Chartered Institute of Internal Auditors - Past paper pack

IIA Diploma Past Paper Pack

Corporate Governance and Risk


Management

P5

Friday 6 June 2014


Morning session

Time allowed – 3 hours and 10 minutes


DO NOT OPEN THIS PAPER UNTIL INSTRUCTED BY THE INVIGILATOR

Candidate information and instructions

There are two questions in Part A and four questions in Part B.


Answer both questions in Part A and any three questions in Part B on the answer
sheets provided.

There are 100 marks available in this paper.


Organisations marked with an asterisk, *, are fictitious. No similarity with any real
organisation is intended nor should it be inferred.
Start each question on a separate answer sheet.

Do not identify yourself in answering any questions.


Enter your candidate number, the paper number, the question number and the page
number within the answer at the top of each answer sheet used.
Any plans/notes that are made for each question should only be made on official IIA
exam paper. Separate answer sheets should be used for each question plan.
Clarity and logic of your answers, effective presentation and good use of English will be
taken into account by the examiners when marking this paper.

Past Paper Pack


Chartered Institute of Internal Auditors
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
September 2014

PART A

There are two compulsory questions in this section. Questions one and two
relate to the following scenario.

Robsons Plc* is a regional supermarket chain, originally serving the east Midlands. In
recent years the chain has rapidly expanded its operations further across the UK and
Ireland. This rate of growth has been quicker than the board could ever have
imagined. This has been achieved in part as the result of depressed commercial
property prices in recent years. With significant cash reserves, Robsons has been
able to purchase prime locations in many cities and towns. This approach has been
supplemented by the purchase of two retail site portfolios by acquisition of a furniture
store chain and a carpet store chain from companies that had gone into liquidation.

Despite this, the board has become concerned following a succession of recent
surprises that has left them reacting to events on a number of fronts.

In 2013, Robsons was found to be selling a number of products containing
horsemeat. Further bad press arose later in the year as pressure groups criticised
the chain for dumping hundreds of tonnes of out of date food each week. Most
recently, in early 2014, the packing plants of some of Robson's key suppliers were
found to be employing significant numbers of illegal immigrants in unsafe working
conditions. There has also been recent press speculation that Robsons might be
vulnerable to a takeover by one of its larger competitors.

Robsons’ chief executive is frustrated at constantly having to offer apologies and
excuses, and wants to introduce some sort of structured method of horizon scanning
to anticipate strategic risks to the company.

The chief executive remains ambitious for further development and growth for the
company, not only through geographical expansion but also through moving into the
online shopping market. However, the recent crises have resulted in some of the
board being reluctant to take additional risks. The chief executive is keen to see the
development of a risk management methodology that will enable managers to risk
assess development and expansion options in order to take better advantage of the
opportunities available.

The chief executive also feels that the board and senior management are operating
with insufficient management information. There has been a constant succession of
localised problems, with individual store managers frantically chasing stock to meet
demand and no overall national management control. Local managers have also
implemented their own policies and processes. The chief executive realises that in
order to safely develop the company further, there is a need to establish clear
management structures, policies and company processes in order to provide the
stability and consistency required to support growth.

The chief executive also wishes to refocus efforts on highlighting the corporate social
responsibility successes of the company.

QUESTION ONE

a. Describe the stages necessary for the implementation of an effective risk
management framework across Robsons. 12 marks

b. Explain how risk management could be used at Robsons to support strategic
planning and mitigate strategic risks. 8 marks

SYLLABUS REFERENCE

2.1 The principles of risk management

2.2 The structures and processes of (enterprise-wide) risk management

MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit

Question | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a. Up to 2 marks available for each stage of implementation of a risk management framework, providing an adequate description is provided. | 12 | | | 12
b. Up to 8 marks available for an explanation of the application of risk management in a strategic context. Marks not divided but may be awarded for different elements of a structured explanation, to a maximum of 2 marks per key point. | | 8 | | 8
Total | 12 | 8 | | 20

a. Candidates should describe the stages required to successfully implement a
risk management framework across the company. Stages described could
include the following:

1. Setting the company objectives. Before Robsons can determine the
risks they are facing they need to have a clear understanding of their
objectives. Therefore the first step in any risk management
framework has to be defining and agreeing the company objectives
including SMART characteristics – ie objectives should be Specific,
Measurable, Achievable, Realistic and set within a Timeframe.
Breaking down the elements of each objective will assist in the next
stage.

