Chapter 10 - Internal Control Systems

Question 1

What are the 5 main elements of a system of internal control (by COSO)?

Answer 1

1 A control environment
2 Risk identification and assessment
3 Internal controls
4 Information and communication
5 Monitoring

Question 2

Identify two or more examples of significant internal control failings in major companies in the past.

Answer 2

1995 Barings Banks collapse - failure to identify rogue trader

2010 Northern Rock - “growth” culture led employees to lie to investors, leading to fines by the FCA.

Question 3

Give 5 examples of operational risks.

Answer 3

• system breakdown (IT)
• lost/stolen information (i.e. data breach)
• terrorist attack
• losses due to staff mistakes
• inefficient use of resources

Question 4

What are the three main categories of internal controls?

Answer 4

1 Preventative controls
2 Detective controls
3 Corrective controls

Question 5

What are the three main categories of internal controls?

Answer 5

1 Preventative controls
2 Detective controls
3 Corrective controls

Question 6

What are the provisions of the UKCGC relating to internal control?

Answer 6

• the board should at least annually conduct a review of the effectiveness of the company’s risk management and internal control system.

Question 7

What are the responsibilities of an audit committee with respect to internal control and internal audit, as stated in the Code?

Answer 7

The Code states that the responsibilities of the audit committee include:

• review internal financial controls
• review internal control system and risk management system
• monitoring effectiveness of the internal audit function.

Question 8

What are the responsibilities of an audit committee with respect to internal control and internal audit, as stated in the Code?

Answer 8

The Code states that the responsibilities of the audit committee include:

• review internal financial controls
• review internal control system and risk management system
• monitoring effectiveness of the internal audit function.

Question 9

What are the main reccommendations in the FRC Guidance on Risk Management, Internal Control, and Related Financial and Business Reporting?

Answer 9

• board has responsibility for overall approach to risk management and internal control
• the risk management and internal control systems should be integrated into the operations of the company
• there should be an annual review of the internal control system
• the board should make a statement on the annual review

Question 10

How might an audit committee review the effectiveness of a company’s system of internal control?

Answer 10

Using the questions set out within the FRC Guidance.

Question 11

What is the purpose of an internal audit function?

Answer 11

To provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively.

Question 12

What tasks might be carried out by an internal audit department?

Answer 12

• reviewing the internal control system
• special investigations
• examination of financial and operating information
• value for money (VFM) audits
• reviewing compliance by the organisation with particular laws or regulations
• risk assessment

Question 13

How can the independence of the head of internal audit be protected?

Answer 13

Auditors should have a reporting line that makes them independent of the executives, and therefore avoids bias.

Question 14

What four factors might be assessed by internal audit when investigating internal financial controls?

Answer 14

1 Whether controls are automated or mandatory
2 Whether controls are discretionary or non-discretionary
3 Whether the controls can be circumnavigated easily
4 Whether the controls are effective in achieving their purpose.

Question 15

Why should disaster recovery planning be a part of the internal control system of a large company?

Answer 15

To help the company to cope and adapt to any major disaster.

Question 16

What are the key components of a disaster recovery plan?

Answer 16

• specify which operations are essential
• identify how IT systems can be transferred in the event of a disaster
• specify where operations should be transferred to if they cannot continue in their current location
• identify key personnel who are needed to maintain systems
• identify who should keep the public informed.

Question 17

What does the UK Code state about whistleblowing?

Answer 17

The audit committee should review arrangement by which staff of the company may, in confidence, raise concerns about possible improprieties in financial reporting or other matters.

Question 18

What would be the most appropriate reporting channel for whistleblowing?

Answer 18

Report initially to the CoSec, who can pass on allegations to the SID and other NEDs.

Question 19

What are the key features of a whistleblowing policy according to the “Whistleblowing Arrangements Code Of Practice” by BSI?

Answer 19

• every employee should receive a copy
• reporting lines should be established
• give examples of the type of conduct in question
• set out procedures by which allegations will be investigated
• make clear that false accusations will have consequences
• establish an external whistleblowing route
• promise confidentiality

Question 20

What are the three offences under the Bribery Act 2010?

Answer 20

• offering (active) or recieving (passive) bribes
• bribery of foreign officials
• failure to prevent a bribe being paid on the organisation’s behalf

Question 21

What are the six principles of the MoJ guidance on the Bribery Act 2010?

Answer 21

1 Proportionate procedures
2 Top-level commitment
3 Risk assessment
4 Due diligence
5 Communication
6 Monitoring and review