
Chapter 11: Risk Management

At a glance
The key takeaways are that risk management is important for effective corporate governance and involves identifying, analyzing, and controlling risks. It also includes risk planning, assessing risks, developing risk handling options, and monitoring risks.

The basic principles of risk management according to ISO are that it should create value, address uncertainty and assumptions, be an integral part of organizational processes and decision making, be dynamic and responsive to change, enable continual improvement, and be systematic and structured.

The steps involved in the risk management process according to ISO 31000 are establishing the context, identifying potential risks, assessing risks, and developing options for treating risks.

CHAPTER 11: RISK MANAGEMENT

INTRODUCTION

Effective corporate governance cannot be attained without the organization mastering the art of
risk management. Risk management is recognized as one of the most important competencies
needed by the boards of directors of modern organizations, large as well as small and
medium-sized business firms. The levels of risk faced by business firms have increased
because of the fast-growing sophistication of organizations, globalization, modern technology
and the impact of corporate scandals. Therefore, in addition to compliance with legal
requirements, top management should consider adequate knowledge of risk management.

RISK MANAGEMENT DEFINED

Risk management is the process of measuring or assessing risk and developing strategies to
manage it. Risk management is a systematic approach to identifying, analyzing and controlling
areas or events with a potential for causing unwanted change. Risk management is the act or
practice of controlling risk. It includes risk planning, assessing risk areas, developing risk
handling options, monitoring risks to determine how risks have changed and documenting
the overall risk management program.

As defined by the International Organization for Standardization (ISO 31000), risk management
is the identification, assessment, and prioritization of risks followed by coordinated and
economical application of resources to minimize, monitor and control the probability and/or
impact of unfortunate events and to maximize the realization of opportunities.

It is through risk management that risks to any specific program are assessed and
systematically managed to reduce risk to an acceptable level. Risks can come from uncertainty
in financial markets, project failures, legal liabilities, credit risks, accidents, natural causes
and disasters, as well as deliberate attacks from an adversary or events of uncertain or
unpredictable root cause.

BASIC PRINCIPLES OF RISK MANAGEMENT


The International Organization for Standardization (ISO) identifies the basic principles of risk
management.

Risk management should:

1. create value - resources spent to mitigate risk should be less than the consequence of
inaction, i.e., the benefits should exceed the costs
2. address uncertainty and assumptions
3. be an integral part of the organizational processes and decision-making
4. be dynamic, iterative, transparent, tailorable, and responsive to change
5. create capability of continual improvement and enhancement considering the best available
information and human factors
6. be systematic, structured and continually or periodically reassessed

PROCESS OF RISK MANAGEMENT


According to the standard ISO 31000, "Risk Management Principles and Guidelines on
Implementation," the process of risk management consists of several steps as follows:

1. Establishing the Context. This will involve:
   a. Identification of risk in a selected domain of interest.
   b. Planning the remainder of the process.
   c. Mapping out the following:
      i. the social scope of risk management
      ii. the identity and objectives of stakeholders
      iii. the basis upon which risks will be evaluated, constraints
   d. Defining a framework for the activity and an agenda for identification.
   e. Developing an analysis of risks involved in the process.
   f. Mitigation or solution of risks using available technological, human and organizational
      resources.

2. Identification of potential risks. Risk identification can start with the analysis of the source
of the problem or with the analysis of the problem itself. Common risk identification methods are:
   a. Objective-based risk
   b. Scenario-based risk
   c. Taxonomy-based risk
   d. Common-risk checking
   e. Risk charting

3. Risk assessment. Once risks have been identified, their potential severity of impact and the
probability of occurrence must be assessed. The assessment process is critical to make the
best educated decisions in prioritizing the implementation of the risk management plan.

ELEMENTS OF RISK MANAGEMENT


In practice, the process of assessing overall risks can be difficult, and balancing the resources
used to mitigate risks with a high probability of occurrence but lower loss against those with
high loss but lower probability of occurrence can often be mishandled. Ideal risk management
should minimize spending of manpower or other resources while at the same time minimizing
the negative effect of risks.

For the most part, the performance of assessment methods should consist of the following
elements:
1. identification, characterization, and assessment of threats
2. assessment of the vulnerability of critical assets to specific threats
3. determination of the risk (i.e. the expected likelihood and consequences of specific types of
attacks on specific assets)
4. identification of ways to reduce those risks
5. prioritization of risk reduction measures based on a strategy

RELEVANT RISK TERMINOLOGIES

I. Risks Associated With Investments


Although a single risk premium must compensate the investor for all the uncertainty associated
with the investment, numerous factors may contribute to investment uncertainty. The factors
usually considered with respect to investments are:
• business risk
• financial risk
• liquidity risk
• default risk
• interest rate risk
• management risk
• purchasing power risk

BUSINESS RISK
Business risk refers to the uncertainty about the rate of return caused by the nature of the
business. The most frequently discussed causes of business risk are uncertainty about the
firm's sales and operating expenses. Clearly, the firm's sales are not guaranteed and will
fluctuate as the economy fluctuates or the nature of the industry changes. A firm's income is
also related to its operating expenses. If all operating expenses are variable, then sales volatility
will be passed directly to operating income. Most firms, however, have some fixed operating
expenses (for example, depreciation, rent, salaries). These fixed expenses cause the operating
income to be more volatile than sales. Business risk is related to sales volatility as well as to the
operating leverage of the firm caused by fixed operating expenses.

DEFAULT RISK
Default risk is related to the probability that some or all the initial investment will not be returned.
The degree of default risk is closely related to the financial condition of the company issuing the
security and the security's rank in claims on assets in the event of default or bankruptcy. For
example, if a bankruptcy occurs, creditors, including bondholders have a claim on assets prior
to the claim of ordinary equity shareholders.

FINANCIAL RISK
The firm's capital structure or sources of financing determine financial risk. If the firm is all equity
financed, then any variability in operating income is passed directly to net income on an equal
percentage basis. If the firm is partially financed by debt that requires fixed interest payments or
by preferred share that requires fixed preferred dividend payments, then these fixed charges
introduce financial leverage. This leverage causes net income to vary more than operating
income. The introduction of financial leverage causes the firm's lenders and its stockholders to
view their income streams as having additional uncertainty. As a result of financial leverage,
both investment groups would increase the risk premiums that they require for investing in the
firm.

INTEREST RATE RISK


Because money has time value, fluctuations in interest rates will cause the value of an
investment to fluctuate also. Although interest rate risk is most commonly associated with bond
price movements (rising interest rates cause bond prices to decline and declining interest rates
cause bond prices to rise), movements in interest rates affect almost all investment alternatives.
For example, a change in interest rates will impact the discount rate used to estimate the
present value of future cash dividends from ordinary shares. This change in the discount rate
will materially impact the analyst's estimate of the value of an ordinary share.

