Chapter 11: Risk Management
INTRODUCTION
Effective corporate governance cannot be attained without the organization mastering the art of
risk management. Risk management is recognized as one of the most important
competencies needed by the board of directors of modern organizations, large as well as small
and medium-sized business firms. The levels of risk faced by business firms have increased
because of the fast-growing sophistication of organizations, globalization, modern technology and
the impact of corporate scandals. Therefore, in addition to compliance with legal requirements, top
management should consider acquiring adequate knowledge of risk management.
Risk management is the process of measuring or assessing risk and developing strategies to
manage it. Risk management is a systematic approach to identifying, analyzing and controlling
areas or events with a potential for causing unwanted change. Risk management is the act or
practice of controlling risk. It includes risk planning, assessing risk areas, developing risk
handling options, monitoring risks to determine how risks have changed and documenting
the overall risk management program.
It is through risk management that risks to any specific program are assessed and
systematically managed to reduce risk to an acceptable level. Risks can come from uncertainty
in financial markets, project failures, legal liabilities, credit risks, accidents, natural causes and
disasters, as well as deliberate attacks from an adversary or events of uncertain or unpredictable
root cause.
1. create value - resources spent to mitigate risk should be less than the consequence of
inaction, i.e., the benefits should exceed the costs
2. address uncertainty and assumptions
3. be an integral part of the organizational processes and decision-making
4. be dynamic, iterative, transparent, tailorable, and responsive to change
5. create capability of continual improvement and enhancement considering the best available
information and human factors
6. be systematic, structured and continually or periodically reassessed
2. Identification of potential risks. Risk identification can start with the analysis of the source
of problem or with the analysis of the problem itself. Common risk identification methods are:
a. Objective-based risk
b. Scenario-based risk
c. Taxonomy-based risk
d. Common-risk checking
e. Risk charting
3. Risk assessment. Once risks have been identified, their potential severity of impact and the
probability of occurrence must be assessed. The assessment process is critical to make the
best educated decisions in prioritizing the implementation of the risk management plan.
For the most part, the performance of assessment methods should consist of the following
elements:
1. identification, characterization, and assessment of threats
2. assessment of the vulnerability of critical assets to specific threats
3. determination of the risk (i.e. the expected likelihood and consequences of specific types of
attacks on specific assets)
4. identification of ways to reduce those risks
5. prioritization of risk reduction measures based on a strategy
BUSINESS RISK
Business risk refers to the uncertainty about the rate of return caused by the nature of the
business. The most frequently discussed causes of business risk are uncertainty about the
firm's sales and operating expenses. Clearly, the firm's sales are not guaranteed and will
fluctuate as the economy fluctuates or the nature of the industry changes. A firm's income is
also related to its operating expenses. If all operating expenses are variable, then sales volatility
will be passed directly to operating income. Most firms, however, have some fixed operating
expenses (for example, depreciation, rent, salaries). These fixed expenses cause the operating
income to be more volatile than sales. Business risk is related to sales volatility as well as to the
operating leverage of the firm caused by fixed operating expenses.
DEFAULT RISK
Default risk is related to the probability that some or all the initial investment will not be returned.
The degree of default risk is closely related to the financial condition of the company issuing the
security and the security's rank in claims on assets in the event of default or bankruptcy. For
example, if a bankruptcy occurs, creditors, including bondholders, have a claim on assets prior
to the claim of ordinary equity shareholders.
FINANCIAL RISK
The firm's capital structure or sources of financing determine financial risk. If the firm is all equity
financed, then any variability in operating income is passed directly to net income on an equal
percentage basis. If the firm is partially financed by debt that requires fixed interest payments or
by preferred shares that require fixed preferred dividend payments, then these fixed charges
introduce financial leverage. This leverage causes net income to vary more than operating
income. The introduction of financial leverage causes the firm's lenders and its stockholders to
view their income streams as having additional uncertainty. As a result of financial leverage,
both investment groups would increase the risk premiums that they require for investing in the
firm.
