INTERNAL CONTROL FRAMEWORK AND RISK MANAGEMENT
FINANCIAL MANAGEMENT AND INNOVATIONS

COSO
COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is a private sector initiative established in 1985 by five financial professional associations.
ENRON SCANDAL
Enron Complex at Houston, Texas
CORPORATE PROFILE
• AN AMERICAN ENERGY, COMMODITIES AND SERVICES COMPANY
• WAS ONE OF THE WORLD’S MAJOR ELECTRICITY, NATURAL GAS, COMMUNICATIONS, AND PULP AND PAPER COMPANIES
• EMPLOYED APPROXIMATELY 20,000 STAFF
• CLAIMED REVENUES OF NEARLY $101
• FORTUNE NAMED ENRON “AMERICA’S MOST INNOVATIVE COMPANY” FOR SIX CONSECUTIVE YEARS
• WAS ON FORTUNE’S “100 BEST COMPANIES TO WORK FOR IN AMERICA” LIST DURING 2000
PEOPLE INVOLVED IN THE CORPORATE FRAUD
1. KENNETH LAY, CHAIRMAN & CEO
2. JEFFREY SKILLING, PRESIDENT & COO
3. ANDREW FASTOW, CHIEF FINANCIAL OFFICER
ENRON’S FRAUDULENT FINANCIAL REPORTING
1. BEGAN ESTABLISHING NUMEROUS LIMITED LIABILITY SPECIAL PURPOSE ENTITIES (A COMMON PRACTICE).
2. IT ALSO ALLOWED ENRON TO TRANSFER LIABILITY SO THAT IT WOULD NOT APPEAR IN ITS ACCOUNTS, ALLOWING IT TO MAINTAIN A ROBUST, INCREASING STOCK PRICE AND THUS KEEPING ITS CRITICAL INVESTMENT GRADE CREDIT RATINGS.
3. MANY OF ENRON’S RECORDED ASSETS AND PROFITS WERE INFLATED OR EVEN WHOLLY FRAUDULENT AND NONEXISTENT.
MCI WORLDCOM SCANDAL
CORPORATE PROFILE
• WAS THE UNITED STATES’ SECOND LARGEST LONG DISTANCE TELEPHONE COMPANY (AFTER AT&T)
• THE LARGEST CORPORATE MERGER IN US HISTORY ($37B MERGER BETWEEN MCI COMMUNICATIONS AND WORLDCOM)
• EMPLOYED OVER 30,000 EMPLOYEES
• HAD OVER $20B IN REVENUES ANNUALLY
PEOPLE INVOLVED IN THE CORPORATE FRAUD
1. BERNARD EBBERS, CHIEF EXECUTIVE OFFICER
2. SCOTT SULLIVAN, CHIEF FINANCIAL OFFICER
3. DAVID MYERS, COMPTROLLER
4. BUFORD YATES, DIRECTOR OF GENERAL ACCOUNTING
WORLDCOM’S FRAUDULENT ACCOUNTING
• Used fraudulent accounting methods to disguise its decreasing earnings to maintain the price of WorldCom’s stock.
• The fraud was accomplished primarily in two ways:
1. Booking ‘line costs’ (interconnection expenses with other telecommunication companies) as capital on the balance sheet instead of expenses.
2. Inflating revenues with bogus accounting entries from "corporate unallocated revenue accounts".
TYCO INTERNATIONAL SCANDAL
CORPORATE PROFILE
• A SWISS SECURITY SYSTEMS COMPANY
• S&P 500 COMPONENT
• OVER $17B REVENUES ANNUALLY
• HAS MORE THAN 69,000 EMPLOYEES
PEOPLE INVOLVED IN THE CORPORATE FRAUD
1. DENNIS KOZLOWSKI, CHAIRMAN & CEO
2. MARK SWARTZ, CHIEF FINANCIAL OFFICER
BOTH WERE ACCUSED OF THEFT OF MORE THAN $150M
TYCO’S FRAUDULENT ACCOUNTING AND FINANCIAL REPORTING (FRAUD AND THEFT)
1. THE CEO, CFO AND GENERAL COUNSEL WERE ACCUSED OF GIVING THEMSELVES INTEREST-FREE OR LOW INTEREST LOANS FOR PERSONAL PURCHASES OF PROPERTY, JEWELRY AND OTHER FRIVOLITIES. ACCORDING TO THE SEC, THESE LOANS WERE NEVER APPROVED OR REPAID.
2. THE CEO & CFO WERE ALSO ACCUSED OF ISSUING BONUSES TO THEMSELVES AND OTHER EMPLOYEES WITHOUT APPROVAL OF TYCO’S BOARD OF DIRECTORS. IT IS ALLEGED THAT THESE BONUSES ACTED AS DE FACTO LOAN FORGIVENESS FOR EMPLOYEES WHO HAD BORROWED COMPANY
TO SILENCE THOSE WHO SUSPECTED THE CEO AND CFO OF FRAUD. ACCORDING TO TYCO, THE INDIVIDUALS WHO RECEIVED LOAN FORGIVENESS WERE NOT AWARE THAT THEY WERE PARTICIPATING IN ANYTHING ILLEGAL; THEY WERE TOLD THE PROGRAM HAD THE BOARD’S
At this point it needs to be mentioned that the Tyco International Ltd fraud is very different from almost every other fraud case in the last twenty years. The main difference is that the company is still financially sound. Another difference is that all of the activity mentioned in the fraud case was reflected on the company’s books.

