RISK MANAGEMENT DEFINED

Risk management is the process of measuring or assessing risk and developing strategies to
manage it. Risk management is a systematic approach in identifying, analyzing and controlling
areas or events with a potential for causing unwanted change. Risk management is the act or
practice of controlling risk. It includes risk planning, assessing risk areas, developing risk
handling options, monitoring risks to determine how risks have changed and documenting
overall risk management program.

BASIC PRINCIPLES OF RISK MANAGEMENT

Risk Management 165

The International Organization of Standardization (ISO) identifies the basic principles of risk
management.

Risk management should:

1. Create value resources spent to mitigate risk should be less than the consequence of
inaction, i.e., the benefits should exceed the costs

2. Address uncertainty and assumptions

3. Be an integral part of the organizational processes and decision-making

4. Be dynamic, iterative, transparent, tailorable, and responsive to change

 5. Create capability of continual improvement and enhancement considering

The best available information and human factors

6. Be systematic, structured and continually or periodically reassessed

PROCESS OF RISK MANAGEMENT

According to the Standard ISO 31000 “Risk management Principles and Guidelines on
Implementation, “the process of risk management consists of several steps as follows:

1. Establishing the Context. This will involve

a. Identification of risk in a selected domain of interest

b. Planning the remainder of the process.

c. Mapping out the following:

i. The social scope of risk management

ii. the identity and objectives of stakeholders

the basis upon which risks will be evaluated, constraints.

d. Defining a framework for the activity and an agenda for identification.

 e. Developing an analysis of risks involved in the process.

f. Mitigation or Solution of risks using available technological, human and

organizational resources.

2. Identification of potential risks. Risk identification can start with the analysis of the
source of problem or with the analysis of the problem itself. Common risk identification
methods are:

A. Objective-based risk

b. Scenario-based risk

c. Taxanomy-based risk

d. Common-risk checking

e. Risk charting

3. Risk assessment. Once risks have been identified, their potential severity of impact and
the probability of occurrence must be assessed. The assessment process is critical to make
the best educated decisions in prioritizing the implementation of the risk management
plan.

ELEMENTS OF RISK MANAGEMENT

For the most part, the performance of assessment methods should consist of the following
elements:

1. Identification, characterization, and assessment of threats

2. Assessment of the vulnerability of critical assets to specific threats

3. Determination of the risk (i.e. the expected likelihood and consequences of specific types
of attacks on specific assets)

4. Identification of ways to reduce those risks

5. Prioritization of risk reduction measures based on a strategy

I. Risks Associated With Investments

Although a single risk premium must compensate the investor for all the uncertainty
associated with the investment, numerous factors may contribute to investment uncertainty.
The factors usually considered with respect to investments are business risk

Financial risk

Liquidity risk

Default risk
Interest rate risk

Management risk

Purchasing power risk.

II. Risks Associated With Manufacturing, Trading And Service Concerns

A. Market Risk

Product Risk

O Complexity Obsolescence

0 Research and Development

O Packaging

O Delivery of Warranties

Competitor Risk

• Pricing Strategy

O Market Share
O Market Strategy

B. Operations Risk

Process Stoppage Health and Safety

After Sales Service Failure

Environmental

Technological Obsolescence

Integrity

• Management Fraud

O Employee Fraud

• Illegal Acts

C. Financial Risk

Interest Rates Volatility

Foreign Currency

Liquidity Derivative
Viability

D Business Risk

Regulatory Change

Reputation

Political

Regulatory and Legal

Shareholder Relations

Credit Rating

Capital Availability

Business Interruptions

POTENTIAL RISK TREATMENTS

ISO 31000 also suggests that once risks have been identified and assessed, techniques to
manage the risks should be applied. These techniques can fall into one or more of these four
categories:

Avoidance
Reduction

Sharing

Retention

AREAS OF RISK MANAGEMENT

Risk Management 173

As applied to corporate finance, risk management is the technique for measuring, monitoring
and controlling the financial or operational risk on a firm’s balance sheet.

The Basel II framework breaks risks into market risk (price risk), credit risk and operational
risk and also specifies methods for calculating capital requirements for each of these
components.

1. Enterprise risk management

2. Risk management activities as applied to project management

4. Risk management for megaprojects

5. Risk management of information technology

6. Risk management techniques in petroleum and natural gas

SEC Requirement Relative to Enterprise Risk Management of Publicly- Listed Corporation

SEC Code of Governance Recommendations 2.11 and corresponding explanation provide the
following

“The Board should oversee that a sound enterprise risk management (ERM)

Framework is in place to effectively identify, monitor, assess and manage key

Business risks. The risk management framework should guide the Board in identifying
units/business lines and enterprise-level risk exposures, as well as the effectiveness of risk
management strategies.

RISK MANAGEMENT FRAMEWORK

The Board should oversee that a sound enterprise risk management (ERM) framework is in place
to effectively identify, monitor, assess and manage key business risks. The risk management
framework should guide the Board in identifying units/business lines and enterprise-level risk
exposures, as well as the effectiveness of risk management strategies.

STEPS IN THE RISK MANAGEMENT PROCESS

To enhance management’s competence in their oversight role on risk management the following
steps may be followed:

1. Set up a separate risk management committee chaired by a board member.

• Creation of a risk management committee as board level will demonstrate the firm’s
commitment to adopt an integrated company-wide risk management system

2. Ensure that a formal comprehensive risk management system is in place. This fully
documented formal system will provide a clear vision of the board’s desire for an
effective company-wide risk management as well as awareness of the risks, internal and
external, that the company faces.

3. Assess whether the formal system possesses the necessary elements.

The key elements that the company-wide risk management system should possess are

a) Goals and objectives

b) Risk language identification

c) Organization structure and

d) The risk management process documentation.

The risk organizational structure should include formal charters, levels of authorization reporting
lines and job description.

The risk management process shall include the following steps:

a) Assessment risks: Identification; Determination of their

Source, b) Development actions plans: Reduce, avoid, retain, transfer or exploit

b) Implementation of action plans

c) Monitoring and reporting risk management performance.

d) Continuous improvement risk management capabilities.

176 Chapter 11

4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive
risks faced by the business firm.

Risk assessment step which includes risks identification and determination of their sources and
measurement, represents the foundation for the rest of the procedures. This step is performed by
responsible managers, i.e., finance officers, production managers marketing managers and
human resource managers.

This process culminates in the presentation of the risk profile or risk map to the board of
directors.
5. Assess if management has developed and implemented the suitable risk management
strategies and evaluate their effectiveness.

The risk profile highlights all the significant possible risks identified, prioritized and measured
by the risk management system.

Strategies are developed to manage and resolve these identified risks. These will include the
process, people, management feedback methodologies and systems.
Strategies may include avoidance, reduction, transfer, exploitation and retention of risks.

6. Evaluate if management has designed and implemented risk management capabilities.

Directors must continue to monitor and assess if management has been implementing designed
risk management capabilities.

