Internal Control and Risk

The document discusses internal controls, including their purpose, importance, and characteristics. It outlines challenges in developing internal controls, such as insufficient resources and staffing issues. Limitations of internal controls are also discussed, such as human error overriding controls. Monitoring and evaluating controls is important to ensure they remain effective over time. An internal audit department can help ensure effective internal controls by reviewing control procedures and risks.

Uploaded by dominic

ACCA P1 | Governance, Risk and Ethics

Study notes for September 2017


Internal Control
Internal control is any action taken by the management to enhance the likelihood that the established goals and
objectives will be achieved. Control is the result of planning, organizing and directing by the management.

Purpose of Internal Control


- To ensure the orderly and efficient conduct of its business and adherence to internal policies.
- To safeguard the assets.
- To prevent and detect fraud and error.
- To ensure the accuracy and completeness of the accounting records.
- To ensure the timely preparation of accounting records.

Importance of Internal Control


- Underpins shareholder confidence.
- Ensures smooth running of the business by rectifying errors throughout the course.
- Helps to manage quality.
- Provides information insights to the management for making decisions and planning for the future.
- Helps expose and improve underperforming internal operations.

Characteristics of Internal Control Systems


The Turnbull report summarizes key characteristics of internal control systems. They should:
- Be embedded in the operations of the company and form part of its culture.
- Be able to respond quickly to evolving risks within the business.
- Include procedures for reporting any significant failings and weaknesses immediately to management, together
with the control action being taken.

Challenges in developing Internal Controls


- Insufficient staff resources to maintain segregation of duties.
- Domination of activities by management, with significant opportunities for management override of controls.
This arises from smaller companies having fewer levels of management with wider spans of control and their
managers having significant ownership interest or rights.
- Inability to recruit directors with the requisite financial reporting or other expertise.
- Inability to recruit and retain staff with sufficient knowledge of, and experience in financial reporting.
- Management having a wide range of responsibilities and thus having insufficient time to focus on
accountability and financial reporting.
- Inability to recruit and retain staff with the technical knowledge needed to maintain the required quality controls
(this could be relevant to firms operating in developing countries with a skills shortage).

Limitations of Internal Control


An internal control framework in any organization can only provide the directors with reasonable
assurance that their objectives are reached, because of inherent limitations including:
- The costs of control not outweighing their benefits; sometimes setting up an elaborate system of controls will
be too costly when compared with the financial losses those controls may prevent.
- Poor judgement in decision-making.
- Collusion between employees.
- The possibility of controls being bypassed or overridden by management or employees.
- Controls being unable to cope with unforeseen circumstances.
- Controls not being updated over time.

Why the effectiveness of internal controls cannot be guaranteed


It is generally understood that, however robust and expensive an internal control is, it can sometimes be ineffective.
There are a number of possible reasons for this, with the most common being as follows:

1. A control can be under- or over-specified. An under-specified control is one which is not capable of actually
controlling the risk or activity intended. Conversely, an over-specified control is one which over-controls: it is poor
value for money and may constrain activity if it does not adequately allow normal levels of performance.

2. Human factors can undermine or circumvent the effectiveness of many internal controls. In this regard, the most
common is human error, which may or may not be accompanied by intentional fraud. It is sometimes believed, by an
individual, that personal gain could be achieved where a given control is not in place and this can result in that person
intentionally circumventing the control.

3. Likewise, controls can be ineffective if employees collude to achieve that circumvention. If a group in a workplace
believes a control to act against members’ personal interests, they can act together to reduce its effectiveness. This
may, of course, result in a sanction if discovered.

4. The fourth reason why internal controls are sometimes ineffective is the occurrence of non-routine events when a
control is designed for relatively routine behavior.

5. Management or employees may exercise poor judgement or miscalculation, which means that a control will become
ineffective. A brake on a machine tool or a vehicle is only effective, for example, as long as the machine is reasonably
and safely used. An excessive speed or the use of a wrong material in a machine tool, for example, would negate the
value of the brake, even though the brake is effective in its own right.

Why the effectiveness of internal control cannot be judged on the basis of the cost attached to it
There are several reasons why cost alone is a poor guide as to the effectiveness of internal controls.

First, it is the design of the control rather than the cost which is the primary driver of effectiveness. A wrongly or
inappropriately designed control, regardless of cost, will be less than fully effective. There need not be any direct
relationship between design and cost. A highly effective control can, at the same time, be very simple and
inexpensive.

Secondly, a control can be over-specified, meaning that the control is more robust, and usually therefore more
expensive, than it needs to be. Cost-effectiveness is a key criterion in the adoption of any control, and a control costing
disproportionately more than the loss which could be incurred by its failure is seen to be poor value for money.

Thirdly, almost any control can be corrupted, circumvented or ignored, in line with the limitations outlined
above. With sufficient determination, an employee or service user can act against a control. Similarly,
a technical failure can render even a well-designed control less effective.

Monitoring Controls
Controls need to be monitored in order to support a sound system of internal controls. Once a control system is
designed and responsibilities to manage it are allocated, only those controls which are part of someone’s job or
performance appraisal will be monitored and thereby maintained. Any metrics which are not part of this control
regime may go unchecked and may not remain within compliance limits as circumstances change over time. Ongoing
monitoring and separate evaluation enable management to determine whether internal controls continue to function
over time.

1. Ongoing monitoring
Ongoing monitoring includes routine review of reconciliations and system action applications. It may be particularly
effective in smaller companies, where managers will have high-level, first-hand knowledge of the company’s activities.
Their close involvement in operations will help them identify variances and inaccuracies.

2. Separate evaluation
Separate evaluation is generally carried out by the audit committee or the internal audit department, and also includes
the annual review of control procedures. Separate evaluation is difficult in companies where no internal audit
department exists, as the review of control effectiveness within a business unit will then be carried out by the manager
responsible for that unit, who lacks objectivity.

The results of monitoring should be reported to the right people and corrective action should be taken. Deficiencies in
internal controls should be reported to the person responsible for the control’s operation and to at least one level higher.
The deficiencies need to be assessed in the same terms as risk: the likelihood that a control will fail to detect or
prevent a risk’s occurrence, and the significance of the potential impact of the risk.

Internal Audit Department


Internal audit is an appraisal or monitoring activity established by the management and directors for the review of
accounting and internal control systems as a service to the entity. It functions by, among other things, examining,
evaluating and reporting to the management and directors on the adequacy and effectiveness of components of
accounting and internal control systems.

When is Internal Audit needed?


- Large, diverse and complex organization
- Large number of employees
- Cost benefit analysis required
- Changes in organizational structure
- Changes in key risks
- Problems with existing internal control
- Increased number of unexplained events

Role of internal audit in ensuring effective internal controls


Internal audit underpins the effectiveness of internal controls by performing several key tasks (mnemonic: REFCC):

1. Internal audit reviews and reports upon the controls put in place for key risks that the company faces in its
operations. This will involve ensuring that the control (i.e. mitigating measure) is capable of handling risk should it
materialize. This is the traditional view of internal audit. A key part of its role is to review the design and effectiveness
of internal controls.

2. Internal audit may also be involved in the examination of financial and operating information to ensure its accuracy,
timeliness and adequacy. In the preparation of internal management reports, for example, internal audit may be
involved in ensuring that the information used in those reports is correctly measured and accurate.

3. Many organizations require the internal audit team to conduct follow-up visits to ensure that the weaknesses or
failures reported in the previous report have been adequately addressed. This creates pressure on company staff
to implement the recommendations made by the internal audit team.

4. It will typically undertake reviews of operations for compliance against standards. Standard performance measures
will have an allowed variance or tolerance and internal audit will measure the actual performance against this
standard. Internal compliance is essential in all internal control systems. Examples might include safety performance,
cost performance or the measurement of a key environmental emission against a target amount (which would then be
used as a part of a key internal environmental control).

5. Internal audit is used to review the internal controls and systems for compliance against relevant regulations and
externally imposed targets. Although this is often assumed to be of more importance in rules-based jurisdictions such as
the US, many companies have upper and lower limits on key indicators, and it is the role of internal audit to measure
against these and report as necessary. In financial services, banking, oil and gas, etc., legal compliance targets are often
placed on companies and compliance data is required periodically by the government.

Subjective and Objective Risk Assessment


Risk assessment is an important but complicated process and involves establishing both the probability of a particular
risk event happening and also the impact or hazard that would arise if it were realized. A key point is that some of these
calculations can be made with some degree of objectivity whilst others rely more on subjective assessment. There is an
important distinction, then, between objective and subjective assessments. A risk can be objectively assessed if we can
‘scientifically’ measure the probability of a given outcome or predict the impact with some certainty. We can predict
with some confidence, for example, based on past data, the number of working days likely to be lost in a given year
through absenteeism of employees. We can predict with much less certainty the probability that the stock market will
rise or fall on a given day. In such a situation, we must use more subjective risk assessment.

Risks
- Risk: a condition in which there exists a quantifiable dispersion in the possible results of any activity.
- Hazard: the impact if the risk materializes.
- Uncertainty: not knowing the possible outcomes and the chances of each outcome occurring.

Fundamental risks are those risks that affect society in general or broad groups of people, and are beyond the control
of any one individual. For example, there is a risk of atmospheric pollution which can affect the health of a whole
community, but which may be quite beyond the power of any individual within it to control.

Particular risks are risks over which an individual may have some sort of control. For example, there is a risk
associated with smoking and we can mitigate that risk by refraining from smoking.

Speculative risks are those from which either good or harm may result. A business venture, for example, presents a
speculative risk because either profit or loss can result.

Pure risks are those whose only possible outcome is harmful. The risk of loss of data in computer systems caused by
fire is a pure risk because no gain can result from it.

Management must be aware of potential risks. Risks change as the business changes, so this stage is particularly
important in turbulent environments. Uncertainty can come from any of the political, economic, natural, socio-
demographic or technological contexts in which the organization operates.

Corporate governance guidelines therefore require directors to:


- Establish appropriate control mechanisms to deal with risks the organization faces.
- Monitor risks themselves by conducting regular reviews and a wider annual review.
- Disclose their risk management process in the accounts.

The Risk Management Process


Overall risk management is the responsibility of the board of directors (BOD) and involves four steps:

1. Identify risk: continually make a list of potential risks.
2. Analyze risk: prioritize according to threat/likelihood.
3. Plan for risk: Transfer, Accept, Reduce, Avoid (TARA).
4. Monitor risk: assess risks continually.

Risk Appetite and Attitudes


- Risk appetite: the nature and strength of the risks that an organization is prepared to bear.
- Risk attitude: the directors’ views on the level of risks that they consider desirable.
- Risk capacity: the nature and strength of the risks that an organization is able to bear.

Risk-averse businesses may be willing to tolerate risks up to a point provided they receive acceptable returns.

Risk-seeking businesses are likely to focus on maximizing returns and may not be worried about the level of risks that
have to be taken to maximize returns.

Whatever the viewpoint is, a business should be concerned with reducing risks where possible and necessary but not
eliminating all risks, while managers try to maximize the returns that are possible given the levels of risk.

Risk Assessment
Risk assessment involves analyzing, profiling and consolidating risks.

Static and Dynamic Risk Environments


The frequency of risk assessment will depend on how dynamic the environment within which the organization operates is,
and how changes in that environment will result in significant and sudden changes in risks. This will in turn also change
the way in which those risks are managed.

Changes in the environment might include changes in any of the PEST (political, economic, social, and technological)
or any other industry level change such as a change in the competitive behavior of suppliers, buyers or competitors. In
either case, new risks can be introduced, existing ones can become more likely to have a higher impact, or the
opposite (they may disappear or become less important).

Quantifying risks
A number of tools can be used to quantify the impact of risks on the organization, some of which are described below:

Scenario planning: In which different possible views of the future are developed, usually through a process of
discussions within the organization.

Sensitivity analysis: In which the values of different factors which could affect an outcome are changed to assess how
sensitive the outcome is to changes in those variables.

Decision trees: often used in the management of projects to demonstrate the uncertainties at each stage and evaluate
the expected value for the project based on the likelihood and cash flow of each possible outcome.

Computer simulations: such as Monte Carlo simulation, which uses probability distributions and can be run
repeatedly to identify many possible scenarios and outcomes for a project.

Software packages: designed to assist in the risk identification and analysis processes.

Analysis of existing data: concerning the impact of risks in the past.

ALARP (As Low As Reasonably Practicable)


In many businesses, the focus will be on reducing the risks rather than eliminating them. This raises the issue of the
extent to which managers will seek to reduce risks. The general principle is that the higher the level of risk, the less
acceptable it is.

However, many risks cannot be avoided. Many businesses undertake hazardous activities where there is a risk of an
injury or loss of life (for example; oil rig, factory or farm). These risks cannot be avoided completely but can be
reduced to an acceptable level by incurring the costs – installing protective shields, issuing safety equipment like hats
or protective glasses.

The fact that certain risks cannot be eliminated doesn’t mean that companies become complacent; instead they ought
to maintain a number of controls that should reduce the probability of risk materializing.

Judgement will be involved in deciding what level of risk is as low as reasonably practicable. It may be that new
control systems could reduce risks further, but they are judged to be far too expensive. The level of risk considered as
low as reasonably practicable may well be a compromise.

It would be financially and operationally impracticable to completely eliminate certain risks, such as health and safety
risks in a mining company or market volatility risks in a stock trading company.

Importance of accurate risk assessment

- Underestimated risks may mean that inadequate risk management processes are employed to address them.
- Exaggerated risks may mean that unnecessary costs have been incurred to address them.
- Governments and legislators require risk assessments in a number of areas (the EU requires companies to carry out risk
assessment in health and safety, product reliability and finance).
- A number of stakeholders may be concerned with the adequacy of the risk assessment process. If they are dissatisfied,
this may have an impact on the company.
- Inaccurate risk assessments may breed fear and mistrust among shareholders and stakeholders.

Likelihood/Consequence Matrix (TARA Framework)



1. Accept
A risk acceptance strategy involves taking limited or no action to reduce the exposure to risk and would be taken if the
returns expected from bearing the risk were expected to be greater than the potential liabilities. Some businesses will
accept risks because they want to receive the potential returns. However, other risks will be accepted because there is
nothing that can be done about them. In this case the organization must know the potential costs and the probability of
the risk occurring.
For example, if a profitable product has a high return rate, costing the company warranty and refund costs, they may
decide that it is worth putting up with these costs as they want to earn the profits from the product.

2. Transfer
This means passing the risk on to another party which in practice means an insurer or business partner such as a
supplier or a customer.

3. Reduce
A risk reduction strategy involves seeking to retain a component of the risk (in order to enjoy the return assumed to be
associated with that risk) but to reduce it and thereby limit its ability to create liability.
- Primarily through internal controls.
- Doing less of the activity which causes the risk.

4. Avoid
Not engaging in the activity or area in which the risk is incurred. Some risks can be totally avoided. If a business has
identified that opening a subsidiary in a foreign country appears to be high risk, then not opening the subsidiary solves
the problem. However, totally avoiding a business opportunity is often a rather extreme reaction, as the company avoids
the risk and the potential returns. If no risks are taken, the chance of returns being earned is small.
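As an added worked example (not part of the study notes), the following Python scores a small risk register on likelihood and impact, places each risk in the likelihood/consequence matrix and maps it to a TARA response, and applies the cost-effectiveness test from the section on cost above. The quadrant-to-response mapping (low/low accept, high likelihood with low impact reduce, low likelihood with high impact transfer, high/high avoid) is the usual ACCA one and is an assumption, since the matrix figure is not reproduced on this page; the risks, thresholds and figures are constructed.

```python
"""Risk register: likelihood/consequence matrix, TARA response, cost check.

Added illustration, not part of the ACCA notes. Assumptions: a high/low
split on each axis with the usual ACCA quadrant mapping (low/low accept,
high likelihood & low impact reduce, low likelihood & high impact transfer,
high/high avoid); control cost is compared with expected loss, taken as
likelihood x impact. All risks, thresholds and figures are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    TRANSFER = "Transfer"
    ACCEPT = "Accept"
    REDUCE = "Reduce"
    AVOID = "Avoid"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float    # probability of the risk materialising in the period (0..1)
    impact: float        # hazard: financial loss if it materialises
    control_cost: float  # annual cost of the control being considered for it


# Constructed thresholds separating "high" from "low" on each axis of the matrix.
LIKELIHOOD_THRESHOLD = 0.25
IMPACT_THRESHOLD = 500_000.0


def expected_loss(risk: Risk) -> float:
    """Objective element of the assessment: probability x hazard."""
    return risk.likelihood * risk.impact


def tara_response(risk: Risk,
                  likelihood_threshold: float = LIKELIHOOD_THRESHOLD,
                  impact_threshold: float = IMPACT_THRESHOLD) -> Response:
    """Place the risk in the likelihood/consequence matrix and return the TARA
    response for that quadrant (assumed mapping, see module docstring)."""
    high_likelihood = risk.likelihood >= likelihood_threshold
    high_impact = risk.impact >= impact_threshold
    if high_likelihood and high_impact:
        return Response.AVOID
    if high_likelihood:
        return Response.REDUCE
    if high_impact:
        return Response.TRANSFER
    return Response.ACCEPT


def control_is_value_for_money(risk: Risk) -> bool:
    """A control costing more than the loss it could prevent is over-specified
    (poor value for money). Expected loss is the yardstick used here."""
    return risk.control_cost < expected_loss(risk)


def prioritise(risks: list) -> list:
    """Step 2 of the risk management process: rank by threat (expected loss)."""
    return sorted(risks, key=expected_loss, reverse=True)


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("Occasional late delivery from a supplier", 0.10, 5_000, 2_000),
    Risk("Stationery price increase", 0.70, 2_000, 5_000),
    Risk("Fire destroying stored records", 0.02, 2_000_000, 30_000),
    Risk("Foreign subsidiary expropriated", 0.30, 5_000_000, 400_000),
]


def assess(register: list) -> list:
    """Return (name, expected loss, TARA response, control worth it) per risk,
    highest threat first."""
    return [(r.name, expected_loss(r), tara_response(r).value,
             control_is_value_for_money(r)) for r in prioritise(register)]


if __name__ == "__main__":
    for name, loss, response, worth_it in assess(SAMPLE_REGISTER):
        print(f"{name:42s} EL={loss:>12,.0f}  {response:9s} control worth it: {worth_it}")
```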

Categories of Risk
1. Strategic risks
These arise from the overall strategic positioning of the company in its environment. Some strategic positions give
rise to greater risk exposure than others. Because strategic risks affect the whole of an organization and not just one or
more of its parts, strategic risks involve very high stakes – they can have very high hazards and high returns. Because
of this, they are managed at board level in an organization and form a key part of strategic management.

2. Operational risks
Operational risks refer to potential losses arising from the normal business operations which are likely to affect a part
of a business rather than the whole organization. Accordingly, they affect the day-to-day running of operations and
business systems.

3. Business risks
Business risks are strategic risks that threaten the survival of the whole business; they are likely to be greatest in
start-up businesses or cyclical industries.

4. Market risks
Market risks refer to risks which derive from the sector in which the business is operating and from its customers.
These risks can apply to:
- Resource (not being able to obtain required inputs)
- Production (risk in poor manufacturing, etc.)
- Capital markets (not being able to obtain necessary finance)
- Foreign exchange movement
- Liquidity (the risk of having insufficient cash for the day-to-day running of the business)

Market risks also refer to potential losses on capital markets from changes in the value or volatility of a share price or
other security. A number of factors can give rise to market risk, sometimes referred to as ‘market or price sensitive’
factors, including a range of external opportunities and threats (and sometimes internal ones too, such as a key person
leaving).

5. Product risk
The risk that customers will not buy new products or services provided by the organization, or the demand for current
products and services will decline unexpectedly.

6. Commodity price risk


Businesses might be exposed to risks from unexpected increases or falls in the price of a key commodity.

7. Product reputation risk


Some companies rely heavily on brand image and product reputation, and an adverse event could put that reputation,
and so future sales, at risk. Risk to a product’s reputation could arise from adverse public attitudes to a product or from
negative publicity; this has been evident in Europe with widespread hostility to genetically modified (GM) foods.

8. Financial risks
These are the risks which arise from the way a business is financially structured, its management of working capital
and its management of short- and long-term debt financing. Cash flow can be strongly influenced by how much debt relative
to equity a business has, its need to service that debt and the rate at which it borrows. Likewise, the ability of a
business to operate on a day-to-day basis depends upon how it manages its working capital and its ability to control
receivables, payables, cash and inventories. Any change which makes its cash flow situation worse, such as poor
collection of receivables, excessive borrowing, increased borrowing rates, etc., could represent an increased financial
risk for the business.

Embedding Risks
Risk management becomes most effective when it is embedded into the company. This means that it is not a ‘standalone’
activity but becomes normal behavior.

The embedding of risk awareness into culture and systems involves introducing risk components in the process of
work and environment in which it takes place. Risk awareness and mitigation becomes as much a part of a process as
the process itself so that people assume such measures to be non-negotiable components of their work experience.

Companies can embed risk awareness in the following ways (mnemonic: MACE):

1. Monitoring systems that measure and report to management on agreed targets, measures and compliance with those.
These might involve regular reports against key targets (perhaps monthly) and alerts if one or more of the measures
strays out of its specified ranges.

2. Human resource systems can be designed to provide incentives for monitoring and alerting management about risks.
Staff appraisals and the reward structures could be designed to reward behavior more likely to control and mitigate
the financial risks.

3. Promoting risk culture: awareness of risks and those things that can increase them can be normalized as a part of the
company’s culture. This would mean that it should be a normal thing to discuss, tell stories about, create rituals
around, etc.

4. Inform and educate a wide range of employees to understand and recognize risk factors. This may also involve
advising on the importance of risks by discussing the impacts they can have and hence the necessity of managing
them.

The COSO Framework – ERM

The COSO enterprise risk management (ERM) framework describes a way of linking a company’s objectives to what it
needs to do to actually achieve them, namely manage its risks.

ERM considers risk management in the context of business strategy, applying it to every level of the organization.
Therefore everyone in the organization has some responsibility for ERM, but the board is ultimately responsible and
should assume ownership of risk management.

ERM is an iterative process which comprises eight discrete stages (mnemonic: MICRECOR):

1. Control environment
This is generally the tone from the top which an organization adopts towards risk management, and so provides a basis
for how risks are viewed and addressed. Emanating from the top of the organization, the control environment is
embedded in the company’s culture and defines its risk appetite.

2. Objective setting
The company’s risk appetite must be aligned to its business strategy, which is achieved by the setting of suitable risk-
adjusted objectives. The objectives must be agreed before management is able to identify any potential events which
may affect their achievement.

3. Event identification
Event identification covers the internal and external events, sometimes triggered by uncontrollable sources, which can
ultimately affect the company’s ability to achieve its objectives. Some of the events may present the business with
positive opportunities whereas others present risks.

4. Risk assessment
Risks are analyzed considering their likelihood and impact, as a basis for determining how they should be managed.
Likelihood can be measured in terms of probabilities and impact in terms of its financial consequences.

5. Risk response
Although not an automated process, management can then select an appropriate response to each individual risk
assessed. Responses include accepting the risk if it falls within the pre-determined appetite, transferring the risk to a
third party, reducing the risk to an acceptable level or avoiding the risk altogether.

6. Control activities
The company then devises policies and procedures, which are implemented to help ensure the risk responses are
effectively carried out.

7. Information and communication


Relevant risk information must be communicated in a manner which is readily understood, and in a timeframe which
enables people throughout the company to carry out their responsibilities.

8. Monitoring
Finally the whole process of ERM is monitored and modified as necessary.