THERE WERE NO DOCTORED FINANCIALS OR SHREDDED DOCUMENTS.

The fraud in question here is due to the lack of disclosure. Company loans, incentive plans, and bonuses are all items that require the approval of the board of directors.

OTHER INFORMATION:
It should also be noted that Dennis Kozlowski had personal traits that contributed to the fraud committed, such as a seeming willingness to lie or exaggerate about anything related to him. In interviews Kozlowski would refer to his father as a police officer, when in fact he was not, and he would mention on a fairly regular basis that he had a Master’s Degree in business administration (MBA) when he actually never completed the program.
REFLECTION:
IT IS THE WILLINGNESS TO TELL SMALL LIES THAT LEADS TO STORIES BEING FORMED THAT JUST BUILD UPON THEMSELVES AND CREATE AN ENTIRELY NEW REALITY, PER SE, FOR AN INDIVIDUAL, WHICH ALLOWS A FRAUD LIKE THE ONE DENNIS KOZLOWSKI COMMITTED TO BE PERPETRATED AND RATIONALIZED BY THE PERPETRATOR.
Member Organizations of COSO
• The Institute of Internal Auditors
• American Institute of Certified Public Accountants
• American Accounting Association
• Institute of Management Accountants
• Financial Executives Institute

Objective
COSO’s goal is to improve the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control.
Definition of Internal Control
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.
COSO’s Five Components of Internal Control
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
1. Control Environment
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.
Integrity and Ethical Values
Integrity and ethical values are essential elements of the control environment, affecting the design, administration and monitoring of other internal control components. The effectiveness of internal controls cannot rise above the integrity and ethical values of the people who create, administer and monitor it.

Integrity is a prerequisite for ethical behavior in all aspects of an enterprise’s activities. Ethical behavior and management integrity are a product of the “corporate culture.”

Top management — starting with the CEO — plays a key role in determining the corporate culture. The CEO usually is the dominant personality in an organization, and individually often sets its ethical tone.
Incentives and Temptations
Incentives cited for engaging in fraudulent or questionable financial reporting practices and, by extension, other forms of unethical behavior are:
● Pressure to meet unrealistic performance targets, particularly for short-term results;
● High performance-dependent rewards; and
● Upper and lower cutoffs on bonus

The following are “temptations” for employees to engage in improper acts:
● Nonexistent or ineffective controls, such as poor segregation of duties in sensitive areas, that offer temptations to steal or to conceal poor performance.
● High decentralization that leaves top management unaware of actions taken at lower organizational levels and
● A weak internal audit function that does not have the ability to detect and report improper behavior.
● An ineffective board of directors that does not provide objective oversight of top management.
● Penalties for improper behavior that are insignificant or unpublicized and thus lose their value as deterrents.
Providing and Communicating Moral Guidance
A third cause of fraudulent and questionable financial reporting practices: IGNORANCE.