Risk management capabilities include processes, people, reports, methodologies and

technologies needed. These components should be complete, and aligned for the risk
management structure to function effectively.

7. Assess management’s efforts to monitor overall company risk management performance

and to improve continuously the firm's

Capabilities.

Risk management performance must be monitored on a continuing basis and organization must
be ready to innovate their approaches to be in line with the changing lines.

Risk Management 177

Monitoring is done by all concerned parties such as senior managers, process owners and risk
owners.

An independent reviewer can also be appointed to validate results.

8. See to it that best practices as well as mistakes are shared by all. This involves regular
communication of results and feedbacks to all concerned.
These should be an open communication channel to ensure that all risk management participant
particularly senior management, are informed of risk incidents or threat of risk incident. This will
go a long way towards attaining the company’s risk management vision.

9. Assess regularly the level of sophistication of the firm’s risk management system.

10. Hire experts when needed.

Chapter 11: Practical Guidelines in managing and reducing business risk

UNDERSTAND THE NATURE OF RISK

The willingness and readiness to take personal and financial risks is a defining characteristic of
the entrepreneurial decision-maker. In late 90’s, a study commissioned by an internationally-
known accounting firm found that while in continental Europe strategies focus on avoiding and
hedging risk, Anglo- American companies view risk as an opportunity and accept risk
management as necessary to achieving their goals. In 2017, this relative attitude to risk among
European and US companies remains broadly the same, the result of long- standing cultural
experiences and history as well as recent events.

Successful businessmen and decision-makers make sure that the risks resulting from their
decisions are measured, understood and as far as possible eliminated. They also go beyond the
direct financial perspective and actively manage risk as it affects the whole organization..

Accepting that risks exist is a starting point for the other actions needed, but the most important
is to create the right climate for risk management. People need to understand why control
systems are needed; this requires communication and leadership skills so that standards and
expectation are set and clearly understood.

IDENTIFY AND PRIORITIZE RISKS

Identification of significant risks both within and outside the organization is crucial and allows to
make informed decisions. This makes it easier to avoid unnecessary surprises. Examples of
significant risks might be the loss of a major customer, the failure of a key supplier or the
appearance of a significant competitor.

CONSIDER THE ACCEPTABLE LEVEL OF RISK

As earlier mentioned, the usual first step is to determine the nature and extent of the risks the
business will accept. This involves assessing the likelihood of risks becoming reality and the
effect they would have if they did. Only when this is understood can measures be taken to
minimize the incidence and impact of such risks.

There is also an opportunity cost associated with risk: avoiding a risk may mean avoiding a
potentially big opportunity. People can be too cautious and risk averse even though they are often
at their best when facing the pressure of risk deciding to take a more audacious approach.
Sometimes the greatest risk is to do nothing.

UNDERSTAND WHY RISKS BECOME REALITY

Once risks are identified they can be ranked according to their potential impact and the
likelihood of them occurring. This helps to highlight not only where things might go wrong and
what their impact would be, but also how, why and where these catalysts might be triggered. The
five most significant types of risk catalyst are as follows:

Technology. New hardware, software or system configurations can trigger risks, as can new
demands on existing information systems and technology. In early 2010, Metro Manila
Development Authority Chair introduced a congestion change for traffic using the centre of the
city; the greatest threat to the scheme’s success (and his tenure as chair) was posed by the use of
new technology. It worked and the scheme was widely seen as a success.

Organizational change. Risks are triggered by, for example, new management structures or
reporting lines, new strategies and commercial agreements (including mergers, agency or
distribution agreements).
Processes. New products, markets and acquisitions all cause change and can trigger risks. The
disastrous launch of “New Coke” by Coca-Cola was an even bigger risk than anyone at the
company had realized; it outraged Americans who felt angry that an iconic US product was being
changed. That Coca-Cola eventually turned the situation to its advantage shows that risk can be
managed and controlled, but such success is rare.

People. Hiring new employees, losing key people, poor succession planning, or weak people
management can all create dislocation, but the main danger is behavior: everything from laziness
to fraud, exhaustion and simple human error can trigger this risk.

External factors. Changes to regulation and political, economic or social developments can all
affect strategic decisions by bringing to the surface risks that may have lain hidden. The
economic disruption caused by the sudden spread of the SARS epidemic from China to the rest
of Asia in 2003 highlights this risk.

APPLY A SIMPLE RISK MANAGEMENT PROCESS

The stages of managing the enterprise-wide risk inherent in decisions are simple.

First, assess and analyze the risks resulting from a decision by systematically identifying and
quantifying them.

Second, consider how best to avoid or mitigate them.

Third, in parallel with the second stage, take action to manage control and monitor the risks.

A. Risk Assessment and Analysis

It is more difficult to assess the risks inherent in a business decision than to identify them. Risks
that lead to frequent losses, such as an increasing incidence of employee-related problems or
difficulties with suppliers, can often be solved using past experience. Unusual or infrequent
losses are harder to quantify. Risks with little likelihood of occurring in the next in the next five
years are not important to a company focused on meeting shareholders’ shorter-term
expectations. Thus, it is sensible to quantify the potential consequences of identified risks and
then define courses of action to remove or mitigate them.

Each category of risk can be mapped in terms of both likely frequency and potential impact, with
the potential consequences being ranked on a scale ranging from inconvenient to catastrophic
(see Figure 12.1).

Practical Guidelines in Reducing and Managing Business Risks

185

B. Risk Management and Control

Risk should be actively managed and given a high priority across the whole organization. Risk
management procedures and techniques should be well documented, clearly communicated,
regularly reviewed and monitored. To successfully manage risks, you have to know what they
are, what factors affect them and their potential impact.

If you plot the ability to control a risk against its potential impact, as shown in Figure 12.1, you
can decide on actions either to exercise greater control over the risk or to mitigate its potential
impact. Risks falling into the top-right quadrant require urgent action, but those in the bottom-
right quadrant (total/significant control, major/critical impact) should not be ignored because
complacency, mistakes and a lack of control can turn the risk into a reality.

Avoiding and Mitigating Risks

Start by reducing or eliminating those risks that result only in costs: the non-trading risks. These
can be thought of as the fixed costs of risk and might include property damage risks, legal and
contractual liabilities and business interruption risks. Reducing these risks can be achieved
through quality assurance programs, environmental control processes, enforcing health and
safety regulations, installing accident prevention and emergency equipment and training people
to use it, and taking security measures to prevent crime, sabotage, espionage, and threats to
people and systems. Reducing a risk may also mean that the cost of insuring against it goes
down.

Risks can be reduced or mitigated by sharing them. For example, acceptable service agreements
from vendors are essential to reducing risk. Joint ventures, licensing and agency agreements can
also be used to mitigate risk. To reduce the chances of things going wrong, focus on the quality
of what people do doing the right things right reduces risks and costs.

Risk management relies on accurate, timely information. Management information systems

should provide details of the likely areas of risk, and the information needed to control the risks.
This information must reach the right people at the right time so that they can investigate and
take corrective action.

