The Control Environment Flashcards
What can ‘control’ mean within an org?
- part of the management process e.g. controlling budgets
- mechanisms to modify risk ie risk treatment
- assurance framework e.g. control environment
What type of company is the “FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting” aimed at?
Primarily aimed at companies subject to the UK Corp Governance Code
What are the key recommendations from the “FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting”?
2010/11:
- Boards determine appetite and desired risk culture
- RM and internal controls embedded in normal business activities rather than distinct
- Board responsible for identifying principle risks to objectives, solvency and liquidity, agreeing controls
- Regular programme of RM activities and adequate assurance/monitoring
- Annual report to include disclosures relating to the above
2014 additions:
- Boards to ensure sound internal and external comms processes
- Boards to ensure management understand risks
- Boards to ensure policies and controls are implemented and monitored by management
- Board to ensure timely info from management to board
What 6 should components should the board consider to ensure it meets requirements?
Culture Discussion Skills, knowledge and experience Flow and quality of info Use of delegation Assurance
What should the board consider in regards to CULTURE when deciding arrangements?
What do we want to embed and how will it be achieved?
- values communicated by management
- incentivised desired behaviour, sanctioned poor behaviour
- assessment of how well embedded values are at each level of the org
What should the board consider in regards to DISCUSSION when deciding arrangements?
Is there adequate discussion at the board?
- agreed scope and frequency of discussions relating to strategy, business model and risk
- Inclusion of risk assessment in other discussions
- how does impact of strategic decision on risk profile get assessed?
- informed debate and constructive challenge, constant review of effectiveness of decision-making.
What should the board consider in regards to SKILLS, KNOWLEDGE AND EXERIENCE when deciding arrangements?
Do the board and authority delegates have what is required to asses the risks of the org and exercise its responsibility effectively?
What should the board consider in regards to FLOW AND QUALITY OF INFO when deciding arrangements?
Is info to and from the board adequate?
- specify nature, source, format, frequency
- underlying models understood so challenges can be made
- agreed trigger for urgent escalation outside of standard frequency
- quality of info monitored
What should the board consider in regards to USE OF DELEGATION when deciding arrangements?
Are duties delegated to committees and are their responsibilities and accountabilities clear?
- board satisfied with arrangements
- board retains ultimate responsibility for RM and internal control systems
- remuneration committee should take risk into account when determining remuneration policies and rewards
What should the board consider in regards to ASSURANCE when deciding arrangements?
What is required and how is it obtained?
- where are the gaps and how are these addressed
- assurance might be sought from board, committees and management activities as well as compliance, RM and IA functions
- sufficient authority, independence, expertise required to provide objective info to the board
What do the RM and internal control systems include?
Policies, culture, organisation, behaviours, processes and systems that:
- facilitate effective and efficient operations through identification and response to emerging risk, safeguarding of assets
- reduces likelihood and impact of poor decision-making, risk taking outside of agreed levels, human error or sabotage.
- ensures quality of internal and external reporting
- ensures compliance with applicable laws, regulations and internal policies
The board should determine the principle risks to be clear about the extent to which they need to be managed. What are ‘principle risks’?
Those that threaten on-going performance, the current business model, solvency or liquidity.
What should the board consider when determining principle risks?
Size, complexity and circumstances of the org
Awareness of strategy, processes, performance, stage of development and external changes
What constitutes a significant failing
What are the two main ways that the board monitor and review the effectiveness of internal control systems?
Regular, ongoing reporting:
- balanced assessment of risks
- effectiveness of risk assessment and identification of principle risks
- how these have been managed, whether action is being taken, whether they are the result of poor decisions
Annual review of effectiveness:
- board defines process to be adopted for the review
- consideration of appetite and culture, whether desired culture is embedded
- integration of RM in business activity
- changes to principle risks, ability to respond to internal and external changes
- extent, frequency and quality of comms to the board
- review of significant risk events
- effectiveness of public reporting
What disclosures should be included in the annual report and accounts?
- principle risks faced by the org and how they are managed
- whether the directors feel the org can continue and meet its liabilities
- the going concern basis of accounting
- information relating to the review of RM and IC systems and the main features in relation to financial reporting
