
PRACTICAL GUIDELINES IN REDUCING AND MANAGING BUSINESS RISKS

Managing and reducing the enterprise-wide risk inherent in business activity is best achieved by applying the principles and techniques appropriate to the situation.

UNDERSTAND THE NATURE OF RISK

The willingness and readiness to take personal and financial risks is a defining characteristic of the entrepreneurial decision-maker. In the late 90's, a study commissioned by an internationally-known accounting firm found that while in continental Europe strategies focus on avoiding and hedging risk, Anglo-American companies view risk as an opportunity and accept risk management as necessary to achieving their goals. In 2017, this relative attitude to risk among European and US companies remains broadly the same, the result of long-standing cultural experiences and history as well as recent events.

Successful businessmen and decision-makers make sure that the risks resulting from their decisions are measured, understood and as far as possible eliminated. They also go beyond the direct financial perspective and actively manage risk as it affects the whole organization.

Accepting that risks exist is a starting point for the other actions needed, but the most important is to create the right climate for risk management. People need to understand why control systems are needed; this requires communication and leadership skills so that standards and expectations are set and clearly understood.

IDENTIFY AND PRIORITIZE RISKS

Identification of significant risks both within and outside the organization is crucial and allows informed decisions to be made. This makes it easier to avoid unnecessary surprises. Examples of significant risks might be the loss of a major customer, the failure of a key supplier or the appearance of a significant competitor.

Take the human factor into account. People behave differently and inconsistently when making decisions involving risk. They may be exuberant, overconfident or overly concerned. They may simply overlook the issue of risk.

Risk surrounds us and continues to be with us. When identifying risks it helps to define the categories into which they fall. This allows for a more structured analysis and reduces the chances of risk being overlooked. Some of the most common areas of risk affecting business are shown in the table below.

Typical Areas of Organizational Risk

| Financial | Commercial | Strategic | Technical | Operational |
|---|---|---|---|---|
| Accounting decisions and practices | Loss of key personnel and tacit knowledge | Marketing, pricing and market entry decisions | Failure of plant or equipment | Product or design failure, including failure to maintain supply |
| Treasury risks | Failure to comply with legal regulations or codes of practice | Market changes affecting commercial decisions (due to customers and/or competitors) | Accidental or negligent actions (such as fire, pollution, floods) | Client failure |
| Fraud | Contract conditions | Political or regulatory developments | - | Breakdown in labor relations |
| Robustness of information management systems | Poor brand management or handling of a crisis | Resource-building and resource allocation decisions | - | Corporate malpractice (such as sex discrimination) |
| Inefficient cash management | Market changes | - | - | Political change |
| Inadequate insurance | - | - | - | - |

CONSIDER THE ACCEPTABLE LEVEL OF RISK

As earlier mentioned, the usual first step is to determine the nature and extent of the risks the business will accept. This involves assessing the likelihood of risks becoming reality and the effect they would have if they did. Only when this is understood can measures be taken to minimize the incidence and impact of such risks.

There is also an opportunity cost associated with risk: avoiding a risk may mean avoiding a potentially big opportunity. People can be too cautious and risk averse even though they are often at their best when facing the pressure of risk and deciding to take a more audacious approach. Sometimes the greatest risk is to do nothing.

UNDERSTAND WHY RISKS BECOME REALITY

Once risks are identified they can be ranked according to their potential impact and the likelihood of them occurring. This helps to highlight not only where things might go wrong and what their impact would be, but also how, why and where these catalysts might be triggered. The five most significant types of risk catalyst are as follows:

1. Technology. New hardware, software or system configurations can trigger risks, as can new demands on existing information systems and technology. In early 2010, Metro Manila Development Authority Chair introduced a congestion charge for traffic using the center of the city; the greatest threat to the scheme's success (and his tenure as chair) was posed by the use of new technology. It worked and the scheme was widely seen as a success.
2. Organizational change. Risks are triggered by, for example, new management structures or reporting lines, new strategies and commercial agreements (including mergers, agency or distribution agreements).
3. Processes. New products, markets and acquisitions all cause change and can trigger risks. The disastrous launch of "New Coke" by Coca-Cola was an even bigger risk than anyone at the company had realized; it outraged Americans who felt angry that an iconic US product was being changed. That Coca-Cola eventually turned the situation to its advantage shows that risk can be managed and controlled, but such success is rare.
4. People. Hiring new employees, losing key people, poor succession planning, or weak people management can all create dislocation, but the main danger is behavior: everything from laziness to fraud, exhaustion and simple human error can trigger this risk.
5. External factors. Changes to regulation and political, economic or social developments can all affect strategic decisions by bringing to the surface risks that may have lain hidden. The economic disruption caused by the sudden spread of the SARS epidemic from China to the rest of Asia in 2003 highlights this risk.

APPLY A SIMPLE RISK MANAGEMENT PROCESS

The stages of managing the enterprise-wide risk inherent in decisions are simple.
• First, assess and analyze the risks resulting from a decision by systematically identifying and quantifying them.
• Second, consider how best to avoid or mitigate them.
• Third, in parallel with the second stage, take action to manage, control and monitor the risks.

A. Risk Assessment and Analysis

It is more difficult to assess the risks inherent in a business decision than to identify them. Risks that lead to frequent losses, such as an increasing incidence of employee-related problems or difficulties with suppliers, can often be solved using past experience. Unusual or infrequent losses are harder to quantify. Risks with little likelihood of occurring in the next five years are not important to a company focused on meeting shareholders' shorter-term expectations. Thus, it is sensible to quantify the potential consequences of identified risks and then define courses of action to remove or mitigate them.

Each category of risk can be mapped in terms of both likely frequency and potential impact, with the potential consequences being ranked on a scale ranging from inconvenient to catastrophic (see Table above).

