performance strategy (2)
DESCRIPTION
performance strategyTRANSCRIPT
Performance strategy
Performance strategyLevel 6 ACPA_ACCEAChapter one Enterprise governance and riskEnterprise governance can be defined as: The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organization's resources are used responsibly.
OverviewEnterprise governance describes a framework covering both the corporate governance and business governance aspects of an organization.Enterprise governance constitutes the entire accountability framework of an organization. It has two dimensions: 1. Conformance or corporate governance. 2. Performance or business governance.
Application
Good corporate governance is important and it is critical that failures in this area are addressed properly. However, good corporate governance on its own cannot make an organization successful. There is a danger that insufficient attention is paid to the need for organizations to create wealth or stakeholder value. Strategy and performance are also important. The key message of enterprise governance is that an organization must balance the two dimensions of conformance and performance needs to ensure long-term success.
The conformance dimension
This tends to take a historic view and covers corporate governance issues such as: roles of the chairman and CEO the role and composition of the board of directors board committees controls assurance risk management for compliance. Codes and/or standards can generally address this dimension with compliance being subject to assurance and/or audit. There are established oversight mechanisms for the board to ensure that good corporate governance processes are effective. These might include committees composed mainly or wholly of independent non-executive directors, particularly the audit committee or its equivalent in countries where the two tier board system is the norm. Other committees are usually the nominations committee and the remuneration committee.
The performance dimension
This tends to take a forward looking view. The performance dimension centers on strategy and value creation. The focus is on helping the board to make strategic decisions, to understand its appetite for risk and its key performance drivers. This dimension does not lend itself easily to a regime of standards and audit. Instead, it is desirable to develop a range of best practice tools and techniques such as scorecards and strategic enterprise systems that can be applied intelligently within different types of organization. However, while it is true that strategy is the responsibility of the full board, there are no dedicated oversight mechanisms comparable to the audit committee. Remuneration and financial reporting are scrutinized by a specialist board committee of independent non-executive directors and referred back to the full board. In contrast, the crucial area of strategy does not receive the same dedicated attention. There is therefore an oversight gap in respect of strategy. One way of dealing with this would be to establish a strategy committee of similar status to the other board committees. However, this might put at risk the fundamental tenet that the board must take collective decisions on matters of strategy.
The CIMA Strategic Scorecard
The CIMA Strategic Scorecard was developed in response to the key findings that emerged from a project led by the International Federation of Accountants (IFAC) and CIMA to develop the framework of enterprise governance.CIMA Strategic Scorecard TM this is a tool for helping boards of any organization to engage effectively in the strategic process in spite of the numerous challenges in the way, such as compliance requirements, information overload and sheer lack of time.The uniqueness of the scorecard lies in the fact that it: Summarizes the key aspects of the environment in which an organization is operating to ensure that the board is aware of changing competitor, economic and other factors. Identifies the (key) strategic options that could have a material impact on the strategic direction of the organization and helps the board to determine which options will be developed further and implemented. Charts for the board the significant steps or milestones in relation to the chosen strategic plans to be achieved in the coming period and then tracks performance against these. Highlights the risks facing the board in its strategic endeavors and moves these into manageable opportunities or mitigation plans.The CIMA Strategic Scorecard in practiceThe CIMA Strategic Scorecard is shown below with its four dimensions.Strategic position Strategic optionsStrategic implementationStrategic risksThe scorecard is a pragmatic and flexible tool that is designed to help boards to fulfill their responsibilities to contribute to and oversee strategy effectively. It is important to emphasize that it remains the role of the management team to develop and propose the strategy it is not for the board to undertake the detailed strategic planning. The boards focus should be to challenge the strategy constructively, endorse it and monitor its implementation.It is also important to note that the implementation of the scorecard assumes that the organization has already determined its broad strategic direction and has a strategic plan in place. The scorecard represents a process for developing and moving this strategy forward in a dynamic way.
ObjectivesThe objectives of the scorecard are to: Assist the board, in particular the non-executive directors, in the oversight of an organization's strategic process. In effect, it gives the board the big picture. Provide an integrated and dynamic framework for dealing with strategy at board level that focuses on the major strategic issues facing the organization and ensures that the strategy is discussed at board level on a regular basis. Provide strategic information in a consistent and summarized format to help directors to obtain sufficient grasp of the material so that they can offer constructive, informed input. Assist the board in dealing with strategic choice and transformational change and the attendant risks. Provide assurance to the board in relation to the organization's strategic position and progress. Assist the board in identifying key points at which it needs to take decisions.DimensionsThe four dimensions of the scorecard are summarized below.1 Strategic positionThis focuses on information that is required to assess the organization's current and likely future position. It covers externally focused information such as economic and market developments and market share as well as internal issues such as competences and resources.The purpose of this dimension is to: Ensure that the board and executive management share a common understanding of the relevant facts on the strategic position. Provide assurance to the board that management is reviewing its strategic position appropriately. In particular, the board will wish to know that the management team is considering the right information at the right time. Provide the board with a summary of the analysis undertaken so that the board can review it, discuss its implications and challenge it in a constructive manner. This then helps management to refine its thinking on the strategic position.2 Strategic optionsHaving set the scene with relevant background and information, the focus of the scorecard shifts towards decision making. Strategic options can be defined as those options that have the greatest potential for creating or destroying stakeholder value.The purpose of this dimension is to: Provide assurance to the board that management is identifying, developing and analyzing a comprehensive range of strategic options available to the organization on a continuous basis. Provide the board with a summary of the options so that the board can discuss them constructively and decide which should be developed further into a formal business plan for a separate and more detailed board debate. During the course of the scorecard discussion, the board may identify other options that have not been considered or reframe the ones that have been presented, for example, by combining two options into one. In essence, what the board is doing is scoping out the options in broad terms. The purpose of the scorecard is to set out the landscape rather than consider each option in detail.3 Strategic implementationAt this point, the emphasis of the scorecard is to identify key milestones for the board and to monitor implementation of the agreed strategy. Decisions on appropriate action may be required if things are not proceeding as planned.
4 Strategic risksThis dimension underpins the others by focusing specifically on the major strategic risks that pose the greatest threat to the achievement of the organization's strategy as well as key issues such as the organization's risk appetite.How the CIMA Strategic Scorecard relates tothe balanced scorecardThe CIMA Strategic Scorecard and the balanced scorecard differ in the way that they are used at other levels of the organization. The CIMA Strategic Scorecard is primarily a high-level tool for use by boards and executive management in exercising strategic oversight. It can also be used by strategic business units (SBUs) or divisions of an organization. This contrasts with the balanced scorecard which is often cascaded to lower levels of the organization. Many organizations have prepared lower-level scorecards e.g. at business unit, department and even individual level. These scorecards are designed to be used as a management tool to support implementation of the organization's agreed strategy.Unlike the CIMA Strategic Scorecard, the balanced scorecard is not really designed to address strategic issues that confront the organization as a result of major external disruption such as market collapse, competitor activity or regulatory change. Nor does it help with strategic choices, for example, whether to undertake mergers and acquisitions.Despite these differences, there is a link between the two scorecards in that, as we have seen, the balanced scorecard can supplement the strategic implementation dimension of the CIMA Strategic Scorecard. This then provides a clear cycle from the strategic position through to options and then to implementation.What is risk ?The management of risk should have a strategic dimension. Risks facing an organization are those that affect the achievement of its overall objectives, which should be reflected in its strategic aims. Risk should be managed and there should be strategies for dealing with risk. Risk in business is the chance that future events or results may not be as expected. Risk is often thought of as purely bad (pure or 'downside' risk), but it must be considered that risk can also be good the results may be better than expected as well as worse (speculative or 'upside' risk). Businesses must be able to identify the principal sources of risk if they are to be able to assess and measure the risks that the organization faces.Risk is inherent in a situation whenever an outcome is not inevitable. Uncertainty, in contrast, arises from ignorance and a lack of information.