Create a Positive Climate for Managing Risk

Recognizing the need to manage. Risk is not enough. The ethos of an organization should
recognize and reward behavior that manages risk. This requires a commitment by senior
managers and the resources (including training) to match. Too often, control systems are seen
only as an additional overhead and not as something that can add value by ensuring the effective
use of assets, the avoidance of waste and the success of key decisions.

Overcoming the Fear of Risk

Everyone accepts that taking risks is needed to keep ahead of the competition. Consequently,
employees need to understand better what the real risks are, to share responsibility for the risks
being taken and to see risk as an opportunity, not a threat. Understanding how organizations
manage risk effectively is important, but managing risk is only one possible strategy. Another
approach is to look for ways to use the risk to achieve success by adding value or outstripping
competitors – or both. To do this, organizations need to stop taking the fun out of risk by
controlling it in ways that are perceived as bureaucratic and stifling. Risk is both desirable and
necessary. It provides opportunities to learn and develop and compels people to improve and
effectively meet the challenge of change.

C. Controlling and Monitoring Enterprise-Wide Risk

The following questions when answered truthfully and positively will assist managers in
deciding how to manage the risks that confront the business enterprise.

O Where are the greatest areas of risk relating to the most significant strategic decisions?

O What level of risk is acceptable for the company to bear?

What are the potentially disclosing events that could inflict the greatest damage on your
organization?

What are the risks inherent in the organization’s strategic decisions, and what is the
organization’s ability to reduce their incidence and impact on the business?

What is the overall level of exposure to risk? Has this been assessed and is it being actively
monitored?

What are the costs and benefits of operating effective risk management controls?

What review procedures are in place to monitor risks?

Are the risks inherent in strategic decisions (such as acquiring a new business, developing a new
product or entering a new market) adequately understood?
O At what level in the organization are the risks understood and actively managed? Do people
fully realize the potential consequences of their actions, and are they equipped to understand,
avoid, control or mitigate risk?

O To what extent would be company be exposed if key staff left?

O If there have been major developments (such as a new management structure or reporting
arrangements), are the new responsibilities understood and accepted?

O Are management information systems keeping pace with demands? Are there persistent black
spots priority areas where the system needs to be improved or overhauled?

O Do employees resent risk, or are they encouraged to view certain risks as opportunities?

PRACTICAL CONSIDERATIONS IN MANAGING AND REDUCING FINANCIAL RISK

Finance is the lifeblood of a business, heavily influencing strategies and decisions at every level.

Many managers find it difficult to get to grips with financial issues and, as the 2008 global
financial crisis revealed, many lost touch with basic financial ground rules.

Profitability, cash flow, long-term shareholder value and risk all need to be considered when
setting and reviewing strategy. This section provides practical guidance about financial decisions
and explains how to:

Improve profitability;

Avoid pitfalls in making financial decisions;

Reduce financial risk.

• Improving Profitability

Entrepreneurial flair and financial rigour are as much about attitude as skill. Nonetheless, certain
skills will ensure that decisions are focused on commercial success.

A. Variance Analysis

189

Interpreting the differences between actual and planned performance is crucial. Variance analysis
is used to monitor and manage the results of past decisions, assess the current situation and
highlight solutions.

Common causes of variances include inefficiency, poor or flawed planning (for example, relying
on historically inaccurate information), poor communication, interdependence between
departments and random factors. Every business should use variance analysis but in a practical
and pragmatic and cost-effective way.

B. Assessment of Market Entry and Exit Barriers

How easy or difficult it is to either enter or leave a market is crucial in strategic decision-making.
Entry barriers include the need to compete with businesses that enjoy economies of scale, or
established differentiated products.

Other barriers include capital requirements, access to distribution channels, factors independent
of scale (such as technology or location) and regulatory requirements. When markets are difficult
or costly for competitors to enter and relatively easy and affordable to leave, firms can achieve
high, stable returns, while still being able to leave for other opportunities. Consider where the
barriers to entry lie for your market sector, how vulnerable you are to new entrants, and whether
you can strengthen and entrench your market position.

D. Break-even Analysis

The break-even point is when sales cover costs, where neither a profit nor a loss is made. It is
calculated by dividing the costs of the project by the gross profit at specific dates, making sure to
allow for overhead costs. Break-even analysis (cost-volume-profit or CVP analysis) is used to
decide whether to continue developing a product, alter the price, provide or adjust a discount, or
change suppliers to reduce costs. It is also helps in managing the sales mix, cost structure and
production capacity, as well as in forecasting and budgeting.

D. Controlling Costs

To control costs:

Focus on the big items of expenditure. Categories costs into major or peripheral items. Often,
undue emphasis is given to the 80% of activities accounting for 20% of costs.

Be cost aware. Casualness is the enemy of cost control. While focusing on major items of
expenditure it may also be possible to cut the cost of peripheral items. Costs can be reduced over
the medium to long term by managers attitudes to cost control and the effects of expenses on
cash flow.

• Maintain a balance between costs and quality. Getting the best value means achieving a balance
between the price paid and the quality received.

• Use budgets for dynamic financial management. Budget early so financial requirements are
known as soon as possible. Consider the best time-period for the budget normally a year but it
depends on the type of business. Some larger firms have moved to rolling budgets, getting
managers to forecast the next 18 months every quarter. Budgets provide a starting point for cash
flow forecasts and revenues, and they also play an essential role in monitoring costs and
revenues.

• Develop a positive attitude to budgeting. People need to understand, accept and use the budget,
feeling a sense of ownership and responsibility for developing, monitoring and controlling it.

• Eliminate waste. For decades, leading Japanese companies have directed much of their cost-
management efforts towards waste elimination. They achieve this by using techniques such as
process analysis, mapping and re-engineering.

Practical Techniques to Improve Profitability

Some practical techniques to improve profitability:

Focus decision-making on the most profitable areas. Concentrating on products and services with
the best margin will protect or enhance profitability. This might involve redirecting sales and
advertising activities.

Decide how to treat the least profitable products. These often drift, with dwindling profitability.
Turn around a poor performer (by reducing costs, raising prices, altering discounts or changing
the product) or abandon it to prevent drain on resources and reputation. The shelf-life and appeal
of product must be considered when deciding to continue or discontinue it.

Make sure new products enhance overall profitability. New product development often focuses
on market need or the production process, with insufficient regard to cost, price, sales volume
and overall profitability, which are inextricably linked.

Manage development and production decisions. The amount spent on research, as well as the
priorities and methods used, affect profitability. Too little expenditure may increase costs in the
long term.
Set the buying policy. For example, should there be a small number of preferred suppliers or a
bidding system among a wider number of potential suppliers? Also, consider techniques for
controlling delivery charges, monitoring exchange rates, improving quality control, reducing
inventory and improving production lead times.

Consider how to create greater value from existing customers and

Products to enhance profitability. Ask: How can customer loyalty (and repeat purchasing) be
enhanced?

