November 2006 Examinations Strategic Level Paper P3 – Management Accounting – Risk and Control Strategy Question Paper 2 Examiner’s Brief Guide to the Paper 13 Examiner’s Answers 14 The answers published here have been written by the Examiner and should provide a helpful guide for both tutors and students. Published separately on the CIMA website (www.cimaglobal.com/students) from mid-February 2007 is a Post Examination Guide for this paper, which provides much valuable and complementary material including indicative mark information. 2006 The Chartered Institute of Management Accountants. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recorded or otherwise, without the written permission of the publisher.

P3 2 November 2006

Management Accounting Pillar

Strategic Level Paper

P3 – Management Accounting – Risk and Control Strategy

23 November 2006 – Thursday Morning Session

Instructions to candidates

You are allowed three hours to answer this question paper.

You are allowed 20 minutes reading time before the examination begins during which you should read the question paper, and if you wish, make annotations on the question paper. However, you will not be allowed, under any circumstances, to open the answer book and start writing or use your calculator during this reading time.

You are strongly advised to carefully read ALL the question requirements before attempting the question concerned (that is, all parts and/or sub-questions). The question requirements are contained in a dotted box.

Answer the ONE compulsory question in Section A on pages 3 and 5.

Answer TWO questions only from Section B on pages 5 to 8.

Maths Tables and Formulae are provided on pages 9 to 12.

Write your full examination number, paper number and the examination subject title in the spaces provided on the front of the examination answer book. Also write your contact ID and name in the space provided in the right hand margin and seal to close.

Tick the appropriate boxes on the front of the answer book to indicate which questions you have answered.

P3 –

Ris

k an

d C

ontr

ol S

trat

egy

November 2006 3 P3

SECTION A – 50 MARKS [the indicative time for answering this section is 90 minutes] ANSWER THIS QUESTION Question One BLU is a stock market listed manufacturing company that has historically invested in computer numerical control (CNC) equipment to manufacture a range of electronic components for the telecommunications industry. BLU’s strategic objective is to increase shareholder value through an annual increase in sales revenue of 15% and an annual increase in after-tax profits of 17.5%, both of which have been achieved over the past three years. This objective is strongly promoted within BLU and senior management bonuses are linked to the achievement of those targets. In early 2006, the following financial justification was presented to the Board of Directors of BLU to support a proposal for capital investment in new CNC manufacturing equipment: Projected cash flows for new equipment 2007 2008 2009 2010 2011 all figures in £000 Additional sales income 12,000 13,000 14,000 15,000 16,000Additional variable costs 3,600 3,900 4,200 4,500 4,800Additional fixed costs 1,500 1,500 1,500 1,500 1,500Additional operating profit 6,900 7,600 8,300 9,000 9,700Less taxation 2,070 2,280 2,490 2,700Additional operating cash flow 6,900 5,530 6,020 6,510 7,000Less additional working capital 1,000 300 400 500 600Additional cash flow 5,900 5,230 5,620 6,010 6,400 Cost of capital 15% Present value of future cash flows 19,398 Less capital cost of new equipment 17,500 Net present value 1,898

It is company policy to evaluate investments over the first five years only. In March 2006, the Board approved the capital investment as it met its minimum criterion of a positive NPV using a cost of capital of 15%. There was one other project that was competing for funds at that time. This was for a new distribution system. However, this project was rejected by the Board because the NPV was lower than that of the CNC equipment. Later in 2006, the audit committee asked a firm of consultants to review BLU’s capital investment approval process and the information system that informs that process. As part of the first stage of the consultants’ review, a draft report has been received by the Board that describes the process but as yet does not make any recommendations. The following are extracts from the consultants’ draft report: • BLU has a Market Research Department that looks at economic, industry and competitive

factors affecting the market demand for its products in order to forecast market growth and likely market share during BLU’s strategic planning horizon of five years. As part of its assessment, the Market Research Department asks the Sales Department to liaise with its largest customers to determine their likely requirements. The Sales Department forecasts sales based on its own knowledge of its market, including information from existing customers and its plan to win new customers. Having collated the available information, the Market Research Department provides the Production Department with annually updated forecasts of market demand for the next five years.

P3 4 November 2006

• The Production Department compares the Market Research Department’s forecasts with its

production capacity based on past experience of volumes, product mix, and cycle times. The Production Department then determines the ‘capacity gap’ over the next five years, which it defines as the difference between the capacity required to satisfy forecasts of market demand and its existing practical capacity.

• Based on the capacity gap, the Production Department conducts a search for new CNC manufacturing equipment that will satisfy projected sales. A range of alternative suppliers is considered and prices for the equipment are compared, after which the Production Department identifies the supplier and the equipment deemed most suitable to bridge the capacity gap. The capital costs of new equipment and the capacity of this new equipment are calculated by the Production Department.

• The Finance Department accepts the forecasts of market demand from the Market Research Department and the cost and capacity information from the Production Department. It then uses historical cost information to update standard costs of labour and materials, with advice from the Human Resources and Purchasing Departments respectively about likely increases in the price of labour and materials. The Finance Department makes its own assessments about the additional working capital requirement.

• The Finance Department then completes a discounted cash flow calculation to assess the investment in new capital equipment, which is then presented to the Board of Directors as part of the annual budget cycle. BLU uses a cost of capital of 15% for the assessment of new capital expenditure proposals. This is the benchmark figure used by the Board, which has been in use for several years. Proposals that show a positive net present value are likely to be approved and where there are competing proposals for limited capital funds, the project with the highest NPV is usually selected. The Board’s capital investment approval criteria are well known by BLU’s managers.

Required: Note: No calculations are required to answer this question. (a) Analyse the risks facing BLU in relation to

(i) its investment appraisal and approval process; and (ii) the information system feeding that process.

(20 marks)

(b) Explain how, as an internal auditor, you would plan an audit of BLU’s existing capital investment process (and the information system feeding that process), highlighting those elements of the process that you would pay particular attention to under a risk-based approach.

(10 marks) (c) Recommend to the Board of BLU the internal controls that should be introduced to

improve BLU’s capital investment process (including the information system feeding that process) and explain the benefits of your recommended controls.

(20 marks)

(Total for Question One = 50 marks)

(Total for Section A = 50 marks)

November 2006 5 P3

SECTION B – 50 MARKS [the indicative time for answering this section is 90 minutes] ANSWER TWO QUESTIONS ONLY Question Two STU is a large distribution business which provides logistical support to large retail chains. A significant problem currently faced by STU is the number of legacy systems1 in use throughout the organisation. The various legacy systems, each of which tends to be used by a single business function, hold data that is inconsistent with other systems, leading to an inconsistent approach to decision making across the business. The problem is made worse by many managers having developed their own PC-based databases and spreadsheets because of the lack of suitable information produced by the legacy systems. STU’s Board of Directors has recently approved the feasibility study presented by the Finance Director for the in-house development of a new Strategic Enterprise Management (SEM) system. The SEM system will use real-time data entry to collect transaction data from remote sites to maintain a data warehouse storing all business information which can then be accessed by various analytical tools to support strategic decision making. The SEM system will be developed and implemented over a three year period within a budget approved by the Board. Three phases have been identified: design of the new system; development of the software; and delivery of the finished system into business units. The Board considers that designing, developing and delivering the SEM system will be crucial to business growth plans in a competitive environment. 1Note: A legacy system is a computer system which continues to be used because the information it provides is critical to a business. However, the high cost of replacing or redesigning the system has led to it being retained by the business. It is typically an older design, is not compatible with more up-to-date software, and because of its age, provides information that is not as complete or reliable as it should be.

