P5
PART A
There are two compulsory questions in this section. Questions one and two
relate to the following scenario.
Robsons Plc* is a regional supermarket chain, originally serving the east Midlands. In
recent years the chain has rapidly expanded its operations further across the UK and
Ireland. This rate of growth has been quicker than the board could ever have
imagined. This has been achieved in part as the result of depressed commercial
property prices in recent years. With significant cash reserves, Robsons has been
able to purchase prime locations in many cities and towns. This approach has been
supplemented by the purchase of two retail site portfolios by acquisition of a furniture
store chain and a carpet store chain from companies that had gone into liquidation.
Despite this, the board has become concerned following a succession of recent
surprises that has left them reacting to events on a number of fronts.
The chief executive remains ambitious for further development and growth for the
company, not only through geographical expansion but also through moving into the
online shopping market. However, the recent crises have resulted in some of the
board being reluctant to take additional risks. The chief executive is keen to see the
development of a risk management methodology that will enable managers to risk
assess development and expansion options in order to take better advantage of the
opportunities available.
The chief executive also feels that the board and senior management are operating
with insufficient management information. There has been a constant succession of
localised problems, with individual store managers frantically chasing stock to meet
demand and no overall national management control. Local managers have also
implemented their own policies and processes. The chief executive realises that in
order to safely develop the company further, there is a need to establish clear
management structures, policies and company processes in order to provide the
stability and consistency required to support growth.
The chief executive also wishes to refocus efforts on highlighting the corporate social
responsibility successes of the company.
Chartered Institute of Internal Auditors - Past paper pack
QUESTION ONE
SYLLABUS REFERENCE
MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit
Total 12 8 20
4. Allocate ownership, define the risk appetite and any responses to the
inherent risk. The owner of each risk will have an appetite for how
much risk they are willing to tolerate in respect of the objective which
is the target outcome of their work. The risk owner should compare his
appetite with the inherent level of risk and implement any responses or
actions required to bring the residual risk within that level of appetite.
The risk owner may choose to Treat, Tolerate, Terminate or Transfer
the risk.
2. The ongoing need to monitor strategic risks and to make best use of
the longer horizons provided by longer term planning to manage risks
effectively rather than ignoring things that seem distant.
EXAMINERS’ COMMENTS
Candidates attempting Question 1 achieved some good marks with the majority of
candidates being able to provide a well structured answer for part (a) in particular.
With 12 marks available for part (a) this resulted in many candidates reaching close
to a pass mark before attempting part (b).
Answers provided in respect of part (b) were less confident. A significant number of
candidates simply repeated the stages described in part (a), changing their answers
only by the addition of the word ‘strategic’. However, a number of candidates
developed well-reasoned explanations of how risk management could be used
specifically in a strategic planning and strategic risk management context.
Overall, we were genuinely pleased at the quality of the majority of the answers on
this occasion.
QUESTION TWO
Given the recent failures at Robsons, one of the policies that the chief executive
wishes to introduce is a corporate social responsibility (CSR) policy.
SYLLABUS REFERENCE
MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit
a. The benefits of Robsons PLC implementing a CSR framework include, but are not
limited to the following:
b. The challenges in enhancing CSR practices include, but are not limited to the
following:
Lack of buy-in from senior management - support for any CSR initiative
may be hard to find, as there may be no perceived bottom line benefits from
CSR and there are additional costs associated. It would be essential to engage
senior management from the outset and clearly articulate the benefits of
implementing CSR, such as safeguarding brand reputation and increased
stakeholder and investor confidence.
EXAMINERS’ COMMENTS
Corporate Social Responsibility (CSR) is a key theme within corporate
governance. If ignored, or undervalued, CSR could result in serious repercussions
for any organisation, which could ultimately lead to their failure.
Part (a) of this optional question focused on candidates identifying the benefits of
introducing a CSR policy. We were pleased to see that candidates generally
identified the benefits of implementing a CSR policy, including safeguarding
brand/reputation, prevention against CSR incidents, effective supply chain
management, enhanced investment and increased employee engagement. However
the differentiation between candidates and their results came down to the evaluation
of each benefit identified. A large number of scripts simply stated the benefit and did
not elaborate, whereas candidates that scored well clearly articulated an evaluation
to help determine the significance of each benefit.
Part (b) of the question focused on an assessment of the challenges that Robsons
would face in enhancing CSR practices. The answers varied in quality, and as we
saw in part (a), the key difference in marks awarded came down to the assessment
of each challenge. A large number of candidates simply stated the challenge and did
not elaborate on the likely consequences.
Overall there were a number of good answers but these were outweighed by
answers where we felt just a little more effort and focus on the question descriptors
would have been beneficial.
PART B
There are four questions in this section. Answer any three questions.
QUESTION THREE
You are an internal auditor at a housing corporation that provides services for local
authorities across east London. A newly appointed non-executive director with a
background in financial services has raised a question about the impact of corporate
culture and the management of risks relating to it.