“In many of the companies that have suffered instances of deceptive financial reporting, the people involved either did not know what they were doing was wrong or erroneously believed they were acting in the organization’s best interest.” This ignorance is often caused by poor moral background or guidance, rather than by an intent to deceive.
2. Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
3. Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. They occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
4. Information and Communication
Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business.
5. Monitoring
Internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.
Internal Control Components
Objectives and Components
What Internal Control Can Do
Internal control can help an entity
achieve its performance and
profitability targets, and prevent loss
of resources. It can help ensure
reliable financial reporting. In sum, it
can help an entity get to where it
wants to go, and avoid pitfalls and
surprises along the way.
What Internal Control Cannot Do
A common but unrealistic expectation is that internal control can ensure an entity’s success — that is, that it will ensure achievement of basic business objectives or will, at the least, ensure survival. Internal control can only help an entity achieve these objectives; it cannot change an inherently poor manager into a good one.
An internal control system, no matter how well conceived and operated, can provide only reasonable — not absolute — assurance to management and the board regarding achievement of an entity’s objectives.
Roles and Responsibilities
Management — The Chief Executive Officer is ultimately responsible and should assume “ownership” of the system. The chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they’re controlling the business.
Roles and Responsibilities
Senior managers assign
responsibility for establishment of
more specific internal control policies
and procedures to personnel
responsible for the unit’s functions.
A manager is effectively a Chief
Executive of his or her sphere of
responsibility.
Roles and Responsibilities
Board of Directors — Management is
accountable to the board of
directors, which provides
governance, guidance and oversight.
A strong, active board, particularly
when coupled with effective upward
communications channels and
capable financial, legal and internal
audit functions, is often best able to
identify and correct such a problem.
Roles and Responsibilities
Internal Audit — Internal audit plays an important role in evaluating the effectiveness of control systems, and contributes to their ongoing effectiveness. An internal audit function often plays a significant monitoring role.
Roles and Responsibilities
Other Personnel — Internal control is,
to some degree, the responsibility of
everyone in an organization and
therefore should be an explicit or
implicit part of everyone’s job
description. All personnel should be
responsible for communicating
upward problems in operations,
noncompliance with the code of
conduct, or other policy violations or
illegal actions.
RISK
1. Is relevant and reliable internal and external information identified, compiled, and communicated in a timely manner to those who are positioned to act?
2. Are risks identified and analyzed, and actions taken to mitigate them?
3. Are controls in place to assure that management decisions are properly carried out?
Applying COSO’s Enterprise Risk Management — Integrated Framework (2004)
Today’s organizations are concerned about:
• Risk Management
• Governance
• Control
• Assurance (and Consulting)
ERM Defined:
“… a process, effected by an entity's board of
directors, management and other personnel,
applied in strategy setting and across the
enterprise, designed to identify potential events
that may affect the entity, and manage risks to
be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.


Why ERM Is Important
Underlying principles:
• Every entity, whether for-profit or not, exists to realize value for its stakeholders.
• Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
ERM supports value creation by enabling management to:
• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
Enterprise Risk Management — Integrated Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
The ERM Framework
Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
• Compliance
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
Enterprise risk management requires an entity to take a portfolio view of risk.
• Management considers how individual risks interrelate.
• Management develops a portfolio view from two perspectives:
- Business unit level
- Entity level

The eight components of the framework are interrelated …
Internal Environment
• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
• Establishes the entity’s risk culture.
• Considers all other aspects of how the organization’s actions may affect its risk culture.
Objective Setting
• Is applied when management considers risk strategy in the setting of objectives.
• Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept.
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
Event Identification
• Differentiates risks and opportunities.
• Events that may have a negative impact represent risks.
• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
• Addresses how internal and external factors combine and interact to influence the risk profile.
Risk Assessment
• Allows an entity to understand the extent to which potential events might impact objectives.
• Assesses risks from two perspectives:
- Likelihood
- Impact
• Is used to assess risks and is normally also used to measure the related objectives.
• Employs a combination of both qualitative and quantitative risk assessment methodologies.
• Relates time horizons to objective horizons.
• Assesses risk on both an inherent and a residual basis.
Risk Response
• Identifies and evaluates possible responses to risk.
• Evaluates options in relation to the entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood.
• Selects and executes response based on evaluation of the portfolio of risks and responses.
Control Activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
• Occur throughout the organization, at all levels and in all functions.
• Include application and general information technology controls.
Information & Communication
• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
• Communication occurs in a broader sense, flowing down, across, and up the organization.
Monitoring
Effectiveness of the other ERM components is monitored through:
• Ongoing monitoring activities.
• Separate evaluations.
• A combination of the two.

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control — Integrated Framework
• Expands and elaborates on elements of internal control as set out in COSO’s “control framework.”
• Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control.
• Expands the control framework’s “Financial Reporting” and “Risk Assessment.”
ERM Roles & Responsibilities
• Management
• The board of directors
• Risk officers
• Internal auditors

Internal Auditors
• Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
• Assist management and the board or audit committee in the process by:
- Monitoring
- Evaluating
- Examining
- Reporting
- Recommending improvements
Standards
• 2010.A1 – The internal audit activity’s plan of engagements should be based on a risk assessment, undertaken at least annually.
• 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization’s governance, operations, and information systems.
• 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.
Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management
Periodic Review
• Accountability for risks
• Ownership
• Updates
- Changes in business objectives
- Changes in systems
- Changes in processes
Internal auditors can add value by:
• Reviewing critical control systems and risk management processes.
• Performing an effectiveness review of management's risk assessments and the internal controls.
• Providing advice in the design and improvement of control systems and risk mitigation strategies.
• Implementing a risk-based approach to planning and executing the internal audit process.
• Ensuring that internal auditing’s resources are directed at those areas most important to the organization.
• Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
• Facilitating ERM workshops.
• Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.
Organizational Design
• Strategies of the business
• Key business objectives
• Related objectives that cascade down the organization from key business objectives
• Assignment of responsibilities to organizational elements and leaders

