Chapter 2 extract from our ExPress notes for use with the current video. A full set of P3 ExPress notes can be downloaded free of charge at www.theexpgroup.com CIMA Paper P3 Performance Strategy For exams in 2011 theexpgroup.com Notes

Upload: vunhan

Post on 17-Feb-2018



ExPress Notes CIMA P3 Performance Strategy

© 2011 The ExP Group. Individuals may reproduce this material if it is for their own private study use only. Reproduction by any means for any other purpose is prohibited. These course materials are for educational purposes only and so are necessarily simplified and summarised. Always obtain expert advice on any specific issue. Refer to our full terms and conditions of use. No liability for damage arising from use of these notes will be accepted by the ExP Group.

theexpgroup.com

Contents

About ExPress Notes

1. Management Control Systems

2. Risk and Internal Control

3. Review and Audit of Control Systems

4. Management of Financial Risk

5. Risk and Control in Information Systems


START About ExPress Notes

We are very pleased that you have downloaded a copy of our ExPress notes for this paper. We expect that you are keen to get on with the job in hand, so we will keep the introduction brief.

First, we would like to draw your attention to the terms and conditions of usage. It’s a condition of printing these notes that you agree to the terms and conditions of usage. These are available to view at www.theexpgroup.com. Essentially, we want to help people get through their exams. If you are a student for the CIMA exams and you are using these notes for yourself only, you will have no problems complying with our fair use policy.

You will however need to get our written permission in advance if you want to use these notes as part of a training programme that you are delivering.

WARNING! These notes are not designed to cover everything in the syllabus!

They are designed to help you assimilate and understand the most important areas for the exam as quickly as possible. If you study from these notes only, you will not have covered everything that is in the CIMA syllabus and study guide for this paper.

Components of an effective study system

On ExP classroom courses, we provide people with the following learning materials:

The ExPress notes for that paper

The ExP recommended course notes / essential text or the ExPedite classroom course notes where we have published our own course notes for that paper

The ExP recommended exam kit for that paper.

In addition, we will recommend a study text / complete text from one of the CIMA official publishers, but we do not necessarily give this as part of a classroom course, as we think that it can sometimes slow people down and reduce the time that they are able to spend practising past questions.

ExP classroom course students will also have access to various online support materials, including:

The unique ExP & Me e-portal, which amongst other things allows “view again” of the classroom course that was actually attended.

ExPand, our online learning tool and questions and answers database


Everybody in the World has free access to CIMA’s own database of past exam questions, answers, syllabus, study guide and examiner’s commentaries on past sittings. This can be an invaluable resource. You can find links to the most useful pages of the CIMA database that are relevant to your study on ExPand at www.theexpgroup.com.

How to get the most from these ExPress notes

For people on a classroom course, this is how we recommend that you use the suite of learning materials that we provide. This depends where you are in terms of your exam preparation for each paper.

Your stage in study for each paper: Prior to study, e.g. deciding which optional papers to take

These ExPress notes: Skim through the ExPress notes to get a feel for what’s in the syllabus, the “size” of the paper and how much it appeals to you.

ExP recommended course notes, or ExPedite notes: Don’t use yet

ExP recommended exam kit: Don’t use yet

CIMA online past exams: Have a quick look at the two most recent real CIMA exam papers to get a feel for examiner’s style.


Your stage in study for each paper: At the start of the learning phase

These ExPress notes: Work through each chapter of the ExPress notes in detail before you then work through your course notes. Don’t try to feel that you have to understand everything – just get an idea for what you are about to study. Don’t make any annotations on the ExPress notes at this stage.

ExP recommended course notes, or ExPedite notes: Work through in detail. Review each chapter after class at least once. Make sure that you understand each area reasonably well, but also make sure that you can recall key definitions, concepts, approaches to exam questions, mnemonics, etc. Nobody passes an exam by what they have studied – we pass exams by being efficient in being able to prove what we know. In other words, you need to have effectively input the knowledge and be effective in the output of what you know. Exam practice is key to this.

ExP recommended exam kit: Try to do at least one past exam question on the learning phase for each major chapter.

CIMA online past exams: Don’t use at this stage.


Your stage in study for each paper: Practice phase

These ExPress notes: Work through the ExPress notes again, this time annotating to explain bits that you think are easy and be brave enough to cross out the bits that you are confident you’ll remember without reviewing them.

ExP recommended course notes, or ExPedite notes: Avoid reading through your notes again. Try to focus on doing past exam questions first and then go back to your course notes/ ExPress notes if there’s something in an answer that you don’t understand.

ExP recommended exam kit: This is your most important tool at this stage. You should aim to have worked through and understood at least two or three questions on each major area of the syllabus. You pass real exams by passing mock exams. Don’t be tempted to fall into “passive” revision at this stage (e.g. reading notes or listening to CDs). Passive revision tends to be a waste of time.

CIMA online past exams: Download the two most recent real exam questions and answers. Read through the technical articles written by the examiner. Read through the two most recent examiner’s reports in detail. Read through some other older ones. Try to see if there are any recurring criticism he/ she makes. You must avoid these!


Your stage in study for each paper: The night before the real exam

These ExPress notes: Read through the ExPress notes in full. Highlight the bits that you think are important but you think you are most likely to forget.

ExP recommended course notes, or ExPedite notes: Unless there are specific bits that you feel you must revise, avoid looking at your course notes. Give up on any areas that you still don’t understand. It’s too late now.

ExP recommended exam kit: Don’t touch it!

CIMA online past exams: Do a final review of the two most recent examiner’s reports for the paper you will be taking tomorrow.


Your stage in study for each paper: At the door of the exam room before you go in.

These ExPress notes: Read quickly through the full set of ExPress notes, focusing on areas you’ve highlighted, key workings, approaches to exam questions, etc.

ExP recommended course notes, or ExPedite notes: Avoid looking at them in detail, especially if the notes are very big. It will scare you.

ExP recommended exam kit: Leave at home.

CIMA online past exams: Leave at home.


Our ExPress notes fit into our portfolio of materials as follows:

Notes

Notes

Notes

Provide a base understanding of the most important areas of the syllabus only.

Provide a comprehensive coverage of the syllabus and accompany our face to face professional exam courses

Provide detailed coverage of particular technical areas and are used on our Professional Development and Executive Programmes.

To maximise your chances of success in the exam we recommend you visit www.theexpgroup.com where you will be able to access additional free resources to help you in your studies.

START About The ExP Group

Born with a desire to be the leading supplier of business training services, the ExP Group delivers courses through either one of its permanent centres or onsite at a variety of locations around the world. Our clients range from multinational household corporate names, through local companies to individuals furthering themselves through studying for one of the various professional exams or professional development courses.

As well as courses for CIMA and other professional qualifications, our portfolio of expertise covers all areas of financial training ranging from introductory financial awareness courses for non financial staff to high level corporate finance and banking courses for senior executives.

Our expert team has worked with many different audiences around the world ranging from graduate recruits through to senior board level positions.

Full details about us can be found at www.theexpgroup.com and for any specific enquiries please contact us at [email protected].


Chapter 2

Risk and Internal Control

START The Big Picture

This chapter addresses the variety of risks facing an organization and the risk management strategy and internal controls that exist in response to those risks.

It is useful to start with CIMA’s definition of Risk Management: “the process of understanding and managing the risks that the organization is inevitably subject to in attempting to achieve its corporate objectives”. (CIMA Official Terminology)

KEY KNOWLEDGE

Types of Risks


Risk management at the enterprise level addresses all risks affecting a company. These can be classified as follows (diagram on next page):

Enterprise Risk

Operational risk: Process risk; People risk; Systems risk; Event risk; Business risk

Financial risk: Credit risk; Market (price) risk; Gearing risk

Operational (or Operating) Risk

One may view this category as including all risks that can arise in the course of operating a business, though by definition they are clearly distinguished from financial risks.

It will be seen that the list of risks presented below can be expanded and sub-divided according to a particular company’s specific circumstances.

Process Risk

This relates to the processes within a business and evaluates them from the standpoint of pure risks, as well as (a) economy, (b) efficiency and (c) effectiveness.

People Risk

All risks connected to human resources, including quality and sufficiency of staff, and issues of recruitment, training, compensation, honesty and morale. There is an important link to corporate culture and explicit and implicit attitudes displayed by management; i.e. how they cultivate risk awareness, or encourage profits with(out) regard to the methods employed in achieving them.

Systems Risk


Information systems and communications in the broadest sense of the term, including IT hard/software, capacity, reliability (back-up) and policies relating to accuracy, access (passwords) and data integrity.

Event/Hazard Risk

Risk of losses resulting from single events that may have a high or low impact. Natural disasters and human actions, whether intentional (terrorism) or not (accidents), fall within this category.

Some companies may include fraud in this category though fraud and malfeasance are also clearly the result of the actions of people (see “people risk”).

Business Risk

This is a broad category with indistinct boundaries, but it generally covers risks to a company’s ability to generate returns from its ordinary operations, including its strategy, business model, competitive position, political/legal environment (including regulatory/ compliance/ intellectual property), products, marketing, clients and reputation.

Process, people and systems risks can be seen as being mainly internal in nature; the other risks are generally seen as being external.

KEY KNOWLEDGE

International operations

The challenge presented by international operations can be analyzed using the above categories; such operations add complexity to a company’s operations since they confront it with differing:

Cultural norms

Political stability

Efficiency and honesty of the judicial system

Regulatory enforcement

Just to name a few!


KEY KNOWLEDGE

Key risk concepts

There are several key concepts relating to risk:

Probability: measures the likelihood that a certain event will occur;

Severity (or impact): quantifies the loss which results if the undesired outcome occurs;

Exposure: Is the degree to which one is confronted by the particular type of risk

The above factors can be combined into a quantification of the risk of loss by multiplying the financial consequences if the undesired event occurs by the probability factor:

Risk = Probability x Severity x Exposure

Note: This can be condensed to Risk = Probability x Financial consequences

This is essentially the application of the expected value technique to risk.

Volatility: refers to the variability or the spread of all likely outcomes of an uncertain factor to which a business is exposed. Statistically, volatility is measured by standard deviation.

KEY KNOWLEDGE

Risk Mapping

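[Risk map: Severity (vertical axis) against Likelihood (horizontal axis)]

High severity, low likelihood: Detect/Monitor

High severity, high likelihood: Prevent (at source)

Low severity, low likelihood: Low control

Low severity, high likelihood: Monitor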


KEY KNOWLEDGE

Risk Response Strategy

It is management’s responsibility to adopt a “risk response strategy”, which results from the specific identification and assessment of each type of risk facing the organization. The responses can come under one of the four following (generic) headings:

(1) Avoid: Discontinuing (or not starting) an activity that causes unacceptable risks;

(2) Reduce (or prevent): Taking (internal) action to reduce the risk;

(3) Insure (transfer or share): Transferring the risk to a 3rd party (such as an insurer) or sharing the risk with a partner;

(4) Accept (or retain): the risk is considered small and it is not worth the effort to protect against it.

Refer back to the risk map: One could chart the above risk responses as a progression from upper right (High Severity/High Likelihood = Avoidance) to the lower left (Low Severity/Low Likelihood = Acceptance).

KEY KNOWLEDGE

Risk & Corporate Objectives

Achieving a clear and explicit articulation of corporate objectives, and the connection to risk appetite/acceptance, is the duty of senior management. This perspective begins at the most senior corporate strategy and policy-making level, where strategic objectives are established. This is a “top-down” process.

Following from the establishment of corporate objectives, a company’s business strategy can be seen, among other purposes, as reconciling corporate objectives with the level of risk accepted in pursuing strategic and financial goals.


These elements are tied together by the culture of the organization (incl. attitudes to risk) and its management control and other systems.

[Diagram: Objectives (strategy), Risks, Returns (Rewards), Culture & Systems]

KEY KNOWLEDGE

Risk Management Processes

There exist a number of risk management models. Since they have similar objectives, they will resemble each other in their process steps. From a generic point of view, these embrace:

Risk identification and awareness

At the policy level, this involves the need to define explicitly the organisation’s risk appetite (the types and levels of risks it is willing to tolerate).

There is also a need to agree common definitions of risks. One can refer to this as a “common language” of risk or “risk glossary”. There is an effort to “inventory” risks; this means categorizing risks, including an understanding of their causes and degree of impact.

Risk management and assessment

This is concerned with methods and techniques used to evaluate risks, including methodologies to prioritize risks (risk-ranking) and to quantify them.


Risk response and control

Risk response means effective action-taking to ensure that the identified risks are addressed in conformity with policy.

This requires an assignment of responsibilities to individuals -- who does what.

Risk monitoring and reporting

A system of monitoring the ERM process, including periodic evaluations as to whether the system is accomplishing its purpose, is indispensable. The costs of maintaining the system must be outweighed by the benefits.

Management is accountable to shareholders, and other stakeholders, by a system of periodic reporting.

KEY KNOWLEDGE

CIMA Risk Management Cycle

The student is advised to refer also to CIMA’s Risk Management Cycle (contained in CIMA publication Fraud Risk Management: A Guide to Good Practice): www.cimaglobal.com

The student might also refer to COSO (Committee of Sponsoring Organisations of the Treadway Commission) which addresses Enterprise Risk Management (ERM) through its eight Components and four Objectives categories.

The Components are:

Internal environment

Objective setting

Event identification

Risk assessment

Risk response

Control activities


Information and communication

Monitoring

The Objectives address:

Strategy

Operations

Financial Reporting

Compliance

KEY KNOWLEDGE

ERM Implementation

Defining Enterprise Risk Management (ERM) in conceptual terms is merely the first step. Moving from theory to practical implementation begins with:

1. The Board of Directors’ explicit responsibility for risk management oversight

This may be accompanied by the establishment of a Risk Committee at the board level, or including the responsibility within the scope of the Audit Committee;

2. Creation of a risk management team under the leadership of a senior-level executive (Chief Risk Officer, CRO, or VP – Risk) with a reporting line into the Board

The real test of the effectiveness of a risk management process is measured by the degree to which:

3. The methods and norms of ERM are successfully disseminated throughout the organization.

Effective implementation requires important commitments at all levels of the organization, manifested by:

Clear written policies and procedures;

Staff training;


Disciplinary steps for violations;

Constant management reinforcement (both in word and deed)

KEY KNOWLEDGE

Internal Control

The IIA (Institute of Internal Auditors) have provided the following useful definition:

“An internal control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Thus, control is the result of proper planning, organising and directing by management.”

The internal control function should be regarded as a process designed to provide reasonable (not absolute) assurance that the company is in a position to achieve its objectives; it should be integral to a company’s operations, not an external imposition.

Responsibilities include:

Safeguarding of corporate assets;

Checking the accuracy and reliability of corporate accounting data;

Promoting operational efficiency;

Ensuring adherence to accounting and financial control policies

KEY KNOWLEDGE

COSO – Internal Controls

A widely-used framework of internal control in the USA is the COSO Internal Control – Integrated Framework, which consists of five components:

Control Environment – setting the “tone at the top”;

Risk Assessment – identification of risks (to the achievement of objectives);

Information and Communication – internal data flow (timely, relevant, etc.);

Control Activities – the policies and procedures;

Monitoring – verification processes to assess the quality/effectiveness of internal controls


KEY KNOWLEDGE

Types of Controls

Corporate controls = general policy statements, established core culture and overall monitoring procedures, corporate governance

Management controls = planning and performance monitoring

Business process controls = authorisation limits and reconciliation

Transaction controls = accuracy and completeness checks

You may use the mnemonic SOAPSPAM to generate ideas for types of control:

Segregation of duties

Organisational controls (eg set authority limits)

Authorisation

Physical

Supervision

Personnel, eg background checks

Arithmetical and reconciliations

Management – the tone from the top, including existence of an internal audit department.

KEY KNOWLEDGE

Features of a good system

Essential features of any good system of internal control

As a useful aide memoire when asked to evaluate a described system of internal control within a question scenario, you could make use of the mnemonic PCRAM.

Plan of organisation

Custody procedures

Recording procedures

Authorisation procedures

Management supervision


KEY KNOWLEDGE

The Turnbull Report

The UK Turnbull report gives us a useful summary of the main purposes of an internal control system, by stating that internal control consists of “the policies, processes, tasks, behaviour and other aspects of a company that taken together:

Facilitate its effective and efficient operation by enabling it to respond to significant business, operational, financial, compliance and other risks to achieving the company’s objectives. This includes safeguarding the assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed.

Help to ensure the quality of internal and external reporting.

Help ensure compliance with applicable laws and regulation, and also with internal policies with respect to conduct of business.”

The Turnbull committee recognised that while a sound internal control system cannot eliminate poor judgment in decision-making, it may minimize that risk to a significant degree. Further, the committee stated: “Reviewing the effectiveness of internal controls is an essential part of the board's responsibilities…”; at the same time, “Management is accountable to the board for monitoring the system of internal control and for providing assurance to the board that it has done so.”

The board is responsible for the disclosures on internal control in the company's annual report and accounts.

KEY KNOWLEDGE

Corporate Governance

There is a close connection between corporate governance and risk management: in order to fulfil their corporate governance role faithfully, the directors of the company have to ensure that the company has in place robust systems of internal control and risk management. There are several models of corporate governance:


Shareholder-based models: typical of the US and the UK; and

Stakeholder-based models: common in continental Europe and Japan.

KEY KNOWLEDGE

Sarbanes-Oxley (US)

In the US, Sarbanes-Oxley is Federal legislation dating from 2002 that prescribes corporate governance principles for publicly-quoted US corporations. It seeks to safeguard the economic interests of the shareholders, by promoting an active market where corporate control can change hands in an effort to promote the most efficient allocation of economic resources.

KEY KNOWLEDGE

Combined Code (UK)

In the UK, this is a set of principles of good corporate governance which sets forth a code of best practice aimed at companies listed on the London Stock Exchange. It is overseen by a body called the Financial Reporting Council.

The Combined Code on Corporate Governance is the result of the collective efforts of numerous commissions formed in the UK to study and make recommendations on the subject (e.g. Cadbury, Greenbury and Hampel) and incorporates conclusions from the following committees:

Turnbull: Guidance on internal control (as described earlier);

Smith: Guidance on audit committees;

Higgs: Suggestions for good practice

Some key features of the Combined Code include:

Comply or explain: Deviations from the Code may be justified “in particular circumstances”;

Board Composition: At least half the Board (excluding the chairman) should be independent non-executive directors;

Separation of Chairman and CEO roles: These should not be exercised by the same individual;


Non-Executive Directors’ duties: Include “scrutinise the performance of management” and satisfy themselves that financial controls and systems of risk management are “robust and defensible”;

Executive remuneration: No director should be involved in deciding his or her own remuneration;

Audit Committee: At least three members, all of whom should be independent non-executive directors;

Audit Committee role: Oversee the effectiveness of internal controls and liaise with the internal and external auditors.

KEY KNOWLEDGE

Internal Audit

The role of internal audit is to make sure that the company’s internal controls are appropriate and working properly. Internal auditors are employees and report to management. However, they can also have a reporting line to the audit committee of the board, so that their professional independence is not compromised.

KEY KNOWLEDGE

CIMA Ethical Guidelines

The student is expected to be fully familiar with CIMA Ethical Guidelines which can be accessed via: www.cimaglobal.com