2. Identify risks to the achievement of Robsons’ objectives. This should
be done in the context of the company’s internal and external
environments and consider a range of factors using tools such as
PESTLE. Risks can be identified in a variety of ways including Control
Risk Self Assessment workshops, brainstorming sessions or
questionnaires. Risk identification should become an integral part of
any planning process and should be used whenever new objectives
are defined or existing objectives modified in any way.

3. Assessing the impact and likelihood of each risk to Robsons’
objectives. The impact of a risk is the potential extent of the effects on
Robsons’ objectives should a risk materialise. Impact need not
necessarily be an absolute concept as a risk may materialise to a
greater or lesser extent. The likelihood associated with a risk is the
probability that the specific risk will materialise.

4. Allocate ownership, define the risk appetite and any responses to the
inherent risk. The owner of each risk will have an appetite for how
much risk they are willing to tolerate in respect of the objective which
is the target outcome of their work. The risk owner should compare his
appetite with the inherent level of risk and implement any responses or
actions required to bring the residual risk within that level of appetite.
The risk owner may choose to Treat, Tolerate, Terminate or Transfer
the risk.

5. Monitoring responses to the risk. When responses to the risk have
been commissioned to change the residual risk assessment, the
effectiveness of those actions has to be monitored to gauge whether
or not they have achieved the desired outcome. For example, the
internal audit function may be requested to provide assurance on
particular elements of a control framework.

6. Corrective action. Where the risk responses are found not to be
having the desired effect in terms of reducing risk, corrective actions
need to be taken and lessons learned from the experience. For
example, the internal audit review referred to in item 5 above might
make some recommendations for control improvements and the
implementation of these recommendations would constitute corrective
action in this context.

A risk management framework can be introduced to Robsons using recognised
project methodologies including the use of project plans and milestones and regular
reports to the audit committee of the board demonstrating progress against those
milestones.

Progress should be facilitated by the provision of appropriate training to all involved
as well as appropriately supported IT tools. A monthly risk reporting cycle and clearly
established risk ownership and escalation protocols would also facilitate the
development of a transparent process in which the responsibilities and
accountabilities of all involved are clearly visible.

Change management methodologies should be implemented and each business
area given targets in terms of implementation which could later be developed to
address progress in terms of achieving different stages of risk maturity.
b. Candidates should provide an explanation of the application of risk
management in a strategic context and may draw on elements including:

1. Definition of strategic objectives during the longer-term planning
process and the subsequent identification of risks arising from those
objectives and the deployment of steps 1 to 6 above will enable
Robsons’ Board to have greater confidence in the successful delivery
of their strategic objectives. Risk analysis can also be used to analyse
the risks associated with alternative strategic plans and to determine
whether or not those risks can be mitigated effectively.

2. The ongoing need to monitor strategic risks and to make best use of
the longer horizons provided by longer term planning to manage risks
effectively rather than ignoring things that seem distant.

3. Strategic planning linked to strategic risk management can be used to
effectively deploy resources in a considered way to manage risks
within appetite.

4. Strategic planning often employs tools such as PESTLE, Five Forces
and SWOT in assessment and workshop activity. The outputs of these
exercises can help generate ideas and identify new strategic risks to
the achievement of key objectives. These can then be addressed
through the risk management process.

5. A longer-term view provides risk owners with the opportunity to
manage risks selecting from the available risk responses in a
structured and considered way rather than responding through fire
fighting more immediate risks with diminishing options available.

Taking a strategic perspective provides greater opportunity for managers to consider
the environment in which they are trying to deliver their objectives and to consider
strategic risks arising from environmental factors.

EXAMINERS’ COMMENTS
Candidates attempting Question 1 achieved some good marks with the majority of
candidates being able to provide a well structured answer for part (a) in particular.
With 12 marks available for part (a) this resulted in many candidates reaching close
to a pass mark before attempting part (b).

Answers provided in respect of part (b) were less confident. A significant number of
candidates simply repeated the stages described in part (a), changing their answers
only by the addition of the word ‘strategic’. However, a number of candidates
developed well-reasoned explanations of how risk management could be used
specifically in a strategic planning and strategic risk management context.

Overall, we were genuinely pleased at the quality of the majority of the answers on
this occasion.