LIQUIDITY RISK
Liquidity risk is associated with the uncertainty created by the inability to sell the investment
quickly for cash. An investor assumes that the investment can be sold at the expected price
when future consumption is planned. As the investor considers the sale of the investment, he or
she faces two uncertainties: (1) What price will be received? (2) How long will it take to sell the
asset? An example of an illiquid asset is a house in a market with an abundance of homes relative
to the number of potential buyers. This investment may not sell for several months or even
years. Of course, if the price is reduced sufficiently, the real estate will sell, but the investor must
make a selling price concession in order for the transaction to occur.
In contrast, a government Treasury bill can be sold almost immediately with very little
concession on selling price. Such an investment can be converted to cash almost at will and for
a price very close to the price the investor expected.
The liquidity risk for ordinary equity shares is more complex. Because they are traded on
organized and active markets, ordinary equity shares can be sold quickly. Some ordinary equity
shares, however, have greater liquidity risk than others due to a thin market. A thin market
occurs when there are relatively few shares outstanding and investor trading interest is limited.
The thin market results in a large price spread (the difference between the bid price buyers are
willing to pay and the ask price sellers are willing to accept). A large spread increases the cost
of trading to the investor and thus represents liquidity risk. Investors considering the purchase of
illiquid investments (ones that have no ready market or require price concessions) will demand a
rate of return that compensates for the liquidity risk.
MANAGEMENT RISK
Decisions made by a firm's management and board of directors materially affect the risk faced
by investors. Areas affected by these decisions range from product innovation and production
methods (business risk) and financing (financial risk) to acquisitions. For example, acquisition or
acquisition-defense decisions made by the management of such firms materially affected the
risk of the holders of their companies' securities.
power risk perhaps, more difficult to recognize than the other types of risk. It is easy to observe
the decline in the price of a stock or bond, but it is often more difficult to recognize that the
purchasing power of the return you have earned on an investment has declined (risen) as a
result of inflation (deflation). It is important to remember that an investor expects to be
compensated for forgoing consumption today. If an individual is invested in peso-denominated
assets such as bonds, Treasury bills, or savings accounts during the period of inflation, the real
or inflation adjusted rate of return will be less than the nominal or stated rate of return. Thus,
inflation erodes the purchasing power of the peso and increases investor risk.
A. Market Risk
Product Risk
o Complexity
o Obsolescence
o Packaging
o Delivery of Warranties
Competitor Risk
o Pricing strategy
o Market share
o Market strategy
B. Operations Risk
Process Stoppage
Health and safety
After sales service failure
Environmental
Technological obsolescence
Integrity
o Management fund
o Employee fund
o Illegal acts
C. Financial Risk
Interest rate volatility
Foreign currency
Derivative
Viability
D. Business Risk
Regulatory Change
Reputation
Political
Regulatory and Legal
Shareholder Relations
Credit Rating
Capital Availability
Business Interruptions
Financial
Liquidity Risk
Market Risk
o Currency
o Equity
o Commodity
Credit Risk
o Counterparty
o Trading
o Commercial
   Loans
   Guarantees
Market Liquidity Risk
o Currency Rates
o Interest Rates
o Bond and Equity Prices
Hedged Positions Risk
Portfolio Exposure Risk
Derivative Risk
Accounting Information Risk
o Completeness
o Accuracy
Financial Reporting Risk
o Adequacy
o Completeness
Non-Financial
Operational Risk
o Systems
   Information Processing
   Technology
o Customer satisfaction
o Human Resources
o Fraud and illegal acts
o Bankruptcy
Regulatory Risk
o Capital Adequacy
o Compliance
o Taxation
o Changing laws and policies
Environment Risk
o Politics
o Natural disasters
o War
o Terrorism
Integrity Risk
o Reputation
Leadership Risk
o Turnover
o Succession
Risk Avoidance
This involves not performing an activity that could carry risk. An example would be not buying a
property or business in order not to take on the legal liability that comes with it. Avoiding risks,
however, also means losing out on the potential gain that accepting (retaining) the risk may
have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of
earning profits.
