Evaluation of the Control Environment Flashcards

1
Q

CoCo definition of ‘control environment’?

A

The elements of an org that, taken together, support people in the achievement of objectives. The elements include resources, systems, processes, culture, structure and tasks.

2
Q

COSO definition of ‘control environment’?

A

Process effected by an entity’s directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • effective and efficient operations
  • reliability of financial reporting
  • compliance with applicable laws and regulations
3
Q

IIA definition of ‘control environment’?

A

Set of processes, functions, activities, sub-systems and people who are grouped together or consciously segregated to ensure the effective achievement of objectives or goals.

4
Q

What term is used to describe internal control by IIA?

A

Control environment

5
Q

What term is used to describe internal control by COSO?

A

internal environment

6
Q

What term is used to describe internal control by ISO31000?

A

RM context

7
Q

What is the definition of ‘control’ given in the ISO Guide 73?

A

A measure intended, or assumed, to modify risk

8
Q

What is the purpose of internal control?

A
  • promote operational effectiveness and efficiency (CoCo)
  • enhance reliability of internal and external reporting (CoCo)
  • ensure compliance with laws and regulations (CoCo)
  • safeguard and protect assets
  • safeguard the interests of stakeholders
  • ensure accurate records are kept
  • adherence to policies, protocols and procedures
9
Q

LILAC and CoCo models will be used to drive ?

? will be measured using the 4Ns.

A

Maturity

10
Q

Describe the 4 stages of the CoCo Framework

A

A clear purpose and sense of direction is set out

Commitment of individuals is guided by an understanding of purpose

Commitment supported by capability (sense of competence) leads to action

Monitoring action and learning from the internal and external environment facilitates improvement

11
Q

What element of COSO does CoCo make up?

A

Internal environment

12
Q

What other model of risk awareness is CoCo comparable to?

A

LILAC (leadership, involvement, learning, accountability, communication)

13
Q

Describe the PURPOSE component of the CoCo framework

A
  • objectives established and communicated
  • significant internal and external risks assessed
  • policies established, communicated and practiced
  • plans established and communicated, with performance indicators/targets
14
Q

Describe the COMMITMENT component of the CoCo framework

A
  • shared ethical values established, communicated and practiced
  • HR policies consistent with ethical values
  • clearly defined authority, responsibility and accountability
  • natural trust fostered to support flows of info
15
Q

Describe the CAPABILITY component of the CoCo framework

A
  • people with necessary knowledge, skills and tools
  • values of the org supported by comms processes
  • relevant info identified and communicated
  • decisions and actions co-ordinated
  • control activities integral to org’s general activities
16
Q

Describe the MONITORING AND LEARNING component of the CoCo framework

A
  • environment monitored to re-evaluate controls
  • performance monitored against targets
  • assumptions behind objectives challenged
  • review of info needs and related info systems
  • procedures established to ensure appropriate actions
  • periodic assessment of control effectiveness
17
Q

CoCo and COSO internal control have differing emphases. Compare the two.

A

CoCo:

  • need to exploit opportunities
  • reduced weaknesses in resilience
  • importance of individual trust in quality of controls
  • need to periodically challenge assumptions

COSO:

  • commitment to integrity and ethical values
  • board oversight of development and performance of internal control
  • management set structures, reporting lines, authorities and responsibilities
  • attract, develop and retain competent individuals
  • individuals accountable for internal control responsibilities
18
Q

Why is the CoCo framework useful for measuring risk-aware culture?

A

Strong scores in the areas of purpose, commitment, capability and learning indicate that staff and management understand the importance of RM and their role within it.

19
Q

What is the principal role of internal audit in risk management?

A

Ensuring accurate reporting

20
Q

What additional role does the internal audit function have for companies subject to Sarbanes-Oxley?

A

Certification of financial performance statements

21
Q

What 5 assertions are used to present financial data?

A
  • existence of info
  • completeness of data
  • rights and obligations
  • valuation and allocation
  • presentation and disclosure
22
Q

What does ‘materiality’ mean and how is this typically valued?

A

Significance of risk.

0.05% of annual turnover or above.

23
Q

Give a definition of internal audit

A

“An independent, objective assurance and consulting activity designed to add value and improve an org’s operations.

It helps an org accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, controls and governance processes.”

24
Q

What are the core roles of IA in ERM according to the IIA?

A
  • evaluating the reporting of key risks
  • evaluating RM processes
  • reviewing management of key risks
  • providing assurance that risks are correctly evaluated
  • providing assurance on RM processes
25
Q

According to the IIA, what roles can the IA function undertake if appropriate safeguards are implemented?