QUESTION TWO

Given the recent failures at Robsons, one of the policies that the chief executive
wishes to introduce is a corporate social responsibility (CSR) policy.

a. Evaluate the benefits of introducing a CSR policy at Robsons. 8 marks

b. Assess the challenges involved in enhancing CSR practices at
Robsons. 12 marks

SYLLABUS REFERENCE

1.4 The main concerns of stakeholders as regards corporate social responsibility
and sustainability.

MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit

Question | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a. 1 mark for each benefit identified and 1 mark for each benefit evaluated linked to the scenario context. Max 8 marks (4 evaluated benefits). | 4 | | 4 | 8
b. 1 mark for each challenge identified and 2 marks for assessment linked to the scenario context. Max 12 marks (4 assessed challenges expected). | 6 | | 6 | 12
Total | 10 | | 10 | 20

a. The benefits of Robsons PLC implementing a CSR framework include, but are not
limited to the following:

 Safeguarding Brand / Reputation - Improves the organisation’s reputation and
brand with stakeholders and customers. May help mitigate the fall out from
Robsons PLC selling products containing horse meat.

 Prevention against CSR incidents - Through embedding CSR, the
organisation would be less likely to find itself in irresponsible corporate social
positions such as dumping hundreds of tons of out of date food each week.

 Supplier Management - Through embedding CSR, Robsons could define
standards to which they can assess their 3rd party suppliers to ensure CSR
adherence. E.g. Robsons suppliers were employing illegal immigrants which
could have been prevented/detected with an effective CSR framework
encompassing 3rd parties.

 Increased Investment - Attract more investment as investors may favour
organisations with strong CSR, from an ethical perspective or from a financial one
in that they would be less likely to be impacted by CSR incidents.

 Increased employee engagement – An organisation that is devoted to CSR
could realise increased employee engagement as employees are working in
an organisation whose values could be close to their own or employees may
feel that they have an effective contribution to CSR in their day to day role.

b. The challenges in enhancing CSR practices include, but are not limited to the
following:

 Lack of buy in from senior management - support for any CSR initiative
may be hard to find as there may be no perceived bottom line benefit from
CSR, only the additional cost associated with it. It would be essential to engage
Senior Management from the onset and clearly articulate the benefits of
implementing CSR such as safeguarding brand reputation and increased
stakeholder and investor confidence.

 Lack of buy in from staff to support any CSR initiative as it is something
else to do in addition to the already heavy workload. It is essential to
demonstrate the reasons for CSR activities and the benefits to the
environment, society and local community.

 Changing stakeholder perceptions given the previous issues that Robsons
PLC has encountered over the years. Stakeholders may be sceptical about
Robsons PLC’s approach to CSR given the horsemeat and out of date food
dumping incidents. Robsons will need to ensure that CSR is on the agenda
for the long term and that Robsons PLC ensures that CSR is ingrained in the
organisation’s culture.

 Poorly defined CSR strategy would result in limited realisation of CSR
benefits, e.g. if the CSR strategy did not include third parties, Robsons PLC could
be impacted by CSR incidents from its 3rd parties. It is essential that Robsons
PLC seeks specialist skills in CSR and ensures that the CSR strategy covers
all aspects of the business.

 Ineffective CSR measurement system to identify CSR progress and
benefits. This may result in a lack of resources and support to the CSR
programme as benefits are not perceived by Senior Management.

 Unclear CSR roles and responsibilities may result in a lack of ownership
and progress with the CSR strategy. CSR is a company-wide initiative across
Robsons and requires support from a Board sponsor and representatives
from across the business each with clear CSR roles and responsibilities.
Management can then be held to account on their contribution to delivering
the CSR strategy.

EXAMINERS’ COMMENTS
Corporate Social Responsibility (CSR) is a key theme within corporate
governance. If ignored, or undervalued, CSR could result in serious repercussions
for any organisation, which could ultimately lead to their failure.

Part (a) of this compulsory question focused on candidates identifying the benefits of
introducing a CSR policy. We were pleased to see that candidates generally
identified the benefits of implementing a CSR policy, including safeguarding
brand/reputation, prevention against CSR incidents, effective supply chain
management, enhanced investment and increased employee engagement. However
the differentiation between candidates and their results came down to the evaluation
of each benefit identified. A large number of scripts simply stated the benefit and did
not elaborate, whereas candidates that scored well clearly articulated an evaluation
to help determine the significance of each benefit.

Part (b) of the question focused on an assessment of the challenges that Robsons
would face in enhancing CSR practices. The answers varied in quality, and as we
saw in part (a), the key difference in marks awarded came down to the assessment
of each challenge. A large number of candidates simply stated the challenge and did
not elaborate on the likely consequences.

Overall there were a number of good answers but these were outweighed by
answers where we felt just a little more effort and focus on the question descriptors
would have been beneficial.