Risk Vs. Uncertainty
At this point it is important to distinguish between risk and uncertainty.Uncertainty: The lack of complete certainty, that is, the existence of more than one possibility. The "true outcome/state/result/value is not known.Risk: A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.Why incur risk ? To generate higher returns a business may have to take more risk in order to be competitive. Conversely, not accepting risk tends to make a business less dynamic, and implies a follow the leader strategy. Incurring risk also implies that the returns from different activities will be higher benefit being the return for accepting risk. Benefits can be financial decreased costs, or intangible better quality information. In both cases, these will lead to the business being able to gain competitive advantage.Types and sources of risk for business organizationsThis risk can be broken up into different types:Political risk- Risk due to political instability. Generally considered to be external to the business.Legal/litigation risk-Risk that litigation will be brought against the business.Regulatory risk- Risk of changes in regulation affecting the business.Compliance risk- Risk of noncompliance with the law resulting in fines/penalties, etc.Political, legal and regulatoryThese are the risks that businesses face because of the regulatory regime that they operate in. Some businesses may be subject to very strict regulations, for example companies that could cause pollution, but even companies that do not appear to be in a highly regulated industry have some regulatory risk. For example all companies are subject to the risk of employment legislation changing or customers bringing litigation.Business riskBusiness risk is the risk businesses face due to the nature of their operations and products. Some businesses for instance are reliant on a single product or small range of products, or they could be reliant on a smallkey group of staff. The risks can be considered in different categories:Strategic risk -Risk that business strategies (e.g. acquisitions/product launches) will fail.Product risk- Risk of failure of new product launches/loss of interest in existing products.Commodity price risk- Risk of a rise in commodity prices (e.g. oil).Product reputation risk- Risk of change in products reputation or image.Operational risk- Risk that business operations may be inefficient or business processes may fail.Contractual inadequacy risk- Risk that the terms of a contract do not fully cover a business against all potential outcomes.Fraud and employee malfeasance-Considered separately later.Economic riskThis is the risk that changes in the economy might affect the business. Those changes could be inflation, unemployment rates, international trade relations or fiscal policy decisions by government. Again, this risk is considered to be external to the business.Financial riskFinancial risk is a major risk that affects businesses and this risk is studied in much more depth in later chapters of this text. Financial risk is a risk of a change in a financial condition such as an exchange rate, interest rate, credit rating of a customer, or price of a good.The main types of financial risk are:Credit risk -Risk of nonpayment by customers.Political risk- Risk arising from actions taken by a government that affect financial aspects of the business.Currency risk-Risk of fluctuations in the exchange rateInterest rate risk-Risk that interest rates change.Gearing risk -Risk in the way a business is financed (debt vs. equity) (sometimes this is considered part of interest rate risk).Technology risk
Technology risk is the risk that technology changes will occur that either present new opportunities to businesses, or on the downside make their existing processes obsolete or inefficient.Environmental risk
Environmental risk is the risk that arises from changes in the environment such as climate change or natural disasters. Some businesses may perceive this risk to be low, but for others, for example insurance companies, it can be more significant. Insurance companies have to take environmental risks into account when deciding policy premiums, and unusual environmental circumstances can severely alter the results of insurance businesses.Corporate reputation risk
Reputation risk is for many organizations a downside risk as the better the reputation of the business the more risk there is of losing that reputation. A good reputation can be very quickly eroded if companies suffer adverse media comments or are perceived to be untrustworthy. This could arise from: environmental performance social performance health & safety performance.Fraud risk
Fraud risk (a type of operational business risk) is the vulnerability of an organization to fraud. Some businesses are more vulnerable than others to fraud and as a result have to have stronger controls over fraud. Fraud risk is a risk that is considered controllable by most businesses (see Chapter 6 for more details on fraud risk).Employee malfeasance risk
Malfeasance means doing wrong or committing an offence. Organizations might be exposed to risks of actions by employees that result in an offence or crime (other than fraud). This, like fraud risk, is a type of operational business risk.Risks in international operations
International businesses are subject to all the risks above but also have to consider extra risk factors, which could be due to the following:CultureLitigationCreditItems in transitFinancial risksChapter threeRisk managementRisk managementRisk management is defined as: the process of understanding and managing the risks that the organization is inevitably subject to in attempting to achieve its corporate objectivesAlso it can defined as the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the adverse effects of accidental losses on that organization at reasonable cost.The traditional view of risk management has been one of protecting the organization from loss through conformance procedures and hedging techniques this is about avoiding the downside risk. The new approach to risk management is about taking advantage of the opportunities to increase overall returns within a business benefiting from the upside risk.Enterprise Risk Management (ERM)Enterprise risk management is the term given to the alignment of risk management with business strategy and the embedding of a risk management culture into business operations.It has been defined as: 'A process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.'Also can be defined is a process for ensuring the effective identification, assessment, and management of all significant risks to an entity. This includes not only the traditional areas of hazard risk and financial risk, but also operational risk and strategic risk.Risk management has transformed from a department focused approach to a holistic, coordinated and integrated process which manages risk throughout the organization.ERM The GoalIn short, the goal of an enterprise-wide risk management initiative is to create, protect, and enhance shareholder value by managing the uncertainties that could influence achieving the organizations objectives.ERM framework and the COSO Cube of implementation and monitoring The ERM framework is geared to achieving your utilitys objectives, which in every organization centers in four main categories: Strategic- high-level goals, aligned with and supporting your overall mission Operations- effective and efficient use of resources Reporting- reliability of reporting Compliance- compliance with applicable laws and regulations Which leads us to what we call the COSO Cube. The Cube is the interaction of all of the components of ERM across the organizations financial and operational areas. The cube works like this: 1. Internal Environment - The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entitys people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. 2. Objective Setting - Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has a process in place to set objectives and that the chosen objectives support and align with the entitys mission and are consistent with its risk appetite. 3. Event Identification - Internal and external events affecting achievement of an entitys objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to managements strategy or objective setting processes. 4. Risk Assessment - Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed; Risks are assessed on an inherent and residual basis.
