Module 2 - Unit 5: Risk Assurance & Reporting Flashcards
What do we mean by the ‘control environment’?
The whole range and interaction of controls that address risks and support the achievement of objectives including resources, systems, processes, culture, structure and tasks.
Describe the ‘three lines of defence’ used to provide assurance of good risk management
- Business managers (responsible for applying the risk management framework)
- Risk management function (responsible for supporting and challenging the RM activities and for designing the RM framework)
- Internal audit (responsible for providing independent and objective assurance on the robustness of the RM framework and the effectiveness of internal control)
How do the Institute of Internal Auditors define internal auditing?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.
It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
How does internal audit fit into the “three lines of defence” model?
Internal audit represents the third line of defence.
Its role is to provide assurance over the effectiveness of the control environment and it also assesses the operation of the risk management strategy and activities in the organisation.
What are the four overarching responsibilities of an audit committee?
- External audit
- Internal audit
- Financial reporting
- Regulatory reports
What information on risk are companies required to disclose in their annual report and accounts?
Companies are required to disclose their principal risks and uncertainties in their annual report and accounts.
Why do many organisations not regard “reputation” as a risk category?
Most organisations regard damage to reputation as a consequence of the occurrence of risk events, rather than as a risk in itself.
The Nolan principles of public life underpin governance activities within government departments, agencies or authorities. List all 7.
Selflessness, Integrity, Objectivity, Accountability, Openness, Honesty, Leadership
When did the Financial Reporting Council (FRC) publish its “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting”?
September 2014
According to the FRC’s “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting”, what are the Board’s (6) main responsibilities towards Risk Management and Internal Control?
- Ensure the design/implementation of appropriate RM and IC systems that (1) identify the company's risks and (2) enable the Board to make an assessment of the principal risks.
- Determine the nature/extent of the risks faced, and which risks the organisation is willing to take to achieve its objectives (its risk appetite).
- Ensure an appropriate culture and reward systems are embedded.
- Agree on how the principal risks should be managed/mitigated.
- Monitor/review the RM and IC systems.
- Ensure sound internal/external communication.
Give 3 features of the system of Internal Control
The system of IC should:
- Be embedded in the company’s operations and form part of its culture.
- Be capable of responding quickly to evolving risks, both internal and external.
- Include procedures for reporting immediately any significant control failings or weaknesses, plus details of corrective actions.
Taking the example of fraud by employees, what may the control environment include?
- Pre-employment checks, e.g. references/criminal background checks.
- Accounting and asset protection measures to prevent fraudulent use/theft.
- Policy of legal prosecution against employees found guilty of fraud.
- Periodic audit of finances/stocks.
- Regular refresher training and tests for staff.
- Standard operating procedures, e.g. insisting that all staff take at least 2 weeks' holiday per year (so that another person covers their role and any concealed irregularities surface).
List the types of risk management documentation that may be required
- Risk management administration
- Risk response and improvement plans
- Event reports and recommendations
- Risk performance and certification reports
(Hopkin, p. 414)
Define the four components of the business model as listed by Hopkin
CORR:
- Customer - segments, recruitment and retention
- Offering - customer value proposition
- Resources - data, capabilities and assets of the organisation
- Resilience - reputational and financial resilience
(Hopkin, p.228)
The business model represents the existing ________ for the delivery of the ________ _________ and provides a description of ________ and ________ activities.
The business model represents the existing mechanisms for the delivery of the customer offering and provides a description of operational and compliance activities.
(Hopkin, p. 228)