CIMA P3 Risk Management

The CIMA P3 Risk Management syllabus covers various types of risks, including enterprise, strategic, internal, and cyber risks, each constituting 25% of the content. It emphasizes the importance of risk management in protecting stakeholders and achieving business objectives, alongside frameworks like COSO for effective risk management practices. Additionally, the document discusses reputation risk and ethical considerations, highlighting the need for governance and a structured approach to risk assessment and reporting.

Uploaded by tlhogodabilo
Copyright © All Rights Reserved

CIMA P3 Risk Management

Syllabus Content:

- Enterprise Risks: 25%
- Strategic Risks: 25%
- Internal Controls: 25%
- Cyber Risks: 25%

Chapter 1: RISKS

Risks are events that can affect the operations of the company negatively or positively. Risks are
caused by uncertainties which can be due to lack of information or due to ignorance.

Risk Perception

- Downside Risk: an event that is hazardous/adverse. In strategic management, these are
treated as threats.
- Upside Risk: events that can result in benefits or gains. In strategic management,
these are treated as opportunities.

Importance of Risk Management

- Protection of employees
- Protection of the general public
- Protection of the environment
- Protection of the company's assets
- Limitation of the impact of disasters
- Increased shareholder confidence in the company
- Supports investment decisions
- Ensures that business objectives are achieved.
- Prepares the company for any hazardous future event.

How can we identify risks?

- Brainstorming
- SWOT Analysis
- Financial Statements Analysis

Types of Risks

There is no one classification standard that can be used to classify risks.

Classification Standard 1

- Pure Risk: risks whose outcome will always be adverse i.e. they are downside risks.
- Speculative Risk: risks whose outcome can either be positive or negative e.g. interest
rate risk, exchange rate risks, market risks.
- Fundamental Risk: risks that affect the whole society or a significant part of it e.g.
recession, outbreak of a pandemic
- Particular Risk: risks that affect an individual or a single organisation and may have a
measure of control.
- Static Risk: risks that are always present in society.

Classification Standard 2

Strategic Risks vs Operational Risks

Strategic Risks affect the key decisions of the company, i.e. risks whose outcomes affect the
company's continuity/survival. When these risks crystallise, they affect the entire organisation.
As such, they are likely to affect our competitive position in the market.

Operational Risks are caused by failures in routine internal processes. They are short term
and affect a particular individual or department.

Other Classifications

1. PESTEL risks
2. Fraud Risk e.g. corruption/bribery, illegal gratuity, extortion, misrepresentation of
information
3. Environmental Risks
4. Financial Risks e.g. credit risks, currency risks, interest rates, gearing risks, Liquidity
Risks, Market Risks
5. Technology Risks
6. Risks in International Operations e.g. cultural risks, litigation, credit risk, currency risks,
tariff barriers/quotas, protectionism, public attitude towards foreign products.
7. Litigation Risks/Regulatory Risks

CHAPTER 2: RISK MANAGEMENT

What is Risk Management?

The process of understanding and managing the risks that the organisation faces in attempting to
achieve its objectives. (CIMA definition)

Risk Management is the process of identifying, assessing risks and coming up with measures to
mitigate them.

Risk Management and Corporate Governance

- Good governance means that the company has proper risk management and control
systems.
- It is the role of the board of directors to set up a sound system of controls and risk
management.
- The UK Code of Governance recommends that companies compile reports on risk
management to shareholders. These reports give shareholders confidence that the
company is a going concern.

Risk management Framework

“A process, effected by the entity's board of directors, management etc., applied in strategy
setting and across the enterprise, designed to identify potential events that may affect the entity
and provide reasonable assurance regarding achievement of entity objectives.”

It is a model that describes the processes that should be put in place when designing risk
management systems and procedures within the organisation.

Examples of Risk Management Frameworks

1. COSO's Enterprise Risk Management Framework (ERM) – the cube model

According to COSO, a risk management system must have 8 components, i.e. processes.
These components are:
- Internal Environment: evaluate the board's/management's attitude towards risk
management. Also assess whether the board understands the relationship between risk
management and strategic management, and the risk management organisation structure.
Does the board understand that it is their responsibility to set up a system of risk
management and controls?
- Objective Setting: this is where the objectives of the company are identified. Once the
objectives are identified, they are aligned with the company's risk appetite. Risk appetite
is the level of risk that is considered normal by the company, i.e. the level of risk that we
can tolerate.
- Event Identification: this is where the risks affecting the company are identified.
Procedures for identifying risks may include brainstorming, SWOT analysis, audit reviews,
sensitivity analysis, scenario planning and consultants. Once risks are identified, they are
classified.
- Risk Assessment: once risks are identified, they are analysed in terms of the probability or
likelihood of the event happening and the impact on the company if the event or risk
crystallises. This is done with a model called the impact/likelihood matrix or risk heat map.
The purpose of assessing/analysing risks is to prioritise them. The process of
assessing/analysing risks using a risk heat map is called risk mapping or profiling.
- Risk Response: where controls for mitigating risks are identified. The TARA framework
suggests generic controls that can be instituted to deal with risks. Transfer (risk can be
transferred through insurance, outsourcing or limitation of liability clauses). Avoid (risks
can be avoided by abandoning the cause of the risk). Reduce (risks can be reduced through
internal controls). Accept (risks are absorbed by doing nothing).
- Control Activities: once controls are identified, they are documented in the form of
policies and procedures.
- Information, communication and reporting: internal control policies and procedures are
communicated to the people responsible. An information system is set up to compile and
distribute information about risks and controls to the relevant departments and functions.
- Monitoring: this is where a company sets up a system for monitoring its performance in
undertaking each of the components above. Monitoring can be done by internal auditors,
external auditors, consultants, or management through control self-assessment.

COSO argues that if a company successfully applies the components, it is likely to
achieve 4 key objectives:

- Strategic Objectives (goals/objectives are likely to be achieved)
- Operational Objectives (efficient and effective operations)
- Compliance Objectives (compliance with applicable laws/regulations)
- Reporting Objectives (reports are likely to contain reliable information)

COSO advises that the ERM framework should be applied across the organisation at all
levels of management, i.e. subsidiary, business unit, divisional and entity level.

Risk Management and the environment

- How often should risk management activities be undertaken?
- This depends on the environment in which the company operates (dynamic or
static environment).
- Dynamic environment: risk management procedures should be ongoing.
- Static environment: risk management procedures can be a one-off exercise.

Concept of Risk Dependence/ Risk covariance

- Some risks are dependent, such that if one risk increases the other does the
same, OR one risk increases while the other reduces.
- Risks can be positively correlated or negatively correlated.
- An understanding of risk dependencies is important when evaluating the
significance of risks.

Examples of Correlated Risks

- Positively correlated: a company decides to burn a forest. Environmental risk will
increase, and reputation risk will also increase.
- Negatively correlated: a company borrows money to clean up the environment. Borrowing
increases gearing risk, while cleaning up the environment reduces environmental risk.

Risk Register

This is the document that summarises the risk profile of the company. It has the following
columns:

- Risk
- Risk description
- Probability/likelihood
- Impact/consequences
- Status of the risk
- Controls
- Ownership/responsibility

Concept of Risk Appetite

Risk appetite is the level of risk that is considered normal, i.e. the level of risk that is within
our tolerable/acceptable limits. When designing risk management systems, business
objectives must be aligned with the company's risk appetite.

Elements of Risk Appetite

The level of risk appetite that an individual or entity can take may be affected by the
individual's risk capacity and their attitude towards risk. Factors:

- The industry in which the company operates
- The nature of the product/service
- The company's financial position
- The level of the shareholders' risk appetite

Concept of Residual Risk

Residual risk is the risk that remains after internal controls have been implemented.
This concept is based on the understanding that risks cannot be completely eliminated but
can be reduced to within our acceptable limits.
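As an added worked example (not from the CIMA notes), the following Python script puts the cube-model steps above together: each risk is scored on the impact/likelihood matrix, plotted on a heat map and prioritised, given a generic TARA response, and its residual risk after controls is checked against the risk appetite, producing the risk register columns listed above. The 1-5 scales, the band thresholds, the quadrant-to-TARA mapping, the appetite value and the sample risks are all constructed assumptions.

```python
"""Risk register with impact/likelihood scoring, heat-map prioritisation,
a generic TARA response and a residual-risk check against the risk appetite.
Assumed (not from the CIMA notes): 1-5 scales, band thresholds, TARA mapping."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    description: str
    likelihood: int                  # inherent, 1 (rare) .. 5 (almost certain)
    impact: int                      # inherent, 1 (negligible) .. 5 (severe)
    owner: str                       # ownership/responsibility column
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # after controls; None = unchanged
    residual_impact: Optional[int] = None
    status: str = "open"

    def __post_init__(self) -> None:
        scores = (self.likelihood, self.impact, self.residual_likelihood, self.residual_impact)
        if any(v is not None and not 1 <= v <= 5 for v in scores):
            raise ValueError("scores must be on the 1-5 scale")

def score(likelihood: int, impact: int) -> int:
    """Cell of the impact/likelihood matrix."""
    return likelihood * impact

def band(risk_score: int) -> str:
    """Heat-map band used to prioritise risks (assumed thresholds)."""
    if risk_score >= 15:
        return "high"
    if risk_score >= 6:
        return "medium"
    return "low"

def suggest_response(risk: Risk) -> str:
    """Generic TARA response from the usual quadrant mapping (assumed):
    high likelihood + high impact -> avoid; high impact only -> transfer;
    high likelihood only -> reduce; otherwise accept."""
    high_likelihood, high_impact = risk.likelihood >= 4, risk.impact >= 4
    if high_likelihood and high_impact:
        return "avoid"
    if high_impact:
        return "transfer"
    if high_likelihood:
        return "reduce"
    return "accept"

def residual_score(risk: Risk) -> int:
    """Residual risk: what remains once the listed controls are applied."""
    return score(risk.residual_likelihood or risk.likelihood,
                 risk.residual_impact or risk.impact)

def within_appetite(risk: Risk, appetite: int) -> bool:
    """True when the residual risk is inside the tolerable limit."""
    return residual_score(risk) <= appetite

def heat_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Risk mapping: plot each risk on the (likelihood, impact) grid."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for risk in risks:
        grid.setdefault((risk.likelihood, risk.impact), []).append(risk.description)
    return grid

def build_register(risks: List[Risk], appetite: int) -> List[Dict[str, object]]:
    """Risk register rows, ordered by inherent score (highest priority first)."""
    rows = []
    for risk in risks:
        inherent = score(risk.likelihood, risk.impact)
        rows.append({
            "description": risk.description,
            "likelihood": risk.likelihood,
            "impact": risk.impact,
            "inherent_score": inherent,
            "band": band(inherent),
            "suggested_response": suggest_response(risk),
            "controls": list(risk.controls),
            "residual_score": residual_score(risk),
            "within_appetite": within_appetite(risk, appetite),
            "status": risk.status,
            "owner": risk.owner,
        })
    return sorted(rows, key=lambda row: row["inherent_score"], reverse=True)

# Constructed sample risks for the demonstration.
SAMPLE_RISKS = [
    Risk("Cyber attack on customer database", 4, 5, "CIO",
         ["patching", "multi-factor authentication", "offline backups"], 2, 4),
    Risk("Key supplier insolvency", 2, 4, "COO", ["dual sourcing"], 2, 2),
    Risk("Stock-count errors", 4, 1, "Finance manager", ["monthly reconciliation"], 2, 1),
    Risk("Office coffee machine failure", 3, 1, "Facilities"),
]
RISK_APPETITE = 6  # assumed: maximum tolerable residual score

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, RISK_APPETITE):
        print(row["band"], row["suggested_response"], row["description"],
              "within appetite" if row["within_appetite"] else "ABOVE APPETITE")
```

Only the first sample risk ends up above the assumed appetite even after its controls, which is exactly the residual risk the board would have to escalate, accept explicitly or treat further.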

2. COSO's Enterprise Risk Management Framework – Integrating Strategy with Performance
(the Helix model)

Introduced in 2017, the helix model argues that there are 5 components or processes
involved in risk management:
- Governance and culture: evaluate the organisation’s attitude towards risk
management i.e. you evaluate the ‘tone’ at the top in relation to risk
management. Do management understand the relationship between risk
management and strategic management?
- Strategy and objective setting: this is where objectives and strategies are set
up and aligned with the company’s risk appetite.
- Performance: identification of internal and external events that can affect the
company's business objectives and strategies. Once the events are identified,
they are assessed using an impact/likelihood matrix. Once the assessment is done,
controls are put in place to mitigate the risk.
- Review and revision: this is where the controls identified in step 3 above are
documented in the form of policies and procedures. The policies and procedures are
then communicated to the respective individuals within the organisation.
- Information, communication and reporting: an information system about the
effectiveness of controls is set up. The information system collects and reports
information on risks to the responsible people within the organisation.

3. CIMA's Risk Management Cycle

Just like the COSO frameworks, the CIMA risk management framework advocates that
risk management procedures should be integrated with strategic management
procedures.

4. The Institute of Risk Management

According to this framework, risk management activities can be categorised into 3
processes:
- Risk assessment: Deals with risk identification, analysis(assessment) and
description
- Risk reporting: concerned with compiling reports on risks to internal and
external stakeholders.
- Risk treatment/risk response: deals with measures for mitigating risks.

Risk Reporting

CIMA proposed a methodology for compiling reports on risk management. According to CIMA,
risk management reports should disclose the following:

- Systematic review of risk forecast (i.e. disclose whether the company reviewed its risk
profile)
- Review of strategies and responses to significant risks (disclose whether you reviewed
controls set up to mitigate risks)
- Monitoring and feedback action taken on significant risks and controls (this is where you
disclose actions taken by the company in relation to control weaknesses and risk
exposures)
- Procedures to detect material changes to business circumstances to provide early
warnings (disclose procedures that the company has put in place to track significant
changes to the company’s business model that may affect the company’s risk profile).
Disclose procedures that the company has put in place to monitor emerging risks.

Risk management and corporate governance

Good governance means that the company has a sound system of controls and risk
management.

Roles of the board of directors in relation to risk management:

- Determine the risk appetite of the company.
- Ensure that a proper control environment exists for the effective operation of risk
management systems and procedures.
- Define the company's risk management approach and philosophy.
- Ensure that controls are in place for effective management of risks.
- Compile reports on risk management to shareholders.

CHAPTER 4: REPUTATION RISK

- Reputation risk is the possibility of adverse opinion about the entity or product.
- Any negative perception of the product or entity can be a source of reputational risk.
- It is therefore important that the board of directors should come up with measures to
mitigate litigation risk.
- Reputation risk may also be caused by unethical behaviour of the company and its
employees. To mitigate this, it is important to have a code of ethics at corporate level.

Contents of a business code of ethics

- Introduction to the code
- Fundamental principles:
• Position on Gifts
• Position on competition
• Position on confidentiality
• Position on employment
- Company position on use of assets
- Disclosure of consequences of violation of the code.
- Ethics declaration note.
- Recognition of its limitations and advice on what should be done.
- The fact that a particular action/issue is not covered in this code does not mean that
action is acceptable. If a member encounters a situation that is not covered in this code,
he/she should take action that is consistent with the overall spirit of this code.

CIMA’s Code of Ethics

1. Integrity
2. Professional behaviour
3. Confidentiality
4. Objectivity
5. Professional competence and due care

CIMA Guidance on Resolving Ethical Conflicts

- Gather all the facts (i.e. document all the facts).
- Identify the ethical issues in the case by applying CIMA's ethical principles.
- Depending on the situation you face, escalate the issue internally (i.e. consult someone
above your supervisor). Check whether there is a policy within the company on conflict
resolution. If there is, then follow it.
- Seek advice from CIMA.
- Report externally to auditors or the relevant trade/regulatory body.
- Remove yourself from the situation.

CHAPTER 3 - Strategy Risk

- Johnson and Scholes argue that the problem with the rational model is that too much
focus on objectives may increase the risk of the company missing out on opportunities that
arise in the market.
- According to the syllabus, chapter 3 focuses on the strategic choice phase.

Strategic Planning

The process of developing strategies. Development of strategies can be based on 3
assumptions/points of view:

- Traditional Approach: strategies are developed based on stakeholder expectations. The
problems with this approach:
• Stakeholder objectives conflict.
• Some of the objectives are difficult to quantify.

- Market-led Approach: strategies are developed after analysing the internal and external
environment of the company. Problem with this approach:
• Too much information to analyse.

- Resource-based Approach: strategies are developed based on what we are good at, or
what resources we have.

Chapter 3 focuses on strategy choice.

Strategy choice has 3 levels. These are:

- Option generation
- Option evaluation
- Option selection

Strategy choice involves the following questions:

- How do we want to compete?
- Where do we want to compete?
- Which/what investment should we use to enter the market?
• Should we enter the market organically?
• Should we enter the market through acquisitions?
• Should we enter the market through partnerships (joint development
strategies)?

Porter’s Generic Strategies

Porter's Generic Strategies can be used for identifying options for achieving competitive
advantage:

- Cost Leadership: assumes that when competition is stiff in the market, it results in
price wars. Risks:
• Foreign supplier risk
• Foreign exchange risk
• Innovation and imitation by competitors
- Differentiation: being uniquely different from the competition. It assumes that the
customer will appreciate the additional value added to the product/service. Risks:
• More market research/advertising needed.
• Imitation by competitors

- Niche/focus: specialisation in a particular product or market segment.


Product-Market strategies (Ansoff)

Dealing with Disruptions/uncertainties in Strategic Planning

There are 3 methods that can be used to deal with uncertainties/disruptions in strategic
planning:

- Scenario Planning: is done when the company faces uncertainties in the environment.
When analysing the environment using models like PESTEL, we must understand that
the elements may be different in levels of uncertainties and impact on the company. For
high impact and highly likely events, we must create scenarios. Steps:
• Identify high impact/high uncertain factors (from PESTEL)
• For each factor, identify possible future outcomes.
• Cluster together different factors to identify various consistent future
scenarios.
• Write the scenarios for the most important scenarios and assess future
implications of each scenario.
• Monitor reality and see which scenario is unfolding.
• Revise the scenarios and strategic options as appropriate.
- Application of the Game Theory approach: this theory deals with anticipating the actions
of competitors in response to our strategies. It is based on the fact that sometimes the
success of our strategies may depend on the response of our competitors. For instance,
if we reduce the prices of our products to increase demand, this strategy may work if our
competitors do not respond. But if our competitors respond by reducing their prices, then
our strategy may not work. Therefore, when developing our strategies we must evaluate
the likelihood of a competitor response.

Normally, competitors are likely to respond to our strategy if our gain is equal to their
loss. When our gain is equal to our competitors' loss, a condition called a zero-sum
game occurs.

- Stress Testing: this is a technique that can be used to assess whether an organisation
can cope with a possible significant unusual event. This technique is based on the fact
that when a business is doing well, it may be difficult to assess how it will fare when a
sudden downturn in the market occurs. Sources of stress may include:
• Sudden change in customer tastes
• Economic changes
• Cybersecurity attacks
• Production failures

CHAPTER 5: CORPORATE GOVERNANCE

Governance is the set of principles that explain how best a company can be directed and
controlled. Agency theory is the basis of the governance debate. In governance we assume
that there is separation between ownership and control of the company. In corporate
governance, the board of directors are the agents of the shareholders, who are the owners of
the business. As agents of the company, the board of directors are accountable to the
shareholders (they must take decisions that serve the interests of shareholders).

The relationship between the agents (board of directors) and principals (shareholders) is
fiduciary and based on trust.

• The UK Code of corporate governance advocates that the board must have a wider
accountability (much as the board should be accountable for shareholders' interests,
it must also be responsible to the needs of other stakeholders).
• The reason is that since the activities of the company affect the interests of
stakeholders other than shareholders, the board must also be responsive to the
concerns of other stakeholder groups.
• However, how far the company responds to the concerns of other stakeholders depends
on their relative power and interest in the company.

Approaches to Governance Compliance (2 approaches)

• Rules-based approach: compliance is mandatory. A one-size-fits-all approach. Since it is
mandatory, penalties are imposed for non-compliance.
• Principles-based approach: commonly called the comply or explain approach, where
compliance with governance principles is voluntary. The ‘comply or explain’ statement
should include the following:
- Specify the governance principle that the company decided not to comply with.
- Explain what the company did in ‘violation’ of the principle.
- Explain the reason for the departure from normal governance.
- Explain when the company intends to revert to full compliance.

Basic Principles of UK Code of corporate governance

• The board leadership and company purpose

- The board of directors shall be responsible for the governance of the entity and shall
have entrepreneurial skills.
- The board shall lead by example; it shall have members of integrity.
- The board must establish dialogue with investors (the board must engage
shareholders on key decisions of the company).
- The board shall be responsible for crafting the company's strategies and defining
the company's vision.
- The board must maintain an attendance register of board members after each
meeting.
- The board should compile and champion the implementation of whistleblowing
policies.
- The board must ensure that a proper culture/attitude exists within the company for
the effective implementation of company policies.
- If 20% or more of shareholders disagree with the board's resolution on certain
matters, the board must explain how it intends to resolve the issue with the
shareholders and must disclose the action taken to resolve the matter.

• Division of the board's responsibilities

There shall be separation between running the board and running the business (the
roles of the chairman must be separate from those of the CEO). Why separate the roles
of the chairman and CEO?
- To avoid domination.
- Separation creates proper accountability.
- Separation avoids information overload.

Why combine the roles of the Chairman and CEO?

- Combining the roles ensures that the holder of the position has a more
holistic picture of the company. As such better-quality decisions are
likely to be made.
- Most companies combine these roles for security reasons.

The board shall not be dominated by a single individual or a few individuals. The
chairman of the board can serve up to 9 years (familiarity threat).

Board Membership

- Chairman
- CEO
- Members
- Co-opted members

Roles of the Chairman
- Set the board’s agenda.
- Facilitate induction of new board members.
- Facilitate annual performance appraisal of the board and its individual
members.
- Ensure that the interests of the shareholders are taken into account.
- Ensure that the board establish dialogue with investors.
- Ensure that the board is provided with relevant information that is
accurate on timely basis.

Circumstances that impair the chairman's independence:

- Where the chairman was an employee of the company within the past 5 years.
- Close family ties with the company.
- If he is involved in a cross-directorship (a situation where 2 or more directors
serve on each other's boards; cross-directorships are not good because they
create conflicts of interest).
- The chairman may not be independent if he had significant business interests or a
relationship with the company within the past three years.
- The chairman may not be independent if he has served 9 years as chairman.

Roles of the CEO

- Implement strategies approved by the board.
- Develop policies that are necessary for the implementation of the board's strategies.
- Advise the board on emerging issues affecting the business.
- Ensure that the interests of shareholders are protected on a daily basis.

The board should be made up of executives and non-executive directors. Excluding the
chairman, there must be 50% executives and 50% NEDs.

Provisions relating to NEDs

- NEDs do not receive performance-related payments. This is because NEDs
receiving bonuses would align their interests with the executives', meaning they
would no longer be independent.
- NEDs should serve up to 9 years.

Roles of NEDs

- Strategy role: develop strategies.
- Monitoring/scrutiny role: hold the executives to account.
- People role: make arrangements for the appointment and remuneration of
executives. Also involved in disciplinary issues and contractual

Benefits of NEDs

- Skills and expertise
- The presence of NEDs reduces domination by executives.
- The existence of NEDs acts as a comfort to shareholders because of their
position as independent members.
- The existence of NEDs on the board can improve debate on the board.

Disadvantages /limitations

- May lack independence
- Most highly skilled NEDs want to be associated with successful companies.

• Composition, succession and evaluation

Provisions relating to the appointment of board members:

- The process of appointing new board members must be formal, transparent and
rigorous.
- On appointment of new board members, undertake induction.
- The induction must cover the nature of the business in terms of vision, goals
and objectives, the macro- and micro-economic environment of the business, board
members' entitlements, company policies, and the roles of the BOD in relation to
corporate governance. Other issues covered include introducing the new board
members to the company's key stakeholders.
- The board must prepare a succession plan for its members, including the chair.
- The board must be drawn from diverse backgrounds in terms of skills and
expertise, age, gender, ethnic background etc. A diverse board encourages
debate and better information analysis. A diverse board better represents
society and provides assurance that fairer and more balanced decisions will be
made by the board. A balanced board signals the company's seriousness in
providing equal opportunities for all.
- The board must undertake a performance appraisal of itself and its individual
members.

Criteria for assessing performance of individual board members

- Commitment (attendance register)
- Contribution to strategies and participation in debate.

Criteria for assessing the board

- Achieved objectives
- Performance of the company (financially and regulatory)
- Quality of information contained in the board reports.
- Whether the board involved shareholders in key decisions of the company
(whether the board established dialogue with investor)
- Whether there is team spirit on the board.
- Board response to crisis.

Appointment of board members shall be done by a subcommittee of the board called the
Nominations Committee. This subcommittee must be made up of 100% NEDs. Its roles
include:

- Make appointments of new board members.
- Prepare the board's succession plan.
- Ensure that the board has the right size.
- Ensure that the board has the right mix of skills and expertise (diversity).
- Ensure that the shareholders have access to board members' service contracts.

• Audit, Risk and Control

This principle explains the roles of the board of directors in relation to audit, risk
management and control. The provision also explains the board's accountability to
shareholders:
- The board shall have a subcommittee responsible for financial reporting,
risk management, audit and controls. This subcommittee shall be called the
audit committee.
- The audit committee of the board shall be made up of 100% NEDs.
- At least one member of the audit committee shall have a financial
background.

Roles of the audit committee

- Ensure that financial statements contain reliable information.
- Appoint the head of internal audit.
- Ensure that internal audit is resourced.
- Ensure that internal audit is independent.
- Appoint internal audit.
- Approve internal audit plans.
- Develop the internal audit charter.
- Ensure that the external auditors are independent and are provided with all
information and access required by law.
- Facilitate interaction between internal audit and the external auditors.
- Make recommendations for the appointment of auditors.
- Design the company's sound system of controls and risk management.
- Review or assess the effectiveness of the company's system of controls
and risk management.
- Compile reports on internal controls and risk management to shareholders.
- The audit committee is responsible for approving special investigations.

Advantages of Separation of Audit Committee

- Efficiency through specialisation
- Separation reduces the risk that the audit committee may divert more attention
toward financial statements.

• Remuneration

Directors are not allowed to determine or decide their own remuneration packages. The
remuneration of the board members shall be determined by a subcommittee of the board
called the remuneration committee.
- The remuneration committee shall be made up of NEDs.
- When determining the remuneration packages, the committee must make sure
that the package can attract, retain and motivate employees.
- A significant proportion of one/s.

Components of remuneration

- Basic pay
- Performance related
- Shares/share options
- Benefits in kind.
- Pensions

CHAPTER 6 – INTERNAL CONTROLS

Definitions of Internal Controls

- The whole system of controls, financial or otherwise, established by the management of an
entity in order to carry out the business of the enterprise in an orderly and efficient
manner, ensure adherence to management policies, safeguard assets, and secure as far
as possible the completeness, validity and accuracy of records.
- A process designed by management to provide reasonable assurance regarding
achievement of objectives in 3 key areas:
o Effectiveness and efficiency of operations.
o Reliability of financial reporting.
o Compliance with laws.

Internal Controls and Corporate Governance

Good governance means that a company must have a sound system of controls. Role of the
board of directors in relation to internal controls:

- Design the company's sound system of controls.
- Conduct an annual review of the company's system of controls.
- Ensure that a proper control environment exists for the effective operation of the
internal control system.
- To compile reports on internal controls to shareholders.

Contents of a Report to Shareholders on Internal Controls

- The board's acknowledgement that it is responsible for designing the company's system of
controls.
- Disclose whether the board undertook annual review of the company’s system of
controls.
- Disclose techniques used when evaluating the company’s internal controls system.
- Disclose major internal control failures/weaknesses.
- Disclose whether the company’s internal controls system operated effectively
throughout the year.
- Disclose the external auditor’s attestation to our internal controls system.

Uses of Internal Controls system by External Auditors

- As part of their tests, external auditors review the company’s system of controls. In their
review the external auditors assess:
o Whether or not the internal controls exist in the company’s procedures.
o Whether the internal controls system is effective, by conducting audit tests to verify it.
- External auditors use the results of the internal controls system evaluation to determine
the scope of their audit (i.e. if external auditors conclude that internal controls exist
and are effective).

Characteristics of a good internal control system

- Must have controls that are embedded within the company’s operations.
- Must have controls at all levels of management.
- Must have the support of the board and management.
- Must reduce risks.
- Must have measures for reporting and communicating control failures to relevant people.

How can we design a sound system of Controls

A sound system of controls can be designed by using COSO’s Integrated Control Framework.
The process of designing an internal control system has five steps or components. These steps
must be undertaken in a logical order:

- Control Environment: evaluate management’s attitude towards internal controls. Assess
whether or not there is a process of accountability within the organisation. Assess the
human resource policy to check whether employee screening takes place on
recruitment. Assess whether an ethical culture exists within the organisation. Assess the
company’s organisation structure in terms of reporting lines, chains of command and
allocation of responsibilities. Assess management competence.
- Risk Assessment: risks relating to the company’s objectives are identified and assessed.
Risk identification should be undertaken throughout the organisation. The company
should consider internal and external risks. When identifying risks, the company should
consider changes within the company’s internal and external environment.
Risk assessment is important because it ensures that our control responses are
prioritised.
- Control activities: these are procedures/policies that are put in place to treat or reduce
risks. Controls must be applied at all levels of management and must be integrated or
embedded in our operations. Examples of control activities:
o Authority and approval.
o Reconciliation (supplier or bank).
o Segregation of duties.
o Performance reviews.
o Physical procedures.
o ICT Controls.
o Information systems controls.
o Personnel Controls.
- Information and communication: an information system is set up to collect and
communicate information about risks and controls to relevant individuals. Procedures
are set up to report control violations to relevant people. Internal controls are
documented in the form of policies that are communicated to the respective people.
- Monitoring: a good system of internal control must have procedures for monitoring its
effectiveness. Control weaknesses that are identified during the monitoring process are
reported to relevant people. Monitoring of controls can be done by external consultants,
by internal auditors, or by management through self-assessment.

Types of Controls

- Quantitative: take the form of targets.
o Financial
o Non-Financial
- Qualitative: take the form of policies, rules and procedures.

Example: Designing a control system procedure:

- Identify key transaction cycles for the organization. E.g. sales, purchases, payroll.
- For each transaction cycle, identify control objectives.
- Determine the logical processes or stages within each transaction cycle.
- For each stage identify risks.
- For each risk, identify controls.

Limitations of the Internal Controls

- Management may override internal control measures.
- Internal controls are designed to detect routine events; they may not be effective in
detecting one-off events like fraud.
- Internal controls based on segregation of duties can be undermined by collusion among
staff.
- Internal controls that depend on human effort can be affected by tiredness/fatigue.

Fraud Risk Management

Fraud is defined as deprivation of company resources through deceit. Types of fraud:

- Misappropriation of Assets
- Financial Statements Fraud
- Corruption
- Illegal gratuities

Causes of Fraud

- Opportunity
- Motive/situational pressure
- Rationalization

Strategies for Managing Fraud Risk

- Fraud Prevention measures:
o Development of a code of ethics.
o Institution of an internal controls system.
o Education and training on fraud awareness.
o Development of a fraud policy that defines fraud from the company’s point of
view.
- Fraud Detection Measures:
o Perform surprise checks.
o Tips from whistle blowers.
o Internal Controls (e.g. reconciliation).
o Warning signals or red flags (e.g. lifestyle analysis).
- Fraud Response:
Come up with a fraud response plan. A fraud response plan explains who should do what
when fraud is suspected. Contents of a fraud response plan:
o How to set up an investigation team.
o Procedures for preventing further losses.
o Procedures for respecting the rights of the suspect.
o Procedures for reporting the incident to third parties (i.e. the police).
o Procedures for dealing with publicity.
o Procedures for gathering evidence.

Responses to fraud incidents

o Internal disciplinary actions.
o Civil litigation to recover the money stolen.
o Criminal prosecution through the police.

CHAPTER 8: CYBER SECURITY RISK

Cyber security: procedures, processes and systems that must be put in place to mitigate cyber
threats. How can we recognise cyber threats? To identify cyber threats, we must undertake a
company situation analysis in the following areas:

Laws Relating to Information Systems Security in UK and Europe

- Data protection regulation: the law requires companies keeping data about living individuals
to put in place measures that secure the data.
- Provisions of the law include:
o Requiring companies to allow data subjects to access data about themselves.
o Compelling companies to delete data about living individuals once its usefulness has
elapsed.
- Computer Misuse Act: this is the law that makes it illegal for an individual or entity to
plant viruses on others’ systems or to access other people’s systems without
consent.

CHAPTER 7: INTERNAL AUDIT

An appraisal function, set up by management as a service to it. The roles of an internal audit
function:

- Review systems of controls, risk management and governance.
- Undertake value-for-money audits.
- Ensure that the company complies with laws and regulations.
- Conduct tests that are intended to safeguard the assets of the company.

Internal Audit and Corporate Governance

Good governance means that the company has an effective Internal Audit function.

Factors to consider before having an Internal Audit function

- Size of the company.
- Complexity of the company’s accounting systems and procedures.
- Cost benefit analysis.
- Number of internal controls violations.
- Number of employees.
- Type of economic environment in which the company operates.

Internal Audit Standards

- Attribute standards: qualities that the Internal Audit function and an internal auditor
must have:
o Independence
o Objectivity
o Proficiency and due care

- Performance Standards: cover the activities/tasks that the Internal Audit function
performs:
o Risk management
o Control
o Management of internal audit function (quality controls issues related to Internal
Audit)
o Governance
o Communication of results

Internal Auditor’s Independence

Factors to consider to ensure that the Internal Audit function is independent:

- Head of Internal Audit should have direct access to chairman of the board of directors.
- Audit committee must appoint head of Internal Audit.
- Internal Audit office must be separated from others.
- Internal Audit function must report to the Audit committee.
- Scope of the Internal Audit function should be defined by the audit committee and
documented through an audit charter.
- Functional and administrative responsibilities must be separated. Internal Audit should
not be involved in administrative responsibilities.

Outsourcing Internal Audit

Advantages

- Likely to be more independent.
- Benefit from skills and expertise from outside.
- Risk of staff turnover passed on to the 3rd party.
- Through the 3rd party auditors, we can access new technologies and benefit from new
innovations.
- It’s flexible: can be engaged when required and the scope can be tailored to our needs.
- Cost savings.

Disadvantages

- Lack of specific knowledge of the business.
- Conflict of priorities.
- Confidentiality.
- May send wrong signals to shareholders about the importance of Internal Audit.

Differences between internal audit and external audit

- Appointment: Head of internal audit is appointed by the audit committee whereas external
auditors are appointed by shareholders.
- Reporting: Internal audit reports to management and the board whereas external
auditors report to shareholders.
- Requirement: The need for external audit is required by law whereas the need for internal audit
is decided by management of the company.
- Scope of work: external audit reviews the financial statements and comes up with an opinion as
to whether they give a true and fair view and were prepared in accordance with the applicable
financial reporting framework or law. The scope of internal audit is defined by the board/audit
committee through the internal audit charter, and its scope of work is wider.
- Degree of Independence: external audit is likely to be more independent as the auditors are not
employees. Internal audit is less likely to be independent because internal auditors are
employees of the company.

Expectations Gap in relation to the Duties and Operations of External Auditors

- Responsibility for fraud: it is the duty of management and the board to prevent and
detect fraud. It is not the duty of the external auditors. However, the ISAs recommend that
external auditors assess the risk that the financial statements may be materially
misstated due to fraud.
- Auditors in most cases do not review all transactions. Audit is done on a sampling basis.
- The audit report does not certify the accuracy of the accounts (auditors give reasonable, not
absolute, assurance that the financial statements give a true and fair view).

Types of Internal Audits

- Financial audit: review of financial statements.
- Compliance audit: confirms compliance with regulations, laws and contracts.
- Traditional audit: checks transactions against supporting documents.
- Systems based audit: assessment of internal controls.
- Operational audit: 3Es.
- Environmental audit.
- Management audit: appraises the efficiency and effectiveness of management.

Audit Tests

These are procedures that auditors undertake to assess the completeness, accuracy, validity,
existence and ownership of transactions. Audit tests include collecting evidence relating to
assertions that people make in relation to the financial statements.

Types of audit tests

- Substantive tests: can further be classified into substantive tests of transactions,
substantive tests of balances and analytical review procedures. They are intended to assess
the validity, accuracy and completeness of figures in the financial statements.

Analytical review procedures: techniques for conducting substantive tests. They are intended
to identify abnormal or unusual transactions: to detect events or transactions that you
did not expect but that are happening, and to confirm that events or transactions that you
expect to happen are happening. This is done by comparisons. Compare financial indicators of
the company with non-financial data. Compare performance of our company with the
industry average. Apply ratio analysis to compare performance of the company. Compare actual
with budget. Where the auditor compares his expectation with actual confiad
- Tests of controls: these are tests that the auditor undertakes to assess the operational
effectiveness of internal controls. Examples:
o Enquiries of client personnel.
o Inspection of documents and records that contain evidence of an internal
control implementation.
o Observation of the operation of the internal control activity or procedure.
o Reperformance of the control task by the auditor.
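As an added illustration, not part of the CIMA notes, the Python below carries out two of the analytical review comparisons described above over constructed figures: each actual line item against the budgeted expectation, and the company's gross margin against an industry average. The sample figures, the tolerances and the function names are assumptions made for this example.

```python
# Added example, not from the CIMA P3 notes: analytical review as a substantive audit
# test. Figures, thresholds and function names are constructed assumptions.
from dataclasses import dataclass

VARIANCE_THRESHOLD = 0.10     # assumed: flag items more than 10% away from expectation
INDUSTRY_GROSS_MARGIN = 0.40  # constructed industry-average benchmark
MARGIN_TOLERANCE = 0.05       # assumed acceptable gap from the benchmark

# Constructed sample figures (thousands) for one reporting period.
SAMPLE_BUDGET = {"revenue": 1000.0, "cost_of_sales": 600.0, "payroll": 150.0,
                 "rent": 40.0, "marketing": 30.0}
SAMPLE_ACTUAL = {"revenue": 1040.0, "cost_of_sales": 700.0, "payroll": 152.0,
                 "rent": 40.0, "consultancy": 25.0}

@dataclass(frozen=True)
class Finding:
    item: str
    expected: float   # budgeted figure, 0.0 when nothing was budgeted
    actual: float     # recorded figure, 0.0 when the budgeted item never occurred
    deviation: float  # relative variance; inf marks an entirely unexpected item


def budget_variances(budget, actual, threshold=VARIANCE_THRESHOLD):
    """Compare actual figures with the auditor's expectation (the budget). Returns
    large variances, transactions not expected at all, and expected ones absent."""
    findings = []
    for item, act in actual.items():
        if item not in budget:                      # unexpected transaction
            findings.append(Finding(item, 0.0, act, float("inf")))
            continue
        exp = budget[item]
        deviation = (act - exp) / exp if exp else float("inf")
        if abs(deviation) > threshold:
            findings.append(Finding(item, exp, act, deviation))
    for item, exp in budget.items():
        if item not in actual:                      # expected event did not happen
            findings.append(Finding(item, exp, 0.0, -1.0))
    return findings


def gross_margin(revenue, cost_of_sales):
    """Ratio analysis: gross margin as a fraction of revenue."""
    return (revenue - cost_of_sales) / revenue


def margin_outside_benchmark(revenue, cost_of_sales, benchmark=INDUSTRY_GROSS_MARGIN,
                             tolerance=MARGIN_TOLERANCE):
    """True when the company's margin sits too far from the industry average."""
    return abs(gross_margin(revenue, cost_of_sales) - benchmark) > tolerance
```

Running `budget_variances(SAMPLE_BUDGET, SAMPLE_ACTUAL)` flags the cost of sales overrun, the unbudgeted consultancy spend and the marketing budget that was never used, and the resulting gross margin also falls outside the assumed industry range, each of which an auditor would follow up with further substantive work.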

Internal Audit Report

- Criteria: the standard, measure or expectation (correct state).
- Condition: the factual evidence that the auditor found during the course of the audit
(current state).
- Cause: the reason for the difference between the expected and actual outcome.
- Effect: the risk or exposure that the organisation may encounter because the condition
is not consistent with the criteria.
