Governance, Business Ethics, Risk Management and Internal Control
• Risk - the possibility of an occurrence of an event that could adversely affect the
achievement of business objectives.
Internal events
Event: Internal fraud
Potential impact:
∙ Financial loss
∙ Damage to the reputation of the company
• Financial risks - the likelihood that the company might incur a financial loss, or
suffer a decline in profit, capital, investment, or cash flows, on account of the
occurrence of events or transactions.
• Nonfinancial risks - a type of risk, other than financial risks, that can negatively
affect the company (e.g., breakdown of machines, loss of raw materials)
Credit risk
• Credit risk - the risk that a counterparty such as a customer or a borrower might fail to
pay its account on the due date
• For instance, there is a possibility that a borrower of a bank will be unable to pay
his or her loan on the maturity date.
Liquidity risk
• Liquidity risk - the risk that the business will be unable to meet its financial obligations
as they fall due because of insufficient cash.
• Liquidity risk also includes the possibility that the business may not be able to:
• Convert its noncash assets into cash on short notice.
• Borrow funds from banks and other creditors with reasonable interest and payment
terms.
Interest rate risk
• Interest rate risk - the potential decline in earnings due to changes in interest
rates
• If the company has a variable-rate loan payable, an increase in the market rate of
interest will increase total interest expense, resulting in lower profit.
• Interest rate risk arises because the business may hold a disproportionate mix of fixed-rate
and variable-rate interest instruments.
Foreign currency risk
• Foreign currency risk - the risk that fluctuations in exchange rates could affect
the profit of the business.
• For example, a weakening of the Philippine peso will result in a foreign currency
loss to a Philippine importer of goods.
• The Philippine importer will have to convert more Philippine pesos into dollars to
settle the transaction.
Other price risk
• Other price risk - the risk that changes in specific prices (stock price, purchase
price, index) could affect the profit or cash flow of the business.
• For instance, a decline in the price of shares owned by the company and traded on the
stock exchange will result in a decrease in the value of the stock investments.
Business risk
• Business risk - the possibility that the business may not be able to generate sufficient
revenue, or the chance that operating costs will increase
• For example, an increase in raw material cost will result in a decline in the gross
profit margin of the company.
• When the company is unable to achieve its sales target, revenues will not be
enough to cover operating costs.
Operational risk
• Operational risk - the risk that business operations will be disrupted due to
inadequate or failed systems, processes, people, breaches in internal controls, or
other unforeseen catastrophes
• The company uses internal controls (e.g., business continuity plans, preventive
maintenance) to mitigate the effect of operational risks.
Legal risk or compliance risk
• Legal or compliance risk - the risk that the company might fail to comply with
applicable laws and regulations
• This risk also includes the possibility of not complying with contractual
obligations to other entities.
• This type of risk may result in fines and penalties as well as possible criminal
prosecution of erring company officers and employees.
Health and safety risk
• Health and safety risk - the risk that unforeseen events could result in injuries,
illnesses, or even loss of lives
• This kind of risk increases the medical costs that will be incurred by the company.
Environmental risk
• Environmental risk - the risk that the company may fail to control or minimize
factory wastes, emissions, and other pollutants arising from its business activities.
• This type of risk may result in failure to achieve long-term strategic goals, loss of
market share, and shrinkage in corporate value.
Reputational risk
• Reputational risk - the risk that the reputation or image of the company will be
damaged due to reasons such as improper acts of corporate officers, poor financial
performance, bad news about the company, among others
• This risk reduces the confidence of investors, customers, creditors, and other
entities with respect to the status of the business.
• Financial reporting risk - the possibility that the financial statements of the
company will be incorrect due to errors, lapses, or failure to apply accounting
standards such as the International Financial Reporting Standards (IFRS).
• Fraud risk - the risk arising from deceptive and intentional acts that result in the
loss of company assets, resources, and reputation
• Examples of fraud include theft of cash and inventories, bogus deliveries, ghost
employees, window dressing of the financial statements, and the like.
Enterprise risk management, defined
• Risk oversight pertains to the periodic review and monitoring of the process
being used by management in addressing and controlling risks.
• Management also identifies and assesses risks prior to selecting the appropriate
risk response or controls.
• Many companies have risk managers who are the ones tasked to manage risks in a
professional and technical manner.
Roles in risk management: Internal auditors
• Audit findings (e.g., weak risk processes) as well as their recommendations for
improvements are communicated to the Board of Directors, or to the Risk
Oversight Committee.
Risk appetite
• Risk appetite - the level of risk that the company can accept in pursuit of its
objectives
• This is one of the aims of the risk management process - to keep risks within the
company’s risk appetite.
Steps in the Risk Management process
• Strategic objectives - are high-level goals, aligned with and supporting the
organization's mission and long-term vision.
• Operational objectives - are goals that are related to the effective and efficient
use of corporate resources.
Categories of business objectives
• “Impact” - the significance of the negative effect of the risk on the company
• Reduce - Risks that are likely to happen or those that are expected to have a
significant impact on the business cannot simply be accepted.
• These risks should be mitigated or reduced to tolerable levels.
• Reducing risks can be done through implementing controls.
Risk responses
• Avoid - Avoiding a risk may be the right response when management thinks that
merely reducing it is not enough.
• Examples:
• The company may terminate one of its product lines if it assesses that operating it has become too risky.
• The company may totally avoid entering into dollar-denominated transactions to eliminate foreign
currency risk.
Implementing the risk response
• A risk management process that is effective today may no longer be effective for
the next period. This is because risks are always changing.
Risk management frameworks
1. Identification of all risks that could prevent the company from achieving its
business objectives
Activity 2 (Group Work): Risks and Management
Action Plans
From your output in Activity 1, select at least five (5) risks to achieving business objectives. Identify
management action plans that may be applied in addressing the selected risks. Use the following
template:
Make a group research about the top five (5) global risks being experienced by
companies. You may use the following table:
Conclusion:
• Risk is the chance for a potential loss or the probability of not achieving a
business objective.
• Risks can be categorized into financial risks and nonfinancial risks. There are
many examples of risks for each category.
• In light of the above, companies must implement a robust and comprehensive risk
management system to ensure the achievement of business objectives.
Conclusion:
• There are several risk management frameworks that can be adopted by companies,
such as COSO Enterprise Risk Management or ISO 31000 - Risk Management.
References:
Meneses, Jesse Rey L. and Villaceran, Eugene V. 2022. Governance, Business
Ethics, Risk Management and Internal Control. Quezon City: Rex Book Store,
Inc.
The Committee of Sponsoring Organizations of the Treadway Commission. 2004.
COSO Enterprise Risk Management - Integrated Framework.
Chapter 5: Assessment of Risks and Selection of Risk Strategies
Learning objectives:
• The internal environment encompasses the "tone at the top" and it influences the
governance process as well as the risk and control consciousness of people in the
company.
• The board and management must have an awareness and understanding of risks to
effectively perform their respective execution (management) and oversight (board)
functions over the risk management process.
Objective setting
• The business objectives are formulated within the company's risk appetite or the
level of risk that the company can accept.
Event identification
• Management identifies potential events that may affect the company’s ability to
achieve its strategic, operational, reporting, and compliance objectives.
• Residual risk - the risk that remains after applying management’s response to the risk
Example of risk scoring for “likelihood”
2 - Minor impact
3 - Moderate impact
4 - Major impact
5 - Catastrophic effect
Risk map
• Residual risk - risk that remains after applying controls and mitigating
management plans
Risk response
• After risks are assessed, management will select the right risk response.
• Risk responses:
• Accept the risk.
• Mitigate (reduce) the risk.
• Share the risk.
• Avoid the risk.
Risk response
• Significant risks (high likelihood, high impact) cannot be accepted, but should be
mitigated by controls or management actions, shared through insurance, or totally
avoided (exiting a risky business venture or product line).
Control activities
• Management carries out specific risk mitigation policies and control procedures
throughout the organization, at all levels and in all functions, to help ensure that
risk responses are properly implemented.
• The company identifies, captures, and communicates pertinent information from internal
and external sources to enable personnel in carrying out their responsibilities.
• Without the communication of reliable and relevant information, people in the company will
not be able to perform their functions in an appropriate manner.
Information and communication
• Communication can also be inbound (to the company) or outbound (from the company).
Monitoring
Risk assessment template
Columns: Risk | Assessment: Likelihood | Impact | Combined risk score | Significant risk (Yes/No)? | Risk response (e.g., reduce, share, avoid, accept) | Specific control activity
1. (risk, scores and response not recovered) | | | | | | Business continuity plan
2. Potential cash deficit | 4 | 5 | 20 | Yes | Mitigate | Contingency funding plan; standby credit lines with bank
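As an added illustration that is not part of the textbook or these slides, the template above can be turned into a small risk-register check: each risk is scored 1 to 5 for likelihood and impact, the combined score is their product (4 x 5 = 20 in the slide's row), and the slide's rule that significant risks cannot simply be accepted is enforced. The threshold of 15 for "significant" and the two extra register rows are assumptions.

```python
from dataclasses import dataclass

SCALE = range(1, 6)           # 1 (lowest) to 5 (highest), matching the 5-point impact scale
SIGNIFICANT_THRESHOLD = 15    # ASSUMPTION: combined score from which a risk counts as significant
RESPONSES = {"accept", "mitigate", "share", "avoid"}


@dataclass
class RiskEntry:
    risk: str
    likelihood: int
    impact: int
    response: str
    control: str

    def combined_score(self) -> int:
        # Combined risk score = likelihood x impact, as in the template row (4 x 5 = 20).
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk}: likelihood and impact must be scored 1-5")
        return self.likelihood * self.impact

    def is_significant(self) -> bool:
        return self.combined_score() >= SIGNIFICANT_THRESHOLD


def check_response(entry: RiskEntry) -> str:
    """Apply the slide's rule: a significant risk may not be accepted; it must be
    mitigated, shared or avoided and needs a specific control activity."""
    response = entry.response.lower()
    if response not in RESPONSES:
        return f"{entry.risk}: unknown response '{entry.response}'"
    if entry.is_significant() and response == "accept":
        return (f"{entry.risk}: score {entry.combined_score()} is significant; "
                f"'accept' is not allowed, choose mitigate, share or avoid")
    if entry.is_significant() and not entry.control.strip():
        return f"{entry.risk}: significant risk has no specific control activity"
    return "ok"


def review_register(register: list) -> list:
    return [check_response(entry) for entry in register]


# Constructed sample register; the first row is the slide's own example row.
SAMPLE_REGISTER = [
    RiskEntry("Potential cash deficit", 4, 5, "Mitigate",
              "Contingency funding plan; standby credit lines with bank"),
    RiskEntry("Internal fraud", 3, 5, "Accept", ""),   # constructed: must be flagged
    RiskEntry("Minor stock-out", 2, 2, "Accept", ""),  # constructed: acceptable
]

if __name__ == "__main__":
    for finding in review_register(SAMPLE_REGISTER):
        print(finding)
```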
Activity 2 - Continuation of activity 1
Directions: Using your chosen business in Activity 1, list specific examples of activities or procedures
falling under the eight (8) components of the original COSO ERM Framework. Use the following
template:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring activities
Activity 3: Internet assignment
Research the risk management processes of at least two (2) listed
companies and present these to the class. This information may be found in
annual reports posted on their corporate websites.
For U.S. companies, you may find this information in the company’s
Form 10-K. For Philippine companies, you may find it in the company’s
Form 17-A.
Conclusion:
• The risk management process begins with the setting of clear business objectives
and subsequently identifying threats to achieving those goals.
• The identified risks are then assessed in terms of likelihood and impact for the
purpose of determining the appropriate risk response and the specific management
action or control.
• Applicable risk responses include accepting the risk (for insignificant risks) and
mitigating or sharing the risk (for significant risks).
Reference:
3 business objectives:
• Effective and efficient operations
• Reliability of financial and nonfinancial reporting
• Compliance with laws and regulations
5 components:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COSO requirements to conclude that internal control is effective
1. Each of the five components must be present and functioning.
• “Present” - the five components exist in the system of internal control
• “Functioning” - the components are being implemented over time
• Control environment - reflects the attitudes, awareness, and actions of senior management and the BOD
regarding the importance of internal control
• Risk assessment - process for identifying and assessing those risks that may prevent
the achievement of business objectives
Steps:
• Objective setting
• Risk identification
• Risk analysis (likelihood, impact)
• Risk response
Control activities
• Performance reviews
• Information processing
• Physical controls
• Segregation of duties
Information and communication
• Information is necessary for the entity to carry out internal control responsibilities to support
the achievement of its objectives.
• Management obtains, generates, and uses relevant and quality information from both
internal and external sources to support the functioning of internal control.
• Internal control provides reasonable assurance that the business objectives will be achieved.
Select a small business in your locality. With the owner’s permission, attempt to identify control policies and procedures
that the business implements. Map these specific control policies and procedures to the five (5)
components of internal control. Use the following format:
Policy/Procedure | Component/s
Example:
1. The business hires only competent staff. | Control environment
2. The internal auditor reports audit findings and recommendations to the owner on a periodic basis. | Monitoring; Information and communication
Activity 2: Identifying internal controls in a business
Identify internal controls that are being implemented in the following business establishments:
1. Department store
2. Bank
3. Convenience store
4. Supermarket
Requirement:
Demonstrate to the class how the five (5) components of internal control operate
together under the COSO Framework.
• Under the COSO Framework, there are five (5) components of internal control,
namely: control environment, risk assessment, information and communication,
control activities, and monitoring.
• Internal control provides only a reasonable assurance that business objectives will
be achieved because there is no perfect control system.
Meneses, Jesse Rey L. and Villaceran, Eugene V. 2022. Governance, Business Ethics,
Risk Management and Internal Control. Quezon City: Rex Book Store, Inc.
The Committee of Sponsoring Organizations of the Treadway Commission. 1992.
Internal Control - Integrated Framework.
Chapter 7: Internal Control in Action
Learning objectives:
• Entity-level controls - controls that are applied broadly at the company level and
affect the functioning of transaction-level controls.
Examples:
• Functioning of the board of directors
• Code of conduct in the workplace
• Controls under the risk assessment component
• Monitoring process
• Code of corporate governance
Transaction-level controls
• Types of fraud:
• Fraudulent financial reporting
• Misappropriation of assets
• Corruption
Fraudulent Financial Reporting
Misappropriation of Assets
Elements of the Fraud Triangle
• Incentives or pressures
• Perceived opportunities
• Rationalizations
Control deficiency
• A control deficiency is (a) a missing control, or (b) an existing control that is not
designed properly, or is properly designed but is not operating effectively.
Go to your favorite grocery or supermarket. List at least 10 internal controls that the grocery or
supermarket is implementing. Classify the controls into hard controls and soft controls. Use the following
template:
Internal control Hard or soft control?
Activity 2. Classifying controls into preventive, detective or
corrective
Classify internal control 1 through 10 into preventive, detective, or corrective controls.
Conclusion:
• The business should apply a mix of controls, both entity-level controls and
specific transaction-level controls.
• Specific control activities are further categorized into preventive, detective, and
corrective controls.
• For documentation and reference purposes, the business must have an internal
control manual of procedures.
Conclusion:
• To understand fraud, one must consider the elements of the fraud triangle which
are incentives or pressures, perceived opportunities, and rationalizations.