Unit 5 Flashcards

1
Q

Hopkin definition of internal control

A

Internal control is concerned with the methods, procedures and checks that are in place to ensure that a business or organisation meets its objectives

2
Q

COSO integrated framework description of control environment

A

the set of standards, processes and structures that provide the basis for carrying out internal control across the organisation.

3
Q

PRA rule book internal control for Solvency 2 firms

A

4.1 (1) A firm must have in place an effective internal control system.

4.1 (2) that system must include administrative and accounting procedures, an internal control framework, and appropriate reporting arrangements at all levels of the firm and a compliance function.

4
Q

PRA rule book- Compliance function must include:

A

• advising the governing body on compliance with the rules and other laws, regulations and administrative provisions adopted in accordance with the Solvency II directive.
• an assessment of the possible impact of any changes in the legal environment on the operations of the firm concerned and the identification and assessment of compliance risk.

5
Q

PRA cont

A

A firm must have internal processes and procedures in place to ensure the appropriateness, completeness and accuracy of the data used in the calculation of its technical provisions.

6
Q

PRA cont

A

A firm must have processes and procedures in place to ensure that the assumptions underlying the calculation of the best estimate are regularly compared against experience.

7
Q

FRC guidance on internal control systems:

A

encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together:

• Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company’s objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed.
• Help ensure the quality of internal and external reporting.
• Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.
• help reduce the likelihood and impact of poor judgment in decision-making

8
Q

FRC guidance on internal control continued- system should include:

A

A) control activities
B) information and communication processes
C) processes for monitoring the continuing effectiveness of the system of internal control

9
Q

FRC system of internal control should be:

A

• embedded
• capable of responding quickly
• include procedures for reporting immediately, to appropriate levels, any significant control failings or weaknesses with corrective action

10
Q

Pillar 2 supervisory review- 4 principles- first principle in relation to internal control

A

Principle 1 - Banks should have a process to assess their overall capital adequacy in relation to their risk profile as well as a strategy to maintain their capital levels.

5 features of rigorous capital assessment:
Internal control review- the bank’s internal control framework is a key element in the capital assessment process. An effective review of this framework should include an internal or external audit.

11
Q

Hopkin - internal controls

A

Can be considered to be the actions taken by management to plan, organise, and direct the performance of sufficient actions to provide reasonable assurance that objectives will be achieved.

12
Q

Three standards and how each defines it

A

Risk management context = ISO 31000
Internal environment = COSO ERM cube
IA = control environment

13
Q

Purpose of internal control activities:

A

Help the org achieve its objectives. Purpose is:

  • safeguard and protect the assets of the organisation
  • ensure the keeping of accurate records
  • promote operational effectiveness and efficiency
  • adhere to policies and procedures, including control procedures
  • enhance reliability of internal and external reporting
  • ensure compliance with laws and regulations
  • safeguard the interests of shareholders/stakeholders
14
Q

Well developed control environment will also ensure that:

A

Pre-planned responses to a crisis situation are effectively and efficiently implemented

15
Q

Tools to evaluate the control environment:

A

LILAC
CoCo
risk maturity models - FOIL and 4Ns

16
Q

CoCo framework

A

If the control environment is satisfactory, RM and internal control activities will be successfully and appropriately undertaken.

Purpose - a sense of direction
|
Commitment - a sense of identity and values
|
Capability - a sense of competence
|
Action
|
Monitoring and learning - a sense of evolution

17
Q

CoCo 3 main objectives of controls

A
  • Effectiveness and efficiency of operations
  • reliability of internal and external reporting
  • compliance with applicable laws and regulations and internal policies
18
Q

Main differences between COSO and CoCo are that CoCo is more explicit about:

A

• identification of a need to exploit opportunities
• mitigation of weaknesses in business resilience
• the importance of individual trust to the quality of the control environment
• the need to periodically challenge assumptions

19
Q

Features of the control environment that are considered important by COSO internal control:

A
  • org is committed to integrity and ethical values
  • board has oversight of development and performance of internal control
  • mgt sets structures, reporting lines, authority and responsibilities
  • org seeks to attract, develop, and retain competent individuals
  • org holds individuals accountable for internal control responsibilities
20
Q

Board is responsible for RM and needs assurance that the risk strategy is working, obtained through:

A

Risk assurance and Audit Committee

21
Q

Hopkin on audit committee make up and purpose

A

‘The audit committee consists of non-executive directors, with senior executive directors in attendance at audit committee meetings… The audit committee has a status and responsibility that enables it to evaluate all the activities of the organisation, including the activities of the board itself.’

22
Q

Audit committee position

A

AC is in a position to:

• evaluate the governance standards within the org
• ensure that RM receives appropriate attention
• seek assurance on the levels of compliance achieved within the org

23
Q

Responsibilities of audit committee

A

• External audit.
- recommend the appointment and re-appointment of external auditors
- review the performance and cost effectiveness of external auditors
- review the qualification, expertise and independence of external auditors
- review and discuss any reports from external auditors

• internal audit
- review internal audit and its relationship with external auditors
- review and assess the annual internal audit plan
- review promptly all reports from the internal auditors
- review mgt response to the findings of the internal audits

• Financial reporting
- review annual and half-year financial results
- evaluate annual report against requirements of the governance code
- review disclosures by CEO and CFO during certification of annual report

• Regulatory reports
- review arrangements for producing audited accounts
- monitor and review standards of RM and internal control
- develop a code of ethics for CEO and other senior mgt roles
- annually review the adequacy of the RM processes
- receive reports on litigation, financial commitments and other liabilities
- receive reports of any issues raised by whistleblowing

24
Q

UK Corp Gov Code

A

Applies only to LSE-listed companies. Those without an internal audit function should review the need for one on a routine basis.

25
Q

Sources of risk assurance

A
  1. Culture measurement- use CoCo or COSO to evaluate control environment
  2. Audit reports- internal and external reports on a range of issues- risk assessment, compliance, training
  3. Unit reports- on issues such as risk performance, indicators, CRSA, incidents
  4. Performance of the unit - on risk related issues, losses, sig weakness in control measures
  5. Unit documentation- RM policy, H&S policy, BCP and DR
26
Q

Internal audit definition

A

‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’

27
Q

PRA requirement re IA

A

A firm must establish and maintain an IA function which is separate and independent from the other functions and activities of the firm

28
Q

Activities which should not involve IA

A

Setting risk appetite
Imposing RM processes
Taking decisions on risk responses

29
Q

BIS Principle 10 on IA

A

The IA function should provide independent assurance to the Board and should support the Board and senior management in promoting an effective governance process and the long-term soundness of the bank

30
Q

BIS principle 10, IA function should

A
  • have a clear mandate
  • be accountable to Board
  • be independent
  • have sufficient skills, standing, resources and authority within the bank to enable the auditors to carry out their assignments effectively and objectively
31
Q

EIOPA - section 8 - IA

A

• independence
• COI within IA function- not reviewing areas recently covered
• IA policy
• IA plan - based on risk analysis, sig activities
• IA documentation - need to be able to re-perform
• IA function tasks - time to remedy shortcomings, previous recommendations

32
Q

Own assessment of risk

A

• For banks this is the ICAAP – internal capital adequacy assessment process – required by Basel III.
• For insurers this is the ORSA – own risk and solvency assessment – required by Solvency II.

33
Q

Pillar 2 of Basel 4 key principles of supervisory review

A

Principle 1: Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels. Within this principle, the regulators are looking to see the following.

• board and senior management oversight
• sound capital assessment
• comprehensive assessment of risks
• monitoring and reporting
• internal control review

Principle 2: Supervisors should review and evaluate banks’ internal capital adequacy assessments and strategies, as well as their ability to monitor and ensure their compliance with regulatory capital ratios. Supervisors should take appropriate action if they are not satisfied with the result of this process. This monitoring can be performed through onsite visits, offsite review, discussions with management or other means.