Required:

(a) Assuming that you are STU’s Head of Internal Audit, recommend the actions that should be taken in connection with the design, development and delivery of the SEM system.

(13 marks)

(b) Advise the audit committee of STU about

(i) possible approaches to auditing computer systems; and (ii) the controls that should exist in an IT environment.

(12 marks)

(Total for Question Two = 25 Marks)

P3 6 November 2006

Question Three The following information relates to two companies based in the United States of America, both of which are listed on the New York stock exchange. Each company had an annual turnover of approximately $800 million in 2005. Company A This company sells into a mix of business-to-business and end-user markets across a total of 15 countries in North America and Europe. Business-to-business sales predominate and 40% of turnover comes from two key European customers. Manufacturing, assembly and delivery is managed geographically rather than by product type, via three separate subsidiaries with their own CEO based in Canada, France and the UK respectively. Research and all Treasury operations for the arrangement of loan finance and hedging of foreign exchange risk are both fully centralised. The company has a diverse shareholder base that includes two major pension funds, one of which has a representative entitled to be present as an observer at the board meetings of Company A. Company B This company operates in the same product market as Company A, but earns most of its income from end user sales, many of which are initiated by on-line direct orders. 80% of the internet sales originate in the United States of America. Company’s B’s largest single customer, a Canadian company, represents 15% of its annual sales revenue, but no other customer exceeds 1% of total sales. Research and sales facilities are based at the US headquarters, but manufacturing and assembly is all undertaken by separate subsidiaries in China, where the company also has a joint venture business that manages all the global distribution. Treasury operations are fully decentralised, but run as cost rather than profit centres. The company was started ten years ago, and the Board of Directors remains dominated by members of the founding family. The CEO and the Finance Director are husband and wife, and together own 35% of the company’s shares.

Required: Using the information contained in the above scenario to develop your arguments, answer each of the following questions: (a) Discuss how decisions about company structure, market types and location can

impact upon the risk profile of a company.

(12 marks) (b) Compare and contrast the risks associated with the differing approaches to the

Treasury function adopted by the two companies in the above scenario. (4 marks)

(c) For either Company A or Company B as described in the scenario, taking into

account its current structure and size, recommend one example of each of financial, non-financial quantitative, and non-financial qualitative controls that may be useful tools in monitoring exposure to either strategic or operational risks. You should briefly justify your choices.

(9 marks)

(Total for Question Three = 25 marks)

November 2006 7 P3

Question Four MNO is a UK based company that has delivered goods, invoiced at $1,800,000 US dollars to a customer in Singapore. Payment is due in three months’ time, that is, in February 2007. The finance director of MNO is concerned about the potential exchange risk resulting from the transaction and wishes to hedge the risk in either the futures or the options market. The current spot rate is $1·695/£. A three month futures contract is quoted at $1·690/£, and the contract size for $/£ futures contracts is £62,500. A three month put option is available at a price of $1·675.

Required: (a) Assuming that the spot rate and the futures rate turn out to be the same in

February 2007, indicating that there is no basis risk, identify the lowest cost way of hedging the exchange rate risk (using either futures or options) where the exchange rate at the time of payment is:

(i) $1·665/£ (ii) $1·720/£

Note: Your answer should show all the calculations used to reach your answer, including the extent (if any) of the uncovered risk.

(10 marks)

(b) Briefly discuss the problems of using futures contracts to hedge exchange rate risks.

(6 marks)

(c) Identify and explain the key reasons why small versus large companies may differ in terms of both the extent of foreign exchange and interest rate hedging that is undertaken, and the tools used by management for such purposes.

(9 marks)

(Total for Question Four = 25 marks)

P3 8 November 2006

Question Five

Required: Write a report advising the Board of Directors of a stock market listed company on:

• the key responsibilities of Board members in relation to ensuring the effectiveness of internal controls;

• the methods used to assess such effectiveness; and

• the regulations that govern the reporting to the stock market of the results of

internal control reviews.

An indicative mark allocation for the three points above are 5, 10 and 5 marks respectively.

(Total for Question Five = 25 marks)

(includes 5 marks for report format and style)

(Total for Section B = 50 marks)

End of question paper

Maths Tables and Formulae are on pages 9 to 12

November 2006 9 P3

P3 10 November 2006

PRESENT VALUE TABLE

Present value of $1, that is ( ) nr −+1 where r = interest rate; n = number of periods until payment or receipt.

Interest rates (r) Periods (n) 1% 2% 3% 4% 5% 6% 7% 8% 9% 10%

1 0.990 0.980 0.971 0.962 0.952 0.943 0.935 0.926 0.917 0.909 2 0.980 0.961 0.943 0.925 0.907 0.890 0.873 0.857 0.842 0.826 3 0.971 0.942 0.915 0.889 0.864 0.840 0.816 0.794 0.772 0.751 4 0.961 0.924 0.888 0.855 0.823 0.792 0.763 0.735 0.708 0.683 5 0.951 0.906 0.863 0.822 0.784 0.747 0.713 0.681 0.650 0.621 6 0.942 0.888 0.837 0.790 0.746 0705 0.666 0.630 0.596 0.564 7 0.933 0.871 0.813 0.760 0.711 0.665 0.623 0.583 0.547 0.513 8 0.923 0.853 0.789 0.731 0.677 0.627 0.582 0.540 0.502 0.467 9 0.914 0.837 0.766 0.703 0.645 0.592 0.544 0.500 0.460 0.424 10 0.905 0.820 0.744 0.676 0.614 0.558 0.508 0.463 0.422 0.386 11 0.896 0.804 0.722 0.650 0.585 0.527 0.475 0.429 0.388 0.350 12 0.887 0.788 0.701 0.625 0.557 0.497 0.444 0.397 0.356 0.319 13 0.879 0.773 0.681 0.601 0.530 0.469 0.415 0.368 0.326 0.290 14 0.870 0.758 0.661 0.577 0.505 0.442 0.388 0.340 0.299 0.263 15 0.861 0.743 0.642 0.555 0.481 0.417 0.362 0.315 0.275 0.239 16 0.853 0.728 0.623 0.534 0.458 0.394 0.339 0.292 0.252 0.218 17 0.844 0.714 0.605 0.513 0.436 0.371 0.317 0.270 0.231 0.198 18 0.836 0.700 0.587 0.494 0.416 0.350 0.296 0.250 0.212 0.180 19 0.828 0.686 0.570 0.475 0.396 0.331 0.277 0.232 0.194 0.164 20 0.820 0.673 0.554 0.456 0.377 0.312 0.258 0.215 0.178 0.149

