ACCA P1 Governance, Risk and Ethics - 2010 - Study text

Подождите немного. Документ загружается.

Chapter 9: Internal control, audit and compliance

Reporting to shareholders on internal control

 The requirement to report to the shareholders on internal control

 The content of a board report on internal control

 Summary: maintaining a sound system of internal control

 Internal control: information systems and technology

4 Reporting to shareholders on internal control

4.1 The requirement to report to the shareholders on internal control

A system of good corporate governance should include a requirement for the board

of directors to report to shareholders on internal control and the effectiveness of the

internal control system. The board is responsible for ensuring that a sound system

of internal control is maintained, and it should be required to account to the

shareholders to explain how they have fulfilled this responsibility.

However, the specific requirements for reporting to shareholders vary between

different countries.

 In the US, the annual report of stock market companies must include a statement

on internal control that includes an assessment of the effectiveness of the internal

control system and procedures for financial reporting. The internal control

report relates to financial controls only (not operational controls or non-financial

compliance controls), but it must provide an evaluation of those controls. Any

material weaknesses in financial controls must be disclosed.

 In Singapore, the board is required to ensure that an annual review is conducted

into the effectiveness of the internal control and risk management system, but

the board is required to report to the shareholders on the adequacy of the

control system (not its effectiveness or weaknesses).

 In the UK, listed companies are required to conduct a review of the effectiveness

of the system of internal controls and report to the shareholders that they have

conducted such a review. The board is not required to provide detailed

information about the review, and so is not required to provide shareholders

with an assessment of its effectiveness.

There are several reasons why the reporting requirements in the UK and Singapore

differ from the regulations in the US.

 The main argument is cost. To comply with the requirements of section 404 of

the Sarbanes-Oxley Act requires a large amount of management time, and the

costs of compliance are high. It has been suggested that the requirements of

section 404 help to explain the preference of many foreign companies for seeking

a listing for their shares in London (where the principles-based requirements are

much less strict) rather than listing in New York.

 Supporters of the principles-based approach in the UK (and critics of the rules-

based approach in the US) argue that the board of directors should have

Paper P1: Professional accountant

206 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP

freedom to decide what it is appropriate to report to shareholders. The US

approach is based on compliance with detailed procedures and a ‘box-ticking’

mentality.

 The Sarbanes-Oxley report on internal control relates to financial controls and

financial reporting only, not to operational controls and compliance controls. It

has been argued that it is difficult to assess the ‘effectiveness’ of operational

controls, because there is no objective standard for what these controls should

achieve.

 Critics of the US regulations argue that there is an expectations gap, which is the

difference between the real situation and what investors expect. If the board of

directors made a statement that it was satisfied with the effectiveness of internal

controls, investors might expect that nothing can go wrong and there are no

risks that have not been controlled. This expectation would be incorrect.

 It is also argued that if the board has to make a report to shareholders on the

effectiveness of internal controls, the directors would want to avoid any personal

liability for incorrect statements. As a consequence, board statements would be

written in ‘legal language’ with the assistance of the company’s lawyers, and

would not contain any information of value to shareholders.

4.2 The content of a board report on internal control

The report by the board of directors to shareholders on internal control should be

included in the company’s annual report.

In the UK, guidance on the content of this statement is provided by the Turnbull

Report.

 The report to shareholders should provide ‘meaningful, high-level’ information

that the board considers necessary, so that shareholders are able to understand

the main features of the company’s risk management processes and system of

internal control. The information provided should not give a misleading

impression.

 In its report, the board should disclose that:

- there is an ongoing process for identifying, evaluating and managing

significant risks faced by the company

- the system has been in place for the entire year under review and up to the

date that the annual report and accounts were approved by the board

- the system is regularly reviewed by the board, and

- the system is consistent with the guidance given in the Turnbull Report.

 The report should include a statement by the board that it is responsible or the

company’s system of control and for reviewing its effectiveness.

 The report should also state that the system of internal control is designed to

manage risk rather than to eliminate the risk of failure to achieve business

objectives. The internal control system can therefore only ‘provide reasonable

and not absolute assurance against material misstatement or loss.’

The information provided to shareholders does not need to go into details about

controls and control processes. ‘High-level’ information is sufficient.

Chapter 9: Internal control, audit and compliance

The Turnbull Report also states that in the report to shareholders, the board should:

 Summarise the process it has used, or board committees have used, to review

the effectiveness of the system of internal control. (The board of directors is not

required to provide detailed information about the processes it has used, only a

summary.)

 Confirm that action has been taken to remedy any significant weaknesses or

failings that were found in the system as a result of the review.

 Disclose the process it has used for dealing with the internal control aspects of

any significant problems revealed in the annual report and accounts.

