CIMA P3

CIMA P3
Strategic Level P3 - Performance Strategy
May 2012
CIMA P3 Performance Strategy

Contents Paper information How to pass The Verb Hierarchy Learning Outcomes Grid 3 5 6 7 8
B. Risk and Internal Control

C3a Discuss the principles of good corporate governance for listed companies, for conducting reviews of internal controls and reporting on compliance. Discuss the principles of good corporate governance for listed companies, particularly as regards the need for internal controls. Evaluate risks facing an organisation Discuss ways of identifying, measuring and assessing risks facing an organisation, including the organisations ability to bear such risk Evaluate risk management strategies Discuss the purposes and importance of internal control and risk management for an organisation Evaluate the essential features of internal control systems for identifying, assessing and managing risks Evaluate the costs and benefits of a particular internal control system
13
13
B3a B1b B1a B2b B2a B2c B2d
13 26 39 43 46 48 49
A. Management Control Systems

A1a A1c A1d A1b Evaluate appropriate control systems for the management of an organisation Evaluate the control of activities and resources within an organisation Recommend ways in which identified weaknesses or problems associated with control systems can be avoided or solved Evaluate the appropriateness of an organisations management accounting control systems
55
55 55 63 63
C. Review and Audit of Control Systems

C1a C2a C2b C2e C2d C2c B3b C3b Discuss the importance of management review of controls Evaluate the process of internal audit and its relationship to other forms of audit Produce a plan for the audit of various organisational activities including management , accounting and information systems Discuss the relationship between internal and external audit work Recommend action to improve the efficiency, effectiveness and control of activities Recommend action to avoid or solve problems associated with the audit of activities and systems Evaluate ethical issues as a source of risk to the organisation and control mechanisms for their detection and resolution Discuss the importance of exercising ethical principles in conducting and reporting on internal reviews
68 68 70 72 72 77 77 78 78 80 80 82 89 92 94 101 101 101 101 101 101
E
E1a E1b E1c E1d E1e
Risk and Control in Information Systems

Advise managers on the development of IM ,IS and IT strategies that support management and control requirements Evaluate IS/IT systems appropriate to an organisations needs for operational and control information Evaluate benefits and risks in the structuring and organisation of the IS/IT function and its integration with the rest of the business Recommend improvements to the control of IS Evaluate specific problems and opportunities associates with the audit and control of systems which use IT
D
D1a D2a D2b D2c D2d
Management of financial risk

Evaluate financial risks facing an organisation Evaluate appropriate methods for managing financial risks Evaluate the effects of alternative methods of risk management Discuss exchange rate theory and the impact of differential inflation rates on forecast exchange rates Recommend risk management strategies and discuss their accounting implications
Paper Information
Section A 50 marks A maximum of four compulsory questions, totalling 50 marks, all relating to a pre-seen case study and further new unseen case material provided within the examination. Section B 50 marks Two questions, from a choice of three, each worth 25 marks. Short scenarios will be given to which some or all questions relate.
How to Pass
Have sound theoretical knowledge (attend tuition classes) Practice application skills (question practice) Be prepared! (attend revision & qbr) Read the question requirements Add value to the scenario material
The Verb Hierarchy
LEARNING OUTCOMES GRID

A Management Control Systems (10%) a) 1 Evaluate control systems for organizational activities and resources b) Evaluate appropriate control systems for the management of an organisation. Evaluate the appropriateness of an organisations management accounting control systems. Evaluate the control of activities and resources within the organisation. Recommend ways in which identified weaknesses or problems associated with control systems can be avoided or solved. Discuss ways of identifying, measuring and assessing risks facing an organisation, including the organisations ability to bear such risk. Evaluate risks facing an organisation 7 May 10 Sept 10 3a Nov 10
3b
c)
1b
d)
B Risk and Internal Control (25%) 1 Evaluate types of risk facing an organisation.
a)
1a(ii)
2a
b)
1a
1a(i)
1a(i) 1a(iii)
CIMA P3 Performance Strategy B Risk and Internal Control (25%) 2 Evaluate risk management strategies and a) internal controls. May 10 1d Sept 10 3b Nov 10
b) c)
d)
3 Evaluate governance and ethical issues facing an organisation.
a)
b)
Discuss the purposes and importance of internal control and risk management for an organisation. Evaluate risk management 2b strategies. Evaluate the essential features of internal control systems for identifying, assessing and managing risks. Evaluate the costs and benefits of a particular internal control system. Discuss the principles of good corporate governance, particularly as regards the need for internal controls. Evaluate ethical issues as a 2a source of risk to the organisation and recommend control mechanisms for their detection and resolution.
1a(ii)
CIMA P3 Performance Strategy C Review and Audit of Control Systems (15%) 1 Discuss the importance of management review of controls 2 Evaluate the process and purposes of audit in the context of internal control systems May 10 a) a) Discuss the importance of management review of controls Evaluate the process of internal audit and its relationship to other forms of audit. Produce a plan for the audit of various organisational activities including management, accounting and information systems Recommend action to avoid or solve those problems associated with the audit of activities and systems Recommend action to improve the efficiency, effectiveness and control of activities. Discuss the relationship between internal and external audit work Sept 10 Nov 10
b)
1b(i)
c)
1b(ii)
d)
e)
CIMA P3 Performance Strategy C Review and Audit of Control Systems (15%) 3 Discuss corporate governance and ethical issues facing an organisation May 10 a) Discuss the principles of good corporate governance for listed companies, for conducting reviews of internal controls and reporting on compliance. Discuss the importance of exercising ethical principles in conducting and reporting on internal reviews Sept 10 Nov 10 3a
b)
3b
D Management of Financial Risk (35%) 1 Evaluate financial risks facing an organisation 2 Evaluate alternative risk management tools
a) a) b)
c)
d)
Evaluate financial risk facing an organisation. Evaluate appropriate methods for managing financial risks. Evaluate the effects of alternative methods of risk management . Discuss exchange rate theory and the impact of differential inflation rates on forecast exchange rates. Recommend risk management strategies and discuss their accounting implications. 10
3a(i)
1c(ii)
1c(i) 1c(ii) 4b,c 4a(i)(ii)
1c(i)(ii) 4a(ii) 3a(ii) 1c(i) 4a(i)
3b(i)(ii) 1c(iii)
4b
CIMA P3 Performance Strategy E Risk and Control in Information Systems (15%) 1 Evaluate the benefits and risks associated with information related systems. May 10 a) Advise managers on the development of information management (IM), information systems (IS) and information technology (IT) strategies that support management and internal control requirements. Evaluate IS/IT systems appropriate to an organisations needs for operational and control information. Evaluate benefits and risks in the structuring and organisation of the IS/IT function and its integration with the rest of the business. Recommend improvements to the control of information systems. Evaluate specific problems and opportunities associated with the audit and control of systems which use information technology. Sept 10 2a Nov 10 2b
b)
1b
2b
c)
d)
4b
e)
4a
11
Introduction and Overview