PART B

There are four questions in this section. Answer any three questions.

QUESTION THREE

You are an internal auditor at a housing corporation that provides services for local
authorities across east London. A newly appointed non-executive director with a
background in financial services has raised a question about the impact of corporate
culture and the management of risks relating to it.

The head of internal audit has asked you to carry out a preliminary review in which
you:

a. Identify five key components of corporate culture in the housing
corporation and explain the importance of each. 10 marks

b. Describe five risks relating to these components and suitable
measures to mitigate these risks. 10 marks

SYLLABUS REFERENCE

1.2 The characteristics of good governance in public, private and not-for-profit
organisations

2.1 The principles of risk management

2.2 The structures and processes of risk management

2.3 How organisations manage risks

MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit

Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a. Five components of corporate culture: 0.5 mark for identification (remember), 0.5 mark for explanation (understand) | 5 | 5 | | 10
b. Risks: 1 mark for description of each risk (5). Suitable measures to mitigate the risks: 1 mark for outline of each measure (apply) (5) | | 10 | | 10
Total | 5 | 15 | | 20

Culture is set from the top of the organisation: established by the board (vision),
promoted by the CEO (strategy), demonstrated by the senior management
(example), adhered to by all employees (action).

a. Key components of corporate culture include inter alia

 Vision and values, mission to enhance life chances with focus on users of
social housing

 Business plan and priorities, set by top leadership and senior
management to reinforce values

 Objective setting for individuals in line with vision and goals of corporation

 HR policies on remuneration and incentives

 HR policies on appraisal and performance monitoring, discipline etc

b. Risks related to corporate culture in general

 Mismatch between vision and values with behaviour and attitudes of
senior managers

 Lack of understanding and commitment from staff

 Inadequate corporate governance structures, no clear accountability

 Weak preventive measures

 Culture intangible, hard to measure or evaluate

Risks related to housing services in particular

 Conflict between corporate goals (profit) and service standards

 Temptation for personal gain in housing development market

 Possibilities for kickbacks in contracting for construction industry

 Performance measures not related to needs of vulnerable service users

 Reputation, damage by adverse incidents slow to recover

Mitigation could include aspects of:

 Culture of openness not secrecy, transparency not cover up, honesty not
denial,

 Values based decision making process

 Corporate social responsibility focus


 Zero tolerance policy for breaches of ethical standards

 Credible whistleblowing process, safe channel for employees to voice
concerns without fear of recrimination

 Internal audit reporting on effectiveness of governance, visible support
from audit committee and board to implement recommendations for
improvement

EXAMINERS’ COMMENTS
This proved to be an unpopular optional question, despite culture being a topical area
of interest in respect of corporate governance and risk management. Candidates
produced a range of key components for corporate culture based on different models
with varying relevance. Credit was given for points made that were clearly linked to
the cultural element of the question set.

Successful answers combined both the general components of corporate culture
common to all organisations and the specific cultural risks for the housing
corporation.

Common shortcomings in the answers included:


 Employing the word culture interchangeably with governance and focusing on
the structure of the board rather than the organisation as a whole.
 Using the COSO framework with its emphasis on risk management and
internal control but without linking these elements to the culture of the
organisation.
 Considering specific external issues for the housing corporation such as
government housing policy without any obvious connection to the corporate
culture.
 Ignoring the scenario altogether and making no reference to the range of
issues that could be faced by the housing corporation.

A number of answers would have benefited from further expansion to develop the
relevance of the points given. The use of bullet pointed notes instead of complete
sentences often resulted in the logical connections being inferred rather than stated.
In many cases, the connection to the terms of the question was not always clear.

Finally we were disappointed to see that a few candidates identified the absence of
the component of corporate culture as the risk and implementing it as the mitigation.
This led to repetition in the two parts of the question and a circular argument in part
(b).

Overall this question was not answered as well as we had hoped, and given its
relevance and topicality we will undoubtedly revisit the issue of culture again in the
future.

QUESTION FOUR

You are a senior internal auditor within a listed UK company, where the chief
executive and chair roles are currently being exercised by one individual.