How can the sales proposition be made more competitive relative to

The opposition?

How can existing markets, sales channels, products, brand reputation and other resources be
adapted to exploit new markets and new

Opportunities?

How can sales expenses be reduced?

How can effectiveness of marketing activities be increased?

Consider how to increase profitability by managing people. Successful leadership is prerequisite

for profitability. People need to be motivated and supported, and this implies rewarding them
fairly for their work, training and developing them, providing clear sense of direction, and
focusing on the needs of the team, the task and the individual.

There are many techniques for assessing the likely profitability of an investment. One of the
most used is to apply discounted cash flows in evaluating capital investment programs.
• Avoiding Pitfalls

Many managers have financial responsibilities and their decisions will often be influenced by or
have an impact on other parts of the business. The following principles will help avoid flawed
financial decision-making.

Financial expertise must be widely available

Every manager needs to understand why successful financial management increases profits
people need to own their part of the financial control process, to have the information and
expertise needed to routinely make the best financial decisions.

Consider the impact of financial decisions

Do not ignore or underestimate the wider impact of finance issues upon other departments and
decisions.

Avoid weak budgetary control

Budgets are an active tool to help make financial decisions, not merely a way to measure
performance.

Understand the impact of cash flow

Non-financial managers often ignore cash flows and the time value of money. Everyone should
be aware of the importance of cash to the organization.

Know where the risk lies

Identifying risks and how to reduce them is crucial to successful financial decision-making. For
example, managers need to know not only where the break- even point is, but also how and when
it will be reached.

Understand the impact of cash flow

Non-financial managers often ignore cash flows and the time value of money. Everyone should
be aware of the importance of cash to the organization.

Know where the risk lies

Identifying risks and how to reduce them is crucial to successful financial decision-making. For
example, managers need to know not only where the break- even point is, but also how and when
it will be reached.

208

Practical Guidelines in Reducing and Managing Business Atsi 19

• Reduce Financial Risk Positive Replies to the following Questions woul assist Top
Management to Manage Financial Risk

Are the most effective and relevant performance measures in place to monitor and assess the
effectiveness of financial decision

Have you analyzed key business ratios recently? How useful are vot performance indicators?
What are the main issues? Are you fo the right things?

Is there a positive attitude to budgets and budgeting?

Does decision-making focus on the most profitable products services, or is it preoccupied with
peripheral issues?

What are the least profitable parts of the organizations? How will they improved?

Are market and customer decisions focused on improving profitability Too often, attention if
given to non-financial objectives, such increasing market share, without adequately considering
the firanc risks and alternatives.

How efficiently is cash managed? Do your strategic business decisi take account of cash
considerations, such as the time value of money

CHAPTER 13

OVERVIEW OF INTERNAL CONTROL

NATURE AND PURPOSE OF INTERNAL CONTROL

Internal control is the process designed and effected by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of the
entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and regulations. It follows that internal control is
designed and implemented to address identified business risks that threaten the achievement of
any of these objectives.

Those objectives fall into three categories:

Reliability of the entity’s financial reporting

Effectiveness and efficiency of operations

Compliance with applicable laws and regulations

Whether an entity achieves its objectives relating to financial reporting and compliance is
determined by activities within the entity’s control. However, achieving its objectives relating to
operations will depend not only on management’s decisions but also on competitor’s actions and
other factors outside the entity.

INTERNAL CONTROL SYSTEM DEFINED

Internal control system means all the policies and procedures (internal controls) adopted by the
management of an entity to assist in achieving management objective of ensuring, as far as
practicable, the orderly and efficient conduct of I business, including adherence to management
policies, the safeguarding < assets, the prevention and detection of fraud and error, the accuracy
and completeness of the accounting records, and the timely preparation of reliable financial
information.

ELEMENTS OF INTERNAL CONTROL

Internal control structures vary significantly from one company to the next. Factors such as size
of the business, nature of operations, the geographical dispersion of its activities, and objectives
of the organization affect the specific control features of an organization. However, certain
elements or features must be present to have a satisfactory system of control in almost any large
scale organization.

The internal control system extends beyond these matters which relate directly to the functions of
the accounting system and consists of the following components:

a. The control environment;

 b. The entity’s risk assessment process;

c. The information system, including the related business processes, relevant to financial
reporting, and communication;

d. Control activities;

e. Monitoring of controls.

Overview of Internal Control 199

The environment in which internal control operates has an impact on the effectiveness of the
specific control procedures. Several factors comprise the control environment, including:

1. Communication and Enforcement of Integrity and Ethical Values Integrity and ethical
values are essential elements of the internal control environment. They affect the design,
administration, and monitoring of other components of internal control. An entity’s
ethical and behavioral standards and the manner in which it communicates and reinforces
them determine the entity’s integrity and ethical behavior. Integrity and ethical values
include management’s actions to remove or reduce incentives and temptations that might
prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the
communication of entity values and behavioral standards to personnel through policy
statements, a code of conduct, and management’s example of appropriate behavior.

2. Commitment to Competence

Competence is the knowledge and skills necessary to accomplish tasks that define an employee’s
job. Commitment to competence means that management considers the competence levels for
particular jobs in determining the skills and knowledge required of each employee and that it
hires employees competent to perform the tasks.

3. Participation by those Charged with Governance

An entity’s control consciousness is influenced significantly by those charged with governance.

Attributes of those charged with governance include independence from management, their
experience and stature, the extent of their involvement and scrutiny of activities, th
appropriateness of their actions, the information they receive, the degre to which difficult
questions are raised and pursued with managemen and their interaction with internal and external
auditors. The importance of responsibilities of those charged with governance is recognized in
codes of practice and other regulations or guidance produced for the benefit of those charged
with governance. Other responsibilities of those charged with governance include oversight of
the design and effective operation of whistle blower procedures and the process for reviewing the
effectiveness of the entity’s internal control.

Management’s Philosophy and Operating Style This refers to management’s attitude towards (a)
business risk, (b) financial reporting, (c) meeting budget, profit and other established goals which
all have impact on the reliability of the financial statements. Management’s approach to taking
and monitoring business risks, its conservative or aggressive selection from alternative
accounting principles, its conscientiousness and conservatism in developing accounting
estimates, and its attitude toward information processing and the accounting function and
personnel are factors that affect the control environment.

4. Organizational Structure The responsibilities and authorities of the various personnel

within the organization should be established in such a manner as to (1) assist the entity
in meeting its goals and objectives and (2) ensure that transactions are processed,
recorded, summarized and reported in an accurate and timely manner. Organizational
structure provides the overall framework for planning, directing and controlling
operations.

5. Assignment of Authority and Responsibility Personnel within an organization need to

have a clear understanding of their responsibilities and the rules and regulations that
govern their actions. Management may develop job descriptions, computer system
 documentation. It may also establish policies regarding acceptable business practice,
conflicts of interest and code of conduct.