Corporate Governance, Risk Management and Internal Controls Developments in corporate governance have resulted from a number of public exposures of business activities that consequently developed into major losses, frauds or scandals
Corporate governance represents a wide range of processes, policies and values, which exist to direct and control corporate activities to ensure the controlled achievement of strategy and objectives.
Risk Management and internal control processes act as enablers for the delivery of effective governance. Risk management techniques are used to determine and manage uncertainties that prevent an organization from achieving its targets and objectives, and can also allow an organisation to identify and exploit new business opportunities.
12
CIMA P3 Performance Strategy It is important to understand the links between governance, risk management and internal control and the interaction between the board of directors, the audit (and/or risk committees), external auditors and internal auditors. This is the foundation of the risk and control syllabus.
13
CIMA P3 Performance Strategy LEARNING OUTCOME B3a - Discuss the principles of good corporate governance for listed companies, particularly as regards the need for internal controls. C3a - Discuss the principles of good corporate governance for listed companies, for conducting reviews of internal controls and reporting on compliance. Background Corporate governance has increased in importance on the corporate agenda as a result of the Combined Code (in the UK), Sarbanes-Oxley (in the US) and similar reforms throughout the world, as a major response to major corporate collapses around the world Institutional investors have also promoted improved governance processes as part of the move to encourage sustainability of earnings.
The Turnbull report recognized that profits were in part a reward for successful risk taking, and that the purpose of internal control was to help manage and control risk, rather than eliminate it. The report requires a RISK-BASED APPROACH to establishing a system of internal controls and that all listed companies have an embedded internal control system that monitors important threats. A major responsibility of the Board is to review the effectiveness of internal control. It is required to make a statement on internal control, that is the process for identifying, evaluating and managing significant risks.
14
Corporate Governance Developments in the UK 1992 The Cadbury Report

1995 The Greenbury Report 1998 The Hampel Report 1999 The Turnbull Report 2003 The Higgs Report 2003 The Tyson Report 2003 The Smith Report 2003 Redraft of the Combined Code
15
Corporate Governance Corporate Governance is the system by which companies are directed and controlled through boards of directors which establish corporate aims, provide leadership, supervise management and report to shareholders. The boards role is to provide entrepreneurial leadership within a framework of controls that enable risk to be managed.
The aim of good corporate governance should be to ensure that an organisation is governed in a way that will ensure that its overall objectives are most likely to be achieved. Maximisation of shareholder wealth shareholder value/agency model Stakeholder model
Benefits Reduces risk Stimulates performance Improves access to capital markets Enhances the marketability of goods and services Improves leadership Demonstrates transparency and social accountability
16
CIMA P3 Performance Strategy PRINCIPLES OF CORPORATE GOVERNANCE
The Organisation of Economic Co-operation and Development (OECD) has issued Principles covering five sections Stakeholder perspective The rights of shareholders The equitable treatment of shareholders including minority interests The role of stakeholders Disclosure and transparency (ownership and performance) The responsibility of the Board and accountability to the company and its shareholders
The UK Combined Code has issued principles in relation to Directors Remuneration of directors Accountability and audit Relations with shareholders Institutional shareholders Disclosure
17
Corporate governance needs to cover the following areas; 1. Directors and Composition of the Board 2. Directors Remuneration 3. Accountability and Audit 4. Disclosure of Corporate Governance Arrangements 5. Relations with shareholders 6. Institutional Investors
18
CIMA P3 Performance Strategy 1 DIRECTORS AND COMPOSITION OF THE BOARD Companies should be led by an effective board Balance of executive and non-executive directors no one individual or small group should be able to dominate Chairman and chief executive split roles clear division of responsibilities so that no individual has unfettered powers Appointments to the board should be made in a formal, rigorous and transparent manner Boards should meet on a regular basis Board committees are recommended for audit, nominations to the board, remuneration of the board and for risk.
Each committee should have its own term of reference and be made up of independent non-executive directors. Although the board delegates its authority to the committee, it retains responsibility. The committee would make recommendations to the board appropriate to its responsibilities.
19
CIMA P3 Performance Strategy 1 DIRECTORS AND COMPOSITION OF THE BOARD (Cont.)
Role of Non-executive Directors (NEDs)
Strategy Role
have the right and responsibility to contribute to strategic success of the organization for the benefit of shareholders.have
Scrutinizing Role
are required to hold executive colleagues to account for decisions taken and results obtained representing shareholders interest
Risk Role
ensure that there is an adequate system of internal controls and risk management (comply with any codes of Corporate Governance or industry standards)
People Role
overseeing a range of responsibilities with regard to the management of the executive members of the board. This typically involves issues on appointments and remuneration, but might also involve contractual or disciplinary issues.
20
Examples of the Role and Responsibility of Nomination Committee Ensure there is a formal, rigorous and transparent procedure for the appointment of new directors to the board Review the composition of the board and consider and advise the board as to changes, which may be required to achieve a balanced and appropriately experienced and qualified board Make recommendations to the board on the independence of any existing or proposed non-executive directors Make sure that plans are in place for orderly succession for appointments to the board and other senior management Ascertain, when required, the time commitments required of NonExecutive Directors individually and collectively to fulfil the duties required Make a statement in the Companys Annual Report and accounts detailing its activities and the process it has used to make any recommendations in respect of appointments to the board
21
RECIPE FOR A GOOD BOARD The board should meet frequently The board should maintain a good balance of power An individual should not be allowed to dominate board meetings and decision making Members of the board should be open to other members suggestions There should be a high level of trust between board members Board members should be ethical and have a high level of integrity There must be a high level of effective communication between memebers of the board
The board should be responsible for the financial statements

Non-executive directors should provide an independent viewpoint The board should be open to new ideas and strategies The board must possess an in-depth understanding of the companys business The board must be dynamic in nature and not be opposed to change
The board must understand the inherent risks of the business

