LESSON 1: EMERGENCE OF RISK

What is risk?

- In general, something going wrong.
- Combination of the probability of an event and its consequences; concerned with both positive and negative aspects
- Could be natural and man-made
- Large/small
- High impact/little effect

Can risk be managed?

- Risk can be reduced.
- The way we manage those risks depends on how likely they are to eventuate and the impact they will have if they do eventuate.
- Avoidance is preferred to remedial work so control is put in place to avoid the identified risks from occurring or to provide early warning so that corrective action can be taken.

What are controls?

Steps in managing risk:

1. Identify the risk, because if it cannot be identified, it cannot be managed.
2. Assess the impact the risk is likely to have if it does eventuate.
3. Prioritize the importance of each risk in terms of its likelihood and impact, because we do not have the time/money to manage every risk.
4. Evaluate the risk in terms of the organization’s risk appetite
5. Decide on action to lessen either the likelihood or impact of the risk.
6. Record each risk and the decisions made about them.
7. Report the risks, decisions about their treatment and who is responsible.

What is risk management?

- Process of understanding and managing risks that the organization faces in attempting to achieve its objectives.

Accountability for performance cannot be separated from risk management.

Risk: from hazard to opportunity

Risk

- Uncertain future events that could influence the achievement of the organization’s strategic, operational and financial objectives (IFAC, 1998)
- The focus of risk is shifted from a negative concept of hazard to a positive interpretation that managing risk is an integral part of generating sustainable shareholder value.
- Any event that might affect a listed company’s performance, including environmental, ethical, and social risks (ICA, 1999)

Standards for risk

- COSO Committee of Sponsoring Organizations of the Treadway Commission
- Risk Management Standard (Institute of Risk Management, 2022) by International Organization for Standardization (ISO/IEC Guide 73), the
- Australian and New Zealand Standard AS4360

Risk and corporate governance

The corporate governance role of the Board of Directors involves the management of risk and the review of the effectiveness of internal control.

LESSON 2: RISK MANAGEMENT

RISK

- Uncertain event/set of circumstances that should it occur, will have an effect on achievement of one or more project objectives: positively/negatively.
- Combination of the probability of an event and its consequences
- Uncertain future events influence the achievement of the organization’s strategic, operational and financial objectives.
- Any event that might affect a listed company’s performance: environmental, ethical and social risks.

Risk Management

- Process by which organizations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.
- Focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organization. It increases the probability of success and reduces both the probability of failure and the uncertainty of achieving the organization’s overall objectives.

Benefits of risk management:

1. Being seen by stakeholders as profitable and successful;
2. Being seen by stakeholders as predictable with analysts comfortable with what the organization is saying;
3. Not issuing profit warnings, or having major exceptional items to report to shareholders;
4. Proactively managing mergers and acquisitions;
5. Reducing the impact of any impairment of goodwill;
6. Maintaining brand reputation;
7. Being seen by stakeholders to be adopting corporate social responsibility and being a good corporate citizen;
8. Having a well-managed supply chain;
9. Having a good credit rating.

Common Features of Risk Management

1. Linked closely with achieving business objectives
2. Addressing both “upside” and “downside” risks
3. Involving the identification and treatment of risks
4. Reducing both uncertainties and the probability of failure

Avenues of Risk Management

Hazard – risk associated with compliance and prevention
Uncertainty – risks of uncertainty in respect of operating performance.
Opportunity – increase and sustain shareholder value

Questions in risk management

1) What are the drivers of business value?
2) What are the key risks associated with these drivers of value?

Process of Risk Management

The Risk Management and Process according to the International Federation of Accountants (1999) report

1. Map the business processes that drive value to answer this question;
2. Identify and analyze the business risks
3. Establish the appropriate responses that will have the most impact on the value drivers.

Different Views on Risk

Risk as hazard/threat – using management techniques to reduce the probability of the negative event.
Risk as uncertainty – reducing the variance between anticipated and actual outcomes.
Risk as opportunity – maximizing the upside or benefits.