25. Risk Response - Management selects risk responses- avoiding, accepting, reducing, or sharing risk- developing a set of actions to align risks with the entitys risk tolerances and risk appetite. 6. Control Activities - Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. 7. Information and Communication - Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities; Effective communication also occurs in a broader sense, flowing down, across, and up the entity. 8. Monitoring - The entirety of enterprise risk management is monitored and modifications made as necessary; Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Benefits of effective ERM include enhanced decision making by integrating risks the resultant improvement in investor confidence, and hence shareholder value focus of management attention on the most significant risks a common language or risk management which is understood throughout the organization reduced cost of finance through effective management of risk.Risk management strategyFormulation of a risk strategyFor many businesses the specific formulation of a risk strategy has been a recent development. In the past a formal strategy for managing risks would not be made but rather it would be left to individual managers to make assessments of the risks the business faced and exercise judgment on what was a reasonable level of risk. This has now changed: failure to properly identify and control risks has been identified as a major cause of business failure (take Barings Bank as an example).2A framework for board consideration of risk is:Risk appetite can be defined as the amount of risk an organisation is willing to accept in pursuit of value. This may be explicit in strategies, polices and procedures, or it may be implicit. It is determined by: risk capacity the amount of risk that the organisation can bear, and risk attitude the overall approach to risk, in terms of the board being risk averse or risk seeking.Residual risk is the risk a business faces after its controls have been considered3The factors or business strategies, which could affect the risk appetite of the board of a company include:
Features of a risk management strategythe following key features of a risk management strategy were identified: Statement of the organisations attitude to risk the balance between risk and the need to achieve objectives. The risk appetite of the organisation. The objectives of the risk management strategy. Culture of the organisation in relation to risk (and the behaviour the organisation expects from individuals with regard to risktaking). Responsibilities of managers for the application of risk management strategy. Reference should be made to the risk management systems the company uses (i.e. its internal control systems). Performance criteria should be defined so that the effectiveness of risk management can be evaluated.An alternative risk management processAll organisations should develop a risk management strategy which will be set in the context of the organisations strategic objectives. STEP ONE Risk Assessment Identification Description risk evaluation Estimation
2STEP TWO Risk Reporting regarding the organisations policy for managing risk and its effectiveness. STEP THREE Risk Treatment (Risk Response) STEP FOUR Residual Risk Reporting and monitoring effectiveness of strategies and recommend changes as appropriate. Risk management cycleRisk management should be a proactive process that is an integral part of strategic management.Risk identificationSome techniques for identifying risk are: Brainstorming Event inventories and loss event data Interviews and self-assessment Facilitated workshops SWOT analysis Risk questionnaires and risk surveys Scenario analysis Using technology Other techniquesQuantification of risk exposuresSome quantitative techniques include:expected valuesVolatility value at risk (VaR)Expected valuesExpected value = prob Xwhere prob = probability, X = outcomeValue at riskThe VaR models provide an appreciation of an assets portfolio exposure degree to market risks i.e. to prices, interest rates, exchange rates, unfavorable fluctuations, etc.The VaR models assess the maximum potential loss resulting from an unfavorable price fluctuations for a given time horizon at a specific confidence level. Many banks measure the risk in their portfolio of assets using a Value at Risk (VaR) model. Statistical methods are used to calculate a standard deviation for the possible variations in the value of the total portfolio of assets over a specific period of time. Making an assumption that possible variations in total market value of the portfolio are normally distributed, it is then possible to predict at a given level of probability the maximum loss that the bank might suffer on its portfolio in the time period.A bank can try to control the risk in its asset portfolio by setting target maximum limits for value at risk over different time periods (one day, one week, one month, three months, and so on).Other methods of measuring or assessing the severity of an identified risk include: scenario planning computer simulations, e.g. Monte Carlo decision trees sensitivity analysis.2Value at risk evaluates the potential loss that may be incurred on a whole portfolio, over a set time frame and subject to a pre-determined confidence level. It is based on the normal distribution curve.A key assumption underlying the calculation of VaR is that possible changes from time to time in the value of the underlying asset or portfolio are independent of each other and follow a normal distribution with a mean of zero. Step one calculate the daily volatility, that is the daily standard deviation. You are given the standard deviation in the question BUT NB you may have to calculate it if you are given the standard deviation for a different period. (if weekly standard deviation is 5,000 then daily deviation = 5,000/5 = 2,236) Step two using statistical tables, determine the standard normal value (z) associated with the one-tail confidence level, X%. Step three multiply the result in step one with the result in step two to obtain the daily VaR. 3Example Yan expects to receive $1M in trading over the next two week. The actual value in $ will depend on changes in foreign exchange market conditions which may result in gains or losses. Possible gains or losses are normally distributed around a mean of 0 and a weekly standard deviation of S5,000. What is the daily VaR at 1%. Step one daily standard deviation = $5,000/5 = $2,236 Step two normal value associated with 99% confidence is 2.33 Step three daily value at risk = 2,236 X 2.33 = $5,210 Risk mappingA common qualitative way of assessing the significance of risk is to produce a risk map. The map identifies whether a risk will have a significant impact on the organisation and links that into the likelihood of the risk occurring. The approach can provide a framework for prioritising risks in the business. Risks with a significant impact and a high likelihood of occurrence need more urgent attention than risks with a low impact and low likelihood of occurrence.
2 Risks can be plotted on a diagram, as shown below
The Risk RegisterShould contain as much information as should be useful for monitoring purposes. Risk number (unique identifier) Risk category (benefits?) Description of risk Date risk identified Name of person who identified risk (responsibility) Likelihood Consequences (including a monetary value) Interdependencies with other risks
Risk response strategyA risk response strategy is determined for each risk that takes into account the organisations risk appetite, and a system of controls are put in place for reporting and management of risks. There needs to be a risk treatment or response strategy whereby risks are managed by alternative courses of action: stopping an activity, influencing either or both the likelihood or impact of the risk; sharing through techniques such as insurance; or the risk may be accepted.
One of the strategies for managing risk is internal control.Importance of risk managementThe importance of risk management is quite simply to identify and manage problems that could prevent an organization from achieving its objectives. Risk management improves the ability to respond to and mitigate risks that occur; it minimizes surprises; enables advantage to be taken of opportunities; maintains the organisations reputation; and helps the organization to be socially responsible and be seen as a good corporate citizen.
Purpose and Importance of Internal ControlInternal controls are the policies and procedures used by directors and managers to help ensure the effective and efficient conduct of the business; The safeguard of assets Regulatory compliance The prevention and detection of fraud and error The accuracy and completeness of accounting records The time preparation of reliable financial information
The importance of internal control is quite simply to manage problems that could prevent an organization from achieving its objectives.Risk Treatment (also called risk response)
Avoidance; Action is taken to exit the activities giving rise to risk. Changing or abandoning goals or objectives specifically associated with the risk in question, or choosing alternative approaches or processes that remove the risk. Reduction; Action is taken to mitigate (reduce) the risk likelihood or impact. This is often through internal controls. Sharing ;Action is taken to share a portion of the risk (outsourcing, joint ventures) Transfer; Action is taken to transfer a portion of the risk (insurance, hedging) Acceptance; No action is taken to affect the likelihood or impact Risk Reporting ; Concerned with regular reports to the Board and Stakeholders setting out the organisations policies in relation to risk and the importance of monitoring the effectiveness of those policies. Residual risk reporting involves a comparison of gross and net risk which enables a review of risk response effectiveness and possible alternative management options. Gross Risk the assessment of risk before the application of any controls, transfer or management responses Net Risk the assessment of risk, taking into account the application of any controls, transfer or management response to the risk under consideration.
Risk treatment (management) methodsThese methods will limit the risks, and the overall risk management strategy may define how the risks will be managed and the way these methods will interact.Avoid risk A company may decide that some activities are so risky that they should be avoided. This will always work but is impossible to apply to all risks in commercial organisations as risks have to be taken to make profits.
