Chartered Institute of Internal Auditors - Past paper pack
IIA Advanced Diploma Past Paper Pack
Risk Assurance and Audit Management
M3
Wednesday 28 November 2012
Afternoon session
Time allowed – 3 hours and 10 minutes
DO NOT OPEN THIS PAPER UNTIL INSTRUCTED BY THE INVIGILATOR
Candidate information and instructions
There is one question in Part A and four questions in Part B. Answer the question in Part A and any three questions in Part B on the answer sheets provided.
There are 100 marks available in this paper.
Organisations marked with an asterisk, *, are fictitious. No similarity with any real organisation is intended nor should it be inferred.
Start each question on a separate answer sheet.
Do not identify yourself in answering any questions.
Enter your candidate number, the paper number, the question number and the page number within the answer at the top of each answer sheet used.
Any plans/notes that are made for each question should only be made on official IIA exam paper. Separate answer sheets should be used for each question plan.
Clarity and logic of your answers, effective presentation and good use of English will be taken into account by the examiners when marking this paper.
Past Paper Pack
Chartered Institute of Internal Auditors
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
March 2013
PART A
There is one compulsory question in this section.
QUESTION ONE
Games4Us Ltd* is a UK company based in Manchester city centre. The company, formed in 2010, sells games and entertainment software primarily to the UK and Northern European retail markets. In the first two years of trading the company suffered significant losses, although sales forecasts for years three and four show a healthy upward trend. Despite this, the current finance director resigned and their replacement, Mike Roberts, was appointed to the board in September 2012.
Mike’s first task was to meet with the individual function heads, with the primary objective of identifying cost reduction opportunities within each function. He plans to implement a ‘doing more with less’ strategy across the company. As head of internal audit you have explained to him that the internal audit department was only established one year ago with the sole remit of providing independent assurance to the board of Games4Us. Mike fully understands this remit, but also fails to see how this approach will help him achieve his strategy.
Prepare a report for Mike Roberts in which you:
a. / Explain the additional roles that internal audit could perform for Games4Us, outside of its independent assurance remit. / 14 marks
b. / Consider the type of activities internal audit could undertake when performing the additional roles that you have explained in your answer to part (a). / 14 marks
c. / Appraise the constraints that the internal audit department might face within Games4Us when undertaking activities outside of its independent assurance remit. / 12 marks
SYLLABUS REFERENCE
3.1 internal audit roles and the constraints relating to them when working as:
- consultant/adviser
- negotiator
- facilitator
- mentor
- related to specific examples of internal audit activities designed to add value to an organisation.
MARK SCHEME
Mark schemes are not definitive and valid relevant points not listed will receive equal credit. One additional discretionary mark may be awarded if the answer is laid out in a suitable report format.
Knowl/Compr / Appli/Analy / Synth/Evalu / Total marks
a. 1 mark will be awarded for stating a role and 1 mark for explaining what this role is. / 14 / 14
b / 14 / 14
c. 1 mark for listing a constraint and 1 mark for stating why it is a constraint. / 12 / 12
Totals / 14 / 14 / 12 / 40
a.
Some examples of types of additional roles could be:
- Perform a consultant role
- Be a conduit for expressing and raising concerns e.g. Whistleblowing
- Perform a Critical friend role
- Be a Facilitator
- Be regarded as a Change agent and be respected as a catalyst for business change
- Perform a mentor role for other managers
- Be a department that leads by example, driving the right behaviours to do things right first time to reduce costs, increase efficiencies and drive the culture forward.
b.
- Reduce consultancy fees and therefore costs by undertaking ad hoc pieces of work
- Following up on whistleblowing cases and investigating them
- Review of policies and procedures and providing advice and support on the design of the controls (as a critical friend)
- Provide advice on risk and control on major projects (as a consultant or critical friend)
- As the company is relatively new it is likely to be a risk immature company. Internal Audit could arrange risk and control workshops and help embed the risk management framework
- Link Internal Audit plans to key strategic risks. Highlighting internal and external risks using SWOT & PESTLE analysis for input to strategy documents and by undertaking ongoing discussions with the executive team
- Be a grooming department for future managers and leaders. If managers spend time in Internal Audit this will assist them in obtaining a greater understanding of risk and control
- The Internal Audit department should live the IIA Professional Standards, personally demonstrating integrity and probity as well as embracing the company values.
c.
