
Chartered Institute of Internal Auditors - Past paper pack

Past Paper Pack Chartered Institute of Internal Auditors 13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX

September 2014

IIA Diploma Past Paper Pack

Corporate Governance and Risk Management

P5 Friday 6 June 2014 Morning session
Time allowed – 3 hours and 10 minutes
DO NOT OPEN THIS PAPER UNTIL INSTRUCTED BY THE INVIGILATOR

Candidate information and instructions

There are two questions in Part A and four questions in Part B. Answer both questions in Part A and any three questions in Part B on the answer sheets provided. There are 100 marks available in this paper. Organisations marked with an asterisk, *, are fictitious. No similarity with any real organisation is intended nor should it be inferred. Start each question on a separate answer sheet. Do not identify yourself in answering any questions. Enter your candidate number, the paper number, the question number and the page number within the answer at the top of each answer sheet used. Any plans/notes that are made for each question should only be made on official IIA exam paper. Separate answer sheets should be used for each question plan. Clarity and logic of your answers, effective presentation and good use of English will be taken into account by the examiners when marking this paper.

PART A

There are two compulsory questions in this section. Questions one and two relate to the following scenario.

Robsons Plc* is a regional supermarket chain, originally serving the east Midlands. In recent years the chain has rapidly expanded its operations further across the UK and Ireland. This rate of growth has been quicker than the board could ever have imagined. This has been achieved in part as the result of depressed commercial property prices in recent years. With significant cash reserves, Robsons has been able to purchase prime locations in many cities and towns. This approach has been supplemented by the purchase of two retail site portfolios by acquisition of a furniture store chain and a carpet store chain from companies that had gone into liquidation. Despite this, the board has become concerned following a succession of recent surprises that has left them reacting to events on a number of fronts. In 2013, Robsons was found to be selling a number of products containing horsemeat. Further bad press arose later in the year as pressure groups criticised the chain for dumping hundreds of tonnes of out of date food each week. Most recently, in early 2014, the packing plants of some of Robsons’ key suppliers were found to be employing significant numbers of illegal immigrants in unsafe working conditions. There has also been recent press speculation that Robsons might be vulnerable to a takeover by one of its larger competitors. Robsons’ chief executive is frustrated at constantly having to offer apologies and excuses, and wants to introduce some sort of structured method of horizon scanning to anticipate strategic risks to the company. The chief executive remains ambitious for further development and growth for the company, not only through geographical expansion but also through moving into the online shopping market. However, the recent crises have resulted in some of the board being reluctant to take additional risks.

The chief executive is keen to see the development of a risk management methodology that will enable managers to risk assess development and expansion options in order to take better advantage of the opportunities available. The chief executive also feels that the board and senior management are operating with insufficient management information. There has been a constant succession of localised problems, with individual store managers frantically chasing stock to meet demand and no overall national management control. Local managers have also implemented their own policies and processes. The chief executive realises that in order to safely develop the company further, there is a need to establish clear management structures, policies and company processes in order to provide the stability and consistency required to support growth. The chief executive also wishes to refocus efforts on highlighting the corporate social responsibility successes of the company.

QUESTION ONE

a. Describe the stages necessary for the implementation of an effective risk management framework across Robsons. 12 marks

b. Explain how risk management could be used at Robsons to support strategic planning and mitigate strategic risks. 8 marks

SYLLABUS REFERENCE

2.1 The principles of risk management

2.2 The structures and processes of (enterprise-wide) risk management

MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit

Question | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a. Up to 2 marks available for each stage of implementation of a risk management framework, providing an adequate description is given. | 12 | - | - | 12
b. Up to 8 marks available for an explanation of the application of risk management in a strategic context. Marks not divided but may be awarded for different elements of a structured explanation, to a maximum of 2 marks per key point. | - | 8 | - | 8
Total | 12 | 8 | - | 20

a. Candidates should describe the stages required to successfully implement a

risk management framework across the company. Stages described could include the following:

1. Setting the company objectives. Before Robsons can determine the risks they are facing they need to have a clear understanding of their objectives. Therefore the first step in any risk management framework has to be defining and agreeing the company objectives including SMART characteristics – ie objectives should be Specific, Measurable, Achievable, Realistic and set within a Timeframe. Breaking down the elements of each objective will assist in the next stage.

