that some risks will remain, thus there will always be a risk no matter what and we should assess it continuously. To assess it properly, the company needs to develop a better understanding of every risk they face as well as make better methods that can keep up with the ever-changing risks.
REFERENCES:
Murdock, H. (2017). Operational Auditing: Principles and Techniques for a Changing World. Taylor & Francis Group, LLC.
(n.d.). Retrieved November 6, 2021, from https://archive.fortune.com/magazines/fortune/fortune500_archive/full/2002/
Segal, T. (2021, November 03). Enron Scandal: The Fall of a Wall Street Darling. Retrieved November 6, 2021, from https://www.investopedia.com/updates/enron-scandal-summary/
Downfall and bankruptcy. (n.d.). Retrieved November 6, 2021, from https://www.britannica.com/event/Enron-scandal/Downfall-and-bankruptcy
ISO 27001/ISO 27005 risk assessment/treatment: 6-step guide. (2021, June 03). Retrieved November 6, 2021, from https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
CANCINO, JOVIN E.
2019-106913
WHAT IS THE IMPORTANCE OF ENTITY-LEVEL CONTROLS TO EFFECTIVE RISK MANAGEMENT & CONTROL ACROSS THE WHOLE ORGANIZATION?
Entity level controls are mainly implemented to address risks at organization-wide level to ensure a smooth entity performance and achievement of objectives. It embodies two different controls:
A. Governance control which is concerned with the administration, strategic objectives, and overall system of internal controls.
B. Management-oversight control which is primarily concerned with risk assessment and management.
With unison to other specific controls such as process-level and transaction-level controls, the organization can have a solid defense against the risks that threaten the achievement of business objectives (International Audit Foundation, 2017).
GIVE ONE EXAMPLE OF FAMOUS FINANCIAL SCANDALS THAT FAILED TO REPRESENT PROPER ENTITY-LEVEL CONTROLS
As per the case study provided, one of the most widely publicized examples of companies that failed to represent proper entity-level controls is the Enron Corporation. According to the case study conducted by Cuong (2011), it was the poor corporate governance and dishonest culture that seed the serious recession and collapse of Enron.
In addition to this, other findings discovered through the investigations of the Permanent Subcommittee on Investigations of the Committee on Governmental Affairs of United States Senate (2002) listed the following causes:
a. fiduciary failure
b. high risk accounting practices
c. inappropriate conflicts of interest
d. extensive undisclosed off-the-books activity
e. excessive compensation
f. lack of independence
Other companies that failed to strengthen their entity-level controls are the Enron Corporation (U.S.A.), WorldCom (U.S.A.), Wells Fargo (U.S.A.), Volkswagen (Germany), and Barings Bank (England).
--- to be continued...
PARAGAS, DANIELA T.
2019-104925
---continuation...
WHAT IS RESIDUAL RISK AND WHY IS IT IMPORTANT FOR INTERNAL AUDITORS TO IDENTIFY, MEASURE, AND ANALYZE THIS RISK?
To understand residual risks, organizations must first identify its inherent risks.
Inherent risks are natural and uncontrollable risks that arise at the very beginning of an entity and continues as it operates. As quoted by Slabotsky (2017) from the work of Jack Jones, the creator of the Factor Analysis of Information Risk (FAIR) Model, "Inherent risk is current risk level given the existing set of controls rather than the hypothetical notion of an absence of any controls".
On the other hand, residual risk refers to remaining risks after efforts have been made to reduce the inherent risk (Shackleford, nd). It is the left-over or excess risks after applying the entity-level controls and additional mitigating and compensating controls. Thus, it is calculated by subtracting the inherent risk to the impact of risk controls.
Residual risk, just like any other type of risk, poses danger and can lead to undesired outcomes. Its assessment and management are crucial because its existence only means that the chosen risk control option is imperfect, ineffective, incompatible, or lacking (Pomeroy, 2014). It can also be that the net risks are not clearly identified, not fully understood, underestimated, and must be reviewed accordingly (Pomeroy, 2014).