LIQUIDITY RISK

Liquidity risk is associated with the uncertainty created by the inability to sell the investment
quickly for cash. An investor assumes that the investment can be sold at the expected price
when future consumption is planned. As the investor considers the sale of the investment, he or
she faces two uncertainties: (1) What price will be received? (2) How long will it take to sell the
asset? An example of an illiquid asset is a house in a market with an abundance of homes
relative to the number of potential buyers. This investment may not sell for several months or
even years. Of course, if the price is reduced sufficiently, the real estate will sell, but the
investor must make a selling price concession in order for the transaction to occur.

In contrast, a government Treasury bill can be sold almost immediately with very little
concession on selling price. Such an investment can be converted to cash almost at will and for
a price very close to the price the investor expected.

The liquidity risk for ordinary equity shares is more complex. Because they are traded on
organized and active markets, ordinary equity shares can be sold quickly. Some ordinary equity
shares, however, have greater liquidity risk than others due to a thin market. A thin market
occurs when there are relatively few shares outstanding and investor trading interest is limited.
The thin market results in a large price spread (the difference between the bid price buyers are
willing to pay and the ask price sellers are willing to accept). A large spread increases the cost
of trading to the investor and thus represents liquidity risk. Investors considering the purchase of
illiquid investments (ones that have no ready market or require price concessions) will demand a
rate of return that compensates for the liquidity risk.

MANAGEMENT RISK
Decisions made by a firm's management and board of directors materially affect the risk faced
by investors. Areas affected by these decisions range from product innovation and production
methods (business risk) and financing (financial risk) to acquisitions. For example, acquisition or
acquisition-defense decisions made by the management of such firms materially affected the
risk of the holders of their companies' securities.

PURCHASING POWER RISK

Purchasing power risk is, perhaps, more difficult to recognize than the other types of risk. It is
easy to observe the decline in the price of a stock or bond, but it is often more difficult to
recognize that the purchasing power of the return you have earned on an investment has declined
(risen) as a result of inflation (deflation). It is important to remember that an investor expects
to be compensated for forgoing consumption today. If an individual is invested in
peso-denominated assets such as bonds, Treasury bills, or savings accounts during a period of
inflation, the real or inflation-adjusted rate of return will be less than the nominal or stated
rate of return. Thus, inflation erodes the purchasing power of the peso and increases investor risk.

II. Risk Associated with Manufacturing, Trading and Service Concerns

A. Market Risk
• Product Risk
  o Complexity
  o Obsolescence
  o Packaging
  o Delivery of Warranties
• Competitor Risk
  o Pricing strategy
  o Market share
  o Market strategy

B. Operations Risk
• Process Stoppage
• Health and safety
• After sales service failure
• Environmental
• Technological obsolescence
• Integrity
  o Management fund
  o Employee fund
  o Illegal acts

C. Financial Risk
• Interest rates volatility
• Foreign currency
• Derivative
• Viability

D. Business Risk
• Regulatory Change
• Reputation
• Political
• Regulatory and Legal
• Shareholder Relations
• Credit Rating
• Capital Availability
• Business Interruptions

III. Risks Associated with Financial Institutions

Financial
• Liquidity Risk
• Market Risk
  o Currency
  o Equity
  o Commodity
• Credit Risk
  o Counterparty
  o Trading
  o Commercial
    ▪ Loans
    ▪ Guarantees
• Market Liquidity Risk
  o Currency Rates
  o Interest Rates
  o Bond and Equity Prices
• Hedged Positions Risk
• Portfolio Exposure Risk
• Derivative Risk
• Accounting Information Risk
  o Completeness
  o Accuracy
• Financial Reporting Risk
  o Adequacy
  o Completeness

Non-Financial
• Operational Risk
  o Systems
    ▪ Information Processing
    ▪ Technology
  o Customer satisfaction
  o Human Resources
  o Fraud and illegal acts
  o Bankruptcy
• Regulatory Risk
  o Capital Adequacy
  o Compliance
  o Taxation
  o Changing laws and policies
• Environment Risk
  o Politics
  o Natural disasters
  o War
  o Terrorism
• Integrity Risk
  o Reputation
• Leadership Risk
  o Turnover
  o Succession

POTENTIAL RISK TREATMENTS


ISO 31000 also suggests that once risks have been identified and assessed, techniques to
manage the risks should be applied. These techniques can fall into one or more of these four
categories:
• Avoidance
• Reduction
• Sharing
• Retention

Risk Avoidance
This includes not performing an activity that could carry risk. An example would be not buying a
property or business in order not to take on the legal liability that comes with it. Avoiding risks,
however, also means losing out on the potential gain that accepting (retaining) the risk may
have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of
earning profits.

Risk Reduction
Risk reduction or optimization involves reducing the severity of the loss or the likelihood of the
loss occurring. Optimizing risks means finding a balance between the negative risk and the
benefit of the operation or activity, and between risk reduction and effort applied. Outsourcing
could be an example of risk reduction if the outsourcer can demonstrate higher capability of
managing or reducing risks.

Risk Sharing
Risk sharing means sharing with another party the burden of loss or the benefit of gain, from a
risk, and the measures to reduce a risk.

Risk Retention
Risk retention involves accepting the loss or benefit of gain from a risk when it occurs.
Self-insurance falls in this category. All risks that are not avoided are transferred or retained
by default. Also, any amount of potential loss over the amount insured is retained risk. This is
acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage
involves a substantial amount that could hinder the goals of the organization.

AREAS OF RISK MANAGEMENT

As applied to corporate finance, risk management is the technique for measuring, monitoring
and controlling the financial or operational risk on a firm's balance sheet.

The Basel II framework breaks risks into market risk (price risk), credit risk and operational risk
and also specifies methods for calculating capital requirements for each of these components.

The most commonly encountered areas of risk management include:


1. Enterprise risk management
2. Risk management activities as applied to project management
3. Risk management for megaprojects
4. Risk management of information technology
5. Risk management techniques in petroleum and natural gas

A simplified framework for an Enterprise-wide Risk Management Process follows:

SEC Requirement Relative to Enterprise Risk Management of Publicly Listed Corporation

SEC Code of Governance Recommendations 2.11 and corresponding explanation provide the
following:

"The Board should oversee that a sound enterprise risk management (ERM) framework is in
place to effectively identify, monitor, assess and manage key business risks. The risk
management framework should guide the Board in identifying units/business lines and
enterprise-level risk exposures, as well as the effectiveness of risk management strategies.

Risk management policy is part and parcel of a corporation's corporate strategy. The Board is
responsible for defining the company's level of risk tolerance and providing oversight over its
risk management policies and procedures."