2. Identify risks to the achievement of Robsons’ objectives. This should be done in the context of the company’s internal and external environments and consider a range of factors using tools such as PESTLE. Risks can be identified in a variety of ways including Control Risk Self Assessment workshops, brainstorming sessions or questionnaires. Risk identification should become an integral part of any planning process and should be used whenever new objectives are defined or existing objectives modified in any way.

3. Assessing the impact and likelihood of each risk to Robsons’ objectives. The impact of a risk is the potential extent of the effects on Robsons’ objectives should a risk materialise. Impact need not necessarily be an absolute concept as a risk may materialise to a greater or lesser extent. The likelihood associated with a risk is the probability that the specific risk will materialise.

4. Allocate ownership, define the risk appetite and any responses to the inherent risk. The owner of each risk will have an appetite for how much risk they are willing to tolerate in respect of the objective which is the target outcome of their work. The risk owner should compare his appetite with the inherent level of risk and implement any responses or actions required to bring the residual risk within that level of appetite. The risk owner may choose to Treat, Tolerate, Terminate or Transfer the risk.

5. Monitoring responses to the risk. When responses to the risk have been commissioned to change the residual risk assessment, the effectiveness of those actions has to be monitored to gauge whether or not they have achieved the desired outcome. For example, the internal audit function may be requested to provide assurance on particular elements of a control framework.

6. Corrective action. Where the risk responses are found not to be having the desired effect in terms of reducing risk, corrective actions need to be taken and lessons learned from the experience. For example, the internal audit review referred to in item 5 above might make some recommendations for control improvements, and the implementation of these recommendations would constitute corrective action in this context.

A risk management framework can be introduced to Robsons using recognised project methodologies including the use of project plans and milestones and regular reports to the audit committee of the board demonstrating progress against those milestones.

Progress should be facilitated by the provision of appropriate training to all involved as well as appropriately supported IT tools. A monthly risk reporting cycle and clearly established risk ownership and escalation protocols would also facilitate the development of a transparent process in which the responsibilities and accountabilities of all involved are clearly visible.

Change management methodologies should be implemented and each business area given targets in terms of implementation which could later be developed to address progress in terms of achieving different stages of risk maturity.

b. Candidates should provide an explanation of the application of risk management in a strategic context and may draw on elements including:

1. Definition of strategic objectives during the longer-term planning process and the subsequent identification of risks arising from those objectives and the deployment of steps 1 to 6 above will enable Robsons’ Board to have greater confidence in the successful delivery of their strategic objectives. Risk analysis can also be used to analyse the risks associated with alternative strategic plans and to determine whether or not those risks can be mitigated effectively.

2. The ongoing need to monitor strategic risks and to make best use of the longer horizons provided by longer term planning to manage risks effectively rather than ignoring things that seem distant.

3. Strategic planning linked to strategic risk management can be used to effectively deploy resources in a considered way to manage risks within appetite.

4. Strategic planning often employs tools such as PESTLE, Five Forces and SWOT in assessment and workshop activity. The outputs of these exercises can help generate ideas and identify new strategic risks to the achievement of key objectives. These can then be addressed through the risk management process.

5. A longer-term view provides risk owners with the opportunity to manage risks selecting from the available risk responses in a structured and considered way rather than responding through fire fighting more immediate risks with diminishing options available.

Taking a strategic perspective provides greater opportunity for managers to consider the environment in which they are trying to deliver their objectives and to consider strategic risks arising from environmental factors.

EXAMINERS’ COMMENTS

Candidates attempting Question 1 achieved some good marks, with the majority of candidates being able to provide a well-structured answer for part (a) in particular. With 12 marks available for part (a) this resulted in many candidates reaching close to a pass mark before attempting part (b). Answers provided in respect of part (b) were less confident. A significant number of candidates simply repeated the stages described in part (a), changing their answers only by the addition of the word ‘strategic’. However, a number of candidates developed well-reasoned explanations of how risk management could be used specifically in a strategic planning and strategic risk management context. Overall, we were genuinely pleased at the quality of the majority of the answers on this occasion.