B. Risk Management and Control

Risk should be actively managed and given a high priority across the whole organization. Risk management procedures and techniques should be well documented, clearly communicated, regularly reviewed and monitored. To successfully manage risks, you have to know what they are, what factors affect them and their potential impact.

If you plot the ability to control a risk against its potential impact, as shown in the table below, you can decide on actions either to exercise greater control over the risk or to mitigate its potential impact. Risks falling into the top-right quadrant require urgent action, but those in the bottom-right quadrant (total/significant control, major/critical impact) should not be ignored because complacency, mistakes and a lack of control can turn the risk into a reality.

Assessing and Mapping Risk

Once the inherent risks in a decision are understood, the priority is to exercise control. All employees must be aware that unnecessary risk-taking is unacceptable. They should understand what the risks are, where they lie and their role in controlling them. To achieve this, share information, prepare and communicate clear guidelines, and establish control procedures and risk measurement systems.

Avoiding and Mitigating Risks

Start by reducing or eliminating those risks that result only in costs: the non-trading risks. These can be thought of as the fixed costs of risk and might include property damage risks, legal and contractual liabilities and business interruption risks. Reducing these risks can be
achieved through quality assurance programs, environmental control processes, enforcing health and safety regulations, installing accident prevention and emergency equipment and training people to use it, and taking security measures to prevent crime, sabotage, espionage, and threats to people and systems. Reducing a risk may also mean that the cost of insuring against it goes down.

Risks can be reduced or mitigated by sharing them. For example, acceptable service agreements from vendors are essential to reducing risk. Joint ventures, licensing and agency agreements can also be used to mitigate risk. To reduce the chances of things going wrong, focus on the quality of what people do - doing the right things right reduces risks and costs.

Risk management relies on accurate, timely information. Management information systems should provide details of the likely areas of risk, and the information needed to control the risks. This information must reach the right people at the right time so that they can investigate and take corrective action.

Create a Positive Climate for Managing Risk

Recognizing the need to manage risk is not enough. The ethos of an organization should recognize and reward behavior that manages risk. This requires a commitment by senior managers and the resources (including training) to match. Too often, control systems are seen only as an additional overhead and not as something that can add value by ensuring the effective use of assets, the avoidance of waste and the success of key decisions.

Overcoming the Fear of Risk

Everyone accepts that taking risks is needed to keep ahead of the competition. Consequently, employees need to understand better what the real risks are, to share responsibility for the risks being taken and to see risk as an opportunity, not a threat. Understanding how organizations manage risk effectively is important, but managing risk is only one possible strategy. Another approach is to look for ways to use the risk to achieve success by adding value or outstripping competitors - or both. To do this, organizations need to stop taking the fun out of risk by controlling it in ways that are perceived as bureaucratic and stifling. Risk is both desirable and necessary. It provides opportunities to learn and develop and compels people to improve and effectively meet the challenge of change.

C. Controlling and Monitoring Enterprise-Wide Risk

The following questions when answered truthfully and positively will assist managers in deciding how to manage the risks that confront the business enterprise.

• Where are the greatest areas of risk relating to the most significant strategic decisions?
• What level of risk is acceptable for the company to bear?
• What are the potentially disclosing events that could inflict the greatest damage on your organization?
• What are the risks inherent in the organization's strategic decisions, and what is the organization's ability to reduce their incidence and impact on the business?
• What is the overall level of exposure to risk?
• Has this been assessed and is it being actively monitored?
• What are the costs and benefits of operating effective risk management controls?
• What review procedures are in place to monitor risks?
• Are the risks inherent in strategic decisions (such as acquiring a new business, developing a new product or entering a new market) adequately understood?
• At what level in the organization are the risks understood and actively managed?
• Do people fully realize the potential consequences of their actions, and are they equipped to understand, avoid, control or mitigate risk?
• To what extent would the company be exposed if key staff left?
• If there have been major developments (such as a new management structure or reporting arrangements), are the new responsibilities understood and accepted?
• Are management information systems keeping pace with demands?
• Are there persistent black spots - priority areas where the system needs to be improved or overhauled?
• Do employees resent risk, or are they encouraged to view certain risks as opportunities?

PRACTICAL CONSIDERATIONS IN MANAGING AND REDUCING FINANCIAL RISK

Finance is the lifeblood of a business, heavily influencing strategies and decisions at every level.

Many managers find it difficult to get to grips with financial issues and, as the 2008 global financial crisis revealed, many lost touch with basic financial ground rules.

Profitability, cash flow, long-term shareholder value and risk all need to be considered when setting and reviewing strategy. This section provides practical guidance about financial decisions and explains how to:
• improve profitability;
• avoid pitfalls in making financial decisions;
• reduce financial risk.

Improving Profitability
Entrepreneurial flair and financial rigour are as much about attitude as skill. Nonetheless, certain skills will ensure that decisions are focused on commercial success.

A. Variance Analysis

Interpreting the differences between actual and planned performance is crucial. Variance analysis is used to monitor and manage the results of past decisions, assess the current situation and highlight solutions.

Common causes of variances include inefficiency, poor or flawed planning (for example, relying on historically inaccurate information), poor communication, interdependence between departments and random factors. Every business should use variance analysis but in a practical, pragmatic and cost-effective way.

B. Assessment of Market Entry and Exit Barriers

How easy or difficult it is to either enter or leave a market is crucial in strategic decision-making. Entry barriers include the need to compete with businesses that enjoy economies of scale, or established differentiated products.

Other barriers include capital requirements, access to distribution channels, factors independent of scale (such as technology or location) and regulatory requirements. When markets are difficult or costly for competitors to enter and relatively easy and affordable to leave, firms can achieve high, stable returns, while still being able to leave for other opportunities. Consider where the barriers to entry lie for your market sector, how vulnerable you are to new entrants, and whether you can strengthen and entrench your market position.

