Okay, our next topic is risk and internal control. First of all, what is risk? We discussed risk yesterday. Risks are those unforeseen obstacles, unforeseen events, unforeseen issues, hindrances that may prevent you from achieving the objectives of the organization, or maybe at a personal level.
Any unforeseen event that prevents you from achieving your goal is a risk. So risks are unforeseen obstacles to the pursuit of organizational objectives. Now let's take a couple of examples. There are three examples given here. Maybe a hacker breaks into a university information system, changes the grades and awards himself a degree. It's a risk, so the university information system should have some strong controls to prevent this from happening. Second risk: if interest rates go up, the firm's borrowing costs will go up. How would you manage that?
Risk management is a complete section in CMA Part 2, Section D, and you will learn many tools for managing risk there, but in CMA Part 2, not here. So you just need to know that there are risks and we need to do something about them. And then your competitor brings a new technology, and this technology can put your business in trouble.
So these are some risks and you need to manage these risks. So any mid or large size organization will have a risk management department which is responsible for regular risk assessment, whereby a company identifies what our vulnerabilities are, what can go wrong.
So this is important. You will learn that there are five responses to risks. You identify risks during risk assessment: we are facing risk A, risk B, risk C, D and so on. Many risks. What can we do with these risks?
There are five responses. You can take five actions. Either you say, okay, let's accept it. This is called risk acceptance. You accept the risk.
We'll take it. We'll see what happens. Second, you are right. Kali Valley, in the first case you accept the risk, you take it in; this is also called self-insurance. You accept the risk and manage it yourself. Second, you say no, we will not engage in any activity that involves this risk: avoid it. Third could be, let us share this risk with some insurance company or with our counterparty; this is called risk sharing or risk transfer. Fourth, institute a system, institute a management process and activity that reduces the impact of the risk.
This is called risk mitigation. And the fifth one, which is very serious and very dangerous, is exploitation. Exploit the risk. Deliberately look for risk and see what you can do with it.
Because the higher the risk, the more is the expected benefit. So these are the five responses. Through risk assessment, we identify different risks. Some of these risks we will accept. Some of these we will avoid.
Some of these we will share, mitigate and exploit. What should be the right response? It's a detailed topic you will do in your CMA Part 2, Section D, risk management.
These are the five responses to risk. Now, we are specifically concerned with those risks that we can manage, those we can reduce, called risk mitigation or risk reduction. How do we do that?
We do that by instituting a strong system of internal control, a system of checks and balances. Today we will discuss what a system of internal control is, in detail. Hezer, could you please rephrase your question?
Performance controlling is also a part of RIC, maybe it's an abbreviation of something, I can't recall exactly. Could you rephrase? Then I will answer your question. So when you decide to mitigate risk, for that you need to set up a system of internal control: reconciliations,
independent checks, verifications, physical observations. We will discuss internal control in our current class and the next class also. So whenever you institute or set up a control, that control will have a cost and that control will also have a benefit. So we need to see the cost of the control and the benefit of the control.
For example, we have a team of five auditors and they are assigned to conduct audits of different branches and they are given air tickets. This is clearly the cost of conducting this engagement. And what are the expected benefits? So comparing the cost versus the benefits will help us decide whether this control is okay or not.
Yes, this is also part of it, yes, exactly. We will discuss the components of internal control coming your way shortly. So this is the response called risk mitigation. We can set up a system of internal control, keeping in mind that the benefits of the control should be more and the cost of the control should be less. This is an important point. And as I said, risk management is an ongoing process, because organizations keep on facing different types of risks and they need to keep themselves updated to the changing circumstances. Right, so let's move on.

Let's see, can we quantify risk? Can we measure risk? Yes, risk can be quantified if we have two factors: first, the severity of the consequence, that if that event occurs, how much loss can we suffer; and then, what is the probability of that event occurring. If we have these two variables, the severity of consequences (the financial impact) and the possibility of occurring, we can quantify risk. Otherwise, normally risk is assessed in qualitative terms, meaning the risk is either high, or moderate, or low, or you can also find another sub-classification within high and medium, and medium and low. So this is called the qualitative evaluation of risk. So we are now going to discuss how we can quantify this. Let us see. We have identified these three events: a company is assessing the risk of its information system being penetrated by hackers. The first event is that there is a minor penetration, and this is 90% probable.
So we have the likelihood of occurrence. If we can somehow estimate what the financial loss is going to be, let's say, just assume a number, $10 million. So in this case, if an event is 90% probable, and if that event occurs we might lose $10 million, that means the probable loss, the expected loss, the expected value of the loss, is $9 million. The second event is that a hacker enters our system and is able to view the internal databases.
And it is 8% probable. And the financial loss, let's say, is $200 million. So 200 million times 8% is going to be $16 million.
See, we are able to quantify this. And this will also result in public embarrassment, loss of customer confidence, because your information is now public. Third event: someone entered your information system and was able to alter the internal database. It is very unlikely, 2% only, but if it happens, it will result in a public relations crisis, it will result in customer defection, maybe some legal cases against you, some lawsuits against you.
So if this happens, the likely loss is going to be $30 billion, let's say. And if it is $30 billion, which is less likely to occur, the loss is still significant. The expected value of the loss is $6 billion. See?
Such a massive, massive amount. So the point here to learn is that for the event that is most likely to occur, which is almost inevitable (inevitable means something which will surely happen), the event that is most likely to happen, you won't find it worthwhile to put some money on managing this control. What can you do with it? Let's suck it up: nine million dollars, fine, we will suffer this loss. But to the contrary, the event that has a very little chance of occurrence, just two percent, but whose consequence is disastrous, maybe you will put most of your money into instituting a strong system of control to avoid this, because this is a disastrous level of event; if it occurs, the business would be in trouble. So this is how we quantify risk. This is to the extent you need to know; risk management, as I said, is a detailed topic you will study in your CMA Part 2, Section D.

Okay, now let us discuss the AICPA, the American Institute of Certified Public Accountants. They use a risk model and we are going to modify this risk model. They say that the total risk (this model basically was originally envisaged for audit, but we are going to use it for internal control), so total risk is in fact a combination of three risks: inherent risk, control risk, and detection risk. Let me explain. Inherent risk...
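The expected-loss figures above, worked as code. This is an added example and not part of the lecture: it takes the three penetration events with the probabilities and loss amounts given, computes probability times impact for each, maps the result to the high/moderate/low bands, and then applies the cost-versus-benefit test from earlier to an assumed control for each event. The control names, their costs, the residual probabilities and the band thresholds are assumptions made up for the example.

```python
"""Quantifying risk as probability x impact, then deciding whether a control
is worth its cost. Added example; not from the lecture or the CMA syllabus."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood the event occurs in the period (0..1)
    impact: float       # loss if it does occur (severity of consequence)

    def expected_loss(self) -> float:
        # The lecture's "probable loss": likelihood x financial impact
        return self.probability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # what the control costs to run (assumed)
    residual_probability: float   # likelihood left once the control is in place (assumed)


def rank_by_expected_loss(risks):
    """Highest expected loss first: the order in which to spend control money."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def qualitative_rating(expected_loss, high=100e6, moderate=10e6):
    """Map a quantified loss back onto the high/moderate/low bands the lecture
    mentions. The two thresholds are assumptions for this example."""
    if expected_loss >= high:
        return "high"
    if expected_loss >= moderate:
        return "moderate"
    return "low"


def control_benefit(risk, control):
    """Reduction in expected loss that the control buys."""
    residual = Risk(risk.name, control.residual_probability, risk.impact)
    return risk.expected_loss() - residual.expected_loss()


def recommend_response(risk, control):
    """Mitigate only when the control's benefit exceeds its cost; otherwise accept."""
    return "mitigate" if control_benefit(risk, control) > control.annual_cost else "accept"


# Constructed data: the three penetration events from the lecture, with the
# probabilities and loss figures it gives, plus assumed controls and costs.
EVENTS = [
    Risk("minor penetration", 0.90, 10e6),
    Risk("internal databases viewed", 0.08, 200e6),
    Risk("internal databases altered", 0.02, 30e9),
]
CONTROLS = {
    "minor penetration": Control("basic perimeter hardening", 12e6, 0.45),
    "internal databases viewed": Control("database access monitoring", 5e6, 0.02),
    "internal databases altered": Control("integrity controls and segregation", 50e6, 0.002),
}


def risk_register():
    """One row per event: expected loss, band, and the recommended response."""
    rows = []
    for risk in rank_by_expected_loss(EVENTS):
        control = CONTROLS[risk.name]
        rows.append({
            "event": risk.name,
            "expected_loss": risk.expected_loss(),
            "rating": qualitative_rating(risk.expected_loss()),
            "control": control.name,
            "benefit": control_benefit(risk, control),
            "cost": control.annual_cost,
            "response": recommend_response(risk, control),
        })
    return rows


if __name__ == "__main__":
    for row in risk_register():
        print(f"{row['event']:<28} EL={row['expected_loss'] / 1e6:>8.1f}M "
              f"{row['rating']:<8} benefit={row['benefit'] / 1e6:.1f}M "
              f"cost={row['cost'] / 1e6:.1f}M -> {row['response']}")
```

Running it prints the register ranked by expected loss. The 2% event dominates the ranking even though it is the least likely, and the 90% event ends up with "accept" because the assumed control costs more than the expected loss it removes, which is the point the lecture makes about where to put the control budget.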
But maybe you are engaged in the gold business, a highly desirable, highly desirable item. Right now, its current market price in Pakistan is 143,000 rupees per tola, per 11 grams. Highly desirable. So a business that is engaged in gold trading is inherently risky.
So the risk that arises from the nature of the business objective is called inherent risk. So if you are engaged in gold trading, your business is inherently risky. This inherent risk is specifically used in an audit perspective. Like if you are auditing a company's financial statements and you see some complex transactions, like insurance premium computation or pension liability computation or lease liability computation, such accounts, such transactions, are inherently risky because they are more likely to contain some misstatement. That's the original model used in audit. We are not concerned with audit; we are specifically concerned with internal control. So inherent risk is the risk that arises because of the nature of the objectives. Like if your business is uranium prospecting: uranium is a very dangerous radioactive material, it can cause genetic mutation, so if you are a uranium prospector your employees are more exposed to radiation, so there is a risk of very serious health issues. So dealing in gold, or uranium prospecting, or maybe putting out fires in oil wells, which is very dangerous, these businesses are inherently risky. So let's take an example and carry on with it: we are in a gold trading business, which is clearly inherently risky; it's a highly desirable item, so if we do not keep any control it's an item that is most likely to be stolen.

Okay, Khizr says his allowance created for those amounts in the budget under risk categories is only considered once we set up our budget and break it down into different types, as we discussed in material and labor. So normally those budgets are specifically related to financial statements, pro forma financial statements. Your concern might be related to production, maybe, right? So we keep an allowance for what can go wrong. There is a certain tolerance limit that you need to set up in the budgeting process, of course, because otherwise, if you do not bring in these possibilities of losses, then your budget will be unrealistic. So inherent risk is
the risk that arises because of the nature of the objectives or the type of business we are in. Control risk: so what have we done? Since it's a very risky business, we have installed closed-circuit TV cameras, we have employed some security guards who keep watch on employees. Despite having these controls (these are called controls: actions taken by the management to manage the risk, the inherent risk)...
So even though closed-circuit cameras are there, even though security guards are there, still, still we see that our items are being stolen. So what is control risk? Control risk is the risk that controls will fail to prevent an obstacle from interfering with the achievement of the objective. We have a system.
We have security guards, we have constant vigilance, but despite that, we are losing money on our items. Because employees might collude, the security guards might collude, people might collude with each other. They commit a crime through connivance. Connivance means, let me explain this idea. We have four employees, A, B, C, D. A is responsible for recording cash transactions.
B is responsible for cash custody, C is responsible for cash authorization, and D is the one who is responsible for cash reconciliation. Very good segregation of duties. Looks nice and lovely.
But what if these four are friends and they, in connivance, commit a fraud: B allows a certain item to be held, C authorizes it, A does not record it, and D says everything is fine, everything is reconciled. So this is called collusion. So when employees collude, your control system can collapse.
Despite having a good system of internal control, with segregation of duties, your system can collapse. So when the control system doesn't work, it fails to achieve the organizational objective. We say the risk of this happening is called control risk.
And then the next risk is called detection risk. Detection risk is the risk that obstacles to an objective will not be detected before a loss has occurred. Like when you prepare the bank reconciliation statement: you will compare your cash book with your bank statement, any differences will be identified, and they need to be investigated. But say you conduct your BRS once in a year. Let's say a crude example, but it can happen: a business prepares its bank reconciliation one year at a time. Ideally it should be done on a monthly basis, or weekly, or daily if there is a lot of turnover. But if a business prepares the BRS after a year, that means we will not be able to detect the fraud; we detect the fraud when it is too late, a loss has occurred. So the total risk is in fact the combination of inherent risk (inherently risky), control risk (the control system failing), and detection risk (that we are unable to detect the error and problem in time), hence we suffer a loss.
So these are the three risks we will be discussing along the way. This is a typical organizational chart: board of directors at the top, then we have certain committees formed, these committees report directly to the board of directors, and then we have the internal audit team. I told you internal auditors report to the audit committee. Remember, this is important: internal audit has dual responsibilities. They are functionally responsible to the audit committee, as a function of their role, and they are administratively responsible to report to the chief executive officer.
So, in fact, you can say that there are two bosses who govern the work of internal audit: functionally the audit committee and administratively the chief executive officer, and that's all. Internal audit is no longer a part of your syllabus, so you may skip this topic altogether. So this is how the organization is laid out. We divide our work, we distribute the responsibility so that someone is held responsible and someone cross-checks his work. It's a system of checks and balances.
As I said, internal control is a system of checks and balances. Let us define what internal control is. There are a couple of definitions we'll study today, and then there's a comprehensive definition of internal control we'll discuss in our next class when we study the control procedures. So what is a system of internal control? A system of checks and balances, a system of internal control, to help the organization manage many of its risks.
So let us define internal control as per the IMA. The definition you're going to study is the definition given by the Institute of Management Accountants. The IMA says that a system of internal control, whether it's a financial system or otherwise, does four things for us. Let me first mark them and then I will explain.
I will explain. This is the first role it plays. Then this is the second one. This is the third and this is the fourth. Now let me highlight.
A system of internal control, a system of checks and balances, a system of checks and balances established by the management. This is a key phrase. The system of internal control is established by the management to carry out the business, and it does four things for us.
It gives us reasonable assurance that the business will be conducted in an orderly and efficient manner. First. Second, adherence to management policy.
Two. Third, safeguarding of assets. Three. And finally, the completeness and accuracy of records.
These are the four things that a system of internal control does for us. It provides us reasonable assurance that business operations will be orderly and efficient, management policies will be followed,
adhered to, complied with; assets will be protected; and the records will be complete and accurate. A system that does these four things for us is called a system of internal control. This is the definition given by the Institute of Management Accountants.
There is another definition also, discussed later on, so you can just read it well and be able to reproduce it in your own words if the essay type asks you to define what internal control is. Please note, and I keep on saying it: internal control design, drafting and implementation is the responsibility of the management and management alone. The board of directors will only supervise or oversee; internal auditors will monitor them, and internal auditors will assess their efficiency and effectiveness, whether they are working effectively. So please note: internal controls are designed, implemented and maintained by the management; they are overseen by the board of directors; and internal auditors will assess their efficiency and effectiveness, to see whether they are adequately doing their job. Right.

So next, there are some parties to the organization we need to know. Some internal parties: these people at the top, the board of directors. There are two types of directors on the board of directors: those who have some operational role, called executive directors, and those who do not have any operational role, who are called non-executive directors, or independent directors in the US. Out of those independent directors, we constitute some committees. The audit committee, we discussed, is responsible for the appointment of internal auditors and external auditors. The compensation committee is responsible for setting the salaries of the executive management.
Management cannot set its own salary and compensation itself. Someone else should do it. I can't say, I am the CEO, so from next month my salary is going to be 5 million dollars.
No, I do not set my compensation. Who does? The compensation committee. The finance committee will make sure that the business has sufficient financial resources to continue, and the risk committee, which we already discussed previously, is responsible for the overall management of risk in the organization. Then comes the senior management, responsible for the running of the business, and the CEO is a part of senior management, remember. Then we have the subordinate management. Then we have the internal auditors; as I said, internal auditing is removed from the syllabus. They are responsible to report functionally to the audit committee, as a part of their role, and administratively to the CEO. Now you might ask what is functional and what is administrative. Functional means the reporting on internal controls, the reporting on different engagements requested by the audit committee. But reporting on a day-to-day basis, how the purchasing department is doing, goes to the CEO; how the finance department is doing, to the CEO; how inventory control is doing, to the CEO.
So day-to-day reporting, operational reporting, goes to the CEO, and functional reporting goes to the audit committee. That's what you need to know, nothing more. And then we have other entity personnel, other people working in the departments; we have many different departments and the people working within them.
Then there are some external parties also connected to our organization. First, external auditors: these are the CPA firms, or ACCAs or CAs, who conduct the external audit. Then we have regulators. When we say regulators, we are talking about the SEC in the US, which governs the corporate structure in the US, and for taxation we have the IRS, the Internal Revenue Service.
Interacting parties: clearly your customers and suppliers; financial analysts, who conduct financial analysis of your financial statements and, based upon that analysis, give buy or sell recommendations to their clients; and then other outsourced service providers, because we do not produce everything ourselves. Sometimes we outsource some of our functions to outsourcing firms so that they perform work on our behalf. Next, we are going to do something in a very superficial manner: flowcharts.
You will never be required to construct any flowchart on your exam, because your essay-type window is of this size, and you can only type text, and text only: no graphics, no Excel sheets, no such additions can be made. So the point here is, why are we studying flowcharts? Because in the next unit, Unit 18, we will be doing different control procedures and you need some understanding of flowcharts there. So what kind of questions should you expect? The maximum you can expect on your exam is that if a symbol is given, you might be required to tell what the symbol means. Right? What does it mean, only up to that; otherwise, drawing up a flowchart or constructing one, or even an MCQ on it, is very, very unlikely, because this is a highly high-tech area. We normally do it in the CIA, but your syllabus contains just a little reference to it. Let us just get a quick overview and focus entirely on our learning outcomes.

What are flowcharts? There are two types of flowcharts: system flowcharts and program flowcharts. And what flowcharts themselves are: flowcharts basically are a graphical representation of the step-by-step progression of information, how the information is prepared, who authorizes the information, how the information flows between different departments, and how it is stored. So this is why we construct flowcharts: information preparation, how the documents flow, and where it is stored. And this flowchart can be for a manual system where there is no computerization, or you can prepare a flowchart for a computerized environment.
Why do we need it? To understand the system better. I'm sure wherever you're working, in different accounting departments, you would have some, at least you will have some DFDs, data flow diagrams, showing you how the information moves from one department to another and who does what, at least. So a DFD is a modified version of a flowchart. So basically it is constructed to give an understanding of how the work is done, how documents move. It allows the internal auditor as well as the external auditor to analyze the areas of audit emphasis: how the information moves, who authorizes what, who controls what, who is responsible for what.
So if you are an external auditor or an internal auditor, these flowcharts will help you in your preliminary survey in understanding how the client's system works. So this is the most important part. You need to understand these different symbols used in flowcharts, because the maximum you will be tested on in your exam is that you will be given a symbol and you will be asked what it is. So I would recommend that at least you should know some of these symbols, or all of them; there are hardly maybe 10 to 12 symbols, or 15 maybe. You just need to know what they mean.

Let us first see a flowchart and then I will link it with the symbols given here. This is a program flowchart. This sign here is the start: the starting or ending of a process. So you can see this sign shows starting and ending. Okay, what actually is the system all about? Start: load invoice. We received an invoice from our vendor, okay. Read the invoice number, invoice number 1215. Compare it with the open purchase orders. Compared. Now the decision tree: does the open purchase order number exist? No: this PO is already closed. Then if the purchase order is already closed, how do we have this invoice again? It's maybe a duplicate invoice. If the open purchase order doesn't exist, it's a duplicate invoice, and then the issue is closed; we won't process it further. If the open purchase order number exists, display the open purchase order and then accept the user's approval for payment. If the goods have been received, pay the supplier through accounts payable, and if the order is complete, file it in the closed POs; if the order is not complete, update the goods received and put it in the open purchase orders, and stop. So it's a complete flow of how the information would move relating to an invoice and a purchase order.

Now let us relate it with these symbols. This sign indicates the starting and ending of the process. This document symbol is not shown here in the flowchart; this sign is the input or output of a document.
Normally it's simply a document; you can say this sign is for a document, whether it is being input into the system or being generated by the system. This sign, the rectangular sign, is a computer operation: comparing, the loading of the invoice, comparing the invoice with the open purchase order. This rectangular sign is a computer operation. Okay, then this, I would say, trapezium; it's a trapezium. This trapezium is a sign which shows manual processing. This rectangle sign is a computer operation, and when we don't know whether it's a computer operation or a manual operation,
we use a symbol that closely resembles the two: a parallelogram. It's a generalized symbol.
We would not know whether it's computerized or manual. This sign here, as you can see, looks like a tape, a hard drive used in the old flowcharts. So it's a symbol for hard drives. This symbol shows a storage device, shown right here, where you place your open purchase orders.
Okay, the difference is: this hard drive is used for input/output connected to the system, and this is the hard drive where the data is stored, the storage media. And this sign is called the decision diamond, shown here: open purchase order, no, yes, and then we act accordingly. The decision symbol indicates a branch in the flow, or is sometimes called the decision diamond. Okay, then what next? This sign is a connector. Meaning, let's say, if I have some processes which are connected, I will mark it 7 and I will show it 7, which means these two processes are connected. Instead of drawing a line, I can draw a circle and put the same number on both sides, indicating that these two processes are linked. If they are on the same page, then you use the circle. Maybe your flowchart consists of maybe 15 pages and an item on the third page is connected with an item on the eighth. So in that case, if you need to connect the third page with the eighth page, you use this connector between two pages of the flowchart: page number three and page number eight. So you just need to know these symbols. This is storage that is not immediately accessible by the computer, storage that is not connected to the system. These are the flows of information; as you can see, these are arrows up, down, right, left. This sign is used for your cathode ray tube; the older ones, those of you who are above 40, I'm sure you would know, before LED technology or LCD technology, there used to be bulky monitors, shown by this sign.
This is the cathode ray tube sign. So this is a computer display or the video terminal. And then this sign is manual input, representing a kind of keyboard.
And this is adding machine tape. This, you can omit, because we no longer use disk tape to enter information into the system. So this is the maximum that you may be tested on in your exam: some symbols, and asking you what they are. Constructing a flowchart is completely beyond the scope of your CMA exam.
And we would need it in our next subunit, our next unit, where we will learn different control procedures. Let me first show you what is coming, so you know exactly what it's all about. So these are the kind of system flowcharts we will be doing in our next class: sales receivable cycle, purchase payable cycle, cash collection, salary payables, all these. So we will use these symbols extensively. Not in your syllabus, not in your textbook, but this is good for your understanding; we'll do it in our next class. So there are two types of flowcharts. One is the system flowcharts.
The flowchart I just showed you a little while ago, this is a system flowchart. This shows you how the documents move, how different departments perform their work. Look at this. We have different departments here.
Sales department, warehouse, shipping, billing, inventory control, accounts receivable, general ledger, treasurer. So you have your functional departments shown vertically, and the action that is taking place is shown moving from left to right. So this is coming your way. So horizontal flowcharts, sometimes called system flowcharts, show areas of responsibility, the different departments, and the information moves from left to right, document by document. So it shows activities, controls, document flows, and which departments are responsible for performing certain tasks. So departments are shown in columnar form, and documents move from left to right, and different actions take place in different departments, like this one here: purchasing department, computer processing, receiving, inventory, and what happens in all these is coming in the next overview, in the next unit. Then we have the vertical flowcharts. You would never be required to draw any system flowchart or program flowchart; you just need to know what they are. So vertical flowcharts are for computer programs.
That's why they are called program flowcharts. Then what do they show? They show you step by step, the successive steps, in a top-to-bottom format, and they are used in computer programming. When a computer program is developed, we first construct a flowchart to explain how the processes will work. These are the only two, that's all. Okay, so this is already done.
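The invoice and open-purchase-order program flowchart described earlier, written out as code so the branches can be followed. This is an added example, not the lecture's material: the data model, the duplicate-invoice-number check and the price test used as the "user approval" step are assumptions, and the PO number, quantities and invoices in the demo are constructed for it.

```python
"""The invoice / open-purchase-order program flowchart as code. Added example;
not the lecture's code. The price check in the approval step and the
duplicate-invoice-number check are assumptions, not part of the flowchart."""
from dataclasses import dataclass, field


@dataclass
class PurchaseOrder:
    po_number: str
    ordered_qty: int
    unit_price: float
    received_qty: int = 0   # goods received against this PO so far
    paid_qty: int = 0       # quantity already invoiced and paid

    def is_complete(self) -> bool:
        return self.paid_qty >= self.ordered_qty


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    quantity: int
    amount: float


@dataclass
class Ledger:
    open_pos: dict = field(default_factory=dict)    # the "open purchase order" file
    closed_pos: dict = field(default_factory=dict)  # the "closed PO" file
    payments: list = field(default_factory=list)    # what accounts payable pays out
    rejected: list = field(default_factory=list)    # invoices not processed, with reason


def price_check_approver(po, invoice):
    """Stand-in for the user's approval step (assumed rule): the invoiced amount
    may not exceed the PO unit price times the invoiced quantity."""
    return invoice.amount <= po.unit_price * invoice.quantity + 1e-9


def process_invoice(ledger, invoice, approver=price_check_approver, goods_received_now=0):
    """One pass through the flowchart for one invoice. Returns the branch taken."""
    # An invoice number that has already been paid is never paid twice (assumed check)
    if any(num == invoice.invoice_number for num, _, _ in ledger.payments):
        ledger.rejected.append((invoice.invoice_number, "duplicate invoice number"))
        return "rejected-duplicate-invoice"
    # Decision diamond: does an open PO with this number exist?
    po = ledger.open_pos.get(invoice.po_number)
    if po is None:
        # 'No' branch: the PO is closed (or unknown), so treat the invoice as a duplicate
        ledger.rejected.append((invoice.invoice_number, "no open PO"))
        return "rejected-no-open-po"
    # 'Yes' branch: display the open PO and accept (or not) the user's approval to pay
    if not approver(po, invoice):
        ledger.rejected.append((invoice.invoice_number, "not approved"))
        return "rejected-not-approved"
    # Update goods received, then check whether the invoiced goods have actually arrived
    po.received_qty += goods_received_now
    if po.received_qty - po.paid_qty < invoice.quantity:
        return "held-goods-not-received"   # nothing paid; the PO stays in the open file
    # Pay through accounts payable
    ledger.payments.append((invoice.invoice_number, invoice.po_number, invoice.amount))
    po.paid_qty += invoice.quantity
    # Order complete -> file it in the closed POs; otherwise it stays open
    if po.is_complete():
        ledger.closed_pos[po.po_number] = ledger.open_pos.pop(po.po_number)
        return "paid-po-closed"
    return "paid-po-open"


def run_demo():
    """Constructed scenario: one PO for 100 units at 10.00 and a sequence of invoices."""
    ledger = Ledger()
    ledger.open_pos["PO-1215"] = PurchaseOrder("PO-1215", ordered_qty=100, unit_price=10.0)
    steps = [
        (Invoice("INV-1", "PO-1215", 60, 600.0), 60),   # goods for 60 arrive with it
        (Invoice("INV-1", "PO-1215", 60, 600.0), 0),    # the same invoice resubmitted
        (Invoice("INV-2", "PO-1215", 40, 500.0), 0),    # overpriced: 40 x 10.00 = 400
        (Invoice("INV-3", "PO-1215", 40, 400.0), 0),    # correct, but goods not yet received
        (Invoice("INV-3", "PO-1215", 40, 400.0), 40),   # goods arrive, now payable
        (Invoice("INV-4", "PO-1215", 10, 100.0), 0),    # PO already closed by then
    ]
    results = [process_invoice(ledger, inv, goods_received_now=qty) for inv, qty in steps]
    return results, ledger


if __name__ == "__main__":
    outcomes, book = run_demo()
    for (inv, _), outcome in zip(run_demo.__defaults__ or [], outcomes):
        pass
    print(outcomes)
    print("paid:", book.payments, "rejected:", book.rejected)
```

Each return value names the branch of the flowchart that the invoice took; the ledger afterwards shows the one PO moved from the open file to the closed file and the two payments that accounts payable actually made.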
This is a vertical program flowchart, how the program functions. Now, coming back to what we did yesterday, we did six sections of Saban's auxiliary act. And out of these, 404 comes again. 404 Saban's auxiliary act, we know what it said. It says that management is responsible for instituting a system of internal control.
Yes. And management is responsible to report whether the system is working efficiently and effectively. This is what we read in detail. in section 404 in our previous class then we also learned that public companies accounting oversight board it requires under as5 auditing standard 5 that now the auditor will conduct two audits simultaneously audit of financial statements and the audit of the system of internal control and then the auditor will express an opinion on both system of internal control and whether the financial statements are presenting fairly the state of affairs of the business right so this is what we read earlier an audit of internal control and for audit of financial statement they are integrated into one right so so so when these two audits are invest integrated they are all covered in the as5 we've already done it so this is just a revisiting of what we've already done now let us study something new here kosso cost of sponsoring organization of treadway commission it's a body that has been formed by five accounting bodies in the us jointly funded or supported by five entities let me write their name so you know aaa aicpa then i will explain then we have fei then we have ima your institution and then institute of internal auditors these are the five accounting bodies in the us a american accounting association american institute of certified public accountants financial executives international institute of management accountants cma what we are doing and the institute of internal these five bodies they have formed an entity called the COSO or the sponsoring organization of TREAD Wake Commission.
This entity has provided so much of guidelines to the management accountant, a professional accountant. Please remember this body is not a legal entity. It provides only the thought leadership. It provides you just the guidance, the guidelines.
Whatever you study under the COSO framework, it is for your guidance only. It does not have the force of the law. So you are going to study two items related to from COSO. One is for internal control, we are studying now. Another is the COSO risk management, which is studied in Section DCM in Part 2. That's all.
So now we are going to define internal control in a totally different way. Internal control defined by the COSO framework. COSO says that internal control does three things for us. ERC, everything really counts. It ensures efficient and efficient and effective operations, reliability of financial reporting, and compliance with the laws and regulations.
If you can remember the word, this mnemonic, everything really counts, ERC, you can define internal control as per COSO. Your choice, whether you want to use the management accountants' definition, IMA's, or you want to use this one. So COSO says internal control is a system effected by the entity's board of directors, management, and other personnel. Primarily, management is responsible for setting up a system of internal control, and this system provides us reasonable assurance, mind it, not absolute assurance. This is a keyword: reasonable assurance, not 100 percent assurance, regarding achievement of objectives in three dimensions. Efficient and effective operations: your operations are working efficiently, using minimal resources, and they are working as they should. Reliability of financial reporting: financial reporting means the information generated by the system is reliable. And finally, the regulations and laws are complied with, or they are adhered to. This is the role of internal controls: giving you a reasonable assurance that your operations are okay, efficient and effective, your financial reporting is reliable, and you are following laws and regulations. So you can define internal control this way; the easier way to memorize is this ERC. This classification, this definition, this model is widely accepted, and it is also followed by the American Institute of Certified Public Accountants, the body that governs CPA certification in the US. The COSO framework provides you these five interrelated components. It says internal control is composed of five components; we'll discuss these in detail. You can memorize these just like previously you memorized internal control through ERC.
You can also memorize these components of control environment by the word, the mnemonic CRIME. C here stands for control activities. R here stands for risk assessment. We'll discuss all these. I stands for information and communication.
M stands for monitoring and E stands here for environment. So these are the five interrelated components of the COSO model. We will discuss this in detail.
All is coming your way. Let us discuss this one by one: control activities, risk assessment, information and communication, monitoring and control environment. Let us first discuss the control environment, with E. What are we studying?
We are studying five interrelated components given by the COSO model. COSO says that... let me first take you directly to the main cube. COSO says that an organization can be viewed in the form of a cube, a cube with rows and columns. Remember ERC, this is it: efficiency and effectiveness of operations, reliability of financial reporting, and compliance with the laws and regulations. These items at the top, these are the overriding objectives. These are the overriding objectives.
Why do we have system of internal control? So that we can have efficient and effective operations, reliable financial information, and compliance with the laws and regulations. Agreed. Then the first front face you see, these are the components of internal controls.
We can memorize this with the word CRIME: monitoring, information and communication, control activities, risk assessment, and control environment. This is the foundation. That's why this is the first we're going to do. Control environment is the foundation of your whole system of internal controls.
Now, monitoring takes place at different levels within the organization. It takes place at the production floor, at the departmental level, at the senior management level, even at the board of directors. Information and communication affects every level of the organization. Control activities, different standard operating procedures, interact and play at every level of the organization. Risk assessment, the different types of risk the business is facing, is applicable to all levels within the organization. And the control environment also pervades every level of the organization. So you can see these three faces are interrelated: these are the overriding objectives of the system of internal control as per the COSO model, these are the components, and these are the different levels within the entity. Now coming back to the foundation of all of it: this is called the control environment. This is the first part, control environment, one of the components of the COSO framework. It is the foundation, it is the basis, and it provides the overall discipline and structure. You may argue that the control environment is basically the management operating style, management philosophy: how do they run the business? I'm sure you're working in different organizations.
You can sense this, you can feel the control environment, whether the environment in which you're working is a democratic system or is it a bureaucratic system, or is it a macho system, or is it a kamina system, or what kind of system it is, you can see, you can feel it. Control environment is the foundation over which the whole system of internal control is built. And this is present everywhere within the organization. And if your control environment is absent or inadequate or weak, your business is not going to sustain for long.
A strong control environment is essential, which defines who is responsible for what. Clearly defining responsibilities, clearly defining roles, performance requirements. This is the job of control environment.
Segregation of duties. So this is the function of control. This is the foundation over which the complete system of internal control will be built. The second element of the COSO framework is the risk assessment. Risk assessment means we regularly identify different types of risk we face, different events that might prevent the organization from achieving its objective, especially related to financial statement assertions.
Financial statement assertions mean our financial statements are complete, they are giving a true and fair view, they are complete in every material aspect. So whether the information is initiated, authorized, recorded and processed consistent with the financial statement assertions, from the accounting perspective. Otherwise, risk assessment is quite a broad concept.
The different risks that the organization faces, and these risks might prevent the organization from achieving its objective. Right. So financial statement assertions is a very detailed topic: when the external auditor comes, the management, when it presents the financial statements, is basically asserting that whatever you are seeing, auditors, it is complete, it is accurate, it is fairly representing the state of affairs, and then the auditor tests the assertions of the management and sees whether the information is really complete. So the risk assessment basically will identify the events which might hinder initiation, or might prevent authorization or record keeping, or, in other words, will prevent the financial statements from becoming reliable and true and fair. And in general, risk assessment means that we define different risks that an organization might face, and those may affect the organization in achieving its objectives. And then we have different activities, control activities: checks and balances, different procedures, reconciliations, independent checks, verifications. Right? So control activities are policies and procedures that will help ensure that management directives are carried out: written policies, written procedures. So whether your system is automated or manual, you need to have control activities. And we are going to discuss this in our next class, how control activities are taken, are done, and how they are performed by different departments in the organization.
Then the next component in the COSO framework is information and communication. Yes, this is important. People who are working, they should know what they're doing.
So this information system, communication system, will enable people to carry out their responsibilities, what they're supposed to do. So information and communication may involve software; it could be manual, it could be automated; it could include manuals, memoranda, emails, oral means, or even management action. So the way we communicate with our employees defines what they're responsible to do.
So communication is essential to let the employees know about their roles and responsibilities, to control them and to guide them. And finally, the last component of the COSO framework is monitoring.
Monitoring means we keep on assessing the quality of internal control over time because internal control set about 10 years ago may not be relevant now. Things change. So we keep on regularly assessing the effectiveness of internal control. We keep on monitoring them.
And if there are changes, we need to bring those changes into our internal control. So these are the five components of the COSO framework. We already discussed this: monitoring, information and communication, risk assessment, and control environment. They slice through every level within the organization, and both of these, the horizontal rows and vertical columns, are affected by the overriding objectives of the organization.
So you can see they're crisscrossing and they're interrelated. Objectives affect every level of the organization, affect every component, and these components slice through every level within the organization, and then you can see that they are all correlated and connected. Next: control environment provides you the organizational structure, defines the responsibilities, defines roles within the organization. Policies and procedures are part of your control procedures, control activities: written procedures, written policies, who is supposed to do what. Objectives and goal setting, objectives at the organizational level, objectives at the departmental level, they're all a part of it. In fact, we already discussed this, so there's a little more emphasis on control environment. Management philosophy and operating style: this is control environment. I told you the control environment will tell you what kind of organization you're working in. Ethical values come from the control environment, from the senior management. The sense of integrity comes from senior management. Who will do what, authority, responsibility, comes from the senior management.
So, control environment provides you the foundation over which the system of internal control is built and the organization functions. And all these are components of your control environment. Then, what is the role of the board of directors? The people at the top. They are the ones who are the governing authority.
They are the ones who are responsible for strategic direction setting and oversight. These people have a fiduciary duty to the shareholders. Fiduciary duty means the duty of trust and confidence, just like the duty of a lawyer towards his clients, a teacher to his students, a doctor to his patient. Fiduciary duty means duty of trust and confidence. Shareholders have appointed you as directors, so they are expecting that you will take decisions in their interest. And since these are not angels, they are human beings, you can expect them to take reasonable care; they cannot be 100% error-free. They're not infallible.
Only God is infallible. So what you should expect from them is reasonable care. We don't expect recklessness from them.
We expect reasonable care. They have duty of loyalty towards us. So these are some key important terms. They have fiduciary duty.
They should take reasonable care, not absolute care, because they're not infallible. They can make mistakes. But if they have made a mistake and we take them to the court of law, then there is this business judgment rule. This rule says: the directors have taken some decision, it has gone wrong; the director will not be personally liable if he acted in good faith, he was not motivated by fraud, and there was nothing illegal. If he acted in good faith, he was not committing any fraud, he didn't do anything illegal, then he is fine; he will be set free by the court of law. But if he didn't have good faith, or he was trying to defraud, or he was doing something illegal, then he will be booked under the law. Then the directors, the people at the top, what are the general duties they do? They select and remove the officers, the people at the top. Audit committee composition; appointment of the external and internal auditors. They are the ones who determine the capital structure through the finance committee: how much debt and equity should we have in our capital structure.
They are the ones who repeal bylaws, the articles of association, the internal constitution of the organization, how the business is run. They can add anything, amend or delete anything altogether. They are the ones who decide whether we should divest or whether we should merge with another business. Only when the directors declare the dividend does the dividend become a liability.
And they are the ones who set the compensation of the officers through the compensation committees. These are typical roles which we already discussed. This ends your Unit 17, and let's do a few questions to grasp the idea to a fuller extent.
There are three components to audit risk. Inherent risk, control risk, and detection risk. Yes.
What is inherent risk? Inherent risk is the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated. The auditor may give an inappropriate audit report.
This is audit risk, not inherent risk. Inherent risk is the risk that emerges because of the nature of the business or the nature of the account we are studying. So, the first one is audit risk.
What about B? The risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity's internal control structure, policies and procedures. This is the control risk. Your system is unable to detect problems that are there.
The risk that the auditor will not detect a material misstatement that exists in an assertion. This is the detection risk. The auditor is unable to detect that something is wrong.
Then what is inherent risk? It is the possibility of an assertion to material misstatement, assuming that there are no related internal control structures, policies and procedures. There is no... like you are running a goldsmith business or gold trading business, and there is no control, there is no check and balance. Things can go wrong because of the nature of the business. This is called inherent risk.
But from an audit perspective: the possibility of a management assertion (completeness, accuracy, the financial statements are okay) being wrong, assuming that there are no related internal controls. When there are no controls, things can go wrong by the nature of the business itself, by the nature of the objective. This is called the inherent risk: if there is no control, things can go wrong, and those things going wrong represent the inherent risk of the business. Next, I will explain this idea further, because this question was specifically from the point of view of the audit of inherent risk. The primary responsibility for establishing and maintaining internal control: who is primarily responsible for internal controls? Management, no doubt about that. Some account balances, such as those of pensions or leases, are the result of complex calculations. So inherent risk doesn't always mean the business is of this type, that the objectives of the business are a little complex; it could be that some accounts, like pensions and leases, involve some complex calculations, so there is a possibility of material misstatement in these types of accounts, because these accounts are inherently risky; they can contain some errors. So this is what you call the inherent risk: these accounts by nature may involve some material misstatement. This is what you call inherent risk from the point of view of audit. What we discussed, inherent risk, was the risk because of the nature of the objectives of the business; a business itself could be risky. Okay, moving on. The graphical portrayal of the flow of data and information processing of a system, including computer hardware, is best displayed in... yes, it is going to be either B or D. Information processing of a system including computer hardware means you're talking about an organization's system, and the information moves from left to right and there are different departments, so it's a system flowchart, not a program flowchart. Basic to a proper control environment.
Control environment means, I hope you remember, the basic management philosophy, operating style. This is control environment. Just a quick look.
This is control environment, people. Policies, procedures, organizational structure, segregation of duties, management philosophy, operating style. All these are part of your control environment.
Basic to a proper control environment are quality and integrity of personnel. You should hire good quality people who must perform the prescribed procedures. Which is not effective in providing competent personnel? We want to hire a competent person. Performance evaluation will help you by taking a competent person; hiring practices, you have a very high standard of hiring, so you will take in more competent people; training policies, training programs. So A, C and D are the options that will help you select the best person for the company, but segregation of duties doesn't give you any surety that you will get a competent person for your organization, or quality HR. Right? So performance evaluation, hiring practices, training programs, they will help you in assuring the quality and integrity of your staff members, but segregation of duties means just dividing your job into different roles so that there is no incompatibility of performance. Then, when management of the sales department has the opportunity to override the system of internal control of the accounting department: sales department and accounting department, they are separate. Sales department should not influence, should not direct or dictate to the accounting department. If it happens, like in the company I was working for, the sales department was headed by the owner's son; since he was powerful, he was able to poke his nose everywhere he wanted to.
If this is happening, there's a problem: not in risk management, not in information and communication. In fact, the problem is in the control environment.
Problem is in control environment because organizational structure is flawed. Sales department should have no interference in the accounting department. If it is happening, it means your control environment is weak.
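The override problem just described is what a segregation-of-duties check is meant to surface: one person holding a sales role and an accounting role at the same time. The script below is an added illustration, not code from the lecture or from any CMA material; the roles, duties, incompatible duty pairs and user assignments are constructed sample data modelled on the sales-versus-accounting anecdote above.

```python
"""Segregation-of-duties (SoD) conflict check.

Added illustration, not part of the lecture: the roles, duties, incompatible
pairs and users below are constructed sample data, modelled on the
sales-versus-accounting example in the text.
"""


# Constructed: which duties each application role grants.
ROLE_DUTIES = {
    "sales_rep":     {"create_customer_order"},
    "sales_manager": {"create_customer_order", "approve_credit_limit"},
    "ar_clerk":      {"post_customer_invoice", "record_cash_receipt"},
    "ar_supervisor": {"post_customer_invoice", "approve_credit_memo"},
    "gl_accountant": {"post_journal_entry", "run_bank_reconciliation"},
}

# Constructed: duty pairs that one person must never hold together, because
# each pair lets a single person both cause an error or fraud and conceal it.
INCOMPATIBLE = {
    frozenset({"create_customer_order", "post_customer_invoice"}),
    frozenset({"approve_credit_limit", "approve_credit_memo"}),
    frozenset({"record_cash_receipt", "run_bank_reconciliation"}),
    frozenset({"create_customer_order", "post_journal_entry"}),
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by every role a user holds."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(user_roles, role_duties=ROLE_DUTIES, incompatible=INCOMPATIBLE):
    """Map each user holding an incompatible duty pair to the sorted list of pairs.

    Users with no conflict are omitted, so an empty dict means the assignment
    is clean with respect to the given incompatibility matrix.
    """
    report = {}
    for user, roles in user_roles.items():
        duties = effective_duties(roles, role_duties)
        hits = sorted(tuple(sorted(pair)) for pair in incompatible if pair <= duties)
        if hits:
            report[user] = hits
    return report


# Constructed: role assignments. "dan" stands in for the owner's son in the
# anecdote, who holds a sales role plus accounting roles and can therefore
# override the accounting department's controls.
USER_ROLES = {
    "alice": ["sales_rep"],
    "bob":   ["ar_clerk"],
    "carol": ["gl_accountant"],
    "dan":   ["sales_manager", "ar_supervisor", "gl_accountant"],
}


if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_ROLES).items():
        for duty_a, duty_b in hits:
            print(f"SoD conflict: {user} holds both {duty_a} and {duty_b}")
```

Run against the constructed data, only "dan" is reported, with three incompatible pairs. The incompatibility matrix is the part an organization has to maintain deliberately; the check itself is cheap, and running it whenever roles change is one concrete form of the monitoring component.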
A director of the corporation is best characterized as: a director is not a trustee. He's not holding property in my name. He is a fiduciary.
A person having a relationship of mutual trust and confidence. Right. The organization is the principal, not the director. An agent? The director is not the agent, because they do not bind the company with their actions. So they are basically fiduciaries. One of the financial statement auditor's major concerns: the financial statement auditor's major concern is to ascertain whether the internal control is designed to provide reasonable assurance. I am the external auditor, so I am conducting a financial audit. So what am I interested in? Corporate morale problems, how happy the employees are? I don't care. As an auditor, do I care whether the employees are happy or not?
The chief accounting officer reviews all the transactions. This is not my duty to see whether the chief accounting officer reviews all transactions. Maybe he can't because he's too busy. Profit margins are maximized. I'm not conducting an operational audit to see whether the company is performing well or not.
So this is not my job. What my job is, as an external auditor, is whether the financial statements are reliable or not, or whether financial reporting is reliable or not, because I will base my opinion upon that. So this is what I will be concerned with as an auditor. Then: directors, management, external auditors, internal auditors, they all play important roles in creating proper control processes. Senior management, the CEO, is primarily responsible for what? Let us discuss. Implementing and monitoring controls designed by the board of directors? Not implementing; this is totally wrong. The board of directors does not design the system of internal controls. Overseeing the establishment, administration and assessment of the control processes.
What do you see? It makes sense. CEO, they oversee.
They do not design the right controls themselves, they oversee. Reviewing the reliability and integrity of financial and operational information. This review is conducted by the internal audit department regularly, ensuring that the external and internal auditors oversee the administration of system of risk management and control. This is totally wrong. Internal auditors and external auditors, they do not design, they do not draft, they do not implement any system of internal control.
They just report on them. So the correct answer is B. Which of the following is the control component that reflects the attitude and actions of the board and the management regarding the significance of control within the organization? Management's operating style, management philosophy: it is reflected in which component of the COSO framework? Control environment, absolutely right. Chilesa, you're right. Then a few more questions and we are done. The policies and procedures helping to ensure that management directives are executed and actions are taken to address risks to achievement of objectives are best described as... policies and procedures. They are not control environment, because they are different processes guiding people what to do. They are control activities.
Control environment itself provides the foundation. Control environment provides the basic framework over which the controls will function. So, policies, procedures, standard operating procedures, who should do what, these are part of control activities.
We will discuss this in our next class in detail. And organizations, directors, management, internal auditors, all have important roles in creating proper control environment. Senior management is primarily responsible for what?
I think we have already done it. Previously, it was overseeing, but maybe the options are a little different. Operating and monitoring controls: they oversee implementation and monitoring, but they don't implement themselves. Ensuring that external and internal auditors adequately monitor: this is wrong.
There is no such responsibility. Designing an operating control system, senior management doesn't design. In fact, it oversees.
Then what it does: it establishes a proper ethical culture, called the control environment, operating style, operating philosophy. And then the risk associated with the auditor failing to identify material misstatement in financial statements: there was something wrong, but the auditor was unable to detect it, so it is the detection risk, where the auditor is unable to detect. Unsystematic risk is the risk related to a particular company's operations; this is specifically related to your CMA Part 2, because risk is classified into systematic and unsystematic, and that's a completely different domain. Inherent risk is the risk emerging from the objective of the business or the type of business we are in. And control risk means there is a system of internal control, but the system is not working, is not identifying problems; that's control risk. So guys, that completes your Unit 17 and the topic risk and internal controls.
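The quiz questions above name the three components of audit risk but not how they fit together. As an added worked example, not from the lecture, the block below uses the standard audit risk model, AR = IR x CR x DR (an assumption the lecture does not state), to show how the auditor's assessment of inherent and control risk drives the detection risk the substantive testing has to achieve. The numbers are constructed.

```python
"""Audit risk model: a worked example added here, not from the lecture.

The lecture names the three components of audit risk. The standard model that
relates them (assumed here; the lecture does not state it) is

    AR = IR * CR * DR

where AR is the audit risk the auditor is willing to accept, IR the inherent
risk and CR the control risk the auditor assesses, and DR the detection risk
the substantive procedures must then achieve. Numbers below are constructed.
"""


def _check_risk(name, value):
    """Risks are probabilities; reject anything outside (0, 1]."""
    if not 0 < value <= 1:
        raise ValueError(f"{name} must be in (0, 1], got {value!r}")


def audit_risk(inherent, control, detection):
    """Overall audit risk implied by the three component risks."""
    _check_risk("inherent risk", inherent)
    _check_risk("control risk", control)
    _check_risk("detection risk", detection)
    return inherent * control * detection


def planned_detection_risk(acceptable_audit_risk, inherent, control):
    """Detection risk the auditor can tolerate for a given AR, IR and CR.

    A value near 1.0 means little substantive testing is needed; a small value
    means the auditor must test far more. The result is capped at 1.0, since a
    risk above certainty is meaningless.
    """
    _check_risk("acceptable audit risk", acceptable_audit_risk)
    _check_risk("inherent risk", inherent)
    _check_risk("control risk", control)
    return min(1.0, acceptable_audit_risk / (inherent * control))


def detection_risk_with_and_without_controls(acceptable_audit_risk, inherent, control_assessed):
    """Compare the DR allowed when relying on assessed controls with the DR
    allowed when the auditor does not rely on controls at all (CR = 1.0).

    Returns (dr_relying, dr_not_relying). The gap is why a weak control
    environment forces the auditor into more substantive work.
    """
    return (
        planned_detection_risk(acceptable_audit_risk, inherent, control_assessed),
        planned_detection_risk(acceptable_audit_risk, inherent, 1.0),
    )


if __name__ == "__main__":
    # Constructed scenario: a pension liability (complex calculation, so IR is
    # high), controls assessed as moderately effective, AR set at 5 percent.
    AR, IR, CR = 0.05, 0.80, 0.50
    relying, not_relying = detection_risk_with_and_without_controls(AR, IR, CR)
    print(f"DR allowed relying on controls:      {relying:.4f}")
    print(f"DR allowed without control reliance: {not_relying:.4f}")
    print(f"Check: IR*CR*DR = {audit_risk(IR, CR, relying):.4f}")
```

With the constructed figures the auditor may tolerate a detection risk of 0.125 when relying on the assessed controls, but only 0.0625 when not relying on them, which is the quantitative form of the point made in the quiz: the weaker the control risk assessment, the less the auditor can leave undetected.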