QUESTION TWO

Given the recent failures at Robsons, one of the policies that the chief executive wishes to introduce is a corporate social responsibility (CSR) policy.

a. Evaluate the benefits of introducing a CSR policy at Robsons. 8 marks

b. Assess the challenges involved in enhancing CSR practices at Robsons. 12 marks

SYLLABUS REFERENCE

1.4 The main concerns of stakeholders as regards corporate social responsibility and sustainability.

MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit

Question | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a. 1 mark for each benefit identified and 1 mark for each benefit evaluated linked to the scenario context. Max 8 marks (4 evaluated benefits) | 4 | - | 4 | 8
b. 1 mark for each challenge identified and 2 marks for assessment linked to the scenario context. Max 12 marks (4 assessed challenges expected) | 6 | - | 6 | 12
Total | 10 | - | 10 | 20

a. The benefits of Robsons PLC implementing a CSR framework include, but are not limited to the following:

Safeguarding Brand / Reputation - Improves the organisation’s reputation and brand with stakeholders and customers. May help mitigate the fallout from Robsons PLC selling products containing horsemeat.

Prevention against CSR incidents - Through embedding CSR, the organisation would be less likely to find itself in irresponsible corporate social positions such as dumping hundreds of tonnes of out of date food each week.

Supplier Management - Through embedding CSR, Robsons could define standards against which they can assess their 3rd party suppliers to ensure CSR adherence. E.g. Robsons’ suppliers were employing illegal immigrants, which could have been prevented/detected with an effective CSR framework encompassing 3rd parties.

Increased Investment - Attract more investment as investors may favour organisations with strong CSR both from an ethical perspective or financial in that they would be less likely to be impacted by CSR incidents.

Increased employee engagement – An organisation that is devoted to CSR could realise increased employee engagement, as employees are working in an organisation whose values could be close to their own, or employees may feel that they make an effective contribution to CSR in their day to day role.

b. The challenges in enhancing CSR practices include, but are not limited to the following:

Lack of buy in from senior management - support for any CSR initiative may be hard to find, as there may be no perceived bottom line benefit to CSR and there is additional cost associated with it. It would be essential to engage senior management from the outset and clearly articulate the benefits of implementing CSR, such as safeguarding brand reputation and increased stakeholder and investor confidence.

Lack of buy in from staff to support any CSR initiative, as it is something else to do in addition to the already heavy workload. It is essential to demonstrate the reasons for CSR activities and the benefits to the environment, society and local community.

Changing stakeholder perceptions given the previous issues that Robsons PLC has encountered over the years. Stakeholders may be sceptical about Robsons PLC’s approach to CSR given the horsemeat and out of date food dumping incidents. Robsons will need to ensure that CSR is on the agenda for the long term and that CSR is ingrained in the organisation’s culture.

Poorly defined CSR strategy would result in limited realisation of CSR benefits, e.g. if the CSR strategy did not include third parties, Robsons PLC could be impacted by CSR incidents from its 3rd parties. It is essential that Robsons PLC seek specialist skills in CSR and ensure that the CSR strategy covers all aspects of the business.

Ineffective CSR measurement system to identify CSR progress and benefits. This may result in a lack of resources and support to the CSR programme as benefits are not perceived by Senior Management.

Unclear CSR roles and responsibilities may result in a lack of ownership and progress with the CSR strategy. CSR is a company-wide initiative across Robsons and requires support from a Board sponsor and representatives from across the business each with clear CSR roles and responsibilities. Management can then be held to account on their contribution to delivering the CSR strategy.

EXAMINERS’ COMMENTS

Corporate Social Responsibility (CSR) is a key theme within corporate governance. If ignored, or undervalued, CSR could result in serious repercussions for any organisation, which could ultimately lead to their failure. Part (a) of this optional question focused on candidates identifying the benefits of introducing a CSR policy. We were pleased to see that candidates generally identified the benefits of implementing a CSR policy, including safeguarding brand/reputation, prevention against CSR incidents, effective supply chain management, enhanced investment and increased employee engagement. However, the differentiation between candidates and their results came down to the evaluation of each benefit identified. A large number of scripts simply stated the benefit and did not elaborate, whereas candidates that scored well clearly articulated an evaluation to help determine the significance of each benefit. Part (b) of the question focused on an assessment of the challenges that Robsons would face in enhancing CSR practices. The answers varied in quality and, as we saw in part (a), the key difference in marks awarded came down to the assessment of each challenge. A large number of candidates simply stated the challenge and did not elaborate on the likely consequences. Overall there were a number of good answers, but these were outweighed by answers where we felt just a little more effort and focus on the question descriptors would have been beneficial.