Principle 12, which deals with strengthening the Internal Control System and Enterprise Risk
Management Framework, states that:

"To ensure the integrity, transparency and proper governance in the conduct of its affairs, the
company should have a strong and effective internal control system and enterprise risk
management framework."

RISK MANAGEMENT FRAMEWORK

The Board should oversee that a sound enterprise risk management (ERM) framework is in
place to effectively identify, monitor, assess and manage key business risks. The risk
management framework should guide the Board in identifying units/business lines and
enterprise-level risk exposures, as well as the effectiveness of risk management strategies.

Subject to a corporation's size, risk profile and complexity of operations, the Board should
establish a separate Board Risk Oversight Committee (BROC) that should be responsible for
the oversight of a company's Enterprise Risk Management system to ensure its functionality
and effectiveness. The BROC should be composed of at least three members, the majority of
whom should be independent directors, including the Chairman. The Chairman should not be
the Chairman of the Board or of any other committee. At least one member of the committee
must have relevant thorough knowledge and experience on risk and risk management.

Subject to its size, risk profile and complexity of operations, the company should have a
separate risk management function to identify, assess and monitor key risk exposures.

STEPS IN THE RISK MANAGEMENT PROCESS


To enhance management's competence in their oversight role on risk management, the
following steps may be followed:

1. Set up a separate risk management committee chaired by a board member.

   ▪ Creation of a risk management committee at board level will demonstrate the firm's
     commitment to adopt an integrated company-wide risk management system.

2. Ensure that a formal comprehensive risk management system is in place.

   ▪ This fully documented formal system will provide a clear vision of the board's desire for
     effective company-wide risk management as well as awareness of the risks, internal
     and external, that the company faces.

3. Assess whether the formal system possesses the necessary elements.

   ▪ The key elements that the company-wide risk management system should possess are:
     a) goals and objectives
     b) risk language identification
     c) organization structure and
     d) the risk management process documentation.

   ▪ The risk organizational structure should include formal charters, levels of authorization,
     reporting lines and job descriptions.

   ▪ The risk management process shall include the following steps:
     a) Assessment of risks: identification; determination of their source
     b) Development of action plans: reduce, avoid, retain, transfer or exploit
     c) Implementation of action plans
     d) Monitoring and reporting of risk management performance
     e) Continuous improvement of risk management capabilities

4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks
faced by the business firm.

   ▪ The risk assessment step, which includes risk identification and determination of their
     sources and measurement, represents the foundation for the rest of the procedures.
     This step is performed by responsible managers, i.e., finance officers, production
     managers, marketing managers and human resource managers.

   ▪ This process culminates in the presentation of the risk profile or risk map to the board of
     directors.

5. Assess if management has developed and implemented the suitable risk management
strategies and evaluate their effectiveness.

   ▪ The risk profile highlights all the significant possible risks identified, prioritized and
     measured by the risk management system.

   ▪ Strategies are developed to manage and resolve these identified risks. These will
     include the process, people, management feedback methodologies and systems.

   ▪ Strategies may include avoidance, reduction, transfer, exploitation and retention of risks.

6. Evaluate if management has designed and implemented risk management capabilities.

   ▪ Directors must continue to monitor and assess if management has been implementing
     designed risk management capabilities.

   ▪ Risk management capabilities include processes, people, reports, methodologies and
     technologies needed. These components should be complete and aligned for the risk
     management structure to function effectively.

7. Assess management's efforts to monitor overall company risk management performance and
to improve continuously the firm's capabilities.

   ▪ Risk management performance must be monitored on a continuing basis and the
     organization must be ready to innovate its approaches to be in line with the changing
     times.

   ▪ Monitoring is done by all concerned parties such as senior managers, process owners
     and risk owners.

   ▪ An independent reviewer can also be appointed to validate results.

8. See to it that best practices as well as mistakes are shared by all. This involves regular
communication of results and feedback to all concerned.

   ▪ There should be an open communication channel to ensure that all risk management
     participants, particularly senior management, are informed of risk incidents or threats of
     risk incidents. This will go a long way towards attaining the company's risk management
     vision.

9. Assess regularly the level of sophistication of the firm's risk management system.

10. Hire experts when needed.

CHAPTER 12
PRACTICAL GUIDELINES IN REDUCING AND MANAGING BUSINESS RISKS

Managing and reducing the enterprise-wide risk inherent in business activity is best achieved
by applying the principles and techniques appropriate to the situation.

UNDERSTAND THE NATURE OF RISK


The willingness and readiness to take personal and financial risks is a defining characteristic of
the entrepreneurial decision-maker. In the late 1990s, a study commissioned by an
internationally known accounting firm found that while in continental Europe strategies focus on
avoiding and hedging risk, Anglo-American companies view risk as an opportunity and accept
risk management as necessary to achieving their goals. In 2017, this relative attitude to risk
among European and US companies remains broadly the same, the result of long-standing
cultural experiences and history as well as recent events.

Successful businessmen and decision-makers make sure that the risks resulting from their
decisions are measured, understood and as far as possible eliminated. They also go beyond the
direct financial perspective and actively manage risk as it affects the whole organization.

Accepting that risks exist is a starting point for the other actions needed, but the most important
is to create the right climate for risk management. People need to understand why control
systems are needed; this requires communication and leadership skills so that standards and
expectations are set and clearly understood.

IDENTIFY AND PRIORITIZE RISKS

Identification of significant risks both within and outside the organization is crucial and allows
informed decisions to be made. This makes it easier to avoid unnecessary surprises. Examples
of significant risks might be the loss of a major customer, the failure of a key supplier or the
appearance of a significant competitor.

Take the human factor into account. People behave differently and inconsistently when
making decisions involving risk. They may be exuberant or diffident, overconfident or overly
concerned. They may simply overlook the issue of risk.

Risk surrounds us and continues to be with us. A former British prime minister once said: "To be
alive at all involves some risk." When identifying risks it helps to define the categories into
which they fall. This allows for a more structured analysis and reduces the chances of a risk
being overlooked. Some of the most common areas of risk affecting business are shown in
Table 12.1.

Table 12.1: Typical Areas of Organizational Risk

Financial
• Accounting decisions and practices
• Treasury risks
• Fraud
• Robustness of information management systems
• Inefficient cash management
• Inadequate insurance

Commercial
• Loss of key personnel and tacit knowledge
• Failure to comply with legal regulations or codes of practice
• Contract conditions
• Poor brand management or handling of a crisis
• Market changes

Strategic
• Marketing, pricing and market entry decisions
• Market changes affecting commercial decisions (due to customers and/or competitors)
• Political or regulatory developments
• Resource building and resource allocation decisions

Technical
• Failure of plant or equipment
• Accidental or negligent actions (such as fire, pollution, floods)

Operational
• Product or design failure, including failure to maintain supply
• Client failure
• Breakdown in labour relations
• Corporate malpractice (such as sex discrimination)
• Political change

CONSIDER THE ACCEPTABLE LEVEL OF RISK


As earlier mentioned, the usual first step is to determine the nature and extent of the risks the
business will accept. This involves assessing the likelihood of risks becoming reality and the
effect they would have if they did. Only when this is understood can measures be taken to
minimize the incidence and impact of such risks.