The board must be prepared to take calculated risks: no risk no return The board must communiacte with shareholders, be aware of shareholder needs and translate them into management strategy The board must be aware of stakeholder issues and be prepared to engage actively with their stakeholders
22
CIMA P3 Performance Strategy 2 DIRECTORS REMUNERATION Amount necessary to recruit and retain directors of the right calibre Performance related Remuneration committee no director should be involved in determining his/her own remuneration Examples of the Role and Responsibilities of a Remuneration Committee Determine remunerations policy on behalf of the board and the shareholders. Policies will typically concern the pay scales applied to directors packages, the proportions of different types of reward within the overall package and the periods in which performance related elements become payable Ensure that each director is fairly but responsibly rewarded for their individual contribution. It is likely that discussions of this type will take place for each individual director and will take into account issues including market conditions, retention needs, long-term strategy and market rates for a given job. Reporting to shareholders on the outcomes of their decisions, usually in the corporate governance section of the annual report (usually called Report of the Remunerations Committee). This report, which is auditor reviewed, contains a breakdown of each directors remuneration and a commentary on policies applied to executive and non-executive remuneration The committee is required to be seen to be compliant with relevant laws and codes of best practice. This means that the remuneration committee will usually be made up of nonexecutive members of the board and will meet at regular intervals.
23
CIMA P3 Performance Strategy 3 ACCOUNTABILITY AND AUDIT The board should present a balanced and understandable assessment of the companys position and prospects The directors should explain their responsibility for preparing the accounts, and there should be a statement by the auditors about their reporting responsibilities The boards responsibility to present a balanced and understandable assessment extends to interim and other pricesensitive public reports to regulators as well as to information required to be presented by statutory requirements The directors should report that the business is a going concern, with supporting assumptions or qualifications as necessary The board should maintain a sound system of internal control to safeguard shareholders investment and the companys assets The board is required to appoint an audit committee (nonexecutives)
24
CIMA P3 Performance Strategy 3 ACCOUNTABILITY AND AUDIT (cont.) Examples of the Role and Functions of the Audit Committee The Combined Code recommends that Boards appoint an audit committee of independent non-executive directors to assist the board in fulfilling its stewardship function by reviewing systems of internal control the external audit process the work of internal and external auditors and reporting to shareholders The UK Combined Code suggests that the role and responsibilities of the audit committee should include: To monitor the integrity of the companys financial statements and any other formal statements relating to the companys financial performance To review the companys internal control and risk management systems (unless this responsibility is given to a separate risk committee or retained by the full board itself) To monitor and review the effectiveness of the companys internal audit function To make recommendations to the board about the appointment, re-appointment or removal of the audit firm as auditors of the company (for the board to make a recommendation to shareholders) Approve the remuneration and terms of engagement of the external auditors To review and monitor the independence and objectivity of the companys external auditors To review and monitor the effectiveness of the audit process The audit committee reports to the board, and the board reaches decisions based on the recommendations of the audit committee. However, if the board and the audit committee disagree about a particular matter, the audit committee should have the right to report the disagreement to the shareholders. 25
CIMA P3 Performance Strategy 3 ACCOUNTABILITY AND AUDIT (cont.) Contribution to the effectiveness of internal audit Head of internal audit should be appointed by and report to the audit committee Ensure that the internal audit charter is adequate Ensure that the head of internal audit is independent and objective Ensure that there are adequate internal audit resources to provide the necessary support. Approve internal audit plans, ensuring that they assess the most significant risks Ensure that any recommendations by internal audit are implemented. If the audit committee has given them its support Monitor and review the effectiveness of the internal audit and may seek the opinion of external audit in that assessment
26
CIMA P3 Performance Strategy 3 ACCOUNTABILITY AND AUDIT (cont.) Audit Committees Assessment of Internal Control
Risk Assessment Does the company have clear objectives with measurable targets and indicators that have been communicated so as to provide effective direction to employees on risk assessment and control issues? Are the significant internal and external operational, financial, compliance and other risks identified and assessed on an ongoing basis? Is there a clear understanding by management and others within the company of what risks are acceptable to the board?
Control Environment and Control Activities Does the Board have clear strategies for dealing with the significant risks that have been identified? Is there a policy on how to manage these risks? Does the companys culture, code of conduct, human resources policy and performance reward systems support the business objectives and risk management and internal control systems? Does senior management demonstrate, through actions and policies, the necessary commitment to competence, integrity and fostering a climate of trust within the company? Are authority, responsibility and accountability defined clearly such that decisions are made and actions taken by the appropriate people? Are the decisions and actions of different parts of the company appropriately co-ordinated? Does the company communicate to employees what is expected of them and the scope of their freedom to act?
27
CIMA P3 Performance Strategy Do people in the company (and its outsourced service providers) have the knowledge skills and tools to support the achievement of the companys objectives and to manage effectively risks to their achievement? How are processes/controls adjusted to reflect new or changing risks, or operational deficiencies?
28
CIMA P3 Performance Strategy 3 ACCOUNTABILITY AND AUDIT (cont.) Information and Communication Do management and the board receive timely , relevant and reliable reports on progress against business objectives and the related risks that provide them with the information for decisionmaking and management review purposes? Are information needs and related information systems reassessed as objectives and related risks change or as reporting deficiencies are identified? Are periodic reporting procedures effective in communicating a balanced and understandable account of the companys position and prospects? Are there established channels of communication foe individuals to report suspected breaches of law or regulations or other improprieties? Monitoring Are there on-going processes embedded within the companys overall business operations which monitor the effective application of the policies, processes and activities related to internal control and risk management? Do these processes monitor the companys ability to re-evaluate risks and adjust controls effectively in response to changes in its objectives, its business and its external environment? Are there effective follow-up procedures to ensure that appropriate change or action occurs in response to changes in risk and control assessments? Is there appropriate communication to the board on the effectiveness of the on-going monitoring processes on risk and control matters? Are there specific arrangements for monitoring and reporting to the board on risk and control matters of particular importance? 29
CIMA P3 Performance Strategy 4 DISCLOSURE OF CORPORATE GOVERNANCE ARRANGEMENTS A statement of how the board operates, including a high level statement of the types of decisions that are taken by the board and those that are delegated to management The names of the chairman, deputy chairman, chief executive, senior independent director and chairman and members of the nomination, audit and remuneration committees. The number of meetings of the board and the committees listed above and individual attendance by directors The names of the non-executive directors whom the board determines to be independent, with reasons where necessary Other significant commitments of the chairman How performance evaluation of the board, its committees and its directors has been conducted The steps the board has taken to ensure that directors develop an understanding of the views of the major shareholders about the company A description of the work of the nomination, remuneration and the audit committees
30
CIMA P3 Performance Strategy 5 RELATIONS WITH SHAREHOLDERS There should be a dialogue with shareholders based on mutual understanding of objectives. The board as a whole has responsibility for ensuring that a satisfactory dialogue with shareholders takes place. The board should use the annual general meeting to communicate with investors and to encourage their participation.
31
CIMA P3 Performance Strategy 6 INSTITUTIONAL INVESTORS Institutional investors should enter into a dialogue with companies based on the mutual understanding of objectives. When evaluating companies governance arrangements, particularly those relating to board structure and composition, institutional shareholders should give due weight to all relevant factors drawn to their attention. Institutional shareholders have a responsibility to make considered use of their votes.
32
Risk and Internal Control (B)