Example:
• Mission – To feed people
• Strategic Objective – To be the largest Franchisee of Julie’s Franchising Corporation
• Related Objective – To establish branches and outlets across the Asia-Pacific region
Establish ERM
• Determine a risk philosophy
• Survey risk culture
• Consider organizational integrity and ethical values
• Decide roles and responsibilities

Example: ERM Organization (org chart, reconstructed from the slide)
Vice President and Chief Risk Officer
  - Insurance Risk Manager
      - Staff
  - ERM Corporate Director
      - ERM Manager
      - ERM Manager
      - Staff
  - Credit Risk Manager
      - Staff

Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.
Risk Model
Environmental Risks
• Capital Availability
• Regulatory, Political, and Legal
• Financial Markets and Shareholder Relations

Process Risks
• Operations Risk
• Empowerment Risk
• Information Processing / Technology Risk
• Integrity Risk
• Financial Risk

Information for Decision Making
• Operational Risk
• Financial Risk
• Strategic Risk
Risk Analysis
Risk Assessment → Risk Management → Risk Monitoring
• Risk Assessment: Identification, Measurement, Prioritization
• Risk Management: Control It; Share or Transfer It; Diversify or Avoid It
• Risk Monitoring: Process Level, Activity Level, Entity Level

Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors


DETERMINE RISK APPETITE
• Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value.
• Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).

Key questions:
• What risks will the organization not accept? (e.g. environmental or quality compromises)
• What risks will the organization take on new initiatives? (e.g. new product lines)
• What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)
IDENTIFY RISK RESPONSES
• Quantification of risk exposure
• Options available:
- Accept = monitor
- Avoid = eliminate (get out of situation)
- Reduce = institute controls
- Share = partner with someone (e.g. insurance)
• Residual risk (unmitigated risk – e.g. shrinkage)


Impact vs. Probability

                 Low PROBABILITY            High PROBABILITY
High IMPACT      Medium Risk: Share         High Risk: Mitigate & Control
Low IMPACT       Low Risk: Accept           Medium Risk: Control

RMG RISK ASSESSMENT
AREAS OF CONCERN (RATED HIGH / MEDIUM / LOW):
1. PRODUCTION REPORTING
2. RECEIVING OF ORDERED MATERIALS & SUPPLIES
3. ORDERING OF MATERIALS & SUPPLIES
4. INVENTORY TAKING
5. JBS HOUSEKEEPING
6. PAYROLL SYSTEM (JBS LEVEL)
7. PRODUCTION SCHEDULING
8. INVENTORY MANAGEMENT
9. DAILY SALES REPORTING
10. BAKESHOP PERSONNEL BEARING
11. INTEGRITY OF THE PHYSICAL CONDITION OF BRANCH
JBS Operations Risk Assessment (Impact vs. Probability)

High IMPACT, Low PROBABILITY — Medium Risk:
• Production Scheduling
• Inventory Taking
• Integrity of the Physical Condition of the Branch

High IMPACT, High PROBABILITY — High Risk:
• Daily Sales Reporting
• Ordering of Materials and Supplies
• Inventory Management
• Payroll System (JBS Level)

Low IMPACT, Low PROBABILITY — Low Risk:
• JBS Housekeeping
• Bakeshop Personal Bearing and Appearance

Low IMPACT, High PROBABILITY — Medium Risk:
• Production Reporting
• Receiving of Ordered Materials and Supplies


Accounts Payable Process
Control Objective: Completeness, Proper valuation
Risk: Material transactions not properly recorded
Control Activity: Recording based on received DRs properly matched against Invoices, POs, and Receiving Reports
Communicate Results
• Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
• Flowcharts of processes with key controls noted
• Narratives of business objectives linked to operational risks and responses
• List of key risks to be monitored or used
• Management understanding of key business risk responsibility and communication of assignments
Monitor
• Collect and display information

• Perform analysis
- Risks are being properly addressed
- Controls are working to mitigate risks
Management Oversight & Periodic Review
• Accountability for risks
• Ownership
• Updates
- Changes in business objectives
- Changes in systems
- Changes in processes
End of Presentation