Enterprise Governance by (CIMA)

[Figure: Conformance | Risk Management | Performance]
- Conformance: control; threat/hazard; downside (“bad things do happen”)
- Performance: return; opportunity; upside (“Good things might not happen”)

Enterprise Risk Management (ERM)

- Effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
- Risk-based approach to managing an enterprise, integrating concepts of strategic planning, operations management, performance management and internal control.
- ERM Framework describes the critical principles and components of an effective enterprise risk management process. How all-important risks should be identified, assessed, responded to and controlled.

How firms manage risks

Models/Approaches to Risk Management

1. COSO’S ERM FRAMEWORK
2. The Institute of Risk Management Standard
3. Australia/New Zealand Standard AS/NZS 4360:2004.
4. CIMA’s risk management cycle.

COSO’S ENTERPRISE RISK MANAGEMENT (ERM) FRAMEWORK

- COSO (Committee of Sponsoring Organizations of the Treadway Commission)
- Voluntary private-sector organizations dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.
- Establishment of more effective, efficient and ethical business operations
- Sponsors and disseminates frameworks and guidance based on in-depth research, analysis and business practices
- Members: AICPA, AAA, FEI, IMA, IIA

Aligning risk appetite and strategy – evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.

Enhancing risk response decisions – provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing and acceptance.

Reducing operational surprises and losses – entities gain enhanced capability to identify potential events and established responses, reducing surprises and associated costs or losses.

Identifying and managing multiple and cross-enterprise risks – facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.

Seizing opportunities – by considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
Improving deployment of capital – obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

ERM seeks the following organizational objectives:

1. Strategic – high-level goals, aligned with and supporting its mission
2. Operations – effective and efficient use of its resources
3. Reporting – reliability of reporting
4. Compliance – compliance with applicable laws and regulations

Interrelated Components of COSO’s ERM Model

Internal Environment – the tone of the organization (risk management policy and risk appetite)
Objective Setting – Setting objectives which are aligned to the mission and risk appetite
Event Identification – Events (risks and opportunities) affecting the achievement of objectives are identified.
Risk Assessment – Likelihood and impact of risks are identified and analyzed
Risk Response – Whether to avoid, accept, reduce or share risks (aligned with risk appetite)
Control Activities
Information and Communication
Monitoring – Evaluations and necessary modification

Other framework: The Institute of Risk Management Standard (IRM)

Risk management process, risk assessment comprises risk analysis and risk evaluation.

Risk analysis – process of identification, description and estimation of risks

Risk evaluation – used to make decisions about the significance of risks to the organization and whether each specific risk should be accepted or treated.

Five steps in the risk management process:

1. Establish the goals and context for risk management;
2. Identify risks;
3. Analyze risk in terms of likelihood and consequences and estimate the level of risk faced;
4. Evaluate and rank those risks;
5. Treat the risks through the most appropriate options.

CIMA’S RISK MANAGEMENT CYCLE

The cycle begins with identifying risks, assessing the scale of risks, developing a risk response strategy, implementing the strategy (which involves allocating responsibilities), implementing and monitoring controls and reviewing the effectiveness of the process. At the center of the cycle is the provision of information for decision-making.

IDENTIFYING, ASSESSING AND ESTIMATING RISK

Methods of Identifying Risks

- Determine organization’s exposure to uncertainty.
- Knowledge of the organization’s objectives, its product/services, markets and the legal, political, economic, social and technological environment in which it operates.
- Has to be methodical:
- All activities within the org have been identified
- Ensure that all risks flowing from those activities are defined
- May employ top down (management knows best) or bottom up (operatives know best) approach.

[Figure: methods of identifying risks]
- Interviews
- Questionnaires and surveys
- Brainstorming
- Workshops and focus groups
- Stakeholder consultations
- Industry benchmarking
- Scenario analysis
- Checklists
- Business process analysis
- Incident investigations
- Auditing and Investigation

Risk description

It includes a description of who is affected, the likely impact, appetite for such kinds of risk, possible treatment, among others

Risk estimation

- concerned with estimating the likelihood of an event’s occurrence and the possible consequences, on the basis of the risk description
- can be quantitative, semi-quantitative or qualitative
THE LIKELIHOOD OR CONSEQUENCES MATRIX

A risk matrix is a graph on which risk categories can be plotted in terms of their LIKELIHOOD and IMPACT. The diagonal line indicates the risk appetite, above the line are the significant risks facing the organization which need some form of treatment. Also, some organizations use a 3x3 method of mapping. However, there are also some who use 5x5 or 7x7.