PART B

There are four questions in this section. Answer any three questions.

QUESTION THREE

You are an internal auditor at a housing corporation that provides services for local authorities across east London. A newly appointed non-executive director with a background in financial services has raised a question about the impact of corporate culture and the management of risks relating to it. The head of internal audit has asked you to carry out a preliminary review in which you:

a. Identify five key components of corporate culture in the housing corporation and explain the importance of each. 10 marks

b. Describe five risks relating to these components and suitable measures to mitigate these risks. 10 marks

SYLLABUS REFERENCE

1.2 The characteristics of good governance in public, private and not-for-profit organisations

2.1 The principles of risk management

2.2 The structures and processes of risk management

2.3 How organisations manage risks

MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit

Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a. Five components of corporate culture - 0.5 mark for identification (remember) - 0.5 mark for explanation (understand) | 5 | 5 | - | 10
b. Risks - 1 mark for description of each risk (5); suitable measures to mitigate the risks - 1 mark for each outline (apply) (5) | - | 10 | - | 10
Total | 5 | 15 | - | 20

Culture is set from the top of the organisation: established by the board (vision), promoted by the CEO (strategy), demonstrated by the senior management (example), adhered to by all employees (action).

a. Key components of corporate culture include, inter alia:

Vision and values, mission to enhance life chances with focus on users of social housing

Business plan and priorities, set by top leadership and senior management to reinforce values

Objective setting for individuals in line with vision and goals of corporation

HR policies on remuneration and incentives

HR policies on appraisal and performance monitoring, discipline etc

b. Risks related to corporate culture in general

Mismatch between vision and values with behaviour and attitudes of senior managers

Lack of understanding and commitment from staff

Inadequate corporate governance structures, no clear accountability

Weak preventive measures

Culture intangible, hard to measure or evaluate

Risks related to housing services in particular

Conflict between corporate goals (profit) and service standards

Temptation for personal gain in housing development market

Possibilities for kickbacks in contracting for construction industry

Performance measures not related to needs of vulnerable service users

Reputation: damage from adverse incidents is slow to recover

Mitigation could include aspects of:

Culture of openness not secrecy, transparency not cover up, honesty not denial

Values based decision making process

Corporate social responsibility focus


Zero tolerance policy for breaches of ethical standards

Credible whistleblowing process, safe channel for employees to voice concerns without fear of recrimination

Internal audit reporting on effectiveness of governance, visible support from audit committee and board to implement recommendations for improvement

EXAMINERS’ COMMENTS

This proved to be an unpopular optional question, despite culture being a topical area of interest in respect of corporate governance and risk management. Candidates produced a range of key components for corporate culture based on different models with varying relevance. Credit was given for points made that were clearly linked to the cultural element of the question set. Successful answers combined both the general components of corporate culture common to all organisations and the specific cultural risks for the housing corporation. Common shortcomings in the answers included:

Employing the word culture interchangeably with governance and focusing on the structure of the board rather than the organisation as a whole.

Using the COSO framework with its emphasis on risk management and internal control but without linking these elements to the culture of the organisation.

Considering specific external issues for the housing corporation such as government housing policy without any obvious connection to the corporate culture.

Ignoring the scenario altogether and making no reference to the range of issues that could be faced by the housing corporation.

A number of answers would have benefited from further expansion to develop the relevance of the points given. The use of bullet pointed notes instead of complete sentences often resulted in the logical connections being inferred rather than stated. In many cases, the connection to the terms of the question was not always clear. Finally, we were disappointed to see that a few candidates identified the absence of the component of corporate culture as the risk and implementing it as the mitigation. This led to repetition in the two parts of the question and a circular argument in part (b). Overall this question was not answered as well as we had hoped, and given its relevance and topicality we will undoubtedly revisit the issue of culture again in the future.