If the board has failed to conduct a review of the effectiveness of internal control

and risk management, a UK listed company must disclose this fact in its annual

report. (This regulation exists because of the ‘comply or explain’ requirement in the

UK Listing Rules.)

Example: Risk management and internal control report to shareholders

It would be a useful exercise for you to read one or two internal control reports in

company accounts. You can find these by visiting company web sites on the internet

and looking for the most recent annual report and accounts.

A good example of a report, and the level of detail provided, is shown below. It

comes from the 2006 report and accounts of Tesco plc (reproduced with kind

permission). The level of detail in this report is fairly typical of similar reports by

other large listed companies.

‘Risk management and internal control

Accountabilities. Accepting that risk is an inherent part of doing business, our risk

management system is designed to both encourage entrepreneurial spirit whilst also

providing assurance that risk is understood and managed. In terms of broad

accountabilities, the Board has overall responsibility for risk management and

internal control within the context of achieving the Group’s objectives. Executive

management is responsible for defining and maintaining the necessary control

systems. The role of Internal Audit is to monitor the overall system and report on its

effectiveness.

Background. The Group has a five-year rolling business plan to support the

delivery of the Company’s strategy of long-term growth in returns for shareholders.

Every business units and support function derives its objectives from the five-year

plan and these are cascaded to managers and staff by way of personal objectives.

Key to delivering effective risk management is ensuring that our people have a

good understanding of the Group’s strategy and our policies, procedures, values

and expected performance. We have a structured internal communications

programme that provides employees with a clear definition of the Group’s purpose,

goals and accountabilities, and the scope of permitted activities for each unit, line

managers and individuals. This ensures that all our people understand what is

expected of them and that decision-making takes place at the appropriate level….

Paper P1: Professional accountant

208 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP

Risk management. The Board maintains a Key Risk Register which we review

formally twice a year. The register is populated with risks identified through

discussions principally between the Head of Internal Audit and the Board of

Directors although the views of senior management are also invited. Collectively,

the Board conducts an assessment of risk severity, considering impact and

likelihood and the adequacy of mitigating measures taken by the business….

Our key risks are set out [in the operating review]….

Internal controls. Accountability for managing risk at an operational level sits with

management. We have a Group-wide process for establishing clearly the risks and

responsibilities assigned to each level of management and the expected controls

required to be operated and monitored….

Monitoring. The Board oversees the monitoring system and has set specific

responsibilities for itself and Board or Executive Committees…. The Audit, Finance,

Compliance and Corporate Responsibility Committees’ reports are distributed to

the Board and a formal discussion on each is held at least once a year. These all

provide assurance that the Group is operating legally, ethically and in accordance

with approved financial and operational policies. We continue to review how the

Turnbull Guidance has been applied. In addition, internal and external audit play

key roles in the monitoring process.

 Audit Committee. Annually, the Audit Committee reports to the Board on its

review of the effectiveness of the internal control systems for the accounting

year…. Throughout the year, the Committee also receives regular reports from

the internal and external auditors and has dialogue with senior managers on

their control responsibilities.

It should be understood that such systems are designed to provide reasonable,

but not absolute, assurance against material misstatement or loss.

 Internal Audit. The Internal Audit department is fully independent of business

operations and has a Group-wide mandate. It operates a risk-based

methodology ensuring that the Group’s key risks receive appropriate regular

examination. Its responsibilities also include maintaining the Key Risk Register

and facilitating risk management and internal control with the Board, Audit

Committee and senior management throughout the Group. Internal Audit

facilitates oversight of risk and control systems of Group companies though a

number of risk committees established on either a geographic or business basis.

The Head of Internal Audit also attends all Audit Committee meetings….’

4.3 Summary: maintaining a sound system of internal control

The responsibility of the board of directors for maintaining a sound system of

internal control, as suggested by the Turnbull Guidance, can be summarised as

follows.

Chapter 9: Internal control, audit and compliance

Internal control activities

Responsibilities: the

board, management

and other employees

The Board sets policies on internal control. It

should obtain regular assurance from management

that the system is effective.

Management should implement board policies on

risk and control. Management should identify and

evaluate risks, and report these to the board for

consideration by the board. Management should

design, operate and monitor the system of internal

control, and report regularly to the board.

Employees should consider internal control as part

of their responsibility for achieving business

objectives.

Key elements

 Control

environment

 Risk assessment

 Internal controls

 Information and

communication

 Monitoring

(A sound system of

internal control reduces

risk, but cannot

eliminate it -

unavoidable risks occur

from poor judgement,

human error,

management override

and unforeseeable

circumstances.)

Internal control consists of the policies, processes,

tasks and behaviour that, taken together:

 enable the company to respond to the risks

business, operational, financial and

compliance risks (and other risks) to the

achievement of its business objectives. These

include business, operational, financial and

compliance risks.

 safeguard assets from misuse, loss and fraud

 help to ensure the quality of internal and

external reporting

 help to ensure compliance with laws and

regulations and with the company’s internal

policies for the conduct of business.