The head of internal audit has asked you to carry out a preliminary review in which
you:
SYLLABUS REFERENCE
MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit
Total 5 15 20
Culture is set from the top of the organisation: established by the board (vision),
promoted by the CEO (strategy), demonstrated by the senior management
(example), adhered to by all employees (action).
Vision and values, mission to enhance life chances with focus on users of
social housing
Objective setting for individuals in line with vision and goals of corporation
Culture of openness not secrecy, transparency not cover up, honesty not
denial,
EXAMINERS’ COMMENTS
This proved to be an unpopular optional question, despite culture being a topical area
of interest in respect of corporate governance and risk management. Candidates
produced a range of key components for corporate culture based on different models
with varying relevance. Credit was given for points made that were clearly linked to
the cultural element of the question set.
A number of answers would have benefited from further expansion to develop the
relevance of the points given. The use of bullet pointed notes instead of complete
sentences often resulted in the logical connections being inferred rather than stated.
In many cases, the connection to the terms of the question was not always clear.
Finally we were disappointed to see that a few candidates identified the absence of
the component of corporate culture as the risk and implementing it as the mitigation.
This led to repetition in the two parts of the question and a circular argument in part
(b).
Overall this question was not answered as well as we had hoped, and given its
relevance and topicality we will undoubtedly revisit the issue of culture again in the
future.
QUESTION FOUR
You are a senior internal auditor within a listed UK company, where the chief
executive and chair roles are currently being exercised by one individual.
The chair of the audit committee has sought your advice on this arrangement and
a. Explain what good practice suggests about an individual holding both
the chief executive and chair roles in a listed UK company. (6 marks)
b. Identify the risks the company faces in maintaining the dual role of
chief executive and chair. (8 marks)
SYLLABUS REFERENCE
1.1 The principles and development of corporate governance in the UK and Ireland
in public, private and not-for-profit sectors
1.2 The characteristics of good governance in public, private and not-for-profit
organisations
2.6 Practical techniques for implementing risk identification, analysis and evaluation
in an organisation including the identification of appropriate mitigation for
common risks
MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit
Total 6 8 6 20
a.
c. Comply or explain principles allow the company to explain why an individual may
hold both roles, in contradiction to the UK Corporate Governance Code. The Financial
Reporting Council issued guidance in February 2012 as to what constitutes an
explanation under 'comply or explain'.
The delivery of company results and/or objectives under the dual role holding
arrangement
An outline of the time line that the company will be in 'noncompliance' with the
code (i.e. it is not a situation that is going to run and run)
Could refer to the guidance requiring that a chief executive should not go on
to be the chairman of the same company. If the company was recently due to
lose both posts - and therefore the current situation was simply a holding
position until (e.g.) a new Chairman is appointed
The explanation may also set out how the company recognises the risks of an
individual holding both roles, and further set out how it is mitigating these
risks and what it has put in place to do so (key themes to address being the
issues of leadership, independence of the Chairman and unfettered powers/
decision making)
Reference to the salary/ rewards being paid to the individual holding both
roles
The explanation should be specific to that company
Major shareholders could be asked to discuss/raise their concerns with the
company on the arrangement - prior to the annual statement being issued.
Thus:
- Key concerns raised at this meeting could then be explicitly
referred to in the statement
- This would additionally allow the explanation to be coherent and
make sense to shareholders
Answers may also recognise that there are other stakeholders to the company - not
just shareholders who may take an interest in the dual role holding.
EXAMINERS’ COMMENTS
Overall, this question was both popular and well answered. Good well-structured
answers were, as has been noted in previous sittings, often provided together with a
short answer plan. These showed where candidates had thought through the
question briefly in advance. Answers which had clearly been planned through tended
to score very well, especially those which were able to expand on the points they
were making by referring to real examples and/or attributing their answer directly to
the context provided in the question.
A few candidates did not answer the question set but wrote general points about
corporate governance. A small number of candidates did not refer at all to The UK
Corporate Governance Code (2010 or 2012). Of those that did, quite a number
struggled to name the code correctly. Given the title of the exam paper this was
concerning.
Part (c) was the weakest answered part for several candidates. A number of
candidates delivered generic observations on what should appear in an annual
corporate governance statement without attributing the points made to the question
context.
While the question had three parts, many answers did not reflect the marking
allocation across the question. Some candidates wrote far too much on some
question parts and far too little on others. Once again, this may be an indicator of
answers that would have benefited from a short plan to enable candidates to think
through their answer before committing pens to their final answer.
QUESTION FIVE
You have recently conducted an audit on risk management in your organisation. One
of your key conclusions is that the risk management maturity of the organisation is
‘risk aware’.
Your head of internal audit has asked you to prepare a paper for the audit committee
in which you:
SYLLABUS REFERENCE
MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit.