There is also an opportunity cost associated with risk: avoiding a risk may mean avoiding a
potentially big opportunity. People can be too cautious and risk averse even though they are
often at their best when facing the pressure of risk and deciding to take a more audacious
approach. Sometimes the greatest risk is to do nothing.

UNDERSTAND WHY RISKS BECOME REALITY


Once risks are identified they can be ranked according to their potential impact and the
likelihood of them occurring. This helps to highlight not only where things might go wrong and
what their impact would be, but also how, why and where these catalysts might be triggered.
The five most significant types of risk catalyst are as follows:

Technology. New hardware, software or system configurations can trigger risks, as can new
demands on existing information systems and technology. In early 2010, the Metro Manila
Development Authority Chair introduced a congestion charge for traffic using the centre of the
city; the greatest threat to the scheme's success (and his tenure as chair) was posed by the use
of new technology. It worked and the scheme was widely seen as a success.

Organizational change. Risks are triggered by, for example, new management structures or
reporting lines, new strategies and commercial agreements (including mergers, agency or
distribution agreements).

Processes. New products, markets and acquisitions all cause change and can trigger risks.
The disastrous launch of "New Coke" by Coca-Cola was an even bigger risk than anyone at the
company had realized; it outraged Americans who felt angry that an iconic US product was
being changed. That Coca-Cola eventually turned the situation to its advantage shows that risk
can be managed and controlled, but such success is rare.

People. Hiring new employees, losing key people, poor succession planning, or weak people
management can all create dislocation, but the main danger is behavior: everything from
laziness to fraud, exhaustion and simple human error can trigger this risk.

External factors. Changes to regulation and political, economic or social developments can all
affect strategic decisions by bringing to the surface risks that may have lain hidden. The
economic disruption caused by the sudden spread of the SARS epidemic from China to the rest
of Asia in 2003 highlights this risk.

APPLY A SIMPLE RISK MANAGEMENT PROCESS


The stages of managing the enterprise-wide risk inherent in decisions are simple.
• First, assess and analyze the risks resulting from a decision by systematically identifying
  and quantifying them.
• Second, consider how best to avoid or mitigate them.
• Third, in parallel with the second stage, take action to manage, control and monitor the
  risks.

A. Risk Assessment and Analysis


It is more difficult to assess the risks inherent in a business decision than to identify them. Risks
that lead to frequent losses, such as an increasing incidence of employee-related problems or
difficulties with suppliers, can often be solved using past experience. Unusual or infrequent
losses are harder to quantify. Risks with little likelihood of occurring in the next five
years are not important to a company focused on meeting shareholders' shorter-term
expectations. Thus, it is sensible to quantify the potential consequences of identified risks and
then define courses of action to remove or mitigate them.

Each category of risk can be mapped in terms of both likely frequency and potential impact, with
the potential consequences being ranked on a scale ranging from inconvenient to catastrophic
(see Figure 12.1).

B. Risk Management and Control

Risk should be actively managed and given a high priority across the whole organization. Risk
management procedures and techniques should be well documented, clearly communicated,
regularly reviewed and monitored. To successfully manage risks, you have to know what they
are, what factors affect them and their potential impact.

If you plot the ability to control a risk against its potential impact, as shown in Figure 12.1, you
can decide on actions either to exercise greater control over the risk or to mitigate its potential
impact. Risks falling into the top-right quadrant require urgent action, but those in the
bottom-right quadrant (total/significant control, major/critical impact) should not be ignored
because complacency, mistakes and a lack of control can turn the risk into a reality.

Table 12.1: Assessing and Mapping Risk

Once the inherent risks in a decision are understood, the priority is to exercise control. All
employees must be aware that unnecessary risk taking is unacceptable. They should
understand what the risks are, where they lie and their role in controlling them. To achieve this,
share information, prepare and communicate clear guidelines, and establish control procedures
and risk measurement systems.

Avoiding and Mitigating Risks

Start by reducing or eliminating those risks that result only in costs: the non-trading risks. These
can be thought of as the fixed costs of risk and might include property damage risks, legal and
contractual liabilities and business interruption risks. Reducing these risks can be achieved
through quality assurance programs, environmental control processes, enforcing health and
safety regulations, installing accident prevention and emergency equipment and training people
to use it, and taking security measures to prevent crime, sabotage, espionage, and threats to
people and systems. Reducing a risk may also mean that the cost of insuring against it goes
down.

Risks can be reduced or mitigated by sharing them. For example, acceptable service
agreements from vendors are essential to reducing risk. Joint ventures, licensing and agency
agreements can also be used to mitigate risk. To reduce the chances of things going wrong,
focus on the quality of what people do - doing the right things right reduces risks and costs.

Risk management relies on accurate, timely information. Management information systems
should provide details of the likely areas of risk, and the information needed to control the risks.
This information must reach the right people at the right time so that they can investigate and
take corrective action.

Create a Positive Climate for Managing Risk


Recognizing the need to manage risk is not enough. The ethos of an organization should
recognize and reward behavior that manages risk. This requires a commitment by senior
managers and the resources (including training) to match. Too often, control systems are seen
only as an additional overhead and not as something that can add value by ensuring the
effective use of assets, the avoidance of waste and the success of key decisions.

Overcoming the Fear of Risk


Everyone accepts that taking risks is needed to keep ahead of the competition. Consequently,
employees need to understand better what the real risks are, to share responsibility for the risks
being taken and to see risk as an opportunity, not a threat. Understanding how organizations
manage risk effectively is important, but managing risk is only one possible strategy. Another
approach is to look for ways to use the risk to achieve success by adding value or outstripping
competitors - or both. To do this, organizations need to stop taking the fun out of risk by
controlling it in ways that are perceived as bureaucratic and stifling. Risk is both desirable and
necessary. It provides opportunities to learn and develop and compels people to improve and
effectively meet the challenge of change.