The chair of the audit committee has sought your advice on this arrangement and
has asked for a report in which you:

a. Explain what good practice suggests about an individual holding both
the chief executive and chair roles in a listed UK company. 6 marks

b. Identify the risks the company faces in maintaining the dual role of
chief executive and chair. 8 marks

c. Describe what could be included within the company’s annual
corporate governance statement to help explain the benefits of
maintaining the dual role of chief executive and chair. 6 marks

SYLLABUS REFERENCE

1.1 The principles and development of corporate governance in the UK and Ireland
in public, private and not-for-profit sectors
1.2 The characteristics of good governance in public, private and not-for-profit
organisations
2.6 Practical techniques for implementing risk identification, analysis and evaluation
in an organisation including the identification of appropriate mitigation for
common risks

MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit

Question | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
a) Explanation of good practice in UK corporate governance in respect of holding both roles | 6 | | | 6
b) Identification of potential risks | | 8 | | 8
c) Potential inclusions within the annual governance statement to address potential shareholder concerns | | | 6 | 6
Total | 6 | 8 | 6 | 20

a.

 UK Corporate Governance Code 2012 is the key element of good practice
 The code is an evolutionary development and so former iterations of the
code/guidance underpinning it will be accepted where relevant
 Comply or explain principles (i.e. not prevented from following the main
provisions and principles but should state why not)
 The guidance states quite clearly within leadership guidance (A.2.1) that the
roles of chairman and chief executive should not be exercised by the same
individual
 The Code also provides guidance on the role of the chairman in so far as
there should be a clear division of responsibility at the head of the company
between the:
- Running of the board
- Executive responsibility of running the company's business
 Crucially no one individual should have unfettered powers of decision

b. Potential risks could include:

 No balance of power within the leadership of the company
 Chief Executive and Chairman are the two most authoritative positions in the
boardroom - role vested in one individual in effect raises the possibility of
'fear' within the boardroom
 No checks and balances/poor decision making at board level
 Poor decision making - views of one individual take precedence
 Less opportunity to take advantage of the diversity of skills/experience of the
board
 Role/influence of non-executive directors (not just the chairman) reduced
 Potential conflict of interest issues are heightened
 Both roles are highly paid - risk of one individual earning high levels of
remuneration - and potentially holding the levers to influence their
remuneration
 Tone at the top (chief executive) could be allowed to follow aggressive
behaviour without effective (and independent from the chairman) board
challenge/ debate
 Absence of effective oversight of the strategic direction of the company for
shareholders
 Heightens the impact of the loss of one individual (for example short notice
stress - several recent examples of high profile leaders taking time off for
stress - e.g. Lloyds Banking Group)
 Reference to impact on/development of corporate governance good practice
of real scenarios and risks thereof. Where one individual has held dual role
(e.g. Sir Stuart Rose at M&S) or powerful individuals within organisations -
which the split of role is designed to address (e.g. Robert Maxwell; Fred
Goodwin). Sets out how a risk can be transferred

c. Comply or explain principles allow the company to explain why an individual may
hold both roles - in contradiction to UK Corporate Governance Code. The Financial
Reporting Council issued guidance in February 2012 as to what constitutes an
explanation under 'comply or explain'.

Such an explanation should aim to address shareholder concerns. Examples of
possible explanations could include:

 It is a short-term measure to address a specific challenge or company
objective. This could include:
- The return of the founder of the company
- An individual with relevant experience

 The delivery of company results and/or objectives under the dual role holding
arrangement
 An outline of the time line that the company will be in 'noncompliance' with the
code (i.e. it is not a situation that is going to run and run)
 Could refer to the guidance requiring that a chief executive should not go on
to be the chairman of the same company. If the company was recently due to
lose both posts - and therefore the current situation was simply a holding
position until (e.g.) a new Chairman is appointed
 The explanation may also set out how the company recognises the risks of an
individual holding both roles. But further sets out how it is mitigating these
risks and what it has put in place to do so (key themes to address being the
issues of leadership, independence of the Chairman and unfettered powers/
decision making)
 Reference to the salary/ rewards being paid to the individual holding both
roles
 The explanation should be specific to that company
 Major shareholders could be asked to discuss/raise their concerns with the
company on the arrangement - prior to the annual statement being issued.
Thus:
- Key concerns raised at this meeting could then be explicitly
referred to in the statement
- This would additionally allow the explanation to be coherent and
make sense to shareholders

Answers may also recognise that there are other stakeholders to the company - not
just shareholders who may take an interest in the dual role holding.

EXAMINERS’ COMMENTS
Overall, this question was both popular and well answered. Good well-structured
answers were, as has been noted in previous sittings, often provided together with a
short answer plan. These showed where candidates had thought through the
question briefly in advance. Answers which had clearly been planned through tended
to score very well; especially those which were able to expand on the points they
were making by referring to real examples and/or attributing their answer directly to
the context provided in the question.

