Control and Accounting Info Systems

The document discusses control and accounting information systems, enterprise risk management, and internal controls. It provides information on the following: 1) The board's oversight of control systems and how they monitor risk through committees and management. 2) How to identify, assess, and respond to risks through a robust risk management process involving identification, assessment, and monitoring of risks. 3) Different types of risks organizations may face and how to assess their likelihood and impact. 4) How to establish an effective control environment through setting the proper tone, values, control awareness, and control structures. 5) The factors that influence control system design and examples of formal and informal controls.

Uploaded by

saad107

Control and Accounting Information Systems

Board’s Oversight
[Diagram labels: Board Oversight, Board, Committees, Management, Environment, Company, Control, Risk, Operations]

Enterprise Risk
• In today’s challenging global economy, business opportunities and risks are constantly changing.
• However, discussion of risk usually comes to the forefront in times of crisis but then recedes as normalcy returns.
• Today, it is important for businesses to know their vulnerabilities to enable them to robustly support their plans and objectives.

ERM
• In determining the risk exposure of an entity, several factors come into play.
• Risk varies with the type of business or its market circumstance.
• Exposure to risk also depends on the stage of the business, that is, whether the business is young, mature or high growth.
• Risk assessment is critical because it becomes the foundation of the Control Environment in an organization.

Risk-Management Process
To answer all these questions, the board should have a robust Risk Management Process. The risk management process entails:
• Risk identification
• Understanding the nature of the risks and evaluating their likelihood
• Deciding on appropriate action
• Risk monitoring

Identified Risks
Risks can be categorized in many different ways. We may look at risks related to:
• Strategy
• People
• Marketplace
• Ethical
• Suppliers/Outsourcers
• Financial
• Legal/Compliance
• Environmental
• Political

Risk Assessment
• After risks have been identified at all levels, a risk assessment needs to be carried out.
• The methodology for analyzing risks can vary, largely because many risks are difficult to quantify.

Risk Assessment
Invariably organizations assess significance using criteria such as:
• Likelihood of risk occurring and impact
• Velocity or speed to impact upon occurrence of the risk
• Persistence or duration of time of impact after occurrence of the risk

Risk-Assessment Matrix
[Figure: Risk Distribution matrix. Impact axis: Minor, Moderate, Significant. Likelihood axis: Low, Medium, High.]

Premier Oil PLC
[Figure: risk matrix. Likelihood axis: Rare, Low, Medium, High. Impact axis: Not Significant, Low, Medium, High, Extreme. Risks plotted: Exploration; Commodity Price Volatility; Organizational Capability; Financial Discipline & Governance; Production & Development Delivery; Joint Venture Partner Alignment; Political & Fiscal; HSES.]

Risk Response
• Once the potential significance of risks has been assessed, the board and management need to consider how the risk should be managed.
• This involves applying judgment based on assumptions about the risk and reasonable analysis of costs associated with reducing the level of risk.

Risk Response
Risk responses fall into the following categories:
• You may accept the risk (Acceptance) and decide to take no action to affect risk likelihood or impact.
• The company may decide to avoid the risk (Avoidance). That means exiting the activities giving rise to risk; it may involve exiting a product line, declining expansion to a new geographical market, or selling a division.

Risk Response
• The company may also consider that it wishes to stay with the risk but somehow reduce its likelihood or its impact or both (Reduction).
• Actions are then taken to reduce the risk, which may typically involve taking a number of steps in respect of everyday business decisions.

Risk Response
• A company may also share its risk in a bid to reduce its likelihood or impact or both (Sharing).
• This is done by transferring or otherwise sharing a portion of the risk; common techniques include purchasing insurance products, forming joint ventures, engaging in hedging transactions, or outsourcing an activity.

Risk Response
• In evaluating response options, management considers significance, including the effect on both likelihood and impact of the risk, recognizing that a response might affect them differently.
• Naturally, resources always have constraints, and entities must consider the relative costs and benefits of alternative risk response options.

Risk-Monitoring Tools
• Risk monitoring is usually carried out by focusing upon Key Performance Indicators (KPIs).
• These KPIs are used to provide red flags, usually via dashboards or balanced scorecards.
• It is imperative that there is some flexibility to question the risk-monitoring personnel.
• The Board has to ensure that formal follow-up actions and its recommendations are implemented by management.

Control Environment
Effective risk management is done through:
• Effective internal controls
• Efficient internal audit functions
• Robust selection of external audit functions
• Compliance with laws and regulations

Control Environment
• It in fact reflects the overall attitude, awareness and actions of the board and management concerning the importance of control activities.
• An organization that establishes and maintains a strong control environment positions itself to be more resilient in the face of internal and external pressures.