LEARNING OUTCOME B1b - Evaluate risks facing an organisation. Risk The probability that an expected event will occur and cause harm typically through injury to employees or third parties, damage to assets, or negative impact to corporate reputation leading ultimately to lower than expected cash flows or reduction in corporate net worth.
We should consider anything that might lead to an outcome different to that expected.
We should understand that risk is an unavoidable part of life.
Risk Management Risk management is the process by which organisations systematically identify and treat upside and downside risks with the goal of achieving organisational objectives. The goal of risk management is to manage, rather than eliminate risk. Initially, there needs to be a commitment from the board and top management in relation to risk management generally and business continuity in particular, even if this means a short-term detrimental impact on profitability
33
CIMA P3 Performance Strategy There is a natural progression in managing risk From managing the risk associated with compliance and prevention (downside). To moving to the higher level of managing opportunity risks (upside) which need to be taken in order to increase and sustain shareholder value RISK IS NOT ONLY ABOUT THE POSSIBILITY THAT SOMETHING BAD WILL OCCUR; ITS ALSO ABOUT MISSED OPPORTUNITIES GOALS THAT CANT BE ACHEIVED. Therefore to benefit from the upside organisations need to answer two questions (i) What are the drivers of value? (ii) What are the key risks associated with these drivers of value?
What might be considered value drivers?
Value
The price able to be charged for the added value must exceed the cost of the activity that adds value
Cost
Risk
The risks facing an organization can result from factors both external and internal to the organization.
34
Classification Internal Factors Financial Liquidity & cashflow (related to the financial operation of a business) Environmental (PEST) (related to the political, economic, social and technical environment) Business or Operational (related to the activities carried out within an organisation) Errors in transactional systems Errors by employees Fraud Product Loss of key people Accounting controls Quality issues Employees Products and services
External Factors Interest rates Foreign exchange Credit risk Legislation changes Regulations Climate change Natural disasters Terrorist activity Customer changes Industry changes Legislation Litigation Loss of suppliers Loss of market position
Reputation wider view of its role in society (Usually a consequence of failing to address some other risk)
Stakeholder perspective Suppliers Customers Competitors Regulators
35
International Risk Transaction the exchange rate risk associated with the time delay between entering a contract and settling it. Thus a company is subject to transaction risk whenever it imports goods from or exports goods abroad to be paid at a later date or borrows or invests in a foreign currency. Translation currency exchange rate risk that affects the valuation of the balance sheet assets and liabilities between financial reporting dates. Economic the risk that a companys value may decline as a result of currency movements causing a loss in competitive strength. Political the risk of politically motivated interference by a foreign government that adversely affects its cash flows.
36
Category Financial
Environmental Business/Operational Risk
Reputation Risk
Action Credit control procedures Hedging Export insurance Environmental Scanning Contingency planning Internal control procedures Recruitment & selection Testing Training IT controls Insurance Stakeholder analysis inform about any changes Compliance checks Training
37
CIMA P3 Performance Strategy Classification of Risks NB - There is no one widely accepted set of categories; they will vary according to the nature of the business and its industry. What is important is that risks are classified in some way that is relevant to the needs of the business. Advantages of risk classification A formal process forces management to be pro-active in their approach Once risks have been identified it allows the organisation to consider the tools that may be used to control the risks. Can use similar controls to manage a common group of risks May be useful for assigning responsibility Help recognise which risks are inter-related Allows for feedback which can be used for continuous improvement
What might be the key risks for Sony Corporation?
What might be the key risk for Adidas?
38
CIMA P3 Performance Strategy Risk Preferences Not everyone, even in the same organisation, will see risk in the same way and risks will almost certainly be seen differently by people in different organisations, even in the same industry. Accountants are seen as typically risk averse. Sales people are seen as more risk orientated. Adams (1995) describes four rationalities that have implications for how people perceive risk. Fatalists they are resigned to their fate and managing risk is irrelevant Hierarchists most comfortable with a bureaucratic risk management style using various risk management techniques Individualists - are likely to be less risk averse than people subscribing to other rationalities, risk management is typically intuitive rather than systematic. Egalitarians they like to arrive at decisions democratically. They are most comfortable in situations of risk sharing through insurance, hedging or transfer to other organisations. The concept that not everyone sees risk in the same way leads us to define some important risk terms:
Risk Appetite Refers to an organisations willingness to take on risk in exchange for higher returns, it reflects the willingness to tolerate particular levels of risk, and the costs incurred in maintaining that risk profile.
39
CIMA P3 Performance Strategy CASE IN POINT In relation to litigation the partners in an accountancy practice must decide the extent to whether they wish to purchase professional indemnity insurance to protect themselves against this risk, and the amount of insurance cover that is optimal. The insurance premiums will add to the costs of the practice, but may be offset by the additional revenue earned from client work that is covered by the indemnity insurance.
Risk Culture Risk culture is the set of shared values and practices that characterise how an entity considers risk in its day-to-day activities. Identifying appropriate policies, standards and practices is the first stage of creating a risk management culture. Once they are in place they need to be totally embedded in individuals through the enactment of their roles and associated responsibilities.
Risk Thermostat (Adams) Everyone has a propensity to take risks The propensity varies from person to person The propensity is influenced by the potential rewards Perception of risk are also influenced by experience of accidents that cause losses Individual risk taking represents a balance between perceptions of risk and the propensity to take risks
40
CIMA P3 Performance Strategy Understanding and Controlling Risk Management One of the most critical challenges for managers is determining how much risk the entity is prepared to accept to create value. The new approach to risk management is about seeking the upside whist managing the downside.
Risk Management is about Achieving organisational objectives Addressing both upside and downside risk Identification and treatment of risk Reducing both uncertainties and the probability of failure
41
CIMA P3 Performance Strategy Risk Management Models There are different organisational risk management models, but all of the models contain a number of key steps. MODEL ONE - ENTERPRISE RISK MANAGEMENT (ERM) [Committee of Sponsoring Organisations of the Treadway Commission (COSO) ] A pro-active activity which forms a key part of strategic management The underlying premise of enterprise risk management is that every entity Exists to provide value for its stakeholders Faces uncertainty Has the challenge of how much uncertainty to accept as it strives to grow stakeholder value The ERM framework is geared to achieving an entitys objectives and suggest four categories of objectives
High level goals which are aligned to the organisation's mission

