An internal auditor is conducting an assessment of the organization's fraud prevention program using the COSO enterprise risk management framework. According to this framework, which of the following activities would fall under the control environment component for preventing fraud?

1. The organization uses an automated authority approval matrix to control payments.

2. The organization has a whistleblower hotline that is available to employees.

3. Annually, every manager completes a comprehensive fraud assessment of his or her department.

4. Annually, the organization reviews and communicates the code of expected behavior.