Interest rates (r) Periods

(n) 11% 12% 13% 14% 15% 16% 17% 18% 19% 20% 1 0.901 0.893 0.885 0.877 0.870 0.862 0.855 0.847 0.840 0.833 2 0.812 0.797 0.783 0.769 0.756 0.743 0.731 0.718 0.706 0.694 3 0.731 0.712 0.693 0.675 0.658 0.641 0.624 0.609 0.593 0.579 4 0.659 0.636 0.613 0.592 0.572 0.552 0.534 0.516 0.499 0.482 5 0.593 0.567 0.543 0.519 0.497 0.476 0.456 0.437 0.419 0.402 6 0.535 0.507 0.480 0.456 0.432 0.410 0.390 0.370 0.352 0.335 7 0.482 0.452 0.425 0.400 0.376 0.354 0.333 0.314 0.296 0.279 8 0.434 0.404 0.376 0.351 0.327 0.305 0.285 0.266 0.249 0.233 9 0.391 0.361 0.333 0.308 0.284 0.263 0.243 0.225 0.209 0.194 10 0.352 0.322 0.295 0.270 0.247 0.227 0.208 0.191 0.176 0.162 11 0.317 0.287 0.261 0.237 0.215 0.195 0.178 0.162 0.148 0.135 12 0.286 0.257 0.231 0.208 0.187 0.168 0.152 0.137 0.124 0.112 13 0.258 0.229 0.204 0.182 0.163 0.145 0.130 0.116 0.104 0.093 14 0.232 0.205 0.181 0.160 0.141 0.125 0.111 0.099 0.088 0.078 15 0.209 0.183 0.160 0.140 0.123 0.108 0.095 0.084 0.079 0.065 16 0.188 0.163 0.141 0.123 0.107 0.093 0.081 0.071 0.062 0.054 17 0.170 0.146 0.125 0.108 0.093 0.080 0.069 0.060 0.052 0.045 18 0.153 0.130 0.111 0.095 0.081 0.069 0.059 0.051 0.044 0.038 19 0.138 0.116 0.098 0.083 0.070 0.060 0.051 0.043 0.037 0.031 20 0.124 0.104 0.087 0.073 0.061 0.051 0.043 0.037 0.031 0.026

November 2006 11 P3

Cumulative present value of $1 per annum, Receivable or Payable at the end of each year for n

years rr n−+− )(11

Interest rates (r) Periods

(n) 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 1 0.990 0.980 0.971 0.962 0.952 0.943 0.935 0.926 0.917 0.909 2 1.970 1.942 1.913 1.886 1.859 1.833 1.808 1.783 1.759 1.736 3 2.941 2.884 2.829 2.775 2.723 2.673 2.624 2.577 2.531 2.487 4 3.902 3.808 3.717 3.630 3.546 3.465 3.387 3.312 3.240 3.170 5 4.853 4.713 4.580 4.452 4.329 4.212 4.100 3.993 3.890 3.791 6 5.795 5.601 5.417 5.242 5.076 4.917 4.767 4.623 4.486 4.355 7 6.728 6.472 6.230 6.002 5.786 5.582 5.389 5.206 5.033 4.868 8 7.652 7.325 7.020 6.733 6.463 6.210 5.971 5.747 5.535 5.335 9 8.566 8.162 7.786 7.435 7.108 6.802 6.515 6.247 5.995 5.759 10 9.471 8.983 8.530 8.111 7.722 7.360 7.024 6.710 6.418 6.145 11 10.368 9.787 9.253 8.760 8.306 7.887 7.499 7.139 6.805 6.495 12 11.255 10.575 9.954 9.385 8.863 8.384 7.943 7.536 7.161 6.814 13 12.134 11.348 10.635 9.986 9.394 8.853 8.358 7.904 7.487 7.103 14 13.004 12.106 11.296 10.563 9.899 9.295 8.745 8.244 7.786 7.367 15 13.865 12.849 11.938 11.118 10.380 9.712 9.108 8.559 8.061 7.606 16 14.718 13.578 12.561 11.652 10.838 10.106 9.447 8.851 8.313 7.824 17 15.562 14.292 13.166 12.166 11.274 10.477 9.763 9.122 8.544 8.022 18 16.398 14.992 13.754 12.659 11.690 10.828 10.059 9.372 8.756 8.201 19 17.226 15.679 14.324 13.134 12.085 11.158 10.336 9.604 8.950 8.365 20 18.046 16.351 14.878 13.590 12.462 11.470 10.594 9.818 9.129 8.514

Interest rates (r) Periods

(n) 11% 12% 13% 14% 15% 16% 17% 18% 19% 20% 1 0.901 0.893 0.885 0.877 0.870 0.862 0.855 0.847 0.840 0.833 2 1.713 1.690 1.668 1.647 1.626 1.605 1.585 1.566 1.547 1.528 3 2.444 2.402 2.361 2.322 2.283 2.246 2.210 2.174 2.140 2.106 4 3.102 3.037 2.974 2.914 2.855 2.798 2.743 2.690 2.639 2.589 5 3.696 3.605 3.517 3.433 3.352 3.274 3.199 3.127 3.058 2.991 6 4.231 4.111 3.998 3.889 3.784 3.685 3.589 3.498 3.410 3.326 7 4.712 4.564 4.423 4.288 4.160 4.039 3.922 3.812 3.706 3.605 8 5.146 4.968 4.799 4.639 4.487 4.344 4.207 4.078 3.954 3.837 9 5.537 5.328 5.132 4.946 4.772 4.607 4.451 4.303 4.163 4.031 10 5.889 5.650 5.426 5.216 5.019 4.833 4.659 4.494 4.339 4.192 11 6.207 5.938 5.687 5.453 5.234 5.029 4.836 4.656 4.486 4.327 12 6.492 6.194 5.918 5.660 5.421 5.197 4.988 7.793 4.611 4.439 13 6.750 6.424 6.122 5.842 5.583 5.342 5.118 4.910 4.715 4.533 14 6.982 6.628 6.302 6.002 5.724 5.468 5.229 5.008 4.802 4.611 15 7.191 6.811 6.462 6.142 5.847 5.575 5.324 5.092 4.876 4.675 16 7.379 6.974 6.604 6.265 5.954 5.668 5.405 5.162 4.938 4.730 17 7.549 7.120 6.729 6.373 6.047 5.749 5.475 5.222 4.990 4.775 18 7.702 7.250 6.840 6.467 6.128 5.818 5.534 5.273 5.033 4.812 19 7.839 7.366 6.938 6.550 6.198 5.877 5.584 5.316 5.070 4.843 20 7.963 7.469 7.025 6.623 6.259 5.929 5.628 5.353 5.101 4.870

P3 12 November 2006

Formulae Annuity Present value of an annuity of £1 per annum receivable or payable for n years, commencing in one year, discounted at r% per annum:

PV =

+−

nrr ]1[111

Perpetuity Present value of £1 per annum, payable or receivable in perpetuity, commencing in one year, discounted at r% per annum:

PV = r1

Growing Perpetuity Present value of £1 per annum, receivable or payable, commencing in one year, growing in perpetuity at a constant rate of g% per annum, discounted at r% per annum:

PV = gr −

1

November 2006 13 P3

The Examiners for Management Accounting – Risk and Control Strategy offer to future candidates and to tutors using this booklet for study purposes, the

following background and guidance on the questions included in this examination paper.

Section A – Question One – Compulsory Question One is a manufacturing scenario and is designed to test the candidate’s ability to “look behind the numbers” in a capital investment proposal and to recognise that, despite the apparent accuracy implied by a net present value calculation, the assumptions leading to the estimates of future cash flows may be very questionable. The question requires no calculations, but is one where candidates are expected to interpret the numbers and to think about the risks in the capital investment process and the information system that produces the forecast cash flows. The question goes on to ask candidates to plan an internal audit of the capital investment process, based on the risks identified in response to the first part of the question. Finally, candidates are expected to recommend internal controls to improve the capital investment process, and to explain the benefits of those controls. The learning outcomes tested are mainly B (i) and B (v) in relation to risks and internal control, C (iii) for an internal audit plan, A (iv) in relation to control systems generally, and E (iv) which is specific to information systems. This is a good example of a scenario that cuts across four of the five syllabus areas.