Strategic
Efficient and Effective use of resources

Operations
Reliability of reporting
Accuracy and timeliness of information
Compliance with laws and regulations
Minimum level of risk management
42
CIMA P3 Performance Strategy ERM consists of eight inter-related component Parts

Internal Environment
Risk appetite
Objective Setting
Aligned with mission and consistent with risk appetite
Event Identification
Internal and external events identified looking at both risks and opportumities
Information and Communication
Relevant, accurate and timely information
Continuous Improvement and feedback

Monitoring
ERM
Enterprise risk management aligns risk management with business strategy and embeds a risk management culture into business operations
Risk Assessment
Risks are analysed and the likelihood and impact is assessed
Decide whether to accept, reduce, share or avoid

Risk Response
Control Activities
Ensure that response has has the desired effect
43
CIMA P3 Performance Strategy MODEL TWO - CIMA S RISK MANAGEMENT CYCLE
Establish risk mgt Group and set goals Identify risk areas
Review and refine process and do it again
Information for decisionmaking
Understand and assess scale of risk
Implementation and monitoring of controls
Develop risk response strategy
Implement strategy and allocate responsibility
44
MODEL THREE - THE PROCESS DEVELOPED BY THE INSTITUTE OF RISK MANAGEMENT All organisations should develop a risk management strategy which will be set in the context of the organisations strategic objectives. STEP ONE Risk Assessment Identification Description Estimation
risk evaluation
STEP TWO Risk Reporting regarding the organisations policy for managing risk and its effectiveness.
STEP THREE Risk Treatment (Risk Response)
STEP FOUR Residual Risk Reporting and monitoring effectiveness of strategies and recommend changes as appropriate.
45
CIMA P3 Performance Strategy NOTE from examiners article There are different organisational risk management models, but here are some of the key steps. Identify the risks Assess their impact Map the risks Record risks in a register Evaluate against the organisations appetite for taking them Treat the risk Report the risks This is a good way to think about how organisations deal with the risks they face.
46
CIMA P3 Performance Strategy LEARNING OUTCOME B1a - Discuss ways of identifying, measuring and assessing risks facing an organisation, including the organisations ability to bear such risk. Risk Assessment
Identification Methods brainstorming questionnaires business studies which look at each business process and describe both the internal processes and the external factors which can influence these processes industry benchmarking scenario analysis risk assessment workshops incident investigation auditing and inspection HAZOP (Hazard and Operability Studies) PEST/SWOT analysis
Description Display the identified risks in a structured format, by using a table. (see pg116 of Study System) To include name scope nature stakeholders quantification appetite risk treatment action for improvement strategy and policy developments
Estimation/Evaluation Probability/Impact Grid high medium low Estimating Risk information gathering cause/effect cost/benefit decision trees previous experience Monte Carlo simulation (computers) Risk register Delphi (experts) Probability range of numeric probabilities
an organisation needs to identify its appetite for risk and a risk management policy needs to be formulated 47
Table Consequences High Financial impact on the organisation likely to exceed x Significant impact on the organisations strategy or operational activities Significant stakeholder concern Medium Financial impact on the organisation likely to be between x and y Moderate impact on the organisations strategy or operational activities Moderate stakeholder concern Low Financial impact on the organisation likely to be less than y Low impact on the organisations strategy or operational activities Low stakeholder concern Table Likelihood Threats (downside risk) High Likely to occur each year (Probable) More than 25% of occurrence Medium Likely to occur in a ten year (Possible) period or less than 25% chance of occurrence Low Not likely to occur in a ten year (Remote) period Less than 2% chance of occurrence
48
P O T E N T I A L IMPACT
Significant High risk
High Risk Medium risk Medium risk Low risk Medium risk Low risk
Low risk
Marginal
Medium risk
Low risk
Negligible Low risk
Very low risk Very Unlikely
Very Likely
Likely
Unlikely
LIKELIHOOD
Risk Matrix Example March 2007