6. Human Resources Policies and Procedures Perhaps the most important element of an
internal accounting control system is the people who perform and execute the established
po and procedures. Personnel policies should be adopted by the cli reasonably ensure that
only capable and honest persons are hire retained. Policies with respect to employee
selection, training, and supervision should be adopted and implemented by the client. The
selection of competent and honest personnel does not automatically assure that errors or
irregularities will not occur. However, adequate personnel policies, coupled with the
design concepts suggested earlier in this section, enhance the likelihood that the client’s
policies and procedures will be followed.

Overview of Internal Control 201

B. Entity’s Risk Assessment Process

Risk assessment is the “identification, analysis, and management of risks pertaining to the
preparation of financial statements”. For example risk assessment may focus on how the
entity considers the possibility of transactions not being recorded or identifies and assesses
significant estimates recorded in the financial statements.

An entity’s risk assessment process is its process for identifying and responding to business
risks and the results thereof. For financial reporting purposes, the entity’s risk assessment
process includes how management identifies risks relevant to the preparation of financial
statements that are presented fairly, in all material respects in accordance with the entity’s
applicable financial reporting framework, estimates their significance, assesses the likelihood
of their occurrence, and decides upon actions to manage them. For example, the entity’s risk
assessment process may address how the entity considers the possibility of unrecorded
transactions or identifies and analyzes significant estimates recorded in the financial
statements. Risks relevant to reliable financial reporting also relate to specific events or
transactions.
Risks relevant to financial reporting include external and internal events and circumstances
that may occur and adversely affect an entity’s ability to initiate, record, process, and report
financial data consistent with the assertions of management in the financial statements. Once
risks are identified, management considers their significance, the likelihood of their
occurrence, and how they should be managed. Management may initiate plans, programs, or
actions to address specific risks or it may decide to accept a risk because of cost or other
considerations. Risks can arise or change due to circumstances such as the following:

Changes in operating environment. Changes in the regulatory or operating environment can

result in changes in competitive pressures and significantly different risks.

New personnel. New personnel may have a different focus on or understanding of internal
control.

New or revamped information systems. Significant and rapid changes in information systems
can change the risk relating to internal control.

Rapid growth. Significant and rapid expansion of operations can strain controls and increase
the risk of a breakdown in controls.

New technology. Incorporating new technologies into production processes or information

systems may change the risk associated with internal control.

New business models, products, or activities. Entering into business areas or transactions
with which an entity has little experience may introduce new risks associated with internal
control.

Corporate restructurings. Restructurings may be accompanied by staff reductions and

changes in supervision and segregation of duties that may change the risk associated with
internal control.
Expanded foreign operations. The expansion or acquisition of foreign operations carries new
and often unique risks that may affect internal control, for example, additional or changed
risks from foreign currency transactions.

New accounting pronouncements. Adoption of new accounting principles or changing

accounting principles may affect risks in preparing financial statements.

The basic concepts of the entity’s risk assessment process are relevant to every entity,
regardless of size, but the risk assessment process is likely to be less formal and less
structured in small entities than in larger ones. All entities should have established financial
reporting objectives, but they may be recognized implicitly rather than explicitly in small
entities. Management may be aware of risks related to these objectives without the use of a
formal process but through direct personal involvement with employees and outside parties.

Considerations Specific to Smaller Entities

Many small entities are carried out entirely by the engagement partner (who may be a sole
practitioner). In such situations, it is the engagement partner having personally conducted the
planning of the audit, would be responsil considering the susceptibility of the entity’s
financial statements to m misstatement due to fraud and error.
Overview of Internal Control 203

C. Information System, including the Business Processes, Relevant to

Financial Reporting and Communication

An information system consists of infrastructure (physical and hardware components),

software, people, procedures, and data. Infrastructure and software will be absent, or have
less significance, in systems that are exclusively or primarily manual. Many information
systems make extensive use of IT.
The Information System, Including Related Business Processes, Relevant to Financial
Reporting

The Information system relevant to financial reporting objectives, which includes the
accounting system, consists of the procedures and records designed and established to:

Initiate, record, process, and report entity transactions (as well as events and conditions) and
to maintain accountability for the related assets,

Liabilities, and equity; Resolve incorrect processing of transactions, for example, automated

Suspense files and procedures followed to clear suspense items out on a

Timely basis; Process and account for system overrides or bypasses to controls;

Transfer information from transaction processing systems to the general ledger;

Capture information relevant to financial reporting for events and conditions other than
transactions, such as the depreciation and

Amortization of assets and changes in the recoverability of accounts receivables; and

Ensure information required to be disclosed by the applicable financial reporting framework

is accumulated, recorded, processed, summarize and appropriately reported in the financial
statements.

Journal Entries
An entity’s information system typically includes the use of standard journal entries that are
required on a recurring basis to record transactions. Examples might be journal entries to
record sales, purchases, and cash disbursements in the general ledger, or to record accounting
estimates that are periodically made by management, such as changes in the estimate of
uncollectible accounts receivable.

Related Business Processes

An entity’s business processes are the activities designed to:

Develop, purchase, produce, sell and distribute an entity’s products and services;

Ensure compliance with laws and regulations; and

Record information, including accounting and financial reporting information.

Business processes result in the transactions that are recorded, processed and reported by the
information system. Obtaining an understanding of the entity’s business processes, which
include how transactions are originated, assists the auditor obtain an understanding of the
entity’s information system relevant to financial reporting in a manner that is appropriate to
the entity’s circumstances.

Accordingly, an information system encompasses methods and records that:

Identify and record all valid transactions.

Describe on a timely basis the transactions in sufficient detail to permit proper classification
of transactions for financial reporting.
Measure the value of transactions in a manner that permits recording their proper monetary
value in the financial statements.

Determine the time period in which transactions occurred to recording of transactions in the
proper accounting period.

Present properly the transactions and related disclosures in the financial statements.

Electronically, orally, and through the actions of management.

Application to Small Entities

Information systems and related business processes relevant to financial reporting in small
entities are likely to be less formal than in larger entities but their role is just as significant.
Small entities with active management involvement may not need extensive descriptions of
accounting procedures, sophisticated accounting records, or written policies. Communication
may be less formal and easier to achieve in a small entity than in a larger entity due to the
small entity’s size and fewer levels as well as management’s greater visibility and
availability.

D. Control Activities

Control activities are the policies and procedures that help ensure that management directives
are carried out, for example, that necessary actions are taken to address risks that threaten the
achievement of the entity’s objectives. Control activities, whether within IT or manual
systems, have various objectives and are applied at various organizational and functional
levels.

The major categories of control procedures are:

A. Performance Review
 B. Information Processing Controls

1) Proper authorization of transactions and activities

2) Segregation of duties

3) Adequate documents and records

4) Safeguards over access to assets; and

5) Independent checks on performance

C. Physical controls

A. Performance Review

In a performance review management uses accounting and operating data to assess performance,
and it then takes corrective action. Such reviews include:

Comparing actual performance (or operating results) with budgets, forecasts, prior period
performance, or competitors’ data or tracking major initiatives such as cost-containment or cost-
reduction programs to measure the extent to which targets are being met.

