## Introduction to Risk Management: "What Can Go Wrong?"

### Learning Objectives

At the end of the chapter, the students will be able to:

- describe risk and its characteristics
- identify the different types of risk
- articulate the need for risk management
- describe the steps in managing risks
- identify globally recognized risk management frameworks

### Introduction

Risks are inherent in every business. No profit will be earned without taking a certain degree of risk. It can be said that "doing business" is indeed a risk-taking activity. Nevertheless, risks must be properly managed and kept within manageable levels. Excessively high levels of risk can result in operational bottlenecks, financial losses, poor corporate reputation, and, worst of all, closure of the business. Consequently, the economic and personal well-being of investors, creditors, and other stakeholders will be adversely affected.

Risk can simply be described as "things that can go wrong." In the sphere of managing risk, it is not right to say "let's just cross the bridge when we get there." On the contrary, risks should be identified before they even happen so that the company will be in a better position, and have more time, to prepare for them.

Risk can also be described as an event that can adversely affect the operating profit, cash flows, capital, and even the reputation of a company. An example of risk is credit risk, the possibility that customers of the company may not be able to pay on the due date. Another example is operational risk, the possibility of a disruption in the operations of the business due to machine breakdowns, natural calamities, and other causes.
### Table 4: Events Affecting the Achievement of Business Objectives

| Business Objective | Event |
|---|---|
| Generating 10 million profit | Increase in production and operating costs |
| Manufacturing 20,000 units of the product | Loss of supply of raw materials needed in production |
| Producing reliable financial statements | Clerical errors in recording transactions |
| Reducing bad debts by 20% | Bankruptcy of a major customer |
| Uninterrupted computer processing of business transactions | Brownouts, computer breakdown, flood in the office, etc. |

There are many events that can affect the business. These events can be either internal or external. Events that occur within the company are called internal events, and those that happen outside are external events.

### Table 5: Internal Events and Their Potential Impact on the Company

| Event | Potential Impact |
|---|---|
| Internal fraud | Financial loss; damage to the reputation of the company |
| Machine breakdown | Disruption in the production process; failure to deliver finished goods to customers |
| Accident in the factory | Physical injuries, loss of lives; increase in medical costs |
| Violation of laws and regulations | Fines and penalties; potential criminal prosecution of erring corporate officers and employees |

### Table 6: External Events and Their Potential Impact on the Company

| Event | Potential Impact |
|---|---|
| Economic recession | Decline in sales revenue and operating profit; possible closure of the business |
| Entry of more competitors in the market | Loss of market share; decline in sales revenue |
| Bankruptcy of a major customer | Failure to collect receivables; decline in cash balance; disruption in business operations; decline in revenue and profit; possibility of closure of the business |
| Pandemic (e.g., COVID-19, SARS) and natural calamities (flood, earthquakes, volcanic eruption) | Failure to collect receivables; decline in cash balance; disruption in business operations; decline in revenue and profit; possibility of closure of the business |

### Types of Risk

Because of the increasing complexity of business, there are different kinds of risk that the company may encounter. There is no single standard manner of classifying risks. At the minimum, however, risks can be categorized into two broad groups: financial risks and nonfinancial risks.

#### Financial Risks

Financial risk is the likelihood that the company might incur a financial loss, or suffer a decline in profit, capital, investment, or cash flows, on account of the occurrence of events or transactions. Specific risks included under the financial risk category are credit risk, liquidity risk, and market risks. Market risks can be further subdivided into interest rate risk, foreign currency risk, and price risk. These risks are defined as follows:

- **Credit risk** - the risk that a counterparty such as a customer or a borrower might fail to pay its account on the due date. For instance, there is a possibility that a borrower of a bank will be unable to pay his/her loan on the maturity date. This is sometimes referred to as default risk. Credit risk is present in all activities where there is an expectation of returns or repayment.
- **Liquidity risk** - the risk that the business will be unable to meet its financial obligations as they fall due because of insufficient cash, inability to liquidate assets, or inability to obtain adequate funding within a short period of time. This also includes the possibility that the business may not be able to convert noncash assets such as investments into cash on short notice.
- **Market risk** - the risk of volatility in the market brought about by interest rates, foreign currency, and market prices.
- **Interest rate risk** - the potential decline in earnings and capital arising from changes in interest rates in the market. This risk generally occurs because an entity may have a disproportionate amount of fixed and variable interest-rate instruments on either side of the balance sheet. For instance, a company will pay a higher interest cost to the bank for its variable-rate loan when market interest rates increase. Higher interest expenses will result in lower profit.
- **Foreign currency risk** - the risk that fluctuations in exchange rates could affect the profit of the business. For example, weakening of the Philippine peso will result in a foreign currency loss to a Philippine importer of goods when the transaction is denominated in US dollars.
- **Price risk** - the risk that changes in specific prices (stock price, price of other investments) could affect the profit or cash flow of the business. For instance, a decline in the price of shares owned by the company and traded on the stock exchange will result in a decrease in the value of the stock investments.

Closely related to financial risks are business risks. A business risk is the possibility that the business may not be able to generate sufficient revenue, or that an increase in production costs and operating costs might occur. For example, an increase in raw material cost will result in a decline in the gross profit margin of the company. In the same manner, when the company is unable to achieve its sales target, revenues will not be enough to cover operating costs and provide a reasonable profit margin to shareholders.

#### Nonfinancial Risks

Nonfinancial risks do not have an immediate direct financial impact on the business. However, their consequences may be serious and can later affect the financial well-being of the business if not properly mitigated.
Many risks belong to this category. The following are some examples:

- **Operational risk** - the risk that business operations will be disrupted due to inadequate or failed systems, processes, or people; breaches in internal controls; or other unforeseen catastrophes.
- **Legal or compliance risk** - the risk that the company might fail to comply with applicable laws and regulations such as tax laws, labor laws, corporation law, anti-money laundering law, and environmental laws, among others. This risk also includes the possibility of not complying with contractual obligations to other entities. This type of risk may result in fines and penalties as well as possible criminal prosecution of erring company officers and employees.
- **Health and safety risk** - the risk that unforeseen events could result in injuries, illnesses, or even loss of lives. Examples include injuries sustained by workers in the factory and transmission of the COVID-19 virus to company staff. Such events will increase the medical costs incurred by the company.
- **Environmental risk** - the risk that the company may fail to control or minimize factory wastes, emissions, and other pollutants arising from its business activities. Failure to remedy this negative contribution of the company to the environment could result in possible government sanctions, fines, and penalties.
- **Strategic risk** - the risk of selecting an inappropriate corporate strategy or failing to implement an appropriate one. This type of risk may result in failure to achieve long-term strategic goals, loss of market share, and shrinkage in corporate value.
- **Reputation risk** - the risk that the reputation or image of the company will be damaged due to reasons such as improper acts of corporate officers, poor financial performance, and bad news about the company, among others.

The two important risks that are related to the work of professional accountants are financial reporting risk and fraud risk.

- **Financial reporting risk** is the possibility that the financial statements of the company will be incorrect due to errors, lapses, or failure to apply accounting standards such as the International Financial Reporting Standards (IFRS).
- **Fraud risk**, on the other hand, is the risk arising from deceptive and intentional acts that result in loss of company assets, resources, and reputation. Examples of fraud include theft of cash and inventories, bogus deliveries, ghost employees, and window dressing, among others.

### Definition and Nature of Risk Management

As previously discussed, many risks affect a business. If these risks are not properly managed, it will be "game over" because the business objectives of the company will not be achieved. A formal risk management process, therefore, becomes imperative in order to address and manage risks. COSO defines enterprise risk management as:

> Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

You may download the ERM Executive Summary using the link below:

https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf

### Risk Management as a Process

Risk management is not an isolated activity within the company. It is composed of a set of interrelated components that operate in an integrated manner in order to address the various risks affecting the company. The components of risk management will be discussed in the next chapter.

### Roles in the Risk Management Process

Everyone has a role to play in the company's risk management process.
The following summarizes the duties of key people pertaining to the management of risks:

- **Board of directors** - conducts oversight of the effectiveness of the company's risk management process. Risk oversight pertains to the periodic review and monitoring of the process being used by management in addressing and controlling risks. It is common for large companies to have risk oversight committees within the board of directors.
- **Management** - implements specific risk mitigation and control procedures in managing the various types of risks affecting the company. Management also identifies and assesses risks prior to selecting the appropriate risk response.
- **Internal auditors** - conduct an examination of the risk management process for the purpose of determining its effectiveness over time. The results of their examination are communicated to either the board of directors or the risk oversight committee.
- **Other personnel** - implement specific tasks and duties pertaining to the processes within their departments.

### Risk Appetite

Risk appetite is the level of risk that the company can accept in pursuit of its objectives. As previously mentioned, operating a business naturally involves the taking of risks. However, these risks must be kept within acceptable or manageable levels. One of the aims of the risk management process is to keep risks within the company's risk appetite.

### Steps in the Risk Management Process

1. **Setting of business objectives.** The risk management process starts with the setting of business objectives. In this regard, the COSO Risk Management framework categorizes business objectives into strategic, operational, reporting, and compliance. **Descriptions of the four business objectives are shown below:**

   * **Strategic objectives** - high-level goals that are aligned with and support the organization's mission and long-term vision.
   * **Operational objectives** - goals that are related to the effective and efficient use of corporate resources.
   * **Reporting objectives** - goals relating to the reliability and transparency of corporate reports such as financial and nonfinancial reports.
   * **Compliance objectives** - goals relating to compliance and conformity with applicable laws and regulatory requirements.

   **Examples of business objectives in the four categories are shown below:**

   | Category of objective | Specific example |
   |---|---|
   | Strategic | Increase market share of the company to 40% through business expansion. |
   | Operational | Achieve profit after tax of 100 million. |
   | Reporting | Generate financial statements that are reliable and compliant with the International Financial Reporting Standards (IFRS). |
   | Compliance | Compute, file, and pay taxes based on the requirements of tax laws and BIR Regulations. |

2. **Identify the risks.** After setting the various objectives of the business, the risks or threats to the achievement of those objectives are identified. This process is called risk identification. To reiterate, risks are events that can prevent the company from achieving its business objectives. Risks are not that easy to spot. To be able to identify risks, risk managers must possess a comprehensive understanding of the company: the way it operates, its corporate mission and vision, major transactions, products and services, suppliers and customers, and regulatory environment, among others.

3. **Assess the risks.** Any risk has two dimensions: (1) the probability that something can go wrong and (2) the negative consequence or impact if that event occurs. Hence, identified risks should be assessed in terms of (1) likelihood of occurrence and (2) impact. "Likelihood" pertains to the probability that the event will occur.
   In other words, "likelihood" means the chance of occurrence. "Likelihood" is often classified as "high," "moderate," or "low." On the other hand, "impact" refers to the significance or magnitude of the negative effect of the risk on the company. The "impact" of a risk is also classified as "high," "moderate," or "low." Analyzing risk in terms of "likelihood" and "impact" is known as risk assessment. Assessment of risks will be discussed in the next chapter.

4. **Respond to the assessed risks.** Management will select the appropriate risk response depending on the result of the risk assessment, which can be "high," "moderate," or "low." Possible responses to assessed risks are as follows:

   * **Accept** - Tolerating or accepting the risk is permissible only if its effect on the business is minor or if its likelihood is "remote," such that it is not worth the money or effort to do anything about it.
   * **Reduce** - Risks that are likely to happen or those that are expected to have a significant impact on the business cannot simply be accepted. These risks should be mitigated or reduced to tolerable levels. Reducing risks can be done by implementing controls or specific risk mitigation plans.
   * **Share** - In some situations, the appropriate response might be to share or transfer the risks to some other entity such as an insurance company. An insurance company manages other people's risks.
   * **Avoid** - Avoiding a risk may be the right response when management thinks that merely reducing it is not enough. For instance, the company may terminate one of its product lines if it assesses that operating it has become too risky.

5. **Implement the risk response.** Implementing the risk response is done by deploying specific risk mitigating plans or management action plans to control the risks.
   The following are examples of specific action plans or controls needed to address assessed risks:

   | Risk | Risk mitigating action or management control |
   |---|---|
   | Loss of supply of raw materials needed in production | Identify alternative sources of raw materials; maintain safety stock or buffer in raw materials inventory |
   | Entry of more competitors in the market | Massive advertising to promote the company's product; product improvement through research and development |
   | Possibility that customers will be unable to pay their accounts on the due date | Proper evaluation of the paying ability of customers and credit analysis; applying credit limits to customers |
   | Possibility that the business will run out of cash | Obtaining cash from preapproved and standby bank credit lines; policy for converting investments into cash |
   | Clerical errors in the recording and processing of transactions | Computerization of transaction processing; auditing of the recorded transactions to determine correctness |
   | Possibility of computer breakdown and loss of data | Use of uninterruptible power supply (UPS); backup procedures for computer files |

6. **Monitor the risk management process.** The risk management process must be continuously monitored to determine whether it remains effective and efficient over time. Management and corporate boards cannot make the erroneous assumption that an effective risk management process will simply remain effective. A risk management process that is effective today may no longer be effective in the next period. This is because risks are always changing. There are even new and emerging risks such as cybercrime risk and the risk of pandemics. Therefore, there must be a periodic evaluation of the risk management process. This is usually done through an internal audit process.
### Risk Management Frameworks

Strategies for managing risks can only operate well if they are based on an appropriate framework for managing risks. A framework is used as a guide in formulating a company's risk management process. COSO Enterprise Risk Management and ISO 31000 Risk Management are the two leading risk management frameworks today.

- **ISO 31000** - a series of risk management standards formulated by the International Organization for Standardization. ISO 31000 provides a set of principles and guidelines for the design, implementation, and evaluation of the risk management process for companies across different industries. Information about ISO 31000 may be downloaded using the following link: https://www.iso.org/iso-31000-risk-management.html

  The International Organization for Standardization is an independent, nongovernmental organization that develops voluntary international standards and is comprised of 165 member countries as of 2020. It was founded in 1947. ISO 31000 follows a structured approach toward the systematic application of management policies and procedures to the activities of communication, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring, and reviewing risk. **The steps under ISO 31000 are summarized below:**

  * Identification of all risks that could prevent the company from achieving its business objectives.
  * Analysis of risk, including an understanding of its causes and effects.
  * Determination of whether identified risks are tolerable or not.
  * Treatment of significant risks by way of mitigating procedures, thereby reducing the impact and/or the likelihood of the risks.
  * Monitoring of the risk management strategy and its implementation to determine gaps that should be addressed.
  * Communication of information pertaining to the risk management process of the company.

- **COSO Enterprise Risk Management (COSO ERM)** - The original framework was published in 2004. The COSO organization was originally established in order to study the causes of fraudulent financial reporting during the latter part of the 1980s. It was also tasked to make recommendations on how to prevent such improper accounting practices. Information about the COSO Framework may be obtained using the link below: https://www.coso.org/pages/erm-integratedframework.aspx

### Guide Questions

1. An enterprise-wide risk management system of a company should be robust, holistic, and comprehensive enough. Why is this so?
2. How does credit risk affect the profit of the company? What measures can be taken by a bank to manage its credit risk?
3. How does a manufacturer reduce environmental risks brought about by emissions, effluents, and other pollutants?
4. How is the concept of risk appetite applied in the risk management process? Do all companies have the same level of risk appetite? Why or why not?
5. Why are risk management frameworks such as ISO 31000 and COSO Enterprise Risk Management important?

## Concept of Internal Control

### Learning Objectives

At the end of the chapter, the students will be able to:

- define internal control
- explain the need for an internal control framework such as the COSO Internal Control Integrated Framework
- articulate the three categories of internal control objectives
- identify the five components of internal control
- explain the "operating together" requirement of the COSO Framework
- identify the inherent limitations of internal control
- explain how specific control activities are selected
- describe the Criteria of Control (CoCo) Framework

### Introduction

In the previous chapters, we found out that effective risk management is critical in achieving the objectives of an organization. The risk management process addresses mostly external risks such as changes in market prices, interest rates, foreign exchange, political changes, and natural calamities, among others.
In this chapter, we will focus on internal control as a means of addressing risks that are internal to the organization. Internal control provides reasonable assurance that the objectives of the organization are achieved. For instance, what ensures that the cash on hand of the company is safeguarded from theft? What ensures that the inventories the company pays suppliers for are actually received by the company? What prevents billing errors from occurring? What ensures that all collections are remitted to the company and deposited intact in the bank? The answer is internal control. But what really is internal control? What are the components of internal control? How are specific control activities selected and deployed within the company? These questions, among others, will be answered in this chapter. Practical aspects of internal control will be discussed in the next chapter.

### Definition of Internal Control

In layman's terms, internal control is "what we do to ensure that the things we want to happen will happen and the things that we don't want to happen won't happen." For instance, we want the following things to happen:

- Reliable financial statements
- Minimizing spoilage of materials in the factory
- Collections are safeguarded from theft and are deposited the next banking day
- Inventories are protected from damage and destruction
- Compliance with applicable laws and regulations
- Ensuring the continuous processing of transactions

On the other hand, things that must not happen include fraud, errors, and noncompliance with laws and regulations, among others. To prevent these things from happening, internal control should be implemented.

As more formally defined in the COSO Framework, internal control is a process effected by the board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of business objectives.¹ The following further explains the definition of internal control:

* **Firstly**, it is a process. It is not an isolated procedure. Rather, it is comprised of an interrelated set of policies, procedures, and activities that work together for the achievement of business objectives. Under the COSO Framework, internal control is comprised of five interrelated components, which will be discussed momentarily.
* **Secondly**, it is something that must be put into effect by people from all levels within the company. Internal control is not a mere checklist of dos and don'ts. Even a lengthy internal control procedures manual will not be enough if it is not implemented.

Last but not least, internal control is not an end in itself; rather, it is a means toward achieving the objectives of the company. Therefore, without internal control, there would be no assurance that the objectives of the company will be achieved.

### The Need for an Internal Control Framework - COSO

Management and auditors need to assess the effectiveness of the internal control system of the company. However, it will be difficult to make the assessment if there are no criteria or benchmarks as to what constitutes good internal control. Therefore, there need to be criteria or a framework that can be used as a gauge in assessing whether or not one's system of internal control is effective. One of these frameworks is the COSO Internal Control - Integrated Framework.

COSO stands for the Committee of Sponsoring Organizations, comprised of the American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Institute of Management Accountants (IMA), Institute of Internal Auditors (IIA), and Financial Executives International (FEI). Through the project leadership of PricewaterhouseCoopers (PwC), COSO published the original internal control framework in 1992. It was subsequently revised in 2013 to reflect changes in the business, operating, regulatory, and economic environment.
¹ Reference to the COSO website: Committee of Sponsoring Organizations of the Treadway Commission. 2013. Updated COSO Internal Control - Integrated Framework. Accessed November 25, 2020. https://www.coso.org/Pages/ic.aspx

### Categories of Internal Control Objectives

From the top view, the COSO Cube in Figure 22 shows the three categories of internal control objectives, namely:

1. Effective and efficient operations
2. Reliability of financial and nonfinancial reporting
3. Compliance with applicable laws and regulations

### Objective No. 1: Effective and efficient operations

One may conclude that managers and employees have effectively carried out operations when revenue and operating cash flow targets are achieved. Efficient operations, on the other hand, are achieved when the company is able to minimize operating costs and avoid operational inefficiencies. For instance, engineering controls and proper factory layout are put in place in the factory in order to achieve smooth operation of the production process as well as to minimize spoilage of raw materials.

In the area of treasury operations, cash accounts should be safeguarded from theft. This may be achieved through the use of physical controls such as cash vaults, locks, CCTV cameras, and the like. All collections from customers must be remitted, recorded in the books, and deposited the next banking day. There should be segregation of incompatible duties such that no person is in complete control of a transaction, from authorization and execution to recording and custody. For instance, the cash custodian should not be allowed to post transactions in the official accounting records (which is a recording function) because he/she holds cash. On the other hand, the accounting staff should not have cash custodial duty. This is segregating recording from custodial functions.
In the event of calamities such as floods, the processing of transactions is assured because the company implements business continuity plans such as establishing a standby alternate office with computers, alongside backup controls. The safeguarding of assets from destruction is also part and parcel of the operational objectives of internal control. Many companies pay insurance premiums so that they might receive proceeds from the insurance company if assets are destroyed by fire and other catastrophes. All of these are part of internal control in the aspect of achieving effective and efficient operations.

### Objective No. 2: Reliability of financial and nonfinancial reporting

If financial statements are to be useful to external as well as internal users, they need to be reliable. Inaccurate accounting records and unreliable financial statements arise because of errors in recording. Another cause is fraudulent financial reporting, more popularly known as "window dressing." In view of these errors or fraud that result in unreliable financial reports, the company must implement Internal Controls over Financial Reporting (ICFR). An example is an accounting staff member who reviews and reconciles cash, accounts receivable, inventory, and other accounts. Discrepancies, if any, should be corrected on a timely basis. Ideally, the person who conducts the bank reconciliation is one who does not have access to cash and hence has purely accounting duties. Inventory counts must be performed periodically in order to determine shortages or even possible inventory pilferage.

The reliability objective of internal control is not confined to financial reports but extends to nonfinancial reports. Nonfinancial reports should also be reliable so as not to mislead users. Examples of nonfinancial reports include environmental and sustainability reports.

### Objective No. 3: Compliance with applicable laws and regulations

Part and parcel of internal control is the assurance that the company complies with applicable laws and regulations. These include taxation, labor, environmental, anti-money laundering, and corporation laws, among others. Needless to say, failure to comply with laws and regulations carries monetary penalties, not to mention possible prosecution and/or administrative charges to be filed against erring corporate officers and employees. To enhance the degree of adherence to laws and regulations, a compliance function must be established within the company. For regulated entities such as banks and insurance companies, compliance departments are tapped to monitor the company's adherence to laws and regulations. The compliance department is usually headed by a chief compliance officer.

### Components of Internal Control

The internal control system has five components under the COSO Framework. The following describes the characteristics of each component of internal control:

1. **Control environment**: The foundation of internal control is the control environment. It is a set of standards, processes, and structures that provide the basis for carrying out internal control. Without an effective control environment, internal control will not function properly. The control environment is comprised of the following:

   * Integrity and ethical values
   * Management's philosophy and operating style
   * Organizational structure
   * Commitment to competence
   * Human resource policies and procedures
   * Functioning of the board of directors

   In addition, the control environment should ensure controls are in place in areas such as:

   * Hiring practices
   * Code of ethical conduct
   * Whistleblower policies
   * Employee training
   * Succession planning
   * Clear lines of responsibility and authority
   * Competence and independence of the board of directors and board committees

2. **Risk assessment**: Risk assessment is an iterative process for identifying and assessing those risks that may prevent the achievement of enterprise objectives. First, management sets the company's operational, financial reporting, and compliance objectives. Then, risks that could prevent the achievement of these objectives are identified. This sub-process is known as risk identification. The identified risks are subsequently assessed in terms of likelihood and impact. Likelihood pertains to the probability of the occurrence of a negative event. Impact pertains to the significance, consequence, or magnitude of the identified risk to the company. This sub-process is called risk analysis or risk assessment. The assessment of risks in terms of likelihood and impact results in the determination of whether such risks are significant or not. Significant risks are typically those that have high risk scores for likelihood and impact.

   The last step in this component is risk response. Risk responses include "accept," "mitigate," "share," "transfer," and "avoid." Risk acceptance is not an appropriate response for significant risks. Significant risks should be mitigated by deploying control activities. Some risks can be transferred through insurance. An example of totally avoiding a risk is when a company chooses to exit a market or drop one of its product lines due to market saturation.

3. **Control activities**: Control activities are the specific actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities encompass the following:

   * **Performance reviews** - comparison of actual performance against budgets and forecasts.
   * **Information processing** - controls that check the accuracy, completeness, and authorization of transactions.
   * **Physical controls** - activities that assure the physical security of assets and records.
   * **Segregation of duties** - separation of the functions of transaction authorization, record-keeping, and custody.

4. **Information and communication**: Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives. Management obtains, generates, and uses relevant and quality information from both internal and external sources to support the functioning of internal control. For instance, managers need accounting information in order to make business decisions. In this regard, the company's accounting information system plays an important role in ensuring that only actual transactions are recorded and fictitious ones are prevented from getting recorded in the books. To accomplish this, the company must have a properly working accounting information system.

   Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. For instance, the code of ethical conduct in the company must be communicated from top management to rank-and-file personnel. On the other hand, deviations from or violations of internal control policies must be communicated to top management and/or to the audit committee of the board of directors. A best practice in internal control is a whistleblower reporting mechanism wherein an employee may report a fraud or irregularity through a hotline system. This whistleblower hotline is typically an effective fraud deterrence procedure in many companies. External communication is two-fold: it enables inbound communication of relevant external information and provides information to external parties in response to requirements and expectations.
In-bound communication should ensure that correspondences from government agencies such as the Bureau of Internal Revenue (in the case of deficiency tax assessment letters), Securities and Exchange Commission, and other government regulators are properly received by management.. Management must reply in a timely manner to these letters from government agencies through outbound communications. 5. **Monitoring activities**: Monitoring of internal control is essential because internal control that is effective today may no longer be effective months or a year from now. In addition, internal control is subject to obsolescence as a result, for instance, of more sophisticated fraud or cybercrime. The condition of internal control should be evaluated over a period of time. Because of these, there should be a monitoring of internal control to find out if it remains to be effective over time. Monitoring of controls is of two types: Ongoing monitoring and separate evaluations. These two monitoring activities are used to ascertain whether each of the five components of internal control is present and functioning. Ongoing monitoring, built into business processes at different levels of the entity, provide timely information. An example of ongoing monitoring is a routine review of the purchasing manager of the procurement procedures in the company. Separate evaluations, on the other hand, are conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Separate evaluations of internal control are often performed by internal auditors. Findings are evaluated against criteria established by regulators, standard-setting bodies, or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate. 
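The likelihood-and-impact scoring and the risk-response rules described under the risk assessment component, as an added Python example that is not from the textbook. The 1-to-5 scales, the significance threshold of 12, the rule that a "mitigate" response must map to at least one control activity, and the sample register (modelled on the XYZ Co. fact pattern) are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Risk responses named in the chapter. "accept" is not appropriate for significant risks.
RESPONSES = {"accept", "mitigate", "share", "transfer", "avoid"}
# Assumed: likelihood and impact are each scored 1..5; a product of 12 or more is "significant".
SIGNIFICANT_THRESHOLD = 12


@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (remote) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    response: str              # one of RESPONSES
    controls: list = field(default_factory=list)  # control activities mapped to this risk

    def score(self) -> int:
        return self.likelihood * self.impact

    def is_significant(self) -> bool:
        return self.score() >= SIGNIFICANT_THRESHOLD


def validate(risks):
    """Return a list of issues found in a risk register; an empty list means it passes."""
    issues = []
    for r in risks:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            issues.append(f"{r.name}: likelihood and impact must each be 1..5")
            continue
        if r.response not in RESPONSES:
            issues.append(f"{r.name}: unknown response '{r.response}'")
        elif r.is_significant() and r.response == "accept":
            issues.append(f"{r.name}: 'accept' is not appropriate for a significant risk (score {r.score()})")
        # A risk the company decides to mitigate must be mapped to a control activity;
        # otherwise the register has a gap like XYZ Co.'s manual in Example 2.
        if r.response == "mitigate" and not r.controls:
            issues.append(f"{r.name}: 'mitigate' chosen but no control activity is mapped")
    return issues


# Constructed sample register (not real company data).
SAMPLE_REGISTER = [
    Risk("Cash theft from vault", 3, 4, "mitigate", ["cash vault", "CCTV", "segregation of duties"]),
    Risk("Fire damage to warehouse", 2, 5, "transfer", ["fire insurance"]),
    Risk("Fictitious revenue recorded to hit bonus targets", 4, 5, "accept"),
    Risk("Minor stationery pilferage", 2, 1, "accept"),
]

if __name__ == "__main__":
    for issue in validate(SAMPLE_REGISTER):
        print(issue)
```

Run as a script, it flags only the fictitious-revenue risk: a score of 20 is significant, so "accept" is rejected while the low-scoring pilferage risk may be accepted.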
### COSO Requirements for Integrated Components

The following are two basic requirements under the COSO Internal Control Integrated Framework before one can conclude that the company's internal control system is effective:

1. **Each of the five components must be present and functioning.** In this respect, "present" means that the five components exist in the design and implementation of the system of internal control to achieve business objectives. "Functioning" means that the components continue to exist and are being implemented over time.
2. **The five components must "operate together" in an integrated manner.** The components of internal control are not to be treated in isolation; rather, they need to be operated in an integrated manner. The concept of the "operating together" of the components is discussed below.

### "Operating Together" of Internal Control Components

**Example 1: ABC Company: There is monitoring but the control environment and information and communication components are missing.**

**Fact pattern:** ABC Co. has an internal audit function. Its internal auditors are competent and they conduct their audits in accordance with suitable internal audit programs. They conduct internal audits of operations as well as of the company's compliance with applicable laws and regulations. In the course of performing their audits, the internal auditors were able to identify weaknesses in the warehousing and procurement procedures of the company which may open the door to the commission of fraud, especially when it comes to inventories. As such, the internal auditors prepared formal audit reports reflecting their audit findings with the corresponding audit recommendations to address fraud risks in the warehousing and procurement functions. The internal auditors communicated their audit findings to the general manager, warehouse manager, and procurement manager. However, they do not have direct access to the company's audit committee nor to the board of directors. Furthermore, internal audit reports and recommendations were simply submitted to the general manager's office for future reference. No copy of their internal audit reports ever reaches the audit committee level.

In the above scenario, one can conclude that there exist effective procedures in the monitoring component of internal control, as evidenced by a functional internal audit. However, there is no proper communication of the information contained in the internal audit reports to the audit committee and/or board of directors. Hence, the components information and communication (no effective reporting of audit findings to the appropriate level) as well as control environment (the audit committee and the board cannot perform their oversight role due to their lack of awareness about the condition of the procurement and warehousing functions) are missing. In summary, the components of internal control in the area of warehousing and procurement of ABC Co. are not effective. This is because the components do not "operate together" as required by the COSO Framework.

**The table below summarizes the status of the control components of ABC Co.**

| Component | Present and Functioning? |
|:---|:---|
| Control environment | ✗ |
| Information and communication | ✗ |
| Monitoring | ✓ |

**Example 2: XYZ Company: There are control activities but there is no risk assessment.**

**Fact pattern:** XYZ Co. is a family-owned merchandising business. The owners are in the process of preparing the company's internal control manual of procedures. They started by formulating control activities in the area of preventing asset misappropriation. They listed in the internal control manual physical controls such as cash vaults, locks, CCTV cameras, and the like. In addition, segregation of incompatible functions (separating duties relating to authorization of transactions, execution, recording, and custody) is included in the manual. On top of that, securing insurance was incorporated in the internal control manual. It seems that the control procedures listed in the control manual are already adequate.

Unknown to the owners, even though assets are safeguarded from theft because of the various control activities listed in the manual, managers of the company are manipulating the records by recording fictitious revenue. This is because their bonuses are based on achieving relatively high revenue targets. The owners of XYZ Co. failed to consider this risk when they drafted the internal control manual. Therefore, no control that deals with the possibility of recording fictitious revenue is listed in the internal control manual, since the owners focused solely on controls that prevent asset misappropriation. Recording fictitious revenue is a different type of fraud and is classified under the fraudulent financial reporting category.

In assessing XYZ Co.'s internal control, one can conclude that the risk assessment component is missing. Ideally, prior to selecting and deploying specific control activities, one must perform risk assessments. Risks identified should be mapped to specific controls. If risk assessment is absent, the company may