A few candidates did not answer the question set but wrote general points about
corporate governance. A small number of candidates did not refer at all to The UK
Corporate Governance Code (2010 or 2012). Of those that did, quite a number
struggled to name the code correctly. Given the title of the exam paper this was
concerning.

Part (c) was the weakest answered part for several candidates. A number of
candidates delivered generic observations on what should appear in an annual
corporate governance statement without attributing the points made to the question
context.

While the question had three parts, many answers did not reflect the marking
allocation across the question. Some candidates wrote far too much on some
question parts and far too little on others. Once again, this may be an indicator of
answers that would have benefited from a short plan to enable candidates to think
through their answer before committing pens to their final answer.

QUESTION FIVE

You have recently conducted an audit on risk management in your organisation. One
of your key conclusions is that the risk management maturity of the organisation is
‘risk aware’.

Your head of internal audit has asked you to prepare a paper for the audit committee
in which you:

a. Contrast how risk management differs in a ‘risk aware’ organisation
to a ‘risk managed’ organisation. 10 marks

b. Discuss whether the approach to auditing risk management should
differ if the organisation is ‘risk aware’ or ‘risk managed’. 10 marks

SYLLABUS REFERENCE

2.1 the principles of risk management, including:
• definitions of risk, including (enterprise-wide) risk management and risk
assurance, risk appetite and risk management strategies
2.4 the relationship between internal audit and risk management, including the
choice of roles available to internal audit and the consequences for corporate
governance
2.7 the building of a risk-based audit work plan

MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit.

Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
------------- | ------------------- | ------------- | --------------- | -----------
0.5 for paper format | | 0.5 | | 0.5
a. Introduction or definition of risk management; 9 marks for contrasting the difference between risk aware and risk managed organisations | 0.5 | 9 | | 9.5
b. 0.5 for stating that the audit approach would differ in risk aware and risk managed organisations; 1 to 2 marks per point for describing the difference in the audit approach in risk aware and risk managed organisations | 0.5 | 9.5 | | 10
Total | 1 | 19 | | 20

BRIEFING PAPER
To: The Audit Committee
From: Internal Auditor
Date: June 2014
Subject: The risk maturity of the organisation and recommended internal audit strategy

Risk management is ‘a process to identify, assess, manage, and control potential
events or situations, to provide reasonable assurance regarding the achievement of
the organisation’s objectives’ (IIA).

Risk maturity: The extent to which a robust risk management approach has been
adopted and applied, as planned, by management across the organisation to identify,
assess, decide on responses to and report on opportunities and threats that affect
the achievement of the organisation’s objectives.

a. The differences between risk aware and risk managed organisations can be
demonstrated in the following table:

Risk Aware | Risk Managed
---------- | ------------
Scattered silo approach to risk management | Enterprise approach to risk management developed and communicated
Some limited training | Management have been trained to understand what risks are and their responsibility for them
No consistent approach defined for assessing risks | Scoring system for assessing risks has been defined
Risk appetite not defined | Risk appetite of the organisation has been defined in terms of the scoring system
Processes are unlikely to be defined | Processes have been defined to determine risks and these have been followed
Some incomplete lists of risks may exist | All risks have been collected into one list. Risks have been allocated to specific job titles.
Some incomplete lists of risk assessments may exist | All risks have been assessed in accordance with the defined scoring system
Some responses have been identified | Responses to the risks have been selected and implemented
Some monitoring controls | Management have set up methods to monitor the proper operation of key processes, responses and action plans
Some risks are reviewed but inconsistently | Risks are regularly reviewed by the organisation, probably quarterly
No reporting | Management report risks to directors where responses have not managed the risks to a level acceptable to the board
Projects not routinely assessed for risk | All significant new projects are routinely assessed for risk
Responsibility for determination, assessment, and management of risks is not included in job descriptions | Responsibility for determination, assessment, and management of risks is included in most job descriptions
Managers don’t provide assurance on the effectiveness of their risk management | Some managers provide assurance on the effectiveness of their risk management
Managers are not assessed on their risk management performance | Some managers are assessed on their risk management performance

b. The first stage in risk based internal audit (RBIA) planning is to review the
organisation’s level of risk maturity. The outcome of this assessment will determine
the approach internal audit should take to auditing risk management. The approach
will differ depending on the risk maturity of the organisation. The approach to auditing
risk management differs in the following ways:

• Implementation of RBIA

Risk managed organisations have a developed and communicated enterprise
approach to risk management. This means the audit planning can be driven by the
organisation’s risk register. RBIA can be implemented. A risk aware organisation has
a scattered silo based approach to risk management. This suggests that the
organisation’s system of internal control and the board’s ability to assess it may be
ineffective. Therefore the organisation’s risk management processes cannot be relied
on and RBIA cannot be implemented straight away.