- There may be suspicion by other functions – Internal Audit is relatively new. Why are they trying to do my role as well? This could lead to lack of engagement and buy in
- There may be a conflict of interest. If Internal Audit are advising on risks and controls within projects then its independence may be compromised if the department has to undertake a formal audit review of that project at a later date. Also, if Internal Audit has been associated with a project that subsequently fails then this may affect its reputation as a credible department.
- Has the Internal Audit department got the right skills and experience to perform these additional roles? The sole remit so far was to provide a traditional role of providing independent assurance.
- If the Internal Audit department is a key conduit in whistleblowing cases what would happen if an internal auditor was subject to a whistleblowing case and who would investigate this?
- Has the Internal Audit department got the right resources to perform all of the additional roles that it could perform? As the original remit was to provide independent assurance, current resource will be matched to this task and therefore it is unlikely that resourcing plans would be matched to delivery of non core activities
- A balance is required between undertaking non core roles against the primary role of providing independent assurance. There is a risk that Internal Audit becomes part of the management process and its independence becomes compromised.
EXAMINERS’ COMMENTS
Part A On the whole Part A was not very well answered as candidates tended to only state a role that Internal Audit could provide without actually defining what the role actually was. The majority of candidates stated a role, for example mentor, facilitator or critical friend and were awarded some credit for this, however then failed to achieve higher marks as they went on to describe how this role would be undertaken with the company, which was what was required in Part B of the question. In these instances no marks were awarded.
Part B was also not very well answered with very little depth of answer being demonstrated by the majority of candidates. For example candidates discussed in general terms how Internal Audit would assist the company, such as making references to improving risks and controls or references to implementing enterprise risk management through facilitated workshops. Some credit was awarded for this; however given the question was essentially about financial risk, there were very few references in scripts to Internal Audit assisting in improvements around cost controls, budgetary processes, fraud and procurement or even discussing whether the company has too many controls or inefficient processes. Scripts could also have made reference to reviewing whether the new Finance Director’s strategy was appropriate and that the assumptions were robust or whether Internal Audit could challenge the company’s sales forecast projections. Strangely, one script referred to ‘denial of access’ risk and other candidates highlighted general IT risks and corporate social responsibility without specifically linking this back to the scenario. Some of the better scripts made reference to using CAATs to highlight possible areas of cost reduction however further marks could have been awarded if examples were given of how this could be achieved, for example by focusing on accounts payable or payroll processes.
Part C was the best answered part of the overall question with expected references made to potential impact of independence and objectivity, or lack of management co-operation due to suspicion or misunderstanding of Internal Audit’s role and remit during a ‘doing more with less’ strategy. The majority of candidates achieved this although some candidates proposed bringing in of consultants to complement Internal Audit skills and knowledge gaps (which would not be in line with the company strategy of ‘doing more with less’).
In general, it was pleasing to note that the majority of scripts were legible and therefore relatively easy to mark. Some very good scripts were received which displayed a certain level of depth and understanding and therefore answered the question set. Other scripts however discussed risk management and controls only in general terms and therefore the maximum amount of marks available were not achieved in the majority of cases. Where risk management references are made in candidates’ answers at Advanced Diploma level then these need to be explicitly referred back to the scenario material in order to gain additional marks available. Few marks (if any) are awarded for generic or text book answers at this level.
PART B
There are four questions in this section. Answer any three questions.
QUESTION TWO
Westmore Mining Plc* is a UK based multinational mining company that operates in twelve countries across three continents. The company makes payments to governments for mineral mining rights in their countries, and uses a number of foreign contractors to conduct mining operations on its behalf.
In response to recent UK legislation, the board of Westmore Mining has approved a new bribery and corruption policy for managers, staff and contractors. The company has also updated its code of ethics to show its commitment to doing business ethically.
a. / Discuss the potential impact of legal, political, ethical and reputational risks associated with bribery and corruption for Westmore Mining. / 12 marks
b. / Evaluate the role of internal audit in providing the board with assurance over the mitigation of the four categories of risk given in part (a). / 8 marks
SYLLABUS REFERENCE
2.4 Specific and topical risk types and their importance to different business sectors
3.7 Audit involvement in complex and sensitive organisational areas such as providing assurance on ethical and social risks
MARK SCHEME
Mark schemes are not definitive and valid relevant points not listed will receive equal credit.