Transfer riskIn some circumstances, risk can be transferred wholly or in part to a third party. A common example of this is insurance. It does reduce/eliminate risks but premiums have to be paid.Pool risksRisks from many different transactions can be pooled together: each individual transaction/item has its potential upside and its downside. The risks tend to cancel each other out, and are lower for the pool as a whole than for each item individually. For example, it is common in large group structures for financial risk to be managed centrally.DiversificationDiversification is a similar concept to pooling but usually relates to different industries or countries. The idea is that the risk in one area can be reduced by investing in another area where the risks are different or ideally opposite. A correlation coefficient with a value close to 1 is essential if risk is to be nullified.Risk reductionEven if a company cannot totally eliminate its risks, it may reduce them to a more acceptable level by a form of internal control. The internal control would reduce either the likelihood of an adverse outcome occurring or the size of a potential loss. The costs of the control measures should justify the benefits from the reduced risk.Hedging risksHedging will be considered in detail when financial risk is examined The concept of hedging is of reducing risks by entering into transactions with opposite risk profiles to deliberately reduce the overall risks in a business operation or transaction.Risk sharingA company could reduce risk in a new business operation by sharing the risk with another party.This can be a motivation for entering into a joint ventureRisk reportingManagers of a business, and external stakeholders, will require information regarding the risks facing the business. A risk reporting system would Include:A systematic review of the risk forecast (at least annually). A review of the risk strategy and responses to significant risks. A monitoring and feedback loop on action taken and assessments of significant risks. A system indicating material change to business circumstances, to provide an early warning. The incorporation of audit work as part of the monitoring and information gathering process.Relationship of Risk Management with Internal Control Systems Risk management is an important precursor to internal control as it allows the internal controls to be focused on the most significant risks. Therefore risks are assessed and control activities are determined that relate to the assessed risks. The benefits of effective risk management include: the maintenance of profitability in the medium and longer term;
the avoidance of sudden losses if business continuity is impeded;
the avoidance of profit warnings and major exceptional items;
more cost-effective insurance cover and reduced premium cost;
greater degree of assurance that business continuity will be safeguarded in the event of a catastrophe;
continued customer satisfaction and the maintenance of the organisations reputation with customers, the public and investors. Risk management roles and responsbilitiesthe role and responsibilities of the audit committee should include: To monitor the integrity of the companys financial statements and any other formal statements relating to the companys financial performance To review the companys internal control and risk management systems (unless this responsibility is given to a separate risk committee or retained by the full board itself) To monitor and review the effectiveness of the companys internal audit function To make recommendations to the board about the appointment, re-appointment or removal of the audit firm as auditors of the company (for the board to make a recommendation to shareholders) Approve the remuneration and terms of engagement of the external auditors To review and monitor the independence and objectivity of the companys external auditors To review and monitor the effectiveness of the audit process
The audit committee reports to the board, and the board reaches decisions based on the recommendations of the audit committee. However, if the board and the audit committee disagree about a particular matter, the audit committee should have the right to report the disagreement to the shareholders.Chapter fourManagement Control systemInternal Control An internal control system comprises the policies and procedures that an organisation implements to achieve its objectives and is used by directors and managers to help ensure the effective and efficient conduct of the business; The safeguard of assets Regulatory compliance The prevention and detection of fraud and error The accuracy and completeness of accounting records
Control Environment Is the attitude, awareness and actions of directors and managers in relation to the importance of internal controls, including the organisations culture and values and the style of management.the control environment is the necessary background for internal control procedures to be developed and operate effectively. What is a Management Control System? Management control comprises the processes used by managers to ensure that organisational goals are achieved and procedures followed, and that the organisation responds to environmental change.
Components of Management Control Systems (MCS) All businesses can be thought of as a system, the main elements of an MCS are: Inputs Process Outputs Measurement Comparison to target Corrective action Management control can be considered in relation to both feedback (taking corrective action ex post) and feed forward (taking action ex ante) An organisation needs to identify whether it is going to fall short of any objective as soon as possible, so that it can do something about it in time.
Levels of Control (NB make sure you have lots of examples to illustrate the levels of control) Strategic
Management
Operational
Control Structures NB You may be asked to recommend a change of structure to improve control Functional
Divisionalised Cost centre Profit centre Investment centre
Matrix
Network Organisation theoryOrganisations are collectives of people who join together in common pursuit of shared goals. People form organisations because they are unable to achieve their goals as individuals without marshalling other resources (money, people, materials, etc.). Organisations have a high degree of structure or formalityOrganisations as systemsAn organisation is a social system, in which people combine together to carry out the purpose or purposes for which the organisation exists. Control keeps an organisation together and makes it function in a way that should enable the organisation to achieve its objectivesSystems theorySystems theory has been the foundation for much of the theory of management accounting control systems as well as non-financial performance measurement.Systems theory emphasises the importance of hierarchy in complex systems. Systems are composed of multiple sub-systems. For example, organisations are complex systems broken up into strategic business units, divisions, geographic areas, departments and teams. Subsystems may also exist for different aspects of business activity such as purchasing, production, distribution, administration.Systems and their characteristicsA system is a set of interacting components that operate together to accomplish a purpose.There are inputs to the process, a process that converts inputs to outputs and then the output of the process. All systems have the above characteristics of input, process and output, but also most systems have other characteristics as well.Open and closed systemsA closed system is a set of inter-related components that is separate from its environment. An example of a simple control system is the room thermostat which contains a number of components: A measurement device to detect the room temperature. A target temperature that has been pre-set as the comfortable level that is desired by the occupants. A mechanism by which the room temperature can be adjusted, either by cooling or heating to achieve the target temperature.Open systems are capable of self-regulation when they have more than one part and contain a programme. In simple terms, a programme is pre-determined information that guides subsequent behaviour. A programme exercises control through the processing of information and decision-making.definitionsSub systems: within a system there will usually be sub system.Closed system: these are systems that accept no input from the environment, are self-contained and cannot respond to change. These donot exist in businessOpen system: these are systems which accept inputs from their enviroment and provide output to the enviroment. They react to the enviroment.Objective: a system must have an objective to function correctly. The objective allows the system to be monitored or controlled.Control: all systems should be controlled if they are not to decay over time and start to fail to meet their objective. A system must be controlled to keep it stable or to allow it to change safely. Control dependent on receiving and processing information. Information in the form of feedback allows us to judge how well or badly a system is performingOrganisational controlAn organisation as a cybernetic system contains three levels:1. Target-setting level: Targets and performance standards are set in response to environmental demands and constraints, such as customer demand for products and services. The goals are sent to the operations level.2. Operations level: Where inputs (money, materials, labour, etc.) are converted into outputs (products and services).3. Control level: Which monitors the outputs and compares them with the targets and performance standards established at the target-setting level.Target-settingOrganisations establish targets in order to achieve their goals and objectives. These targets for a business organisation will typically be related to the achievement of shareholder value or a financial measure such as Economic Value Added (EVA), Return on Investment (ROI) or Return on Capital Employed (ROCE). These financial targets will usually be reflected in budgets and standard costs.Other targets may be set which are non-financial, such as market share, customer satisfaction, productivity. In addition, various performance standards may be established such as on-time delivery, product quality, employee morale, investment in research and development. Non-financial performance measures may be established and reflected in a measurement tool such as the Balanced Scorecard.OperationsThe operation of a business is concerned with converting inputs into outputs .Inputs are all the resources that go into the business: money; raw materials; labour; skills, technology and expertise; information; etc.Processes are the activities carried out to convert inputs into outputs. The aim of these processes is to add value to the inputs. These processes will vary as to whether an organisation is a service provider, retailer or manufacturer. The processes variously include purchasing, storage, materials handling, manufacturing, service delivery, information processing, distribution, etc.Outputs are the fi nished products or services that are sold and delivered to customers. The price charged to customers for the outputs must exceed the cost of the inputs and the cost of processing if the business is to make a profi t. The same principle applies to public sector and not-for-profi t organisations, the only difference is that the conversion process does not result in a profi t but in the expenditure of the least possible amount of money to achieve the best possible circumstances, an approach called value for money or best value.ControlControl may be carried out through: a system in which there is provision for corrective action applying either a feedback or feed forward process; or a system which includes no provision for corrective action, as no human action is involved.Feedback and feed-forward controlFeedback Can be negative or positive Based upon comparison of actual to budgeted performance Control would be closing the door after the horse has boltedFeed-forward Forecasting ahead and doing something now before the event occurs Closing the door before you can see the horse will bolt Cash budgets would be an example of thisOpen and closed loop control systemsIn an open loop control (double feedback loop) system, corrective action is not automatically taken. The output of the system is measured, however environmental factors will also be considered, along with internal feedback before any control action is taken.In a closed loop control (single feedback loop) system, the output is automatically compared to a pre-determined standard; any exceptions and control action will be automatically taken.System classification:Deterministic / mechanisitic; output can be accurately determined from inputProbabilistic: the output cannot be accurately predicted from the input, but it can be assessed with probability.Cybernetic: they are self orgainising and learn from their mistakes.Thermostatic : they are ones that reach a pre-set point and then act.2An example of a closed loop system is an inventory control system that enables management action such as the ordering of needed stock and the identification of surplus stock.An open loop example would provide inventory records which were not used for ordering. We typically refer to organisational controls in the context of closed loop systems.A control is a method of ensuring that targets are achieved and performance standards attained. Control as it is used in the context of a control system is the power of directing or restraining; a means of regulation; a standard or comparison for checking.Control of systemsA system must be controlled, to keep it stable or to allow it to change safely. Control is dependent on receiving and processing information. Without information, there is no way of judging how well or badly the system is performing, and so there is no basis on which to decide whether control action is necessary.