• Audit planning approach

In risk managed organisations reliance can be placed on management’s approach to
risk and this can be used to determine the ‘universe’ of auditable areas, the scope
and priority of assignments and the specific areas for review. In this way
management’s view of risk drives the audit plan. In risk aware organisations, internal
audit will need to plan its audit work using its own assessment of the organisation’s
key risks or an alternative framework such as key systems or business units.

• Audit work

In risk aware organisations internal audit should report their assessment of the risk
maturity to management and to the audit committee. They should then provide
assurance on control processes. In risk managed organisations, internal audit
provides assurance on the risk management processes, management of key risks
and reporting of risks.

• Championing risk management

In risk aware organisations internal audit can help improve risk management and
governance processes by championing risk management throughout the internal
audit activity’s work.

• Consultancy services

In a risk aware organisation internal audit can provide consultancy to support
management in improving the organisation’s risk maturity. This may include
facilitating risk identification and evaluating risks; working with management to
identify any actions they propose to take to improve maturity; facilitating workshops
with management to define scoring systems, risk appetite and risk management
processes; consolidated reporting on risks; and training management in risk
management.

In risk managed organisations, internal audit can provide consultancy on improving
risk management, for instance facilitating training and promoting risk management
processes throughout the organisation. However, the majority of the internal audit
approach will be to conduct its core roles in enterprise wide risk management.

Conclusion: The maturity of risk management in the organisation will have a
significant impact on the approach internal audit will take to auditing risk
management.

EXAMINERS’ COMMENTS
The vast majority of candidates demonstrated a good knowledge of risk maturity
levels, how these were related to risk management and how these impacted internal
auditing. The question was answered well, with a number of candidates achieving
high scores and a few achieving full marks.

The majority of candidates were able to contrast risk management in a risk aware
and risk managed organisation. Most candidates were able to link the maturity level
to risk based internal auditing and explain how the audit approach should differ
depending on the maturity level. Many candidates gave good examples of the type of
consultancy work that internal audit could do in both types of organisation.

Candidates who scored less effectively tended to:

• Have over-lengthy introductions explaining risk management, risk based
internal auditing or thoroughly describing the risk maturity model.
• Confuse what to put in part (a) and part (b) of their answers. In part (a), a
number of candidates described how internal audit should deliver assurance
and provide consultancy in risk aware and risk managed organisations.
These points were better made in part (b). In part (b), some candidates also
more thoroughly described the risk management at the different types of risk
maturity than they had done in part (a). Unless the answer was directly
related back to the question, in both of these cases no marks were given.
• Have very detailed answers for one part of the question but seem to run
out of time when it came to the other part. In addition it was clear that time
was a factor for some candidates as there were a number of short answers.
In these instances candidates may have better employed a tabular approach
to get their points across as quickly as possible. Candidates who adopted a
table type format for part (a) tended to score well and avoided repetition in
their points.

In conclusion, the overall standard of the answers was good with over 90% of
candidates achieving more than 50% of the available marks. Well done!

QUESTION SIX

Business investors are keen to ensure that companies have effective ethical
practices.

Your team’s 2014 audit plan includes an internal audit of business ethics. Your head
of internal audit has asked you to prepare a paper in which you:

Describe ten key aspects that an internal audit of business ethics should
cover, and justify each aspect chosen. 20 marks


SYLLABUS REFERENCE

1.1 The principles and development of corporate governance in the UK and Ireland
in public, private and not-for-profit sectors

MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit.

Question/Part | Remember/Understand | Apply/Analyse | Evaluate/Create | Total marks
------------- | ------------------- | ------------- | --------------- | -----------
Your Head of Internal Audit has been asked by the Audit Committee to undertake an internal audit of business ethics. Prepare a paper for your Head of Internal Audit in which you: | Up to 1 mark | | |
Describe ten key aspects that internal audit should cover, justifying each aspect chosen | 1 per aspect identified | 1 per aspect justified | |
Total | 10 max | 10 | | 20

Appropriately formatted paper

Definition/explanation of business ethics

Ethics in business describes the culture and behaviour within an organisation that
helps it to maintain open, honest and fair interactions with all the organisation’s
stakeholders. High ethical standards within an organisation enhance its reputation
and build commitment and trust in it. They are also good for investor confidence and
for the long term success of the organisation.

