ATC F8 materials FF8 AA (Int)Session08 j08

Academic year: 2019

OVERVIEW

Objective

• To consider the basic concepts of business risk, risk management and internal control.

UNDERSTANDING THE ENTITY

BUSINESS RISK
• Risk management
• Risk mapping
• Risks and control
• Strategies

INTERNAL CONTROL
• Overview
• Control environment
• Risk assessment procedures
• Information system
• Control activities
• Monitoring controls
• Limitations

CORPORATE GOVERNANCE REQUIREMENTS
• Introduction
• Combined Code

1 UNDERSTANDING THE ENTITY

• ISA 315 Identifying and assessing the risks of material misstatement through understanding the entity and its environment states that:

The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity's internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

• This requires the auditor to obtain an extensive understanding of the entity (though not as detailed as that required of management), its environment and its controls, in order to establish the risks of material misstatement within the financial statements and how to respond to those risks so as to reduce audit risk to an acceptable level.

• Understanding the entity and its environment gives the auditor a key understanding of the entity's objectives, strategies and business risks. Understanding those business risks, and how management deals with them (including the necessary controls), sharpens the auditor's assessment of the potential for material misstatement because, eventually, most business risks have financial consequences.

2 BUSINESS RISK

• Business risk is the risk that the entity will not be able to achieve its objectives and execute its strategies. Responsibility for monitoring and controlling business risk rests with management.

• Such risks result from the way the entity is managed, its operating environment, products, customer base, employee base, ownership, legal and regulatory regimes and the very fact that it operates in a dynamic and adaptive environment.

• Management should have risk assessment procedures in place to recognise business risks and take appropriate action (e.g. through risk management procedures and controls) to minimise their impact.

2.1 Risk management

• Any system of risk management and internal control needs to be aligned with business objectives. Business objectives, and the risks relating to those objectives, can be classified in many ways. For example, objectives may be classified as:

- effectiveness and efficiency of operations (including profitability, customer service and corporate responsibility);
- reliability of internal and external reporting (i.e. internal financial control);
- compliance with internal and external regulations.

Risks relating to those objectives may be classified as:

- environment risks (e.g. relating to the economy, technology and competition);
- financial risks (e.g. relating to liquidity, interest rates, exchange rates and the misuse of financial resources);
- compliance risks (e.g. a breach of stock exchange regulations, non-compliance with accounting standards (e.g. IFRSs) or company law, and non-compliance with tax or environmental regulations);
- operational risks (e.g. loss of assets, poor service levels, employee-related issues or a shortage of raw materials);
- empowerment risks (e.g. poor leadership of managers and workers, too much authority given to one individual);
- integrity risk (e.g. leading to financial loss and/or damage to reputation).

• Risk management involves the entity's management in:

- identifying the risks relating to business objectives;
- assessing risk in terms of probability and timing, measuring the potential impact and thereby prioritising risks;
- deciding how to deal with the risks identified; and
- monitoring.

2.2 Risk mapping and assessing risks

• Risk mapping enables risks to be prioritised by taking into account:

- the significance of a risk (e.g. in financial terms and in such terms as public image); and
- the likelihood of its occurrence.

• Significance may be assessed, for example, as:

- High (catastrophic): seriously threatening to the viability of operations if not controlled

• Similarly, likelihood:

- High (probable): has occurred in the past and will do so again within the next five years
- Medium (possible): has not yet occurred but expected within the next five years
- Low (remote): not expected within the next five years

• A simplistic risk model is a 2x2 matrix of likelihood against impact (the notes liken it to the Boston Consulting matrix), as follows:

                     Low impact                     High impact
High likelihood      Low impact, high likelihood    High impact, high likelihood
Low likelihood       Low impact, low likelihood     High impact, low likelihood

• Those risks identified as high impact, high likelihood would need the greatest management effort and control. However, the double low cannot be neglected as it may transfer to a double high.

2.3 Risks and control

Decision flow (reconstructed from the diagram):

Assessed risk: HIGH or LOW?
- HIGH: Controllable? YES: apply suitable controls. NO: pass it.
- LOW: check compliance.

2.4 Risk management strategies

• Often referred to as the TARA approach:

- Transfer
- Avoid
- Reduce
- Accept

Mapped onto the likelihood/impact matrix:

                     Low impact     High impact
High likelihood      Reduce         Avoid
Low likelihood       Accept         Transfer

• Transfer risk using insurance (which may eliminate the risk), strategic alliances, joint ventures and contractual risk sharing arrangements with independent parties.

• Avoid unacceptable risks. Price and cost services appropriately to reflect retained risk (e.g. audit firms when quoting fees).

• Reduce: control (manage) the risk and reduce it to within the risk threshold through internal control processes. A risk management framework should include:

- a control environment;
- control procedures;
- monitoring activities (on the effectiveness of risk management); and
- information flow.

These are all part of a strong internal control environment.

• Modify the risk, i.e. change the way in which the business or activity is conducted to reduce the risk.

• Accept the risk at its present level as one that can legitimately be borne (e.g. part of doing day-to-day business).

• Develop a recovery plan to salvage the situation quickly and as cost-effectively as possible:

- consider certain disaster scenarios (e.g. loss of office due to fire);
- it may not be possible to adequately reduce or eliminate the risk;
- take out insurance.

3 INTERNAL CONTROL

3.1 Overview

Internal control is the process designed, and effected by, those charged with governance and management, to provide reasonable assurance about:

• the achievement of the entity's objectives with regard to reliability of financial reporting;
• the effectiveness and efficiency of its operations; and
• the entity's compliance with applicable laws and regulations.

• Although this framework (the five components below) is used by the IAASB, in practice different terminology or frameworks to describe the various aspects of internal control, and their effect on the audit, may be used (see Section 4.2).

Diagram: the five components of internal control are the control environment, risk assessment, information systems, control activities and monitoring of controls.

• The auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, material misstatements in the financial statements, rather than its classification into any particular component.

3.1.1 Audit requirements

• The auditor must understand the five components of internal control as an essential part of their risk assessment procedures. They must obtain an understanding of:

- the control environment;
- the entity's process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks;
- the information system relevant to financial reporting, e.g.:
  - the classes of transactions in the entity's operations that are significant to the financial statements;
  - the procedures by which those transactions are initiated, recorded, processed and reported in the financial statements;
  - the related accounting records, supporting information and specific accounts in the financial statements;
  - how the information system captures events and conditions, other than classes of transactions, that are significant to the financial statements;
  - the financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.
- the control activities, in order to assess the risks of material misstatement at the assertion level (and to design further audit procedures responsive to assessed risks);
- the major types of activities that the entity uses to monitor internal control over financial reporting and how the entity initiates corrective actions to its controls.

• In addition, auditors must also obtain an understanding of:

- how the entity has responded to risks arising from IT (see Session 12); and
- how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting.

3.2 The control environment

Governance and management functions: attitude, awareness and actions

• Sets the tone of an organization, influencing the control consciousness of its management and employees. It is the foundation for effective internal control, providing discipline and structure.

• Strongly relates to how management (and those charged with governance) has created a culture of honesty and ethical behaviour, supported by appropriate controls to prevent and detect fraud and error, through:

- communication and enforcement of integrity and ethical values;
- the cascade effect (i.e. staff following management's example);
- commitment to competence (e.g. only those with the appropriate skills and knowledge are considered for each position);
- participation by those charged with governance, who should be:
  - independent from the entity and management;
  - experienced and prepared to be a sounding board for management;
  - prepared to work with, but stand up to, management;
  - demanding and challenging of management decisions;
  - given access to documents and information as required;
  - in effective interaction with internal and external auditors;
- management's philosophy and operating style (including approach to risk management and application of accounting policies);
- organizational structure (e.g. open and transparent or closed and opaque);
- assignment of authority and responsibility (e.g. clearly defined);
- human resource policies and practices (e.g. commitment to best practice in recruitment, training, appraisal, counselling, progression, compensation and remedial actions).

• A strong control environment may be a positive influence when assessing, for example, the risk of fraud. However, the elements must be considered collectively (e.g. enforcement of ethical values together with appropriate recruitment policies for financial reporting staff will not mitigate aggressive earnings reporting by senior management).
3.3 Risk assessment procedures

How the entity's management identify business risks relevant to the financial reporting objectives, how they decide to address those risks and how they review the results of doing so.

• Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process and report financial data.

Example 1

Suggest FIVE business risks that may impact on the production of the financial statements.

Solution

(See Example Solution 1 at the end of the session.)

3.4 Information system

• Consists of:

- physical and hardware (if IT based) infrastructure;
- software (if IT based);
- people;
- procedures; and
- data.

• Includes the accounting system and consists of the procedures and records established to:

- initiate (e.g. manually or by programmed procedures);
- record (e.g. identify, capture and record valid transactions and relevant information on a timely basis, including information for disclosure);
- process (e.g. edit, validate, calculate, measure, summarise, reconcile and classify);
- report (e.g. preparation of financial and other statements so that the transactions, disclosures and other information are correctly presented); and
- maintain accountability (for the related assets, liabilities and equity)

of the records and information necessary to satisfy financial reporting objectives. The above encompasses recording the correct monetary value of transactions and recording transactions in the correct accounting period (i.e. cut-off).

• Transactions may be standard (e.g. within the normal course of business: sales, purchases, accruals, depreciation) or non-standard (e.g. asset impairment, bad debt write-off, related party transactions). How the information system deals with both standard and non-standard transactions must be understood, e.g. raising and authorising journal entries.

• The information system must also be able to deal with errors and incorrect processing. Is a suspense account used and regularly checked and cleared? Is it possible to override the system or bypass controls? If so, how does management deal with such matters?

• Management must be able to demonstrate that they understand the individual roles and responsibilities of those within the information system.

• Individuals within the system must also understand their roles and responsibilities and how they relate to others within the system.

• The means of reporting exceptions to a higher authority must be clear and

3.5 Control activities

• The policies and procedures that help ensure that management directives are carried out, e.g. that actions are taken to address risks that threaten the achievement of the entity's objectives.

• They have various objectives and are applied at various organisational and functional levels.

• More than one control activity may be necessary in order to achieve a given control objective.

• Appendix 2 (Session 36) details control objectives and activities for the main transaction cycles within the financial accounting process.

3.5.1 Control objectives relating to financial statements

• At the financial statement assertion level, control objectives aim to ensure that only:

- authorised (Valid, V) transactions are
- promptly recorded (Complete, C) in the
- correct (Accurate, A) amount in the
- appropriate (Accurate, A) accounts in the
- proper (Correct cut-off, C) accounting period, and that
- recorded assets exist (Existence, E).

Mnemonic: CAVE (Completeness and Cut-off, Accuracy, Validity, Existence).

• For example, the overall control objective over purchases may be stated as being "to ensure that payments are only made for goods and services actually received and required by the entity". This may be broken down into sub-objectives, e.g. "to ensure that goods are only received for orders placed".

• This requires control activities over placing the order, receipt and acceptance of the goods/services, recording and analysing the invoice and settling the liability, for the overall control objective to be achieved.

3.5.2 Control activities relating to financial statements

• Examples of appropriate control activities include:

- Authorisation (basically, "if it can move, authorise it"), e.g.:
  - purchase or disposal of non-current assets
  - new suppliers
  - journals
  - payments
- Performance reviews, e.g.:
  - actual against budget, prior year and variance analysis
  - analytical review, internal versus external data
  - functional or activity performance, i.e. that activities that should take place actually took place
- Information processing (accuracy, completeness and authorisation), e.g.:
  - checking arithmetical accuracy (e.g. of documents, records)
  - maintaining and reviewing accounts and trial balances
  - carrying out reconciliations (e.g. bank, supplier statements)
  - sequence checks (of pre-numbered documents, e.g. despatch notes)
  - completeness checks (e.g. that all documents have been processed)
  - follow-up of error reports (including taking appropriate action)
  - IT application controls (see Session 12)
  - IT general controls (see Session 12)
- Physical controls, e.g.:
  - secured access to assets and records
  - password access to computer systems
  - comparing book to physical (e.g. inventory, petty cash, non-current assets)
- Segregation of duties, e.g.:
  - separation of the authorising, recording and custody functions
  - actions of one employee are checked by another
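Two of the control activities listed above, the sequence check over pre-numbered documents and segregation of duties between recording and authorising, can be automated as exception reports run over a transaction listing. The following is an added example written for this page, not code from the ATC/ACCA materials; the Payment record layout, the user names and the voucher numbers in SAMPLE are constructed for illustration.

```python
"""
Sequence check and segregation-of-duties check over a constructed
purchase-payments extract. Example code added for this page; it is not
part of the ATC/ACCA materials.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Payment:
    """One line of a hypothetical payments listing (layout assumed)."""
    doc_no: int                   # pre-numbered payment voucher
    supplier: str
    amount: float
    raised_by: str                # user who recorded the payment
    authorised_by: Optional[str]  # user who approved it; None if never approved


def sequence_check(doc_numbers: List[int]) -> Tuple[List[int], List[int]]:
    """Sequence check (completeness): every number between the lowest and
    highest voucher seen must appear exactly once.
    Returns (missing numbers, duplicated numbers)."""
    counts = Counter(doc_numbers)
    if not counts:
        return [], []
    lo, hi = min(counts), max(counts)
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


def segregation_check(payments: List[Payment]) -> List[Tuple[int, str]]:
    """Segregation of duties (validity): the person who records a payment
    must not be the one who authorises it, and an authorisation must exist."""
    findings = []
    for p in payments:
        if p.authorised_by is None:
            findings.append((p.doc_no, "unauthorised"))
        elif p.authorised_by == p.raised_by:
            findings.append((p.doc_no, "self-authorised"))
    return findings


def run_controls(payments: List[Payment]) -> Dict[str, list]:
    """Run both checks and return an exception report for follow-up."""
    missing, duplicated = sequence_check([p.doc_no for p in payments])
    return {
        "missing_numbers": missing,        # vouchers never processed (or destroyed)
        "duplicate_numbers": duplicated,   # possible double posting or number reuse
        "sod_exceptions": segregation_check(payments),
    }


# Constructed sample extract (not real data), seeded with one of each exception.
SAMPLE = [
    Payment(1001, "Acme Ltd", 2500.00, "jdoe", "asmith"),
    Payment(1002, "Beta plc", 980.50, "jdoe", "jdoe"),     # recorder approved own entry
    Payment(1004, "Acme Ltd", 2500.00, "rlee", "asmith"),  # voucher 1003 never processed
    Payment(1004, "Gamma Co", 410.00, "rlee", "asmith"),   # voucher number used twice
    Payment(1005, "Delta SA", 7200.00, "jdoe", None),      # no authorisation recorded
]

if __name__ == "__main__":
    for key, value in run_controls(SAMPLE).items():
        print(f"{key}: {value}")
```

Each finding maps back to a control objective: a missing number is a completeness exception, a duplicate is a validity or accuracy exception, and a self-authorised or unauthorised payment is a validity exception. The report is only a detective control; the follow-up of error reports listed above is what makes it effective.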

3.6 Monitoring controls

• Without monitoring control systems and receiving feedback on the performance of those controls, the entity's management will have no idea whether a control, whilst still operating, is actually effective.

• Monitoring is therefore a process to assess the effectiveness of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions for changes in conditions.

• Ongoing monitoring activities are often built into the normal recurring activities of an entity and include regular management and supervisory activities.

• Examples of monitoring activities include:

- checking that activities (e.g. bank reconciliations) are carried out;
- reports being produced when expected and actions carried out (e.g. follow-up on exception reports);
- customers paying amounts as stated on their statements or complaining about being overcharged;
- internal audit evaluations of the effectiveness of internal control and business risk procedures;
- external audit management letters and reports;
- business activity and management accounts discussed at monthly board meetings and challenged by non-executive directors and those charged with governance.

3.7 Limitations

3.7.1 Manual versus IT controls

• Internal control comprises a mix of manual and IT controls. Even where IT is extensively used, there will be manual elements within the system, e.g. authorisation of program changes, monitoring the effectiveness of IT.

• In general, manual controls are considered to be higher risk than IT controls as:

- manual controls are performed by people, who are less predictable than IT and more error prone (they are human, after all);
- manual controls are more easily bypassed, ignored or overridden than IT controls; and
- manual controls are subject to random, simple errors and mistakes.

• Manual controls may be more suitable where judgement and discretion are required, e.g.:

- large, unusual or non-recurring transactions;
- where errors are non-routine and difficult to define, anticipate or predict;
- where a control response is required outside of the routine automated control;
- in monitoring the effectiveness of automated controls.

However, the very nature of using judgement and discretion within internal control may mean high risk (e.g. where the control environment, that is the attitude, awareness and actions of management, is weak).

3.7.2 Inherent limitations

• No internal control system, no matter how well designed and operated, can provide management with conclusive evidence that the financial reporting objectives are reached. Only reasonable assurance can be achieved.

Example 2

Solution

(See Example Solution 2 at the end of the session.)

4 CORPORATE GOVERNANCE REQUIREMENTS

4.1 Introduction

• Good corporate governance requires management (the board) to (amongst many requirements):

- review and guide corporate strategy, major plans of action, risk policy, annual budgets and business plans; set performance objectives; monitor implementation and corporate performance; oversee major capital expenditures, acquisitions and divestitures (OECD);
- ensure the integrity of the corporation's accounting and financial reporting systems, e.g. independent audit, control systems, risk management procedures, financial and operational control, compliance with the law and regulations (OECD).

• Business risk management and the use of sound internal controls are a fundamental element of corporate governance.

4.2 Combined Code

4.2.1 Turnbull Guidance on internal controls

• The Turnbull Guidance on internal controls under the UK's Combined Code takes a risk-based approach to internal control. Under the Guidance, a company's system of internal control should aim to manage "risks that are significant to the fulfilment of its business objectives, with a view to safeguarding the company's assets and enhancing, over time, the value of the shareholders' investment". The Code requires a strong link between business risk management and internal controls.

• A "sound system of internal control" should provide reasonable assurance that a company will not be hindered in:

- pursuing its business objectives; or

But however sound a system is, it cannot eliminate the possibility of:

- poor judgement in decision-making;
- human error;
- control processes being deliberately circumvented by employees;
- management overriding controls; and
- the occurrence of unforeseeable circumstances.

• In determining its policies with regard to internal control, and thereby assessing what constitutes a sound system of internal control in the particular circumstances of the entity, the board must consider:

- the nature and extent of the risks facing the company;
- the extent and categories of risk which it regards as acceptable for the company to bear;
- the likelihood of the risks concerned materialising;
- the company's ability to reduce the incidence and impact on the business of risks that do materialise; and
- the costs of operating particular controls relative to the benefit thereby obtained in managing the related risks.

• The internal control system should encompass the policies, processes, tasks, behaviours and other aspects of a company that, taken together:

- facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company's objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud, and ensuring that liabilities are identified and managed;
- help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation;
- help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.

4.2.2 Management review of internal control

• The Code requires an entity's board to regularly review, and form its own opinion of, the effectiveness of the company's system of internal control.

• There should be a defined process for the board's review, to support its statement in the annual report (as required by the Code). It is not enough to rely on the internal control system itself. The board should:

- receive and review regular reports from management and consider:
  - the key risks;
  - the effectiveness of the internal controls;
- ensure that all aspects of internal control are being reviewed;
- perform an annual review for the purposes of preparing a statement for the annual report.

• If internal controls are regularly reviewed, the annual review should be relatively straightforward and focus on:

- changes in risks since the last review;
- the company's ability to respond to change;
- the scope and quality of management's ongoing monitoring of internal control;
- the adequacy of communication;
- weaknesses in the system;
- the effectiveness of the year-end financial reporting process;
- whether the company needs a separate internal audit function, rather than relying on management to review internal control.

• If internal control is not regularly reviewed, then the annual review will have to be more comprehensive and will take longer.

• Strong emphasis is placed on the role of internal audit in assessing the effectiveness of the entity's risk assurance procedures. If an entity does not have an internal audit function, then it must consider, each year, the need for one and state within its annual report that it has done so.

• As discussed in Session 3, whilst there is no requirement under the Code for the entity's auditor to report on this process, there is a requirement under the London Stock Exchange for a review and report from the auditor.

FOCUS

You should now be able to:

• explain the components of business risk;
• discuss the importance of risk analysis;
• describe and explain the key components of an internal control system;
• explain the importance of internal control and risk management;
• identify and explain management's risk assessment process with reference to internal control components;
• identify and describe the important elements of internal control including the control environment and management control activities.

EXAMPLE SOLUTIONS

Solution 1: Business risks

• Changes in regulatory or operating environment. Changes in the regulatory or operating environment can, for example, result in changes in competitive pressures and significantly different risks. Such risks have to be identified and their impact quantified.

• New personnel. The potential risk depends on their seniority or the position they hold within finance. New personnel may have a different focus on understanding and applying internal control; they will need to learn new processes and may attempt to change or ignore existing controls.

• New or upgraded information systems. Significant and rapid changes in information systems can change the risk relating to internal control, e.g. previous controls may no longer be effective, new controls are not enacted. The change process in itself is a significant risk in that data may not be correctly converted or the new system may not function as intended.

• Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls, e.g. overtrading, strained gearing and loss of direction by the entity.

• New technology. Incorporating new technologies into production processes or information systems may change the risk associated with internal control.

• New business models, products or activities. Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control.

• Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control. Management time spent on restructuring and making every effort to ensure it works means that less time can be spent on running other areas of the business.

• Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.

• New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements, especially in relation to recognition, measurement and disclosure requirements.

Solution 2: Inherent limitations

• Cost of internal control should not exceed benefits derived
• Non-routine transactions
• Human error/machine breakdown
• Collusion (to circumvent controls)
