Annual IA Planning Process
Planning Phase
Fieldwork Phase
Reporting and Wrap-Up Phase
Issue Management
100

What are the 5 risk assessment residual risk ratings?

High, Moderate-High, Moderate, Low-Moderate, Low

100

What is the document that summarizes the identified processes, risks, and controls including the test steps, conclusions, and issues identified?

Risk Control Matrix (RCM)

100

How many samples should be selected for a weekly control (lower risk of failure)?

5

100

What are the audit report ratings?

Satisfactory, Adequate, Needs Improvement, Unsatisfactory

100

How often is an auditor required to follow up on open issues?

Quarterly or every 90 days

200

How often should continuous monitoring be performed?

At least quarterly

200

What is a management identified issue called?

Self-Identified Issue

200

What are the TOE conclusions?

Effective and Ineffective

200

What are the issue ratings?

Significant, Moderate, Low, Observation

200

This field will contain an Executive-level current issue status update which will be leveraged by the Enterprise Risk Management (ERM) Team for Board Reporting. Engagement Owners must review language within this field as a part of Quarter-end activity.

Board Update field

300

How often should all significant processes be covered in an audit?

At least every 3 years.

300

How often should client status update meetings be held?

Weekly

300

What are the 2 sampling methods?

Statistical and non-statistical

300

What is an estimate of the extent (severity or magnitude) to which the risk, if realized, would impact the organization?

Impact

300

Which issue status indicates management has communicated and provided documentation to review teams that it has completed its Action Plan remediation activities, but the review teams have not had an opportunity to confirm for closure?

Closed Pending Review

400

What risk categories (9) are assessed as part of the risk assessment process?

Credit, Liquidity, Market, Operational - Operations, Operational - Technology, Regulatory Compliance/Legal, AML/BSA Compliance, Strategic, Reputation

400

What are the TOD conclusions?

Adequate, Inadequate, Gap

400

What testing technique involves following the documents through the system, from origination or source document to final records?

Tracing

400

What is the probability of the risk event occurring?

Likelihood

400

Low/Moderate first-time issue extensions should be approved by whom?

CAE

500

What are the 2 types of SAS engagements?

Audits and Projects

500

What is performed to confirm whether the control has indeed been established and put in place?

Test of One

500

What population details should be documented within the audit workpaper (5)?

Source, method for obtaining, population characteristics, population start/end dates, method for determining completeness.

500

What are the 5 C's for audit issues?

Criteria, Condition, Cause (Root Cause), Consequence (Risk/Effect), Corrective Action (Recommendation)

500

What testing is required to be completed for issue validation testing?

TOD and TOE testing