Evaluation of the Control Environment Flashcards
CoCo definition of ‘control environment’?
The elements of an org that, taken together, support people in the achievement of objectives. The elements include resources, systems, processes, culture. structure and tasks
COSO definition of ‘control environment’?
Process effected by an entity’s directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effective and efficient operations
- reliability of financial reporting
- compliance with applicable laws and regulations
IIA definition of ‘control environment’?
Set of processes, functions, activities, sub-systems and people who are grouped together or consciously segregated to ensure the effective achievement of objectives or goals.
What term is used to describe internal control by IIA?
Control environment
What term is used to describe internal control by COSO?
internal environment
What term is used to describe internal control by ISO31000?
RM context
What is the definition of ‘control’ given in the ISO Guide 73?
A measure intended, or assumed, to modify risk
What is the purpose of internal control?
- promote operational effectiveness and efficiency (CoCo)
- enhance reliability of internal and external reporting (CoCo)
- ensure compliance with laws and regulations (CoCo)
- safeguard and protect assets
- safeguard the interests of stakeholders
- ensure accurate records are kept
- adherence to policies, protocols and procedures
LILAC and CoCo models will be used to drive ?
? will be measure using 4Ns.
Maturity
Describe the 4 stages of the CoCo Framework
A clear purpose and sense of direction is set out
Commitment of individuals is guided by an understanding of purpose
Commitment supported by capability (sense of competence) leads to action
Monitoring action and learning from the internal and external environment facilitates improvement
What element of COSO does CoCo make up?
Internal environment
What other model of risk awareness is CoCo comparable to?
LILAC (leadership, involvement, learning, accountability, communication)
Describe the PURPOSE component of the CoCo framework
- objectives established and communicated
- significant internal and external risks assessed
- policies established communicated and practiced
- plans established and communicated, with performance indicators/targets
Describe the COMMITMENT component of the CoCo framework
- shared ethical values established communicated and practiced
- HR policies consistent with ethical values
- clearly defined authority, responsibility and accountability
- natural trust fostered to support flows of info
Describe the CAPABILITY component of the CoCo framework
- people with necessary knowledge, skills and tools
- values of the org supported by comms processes
- relevant info identified and communicated
- decisions and actions co-ordinated
- control activities integral to org’s general activities
Describe the MONITORING AND LEARNING component of the CoCo framework
- environment monitored to re-evaluate controls
- performance monitored against targets
- assumptions behind objectives challenged
- review of info needs and related info systems
- procedures established to ensure appropriate actions
- periodic assessment of control effectiveness
CoCo and COSO internal control have differing emphasis. Compare both.
CoCo:
- need to exploit opportunities
- reduced weaknesses in resilience
- importance of individual trust in quality of controls
- need to periodically challenge assumptions
COSO:
- commitment to integrity and ethical values
- board oversight of development and performance of internal control
- management set structures, reporting lines, authorities and responsibilities
- attract, develop and retain competent individuals
- individuals accountable for internal control responsibilities
Why is the CoCo framework useful for measuring risk-aware culture?
Strong scores in the areas of purpose, commitment, capability and learning indicates that staff and management understand the importance of RM and their role within it.
What is the principle role of internal audit in in risk management?
Ensuring accurate reporting
What additional role does the internal audit function have for companies subject to Sarbanes-Oxley?
Certification of financial performance statements
What 5 assertions are used to present financial data?
- existence of info
- completeness of data
- rights and obligations
- valuation and allocation
- presentation and disclosure
What does ‘materiality’ mean and how is this typically valued?
Significance of risk.
0.05% of annual turnover or above.
Give a definition of internal audit
“An independent, objective assurance and consulting activity designed to add value and improve an org’s operations.
It helps an org accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, controls and governance processes.”
What are the core roles of IA in ERM according to the IIA?