RISK EVALUATION, TREATMENT AND REPORTING

- Concerned with making decisions about the significance of risks to the organization and whether those risks should be accepted or whether there should be an appropriate treatment or mitigation
- Happens after risk analysis (identification, description, and estimation)

Risk Treatment

Also called risk response

The process of selecting and implementing measures to modify the risk. This may include risk control/mitigation, risk avoidance, risk transfer, risk financing (e.g. hedging, insurance)

RISK TREATMENT: TYPES

1. AVOIDANCE - action is taken to exit the activities giving rise to risk; for high-risk events
2. REDUCTION - actions are taken to reduce the likelihood or impact (or both) generally through internal controls
3. SHARING - transfer of risk (e.g. insurance, pooling risk, hedging or outsourcing)
4. ACCEPTANCE - no action is taken to affect likelihood or impact

RISK TREATMENT: EXAMPLES OF RISK RESPONSE

1. Setting a policy defining the organization’s attitude to a particular risk within its risk appetite and the objectives of the risk response;
2. Assigning individual accountability for the management of the risk, with the nominated person having the expertise and authority to effectively manage the risk;
3. The management processes currently used to manage the risk;
4. Recommended business processes to reduce the residual risk (after the application of controls, see below) to an acceptable level;
5. Key performance measures to enable management to assess and monitor risk;
6. Independent expertise to assess the adequacy of the risk response;
7. Contingency plans to manage or mitigate a major loss following the occurrence of an event.

RISK TREATMENT: METHODS OF RISK TREATMENT

Internal Control - the whole system of financial and other controls established to provide reasonable assurance of effective and efficient operation

Portfolio

Hedging - a transaction to reduce or eliminate an exposure to risk

- most common ‘underlying’ for which hedging takes place are in relation to changes in interest rates and foreign exchange fluctuations (but also exist for commodities, stocks and bonds)

Insurance - involves protection against hazards by taking out an insurance policy against an uncertain event

RISK TREATMENT: RISK REGISTER

1. After identification, description and estimation, risks are recorded in a risk register
2. Useful for monitoring purposes
3. Examples of data which may be included in a risk register:
4. Risk number (a unique identifier)
5. Risk category (low, medium, high)
6. Description of risk
7. Date risk identified
8. Name of person who identified risk
9. Likelihood
10. Consequences
11. A monetary value, if such can be allocated to the risk
12. Interdependencies with other risks

RISK REPORTING

- The provision of information to management and the Board that will explain the method of risk management, and how risks are identified and assessed
- The risk register will contain all the risks, and only the high risks are reported to management and Board
- In reporting, you should be able to present both the GROSS RISK and the NET RISK to demonstrate the COST EFFECTIVENESS of those controls

RISK CATEGORIES

Risk Categorization - a way of grouping individual risks into meaningful groups so that they can be managed as a group.

Advantages of risk categorization

1. Managed in common through the use of similar controls.
2. Forces managers to think holistically
3. Help managers to identify how they can use their past experience
4. Provides a framework
5. Helps organization to identify inter-related risks in the same category

DRIVERS OF BUSINESS VALUE CAN BE VIEWED AS “RISK DRIVERS”

Risk can be categorized per value driver.

Operational Risk

- Relating to activities carried out within an organization
- Arising from structure, systems, people, products and processes
- To a considerable extent within the control of the organization

Ex: failure of IT systems, fraud, loss, etc.

Financial Risk

- Related to the financial operation of a business
- Typically, outside the organization’s control
- Action can be taken to mitigate those risks

Ex: liquidity risk, currency risk

Environmental Risk

Relating to changes in the political, economic, social and financial environment

Ex: legislative/regulatory change, climate change

Reputation Risk

Failing to address some other risk

Within the organization’s control but requires the organization to take a wider view of its role in society and to consider how it is seen by its customers, suppliers, competitors and regulators

Sophisticated Classification of Risks

Strategic Risk

Economic – macroeconomic policies and economic cycles
Industry – industry competition and concentration, profit margins, market structure, competition and law.
Strategic transactions – significant changes in strategic direction, e.g., mergers
Social – social attitudes affecting consumer behavior
Technology – obsolescence, new tech that change industries and market
Political – changes in government policy, regulatory environment, political instability, terrorism
Organizational – business policies, culture, control systems, performance measurement and reward systems.

