Evaluation of the Control Environment Flashcards by Simon Harding

CoCo definition of ‘control environment’?

The elements of an org that, taken together, support people in the achievement of objectives. The elements include resources, systems, processes, culture. structure and tasks

How well did you know this?

Not at all

Perfectly

COSO definition of ‘control environment’?

Process effected by an entity’s directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

effective and efficient operations
reliability of financial reporting
compliance with applicable laws and regulations

How well did you know this?

Not at all

Perfectly

IIA definition of ‘control environment’?

Set of processes, functions, activities, sub-systems and people who are grouped together or consciously segregated to ensure the effective achievement of objectives or goals.

How well did you know this?

Not at all

Perfectly

What term is used to describe internal control by IIA?

Control environment

How well did you know this?

Not at all

Perfectly

What term is used to describe internal control by COSO?

internal environment

How well did you know this?

Not at all

Perfectly

What term is used to describe internal control by ISO31000?

RM context

How well did you know this?

Not at all

Perfectly

What is the definition of ‘control’ given in the ISO Guide 73?

A measure intended, or assumed, to modify risk

How well did you know this?

Not at all

Perfectly

What is the purpose of internal control?

promote operational effectiveness and efficiency (CoCo)
enhance reliability of internal and external reporting (CoCo)
ensure compliance with laws and regulations (CoCo)
safeguard and protect assets
safeguard the interests of stakeholders
ensure accurate records are kept
adherence to policies, protocols and procedures

How well did you know this?

Not at all

Perfectly

LILAC and CoCo models will be used to drive ?

? will be measure using 4Ns.

Maturity

How well did you know this?

Not at all

Perfectly

Describe the 4 stages of the CoCo Framework

A clear purpose and sense of direction is set out

Commitment of individuals is guided by an understanding of purpose

Commitment supported by capability (sense of competence) leads to action

Monitoring action and learning from the internal and external environment facilitates improvement

How well did you know this?

Not at all

Perfectly

What element of COSO does CoCo make up?

Internal environment

How well did you know this?

Not at all

Perfectly

What other model of risk awareness is CoCo comparable to?

LILAC (leadership, involvement, learning, accountability, communication)

How well did you know this?

Not at all

Perfectly

Describe the PURPOSE component of the CoCo framework

objectives established and communicated
significant internal and external risks assessed
policies established communicated and practiced
plans established and communicated, with performance indicators/targets

How well did you know this?

Not at all

Perfectly

Describe the COMMITMENT component of the CoCo framework

shared ethical values established communicated and practiced
HR policies consistent with ethical values
clearly defined authority, responsibility and accountability
natural trust fostered to support flows of info

How well did you know this?

Not at all

Perfectly

Describe the CAPABILITY component of the CoCo framework

people with necessary knowledge, skills and tools
values of the org supported by comms processes
relevant info identified and communicated
decisions and actions co-ordinated
control activities integral to org’s general activities

How well did you know this?

Not at all

Perfectly

Describe the MONITORING AND LEARNING component of the CoCo framework

environment monitored to re-evaluate controls
performance monitored against targets
assumptions behind objectives challenged
review of info needs and related info systems
procedures established to ensure appropriate actions
periodic assessment of control effectiveness

How well did you know this?

Not at all

Perfectly

CoCo and COSO internal control have differing emphasis. Compare both.

CoCo:

need to exploit opportunities
reduced weaknesses in resilience
importance of individual trust in quality of controls
need to periodically challenge assumptions

COSO:

commitment to integrity and ethical values
board oversight of development and performance of internal control
management set structures, reporting lines, authorities and responsibilities
attract, develop and retain competent individuals
individuals accountable for internal control responsibilities

How well did you know this?

Not at all

Perfectly

Why is the CoCo framework useful for measuring risk-aware culture?

Strong scores in the areas of purpose, commitment, capability and learning indicates that staff and management understand the importance of RM and their role within it.

How well did you know this?

Not at all

Perfectly

What is the principle role of internal audit in in risk management?

Ensuring accurate reporting

What additional role does the internal audit function have for companies subject to Sarbanes-Oxley?

Certification of financial performance statements

What 5 assertions are used to present financial data?

existence of info
completeness of data
rights and obligations
valuation and allocation
presentation and disclosure

What does ‘materiality’ mean and how is this typically valued?