Final evaluation of risk is high
Reputation
High Risk evaluated as high last time (refresh)
Food Safety
Contract Compliance
Risk has reduced in probability and impact since last time (refresh)
Impact
Union Globalisation Delivering Expectations Sustainable WC
USA Litigation Corporate Governance People Retention & Motivation Purchasing
Low
FIBV
Risk was high last time (refresh) but is no longer significant. Any Group risks that do not apply to the local business should be here
Restructuring
Low Probability High
49
The Risk Register Should contain as much information as should be useful for monitoring purposes. Risk number (unique identifier) Risk category (benefits?) Description of risk Date risk identified Name of person who identified risk (responsibility) Likelihood Consequences (including a monetary value) Interdependencies with other risks
50
LEARNING OUTCOME
B2b - Evaluate risk management strategies Risk Treatment (also called risk response) Avoidance Action is taken to exit the activities giving rise to risk. Changing or abandoning goals or objectives specifically associated with the risk in question, or choosing alternative approaches or processes that remove the risk. Action is taken to mitigate (reduce) the risk likelihood or impact. This is often through internal controls. Action is taken to share a portion of the risk (outsourcing, joint ventures) Action is taken to transfer a portion of the risk (insurance, hedging) No action is taken to affect the likelihood or impact
Reduction
Sharing
Transfer
Acceptance
51
Risk Reporting Concerned with regular reports to the Board and Stakeholders setting out the organisations policies in relation to risk and the importance of monitoring the effectiveness of those policies. Residual risk reporting involves a comparison of gross and net risk which enables a review of risk response effectiveness and possible alternative management options. Gross Risk the assessment of risk before the application of any controls, transfer or management responses Net Risk the assessment of risk, taking into account the application of any controls, transfer or management response to the risk under consideration.
Case in Point Avoidance A not-for profit organisation identified and assessed risks of providing direct medical services to its members and decided not to accept the associated risks. It decided instead to provide a referral service. Reduction A call centre identified and assessed the risk of its systems not being available for more than three hours and concluded that it would not accept the impact of such an occurance.. the company invested in technology with enhanced failure self-detecting and back up systems to reduce the likelihood of system unavailability. Sharing a university identified and assessed the risk associated with managing its student accomodation and concluded it did not have the requisite in-house capabilities to effectively manage these large residential properties. The university out sourced to a property management company better able to reduce the impact and likelihood of property-related risks. Acceptance A government agency identified and assessed the risk of fire to its infrastructure across diverse geographcal regions and assessed the cost of sharing the impact of its risk through insurance coverage. It concluded that the incremental cost of insurance exceeded the likely cost of replacement and decided to accept this risk.
52
CIMA P3 Performance Strategy Portfolio Theory The basic principal of portfolio theory is that it is less risky to have diverse sources of income through a portfolio of assets and investments, often through market expansion or diversification or both.
LEARNING OUTCOME 53
CIMA P3 Performance Strategy B2a - Discuss the purposes and importance of internal control and risk management for an organisation. Purpose of Risk Management Risk management is the process of identifying risks facing an organisation, assessing the scale of the risk (in terms of likelihood and impact). A risk response strategy is determined for each risk that takes into account the organisations risk appetite, and a system of controls are put in place for reporting and management of risks. There needs to be a risk treatment or response strategy whereby risks are managed by alternative courses of action: stopping an activity, influencing either or both the likelihood or impact of the risk; sharing through techniques such as insurance; or the risk may be accepted. One of the strategies for managing risk is internal control. Importance of risk management The importance of risk management is quite simply to identify and manage problems that could prevent an organization from achieving its objectives. Risk management improves the ability to respond to and mitigate risks that occur; it minimizes surprises; enables advantage to be taken of opportunities; maintains the organisations reputation; and helps the organization to be socially responsible and be seen as a good corporate citizen.
Purpose and Importance of Internal Control 54
CIMA P3 Performance Strategy Internal controls are the policies and procedures used by directors and managers to help ensure the effective and efficient conduct of the business; The safeguard of assets Regulatory compliance The prevention and detection of fraud and error The accuracy and completeness of accounting records The time preparation of reliable financial information
The importance of internal control is quite simply to manage problems that could prevent an organization from achieving its objectives. Relationship of Risk Management with Internal Control Systems Risk management is an important precursor to internal control as it allows the internal controls to be focused on the most significant risks. Therefore risks are assessed and control activities are determined that relate to the assessed risks. The benefits of effective risk management include: the maintenance of profitability in the medium and longer term; the avoidance of sudden losses if business continuity is impeded; the avoidance of profit warnings and major exceptional items; more cost-effective insurance cover and reduced premium cost; greater degree of assurance that business continuity will be safeguarded in the event of a catastrophe; continued customer satisfaction and the maintenance of the organisations reputation with customers, the public and investors. LEARNING OUTCOME
55
CIMA P3 Performance Strategy B2c - Evaluate the essential features of internal control systems for identifying, assessing and managing risks.
Preventative
Corrective
Types of Control
Directive
Detective
Students will need to be able to identify the lack of control in the organisation in the scenario and recommend controls that could be introduced. May 05 Nov 05 Nov 06 May 07 Nov 07 Control over expenses Identify and evaluate Risk mgt cycle as a control tool Internal controls to improve capital investment porcess Imrove control system to better mgt risk throughout the product life cycle Control over accounts payable Evaluate the controls
Questions usually require candidates to recommend internal controls that are consistent with the risks identified. LEARNING OUTCOME
56
CIMA P3 Performance Strategy B2d - Evaluate the costs and benefits of a particular internal control system Benefits Avoidance of losses Legal requirement (health & safety, information required for HMRC) Well being of employees motivation, succession planning important resource Preferred employer better calibre staff important resource Costs Establishment of policies & procedures Administrative support Opportunity cost of not spending time on the delivery of organisational objectives (Internal controls provide a safeguard but not an absolute guarantee)
57
Management and Control Systems (A)