Operational Risks

Environmental – earthquake, fire, flood, pollution
Financial – changes in credit, interest rates, currency
Business Continuity – condition that could affect production, distribution, customers, suppliers, employees, outsourcing or compliance issues.
Innovation – poor performance in research and development or new product or market development
Commercial – poor quality in marketing, engineering, production etc. leading to warranty claims or product failure and liability.
Project – technical difficulties or commercial obstacles to completing projects on time, to budget and to quality
Human skills – loss of skilled personnel, industrial relations problems, lack of training, unethical conduct.
Health and safety – workplace accidents or caused sickness
Property – security of assets including spoilage, theft, loss of intellectual property.
Reporting Risks

Information – poor quality and accessibility of information including problems with data accuracy or security.

Compliance Risks

Legal and regulatory – corporate governance, industrial relations, environmental standards.
Control – internal control systems and security that could result in fraud, computer failure and errors
Professional – organizational and personal liability of directors and managers.

Three categories of risks

- Internal risks arising within the org.
- Controllable and ought to be eliminated/avoided
- Companies should determine a zone of tolerance
- Best managed through active prevention

Monitoring operational processes

Guiding people’s behaviors and decisions toward desired norms

Ex: risks from employees’ and managers unauthorized

Strategy risks

- A company voluntarily accepts some risk in order to generate superior returns (credit risk)
- Not inherently undesirable
- Cannot be managed through rules-based approaches
- Managed through a risk management system that is designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur

External risks

Outside the company
Beyond its influence/control
Management of risks focuses on identification and mitigation of impact

https://hbr.org/2012/06/managing-risks-a-new-framework

Internal Control

The process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

Internal Control System

All the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management’s objectives such as:

Efficient conduct of business

- Adherence to management policies
- Safeguarding of assets
- Prevention and detection of fraud and error
- Accuracy and completeness of accounting records
- Timely preparation of reliable financial information

Elements of Internal Control

1. Control environment
2. Entity’s risk assessment process
3. Information systems
4. Control activities
5. Monitoring controls

Control Environment

The overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity.

Communication and enforcement of integrity and ethical values

Commitment to competence

1. Participation by those charged with governance
2. Management’s philosophy and operating style
3. Organizational structure
4. Assignment of authority and responsibility
5. Human resource policies and resources

Entity’s Risk Assessment Process

The process of identifying and responding to business risks and the results thereof

Examples:

In financial reporting, risk assessment process may include:

How management identifies risks relevant to the preparation of financial statements

Information System

Control Activities

The policies and procedures that help ensure that management directives are carried out

Major categories

- Performance review
- Information processing controls
- Physical controls

Control Activities: Performance Review

1. Comparing actual performance with projections
2. Investigating performance indicators based on operating or financial data.
3. Reviewing functional or activity performance

Control Activities: Information Processing Controls

Refer to policies and procedures designed to require authorization of transactions and to ensure the accuracy and completeness of transaction processing.

- General Controls – affect all transactions cycles
- Application Controls – pertain to a specific type of transaction such as payroll, sales and collection.

Examples of Controls:

Proper authorization of transactions and activities
Segregation of authorities
Adequate documents and records
Access to assets
Independent checks on performance

Proper authorization of transactions and activities

- Before a transaction is entered into with another party, certain conditions must be met.
- There has to be proper documentation
- Checked by the auditor to make sure transactions are properly authorized.
- E.g. the existence of approved purchase order, receiving report and invoice in examining a purchase transaction

Segregation of Duties

- “no one person should be assigned duties that would allow that person to commit an error or perpetrate fraud and to conceal that error or fraud.”
- E.g., the same person receives cash and posts the same receipt on the ledgers.

Adequate documents and records

- Provides reasonable assurance that all valid transactions have been recorded.