Reviewing

effectiveness

• Regular reports from

management to the

board.

• Also an annual

assessment should be

made each year by

the board.

Monitoring risks and controls on a continuous

basis is essential for a sound system of internal

control. The board should receive and review

reports on internal control regularly. In addition,

there should be an annual assessment. The board

should define the process to be used. Management

is accountable to the board for monitoring the

control system.

Paper P1: Professional accountant

210 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP

Internal control activities

The Board statement to

shareholders (in the

annual report)

The board should state that there is an ongoing

process for identifying, evaluating and managing

significant risks, that this process is reviewed

regularly by the board and accords with the

Turnbull Guidance.

4.4 Internal control: information systems and technology

Providing information to management and the board of directors is an essential part

of a system for monitoring internal control and risk management. The Turnbull

Guidance states that management and the board should receive ‘timely, relevant

and reliable reports on progress against business objectives and the related risks’.

The Guidance does not specify in any detail how frequently reports should be

obtained and what they should contain. The frequency and content of reports will

differ according to the size, nature and complexity of the business.

 Timeliness. A company should have a policy about the timeliness of reports on

risk and control. As a general rule, when significant weaknesses or failings on

control are discovered, these should be reported to senior management and (by

senior management) to the board as quickly as possible. Other reports on risk

might be less urgent: for example, reports to management on risk might be

provided after each meeting of a risk committee, which might meet every

month. Reports to the board might be submitted by management every three

months, or possibly more frequently (at every meeting of the board).

 Reliability. The information provided about risks should be reliable. The

processes for identifying and monitoring risks should therefore be effective, so

that management and the board of directors receive accurate assessments of

risks and controls.

Reports on internal control and risk management should be formal reports to the

managers responsible and the members of the board of directors. Unlike many

management information systems, where information is made available on demand

and online to management, internal control and risk management reports should be

provided in a printed form as part of a regular and continuing process.

This is to make sure that relevant information about risks and internal control are

brought to the attention of management, and the manager (or board director)

responsible cannot claim that he (or she) does not know.

Whistle blowing

An effective system of internal control and risk management should provide a

channel of communication for ‘whistle blowers’ to report their concerns about

breaches of the law or other regulations. For example, a company might give

employees to report their concerns to a board committee (such as the audit

committee) or to the senior independent director.

Chapter 9: Internal control, audit and compliance

The purpose of providing a channel of communication for whistle blowers is to

allow information about failings in internal control to be reported when it might

otherwise be suppressed by managers responsible for the failing (for example, a

fraud).

A problem with providing a communication channel for whistle blowers to the

board of directors is that some of the information provided might be unreliable. An

employee might make false accusations against a manager.

The committee or individual responsible for dealing with information from whistle

blowers should investigate the allegations with tact and care. It might be possible to

establish the truth of the allegations quickly, and then take action. Alternatively, it

might be necessary to suspend the individuals who are accused, ‘pending further

investigations’.

Paper P1: Professional accountant

Paper P1

ProfessionalAccountant

CHAPTER

Identifying and assessing risk

Contents

1 Risk and risk management

2 Categories of risk

3 Concepts in risk management

4 Identification, assessment and measurement of

risk

Paper P1: Professional accountant

Risk and risk management

 The nature of risk

 The nature of risk management

 Responsibilities for risk management

 Elements of a risk management system

1 Risk and risk management

1.1 The nature of risk

Risk is usually associated with the possibility that things might go wrong, that

events might turn out worse than expected or that something bad might happen.

However, risk has a broader meaning. Risk exists whenever a future outcome or

future event cannot be predicted with certainty, and a range of different possible

outcomes or events might occur.

Risks can be divided into two categories:

 pure risks

 speculative risks.

Pure risk (downside risk)

Pure risk, also called downside risk, is a risk where there is a possibility that an

adverse event will occur. Events might turn out to be worse than expected, but they

cannot be better than expected.

For example, there might be a safety risk that employees could be injured by an item

of machinery. This is a pure risk, because the expectation is that no-one will be

injured but a possibility does exist.

Similarly, there might be a risk for a company that key workers will go on strike and

the company will be unable to provide its goods or services to customers. This is a

pure risk, because the expected outcome is ‘no strike’ but the possibility of a strike

does exist.

Speculative risk (two-way risk)

Speculative risk, also called two-way risk, exists when the actual future event or

outcome might be either better or worse than expected.

 An investor in shares is exposed to a speculative risk, because the market price

of the shares might go up or down. The investor will gain if prices go up and

suffer a loss if prices go down.

ACCA P1 Governance, Risk and Ethics - 2010 - Study text - Emile Woolf Publishing

Подождите немного. Документ загружается.