C. Break-even Analysis

The break-even point is when sales cover costs, where neither a profit nor a loss is made. It is calculated by dividing the costs of the project by the gross profit at specific dates, making sure to allow for overhead costs. Break-even analysis (cost-volume-profit or CVP analysis) is used to decide whether to continue developing a product, alter the price, provide or adjust a discount, or change suppliers to reduce costs. It also helps in managing the sales mix, cost structure and production capacity, as well as in forecasting and budgeting.

D. Controlling Costs

To control costs:
• Focus on the big items of expenditure. Categorize costs into major or peripheral items. Often, undue emphasis is given to the 80% of activities accounting for 20% of costs.
• Be cost aware. Casualness is the enemy of cost control. While focusing on major items of expenditure it may also be possible to cut the cost of peripheral items. Costs can be reduced over the medium to long term by managers' attitudes to cost control and the effects of expenses on cash flow.
• Maintain a balance between costs and quality. Getting the best value means achieving a balance between the price paid and the quality received.
• Use budgets for dynamic financial management. Budget early so financial requirements are known as soon as possible. Consider the best time-period for the budget - normally a year but it depends on the type of business. Some larger firms have moved to rolling budgets, getting managers to forecast the next 18 months every quarter. Budgets provide a starting point for cash flow forecasts and revenues, and they also play an essential role in monitoring costs and revenues.
• Develop a positive attitude to budgeting. People need to understand, accept and use the budget, feeling a sense of ownership and responsibility for developing, monitoring and controlling it.
• Eliminate waste. For decades, leading Japanese companies have directed much of their cost-management efforts towards waste elimination. They achieve this by using techniques such as process analysis, mapping and re-engineering.

Practical Techniques to Improve Profitability

Some practical techniques to improve profitability:

• Focus decision-making on the most profitable areas. Concentrating on products and services with the best margin will protect or enhance profitability. This might involve redirecting sales and advertising activities.
• Decide how to treat the least profitable products. These often drift, with dwindling profitability. Turn around a poor performer (by reducing costs, raising prices, altering discounts or changing the product) or abandon it to prevent a drain on resources and reputation. The shelf-life and appeal of the product must be considered when deciding to continue or discontinue it.
• Make sure new products enhance overall profitability. New product development often focuses on market need or the production process, with insufficient regard to cost, price, sales volume and overall profitability, which are inextricably linked.
• Manage development and production decisions. The amount spent on research, as well as the priorities and methods used, affect profitability. Too little expenditure may increase costs in the long term.
• Set the buying policy. For example, should there be a small number of preferred suppliers or a bidding system among a wider number of potential suppliers? Also, consider techniques for controlling delivery charges, monitoring exchange rates, improving quality control, reducing inventory and improving production lead times.
• Consider how to create greater value from existing customers and products to enhance profitability. Ask:
- How can customer loyalty (and repeat purchasing) be enhanced?
- How can the sales proposition be made more competitive relative to the opposition? How can existing markets, sales channels, products, brand reputation and other resources be adapted to exploit new markets and new opportunities?
- How can sales expenses be reduced?
- How can the effectiveness of marketing activities be increased?
• Consider how to increase profitability by managing people. Successful leadership is a prerequisite for profitability. People need to be motivated and supported, and this implies rewarding them fairly for their work, training and developing them, providing a clear sense of direction, and focusing on the needs of the team, the task and the individual.

There are many techniques for assessing the likely profitability of an investment. One of the most used is to apply discounted cash flows in evaluating capital investment programs.

• Avoiding Pitfalls

Many managers have financial responsibilities and their decisions will often be influenced by or have an impact on other parts of the business. The following principles will help avoid flawed financial decision-making.

Financial expertise must be widely available

Every manager needs to understand why successful financial management increases profits. People need to own their part of the financial control process, to have the information and expertise needed to routinely make the best financial decisions.

Consider the impact of financial decisions

Do not ignore or underestimate the wider impact of finance issues upon other departments and decisions.

Avoid weak budgetary control

Budgets are an active tool to help make financial decisions, not merely a way to measure performance.

Understand the impact of cash flow

Non-financial managers often ignore cash flows and the time value of money. Everyone should be aware of the importance of cash to the organization.

Know where the risk lies

Identifying risks and how to reduce them is crucial to successful financial decision-making. For example, managers need to know not only where the break-even point is, but also how and when it will be reached.

• Reduce Financial Risk

Positive replies to the following questions would assist top management to manage financial risk:

• Are the most effective and relevant performance measures in place to monitor and assess the effectiveness of financial decisions?
• Have you analyzed key business ratios recently? How useful are your performance indicators? What are the main issues? Are you measuring the right things?
• Is there a positive attitude to budgets and budgeting?
• Does decision-making focus on the most profitable products and services, or is it preoccupied with peripheral issues?
• What are the least profitable parts of the organization? How will they be improved?
• Are market and customer decisions focused on improving profitability? Too often, attention is given to non-financial objectives such as increasing market share, without adequately considering the financial risks and alternatives.
• How efficiently is cash managed? Do your strategic business decisions take account of cash considerations, such as the time value of money?
OVERVIEW OF INTERNAL CONTROL

NATURE AND PURPOSE OF INTERNAL CONTROL

Internal control is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. It follows that internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.

Those objectives fall into three categories:
- Reliability of the entity's financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations

Whether an entity achieves its objectives relating to financial reporting and compliance is determined by activities within the entity's control. However, achieving its objectives relating to operations will depend not only on management's decisions but also on competitors' actions and other factors outside the entity.

INTERNAL CONTROL SYSTEM DEFINED

Internal control system means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.