Investigating performance indicators based on operating or financial data, such as quantity or

purchase price variances or the percentage of returns to total orders.
Reviewing functional or activity performance, such as relating the performance of a manager
responsible for a bank’s consumer loans with some standard, such as economic statistics or
targets.

Personnel at various levels in an organization may make performance reviews. Performance

reviews may be used by managers for the sole purpose of making operating decisions. For
example, managers may analyze performance data and base operating decisions on them because
the data are consistent with their expectations. This type of review improves the reliability of the
data. However, when managers follow up on unexpected results determined by a financial
reporting system, performance reviews become a useful control over financial reporting.

B. Information Processing Controls

Information processing controls are policies and procedures designed to require authorization of
transactions and to ensure the accuracy and completeness of transaction processing. Control
activities may be classified according to the scope of the system thev affect. General controls are
control activities that prevent or ( errors or irregularities for all accounting systems. General col
affect all transaction cycles and apply to information processing as a center, hardware and
systems software acquisition and maintenance,

1. Proper authorization of transactions and activities

As suggested earlier, authorization for the execution of transactions flows from the stockholders
to management and its subordinates. Before a transaction is entered into with another party,
certain conditions must usually be met. As part of the evaluation of the potential transaction,
documentation will be created. The auditor uses this documentation, to determine whether
business transactions are properly authorized. For example, the purchase of inventory may create
a purchase order, a receiving report, and a vendor invoice. By inspecting these documents and
comparing them with company policy, the auditor may be reasonably satisfied that a business
transaction was authorized and executed in a manner consistent with company policy.

2. Segregation of duties
An important element in designing an internal accounting control system that safeguards assets
and reasonably ensures the reliability of the accounting records is the concept of segregation of
responsibilities. No one person should be assigned duties that would allow that person to commit
an error or perpetuate fraud and to conceal the error or fraud. For example, the same person
should not be responsible for recording the cash received on account and for posting the receipts
to the accounting records.

3. Adequate documents and records

The use of adequate documents and records allow the compa to obtain reasonable assurance that
all valid transactions ha been recorded.

4. Access to assets

The resources of a client can be protected by the establishment of physical barriers and
appropriate policies. For example, inventories may be kept in a storeroom, or negotiable

Instruments may be placed in a safe deposit box. Appropriate company policies are adopted so
that only authorized persons have access to company resources. Safeguarding of assets is more
than establishing physical barriers. A client should design its internal accounting control system
so that documents authorizing the movement of assets into an organization or out of an
organization are adequately controlled.

5. Independent checks on performance

The objective of a well-designed internal accounting control system is the adoption of

procedures that periodically compare the actual asset with its recorded balance. Regardless of the
effectiveness of an internal control system, some transactions may not be accurately recorded,
and some assets may be misappropriated. An important part of an internal accounting control
system is to determine the effectiveness of recording policies and asset access policies. This is
accomplished by periodic counts of assets by the client and comparing the counts to the balances
in the general ledger account. Examples are the count of inventory and the preparation of
monthly bank reconciliation.

C. Physical Controls

Controls that encompass:

The physical security of assets, including adequate safeguards such as secured facilities over
access to assets and records.

The authorization for access to computer programs and data files.

The periodic counting and comparison with amounts shown on control records (for example,
comparing the results of cash, security and inventory counts with accounting records).

The extent to whichh physical controls intended to prevent theft of assets are relevant to the
reliability of financial statement preparation, and therefore the audit, depends on circumstances
such as when assets are highly susceptible to misappropriation.

D. Monitoring of Controls

Monitoring, the final component of internal control, is the process that an entity uses to assess
the quality of internal control over time. Monitoring involves assessing the design and operation
of controls on a timely basis and taking corrective action as necessary. Management monitors
controls to consider whether they are operating as intended and to modify them as appropriate
for changes in conditions. In many entities, internal auditors evaluate the design and operation of
internal control and communicate information about strengths and weaknesses and
recommendations for improving internal control.

Some monitoring activities may include communications from external parties. For example,
customers implicitly corroborate sales data by paying their bills or raising questions. Also, bank
regulators, other regulators, and outside auditors may communicate about the design or
effectiveness internal control.

Monitoring activities may include using information from communications from external parties
that may indicate problems are highlight areas in need of improvement. Customers implicitly
corroborate billing data by paying their invoices or complaining about their charges. In addition,
regulators may communicate with the entity concerning matters that affect the functioning of
internal control, for example, communications concerning examinations by bank regulatory
agencies. Also, management may consider communications

Chapter 14: Fraud and Error

Fraud is an intentional act involving the use of deception that results in a material misstatement
of the financial statements. Two types of misstatements are relevant to auditors’ consideration of
fraud: (a) misstatements arising from misappropriation of assets, and (b) misstatements arising
from fraudulent financial reporting.

Intent to deceive is what distinguishes fraud from errors. Auditors routinely find financial errors
in their client’s books, but those errors are not intentional.

TYPES OF MISSTATEMENTS

a. Misstatements arising front misappropriation of assets

b. Misstatements arising from fraudulent financial reporting

Asset misappropriation commonly occurs when employees:

-Gain access to cash and manipulate accounts to cover up cash thefts.

Manipulate cash disbursements through fake companies.

Steal inventory or other assets and manipulate the financial records to cover up the Fraud.

Misstatements arising from Fraudulent Financial Reporting

The intentional manipulation of reported financial results to misstate the economic condition of
the organization is called fraudulent financial reporting. The perpetrator of such a fraud generally
seeks gain through the rise in stock price and the commensurate increase in personal wealth.
Sometimes the perpetrator does not seek direct personal gain, but instead uses the fraudulent
financial reporting to “help” the organization avoid bankruptcy or to avoid some other negative
financial outcome. Three common ways in which fraudulent financial reporting can take place
include:

1. Manipulation, falsification, or alteration of accounting records or supporting documents.

2. Misrepresentation or omission of events, transactions, or other significant information.

3. Intentional misapplication of accounting principles.

THE FRAUD TRIANGLE

The Fraud Triangle characterizes incentives, opportunities and rationalizations that enable fraud
to exist.

The three elements of the fraud triangle are:

Incentive to commit fraud

Opportunity to commit and conceal the fraud

Rationalization the mindset of the fraudster to justify committing the fraud.

