MAS 4-Notes

The document discusses various types of risk that will be covered in the MAS 4 finals, including risk management, internal controls, and different categories of risk. It provides definitions and examples of systematic and unsystematic risk, default risk, liquidity risk, market risk, operations risk, financial risk, business risk, and risks associated with various industries. It also outlines risk response techniques according to the International Organization for Standardization.

Uploaded by Ellie

MAS 4 (Finals)

Midterm topics that will be tackled during FINALS:

Risk Management

Internal Control

TOPIC 1: Risk Management

The Concept of Risk, Types, and Corresponding Risk Responses

What is RISK?

Risk
-PROBABILITY that some FUTURE EVENT could impact the organization
-measured in terms of PROBABILITY and IMPACT
-exposure to the possibility of LOSS, INJURY, or OTHER ADVERSE CIRCUMSTANCES
-inherent; can be mitigated

It can be SYSTEMATIC or UNSYSTEMATIC

Systematic Risk:
-not fully controllable by the organization
-not entirely predictable
-usually MACRO in nature
-usually affects a large number of organizations
-cannot be fully assessed and anticipated in advance in terms of TIMING and GRAVITY
E.g. INTEREST RATE RISK, MARKET RISK, PURCHASING POWER RISK

Unsystematic Risk:
-usually controllable by the organization
-reasonably predictable
-MICRO in nature
-if not managed, it directly affects individual organizations first
-usually assessed well in advance with reasonable efforts; risk mitigation can be planned with proper understanding and risk assessment techniques
E.g. COMPLIANCE RISK, CREDIT RISK, OPERATIONAL RISK

RISK ASSOCIATED WITH INVESTMENTS (7)

Business RISK
-uncertainty about the rate of return caused by the nature of the business
CAUSE: Uncertainty about the firm’s sales and operating expenses
-related to sales volatility as well as to *operating leverage
*caused by fixed OPEX.
-most firms have fixed OPEX
-causes OPIN to be more volatile than sales

Firm’s sales are not guaranteed and will fluctuate as the nature of the industry changes.
Firm’s income is related to its operating expenses.
= If all OPEX are variable, sales volatility will be passed directly to operating income.

Default RISK
-related to the probability that some or all of the initial investment will not be returned

Degree of Default RISK - closely related to the financial condition of the company issuing the security and the security’s rank in claims on assets in the event of default or bankruptcy.

Financial RISK
-firm’s capital structure or sources of financing
-any of various types of risk associated with financing, including financial transactions that include company loans at risk of default.

If the firm is partially financed by debt that requires fixed interest payments or by preferred shares that require fixed preferred dividend payments, the fixed charges introduce FINANCIAL LEVERAGE
-causing the firm’s lenders and stockholders to view their income streams as having ADDITIONAL UNCERTAINTY
-as a result of this, both investment groups would INCREASE the risk premiums that they require for investing in the firm.
-causes NI to vary more than OPIN

Interest rate RISK
-most commonly associated with bond price movements.
-its movement affects almost all investment alternatives

Rising interest rates cause bond prices to decline
Declining interest rates cause bond prices to rise

Liquidity RISK
-uncertainty created by the inability to sell an investment quickly for cash

Uncertainties faced by an investor when considering the sale of an investment:
-what price will be received?
-how long will it take to sell that asset?

Example of Illiquid Asset:
House in a market with an abundance of homes relative to the number of potential buyers.
-this investment may not sell for several months or even years. If the price is reduced sufficiently, the real estate will sell, BUT the investor must take a SELLING PRICE CONCESSION in order for the transaction to occur.
-T-bills can be sold immediately with very little concession on selling price
-Ordinary equity shares can be sold quickly
— liquidity risk for these is more complex
— they are traded on organized and active markets

Management RISK
-risk (financial, ethical, or otherwise) associated with ineffective, destructive, or underperforming management.
-if management is not performing well, all risks that may occur in an entity will be affected.
-decisions made by the firm’s management and BOD materially affect the risk faced by investors.

Areas affected: product innovation and production methods, and financing to acquisitions.

