The Control Environment Flashcards

IRMCert Mod 2 - Unit 5: Risk Assurance & Reporting > The Control Environment > Flashcards

Flashcards in The Control Environment Deck (18):

What can 'control' mean within an org?

1. part of the management process e.g. controlling budgets
2. mechanisms to modify risk ie risk treatment
3. assurance framework e.g. control environment


What type of company is the "FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting" aimed at?

Primarily aimed at companies subject to the UK Corporate Governance Code


What are the key recommendations from the "FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting"?

- Boards determine risk appetite and the desired risk culture
- RM and internal controls embedded in normal business activities rather than run as a separate activity
- Board responsible for identifying the principal risks to objectives, solvency and liquidity, and for agreeing the controls
- Regular programme of RM activities and adequate assurance/monitoring
- Annual report to include disclosures relating to the above

2014 additions:
- Boards to ensure sound internal and external comms processes
- Boards to ensure management understand risks
- Boards to ensure policies and controls are implemented and monitored by management
- Board to ensure timely info from management to board


What 6 components should the board consider to ensure it meets the requirements?

Culture
Discussion
Skills, knowledge and experience
Flow and quality of info
Use of delegation
Assurance


What should the board consider in regards to CULTURE when deciding arrangements?

What do we want to embed and how will it be achieved?

- values communicated by management
- desired behaviour incentivised, poor behaviour sanctioned
- assessment of how well embedded values are at each level of the org


What should the board consider in regards to DISCUSSION when deciding arrangements?

Is there adequate discussion at the board?

- agreed scope and frequency of discussions relating to strategy, business model and risk
- Inclusion of risk assessment in other discussions
- how does impact of strategic decision on risk profile get assessed?
- informed debate and constructive challenge, constant review of effectiveness of decision-making.


What should the board consider in regards to SKILLS, KNOWLEDGE AND EXPERIENCE when deciding arrangements?

Do the board and those with delegated authority have what is required to assess the risks of the org and exercise their responsibilities effectively?


What should the board consider in regards to FLOW AND QUALITY OF INFO when deciding arrangements?

Is info to and from the board adequate?

- specify nature, source, format, frequency
- underlying models understood so challenges can be made
- agreed trigger for urgent escalation outside of standard frequency
- quality of info monitored


What should the board consider in regards to USE OF DELEGATION when deciding arrangements?

Are duties delegated to committees and are their responsibilities and accountabilities clear?

- board satisfied with arrangements
- board retains ultimate responsibility for RM and internal control systems
- remuneration committee should take risk into account when determining remuneration policies and rewards


What should the board consider in regards to ASSURANCE when deciding arrangements?

What is required and how is it obtained?

- where are the gaps and how are these addressed
- assurance might be sought from board, committees and management activities as well as compliance, RM and IA functions
- those providing assurance need sufficient authority, independence and expertise to give objective info to the board


What do the RM and internal control systems include?

Policies, culture, organisation, behaviours, processes and systems that:

- facilitate effective and efficient operations through identification of and response to emerging risk, and safeguarding of assets
- reduce the likelihood and impact of poor decision-making, risk taking outside of agreed levels, human error or sabotage
- ensure the quality of internal and external reporting
- ensure compliance with applicable laws, regulations and internal policies


The board should determine the principal risks to be clear about the extent to which they need to be managed. What are 'principal risks'?

Those that threaten ongoing performance, the current business model, solvency or liquidity.


What should the board consider when determining principal risks?

Size, complexity and circumstances of the org

Awareness of strategy, processes, performance, stage of development and external changes

What constitutes a significant failing


What are the two main ways that the board monitor and review the effectiveness of internal control systems?

Regular, ongoing reporting:

- balanced assessment of risks
- effectiveness of risk assessment and identification of principal risks
- how these have been managed, whether action is being taken, and whether they are the result of poor decisions

Annual review of effectiveness:

- board defines process to be adopted for the review
- consideration of appetite and culture, whether desired culture is embedded
- integration of RM in business activity
- changes to principal risks, and the ability to respond to internal and external changes
- extent, frequency and quality of comms to the board
- review of significant risk events
- effectiveness of public reporting


What disclosures should be included in the annual report and accounts?

- principal risks faced by the org and how they are managed
- whether the directors consider the org can continue in operation and meet its liabilities as they fall due
- the going concern basis of accounting
- information relating to the review of RM and IC systems and the main features in relation to financial reporting


What is the purpose of the annual report and accounts?

Evidence of board's stewardship

Info for the shareholders to be able to hold the directors to account


What should the annual report and accounts include for a Group organisation?

How the board assesses and manages risk in its subsidiaries, or an explanation of why this info is not available.


Annual report should have a Longer Term Viability Statement. What should this include?

Assessment of resilience to the principal risks over a period significantly longer than 12 months, but not so long that the degree of certainty becomes too low to be meaningful.

Directors should use quantitative and qualitative methods, including stress-testing and simulations, giving more weight to downside risks so that opportunities with uncertain outcomes are not overstated.