2Feedback control is defined as:'The measurement of differences between planned outputs and actual outputs achieved, and the modification of subsequent action and/or plans to achieve future required results. Feedback typically takes place through comparing actual with standard costs, and actual performance with budget. In non-fi nancial performance measurement, targets and actual performance are compared. In both cases, corrective action is taken after the event.'Feed forward control is defined as:'The forecasting of differences between actual and planned outcomes and the implementation of actions before the event to prevent such differences. Feed forward can take place during the budget process when forecasts prior to approval are reviewed as to whether they will contribute to organisational objectives.
3In order for feedback to work, a feedback loop must be established.In the a feedback loop:Outputs from a system are measured.Measured output is reported.Control infromation is fed back to a comparator.Control action is needed.( adjustments are made to the inputs to the system, in order to change future output.)Continual process. ( measuring output and providing feedback for comparison with plan.)Open loop systems are where there is scope within the control mechanism for outside involvement. Closed loop: are where the control action is automatic.Double loop feedback, also called secondary feedback , is the provision of feedback to a higher level in an organization, where the original plan can be reviewed and possibly changed.
4Negative feedback is feedback taken to reserve a deviation from standard. (this feedback can amend the input to the system).Positive feedback is feedback taken to reinforce a deviation from standard.(if positive feedback is taken then it is unlikely that action will alter the inputs or the standard level of performance.Definitions Positive feedback refers to a deviation from target that has a positive impact on the organisation, for example, a higher than expected income, which does not require corrective action, although it can lead to valuable learning so that it can be repeated.Negative feedback refers to a deviation from target that is detrimental to the organisation, with corrective action being required to meet the target, for example, an overspend on an expense budget.Double loop (or secondary) feedback indicates that it is the target that is incorrect rather than behaviour. Corrective action is to the plan, for example, where standard costs need to be adjusted to refl ect changes in purchasing prices or working methods.Control in organisationsTo begin, some defi nitions from CIMAs Offi cial Terminology are relevant here:Control is:The ability to direct the fi nancial and operating policies of an entity with a view to gaining economic benefi ts from its activities.Management control is:All of the processes used by managers to ensure that organisational goals are achieved and procedures adhered to, and that the organisation responds appropriately to changes in its environment.Control environment is:The overall attitude, awareness and actions of directors and management regarding internal controls and their importance to the entity [it] encompasses the management style, and corporate culture and values shared by all employees. It provides a background against which the various other controls are operated.Control procedures:Those policies and procedures in addition to the control environment which are established to achieve the entitys specifi c objectives.2There are some important aspects of control that can be derived from these definitions: Control is not limited to fi nancial control but extends to operational and other forms of control. Control is linked to goals and environmental change. Control is a set of procedures, but also a set of values or attitudes which need to be embedded in the culture of the organisation.Management control is defined as 'the process of guiding organisations into viable patterns of activity in a changing environment'. Management control systems are defined as 'the processes by which managers attempt to ensure that their organisation adapts successfully to its changing environment'.These definitions are both about adapting to changing environments and therefore management control systems must be a variety of open systems that change over time.If the control systems are to be successful, management must always be monitoring the way the system operates and how the system could be changed to improve its performance.
Control methodsDue to the need to adapt and change control systems, most companies use a variety of different control processes to ensure that the business achieves its objectives.The typical processes that could be used are:organisation structurecontracts of employment;Policies;discipline and reward systemperformance appraisal and feedback.Accounting controlsThis section overviews the main accounting controls and overviewsand critiques the main management accounting controls and evaluates lean accounting systems.Accounting controls
Accounting controls are important in all organisations. They include control over: Cash Debtors Inventory Investments and intangibles Non-current assets Creditors Loans Income and expensesManagement accounting control systemsA management accounting control system can be defined as an information system that helps managers to make planning and control decisions. All management accounting control systems differ as the circumstances of businesses always differ and the systems are designed to meet the needs of the business. It should always be borne in mind when recommending systems to companies that the unique features of the company are considered.Designing a management accounting control systemOutput requirements; The system must produce the output that the managers want. If a system does not provide the necessary information, managers will make poor decisions and will fail to control the business properly. The output should be linked to: the objectives of the control system it supports and the objectives of the organisation as a whole.Response required; The information must be presented to managers such that they can deal with it appropriately. For example, the information could be presented in an exception report which the managers know they have to act uponTiming of information; Information must be given to managers at the appropriate time for them to act on it. Some information will be presented daily, for example stock levels in retail stores so that managers can restock, or monthly, such as management accounts, or perhaps even on an ondemand basis, for example information about competitor actions.Sources of information; The data sources for the information must be defined so that the system can process the data into information.Processing; The actions that management are taking will define the information and therefore the processing that will be required for that information.Cost-benefit analysis; The system must provide the information to managers in a costeffective way. This means that the benefits of the information must exceed the costs of producing it.1Cash controls ensure that: Monies received by the organisation are banked Bank accounts exist and are properly safeguarded Bank accounts, especially foreign accounts, are properly authorised Signatories for bank accounts are authorised and suffi cient Payments are properly authorised Transfers between bank accounts are properly accounted for Adequate cash forecasting is carried out to ensure that commitments are recorded and overdraft limits are not exceeded.2Debtor controls ensure that: Invoicing of customers is properly recorded in debtor accounts Money collected from customers are properly recorded in debtor records Bad debts are written off and adequate provision is made for doubtful debts Debtor accounts are regularly reconciled Appropriate credit checking procedures are in place Collection activity is ongoing and effective Credit notes and write-offs are properly authorised Investigations take place in relation to all disputed amounts with customers Customers verify the balances on their accounts.3Inventory controls ensure that: Physical inventory is periodically checked by counting and compared with inventory records Inventory is valued in accordance with accounting principles Adequate procedures exist to record receipts of stock from suppliers and issue of stock to production/distribution Inventory is stored adequately to avoid loss and secured from theft and damage and that insurance cover is adequate Inventory is usable; obsolete, excess or damaged stock is identified for provisions and that authorisation is given prior to disposal of stock Adequate procedures exist to record stock in transit.4Investment controls ensure that: There is physical evidence of ownership of investments and that this evidence is held in safe custody Periodic reviews are carried out of all investments to determine whether they should be retained or disposed of Investments are valued in accordance with accounting standards Acquisitions and disposals are properly authorised Income from investments is properly accounted for Charges for amortisation are appropriate and consistent with accounting standards.5Non-current asset controls ensure that: Assets are recorded in an Assets Register Assets are periodically checked to ensure they exist Acquisitions and disposals are properly authorised Assets are secured as far as possible against theft, damage or misuse and appropriate insurance cover exists Assets are depreciated over reasonable periods of time and assets are valued in accordance with accounting standards Assets that are obsolete, worn out or damaged are identified for appropriate accounting treatment.6Creditors controls ensure that: Purchases are properly authorised Receipts of goods and services are in accordance with the purchase order Invoices received from suppliers are checked against the receipt of goods or services, the price and the invoice calculations Adequate documentation exists to support all invoices and invoices are authorised Invoices are properly recorded in creditor accounts Payments to suppliers are authorised and properly recorded in creditor accounts Creditor accounts are periodically reconciled Investigations take place in relation to all disputed amounts with suppliers.7Loan controls ensure that: Amounts owed are properly recorded Loans are properly authorised Interest obligations are satisfi ed Loan provisions are being met.8Income and expense controls ensure that: Sales of goods and services are properly documented (invoice, cash receipt, etc.) immediately after the transaction occurs Costs are properly recorded and classifi ed (e.g. expense, inventory, fi xed asset, etc.) Income and expenses are matched and relate to the appropriate accounting period and accrual and prepayments, etc. are properly recorded to adjust between periods Expenses are properly authorised. Specifi c controls may exist in relation to certain expenses, such as: Payroll Personnel-related expenses.9Payroll controls Employees have been properly recruited in accordance with Personnel/Human Resource policies, with adequate pre-employment checks being carried out New employees have been authorised by the appropriate department manager and the Personnel/Human Resource department Rates of pay are in accordance with Personnel/Human Resource policies Time worked is properly recorded Annual leave, sick or maternity leave, overtime, etc. are properly authorised Employees who terminate employment are removed from the payroll All employees on the payroll exist (payroll ghosts are a common method of fraud) Payroll calculations are checked for calculation errors and unusually high (or low) payments before payment is made Payroll deductions are all properly authorised by employees Employee benefi ts (e.g. health fund) are properly authorised.