BRIEFING PAPER
To The Audit Committee
From Internal Auditor
Date June 2014
Subject The risk maturity of the organisation and recommended internal
audit strategy
Risk maturity: The extent to which a robust risk management approach has been
adopted and applied, as planned, by management across the organisation to identify,
assess, decide on responses to and report on opportunities and threats that affect
the achievement of the organisation’s objectives.
a. The differences between risk aware and risk managed organisations can be
demonstrated in the following table:
b. The first stage in risk based internal audit (RBIA) planning is to review the
organisation’s level of risk maturity. The outcome of this assessment will determine
the approach internal audit should take to auditing risk management. The approach
will differ depending on the risk maturity of the organisation. The approach to auditing
risk management differs in the following ways:
Implementation of RBIA
Audit work
In risk aware organisations internal audit should report their assessment of the risk
maturity to management and to the audit committee. They should then provide
assurance on control processes. In risk managed organisations, internal audit
provides assurance on the risk management processes, management of key risks
and reporting of risks.
In risk aware organisations internal audit can help improve risk management and
governance processes by championing risk management throughout the internal
audit activity’s work.
Consultancy services
EXAMINERS’ COMMENTS
The vast majority of candidates demonstrated a good knowledge of risk maturity
levels, how these were related to risk management and how these impacted internal
auditing. The question was answered well, with a number of candidates achieving
high scores and a few achieving full marks.
The majority of candidates were able to contrast risk management in a risk aware
and risk managed organisation. Most candidates were able to link the maturity level
to risk based internal auditing and explain how the audit approach should differ
depending on the maturity level. Many candidates gave good examples of the type of
consultancy work that internal audit could do in both types of organisation.
In conclusion, the overall standard of the answers was good with over 90% of
candidates achieving more than 50% of the available marks. Well done!
QUESTION SIX
Business investors are keen to ensure that companies have effective ethical
practices.
Your team’s 2014 audit plan includes an internal audit of business ethics. Your head
of internal audit has asked you to prepare a paper in which you:
Describe ten key aspects that an internal audit of business ethics should
cover, and justify each aspect chosen. 20 marks
SYLLABUS REFERENCE
1.1 The principles and development of corporate governance in the UK and Ireland
in public, private and not-for-profit sectors
MARK SCHEME
Mark schemes are not definitive - valid points not listed will receive credit.
Total 10 max 10 20
Ethics in business describes the culture and behaviour within an organisation that
helps it to maintain open, honest and fair interactions with all the organisation’s
stakeholders. High ethical standards within an organisation enhance its reputation
and build commitment and trust in it. It is also good for investor confidence and
good for the long term success of the organisation.
Ten key aspects that internal audit should cover, justifying each aspect chosen:
1. Board
The board should communicate the organisation’s ethical policy and ensure that
ethical conduct is a standing item on the board’s agenda. The board must regularly
discuss ethics to show its importance to them and thus help embed it in the
organisation’s culture.
2. Leadership
The board needs to promote and demonstrate the ethical values and behaviours. If
the board does not demonstrate appropriate behaviour then values will never
become embedded in culture.
3. Business Strategy
Business strategy needs to align to ethical values. To become part of the culture,
values must underpin policy and behaviour throughout the organisation.
The board and managers should perform social impact assessments on the impact
and consequences business decisions and their implementation have on CSR.
4. Shareholders/Investors
Openness and dialogue with key stakeholders and shareholders based on mutual
understanding of objectives is vital to good ethical procedures.
5. Risk Management
6. Legislative Compliance
For example, the Bribery Act came into force in July 2011, and the Ministry of Justice
published guidance to help organisations prepare for the Act. One of the Ministry's
guidance documents sets out the six principles by which organisations should be
guided when putting in procedures to prevent bribery. The six principles are:
proportionate procedures, top-level commitment, risk assessment, due diligence,
communication (and training), and monitoring and review.
Business ethics policies set out desirable and acceptable behaviour for Directors and
employees to follow. Past corporate scandals have been directly related to unethical
and fraudulent behaviour of individuals, leaving the company exposed to legal or
regulatory action. Strong emphasis on ethics reduces this risk as employees are
clear on what is unacceptable behaviour and consequences of it. Also staff are not
afraid to speak up when they see unacceptable behaviour.
Use of staff surveys to demonstrate high employee satisfaction leading to better staff
retention and productivity.
Strong ethical stances help ensure that staff are proud to work for the company.
8. Performance Management
Reward strategies must shape the right behaviour. To embed this, individual performance
measures should promote ethics and not encourage rule bending.
The board and sub-committees should ensure that the remuneration policies
especially on senior staff bonuses are fully transparent and fair.
Internal audit can look at the last review to see if any ethical issues/noncompliance
were mentioned and assess the impact on the organisation.
EXAMINERS’ COMMENTS
In question six we sought to test candidates on the fundamental components
of business ethics. The majority of candidates performed very effectively in
their answers, clearly describing and justifying ten key aspects that should be
covered in an internal audit.
High scoring candidates were able to provide a wide range of areas they
would cover. Popular examples included the board’s commitment,
shareholders/investors, recruitment and retention.
END