Purchasing Power RISK
-difficult to recognize

! It is easy to observe a decline in the price of a stock or bond, but more difficult to recognize that the purchasing power of the return earned on an investment has declined (risen) as a result of inflation (deflation).

REMEMBER: The investor expects to be compensated for forgoing consumption
-Inflation erodes the purchasing power of the peso and increases investor risk.
RISK ASSOCIATED WITH MANUFACTURING, TRADING, AND SERVICE CONCERNS (4)

Market RISK
-risk that an investor faces due to a decrease in the market value of a financial product arising out of factors that affect the whole market and is not limited to a particular commodity.
-PRODUCT risks: Complexity, Obsolescence, Research and Development, Packaging, Delivery of Warranties
-COMPETITOR risks: Pricing strategy, Market share, Market Strategy

Operations RISK
-risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations.
-Process stoppage
-Health and Safety
-After-sales service failure
-Environmental
-Technological Obsolescence
-Integrity: Management Fraud, Employee Fraud, Illegal Acts

Financial RISKS
-the likelihood of losing money on a business or investment decision.
-Interest rate volatility
-Foreign Currency
-Liquidity
-Derivative
-Viability

Business RISKS
-exposure a company or organization has to factor(s) that will lower its profits or lead it to fail.
-anything that threatens a company’s ability to achieve its financial goals
-Regulatory Change
-Reputation
-Political
-Regulatory and legal
-Shareholder relations
-Credit rating
-Capital Availability
-Business Interruptions

RISK ASSOCIATED WITH FINANCIAL INSTITUTIONS

Financial Risk:
-Liquidity Risk
-Market Risk: Currency, Equity, Commodity
-Credit Risk: Counterparty, Trading, Commercial; Loans, Guarantees
-Market Liquidity Risk: Currency rates, Interest rates, Bond and equity prices
-Hedged Positions Risk
-Portfolio Exposure Risk
-Derivative Risk
-Accounting Information Risk: Completeness, Accuracy
-Financial Reporting Risk: Adequacy, Completeness

Non-Financial Risk:
-Operational Risk: Systems; Information Processing, Technology; Customer Satisfaction, Human Resources, Fraud and Illegal Acts, Bankruptcy
-Regulatory Risk: Capital Adequacy, Compliance, Taxation, Changing Laws and Policies
-Environmental Risk: Politics, Natural Disasters, War, Terrorism
-Integrity Risk
-Reputation
-Leadership Risk: Turnover, Succession

RISK RESPONSES/TECHNIQUES

International Organization for Standardization (ISO 31000) - suggests that once risks have been identified and assessed, these techniques should be applied to manage the risks.

Risk Avoidance - also means losing out on the potential gain that accepting the risk may have allowed.
-also avoids the possibility of earning profits
-not performing an activity that could carry risk

Risk Sharing - sharing with another party the burden of loss or the benefit of gain from a risk, and the measures to reduce risk.

Risk Mitigation - reducing the severity of loss or the likelihood of loss from occurring.
-finding a balance between the negative risk and the benefit of the activity.
E.g. Outsourcing - if the outsourcer can demonstrate a higher capability of managing or reducing risks

Risk Acceptance - accepting the loss or the benefit of gain from a risk when it occurs.
E.g. Self-insurance

Risk Creation

Concept of Risk Management and Its Basic Principles

What is Risk Management?
-process of measuring or assessing risk and developing strategies to manage it.
-systematic approach to identifying, analyzing, and controlling areas or events with potential for causing unwanted change.
-act or practice of controlling risk:
a. Risk planning
b. Assessing risk areas
c. Developing risk-handling options
d. Monitoring risks (determine how risks have changed)
e. Documenting the overall risk management program

According to ISO 31000:
a. identification, assessment, and prioritization of risks
b. followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events
c. maximizes realization of opportunities
-response to risk

Basic Principles of Risk Management
-Create value
-Address uncertainty and assumptions
-Be an integral part of the organizational processes and decision-making
-Be dynamic, iterative, transparent, tailorable, and responsive to change
-Create capability of continual improvement and enhancement considering the best available information and human factors
-Be systematic, structured and continually or periodically reassessed
Process of Risk Management

Establishing the Context
*Identification of risk in a selected domain of interest
*Planning the remainder of the process
*Mapping out the ff:
-social scope of risk management
-identity and objectives of stakeholders
-basis upon which risks will be evaluated, constraints
*Defining a framework for the activity and an agenda for identification
*Developing an analysis of risks involved in the process
*Mitigation or solution of risks using available technological, human and organizational resources.

