
Example exam Internal Control & Risk Management 2019

LIST OF COURSE OBJECTIVES


1. Can explain the relation between Internal Control and Risk Management and other disciplines such as Accounting Information Systems, Management Control and Corporate Governance.
2. Have a thorough understanding of the concepts of Internal Control and Risk Management.
3. Can explain the basics and historical development of the Anglo-Saxon and Dutch-German concepts and tools of Internal Control.
4. Know the basic concepts of Internal Control and Enterprise Risk Management and have thorough knowledge of the latest COSO models for Internal Control and Enterprise Risk Management.
5. Are able to explain academic and professional criticism of the commonly used Internal Control and Enterprise Risk Management models.
6. Are able to identify and analyse relevant issues regarding the objectives of Internal Control and Risk Management as disclosed in annual statements.
7. Are able to evaluate the added value of various Control and Risk Management models.
8. Can analyse the characteristics and elements of fraud, fraud risk and internal control of fraud.

LIST OF PAPERS AND REPORTS


1. 1992 COSO I - Internal Control Integrated Framework (ICIF)
2. 2004 COSO II - Enterprise Risk Management (ERM)
3. 2013 COSO III ICIF
4. 2016 COSO IV ERM
5. 2016 COSO FRMG - Fraud Risk Management Guide
6. Kajuter & Woods (2007) - International Risk Management (ch 1 & 2)
7. Vaassen & Meuwissen (2009) - Accounting Information Systems & Internal Control (ch 2 & 3)
8. Spira & Page (2003) - Reinventing Internal Control
9. Power (2009) - The Risk Management of Nothing
10. Samad Khan (2005) - Why COSO is flawed
11. Speklé & Paape (2012) - The adoption and design of ERM practices
12. Brivot et al (2016) - Constructing, Contesting, and Overloading: A Study of Risk Management Framing
13. Power (2013) - The Apparatus of Fraud Risk
14. Morales (2014) - The Fraud Triangle Genealogy
15. Murphy & Dacin (2011) - Psychological Pathways to Prevent Fraud
16. Schiller & Prpich (2014) - Learning to Organize Risk Management
17. Tekathen & Dechow (2013) - ERM and continuous re-alignment in the accountability
18. Bromiley et al (2015) - ERM: Review, Critique and Research Directions
19. Hayne & Free (2014) - Hybridized Professional Groups and Institutional Work: COSO and the Rise of ERM

PART 1 TECHNICAL APPLICATION OF IC & RM QUESTIONS (30 points)

Please note that the Case (appendix) questions about this much longer case will be replaced by shorter extracts derived from annual reports or comparable sources. Typically the questions refer to the relation between certain contingencies, risks and the components of a control framework such as COSO III ICIF 2013.

A summary of the COSO ICIF framework and principles is provided as an appendix to the case.

1. Topic COSO - Control Environment (course objective 1, 4)


Q1 ”The first component of the 2013 COSO III framework is Control Environment. Evaluate the Control Environment of MORE before the take-over. (10p)”

General direction: Students are required to identify contingency factors and match them to the Control Environment using the 5 principles (P1 - P5), and to use this to evaluate whether MORE is “in control”. 5p for evaluation per principle / 5p for conclusion.

Answer indication
P1 commitment to integrity (code of conduct, tone at the top)
The tone at the top of the organization is good towards employees in the organization before the take-over, because there was a family-like atmosphere and the firm sees employees as their most valuable asset.
A code of conduct is not mentioned in the case.
P2 oversight of IC
The board of directors is more of a management team. It seems that they did not invest much time in oversight of internal control.
P3 establishing structures and reporting lines
The organization has a functional structure.
There is no mention of formal reporting lines.
P4 commitment to competence
Employees are seen as a valuable asset (this demonstrates such a commitment).
There are structural problems in the PDA and A/P departments.
MORE has too little staff for the workload of A/P, and turnover rates were going up in logistics.
The organization also does not listen to the complaints of the employees.
P5 Holds individuals accountable
The company does not offer large incentives to its employees.
No indications of excessive pressures on its employees (which can lead to problems with accountability).
Conclusion / evaluation
MORE is formally NOT in control due to some deficiencies in comparison with the 5 CE COSO principles. Bonus point for analytical remarks on whether MORE actually - more or less - is in control.

2. Topic - Risk identification (course objective 2)
Q2 “Identify four important risks for MORE after the take-over regarding the objective to maximize profitability. Analyse these risks in terms of probability and impact and argue which risk should be managed first (10p)”

General direction: This question refers to the Risk Assessment component of COSO. Students are required to analyse probability and impact of risks found in the case. 4p for analysis of the 4 risks using probability and impact scores and 6p for arguments on which risk should be managed first.
Answer indications
All kinds of risks are possible as long as they are related to profitability. A strong argument can be made for (incorrect) pricing as the biggest threat to profitability.

3. Topic - Categories of fraud and counter practices (course objective 8)

Additional information Case MORE



The head of the Past Due Accounts department (PDA) was fired in May 2017. After the take-over it was discovered that he had written off debts - with reference to pricing errors - for an amount of EUR 125.000. These debts were completely written off and consisted of a total of approx. 200 sales invoices regarding expensive consumer goods such as watches, laptops and telephones. The invoices were sent to relatives of his, such as his four brothers, his three sons and his ex-wife. The goods were all delivered to a mailbox of his own.
When confronted with these facts it came out that he had been put under pressure for some time by an illegal gambling organization, to which he owed more than EUR 300.000.
Another element is that, in the discussion with his new director about the "up or out program", he had already been informed that he could lose his job by the end of 2017 because of "disappointing results of PDA related to lack of leadership".

Q3 “Power (2013) describes four different categories of fraud. Motivate which category is applicable to the fraud at MORE and explain the consequences for principle 8 of the implementation of the 2013 COSO III framework at MORE (10p).”

General direction: Students are required to categorize the fraud as insider fraud; according to Power this means that the mechanisms to consider under principle 8 (the organization considers the potential for fraud) are manipulation of records and deceit.
Answer indication
Insider fraud - with an element of outsider fraud because of external cooperation - by means of manipulation of records and deceit. This means that the risks can be mitigated with better internal control, segregation of duties and oversight.

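Segregation of duties and oversight, which the answer indication names as the mitigations, can be made concrete as detective controls run over the write-off ledger. The Python below is an added example, not part of the exam or the case: the write-off records, employee ids and addresses are constructed, and the review thresholds are assumptions.

```python
"""Detective controls over debt write-offs (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteOff:
    invoice_id: str
    customer: str
    delivery_address: str
    amount_eur: float
    reason: str
    entered_by: str   # employee who booked the write-off
    approved_by: str  # employee who approved it


# Constructed HR table: employee id -> registered home or mailbox address.
EMPLOYEE_ADDRESSES = {"E042": "PO Box 17, Utrecht", "E017": "Lindelaan 9, Gouda"}

# Constructed ledger: E042 (the PDA head) books and approves write-offs of
# pricing-error invoices whose goods went to his own mailbox.
SAMPLE_WRITEOFFS = [
    WriteOff("INV-1001", "B. Voss", "PO Box 17, Utrecht", 900.0, "pricing error", "E042", "E042"),
    WriteOff("INV-1002", "C. Voss", "PO Box 17, Utrecht", 650.0, "pricing error", "E042", "E042"),
    WriteOff("INV-1003", "K. Jansen", "PO Box 17, Utrecht", 1200.0, "pricing error", "E042", "E042"),
    WriteOff("INV-1004", "A. de Wit", "Kerkstraat 4, Leiden", 45.0, "pricing error", "E017", "E099"),
]


def find_red_flags(writeoffs, employee_addresses, same_address_limit=3, approver_total_limit=50_000.0):
    """Return {invoice_id: sorted flag names} for write-offs that need review.

    Flags: the same person booked and approved (no segregation of duties),
    goods delivered to an employee's own address, several write-offs to one
    address, and an approver whose written-off total exceeds the oversight limit.
    """
    flags = defaultdict(set)
    address_owner = {addr: emp for emp, addr in employee_addresses.items()}
    by_address = defaultdict(list)
    approver_total = defaultdict(float)
    for w in writeoffs:
        if w.entered_by == w.approved_by:
            flags[w.invoice_id].add("no_segregation_of_duties")
        if w.delivery_address in address_owner:
            flags[w.invoice_id].add("delivered_to_employee_address")
        by_address[w.delivery_address].append(w.invoice_id)
        approver_total[w.approved_by] += w.amount_eur
    for ids in by_address.values():
        if len(ids) >= same_address_limit:
            for inv in ids:
                flags[inv].add("address_concentration")
    over_limit = {a for a, t in approver_total.items() if t > approver_total_limit}
    for w in writeoffs:
        if w.approved_by in over_limit:
            flags[w.invoice_id].add("approver_total_over_limit")
    return {inv: sorted(f) for inv, f in flags.items()}


if __name__ == "__main__":
    # Low limit for the demo; a real limit would follow the CFO's review policy (assumption).
    result = find_red_flags(SAMPLE_WRITEOFFS, EMPLOYEE_ADDRESSES, approver_total_limit=2_000.0)
    for inv, reasons in result.items():
        print(inv, ", ".join(reasons))
```

The legitimate write-off INV-1004 (booked by an A/P clerk, approved by someone else, delivered to a customer address) produces no flag, while the three self-approved ones are caught by four independent controls.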
PART 2 THEORY QUESTIONS (50 points)

In general, theory questions refer to the articles and the slides on these articles. Please note that for most of these questions a maximum of approximately 400 words is given to answer the question.

4. Speklé & Paape - Empirical evidence for the mechanical approach of ERM (course objective 7)
Q4 “Spira & Page (2003) and Power (2009) pointed in their critique towards the mechanical and technocratic approach of ERM. Argue whether the empirical findings of Speklé & Paape (2012) supported - or not - this critique (10p).”

General direction: 5 points for combining the main findings of Speklé & Paape with the critique and 5p for arguments. Recognizing the differences between the critique of Power and that of Spira & Page is rewarded.

Answer indication
Speklé & Paape - abstract: “Our results raise some concerns as to the COSO framework. Particularly, we find no evidence that application of the COSO framework improves risk management effectiveness. Neither do we find support for the mechanistic view on risk management that is implied by COSO’s recommendations on risk appetite and tolerance.”
Speklé & Paape - §5 Discussion: “Taken together, these negative findings challenge the validity of some of COSO’s key assumptions. The COSO framework is predicated on the idea that sound risk management should be highly structured, starting with an explicit definition of the organization’s overall risk appetite, followed by a deductive process to decompose the risk appetite into quantified risk tolerances at the level of specific objectives, which subsequently need to be matched with appropriate risk responses and control activities to ensure that the organization remains within the pre-set boundaries. This mechanistic and technocratic perspective has been criticized for being built on a reductionist notion of organizations as unitary and intentional actors, and for assuming hyper rational human agency (Power, 2009). Our empirical evidence also suggests that this perspective might be misguided. That is to say, the majority of organizations do not seem to embrace COSO’s systematic, ‘calculative’ (Mikes, 2009) approach, and apparently without loss of effectiveness. This may be taken to imply that a less structured, more heuristic approach to risk management is feasible.”

5. Internal Control and transparency of disclosure (course objective 6, 7)


Q5 “In the lectures the concept of "internal control transparency" has been introduced. Name at least 3 types of "internal control transparency", give an example of each and explain why they occur (10p).”

General direction: 4 points per type and example and 6 points for explanation.

Answer indication: see slide 44 of lecture 6:

- Strategy-transparency > Risk of Informing the Competition
- Accountability-transparency > Risk of Being Blamed
- Litigation-transparency > Risk of Being Sued
- Fraud-transparency > Risk of Being Prosecuted
- Compliance-transparency > Risk of Being Fined by Regulators
- Effectiveness-transparency > Risk of Disclosing How Effective Internal Control Really Is

Conclusion: Transparency in the disclosure of internal control and risk management is carefully managed and the result of some sort of risk-related rationality.

6. Power - Risk Management of Nothing (course objective 5, 7)


Q6 “Describe the three flaws of enterprise risk management systems such as the first COSO ERM framework (2004 COSO II) and explain the consequences of each of the three flaws for the effectiveness of enterprise risk management systems according to Power (2009) (10p).”

General direction: 4p for the flaws and 6p for explanation of the consequences.

Answer indication
1. Definition and operationalization of risk appetite, wherein an organization is assumed to be able to create one risk appetite for the whole organization. It is not possible to define one risk appetite for an organization, as different departments might have different risk appetites.
2. The logic of an audit trail. This means that organizations that implement COSO ERM 2004 have to document every control and every action taken for risk management in order to make it auditable.
3. Interconnectedness of risks. COSO assumes that every organization stands on its own and with this view takes a legalistic perspective on enterprises. An organization is better defined as a nexus of contracts, meaning that it has connections with other entities as well. According to Power, this interconnectedness is actually the largest threat to organizations.

7. Two different views on why COSO is flawed (Samad Khan vs Power) (course objective 5)
Q7 “COSO is flawed according to Samad Khan (2005). Argue whether Samad Khan and Power (2009) share the same line of reasoning (10p).”

General direction: Samad Khan follows a practical line of reasoning and Power an academic line of reasoning (4p). To reach this conclusion students should (1) name the practical flaws identified by Samad Khan > done by amateurs (4p) and (2) refer to the previous question for Power's flaws > intellectual failure (2p).

Answer indication
See lecture 3 slides 45 - 55.

8. Hayne & Free / Brivot - Rise of ERM and role of professionals (course objective 3)
Q8 “Hayne & Free (2014) present an account of the mechanisms and processes that gave rise to the formation of COSO’s first ERM framework (2004 COSO II), which has become the dominant risk management model in North America and beyond. Summarize this account (6p) and explain how the paper of Brivot et al (2016) supports this account (4p).”

General direction: 6p for the summary of the adoption of COSO and 4p for recognizing the similarities and differences between the disruptor / creator / maintainer roles of Hayne & Free and the dynamics of first creating complexity and then creating simplicity as described by Brivot.

Answer indication
See the article by Hayne & Free:

Disruptor: Mounting pressures and shocks paired with the growing sense that risk could be measured resulted in a gradual shift away from the logics of internal control towards the logics of risk. This disruption work was not intentionally deployed by COSO but instead enabled COSO to then execute its own disruption work by commissioning consultants to evaluate the need for a framework to manage risk, and also by further undermining the assumptions and comprehensiveness of the IC-IF. COSO defended its institutional space by using their IC-IF as a springboard to create the ERM-IF with similar style/language and lower costs/risks of adoption. The logics of internal control were disrupted without formal intervention, and this paved the way for a new framework to emerge.

Creator: COSO was able to build on its identity as a ‘‘thought leader’’ with a proven track record, and also to construct a widely connected normative network wherein the ERM-IF would diffuse. An important part of the institutional work performed by COSO as a creator was to engage the marketplace early through consultation and information gathering processes, and also to begin to educate potential adopters at presentations and conferences during the exposure period. In turn, COSO was able to leverage the receptive marketplace and conduct advocacy work to mobilize their ERM-IF.

Maintainer: To this day, COSO continues to educate and enable the marketplace by issuing additional guidance. Within these ‘‘thought papers’’, demonizing institutional work continues to impress upon failures and risk more generally, while valourizing work offers success stories and highlights the potential to benefit from the logics of enterprise risk management. The unique presence, expertise and resources of COSO, a hybridized professional group, meant that policing and deterring forms of institutional work were not required to maintain the preeminent status of the ERM-IF and the rhetoric of risk management more generally.

and lecture 6 slides 37 - 39 on Brivot


Case Moritat Retail (MORE)

OWNERSHIP OF MORE
The Moritat era

MORE is a mail order retailer that was fully owned by the Moritat family. In his twenties, Max Moritat – called Mr. Max by the old employees – founded the company in 1952. The company has been making profits ever since and has always had a healthy growth rate. In the eighties revenues threatened to collapse, mainly because of the cheesy image of the company.

However, as a result of the emergence of the Internet and thanks to Victor Moritat – Max’ son – turning the company into a web store with an almost infinite line of products, the company remained successful and was even declared ‘best web store of the Netherlands’ several times.

The Moritat family was able to create a “family atmosphere” in the company. Employees were seen as their most valuable asset and employee retention was very high. Salaries were above average, although there was no bonus scheme for normal employees. Employees who performed extraordinarily were given small gifts such as dinner cheques and wine packages.

Max and his sons – Victor and Arthur – together formed the company’s Executive Board. They were appointed “for life”. Max, who had reached the age of 86, was not planning to resign “as long as I can walk”.

1.2. The 2016 take-over

In the summer of 2016 the family received an unexpected offer from the investment company “Newmoney Inc.”. The offer is too good to refuse and the family decides to sell the company. Mr. Max, Victor and Arthur are subsequently asked to resign as board members and all other board members are also dismissed before the end of 2016.

Newmoney decides to transform the organization and in January 2017 introduces a new management program: “Up-or-out”. This program contains strong objectives related to growth in sales and efficiency in the whole organization. The managers of all departments receive a stretch target in terms of sales increase and/or cost reduction. If managers succeed they are entitled to a bonus of approx. one year’s salary. The board also made clear that managers who do not succeed “should ask themselves if they are in the right place”.

MORE

Introduction

Mail-order company MORE carries well over 20.000 products in various product groups. Sales are 100% via its website. Under the company’s marketing slogan ‘Why postpone if you can enjoy now?’ it offers flexible credit arrangements to its customers. The payment obligation gets definitely less attention in the company’s marketing efforts than the sales as such.

Organization

Sales and delivery are done in the Mail-order department; payment settlement is done in the Admin and Credit department. In the following paragraphs some of the departments of MORE, before or after the takeover, are described.

a. Human resources

The human resource policy of MORE was not very structured. In most cases new employees were hired by Mr. Max based on a conversation with him. Managers were very critical of this method, since they did not have much influence on the quality of the people in their department. From January 2017 an elaborate assessment test is implemented. Employees are only hired if they pass this assessment.

b. Product Management

The Product Management department is responsible for the product line and for product pricing. The entire product line is on the website. Every day, twenty products on average are added or removed and well over 100 prices are adjusted, either permanently or temporarily. The Head of Product Management decides on these price adjustments and enters them into the system. Already in 2013 the company faced several lawsuits because of errors in pricing: a computer that should have been priced at EUR 799,-- was priced at EUR 7,99.

Hundreds of customers demanded that MORE deliver the product for this wrong price. MORE lost the lawsuit and was obliged to deliver the computers at this price. Although several attempts were made to control this issue, errors in pricing continue to occur to this day.
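A preventive control for the pricing problem described above, as an added example that is not part of the case: a price change entered by one person must be approved by a second person before it goes live, and an automated plausibility check blocks changes that look like a shifted decimal point (EUR 799,-- entered as EUR 7,99). The SKU, the employee names and the ratio threshold are assumptions.

```python
"""Preventive controls on catalogue price changes (added example, constructed data)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Ratios new/old that usually mean the decimal point slipped (7,99 for 799).
DECIMAL_SHIFTS = {Decimal("0.001"), Decimal("0.01"), Decimal("0.1"),
                  Decimal("10"), Decimal("100"), Decimal("1000")}


@dataclass(frozen=True)
class PriceChange:
    sku: str
    new_price: str          # entered as text, exactly as typed by the proposer
    proposed_by: str
    approved_by: Optional[str] = None  # second person; required before go-live


def plausibility_issues(old_price, new_price, max_ratio=Decimal("3")):
    """Automated check: flag non-positive prices, changes beyond max_ratio in
    either direction, and ratios that look like a shifted decimal point."""
    old, new = Decimal(str(old_price)), Decimal(str(new_price))
    if new <= 0:
        return ["non_positive_price"]
    issues = []
    ratio = new / old
    if ratio > max_ratio or ratio < 1 / max_ratio:
        issues.append("implausible_ratio")
    if ratio in DECIMAL_SHIFTS:
        issues.append("decimal_shift_suspected")
    return issues


def apply_price_change(catalogue, change, max_ratio=Decimal("3")):
    """Four-eyes control plus plausibility check. Returns (applied, reasons);
    the catalogue is updated only when nothing blocks the change."""
    reasons = plausibility_issues(catalogue[change.sku], change.new_price, max_ratio)
    if change.approved_by is None:
        reasons.append("missing_second_approval")
    elif change.approved_by == change.proposed_by:
        reasons.append("self_approval")
    if reasons:
        return False, reasons
    catalogue[change.sku] = Decimal(change.new_price)
    return True, []


if __name__ == "__main__":
    catalogue = {"PC-4410": Decimal("799.00")}  # constructed SKU
    typo = PriceChange("PC-4410", "7.99", "pm_head", "pm_head")
    print(apply_price_change(catalogue, typo))  # blocked: three reasons
    ok = PriceChange("PC-4410", "749.00", "pm_head", "controller")
    print(apply_price_change(catalogue, ok))    # applied
```

A blocked change stays in the proposer's queue for correction; only the automated check and the second approver together let a price reach the website.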

c. Customer Contact Center (CCC)

The Customer Contact Center is responsible for all the regular customer contacts, including order processing and adjustments to the type of credit upon request of the customer. Customers who buy via the Internet receive their own account (MyMOR), which they can use to view their payment history and their orders, make appointments for deliveries and return sales, and make adjustments to their type of credit. The CCC receives the orders and processes them.

d. Logistics

The Logistics department is responsible for the warehouse and the logistical processing of deliveries and return sales. In 2016 MORE introduced the concept ‘Ordered before 11pm, delivered tomorrow’. This has led to some substantial changes in the organization. It used to be an exception – only within the CCC and the IT department – for employees to work before 7.00am and after 7.00pm. Since the above concept came into effect, at least 50% of all the logistical activities have to take place during the night. This turnaround has led to involuntary lay-offs, labor unrest and an increase of sickness absence from 4% to over 12%.

e. Accounts payable (A/P) and Past Due Accounts (PDA)

The A/P department is responsible for billing, monthly interest charges and monitoring timely payments by debtors. If customers are overdue for payments for more than two months their file is transferred to the Past Due Accounts (PDA) department. This department is able to use all necessary means in order to collect the outstanding amounts. Sometimes this leads to court actions.

The number of clients handled by the PDA department has doubled every year since 2010 while the number of employees working within A/P has stayed the same. The growth in the volume of cases and court cases handled by PDA is primarily caused by errors in pricing. PDA employees are complaining about the unwillingness of upper management to establish guidelines and other guidance to deal with this issue. It has happened three times that all contested due accounts at a certain moment were written off completely in order to catch up with the work that was piling up beyond control.

The managers of A/P and PDA have on several occasions informed the CFO of the company about these difficulties and the effect they were having on work pressure and tensions on the work floor. Employees were complaining about the lack of attention from upper management on the one hand and the unrealistic targets upper management has set for PDA on the other hand.

--- end of case ---
