Control verification requires management to assess the design and operating
effectiveness of internal controls at the beginning of the fiscal year. Many organizations
send quarterly control assessment surveys to process owners and control owners to
identify any changes in the control environment.
The results of management risk assessment and control verification are reviewed
and evaluated by the Chief Audit Executive to select the business units, significant
processes, control activities, and technology infrastructure for the annual audit plan.
The Audit Committee approves the audit plan based on the control verification
approach, resource budget, and testing schedule. In general, the control verification
approach is based on the risk rating and tolerance. For example, controls that
mitigate low-risk activities are assigned for self-assessment to the employees who
own them, whereas higher-risk controls are verified by independent auditors
to assure the effectiveness of internal controls. We will discuss audit planning and
controls testing in Chapter 7, Managing Your Testing Phase: Management Testing and
Certifying Controls; Chapter 8, Managing Your Audit Function; and Chapter 9, IT Audit.
We will begin this chapter with an approach for risk assessment and control
verification that InFission has adopted. Next, we will show how the InFission Audit
and Compliance team performs risk assessment and control verification activities
independently within Oracle GRC Manager and GRC Intelligence to manage risk
and verify controls across the enterprise. We will address the following topics in
this chapter:
• Describe a Program Office that should include executive management
leadership to ensure the tone at the top and necessary sponsorship for
achieving risk management objectives
• Provide an overview of the risk management frameworks commonly
used by publicly traded companies to assure internal controls over
financial statements
• Illustrate the activities to gather qualitative and quantitative data and
rate risks based on the data collected and tolerance for risk
• Explain management control verification activities and representation
of evidence of control design and operating effectiveness
• Show how to create a Qualitative Risk Assessment in Oracle GRC Manager
and rate risks using Oracle GRC Intelligence to analyze qualitative risks as
well as quantitative risks
 