QUESTION FOUR

You are a senior internal auditor within a listed UK company, where the chief executive and chair roles are currently being exercised by one individual. The chair of the audit committee has sought your advice on this arrangement and has asked for a report in which you:

a. Explain what good practice suggests about an individual holding both the chief executive and chair roles in a listed UK company. 6 marks

b. Identify the risks the company faces in maintaining the dual role of chief executive and chair. 8 marks

c. Describe what could be included within the company’s annual corporate governance statement to help explain the benefits of maintaining the dual role of chief executive and chair. 6 marks

SYLLABUS REFERENCE

1.1 The principles and development of corporate governance in the UK and Ireland in public, private and not-for-profit sectors

1.2 The characteristics of good governance in public, private and not-for-profit organisations

2.6 Practical techniques for implementing risk identification, analysis and evaluation in an organisation including the identification of appropriate mitigation for common risks

MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit

Question | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a) Explanation of good practice in UK corporate governance in respect of holding both roles | 6 | - | - | 6
b) Identification of potential risks | - | 8 | - | 8
c) Potential inclusions within the annual governance statement to address potential shareholder concerns | - | - | 6 | 6
Total | 6 | 8 | 6 | 20

a.

UK Corporate Governance Code 2012 is the key element of good practice

The code is an evolutionary development and so former iterations of the code/guidance underpinning it will be accepted where relevant

Comply or explain principles (i.e. not prevented from following the main provisions and principles but should state why not)

The guidance states quite clearly within leadership guidance (A.2.1) that the roles of chairman and chief executive should not be exercised by the same individual

The guidance also covers the role of the chairman, in so far as there should be a clear division of responsibility at the head of the company between the:

- Running of the board
- Executive responsibility of running the company's business

Crucially, no one individual should have unfettered powers of decision.

b. Potential risks could include:

No balance of power within the leadership of the company

Chief Executive and Chairman are the two most authoritative positions in the boardroom - role vested in one individual in effect raises the possibility of 'fear' within the boardroom

No checks and balances/poor decision making at board level

Poor decision making - views of one individual take precedence

Less opportunity to take advantage of the diversity of skills/experience of the board

Role/influence of non-executive directors (not just the chairman) reduced

Potential conflict of interest issues are heightened

Both roles are highly paid - risk of one individual earning high levels of remuneration - and potentially holding the levers to influence their remuneration

Tone at the top (chief executive) could be allowed to follow aggressive behaviour without effective (and independent from the chairman) board challenge/ debate

Absence of effective oversight of the strategic direction of the company for shareholders

Heightens the impact of the loss of one individual (for example short notice stress - there are several recent examples of high profile leaders taking time off for stress - e.g. Lloyds Banking Group)

Reference to real scenarios, and the risks thereof, that have shaped the development of corporate governance good practice: where one individual has held the dual role (e.g. Sir Stuart Rose at M&S), or where powerful individuals within organisations have held sway - which the split of roles is designed to address (e.g. Robert Maxwell; Fred Goodwin). Sets out how a risk can be transferred

c. Comply or explain principles allow the company to explain why an individual may hold both roles - in contradiction to UK Corporate Governance Code. The Financial Reporting Council issued guidance in February 2012 as to what constitutes an explanation under 'comply or explain'. Such an explanation should aim to address shareholder concerns. Examples of possible explanations could include:

It is a short-term measure to address a specific challenge or company objective. This could include:

- The return of the founder of the company
- An individual with relevant experience

The delivery of company results and/or objectives under the dual role holding arrangement

An outline of the time line that the company will be in 'noncompliance' with the code (i.e. it is not a situation that is going to run and run)

Could refer to the guidance requiring that a chief executive should not go on to be the chairman of the same company. If the company was recently due to lose both posts - and therefore the current situation was simply a holding position until (e.g.) a new Chairman is appointed

The explanation may also set out how the company recognises the risks of an individual holding both roles. But further sets out how it is mitigating these risks and what it has put in place to do so (key themes to address being the issues of leadership, independence of the Chairman and unfettered powers/ decision making)

Reference to the salary/ rewards being paid to the individual holding both roles

The explanation should be specific to that company

Major shareholders could be asked to discuss/raise their concerns with the company on the arrangement - prior to the annual statement being issued. Thus:

- Key concerns raised at this meeting could then be explicitly referred to in the statement

- This would additionally allow the explanation to be coherent and make sense to shareholders

Answers may also recognise that there are other stakeholders to the company - not just shareholders - who may take an interest in the dual role holding.