ELEMENTS OF INTERNAL CONTROL

Internal control structures vary significantly from one company to the next. Factors such as size of the business, nature of operations, the geographical dispersion of its activities, and objectives of the organization affect the specific control features of an organization. However, certain elements or features must be present to have a satisfactory system of control in almost any large scale organization.

The internal control system extends beyond these matters which relate directly to the functions of the accounting system and consists of the following components:
a. the control environment;
b. the entity's risk assessment process;
c. the information system, including the related business processes, relevant to financial reporting, and communication;
d. control activities;
e. monitoring of controls.

A. Control Environment

The control environment means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity. The control environment has an effect on the effectiveness of the specific control procedures. A strong control environment, for example, one with tight budgetary controls and an effective internal audit function, can significantly complement specific control procedures. However, a strong environment does not, by itself, ensure the effectiveness of the internal control system.

Factors reflected in the control environment include:
- The function of the board of directors and its committees;
- Management's philosophy and operating style;
- The entity's organizational structure and methods of assigning authority and responsibility;
- Management's control system including the internal audit function, personnel policies and procedures and segregation of duties.

The environment in which internal control operates has an impact on the effectiveness of the specific control procedures. Several factors comprise the control environment, including:

1. Communication and Enforcement of Integrity and Ethical Values. Integrity and ethical values are essential elements of the internal control environment. They affect the design, administration, and monitoring of other components of internal control. An entity's ethical and behavioral standards and the manner in which it communicates and reinforces them determine the entity's integrity and ethical behavior. Integrity and ethical values include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements, a code of conduct, and management's example of appropriate behavior.
2. Commitment to Competence. Competence is the knowledge and skills necessary to accomplish tasks that define an employee's job. Commitment to competence means that management considers the competence levels for particular jobs in determining the skills and knowledge required of each employee and that it hires employees competent to perform the tasks.
3. Participation by those Charged with Governance. An entity's control consciousness is influenced significantly by those charged with governance. Attributes of those charged with governance include independence from management, their experience and stature, the extent of their involvement and scrutiny of activities, the appropriateness of their actions, the information they receive, the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external auditors. The importance of responsibilities of those charged with governance is recognized in codes of practice and other regulations or guidance produced for the benefit of those charged with governance. Other responsibilities of those charged with governance include oversight of the design and effective operation of whistle blower procedures and the process for reviewing the effectiveness of the entity's internal control.
4. Management's Philosophy and Operating Style. This refers to management's attitude towards (a) business risk, (b) financial reporting, (c) meeting budget, profit and other established goals which all have impact on the reliability of the financial statements. Management's approach to taking and monitoring business risks, its conservative or aggressive selection from alternative accounting principles, its conscientiousness and conservatism in developing accounting estimates, and its attitude toward information processing and the accounting function and personnel are factors that affect the control environment.
5. Organizational Structure. The responsibilities and authorities of the various personnel within the organization should be established in such a manner as to (1) assist the entity in meeting its goals and objectives and (2) ensure that transactions are processed, recorded, summarized and reported in an accurate and timely manner. Organizational structure provides the overall framework for planning, directing and controlling operations.
6. Assignment of Authority and Responsibility. Personnel within an organization need to have a clear understanding of their responsibilities and the rules and regulations that govern their actions. Management may develop job descriptions and computer system documentation. It may also establish policies regarding acceptable business practice, conflicts of interest and code of conduct.
7. Human Resources Policies and Procedures. Perhaps the most important element of an internal accounting control system is the people who perform and execute the established policies and procedures. Personnel policies should be adopted by the client to reasonably ensure that only capable and honest persons are hired and retained. Policies with respect to employee selection, training, and supervision should be adopted and implemented by the client. The selection of competent and honest personnel does not automatically assure that errors or irregularities will not occur. However, adequate personnel policies, coupled with the design concepts suggested earlier in this section, enhance the likelihood that the client's policies and procedures will be followed.

B. Entity's Risk Assessment Process

Risk assessment is the "identification, analysis, and management of risks pertaining to the preparation of financial statements". For example, risk assessment may focus on how the entity considers the possibility of transactions not being recorded or identifies and assesses significant estimates recorded in the financial statements.

An entity's risk assessment process is its process for identifying and responding to business risks and the results thereof. For financial reporting purposes, the entity's risk assessment process includes how management identifies risks relevant to the preparation of financial statements that are presented fairly, in all material respects, in accordance with the entity's applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them. For example, the entity's risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.

Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:

- Changes in operating environment. Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.
- New personnel. New personnel may have a different focus on or understanding of internal control.
- New or revamped information systems. Significant and rapid changes in information systems can change the risk relating to internal control.
- Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.
- New technology. Incorporating new technologies into production processes or information systems may change the risk associated with internal control.
- New business models, products, or activities. Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control.
- Corporate restructurings. Restructurings may be accompanied by staff reductions
and changes in supervision and segregation of duties that may change the risk
associated with internal control.
- Expanded foreign operations. The expansion or acquisition of foreign operations
carries new and often unique risks that may affect internal control, for example,
additional or changed risks from foreign currency transactions.
- New accounting pronouncements. Adoption of new accounting principles or
changing accounting principles may affect risks in preparing financial statements.

The basic concepts of the entity's risk assessment process are relevant to every entity,
regardless of size, but the risk assessment process is likely to be less formal and less
structured in small entities than in larger ones. All entities should have established financial
reporting objectives, but they may be recognized implicitly rather than explicitly in small
entities. Management may be aware of risks related to these objectives without the use of a
formal process but through direct personal involvement with employees and outside
parties.

Considerations Specific to Smaller Entities

Many audits of small entities are carried out entirely by the engagement partner (who may
be a sole practitioner). In such situations, it is the engagement partner who, having personally
conducted the planning of the audit, would be responsible for considering the susceptibility
of the entity's financial statements to material misstatement due to fraud and error.