Section B – answer two of four questions Question Two is a scenario of a distribution business implementing a strategic enterprise management (SEM) system. This is designed to test candidates’ ability to understand the role of internal audit and internal controls in the design, development and delivery of a new IT system and candidates are expected to make recommendations in relation to a project management structure to ensure that the design, development and delivery of the SEM is effective. The question also requires candidates to advise the audit committee about approaches to the audit of computer systems and the controls that are particularly relevant to an IT environment. The learning outcomes tested are mainly E (iv) and (v) in relation to improving the control and audit of information systems and C (iii) a plan for the audit. Question Three is a question about two US listed companies that have different structures, strategies and markets. The question is intended to test candidates’ understanding of how decisions about corporate strategy work to influence decisions on structure and marketing. All of these issues will in turn influence the design of performance management systems and risk exposure. Other elements of the question require consideration of the relative risks of centralisation versus de-centralisation of the treasury function, and recommendations of a range of financial and non financial controls suitable for managing the risks identified in the company scenarios. The learning outcomes being tested in this question are B (i) and (ii) in relation to risk identification and assessment, A (ii) which tests evaluation of controls, and C (v) on recommendations of actions to improve controls. Question Four tests understanding of the techniques available for managing foreign exchange risk via the use of either futures contracts or options. The questions tests both numerical and discursive knowledge of the topic, and also the factors that may influence a company’s decision to hedge foreign exchange risk, including company size. The syllabus topics being tested all fall within Part D of the syllabus, which covers management of financial risk. The learning outcomes being tested are (vi), requiring recommendation of currency risk management strategies, (iii) which requires evaluation of alternative risk management approaches and (ii) on identification and evaluation of alternative approaches to financial risk management. It is recognised that there is strong overlap between (ii) and (iii). Question Five provides candidates with a chance to display their knowledge of governance regulations in relation to board of director responsibilities regarding internal controls. The question covers responsibilities in the areas of ensuring control effectiveness, methods used to assess effectiveness and the reporting of internal control reviews to the stock market. The suggested solution is drafted from the perspective of a UK listed company, but other international contexts are acceptable. The question tests basic knowledge rather than the application of knowledge to a particular scenario. The learning outcomes being tested in this question are from Section C of the syllabus, namely C (i), which requires understanding of the importance of management review of controls, and C (vi) and C (vii) which cover the principles of good corporate governance for listed companies and the importance of ethical principles in reporting on internal reviews.

P3 14 November 2006

The Examiners’ Answers for Management Accounting – Risk and Control Strategy

The answers that follow are fuller and more comprehensive than would have been expected from a well-prepared candidate. They have been written in this way to aid teaching, study and revision for tutors and candidates alike.

SECTION A Answer to Question One Requirement (a) (i) The following risks should be identified in relation to the investment appraisal process:

• The Finance department appears to unquestioningly accept the forecasts produced by Market Research and Production, without testing their reasonableness. Value chain analysis and other less incremental processes may enable BLU to be more competitive;

• Historical information about standard costs of labour and materials used by the Finance

department may be inaccurate and assessments of price increases by Human Resources and Purchasing may also be inaccurate, especially over a 5-year time frame. This seems particularly so when variable costs seem to be calculated at 30% of sales and fixed costs do not change over the five years. Assessments of working capital requirements may also be inaccurate;

• The period for evaluating investments over five years is an artificial one which may lead

to inappropriate decisions being made. Examples that could be used here include the absence of operating cash flows after year 5 as these are unlikely to stop altogether; the absence of a provision for the cash flow for taxation for year 5 (paid in year 6); and the absence of any cash flow arising from the reduction in working capital at the end of the five year life;

• Fixed costs may in fact not be fixed and there is a possibility of productivity savings as a

result of the learning/experience curve effect;

• The discounted cash flow seems to be based on single point estimates rather than a range of possible outcomes, and no sensitivity analysis appears to be performed;

• The discounted cash flow method is only one method of assessing capital investment,

and no mention is made of accounting rate of return or payback methods;

• The cost of capital used in the calculation is 15%, a historical figure which may not equate to the current cost of capital for BLU. No internal rate of return calculation appears to be carried out. As the benchmark of 15% is known by managers, there will be a bias towards manipulating projected cash flows to exceed that figure if managers

November 2006 15 P3

desire the new investment. The cost of capital should reflect the riskiness of projects as a uniform discount rate may lead to incorrect decisions;

• The highest NPV is not a good guide to selecting from among competing proposals

where there are different capital investments or risks involved. There is no information about the alternative proposal for a new distribution system that would lead to an effective comparison;

• There is a risk of inappropriate, short term decisions as a result of focusing on financial

results alone, rather than on the causes of results which are less easily captured in a single NPV figure. The lack of any information on non-financial factors poses a potential risk for long-term survival;

• There is no evidence as to whether the cash forecast with the positive NPV actually

achieves BLU’s strategic objectives for growth in sales and after-tax profits. Strategic coherence and focus are important in providing a consistent message to customers and other stakeholders. Without this, there is a risk of the company becoming a portfolio of unrelated investments;

• Recognition needs to be given to the actual availability of funds at any specific point in

time. Capital rationing may lead to fund raising being inopportune as a result of temporary situations such as a high level of gearing or depressed share prices.

(ii) The following risks should be identified in relation to the information system:

• Accuracy of forecasts by Market Research about economic, industry and competitive factors (such as changes in economic conditions; changes in technology; impact of changed competitor activity). Estimates of market growth and market share may be inaccurate;

• Accuracy of forecasts by Sales based on largest customers (loss of customers; new

customers; bias in sales forecasts). Estimates of customer retention and new customers may be inaccurate. Reactions of existing or new competitors may have a significant influence on sales;

• In reconciling its own projections with those of the Sales department, the Market

Research department may not take proper account of differences between its own market forecasts and the forecasts of the Sales department. The final forecasts of market demand may be influenced by strategic goals, optimistic or pessimistic assessments of market conditions and optimistic or pessimistic assessments of sales growth by the Sales department;

• Accuracy of Production estimates of practical capacity (such as changed volumes;

product mix; and cycle times); • Capacity gap is the result of Market Research and Sales forecasts and Production

estimates of practical capacity, but this is likely to be influenced by a range of potential biases and subjective judgements. These biases are likely to be influenced by BLU’s strategic objectives and the management bonus scheme;

• The supplier and equipment selected by the Production department may not be the best

available. There is no evidence of any independent appraisal outside the Production department which might be biased towards particular suppliers or particular equipment.

P3 16 November 2006

Requirement (b) Risks in the capital investment process and the information system that informs that process have been identified (see solution to (a) above). A plan needs to be developed to assess the effectiveness of internal controls in relation to those risks. Initially, a survey needs to be carried out to scope the internal audit. This will involve the review of previous internal audit reports, changes in the business environment, the work of the consultants appointed by the audit committee, and the work of the external auditors. The issues relating to the information system and capital investment process should be discussed with managers in each of the functional areas as well as with the Board or audit committee. The internal audit plan will set out the terms of reference for the audit, a description of the system to be audited, the risks, the scope of work, a timeframe, the reporting and review procedure, the audit programme and techniques to be used and the audit staff who will be involved. Given a risk-based approach to internal auditing, the particular elements of the capital investment process that are likely to be highlighted in the audit plan are:

• Assess reliability of Market Research and Sales department forecasts of projected sales;

• Assess reliability of Production department forecasts of the ‘capacity gap’; • Review Production (or if the recommendation is adopted, Purchasing) department

process in relation to selection of suppliers and equipment; • Assess reliability of cash forecasts produced by Finance department; • Determine accuracy of cost of capital calculation; • Verify NPV and other calculations (ARR, payback, IRR) used in capital investment

proposals; • Evaluate proposals using sensitivity analysis and non-NPV techniques to determine

sensitivity to variations in cash forecasts; • Post-completion evaluation of past capital investments to see if projected cash flows

have been achieved. Requirement (c) There are significant weaknesses in the information system used to inform the capital investment process and a lack of adequate internal controls to avoid errors in forecasting. There are also weaknesses in the capital investment approval process. Particular internal controls that should be introduced are:

• Link investment appraisal with strategic planning process; • Independent appraisal of market forecasts to avoid the risk of bias. Maximum tenure

and succession planning for staff within the department may reduce bias;

• Sign off by managers in Sales department at each level in different geographic regions as to the achievability of sales forecasts to ensure estimates are realistic;

• Purchasing department should carry out a tender for new capital equipment, based on

specifications by Production. Three separate responses to the tender should be presented for comparative purposes. This will assure an independent judgement about the best equipment to be purchased;

• Zero-based or activity-based budgeting of standard costs for labour and materials

should be used, rather than reliance on historical costs, to avoid errors in past assumptions. Market research should also verify Human Resource and Purchasing

November 2006 17 P3

assessments of likely increases in labour and material costs, to provide independent judgement of likely changes;

• Each investment proposal should be supported by an explicit statement of the critical

assumptions on which it is based, for example volumes, selling prices, increased operating costs, working capital requirements, cost of capital, etc. The uncertainties involved in projects and any non-quantifiable factors should be made explicit;

• Finance department should test all forecasts for reasonableness and make a judgement

based on achievement (or otherwise) of past market and production forecasts. This will provide a counterbalance to unrealistic forecasts;

• The arbitrary five year period over which investments are evaluated should be changed

to a more realistic period, perhaps covering the expected life of the asset or the expected life of the product so that life cycle costs and revenues are compared and discounted to present values;

• The discounted cash flow should involve sensitivity analysis and the application of

probabilities against pessimistic and optimistic scenarios, enabling NPV (and other) calculations to take into account sensitivity to variations in projected cash flows. This enables the assessment of risk under different scenarios;

• Accounting rate of return and payback methods should supplement NPV calculations

and IRR or Cash Value Added (profitability index) should be used to compare capital investment proposals, with different risks being taken into account. This enables a broader assessment of risk and the optimum capital investment;

• Cost of capital to be re-calculated annually. Capital investment criteria should be less

visible to avoid manipulation of proposals. This will avoid the risk of bias in producing cash forecasts to satisfy the minimum criteria;

• Projections should be not only for the new capital investment but for the cumulative

position of BLU, to determine whether objectives for sales growth and growth in after-tax profits are being achieved. This will avoid the risk of capital investments appearing to be justified on an individual project basis, while the cumulative position is not achieving corporate objectives;

• Internal audit of the capital investment process, including post-implementation reviews,

which should follow a standard procedure. This will provide some independent assurance that the process is reliable, is being followed and has led to sound capital investment decisions in the past. It will also more likely ensure the accuracy of proposals and ensure that lessons are learned from past failures.

P3 18 November 2006

SECTION B Answer to Question Two Requirement (a) The Head of Internal Audit needs to ensure that the following actions are carried out in order to establish strong controls over the systems design and development process through an appropriate structure of project management. The main actions relating to the elements of project management affecting IT implementation are:

• Project planning and definition: STU has defined the project as a SEMS implementation over a period of three years;

• Obtaining management support for the project: the Board has approved the project,

stated its importance (growth in a competitive environment) and expects regular progress reports;

• Project organisation: A steering committee needs to be established and a project

manager needs to be appointed. The roles and responsibilities of each need to be defined. The steering committee reports to the Board to monitor systems implementation in comparison with the approved feasibility study and ensures that all deliverables are accepted within quality, time and cost constraints. It should comprise the Finance Director who is sponsoring the project; a project manager who is responsible for project delivery; specialist IT staff; user representatives from accounting and operational functions; and a representative of internal audit;

• Resource planning and allocation: Sufficient personnel and funds need to be made

available to implement the SEM system;

• Quality control and progress monitoring: systems development controls should be put in place to ensure the project meets user requirements and is delivered to time and budget constraints. Regular reports should be provided;

• Risk management: key risks affecting the project should be identified, a risk assessment

carried out in terms of likelihood and consequences and risks should be monitored throughout the project;

• Systems design and approval: an appropriate process such as the Systems

Development Life Cycle (SDLC) should be used, comprising a feasibility study, systems analysis, systems design, implementation and operation. As the feasibility study has been completed and approved by the Board, the objectives, deliverables, cost and timeframe are known. Systems analysis involves the specification for the system through a detailed analysis to build on the feasibility study. This will result in a full system specification. Systems design involves the detail of source data, input documents, screen layouts, file structures, report formats and so on and will also address data security issues;

• Cost/benefit appraisals should be undertaken for each alternative that arises during

design and development. This will help ensure that the best alternative is selected;

• System testing and implementation: this involves comprehensive testing by the developers, auditors and users. Prior to implementation, documentation must be reviewed, staff trained and issues of staffing and supervision must be addressed. Conversion of data will also take place from the legacy systems which must be removed from use after implementation is complete. Parallel running will ensure the new systems are effective prior to abandonment of old ones. User participation and involvement

November 2006 19 P3

should take place throughout the design phase and into testing before acceptance of the new system and its implementation;

• An external review by consultants or auditors may provide further evidence of the

design, development and delivery process being effectively managed. Requirement (b) (i) Approaches to auditing computer systems Distributed processing in remote sites connected through networks increases the risk of errors and omissions in transaction data entry, while the storage of critical business data in a single, centralised location increases the risk of loss or damage to the database. The first approach to audit entails reviewing computer security through checking the effectiveness of network controls, physical and logical access, and systems recovery procedures. It will also involve auditing maintenance, particularly the authorisation of any system modifications. This is then followed by testing the accuracy of data entry, processing and information produced by the system. Control self-assessment (CSA) enables managers to identify strengths and weaknesses for audit attention. Audit can be carried out through computer assisted audit techniques (CAATS). CAATS can be used to review system controls by test data processed through the SEM system which are then compared with expected results through manual processing of the same data, although this is time consuming and difficult with a real-time system. Embedded audit facilities permit continuous review by being built into the SEM software. This could be done through a false entity within the organisation to which test data is processed. Code comparison programs can also be used to identify differences between versions of programmes in use. Logical path analysis programs can produce a logic flowchart from a source program which can then be compared with standard documentation. CAATS can be used to review actual data through audit interrogation software which permits interrogation of computer files, and extraction of data from those files for calculation and statistical analysis. Audit interrogation software can also provide verification with management reports and can identify transactions that are unreasonable or fail to comply with system rules. Audit interrogation software may be resident; that is integrated with real-time systems by selecting and tagging items for later audit review. Integrated audit monitors allow certain accounts to be selected and designated for monitoring. (ii) Controls in an IT environment The following are the types of controls, together with examples of each, which could be introduced in relation to the SEM system:

• Personnel controls such as recruitment, training and supervision should be put in place to ensure competency of staff and the separation of duties;

• Physical controls over access to computer systems including physical access controls (for example swipe cards) and fire alarms and smoke detectors;

• Logical access controls through password authorisation; • Input controls to prevent and detect errors through transaction authorisation, data entry

screen design, online verification of codes and limits, reasonableness checks and authorisation of all adjustments;

• Processing controls to ensure transactions are all processed correctly through chart of accounts, control totals, balancing and so on;

• Output controls to ensure information is reliable and distributed to users through transaction lists, exception reporting, forms control, suspense accounts and distribution lists;

P3 20 November 2006

• Network controls to avoid viruses, hacking and so on through firewalls, data encryption, and anti-virus software;

• Business continuity or disaster recovery planning to recover from major disasters affecting hardware and/or software, through regular back-up of software and data, off-site storage of back-up, and recovery procedures in the event of system failure.