EXAMINERS’ COMMENTS

Overall, this question was both popular and well answered. Good, well-structured answers were, as has been noted in previous sittings, often provided together with a short answer plan. These showed where candidates had thought through the question briefly in advance. Answers which had clearly been planned through tended to score very well; especially those which were able to expand on the points they were making by referring to real examples and/or attributing their answer directly to the context provided in the question. A few candidates did not answer the question set but wrote general points about corporate governance. A small number of candidates did not refer at all to The UK Corporate Governance Code (2010 or 2012). Of those that did, quite a number struggled to name the code correctly. Given the title of the exam paper this was concerning. Part (c) was the weakest answered part for several candidates. A number of candidates delivered generic observations on what should appear in an annual corporate governance statement without attributing the points made to the question context. While the question had three parts, many answers did not reflect the marking allocation across the question. Some candidates wrote far too much on some question parts and far too little on others. Once again, this may be an indicator of answers that would have benefited from a short plan to enable candidates to think through their answer before committing pens to their final answer.


QUESTION FIVE

You have recently conducted an audit on risk management in your organisation. One of your key conclusions is that the risk management maturity of the organisation is ‘risk aware’. Your head of internal audit has asked you to prepare a paper for the audit committee in which you:

a. Contrast how risk management differs in a ‘risk aware’ organisation to a ‘risk managed’ organisation.

10 marks

b. Discuss whether the approach to auditing risk management should differ if the organisation is ‘risk aware’ or ‘risk managed’.

10 marks

SYLLABUS REFERENCE

2.1 the principles of risk management, including: • definitions of risk, including (enterprise-wide) risk management and risk assurance, risk appetite and risk management strategies

2.4 the relationship between internal audit and risk management, including the choice of roles available to internal audit and the consequences for corporate governance

2.7 the building of a risk-based audit work plan

MARK SCHEME

Mark schemes are not definitive - valid points not listed will receive credit.

| Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks |
|---|---|---|---|---|
| 0.5 for paper format | 0.5 | | | 0.5 |
| a. Introduction or definition of risk management; 9 marks for contrasting the difference between risk aware and risk managed organisations | 0.5 | 9 | | 9.5 |
| b. 0.5 for stating that the audit approach would differ in risk aware and risk managed organisations; 1 to 2 marks per point for describing the difference in the audit approach in risk aware and risk managed organisations | 0.5 | 9.5 | | 10 |
| Total | 1 | 19 | | 20 |

BRIEFING PAPER

To: The Audit Committee
From: Internal Auditor
Date: June 2014
Subject: The risk maturity of the organisation and recommended internal audit strategy


Risk management is ‘a process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organisation’s objectives’ (IIA).

Risk maturity: The extent to which a robust risk management approach has been adopted and applied, as planned, by management across the organisation to identify, assess, decide on responses to and report on opportunities and threats that affect the achievement of the organisation’s objectives.

a. The differences between risk aware and risk managed organisations can be demonstrated in the following table:

| Risk Aware | Risk Managed |
|---|---|
| Scattered silo approach to risk management | Enterprise approach to risk management developed and communicated |
| Some limited training | Management have been trained to understand what risks are and their responsibility for them |
| No consistent approach defined for assessing risks | Scoring system for assessing risks has been defined |
| Risk appetite not defined | Risk appetite of the organisation has been defined in terms of the scoring system |
| Unlikely processes are defined | Processes have been defined to determine risks and these have been followed |
| Some incomplete lists of risks may exist | All risks have been collected into one list. Risks have been allocated to specific job titles. |
| Some incomplete lists of risk assessments may exist | All risks have been assessed in accordance with the defined scoring system |
| Some responses have been identified | Responses to the risks have been selected and implemented |
| Some monitoring controls | Management have set up methods to monitor the proper operation of key processes, responses and action plans |
| Some risks are reviewed but inconsistently | Risks are regularly reviewed, probably quarterly, by the organisation |
| No reporting | Management report risks to directors where responses have not managed the risks to a level acceptable to the board |
| Projects not routinely assessed for risk | All significant new projects are routinely assessed for risk |
| Responsibility for determination, assessment, and management of risks is not included in job descriptions | Responsibility for determination, assessment, and management of risks is included in most job descriptions |
| Managers don’t provide assurance on the effectiveness of their risk management | Some managers provide assurance on the effectiveness of their risk management |
| Managers are not assessed on their risk management performance | Some managers are assessed on their risk management performance |

b. The first stage in risk based internal audit (RBIA) planning is to review the organisation’s level of risk maturity. The outcome of this assessment will determine the approach internal audit should take to auditing risk management. The approach will differ depending on the risk maturity of the organisation. The approach to auditing risk management differs in the following ways:

Implementation of RBIA

Risk managed organisations have a developed and communicated enterprise approach to risk management. This means the audit planning can be driven by the organisation’s risk register. RBIA can be implemented. A risk aware organisation has a scattered silo based approach to risk management. This suggests that the organisation’s system of internal control and the board’s ability to assess it may be ineffective. Therefore the organisation’s risk management processes cannot be relied on and RBIA cannot be implemented straight away.