Access to assets

- Characterized by physical barriers and appropriate policies.
- E.g. inventories should be kept in a storeroom, etc.

Independent checks on performance

- Determination of the effectiveness of recording policies and asset access policies.
- E.g. inventory count, bank reconciliation

Control Activities: Physical Controls

Encompass:

1. Physical security of assets (e.g. secured facilities over assets and records)
2. Authorization
3. Periodic counting and comparison with amount on records.

Monitoring of Controls

- The process that an entity uses to assess the quality of internal control over time.
- Assessing the design and operation of controls on a timely basis and taking corrective action as necessary.

FRAUD AND ERROR

- Is an intentional act involving the use of deception that results in a material misstatement of the financial statements.

Two types of misstatements:

- Misstatements arising from misappropriation of assets
- Misstatements arising from fraudulent financial reporting

Misstatements arising from misappropriation of assets

- Or asset misappropriation
- Occurs when a perpetrator steals or misuses an organization’s assets.
- E.g. embezzling cash receipts, stealing assets, etc.

Occurs when:

- Employees gain access and manipulate accounts to cover up theft
- Manipulation on disbursements
- Steal and manipulate financial records to conceal.

Misstatements arising from fraudulent financial reporting

Common ways:

- Manipulation, falsification, or alteration of accounting records or supporting documents
- Misrepresentation or omission of events, transactions, or other significant information
- Intentional misappropriation of accounting principles

The Fraud Triangle

1. Incentive to commit fraud

INCENTIVES TO COMMIT ASSET MISAPPROPRIATION

Personal factors such as financial needs
External pressure

INCENTIVES TO COMMIT FRAUDULENT FINANCIAL REPORTING

Management compensation schemes
Improved reported earnings
Debt covenants
Stock option expirations

Example Opportunities: significant related party transactions, industry position, unusual recording process.

2. Rationalization

Example

- They treated me wrong.
- Upper management is doing it as well
- There is no other solution

3. Opportunity to commit and conceal fraud

Asset Misappropriation

INCENTIVES/PRESSURES

1. Personal financial obligations
2. Adverse relationship between entity and employees

- Anticipated layoffs
- Anticipated changes in compensation or benefit schemes
- Promotions, compensation inconsistent with expectation

OPPORTUNITIES

1. Certain circumstances

- Large amount of cash on hand
- Inventory items which are small in size, of high value or in high demand
- Fixed assets which are small in size, or lacking observable identification of ownership
Inadequate internal control

- Inadequate segregation of duties and independent checks
- Inadequate oversight of senior management expenditures
- Inadequate oversight of employees responsible assets
- Inadequate job screening
- Inadequate record keeping
- Inadequate systems of authorization
- Inadequate safeguards over assets.
- Lack of timely and complete reconciliation
- Lack of timely and complete documentation
- Inadequate management understanding of systems
- Inadequate access controls

Fraudulent Financial Reporting

INCENTIVES/PRESSURES

1. When management is under pressure to achieve an expected earnings target or financial outcome

OPPORTUNITIES

2. An individual may commit fraud if that individual believes internal control can be overridden, with techniques as follows:

- Recording fictitious journal entries, particularly close to the accounting period
- Inappropriate or unstable assumptions on estimates.
- Omitting, advancing or delaying recognition of some events.
- Concealing facts that could influence how some accounts are measured.
- Engaging in complex transactions

Fraud: Responsibility for Detection

- Rests with both those charged with governance and the management.
- Commitment to creating a culture of honesty and ethical behavior

Errors and irregularities

THREE BASIC BUSINESS TRANSACTION CYCLES

- Sales and collection cycle
- Acquisition and payments cycle
- Payroll and personnel cycle

Sales and Collections Cycle

1. Errors in Recording

- Mechanical error (e.g. using a wrong price or quantity, recording sales in the wrong period)
- Bookkeeper’s wrong treatment of a transaction

2. Fraudulent Financial Reporting

- Usually overstated sales or understated returns and allowances
- Recording fictitious sales
- Recording valid transactions twice
- Improper cutoff
- Recording operating leases as sales
- Recording deposit sales
- Recording consignment as sales
- Recording sales even when return is likely
- Revenue recognition not in consonance with IFRS 15
- Recording revenue from deferred revenue