C. Information System, including the Business Processes, Relevant to Financial Reporting
and Communication

An information system consists of infrastructure (physical and hardware components),
software, people, procedures, and data. Infrastructure and software will be absent, or have
less significance, in systems that are exclusively or primarily manual. Many information
systems make extensive use of IT.

The Information System, Including Related Business Processes, Relevant to Financial
Reporting

The information system relevant to financial reporting objectives, which includes the
accounting system, consists of the procedures and records designed and established to:

- Initiate, record, process, and report entity transactions (as well as events and
conditions) and to maintain accountability for the related assets, liabilities, and
equity;
- Resolve incorrect processing of transactions, for example, automated suspense files
and procedures followed to clear suspense items out on a timely basis;
- Process and account for system overrides or bypasses to controls;
- Transfer information from transaction processing systems to the general ledger;
- Capture information relevant to financial reporting for events and conditions other
than transactions, such as the depreciation and amortization of assets and changes
in the recoverability of accounts receivables; and
- Ensure information required to be disclosed by the applicable financial reporting
framework is accumulated, recorded, processed, summarized and appropriately
reported in the financial statements.

Journal Entries

An entity's information system typically includes the use of standard journal entries that are
required on a recurring basis to record transactions. Examples might be journal entries to
record sales, purchases, and cash disbursements in the general ledger, or to record
accounting estimates that are periodically made by management, such as changes in the
estimate of uncollectible accounts receivable.

An entity's financial reporting process also includes the use of non-standard journal entries
to record non-recurring, unusual transactions or adjustments. Examples of such entries
include consolidating adjustments and entries for a business combination or disposal or
nonrecurring estimates such as the impairment of an asset. In manual general ledger
systems, non-standard journal entries may be identified through inspection of ledgers,
journals, and supporting documentation. When automated procedures are used to maintain
the general ledger and prepare financial statements, such entries may exist only in
electronic form and may therefore be more easily identified through the use of
computer-assisted audit techniques.

Related Business Processes

An entity's business processes are the activities designed to:
- Develop, purchase, produce, sell and distribute an entity's products and services;
- Ensure compliance with laws and regulations; and
- Record information, including accounting and financial reporting information.

Business processes result in the transactions that are recorded, processed and reported by
the information system. Obtaining an understanding of the entity's business processes,
which include how transactions are originated, assists the auditor in obtaining an understanding
of the entity's information system relevant to financial reporting in a manner that is
appropriate to the entity's circumstances.

Accordingly, an information system encompasses methods and records that:

- Identify and record all valid transactions.
- Describe on a timely basis the transactions in sufficient detail to permit proper
classification of transactions for financial reporting.
- Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements.
- Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
- Present properly the transactions and related disclosures in the financial
statements.

Communication involves providing an understanding of individual roles and responsibilities
pertaining to internal control over financial reporting. It includes the extent to which
personnel understand how their activities in the financial reporting information system
relate to the work of others and the means of reporting exceptions to an appropriate higher
level within the entity. Open communication channels help ensure that exceptions are
reported and acted on.

Communication takes such forms as policy manuals, accounting and financial reporting
manuals, and memoranda. Communication also can be made electronically, orally, and
through the actions of management.

Application to Small Entities

Information systems and related business processes relevant to financial reporting in small
entities are likely to be less formal than in larger entities but their role is just as significant.
Small entities with active management involvement may not need extensive descriptions of
accounting procedures, sophisticated accounting records, or written policies.
Communication may be less formal and easier to achieve in a small entity than in a larger
entity due to the small entity's size and fewer levels as well as management's greater
visibility and availability.

D. Control Activities

Control activities are the policies and procedures that help ensure that management
directives are carried out, for example, that necessary actions are taken to address risks that
threaten the achievement of the entity's objectives. Control activities, whether within IT or
manual systems, have various objectives and are applied at various organizational and
functional levels.

The major categories of control procedures are:

A. Performance Review
B. Information Processing Controls
1) Proper authorization of transactions and activities
2) Segregation of duties
3) Adequate documents and records
4) Safeguards over access to assets; and
5) Independent checks on performance
C. Physical controls

A brief discussion of these control procedures follows:

A. Performance Review

In a performance review management uses accounting and operating data to assess
performance, and it then takes corrective action. Such reviews include:

- comparing actual performance (or operating results) with budgets, forecasts, prior
period performance, or competitors' data or tracking major initiatives such as
cost-containment or cost-reduction programs to measure the extent to which targets
are being met.
- investigating performance indicators based on operating or financial data, such as
quantity or purchase price variances or the percentage of returns to total orders.
- reviewing functional or activity performance, such as relating the performance of a
manager responsible for a bank's consumer loans with some standard, such as
economic statistics or targets.

Personnel at various levels in an organization may make performance reviews. Performance
reviews may be used by managers for the sole purpose of making operating decisions. For
example, managers may analyze performance data and base operating decisions on them
because the data are consistent with their expectations. This type of review improves the
reliability of the data. However, when managers follow up on unexpected results
determined by a financial reporting system, performance reviews become a useful control
over financial reporting.