Risk Reduction
Risk reduction or optimization involves reducing the severity of the loss or the likelihood of the
loss occurring. Optimizing risks means finding a balance between the negative risk and the
benefit of the operation or activity, and between risk reduction and effort applied. Outsourcing
could be an example of risk reduction if the outsourcer can demonstrate a higher capability in
managing or reducing risks.
Risk Sharing
Risk sharing means sharing with another party the burden of loss or the benefit of gain, from a
risk, and the measures to reduce a risk.
Risk Retention
Risk retention involves accepting the loss or benefit of gain from a risk when it occurs.
Self-insurance falls in this category. All risks that are not avoided or transferred are retained by
default. Also, any amount of potential loss over the amount insured is retained risk. This is
acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage
involves a substantial amount that could hinder the goals of the organization.
AREAS OF RISK MANAGEMENT
As applied to corporate finance, risk management is the technique for measuring, monitoring
and controlling the financial or operational risk on a firm's balance sheet.
The Basel II framework breaks risks into market risk (price risk), credit risk and operational risk
and also specifies methods for calculating capital requirements for each of these components.
SEC Code of Governance Recommendations 2.11 and corresponding explanation provide the
following:
"The Board should oversee that a sound enterprise risk management (ERM) framework is in
place to effectively identify, monitor, assess and manage key business risks. The risk
management framework should guide the Board in identifying units/business lines and
enterprise-level risk exposures, as well as the effectiveness of risk management strategies.
Risk management policy is part and parcel of a corporation's corporate strategy. The Board is
responsible for defining the company's level of risk tolerance and providing oversight over its
risk management policies and procedures."
Principle 12 which deals with strengthening the Internal Control System and Enterprise Risk
Management Framework states that
"To ensure the integrity, transparency and proper governance in the conduct of its affairs, the
company should have a strong and effective internal control system and enterprise risk
management framework."
The Board should oversee that a sound enterprise risk management (ERM) framework is in
place to effectively identify, monitor, assess and manage key business risks. The risk
management framework should guide the Board in identifying units/business lines and
enterprise-level risk exposures, as well as the effectiveness of risk management strategies.
Subject to a corporation's size, risk profile and complexity of operations, the Board should
establish a separate Board Risk Oversight Committee (BROC) that should be responsible for
the oversight of a company's Enterprise Risk Management system to ensure its functionality
and effectiveness. The BROC should be composed of at least three members, the majority of
whom should be independent directors, including the Chairman. The Chairman should not be
the Chairman of the Board or of any other committee. At least one member of the committee
must have relevant thorough knowledge and experience on risk and risk management.
Subject to its size, risk profile and complexity of operations, the company should have a
separate risk management function to identify, assess and monitor key risk exposures.
The risk organizational structure should include formal charters, levels of authorization,
reporting lines and job descriptions.
4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks
faced by the business firm.
The risk assessment step, which includes risk identification and determination of their
sources and measurement, represents the foundation for the rest of the procedures.
This step is performed by responsible managers, i.e., finance officers, production
managers, marketing managers and human resource managers.
This process culminates in the presentation of the risk profile or risk map to the board of
directors.
5. Assess if management has developed and implemented the suitable risk management
strategies and evaluate their effectiveness.
The risk profile highlights all the significant possible risks identified, prioritized and
measured by the risk management system.
Strategies are developed to manage and resolve these identified risks. These will
include the process, people, management feedback methodologies and systems.
Strategies may include avoidance, reduction, transfer, exploitation and retention of risks.
7. Assess management's efforts to monitor overall company risk management performance and
to improve continuously the firm's capabilities.
Risk management performance must be monitored on a continuing basis and
organizations must be ready to innovate their approaches to be in line with the changing
times.
Monitoring is done by all concerned parties such as senior managers, process owners
and risk owners.
An independent reviewer can also be appointed to validate results.
8. See to it that best practices as well as mistakes are shared by all. This involves regular
communication of results and feedback to all concerned.
