
Course Schedule

Course Modules

Review and Practice

Exam Preparation

Resources

Module 3: Risk management, control frameworks, and governance


Overview
The scope of internal auditing has expanded over the past century. From a limited focus on compliance and financial integrity, it has grown to encompass the assessment of effectiveness, efficiency, and economy of operations. In recent years, the focus has widened to consider risk management and corporate governance. In Module 3, you learn about the importance of managing risk, control frameworks, control self-assessment, governance, and the role of the audit committee. Specifically, you learn how managers manage risk by assessing risk management practices and providing advice on measures to mitigate risk. When you have completed this module, you should be able to identify, evaluate, and advise on the risk management and internal control systems and communicate weaknesses to the appropriate level of the organization, as well as advise on the design and implementation of new or enhanced internal controls.

Test your knowledge


Begin your work on this module with a set of test-your-knowledge questions designed to help you gauge the depth of study required.

Learning objectives
3.1 Risk management: Explain enterprise risk management and how risk models can help identify specific risks and set appropriate tolerance limits. (Level 1)
3.2 Role of the internal auditor: Explain the role of the internal auditor in the risk management process and how this role changes when there is no established risk management process. (Level 1)
3.3 Risk assessment process: Explain how auditors use risk assessment to assist in audit planning, and compare this approach with traditional approaches to internal auditing. (Level 1)
3.4 Control frameworks: Explain the definition, nature, inherent limitations, and criteria of control as set out by the Committee of Sponsoring Organizations (COSO), and compare the COSO control framework with other frameworks. (Level 2)
3.5 Auditing using control frameworks: Describe the impact of the development of control frameworks on internal auditing and outline the steps in using a control framework as the basis of assessing control in an organization. (Level 2)
3.6 Control self-assessment and continuous auditing: Explain the control self-assessment process, identify its advantages and disadvantages, and outline how continuous monitoring can improve the effectiveness of internal control. (Level 2)
3.7 Governance: Outline the IIA performance standards on governance, the governance responsibilities of the board of directors or equivalent body, and the role of internal audit in corporate governance. (Levels 1 and 2)
3.8 Role of the audit committee: Explain the role of the audit committee of the board of directors. (Levels 1 and 2)
3.9 The Sarbanes-Oxley Act of 2002: Explain how the Sarbanes-Oxley Act of 2002 has affected corporate governance and understand how internal audit may assist in the Sarbanes-Oxley compliance process. (Level 2)
Module summary



MU1 Module 3: Test your knowledge


1. Which of the following functions of control are designed to provide reasonable assurance?
a. Material misstatements (either deliberate or accidental) will be detected and corrected before the financial statements are issued.
b. Management does not override the designed controls.
c. The organization's goals are appropriate in the circumstances.
d. Management's plans have not been circumvented by worker collusion.

2. Who should develop risk tolerances or risk limits?
a. The company's external auditors
b. The company's board and management
c. The company's internal auditors
d. Management and staff working in the related function

3. What is the difference between the term "control" as used by COSO and as used by the IIA Standards?
a. The IIA definition refers to those actions taken to address risks internal to the business; the COSO concept of control includes actions taken to address risks external to the business.
b. The IIA definition mainly refers to accounting controls; the COSO definition refers to operational controls as well.
c. The IIA definition views controls from the auditor's perspective; the COSO definition views controls from a management perspective.
d. There is really no difference between the meaning assigned to the term "control" by the two groups.

4. Which of the following statements about the CoCo control framework is true?
a. It can be applied to the entire organization.
b. The control elements can be developed independently of each other.
c. Use of the CoCo framework is mandatory in Canada.
d. Application of the CoCo framework provides absolute assurance that all risk is eliminated.

5. To which of the following may the board's responsibility for monitoring management control be delegated?
a. The company's internal auditors
b. The company's chief executive officer
c. The company's audit committee
d. It cannot be delegated; it must be exercised by the full board.


MU1 Module 3: Test your knowledge solutions


1.
a. Correct. This is within the purpose of ensuring reliable financial information.
b. Incorrect. This is an inherent limitation of controls.
c. Incorrect. This is an inherent limitation of controls.
d. Incorrect. This is an inherent limitation of controls.

2.
a. Incorrect. These decisions must be made within the company.
b. Correct. The limits should be set by the board and senior management.
c. Incorrect. Auditors may help management identify risks and set limits, but they cannot set the limits themselves.
d. Incorrect. Management and staff may contribute to the identification of risks, but they are not responsible for setting the control limits.

3.
a. Incorrect. External risks are included in the IIA concept of controls.
b. Incorrect. The IIA definition includes the means taken to enhance the achievement of operational objectives.
c. Incorrect. There should be no difference in the view of controls taken by internal auditors and by management.
d. Correct. The term "control" has the same meaning in the IIA Standards and in the COSO documents.

4.
a. Correct. The framework can be applied to an entire organization or to discrete parts of the organization.
b. Incorrect. Control elements are interrelated and cannot be designed or evaluated in isolation from each other.
c. Incorrect. Any organization can choose any control framework or develop its own; in addition, there is no requirement to formally adopt any control framework.
d. Incorrect. It is impossible to eliminate all risk in an organization, whatever control framework is used.

5.
a. Incorrect. This is a board-level responsibility.
b. Incorrect. This must be done by the board, independent of management.
c. Correct. The audit committee is a board-level committee; the board can delegate responsibility to it.
d. Incorrect. The board can delegate to one of its committees.


3.1 Risk management


Learning objective

Explain enterprise risk management and how risk models can help identify specific risks and set appropriate tolerance limits. (Level 1)
Required reading

Reading 2-1, Performance Standards 2120 to 2120.C3 (Risk management) and 2130 to 2130.C1 (Control) (Level 1)
Reading 3-1, Black Swan or Black Sheep? (Level 1)
Reading 3-2, Risk and the Butterfly (Level 1)
LEVEL 1

Enterprise risk
The glossary to the Standards defines risk as the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. Following this definition, the consequences of such risk for an enterprise are adverse if the occurrence of an event creates the likelihood that the enterprise will not achieve its objectives. All organizations (whether commercial, governmental, or non-profit) are established with implicit or explicit goals. In many cases, the goals are set out in the organization's vision or mission statement. Each unit of the organization should make its contribution toward the organization achieving its goals; however, not all organizations will achieve their goals. The impediments to achieving the goals or objectives of an enterprise (or organization) are the risks faced by the enterprise: in other words, enterprise risk or business risk. There was a time when organizations focused primarily on financial risk, the risk of the business failing to meet its financial objectives and perhaps being forced into bankruptcy or liquidation. Today, the concept of enterprise (or business) risk is much broader. Risks to success may include competition, regulatory risk, environmental risk, customer satisfaction risks, integrity risks, and a range of other factors. Each sub-unit of the organization faces a different set of such risks that threaten the ability of the unit to contribute to the organization achieving its goals. It may be true that the adverse consequences of each of these risks can ultimately be measured in financial terms, and that failure to deal with them adequately can result in financial failure for the organization. Nonetheless, it is useful to identify the specific risks facing each enterprise (and its varied departments) in order to determine what steps can be taken to mitigate them.

Enterprise risk management


Enterprise risk management (ERM) means identifying the risks faced by the enterprise, establishing acceptable tolerance limits (risk appetite) for those risks, implementing controls to keep risks within the established tolerances, and testing the controls to ensure that the residual risks remain within those tolerances. Exhibit 3.1-1 shows a risk management process that moves from risk assessment, to establishing risk limits with management, to designing and implementing controls, and then to ensuring that the controls are effective at keeping the risks within the entity's risk appetite. Existing processes can be evaluated, or new processes implemented, to avoid, transfer, or share the risks. Performance can then be measured to ascertain whether it falls within the agreed risk limits.

Exhibit 3.1-1: Enterprise risk management process

ERM is the subject of a report prepared by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the United States.

For additional information, review the PowerPoint presentation on ERM development, Applying COSO's Enterprise Risk Management Integrated Framework, on the COSO website. (This is optional reading and is therefore not examinable.)

Identifying risks using risk models (frameworks)


Increasingly, managers undertake formal processes to identify the risks facing their businesses. For this purpose, a number of risk models have been developed. These models often appeal to both management and auditors because they can be applied to various types of industry processes, and the risk categories (ownership, process, and behavioural) are general enough that they are not product- or service-specific. These models can be used to review a wide range of potential risks systematically. Many large accounting and consultancy firms have also developed generic models that can be adapted to different industries. Using a risk framework reduces the likelihood that a significant risk will be overlooked. Most organizations have little experience in evaluating unusual, infrequent risks, often called black swan risks. Although these risks can have very damaging consequences for a business, they are not often quantified. Reading 3-1 provides some insight into how to improve the management of unusual risks. Reading 3-2 describes a tool that internal auditors can use to evaluate the effectiveness of management's identification of risk, thereby helping to improve the ERM process overall.

Establishing acceptable risk tolerances or limits


Managers recognize that few risks, if any, can be eliminated entirely. Even where this is possible, it may not be cost-effective to do so. For example, a retail store could develop controls that would eliminate shoplifting completely; however, except in rare cases, such as a furrier or a dealer in rare art, the cost of such controls would exceed the losses saved. Therefore, introducing such controls would not assist the company in achieving its objectives. Management should attempt to set risk limits (also referred to as risk appetites or tolerances) for each significant risk faced by the enterprise. Risk limits represent the amount of residual risk that the company is prepared to accept. Example 3.1-1 (a continuation of Example 1.4-1) illustrates this point by considering the risks faced by a hydro-electric utility.

Example 3.1-1: Setting risk limits

The management of a hydro-electric utility should have an extremely low tolerance for dam failures. The utility's dam safety practices should be consistent with this low tolerance and should be designed to minimize the probability of such a failure happening. The utility's management may feel that it has little or no control over the possible deregulation of its industry. The best approach for dealing with this risk may be to attempt to determine its likelihood, and then select alternative plans of action to deal with the various possible scenarios of deregulation. The risk of insufficient electricity supply to meet peak demand can be dealt with in a more straightforward manner. The utility's management can determine the amount of risk that it is prepared to accept. For example, management may decide that it is prepared to risk failing to meet demand once every 25 years. It could obtain information about the lowest temperature expected to occur with that frequency and use predictive models to determine the probable demand under those conditions. Having done that, it could then arrange contracts for the sale of surplus power and contingency arrangements for the purchase of power to bring the risk within the limits decided on. The discipline imposed by this process would likely result in saving money (or generating extra revenue through the long-term sale of surplus power). In the absence of defined risk limits, the utility is likely to have been unnecessarily conservative in its approach to the purchase and sale of power. Similarly, management can determine the amount of risk that it is prepared to take with respect to such matters as bad debt losses, interest rate risk on debt, foreign currency exposure, and fraud, and then implement controls to mitigate the risk. Interest rate risk can be reduced by varying the due dates of debt, foreign currency exposure can be limited through hedging, and appropriate internal controls can be implemented to reduce the risk of bad debts or fraud.

Techniques for mitigating risks


To mitigate the risks faced by an organization, management uses a number of techniques, including the following:
- Avoiding risks (for example, redesigning a business process or eliminating some business activities)
- Diversifying risks (for example, sourcing from several suppliers)
- Controlling risks
- Sharing or transferring risks (through insurance, warranties, and so on)
These mitigating actions should be taken to the extent necessary to reduce the overall level of risk so that it falls within the entity's risk limits, appetites, or tolerances, and therefore can be accepted.


3.2 Role of the internal auditor


Learning objective

Explain the role of the internal auditor in the risk management process and how this role changes when there is no established risk management process. (Level 1)
Required reading

Online reading 3.2-1, IPPF Practice Guide: Assessing The Adequacy of Risk Management using ISO 31000 (Level 1)
Reading 3-3, Navigating Risk Management (Level 1)
Reading 3-4, Managing the Complexity of Risk (Level 1)
LEVEL 1

Standard 2100 of the International Standards for the Professional Practice of Internal Auditing sets out the scope of internal auditing: "The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach." Reading 3-3 provides some practical ideas and examples of how internal auditors can evaluate their organization's risk management program.

The role of internal audit in the risk management process is determined by senior management and the audit committee and is likely to be influenced by factors such as the culture of the organization, the ability of the internal audit staff, and local conditions and customs. The role can change over time. Although in practice all managers manage risks, some organizations do not have an established risk management process in place. In these circumstances, the internal auditor should bring the lack of an established risk management process to the attention of senior management along with suggestions for establishing such a process. The internal auditor should seek direction from the board and management as to internal audit's role in the development of an established risk management process.

The International Organization for Standardization (ISO) is a network of standards bodies that publishes standards relating to technology and business. Online reading 3.2-1 provides insight into why risk management should be integrated into all levels of the organization, and outlines three approaches to providing assurance over the risk management process. Reading 3-4 discusses how ISO Standard 31000 is related to the IIA's Standard 2120 on risk management.


3.3 Risk assessment process


Learning objective

Explain how auditors use risk assessment to assist in audit planning, and compare this approach with traditional approaches to internal auditing. (Level 1)
Required reading

Reading 3-5, Practice Advisory 2120-2: Managing the Risk of the Internal Audit Activity (Level 1)
LEVEL 1

Auditors use risk assessment to assist in the planning of both their audit schedule and the individual audits carried out. Risk assessment (in audit planning) requires an auditor to identify auditable activities, identify relevant risk factors, and assess their relative significance. The risk assessment process requires that an auditor assess and integrate professional judgments about probable adverse conditions and/or events from various information sources. The process implies establishing the consequences of risk realization and determining risk reduction strategies using a cost-benefit analysis approach. The risk assessment process assists an auditor in planning by establishing audit priorities and developing an audit work schedule for an enterprise. The Standards recognize that the effects of risk go beyond financial matters and include, for example, potential customer dissatisfaction and negative publicity. Online reading 3.2-1 sets out the guidelines for evaluating the adequacy of the risk management processes.

Traditional internal auditing compared to risk-based auditing


In the conventional paradigm of internal auditing, the audit focus was on the control system, that is, the internal controls in place to mitigate the various risks faced by the business. Controls were tested and recommendations made to address identified control weaknesses. In contrast, risk-based auditing begins with the organizational objectives, then considers the risks and examines the methods used to mitigate those risks. The following example shows how an internal audit of a long-distance telephone service provider's invoicing cycle can be performed using risk-based auditing.

Example 3.3-1: Comparing risk-based and traditional auditing

Tony's Telefonica needs to implement controls to minimize the risk of not billing or underbilling for services. Using traditional internal auditing methodology, Marie Blais, the internal auditor, identifies the controls stated to be in place, then tests them to establish that they were adequately designed and functioning as intended. Thus, Marie confirms existing practice or recommends additional controls, and provides management and the board with reasonable assurance that the controls were operating as intended. The focus of this traditional auditing is on controls. Using risk-based auditing, Marie first works with management to identify the business objectives and the related risks to achieving these objectives (in this case, the risk of failing to bill, or underbilling, its telephone customers). Management, working together with Marie, quantifies the amount of (dollar) risk that it is prepared to accept (if it hasn't done so already). Marie then conducts an audit to determine whether the unbilled time falls within the tolerances established by management. This consists of audit testing for unbilled or underbilled revenue. Based on the errors found during the testing, Marie can then extrapolate to estimate the likely amount of underbilling with the present controls in place and working. This estimate is compared with management's risk limits. Possibly, the billing cycle is overcontrolled and the estimated losses are significantly less than the tolerances established by management. Marie will then look at the costs of the controls and determine whether the additional accuracy is being attained at a cost that justifies continuing with the controls in place. She may conclude that the additional accuracy is being achieved at a cost greater than its value to the company and recommend that unnecessary controls be removed. Alternatively, she may conclude that revenue losses exceed management's risk limits and suggest steps to reduce the unbilled or underbilled revenue.

Before controls can be evaluated, management should determine the level of risk it is prepared to accept in the area to be reviewed. This risk limit should be identified in terms of reducing the likelihood and/or potential impact of the key threats to the achievements of the major objectives for the area under review. Once the acceptable risk level has been determined, the controls currently in place can be assessed to determine how successful they are expected to be in reducing the risks to the desired level.
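The following Python script is an added illustration of the risk-based audit in Example 3.3-1; it is not part of the course material and Tony's Telefonica has no such code. It assumes a constructed sample of eight invoices that the auditor has re-rated from the call records, a constructed inventory of billing controls with assumed annual costs and assumed loss-prevention figures, an assumed annual revenue of $2,000,000, and an assumed management risk limit of $250,000. The script projects the sample's underbilling rate onto annual revenue, compares the projection with the risk limit, and then applies the cost-versus-value reasoning from the example: a control is flagged for removal only when it costs more than the loss it prevents and dropping it still keeps the projected loss within the limit.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InvoiceSample:
    invoice_id: str
    billed: float    # amount actually invoiced to the customer
    rerated: float   # amount the auditor recomputed from the call records


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # assumed yearly cost of operating the control
    loss_prevented: float   # assumed yearly underbilling the control stops


# Constructed sample of eight re-rated invoices (not real data); three show underbilling.
SAMPLE = [
    InvoiceSample("INV-001", 120.0, 120.0),
    InvoiceSample("INV-002", 50.0, 50.0),
    InvoiceSample("INV-003", 200.0, 215.0),   # underbilled by 15.00
    InvoiceSample("INV-004", 80.0, 80.0),
    InvoiceSample("INV-005", 0.0, 60.0),      # call records never billed at all
    InvoiceSample("INV-006", 300.0, 300.0),
    InvoiceSample("INV-007", 75.0, 75.0),
    InvoiceSample("INV-008", 95.0, 100.0),    # underbilled by 5.00
]

# Constructed control inventory for the billing cycle; names and figures are assumptions.
CONTROLS = [
    Control("manual re-rating of top 50 accounts", 90_000.0, 40_000.0),
    Control("automated call-record reconciliation", 30_000.0, 500_000.0),
    Control("supervisor sign-off on credit notes", 20_000.0, 25_000.0),
]


def sample_error_rate(sample):
    """Underbilled amount in the sample as a fraction of what should have been billed."""
    expected = sum(s.rerated for s in sample)
    shortfall = sum(max(s.rerated - s.billed, 0.0) for s in sample)
    return shortfall / expected


def projected_annual_loss(sample, annual_revenue):
    """Ratio projection: apply the sample's shortfall rate to the year's revenue."""
    return sample_error_rate(sample) * annual_revenue


def evaluate_billing_controls(projected_loss, risk_limit, controls):
    """Map the projected loss and the control inventory to the audit conclusion.

    Returns a dict with the verdict ("exceeds_limit", "overcontrolled" or
    "within_limit"), the controls recommended for removal, and the remaining
    headroom under the risk limit after any removals.
    """
    if projected_loss > risk_limit:
        # Losses exceed management's tolerance: recommend steps to reduce underbilling.
        return {"verdict": "exceeds_limit", "remove": [],
                "headroom": risk_limit - projected_loss}

    remove = []
    running_loss = projected_loss
    for c in controls:
        # Removal candidate only when the control costs more than the loss it prevents
        # AND the projected loss would still sit within the limit without it. Controls
        # are considered in inventory order, accumulating the loss each removal adds.
        if c.annual_cost > c.loss_prevented and running_loss + c.loss_prevented <= risk_limit:
            remove.append(c.name)
            running_loss += c.loss_prevented

    verdict = "overcontrolled" if remove else "within_limit"
    return {"verdict": verdict, "remove": remove, "headroom": risk_limit - running_loss}


if __name__ == "__main__":
    ANNUAL_REVENUE = 2_000_000.0   # assumed
    RISK_LIMIT = 250_000.0         # assumed management tolerance for unbilled revenue
    loss = projected_annual_loss(SAMPLE, ANNUAL_REVENUE)
    print(f"sample underbilling rate: {sample_error_rate(SAMPLE):.1%}")
    print(f"projected annual underbilling: ${loss:,.0f} against a limit of ${RISK_LIMIT:,.0f}")
    print(evaluate_billing_controls(loss, RISK_LIMIT, CONTROLS))
```

With the constructed figures the sample shows an 8% shortfall, which projects to $160,000 of annual underbilling, inside the $250,000 limit; the manual re-rating control is then flagged for removal because its $90,000 cost exceeds the $40,000 of loss it prevents and removing it leaves the projection at $200,000. The ratio projection and the per-control loss figures are the auditor's estimates, and in practice the sample would be sized statistically rather than being eight invoices.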

Risk of the internal audit activity


The internal audit activity itself is not immune to risks. Risks to internal audit activities fall into three broad categories: audit failure, false assurance, and reputation risk. The management of the internal audit activity must recognize these risks and take the necessary steps to manage them. Reading 3-5, Practice Advisory 2120-2, highlights the key attributes of these risks and some steps that can be considered during the internal audit activity to better manage them.


3.4 Control frameworks


Learning objective

Explain the definition, nature, inherent limitations, and criteria of control as set out by the Committee of Sponsoring Organizations (COSO), and compare the COSO control framework with other frameworks. (Level 2)
Required reading

Online reading 3.4-1, A Framework for Control: COSO's five components of internal control and questions too important to ignore (Level 2)
Reading 3-6, Internal Control Integrated Framework (Level 2)
LEVEL 2

The IIA Standards define control as any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. IIA Standard 2130.A1 requires internal audit to evaluate internal controls, in responding to risks, regarding the following:
- Achievement of the organization's strategic objectives
- Reliability and integrity of financial and operational information
- Effectiveness and efficiency of operations and programs
- Safeguarding of assets
- Compliance with laws, regulations, policies, procedures, and contracts
Both management and internal auditors must understand the nature and inherent limitations of controls. During the 1990s, a number of control frameworks were introduced in an attempt to provide a way of understanding the important elements of control, including the important relationships between them. You have already encountered the term risk framework. The terms risk framework and control framework are used somewhat interchangeably, but with different emphasis. Risk frameworks focus on identifying the key risks faced by an organization, whereas control frameworks focus on identifying the means of mitigating those key risks and knowing that they are under control. Typical control frameworks consist of a definition of control, criteria of control, and the grouping of criteria in some logical way. Foremost among these frameworks is the American COSO framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1992.

The COSO framework


The Committee of Sponsoring Organizations (COSO) is a voluntary private-sector organization comprising professional organizations, including the IIA, the American Accounting Association, and the American Institute of CPAs (AICPA). According to the COSO website, "The Committee of Sponsoring Organizations (COSO) mission is to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations." [1] The COSO control framework defines internal control in a more concise manner than other control frameworks. The COSO model has been widely adopted as the generally accepted framework for internal control and is recognized as the definitive standard against which organizations and their internal auditors measure the effectiveness of their systems of internal control. COSO defines internal control as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
COSO states that in an effective internal control system, the following five components work to support the achievement of an entity's mission, strategies, and related business objectives:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
Furthermore, COSO does not contain specific criteria, but rather provides illustrative issues to be considered for each component of control. Reading 3-6, the executive summary of the COSO control framework, provides an overview of this framework. For more detail, review Online reading 3.4-1.

Other control frameworks


In 1992, the Criteria of Control Committee (CoCo) of the Canadian Institute of Chartered Accountants produced the CoCo framework, or CICA control framework. Its objective was to improve organizational performance and decision making through better risk management, controls, and corporate governance. In 1995, the committee issued its Guidance on Control, which defined controls and described the CoCo framework. The framework included 20 criteria for effective controls in four areas of an organization. That document sets out five observations on the nature of control:
1. Control is effected by people at all levels of the organization.
2. Managers who are accountable for their operations must also have control of those operations.
3. Control must be flexible enough to adapt to changing conditions, both internally and externally. (As risks change, controls must also change.)
4. Organizations must balance autonomy, integration, consistency, and change to effect controls.
5. Controls can never provide absolute assurance, only reasonable assurance, because they must be cost effective and have inherent limitations (faulty decision making, human errors, management overriding controls, collusion, system breakdown).
CoCo defines three categories of control objectives:
- Effectiveness and efficiency of operations
- Reliability of internal and external reporting
- Compliance with applicable laws and regulations and internal policies
The CoCo criteria are generally wider than those of most other frameworks. There are 20 control criteria separated into four groups: purpose (direction), commitment (culture and values), capability (competence), and monitoring and learning. In essence, the criteria consider the need for each organization to identify and exploit opportunities by continuously challenging its assumptions. They also recognize that controls extend beyond the traditional hard controls found in company policies and procedures. Soft controls are also essential to an organization achieving its objectives. Soft controls include, for example, the trust, co-operation, leadership, and interpersonal skills necessary to obtain commitment. Empowerment and other decision-making processes are seldom set out in policy manuals but are essential for companies to realize their potential. While the postmortem reviews necessary for effective monitoring and learning may be mandated for certain activities (large capital projects or computer installations, for example), their ongoing day-to-day use in other areas is usually informal.

In Great Britain, the Cadbury Committee issued a control framework as part of the output of a study on corporate governance. That framework is similar to COSO and CoCo, but there are differences in the approach. In South Africa, the King Report on Corporate Governance includes a series of recommendations in the form of a Code of Corporate Practices and Conduct. This South African equivalent of COSO, CoCo, and Cadbury goes a step further by including a code of ethics for businesses. The King Report also recommends the establishment of an effective internal audit function in all public companies. Other control frameworks have been issued for specific industries (the Basel Committee on Banking Supervision's Framework for Internal Control Systems, Standards for Internal Control in the U.S. Federal Government). Some specific control frameworks have also been created that deal with risks associated with information technology. (You look briefly at two of those in Module 7 of this course.)

Public reporting on controls


The various committees that prepare control frameworks have considered the desirability of public disclosure of compliance with control and governance standards. Although specific industry legislation in some countries has for some time required such disclosure, it has only recently become a general requirement for the largest public companies in North America. There is considerable debate as to whether such disclosure should consist only of representations by the board and/or management, or whether there should be independent verification of the representations made. The Sarbanes-Oxley Act of 2002 (SOX) and similar securities regulations in Canada now require that management provide an assertion about the state of the company's internal control in the Management Discussion and Analysis included in the company's annual report. The provisions of SOX require that the auditors of American listed companies provide assurance with respect to management's assertions. Although it had been announced that a similar requirement would be introduced in Canada, the Canadian Securities Administrators have decided not to proceed with implementation of this requirement in Canada.

1 The Committee of Sponsoring Organizations of the Treadway Commission (COSO), About Us, http://coso.org/aboutus.htm, accessed May 3, 2012.


3.5 Auditing using control frameworks


Learning objective

Describe the impact of the development of control frameworks on internal auditing, and outline the steps in using a control framework as the basis of assessing control in an organization. (Level 2)
Required reading

Reading 3-7, Practice Advisory 2130-1: Assessing the Adequacy of Control Processes (Level 2)
LEVEL 2

Applying control frameworks


Control frameworks such as CoCo and COSO were designed not only to provide insight into the structure and workings of control, but also to provide a fresh look at the assessment of controls. COSO, for example, requires that the board and management have reasonable assurance concerning the extent to which the organization is achieving its objectives, that published financial statements are reliable, and that the company is complying with applicable laws and regulations. This raises the question of how the board and management are to obtain such assurance. Particularly in large organizations, senior management and the board will not have first-hand knowledge to support such assurance. They must rely on assessments made on their behalf to establish that effective measures are in place and working to provide such assurance. Reports from the organization's internal auditors are a primary source of such assessments. Reading 3-7, Practice Advisory 2130-1, sets out guidelines for assessing and reporting on control processes.

Auditing using COSO


Because COSO was issued in 1992, internal auditors have more experience working with it than with other frameworks. The process for COSO-based auditing requires the following steps:
1. Understand COSO.
2. Determine control strengths and weaknesses.
3. Define key issues and reportable conditions.
4. Validate testimonial evidence.
5. Make the final assessment.
6. Identify corrective actions.

The major value of using COSO over traditional audit methods is that the auditor can effectively include an evaluation of the soft controls described by COSO. The auditor begins with a thorough understanding of the COSO definition of internal control and the five components necessary for an effective control system. Through the use of control questionnaires and interviews, the auditor determines the control strengths and weaknesses in each of the five control components within the operational area under review. Key issues and reportable conditions are defined by asking management and executives to identify what situations could cause significant errors or irregularities. The fourth step is obtaining evidence related to the information provided by management. This can be done in a variety of ways, including the following:
- Review of written documentation, including policies and procedures
- Testing of samples for evidence of the presence or absence of a control
- Comparison with industry standards or best practices

After validating management's information, the auditor makes a final assessment. If reportable conditions have occurred but have been corrected by management, there is a strong likelihood that all five COSO components of control are present and effective. If reportable conditions have not been identified or corrected, or if they have become pervasive in other areas of the organization, the auditor identifies corrective actions and makes audit recommendations.

Using the COSO and CoCo frameworks requires the identification and evaluation of soft controls such as trust, working relationships, empowerment, and post-mortem analyses. Empowerment, which is implied by both COSO and CoCo, reduces the hard rules against which compliance can be measured. Audit techniques in an empowered environment, for example, involve the auditors obtaining the views of the people responsible for the operations. These views are sought with respect to the relevance of specific controls and the effectiveness of the controls. This testimonial evidence, while a key part of the audit, must be validated through testing. Auditors have always supplemented their other audit tools with continuous monitoring processes that enable them to monitor key controls as events occur, without waiting for the results of a periodic (and, by its nature, historical) audit.

Auditing using CoCo


In 1999, the CoCo board issued its Guidance on Assessing Control. Since the CoCo framework was first developed, a number of Canadian organizations in both the private and public sectors have incorporated the CoCo framework into their audit activities. The CoCo board has provided a methodology of the principles and process for a comprehensive assessment of control throughout the organization based on the organization's overall objectives. However, this has also created a barrier to its use, as few organizations are prepared to bear the cost of such comprehensive reviews. Organizations, including their internal auditors, are working to adapt the CoCo framework to apply to more restricted audits of specific objectives, risks, or activities.

Guidance on Assessing Control sets out a 10-stage process for assessment using the CoCo framework:
1. Understand the expectations of the board.
2. Establish an assessment working group appointed by the chief executive officer.
3. Understand the objectives that form the focus of the assessment.
4. Understand the CICA criteria of control framework.
5. Develop a plan for the assessment.
6. Obtain information and develop a conclusion.
7. Review and discuss with the chief executive officer and senior management.
8. Prepare the report.
9. Present the assessment to the board of directors.
10. Review and learn from the assessment.


3.6 Control self-assessment and continuous auditing


Learning objective

Explain the control self-assessment process, identify its advantages and disadvantages, and outline how continuous monitoring can improve the effectiveness of internal control. (Level 2)
Required reading

Reading 3-8, Maximized Monitoring (Level 2)


LEVEL 2

Control self-assessment (CSA) recognizes that controls consist of all processes directed toward the achievement of organizational goals, and that the responsibility for controls rests not with the company's internal and external auditors but with those who manage and operate the business processes. Control self-assessment is an alternative method to help provide assurance regarding an organization's risk management and control processes. It is a methodology that uses facilitated team workshops, surveys, or management-produced analysis (or some combination of these) to collaboratively assess and evaluate control procedures. Control self-assessment consists of the following phases:
1. Identify business objectives and customize the process for the participating workshop team.
2. Conduct one or more workshops with management and staff from the unit being assessed.
3. Prepare a summary report and provide feedback.
4. Analyze and review results, comparing them with those from other workshops.
5. Report results to management.
6. Report summary results to the audit committee.
7. Provide follow-up and assistance in dealing with the issues identified.

Advantages and disadvantages of CSA


Control self-assessment is not without its critics. In 1995, Glenda S. Jordan of Bell South Corporation authored a study of control self-assessment that was published by the Institute of Internal Auditors. In her study, she quoted Thomas E. Powell, the IIA Director of Certification and Standards, as expressing his personal opinion that control self-assessment is not internal auditing because it lacks the objectivity and independence that he considers essential to auditing. It is costly to implement, both in terms of training and the time that management staff must dedicate to the process. It is possible that repeated use in specific units will not result in fresh thinking each time and that the process will become mechanical. It will not work (and should not be implemented) when the management style of a business unit does not encourage open, constructive criticism. It also cannot replace verification of hard controls in high-risk areas of the business.

CSA does have some advantages, however, particularly the first time it is used in any unit. It increases awareness on the part of management and employees of both the purposes of controls and those responsible for them. The CSA process brings the focus of those most knowledgeable about the business and the actual processes in place to bear on assessing the adequacy of the controls in meeting their objectives. It is also a good training tool for managers who may not be aware of internal control concepts.

Continuous auditing
Another technique auditors use to monitor new risks and evaluate the effectiveness of internal controls is known as continuous auditing. This technique uses technology to monitor risk and control automatically, on an ongoing basis. This tool is explained in Reading 3-8.


3.7 Governance
Learning objective

Outline the IIA performance standards on governance, the governance responsibilities of the board of directors or equivalent body, and the role of internal audit in corporate governance. (Levels 1 and 2)
Required reading

Reading 2-1, Performance Standards 2110 to 2110.A2 (Level 1)
Reading 3-9, Practice Advisories 2110-1, 2110-2 and 2110-3: Governance (Level 2)
LEVEL 1

Standards on governance
In the glossary of the Standards, the IIA defines governance as the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. Standard 2110 states that the internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
- Promoting appropriate ethics and values within the organization
- Ensuring effective organizational performance management and accountability
- Communicating risk and control information to appropriate areas of the organization
- Coordinating the activities of, and communicating information among, the board, external and internal auditors, and management

Governance refers to the responsibilities and actions of members of governing bodies in their stewardship capacity. Accountability is the obligation to answer for a responsibility.
During the 1980s, boards of directors of large public companies were increasingly subject to scrutiny and criticism for their apparent shortcomings in carrying out their stewardship function of protecting the interests of investors. A number of major scandals occurred in which investors lost most or all of their investments, and questions were asked about where the directors were when this was happening. Several studies were undertaken in Canada, Great Britain, and the United States aimed at defining the role of the board and its responsibility for risk management and control within the company. The Cadbury and COSO studies were among them.

Governance in the private sector


Good corporate governance is integral to directors discharging their responsibilities. In a general sense, corporate governance refers to the process and procedures used to manage the business and affairs of a corporation. It relates to the operation of the organization and to external matters such as the corporation's dealings with shareholders and other stakeholders. In 1994, the Toronto Stock Exchange Committee on Corporate Governance in Canada (known as the Dey Committee) released its report, Where Were the Directors? Guidelines for Improved Corporate Governance in Canada. With respect to private-sector, for-profit organizations, this report defined corporate governance as the process and structure used to direct and manage the business and affairs of the corporation with the objective of enhancing shareholder value, which includes ensuring the financial viability of the business. The process and structure define the division of power and establish mechanisms for achieving accountability among shareholders, the board of directors, and management. The direction and management of the business should take into account the impact on other stakeholders such as employees, customers, suppliers, and communities.

As a result of the increased interest in corporate governance, PricewaterhouseCoopers and the IIA Research Foundation carried out a study on board responsibilities and leadership. The central theme of the report was the need to strengthen the independence and effectiveness of boards of directors from management, thereby improving the contributions of directors individually. A principal theme of the report is the empowerment of individual directors. Accordingly, the committee stated that effective corporate governance requires every board of directors to have in place appropriate structures, resources, and procedures to ensure that the board can function independently of management to carry out its governance responsibilities. This requirement includes the means to conduct independent research where appropriate. From the perspective of internal auditors, the study gave them the tools they need to become a board-level resource for information and education. The report's recommendations were adopted by the TSX Board of Governors and were approved by the Ontario Securities Commission. Though none of the guidelines are mandatory, TSX-listed Canadian companies are required each year to disclose to shareholders the extent to which they have complied with the guidelines and, where they do not comply, to provide the reasons.
Role of the board of directors

The Dey Committee report sought to clarify the board's supervision, direction, and oversight role. It recommended that each board of directors assume the following responsibilities:
1. Approve the long-term goals and strategy as they evolve for the corporation, and monitor management's success in implementing the strategy.
2. Ensure that there are systems in place to effectively monitor and manage the principal risks of all aspects of the corporation's business with a view to the long-term viability of the corporation, and achieve a proper balance between the risks incurred and the potential returns to the shareholders.
3. Ensure management of the highest calibre in appointing, training, assessing, and providing for succession.
4. Ensure that the corporation has a policy in place to enable it to communicate effectively with its shareholders, other stakeholders, and the public generally, to effectively interpret the operations of the corporation to shareholders, and to accommodate feedback from shareholders.
5. Ensure that there are effective control and information systems in place for the board of directors to discharge its responsibilities.

As a result of the increased interest in corporate governance, the CoCo Board of the CICA issued Guidance for Directors: Governance Processes for Control in late 1995 and Guidance for Directors: Dealing with Risk in the Boardroom in April 2000. This guidance assumes that the board should be able to exercise its judgment independently of management, and it identifies six control responsibilities for the board of directors:
- Approving and monitoring mission, vision, and strategy
- Approving and monitoring the organization's ethical values
- Monitoring management control
- Evaluating senior management
- Overseeing external communications
- Assessing the board's own effectiveness

Notice the similarities between the responsibilities set out by the CoCo board and those set out by the Dey Committee.
One of the recommendations of the CoCo report that is not specifically listed in the Dey report is the responsibility of the board to assess its own effectiveness. This can be done by the board itself but can also be assigned to the internal audit department or to outside consultants. There may be advantages in having the assessment carried out by specialists from outside the company. In addition to the potential conflict of interest in employees criticizing the highest levels of their organization, the internal audit department may lack real expertise in the subject matter of the review. Specialist consulting practices have started to develop. They undertake board effectiveness reviews not only for public companies but also for government agencies, large not-for-profit organizations, and others.
Role of internal audit in governance

According to IIA Standard 2110, the internal audit activity must assess and make appropriate recommendations for improving the governance process. As noted in the IIA definition of internal auditing, the role of internal auditing includes the responsibility to evaluate and improve governance processes as part of the assurance function. This is explained more fully in Reading 3-9, Practice Advisory 2110-1. Practice Advisory 2110-2 addresses the relationships among governance, risk management, and internal control. Practice Advisory 2110-3 discusses assessing governance.


3.8 Role of the audit committee


Learning objective

Explain the role of the audit committee of the board of directors. (Levels 1 and 2)
Required reading

Online reading 3.8-1, The Audit Committee: Purpose, Process, Professionalism
Reading 3-10, Practice Advisory 2060-1: Reporting to Senior Management and the Board (Level 1)
Reading 3-11, Vision and Leadership: Critical Elements for Analysis of the Internal Audit Function (Level 2)
Reading 3-12, A Stronger Partnership (Level 2)
LEVEL 1

Standard 2060 requires that the chief audit executive report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reading 3-10, Practice Advisory 2060-1, provides guidance on such reporting.

An increasing number of boards assign oversight of financial reporting and internal control to an audit committee of the board, the majority of whose members should be non-executive directors. Such committees are often required by securities regulators or government legislation (for government departments, Crown corporations, and so on). Each audit committee should, at its first meeting, draw up its terms of reference and submit them to the board for approval. The terms of reference should be reviewed at regular intervals to ensure that they remain relevant. The Canadian Securities Administrators issued a Notice on Audit Committees in 1990 that sets out recommendations concerning the role of the audit committee. Most major public accounting firms have published guidance to audit committees to help them define their terms of reference. From these guidance publications emerged a consensus that the generally accepted role of the audit committee includes responsibility for oversight of annual financial information, external audit, interim financial statements, other public disclosure documents, internal audit, the corporate code of conduct, and internal accounting control. Many audit committees have also recently included oversight of enterprise risk management in their terms of reference. Traditionally, the role of the audit committee has been restricted to financial reporting and internal financial controls. Oversight responsibility for objectives beyond these areas will need to be undertaken by the board itself, or the terms of reference of the audit committee will have to be expanded to include this additional responsibility.
Online reading 3.8-1 explains what is needed of today's audit committees to provide effective oversight and governance. Note in particular the section on internal auditing and the sample audit committee charter. This sample charter captures many of the best practices used today and complies with the requirements of the Sarbanes-Oxley Act and the U.S. stock exchanges. Of course, no sample charter encompasses all activities that may be appropriate to a particular audit committee, nor will all activities identified in a sample charter be relevant to every committee. Accordingly, the charter must be tailored to each committee's needs and governing rules.

A strong working relationship between internal audit staff and the audit committee is essential for both parties to fulfill their goals. Specifically, the chief audit executive should do the following:
- Assist the audit committee to ensure that its charter, activities, and processes are appropriate to fulfill its responsibilities.
- Ensure that audit committee members understand the charter, role, and activities of the internal audit activity.
- Ensure that the internal audit activity is responsive to the needs of the audit committee and the board.
- Maintain open and effective communications with the audit committee and its chair.

Reading 3-11 sets out some guidance for audit committees related to the committee's function of providing oversight to the internal audit activity. The reading answers the following questions:
- How can an audit committee be confident that its internal audit department is fulfilling its corporate governance responsibilities?
- What is the internal audit department doing to make sure the company behaves in an ethical, legal, and well-governed manner?

Reading 3-12 explains how an effective relationship between internal audit and the audit committee, based on excellent communication, is more important now than ever in assisting the audit committee with its new role in corporate governance.


3.9 The Sarbanes-Oxley Act of 2002


Learning objective

Explain how the Sarbanes-Oxley Act of 2002 has affected corporate governance and understand how internal audit may assist in the Sarbanes-Oxley compliance process. (Level 2)
Required reading

Reading 3-13, A Smarter Compliance Process (Level 2)


LEVEL 2

Following the Enron Corp. collapse, investor confidence was shaken, particularly in the United States. As a result, the U.S. Congress passed the Sarbanes-Oxley Act of 2002 (SOX) to address a number of investor concerns. Since 2004, the New York Stock Exchange has required its listed companies to maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company's risk management processes and system of internal control. One consequence of these new regulations is an increased role for internal auditors. Sarbanes-Oxley Section 404 requires publicly listed U.S. companies to file an internal control report as follows:
- Filing the internal control report with the annual and interim reports
- Stating management's responsibilities in establishing and maintaining internal controls over financial reporting
- Including management's conclusions on the effectiveness of these controls

Companies have set up internal procedures to verify this internal control reporting information prior to its release. CEOs and CFOs look to internal auditors to contribute to the process of reviewing such information with the audit committee, senior management, and the company's external auditors. Reading 3-13 describes how one company's internal audit group improved the organization of its corporate compliance with the Sarbanes-Oxley legislation.

There has been an increase in governance expectations with respect to the work of both the board (and its audit committee) and internal auditors. If both do their jobs well, the result will be better accountability to the stakeholders and to the public, for both private and public-sector enterprises. Some specific legislative and regulatory initiatives were undertaken in Canada following the passing of SOX in the United States. They have resulted, for example, in the establishment of an accountability board in Canada and in requirements that the chief executive and chief financial officers attest to their belief in the completeness and accuracy of corporate filings (such as quarterly and annual reports to shareholders). In both Canada and the United States, the senior management of large public companies is required to provide a certification with respect to the design of the internal controls over financial reporting. This will be expanded to require a certification with respect to the operating effectiveness of these internal controls. In the United States, the company's external auditor will be required to attest to management's assertions. Although it was initially decided that a similar attestation would be required in Canada, securities regulators have reconsidered this and reversed that decision.


Module 3 summary
Risk management, control frameworks, and governance
This module covers the concept of enterprise risk and risk management. It also covers the development and use of control frameworks, control self-assessment, continuous auditing, and the roles of the board of directors and its audit committee in corporate governance.

Explain enterprise risk management and how risk models can help identify specific risks and set appropriate tolerance limits.
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Enterprise risk is the possibility of an event occurring that may reduce the likelihood that the organization will achieve its objectives. Effective control provides reasonable assurance that the organization will achieve its objectives reliably (by reducing uncontrolled risk to an acceptable level), and therefore includes the identification and mitigation of risk. Risk models enable management to classify risks, establish acceptable tolerance limits for these risks, and test controls to ensure that uncontrolled risks remain within the established tolerances. Enterprise risk management is a process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization's objectives. A number of risk models (frameworks) have been developed to help identify the risks related to an organization's activities and plans. The risks faced by businesses vary from organization to organization and should be identified by the organization's management. Risk tolerances (limits) define the amount of residual, uncontrolled risk that the board and management are prepared to consider as acceptable. For example, a company could determine the amount of foreign currency risk that it is prepared to accept and implement processes to hedge exposures in excess of that amount. The amount of exposure that the company is prepared to accept would be its risk tolerance or limit.

Explain the role of the internal auditor in the risk management process and how this role changes when there is no established risk management process.
Internal auditing includes assisting the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. The internal auditor should monitor and evaluate the effectiveness of the organization's risk management system. The purpose of internal auditing (in the context of risk management) is to assess the appropriateness and adequacy of management's actions to avoid, share, transfer, and control risks so as to keep them within the defined control limits or tolerances. The internal audit activity itself is not immune from risks, including those of audit failure, false assurance, and reputation risk. It needs to take the necessary steps to ensure that it is managing its own risks.

If an organization has not established a risk management process, the internal auditor should bring this to the attention of management together with suggestions for establishing such a process. If requested, internal auditors can play a proactive role in assisting with the initial establishment of a risk management process for the organization. Internal auditors can facilitate or enable risk management processes, but they should not own or be responsible for the management of the risks identified.

Explain how auditors use risk assessment to assist in audit planning, and compare this approach with traditional approaches to internal auditing.
Traditional and risk-based auditing approaches compared: Risk-based auditing starts by reviewing the organizational objectives, then considers the business risks that affect the achievement of those objectives, and examines the methodologies in place to mitigate those risks. Risks can be avoided, shared, or transferred rather than controlled. Risk-based auditing also explicitly accepts that there will always be some risk that must be accepted, but the acceptable amount must be kept within the limits established by the board and management. Traditional auditing, by contrast, begins with a consideration of controls, focusing only on the design and effectiveness of the controls in meeting the traditional control objectives of ensuring accurate financial information, compliance with laws and policies, safeguarding of assets, and achievement of effectiveness, efficiency, and economy of operations.

Explain the definition, nature, inherent limitations, and criteria of control as set out by the Committee of Sponsoring Organizations (COSO), and compare the COSO control framework with other frameworks.
The COSO framework classifies control into five groups or components of control: control environment, risk assessment, control activities, information and communication, and monitoring. COSO does not contain specific criteria, but rather provides illustrative issues to be considered for each component of control. The COSO framework defines internal control as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations

This is similar to CoCo and also to IIA Standard 2130.A1, which now requires internal audit to evaluate internal controls in responding to risks relating to the same categories. The CoCo definition of control includes some additional activities as part of internal control; these include objective setting, strategic planning, and risk management. CoCo's criteria of control have the following characteristics:
- The framework is generally wider than most frameworks.
- It has four main groups (purpose, commitment, capability, and monitoring and learning) consisting of 20 specific criteria.
- It identifies and exploits opportunities.
- It deals with both soft and hard controls. Hard controls are more traditional and are found in company policies and procedures. Soft controls include the existence of the necessary trust, cooperation, and interpersonal skills.

CoCo's guidance makes five observations on the nature of control:
- Control is effected by people throughout an organization.
- Those who are accountable for activities should be accountable for controlling those activities.
- Organizations are constantly interacting and adapting.
- Control can never supply absolute assurance, only reasonable assurance.
- Effective control requires a balance between autonomy and integration, and between the status quo and adapting to change.

The COSO and CoCo frameworks both include a definition of control, criteria of control, and logical groupings of criteria. Both define control in terms of providing reasonable assurance with respect to effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. COSO and CoCo use virtually identical language to describe control objectives. The IIA Standards list five objectives (achievement of the organization's strategic objectives; reliability and integrity of financial and operational information; effectiveness and efficiency of operations; safeguarding of assets; and compliance with laws, regulations, and contracts). These can all be considered to fall within the objectives set out in the CoCo and COSO frameworks. The definitions are similar in that they all consider control to consist of actions taken to support people in the achievement of the organization's objectives.

Control cannot give absolute assurance, only reasonable assurance, for the following reasons:
- Controls must be cost effective.
- There are inherent limitations to control, including faulty decision making, the inevitability of human error, the possibility of collusive circumvention of controls, and the possibility of management override of most controls.

Describe the impact of the development of control frameworks on internal auditing, and outline the steps in using a control framework as the basis of assessing control in an organization.
The development of control frameworks has led to a broader understanding of control and of management's responsibility for controlling the activities that they manage. It has brought management more into the control assessment process. It has recognized the existence and potential effectiveness of soft controls and included them in control evaluation.

The process for using a control framework is, in general, as follows:
1. Understand the control framework to be used.
2. Determine control strengths and weaknesses.
3. Define key issues and reportable conditions.
4. Validate testimonial evidence.
5. Make the final assessment.
6. Identify and recommend corrective actions.

Explain the control self-assessment process, identify its advantages and disadvantages, and outline how continuous monitoring can improve the effectiveness of internal control.
Control self-assessment (CSA) consists of the following phases:
1. Identify business objectives and customize the process for the participating workshop team.
2. Conduct one or more workshops with management and staff from the unit being assessed.
3. Prepare a summary report and provide feedback.
4. Analyze and review results, comparing them with those from other workshops.
5. Report results to management.
6. Report summary results to the audit committee.
7. Provide follow-up and assistance in dealing with the issues identified.

Continuous auditing uses technology to monitor both risk and control on an ongoing basis. Internal auditors play an important role in designing continuous auditing systems to collect and analyze data. Continuous auditing helps ensure that controls are continuously functioning.
Advantages of control self-assessment:
- It increases management and employee awareness of controls.
- It brings the focus of those who know the processes to bear on control issues.
- It gains acceptance of recommendations.
- It provides potential cost savings in later years.

Disadvantages of control self-assessment:
- It lacks objectivity and independence of evaluations.
- It can be costly, in management time requirements, to implement (in the first year or two).
- It may become mechanical in time.
- It requires an open management style.

Outline the IIA performance standards on governance, the governance responsibilities of the board of directors or equivalent body, and the role of internal audit in corporate governance.
Control and governance responsibilities for the board include the following:
1. Approve and monitor mission, vision, and strategy.
2. Approve and monitor the organization's ethical values.
3. Monitor management control.
4. Evaluate senior management.
5. Oversee external communications.
6. Assess the board's own effectiveness.

Explain the role of the audit committee of the board of directors.


The role of the board's audit committee usually includes the following responsibilities:
- Oversight of published financial information, including annual financial reports, interim reports, public disclosure documents, and so on
- Oversight of the internal audit function
- Oversight of internal financial controls
- Oversight of the corporate code of conduct
- Liaison with the external auditors

Internal auditing is integral to the organization's governance process. According to the IIA standards, the role of internal auditing includes the responsibility to evaluate and improve governance processes as part of the assurance function. The internal audit activity must assess and make appropriate recommendations for improving the governance process. Effective governance relies on internal controls and on communication to the board on the effectiveness of those controls. Internal audit's unique position within the organization enables internal auditors to observe and formally assess the governance structure, its design, and its operational effectiveness while remaining independent.

Explain how the Sarbanes-Oxley Act of 2002 has affected corporate governance, and understand how internal audit may assist in the Sarbanes-Oxley compliance process.


The Sarbanes-Oxley Act was passed by the U.S. Congress to address investor concerns after the Enron collapse. Publicly listed U.S. companies must file an internal control report stating management's responsibilities to establish and maintain internal controls over financial reporting and management's conclusions on the effectiveness of these controls. Companies have set up internal procedures to verify this internal control reporting information prior to its release. CEOs and CFOs look to internal auditors to contribute to the process of reviewing such information with the audit committee, senior management, and the company's external auditors.


Module 3: Self-test
1. Multiple choice

a. Which of the following is not included in the COSO components of good internal control?
1. Safeguarding of assets
2. Control environment
3. Risk assessment
4. Control activities

b. Which of the following roles in the risk management process should not be undertaken by the internal audit activity?
1. Setting the risk limits
2. Co-ordinating ERM activities
3. Evaluating risk management processes
4. Facilitating the identification of risks

c. According to the CoCo Guidance for Directors: Governance Processes for Control, who is responsible for monitoring management control?
1. The chief executive officer of the organization
2. The organization's board of directors (or equivalent body)
3. The organization's internal audit department
4. The organization's external auditors

d. The CoCo Guidance on Control says that control cannot provide absolute assurance, in part because there are inherent limitations in control. What do these inherent limitations include?
1. The need for controls to be cost-effective
2. The possibility of circumvention of controls through collusion
3. The inability to have adequate segregation of responsibilities in small businesses
4. Improper design of controls such that they do not achieve their objectives

e. Enterprise risk management means identifying the risks faced by the enterprise and establishing an acceptable tolerance limit for each major risk to which the enterprise is exposed. Which of the following statements is consistent with the definition of risk limit?
1. Risk limit represents the amount of inherent risk that the enterprise is prepared to accept.
2. Risk limit represents the amount of residual risk that the enterprise is prepared to accept.
3. Risk limit represents the amount of systemic risk that the enterprise is prepared to accept.
4. Risk limit represents the amount of audit procedures risk that the enterprise is prepared to accept.

f. Which of the following is considered by the CoCo board to be a responsibility of management and not of the board of directors or equivalent body?
1. Developing the company's mission, vision, and strategy
2. Assessing the board's effectiveness
3. Monitoring corporate ethics
4. Evaluating the performance of senior management

2. You are employed as the internal auditor of Cascadia Chemicals Inc., a company that operates in Quebec and the northwestern United States as a manufacturer and distributor of chemicals to the pulp and paper industry in that area. Your company has been in business for 40 years and has a 75% share of its market. The board of directors has recently approved a proposal from management to enter into a joint venture with a business in Colombia to manufacture and market the company's chemical products in Latin America. Initially, products will be supplied from Canada, but manufacturing facilities will eventually be built in Colombia. This will be the first venture of its kind for Cascadia. You have been approached by the president of Cascadia, Mark Downing, who has read with interest about the increased involvement of internal auditors in the subject of business risk. He has asked you to consider the risks faced by the company in its new venture. Specifically, he would like you to identify the specific risks that the company may face in the following areas:
a. Technical expertise
b. Reputation
c. Financial reporting
d. Government regulations
e. Marketing
f. Financial management and treasury

Required

Identify two key risks under each of the areas named by the president. For each risk, indicate briefly how the risk may be avoided, transferred, shared, or controlled.

3. List the advantages and disadvantages of the introduction of control self-assessment to the audit of the treasury department of a large multinational corporation that has significant dealings in complex securities such as derivatives.

4. The company in which you are employed as internal auditor has established an audit committee for the first time. The committee is scheduled to meet next Monday for its first meeting. The first item on the agenda is the role and purpose of the committee and its terms of reference. You have been asked by the president to prepare a brief summary for the committee, setting out the purposes of the audit committee and its role in corporate governance, possible functions and duties of the committee, and the relationship that the committee should have with the company's external and internal auditors.

Required

Prepare the summary requested by the president.


Self-test 3 Solution 1
a.
1. Correct. Safeguarding of assets is a control objective, not a component of control.
2. Incorrect. Control environment is a COSO component of internal control.
3. Incorrect. Risk assessment is a COSO component of internal control.
4. Incorrect. Control activities is a COSO component of internal control.

b.
1. Correct. Risk limits should be set by senior management and the board of directors.
2. Incorrect. Internal auditors may co-ordinate enterprise risk management activities.
3. Incorrect. Internal auditors must evaluate the entity's risk management processes.
4. Incorrect. Internal auditors may facilitate the identification of risks.

c.
1. Incorrect. It is the CEO's power and influence that must be monitored.
2. Correct. This is one of the specific responsibilities assigned to the board.
3. Incorrect. The internal auditors can carry out exercises on behalf of the board, but this is the board's responsibility.
4. Incorrect. The external auditors have no responsibility for control.

d.
1. Incorrect. This is not an inherent limitation, but one imposed by practicality.
2. Correct. Even if controls are well designed, those operating them will almost always be able to circumvent them through collusive action of two or more people.
3. Incorrect. This is also a matter of practicality, not an inherent weakness or limitation; cost constraints create this problem.
4. Incorrect. This is not an inherent limitation, but one which can be remedied.

e.
1. Incorrect. Risk limit does not represent the amount of inherent risk that the enterprise is prepared to accept. It represents the amount of residual risk that the enterprise is prepared to accept.
2. Correct. Risk limit represents the amount of residual risk that the enterprise is prepared to accept.
3. Incorrect. Risk limit does not represent the amount of systemic risk that the enterprise is prepared to accept. It represents the amount of residual risk that the enterprise is prepared to accept.
4. Incorrect. Risk limit does not represent the amount of audit procedures risk that the enterprise is prepared to accept. It represents the amount of residual risk that the enterprise is prepared to accept.

f.
1. Correct. The board's responsibility is to approve and monitor the mission, vision, and strategy; it is management's responsibility to develop them.
2. Incorrect. This is a role for the board.
3. Incorrect. This is also a role for the board.
4. Incorrect. This is also a role for the board.


Self-test 3 Solution 2
a. Technical expertise:
- The types of wood used in pulp and paper production in Colombia may not be the same as those used in Quebec and the northwestern United States; therefore, the chemicals may not be as effective. (This risk can be mitigated by doing research prior to beginning production and sales in Latin America.)
- The suppliers of such chemicals usually provide technical expertise to their customers; the technical expertise may not be locally available in Colombia, and expertise in Canada and the United States may not be totally relevant. (This can also be researched prior to startup.)
- The company may not know what effect the long-distance shipping or higher temperatures will have on the stability and effectiveness of its chemicals. (This can be researched as well.)

b. Reputation:
- Business practices in Latin America do not always coincide with what is acceptable in Canada and the United States; the company may suffer a loss of reputation if it is associated with activities that would not be permitted here. (This risk can be reduced by research and by the declaration and enforcement of ethical standards in the Latin American operations.)
- Providing services to the pulp and paper industry in Latin America may involve the company in controversies such as those related to deforestation. (This risk can be reduced by involvement in organizations dedicated to reforestation, for example.)
- The company may not be aware of the reputation of the joint venture partner. (This should be thoroughly researched.)

c. Financial reporting:
- It may be difficult to obtain timely information concerning the performance of the venture. (This could be mitigated by having an accountant supplied by Cascadia or perhaps by contracting the accounting to an international accounting practice in Colombia.)
- Accounting practices in Latin America differ from those in Canada, for example, with respect to price level adjustments (because of the historically high inflation rates). (This could be mitigated by adopting Canadian accounting standards.)
- It may be difficult to obtain accurate information concerning the venture, particularly if the accountant is under the control of the Colombian partner. (This could be mitigated by having an accountant supplied by Cascadia or perhaps by contracting the accounting to an international accounting practice in Colombia.)

d. Government regulations:
- The company may not be knowledgeable about regulations affecting employment, benefits, and so on. (This could be mitigated by obtaining advice from a qualified Colombian lawyer or accountant.)
- There may be regulations restricting the repatriation of income and/or capital. (This could be mitigated by seeking advice prior to investing in Colombia.)
- There may be a lack of knowledge concerning environmental regulations in Colombia and concerning the ability of the company to meet them. (Again, a Colombian lawyer's advice should be sought before beginning operations there.)

e. Marketing:
- The company may not be knowledgeable about current market shares and brand loyalty in Latin American markets. (The company could reduce this risk through market surveys.)
- The company may face resistance because it is a foreign operation. (The company should research this prior to beginning to sell into the market.)
- The market may not permit prices that allow the company to recover its costs, particularly during the period when it is shipping from Canada. (Again, market research should be conducted and costs and prices determined.)

f. Financial management and treasury:
- The company could be exposed to high inflation rates and the potential devaluation of its investment and income. (Consideration can be given to finding methods of hedging this exposure.)
- The company will have to consider the risks involved in financing the construction of the manufacturing facilities. In some cases, interest may either be subject to withholding tax or not deductible for tax purposes by the Colombian company. (The company may look at obtaining loans through a Colombian financial institution.)
- The company will be exposed to the typically longer inventory and receivables cycles in Latin American markets. This may create a need for more operating capital than previously considered. (The company should base the assumptions on its cash flows on carefully researched local conditions in Colombia.)


Self-test 3 Solution 3
The advantages of using control self-assessment in this case include the following:
- The views of those involved can be sought; this should provide some insights into their perceptions of the risks involved.
- Staff involved will probably be aware of other companies' problems and know what the risks and possible controls might be.
- The audit team can learn about the technical operation of the treasury department from those who are actually involved in its operation.

The disadvantages include the following:
- There will likely be a small number of people involved; staff numbers in treasury may be low, and successful control self-assessments require an exchange of ideas among a number of people.
- Risks are extremely high; a substantial amount of verification work will be required, especially with respect to compliance with trading limits. This will have to be done with whatever approach is used.
- Because of the high risk, objectivity in assessing controls will be important. Staff members of the treasury department may not be objective. Outside specialist consultants should be brought in to work on this audit.
- The controls should be hard controls, which lend themselves more to the traditional audit approach. Authority levels, trading limits, and so forth should be subject to strict control, and compliance will need to be tested.
- The cost of training staff in control self-assessment techniques will not be justified for this particular audit.
- Because of the nature and magnitude of the risks, senior management and the board should be concerned about obtaining an objective, independent assessment of the controls in place and the extent of compliance with them.


Self-test 3 Solution 4
The purpose of the audit committee of the board of directors is to assist the board in carrying out its governance responsibilities. The CoCo studies include monitoring management control among their list of board responsibilities. The audit committee exists to assist the board in carrying out these governance responsibilities. The specific role and functions of the committee vary somewhat from organization to organization, but typically may include some or all of the following activities:
- Reviewing the resources, budget, reporting relationships, and planned activities of the internal audit function
- Reviewing internal audit reports and resulting actions by management
- Approving the internal audit department's long-term and annual plans
- Approving the internal audit budget and resource plan
- Approving the remuneration of the chief audit executive
- Acting as a go-between in case of conflict between management and the internal auditors
- Concurring on the appointment of the chief audit executive
- Monitoring compliance with the corporate code of conduct
- Reviewing the scope of work, management letter, remuneration, and so on with the external auditor
- Reviewing the financial statements and audit report before approval by the board
- Acting as a go-between to help resolve conflicts between the external auditor and management
- Recommending appointment or reappointment of the external auditor

While neither the external auditor nor the chief audit executive should be members of the audit committee, they should attend all committee meetings. Organizational independence is effectively achieved when the chief audit executive reports functionally to the audit committee. According to IIA Standard 1111, Direct Interaction with the Board, the chief audit executive must communicate and interact directly with the board. "Board" here refers to an audit committee to which the board has delegated certain functions.

The committee acts to reinforce the mandate of the internal auditors and to resolve any conflicts that might arise between either internal or external auditors and the company's management.