Ten key aspects that internal audit should cover, justifying each aspect chosen:

1. Board
The board should communicate the organisation’s ethical policy and ensure that
ethical conduct is a standing item on the board’s agenda. The board must regularly
discuss ethics to show its importance to them and thus help embed it in the
organisation’s culture.

2. Leadership
The board needs to promote and demonstrate the ethical values and behaviours. If
the board does not demonstrate appropriate behaviour then values will never
become embedded in culture.

3. Business Strategy
Business strategy needs to align to ethical values. To become part of the culture,
values must underpin policy and behaviour throughout the organisation.


The board and managers should perform social impact assessments on the impact
and consequences that business decisions and their implementation have on corporate
social responsibility (CSR).

4. Shareholders/Investors
Openness and dialogue with key stakeholders and shareholders based on mutual
understanding of objectives is vital to good ethical procedures.

New investment. Ethical organisations will attract socially responsible investment
funds.

5. Risk Management

Risk management processes should identify key risks to the organisation’s
objectives and there should be an effective risk management methodology for
evaluating, assessing and managing risks. Failure to look far enough ahead in the
risk management process will prevent an organisation anticipating risks or monitoring
and addressing the development of risks and will leave it in a “fire fighting”
position, reducing the opportunity to implement planned and cost effective mitigations.
This would encourage reactive rather than proactive responses.

Risk management should include reputational risks. A good reputation attracts
customers, suppliers, and partners that share the same values. A strong emphasis on
ethics reduces the risk of unethical behaviours that could lead to corporate scandals.

6. Legislative Compliance
For example, the Bribery Act came into force in July 2011, and the Ministry of Justice
published guidance to help organisations prepare for the Act. One of the Ministry's
guidance documents sets out the six principles by which organisations should be
guided when putting in procedures to prevent bribery. The six principles are:
proportionate procedures, top-level commitment, risk assessment, due diligence,
communication (and training), and monitoring and review.

Business ethics policies set out desirable and acceptable behaviour for directors and
employees to follow. Past corporate scandals have been directly related to the unethical
and fraudulent behaviour of individuals, leaving the company exposed to legal or
regulatory action. A strong emphasis on ethics reduces this risk as employees are
clear on what is unacceptable behaviour and the consequences of it. Also, staff are not
afraid to speak up when they see unacceptable behaviour.

7. Recruitment and retention

Attract and retain the best possible staff long and short term: strong emphasis on
business ethics may be attractive to staff looking for family friendly and flexible
working.

Use of staff surveys to demonstrate high employee satisfaction leading to better staff
retention and productivity.

Strong ethical stances help ensure that staff are proud to work for the company.

8. Performance Management
Reward strategies must shape the right behaviour. To embed ethics, individual
performance measures should promote ethics and not encourage rule bending.


The board and sub-committees should ensure that the remuneration policies
especially on senior staff bonuses are fully transparent and fair.

9. Reporting, Reviews and Benchmarking

There should be a business ethics champion who is in charge of leading the ethics
programme and reports directly to the CEO.

10. Compliance with UK Corporate Governance Code

The organisation should comply with the UK Corporate Governance Code or explain
any deviations.

Internal audit can look at the last review to see if any ethical issues/noncompliance
were mentioned and assess the impact on the organisation.

EXAMINERS’ COMMENTS
In question six we sought to test candidates on the fundamental components
of business ethics. The majority of candidates performed very effectively in
their answers, clearly describing and justifying ten key aspects that should be
covered in an internal audit.

High scoring candidates were able to provide a wide range of areas they
would cover. Popular examples included the board’s commitment,
shareholders/investors, recruitment and retention.

However, a few candidates gave very general details associated with
undertaking an internal audit rather than directly linking their answer to
business ethics. A small number of other candidates appeared to struggle with
the question set and wrote short lists of words that were not sufficiently
expanded to gain all of the available marks.

Unfortunately a few candidates also wrote long introductions and then
appeared to run out of time describing and justifying the ten key areas. This
was a shame as many clearly knew the subject area being examined.

In conclusion, the majority of students provided very thorough answers with
appropriate details and content that demonstrated a professional knowledge
of business ethics. As a result, we were broadly pleased as a number of good
results were achieved by candidates on this 20 mark question.

END