A
  • facilitate identification and evaluation of risks
  • training management in responding to risk
  • co-ordinating RM activities
  • consolidated reporting on risks
  • maintaining and developing the ERM framework
  • championing establishment of ERM
  • developing RM strategy for board approval
26
Q

According to the IIA, what roles must the IA function NOT undertake in an ERM framework?

A
  • setting risk appetite
  • imposing RM processes
  • taking decisions on RM responses
  • implementing risk responses on management’s behalf
  • accountability for RM
27
Q

How might the Risk Manager and internal audit work together in a risk-based audit programme?

A

Identifying the key controls so that these are the audit priority

Attending risk assessment workshops to ensure controls are auditable

28
Q

What are the four steps involved with carrying out internal audit?

A

Planning
Fieldwork
Audit report
Follow-up

29
Q

What is involved in the PLANNING stage of internal audit?

A
  • initial contact with the ‘audit target’, informing them of the audit and its objectives
  • initial meeting; target describes areas for review and available processes/resources
  • preliminary survey to gather info required
  • audit programme prep to outline required fieldwork
30
Q

What is involved in the FIELDWORK stage of internal audit?

A
  • testing critical internal controls, accuracy of randomly selected records
  • regular updates through financial reporting and oral comms
  • drafting the audit summary report: findings, conclusions and recommendations
31
Q

What is involved in the AUDIT REPORT stage of internal audit?

A
  • audit report reviewed by audit team and target
  • report created, taking into account any comments
  • distribution of final report to people involved, senior management
32
Q

What is involved in the FOLLOW-UP stage of internal audit?

A
  • review response from target
  • reporting follow-up, including effects of resolved and unresolved findings

33
Q

Why is it important to agree audit recommendations with the local department/management?

A

To ensure they are implemented

34
Q

What should happen if there is disagreement about the adequacy of controls?

A

This should be escalated.

35
Q

What body is likely to be considered the fourth line of defence?

A

External auditors

36
Q

What body is likely to be considered the fifth line of defence?

A

Regulators

37
Q

What are the advantages of the risk manager and auditors working together?

A
  • common focus
  • co-ordinated planning
  • sharing of best practice, tools and techniques
38
Q

What are the disadvantages of the risk manager and auditors working together?

A
  • blurred boundaries around responsibilities
  • possible compromise of the auditors’ independence
  • differing reporting relationships (audit reports in to the most senior non-exec; RM reports in to a less senior secretary or finance director)
39
Q

Who is responsible for implementing the three lines of defence?

A

The org’s governing body and senior management (the board)

40
Q

Compare the high-level responsibilities of each of the three lines of defence in risk management.

A

First Line: ownership and management of risk
Second Line: oversight of RM activity
Third Line: independent assurance

41
Q

Explain how the first line of defence acts to control risk

A

Ops management lead processes with embedded risk controls

Adequate managerial and supervisory controls in place to ensure compliance and identify control failures and risk events.

42
Q

Explain how the second line of defence acts to control risk

A

RM function or committee assists ops managers with risk activities, identifying target exposure and reporting risk info.

Monitors and reports on compliance with laws, regulations and financial performance

43
Q

Explain how the third line of defence acts to control risk

A

Independent entity that provides assurance of:

  • efficiency and effectiveness of operations
  • safeguarding of assets
  • reliability and integrity of reporting
  • compliance with laws, regulations, policies, procedures and contracts
44
Q

What size organisation should employ an IA function?

A

All! Smaller orgs have control environments that are just as complex, with potentially less formal/robust organisational structures.

There is also high exposure arising from the risk-aggressive attitude of a start-up or growing business.

45
Q

It is best practice to maintain an independent, adequately resourced, competently staffed IA function that…?

A
  • acts in line with recognised international IA standards
  • reports to a sufficiently high level in the org
  • has an active and effective reporting line to the board
46
Q

What practices does Hopkins recommend for effective IA?

A
  • risk and controls processes structured in accordance with 3 lines of defence
  • each line supported by policies and role definitions
  • co-ordination across lines for efficiency and effectiveness
  • knowledge and info shared across lines so all functions can carry out their duties efficiently
  • lines of defence should not be combined or co-ordinated in a way that compromises their effectiveness
  • where functions are combined, the board should be advised of the structure and its impact
  • where no IA function is in place the stakeholders should be advised of how adequate assurance is obtained.