B. Information Processing Controls

Information processing controls are policies and procedures designed to require
authorization of transactions and to ensure the accuracy and completeness of transaction
processing. Control activities may be classified according to the scope of the system they
affect. General controls are control activities that prevent or detect errors or irregularities
for all accounting systems. General controls affect all transaction cycles and apply to
information processing as a center, hardware and systems software acquisition and
maintenance, and backup and recovery procedures. Application controls are controls that
pertain to the processing of a specific type of transaction, such as payroll, or sales and
collections. These controls help ensure that transactions occurred, are authorized, and are
completely and accurately recorded and processed. Examples of application controls
include checking the arithmetical accuracy of records, maintaining and reviewing accounts
and trial balances, automated controls such as input data and numerical sequence checks,
and manual follow-up of exception reports. General IT-controls are policies and procedures
that relate to many applications and support the effective functioning of application
controls by helping to ensure the continued proper operation of information systems.
General IT-controls commonly include controls over data center and network operations;
system software acquisition, change and maintenance; access security; and application
system acquisition, development, and maintenance. These controls apply to mainframe,
mini-frame, and end-user environments. Examples of such general IT-controls are program
change controls, controls that restrict access to programs or data, controls over the
implementation of new releases of packaged software applications, and controls over
system software that restrict access to or monitor the use of system utilities that could
change financial data or records without leaving an audit trail.

Internal controls relating to the accounting system are concerned with achieving objectives
such as:

- Transactions are executed in accordance with management's general or specific
authorization.
- All transactions and other events are promptly recorded in the correct amount, in
the appropriate accounts and in the proper accounting period so as to permit
preparation of financial statements in accordance with an identified financial
reporting framework.
- Access to assets and records is permitted only in accordance with management's
authorization.
- Recorded assets are compared with the existing assets at reasonable intervals and
appropriate action is taken regarding any differences.

Control activities related to the processing of transactions may be grouped as follows: (1)
proper authorization, (2) design and use of adequate documents and records, and (3)
independent checks on performance.

1. Proper authorization of transactions and activities.
As suggested earlier, authorization for the execution of transactions flows from the
stockholders to management and its subordinates. Before a transaction is entered
into with another party, certain conditions must usually be met. As part of the
evaluation of the potential transaction, documentation will be created. The auditor
uses this documentation to determine whether business transactions are properly
authorized. For example, the purchase of inventory may create a purchase order, a
receiving report, and a vendor invoice. By inspecting these documents and
comparing them with company policy, the auditor may be reasonably satisfied that
a business transaction was authorized and executed in a manner consistent with
company policy.

2. Segregation of duties.
An important element in designing an internal accounting control system that
safeguards assets and reasonably ensures the reliability of the accounting records
is the concept of segregation of responsibilities. No one person should be assigned
duties that would allow that person to commit an error or perpetrate fraud and to
conceal the error or fraud. For example, the same person should not be
responsible for recording the cash received on account and for posting the receipts
to the accounting records.

3. Adequate documents and records
The use of adequate documents and records allows the company to obtain
reasonable assurance that all valid transactions have been recorded.

4. Access to assets
The resources of a client can be protected by the establishment of physical barriers
and appropriate policies. For example, inventories may be kept in a storeroom, or
negotiable instruments may be placed in a safe deposit box. Appropriate company
policies are adopted so that only authorized persons have access to company
resources. Safeguarding of assets is more than establishing physical barriers. A
client should design its internal accounting control system so that documents
authorizing the movement of assets into an organization or out of an organization
are adequately controlled.

5. Independent checks on performance
The objective of a well-designed internal accounting control system is the adoption
of procedures that periodically compare the actual asset with its recorded balance.
Regardless of the effectiveness of an internal control system, some transactions
may not be accurately recorded, and some assets may be misappropriated. An
important part of an internal accounting control system is to determine the
effectiveness of recording policies and asset access policies. This is accomplished
by periodic counts of assets by the client and comparing the counts to the balances
in the general ledger account. Examples are the count of inventory and the
preparation of monthly bank reconciliation.

C. Physical Controls

Controls that encompass:
- The physical security of assets, including adequate safeguards such as secured
facilities over access to assets and records.
- The authorization for access to computer programs and data files.
- The periodic counting and comparison with amounts shown on control records (for
example, comparing the results of cash, security and inventory counts with
accounting records).

The extent to which physical controls intended to prevent theft of assets are relevant to the
reliability of financial statement preparation, and therefore the audit, depends on
circumstances such as when assets are highly susceptible to misappropriation.

The concepts underlying control activities in small entities are likely to be similar to those in
larger entities, but the formality with which they operate varies. Further, small entities may
find that certain types of control activities are not relevant because of controls applied by
management. For example, management's retention of authority for approving credit sales,
significant purchases, and drawdowns on lines of credit can provide strong control over
those activities, lessening or removing the need for more detailed control activities. An
appropriate segregation of duties often appears to present difficulties in small entities. Even
companies that have only a few employees, however, may be able to assign their
responsibilities to achieve appropriate segregation or, if that is not possible, to use
management oversight of the incompatible activities to achieve control objectives.

E. Monitoring of Controls

Monitoring, the final component of internal control, is the process that an entity uses to
assess the quality of internal control over time. Monitoring involves assessing the design
and operation of controls on a timely basis and taking corrective action as necessary.
Management monitors controls to consider whether they are operating as intended and to
modify them as appropriate for changes in conditions. In many entities, internal auditors
evaluate the design and operation of internal control and communicate information about
strengths and weaknesses and recommendations for improving internal control.

Some monitoring activities may include communications from external parties. For example,
customers implicitly corroborate sales data by paying their bills or raising questions. Also,
bank regulators, other regulators, and outside auditors may communicate about the design
or effectiveness of internal control.

Monitoring activities may include using information from communications from external
parties that may indicate problems or highlight areas in need of improvement. Customers
implicitly corroborate billing data by paying their invoices or complaining about their
charges. In addition, regulators may communicate with the entity concerning matters that
affect the functioning of internal control, for example, communications concerning
examinations by bank regulatory agencies. Also, management may consider
communications relating to internal control from external auditors in performing
monitoring activities.