Audit planning approach

In risk managed organisations reliance can be placed on management’s approach to risk and this can be used to determine the ‘universe’ of auditable areas, the scope and priority of assignments and the specific areas for review. In this way management’s view of risk drives the audit plan. In risk aware organisations, internal audit will need to plan its audit work using its own assessment of the organisation’s key risks or an alternative framework such as key systems or business units.

Audit work

In risk aware organisations internal audit should report their assessment of the risk maturity to management and to the audit committee. They should then provide assurance on control processes. In risk managed organisations, internal audit provides assurance on the risk management processes, management of key risks and reporting of risks.

Championing Risk Management

In risk aware organisations Internal audit can help improve risk management and governance processes by championing risk management throughout the internal audit activity’s work.

Consultancy services

In a risk aware organisation internal audit can provide consultancy to support management in improving the organisation’s risk maturity. This may include facilitating risk identification and evaluating risks; working with management to identify any actions they propose to take to improve maturity; facilitating workshops with management to define scoring systems, risk appetite, risk management processes; consolidated reporting on risks; and training management in risk management. In risk managed organisations, internal audit can provide consultancy on improving risk management for instance facilitating training and promoting risk management processes throughout the organisation. However the majority of the internal audit approach will be to conduct their core roles in enterprise wide risk management.


Conclusion: The maturity of risk management in the organisation will have a significant impact on the approach internal audit will take to auditing risk management.

EXAMINERS’ COMMENTS

The vast majority of candidates demonstrated a good knowledge of risk maturity levels, how these were related to risk management and how these impacted internal auditing. The question was answered well, with a number of candidates achieving high scores and a few achieving full marks.

The majority of candidates were able to contrast risk management in a risk aware and risk managed organisation. Most candidates were able to link the maturity level to risk based internal auditing and explain how the audit approach should differ depending on the maturity level. Many candidates gave good examples of the type of consultancy work that internal audit could do in both types of organisation.

Candidates who scored less effectively tended to:

- Have over-lengthy introductions explaining risk management, risk based internal auditing or thoroughly describing the risk maturity model.

- Confuse what to put in part (a) and part (b) of their answers. In part (a), a number of candidates described how internal audit should deliver assurance and provide consultancy in risk aware and risk managed organisations. These points were better made in part (b). In part (b), some candidates also more thoroughly described the risk management at the different types of risk maturity than they had done in part (a). Unless the answer was directly related back to the question in both of these cases no marks were given.

- Have very detailed answers for one part of the question but seem to run out of time when it came to the other part. In addition it was clear that time was a factor for some candidates as there were a number of short answers. In these instances candidates may have better employed a tabular approach to get their points across as quickly as possible. Candidates who adopted a table type format for part (a) tended to score well and avoided repetition in their points.

In conclusion, the overall standard of the answers was good with over 90% of candidates achieving more than 50% of the available marks. Well done!

QUESTION SIX

Business investors are keen to ensure that companies have effective ethical practices. Your team’s 2014 audit plan includes an internal audit of business ethics. Your head of internal audit has asked you to prepare a paper in which you: Describe ten key aspects that an internal audit of business ethics should cover, and justify each aspect chosen.

20 marks


SYLLABUS REFERENCE

1.1 The principles and development of corporate governance in the UK and Ireland in public, private and not-for-profit sectors

MARK SCHEME

Mark schemes are not definitive - valid points not listed will receive credit.

| Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks |
|---|---|---|---|---|
| Your Head of Internal Audit has been asked by the Audit Committee to undertake an internal audit of business ethics. Prepare a paper for your Head of Internal Audit in which you: Describe ten key aspects that internal audit should cover, justifying each aspect chosen | Up to 1 mark | 1 per aspect identified | 1 per aspect justified | |
| Total | | 10 max | 10 | 20 |

Appropriately formatted paper

Definition/explanation of business ethics

Ethics in business describes the culture and behaviour within an organisation that helps it to maintain open, honest and fair interactions with all the organisation’s stakeholders. High ethical standards within an organisation enhance its reputation and build commitment and trust in it. It is also good for investor confidence and good for the long term success of the organisation.