LEARNING OUTCOME A1a - Evaluate appropriate control systems for the management of organisations A1c - Evaluate the control of activities and resources within the organisation
Internal Control An internal control system comprises the policies and procedures that an organisation implements to achieve its objectives and is used by directors and managers to help ensure the effective and efficient conduct of the business; The safeguard of assets Regulatory compliance The prevention and detection of fraud and error The accuracy and completeness of accounting records The time preparation of reliable financial information Control Environment Is the attitude, awareness and actions of directors and managers in relation to the importance of internal controls, including the organisations culture and values and the style of management.the control environment is the necessary background for internal control procedures to be developed and operate effectively.
58
CIMA P3 Performance Strategy What is a Management Control System? Management control comprises the processes used by managers to ensure that organisational goals are achieved and procedures followed, and that the organisation responds to environmental change. Features of a Sound Internal Control System(Turnbull Code) Embedded in an organisations structures, procedures and culture awareness of internal control issues becomes everybodys business and this contributes to effectiveness Should be capable of responding quickly to evolving risks to the business - the speed of reaction is an important feature of any control system i.e. thermostat on a heating system Report immediately any failures together with corrective action being taken feedback is essential for control formal and relatively rigorous information channels are required to maximise the effectiveness of the internal control systems
59
CIMA P3 Performance Strategy Management Control A Wider Perspective Controls may be cybernetic, non-cybernetic or contingent. Cybernetic systems Within organisations the control of operations through targets, operations and feedback is referred to as a management control system. This is referred to as a cybernetic system. Target setting (set in response to environmental demands and constraints)
The goals are sent to the operational level
Operations (inputs are converted into outputs)
The outputs are monitored at the control level
Control (comparison of outputs to inputs) involving feedback and feed forward processes. In cybernetic systems variations between targets and actual achievements are detected (predicted) which result in corrective action, either through feedback or feed forward processes. The cybernetic form of control is based on an economic-rational view of the world. Rational = following reason as oppose to experience or observation Economic = evaluation of alternatives to maximise benefits and minimise effort in pursuit of their own self interests Cybernetic management control attempts to ensure that the organisation or responsibility centre is efficient and effective. It can take place through budgetary control, variances from standard cost, non-financial measures of capacity utilisation, productivity, efficiency, quality, waste, etc. 60
CIMA P3 Performance Strategy One problem with the cybernetic model is that actual and planned results and corrective action may not be seen within an organisation in a consistent manner. (people may interpret events differently) A second problem is that control can be seen not just as an objective regulator of activities to achieve goals, but in terms of the domination of one person or group over others within an organisation. Non-cybernetic systems In the natural or non-rational perspective, informal relations between people are more important than the formal organisational structure of rules and roles. Non-cybernetic forms of control include intuition, judgement and the exercise of power, politics and influence. The limitation of non cybernetic controls is that they can alter depending on the mood of the individual and this may be unclear or ambiguous to employees. If a company relies on non cybernetic controls they can become heavily dependent on individuals. If any one of the controlling individuals has a major illness then this may lead to uncertainty and who is in control and what priorities should be followed.
61
CIMA P3 Performance Strategy Contingent systems (no one best fit) The attributes of control systems vary due to the industry, size of organisation, management style, etc. Fisher categorised different approaches to management control as: tight versus loose; objective measurement versus subjective assessment; mechanistic versus organic evaluation of performance; short-term versus long-term focus; group versus business unit focus.
This is a contingent explanation of the design of control systems.
Alternative Perspectives NB Understanding different perspectives will enable you to look at a business problem from many different points of view and take a more complete view to problem solving economic rational national & non-rational interpretive/socially constructed radical /critical pluralist There are other theoretical frameworks that provide a different view of the role of management control systems, examples include: Agency theory emphasises shareholder value Contingency theory is concerned with environmental fit Cultural theory emphasies organisations as a social system, relies less on formal controls and more on developing a set of beliefs and norms to guide behaviour Institutional theory is concerned with a broader stakeholder environment.
62
CIMA P3 Performance Strategy COST/BENEFIT OF INTERNAL CONTROL SYSTEMS BENEFITS Avoidance of losses Legal requirement (health & safety, information required for HMRC) Well being of employees motivation, succession planning important resource Preferred employer better calibre staff important resource
COSTS Establishment of policies & procedures Administrative support Opportunity cost of not spending time on the delivery of organisational objectives
63
CIMA P3 Performance Strategy Components of Management Control Systems (MCS) All businesses can be thought of as a system, the main elements of an MCS are: Inputs Process Outputs Measurement Comparison to target Corrective action
Input
Process
Output
Implementation of action if necessary
Predictive Model of Process
Output measured & compared with what was expected to happen (objective)
Determination of Cause of deviation. Generation and evaluation of alternative corrective actions
Comparison
Objective
Management control can be considered in relation to both feedback (taking corrective action ex post) and feed forward (taking action ex ante) An organisation needs to identify whether it is going to fall short of any objective as soon as possible, so that it can do something about it in time. 64
CIMA P3 Performance Strategy Levels of Control (NB make sure you have lots of examples to illustrate the levels of control) Strategic Management Operational
Control Structures NB You may be asked to recommend a change of structure to improve control Functional Divisionalised o Cost centre o Profit centre o Investment centre Matrix Network
65
CIMA P3 Performance Strategy LEARNING OUTCOME A1d - Recommend ways in which identified weaknesses or problems associated with control systems can be avoided or solved. A1b - Evaluate the appropriateness of an organisations management accounting control systems. Examples of Internal Control Systems NB Remember that control is not limited to accounting! Accounting Controls/Financial o Standard costing Will this be appropriate for an organisation that wants to delivery flexibility and customisation? o Capital investment appraisal in line with strategic objectives Can future cash flows be predicted with some accuracy? Does it capture the richness of the investment evaluation problem, would the use of value chain analysis, cost driver analysis and competitive advantage analysis achieve a better fit between investment decisions and business strategy implementation? o Cash controls Debtor control o Exchange controls hedging o Overhead allocation Does this accurately reflect the resources consumed in production? This could lead to misleading information about product/service profitability. (Is ABC the answer?)
66
o Transfer Pricing Negotiated prices may help to reduce demotivating effects on divisional performance o Budgets and budgetary control Forecast of future events Motivational targets Standards for performance evaluation One of the most common dysfunctional consequences of budgeting is the creation of 'slack' resources or low targets being set because managers believe they will readily be achieved. Budget expectations perceived to be unfair or exploitative are not internalised by employees and can lead to lower motivation and performance. Similarly, the manipulation of data or its presentation to show performance in the best possible light is another common behaviour, particularly where performance is linked to rewards. 'Beyond Budgeting: proposes targets based on stretch goals linked to performance against world-class benchmarks and prior periods; enables decision-making and performance accountability to be devolved to line managers and a culture of personal responsibility; increased motivation; higher productivity and better customer service. o JIT Elimination of inventories Consider the total cost of ownership rather than the initial purchase price o Cost of quality Strategic management accounting PAF model
67
o Life cycle costing Estimates lifetime costs and profits Do profits generated in the production phase cover all the life cycle costs Increased cost control during the development phase o Target costing Determine the target price customers are prepared to pay Determine a target profit margin, therefore can establish the target cost If actual cost exceeds target cost then need to investigate ways of reducing the estimated cost to the target cost. o Kaizen (tightening) Continuous improvement & feedback during the production process Even the smallest improvement is worth consideration o Lean management accounting JIT Target costing TQM Eliminates waste within value streams Non Financial Quantitative Controls a balanced scorecard approach o Customer Customer satisfaction number of clients (especially increases and potential losses) Market share o Business processes IT controls input/process/output/network/physical/disaster recovery Post implementation reviews Tender process for suppliers 68
CIMA P3 Performance Strategy o Innovation/learning and growth Employees retention Training costs Employees satisfaction
69
CIMA P3 Performance Strategy DYSFUNCTIONAL BEHAVIOUR Tunnel vision the emphasis on Quantifiable data at the expensive of qualitative data Sub-optimisation the pursuit of narrow local objectives at the expense of broader organisational-wide ones Myopia the short-term focus on performance may have longer term consequences Measure fixation an emphasis on measures rather than the underlying objective Misrepresentation the way in which the performance measure is explained
70
CIMA P3 Performance Strategy NON-FINANCIAL QUALITATIVE CONTROLS These controls influence behaviour by requiring certain policies and procedures or standard instructions to be implemented in order to ensure that behaviour is legally correct, co-ordinated and consistent throughout the organisation. o Culture o Physical controls o Organisational structure and chain of command the form of structure that is adopted will determine the type of control exercised over operational management o Project management - post implementation reviews o Authorisation procedures Authorisation of expenses o Staff control policies and procedures Contracts of employment Performances appraisal o Control of the board o Composition of the board Chairman & chief executive Executive & non executive directors Board appointments nominations committee o Framework for board meetings Purpose Agenda Control Action o Frequency of board meetings Regular review
71
REVIEW AND AUDIT OF CONTROL SYSTEMS (C)

LEARNING OUTCOME C1a - Discuss the importance of management review of control. Audit involves a systematic process, aimed at providing a defined level of assurance. The audit process is to obtain and evaluate evidence through a variety of techniques in order to make a judgement based on that evidence, and to present an opinion based on an audit report.
Assurance from management