There should be an open communication channel to ensure that all risk management
participants, particularly senior management, are informed of risk incidents or threats of risk
incidents. This will go a long way towards attaining the company's risk management
vision.
9. Assess regularly the level of sophistication of the firm's risk management system.
CHAPTER 12
PRACTICAL GUIDELINES IN REDUCING AND MANAGING BUSINESS RISKS
Accepting that risks exist is a starting point for the other actions needed, but the most important
is to create the right climate for risk management. People need to understand why control
systems are needed; this requires communication and leadership skills so that standards and
expectations are set and clearly understood.
Identification of significant risks both within and outside the organization is crucial and allows
informed decisions to be made. This makes it easier to avoid unnecessary surprises. Examples of
significant risks might be the loss of a major customer, the failure of a key supplier or the
appearance of a significant competitor.
Take the human factor into account. People behave differently and inconsistently when
making decisions involving risk. They may be exuberant or diffident, overconfident or overly
concerned. They may simply overlook the issue of risk.
Risk surrounds and continues to be with us. A former British prime minister once said: "To be
alive at all involves some risk." When identifying risks it helps to define the categories into which
they fall. This allows for a more structured analysis and reduces the chances of a risk being
overlooked. Some of the most common areas of risk affecting business are shown in Table
12.1.
There is also an opportunity cost associated with risk: avoiding a risk may mean avoiding a
potentially big opportunity. People can be too cautious and risk averse even though they are
often at their best when facing the pressure of risk, deciding to take a more audacious approach.
Sometimes the greatest risk is to do nothing.
Technology. New hardware, software or system configurations can trigger risks, as can new
demands on existing information systems and technology. In early 2010, the Metro Manila
Development Authority Chair introduced a congestion charge for traffic using the centre of the
city; the greatest threat to the scheme's success (and his tenure as chair) was posed by the use
of new technology. It worked and the scheme was widely seen as a success.
Organizational change. Risks are triggered by, for example, new management structures or
reporting lines, new strategies and commercial agreements (including mergers, agency or
distribution agreements).
Processes. New products, markets and acquisitions all cause change and can trigger risks.
The disastrous launch of "New Coke" by Coca-Cola was an even bigger risk than anyone at the
company had realized; it outraged Americans who felt angry that an iconic US product was
being changed. That Coca-Cola eventually turned the situation to its advantage shows that risk
can be managed and controlled, but such success is rare.
People. Hiring new employees, losing key people, poor succession planning, or weak people
management can all create dislocation, but the main danger is behavior: everything from
laziness to fraud, exhaustion and simple human error can trigger this risk.
External factors. Changes to regulation and political, economic or social developments can all
affect strategic decisions by bringing to the surface risks that may have lain hidden. The
economic disruption caused by the sudden spread of the SARS epidemic from China to the rest
of Asia in 2003 highlights this risk.
Each category of risk can be mapped in terms of both likely frequency and potential impact, with
the potential consequences being ranked on a scale ranging from inconvenient to catastrophic
(see Figure 12.1).
Risk should be actively managed and given a high priority across the whole organization. Risk
management procedures and techniques should be well documented, clearly communicated,
regularly reviewed and monitored. To successfully manage risks, you have to know what they
are, what factors affect them and their potential impact.
If you plot the ability to control a risk against its potential impact, as shown in Figure 12.1, you
can decide on actions either to exercise greater control over the risk or to mitigate its potential
impact. Risks falling into the top-right quadrant require urgent action, but those in the bottom-
right quadrant (total/significant control, major/critical impact) should not be ignored because
complacency, mistakes and a lack of control can turn the risk into a reality.
Table 12.1: Assessing and Mapping Risk
Once the inherent risks in a decision are understood, the priority is to exercise control. All
employees must be aware that unnecessary risk taking is unacceptable. They should
understand what the risks are, where they lie and their role in controlling them. To achieve this,
share information, prepare and communicate clear guidelines, and establish control procedures
and risk measurement systems.