Asset Misappropriation

- Skimming (withholding cash receipts without recording them)
- Lapping
- Kiting

Acquisitions and Payments Cycle

3. Errors in Recording
4. Failing to record a purchase in the proper period
5. Recording consignment as a purchase
6. Misclassifying purchases and expense
7. Failing to record a cash payment
8. Recording payment twice

Fraudulent Financial Reporting

1. Paying for fictitious purchases
2. Purchasing goods for personal usage

Payroll and Personnel Cycle

Errors in Recording

- Paying employees at the wrong rate
- Paying employees for more than the hours they worked.
- Charging payroll expense to the wrong accounts
- Keeping terminated employees on the payroll

Fraudulent Financial Reporting

- Fictitious employees
- Excess payments to employee’s failure to record payroll
- Inappropriate assignment of labor costs to inventory

Internal Control Affecting Assets: Cash

Functions

1. All cash that should have been received was in fact received, recorded and deposited
2. Cash disbursements have been authorized and have been recorded.
3. Cash balances are maintained at adequate levels

GUIDELINES FOR INTERNAL CONTROL OVER CASH

1. Do not permit one employee to handle a transaction from beginning to end
2. Separate cash handling from recordkeeping
3. Centralize the receiving of cash
4. Record cash receipts timely
5. Encourage customers to ask for receipts.
6. Deposit cash daily.
7. Make all disbursements through check
8. Monthly bank reconciliation prepared by employees not responsible for the issuance of checks or in custody of cash
9. Monitor cash receipts and payments by comparing records to forecasts

POTENTIAL MISSTATEMENTS

| Misstatement | Examples | Risk Factors |
| Recording fictitious cash receipts | Overstating cash on records by transferring cash from one account to another to cover up embezzlement | Lack of segregation of duties; no effective bank reconciliation |
| Failure to record receipts from sales | Cashier embezzles receipts | Inadequate supervision; failure to encourage customers to ask for receipt |
| | Omission | Inadequate controls in reconciling cash register tapes to records; inadequate bank reconciliation |
| Failure to record cash from collections of accounts | Cashier embezzles cash and does not record | Lack of segregation of duties |
| | Cashier embezzles cash and records account written off | Lack of segregation of duties |
| | Omission of payment | Inadequate reconciliation of subsidiary records with general ledger |

| Misstatement | Examples | Risk Factors |
| Cutoff Problems | Holding cash receipt journals open to record next year’s cash receipts as this year’s | Inadequate internal audit; pressure to show better financial position |
| Inaccurate recording of purchase of payment | Bookkeeper prepares a check to himself and records it as issued to a supplier | Inadequate segregation of duties; inadequate authorization and approval policy |
| | Payment to invoice for goods not received | Ineffective control for matching invoices with receiving documents; poor authorization |
| Duplicate recording and payment of purchases | Duplicate invoice from supplier | Ineffective controls for review and cancellations of supporting documents |
| Unrecorded disbursements | | |

Financial Investments

MAJOR ELEMENTS OF ADEQUATE INTERNAL CONTROL

1. Formal investment policies
2. An investment committee of the Board
3. Separation of duties between executive authorizing purchases and sales of securities, custodian and recording
4. Complete detailed records and the related terms provisions and terms
5. Periodic physical inspection
6. Determination of appropriate accounting policy

| Misstatement | Examples | Risk Factors |
| Misstatement of recorded value | Failure to record changes in fair value | Inadequate accounting manual; incompetent personnel |
| | Fraudulent misstatement | Ineffective board; undue pressure to improve earnings |
| Unauthorized investment transactions | Employee converts securities for personal use | Inadequate segregation of duties for recordkeeping and custody |
| Incomplete recording of investments | Failure to record derivative agreements | Inadequate accounting manual; incompetent accounting personnel; inadequate monitoring for internal auditors |

| Misstatement | Examples | Risk Factors |
| Recording unearned revenue | Recording fictitious sales; intentional over-shipment of goods | Ineffective board; undue pressure to meet earnings target |
| | Recording sales based on receipt of orders rather than shipment | Ineffective billing process |
| | Inaccurate billing and recording of sales | Ineffective controls for testing invoices; ineffective input validation checks |
| | Recording cash that represents a liability as revenue | Inadequate accounting manual; incompetent accounting personnel |

| Misstatement | Examples | Risk Factors |
| Cutoff error | Holding the sales journal open to record next year’s sales as having occurred in the current year | Ineffective board, undue influence to increase sales target |
| | Recording sales in the wrong period | Ineffective cutoff procedures |
Recording revenue when significant uncertainties exist | Recording sales despite likelihood of return | Ineffective board, undue influence to increase sales target
Recording of consignment as sales
Recording revenue when significant services still must be performed by seller