Significance of risk.

0.05% of annual turnover or above.

Give a definition of internal audit

“An independent, objective assurance and consulting activity designed to add value and improve an org’s operations.

It helps an org accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, controls and governance processes.”

What are the core roles of IA in ERM according to the IIA?

evaluating the reporting of key risks
evaluating RM processes
reviewing management of key risks
providing assurance that risks are correctly evaluated
providing assurance on RM processes

What roles can the IA function undertake if appropriate safeguards are implemented according to the IIA?

- facilitate identification and evaluation of risks - training management in responding to risk - co-ordinating RM activities - consolidated reporting on risks maintaining and developing ERM framework. - championing establishment of ERM - developing RM strategy for board approval

What role must the IA function NOT undertake in an ERM framework according to the IIA?

- setting risk appetite - imposing RM processes - taking decisions on RM responses - implementing risk responses on management's behalf - accountability for RM

How might the Risk Manager and internal audit work together in a risk-based audit programme?

Identifying the key controls so that these are the audit priority Attending risk assessment workshops to ensure controls are auditable

What are the four steps involved with carrying out internal audit?

Planning Fieldwork Audit report Follow-up

What is involved in the PLANNING stage of internal audit?

- initial contact with 'audit target' informing of audit and its objectives - initial meeting; target describes areas for review and available processes/resources - preliminary survey to gather info required - audit programme prep to outline required fieldwork

What is involved in the FIELDWORK stage of internal audit?

- testing critical internal controls, accuracy of randomly selected records - regular updates through financial reporting and oral comms - drafting audit summary report, findings conclusions, recommendations

What is involved in the AUDIT REPORT stage of internal audit?

- audit report reviewed by audit team and target - report created, taking into account any comments - distribution of final report to people involved, senior management

What is involved in the FOLLOW-UP stage of internal audit?

- review response from target | - reporting follow-up including effects of resolved and unresolved findings

Why is it important to agree audit recommendation with local department/management?

To ensure they are implemented

What should happen if there is disagreement about the adequacy of controls?

This should be escalated.

What body are likely to be considered the fourth line of defence?

External auditors

What body are likely to be considered the fifth line of defence?

Regulators

What are the advantages of the risk manager and auditors working together?

- common focus - co-ordinated planning - sharing of best practice, tools and techniques

What are the disadvantages of the risk manager and auditors working together?

- blurred boundaries around responsibilities - possible compromise of auditors independence - differing reporting relationships (audit in to most senior non-exec, RM in to less senior secretary or finance director)

Who is responsible for implementing the three lines of defence?

The org's governing body and senior management (the board)

Compare the high-level responsibility of each of the three lines of defence in risk management?

First Line: ownership and management of risk Second Line: oversight of RM activity Third Line: independent assurance

Explain how the first line of defence acts to control risk

Ops management lead processes with embedded risk controls Adequate managerial and supervisory controls in place to ensure compliance and identify control failures and risk events.

Explain how the second line of defence acts to control risk

RM function or committee assists ops managers with risk activities, identifying target exposure and reporting risk info. Monitors and reports on compliance with laws, regulations and financial performance

Explain how the third line of defence acts to control risk

Independent entity that provides assurance of: - efficiency and effectiveness of operations - safeguarding of assets - reliability and integrity of reporting - compliance with laws, regulations policies, procedures and contracts

What size organisation should employ an IA function?

All! Smaller orgs will have just as complex control environments, with potentially less formal/robust organisational structures. Also high exposure from the risk-aggressive attitude of a start-up or growing business

It is best practice to maintain an independent, adequately resourced, competently staffed IA function that...?

- acts in line with recognised international IA standards - reports to a sufficiently high level in the org - has an active and effective reporting line to the board

What practices does Hopkins recommend for effective IA?

- risk and controls processes structured in accordance with 3 lines of defence - each line supported by policies and role definitions - co-ordination across lines for efficiency and effectiveness - knowledge and info shared across lines so all functions can carry out their duties efficiently - lines of defence should not be combined or co-ordinated in a way that compromises their effectiveness - where functions are combined the board should advised of structure and impact - where no IA function is in place the stakeholders should be advised of how adequate assurance is obtained.