Examiners’ note: The following could also be identified by candidates in relation to either (i) or (ii)

Internal audit and systems design Internal audit can only accomplish ITS function by working closely with those responsible for systems development and testing. Internal audit will be represented on the steering committee to ensure that internal controls are adequate and system testing takes place with users to fully test the system before implementation. Internal audit needs to be involved during systems design to ensure that adequate data security and authorisation levels are built into the system. The role of internal audit will also be to ensure that the information in the system is accurate, complete and suitable for its intended purpose, both in terms of financial and non-financial information. Potential problems in data collection, input, processing and output should be identified and resolved, an adequate audit trail should be provided and the scope for fraud needs to be understood. System documentation should be reviewed and the internal auditor should ensure that all users have accepted the system design. Internal audit and systems development The main aspects of auditing systems development include ensuring that the project is headed by a senior operational manager who has responsibility for the design and who has a sound knowledge of IT in general and SEM systems in particular. At this stage, it appears that no such project manager has been identified. A project team then needs to be established. It is important that IT staff have adequate knowledge and experience of SEM systems and that appropriate external professional advice is available to support in-house IT expertise. During the systems development phase, alternative approaches to business problems need to be considered and the objectives of the system defined in the feasibility study are adhered to. It is important to check that project timescales are realistic and that the budget and staff allocated for the implementation are sufficient. Implementation progress should be monitored and there should be reporting to the Board (or audit committee) on progress, independent of the steering committee. Finally, internal audit should be involved in a post-completion audit of the implementation. Internal audit and systems delivery The implementation plan for the SEM system should include conversion of data from existing legacy systems and parallel running with the existing system until such time as reliance can be placed on the new system. Care needs to be exercised with data conversion as it has been recognised that legacy systems are incompatible with each other and supplementary PC-based data is held, making a single agreed source of historic data problematic. Users need to be satisfied with the new system and confident in it. This is particularly important given the business criticality of the new system, before legacy systems can be dispensed with. It is also important that confidence in the new system enables managers to dispense with the PC-based spreadsheets and databases that have supplemented the legacy systems, to ensure that the new data warehouse is the single point of reference for business information for decision-making. It may be that no historic data is converted due to a general lack of confidence in its reliability. Internal audit needs to sign off the system before implementation. This will involve assessing whether user requirements have been satisfied, the system functions as it should, it has been developed with adequate internal controls, it is auditable, any data conversion is complete and accurate, and the implementation plan is realistic.

November 2006 21 P3

Answer to Question Three Requirement (a) CIMA defines risk management as “the process of understanding and managing the risks that the organisation is inevitably subject to in attempting to achieve its corporate objectives”. This definition clearly emphasises the link between strategy and risk, and it is difficult to disentangle corporate structures from corporate strategy. Members of a Board of Directors may be risk takers or risk averse, but wherever they position themselves on the scale, they will be aware that taking risks offers both opportunities and dangers, and that there is a need to balance risks against returns. As a result, a company will tend to pursue strategies that reflect the internal attitude to risk, or the risk appetite of the senior management. The structure of an organisation can also impact upon risks. Company A is structured around subsidiaries that are geographically managed. This is common practice in a world where companies seek to “act global but think local” but the success of this approach will depend partly upon the performance management systems that are used to control local management. The choice of ROCE, residual income, profit centres, cost centres or investment centres will all lead to different forms of behaviour and yield different results. In other words, the choice of structure is inextricably linked to the associated need to design relevant internal control systems in order to manage the risks. Company B has chosen to become involved in a joint venture project that manages its global distribution. Intuitively, one might think that joint ventures would reduce risk, but they also have high failure rates because of cultural incompatibilities. In this case, therefore, where all of the global distribution is in the hands of the one joint venture, the company may actually have increased its risk in opting for this type of structure. In terms of market types and locations, Company A incurs relatively high risk insofar as its dependence on two key customers makes it vulnerable to any downturns in their fortunes or willingness to switch suppliers in a competitive market. This is in part a consequence of the fact that its sales are primarily business to business rather than end user, and reflects a choice about targeting specific market types/categories. There is no information about the product and so it is impossible to know if this high dependence on specific customers is because of bespoke manufacture that cannot readily be copied by others. As a general rule, however, risk increases as dependence on key customers increases, and the cash flow risks may be crippling. In contrast, Company B has a very broad customer base, but this carries a different risk in the form of potentially high costs per unit sale. Repeat sales to large business customers are relatively cheap to maintain, but sales to end users are commonly associated with a higher advertising spend that eats into the higher gross margin. Consequently, in choosing market types, a company must recognise the potential trade off between the lower cost of business to business sales and the resulting increased cash flow and credit risks. Additionally, there is a need to accept that market diversification may reduce some risks, but may also increase a company’s vulnerability to competition from specialist providers who focus on a specific market/customer type. The market locations of the two companies also carry different levels of risk. For Company A, the information implies that the bulk of its sales are within Europe, where the economic cycles will be similar but not identically matched to those of the USA, the domestic base of the company. Consequently, the geographic diversification of markets helps to reduce risk, although this may be offset by the increase in risk created by exchange rate movements. In contrast, almost all of Company B’s sales are in North America, including its key customer. Despite receiving its revenue in dollars, however, the company still incurs foreign exchange risks because the manufacturing and assembly work is undertaken in China. As the Chinese economy grows in strength, there is the risk that costs will rise, leading to reduced margins relative to the competition.

P3 22 November 2006

We can therefore conclude that when a company makes choices about its strategies, markets and organisational structure, all of these things have implications in terms of changing the level of net risk in the organisation. Requirement (b) A centralised treasury function may be deemed to reduce risk because it means that the work will be undertaken by specialists and the larger average transaction sizes should serve to reduce unit costs. In the case of A, however, there is no information given about whether the treasury is treated as a cost or a profit centre. Hence there is the potential for the staff at the centre to engage in speculative trading unless the correct internal controls are put in place. In addition, the concentration of activity in one location increases the scope for fraud, and risk can only be reduced by ensuring clear demarcation of duties and regular checking that transaction controls are working effectively. Centralisation also increases the scope for demotivation of staff at the local level, despite the fact that this was presumably one of the motivations for establishing separate subsidiaries. The decentralised approach to treasury management that is adopted by Company B serves to increase flexibility, so that local staff can react more quickly to the needs of a local subsidiary, but this benefit is countered by the increased risk of weak controls caused by the geographic distance from the centre. This risk can be managed via the introduction of good real time reporting and information systems, but it can never be entirely eliminated. Nonetheless the decentralisation acts to limit the size of the assets placed at risk. The decision to treat all treasury units as cost centres serves to limit the risks of decentralisation, but ignores the fact that small scale trades may be more expensive anyway from a group perspective. The choice of centralised versus decentralised, and cost centre versus profit centre will reflect the characteristics of the individual company and the need for flexibility and local control as well as the relative scale of operations according to geographic area. In addition, corporate culture may also play a part, because the level of decentralisation of management is partially dictated by national cultural traits (Hofstede). It is therefore not possible to identify an optimal structure for Treasury operations that will always serve to minimise company risks. Requirement (c)

Examiners’ note: This answer cannot be construed as being fully comprehensive, but merely a series of suggestions that are appropriate to the circumstances outlined in the question. Variations on the suggested answer may therefore be acceptable, and would be assessed on their individual merits.