- evaluating the reporting of key risks
- evaluating RM processes
- reviewing management of key risks
- providing assurance that risks are correctly evaluated
- providing assurance on RM processes
What roles can the IA function undertake if appropriate safeguards are implemented according to the IIA?
- facilitate identification and evaluation of risks
- training management in responding to risk
- co-ordinating RM activities
- consolidated reporting on risks
maintaining and developing ERM framework. - championing establishment of ERM
- developing RM strategy for board approval
What role must the IA function NOT undertake in an ERM framework according to the IIA?
- setting risk appetite
- imposing RM processes
- taking decisions on RM responses
- implementing risk responses on management’s behalf
- accountability for RM
How might the Risk Manager and internal audit work together in a risk-based audit programme?
Identifying the key controls so that these are the audit priority
Attending risk assessment workshops to ensure controls are auditable
What are the four steps involved with carrying out internal audit?
Planning
Fieldwork
Audit report
Follow-up
What is involved in the PLANNING stage of internal audit?
- initial contact with ‘audit target’ informing of audit and its objectives
- initial meeting; target describes areas for review and available processes/resources
- preliminary survey to gather info required
- audit programme prep to outline required fieldwork
What is involved in the FIELDWORK stage of internal audit?
- testing critical internal controls, accuracy of randomly selected records
- regular updates through financial reporting and oral comms
- drafting audit summary report, findings conclusions, recommendations
What is involved in the AUDIT REPORT stage of internal audit?
- audit report reviewed by audit team and target
- report created, taking into account any comments
- distribution of final report to people involved, senior management
What is involved in the FOLLOW-UP stage of internal audit?
- review response from target
- reporting follow-up including effects of resolved and unresolved findings
Why is it important to agree audit recommendation with local department/management?
To ensure they are implemented
What should happen if there is disagreement about the adequacy of controls?
This should be escalated.
What body are likely to be considered the fourth line of defence?
External auditors
What body are likely to be considered the fifth line of defence?
Regulators
What are the advantages of the risk manager and auditors working together?
- common focus
- co-ordinated planning
- sharing of best practice, tools and techniques
What are the disadvantages of the risk manager and auditors working together?
- blurred boundaries around responsibilities
- possible compromise of auditors independence
- differing reporting relationships (audit in to most senior non-exec, RM in to less senior secretary or finance director)
Who is responsible for implementing the three lines of defence?
The org’s governing body and senior management (the board)
Compare the high-level responsibility of each of the three lines of defence in risk management?
First Line: ownership and management of risk
Second Line: oversight of RM activity
Third Line: independent assurance
Explain how the first line of defence acts to control risk
Ops management lead processes with embedded risk controls
Adequate managerial and supervisory controls in place to ensure compliance and identify control failures and risk events.
Explain how the second line of defence acts to control risk
RM function or committee assists ops managers with risk activities, identifying target exposure and reporting risk info.
Monitors and reports on compliance with laws, regulations and financial performance
Explain how the third line of defence acts to control risk
Independent entity that provides assurance of:
- efficiency and effectiveness of operations
- safeguarding of assets
- reliability and integrity of reporting
- compliance with laws, regulations policies, procedures and contracts
What size organisation should employ an IA function?
All! Smaller orgs will have just as complex control environments, with potentially less formal/robust organisational structures.
Also high exposure from the risk-aggressive attitude of a start-up or growing business
It is best practice to maintain an independent, adequately resourced, competently staffed IA function that…?
- acts in line with recognised international IA standards
- reports to a sufficiently high level in the org
- has an active and effective reporting line to the board
What practices does Hopkins recommend for effective IA?
- risk and controls processes structured in accordance with 3 lines of defence
- each line supported by policies and role definitions
- co-ordination across lines for efficiency and effectiveness
- knowledge and info shared across lines so all functions can carry out their duties efficiently
- lines of defence should not be combined or co-ordinated in a way that compromises their effectiveness
- where functions are combined the board should advised of structure and impact
- where no IA function is in place the stakeholders should be advised of how adequate assurance is obtained.