Application to Small Entities

Ongoing monitoring activities of small entities are more likely to be informal and are
typically performed as a part of the overall management of the entity's operations.
Management's close involvement in operations often will identify significant variances from
expectations and inaccuracies in financial data leading to corrective action to the control.
FRAUD AND ERROR

INTRODUCTION

Fraud is an intentional act involving the use of deception that results in a material
misstatement of the financial statements. Two types of misstatements are relevant to
auditors' consideration of fraud: (a) misstatements arising from misappropriation of assets,
and (b) misstatements arising from fraudulent financial reporting. Intent to deceive is what
distinguishes fraud from errors. Auditors routinely find financial errors in their client's
books, but those errors are not intentional.

TYPES OF MISSTATEMENTS
a. Misstatements arising from misappropriation of assets
b. Misstatements arising from fraudulent financial reporting

Misstatements arising from misappropriation of assets

Asset misappropriation occurs when a perpetrator steals or misuses an organization's
assets. Asset misappropriations are the dominant fraud scheme perpetrated against small
business and the perpetrators are usually employees. Asset misappropriations can be
accomplished in various ways, including embezzling cash receipts, stealing assets, or causing
the company to pay for goods or services that were not received.

Asset misappropriation commonly occurs when employees:
- Gain access to cash and manipulate accounts to cover up cash thefts.
- Manipulate cash disbursements through fake companies.
- Steal inventory or other assets and manipulate the financial records to cover up
the fraud.

Misstatements arising from Fraudulent Financial Reporting

The intentional manipulation of reported financial results to misstate the economic
condition of the organization is called fraudulent financial reporting. The perpetrator of
such a fraud generally seeks gain through the rise in stock price and the commensurate
increase in personal wealth. Sometimes the perpetrator does not seek direct personal gain,
but instead uses the fraudulent financial reporting to "help" the organization avoid
bankruptcy or to avoid some other negative financial outcome. Three common ways in
which fraudulent financial reporting can take place include:

1. Manipulation, falsification, or alteration of accounting records or supporting
documents.
2. Misrepresentation or omission of events, transactions, or other significant
information.
3. Intentional misapplication of accounting principles.

THE FRAUD TRIANGLE

The Fraud Triangle characterizes incentives, opportunities and rationalizations that enable
fraud to exist.

The three elements of the fraud triangle are:
- Incentive to commit fraud
- Opportunity to commit and conceal the fraud
- Rationalization - the mindset of the fraudster to justify committing
the fraud.

Incentives or Pressures to Commit Fraud

Incentives relating to asset misappropriation include:
- Personal factors, such as severe financial considerations
- Pressure from family, friends, or the culture to live a more lavish lifestyle than
one's personal earnings allow for
- Addictions to gambling or drugs

Incentives relating to fraudulent financial reporting include:
- Management compensation schemes
- Other financial pressures for either improved earnings or an improved balance
sheet
- Debt covenants
- Pending retirement or stock option expirations
- Personal wealth tied to either financial results or survival of the company
- Greed - for example, the backdating of stock options was performed by individuals
who already had millions of pesos of wealth through stock

Opportunities to Commit Fraud

One of the most fundamental and consistent findings in fraud research is that there must be
an opportunity for fraud to be committed. Although this may sound obvious - that is,
"everyone has an opportunity to commit fraud" - it really conveys much more. It means not
only that an opportunity exists, but either there is a lack of controls or the complexities
associated with a transaction are such that the perpetrator assesses the risk of being caught
as low. Some of the opportunities to commit fraud that the top management should
consider include the following:
- Significant related-party transactions
- A company's industry position, such as the ability to dictate terms or conditions to
suppliers or customers that might allow individuals to structure fraudulent
transactions
- Management's inconsistency involving subjective judgments regarding assets or
accounting estimates
- Simple transactions that are made complex through an unusual recording process
- Complex or difficult to understand transactions, such as financial derivatives or
special-purpose entities
- Ineffective monitoring of management by the board, either because the board of
directors is not independent or effective, or because there is a domineering manager
- Complex or unstable organizational structure
- Weak or nonexistent internal controls

Rationalizing the Fraud

For asset misappropriation, personal rationalizations often revolve around mistreatment by
the company or a sense of entitlement (such as, "the company owes me!") by the individual
perpetrating the fraud. Following are some common rationalizations for asset
misappropriation:
- Fraud is justified to save a family member or loved one from financial crisis.
- We will lose everything (family, home, car and so on) if we don't take the money.
- No help is available from outside.
- This is "borrowing", and we intend to pay the stolen money back at some point.
- Something is owed by the company because others are treated better.
- We simply do not care about the consequences of our actions or of accepted
notions of decency and trust; we are for ourselves.

For fraudulent financial reporting, the rationalization can range from "saving the company"
to personal greed, and may include the following:
- This is a one-time thing to get us through the current crisis and survive until things
get better.
- Everybody cheats on the financial statements a little; we are just playing the same
game.
- We will be in violation of all of our debt covenants unless we find a way to get this
debt off the financial statements.
- We need a higher stock price to acquire company XYZ, or to keep our employees
through stock options, and so forth.

Risk Factors Contributory to Misappropriation of Assets

Misappropriation of assets involves the theft of an entity's assets and is often perpetrated
by employees in relatively small and immaterial amounts. However, it can also involve
management who are usually more able to disguise or conceal misappropriations in ways
that are difficult to detect. Misappropriation of assets can be accomplished in a variety of
ways including:
- Embezzling receipts (for example, misappropriating collections on accounts receivable
or diverting receipts in respect of written-off accounts to personal bank accounts).
- Stealing physical assets or intellectual property (for example, stealing inventory for
personal use or for sale, stealing scrap for resale, colluding with a competitor by
disclosing technological data in return for payment).
- Causing an entity to pay for goods and services not received (for example, payments to
fictitious vendors, kickbacks paid by vendors to the entity's purchasing agents in return
for inflating prices, payments to fictitious employees).
- Using an entity's assets for personal use (for example, using the entity's assets as
collateral for a personal loan or a loan to a related party).

