CG4 Final2

Uploaded by vaclav.b

Internal control and risk: theory and practice
Václav Brož
Prague City University
Ethical Frameworks and International
Corporate Governance
October 2023

1
Outline
• Lecture
• A general introduction
• COSO: an example of a risk management framework
• Seminar
• Enron

2
Effective vs efficient
What is the difference?

3
• Effective
• The desired result is achieved, which is a success

• Efficient
• Perfection
• Minimum resources

Effective vs efficient
4
Purpose of internal control systems
• Internal control is a process spearheaded by an entity's board of directors, MGMT and potentially others, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations with respect to risk
• Reliability of reporting
• Compliance with laws and regulations

5
How to carry out internal control?
• Control is the result of proper planning, organising and directing by MGMT
• Identification of objectives – potentially driven by external factors
• Setting targets – e.g. budget, costs
• Measuring achievements/outputs – they have to be measurable (numerically or subjectively)
• Comparing achievements with targets – provides feedback
• Identifying & implementing corrective action – changing objectives, resources as inputs, a particular process or the whole system

6
Risk: key terms
• Risk is a condition in which there exists a quantifiable dispersion in the possible results of any activity
• Types of risks for a company
• Fundamental = affect everyone, beyond control
• Speculative = the outcome can be both good and bad
• Pure = there is only a bad scenario

• Hazard is the impact if the risk materialises
• But it is often also expressed as risk

7
Risk: key terms
• Uncertainty means that you do not know the possible outcomes and the chances of each outcome occurring
• Risk appetite describes the nature and strength of risks that an organisation is prepared to bear
• It is put into a document

• Risk attitude is the directors' views on the level of risk that they consider desirable
• Not written down

8
Basics of risks within an organization
• MGMT responses to risk are not automatic, but will be determined by their own attitudes to risk, which in turn may be influenced by
• Cultural factors
• Significant losses in the past
• Priorities of their stakeholders and how much influence stakeholders have
• Stakeholders that have significant influence may try to prevent an organisation bearing certain risks
• They can affect the market price of shares by selling them, or they have the power to remove MGMT
• But they might have different risk attitudes among themselves!
• A particular case is creditors – they can make the company's life very difficult by e.g. charging higher interest rates or not renewing a loan

9
Basics of risks within an organization
• It would be unwise (and costly) to try to eliminate risks completely; they are a part of doing business!
• But why manage speculative risks?
• Your cash flows become more predictable
• You may limit some very adverse scenarios like bankruptcy
• You reassure shareholders and markets in general
• They might have some doubts about their returns given the risks they bear
• This also has implications for directors' remuneration – it should definitely be associated with the level of risk undertaken, otherwise the principal-agent (PA) problem can prove damaging (again)

10
Let's talk about COSO
• COSO is an example of a risk MGMT framework
• It is designed for an entire organization -> enterprise risk MGMT (ERM)
• COSO = Committee of Sponsoring Organizations
• Came to life in 1992 when accountants, auditors, and CEOs got together to deliver guidance about how to integrate controls into business practice
• Ethically
• Transparently
• In line with industry standards

11
Components of COSO
• COSO's enterprise risk MGMT framework provides a coherent framework for organisations to deal with risk, based on the following components:
• Internal environment
• The board's attitude, participation and operating style will be a key factor in determining the strength of the control environment
• Objective setting
• Each objective must fall within the risk appetite
• Event identification
• Both internal and external events which affect the achievement of a company's objectives must be identified

12
Components of COSO
• COSO's enterprise risk MGMT framework provides a coherent framework for organisations to deal with risk, based on the following components:
• Risk assessment
• The importance of employing a combination of qualitative and quantitative risk assessment methodologies
• Risk response
• Avoidance
• Reduction
• Transfer
• Acceptance

13
Components of COSO
• COSO's enterprise risk MGMT framework provides a coherent framework for organisations to deal with risk, based on the following components:
• Control activities
• Prevention is essential
• Information and communication
• Broad, relevant, of sufficient quality
• Monitoring
• Ongoing monitoring / periodic review

14
Strong and weak points of COSO
• Promotes a link between risk appetite and strategy (objectives)
• Not suitable for identification of slow changes that can give rise to important risks, for example changes in internal culture or market sentiment

15
Component 2: Objective setting

What's the difference between an objective and a strategy?

16
Component 2: Objective setting
• What's the difference between an objective and a strategy?
• Objective = more abstract
• Strategies = specific tools

• An organisation needs to have objectives in place and an idea of what strategies can be used to implement those objectives

17
Component 3: Event identification
• The role of the board and a designated risk committee
• Organisations should issue a risk policy statement and maintain a risk register

18
Component 3: Event identification
• Risk policy statement should crucially include information on:
• Objectives of risk policy
• Regulatory requirements
• Roles of board, managers, staff and audit and risk committees
• Internal control framework and important controls conducted

19
Component 3: Event identification
• Risk register
• Will be an internal document
• What are the main risks?
• Who is responsible?
• What are the risk levels before and after the control?

20
Component 3: Event identification
• Risk identification itself can be done in several ways:
• Physical inspection
• Enquiries
• Checking
• Brainstorming
• Checklisting
• Benchmarking

21
Component 4: Risk assessment
There is a key distinction between strategic and operational risks
How are they different?

22
Component 4: Risk assessment
• There is a key distinction between strategic and operational risks
• Strategic (business) risks are risks that relate to the fundamental decisions that the directors take about the future of the organization
• A product becomes less popular
• Operational risks relate to matters that can go wrong on a day-to-day basis while the organization is carrying out its business
• Credit risk: arises when customers fail to pay for goods and services they obtained on credit
• Several risks can encompass both dimensions
• Information technology risks

23
Component 4: Risk assessment
• How to quantify risks?
• Organisations can calculate possible results in several ways
• Risk rating – e.g. for mortgage clients
• Sensitivity analysis – calculate under alternative assumptions how sensitive the outcome is to changing conditions + identify critical variables
• Accounting ratios – e.g. debt ratio = debt / assets < 50 %
• Be aware of the subjectivity and inherently poor measurability of risks!

24
Component 5: Risk response
• The so-called Likelihood/Consequences matrix might be useful
• Recommended actions for the MGMT of the company
• Explanations
• Examples

25
Component 5: Risk response
The Likelihood/Consequences matrix: rows are likelihood (risk probability), columns are consequences (impact or hazard)

• Low likelihood, low consequences: Accept
• Risks are not significant; keep under review, but the costs of dealing with the risks are unlikely to be worth the benefits
• Example: loss of small-scale suppliers of unimportant inputs

• Low likelihood, high consequences: Transfer
• Insure the risk or implement contingency plans; reducing the severity of the risk will minimise insurance premiums
• Example: failure of computer systems

• High likelihood, low consequences: Reduce
• Take some action, e.g. self-insurance to deal with the frequency of losses
• Example: loss of lower-level staff

• High likelihood, high consequences: Avoid
• Take immediate action to reduce the severity and frequency of losses, e.g. charging higher prices to customers or ultimately abandoning activities
• Example: loss of senior or specialist staff

26
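The risk register (Component 3: main risks, who is responsible, risk levels before and after the control) and the Likelihood/Consequences matrix above fit together naturally: each register row is scored before and after its control, mapped onto the matrix to get the recommended response, and checked against the risk appetite (Component 2: each objective must fall within the risk appetite). The following Python script is an added illustration, not part of the lecture or of COSO's own materials. Everything not on the slides is an assumption: the 1..5 scoring scale, the rule that a score of 3 or more counts as "High" on the matrix, a risk appetite expressed as a maximum tolerated residual score, and the sample register entries (constructed, using the examples named on the matrix slide).

```python
"""Risk register evaluated against the Likelihood/Consequences matrix.

Added example, not the lecture's own material. Assumed conventions (constructed):
likelihood and impact are scored 1..5, a score of 3 or more is the "High" band
of the matrix, and the risk appetite is a maximum tolerated residual score.
"""
from dataclasses import dataclass

SCALE = range(1, 6)   # assumed 1..5 scoring for likelihood and impact
HIGH_FROM = 3         # assumed: 3 and above is the "High" band of the matrix
RISK_APPETITE = 12    # assumed: largest residual score (likelihood x impact) tolerated

# The matrix from the slide: (likelihood band, consequences band) -> response
RESPONSE_MATRIX = {
    ("Low", "Low"): "Accept",
    ("Low", "High"): "Transfer",
    ("High", "Low"): "Reduce",
    ("High", "High"): "Avoid",
}


@dataclass
class Risk:
    """One register row: the risk, who is responsible, and the risk levels
    before (inherent) and after (residual) the control."""
    name: str
    owner: str
    likelihood: int
    impact: int
    control: str
    residual_likelihood: int
    residual_impact: int

    def __post_init__(self):
        # Reject scores outside the assumed scale so the matrix lookup is meaningful.
        for value in (self.likelihood, self.impact,
                      self.residual_likelihood, self.residual_impact):
            if value not in SCALE:
                raise ValueError(f"{self.name}: score {value} outside 1..5")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def band(score: int) -> str:
    """Collapse a 1..5 score onto the matrix's two bands."""
    return "High" if score >= HIGH_FROM else "Low"


def recommended_response(likelihood: int, impact: int) -> str:
    """Matrix lookup: Accept / Transfer / Reduce / Avoid."""
    return RESPONSE_MATRIX[(band(likelihood), band(impact))]


def evaluate_register(register, appetite=RISK_APPETITE):
    """One report row per risk: responses before and after the control, and
    whether the residual level still falls within the risk appetite."""
    rows = []
    for risk in register:
        rows.append({
            "risk": risk.name,
            "owner": risk.owner,
            "inherent": risk.inherent_score(),
            "response_before": recommended_response(risk.likelihood, risk.impact),
            "residual": risk.residual_score(),
            "response_after": recommended_response(risk.residual_likelihood,
                                                   risk.residual_impact),
            "within_appetite": risk.residual_score() <= appetite,
        })
    return rows


def over_appetite(register, appetite=RISK_APPETITE):
    """Risks whose residual level exceeds the appetite: these need a stronger
    control or a different response before the related objective is accepted."""
    return [r.name for r in register if r.residual_score() > appetite]


def consistency_issues(register):
    """Register quality check: a control should never leave the residual level
    above the inherent level, so such rows are usually scoring errors (the slide's
    warning about subjectivity and poor measurability applies here)."""
    return [r.name for r in register if r.residual_score() > r.inherent_score()]


# Constructed sample register (not from the slides beyond the risk names).
SAMPLE_REGISTER = [
    Risk("Loss of small-scale suppliers", "Procurement", 2, 1, "None, kept under review", 2, 1),
    Risk("Failure of computer systems", "IT director", 2, 5, "Insurance and contingency plan", 2, 3),
    Risk("Loss of lower-level staff", "HR manager", 4, 2, "Self-insurance for hiring costs", 3, 1),
    Risk("Loss of senior or specialist staff", "CEO", 4, 5, "Retention scheme", 4, 4),
    Risk("Credit risk", "Finance director", 3, 3, "Credit checks", 3, 4),  # deliberately inconsistent
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
    print("Over appetite:", over_appetite(SAMPLE_REGISTER))
    print("Inconsistent rows:", consistency_issues(SAMPLE_REGISTER))
```

Run as a script, the report shows the four slide examples landing in their expected quadrants (Accept, Transfer, Reduce, Avoid), flags the senior-staff risk as still outside the assumed appetite after its control, and flags the credit-risk row as inconsistent because its residual score is above its inherent score. The threshold and appetite are the two places where the board's risk attitude enters the mechanics, which is why they are kept as named constants rather than buried in the lookup.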
Component 8: Monitoring
Internal audit vs external audit:

• Purpose
• Internal audit: designed to add value and improve an organisation's operations
• External audit: an exercise to give an opinion on the financial statements

• Reporting to
• Internal audit: board of directors or the audit committee
• External audit: shareholders

• Relating to
• Internal audit: the operations of the organisation
• External audit: financial statements, financial records

• Relationship with the company
• Internal audit: employees of the organisation, although sometimes the internal audit function is outsourced
• External audit: independent of the company and its MGMT, appointed by the shareholders
27
The Enron case study
What did Enron do originally and what did it do eventually?
What was the important precondition for the rise of Enron in the 1980s?
What was the new company's culture that commenced in 1989 about?
What was the California scam of 2001 about?
What was the public image of Enron before the scandal?
Do you recognize any red flags based on the talk?
What was the role of the company Arthur Andersen in the whole story?
How did the actual end of Enron come along?
What are some of the consequences of the Enron scandal?

28
Thank you for your attention!
[email protected]

29