C. Controlling and Monitoring Enterprise-Wide Risk


The following questions, when answered truthfully and positively, will assist managers in deciding
how to manage the risks that confront the business enterprise.
• Where are the greatest areas of risk relating to the most significant strategic decisions?
• What level of risk is acceptable for the company to bear?
• What are the potentially disclosing events that could inflict the greatest damage on your
organization?
• What are the risks inherent in the organization's strategic decisions, and what is the
organization's ability to reduce their incidence and impact on the business?
• What is the overall level of exposure to risk? Has this been assessed and is it being
actively monitored?
• What are the costs and benefits of operating effective risk management controls?
• What review procedures are in place to monitor risks?
• Are the risks inherent in strategic decisions (such as acquiring a new business,
developing a new product or entering a new market) adequately understood?
• At what level in the organization are the risks actively managed? Do people fully realize
the potential consequences of their actions, and are they equipped to avoid, control or
mitigate risk?
• To what extent would the company be exposed if key staff left?
• If there have been major developments (such as a new management structure or
reporting arrangements), are the new responsibilities understood and accepted?
• Are management information systems keeping pace with demands? Are there persistent
black spots - priority areas where the system needs to be improved or overhauled?
• Do employees resent risk, or are they encouraged to view certain risks as opportunities?

PRACTICAL CONSIDERATIONS IN MANAGING AND REDUCING FINANCIAL RISK

Finance is the lifeblood of a business, heavily influencing strategies and decisions at every
level.

Many managers find it difficult to get to grips with financial issues and, as the 2008 global
financial crisis revealed, many lost touch with basic financial ground rules.

Profitability, cash flow, long-term shareholder value and risk all need to be considered when
setting and reviewing strategy. This section provides practical guidance about financial
decisions and explains how to:
• improve profitability;
• avoid pitfalls in making financial decisions;
• reduce financial risk.

Improving Profitability.
Entrepreneurial flair and financial rigour are as much about attitude as skill. Nonetheless, certain
skills will ensure that decisions are focused on commercial success.

A. Variance Analysis
Interpreting the differences between actual and planned performance is crucial. Variance
analysis is used to monitor and manage the results of past decisions, assess the current
situation and highlight solutions.

Common causes of variances include inefficiency, poor or flawed planning (for example, relying
on historically inaccurate information), poor communication, interdependence between
departments and random factors. Every business should use variance analysis, but in a practical,
pragmatic and cost-effective way.

B. Assessment of Market Entry and Exit Barriers


How easy or difficult it is to either enter or leave a market is crucial in strategic decision-making.
Entry barriers include the need to compete with businesses that enjoy economies of scale, or
established, differentiated products.

Other barriers include capital requirements, access to distribution channels, factors independent
of scale (such as technology or location) and regulatory requirements. When markets are
difficult or costly for competitors to enter and relatively easy and affordable to leave, firms can
achieve high, stable returns, while still being able to leave for other opportunities. Consider
where the barriers to entry lie for your market sector, how vulnerable you are to new entrants,
and whether you can strengthen and entrench your market position.

C. Break-even Analysis
The break-even point is when sales cover costs, where neither a profit nor a loss is made. It is
calculated by dividing the costs of the project by the gross profit at specific dates, making sure
to allow for overhead costs. Break-even analysis (cost-volume-profit or CVP analysis) is used to
decide whether to continue developing a product, alter the price, provide or adjust a discount, or
change suppliers to reduce costs. It also helps in managing the sales mix, cost structure and
production capacity, as well as in forecasting and budgeting.

D. Controlling Costs
To control costs:

Focus on the big items of expenditure. Categorize costs into major or peripheral items.
Often, undue emphasis is given to the 80% of activities accounting for 20% of costs.

Be cost aware. Casualness is the enemy of cost control. While focusing on major items of
expenditure it may also be possible to cut the cost of peripheral items. Costs can be reduced
over the medium to long term by managers' attitudes to cost control and the effects of expenses
on cash flow.

Maintain a balance between costs and quality. Getting the best value means achieving a
balance between the price paid and the quality received.

Use budgets for dynamic financial management. Budget early so financial requirements are
known as soon as possible. Consider the best time-period for the budget - normally a year but it
depends on the type of business. Some larger firms have moved to rolling budgets, getting
managers to forecast the next 18 months every quarter. Budgets provide a starting point for
cash flow forecasts and revenues, and they also play an essential role in monitoring costs and
revenues.

Develop a positive attitude to budgeting. People need to understand, accept and use the
budget, feeling a sense of ownership and responsibility for developing, monitoring and
controlling it.

Eliminate waste. For decades, leading Japanese companies have directed much of their cost-
management efforts towards waste elimination. They achieve this by using techniques such as
process analysis, mapping and re-engineering.

Practical Techniques to Improve Profitability


Some practical techniques to improve profitability:

• Focus decision-making on the most profitable areas. Concentrating on products and
services with the best margin will protect or enhance profitability. This might involve
redirecting sales and advertising activities.

• Decide how to treat the least profitable products. These often drift, with dwindling
profitability. Turn around a poor performer (by reducing costs, raising prices, altering
discounts or changing the product) or abandon it to prevent drain on resources and
reputation. The shelf-life and appeal of the product must be considered when deciding to
continue or discontinue it.

• Make sure new products enhance overall profitability. New product development
often focuses on market need or the production process, with insufficient regard to cost,
price, sales volume and overall profitability, which are inextricably linked.

• Manage development and production decisions. The amount spent on research, as
well as the priorities and methods used, affect profitability. Too little expenditure may
increase costs in the long term.

• Set the buying policy. For example, should there be a small number of preferred
suppliers or a bidding system among a wider number of potential suppliers? Also,
consider techniques for controlling delivery charges, monitoring exchange rates,
improving quality control, reducing inventory and improving production lead times.

• Consider how to create greater value from existing customers and products to
enhance profitability. Ask:
o How can customer loyalty (and repeat purchasing) be enhanced?
o How can the sales proposition be made more competitive relative to the opposition?
o How can existing markets, sales channels, products, brand reputation and other
resources be adapted to exploit new markets and new opportunities?
o How can sales expenses be reduced?
o How can the effectiveness of marketing activities be increased?

• Consider how to increase profitability by managing people. Successful leadership is
a prerequisite for profitability. People need to be motivated and supported, and this implies
rewarding them fairly for their work, training and developing them, providing a clear sense of
direction, and focusing on the needs of the team, the task and the individual.

There are many techniques for assessing the likely profitability of an investment. One of the
most used is to apply discounted cash flows in evaluating capital investment programs.

Avoiding Pitfalls
Many managers have financial responsibilities and their decisions will often be influenced by or
have an impact on other parts of the business. The following principles will help avoid flawed
financial decision-making.

Financial expertise must be widely available


Every manager needs to understand why successful financial management increases profits.
People need to own their part of the financial control process, and to have the information and
expertise needed to routinely make the best financial decisions.

Consider the impact of financial decisions


Do not ignore or underestimate the wider impact of finance issues upon other departments and
decisions.

Avoid weak budgetary control


Budgets are an active tool to help make financial decisions, not merely a way to measure
performance.

Understand the impact of cash flow


Non-financial managers often ignore cash flows and the time value of money. Everyone should
be aware of the importance of cash to the organization.

Know where the risk lies.