Start by reducing or eliminating those risks that result only in costs: the non-trading risks. These
can be thought of as the fixed costs of risk and might include property damage risks, legal and
contractual liabilities and business interruption risks. Reducing these risks can be achieved
through quality assurance programs, environmental control processes, enforcing health and
safety regulations, installing accident prevention and emergency equipment and training people
to use it, and taking security measures to prevent crime, sabotage, espionage, and threats to
people and systems. Reducing a risk may also mean that the cost of insuring against it goes
down.
Risks can be reduced or mitigated by sharing them. For example, acceptable service
agreements from vendors are essential to reducing risk. Joint ventures, licensing and agency
agreements can also be used to mitigate risk. To reduce the chances of things going wrong,
focus on the quality of what people do - doing the right things right reduces risks and costs.
Finance is the lifeblood of a business, heavily influencing strategies and decisions at every
level.
Many managers find it difficult to get to grips with financial issues and, as the 2008 global
financial crisis revealed, many lost touch with basic financial ground rules.
Profitability, cash flow, long-term shareholder value and risk all need to be considered when
setting and reviewing strategy. This section provides practical guidance about financial
decisions and explains how to:
improve profitability;
avoid pitfalls in making financial decisions;
reduce financial risk.
Improving Profitability.
Entrepreneurial flair and financial rigour are as much about attitude as skill. Nonetheless, certain
skills will ensure that decisions are focused on commercial success.
A. Variance Analysis
Interpreting the differences between actual and planned performance is crucial. Variance
analysis is used to monitor and manage the results of past decisions, assess the current
situation and highlight solutions.
Common causes of variances include inefficiency, poor or flawed planning (for example, relying
on historically inaccurate information), poor communication, interdependence between
departments and random factors. Every business should use variance analysis, but in a practical,
pragmatic and cost-effective way.
Other barriers include capital requirements, access to distribution channels, factors independent
of scale (such as technology or location) and regulatory requirements. When markets are
difficult or costly for competitors to enter and relatively easy and affordable to leave, firms can
achieve high, stable returns, while still being able to leave for other opportunities. Consider
where the barriers to entry lie for your market sector, how vulnerable you are to new entrants,
and whether you can strengthen and entrench your market position.
C. Break-even Analysis
The break-even point is when sales cover costs, where neither a profit nor a loss is made. It is
calculated by dividing the costs of the project by the gross profit at specific dates, making sure
to allow for overhead costs. Break-even analysis (cost-volume-profit or CVP analysis) is used to
decide whether to continue developing a product, alter the price, provide or adjust a discount, or
change suppliers to reduce costs. It also helps in managing the sales mix, cost structure and
production capacity, as well as in forecasting and budgeting.
D. Controlling Costs
To control costs:
Focus on the big items of expenditure. Categorize costs into major or peripheral items.
Often, undue emphasis is given to the 80% of activities accounting for 20% of costs.
Be cost aware. Casualness is the enemy of cost control. While focusing on major items of
expenditure it may also be possible to cut the cost of peripheral items. Costs can be reduced
over the medium to long term by managers' attitudes to cost control and the effects of expenses
on cash flow.
Maintain a balance between costs and quality. Getting the best value means achieving a
balance between the price paid and the quality received.
Use budgets for dynamic financial management. Budget early so financial requirements are
known as soon as possible. Consider the best time-period for the budget - normally a year but it
depends on the type of business. Some larger firms have moved to rolling budgets, getting
managers to forecast the next 18 months every quarter. Budgets provide a starting point for
cash flow forecasts and revenues, and they also play an essential role in monitoring costs and
revenues.
Develop a positive attitude to budgeting. People need to understand, accept and use the
budget, feeling a sense of ownership and responsibility for developing, monitoring and
controlling it.
Eliminate waste. For decades, leading Japanese companies have directed much of their cost-
management efforts towards waste elimination. They achieve this by using techniques such as
process analysis, mapping and re-engineering.