Identification of Potential Risk

Risk Identification - can start with analysis of the source of the problem or with analysis of the problem itself.
Common risk identification methods:
a. Objective-based risk
b. Scenario-based risk
c. Taxonomy-based risk
d. Common-risk checking
e. Risk charting

Risk Assessment - critical to making the best educated decisions in prioritizing the implementation of the risk management plan

Different Areas of Risk Management and Steps in the Risk Management Process

Elements of Risk Management
— Identification, characterization, and assessment of threats
— Assessment of the vulnerability of critical assets to specific threats
— Determination of the risk
— Identification of ways to reduce those risks
— Prioritization of risk reduction measures based on a strategy

Areas of Risk Management
Most commonly encountered areas of risk management:
— Enterprise Risk Management
— Risk management activities as applied to project management
— Risk management for megaprojects
— Risk management of information technology
— Risk management techniques in petroleum and natural gas

Steps in Risk Management Process
1. Set up a separate risk management committee chaired by a board member
2. Ensure that a formal comprehensive risk management system is in place
3. Assess whether the formal system possesses the necessary elements
4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks faced by the business firm
5. Assess if management has developed and implemented suitable risk management strategies and evaluate their effectiveness
6. Evaluate if management has designed and implemented risk management capabilities
7. Assess management’s efforts to monitor overall company risk management performance and to continuously improve the firm’s capabilities
8. See to it that best practices as well as mistakes are shared by all
9. Assess regularly the level of sophistication of the firm’s risk management system
10. Hire experts when needed

Concept of Enterprise Risk Management (TRM vs ERM)

SEC Requirement Relative to Enterprise Risk Management of Publicly-Listed Corporations

SEC Code of Governance Recommendation 2.11 and the corresponding explanation provide the ff:
-The Board should oversee that a sound ERM framework is in place to effectively identify, monitor, assess, and manage key business risks.
-The risk management framework should guide the BOARD in identifying units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk management strategies.
-Risk management policy - part and parcel of a corporation’s corporate strategy.
-Board - responsible for defining the company’s level of risk tolerance and providing oversight over its risk management policies and procedures.

Principle 12 deals with strengthening the Internal Control System and Enterprise Risk Management Framework:
—> “To ensure the integrity, transparency, and proper governance in the conduct of its affairs, the company should have a strong and effective internal control system and enterprise risk management framework.”

Risk Management Framework

Subject to the corporation’s size, risk profile and complexity of operations, the BOARD should establish a separate Board Risk Oversight Committee (BROC) that should be responsible for the oversight of the company’s ERM system - to ensure functionality and effectiveness.

BROC composed of:
-at least three (3) members, the majority of whom should be independent directors, including the Chairman.
-the Chairman should not be the Chairman of the Board or of any other committee.
-at least one (1) member of the committee must have relevant thorough knowledge and experience on risk and risk management.

Subject to its size, risk profile and complexity of operations, the company should have a separate risk management function to IDENTIFY, ASSESS, AND MONITOR KEY RISK EXPOSURES.

Traditional Risk Management
-a process that aims to develop a consistent understanding of an organization’s goals and the risks that may inhibit its success.

Enterprise Risk Management
-known as company-wide risk management
-considers risks and opportunities across the organization, aligns with strategic objectives and promotes a risk-aware culture

Primary distinctions:

Siloed vs. Holistic
TRM - various risk functions within an organization “own” their respective risks and tend to operate in silos
ERM - takes a more holistic view, looking at relationships among various risk types

Risk averse vs. Risk taking
TRM - risk averse
ERM - risk taking

Reactive vs. Proactive
TRM - tends to be reactive; the company changes its behavior after a risk manifests
ERM - takes a proactive approach to risk management using a combination of people, processes and technology

Insurable vs. Uninsurable
TRM - focuses on risks that are insurable versus non-insurable risks.
If an executive commits a crime, such as embezzlement or insider trading, insurance will not cover the criminal fines.