Control Environment
Four aspects central to the control environment are:
• Tone at the top
• Core values
• Control consciousness
• Foundation for internal control

Tone at the Top
Tone at the top is determined by:
• Independence of the Board and Audit Committee from management
• Experience and stature of its members
• Extent of its involvement and scrutiny of the entity’s activities
• Appropriateness of its actions
• Degree to which difficult questions are raised and pursued with management regarding plans or performance

Core Values
Core values are reflected in:
• Written codes of conduct
• Integrity, ethical values and competence of the entity’s people
• Management’s philosophy and operating style
• Commitment to competency

Control Consciousness
Control consciousness comes through:
• Structured business activities
• Establishment of objectives
• Assessment of risks
• Response to control breakdowns
• Response to internal audit and external auditors’ recommendations
• A mindset of updating processes and controls

Foundation of Internal Control
Foundations of internal control are laid through:
• Establishment of policies and procedures
• The way management assigns authority and responsibility, and organizes and develops its people
• Defining competence via roles and responsibilities

What Factors Affect the Design of a Control System?
There are several factors that affect the design of a control system. Some of these are:
• Size of the organization
• The job/function’s position in the organization’s hierarchy
• Degree of organizational decentralization
• Type of organizational culture
• Importance of the activity to the organization’s success

Harnessing Employees’ Creativity with Four Levers of Control
[Diagram: Business Strategy at the centre, surrounded by four levers:]
• Belief Systems: Core Values
• Boundary Systems: Risks to be avoided
• Interactive Control Systems: Strategic Uncertainties
• Diagnostic Control Systems: Critical Performance Variables

Formal and Informal Controls
• In today’s business, formal controls, such as policies, procedures, written authorizations, organization charts, and chain of command practices, are as valuable and effective as informal controls, which include intangible attributes such as ethics and values, corporate culture, trust, teamwork, open communication, and professionalism.

Types of Internal Controls
• Administrative
• Informational
• Managerial
• Procedural
• Physical

Types of Controls
• Directive
• Preventive
• Detective
• Corrective

Directive
• These ensure that there is a clear direction and drive towards achieving the stated objectives.

Preventive
• These ensure that systems work in the first place.
• These may include employing competent employees, high moral standards, segregation of duties, and physical and access controls such as locks, passwords and security personnel, all designed to stop people breaching the system.

Detective
• These controls are designed to pick up transaction errors that have not been prevented.
• They cover controls such as supervisory review, internal checks, variance reporting, spot checks and reconciliations.
• Fire alarms are detective controls in that they will be activated in the event of a fire or release of smoke.

Corrective
• These ensure that where problems are identified they are properly dealt with.
• These include management action, correction and follow-up procedures.

Benefits of Internal Control
Internal control processes:
• Detect errors
• Prevent mistakes
• Identify fraud
• Ensure the reliability of financial reports

The Qualities of an Effective Control System
• Accuracy
• Timeliness
• Economy
• Flexibility
• Understandability
• Emphasis on the exception
• Strategic placement
• Reasonable criteria
• Multiple criteria
• Corrective action

Principles of Internal Control
Measures vary with:
• Size and nature of the business.
• Management’s control philosophy.
Does not include “management responsibility”

Limitations of Internal Control
• Costs should not exceed benefit.
• Human element.
• Size of the business.

Identifying Control Problems
• It is imperative that the Board is aware of the shortcomings in controls.
• There are several symptoms of inadequate control; some of these could be:
  – An unexplained decline in revenues or profits.
  – A degradation of service (customer complaints).
  – Employee dissatisfaction.
  – Cash shortages caused by bloated inventories or delinquent accounts receivable.
  – Idle facilities or personnel.
  – Disorganized operations.
  – Excess costs.
  – Evidence of waste and inefficiency.

Internal Audit’s Role in Control Environment
• The role of internal audit is to assist management, the audit committee and the board in the process by monitoring, evaluating, examining, reporting and recommending improvements.

Threats to Accounting Information Systems
• Natural & Political Disasters
• Software Error & Equipment Malfunctioning
• Unintentional Acts
• Intentional Acts

Natural & Political Disasters
– fire or excessive heat
– floods
– earthquakes and landslides
– high winds
– war

Software Errors and Equipment Malfunctioning
– hardware or software failures
– operating system crashes
– power outages and fluctuations
– undetected data transmission errors

Unintentional Acts
– accidents caused by human carelessness
– failure to follow established procedures
– poorly trained staff
– innocent errors of omission
– lost, erroneous or misplaced data
– logic errors
– systems that do not meet company needs

Intentional Acts
– sabotage
– misrepresentation, unauthorized disclosure of data
– misappropriation of assets
– financial statements fraud
– corruption
– computer frauds, attacks

Break Down of System
• What constitutes a fraud?
• How is it perpetrated?
• Why did the company not catch these mistakes earlier?
• Was there a breakdown in controls?
• What can the company do to detect and prevent fraud?
• Just how vulnerable are computer systems to fraud?

Why Fraud Occurs
Three conditions are necessary for fraud to occur:
1. A pressure or motive
2. An opportunity
3. A rationalization

Pressures
What are some financial pressures?
– living beyond means
– high personal debt
– “inadequate” income
– poor credit ratings
– heavy financial losses
– large gambling debts

Pressures
What are some work-related pressures?
– low salary including pay less than minimum wages
– non-recognition of performance
– job dissatisfaction
– fear of losing job
– overaggressive bonus plans

Pressures
What are other pressures?
– challenge
– family/peer pressure
– emotional instability
– need for power or control
– excessive pride or ambition

Opportunities
• An opportunity is the condition or situation that allows a person to commit and conceal a dishonest act.
• Opportunities often stem from a lack of internal controls.
• However, the most prevalent opportunity for fraud results from a company’s failure to enforce its system of internal controls.

Rationalizations
• Most perpetrators have an excuse or a rationalization that allows them to justify their illegal behavior.
• What are some rationalizations?
  – The perpetrator is just “borrowing” the stolen assets.
  – The perpetrator is not hurting a real person, just a computer system.
  – No one will ever know.

Thank You