Principle 3: Supervisors should expect banks to operate above the minimum regulatory capital ratios and should have the ability to require banks to hold capital in excess of the minimum.

Principle 4: Supervisors should seek to intervene at an early stage to prevent capital from falling below the minimum levels required to support the risk characteristics of a particular bank and should require rapid remedial action if capital is not maintained or restored.

34
Q

ORSA

A

Insurers are required to produce an ORSA (Own Risk and Solvency Assessment). The ORSA describes the risk management framework that the insurer has in effect in order to assess the risks that it faces, manage them and identify how much capital is required to run the business. This will include the components of the risk framework, including risk strategy, risk appetite, risk policy, risk identification, risk control, reporting and so on.

ORSA allows an insurer to calculate its capital requirements at a confidence interval of its own choosing. Typically, this would be higher than the regulatory capital requirement since the regulatory capital is calibrated at a level at which an insurer would receive a low credit rating. In addition, ORSA might include risks that are not set out in the Pillar 1 regulatory capital requirement, including strategic risk and reputational risk.

ORSA is a business process which involves the components in the risk management framework, but it also results in a formal report at least once per year, and the two are distinct.

Pillar 2 of Solvency II formalises the role of the risk manager in an insurance business and it also introduces the requirement for an actuarial function. Pillar 2 also sets out requirements for internal audit and compliance functions and broader governance requirements that regulators expect to be met. This includes fit-for-purpose requirements for senior management.

35
Q

Solvency 2 vs Basel 3 differences

A

Solvency II sets out guidance of what firms should put in place, whereas the banking rules define what the regulators will be looking for in their review.

36
Q

Risk reporting internally and externally

A

Internally: the risk management function will provide detailed risk analysis reports and options for controls, their cost and effect on processes. The board or senior management team can then make decisions about investment in measures that mitigate the risk.
Externally: regulators require information to evaluate the firm’s risk exposures and risk framework. In addition, public disclosure of risk information is required under the Pillar 3 requirements of Basel III and Solvency II.

37
Q

Internal reporting examples

A
  • exposure reports measuring against risk appetite
  • risk exposure by risk type
  • risk indicators
  • loss of existing business
  • client feedback and complaints
  • staff turnover rates
  • audit findings
38
Q

FRC summary of obligations for Board

A
  1. RM process
  2. Principal risks and risk appetite
  3. Risk culture and risk assurance
  4. Risk profile and risk mitigation
  5. Monitoring and review activities
  6. Risk communication and reporting
39
Q

Components of business model

A

• Customer includes analysis of customer segments, recruitment and retention, as well as how products or services will be delivered.
• Offering refers to the customer value proposition and the related benefits that are delivered to those customers.
• Resources include the data, capabilities and assets of the organization, as well as partnerships and networks.
• Resilience of the organization is reputational (based on ethos and culture) and financial resilience (based on expenditure and revenue).

40
Q

Government risk - reporting principles

A
  • openness and transparency
  • involvement
  • proportionality
  • evidence
  • responsibility
41
Q

Pillar 3 external reporting- disclosure requirements related to:

A

• capital adequacy
• risk exposures, including credit, mkt, operational
• the RM framework

42
Q

Pillar 3 Solvency 2 - report to regulator through

A
  1. Solvency and Financial Condition Report. Publicly available. P&L; B/S; business and performance; risk appetite; risk policy and process; gov arrangements; basis of capital calculation (internal model or standard formula)
  2. Report to supervisor. Not public
43
Q

6 purposes of internal control

A
  • protect assets
  • record keeping
  • operational efficiency
  • adhere to policies and procedures
  • reliability of reporting
  • compliance
  • safeguard shareholders
44
Q

Components of rep risk

A

Capabilities- purpose, resources
Activities- process, finances
Standards- services, support
Ethics- integrity, values