Ten key aspects that internal audit should cover, justifying each aspect chosen:

1. Board

The board should communicate the organisation’s ethical policy and ensure that ethical conduct is a standing item on the board’s agenda. The board must regularly discuss ethics to show its importance to them and thus help embed it in the organisation’s culture.

2. Leadership

The board needs to promote and demonstrate the ethical values and behaviours. If the board does not demonstrate appropriate behaviour then values will never become embedded in culture.

3. Business Strategy

Business strategy needs to align to ethical values. To become part of the culture, values must underpin policy and behaviour throughout the organisation. The board and managers should perform social impact assessments on the impact and consequences business decisions and their implementation have on CSR.

4. Shareholders/Investors

Openness and dialogue with key stakeholders and shareholders based on mutual understanding of objectives is vital to good ethical procedures. New investment: ethical organisations will attract socially responsible investment funds.

5. Risk Management

Risk management processes should identify key risks to the organisation’s objectives and there should be an effective risk management methodology for evaluating, assessing and managing risks. Failure to look far enough ahead in the risk management process will prevent an organisation anticipating risks or monitoring and addressing the development of risks and will leave them in a “fire fighting” position, reducing the opportunity to implement planned and cost effective mitigations. This would encourage reactive rather than proactive responses. Risk management should include reputational risks. A good reputation attracts customers, suppliers, and partners that share the same values. Strong emphasis reduces the risk of unethical behaviours that could lead to corporate scandals.

6. Legislative Compliance

For example, the Bribery Act came into force in July 2011, and the Ministry of Justice published guidance to help organisations prepare for the Act. One of the Ministry's guidance documents sets out the six principles by which organisations should be guided when putting in procedures to prevent bribery. The six principles are: proportionate procedures, top-level commitment, risk assessment, due diligence, communication (and training), and monitoring and review. Business ethics policies set out desirable and acceptable behaviour for directors and employees to follow. Past corporate scandals have been directly related to unethical and fraudulent behaviour of individuals, leaving the company exposed to legal or regulatory action. Strong emphasis on ethics reduces this risk as employees are clear on what is unacceptable behaviour and the consequences of it. Also staff are not afraid to speak up when they see unacceptable behaviour.

7. Recruitment and retention

Attract and retain the best possible staff long and short term: strong emphasis on business ethics may be attractive to staff looking for family friendly and flexible working. Use of staff surveys to demonstrate high employee satisfaction leading to better staff retention and productivity. Strong ethical stances help ensure that staff are proud to work for the company.

8. Performance Management

Reward strategies must shape the right behaviour. To embed ethics, individual performance measures should promote it and not encourage rule bending.


The board and sub-committees should ensure that the remuneration policies, especially on senior staff bonuses, are fully transparent and fair.

9. Reporting, Reviews and Benchmarking

A business ethics champion who is in charge of leading the ethics programme and reports directly to the CEO.

10. Compliance with UK Corporate Governance Code

The organisation should comply with the UK Corporate Governance Code or explain any deviations. Internal audit can look at the last review to see if any ethical issues/noncompliance were mentioned and assess the impact on the organisation.

EXAMINERS’ COMMENTS

In question six we sought to test candidates on the fundamental components of business ethics. The majority of candidates performed very effectively in their answers, clearly describing and justifying ten key aspects that should be covered in an internal audit. High scoring candidates were able to provide a wide range of areas they would cover. Popular examples included the board’s commitment, shareholders/investors, recruitment and retention. However, a few candidates gave very general details associated with undertaking an internal audit rather than directly linking their answer to business ethics. A small number of other candidates appeared to struggle with the question set and wrote short lists of words that were not sufficiently expanded to gain all of the available marks. Unfortunately a few candidates also wrote long introductions and then appeared to run out of time describing and justifying the ten key areas. This was a shame as many clearly knew the subject area being examined. In conclusion, the majority of students provided very thorough answers with appropriate details and content that demonstrated a professional knowledge of business ethics. As a result, we were broadly pleased as a number of good results were achieved by candidates on this 20 mark question.

END