2-Internal-control-Risk-Management.pdf

RISK Management & Internal Control

What about Risks?
For all businesses there are risks that exist and that need to be identified and addressed in order to prevent or minimize losses.

What is Risk?
Risk is the threat that an event, action, or non-action will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully. Risk is measured in terms of consequences and likelihood.

Assessing Risks
Identifying Risk, Sourcing Risk, Prioritizing Risk.

Risk Strategies

Acceptance - Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn't want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.

Mitigation - Taking steps to reduce adverse effects.

Transference - Risk transference is the involvement of handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.

Limitation - Risk limitation is the most common risk strategy for businesses. This strategy limits a company's exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance, or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.

Avoidance - Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options.
Scenario
Sarah, the head of the procurement department, needs to purchase new machinery. The approved company policy states that any purchase above $50,000 requires approval from both the department head and the CFO. The machinery cost is $48,000, which falls under her approval limit. However, additional costs for shipping and installation push the total expense to $55,000. Instead of seeking CFO approval, Sarah splits the transaction into two payments: $48,000 for the machinery and $7,000 for installation. Both amounts stay under her approval limit, allowing her to authorize the transactions without further review.

Consequences:
❑ Unauthorized Spending
❑ Fraud Risk
❑ Inaccurate Financial Reporting
❑ Audit Issues

Risk Considerations
- Evaluate the nature and types of errors and omissions that could occur, i.e., "what can go wrong"
- Consider significant risks (errors and omissions) that are common in the industry or have been experienced in prior years
- Information Technology risks (i.e. access, backups, security, data integrity)
- Volume, size, complexity and homogeneity of the individual transactions processed through a given account or group of accounts (revenue, receivables)
- Susceptibility to error or omission as well as manipulation or loss
- Robustness versus subjectiveness of the processes for determining significant estimates
- Extent of change in the business and its expected effect
- Other risks extending beyond potential material errors or omissions

INTERNAL CONTROL - a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance:
- that information is reliable, accurate, and timely;
- of compliance with applicable laws, regulations, contracts, policies and procedures;
- of the reliability of financial reporting.
Internal controls are intended to prevent errors and irregularities, identify problems and ensure that corrective action is taken.
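The scenario above is a textbook case of a preventive control (the $50,000 dual-approval threshold) that holds for each payment in isolation but is defeated by splitting. The example below is added here and is not from the slides: it encodes the stated policy as a preventive check and adds a detective control that aggregates payments per vendor and purchase order, so a total pushed over the limit by splitting still surfaces for review. The 30-day look-back window, the field names, and all payment records are constructed assumptions.

```python
"""Purchase-approval control for the split-transaction scenario.

Added example, not code from the slides. Models the stated policy
(a purchase above $50,000 needs both the department head and the CFO)
as a preventive control, plus a detective control that groups payments by
vendor and purchase order and flags totals that exceed the limit even
though every individual payment stayed under it.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

APPROVAL_LIMIT = 50_000            # dollars; threshold from the scenario
SPLIT_WINDOW = timedelta(days=30)  # assumed look-back for aggregating payments


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    purchase_order: str
    amount: int
    requested_by: str
    approvers: frozenset  # roles that signed off, e.g. {"department_head"}
    paid_on: date


def required_approvals(amount: int) -> set:
    """Preventive control: which roles must approve a payment of this size."""
    if amount > APPROVAL_LIMIT:
        return {"department_head", "cfo"}
    return {"department_head"}


def is_properly_approved(p: Payment) -> bool:
    """True when every required approver role signed off on this payment."""
    return required_approvals(p.amount) <= set(p.approvers)


def find_split_transactions(payments):
    """Detective control: group payments by (vendor, purchase order) and flag
    groups whose total exceeds the limit although each payment stayed under
    it, none carried CFO approval, and all fell inside the look-back window."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p.vendor, p.purchase_order)].append(p)

    findings = []
    for (vendor, po), group in groups.items():
        group.sort(key=lambda p: p.paid_on)
        total = sum(p.amount for p in group)
        span = group[-1].paid_on - group[0].paid_on
        each_under_limit = all(p.amount <= APPROVAL_LIMIT for p in group)
        cfo_signed = any("cfo" in p.approvers for p in group)
        if (len(group) > 1 and total > APPROVAL_LIMIT and span <= SPLIT_WINDOW
                and each_under_limit and not cfo_signed):
            findings.append({
                "vendor": vendor,
                "purchase_order": po,
                "total": total,
                "payment_ids": [p.payment_id for p in group],
                "requested_by": sorted({p.requested_by for p in group}),
            })
    return findings


# Constructed sample: Sarah's split purchase plus an unrelated purchase from
# another department that was correctly escalated to the CFO.
SAMPLE_PAYMENTS = [
    Payment("P-1001", "Acme Machinery", "PO-7781", 48_000, "sarah",
            frozenset({"department_head"}), date(2024, 3, 1)),
    Payment("P-1002", "Acme Machinery", "PO-7781", 7_000, "sarah",
            frozenset({"department_head"}), date(2024, 3, 4)),
    Payment("P-1003", "Office Supply Co", "PO-7790", 52_000, "tom",
            frozenset({"department_head", "cfo"}), date(2024, 3, 2)),
]

if __name__ == "__main__":
    for p in SAMPLE_PAYMENTS:
        print(p.payment_id, "approved" if is_properly_approved(p) else "REJECTED")
    for f in find_split_transactions(SAMPLE_PAYMENTS):
        print("split suspected:", f)
```

Run stand-alone, every sample payment passes the preventive check, which is exactly the scenario's problem; only the aggregation step reveals the $55,000 total on PO-7781. The detective control is deliberately keyed on vendor and purchase order rather than on the requester, so it also catches a split spread across two colleagues under the same order.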
The control definition reflects certain fundamental concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It is not merely policy manuals and forms, but also people at every level of the organization.
- Internal control can be expected to provide only reasonable, not absolute, assurance to an entity's management and board.

The main control objectives are:
✓ Authorization
✓ Reconciliation
✓ Recording
✓ Safeguarding
✓ Valuation

Responsibility for Internal Controls
✓ Board of Directors
✓ Senior Management
✓ Financial Management
✓ Internal Audit Staff
✓ Independent Auditor

INTERNAL AUDITOR
Evaluates the company's internal controls, including its corporate governance and accounting processes. Internal auditors examine and analyze company records and financial documents. Internal auditors do not have to be CPAs. A bachelor's degree in finance, business administration or computer information systems is accepted.

INTERNAL AUDITOR vs. EXTERNAL AUDITOR
Internal auditors are employed to educate management and staff about how the business can function better. External auditors, on the other hand, have no such obligations. They are responsible for reviewing financial statements to ensure that they are accurate and conform to GAAP. Their findings are then reported back to shareholders, rather than management.

Internal control is put in place to mitigate the risks to give the organization a better chance at achieving its objectives. Internal controls aid companies in complying with laws and regulations, and prevent employees from stealing assets or committing fraud. They can also help improve operational efficiency by improving the accuracy and timeliness of financial reporting.
Control Focus
Redefining the control focus
The new approach to controlling business risks may be characterized by the "new rules" of "prevent and monitor" and "build in quality" as opposed to the "old rules" of "detect and correct" and "inspect in quality." This means a paradigm shift in the traditional viewpoint of control, as illustrated in the following table:

Old Paradigm: Only AUDITORS and TREASURY are concerned about risks and controls.
New Paradigm: EVERYONE, including operations, is concerned about managing business risks.

Old Paradigm: FRAGMENTATION - Every function and department does its own thing ("SILO MANAGEMENT").
New Paradigm: Business risk assessment and control are FOCUSED and COORDINATED with senior level OVERSIGHT.

Old Paradigm: NO BUSINESS RISK CONTROL POLICY.
New Paradigm: FORMAL BUSINESS RISK CONTROL POLICY approved by management and the board.

Old Paradigm: INSPECT for and DETECT business risk and REACT to it.
New Paradigm: ANTICIPATE and PREVENT business risk at the source and MONITOR business risk controls continuously.

Old Paradigm: Ineffective PEOPLE are the primary source of business risk.
New Paradigm: Ineffective PROCESSES are the primary source of business risk.

Components of Internal Control
In many cases, you perform controls and interact with the control structure every day, perhaps without even realizing it.

Monitoring: Monthly reviews of performance reports; Internal audit function.
Control Activities: Purchasing limits; Approvals; Security; Reconciliations; Specific policies.
Information & Communication: Vision and values survey; Issue resolution calls; Reporting; Corporate communications (e-mail, meetings).
Risk Assessment: Monthly Risk Control meetings; Internal audit risk assessment.
Control Environment: Tone from the top; Corporate Policies; Organizational authority.

An internal control structure is simply a different way of viewing the business - a perspective that focuses on doing the right things in the right way.
COMPONENTS OF INTERNAL CONTROL

Control Environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. Control environment factors include:
- Integrity and ethical values;
- The commitment to competence;
- Leadership philosophy and operating style;
- The way management assigns authority and responsibility, and organizes and develops its people;
- Policies and procedures.

Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. A company must regularly assess and identify the potential for, or existence of, risk or loss. Examples include:
- Monthly meetings to discuss risk issues
- Internal audit risk assessment
- Formal internal departmental risk assessment

Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication
INFORMATION
Information needed must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial, and compliance-related information, that make it possible to run and control the business. Management deals not only with internally generated data, but also with information about external events, activities and conditions necessary to inform business decision-making and external reporting.
COMMUNICATION
Internal Communication - it enables personnel to receive a clear message from senior management that control responsibilities must be taken.
External Communication - it enables inbound communication of relevant external information and provides information to external parties in response to their requirements and expectations.

Monitoring
A set of processes used by management to examine and assess whether its internal controls are functioning properly. Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.

PREVENTIVE CONTROLS VS. DETECTIVE CONTROLS
Financial Controls - These are the policies and procedures intended to safeguard the assets and minimize financial reporting errors/fraud.

Preventive Controls - the main goal is to decrease the chance of errors and fraud before they occur.

Examples of Preventive Controls
Authorizations - requiring management to formally approve certain types of transactions, like paying salaries of employees, where the approval comes from the supervisor to the payroll clerk.
Segregation of Duties - Dividing responsibilities related to authorizing transactions, recording transactions, and maintaining custody of the related assets. As a result, it reduces fraudulent payments or activities.
Physical Safeguards - using cameras, locks, sensors, and physical barriers to protect assets.
Job Rotation - avoiding an employee doing the same job repeatedly or for a very long time; switch people.
Proper hiring and training of employees - selecting the right people for a certain job, such as an accountant, and providing a good training method.

Detective Controls - designed to find errors or problems after the transaction has occurred.
Examples of Detective Controls
Maintaining Records - maintaining written or electronic evidence to support transactions.
Performance Reviews - comparing actual performance to various benchmarks to identify unexpected results.
Reconciliations - relating data sets to one another to identify and resolve discrepancies.

Limitations of Controls
1. Cost-Benefit
2. Collusion

In conclusion, these two types of internal controls minimize risks, protect assets, ensure accuracy of records, promote operational efficiency, and encourage adherence to policies, rules, regulations and laws. In future, we can apply them in our work as financial controllers to achieve good performance output, since they reduce, detect and correct financial reporting errors or fraud, if there are any, which certainly contributes to the progress of the company we work for.

To be continued… Types of Fraud, Preventing Fraud and How to Deal with a Fraud Situation
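Two of the controls listed above, segregation of duties (preventive) and reconciliation (detective), can be expressed as checks that run over the books. The example below is added here and is not from the slides: it tests each ledger entry for one person holding more than one of the three incompatible roles (authorize, record, custody), then relates the purchase ledger to the bank statement and reports the three kinds of discrepancy a reviewer would look at. The field names and all ledger and bank records are constructed assumptions.

```python
"""Segregation-of-duties and reconciliation checks.

Added example, not code from the slides. A preventive segregation-of-duties
test on each ledger entry, and a detective reconciliation that relates the
purchase ledger to the bank statement by payment reference.
"""
from collections import Counter

# The three responsibilities that should never sit with one person for the
# same transaction (constructed field names).
SOD_ROLES = ("authorized_by", "recorded_by", "custodian")


def segregation_conflicts(entry: dict) -> dict:
    """Return {person: [roles]} for anyone holding more than one of the
    incompatible roles on this entry; an empty dict means no conflict."""
    holders = Counter(entry[role] for role in SOD_ROLES)
    return {
        person: [role for role in SOD_ROLES if entry[role] == person]
        for person, count in holders.items() if count > 1
    }


def reconcile(ledger: list, bank: list) -> dict:
    """Match ledger entries to bank lines on the payment reference and report
    what is recorded but not paid, paid but not recorded, and paid at a
    different amount than recorded."""
    ledger_by_ref = {e["ref"]: e for e in ledger}
    bank_by_ref = {b["ref"]: b for b in bank}
    common = ledger_by_ref.keys() & bank_by_ref.keys()
    return {
        # recorded in the books but not (yet) cleared by the bank
        "in_ledger_only": sorted(ledger_by_ref.keys() - bank_by_ref.keys()),
        # money left the account with no supporting record: investigate first
        "in_bank_only": sorted(bank_by_ref.keys() - ledger_by_ref.keys()),
        # (reference, ledger amount, bank amount) where the two disagree
        "amount_mismatch": sorted(
            (ref, ledger_by_ref[ref]["amount"], bank_by_ref[ref]["amount"])
            for ref in common
            if ledger_by_ref[ref]["amount"] != bank_by_ref[ref]["amount"]
        ),
    }


def review(ledger: list, bank: list) -> dict:
    """Run both checks and return only the exceptions a reviewer must clear."""
    sod = {e["ref"]: c for e in ledger if (c := segregation_conflicts(e))}
    return {"sod_conflicts": sod, "reconciliation": reconcile(ledger, bank)}


# Constructed sample data.
LEDGER = [
    {"ref": "PAY-201", "amount": 48_000, "authorized_by": "sarah",
     "recorded_by": "lee", "custodian": "finance"},
    {"ref": "PAY-202", "amount": 7_000, "authorized_by": "sarah",
     "recorded_by": "sarah", "custodian": "finance"},  # authorized and recorded by one person
    {"ref": "PAY-203", "amount": 1_250, "authorized_by": "tom",
     "recorded_by": "lee", "custodian": "finance"},    # not yet cleared by the bank
    {"ref": "PAY-204", "amount": 9_900, "authorized_by": "tom",
     "recorded_by": "lee", "custodian": "finance"},
]
BANK = [
    {"ref": "PAY-201", "amount": 48_000},
    {"ref": "PAY-202", "amount": 7_000},
    {"ref": "PAY-204", "amount": 9_990},  # transposed digits vs. the ledger
    {"ref": "PAY-205", "amount": 3_000},  # no ledger entry at all
]

if __name__ == "__main__":
    import json
    print(json.dumps(review(LEDGER, BANK), indent=2))
```

The reconciliation keeps the three discrepancy types apart on purpose: an item in the ledger only is usually timing, an amount mismatch is usually a keying error, but a bank-only item is money leaving with no record and is the one to chase first. The segregation check runs per entry rather than per employee so that a person who legitimately holds two roles on different transactions is not flagged.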