REFERENCES:
Committee on Governmental Affairs United States Senate (2002) The role of the board of directors in Enron's Collapse. U.S. Government Printing Office: Senate Prints 107-70
Cuong, H. (2011) Factors causing Enron's collapse: An investigation into corporate governance and company culture. Corporate Ownership & Control. Vietnam: The University of Danang.
International Audit Foundation (2017) Case study 1: Auditing entity level controls. Internal Auditing: Assurance & Advisory Services, 4th Edition. USA: 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746
Pomeroy, V. (2014). On future ship safety - People, complexity, and systems. Proceedings of the Institute of Marine Engineering, Science, and Technology. DOI:10.1080/20464177.2014.11020298
Shackleford, D. (nd.) What is residual risk and why is it important. Retrieved from https://searchcompliance.techtarget.com/definition/residual-risk
Slabotsky, R. (2017) Inherent risk vs. residual risk explained in 90 seconds. Retrieved from https://www.fairinstitute.org/blog/inherent-risk-vs.-residual-risk-explained-in-90-seconds
---
PARAGAS, DANIELA T.
2019-104925
1. What is the importance of Entity-Level Controls to effective risk management & control across the whole organization?
Not all controls are made equal, as should be obvious. Controls at the organizational level, likewise, may have an impact. Internal controls, in contrast to more tactical controls at the process or transaction level, are a set of internal controls level. As a result, it's critical to comprehend how such controls, particularly ones that function across many systems, work. The system of internal controls may have an impact on the entire organization (that is, entity-level controls) (Internal Audit Foundation, 2017).
Entity-level controls, their existence and application, are critical components of any organization. They lay the groundwork for the organization's everyday operations (people and processes), as well as how it is perceived and interacts with external stakeholders. Entity-level controls are also an important aspect of an audit since they analyze the organization's general tone at the top and serve as the foundation for lower-level operational controls. To provide for an overall strong control environment, all five components – control environment, risk assessment, monitoring, communication & information, and control actions – must be applied (Colby, 2021). Reiterating from these, I learned that entity-level controls outline how an organization should operate and oversee the implementation of management directives in the organization holistically.
2. Give one example of famous financial scandals that failed to represent proper entity-level controls.
The Enron Corporation narrative illustrates a firm that rose to dizzying heights only to plummet. Thousands of employees were touched by the fated company's demise, which shocked Wall Street to its core. Enron's stock peaked at $90.75, and it was trading at $0.26 immediately before declaring bankruptcy on December 2, 2001 (Segal, 2021).
Enron Corporation is one of the most well-known and well-publicized examples of entity-level controls failing. While Enron was known for having sophisticated controls and risk management skills to support many of its intricate operations, failings in controls at the board and senior management levels contributed to one of the most important corporate failures in history. A detailed examination of what went wrong at Enron, as well as other well-publicized financial catastrophes, can reveal the need for robust entity-level controls (Internal Audit Foundation, 2017).
3. What is residual risk and why is it important for Internal Auditors to identify, measure, and analyze this risk?
The risk that remains after risk treatment is referred to as residual risk. You won't be able to totally eliminate all risks once you've identified them and mitigated the ones you deem unacceptable (i.e. treated them), therefore some risks will remain at a certain level, which is what residual risks are. So, even after numerous mitigation strategies have been deployed, top management has to know which risks their organization will face. After all, top management is responsible not only for the company's bottom line, but also for its long-term viability (Kosutic, 2014).
References
Colby, L. (2021). Entity-Level Controls: Impact On An Organization & The Audit Process.
Retrieved November 5, 2021 from https://linfordco.com/blog/impact-of-entity-level-controls/.
Internal Audit Foundation. (2017). Internal Auditing: Assurance & Advisory Services, 4th
Edition. 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA.
Kosutic, D. (2014). Why is residual risk so important?. Retrieved November 5, 2021 from
https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/.
Segal, T. (2021). Enron Scandal: The Fall of a Wall Street Darling. Retrieved November
5, 2021 from https://www.investopedia.com/updates/enron-scandal-summary/.
Paglinawan, Eliazar Acosta 2019-101459