B – QUESTIONS
1. If the internal audit department did not report directly to the Audit Committee, but to the CFO, what kind of issues would this raise in your mind? Is this something that you would support? Can you cite specific examples?
2. Is it important that internal audit annually reviews the company's risk management function? What advice would you provide to a head of internal audit who was not performing such a review? Have you seen any examples where internal audit has conducted such reviews, and if not, why do you think this is the case?
3. In many companies, it is typical for internal audit to itself perform a risk assessment which it will use for audit planning and execution purposes. Do you have any thoughts on what you see as the pitfalls in this? What is the ideal situation in a company?
4. Is it appropriate that internal audit provides an opinion on the integrity of work performed by the external auditors, as in the JAA case, and what do you see as pitfalls where internal audit does not do this? Should internal audit be asked to opine on the performance by the external auditors, when in fact not too long ago external auditors were the ones providing an opinion on internal audit performance?
5. What specific characteristics differentiate this external audit function from those you have seen over the past several years? How do you envision external audit fitting into JAA's overall risk management system?
6. If JAA were not using ISO 31000 and HB 436, but instead were using the COSO ERM framework as well as the new COSO internal controls framework, what challenges do you think the company would face in trying to roll out a credible program? Do you think they could be as successful? Support your opinion.
7. Would you consider using alternative internal control frameworks and if so, which ones?
8. Suppose the board decided that they did not need to monitor the risks at all and that this could be delegated down to the CEO. What problems do you see occurring in the future?
9. Evaluate the different risk identification and analysis methods being used by JAA, and compare them with other methods you are aware of that are not being used. Support your opinion on this subject matter.
10. Suppose that JAA did not have a formal system of risk management using ISO 31000. Do you think it is possible that they could still be doing an excellent job at managing their business risks? Please support your opinion in this regard.
11. How would the board measure the success of their risk management?
12. How would the Compensation Committee use risk management in the company's reward and compensation process?