Risk Management II
• Internal controls
• Cyber risks
Internal controls
• Recommend internal controls
• Recommend appropriate controls and evaluate the implications of compliance failures
• Recommend responses to the threats arising from poor governance
Internal control systems
❖ Internal control and risk management are fundamental components of good corporate
governance. Good corporate governance means that the board must identify and manage
all risks for a company. In terms of risk management, internal control systems span
finance, operations, compliance and other areas, i.e. all the activities of the company.
❖ Internal control definitions
• Controls attempt to ensure that risks, those factors which stop the achievement of company
objectives, are minimised.
• An internal control system comprises the whole network of systems established in an organisation
to provide reasonable assurance that organisational objectives will be achieved.
• Internal management control refers to the procedures and policies in place to ensure that
company objectives are achieved.
• The control procedures and policies provide the detailed controls implemented within the
company.
Internal controls and COSO
❖ COSO (the Committee of Sponsoring Organisations) was formed in 1985 to sponsor the
national commission on fraudulent reporting. The 'sponsoring organisations' included the
American Accounting Association and the American Institute of Certified Public
Accountants. COSO now produces guidance on the implementation of internal control
systems in large and small companies.
❖ In COSO, internal control is seen to apply to three aspects of the business:
1) Effectiveness and efficiency of operations - that is, the basic business objectives, including
performance goals and safeguarding resources.
2) Reliability of financial reporting - including the preparation of any published financial information.
3) Compliance with applicable laws and regulations to which the company is subject.
Objectives of internal control systems
❖ A popular misconception is that the internal control system is implemented simply to stop
fraud and error.
❖ A lack of internal control implies that directors have not met their obligations under
corporate governance. It specifically means that the risk management strategy of the
company will be defective.
❖ The main objectives of an internal control system are summarised in the Auditing
Practices Board (APB) and the COSO guidelines. An internal control system is to ensure, as
far as practicable:
• the orderly and efficient conduct of its business, including adherence to internal policies
• the safeguarding of assets of the business
• the prevention and detection of fraud and error
• the accuracy and completeness of the accounting records, and
• the timely preparation of financial information.
Benefits of an internal control system
❖ Effectiveness and efficiency of operations.
❖ Reliability of financial reporting.
❖ Compliance with applicable laws and regulations.
These may further give rise to improved investor confidence.
Objectives of internal control
❖ The objectives of an internal control system follow on from the need for internal control in
risk management and corporate governance.
❖ E.g., APB objectives:
• ‘The internal control system includes all the policies and procedures (internal records)
adopted by the directors and management of an entity to succeed in their objective of
ensuring, as far as practicable.’
• The internal control system encompasses the whole business, not simply the financial records.
Objectives of internal control (cont.)
COSO objectives:
❖ COSO defines internal control as 'a process, effected by the entity's board of directors,
management and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives', in three particular areas:
(1) Effectiveness and efficiency of operations.
(2) Reliability of financial reporting.
(3) Compliance with applicable laws and regulations.
❖ This definition contains a number of key concepts which illustrate the pervasiveness of internal
control systems in a company.
• Internal control is a process, rather than a structure. It is a continuing series of activities, planned,
implemented and monitored by the board of directors and management at all levels within an organisation.
• Internal control provides only reasonable assurance, not absolute assurance, with regard to achievement of
the organisation's objectives.
• The objectives of internal control relate to assurance not only about reliable financial reporting and
compliance, but also with regard to the effectiveness and efficiency of operations.
• Internal control is therefore also concerned with the achievement of performance objectives, such as
profitability.
• It is also useful to think of internal control as a system for the management and control of certain risks, to
restrict the likelihood of adverse events or results.
Limitations of internal control systems
Warnings should be given regarding over-reliance on any system, noting in particular that:
❖ A good internal control system cannot turn a poor manager into a good one.
• The system can only provide reasonable assurance regarding the achievement of objectives - all
internal control systems are at risk from mistakes or errors.
• Internal control systems can be by-passed by collusion and management override.
• Controls are only designed to cope with routine transactions and events.
• There are resource constraints in provision of internal control systems, limiting their effectiveness.
❖ In other words, it is good corporate governance to establish a system of internal controls
so that risks within the company will be minimised, but those risks can never be entirely
eliminated.
Sound control systems
❖ It is not sufficient to simply have an internal control system since a system can be
ineffective and fail to support the organisation and serve the aim of corporate
governance.
❖ Three features of a sound internal control system:
Roles in risk management and internal control
❖ Responsibility for internal control is not simply an executive management role.
• All employees have some responsibility for monitoring and maintaining internal controls.
• Roles in monitoring range from the CEO setting the 'tone' for internal control compliance, to the
external auditor, reporting on the effectiveness of the system.
❖ Directors should:
• set appropriate internal control policies.
• seek regular assurance that the system is functioning.
• review the effectiveness of internal control.
• provide disclosures on internal controls in annual reports and accounts.
• Directors should review internal controls under the five headings identified by COSO in 1992.
▪ Control environment
▪ Risk assessment
▪ Information systems
▪ Control procedures
▪ Monitoring
Roles in risk management and internal control
❖ Management should:
• implement board policies.
• identify and evaluate the risks faced by the company.
❖ Internal audit makes a significant and valuable contribution to a company.
Reviewing the effectiveness of internal control
❖ In respect of reviewing the internal control system:
• the review is a normal responsibility of management
• the review itself, however, will be delegated to the audit committee (the board do not have the
time or the expertise to carry out the review themselves)
• the board must provide information on the internal control system and review in the annual
accounts
• the review should be carried out at least annually.
❖ The COSO framework identifies five main elements of a control system against which the
review should take place.
• These range from the board setting the overall philosophy of the company in terms of applying
internal controls to the detail of the control activities.
Elements of an effective internal control system (COSO)
(1) Control environment
❖ The control environment has been defined by the Institute of Internal Auditors as:
‘The attitude and actions of the board and management regarding the significance of
control within the organisation. The control environment provides the discipline and
structure for the achievement of the primary objectives of the system of internal
control.’
❖ The control environment includes the following elements:
• Management's philosophy and operating style.
• Organisational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.
Elements of an effective internal control system (COSO)
(2) Risk assessment
❖ There is a connection between the objectives of an organisation and the risks to which it
is exposed.
• In order to make an assessment of risks, objectives for the organisation must be established.
• Having established the objectives, the risks involved in achieving those objectives should be
identified and assessed, and this assessment should form the basis for deciding how the risks
should be managed.
❖ Risk assessment should be conducted for each business within the organisation, and
should consider, for example:
• internal factors, such as the complexity of the organisation, organisational changes, staff turnover
levels, and the quality of staff
• external factors, such as changes in the industry and economic conditions, technological changes,
and so on.
❖ The risk assessment process should also distinguish between:
• risks that are controllable: management should decide whether to accept the risk, or to take
measures to control or reduce the risk
• risks that are not controllable: management should decide whether to accept the risk, or whether
to withdraw partially or entirely from the business activity, so as to avoid the risk.
Elements of an effective internal control system (COSO)
(3) Control activities
❖ These are policies and procedures that ensure that the decisions and instructions of
management are carried out.
❖ Control activities occur at all levels within an organisation.
❖ The APC provided a list of eight internal controls:
• S – Segregation of duties
• P – Physical
• A – Authorisation and approval
• M – Management
• S – Supervision
• O – Organisation
• A – Arithmetic and accounting
• P – Personnel
Segregation of duties
❖ Most transactions can be broken down into three separate duties:
• the authorisation or initiation of the transaction,
• the handling of the asset that is the subject of the transaction, and
• the recording of the transaction.
This reduces the risk of fraud and may also reduce the risk of error.
❖ Segregation of duties can also make it easier to spot unintentional mistakes, and should
not be seen simply as a control against fraud.
❖ Although segregating duties provides protection against fraud by one individual, it is not
effective against collusion to commit fraud by two or more individuals.
❖ At board of directors level, corporate governance codes state that the duties of the
chairman of the board and the CEO should be segregated, to prevent one individual from
acquiring a dominant position on the board.
Physical controls
❖ Physical controls are measures and procedures to protect physical assets against theft or
unauthorised access and use. They include:
• using a safe to hold cash and valuable documents
• using secure entry systems to buildings or areas of a building
• dual custody of valuable assets, so that two people are needed to obtain access to certain assets
• periodic inventory checks
• hiring security guards and using closed circuit TV cameras.
Authorisation and approval
❖ Authorisation and approval controls are established to ensure that a transaction must not
proceed unless an authorised individual has given his approval, possibly in writing.
❖ E.g., for spending transactions, an organisation might establish authorisation limits,
whereby an individual manager is authorised to approve certain types of transaction up
to a certain maximum value.
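The two control types just described, segregation of duties (the three duties of a transaction performed by three different people) and authorisation limits, can be checked mechanically against a transaction audit trail. The Python below is an added example, not part of the slides or of any named framework: the field names, the approver grades and their limits, and the sample trail are all constructed. It also shows the limitation the slides point out, since two people colluding (one authorising, one recording) pass the segregation check.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed approval limits by approver grade (constructed values, not from the slides).
APPROVAL_LIMITS = {"supervisor": 1_000, "manager": 10_000, "director": 100_000}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float
    authorised_by: str     # person who initiated/authorised the transaction
    approver_grade: str    # grade used to look up the authorisation limit
    handled_by: str        # person who had custody of the asset (e.g. paid the cash)
    recorded_by: str       # person who recorded it in the accounting system


def check_controls(txn: Transaction) -> List[str]:
    """Return the control violations for one transaction (empty list = passes)."""
    findings: List[str] = []

    # Segregation of duties: authorisation, custody and recording must be done by
    # three different people. Collusion between two of them still passes this
    # check, which is the limitation the slides note.
    duties = {
        "authorisation": txn.authorised_by,
        "custody": txn.handled_by,
        "recording": txn.recorded_by,
    }
    first_duty_of: Dict[str, str] = {}
    for duty, person in duties.items():
        if person in first_duty_of:
            findings.append(f"SoD: {person} performed {first_duty_of[person]} and {duty}")
        else:
            first_duty_of[person] = duty

    # Authorisation limit: the approver's grade caps the value they may approve.
    if txn.approver_grade not in APPROVAL_LIMITS:
        findings.append(f"Authorisation: unknown approver grade '{txn.approver_grade}'")
    elif txn.amount > APPROVAL_LIMITS[txn.approver_grade]:
        findings.append(
            f"Authorisation: {txn.amount:.2f} exceeds the {txn.approver_grade} "
            f"limit of {APPROVAL_LIMITS[txn.approver_grade]:.2f}"
        )
    return findings


def review_audit_trail(trail: List[Transaction]) -> Dict[str, List[str]]:
    """Map each failing transaction id to its findings; passing transactions are omitted."""
    report: Dict[str, List[str]] = {}
    for txn in trail:
        findings = check_controls(txn)
        if findings:
            report[txn.txn_id] = findings
    return report


# Constructed audit trail: one clean transaction and three control failures.
AUDIT_TRAIL = [
    Transaction("T1", 500.0, "alice", "supervisor", "bob", "carol"),    # passes
    Transaction("T2", 5000.0, "alice", "supervisor", "bob", "carol"),   # over the supervisor limit
    Transaction("T3", 200.0, "dave", "manager", "dave", "erin"),        # same person authorised and paid
    Transaction("T4", 150000.0, "frank", "director", "gina", "frank"),  # SoD breach and over limit
]

if __name__ == "__main__":
    for txn_id, findings in review_audit_trail(AUDIT_TRAIL).items():
        print(txn_id, "->", "; ".join(findings))
```

In practice the same check would run over exported ledger or workflow records, and the findings would go to the internal audit function as exceptions to follow up rather than being acted on automatically.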
Management control
❖ Controls are exercised by management on the basis of information they receive.
❖ Top level reviews.
• The board of directors or senior management might call for a performance report on the progress
of the organisation towards its goals.
• For example, senior management might review a report on the progress of the organisation toward
achieving its budget targets. Questions should be asked by senior management, prompting
responses at lower management levels. In this way, top level reviews are a control activity.
❖ Activity controls.
• At departmental or divisional level, management should receive reports that review performance
or highlight exceptions.
• Functional reviews should be more frequent than top-level reviews, on a daily, weekly or monthly
basis.
• As with top-level reviews, questions should be asked by management that initiate control activity.
• An example of control by management is the provision of regular performance reports, such as
variance reports, comparing actual results with a target or budget.
Supervision
❖ Supervision is oversight of the work of other individuals, by someone in a position of
responsibility.
❖ Supervisory controls help to ensure that individuals do the tasks they are required to and
perform them properly.
Organisation
❖ Organisation controls refer to the controls provided by the organisation’s structure, such
as:
• the separation of an organisation's activities and operations into departments or responsibility
centres, with a clear division of responsibilities
• delegating authority within the organisation
• establishing reporting lines within the organisation
• co-ordinating the activities of different departments or groups, e.g. by setting up committees or
project teams.
Arithmetic and accounting
❖ Controls are provided by:
• recording transactions properly in the accounting system
• being able to trace each individual transaction through the accounting records
• checking arithmetical calculations, such as double-checking the figures in an invoice before sending
it to a customer (sales invoice) or approving it for payment (purchase invoice) to make sure that
they are correct.
Personnel controls
❖ Controls should be applied to the selection and training of employees, to make sure that:
• suitable individuals are appointed to positions within the organisation;
• individuals have the appropriate personal qualities, experience and qualifications where
required;
• individuals are given suitable induction and training, to ensure that they carry out their tasks
efficiently and effectively.
❖ Staff should also be given training in the purpose of controls and the need to apply them.
• Specific training about controls should help to increase employee awareness and understanding of
the risks of failing to apply them properly.
Internal audit
• Apply internal audit resources
Internal audit definition
❖ “The role of internal audit is to provide independent assurance that an organisation’s risk
management, governance and internal control processes are operating effectively.
Internal auditors deal with issues that are fundamentally important to the survival and
prosperity of any organisation. Unlike external auditors, they look beyond financial risks
and statements to consider wider issues such as the organisation’s reputation, growth, its
impact on the environment and the way it treats its employees.”
(Chartered Institute of Internal Auditors)
Risk management vs internal audit
In summary, risk management identifies risks, management devises controls which they think will
prevent or mitigate the risk, and the auditors check that the controls work.
Function and importance of internal audit
❖ Internal audit is a management control. The department reviews the effectiveness of
other controls within a company.
❖ It is part of the control systems of a company, with the aim of ensuring that other
controls are working correctly.
❖ In some regimes, it is a statutory requirement to have internal audit. In others, codes of
corporate governance strongly suggest that an internal audit department is necessary.
❖ The work of internal audit is varied – from reviewing financial controls through to
checking compliance with legislation.
❖ The department is normally under the control of a chief internal auditor who reports to
the audit committee.
Roles of internal audit
Types of audit work
❖ The internal audit department will carry out many different types of audit, as highlighted
by the department's varied roles.
❖ Examples of audit types are:
• financial audit
• operational audit
• project audit
• value for money audit
• social and environmental audit
• management audit
Social and environmental audit
❖ Social auditing
• A process that enables an organisation to assess and demonstrate its social, economic, and
environmental benefits and limitations.
• Also measures the extent to which an organisation achieves the shared values and objectives set
out in its mission statement.
• Provides the process for environmental auditing.
❖ Environmental auditing
• Aims to assess the impact of the organisation on the environment.
• Normally involves the implementation of appropriate environmental standards such as ISO 14001
and EMAS (Eco-Management and Audit Scheme).
• Provides the raw data for environmental accounting.
• An environmental audit typically contains three elements:
▪ agreed metrics (what should be measured and how)
▪ performance measured against those metrics
▪ reporting on the levels of compliance or variance
Accounting for sustainability
❖ Two methods which attempt to account for sustainability are 'full cost' and 'triple bottom
line' accounting.
❖ Full cost accounting
• Full cost accounting means calculating the total cost of company activities, including environmental,
economic and social costs.
• It attempts to include all the costs of an action, decision or manufacture of a product into a costing
system, and as such will include many non-financial costs of certain actions.
• The aim of full cost accounting is to internalise all costs even those which are incurred outside of
the company.
Audit of internal controls
To ensure that the company's control system is effective, the internal auditor will be looking for
controls similar to these for each risk identified.
Auditor independence
❖ Internal audit is an independent objective assurance activity.
❖ To ensure that the activity is carried out objectively, the internal auditor must have his/her
independence protected.
❖ Independence is assured in part by having an appropriate structure within which internal
auditors work.
❖ Independence is also assured in part by the internal auditor following acceptable ethical and
work standards.
Potential ethical threats
❖ Auditor independence will be compromised where ethical threats are faced.
❖ A threat to independence is anything that means that the opinion of an auditor could be
doubted.
❖ Threats can be real or perceived.
❖ The conceptual framework in the ACCA code of ethics provides examples of generic threats
that affect auditors, which can be viewed as affecting both external and internal auditors.
❖ The code of ethics also provides examples of other threats that (normally) affect external
auditors.
Protection of independence
❖ The internal auditors should be independent of executive management and should not
have any involvement in the activities or systems that they audit.
❖ The head of internal audit should report directly to a senior director or the audit
committee.
❖ In addition, however, the head of internal audit should have direct access to the chairman
of the board of directors, and to the audit committee, and should be accountable to the
audit committee.
❖ The audit committee should approve the appointment and termination of appointment
of the head of internal audit.
❖ Independence requires:
• independence of mind: the state of mind that permits the provision of an opinion without being
affected by influences that compromise professional judgement, allowing an individual to act with
integrity, and exercise objectivity and professional scepticism.
• independence in appearance: the avoidance of facts and circumstances that are so significant that
a reasonable and informed third party, having knowledge of all relevant information, including
safeguards applied, would reasonably conclude a firm's, or a member of the assurance team's,
integrity, objectivity or professional scepticism had been compromised.
Audit committee
❖ The audit committee is a committee of the board of directors consisting entirely of
independent non-executive directors (NEDs) (at least three in larger companies), of whom
at least one has had recent and relevant financial experience.
❖ Roles of the audit committee
• The key roles of the audit committee are 'oversight', 'assessment' and 'review' of other functions
and systems in the company.
• Most of the board objectives relating to internal controls will be delegated to the audit committee.
Factors affecting the role of the audit committee
❖ How effective the audit committee is in checking compliance and internal controls depends
primarily on how it is constituted and the power vested in that committee. The following factors
are relevant:
• The board should decide how much responsibility it wishes to delegate to the audit committee. The tasks of
the committee will differ according to the size, complexity and risk profile of the company.
• The committee should meet as often as its responsibilities require, and it is recommended that there should
be at the very least three meetings each year, to coincide with key dates in the audit cycle (for example,
when the annual audit plans are available for review, when the interim statement is near completion and
when the preliminary announcement/full annual report are near completion).
• The audit committee should meet at least once a year with the external and internal auditors, without
management present, to discuss audit-related matters.
• Formal meetings of the audit committee are at the heart of its work. However, they will rarely be sufficient.
The audit committee chairman in particular will probably wish to meet informally with other key people,
such as the board chairman, CEO, finance director, senior audit partner and head of internal audit.
• Any disagreement between audit committee members that cannot be resolved within the committee should
be referred to the main board for a resolution.
• The audit committee should review both its terms of reference and its effectiveness annually, and
recommend any necessary changes to the board. (The board should also review the effectiveness of the
audit committee annually.)
• To do its work properly, the audit committee must be kept properly informed by the executive management.
Management is under an obligation to keep the audit committee properly informed and should take the
initiative in providing information, instead of waiting to be asked.
The audit committee and internal control
❖ The board is responsible for the total process of risk management, which includes
ensuring that the system of internal control is adequate and effective.
❖ The board delegates this internal control responsibility to the audit committee.
The audit committee and internal control (cont.)
❖ In relation to internal controls, the audit committee should:
• review the company's internal financial controls
• monitor the adequacy of the internal control systems, with a specific focus on
▪ control environment
▪ management attitude
▪ management controls
• review compliance with regulations, legislation and ethical practices (such as environmental policies
and codes of conduct), and ensure that systems are in place to support such compliant behaviour
• review the company's fraud risk management policy, ensuring that awareness is promoted and
reporting and investigation mechanisms exist
• give its approval to the statements in the annual report relating to internal control and risk
management
• receive reports on the conclusions of any tests carried out on the controls by the internal or
external auditors, and consider the recommendations that are made
• where necessary, the committee may be required to supervise major transactions for
appropriateness and validity.
The audit committee and internal control (cont.)
❖ As part of its obligation to ensure adequate and effective internal controls, the audit
committee is responsible for overseeing the work of the internal audit function. It should:
• monitor and assess the role and effectiveness of the internal audit function within the company's
overall risk management system
• check the efficiency of internal audit by, e.g. comparing actual costs and output against a target
• approve the appointment, or termination of appointment, of the head of internal audit
• ensure that the internal audit function has direct access to the board chairman and is accountable
to the audit committee
• review and assess the annual internal audit work plan
• receive periodic reports about the work of the internal audit function
• review and monitor the response of management to internal audit findings
• ensure that recommendations made by internal audit are actioned
• help preserve the independence of the internal audit function from pressure or interference.
Review of internal audit
The audit committee, and the external auditor where they are relying on the internal audit
department, will need to ensure that the internal audit department is working effectively. Such a
review will normally involve four key areas:
Review of internal audit (cont.)
Cyber security risk management
• Evaluate and mitigate cyber risks
Types of sensitive information
❖ Organisations deal with a wide variety of sensitive information on a daily basis.
❖ It is important to understand
• what constitutes sensitive information,
• how it is used,
• what an organisation’s objectives regarding cyber security might be, and
• how different organisations may interact with technology.
❖ Generally, 3 types of sensitive information:
• Personal information – Personally Identifiable Information (PII). Anything that can be used
either on its own or with other information to identify, contact or locate a single person.
• Business information – Anything that may cause a risk to the company if discovered by an
external party, e.g., a competitor. Includes research data, marketing plans, new product
developments.
• Classified information – Usually refers to information that a national government has put
special restrictions on where disclosure could harm public safety and security.
How technology interacts with the organisation
❖ To enable an organisation to protect itself from cyber security threats, it must understand
how technology interacts with the organisation.
❖ The following should be considered:
• Type of technology the company uses
▪ E.g., Enterprise Resource Planning (ERP) systems, Data Centres
• The different ways the organisation is connected with technology
▪ E.g., Virtual Private Network (VPN), routers, virtual servers
• The different service providers the company uses
▪ E.g., cloud service provider, software providers, call centres
• How the company delivers its product or services to the customer
▪ E.g., transmissions to vendors, online retail channels, wholesale customers
❖ All the above factors provide opportunities for issues to arise, if they are not properly
understood and controlled.
❖ Many organisations depend on their digital strategies. Threats to these strategies can be
complex, more so as reliance on information systems increases.
❖ As organisations look to exploit greater efficiency from technological advances, new and
unforeseen threats are created.
• E.g., smart technology and devices linked together to create networks increase vulnerabilities – a
system or network is only as secure as the weakest device in the network.
Cyber security and the external environment
❖ Environmental, technological, organisation and other changes could have a significant
effect on the organisation’s cyber security risks and therefore the cyber security risk
management programme.
❖ Examples of types of changes that could affect cyber security risk management:
• Expansion – E.g., adding an additional manufacturing operation will require an additional connection
to the local area network, which in turn leads to an additional area requiring protection.
• Acquisition – An acquisition or merger involves integrating different software packages, leading to
risks such as data loss during the changeover process and potential breaches through additional
access points.
• Restructure – An internal restructure would change reporting lines and IT users would require their
access to be updated to match their new roles.
• Hardware update – Rolling out any kind of update poses a risk because people need to change the
way they do things, and old hardware must be disposed of securely (data stored on a hard drive could be
accessed if the drive is not correctly wiped and falls into the wrong hands).
• Regulations – Changes in legal and regulatory frameworks can affect cyber security risk
management. E.g., data privacy laws.
Cyber security objectives
❖ Management must establish cyber security objectives.
• Risk based, so cyber security objectives will link to the cyber security risks that may impact the
achievement of the organisation’s ultimate business objectives.
• The board reviews the overall objectives and approves them as appropriate. This may include stating any
industry standards the company complies with (e.g., Payment Card Industry Data Security
Standard, PCI DSS).
❖ AICPA has identified a reporting framework for cyber security that outlines the following
cyber security objectives:
• Availability
▪ Websites and applications that are available 24/7 increase customer access and sales.
• Confidentiality
▪ Organisations create and obtain a huge amount of data (proprietary to personal information) that
must be protected from unauthorised access and disclosure, including complying with privacy
requirements.
• Integrity of data
▪ Must take steps to prevent unauthorised modification of or destruction of information.
• Integrity of processing
▪ Guarding against the improper use, modification, or destruction of systems.
Social media
❖ Social media is a catch-all term for a range of sites that may provide radically different
social interactions. E.g.,
• Twitter is designed to let people share short updates (‘tweets’) with others.
• Facebook is a social networking site that allows for sharing updates, photos, joining events and a
variety of other activities.
• LinkedIn is a professional business-related networking site.
• Instagram is a free photo-sharing program.
❖ Social media offers the following opportunities:
• Advertising
• Brand development
• Big data analytics – E.g., by monitoring when a brand is mentioned, by who and in what context,
marketers can target advertising better
• Method of listening to customers – Businesses can gather instant feedback with quick polls.
• Real-time information gathering
• Communication
• Recruitment and selection – A wide range of potential candidates can see recruitment ads on social
networking sites like Facebook and Twitter. This avoids costly recruitment fees and makes it more likely
that candidates already engaged with the brand will be found.
• Selection – Screening candidates by researching their web presence, e.g., LinkedIn or Facebook, to
see interesting facts, photos and opinions that might be relevant to their future careers.
Risks of social media to organisations
❖ Human error – Mistakes by employees could range from being hacked after clicking on
fraudulent links on work computers, to making inappropriate comments either through their
personal social media accounts or via the company account.
❖ Productivity – Can disrupt employees’ work and reduce operational efficiency if
employees can access social media at work.
❖ Data protection – Need to make sure networks are secure and comply with legislation on
how companies gather, use and store data about customers.
❖ Hacking – A hacker may try to infiltrate social media accounts for malicious reasons.
❖ Reputation – Mistakes a company makes on social media could pose a reputational risk: they
impact the brand and may result in lost customers, sales or employees.
❖ Inactivity – Not using social media or not keeping existing accounts up to date could be
damaging as an online presence becomes increasingly important.
❖ Costs – To use social media well and to control accompanying risks could incur significant
costs. Includes fines from non-compliance with regulations, which could be significant.
Risk of security vulnerabilities
❖ Vulnerabilities can be classified as follows:
• Technical deficiencies – Includes issues like software defects, or not using appropriate protection
(e.g., encryption) correctly.
• Procedural deficiencies – IT related (e.g., system configuration mistakes, not keeping software
security patches up to date) or user related (e.g., not complying with company guidelines on
changing passwords, using overly simple passwords).
• Physical – A physical event like a fire or flood causes damage to the IT system.
❖ Impact on organisation when IT system is compromised includes:
• Down time – loss of production or potentially lost revenue generating opportunities
• Reputation damage – organisation’s name and brand value negatively affected, leading to lost sales
• Customer flight – Especially critical in e-commerce. Lost sales.
• Industry consequences – More costly in more highly regulated industries like health care and
financial services.
• Legal consequences – Fines, lawsuit costs and settlements