Identifying risks and how to reduce them is crucial to successful financial decision-making. For
example, managers need to know not only where the break-even point is, but also how and
when it will be reached.

Reduce Financial Risk

Positive replies to the following questions would assist top management to manage financial
risk:

• Are the most effective and relevant performance measures in place to monitor and assess
the effectiveness of financial decisions?

• Have you analyzed key business ratios recently? How useful are your performance
indicators? What are the main issues? Are you measuring the right things?

• Is there a positive attitude to budgets and budgeting?

• Does decision-making focus on the most profitable products and services, or is it
preoccupied with peripheral issues?

• What are the least profitable parts of the organization? How will they be improved?

• Are market and customer decisions focused on improving profitability? Too often, attention is
given to non-financial objectives, such as increasing market share, without adequately considering
the financial risks and alternatives.

• How efficiently is cash managed? Do your strategic business decisions take account of cash
considerations, such as the time value of money?

CHAPTER 13
OVERVIEW OF INTERNAL CONTROL

NATURE AND PURPOSE OF INTERNAL CONTROL


Internal control is the process designed and effected by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of
the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency
of operations and compliance with applicable laws and regulations. It follows that internal control
is designed and implemented to address identified business risks that threaten the achievement
of any of these objectives.

Those objectives fall into three categories:


• Reliability of the entity's financial reporting
• Effectiveness and efficiency of operations
• Compliance with applicable laws and regulations

Whether an entity achieves its objectives relating to financial reporting and compliance is
determined by activities within the entity's control. However, achieving its objectives relating to
operations will depend not only on management's decisions but also on competitors' actions
and other factors outside the entity.

INTERNAL CONTROL SYSTEM DEFINED

Internal control system means all the policies and procedures (internal controls) adopted by the
management of an entity to assist in achieving management's objective of ensuring, as far as
practicable, the orderly and efficient conduct of its business, including adherence to management
policies, the safeguarding of assets, the prevention and detection of fraud and error, the
accuracy and completeness of the accounting records, and the timely preparation of reliable
financial information.

ELEMENTS OF INTERNAL CONTROL


Internal control structures vary significantly from one company to the next. Factors such as size
of the business, nature of operations, the geographical dispersion of its activities, and objectives
of the organization affect the specific control features of an organization. However, certain
elements or features must be present to have a satisfactory system of control in almost any
large scale

The internal control system extends beyond these matters which relate directly to the functions
of the accounting system and consists of the following components:
a. the control environment;
b. the entity's risk assessment process;
c. the information system, including the related business processes, relevant to financial
reporting, and communication;
d. control activities;
e. monitoring of controls.

A. Control Environment
The control environment means the overall attitude, awareness and actions of directors
and management regarding the internal control system and its importance in the entity. The
control environment has an effect on the effectiveness of the specific control procedures. A
strong control environment, for example, one with tight budgetary controls and an effective
internal audit function, can significantly complement specific control procedures. However, a
strong environment does not, by itself, ensure the effectiveness of the internal control system.
Factors reflected in the control environment include:
• The function of the board of directors and its committees;
• Management's philosophy and operating style;
• The entity's organizational structure and methods of assigning authority and
responsibility;
• Management's control system including the internal audit function, personnel policies
and procedures and segregation of duties.

The environment in which internal control operates has an impact on the effectiveness of the
specific control procedures. Several factors comprise the control environment, including:

1. Communication and Enforcement of Integrity and Ethical Values


Integrity and ethical values are essential elements of the internal control environment. They
affect the design, administration, and monitoring of other components of internal control. An
entity's ethical and behavioral standards and the manner in which it communicates and
reinforces them determine the entity's integrity and ethical behavior. Integrity and ethical values
include management's actions to remove or reduce incentives and temptations that might
prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the
communication of entity values and behavioral standards to personnel through policy
statements, a code of conduct, and management's example of appropriate behavior.

2. Commitment to Competence
Competence is the knowledge and skills necessary to accomplish tasks that define an
employee's job. Commitment to competence means that management considers the
competence levels for particular jobs in determining the skills and knowledge required of each
employee and that it hires employees competent to perform the tasks.

3. Participation by those Charged with Governance


An entity's control consciousness is influenced significantly by those charged with governance.
Attributes of those charged with governance include independence from management, their
experience and stature, the extent of their involvement and scrutiny of activities, the
appropriateness of their actions, the information they receive, the degree to which difficult
questions are raised and pursued with management, and their interaction with internal and
external auditors. The importance of responsibilities of those charged with governance is
recognized in codes of practice and other regulations or guidance produced for the benefit of
those charged with governance. Other responsibilities of those charged with governance include
oversight of the design and effective operation of whistle blower procedures and the process for
reviewing the effectiveness of the entity's internal control.

4. Management's Philosophy and Operating Style


This refers to management's attitude towards (a) business risk, (b) financial reporting, (c)
meeting budget, profit and other established goals which all have impact on the reliability of the
financial statements. Management's approach to taking and monitoring business risks, its
conservative or aggressive selection from alternative accounting principles, its
conscientiousness and conservatism in developing accounting estimates, and its attitude toward
information processing and the accounting function and personnel are factors that affect the
control environment.

5. Organizational Structure
The responsibilities and authorities of the various personnel within the organization should be
established in such a manner as to (1) assist the entity in meeting its goals and objectives and
(2) ensure that transactions are processed, recorded, summarized and reported in an accurate
and timely manner. Organizational structure provides the overall framework for planning,
directing and controlling operations.

6. Assignment of Authority and Responsibility


Personnel within an organization need to have a clear understanding of their responsibilities and
the rules and regulations that govern their actions. Management may develop job descriptions
and computer system documentation. It may also establish policies regarding acceptable business
practice, conflicts of interest and code of conduct.

7. Human Resources Policies and Procedures


Perhaps the most important element of an internal accounting control system is the people who
perform and execute the established policies and procedures. Personnel policies should be
adopted by the client to reasonably ensure that only capable and honest persons are hired and
retained. Policies with respect to employee selection, training, and supervision should be
adopted and implemented by the client. The selection of competent and honest personnel does
not automatically assure that errors or irregularities will not occur. However, adequate personnel
policies, coupled with the design concepts suggested earlier in this section, enhance the
likelihood that the client's policies and procedures will be followed.

B. Entity's Risk Assessment Process


Risk assessment is the "identification, analysis, and management of risks pertaining to the
preparation of financial statements". For example, risk assessment may focus on how the entity
considers the possibility of transactions not being recorded or identifies and assesses significant
estimates recorded in the financial statements.

