Module 2 - Unit 5: Risk Assurance & Reporting

Question 1

What do we mean by the ‘control environment’?

Answer 1

The whole range and interaction of controls that address risks and support the achievement of objectives including resources, systems, processes, culture, structure and tasks.

Question 2

Describe the ‘three lines of defence’ used to provide assurance of good risk management

Answer 2

1. Business managers (responsible for applying the risk man. framework)
2. Risk management function (responsible for supporting and challenging the RM activities and designing the RMF)
3. Internal audit (responsible for providing independent and objective assurance on the robustness of the RMF and the effectiveness of internal control

Question 3

How do the Institute of Internal Auditors define internal auditing?

Answer 3

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.

It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Question 4

How does internal audit fit into the “three lines of defence” model?

Answer 4

Internal audit represents the third line of defence.

Its role is to provide assurance over the effectiveness of the control environment and it also assesses the operation of the risk management strategy and activities in the organisation.

Question 5

What are the four overarching responsibilities of an audit committee?

Answer 5

1. External audit
2. Internal audit
3. Financial reporting
4. Regulatory reports

Question 6

What information on risk are companies required to disclose in their annual report and accounts?

Answer 6

Companies are required to disclose their principal risks and uncertainties in their annual report and accounts.

Question 7

Why do many organisations not regard “reputation” as a risk category?

Answer 7

Most organisations regard damage to reputation as a consequence of the occurrence of risk events, rather than a risk in itself

Question 8

The Nolan principles of public life underpin governance activities within government departments, agencies or authorities. List all 7.

Answer 8

Selflessness 
Integrity
Objectivity
Accountability 
Openness 
Honesty
Leadership

Question 9

When did the Financial Reporting Council (FRC) publish its “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting”?

Answer 9

September 2014

Question 10

According to the FRC’s “Guidance on Risk Management, Internal Control and Related Financial and Business Reporting”, what are the Board’s (6) main responsibilities towards Risk Management and Internal Control?

Answer 10

1. Ensuring the design/implementation of appropriate RM and IC systems that (1) identify the company’s risks and (2) enable the Board to make an assessment of the principal risks.
2. Determine the nature/extent of the risks faced, and which the org. is willing to take to achieve its objectives (its Risk Appetite).
3. Ensure appropriate culture and reward systems are embedded.
4. Agree on how principals risks should be managed/mitigated.
5. Monitor/Review the RM and IC systems,
6. Ensure sound internal/external communication.

Question 11

Give 3 features of the system of Internal Control

Answer 11

The system of IC should:

• Be embedded in the company’s operations and form part of its culture.
• Be capable of responding quickly to evolving risks, both internal and external.
• Include procedures for reporting immediately any significant control failings or weaknesses, plus details of corrective actions.

Question 12

Taking the example of fraud by employees, what may the control environment include?

Answer 12

• Pre-employment checks, e.g. references/criminal background.
• Accounting and asset protection measures to prevent fraudulent use/theft
• Policy of legal prosecution against guilty employees
• Periodic audit of finances/stocks
• Regular refresher tests for staff
• Standard operating process, e.g., insisting all staff take at least 2 weeks holiday per year

Question 13

List the types of risk management documentation that may be required

Answer 13

Risk management administration
Risk response and improvement plans
event reports and recommendations
risk performance and certification reports

(Hopkin, p. 414)

Question 14

Define the four components of the business model as listed by Hopkin

Answer 14

CORR

Customer - segments, recruitment and retention
Offering - customer value proposition
Resources - data, capabilities and assets of the organisation
Resilience - reputational and financial resilience

(Hopkin, p.228)

Question 15

The business model represents the existing ________ for the delivery of the ________ _________ and provides a description of ________ and ________ activities.

Answer 15

The business model represents the existing mechanisms for the delivery of the customer offering and provides a description of operational and compliance activities.

(Hopkin, p. 228)

Question 16

Define what the business model delivers according to Hopkin.

Answer 16

The business model represents how the organisation fulfils its vision and mission statement, as well as its aims and objectives.

(Hopkin, p. 229)

Question 17

What is at the heart of the business model, according to Hopkin?

Answer 17

The customer offering

Hopkin, p. 229

Question 18

Describe the EM3 model (Hopkin)

Answer 18

EM3 =

Embrace strategic risks
Manage Tactical risks
Mitigate Operational risks
Minimize Compliance risks

(Hopkin, p. 230)

Question 19

List some of the benefits to an organisation of achieving good standards of corporate social responsibility

Answer 19

Protect/enhance reputation, brand and trust
Attract, motivate and retain talent
Manage and mitigate risk
Improve operational & cost efficiency
Give the business a licence to operate
Develop new business opportunities
Create a more secure and prosperous operating environment

Question 20

Give a definition of CSR (Corporate Social Responsibility)

Answer 20

The EU definition is:

“CSR is the concept that an enterprise is accountable for its impact on all relevant stakeholders.

It is the continuing commitment by business to behave fairly and responsibly and contribute to economic development, while improving the quality of life of the workforce and their families, as well as of the local community and society at large.”

(Hopkin, p. 231)

Question 21

List the scope of issues covered by CSR (Corporate Social Responsibility)

Answer 21

Health & Safety
Employees
Customers
Environment
Suppliers
Community
Products/Services

(Hopkin, table 20.1)

Question 22

List the key groups that are stakeholders in the CSR agenda of an organisation.

Answer 22

Employees
Customers
Suppliers
The General community

(Hopkin, p. 233)

Question 23

List the areas where unethical trading can result in damage to reputation, loss of future profitability and a refusal on the part of customers and suppliers to deal with the orgnisation

Answer 23

Failure to comply with rules and regulations
Trading with undesirable overseas governments
Excessive payments to political parties
Tax evasion or dubious tax arrangements
inappropriate criticism of competitors
false allegations against competitors
Unethical alliances with competitors

Question 24

List the four main components of reputation

Answer 24

CASE

Capabilities, including purpose and resources
Activities, including processes and finances
Standards, including services/products and support
Ethics, including values and integrity

Question 25

Describe the three types of emerging risks

Answer 25

New risks that have emerged in the external environment, but are associated with the existing strategy of the organisation - new risks in known context

Existing risks that were already known to the organisation, but have developed or changed circumstances have triggered the risk - known risks in new context

Risks that were not previously faced by the organisation, because the risks are associated with changed core processes - new risks in new context

(Hopkin, p. 105)

Question 26

List some emerging risks that are not within the control of an individual or organisation

Answer 26

Climate change
Sovereign debt
National security
Changing demographics

Question 27

Give a definition of resilience

Answer 27

“the capacity of an organisation to consistently achieve a desired state following a change in circumstances” (Hopkin, p. 107)

Question 28

List the headings that are normally used to evaluate the risk-aware culture within an organisation, using the CoCo approach

Answer 28

Purpose, vision and mission;
commitment to integrity and ethical values;
capability, authority and responsibilities;
learning and development of competence

(Hopkin, p. 109)

Question 29

What is the role of Internal Audit, according to the IIA?

Answer 29

The role of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively.

(https://www.iia.org.uk/about-us/what-is-internal-audit)