Question/Part / Remember/Understand / Apply/Analyse / Evaluate/Create / Total Marks
Part a
Relevant specific examples of legal, political, ethical and reputational risks / 4 / 4
Potential impact of risks / 5 / 5
Role of risk mitigation in reducing impact of risks / 2 / 1 / 3
Part b
Audit assurance work related to risks / 2 / 3 / 5
Challenges for internal audit in providing adequate assurance / 3 / 3
Total / 4 / 7 / 9 / 20
Part a
A range of risks may be given in answers. Risks should be related to the scenario and credit will be given for relevant topical risks.
Legal, political, ethical and reputational risks and their potential impact include:
- There are often ethical and political risks specific to the countries in which Westmore Mining operates. For example, offering bribes to secure contracts may be common practice in certain countries. There may even be differences in culture within a country depending on local leadership. The challenge for Westmore is to obtain uniform behaviour despite different cultures
- The Bribery Act 2010 has made it essential for companies to develop an anti-corruption culture. For example, hospitality given to influence a foreign public official towards certain conduct may be a bribe. Westmore faces a higher legal risk in respect of this legislation as it operates in foreign markets
- There is a risk that environmental legislation may be breached by environmental disasters due to mining activities. This could lead to a serious reputational risk as was the case for BP in the Gulf of Mexico oil leak
- Legal risks can emerge due to new legislation or changes in existing legislation and there is a risk that these might be missed by the company leading to prosecution and fines for breaches of law
- The current increase in global communications and social networking means that adverse behaviour or events associated with the company in a particular country could quickly become widely known across the world. There is a political risk that the company may be known to be doing business with a government regime that is globally poorly regarded in respect of political freedoms or treatment of workers
- A current political risk is that political power changing hands in a country may lead to a loss of mining rights with a subsequent threat to business continuity
- Political instability can disrupt production, cause price instability and impact the supply chain. For example some companies in the Middle East had to close their operations for several weeks to offer expat workers the chance to repatriate during the uprisings
- There is a reputational risk in using foreign contractors and it may be difficult for the company to ensure consistent quality and standards of behaviour between contractors in different locations and countries
Risk mitigation can reduce the impact of these risks:
- The company needs to introduce proportionate procedures to prevent bribery taking into account the risk of operating in foreign markets
- Procedures should be established to ensure emerging legal risks are captured promptly in the company’s risk register
- The company should keep good records of sums paid to governments for mining rights which should help to identify any bribes or facilitation payments to foreign officials. Greater scrutiny will be required if financial reporting requirements move to country by country external reporting
- There should be rigorous selection and oversight processes for foreign contractors who should comply with the company’s code of ethics
Part b
Internal audit can undertake the following assurance work in respect of these risks:
- Audit should review the adequacy of the code of ethics and ethical policies and processes. The board can be assured by an internal audit opinion on their effectiveness in ensuring staff and contractors apply ethical values to business behaviour. Internal audit can give an opinion on the formulation of policy in this area and on how well the code of ethics and ethical policies have been communicated to foreign contractors
- The rising tide of legal regulation may be making non-executive directors more risk averse which could stifle the strategic agenda of the company. Internal audit can give assurance that legal risks are being managed effectively
- The board should be aware of the ethical aspects of the strategies they set. Ethical assurance provided by audit enables the board to be assured that the company is living up to its values
- Internal audit is experienced in working across many departments and can co-ordinate assurance evidence from external assurance providers and management. This is useful for legal, political, ethical and reputational risks which can have an impact across the company
- Audit can assess the adequacy of the company’s risk management system and advise management on its appetite and capacity for risk
- Ethical business conduct and management of reputational risk should be specifically assessed in all audit reports. There could be an audit of corporate resilience that looks at how the company protects its brand and reputation and how it learns from past negative events
There are a number of challenges for internal audit:
- Ethical assurance is a relatively new concept. Does internal audit have the required skills and is further training needed, for example in behavioural aspects?
- Internal audit needs to keep up to date on emerging legislation to assess whether the company has identified emerging legal risks. This can be a challenge for audit, particularly if there is no legal expertise
- There may be reputational damage for internal audit if it fails to identify inadequate risk mitigation that leads to a serious loss of reputation for the company, for example internet exposure of illegal dealings with a certain country
EXAMINERS’ COMMENTS
Overall Question 2 was well answered by the 33 who attempted it with candidates demonstrating a good knowledge of specific and relevant risks related to the scenario. Many candidates showed knowledge of the recent Bribery Act 2010 and its implications for Westmore Mining plc. A few high quality answers showed a good understanding of the impact of social media on risks stated in the question.