An entity's risk assessment process is its process for identifying and responding to business
risks and the results thereof. For financial reporting purposes, the entity's risk assessment
process includes how management identifies risks relevant to the preparation of financial
statements that are presented fairly, in all material respects, in accordance with the entity's
applicable financial reporting framework, estimates their significance, assesses the likelihood of
their occurrence, and decides upon actions to manage them. For example, the entity's risk
assessment process addresses how the entity considers the possibility of unrecorded transactions
or identifies and analyzes significant estimates recorded in the financial statements. Risks
relevant to reliable financial reporting also relate to specific events or transactions.

Risks relevant to financial reporting include external and internal events and circumstances that
may occur and adversely affect an entity's ability to initiate, record, process, and report financial
data consistent with the assertions of management in the financial statements. Once risks are
identified, management considers their significance, the likelihood of their occurrence, and how
they should be managed. Management may initiate plans, programs, or actions to address
specific risks or it may decide to accept a risk because of cost or other considerations. Risks
can arise or change due to circumstances such as the following:
• Changes in operating environment. Changes in the regulatory or operating
environment can result in changes in competitive pressures and significantly different
risks.
• New personnel. New personnel may have a different focus on or understanding of
internal control.
• New or revamped information systems. Significant and rapid changes in information
systems can change the risk relating to internal control.
• Rapid growth. Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls.
• New technology. Incorporating new technologies into production processes or
information systems may change the risk associated with internal control.
• New business models, products, or activities. Entering into business areas or
transactions with which an entity has little experience may introduce new risks associated
with internal control.
• Corporate restructurings. Restructurings may be accompanied by staff reductions and
changes in supervision and segregation of duties that may change the risk associated
with internal control.
• Expanded foreign operations. The expansion or acquisition of foreign operations
carries new and often unique risks that may affect internal control, for example,
additional or changed risks from foreign currency transactions.
• New accounting pronouncements. Adoption of new accounting principles or changing
accounting principles may affect risks in preparing financial statements.

The basic concepts of the entity's risk assessment process are relevant to every entity,
regardless of size, but the risk assessment process is likely to be less formal and less structured
in small entities than in larger ones. All entities should have established financial reporting
objectives, but they may be recognized implicitly rather than explicitly in small entities.
Management may be aware of risks related to these objectives without the use of a formal
process but through direct personal involvement with employees and outside parties.

Considerations Specific to Smaller Entities


Many audits of small entities are carried out entirely by the engagement partner (who may be a sole
practitioner). In such situations, it is the engagement partner who, having personally conducted
the planning of the audit, would be responsible for considering the susceptibility of the entity's
financial statements to material misstatement due to fraud and error.

C. Information System, including the Business Processes, Relevant to Financial Reporting and
Communication

An information system consists of infrastructure (physical and hardware components), software,
people, procedures, and data. Infrastructure and software will be absent, or have less
significance, in systems that are exclusively or primarily manual. Many information systems
make extensive use of IT.

The Information System, Including Related Business Processes, Relevant to Financial Reporting

The information system relevant to financial reporting objectives, which includes the accounting
system, consists of the procedures and records designed and established to:
• Initiate, record, process, and report entity transactions (as well as events and conditions)
and to maintain accountability for the related assets, liabilities, and equity;
• Resolve incorrect processing of transactions, for example, automated suspense files and
procedures followed to clear suspense items out on a timely basis;
• Process and account for system overrides or bypasses to controls;
• Transfer information from transaction processing systems to the general ledger;
• Capture information relevant to financial reporting for events and conditions other than
transactions, such as the depreciation and amortization of assets and changes in the
recoverability of accounts receivables; and
• Ensure information required to be disclosed by the applicable financial reporting
framework is accumulated, recorded, processed, summarized and appropriately
reported in the financial statements.

Journal Entries.
An entity's information system typically includes the use of standard journal entries that are
required on a recurring basis to record transactions. Examples might be journal entries to record
sales, purchases, and cash disbursements in the general ledger, or to record accounting
estimates that are periodically made by management, such as changes in the estimate of
uncollectible accounts receivable.

An entity's financial reporting process also includes the use of non-standard journal entries to
record non-recurring, unusual transactions or adjustments. Examples of such entries include
consolidating adjustments and entries for a business combination or disposal or nonrecurring
estimates such as the impairment of an asset. In manual general ledger systems, non-standard
journal entries may be identified through inspection of ledgers, journals, and supporting
documentation. When automated procedures are used to maintain the general ledger and
prepare financial statements, such entries may exist only in electronic form and may therefore
be more easily identified through the use of computer-assisted audit techniques.

Related Business Processes


An entity's business processes are the activities designed to:
• Develop, purchase, produce, sell and distribute an entity's products and services;
• Ensure compliance with laws and regulations; and
• Record information, including accounting and financial reporting information.

Business processes result in the transactions that are recorded, processed and reported by the
information system. Obtaining an understanding of the entity's business processes, which
include how transactions are originated, assists the auditor in obtaining an understanding of the
entity's information system relevant to financial reporting in a manner that is appropriate to the
entity's circumstances.

Accordingly, an information system encompasses methods and records that:

• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.
• Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements.
• Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
• Present properly the transactions and related disclosures in the financial statements.

Communication involves providing understanding of individual roles and responsibilities
pertaining to internal control over financial reporting. It includes the extent to which personnel
understand how their activities in the financial reporting information system relate to the work of
others and the means of reporting exceptions to an appropriate higher level within the entity.
Open communication channels help ensure that exceptions are reported and acted on.
Communication takes such forms as policy manuals, accounting and financial reporting
manuals, and memoranda. Communication also can be made electronically, orally, and through
the actions of management.

Application to Small Entities


Information systems and related business processes relevant to financial reporting in small
entities are likely to be less formal than in larger entities but their role is just as significant. Small
entities with active management involvement may not need extensive descriptions of accounting
procedures, sophisticated accounting records, or written policies. Communication may be less
formal and easier to achieve in a small entity than in a larger entity due to the small entity's size
and fewer levels as well as management's greater visibility and availability.

D. Control Activities
Control activities are the policies and procedures that help ensure that management directives
are carried out, for example, that necessary actions are taken to address risks that threaten the
achievement of the entity's objectives. Control activities, whether within IT or manual systems,
have various objectives and are applied at various organizational and functional levels.

The major categories of control procedures are:


A. Performance Review

B. Information Processing Controls


1) Proper authorization of transactions and activities
2) Segregation of duties
3) Adequate documents and records
4) Safeguards over access to assets; and
5) Independent checks on performance

C. Physical controls

A brief discussion of these control procedures follows:

A. Performance Review
In a performance review, management uses accounting and operating data to assess
performance, and it then takes corrective action. Such reviews include:

• comparing actual performance (or operating results) with budgets, forecasts, prior period
performance, or competitors' data or tracking major initiatives such as cost-containment
or cost-reduction programs to measure the extent to which targets are being met.

• investigating performance indicators based on operating or financial data, such as
quantity or purchase price variances or the percentage of returns to total orders.