Financial Controls For Company A, the obvious financial control to introduce is one that can be used to control speculative activity in the overseas subsidiaries. The CEO’s of these businesses are responsible for the full product range across their territory, and hence it is essential to ensure co-ordination of demand relative to supply for each of the separate product categories. This can be done by operating each company as a profit centre, which is required to purchase its products at centrally determined transfer prices. Managers can be given discretion over management of all local costs and selling prices but the transfer prices can be used to control demand in each geographic region. The dependence upon on-line sales by Company B may work to drive down margins if it is operating in a competitive market, and it would therefore make sense for the company to use a target net margin per customer as a tool of financial control. If run effectively, this would prevent hefty discounting, whilst retaining some degree of flexibility. Non-Financial Quantitative Company A’s dependence upon business to business sales may be seen as increasing its risks depending upon current market conditions, and so maintaining a balance of BtoB and end user

November 2006 23 P3

sales is important. This could be achieved by setting regular sales targets for the different market segments which are varied according to where sales growth is most needed. For Company B, a key value driver will be maintenance of a reliable distribution network that effectively meets the needs of large numbers of end customers scattered across North America. At the same time, controlling the number of separate deliveries will have an important impact on costs. Good route planning and delivery management will facilitate higher average load factors per delivery vehicle, and so the load factor per vehicle could be actively monitored as part of the internal control system. Non- Financial Qualitative In the business to business market on which Company A is dependent, repeat orders are central to success, and should therefore form an integral part of the performance management system. Control and monitoring of customer complaints and the installation of a system for assessing customer satisfaction levels is therefore important. Feedback from such systems should then be integrated into product design and production processes. In the case of Company B, where delivery is key to continuing market success, a useful qualitative non- financial control that could be introduced would be one linked to the quality of the delivery process that checks whether customers receive goods within the specified time frame laid down in the sales literature. This could be done via the establishment of a system of feedback from focus groups or “mystery shoppers” in relation to delivery efficiencies. High levels of customer satisfaction re delivery times can serve to increase the level of sales via personal recommendation, hence reducing marketing costs and raising profits. In both companies, levels of customer satisfaction are a key non- financial qualitative control, but in practice such qualitative judgement is commonly converted into numerical performance measures, albeit non-financial.

P3 24 November 2006

Answer to Question Four Requirement (a) (i)

Futures Hedging against the risk of sterling strengthening against the dollar is achieved by purchasing $/£ contracts. Number of contracts required is: 1,800,000 / (1·690 x 62,500) = 17·041 contracts As it is only possible to trade a full number of contracts, we assume that MNO will purchase 17 contracts, leaving a small element of the risk unhedged. 17 contracts will cover $1,795,625, leaving just $4,375 uncovered. Assuming that MNO closes out its position in February when the futures price equals $1·665/£, this will yield a dollar loss of: (1·690 – 1·665) x 62,500 x 17 = $26,562

When deducted from the invoice receipts of $1,800,000, the sum available for sale on the spot market at $1·665/£ equals $1,773,438, yielding sterling receipts of £1,065,043. This represents an effective exchange rate of 1,800,000/1,065,127 = $1·690 because the loss on the futures contract has exactly counteracted the gain on the spot rate. Options The cost of the option is $1·690 – 1·675 = $0·015 per pound If the option was exercised, MNO would receive $1,800,000/ $1·675 = £1,074,626 LESS THE COST OF THE OPTION Cost = 0.015 x $1,800,000 = $27,000/$1.675 = £16,119 The net sterling receipts would therefore be £1,074,626 – 16,119 = £1,058,507 In practice, MNO would let the option lapse, and sell the receipts on the spot market at the better rate of $1·665 yielding £1,081,081 before meeting the option cost which is payable even if it is unexercised. This would give net receipts of £1,064,962, just marginally below the sum received under the futures contract. Conclusion The receipts are higher when a futures contract is used and this is therefore, ceteris paribus, the preferred option.

November 2006 25 P3

Requirement (a) (ii)

Futures Using the same scenario in which MNO purchases 17 contracts at a rate of $1·690/£, and a closing out of position at the rate of $1·720/£, the company will make a profit of: 1·720 – 1·690 x 62,500 x 17 = $31,875 When added to the receipt of $1,800,000 and sold on the spot market, this will yield 1,831,875/1·720 = £1,065,043. This represents an effective exchange rate of 1,800,000/1,065,127 = $1·690 because the gain on the futures contract has exactly counteracted the loss on the spot rate. Options The cost of the option is $1·690 – 1·675 = $0·015 per pound The option would be exercised because it offers a better exchange rate than the spot rate of $1.720/£. On exercise, MNO would receive $1,800,000/ $1·675 = £1,074,626 LESS THE COST OF THE OPTION Cost = 0·015 x £1,074,626 = £16,119 The net sterling receipts would therefore be £1,074,626 – 16,119 = £1,058,507 Conclusion Hedging via the futures market is the best option, ceteris paribus.

Requirement (b) The use of futures contracts to hedge foreign exchange risk has a number of associated problems, which include the following:

• The fixed contract size makes it difficult to ensure a perfect hedge. For contract sizes of £62,500 as in the case of sterling dollar contracts, a sum of up to £31,250 may remain uncovered/overhedged and this may lead to substantive risks.

• The level of basis risk is difficult to forecast. This represents the difference between the

futures price and the spot price and as the gap increases, so does the risk of using futures for hedging.

• The expiry dates for futures contracts on the over the counter market are fixed, and

these may not match the delivery dates that suit the company wanting to hedge its risk.

• Not all currencies can be hedged via futures, and so the particular needs of the company may not be met.

• There are cash flow risks associated with futures contracts because as the price

changes daily, there is a requirement to make margin payments throughout the life of the contract. In cases where exchange rates are highly volatile, these margin payments may act as a significant cash flow drain on a company.

In practice it is therefore common for a company to use futures contracts as part of a “suite” of hedging instruments, and they are more common in businesses where the treasury function is centralised and so contract sizes are larger. Requirement (c) The most obvious reason why both the scale and type of hedging used by small versus large companies will differ is because of the average size of the overseas contracts or loans. External

P3 26 November 2006

hedging incurs costs, which are subject to some economies of scale. For example, large companies may find it easy to meet the contract sizes that are necessary to use the OTC market, whereas smaller businesses incur additional costs because of having to negotiate bespoke deals with their bank. Hedging costs erode margins, even if they also reduce risks and if the cost of hedging is disproportionately high, then it will not be undertaken. At the most basic level, therefore, small firms will tend to hedge less per £ of sales than the larger firms. A secondary explanation of differences is the simple fact that larger companies are, ceteris paribus, more likely to be involved in overseas trade than smaller ones. Theories of company development suggest that internationalisation tends to be small scale when it is accidentally triggered, but large scale when formally planned, although it then occurs later in the company life cycle. As a result, small firms are less exposed internationally and hence have less motivation to hedge their risks. Furthermore, many small businesses that do choose to sell into foreign markets only do so via intermediaries such as import:export agents, who take over the foreign exchange risks. In such cases, there is no requirement to hedge. Similar, but not identical, arguments can be applied to interest rate risk management. Many smaller companies are heavily dependent upon bank finance and other forms of borrowing during their early years of life, but the associated interest rate risks are commonly unhedged. This can be explained by a mix of both cost, as with foreign exchange rate hedging, and lack of knowledge. Many small firms are set up by entrepreneurs who have product or market knowledge, but lack financial expertise, and therefore do not know about the hedging methods such as caps/collars that are commonly deployed by larger firms. This limited knowledge also impacts upon the choice of hedging tools used by smaller firms. For example, forward contracts are relatively simple to understand and access, but futures contracts are both larger and more complex. In conclusion, therefore, both the extent and nature of hedging instruments utilised tends to reflect the company size.