10Personnel-related expensesMany personnel incur expenses as part of their employment. These expenses include, but are not limited to: Use of motor vehicle (capital cost, often by lease payment; mileage; fuel; maintenance; accident damage; fi nes; etc.) Mobile telephone Offi ce telephone, fax, email, Internet use Travel and accommodation Entertainment.Such expenses may be paid personally by employees and then reimbursed by the organisation, or may be charged to the company by purchase order or by corporate credit card.All such expenses must be: Documented Authorised Necessary for business purposes Not private expenditure which the employee seeks to have paid for by the organisation.Contingency theroy (no one best fit)
Alternative Perspectives
NB Understanding different perspectives will enable you to look at a business problem from many different points of view and take a more complete view to problem solving economic rational national & non-rational interpretive/socially constructed radical /critical pluralist There are other theoretical frameworks that provide a different view of the role of management control systems, examples include: Agency theory emphasises shareholder value Contingency theory is concerned with environmental fit Cultural theory emphasies organisations as a social system, relies less on formal controls and more on developing a set of beliefs and norms to guide behaviour Institutional theory is concerned with a broader stakeholder environment.
Management accounting control system Organizational structure = gool congruenceBehavioural implicationsLong term V short termDysfunctional behaviourDemotivationalPerformance targetsCSF/KPIBudget padding/slackFinancial V non-financialResponsibility accounting = controllable V uncontrollable
Performance target setting
One factor within any discussion of control systems is that there must be some standards of performance if the system is to operate successfully. The standards of performance allow the feedback loops discussed earlier towork. An effective control system must incorporate a feedback loop such as: performance target (standard) set actual result recorded compared with target control action taken (if required). If managers are to be controlled successfully then the standards set must be sufficiently varied to ensure that the manager works in the best interests of the company. The standards set can be: Financial: These would be based on information supplied by the management accounting system and are often financial ratios, but they have the problem of being historic looking and short term. Nonfinancial: These are measures that consider other factors such as customer perception, research and development, production efficiency or staff satisfaction. These measures are very important to help managers focus on long term future performanceDYSFUNCTIONAL BEHAVIOUR Tunnel vision the emphasis on Quantifiable data at the expensive of qualitative data
Sub-optimisation the pursuit of narrow local objectives at the expense of broader organisational-wide ones
Myopia the short-term focus on performance may have longer term consequences
Measure fixation an emphasis on measures rather than the underlying objective
Misrepresentation the way in which the performance measure is explained
NON-FINANCIAL QUALITATIVE CONTROLS These controls influence behaviour by requiring certain policies and procedures or standard instructions to be implemented in order to ensure that behaviour is legally correct, co-ordinated and consistent throughout the organisation. Culture Physical controls Organisational structure and chain of command the form of structure that is adopted will determine the type of control exercised over operational management o Project management - post implementation reviews Authorisation procedures Authorisation of expenses Staff control policies and procedures Contracts of employment Performances appraisal Control of the board o Composition of the board Chairman & chief executive Executive & non executive directors Board appointments nominations committee Framework for board meetings Purpose Agenda Control Action Frequency of board meetings Regular review
Behavioural implications of management accounting controlsystemsWhen structuring the control system, companies must take account of the behavioural aspects of setting performance targets and standards. The possible consequences might be:Short-termism. If a manager's performance and reward structure focuses on short-term profits the manager will make short-term decisions. Demonization could occur if unachievable targets are set, or alternatively managers will make no attempt to achieve the target and will ignore it. Managers focusing only on their part of the business, ignoring the whole of the business. The desire to build 'padding' into budgets and to manipulate results to achieve targets set.Traditional management accounting systemsThe traditional management accounting systems that have been employed by businesses have included techniques such as:Standard costing, budgeting and variance analysis. Overhead allocation: labour hour and machine hour costing systems. Capital investment appraisal (such as NPV, IRR, ARR). Transfer pricing. Rewards and appraisal based o financial/management accounts.
Criticisms of traditional management accounting systems.Despite their continuing popularity in many businesses, all these methods have been criticised for a number of reasons:Systems are often too formal. They produce routine preset information whereas managers require more ondemand adaptable information. Some assumptions they make are questionable, for example treating labour costs as a variable cost when in the shortterm they are really a fixed cost. The systems are very cumbersome (for example, budgets are timeconsuming) and produce information of little value. Traditional systems view many costs as production costs, when in reality they are overhead costs of businesses. The systems may not take account of the business strategy. They tend to focus on low cost, hence not assisting a business that wants to differentiate itself and produce very high quality.Modern manufacturing methodsThe concept of being competitive in industry has changed significantly in recent years, the accepted truths of efficiency have been changed fundamentally due to a number of factors. As a result of the change in the manufacturing environment the type of information and control systems that must be employed by the organisation have altered.Traditional manufacturing Modern manufacturing standardisation of product globalisation long production runs competition 'acceptable' level of quality JIT and TQM slow product development 'intelligent machines'Just-in-time (JIT)This is a technique for the organisation of work flows, to allow rapid, high quality, flexible production whilst minimising manufacturing waste and stock levels. It was originally considered as a stock control system, but it is rather more involved than this. The JIT system can be applied to both production and purchasing.Total Quality Management (TQM)TQM is a business philosophy aimed at:minimizing errors (ideally to zero) as the cost of getting things right first time is always less than the costs of correction and maximizing customer satisfaction such that every customer's expectations are met or exceeded.To achieve this philosophy a TQM firm should have an appropriately installed quality culture and very good systems that are documented and adhered to by all staff.Modern management accounting techniquesThe new manufacturing methods such as JIT and TQM have required questioning traditional techniques such as variance analysis. New management accounting techniques have been introduced as a result.JIT and TQM environments Throughput accounting Backflush accounting Costs of quality Nonfinancial performance indicatorsLarge overhead costs Activity based costing (ABC) Activity based budgeting (ABB)Focus on longerterm strategic issues Nonfinancial performance indicators Balanced scorecard Strategic management accounting (SMA)It is essential to remember that there is no unique ideal management accounting control system and the most suitable accounting system varies according to circumstances.Nonfinancialperformance indicatorsIn order to achieve the aims of JIT and TQM, managers have had to look at nonfinancial performance measures as well as financial ones. For example, TQM does not accept wastage and failures in production and therefore there need to be performance measures ensuring that wastage is monitored. These might be: Wastage rates. Rectification rates. In a JIT environment it will be necessary to monitor lead times and quality of input so that the raw materials can be ordered in the right quantity and at the right time. Nonfinancial measures are also often associated with forward thinking organisations. They can tell managers of problems that might occur in the future for example, high numbers of defective products indicate higher rectification costs, and possibly a loss of customer satisfaction.Balanced scorecard
This is a popular method used by businesses to assess both financial and nonfinancial performance.Financial perspective Return on investmentEconomic value added (EVA)Profit targetOperating cash flow targetCost reduction targetProfit targetCustomer perspective Target for new customersTarget for retention of existing customers orrepeat ordersPercentage of orders met within X daysPercentage of orders delivered on timeMarket share targetTarget for customer satisfaction (quantifiable measure of satisfaction)Internal business perspectivePercentage of tenders accepted by customersPercentage of items produced that have to be reworkedProduction cycle timeInnovation and learning perspectiveNumber of new products launchedTarget for employee productivityPercentage of total revenue coming from new productsRevenue per employeeTime from identifying a new product idea to market launchStrategic management accounting (SMA)'The preparation and presentation of information for decisionmaking laying particular stress on external factors. SMA is linked with business strategy and maintaining or increasing competitive advantage. The achievement of objectives requires the 'linking' of strategic planning to shortterm operational planning. Lord (1996) characterised SMA as: Collection of competitor information (such as pricing, costs and volume). Exploitation of cost reduction opportunities (a focus on continuous improvement and nonfinancial performance measures). Matching the accounting emphasis with the firm's strategic position.