Decide how to treat the least profitable products. These often drift, with dwindling
profitability. Turn around a poor performer (by reducing costs, raising prices, altering
discounts or changing the product) or abandon it to prevent drain on resources and
reputation. The shelf-life and appeal of the product must be considered when deciding to
continue or discontinue it.
Make sure new products enhance overall profitability. New product development
often focuses on market need or the production process, with insufficient regard to cost,
price, sales volume and overall profitability, which are inextricably linked.
Set the buying policy. For example, should there be a small number of preferred
suppliers or a bidding system among a wider number of potential suppliers? Also,
consider techniques for controlling delivery charges, monitoring exchange rates,
improving quality control, reducing inventory and improving production lead times.
Consider how to create greater value from existing customers and products to
enhance profitability. Ask:
o How can customer loyalty (and repeat purchasing) be enhanced?
o How can the sales proposition be made more competitive relative to the opposition?
o How can existing markets, sales channels, products, brand reputation and other
resources be adapted to exploit new markets and new opportunities?
o How can sales expenses be reduced?
o How can effectiveness of marketing activities be increased?
There are many techniques for assessing the likely profitability of an investment. One of the
most used is to apply discounted cash flows in evaluating capital investment programs.
Avoiding Pitfalls
Many managers have financial responsibilities and their decisions will often be influenced by or
have an impact on other parts of the business. The following principles will help avoid flawed
financial decision-making.
Reduce Financial Risk
Positive replies to the following questions would assist top management to manage
financial risk:
Are the most effective and relevant performance measures in place to monitor and assess
the effectiveness of financial decisions?
Have you analyzed key business ratios recently? How useful are your performance
indicators? What are the main issues? Are you measuring the right things?
What are the least profitable parts of the organization? How will they be improved?
Are market and customer decisions focused on improving profitability? Too often, attention is
given to non-financial objectives, such as increasing market share, without adequately considering
the financial risks and alternatives.
How efficiently is cash managed? Do your strategic business decisions take account of cash
considerations, such as the time value of money?
CHAPTER 13
OVERVIEW OF INTERNAL CONTROL
Whether an entity achieves its objectives relating to financial reporting and compliance is
determined by activities within the entity's control. However, achieving its objectives relating to
operations will depend not only on management's decisions but also on competitors' actions
and other factors outside the entity.
INTERNAL CONTROL SYSTEM DEFINED
Internal control system means all the policies and procedures (internal controls) adopted by the
management of an entity to assist in achieving management's objective of ensuring, as far as
practicable, the orderly and efficient conduct of its business, including adherence to management
policies, the safeguarding of assets, the prevention and detection of fraud and error, the
accuracy and completeness of the accounting records, and the timely preparation of reliable
financial information.
The internal control system extends beyond these matters which relate directly to the functions
of the accounting system and consists of the following components:
a. the control environment;
b. the entity's risk assessment process;
c. the information system, including the related business processes, relevant to financial
reporting, and communication;
d. control activities;
e. monitoring of controls.
A. Control Environment
The control environment means the overall attitude, awareness and actions of directors
and management regarding the internal control system and its importance in the entity. The
control environment has an effect on the effectiveness of the specific control procedures. A
strong control environment, for example, one with tight budgetary controls and an effective
internal audit function, can significantly complement specific control procedures. However, a
strong environment does not, by itself, ensure the effectiveness of the internal control system.
Factors reflected in the control environment include:
The function of the board of directors and its committees;
Management's philosophy and operating style;
The entity's organizational structure and methods of assigning authority and
responsibility;
Management's control system including the internal audit function, personnel policies
and procedures and segregation of duties.
The environment in which internal control operates has an impact on the effectiveness of the
specific control procedures. Several factors comprise the control environment, including:
2. Commitment to Competence
Competence is the knowledge and skills necessary to accomplish tasks that define an
employee's job. Commitment to competence means that management considers the
competence levels for particular jobs in determining the skills and knowledge required of each
employee and that it hires employees competent to perform the tasks.
