
Performance strategy

Level 6

Chapter one
Enterprise governance and risk
Enterprise governance can be
defined as: The set of
responsibilities and practices
exercised by the board and executive
management with the goal of
providing strategic direction,
ensuring that objectives are
achieved, ascertaining that risks are
managed appropriately and verifying
that the organization's resources are

Enterprise governance describes a
framework covering both the corporate
governance and business governance
aspects of an organization.
Enterprise governance constitutes the
entire accountability framework of an
organization. It has two dimensions:
1. Conformance or corporate governance.
2. Performance or business governance.


Good corporate governance is important and it is
critical that failures in this area are addressed properly.
However, good corporate governance on its own
cannot make an organization successful. There is a
danger that insufficient attention is paid to the need
for organizations to create wealth or stakeholder
value. Strategy and performance are also important.
The key message of enterprise governance is that an
organization must balance the two dimensions of
conformance and performance needs to ensure long-term success.

The conformance dimension

This tends to take a historic view and covers corporate governance
issues such as:

roles of the chairman and CEO

the role and composition of the board of directors
board committees
controls assurance
risk management for compliance.

Codes and/or standards can generally address this dimension with
compliance being subject to assurance and/or audit.
There are established oversight mechanisms for the board to ensure
that good corporate governance processes are effective. These might
include committees composed mainly or wholly of independent non-executive directors, particularly the audit committee or its equivalent
in countries where the two-tier board system is the norm. Other
committees are usually the nominations committee and the
remuneration committee.

The performance dimension

This tends to take a forward-looking view. The performance dimension centers
on strategy and value creation. The focus is on helping the board to make
strategic decisions, to understand its appetite for risk and its key performance
drivers. This dimension does not lend itself easily to a regime of standards
and audit. Instead, it is desirable to develop a range of best practice tools and
techniques such as scorecards and strategic enterprise systems that can be
applied intelligently within different types of organization.
However, while it is true that strategy is the responsibility of the full board,
there are no dedicated oversight mechanisms comparable to the audit
committee. Remuneration and financial reporting are scrutinized by a
specialist board committee of independent non-executive directors and
referred back to the full board. In contrast, the crucial area of strategy does
not receive the same dedicated attention. There is therefore an oversight gap
in respect of strategy.
One way of dealing with this would be to establish a strategy committee of
similar status to the other board committees. However, this might put at risk
the fundamental tenet that the board must take collective decisions on
matters of strategy.

The CIMA Strategic Scorecard

The CIMA Strategic Scorecard was developed in response to the key
findings that emerged from a project led by the International
Federation of Accountants (IFAC) and CIMA to develop the framework
of enterprise governance.
The CIMA Strategic Scorecard™ is a tool for helping boards of any
organization to engage effectively in the strategic process in spite of
the numerous challenges in the way, such as compliance
requirements, information overload and sheer lack of time.
The uniqueness of the scorecard lies in the fact that it:
Summarizes the key aspects of the environment in which an
organization is operating to ensure that the board is aware of changing
competitor, economic and other factors.
Identifies the (key) strategic options that could have a material
impact on the strategic direction of the organization and helps the board to
determine which options will be developed further and implemented.

Charts for the board the significant steps or milestones in relation
to the chosen strategic plans to be achieved in the coming period and then
tracks performance against these.

Highlights the risks facing the board in its strategic endeavors and
moves these into manageable opportunities or mitigation plans.

The CIMA Strategic Scorecard in

The CIMA Strategic Scorecard is shown below with its four dimensions.
Strategic position
Strategic options
Strategic implementation
Strategic risks

The scorecard is a pragmatic and flexible tool that is designed to help
boards to fulfill their responsibilities to contribute to and oversee strategy
effectively. It is important to emphasize that it remains the role of the
management team to develop and propose the strategy; it is not for the
board to undertake the detailed strategic planning. The board's focus
should be to challenge the strategy constructively, endorse it and
monitor its implementation.
It is also important to note that the implementation of the scorecard
assumes that the organization has already determined its broad strategic
direction and has a strategic plan in place. The scorecard represents a
process for developing and moving this strategy forward in a dynamic


The objectives of the scorecard are to:

Assist the board, in particular the non-executive directors, in the
oversight of an organization's strategic process. In effect, it gives the
board the big picture.

Provide an integrated and dynamic framework for dealing with
strategy at board level that focuses on the major strategic issues facing
the organization and ensures that the strategy is discussed at board level
on a regular basis.

Provide strategic information in a consistent and summarized
format to help directors to obtain sufficient grasp of the material so that
they can offer constructive, informed input.

Assist the board in dealing with strategic choice and
transformational change and the attendant risks.

Provide assurance to the board in relation to the organization's
strategic position and progress.

Assist the board in identifying key points at which it needs to
take decisions.


The four dimensions of the scorecard are summarized below.

1 Strategic position
This focuses on information that is required to assess the organization's current and likely future position. It
covers externally focused information such as economic and market developments and market share as well
as internal issues such as competences and resources.
The purpose of this dimension is to:
Ensure that the board and executive management share a common understanding of the
relevant facts on the strategic position.
Provide assurance to the board that management is reviewing its strategic position
appropriately. In particular, the board will wish to know that the management team is considering the
right information at the right time.
Provide the board with a summary of the analysis undertaken so that the board can
review it, discuss its implications and challenge it in a constructive manner. This then helps
management to refine its thinking on the strategic position.
2 Strategic options
Having set the scene with relevant background and information, the focus of the scorecard shifts towards
decision making. Strategic options can be defined as those options that have the greatest potential for
creating or destroying stakeholder value.
The purpose of this dimension is to:
Provide assurance to the board that management is identifying, developing and
analyzing a comprehensive range of strategic options available to the organization on a continuous
Provide the board with a summary of the options so that the board can discuss them
constructively and decide which should be developed further into a formal business plan for a separate
and more detailed board debate. During the course of the scorecard discussion, the board may identify
other options that have not been considered or reframe the ones that have been presented, for
example, by combining two options into one. In essence, what the board is doing is scoping out the
options in broad terms. The purpose of the scorecard is to set out the landscape rather than consider
each option in detail.
3 Strategic implementation
At this point, the emphasis of the scorecard is to identify key milestones for the board and to monitor
implementation of the agreed strategy. Decisions on appropriate action may be required if things are not
proceeding as planned.
4 Strategic risks

How the CIMA Strategic Scorecard relates to the balanced scorecard

The CIMA Strategic Scorecard and the balanced scorecard differ in the way that
they are used at other levels of the organization. The CIMA Strategic Scorecard
is primarily a high-level tool for use by boards and executive management in
exercising strategic oversight. It can also be used by strategic business units
(SBUs) or divisions of an organization. This contrasts with the balanced scorecard
which is often cascaded to lower levels of the organization. Many organizations
have prepared lower-level scorecards e.g. at business unit, department and even
individual level. These scorecards are designed to be used as a management tool
to support implementation of the organization's agreed strategy.
Unlike the CIMA Strategic Scorecard, the balanced scorecard is not really
designed to address strategic issues that confront the organization as a result of
major external disruption such as market collapse, competitor activity or
regulatory change. Nor does it help with strategic choices, for example, whether
to undertake mergers and acquisitions.
Despite these differences, there is a link between the two scorecards in that, as
we have seen, the balanced scorecard can supplement the strategic
implementation dimension of the CIMA Strategic Scorecard. This then provides
a clear cycle from the strategic position through to options and then to

What is risk?
The management of risk should have a strategic dimension. Risks
facing an organization are those that affect the achievement of
its overall objectives, which should be reflected in its strategic
aims. Risk should be managed and there should be strategies for
dealing with risk.
Risk in business is the chance that future events or results may not be
as expected.
Risk is often thought of as purely bad (pure or 'downside' risk), but
it must be considered that risk can also be good: the results may be
better than expected as well as worse (speculative or 'upside' risk).
Businesses must be able to identify the principal sources of risk if they
are to be able to assess and measure the risks that the organization

Risk is inherent in a situation whenever an outcome is not
inevitable. Uncertainty, in contrast, arises from ignorance and a
lack of information.

Risk Vs. Uncertainty

At this point it is important to distinguish
between risk and uncertainty.
Uncertainty: The lack of complete
certainty, that is, the existence of
more than one possibility. The "true"
outcome/state/result/value is not known.
Risk: A state of uncertainty where
some of the possibilities involve a
loss, catastrophe, or other
undesirable outcome.

Why incur risk?

To generate higher returns a business may have to
take more risk in order to be competitive.
Conversely, not accepting risk tends to make a
business less dynamic, and implies a 'follow the
leader' strategy.
Incurring risk also implies that the returns from
different activities will be higher, benefit being the
return for accepting risk.
Benefits can be financial (decreased costs) or
intangible (better quality information).
In both cases, these will lead to the business being
able to gain competitive advantage.

Types and sources of risk for business organizations

This risk can be broken up into different types:
Political risk - Risk due to political instability.
Generally considered to be external to the
Legal/litigation risk - Risk that litigation will be
brought against the business.
Regulatory risk - Risk of changes in regulation
affecting the business.
Compliance risk - Risk of non-compliance with
the law resulting in fines/penalties, etc.

Political, legal and

These are the risks that businesses face
because of the regulatory regime that they
operate in. Some businesses may be subject
to very strict regulations, for example
companies that could cause pollution, but
even companies that do not appear to be in a
highly regulated industry have some
regulatory risk. For example all companies
are subject to the risk of employment
legislation changing or customers bringing

Business risk
Business risk is the risk businesses face due to the nature of their
operations and products. Some businesses for instance are reliant on a
single product or small range of products, or they could be reliant on a
key group of staff. The risks can be considered in different categories:
Strategic risk - Risk that business strategies (e.g. acquisitions/product
launches) will fail.
Product risk - Risk of failure of new product launches/loss of interest in
existing products.
Commodity price risk - Risk of a rise in commodity prices (e.g. oil).
Product reputation risk - Risk of change in product's reputation or image.
Operational risk - Risk that business operations may be inefficient or
business processes may fail.
Contractual inadequacy risk - Risk that the terms of a contract do not fully
cover a business against all potential outcomes.
Fraud and employee malfeasance - Considered separately later.

Economic risk
This is the risk that changes in the
economy might affect the business.
Those changes could be inflation,
unemployment rates, international
trade relations or fiscal policy
decisions by government. Again, this
risk is considered to be external to
the business.

Financial risk
Financial risk is a major risk that affects businesses and this
risk is studied in much more depth in later chapters of this
text. Financial risk is a risk of a change in a financial condition
such as an exchange rate, interest rate, credit rating of a
customer, or price of a good.
The main types of financial risk are:
Credit risk - Risk of non-payment by customers.
Political risk - Risk arising from actions taken by a government
that affect financial aspects of the business.
Currency risk - Risk of fluctuations in the exchange rate.
Interest rate risk - Risk that interest rates change.
Gearing risk - Risk in the way a business is financed (debt vs.
equity) (sometimes this is considered part of interest rate risk).

Technology risk
Technology risk is the risk that
technology changes will occur that
either present new opportunities to
businesses, or on the downside make
their existing processes obsolete or

Environmental risk
Environmental risk is the risk that arises from
changes in the environment such as climate
change or natural disasters. Some businesses
may perceive this risk to be low, but for
others, for example insurance companies, it
can be more significant. Insurance companies
have to take environmental risks into account
when deciding policy premiums, and unusual
environmental circumstances can severely
alter the results of insurance businesses.

Corporate reputation risk

Reputation risk is for many organizations a
downside risk as the better the reputation of
the business the more risk there is of losing
that reputation. A good reputation can be
very quickly eroded if companies suffer
adverse media comments or are perceived
to be untrustworthy. This could arise from:
environmental performance
social performance
health & safety performance.

Fraud risk
Fraud risk (a type of operational
business risk) is the vulnerability of an
organization to fraud. Some businesses
are more vulnerable than others to
fraud and as a result have to have
stronger controls over fraud. Fraud risk
is a risk that is considered controllable
by most businesses (see Chapter 6 for
more details on fraud risk).

Employee malfeasance risk

Malfeasance means doing wrong or
committing an offence. Organizations
might be exposed to risks of actions
by employees that result in an
offence or crime (other than fraud).
This, like fraud risk, is a type of
operational business risk.

Risks in international operations

International businesses are subject
to all the risks above but also have to
consider extra risk factors, which
could be due to the following:
Items in transit
Financial risks

Chapter three
Risk management

Risk management
Risk management is defined as: the process of understanding
and managing the risks that the organization is inevitably
subject to in attempting to achieve its corporate objectives.
It can also be defined as the process of planning, organizing,
leading, and controlling the activities of an organization in
order to minimize the adverse effects of accidental losses on
that organization at reasonable cost.
The traditional view of risk management has been one of
protecting the organization from loss through conformance
procedures and hedging techniques; this is about avoiding
the downside risk.
The new approach to risk management is about taking
advantage of the opportunities to increase overall returns
within a business, benefiting from the upside risk.

Enterprise Risk Management (ERM)

Enterprise risk management is the term given to the alignment of risk
management with business strategy and the embedding of a risk
management culture into business operations.
It has been defined as: 'A process, effected by an entity's board of
directors, management and other personnel, applied in strategy
setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement
of entity objectives.'
It can also be defined as a process for ensuring the effective
identification, assessment, and management of all significant risks to
an entity. This includes not only the traditional areas of hazard risk
and financial risk, but also operational risk and strategic risk.
Risk management has transformed from a department focused
approach to a holistic, coordinated and integrated process which
manages risk throughout the organization.

ERM: The Goal

In short, the goal of an enterprise-wide risk management initiative is to
create, protect, and enhance
shareholder value by managing the
uncertainties that could influence
achieving the organization's
ERM framework and the COSO

Cube of implementation and
The ERM framework is geared
to achieving your utility's objectives, which in
every organization center on four main categories:
Strategic - high-level goals, aligned with and supporting your overall mission
Operations - effective and efficient use of resources
Reporting - reliability of reporting
Compliance - compliance with applicable laws and regulations
This leads us to what we call the COSO Cube. The Cube is the interaction of
all of the components of ERM across the organization's financial and operational
areas. The cube works like this:
1. Internal Environment - The internal environment encompasses the
tone of an organization, and sets the basis for how risk is viewed and
addressed by an entity's people, including risk management
philosophy and risk appetite, integrity and ethical values, and the
environment in which they operate.
2. Objective Setting - Objectives must exist before management can
identify potential events affecting their achievement. ERM ensures
that management has a process in place to set objectives and that the
chosen objectives support and align with the entity's mission and are
consistent with its risk appetite.
3. Event Identification - Internal and external events affecting
achievement of an entity's objectives must be identified,
distinguishing between risks and opportunities. Opportunities are

5. Risk Response - Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a
set of actions to align risks with the entity's risk tolerances
and risk appetite.
6. Control Activities - Policies and procedures are established
and implemented to help ensure the risk responses are
effectively carried out.
7. Information and Communication - Relevant information is
identified, captured, and communicated in a form and
timeframe that enable people to carry out their
responsibilities. Effective communication also occurs in a
broader sense, flowing down, across, and up the entity.
8. Monitoring - The entirety of enterprise risk management is
monitored and modifications made as necessary. Monitoring is
accomplished through ongoing management activities,
separate evaluations, or both.

Benefits of effective ERM

enhanced decision making by integrating risks
the resultant improvement in investor
confidence, and hence shareholder value
focus of management attention on the most
significant risks
a common language of risk management
which is understood throughout the
reduced cost of finance through effective
management of risk.

Risk management strategy

Formulation of a risk strategy
For many businesses the specific formulation of a risk
strategy has been a recent development.
In the past a formal strategy for managing risks
would not be made but rather it would be left to
individual managers to make assessments of the
risks the business faced and exercise judgment on
what was a reasonable level of risk.
This has now changed: failure to properly identify
and control risks has been identified as a major
cause of business failure (take Barings Bank as an

A framework for board consideration of risk is:
Risk appetite can be defined as the amount of
risk an organisation is willing to accept in pursuit
of value. This may be explicit in strategies,
policies and procedures, or it may be implicit. It is
determined by:
risk capacity: the amount of risk that the organisation
can bear, and
risk attitude: the overall approach to risk, in terms of
the board being risk averse or risk seeking.
Residual risk is the risk a business faces after its
controls have been considered.

The factors or business strategies, which could affect the risk appetite of
the board of a company include:

Features of a risk management

The following key features of a risk management strategy
were identified:
Statement of the organisation's attitude to risk: the balance
between risk and the need to achieve objectives.
The risk appetite of the organisation.
The objectives of the risk management strategy.
Culture of the organisation in relation to risk (and the behaviour
the organisation expects from individuals with regard to
Responsibilities of managers for the application of risk
management strategy.
Reference should be made to the risk management systems the
company uses (i.e. its internal control systems).
Performance criteria should be defined so that the effectiveness of
risk management can be evaluated.

An alternative risk management

All organisations should develop
a risk management strategy
which will be set in the context of
the organisation's strategic
STEP ONE Risk Assessment

risk evaluation

STEP TWO Risk Reporting

regarding the organisation's policy
for managing risk and its
STEP THREE Risk Treatment (Risk
STEP FOUR Residual Risk
Reporting and monitoring
effectiveness of strategies and
recommend changes as appropriate.

Risk management cycle

Risk management should be a
proactive process that is an integral
part of strategic management.

Risk identification

Some techniques for identifying risk are:

Event inventories and loss event data
Interviews and self-assessment
Facilitated workshops
SWOT analysis
Risk questionnaires and risk surveys
Scenario analysis
Using technology
Other techniques

Quantification of risk
Some quantitative techniques
expected values

value at risk (VaR)

Expected values
Expected value = Σ (prob × X)
where prob = probability, X = outcome

Value at risk

The VaR models provide an appreciation of the degree of exposure of
an asset portfolio to market risks, i.e. to unfavorable fluctuations in
prices, interest rates, exchange rates, etc.
The VaR models assess the maximum potential loss resulting from
unfavorable price fluctuations for a given time horizon at a specific
confidence level.
Many banks measure the risk in their portfolio of assets using a
Value at Risk (VaR) model.
Statistical methods are used to calculate a standard deviation for
the possible variations in the value of the total portfolio of assets over
a specific period of time.
Making an assumption that possible variations in total market value
of the portfolio are normally distributed, it is then possible to predict
at a given level of probability the maximum loss that the bank might
suffer on its portfolio in the time period.
A bank can try to control the risk in its asset portfolio by setting
target maximum limits for value at risk over different time periods
(one day, one week, one month, three months, and so on).
Other methods of measuring or assessing the severity of an identified
risk include:

Value at risk evaluates the potential loss that may be incurred
on a whole portfolio, over a set time frame and subject to a
pre-determined confidence level. It is based on the normal
distribution curve.
A key assumption underlying the calculation of VaR is that possible
changes from time to time in the value of the underlying asset or
portfolio are independent of each other and follow a normal distribution
with a mean of zero.
Step one: calculate the daily volatility, that is the daily
standard deviation. You are given the standard deviation in the
question BUT NB you may have to calculate it if you are given
the standard deviation for a different period.
(If weekly standard deviation is 5,000 then daily deviation = 5,000/√5
= 2,236.)
Step two: using statistical tables, determine the standard
normal value (z) associated with the one-tail confidence level, X
Step three: multiply the result in step one with the result in
step two to obtain the daily VaR.

Yan expects to receive $1M in trading over the
next two weeks. The actual value in $ will depend
on changes in foreign exchange market
conditions which may result in gains or losses.
Possible gains or losses are normally distributed
around a mean of 0 and a weekly standard
deviation of $5,000. What is the daily VaR at 1%?
Step one: daily standard deviation = $5,000/√5 = $2,236
Step two: normal value associated with 99%
confidence is 2.33
Step three: daily value at risk
= 2,236 × 2.33 = $5,210
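
The three-step calculation above, as an added Python example that is not part of the original text. It goes beyond the worked answer by deriving z from the normal distribution instead of tables and by checking VaR against per-horizon limits as described earlier; the 20-day month and the limit amounts are constructed assumptions.

```python
from math import sqrt
from statistics import NormalDist

# Trading days per horizon. "week": 5 matches the text's 5,000/sqrt(5);
# the 20-day month is an assumption made for this example.
TRADING_DAYS = {"day": 1, "week": 5, "month": 20}


def scale_sd(sd, from_period, to_period):
    """Step one: rescale a standard deviation between horizons.

    Under the stated assumption that value changes are independent with
    mean zero, variance grows linearly with time, so the standard
    deviation grows with the square root of time.
    """
    if sd < 0:
        raise ValueError("standard deviation cannot be negative")
    return sd * sqrt(TRADING_DAYS[to_period] / TRADING_DAYS[from_period])


def z_value(confidence, table_decimals=None):
    """Step two: one-tail standard normal value for a confidence level.

    table_decimals=2 reproduces a printed table lookup (0.99 -> 2.33);
    None keeps the exact quantile (0.99 -> 2.3263...).
    """
    if not 0.5 < confidence < 1.0:
        raise ValueError("confidence must be between 0.5 and 1")
    z = NormalDist().inv_cdf(confidence)
    return z if table_decimals is None else round(z, table_decimals)


def value_at_risk(sd, sd_period, horizon, confidence, table_decimals=None):
    """Step three: VaR = rescaled standard deviation x z."""
    return scale_sd(sd, sd_period, horizon) * z_value(confidence, table_decimals)


def limit_breaches(sd, sd_period, confidence, limits, table_decimals=None):
    """Compare VaR at each horizon with a target maximum for that horizon.

    limits maps horizon name -> maximum acceptable VaR. Returns a list of
    (horizon, rounded VaR) pairs for every horizon whose VaR exceeds it.
    """
    breaches = []
    for horizon, limit in limits.items():
        var = value_at_risk(sd, sd_period, horizon, confidence, table_decimals)
        if var > limit:
            breaches.append((horizon, round(var)))
    return breaches


if __name__ == "__main__":
    # Figures from the worked question: weekly sd $5,000, 1% tail (99%).
    daily_sd = scale_sd(5000, "week", "day")
    print(f"daily sd           : {daily_sd:,.0f}")
    print(f"daily VaR (tables) : {value_at_risk(5000, 'week', 'day', 0.99, 2):,.0f}")
    print(f"daily VaR (exact z): {value_at_risk(5000, 'week', 'day', 0.99):,.0f}")

    # Constructed limits, for illustration only.
    sample_limits = {"day": 6000, "week": 11000, "month": 25000}
    print("breaches:", limit_breaches(5000, "week", 0.99, sample_limits, 2))
```

The small gap between the table-based and exact figures comes only from rounding z to two decimals.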

Risk mapping
A common qualitative way of assessing the
significance of risk is to produce a risk map.
The map identifies whether a risk will have a
significant impact on the organisation and links
that into the likelihood of the risk occurring.
The approach can provide a framework for
prioritising risks in the business.
Risks with a significant impact and a high
likelihood of occurrence need more urgent
attention than risks with a low impact and low
likelihood of occurrence.

Risks can be plotted on a diagram,
as shown below

The Risk Register

Should contain as much information as should be
useful for monitoring purposes.
Risk number (unique identifier)
Risk category (benefits?)
Description of risk
Date risk identified
Name of person who identified risk
Consequences (including a monetary value)
Interdependencies with other risks

Risk response strategy

A risk response strategy is determined for each risk that
takes into account the organisation's risk appetite, and a
system of controls is put in place for reporting and
management of risks. There needs to be a risk treatment
or response strategy whereby risks are managed by
alternative courses of action:

stopping an activity,
influencing either or both the likelihood or impact of the risk;
sharing through techniques such as insurance; or
the risk may be accepted.

One of the strategies for managing risk is internal


Importance of risk
The importance of risk management is quite
simply to identify and manage problems that
could prevent an organization from achieving its
Risk management
improves the ability to respond to and mitigate risks
that occur;
it minimizes surprises;
enables advantage to be taken of opportunities;
maintains the organisation's reputation; and
helps the organization to be socially responsible and
be seen as a good corporate citizen.

Purpose and Importance of

Internal Control
Internal controls are the policies and procedures used
by directors and managers to help ensure the
effective and efficient conduct of the business;

The safeguard of assets

Regulatory compliance
The prevention and detection of fraud and error
The accuracy and completeness of accounting records
The timely preparation of reliable financial information

The importance of internal control is quite simply to
manage problems that could prevent an organization
from achieving its objectives.

Risk Treatment (also called risk response)

Avoidance: Action is taken to exit the activities giving rise to risk.
Changing or abandoning goals or objectives specifically associated with the risk in
question, or choosing alternative approaches or processes that remove the risk.
Reduction: Action is taken to mitigate (reduce) the risk likelihood or
impact. This is often through internal controls.
Sharing: Action is taken to share a portion of the risk (outsourcing, joint
Transfer: Action is taken to transfer a portion of the risk (insurance,
Acceptance: No action is taken to affect the likelihood or impact
Risk Reporting: Concerned with regular reports to the Board and Stakeholders
setting out the organisation's policies in relation to risk and the importance of
monitoring the effectiveness of those policies. Residual risk reporting involves a
comparison of gross and net risk which enables a review of risk response
effectiveness and possible alternative management options.
Gross Risk: the assessment of risk before the application of any controls,
transfer or management responses
Net Risk: the assessment of risk, taking into account the application of
any controls, transfer or management response to the risk under
Risk treatment (management)

These methods will limit the risks, and the overall risk management strategy may define
how the risks will be managed and the way these methods will interact.
Avoid risk
A company may decide that some activities are so risky that they should be avoided.
This will always work but is impossible to apply to all risks in commercial organisations as risks have
to be taken to make profits.

Transfer risk
In some circumstances, risk can be transferred wholly or in part to a third party.
A common example of this is insurance. It does reduce/eliminate risks but premiums have to be paid.

Pool risks
Risks from many different transactions can be pooled together: each individual transaction/item has its
potential upside and its downside. The risks tend to cancel each other out, and are lower for the pool
as a whole than for each item individually.

For example, it is common in large group structures for financial risk to be managed centrally.

Diversification is a similar concept to pooling but usually relates to different industries or countries.
The idea is that the risk in one area can be reduced by investing in another area where the risks are
different or ideally opposite.
A correlation coefficient with a value close to −1 is essential if risk is to be nullified.

Risk reduction
Even if a company cannot totally
eliminate its risks, it may reduce them to
a more acceptable level by a form of
internal control.
The internal control would reduce either
the likelihood of an adverse outcome
occurring or the size of a potential loss.
The costs of the control measures should
justify the benefits from the reduced risk.

Hedging risks
Hedging will be considered in detail
when financial risk is examined.
The concept of hedging is that of
reducing risks by entering into
transactions with opposite risk
profiles to deliberately reduce the
overall risks in a business operation
or transaction.

Risk sharing
A company could reduce risk in a
new business operation by sharing
the risk with another party.
This can be a motivation for entering
into a joint venture.

Risk reporting
Managers of a business, and external stakeholders,
will require information regarding the risks facing
the business. A risk reporting system would include:
A systematic review of the risk forecast (at least
A review of the risk strategy and responses to significant
A monitoring and feedback loop on action taken and
assessments of significant risks.
A system indicating material change to business
circumstances, to provide an early warning.
The incorporation of audit work as part of the monitoring
and information gathering process.

Relationship of Risk Management with Internal Control Systems
Risk management is an important precursor to internal control as it allows
the internal controls to be focused on the most significant risks. Therefore
risks are assessed and control activities are determined that relate to the
assessed risks.
The benefits of effective risk management include:
the maintenance of profitability in the medium and longer term;
the avoidance of sudden losses if business continuity is impeded;
the avoidance of profit warnings and major exceptional items;
more cost-effective insurance cover and reduced premium cost;
greater degree of assurance that business continuity will be safeguarded in the
event of a catastrophe;
continued customer satisfaction and the maintenance of the organisation's
reputation with customers, the public and investors.

Risk management roles and

The role and responsibilities of the audit committee should include:
To monitor the integrity of the company's financial statements and any other formal
statements relating to the company's financial performance
To review the company's internal control and risk management systems (unless this
responsibility is given to a separate risk committee or retained by the full board itself)
To monitor and review the effectiveness of the company's internal audit function
To make recommendations to the board about the appointment, re-appointment or
removal of the audit firm as auditors of the company (for the board to make a
recommendation to shareholders)
To approve the remuneration and terms of engagement of the external auditors
To review and monitor the independence and objectivity of the company's external
To review and monitor the effectiveness of the audit process

The audit committee reports to the board, and the board reaches decisions
based on the recommendations of the audit committee. However, if the board
and the audit committee disagree about a particular matter, the audit
committee should have the right to report the disagreement to the

Chapter four
Management Control system

Internal Control
An internal control system comprises the
policies and procedures that an organisation
implements to achieve its objectives and is
used by directors and managers to help
ensure the effective and efficient conduct of
the business;
The safeguard of assets
Regulatory compliance
The prevention and detection of fraud and error
The accuracy and completeness of accounting

Control Environment
The control environment is the attitude,
awareness and actions of directors and
managers in relation to the importance of
internal controls, including the organisation's
culture and values and the style of
management. The control
environment is the necessary
background for internal control
procedures to be developed and
operate effectively.

What is a Management Control

Management control comprises the
processes used by managers to
ensure that organisational goals are
achieved and procedures followed,
and that the organisation responds to
environmental change.

Components of Management
Control Systems (MCS)
All businesses can be thought of as a system. The main
elements of an MCS are:

Comparison to target
Corrective action

Management control can be considered in relation to both
feedback (taking corrective action ex post) and feed forward
(taking action ex ante).
An organisation needs to identify whether it is going to fall
short of any objective as soon as possible, so that it can do
something about it in time.

Levels of Control
(NB make sure you have lots of
examples to illustrate the levels of

Control Structures
NB You may be asked to recommend a change of
structure to improve control
Cost centre
Profit centre
Investment centre


Organisation theory
Organisations are collectives of
people who join together in common
pursuit of shared goals. People form
organisations because they are
unable to achieve their goals as
individuals without marshalling other
resources (money, people, materials,
etc.). Organisations have a high
degree of structure or formality

Organisations as systems
An organisation is a social system, in
which people combine together to
carry out the purpose or purposes for
which the organisation exists.
Control keeps an organisation
together and makes it function in a
way that should enable the
organisation to achieve its objectives

Systems theory
Systems theory has been the foundation for much of
the theory of management accounting control
systems as well as non-financial performance
Systems theory emphasises the importance of
hierarchy in complex systems. Systems are
composed of multiple sub-systems. For example,
organisations are complex systems broken up into
strategic business units, divisions, geographic areas,
departments and teams. Subsystems may also exist
for different aspects of business activity such as
purchasing, production, distribution, administration.

Systems and their

A system is a set of interacting
components that operate together to
accomplish a purpose.
There are inputs to the process, a process
that converts inputs to outputs and then
the output of the process.
All systems have the above characteristics
of input, process and output, but also most
systems have other characteristics as well.

Open and closed systems

A closed system is a set of inter-related components that is
separate from its environment. An example of a simple control
system is the room thermostat which contains a number of
A measurement device to detect the room temperature.
A target temperature that has been pre-set as the comfortable
level that is desired by the occupants.
A mechanism by which the room temperature can be adjusted,
either by cooling or heating to achieve the target temperature.
Open systems are capable of self-regulation when they have
more than one part and contain a programme. In simple terms, a
programme is pre-determined information that guides
subsequent behaviour. A programme exercises control through
the processing of information and decision-making.

Sub-systems: within a system there will usually be sub-systems.
Closed system: these are systems that accept no input from the
environment, are self-contained and cannot respond to change.
These do not exist in business.
Open system: these are systems which accept inputs from their
environment and provide output to the environment. They react to
the environment.
Objective: a system must have an objective to function correctly.
The objective allows the system to be monitored or controlled.
Control: all systems should be controlled if they are not to decay
over time and start to fail to meet their objective. A system must
be controlled to keep it stable or to allow it to change safely.
Control is dependent on receiving and processing information.
Information in the form of feedback allows us to judge how well or
badly a system is performing.

Organisational control
An organisation as a cybernetic system contains three
1. Target-setting level: Targets and performance
standards are set in response to environmental
demands and constraints, such as customer demand for
products and services. The goals are sent to the
operations level.
2. Operations level: Where inputs (money, materials,
labour, etc.) are converted into outputs (products and
3. Control level: Which monitors the outputs and
compares them with the targets and performance
standards established at the target-setting level.

Organisations establish targets in order to achieve their goals
and objectives. These targets for a business organisation will
typically be related to the achievement of shareholder value
or a financial measure such as Economic Value Added
(EVA), Return on Investment (ROI) or Return on Capital
Employed (ROCE). These financial targets will usually be
reflected in budgets and standard costs.
Other targets may be set which are non-financial, such as
market share, customer satisfaction, productivity. In addition,
various performance standards may be established such as
on-time delivery, product quality, employee morale,
investment in research and development. Non-financial
performance measures may be established and reflected in a
measurement tool such as the Balanced Scorecard.


The operation of a business is concerned with converting inputs into
outputs.
Inputs are all the resources that go into the business: money; raw
materials; labour; skills, technology and expertise; information; etc.
Processes are the activities carried out to convert inputs into outputs.
The aim of these processes is to add value to the inputs. These
processes will vary as to whether an organisation is a service
provider, retailer or manufacturer. The processes variously include
purchasing, storage, materials handling, manufacturing, service
delivery, information processing, distribution, etc.
Outputs are the finished products or services that are sold and
delivered to customers. The price charged to customers for the
outputs must exceed the cost of the inputs and the cost of
processing if the business is to make a profit. The same principle
applies to public sector and not-for-profit organisations, the only
difference is that the conversion process does not result in a profit
but in the expenditure of the least possible amount of money to
achieve the best possible circumstances, an approach called value
for money or best value.

Control may be carried out through:
a system in which there is
provision for corrective action
applying either a feedback or feed
forward process; or
a system which includes no
provision for corrective action, as no
human action is involved.

Feedback and feed-forward


Can be negative or positive
Based upon comparison of actual to budgeted performance
Control would be closing the door after the horse has bolted
Forecasting ahead and doing something now before the event occurs
Closing the door before you can see the horse will bolt
Cash budgets would be an example of this
Open and closed loop control systems
In an open loop control (double feedback loop) system, corrective action is not
automatically taken. The output of the system is measured, however environmental
factors will also be considered, along with internal feedback before any control action
is taken.
In a closed loop control (single feedback loop) system, the output is automatically
compared to a pre-determined standard; any exceptions and control action will be
automatically taken.
System classification:
Deterministic / mechanistic: the output can be accurately determined from the input.
Probabilistic: the output cannot be accurately predicted from the input, but it
can be assessed with probability.
Cybernetic: they are self-organising and learn from their mistakes.
Thermostatic: they are ones that reach a pre-set point and then act.

An example of a closed loop system is an inventory
control system that enables management action such as
the ordering of needed stock and the identification of
surplus stock.
An open loop example would provide inventory records
which were not used for ordering. We typically refer to
organisational controls in the context of closed loop
A control is a method of ensuring that targets are
achieved and performance standards attained. Control as
it is used in the context of a control system is the power
of directing or restraining; a means of regulation; a
standard or comparison for checking.

Control of systems
A system must be controlled, to keep
it stable or to allow it to change safely.
Control is dependent on receiving and
processing information. Without
information, there is no way of judging
how well or badly the system is
performing, and so there is no basis
on which to decide whether control
action is necessary.

Feedback control is defined as:

'The measurement of differences between planned outputs and
actual outputs achieved, and the modification of subsequent
action and/or plans to achieve future required results.
Feedback typically takes place through comparing actual with
standard costs, and actual performance with budget. In non-financial
performance measurement, targets and actual
performance are compared. In both cases, corrective action is
taken after the event.'
Feed forward control is defined as:
'The forecasting of differences between actual and planned
outcomes and the implementation of actions before the event
to prevent such differences. Feed forward can take place
during the budget process when forecasts prior to approval
are reviewed as to whether they will contribute to
organisational objectives.'

In order for feedback to work, a feedback loop must be established.
In a feedback loop:
Outputs from a system are measured.
Measured output is reported.
Control information is fed back to a comparator.
Control action is needed (adjustments are made to the inputs to the system,
in order to change future output).
Continual process (measuring output and providing feedback for
comparison with plan).

Open loop systems are where there is scope within the control
mechanism for outside involvement.
Closed loop systems are where the control action is automatic.
Double loop feedback, also called secondary feedback, is the
provision of feedback to a higher level in an organization, where the
original plan can be reviewed and possibly changed.

Negative feedback is feedback taken
to reverse a deviation from standard
(this feedback can amend the input
to the system).
Positive feedback is feedback taken
to reinforce a deviation from
standard (if positive feedback is
taken then it is unlikely that action
will alter the inputs or the standard
level of performance).

Positive feedback refers to a deviation from target that has
a positive impact on the organisation, for example, a higher
than expected income, which does not require corrective
action, although it can lead to valuable learning so that it
can be repeated.
Negative feedback refers to a deviation from target that is
detrimental to the organisation, with corrective action being
required to meet the target, for example, an overspend on
an expense budget.
Double loop (or secondary) feedback indicates that it is the
target that is incorrect rather than behaviour. Corrective
action is to the plan, for example, where standard costs
need to be adjusted to reflect changes in purchasing prices
or working methods.

Control in organisations
To begin, some definitions from CIMA's Official Terminology
are relevant here:
Control is:
The ability to direct the financial and operating policies of an entity
with a view to gaining economic benefits from its activities.

Management control is:

All of the processes used by managers to ensure that organisational
goals are achieved and procedures adhered to, and that the
organisation responds appropriately to changes in its environment.

Control environment is:

The overall attitude, awareness and actions of directors and
management regarding internal controls and their importance to the
entity [it] encompasses the management style, and corporate
culture and values shared by all employees. It provides a
background against which the various other controls are operated.

Control procedures:
Those policies and procedures in addition to the control environment
which are established to achieve the entity's specific objectives.

There are some important aspects of control that can be derived from
these definitions:
Control is not limited to financial control but extends to operational and
other forms of control.
Control is linked to goals and environmental change.
Control is a set of procedures, but also a set of values or attitudes which
need to be embedded in the culture of the organisation.
Management control is defined as 'the process of guiding organisations
into viable patterns of activity in a changing environment'.
Management control systems are defined as 'the processes by which
managers attempt to ensure that their organisation adapts successfully to
its changing environment'.
These definitions are both about adapting to changing environments and
therefore management control systems must be a variety of open systems
that change over time.
If the control systems are to be successful, management must always be
monitoring the way the system operates and how the system could be
changed to improve its performance.

Control methods
Due to the need to adapt and change control
systems, most companies use a variety of
different control processes to ensure that the
business achieves its objectives.
The typical processes that could be used are:
organisation structure
contracts of employment;
discipline and reward system
performance appraisal and feedback.

This section overviews the main accounting controls and

and critiques the main management accounting controls
and evaluates lean accounting systems.


Accounting controls
Accounting controls are important in all
organisations. They include control over:
Investments and intangibles
Non-current assets
Income and expenses

Management accounting control

A management accounting control system can
be defined as an information system that helps
managers to make planning and control
All management accounting control systems
differ as the circumstances of businesses
always differ and the systems are designed to
meet the needs of the business. When recommending
systems to companies, it should always be borne
in mind that the unique features of the company
must be considered.

Designing a management
accounting control system

Output requirements: The system must produce the output that the managers want.
If a system does not provide the necessary information, managers will make poor
decisions and will fail to control the business properly. The output should be linked to:
the objectives of the control system it supports and
the objectives of the organisation as a whole.
Response required: The information must be presented to managers such that they
can deal with it appropriately. For example, the information could be presented in an
exception report which the managers know they have to act upon.
Timing of information: Information must be given to managers at the appropriate
time for them to act on it. Some information will be presented daily, for example
stock levels in retail stores so that managers can restock, or monthly, such as
management accounts, or perhaps even on an on-demand basis, for example
information about competitor actions.
Sources of information: The data sources for the information must be defined so that
the system can process the data into information.
Processing: The actions that management are taking will define the information and
therefore the processing that will be required for that information.
Cost-benefit analysis: The system must provide the information to managers in a
cost-effective way. This means that the benefits of the information must exceed the
costs of producing it.

Cash controls ensure that:
Monies received by the organisation are banked
Bank accounts exist and are properly safeguarded
Bank accounts, especially foreign accounts, are properly
Signatories for bank accounts are authorised and suffi
Payments are properly authorised
Transfers between bank accounts are properly accounted
Adequate cash forecasting is carried out to ensure that
commitments are recorded and overdraft limits are not

Debtor controls ensure that:
Invoicing of customers is properly recorded in debtor accounts
Money collected from customers is properly recorded in
debtor records
Bad debts are written off and adequate provision is made for
doubtful debts
Debtor accounts are regularly reconciled
Appropriate credit checking procedures are in place
Collection activity is ongoing and effective
Credit notes and write-offs are properly authorised
Investigations take place in relation to all disputed amounts
with customers
Customers verify the balances on their accounts.

Inventory controls ensure that:
Physical inventory is periodically checked by counting and
compared with inventory records
Inventory is valued in accordance with accounting
Adequate procedures exist to record receipts of stock from
suppliers and issue of stock to production/distribution
Inventory is stored adequately to avoid loss and secured
from theft and damage and that insurance cover is adequate
Inventory is usable; obsolete, excess or damaged stock is
identified for provisions and that authorisation is given prior
to disposal of stock
Adequate procedures exist to record stock in transit.

Investment controls ensure that:
There is physical evidence of ownership of investments
and that this evidence is held in safe custody
Periodic reviews are carried out of all investments to
determine whether they should be retained or disposed
Investments are valued in accordance with accounting
Acquisitions and disposals are properly authorised
Income from investments is properly accounted for
Charges for amortisation are appropriate and
consistent with accounting standards.

Non-current asset controls ensure that:
Assets are recorded in an Assets Register
Assets are periodically checked to ensure they exist
Acquisitions and disposals are properly authorised
Assets are secured as far as possible against theft,
damage or misuse and appropriate insurance cover
Assets are depreciated over reasonable periods of
time and assets are valued in accordance with
accounting standards
Assets that are obsolete, worn out or damaged are
identified for appropriate accounting treatment.

Creditors controls ensure that:
Purchases are properly authorised
Receipts of goods and services are in accordance with the
purchase order
Invoices received from suppliers are checked against the
receipt of goods or services, the price and the invoice calculations
Adequate documentation exists to support all invoices and
invoices are authorised
Invoices are properly recorded in creditor accounts
Payments to suppliers are authorised and properly recorded in
creditor accounts
Creditor accounts are periodically reconciled
Investigations take place in relation to all disputed amounts
with suppliers.

Loan controls ensure that:
Amounts owed are properly
Loans are properly authorised
Interest obligations are satisfied
Loan provisions are being met.

Income and expense controls ensure that:
Sales of goods and services are properly documented
(invoice, cash receipt, etc.) immediately after the transaction
Costs are properly recorded and classified (e.g. expense,
inventory, fixed asset, etc.)
Income and expenses are matched and relate to the
appropriate accounting period and accrual and prepayments,
etc. are properly recorded to adjust between periods
Expenses are properly authorised. Specific controls may
exist in relation to certain expenses, such as:
Personnel-related expenses.

Payroll controls
Employees have been properly recruited in accordance with
Personnel/Human Resource policies, with adequate pre-employment
checks being carried out
New employees have been authorised by the appropriate department
manager and the Personnel/Human Resource department
Rates of pay are in accordance with Personnel/Human Resource policies
Time worked is properly recorded
Annual leave, sick or maternity leave, overtime, etc. are properly
Employees who terminate employment are removed from the payroll
All employees on the payroll exist (payroll ghosts are a common
method of fraud)
Payroll calculations are checked for calculation errors and unusually
high (or low) payments before payment is made
Payroll deductions are all properly authorised by employees
Employee benefits (e.g. health fund) are properly authorised.


Personnel-related expenses
Many personnel incur expenses as part of their employment. These expenses
include, but are not limited to:
Use of motor vehicle (capital cost, often by lease payment; mileage; fuel;
maintenance; accident damage; fines; etc.)
Mobile telephone
Office telephone, fax, email, Internet use
Travel and accommodation
Such expenses may be paid personally by employees and then reimbursed by
the organisation, or may be charged to the company by purchase order or by
corporate credit card.
All such expenses must be:
Necessary for business purposes
Not private expenditure which the employee seeks to have paid for by the

Contingency theory (no one best fit)

Alternative Perspectives
NB Understanding different perspectives will enable you to look at a
business problem from many different points of view and take a more
complete view to problem solving

economic rational
national & non-rational
interpretive/socially constructed
radical /critical

There are other theoretical frameworks that provide a different view

of the role of management control systems, examples include:
Agency theory emphasises shareholder value
Contingency theory is concerned with environmental fit
Cultural theory emphasises organisations as a social system, relies less on
formal controls and more on developing a set of beliefs and norms to guide
Institutional theory is concerned with a broader stakeholder environment.

Management accounting control

Organizational structure = goal congruence
Behavioural implications
Long term V short term
Dysfunctional behaviour

Performance targets
Budget padding/slack
Financial V non-financial

Responsibility accounting = controllable V


Performance target setting

One factor within any discussion of control systems is that there must be
some standards of performance if the system is to operate successfully.
The standards of performance allow the feedback loops discussed earlier
An effective control system must incorporate a feedback loop such as:

performance target (standard) set

actual result recorded
compared with target
control action taken (if required).

If managers are to be controlled successfully then the standards set
must be sufficiently varied to ensure that the manager works in the best
interests of the company. The standards set can be:
Financial: These would be based on information supplied by the
management accounting system and are often financial ratios, but they
have the problem of being historic looking and short term.
Non-financial: These are measures that consider other factors such as
customer perception, research and development, production efficiency or
staff satisfaction. These measures are very important to help managers
focus on long-term future performance.

Tunnel vision: the emphasis on quantifiable data at the expense of
qualitative data
Sub-optimisation: the pursuit of narrow local objectives at the
expense of broader organisation-wide ones
Myopia: the short-term focus on performance may have longer term
Measure fixation: an emphasis on measures rather than the
underlying objective
Misrepresentation: the way in which the performance measure is

These controls influence behaviour by requiring certain policies and procedures or standard instructions to be
implemented in order to ensure that behaviour is legally correct, co-ordinated and consistent throughout the
Physical controls
Organisational structure and chain of command: the form of structure that is adopted will determine the type of
control exercised over operational management
o Project management - post implementation reviews
Authorisation procedures
Authorisation of expenses
Staff control policies and procedures
Contracts of employment
Performance appraisal
Control of the board
o Composition of the board
Chairman & chief executive
Executive & non executive directors
Board appointments: nominations committee
Framework for board meetings
Frequency of board meetings
Regular review

Behavioural implications of management accounting

When structuring the control system, companies must
take account of the behavioural aspects of setting
performance targets and standards. The possible
consequences might be:
Short-termism. If a manager's performance and reward
structure focuses on short-term profits the manager will
make short-term decisions.
Demotivation could occur if unachievable targets are set,
or alternatively managers will make no attempt to achieve
the target and will ignore it.
Managers focusing only on their part of the business,
ignoring the whole of the business.
The desire to build 'padding' into budgets and to
manipulate results to achieve targets set.

Traditional management accounting

The traditional management accounting
systems that have been employed by
businesses have included techniques such as:
Standard costing, budgeting and variance analysis.
Overhead allocation: labour hour and machine
hour costing systems.
Capital investment appraisal (such as NPV, IRR,
Transfer pricing.
Rewards and appraisal based on
financial/management accounts.

Criticisms of traditional management accounting systems
Despite their continuing popularity in many businesses, all
these methods have been criticised for a number of reasons:
Systems are often too formal. They produce routine preset
information whereas managers require more on-demand adaptable
Some assumptions they make are questionable, for example
treating labour costs as a variable cost when in the short term they
are really a fixed cost.
The systems are very cumbersome (for example, budgets are
time-consuming) and produce information of little value.
Traditional systems view many costs as production costs, when in
reality they are overhead costs of businesses.
The systems may not take account of the business strategy. They
tend to focus on low cost, hence not assisting a business that wants
to differentiate itself and produce very high quality.

Modern manufacturing
The concept of being competitive in industry has changed
significantly in recent years; the accepted truths of
efficiency have been changed fundamentally due to a
number of factors.
As a result of the change in the manufacturing
environment the type of information and control systems
that must be employed by the organisation have altered.
Traditional manufacturing
standardisation of product
long production runs
'acceptable' level of quality
slow product development
'intelligent machines'

Just-in-time (JIT)
This is a technique for the organisation of
work flows, to allow rapid, high quality,
flexible production whilst minimising
manufacturing waste and stock levels.
It was originally considered as a stock
control system, but it is rather more
involved than this.
The JIT system can be applied to both
production and purchasing.

Total Quality Management

TQM is a business philosophy aimed at:
minimizing errors (ideally to zero) as the cost of
getting things right first time is always less than
the costs of correction and
maximizing customer satisfaction such that every
customer's expectations are met or exceeded.

To achieve this philosophy a TQM firm should
have an appropriately installed quality culture
and very good systems that are documented
and adhered to by all staff.

Modern management accounting

The new manufacturing methods such as JIT and TQM have required
questioning traditional techniques such as variance analysis. New
management accounting techniques have been introduced as a result.
JIT and TQM environments

Throughput accounting
Backflush accounting
Costs of quality
Non-financial performance indicators

Large overhead costs

Activity based costing (ABC)
Activity based budgeting (ABB)

Focus on longer-term strategic issues

Non-financial performance indicators
Balanced scorecard
Strategic management accounting (SMA)

It is essential to remember that there is no unique ideal management
accounting control system and the most suitable accounting system varies
according to circumstances.

performance indicators
In order to achieve the aims of JIT and TQM, managers have had
to look at non-financial performance measures as well as financial
ones. For example, TQM does not accept wastage and failures in
production and therefore there need to be performance measures
ensuring that wastage is monitored. These might be:
Wastage rates.
Rectification rates.

In a JIT environment it will be necessary to monitor lead times
and quality of input so that the raw materials can be ordered in
the right quantity and at the right time.
Non-financial measures are also often associated with forward-thinking
organisations. They can tell managers of problems that
might occur in the future: for example, high numbers of defective
products indicate higher rectification costs, and possibly a loss of
customer satisfaction.

Balanced scorecard

This is a popular method used by businesses to assess both financial and non-financial performance.
Financial perspective

Return on investment
Economic value added (EVA)
Profit target
Operating cash flow target
Cost reduction target
Customer perspective

Target for new customers

Target for retention of existing customers or
repeat orders
Percentage of orders met within X days
Percentage of orders delivered on time
Market share target
Target for customer satisfaction (quantifiable measure of satisfaction)
Internal business perspective
Percentage of tenders accepted by customers
Percentage of items produced that have to be reworked
Production cycle time
Innovation and learning perspective
Number of new products launched
Target for employee productivity
Percentage of total revenue coming from new products
Revenue per employee
Time from identifying a new product idea to market launch

Strategic management accounting

'The preparation and presentation of information for
decision-making laying particular stress on external
SMA is linked with business strategy and maintaining or
increasing competitive advantage. The achievement of
objectives requires the 'linking' of strategic planning to
short-term operational planning.
Lord (1996) characterised SMA as:
Collection of competitor information (such as pricing, costs and
Exploitation of cost reduction opportunities (a focus on continuous
improvement and non-financial performance measures).
Matching the accounting emphasis with the firm's strategic

Lean organisations and lean

Lean manufacturing is a philosophy
of management based on cutting out
waste and unnecessary activities.
Organisations can become lean and
mean if they can get rid of their
unnecessary fat.
Two elements in lean manufacturing
are JIT and TQM.

Lean management
Provides information to control and improve the value stream
(focus on value streams rather than traditional departmental
Provides information for performance measurement and cost
reporting purposes (non-financial measures, continuous
improvement and techniques such as target and lifecycle
Provides relevant cost information for financial reporting
purposes (only that which is required, eliminating no value added
information (via implementing techniques such as back flush
Ensures that management are provided with statements that
instantly accessible through an IT system, and
simple to read.

Internal control

Internal control systems

In order to manage their risks, businesses need to set up internal
control systems.
These internal controls apply across all parts and activities of a
There are a number of different definitions of internal control
systems, but all have similar features. One definition is:
'The whole system of controls, financial and otherwise, established by the
management in order to carry out the business of the enterprise in an
orderly and efficient manner, ensure adherence to management policies,
safeguard the assets, prevent and detect fraud and error and secure as far
as possible the completeness and accuracy of the records. The individual
components of an internal control system are known as controls or
internal controls.'

An internal control system can be thought of as a system for
management to control certain risks and therefore help businesses
achieve their objectives.

Internal control
Internal control is the whole system of financial and other
controls established to provide reasonable assurance of
effective and efficient operation; internal financial control;
and compliance with regulation. Internal controls include
accounting controls (e.g. budgets) but also include quantitative
controls (non-financial controls such as measures of
quality) as well as qualitative (e.g. personnel) controls.
Control encompasses all of the processes used by
managers to ensure that organizational goals are achieved
and procedures adhered to, and that the organization
responds appropriately to changes in its environment.
Controls are put in place in response to identified risks in
order to reduce the likelihood or impact of risk.

Internal controls and risk

Internal controls can be considered
as part of the risk reduction method
of responding to risk (see chapter 3).
The need for a robust system of
internal control and risk
management is seen as a major
element of good corporate

Features of internal control systems

In 1992 COSO (Committee of Sponsoring Organisations) stated that effective
internal control systems consist of five integrated elements.
Control environment
The control environment can be thought of as management's attitude, actions and
awareness of the need for internal controls.
If senior management do not care about internal controls and feel that it is not
worthwhile introducing internal controls then the control system will be weak.
Management can try to summarise their commitment to controls in a number of
When auditors assess the control systems of a business for the audit, if the
environment is poor they will place no reliance on any detailed control procedures.
Behave with integrity and ethics (corporate governance will be considered in the next
Maintain an appropriate culture in the organisation.
Set up a good structure, for example an independent internal audit function, and have
segregation of duties.
Set proper authorisation limits.
Employ appropriately qualified staff and conduct staff training.

Risk assessment
Risk assessment (as discussed in chapter 3) feeds directly into the internal control system. A risk
assessment must be performed and should identify:
Controllable risks: for these risks, internal control procedures can be established.
Uncontrollable risks: for these risks, the company may be able to minimise the risk in other ways
outside the internal control environment. Uncontrollable risks could be risks that are caused by the
external environment that the company operates in. For example, the best internal control processes
in the world cannot reduce the risk of inflation or the economy going into recession.
Control activities
Once controllable risks have been identified, actual specific control activities can be undertaken to
reduce those risks. There is a huge variety of control activities that companies can adopt at all levels
of management and in all parts of the organisation.
Information and communication
In order for managers to operate the internal controls, they need information and therefore a good
information system must be set up. The information provided to managers must be:

Accurate (and therefore reliable).

Relevant to the actions being taken.

Computer systems have led to increased quality of information being provided to managers but the
systems must be integrated into the business strategies if they are to provide what managers need.
Information systems and information management are a specific part of this syllabus because they
are so important to the successful running and control of business.

The company may have produced a very good internal
control system but it must be monitored. If the system
is not monitored it will be very difficult to assess
whether it is out of control and needs amendment.
Internal control systems are also dynamic in that they
need to evolve over time as the business evolves.
The internal audit function is often the key monitor of
the internal control system. Internal auditors will
examine the controls and control system, identify where
controls have failed so that the failures can be rectified,
and also make recommendations to management for
new and improved systems.

Risk management
A risk management framework needs to be established in
every organisation, reflecting its policy and guidelines in
relation to identifying, assessing, evaluating, treating and
reporting risk. Particular roles and responsibilities need to
be established with clear responsibilities assigned to:
The Board, or its audit committee,
A risk management group,
The chief risk officer,
Internal audit,
External audit,
Line managers and
Employees, through the organisation's culture.

Every organisation should develop a risk management strategy that
the risk appetite and tolerance of the organisation, that is the level of risk
it finds acceptable;
the risk assessment and evaluation processes the organisation practises;
its preferred options for risk treatment;
who is responsible in the organisation for risk management; and
how reporting and monitoring processes will take place.
Effective risk management requires
management commitment;
integration with the strategic planning process;
the use of a consistent language and framework;
acceptance of risk management as a continuous and evolving process;
organisation-wide ownership with a supportive culture;
that risk management be embedded in organisational processes.

Internal control

An internal control system includes all the policies and procedures (internal
controls) adopted by the directors and management of an entity to assist in
achieving their objectives of ensuring, as far as practicable, the orderly and
efficient conduct of a business, including adherence to internal policies,
the safeguarding of assets, the prevention and detection of fraud and error,
the accuracy and completeness of the accounting records, and the timely
preparation of reliable financial information.
An internal control system comprises the control environment and control
procedures. The control environment is the overall attitude, awareness and
actions of directors and management regarding internal controls and their
importance to the entity . . . [it] encompasses the management style, and
corporate culture and values shared by all employees. The control
environment provides the context for the whole set of control procedures.
The control environment provides the discipline and structure for the
achievement of the primary objectives of the system of internal control. The
control environment includes: integrity and ethical values, management's
philosophy and operating style, organisational structure, assignment of
authority and responsibility, human resource policies and practices, and
competence of personnel.

There are some important aspects of control
that can be derived from these definitions:
Control is not limited to financial control but
extends to operational and other forms of
Control is linked to organisational goals and
environmental change;
Control is not only a set of procedures, but
also a set of values or attitudes which need to
be embedded in the culture of the organisation.

COSO model of internal


COSO's Enterprise Risk Management Integrated Framework (Committee of
Sponsoring Organizations of the Treadway Commission (COSO), 2004) states
that internal control is an integral part of enterprise risk management. This is
described in COSO's Internal Control Integrated Framework (Committee of
Sponsoring Organizations of the Treadway Commission (COSO), 1992) which is
encompassed within the ERM framework.
The COSO internal control framework contains five elements:
Control environment (see above).
Risk assessment: identifies the risks of failing to meet objectives in relation
to financial reporting, compliance and operational objectives.
Control activities: the policies and procedures that help ensure
management directives are carried out and objectives are achieved. These
include both accounting and non-accounting controls.
Monitoring: the need for management to monitor the entire control system
through specific evaluations.
Information and communication: capturing relevant internal and external
information about competition, economic and regulatory matters and the
potential of strategic and integrated information systems.

Financial controls
There are various accounting methods by which control is exercised.
The main ones which will be covered here are:
Financial ratios
Budgetary reporting (variance analysis)
Capital investment appraisal.
Financial ratios are calculated by dividing one figure by another, with
the source of the figures being information presented in Income
Statements and Balance Sheets. Ratios are interpreted by reference to
their trend (improving or worsening) and by benchmark comparisons to
similar organisations and industry averages. Ratios exist for
profitability, liquidity (cash flow), gearing (borrowing), asset efficiency,
and there are also shareholder-based ratios. Targets are usually set and
monitored by the Board and senior management for the financial
performance needed to maintain shareholder value and the confidence
of capital markets which is reflected in the share price. By monitoring
ratios, the Board exercises control over financial performance.

Whilst ratios consider historical performance, budgets are concerned
with expected future performance. Budgets provide:
a forecast of future events, a short-term picture of the desired
financial results resulting from the chosen strategy,
a motivational target to which managers are expected to strive; and
a standard for business unit and management performance which is
then evaluated.
Budgets provide a control mechanism through both the feed forward
and feedback loops. In feed forward terms, budgets can be reviewed in
advance, to ensure that they are consistent with organisational goals
and strategy. If they do not contribute to goals, changes can be made to
the budget before it is approved. Using feedback, variations between
the budget and actual performance can be investigated and monitored
and corrective action can be taken for future time periods.

Non-financial controls
There are many kinds of non-financial
controls that rely on measurement,
Performance measurement through key
performance indicators;
Quality systems: measuring and
monitoring errors and wastage;
Project management: establishing
detailed plans with budgets, timeframes
and quality expectations

Qualitative controls
There is also a wide variety of non-financial qualitative controls. Some of
these are:
Formal structures: the organisational chart with its hierarchy of
Personnel controls: recruitment, training and socialisation, supervision
and performance appraisal processes;
Informal structures: the organisational culture;
Rules, policies and procedures: embedded in manuals or corporate
policies and in computer systems;
Physical controls: physical access to offices, computers, etc.;
Strategic plans: strategies direct behaviour and define the boundaries in
which the organisation operates;
Incentives and rewards: reinforcing desired behaviour.
These controls influence behaviour by requiring certain policies and
procedures or standard instructions to be followed. Qualitative controls
ensure that behaviour is legally correct, co-ordinated and consistent
throughout the organisation; is linked to objectives and is efficient and

Relationship of Risk Management with Internal Control Systems
Risk management is an important precursor to internal
control as it allows the internal controls to be focused on the
most significant risks. Therefore risks are assessed and
control activities are determined that relate to the assessed
The benefits of effective risk management include:

the maintenance of profitability in the medium and longer term;

the avoidance of sudden losses if business continuity is impeded;
the avoidance of profit warnings and major exceptional items;
more cost-effective insurance cover and reduced premium cost;
greater degree of assurance that business continuity will be
safeguarded in the event of a catastrophe;
continued customer satisfaction and the maintenance of the
organisation's reputation with customers, the public and investors.

The costs and benefits of a particular internal control system
Avoidance of losses
Legal requirement (health & safety, information required for
Well-being of employees - motivation, succession planning -
important resource
Preferred employer - better calibre staff - important resource

Establishment of policies & procedures
Administrative support
Opportunity cost of not spending time on the delivery of
organisational objectives

(Internal controls provide a safeguard but not an absolute


Accounting Controls/Financial
Standard costing
Will this be appropriate for an organisation that wants to deliver flexibility and

Capital investment appraisal in line with strategic objectives

Can future cash flows be predicted with some accuracy?
Does it capture the richness of the investment evaluation problem, would the use of
value chain analysis, cost driver analysis and competitive advantage analysis achieve
a better fit between investment decisions and business strategy implementation?

Cash controls
Debtor control

Exchange controls - hedging

Overhead allocation
Does this accurately reflect the resources consumed in production? This could lead to
misleading information about product/service profitability. (Is ABC the answer?)

Transfer Pricing
Negotiated prices may help to reduce demotivating effects on divisional performance

Budgets and budgetary control

Forecast of future events
Motivational targets
Standards for performance evaluation
One of the most common dysfunctional consequences of budgeting is the creation of 'slack' resources or low targets being
set because managers believe they will readily be achieved.
Budget expectations perceived to be unfair or exploitative are not internalised by employees and can lead to lower
motivation and performance.
Similarly, the manipulation of data or its presentation to show performance in the best possible light is another common
behaviour, particularly where performance is linked to rewards.
'Beyond Budgeting':
proposes targets based on stretch goals linked to performance against world-class benchmarks and prior periods;
enables decision-making and performance accountability to be devolved to line managers and a culture of personal
increased motivation;
higher productivity and better customer service.
Elimination of inventories
Consider the total cost of ownership rather than the initial purchase price
Cost of quality
Strategic management accounting
PAF model

Life cycle costing

Estimates lifetime costs and profits

Do profits generated in the production phase cover all the life cycle costs?
Increased cost control during the development phase
Target costing
Determine the target price customers are prepared to pay
Determine a target profit margin, therefore can establish the target cost
If actual cost exceeds target cost then need to investigate ways of reducing the estimated cost to the target cost.
Kaizen (tightening)
Continuous improvement & feedback during the production process
Even the smallest improvement is worth consideration
Lean management accounting
Target costing
Eliminates waste within value streams
Non-financial quantitative controls - a balanced scorecard approach
Customer satisfaction - number of clients (especially increases and potential losses)
Market share
Business processes
IT controls - input/process/output/network/physical/disaster recovery
Post implementation reviews
Tender process for suppliers

Innovation/learning and growth

Employee retention
Training costs
Employee satisfaction


These controls influence behaviour by requiring certain policies and procedures or standard instructions to be
implemented in order to ensure that behaviour is legally correct, co-ordinated and consistent throughout the
Physical controls
Organisational structure and chain of command - the form of structure that is adopted will determine the
type of control exercised over operational management
Project management - post implementation reviews
Authorisation procedures
Authorisation of expenses
Staff control policies and procedures
Contracts of employment
Performance appraisal
Control of the board
Composition of the board
Chairman & chief executive
Executive & non executive directors
Board appointments - nominations committee
Framework for board meetings
Frequency of board meetings
Regular review

Evaluation of an internal control

The internal control system of the business is no different to other business
activities: the benefits of maintaining the system must outweigh the costs of
operating it. As part of the monitoring process, therefore, management must
consider the costs and benefits.
However, it can be difficult to quantify those costs and benefits as they are
often not direct cash costs.
Costs of an internal control system will include:
time of management involved in the design of the system
costs of IT consultants to implement new software
training all staff in new procedures
maintenance of system:
software upgrades
monitoring and review
Benefits are to be found in the reduction of the risks and achievement of
business objectives.

Limitations of internal control

Warnings should be given regarding overreliance on
any system, noting in particular that:
A good internal control system cannot turn a poor
manager into a good one.
The system can only provide reasonable assurance
regarding the achievement of objectives: all internal
control systems are at risk from mistakes or errors.
Internal control systems can be bypassed by collusion
and management override.
Controls are only designed to cope with routine
transactions and events.
There are resource constraints in provision of internal
control systems, limiting their effectiveness.


What is fraud?
The term fraud commonly includes activities such as theft,
corruption, conspiracy, embezzlement, money laundering,
bribery and extortion.
Fraud can be defined as 'dishonestly obtaining an advantage,
avoiding an obligation or causing a loss to another party'.
Fraud is a crime, but does not have a precise legal definition.
The term fraud refers to an intentional act by one or
more individuals among management, those charged with
governance, employees or third parties, involving the use of
deception to obtain an unjust or illegal advantage.
A distinction is made between:
Fraud, which is deliberate falsification, and
Errors, which are unintentional mistakes.

Different types of fraud

Fraud can mean many things and result from many varied relationships between
offenders and victims. Examples of fraud include:

crimes against consumers or clients,

employee fraud against employers,
crimes against investors, consumers and employees,
crimes against financial institutions,
crimes against government,
crimes by professional criminals,

There are three main categories of fraud that affect organisations. The first of
these is asset misappropriations, which involves the theft or misuse of an
organization's assets. Examples include theft of plant, inventory or cash, false
invoicing, accounts receivable fraud, and payroll fraud.
The second category of fraud is fraudulent statements. This is usually in the form
of falsification of financial statements in order to obtain some form of improper
benefit. It also includes falsifying documents such as employee credentials.
The final of the three fraud categories is corruption. This includes activities such
as the use of bribes or acceptance of kickbacks, improper use of confidential
information, conflicts of interest and collusive tendering.