Lean organisations and lean accountingLean manufacturing is a philosophy of management based on cutting out waste and unnecessary activities. Organisations can become lean and mean if they can get rid of their unnecessary fat. Two elements in lean manufacturing are JIT and TQM.Lean management accountingProvides information to control and improve the value stream (focus on value streams rather than traditional departmental structures). Provides information for performance measurement and cost reporting purposes (nonfinancial measures, continuous improvement and techniques such as target and lifecycle costing). Provides relevant cost information for financial reporting purposes (only that which is required, eliminating no value added information (via implementing techniques such as back flush accounting)). Ensures that management are provided with statements that are: instantly accessible through an IT system, and simple to read.chapter5Internal controlInternal control systemsIn order to manage their risks, businesses need to set up internal control systems. These internal controls apply across all parts and activities of a businessDefinition;There are a number of different definitions of internal control systems, but all have similar features. One definition is:'The whole system of controls, financial and otherwise, established by the management in order to carry out the business of the enterprise in an orderly and efficient manner, ensure adherence to management policies, safeguard the assets, prevent and detect fraud and error and secure as far as possible the completeness and accuracy of the records. The individual components of an internal control system are known as controls or internal controls.'An internal control system can be thought of as a system for management to control certain risks and therefore help businesses achieve their objectives.Internal controlInternal control is the whole system of financial and other controls established to provide reasonable assurance of effective and efficient operation; internal financial control; and compliance with regulation. Internal controls include accounting controls (e.g. budgets) but include quantitative controls (non-financial controls such as measures of quality) as well as qualitative (e.g. personnel) controls. Control encompasses all of the processes used by managers to ensure that organizational goals are achieved and procedures adhered to, and that the organization responds appropriately to changes in its environment. Controls are put in place in response to identified risks in order to reduce the likelihood or impact of risk.Internal controls and risk management Internal controls can be considered as part of the risk reduction method of responding to risk (see chapter 3). The need for a robust system of internal control and risk management is seen as a major element of good corporate governance.
Features of internal control systemsIn 1992 COSO (Committee of Sponsoring Organisations) stated that effective internal control systems consist of five integrated elements.Control environmentThe control environment can be thought of as management's attitude, actions and awareness of the need for internal controls.If senior management do not care about internal controls and feel that it is not worthwhile introducing internal controls then the control system will be weak.Management can try to summarise their commitment to controls in a number of ways:When auditors assess the control systems of business for the audit, if the environment is poor they will place no reliance on any detailed control procedures. Behave with integrity and ethics (corporate governance will be considered in the next session). Maintain an appropriate culture in the organisation. Set up a good structure for example an independent internal audit function, and have segregation of duties. Set proper authorisation limits. Employ appropriately qualified staff and conduct staff training.
Risk assessmentRisk assessment (as discussed in chapter 3) feeds directly into the internal control system. A risk assessment must be performed and should identify:Controllable risks for these risks internal control procedures can be established. Uncontrollable risks for these risks the company may be able to minimise the risk in other ways outside the internal control environment. Uncontrollable risks could be risks that are caused by the external environment that the company operates in. For example, the best internal control processes in the world cannot reduce the risk of inflation or the economy going into recession.Control activitiesOnce controllable risks have been identified, actual specific control activities can be undertaken to reduce those risks. There is a huge variety of control activities that companies can adopt at all levels of management and in all parts of the organisation.Information and communicationIn order for managers to operate the internal controls, they need information and therefore a good information system must be set up. The information provided to managers must be:Timely. Accurate (and therefore reliable). Understandable. Relevant to the actions being taken.Computer systems have led to increased quality of information being provided to managers but the systems must be integrated into the business strategies if they are to provide what managers need.Information systems and information management are a specific part of this syllabus because they are so important to the successful running and control of business.2MonitoringThe company may have produced a very good internal control system but it must be monitored. If the system is not monitored it will be very difficult to assess whether it is out of control and needs amendment. Internal control systems are also dynamic in that they need to evolve over time as the business evolves.The internal audit function is often the key monitor of the internal control system. Internal auditors will examine the controls and control system, identify where controls have failed so that the failures can be rectified, and also make recommendations to management for new and improved systemsRisk management strategyArisk management framework needs to be established in every organisation, reflecting its policy and guidelines in relation to identifying, assessing, evaluating, treating and reporting risk. Particular roles and responsibilities need to be established with clear responsibilities assigned to: The Board, or its audit committee , A risk management group , The chief risk officer , Internal audit , External audit, Line managers and Employees, through the organisations culture2Every organisation should develop a risk management strategy that encompasses: the risk appetite and tolerance of the organisation, that is the level of risk it finds acceptable; the risk assessment and evaluation processes the organisation practises; its preferred options for risk treatment; who is responsible in the organisation for risk management; and how reporting and monitoring processes will take place.Effective risk management requires management commitment; integration with the strategic planning process; the use of a consistent language and framework; acceptance of risk management as a continuous and evolving process; organisation-wide ownership with a supportive culture; that risk management be embedded in organisational processes.Internal controlAn internal control system includes all the policies and procedures (internal controls) adopted by the directors and management of an entity to assist in achieving their objectives of ensuring, as far as practicable, the orderly and efficiently conducting a business, including adherence to internal policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial informationAn internal control system comprises the control environment and control procedures. The control environment is the overall attitude, awareness and actions of directors and management regarding internal controls and their importance to the entity . . . [it] encompasses the management style, and corporate culture and values shared by all employees. The control environment provides the context for the whole set of control procedures.The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes: integrity and ethical values, managements philosophy and operating style, organisational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel2There are some important aspects of control that can be derived from these definitions: Control is not limited to financial control but extends to operational and other forms of control; Control is linked to organisational goals and environmental change; Control is not only a set of procedures, but also a set of values or attitudes which need to be embedded in the culture of the organisation.