• reviewing functional or activity performance, such as relating the performance of a
manager responsible for a bank's consumer loans with some standard, such as
economic statistics or targets.

Personnel at various levels in an organization may make performance reviews. Performance
reviews may be used by managers for the sole purpose of making operating decisions. For
example, managers may analyze performance data and base operating decisions on them
because the data are consistent with their expectations. This type of review improves the
reliability of the data. However, when managers follow up on unexpected results determined by
a financial reporting system, performance reviews become a useful control over financial
reporting.

B. Information Processing Controls


Information processing controls are policies and procedures designed to require authorization of
transactions and to ensure the accuracy and completeness of transaction
processing. Control activities may be classified according to the scope of the system they affect.
General controls are control activities that prevent or detect errors or irregularities for all
accounting systems. General controls affect all transaction cycles and apply to information
processing as a center, hardware and systems software acquisition and maintenance, and
backup and recovery procedures. Application controls are controls that pertain to the processing of
a specific type of transaction, such as payroll, or sales and collections. These controls help
ensure that transactions occurred, are authorized, and are completely and accurately recorded
and processed. Examples of application controls include checking the arithmetical accuracy of
records, maintaining and reviewing accounts and trial balances, automated controls such as
input data and numerical sequence checks, and manual follow-up of exception reports. General
IT controls are policies and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued proper operation
of information systems. General IT controls commonly include controls over data center and
network operations; system software acquisition, change and maintenance; access security;
and application acquisition, development, and maintenance. These controls apply to mainframe,
miniframe, and end-user environments. Examples of such general IT controls are
program change controls, controls that restrict access to programs or data, controls over the
implementation of new releases of packaged software applications, and controls over system
software that restrict access to or monitor the use of system utilities that could change financial
data or records without leaving an audit trail.

Internal controls relating to the accounting system are concerned with achieving objectives such
as:

• Transactions are executed in accordance with management's general or specific
  authorization.
• All transactions and other events are promptly recorded in the correct amount, in the
  appropriate accounts and in the proper accounting period so as to permit preparation of
  financial statements in accordance with an identified financial reporting framework.
• Access to assets and records is permitted only in accordance with management's
  authorization.
• Recorded assets are compared with the existing assets at reasonable intervals and
  appropriate action is taken regarding any differences.

Control activities related to the processing of transactions may be grouped as follows: (1) proper
authorization, (2) design and use of adequate documents and records, and (3) independent
checks on performance.

1. Proper authorization of transactions and activities

As suggested earlier, authorization for the execution of transactions flows from the stockholders
to management and its subordinates. Before a transaction is entered into with another party,
certain conditions must usually be met. As part of the evaluation of the potential transaction,
documentation will be created. The auditor uses this documentation to determine whether
business transactions are properly authorized. For example, the purchase of inventory may
create a purchase order, a receiving report, and a vendor invoice. By inspecting these
documents and comparing them with company policy, the auditor may be reasonably satisfied
that a business transaction was authorized and executed in a manner consistent with company
policy.

2. Segregation of duties
An important element in designing an internal accounting control system that safeguards assets
and reasonably ensures the reliability of the accounting records is the concept of segregation
of responsibilities. No one person should be assigned duties that would allow that person to
commit an error or perpetrate fraud and to conceal the error or fraud. For example, the same
person should not be responsible for recording the cash received on account and for posting the
receipts to the accounting records.

3. Adequate documents and records

The use of adequate documents and records allows the company to obtain reasonable
assurance that all valid transactions have been recorded.

4. Access to assets
The resources of a client can be protected by the establishment of physical barriers and
appropriate policies. For example, inventories may be kept in a storeroom, or negotiable
instruments may be placed in a safe deposit box. Appropriate company policies are adopted so
that only authorized persons have access to company resources. Safeguarding of assets is
more than establishing physical barriers. A client should design its internal accounting control
system so that documents authorizing the movement of assets into an organization or out of an
organization are adequately controlled.

5. Independent checks on performance


The objective of a well-designed internal accounting control system is the adoption of
procedures that periodically compare the actual asset with its recorded balance. Regardless of
the effectiveness of an internal control system, some transactions may not be accurately
recorded, and some assets may be misappropriated. An important part of an internal accounting
control system is to determine the effectiveness of recording policies and asset access policies.
This is accomplished by periodic counts of assets by the client and comparing the counts to the
balances in the general ledger account. Examples are the count of inventory and the
preparation of monthly bank reconciliation.

C. Physical Controls
Controls that encompass:

• The physical security of assets, including adequate safeguards such as secured facilities
  over access to assets and records.
• The authorization for access to computer programs and data files.
• The periodic counting and comparison with amounts shown on control records (for
  example, comparing the results of cash, security and inventory counts with accounting
  records).

The extent to which physical controls intended to prevent theft of assets are relevant to the
reliability of financial statement preparation, and therefore the audit, depends on circumstances
such as when assets are highly susceptible to misappropriation.

The concepts underlying control activities in small entities are likely to be similar to those in
larger entities, but the formality with which they operate varies. Further, small entities may find
that certain types of control activities are not relevant because of controls applied by
management. For example, management's retention of authority for approving credit sales,
significant purchases, and drawdowns on lines of credit can provide strong control over those
activities, lessening or removing the need for more detailed control activities. An appropriate
segregation of duties often appears to present difficulties in small entities. Even companies that
have only a few employees, however, may be able to assign their responsibilities to achieve
appropriate segregation or, if that is not possible, to use management oversight of the
incompatible activities to achieve control objectives.

E. Monitoring of Controls

Monitoring, the final component of internal control, is the process that an entity uses to assess
the quality of internal control over time. Monitoring involves assessing the design and operation
of controls on a timely basis and taking corrective action as necessary. Management monitors
controls to consider whether they are operating as intended and to modify them as appropriate
for changes in conditions. In many entities, internal auditors evaluate the design and operation
of internal control and communicate information about strengths and weaknesses and
recommendations for improving internal control.

Some monitoring activities may include communications from external parties. For example,
customers implicitly corroborate sales data by paying their bills or raising questions. Also, bank
regulators, other regulators, and outside auditors may communicate about the design or
effectiveness of internal control.

Monitoring activities may include using information from communications from external parties
that may indicate problems or highlight areas in need of improvement. Customers implicitly
corroborate billing data by paying their invoices or complaining about their charges. In addition,
regulators may communicate with the entity concerning matters that affect the functioning of
internal control, for example, communications concerning examinations by bank regulatory
agencies. Also, management may consider communications relating to internal control from
external auditors in performing monitoring activities.

Application to Small Entities

Ongoing monitoring activities of small entities are more likely to be informal and are typically
performed as a part of the overall management of the entity's operations. Management's close
involvement in operations often will identify significant variances from expectations and
inaccuracies in financial data leading to corrective action to the control.