5. Organizational Structure
The responsibilities and authorities of the various personnel within the organization should be
established in such a manner as to (1) assist the entity in meeting its goals and objectives and
(2) ensure that transactions are processed, recorded, summarized and reported in an accurate
and timely manner. Organizational structure provides the overall framework for planning,
directing and controlling operations.
An entity's risk assessment process is its process for identifying and responding to business
risks and the results thereof. For financial reporting purposes, the entity's risk assessment
process includes how management identifies risks relevant to the preparation of financial
statements that are presented fairly, in all material respects in accordance with the entity's
applicable financial reporting framework, estimates their significance, assesses the likelihood of
their occurrence, and decides upon actions to manage them. For example, the entity's risk
assessment process addresses how the entity considers the possibility of unrecorded transactions
or identifies and analyzes significant estimates recorded in the financial statements. Risks
relevant to reliable financial reporting also relate to specific events or transactions.
Risks relevant to financial reporting include external and internal events and circumstances that
may occur and adversely affect an entity's ability to initiate, record, process, and report financial
data consistent with the assertions of management in the financial statements. Once risks are
identified, management considers their significance, the likelihood of their occurrence, and how
they should be managed. Management may initiate plans, programs, or actions to address
specific risks or it may decide to accept a risk because of cost or other considerations. Risks
can arise or change due to circumstances such as the following:
Changes in operating environment. Changes in the regulatory or operating
environment can result in changes in competitive pressures and significantly different
risks.
New personnel. New personnel may have a different focus on or understanding of
internal control.
New or revamped information systems. Significant and rapid changes in information
systems can change the risk relating to internal control.
Rapid growth. Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls.
New technology. Incorporating new technologies into production processes or
information systems may change the risk associated with internal control.
New business models, products, or activities. Entering into business areas or
transactions with which an entity has little experience may introduce new risks
associated with internal control.
Corporate restructurings. Restructurings may be accompanied by staff reductions and
changes in supervision and segregation of duties that may change the risk associated
with internal control.
Expanded foreign operations. The expansion or acquisition of foreign operations
carries new and often unique risks that may affect internal control, for example,
additional or changed risks from foreign currency transactions.
New accounting pronouncements. Adoption of new accounting principles or changing
accounting principles may affect risks in preparing financial statements.
The basic concepts of the entity's risk assessment process are relevant to every entity,
regardless of size, but the risk assessment process is likely to be less formal and less structured
in small entities than in larger ones. All entities should have established financial reporting
objectives, but they may be recognized implicitly rather than explicitly in small entities.
Management may be aware of risks related to these objectives without the use of a formal
process but through direct personal involvement with employees and outside parties.
An entity's financial reporting process also includes the use of non-standard journal entries to
record non-recurring, unusual transactions or adjustments. Examples of such entries include
consolidating adjustments and entries for a business combination or disposal or nonrecurring
estimates such as the impairment of an asset. In manual general ledger systems, non-standard
journal entries may be identified through inspection of ledgers, journals, and supporting
documentation. When automated procedures are used to maintain the general ledger and
prepare financial statements, such entries may exist only in electronic form and may therefore
be more easily identified through the use of computer-assisted audit techniques.
Business processes result in the transactions that are recorded, processed and reported by the
information system. Obtaining an understanding of the entity's business processes, which
include how transactions are originated, assists the auditor in obtaining an understanding of the
entity's information system relevant to financial reporting in a manner that is appropriate to the
entity's circumstances.
D. Control Activities
Control activities are the policies and procedures that help ensure that management directives
are carried out, for example, that necessary actions are taken to address risks that threaten the
achievement of the entity's objectives. Control activities, whether within IT or manual systems,
have various objectives and are applied at various organizational and functional levels.
C. Physical controls
A brief discussion of these control procedures follows:
A. Performance Review
In a performance review, management uses accounting and operating data to assess
performance, and it then takes corrective action. Such reviews include:
comparing actual performance (or operating results) with budgets, forecasts, prior period
performance, or competitors' data or tracking major initiatives such as cost-containment
or cost-reduction programs to measure the extent to which targets are being met.