Incentives or Pressures to Commit Fraud

Incentives relating to asset misappropriation include:

 Personal factors, such as severe financial considerations

 Pressure from family, friends, or the culture to live a more lavish lifestyle than one’s
personal earnings allow for

 Addictions to gambling or drugs

 The incentives include the following for fraudulent financial reporting:

 Management compensation schemes

 Other financial pressures for either improved earnings or an improved balance sheet

 Debt covenants

 Pending retirement or stock option expirations

 Personal wealth tied to either financial results or survival of the company

 Greed for example, the backdating of stock options was performed by individuals who
already had millions of pesos of wealth through stock

Opportunities to Commit Fraud

One of the most fundamental and consistent findings in fraud research is that there must be an
opportunity for fraud to be committed. Although this may sound obvious that is, “everyone has
an opportunity to commit fraud” it really conveys much more. . Some of the opportunities to
commit fraud that the top management should consider include the following:

Significant related-party transactions

A company’s industry position, such as the ability to dictate terms or conditions to suppliers or
customers that might allow individuals to structure fraudulent transactions
Management’s inconsistency involving subjective judgments regarding assets or accounting
estimates

Simple transactions that are made complex through an unusual recording process

Complex or difficult to understand transactions, such as financial derivatives or special-purpose

entities

Ineffective monitoring of management by the board, either because the board of directors is not
independent or effective, or because there is a domineering manager

Complex or unstable organizational structure

Weak or nonexistent internal controls

Rationalizing the Fraud

For asset misappropriation, personal rationalizations often revolve around mistreatment by the
company or a sense of entitlement (such as, “the company owes me!”) by the individual
perpetrating the fraud. Following are some common rationalizations for asset misappropriation:

Fraud is justified to save a family member or loved one from financial crisis.

We will lose everything (family, home, car and so on) if we don’t take the money.

No help is available from outside.

This is “borrowing”, and we intend to pay the stolen money back at some point.

Something is owed by the company because others are treated better.

We simply do not care about the consequences of our actions or of accepted notions of decency
and trust; we are for ourselves.

For fraudulent financial reporting, the rationalization can range from “saving the company” to
personal greed, and may include the following:

This is one-time thing to get us through the current crisis and survive until things get better.

Everybody cheats on the financial statements a little; we are just playing the same game.
We will be in violation of all of our debt covenants unless we find a way to get this debt off the
financial statements.

We need a higher stock price to acquire company XYZ, or to keep our employees through stock
options, and so forth.

Risk Factors Contributory to Misappropriation of Assets

Misappropriation of assets involves the theft of an entity’s assets and is often perpetrated by
employees in relatively small and immaterial amounts. However, it can also involve management
who are usually more able to disguise or conceal misappropriations in ways that are difficult to
detect. Misappropriation of assets can be accompanied in a variety of ways including:

Embezzling receipts (for example, misappropriating collections on accounts receivable or

diverting receipts in respect of written-off accounts to personal bank accounts).
Stealing physical assets or intellectual property (for example, stealing inventory for personal use
or for sale, stealing scrap for resale, colluding with a competitor by disclosing technological data
in return for payment).

Causing an entity to pay for goods and services not received (for example, payments to fictitious
vendors, kickbacks paid by vendors to the entity’s purchasing agents in return for inflating
prices, payments to fictitious employees).

Using an entity’s assets for personal use (for example, using the entity’s assets as collateral for a
personal loan or a loan to a related party).

A. Incentives / Pressures

1. Personal financial obligations may create pressure on management or employees

with access to cash or other assets susceptible to theft to misappropriate those
assets.
2. Adverse relationships between the entity and employees with access to cash or
other assets susceptible to theft may motivate those employees to misappropriate
those assets. For example, adverse relationships may be created by the following:
(a) Known or anticipated future employee layoffs.
(b) Recent or anticipated changes to employee compensation or benefit plans.
3. © Promotions, compensation, or other rewards inconsistent with expectations.

B. Opportunities

1. Certain characteristics or circumstances may increase the susceptibility of assets

to misappropriation. For example, opportunities to misappropriate assets increase
when following situations exist:

(a) Large amounts of cash on hand or processed.

 (b) Inventory items that are small in size, of high value, or in high demand.

© fixed assets which are small in size, marketable, or lacking observable identification of
ownership.

2. Inadequate internal control over assets may increase the susceptibility of

misappropriation of those assets. For example, misappropriation of assets may
occur because of the following:

(a) Inadequate segregation of duties or independent checks.

(b) Inadequate oversight of senior management expenditures, such as travel

and other reimbursements.

© Inadequate management oversight of employees responsible for assets, for example,

inadequate supervision or monitoring of remote locations.

(c) Inadequate job applicant screening of employees with access to assets.

€ Inadequate record keeping with respect to assets.

(f) Inadequate system of authorization and approval of transactions (for example, in purchasing).

(g) Inadequate physical safeguards over cash, investments, inventory, or fixed assets.

(h) Lack of complete and timely reconciliations of assets. (1) Lack of timely and appropriate
documentation of transactions, for example, credits for merchandise returns.
(j) Lack of mandatory vacations for employees performing key control functions.

(k) Inadequate management understanding of information technology, which enables information

technology employees to perpetrate a misappropriation.

(1) Inadequate access controls over automated records, including controls over and review of
computer systems event logs.

C. Attitudes/ Rationalizations

1. Disregard for the need for monitoring or reducing risks related to

misappropriation of assets.

2. Disregard for internal control over misappropriation of assets by overriding

existing controls or by failing to correct known internal control deficiencies.

3. Behavior indicating displeasure or dissatisfaction with the entity or its treatment

of the employee.

4. Changes in behavior or lifestyle that may indicate assets have been

misappropriated.

5. Tolerance of petty theft.

Risk Factors Contributory to Fraudulent Financial Reporting

Fraudulent financial reporting may be accomplished by the following:

Manipulation, falsification (including forgery), or alteration of accounting records or supporting
documentation from which the financial statements are prepared.

Misrepresentation in, or intentional omission from, the financial statements of events,

transactions or other significant information.

Intentional misapplication of accounting principles relating to amounts. Classification, manner of

presentation, or disclosure.

A. Incentive / Pressure
B.
Incentive or pressure to commit fraudulent financial reporting may exist when management is
under pressure, from sources outside or inside the entity, to achieve an expected (and perhaps
unrealistic) earnings target or financial outcome particularly since the consequences to
management for failing to meet financial goals can be significant.

C. Opportunities

A perceived opportunity to commit fraud may exist when an individual believes internal control
can be overridden, for example, because the individual is in a position of trust or has knowledge
of specific weaknesses in internal control.

Fraudulent financial reporting often involves management override of controls that otherwise
may appear to be operating effectively. Fraud can be committed by management overriding
controls using such techniques

As:

Recording fictitious journal entries, particularly close to the end of an accounting period, to
manipulate operating results or achieve other objectives.
Inappropriately adjusting assumptions and changing judgments used to estimate account
balances.

Omitting, advancing or delaying recognition in the financial statements of events and

transactions that have occurred during the reporting period.

Concealing, or not disclosing, facts that could affect the amounts recorded in the financial
statements.

Engaging in complex transactions that are structured to misrepresent the financial position or
financial performance of the entity.

Altering records and terms related to significant and unusual transactions.

D. Rationalizations

Individuals may be able to rationalize committing a fraudulent act. Some individuals possess an
attitude, character or set of ethical values that allow them knowingly and intentionally to commit
a dishonest act. However, even otherwise honest individuals can commit fraud in an environment
that imposes sufficient pressure on them.