DISTINCTIONS (2)

Reactiveness:
TRM - Reactive: responds to incidents that have occurred and focuses on preventing recurrence
ERM - Proactive: looks forward to prevent risk from occurring

Scope:
TRM - Focuses on insurable and financially tangible risks
ERM - Encompasses both insurable and non-insurable risks, and those where the cost is hard to define (risk of damage to brand reputation)

Adaptability:
TRM - Standardized, prescribed approaches
ERM - Fluid, adaptable, agile

Effort:
TRM - Focus on business units or departments; siloed; can create duplicated activity
ERM - Holistic and enterprise-wide; minimizes duplication

Alignment:
TRM - Limits risk prioritization and alignment across teams
ERM - Enables risks that impact multiple departments to be prioritized and tackled in an integrated way

Integration:
TRM - approach, metrics, and reporting inconsistent between teams, sites or departments
ERM - approach, metrics, and reporting consistent and integrated across the business

Identification:
TRM - identifies and tackles risks on a case-by-case basis
ERM - focuses on root-cause risks common to every silo

Mitigation:
TRM - focuses on impact on individual business units or teams
ERM - takes into account impact on the entire organization

Mindset:
TRM - risk averse; focuses on mitigation
ERM - risk tolerant; takes an enterprise-wide risk culture

Connection:
TRM - standards and approaches are business-specific and can be simplistic
ERM - aligns with recognized standards like the COSO Framework (internal control framework) to ensure the risk management approach is in line with best practice
Prominence:
TRM - keeps risk conversations to team or department level
ERM - elevates risk discussions to board level
Responsiveness:
TRM - static checklist of risks and responses

ERM - real-time, responsive approach to the changing organization and risk landscape

Sarbanes-Oxley Act of 2002

Enron’s fraudulent behavior was the reason the SOX Act was passed in 2002
-Enron was the largest company in the US during 2001

Sarbanes-Oxley Act - a U.S. Federal Law
-spearheaded by Senator Paul Sarbanes and Representative Michael Oxley
-signed into law by President George W. Bush on July 30, 2002
-aka SOX Act of 2002 and the Corporate Responsibility Act of 2002
-mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers.
-aims to protect investors from fraudulent financial reporting by corporations
-came in response to financial scandals in the early 2000s

New law set out reforms and additions in four (4) principal areas:
1. Corporate responsibility
2. Increased criminal punishment
3. Accounting regulation
4. New protections

Management levels that the SOX Act affects:
-External & Internal auditors
-BOD and their committees
-Top executives
-Senior managers
-Attorneys (internal and external)
-Regulators

Sections of SOX Relevant to Compliance

Section 302 - Corporate Responsibility for Financial Reports
Financial reports and statements must certify that:
-Documents have been reviewed by the signing officers and passed internal controls within the last 90 days
-Documents are free of untrue statements or misleading omissions
-Documents truthfully represent the company’s financial health and position
-Documents must be accompanied by a list of all deficiencies or changes in internal controls and information on any fraud involving company employees

Section 401 - Disclosures in Periodic Reports
-Financial statements are required to be accurate.
-Financial statements should also represent any off-balance-sheet liabilities, transactions, or obligations

Section 404 - Management Assessment of Internal Controls
-requires management and auditors to establish internal controls and reporting methods to ensure the adequacy of those controls

Section 409 - Real-time Issuer Disclosures
-Companies are required to urgently disclose drastic changes in financial position or operations

Section 802 - Criminal Penalties for Altering Documents
-contains three (3) rules that affect recordkeeping:
-deals with destruction and falsification of records
-defines the retention period for storing records
-outlines specific business records that companies need to store (electronic communications)
Outlines:
-any company official found guilty of concealing, destroying, or altering documents, with intent to disrupt an investigation, will face up to 20 years in prison and applicable fines.
-any accountant who knowingly aids company officials in destroying, altering, or falsifying financial statements could face up to 10 years in prison

Section 806 - Protection for Employees of Publicly Traded Companies who Provide Evidence of Fraud
-deals with whistleblower protection.
-mandates protection for whistleblowers, stating that employees and contractors who report fraud or testify about fraud to the Department of Labor are protected against retaliation, including dismissal and discrimination.