Internal controls relating to the accounting system are concerned with achieving objectives such
as:
Transactions are executed in accordance with management's general or specific
authorization.
All transactions and other events are promptly recorded in the correct amount, in the
appropriate accounts and in the proper accounting period so as to permit preparation of
financial statements in accordance with an identified financial reporting framework.
Recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken regarding any differences.
Control activities related to the processing of transactions may be grouped as follows: (1) proper
authorization, (2) design and use of adequate documents and records, and (3) independent
checks on performance.
As suggested earlier, authorization for the execution of transactions flows from the stockholders
to management and its subordinates. Before a transaction is entered into with another party,
certain conditions must usually be met. As part of the evaluation of the potential transaction,
documentation will be created. The auditor uses this documentation to determine whether
business transactions are properly authorized. For example, the purchase of inventory may
create a purchase order, a receiving report, and a vendor invoice. By inspecting these
documents and comparing them with company policy, the auditor may be reasonably satisfied
that a business transaction was authorized and executed in a manner consistent with company
policy.
2. Segregation of duties
An important element in designing an internal accounting control system that safeguards assets
and reasonably ensures the reliability of the accounting records is the concept of segregation of
responsibilities. No one person should be assigned duties that would allow that person to
commit an error or perpetrate fraud and to conceal the error or fraud. For example, the same
person should not be responsible for recording the cash received on account and for posting the
receipts to the accounting records.
4. Access to assets
The resources of a client can be protected by the establishment of physical barriers and
appropriate policies. For example, inventories may be kept in a storeroom, or negotiable
instruments may be placed in a safe deposit box. Appropriate company policies are adopted so
that only authorized persons have access to company resources. Safeguarding of assets is
more than establishing physical barriers. A client should design its internal accounting control
system so that documents authorizing the movement of assets into an organization or out of an
organization are adequately controlled.
C. Physical Controls
Controls that encompass:
The physical security of assets, including adequate safeguards such as secured facilities
over access to assets and records.
The periodic counting and comparison with amounts shown on control records (for
example, comparing the results of cash, security and inventory counts with accounting
records).
The extent to which physical controls intended to prevent theft of assets are relevant to the
reliability of financial statement preparation, and therefore the audit, depends on circumstances
such as when assets are highly susceptible to misappropriation.
The concepts underlying control activities in small entities are likely to be similar to those in
larger entities, but the formality with which they operate varies. Further, small entities may find
that certain types of control activities are not relevant because of controls applied by
management. For example, management's retention of authority for approving credit sales,
significant purchases, and drawdowns on lines of credit can provide strong control over those
activities, lessening or removing the need for more detailed control activities. An appropriate
segregation of duties often appears to present difficulties in small entities. Even companies that
have only a few employees, however, may be able to assign their responsibilities to achieve
appropriate segregation or, if that is not possible, to use management oversight of the
incompatible activities to achieve control objectives.
E. Monitoring of Controls
Monitoring, the final component of internal control, is the process that an entity uses to assess
the quality of internal control over time. Monitoring involves assessing the design and operation
of controls on a timely basis and taking corrective action as necessary. Management monitors
controls to consider whether they are operating as intended and to modify them as appropriate
for changes in conditions. In many entities, internal auditors evaluate the design and operation
of internal control and communicate information about strengths and weaknesses and
recommendations for improving internal control.
Some monitoring activities may include communications from external parties. For example,
customers implicitly corroborate sales data by paying their bills or raising questions. Also, bank
regulators, other regulators, and outside auditors may communicate about the design or
effectiveness of internal control.
Monitoring activities may include using information from communications from external parties
that may indicate problems or highlight areas in need of improvement. Customers implicitly
corroborate billing data by paying their invoices or complaining about their charges. In addition,
regulators may communicate with the entity concerning matters that affect the functioning of
internal control, for example, communications concerning examinations by bank regulatory
agencies. Also, management may consider communications relating to internal control from
external auditors in performing monitoring activities.