Misappropriation of assets is often accompanied by false or misleading records or
documents in order to conceal the fact that the assets are missing or have been pledged
without proper authorization.

A. Incentives / Pressures

1. Personal financial obligations may create pressure on management or
employees with access to cash or other assets susceptible to theft to
misappropriate those assets.
2. Adverse relationships between the entity and employees with access to cash or
other assets susceptible to theft may motivate those employees to
misappropriate those assets. For example, adverse relationships may be
created by the following:
a. Known or anticipated future employee layoffs.
b. Recent or anticipated changes to employee compensation or benefit plans.
c. Promotions, compensation, or other rewards inconsistent with
expectations.

B. Opportunities

1. Certain characteristics or circumstances may increase the susceptibility of
assets to misappropriation. For example, opportunities to misappropriate
assets increase when the following situations exist:
a. large amounts of cash on hand or processed.
b. inventory items that are small in size, of high value, or in high demand.
c. fixed assets which are small in size, marketable, or lacking observable
identification of ownership.

2. Inadequate internal control over assets may increase the susceptibility of
misappropriation of those assets. For example, misappropriation of assets may
occur because of the following:
a. Inadequate segregation of duties or independent checks.
b. Inadequate oversight of senior management expenditures, such as travel
and other reimbursements.
c. Inadequate management oversight of employees responsible for assets, for
example, inadequate supervision or monitoring of remote locations.
d. Inadequate job applicant screening of employees with access to assets.
e. Inadequate record keeping with respect to assets.
f. Inadequate system of authorization and approval of transactions (for
example, in purchasing).
g. Inadequate physical safeguards over cash, investments, inventory, or fixed
assets.
h. Lack of complete and timely reconciliations of assets.
i. Lack of timely and appropriate documentation of transactions, for example,
credits for merchandise returns.
j. Lack of mandatory vacations for employees performing key control
functions.
k. Inadequate management understanding of information technology, which
enables information technology employees to perpetrate a
misappropriation.
l. Inadequate access controls over automated records, including controls over
and review of computer systems event logs.

C. Attitudes / Rationalizations

1. Disregard for the need for monitoring or reducing risks related to misappropriation
of assets.
2. Disregard for internal control over misappropriation of assets by overriding existing
controls or by failing to correct known internal control deficiencies.
3. Behavior indicating displeasure or dissatisfaction with the entity or its treatment of
the employee.
4. Changes in behavior or lifestyle that may indicate assets have been
misappropriated.
5. Tolerance of petty theft.

Risk Factors Contributory to Fraudulent Financial Reporting

Fraudulent financial reporting may be accomplished by the following:
- Manipulation, falsification (including forgery), or alteration of accounting records
or supporting documentation from which the financial statements are prepared.
- Misrepresentation in, or intentional omission from, the financial statements of
events, transactions or other significant information.
- Intentional misapplication of accounting principles relating to amounts,
classification, manner of presentation, or disclosure.

Fraudulent financial reporting involves intentional misstatements including omissions of
amounts or disclosures in financial statements to deceive financial statement users. It can
be caused by the efforts of management to manage earnings in order to deceive financial
statement users by influencing their perceptions as to the entity's performance and
profitability. Such earnings management may start out with small actions or inappropriate
adjustment of assumptions and changes in judgments by management. Pressures and
incentives may lead these actions to increase to the extent that they result in fraudulent
financial reporting. Such a situation could occur when, due to pressures to meet market
expectations or a desire to maximize compensation based on performance, management
intentionally takes positions that lead to fraudulent financial reporting by materially
misstating the financial statements. In some entities, management may be motivated to
reduce earnings by a material amount to minimize tax or inflate earnings to secure bank
financing.

Fraud, whether fraudulent financial reporting or misappropriation of assets, involves
incentive or pressure to commit fraud, a perceived opportunity to do so and some
rationalization of the act.

A. Incentive / Pressure. Incentive or pressure to commit fraudulent financial
reporting may exist when management is under pressure, from sources outside or
inside the entity, to achieve an expected (and perhaps unrealistic) earnings target
or financial outcome - particularly since the consequences to management for
failing to meet financial goals can be significant.

B. Opportunities. A perceived opportunity to commit fraud may exist when an
individual believes internal control can be overridden, for example, because the
individual is in a position of trust or has knowledge of specific weaknesses in
internal control.

Fraudulent financial reporting often involves management override of controls that
otherwise may appear to be operating effectively. Fraud can be committed by
management overriding controls using such techniques as:
- Recording fictitious journal entries, particularly close to the end of an
accounting period, to manipulate operating results or achieve other objectives.
- Inappropriately adjusting assumptions and changing judgments used to
estimate account balances.
- Omitting, advancing or delaying recognition in the financial statements of
events and transactions that have occurred during the reporting period.
- Concealing, or not disclosing, facts that could affect the amounts recorded in
the financial statements.
- Engaging in complex transactions that are structured
to misrepresent the financial position or financial performance of the entity.
- Altering records and terms related to significant and unusual transactions.

C. Rationalizations. Individuals may be able to rationalize committing a fraudulent act. Some individuals possess an attitude, character or set of ethical values that allow them knowingly and intentionally to commit a dishonest act. However, even otherwise honest individuals can commit fraud in an environment that imposes sufficient pressure on them.

Responsibility for the Prevention and Detection of Fraud

The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. This involves a commitment to creating a culture of honesty and ethical behavior which can be reinforced by an active oversight by those charged with governance. In exercising oversight responsibility, those charged with governance consider the potential for override of controls or other inappropriate influence over the financial reporting process, such as efforts by management to manage earnings in order to influence the perceptions of analysts as to the entity's performance and profitability.