November 2006 27 P3

Answer to Question Five

Examiner’s note: This answer assumes a UK listed company but an answer based on a non-UK context would be equally valid.

Report to Board of Directors Author: Management Accountant Subject: Directors’ Responsibilities re ensuring effectiveness of internal controls Terms of Reference For the purposes of this report the term internal control system is defined as including “all the policies and procedures adopted by the directors and management of an entity to assist in achieving their objectives of ensuring, as far as practicable, the orderly and efficient conduct of a business, including adherence to internal policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information”. (CIMA Official Terminology). The internal control system is deemed to comprise both a control environment and also control procedures, and its effectiveness is thus assessed in relation to both of these components. The role of the Board of Directors in relation to internal control is clearly specified within the Combined Code, and the guidance contained within this report is based upon that regulatory framework. Ensuring Effectiveness of Internal Controls Effectiveness is assessed in terms of the successful achievement of the objectives of internal control systems as specified in the terms of reference to this report. In order to ensure the orderly and efficient conduct of the business, safeguard assets and prevent and detect fraud/inaccuracies, it is essential that the Board of Directors considers and understands the risk profile of the business. This includes knowing both the sources and scale of key risks, awareness of the potential to reduce risk by careful design of a risk management system and knowledge of the cost of implementing risk controls. Within this context, it is the responsibility of the Board of Directors to reach agreement about the risk appetite of the business, because control effectiveness needs to be measured in terms of its ability to maintain risks within the desired boundaries. The Board of Directors is not required to be involved in the identification and specification of risks, as this is deemed to be a managerial responsibility. Similarly, the board members determine the policies that are required for control of risks, but are not involved in their day to day implementation. In other words, responsibility for risk identification, together with the detailed design and day to day operation of internal controls rests with management, but the Board of Directors has a responsibility to ensure that the system is working effectively. The responsibility for ensuring the effectiveness of internal controls is clearly specified in Provision C.2.1 of the Combined Code which states that: “the board should, at least annually, conduct a review of the effectiveness of the group’s system of internal controls”. The methods that may be used by the Board of Directors to review and assess the effectiveness of internal controls are the subject of the next section of this report. Methods used to assess effectiveness Under the terms of the Turnbull guidance that now forms part of the Combined Code, one of the elements of a sound system of internal control is its ability to ensure effective response to significant business, financial, compliance, operational and other risks. This is a broad ranging

P3 28 November 2006

requirement, but serves to provide some guidance to directors on how to assess effectiveness at a broad level. The distinction between the roles of the board and those of management in relation to internal control means that one of the simplest ways of ensuring effectiveness is via close scrutiny of management reports. Depending upon the aspect of control that is being appraised, reports may go to executive members of the board, or to the audit committee. Oversight of the internal audit process that is an integral part of the control system is undertaken by the audit committee, and hence reports on the risks identified by internal audit and their assessment of the effectiveness of risk controls are of major interest to the board. Ideally, therefore, discussion of the content of these reports should be a regular board agenda item. The Turnbull Guidance which is now incorporated into the Combined Code, includes a series of questions that boards may wish to consider when reviewing management reports and carrying out the annual assessment of internal control. The questions focus on four main elements of the control system – the process of risk assessment; control environment and control activities; information and communication of risk information, and monitoring of processes. The questions provide a useful checklist, a copy of which can be forwarded to you if required. In addition to the standard reports on control effectiveness, the board may wish to ask for regular updates on the controls relevant to the company’s key risk register. Key risks may change as conditions in the external environment change, and the board of directors needs to reassure themselves that any new risks are covered by the control system, and equally that money is not being spent on controlling risks that no longer exist. For larger companies, the use of internal benchmarking may be helpful as an effectiveness measure. This facilitates learning from best practice, so that weaker subsidiaries/areas of the business can raise the standards of their control procedures. Where company size precludes internal benchmarking, it is still possible to subscribe to anonymised benchmarking groups managed by the big audit firms and management consultancies. Specific internal controls can also be tested by simulation of a scenario, and the speed and impact of the response then assessed for effectiveness. For example, disaster risk can be managed in part via insurance and the installation of back up facilities, e.g. IT systems, but the mere existence of the back up does not make it effective, and tests can be done to see how long it takes to switch systems and maintain the daily flow of business. On the day of the London bombings in July 2005, many of the banks and financial service institutions immediately shut down and business was transferred to alternative locations. Such real life disasters act as very harsh tests of an internal control system, but they can also be simulated to ensure that when a problem strikes it does not devastate the business. All of the methods identified above provide internal assessments of control effectiveness, but there is always a risk of bias in this perspective, and the board of directors should therefore also consider employing independent external advisors to review the internal controls. Such external reviews can be relatively infrequent, but are useful in providing a more objective judgement that can stimulate change and redesign of both the control environment and procedures. They also have the benefit of bringing in new expertise that can provide detailed insights into practice in other companies. The last factor that needs to be taken into account in appraising an internal control system is that of cost. The elimination of all losses due to human error may be technically possible but is also likely to be prohibitively expensive, and the board of directors must decide on the balance between control failures versus expense that it considers tolerable. This judgement is closely linked to the establishment of the entity’s risk appetite, and risk averse entities may well spend more on internal controls than those that are more risk takers. In some cases, the relative cost versus benefit may also be very easy to specify. For example, a company may be required to reformat its accounts in compliance with local regulations, or face the risk of a fine for non compliance. If the cost of restating the accounts exceeds that of the fine, then the control system could ignore the non compliance and accept the cost of the fine, but the decision on whether or not to adopt this stance is one for the board of directors, not management.

November 2006 29 P3

Regulations on the reporting of effectiveness reviews Code C2 of the Combined Code requires that the Board of Directors not only undertakes an annual review of the effectiveness of the system of internal controls, but also reports to the shareholders that it has done so. This approach to regulation emphasises that responsibility for internal control rests with management and the board, and that shareholders must place their trust in them as guardians of their investments. There is no requirement to provide any detail about the findings of the directors’ review, merely to report that it has taken place. This means that, in the UK at least, there is little risk of the directors facing litigation because of their failure to ensure the effectiveness of controls. In reporting to the shareholders, it is helpful if the board does not simply state that it has undertaken a review, but also explains that there is an ongoing process for the review and control of risks within the company, and that systems are updated in response to changes in perceived risks. Additionally, it should be pointed out that internal controls are designed as tools for the management rather than total elimination of risks. Consequently the board can only provide reasonable but not absolute assurance against material misstatement or loss. Conclusion The number of high profile cases of company collapse due to control failures and/or fraud has served to focus attention on the importance of effective internal control systems. As a result, regulators around the world have chosen to either require or at least recommend a number of practices to raise the standard of control systems. Overall responsibility for effective control rests clearly with the Board of Directors, and this report has sought to explain in detail how those responsibilities may be exercised. The first requirement is for the board to offer clear guidance to management on the level of risk that it is willing to tolerate, and the areas where it sees risks as being most significant. Secondly, the effectiveness of the management’s control system must be regularly reviewed via the use of both internal and external reports and monitoring. Lastly, the Board of Directors has a duty to report to shareholders that it has an internal control system in place to manage risks, and that this system is the subject of an annual review. If you require any further detail or clarification of any of the issues discussed in this report, please do not hesitate to contact me.