Section 902 - Attempts & Conspiracies to Commit Fraud Offenses
-crime for any person to corruptly alter, destroy, mutilate, or conceal any document with intent to impair the object’s integrity or availability for use in an official proceeding.

Section 906 - Corporate Responsibility for Financial Reports
-addresses criminal penalties for certifying misleading or fraudulent financial reports.
-penalties can be upwards of $5 million in fines and 20 years in prison

Summary of Sarbanes-Oxley Act 2002 (11 titles)

TITLE I - Public Company Accounting Oversight Board (PCAOB)
-consists of 9 sections and establishes the PCAOB, to provide independent oversight of public accounting firms providing audit services.

TITLE II - Auditor Independence
-consists of 9 sections and establishes standards for external auditor independence, to limit conflicts of interest.
-addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements

TITLE III - Corporate Responsibility
-consists of 8 sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports

TITLE IV - Enhanced Financial Disclosures
-consists of 9 sections and describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers.

TITLE V - Analyst Conflicts of Interest
-consists of 1 section; includes measures designed to help restore investor confidence in the reporting of securities analysts.

TITLE VI - Commission Resources and Authority
-consists of 4 sections; defines practices to restore investor confidence in securities analysts.

TITLE VII - Studies and Reports
-consists of 5 sections; requires the Comptroller General and the SEC to perform various studies and report their findings

TITLE VIII - Corporate and Criminal Fraud Accountability
-consists of 7 sections; referred to as the Corporate and Criminal Fraud Accountability Act of 2002

TITLE IX - White-collar Crime Penalty Enhancements
-consists of 6 sections; aka the White-Collar Crime Penalty Enhancement Act of 2002
-increases criminal penalties associated with white-collar crimes and conspiracies

TITLE X - Corporate Tax Returns
-consists of 1 section
-Chief executive officers should sign the company tax return

TITLE XI - Corporate Fraud and Accountability
-consists of 7 sections; called the Corporate Fraud Accountability Act of 2002
-identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties
TOPIC 2: Internal Control

Concept, Purpose, and Elements of Internal Control

Internal Control - process designed and effected by those charged with governance, management, and other personnel
-provides reasonable assurance about the achievement of the entity’s objectives.
OBJECTIVES:
-Reliability of the entity’s financial reporting
-Effectiveness and efficiency of operations
-Compliance with applicable laws and regulations
others:
-Adherence to management policies
-Safeguarding of assets
-Prevention and detection of fraud and error
-Accuracy and completeness of accounting records
-Timely preparation of financial information

Elements/Components

Control Environment

Communication & Enforcement of Integrity and Ethical Values
-entity’s ethical and behavioral standards and the manner in which it communicates and reinforces them determine the entity’s integrity and ethical behavior

Commitment to Competence
-knowledge and skills necessary to accomplish the tasks that define the employee’s job

Participation by Those Charged with Governance
-entity’s control consciousness is influenced significantly by those charged with governance
-oversight and whistleblower mechanism

Management’s Philosophy and Operating Style
-management’s approach to taking and monitoring business risk, its conservative or aggressive selection from alternative accounting principles

Organizational Structure
-provides the overall framework for planning, directing, and controlling operations

Assignment of Authority and Responsibility
-personnel within the organization need to have a clear understanding of their responsibilities and the rules and regulations that govern their actions

Human Resources Policies and Procedures
-an important element of IAS is the people who perform and execute established policies and procedures.

Entity’s Risk Assessment Process

Risk Assessment - identification, analysis, and management of risks pertaining to the preparation of FS.
Entity’s risk assessment process - process for identifying and responding to business risks and the results thereof.
-FS purposes: how management identifies risks relevant to the preparation of FS that are presented fairly…

Circumstances where RISKS can arise:
-changes in operating environment
-new personnel
-new or revamped information systems
-rapid growth
-new technology
-new business models, products, or activities
-corporate restructurings
-expanded foreign operations
-new accounting pronouncements

Application to small entities: the entity’s risk assessment process is likely to be less formal and less structured.
-FR objectives may be recognized implicitly rather than explicitly.