INTERNAL CONTROL OVER NOTES RECEIVABLE

Segregation of Duties

1. The custodian of notes receivable not have access to cash or to general accounting records
2. The acceptance and renewal of notes be authorized in writing by a responsible official who does not have custody of the notes.
3. The write-off of defaulted notes be approved in writing by responsible officials and effective procedures adopted for subsequent follow-up of such defaulted notes

Inventories and Cost of Goods Sold

Misstatement | Examples | Risk Factors
Misstatement of inventory costs | Intentional misstatement of production costs assigned to inventory | Ineffective board; undue pressure to meet earnings targets
Intentional misstatement of inventory prices | Ineffective board; undue pressure to meet earnings targets
Assignment of direct labor costs, direct materials costs or factory overhead to inventory items is inaccurate; erroneous pricing of inventory | Ineffective cost accounting system
Misstatement of inventory quantities | Items are stolen and no journal entry reflecting the theft | Ineffective physical controls over inventories; ineffective board; undue pressure to meet earnings target.
Inventory quantities in locations not frequently visited by auditors are systematically overstated | Ineffective physical controls over inventories; ineffective board; undue pressure to meet earnings target.
Miscounting of inventory | Ineffective controls or supervision of physical inventory
Cutoff Problems | Intentional recording of purchases in the subsequent period | Ineffective board; undue pressure to meet earnings target.
Recording purchases of the current period in the subsequent period | Ineffective accounting procedures that do not tie recorded purchases to receiving data

PPE

KEY CONTROLS FOR PPE

1. Annual plant budget used to forecast and control acquisitions and retirements
2. Subsidiary ledgers for each unit of property.
3. System of authorization (advance executive approval of acquisitions); serial numbering
4. A reporting procedure for prompt disclosure and analysis of variances between expenditures and actual costs
5. Authoritative written statement of company policy distinguishing capital expenditures and revenue expenditures
6. Policy requiring acquisitions to be made through the purchasing department
7. Periodic physical inventories to verify existence
8. A system of retirement procedures

Misstatement | Examples | Risk Factors
Misstatement of acquisitions | Capitalization of expenditures for repairs and maintenance | Undue pressure to meet earnings target
Purchases of equipment erroneously reported as expense | Inadequate accounting manual; incompetent accounting personnel
Failure to record retirements of PPE | Replacement is without an accounting entry | Inadequate accounting policies
Improper reporting of unusual transactions | Recording of gain for transactions without commercial substance | Inadequate accounting manual; incompetent accounting personnel

Affecting Liabilities and Equity

Misstatement | Examples | Risk Factors
Inaccurate recording of a purchase or payment | Bookkeeper prepares a check to himself and records it as having been issued to a major supplier | Inadequate segregation of duties of recordkeeping and preparing cash disbursements
Payment is made for goods that have not been received | Ineffective controls for matching invoices with receiving documents before payment is authorized
Misappropriation of purchases | Goods are ordered but delivered to an inappropriate address and stolen | Ineffective controls for matching invoices with receiving documents before payment is authorized
Duplicate recording of purchases | Purchase is recorded when an invoice is received from a vendor and recorded again when a duplicate invoice is sent by the vendor | Ineffective controls for review and cancellation of supporting documents by the check signer
Cutoff Problems | This period’s purchases recorded as having occurred in subsequent period | Ineffective board; undue pressure to meet earnings target

INTERNAL CONTROL OVER EQUITY


1. Proper authorization of transactions by the board and
corporate officers
2. Segregation of duties in handling these transactions
3. Maintenance of adequate records