Chapter 15: Errors and irregularities in the transaction cycles

While businesses in different individuals can have striking different characteristics most have
some fundamental conceptual characteristics are practices in common. The three basic
business transaction cycles include

1. Sales and Collections Cycle

2. Acquisitions and Payments Cycle

3. Payroll and Personnel Cycle

Management should establish controls to ensure that these transactions are appropriately
handled and recorded. However, if internal controls are not properly implemented, or are
overridden, fraud and errors may occur. This chapter presents the errors and fraudulent
activities that could result if there is poor internal control.

I. Sales and Collections Cycle

1. Errors in Recording Sales and Collections Transactions

Errors in recording sales include mechanical errors, such as using a wrong piece or wrong
quantity, recording sales in the wrong period (cutoff errors), a bookkeeper’s failure to
understand proper accounting for a transaction, and so on. Internal controls are designed to
prevent or detect many of these kinds of errors.

2. Frauds in Sales and Collections

Frauds in sales generally relate to fraudulent financial reporting. In contrast, frauds in cash
collections relate to misappropriation of assets, typically accomplished by clerks or
management-level employees.

a. Fraudulent Financial Reporting Fraudulent financial reporting involving sales

typically results in overstated sales or understated sales returns and allowances.
Managers under pressure to achieve high profits may inflate sales to meet target
profits established by senior managers, to obtain bonuses, to retain the respect of
senior managers, or even to keep their jobs. The following methods can be used to
increase sales fraudulently:
Recording fictitious sales (creating fictitious shipping documents, sales invoices, and so on)

Recording valid transactions twice

Recording in the current period sales that occurred in the

Succeeding period (improper cutoff)

Recording operating leases as sales

Recording deposits as sales

Recording consignments as sales

Recording sales when the chance of a return is likely

Following revenue recognition practices that are not in

Accordance with PFRS

Recognizing revenue that should be deferred

b. Misappropriation of Assets: Withholding Cash Receipts

1. Skimming
This refers to the act of withholding cash receipts without recording them. An example is
when a cashier in a retail store does not ring up a transaction and takes the cash. Another
example is when an employee who has access to cash receipts and maintains accounts
receivable records can record a sale at an amount lower than the invoice amount. When the
customer pays, the employee takes the difference between the invoice and the amount
recorded as a receivable. Detection of unrecorded cash receipts is very difficult; however,
unexplained changes in the gross profit percentage or sales volume may indicate that cash
receipts have been withheld.

2. Lapping

This technique is used to conceal the fact that cash has been abstracted; the shortage in one
customer’s account is covered with a subsequent payment made by another customer. An
employee who has access to cash receipts and maintains accounts receivable can engage in
lapping. Routine testing of details of collections compared with validated bank deposit slips
should uncover this fraud.

3. Kiting

This is another technique used to cover cash shortage or to inflate cash balance. Kiting
involves counting the cash twice by using the float in the banking system. (Float is the gap
between the time the check is deposited or added to an account and the time the check clears
or is deducted from the account it was written on). Analyzing and verifying cash transfers
during the days surrounding year-end should reveal this type of fraud.

Π. Acquisitions and Payments Cycle

1. Errors in the Acquisitions and Payments Cycle

The following may occur in the acquisitions and payments cycle:

Failing to record a purchase in the proper period (cutoff

Errors)

Recording goods accepted on consignment as a purchase

Misclassifying purchases of assets and expenses

Failing to record a cash payment

Recording a payment twice

Failing to record prepaid expenses as assets

Entities normally design controls to prevent these errors from occurring or to detect errors if
they do occur. When such controls exist, auditors test the controls to assess their
effectiveness. If the controls are not effective, auditors should perform substantive tests to
determine that the financial statements do not contain material misstatements that arose
because of possible errors.

2. Frauds in the Acquisitions and Payments Cycle

a. Paying for Fictitious Purchases

This involves the perpetrator creating a fictitious invoice (and sometimes a receiving report,
purchase order and so forth) and processing the invoice for payment. Alternatively, the
perpetrator can pay the invoice twice.

b. Receiving Kickbacks
In this scheme, a purchasing agent may agree with a vendor to receive a kickback (refund
payable to the purchasing person on goods or services acquired from the vendor).

This is usually done in return for the agent’s ensuring that the particular vendor receives an
order from the firm. Often a check is made payable to the purchasing agent and mailed to the
agent at a location other than his or her place of employment. Sometimes the purchasing
agent splits the kickback with the vendor’s employee for approving and paying it. Detecting
kickbacks is difficult because the buyer’s records do not reflect their existence. However,
when vendors are required to submit bids for goods or services, the likelihood of kickbacks is
reduced.

c. Purchasing Goods for Personal Use

Goods or services for personal use may be purchased by executive or purchasing agents and
charged to the company’s account. To execute such a purchase, the perpetrator must have
access to blank receiving reports and purchase approvals or must connive with another
employee. Fraud involving the purchase of goods for personal use is more likely to go
unnoticed when perpetual records are not maintained.

II. Payroll and Personnel Cycle

Historically, errors and irregularities involving payroll have been reported to occur frequently
and are largely undetected.

1. Errors

The most errors that can occur in the payroll and personnel cycle are

a) Paying employees at the wrong rate,

b) Paying employees for more hours than they worked,

 c) Charging payroll expense to the wrong accounts, and

d) Keeping terminated employees on the payroll.

Good internal control can be established to prevent these errors from occurring and to detect
them if they do occur.

2. Frauds involving Payroll

The major payroll-related frauds include’

a. Fictitious Employees

Adding fictitious employees to the payroll is one of the most common defalcations. Detecting
fictitious employees on the payroll is very difficult; but auditors do sometimes perform a
surprise payoff as a deterrent to this form of defalcation. Alternatively, the auditor may turn
the check distribution over to an official not associated with preparing payroll, signing
checks, or supervising workers. Personnel files and the employees’ completed time cards and
time tickets may also be examined to substantiate the existence of absent employees.

b. Excess Payments to Employees

Increasing the rate above that approved or paying employees for more hours than they
worked are the most common ways of paying employees more than they are entitled to
receive. These practices can be substantially reduced by requiring personnel department
officials to authorize changes in pay rates and by monitoring total hours worked and paid for.
Analytical procedures that focus on cost per unit of actual production can also be helpful in
detecting excess payments to employees.
 c. Failure to Record Payroll Companies having difficulty meeting profit
targets or not-for- profit entities having difficulty managing costs and
expenses might fail to record a payroll. The omission of payroll can be
difficult to hide unless a similar amount of revenues or receipts has been
omitted. Analytical procedures can be performed to test the
reasonableness of payroll cost.

E. Inappropriate Assignment of Labor Costs to Inventory A company having

difficulty meeting profit targets might assign to inventory labor cost that should
have been charged to expense. Analytical procedures such as comparing costs
incurred to budgeted cost and verification of valuation of inventory are some of
the useful techniques in detecting such fraud.