COSO model of internal controlCOSOs Enterprise Risk Management Integrated Framework (Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2004) states that internal control is an integral part of enterprise risk management. This is described in COSOs Internal Control Integrated Framework (Committee of Sponsoring Organizations of the Treadway Commission (COSO), 1992) which is encompassed within the ERM framework.The COSO internal control framework contains five elements: Control environment (see above). Risk assessment: identifies the risks of failing to meet objectives in relation to financial reporting, compliance and operational objectives. Control activities: the policies and procedures that help ensure management directives are carried out and objectives are achieved. These include both accounting and non-accounting controls. Monitoring: the need for management to monitor the entire control system through specific evaluations. Information and communication: capturing relevant internal and external information about competition, economic and regulatory matters and the potential of strategic and integrated information systems.Financial controlsThere are various accounting methods by which control is exercised. The main ones which will be covered here are: Financial ratios Budgets Budgetary reporting (variance analysis) Capital investment appraisal.Financial ratios are calculated by dividing one figure by another, with the source of the figures being information presented in Income Statements and Balance Sheets. Ratios are interpreted by reference to their (improving or worsening trend) and by benchmark comparisons to similar organisations and industry averages. Ratios exist for profitability, liquidity (cash flow), gearing (borrowing), asset efficiency, and there are also shareholder-based ratios. Targets are usually set and monitored by the Board and senior management for the financial performance needed to maintain shareholder value and the confidence of capital markets which is reflected in the share price. By monitoring ratios, the Board exercises control over financial performance.2Whilst ratios consider historical performance, budgets are concerned with expectedfuture performance. Budgets provide: a forecast of future events, a short-term picture of the desired financial results resulting from the chosen strategy, a motivational target to which managers are expected to strive; and a standard for business unit and management performance which is then evaluated. Budgets provide a control mechanism through both the feed forward and feedback loops. In feed forward terms, budgets can be reviewed in advance, to ensure that they are consistent with organisational goals and strategy. If they do not contribute to goals, changes can be made to the budget before it is approved. Using feedback, variations between the budget and actual performance can be investigated and monitored and corrective action can be taken for future time periods.Non-financial controlsThere are many kinds of non-financial controls that rely on measurement, including: Performance measurement through key performance indicators; Quality systems: measuring and monitoring errors and wastage; Project management: establishing detailed plans with budgets, timeframes and quality expectationsQualitative controlsThere is also a wide variety of non-financial qualitative controls. Some of these are: Formal structures: the organisational chart with its hierarchy of management; Personnel controls: recruitment, training and socialisation, supervision and performance appraisal processes; Informal structures: the organisational culture; Rules, policies and procedures: embedded in manuals or corporate policies and in computer systems; Physical controls: physical access to offices, computers, etc.; Strategic plans: strategies direct behaviour and define the boundaries in which the organisation operates; Incentives and rewards: reinforcing desired behaviour.These controls influence behaviour by requiring certain policies and procedures or standard instructions to be followed. Qualitative controls ensure that behaviour is legally correct, co-ordinated and consistent throughout the organisation; is linked to objectives and is efficient and effective.Relationship of Risk Management with Internal Control Systems Risk management is an important precursor to internal control as it allows the internal controls to be focused on the most significant risks. Therefore risks are assessed and control activities are determined that relate to the assessed risks. The benefits of effective risk management include: the maintenance of profitability in the medium and longer term; the avoidance of sudden losses if business continuity is impeded; the avoidance of profit warnings and major exceptional items; more cost-effective insurance cover and reduced premium cost; greater degree of assurance that business continuity will be safeguarded in the event of a catastrophe; continued customer satisfaction and the maintenance of the organisations reputation with customers, the public and investors.
The costs and benefits of a particular internal control system Benefits Avoidance of losses Legal requirement (health & safety, information required for HMRC) Well being of employees motivation, succession planning important resource Preferred employer better calibre staff important resource Costs Establishment of policies & procedures Administrative support Opportunity cost of not spending time on the delivery of organisational objectives (Internal controls provide a safeguard but not an absolute guarantee) NON-FINANCIAL QUANLITATIVE CONTROLS Accounting Controls/Financial Standard costing Will this be appropriate for an organisation that wants to delivery flexibility and customisation? Capital investment appraisal in line with strategic objectives Can future cash flows be predicted with some accuracy? Does it capture the richness of the investment evaluation problem, would the use of value chain analysis, cost driver analysis and competitive advantage analysis achieve a better fit between investment decisions and business strategy implementation? Cash controls Debtor control Exchange controls hedging
Overhead allocation Does this accurately reflect the resources consumed in production? This could lead to misleading information about product/service profitability. (Is ABC the answer?)
3 Transfer Pricing Negotiated prices may help to reduce demotivating effects on divisional performance
Budgets and budgetary control Forecast of future events Motivational targets Standards for performance evaluation One of the most common dysfunctional consequences of budgeting is the creation of 'slack' resources or low targets being set because managers believe they will readily be achieved. Budget expectations perceived to be unfair or exploitative are not internalised by employees and can lead to lower motivation and performance. Similarly, the manipulation of data or its presentation to show performance in the best possible light is another common behaviour, particularly where performance is linked to rewards. 'Beyond Budgeting:
proposes targets based on stretch goals linked to performance against world-class benchmarks and prior periods; enables decision-making and performance accountability to be devolved to line managers and a culture of personal responsibility; increased motivation; higher productivity and better customer service. JIT Elimination of inventories Consider the total cost of ownership rather than the initial purchase price
Cost of quality Strategic management accounting PAF model
4 Life cycle costing Estimates lifetime costs and profits Do profits generated in the production phase cover all the life cycle costs Increased cost control during the development phase Target costing Determine the target price customers are prepared to pay Determine a target profit margin, therefore can establish the target cost If actual cost exceeds target cost then need to investigate ways of reducing the estimated cost to the target cost. Kaizen (tightening) Continuous improvement & feedback during the production process Even the smallest improvement is worth consideration Lean management accounting JIT Target costing TQM Eliminates waste within value streams Non Financial Quantitative Controls a balanced scorecard approach Customer Customer satisfaction number of clients (especially increases and potential losses) Market share Business processes IT controls input/process/output/network/physical/disaster recovery Post implementation reviews Tender process for suppliers
Innovation/learning and growth Employees retention Training costs Employees satisfaction
NON-FINANCIAL QUALITATIVE CONTROLSThese controls influence behaviour by requiring certain policies and procedures or standard instructions to be implemented in order to ensure that behaviour is legally correct, co-ordinated and consistent throughout the organisation. Culture Physical controls Organisational structure and chain of command the form of structure that is adopted will determine the type of control exercised over operational management Project management - post implementation reviews Authorisation procedures Authorisation of expenses Staff control policies and procedures Contracts of employment Performances appraisal Control of the board Composition of the board Chairman & chief executive Executive & non executive directors Board appointments nominations committee Framework for board meetings Purpose Agenda Control Action Frequency of board meetings Regular review
Evaluation of an internal control systemThe internal control system of the business is no different to other business activities the benefits of maintaining the system must outweigh the costs of operating it. As part of the monitoring process therefore management must consider the costs and benefits.However, it can be difficult to quantify those costs and benefits as they are often not direct cash costs.Costs of an internal control system will include: time of management involved in the design of the system implementation: costs of IT consultants to implement new software training all staff in new procedures maintenance of system: software upgrades monitoring and review
Benefits are to be found in the reduction of the risks and achievement of business objectives.Limitations of internal control systemsWarnings should be given regarding overreliance on any system, noting in particular that: A good internal control system cannot turn a poor manager into a good one. The system can only provide reasonable assurance regarding the achievement of objectives all internal control systems are at risk from mistakes or errors. Internal control systems can be bypassed by collusion and management override. Controls are only designed to cope with routine transactions and events. There are resource constraints in provision of internal control systems, limiting their effectiveness.chapter6FraudWhat is fraud ?The term fraud commonly includes activities such as theft, corruption, conspiracy, embezzlement, money laundering, bribery and extortion.Fraud can be defined as 'dishonestly obtaining an advantage, avoiding an obligation or causing a loss to another party'.Fraud is a crime, but does not have a precise legal definition. The term fraud refers to an international act by one or more individuals among management, those charged with governance, employees or third parties, involving the use of deception to obtain an unjust or ill