Information System and Communication

Information system - consists of infrastructure (physical and hardware components), software, people, procedures, and data

AS procedures and records designed and established to:
-Initiate, record, process, and report entity transactions and maintain accountability for related assets, liabilities, and equity.
-Resolve incorrect processing of transactions
-Process and account for system overrides or bypasses of controls
-Transfer information from transaction processing systems to the general ledger
-Capture information relevant to financial reporting for events and conditions other than transactions
-Ensure information required to be disclosed by the applicable financial reporting framework is ACCUMULATED, RECORDED, PROCESSED, SUMMARIZED, and appropriately reported in the FS

*Entity’s IS includes the use of standard JEs that are required on a recurring basis; includes the use of non-standard JEs to record non-recurring, unusual transactions or adjustments.

Related Business Processes
-Develop, purchase, produce, sell, and distribute an entity’s products and services
-Ensure compliance with laws and regulations
-Record information, including accounting and financial reporting information

Information system encompasses methods and records to:
-Identify and record all valid transactions
-Describe on a timely basis the transactions in sufficient detail
-Measure the value of transactions
-Determine the time period in which transactions occurred
-Present transactions and related disclosures in the FS properly

Communication - involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting
-takes such forms as policy manuals, accounting and FR manuals, and memoranda.
-can be made electronically, orally, and through the actions of management

Control Activities
-policies and procedures that help ensure that management directives are carried out
3 major categories of control procedures:

Performance review - uses accounting and operating data to assess performance and takes corrective action
-personnel at various levels in the org may perform this
-managers may use it for the sole purpose of making operating decisions

Information processing controls (Proper authorization of transactions and activities, Separation of Duties, Adequate Documents and Records, Access to Assets, Independent checks on performance)

Physical Control
-physical security of assets
-authorization for access to computer programs and data files
-periodic accounting and comparison with amounts shown on control records

Monitoring of Controls
-process that the entity uses to assess the quality of internal control over time.
-involves assessing the design and operation of controls on a timely basis and taking corrective action as necessary

PURPOSE: INTERNAL CONTROL, COSO FRAMEWORK

Internal control - organizational plan
-all related measures to safeguard assets, ensure accuracy and reliability, promote operational efficiency, and encourage adherence

COSO - Committee of Sponsoring Organizations of the Treadway Commission
-composed of representatives from five (5) organizations:
-American Accounting Association (AAA)
-American Institute of Certified Public Accountants (AICPA)
-Financial Executives International (FEI)
-Institute of Management Accountants (IMA)
-Institute of Internal Auditors (IIA)

COSO framework - system used to establish internal controls to be integrated in business processes.
-these controls provide reasonable assurance that the organization is operating ethically, transparently and in accordance with established industry standards.
-defines IC as a “process effected by the entity’s board of directors, management, and other personnel, designed to provide reasonable assurance of achievement of objectives” (Operations, Reporting, Compliance)

Components of COSO Framework

Control Environment - set of standards, processes and structures that provides the basis for carrying out internal control across the organization.
Risk Assessment - forms the basis for determining how risks will be managed
Control Activities - actions established through policies and procedures that help ensure risks are minimized
Information and Communication
-Information - obtained by management from both internal and external sources to support internal control components
-Communication - based on internal and external sources; used to disseminate important information throughout and outside the org, as needed to respond to and support meeting requirements and expectations
Monitoring Activities - evaluation used to ascertain whether components of internal control are present and functioning
-ongoing evaluations; separate evaluations

17 Principles of Internal Control

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys control activities through policies and procedures

Information and Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing or separate evaluations
17. Evaluates and communicates deficiencies

BENEFITS OF COSO FRAMEWORK
-enables business procedures to be carried out consistently
-often a better position to detect fraudulent acts
-helps them to make existing business processes more efficient

LIMITATIONS OF COSO FRAMEWORK
-relatively broad in scope
-broken into a series of rigid categories

Fraud, Error and the Fraud Triangle

Risk factors that contribute to fraudulent acts