Reports from management on the effectiveness of the systems they have established provide one mechanism by which Boards (often through audit committees) receive assurances about the adequacy and effectiveness of the system .
The Combined Code suggests that reports from management to the board should provide a balanced assessment of the significant risks and the effectiveness of the system of internal control in managing those risks. any significant control failings or weaknesses identified should be discussed in the reports, including the impact that they have had, could have had, or may have, on the company and the actions being taken to rectify them.
72
CIMA P3 Performance Strategy What is being reviewed? An internal control system includes all the policies and procedures necessary to ensure that organisational objectives are achieved including the orderly and efficient conduct of the business; the safeguarding of assets; the prevention and detection of fraud and error; the accuracy and completeness of the accounting records and the timely preparation of reliable financial information
Compliance with the Combined Code The Smith Guidance contained within the combined code on Corporate Governance emphasizes that a companys management is responsible for the identification, assessment management and monitoring of risk; developing, operating and monitoring the system of internal control; providing assurance to the board that it has done so.
The audit committee should receive reports from management on a balanced assessment of the significant risks the effectiveness of the system of internal control in managing the risks the conclusions of any testing carried out by internal and external auditors any significant control failings or weaknesses and the actions being taken to rectify them
73
CIMA P3 Performance Strategy C2 a Evaluate the process of internal audit and its relationship to other forms of audit. Internal audit is defined as an appraisal or monitoring activity established by management and directors for the review of the accounting and internal control systems as a service to the entity. It functions by, amongst other things, examining, evaluating and reporting to management and the directors on the adequacy and effectiveness of components of the accounting and internal control systems. (UK Auditing Practices Board)
Contribution to the effectiveness of internal controls
Checking that the internal controls are working correctly. To retain their independence, internal audit staff do not actually establish systems; they check what has already been established.
Ensuring that the internal controls take into account the risks facing the organization and that the risks are reduced to a level acceptable to the board.
Ensuring that the risk management system

Is of sound design Is focused on the most significant risks Measures that managers responses to risk are adequate and effective is based on a framework of controls to mitigate risk
To effectively assess the adequacy of internal controls, internal auditors need to have expertise in risk management, how risks are identified, assessed and managed.
74
CIMA P3 Performance Strategy The Role of Internal Audit
Reviewing accounting and internal control systems the adequacy and effectiveness of the systems of financial, operational and management control in relation to business risks
Identify any significant control deficiencies
Assess how risks are identified, analysed and managed
The safeguarding of business assets
Focusing on matters of high risk
Assess the risk responses
Provide assurance that the main business risks are being managed
The adequacy and reliability of financial and non-financial reporting
Give independent advice on how to embed risk management activities into business activities
Value for money assessments the auditor checks whether a particular activity is cost effective (economy), uses the minimum inputs for a given output (efficiency), and meets the stated objective (effectiveness)
The degree of compliance with legislation
Developing an audit plan based on an assessment of the significant risks to which the organization is exposed
Submitting plan to the audit committee for approval
Head of Internal Audit should be appointed by the audit committee and have independent reporting responsibilities
Implementing the agreed audit plan
Maintain audit team with knowledge, skill and experience
75
CIMA P3 Performance Strategy LEARNING OUTCOME C2b - Produce a plan for the audit of various organisational activities including management, accounting and information systems. C2e- Discuss the relationship between internal and external audit work .
Initially a survey needs to be carried out to scope the internal audit
the audit plan will set out the terms of refernec for the audit
a descrition of the activities to be audited and the associated risks
the timeframe
the reporting and review procedure
techniques to be used
audit staff to be involved
76
CIMA P3 Performance Strategy Financial Audit A financial audit, or more accurately, an audit of financial statements, is the examination by an independent third party (typically external auditors) of the financial statements of a company or any other legal entity (including governments), resulting in the publication of an independent opinion on whether or not those financial statements are relevant, accurate, complete, and fairly presented and comply with applicable accounting standards. Compliance Audit A compliance audit is an audit of specific activities in order to determine whether performance is in conformity with a predetermined contractual, regulatory or statutory requirement (CIMA Official Terminology) Transactions Audit The checking of a sample of transactions against documentary evidence. An audit trail or audit log is a chronological sequence of audit records, each of which contains evidence directly pertaining to and resulting from the execution of a business process or system function. Systems Based Auditing An audit planned on the basis of validation of the effective functioning of operating, accounting or control systems rather than validation of the associated documentary records. A systems based audit checks whether the system is meeting its objectives and comments on factors that may be affecting the achievement. A risk based approach could be used in the planning of the audit, that systems identified at highest risk are audited more frequently and in more depth than those which carry a lower level of risk.
77
CIMA P3 Performance Strategy Risk-Based Auditing: An approach that focuses upon how an organisation responds to the risks it faces in achieving its goals and objectives; it aims to provide assurance on the management of the identified risks within the context of the organisations corporate plans and aims. This approach reviews the risk management process: how the organization manages risk and takes action (risk response) including the use and evaluation of controls. Internal auditors can provide advice to the board in relation to the identification of key risks the effectiveness of the process to identify and analyses threats to the business the controls in place to manage the most important risks the culture in relation to risk and control the adequacy and reliability of financial and non financial reporting the effectiveness of management in directing and controlling the business the degree of compliance with legislation the safeguarding of business assets The relationship between risk management and audit is two-way. Risk management will inform the priorities for the internal audit plan. However the risk management system itself will need to be audited, in order to ensure that it can be relied on. Different types of risk in auditing inherent risk follow from the nature of the business and its environment failure of controls i.e. failure to implement adequate access controls to information residual risk remaining after controls have been implemented (controls are not a guarantee) audit risk the inability of audit to detect control failures Value for Money Audits The auditor checks whether a particular activity is cost effective (economy), uses the minimum inputs for a given output (efficiency), and meets the stated objective (effectiveness)
78
CIMA P3 Performance Strategy Post Completion Audit A post-completion audit can be defined as `an objective and independent appraisal of all phases of the capital expenditure process as it relates to a specific project' It enables a check to be made on whether the actual results correspond with the expected results. If this is not the case, the reason can be sought. This could form the basis for improvements in projects that are not functioning as expected or can cause projects to be abandoned. It generates information which allows an appraisal to be made of the managers who took the investment decision. Managers will therefore tend to arrive in advance at more realistic estimates of the advantages and disadvantages of their proposed investments. It can produce lessons for the decision-making process. If these lessons are actually learned, people will be able to make a better evaluation of the significance and the profitability of future projects. Finally, it can provide for better project planning. If in the evaluation it is found that the planning of the investment programme was poor, provision can be made to ensure that it is better for future investments.
Environmental Audits An environmental audit is a means by which businesses can assess the environmental impacts of their operations. At its core is the measurement and evaluation of all inputs and outputs from the production process. It is only after these impacts have been identified and measured, that a company can determine where it should implement cleaner production and eco-efficiency improvements. The financial benefits and improved efficiencies from adopting cleaner production and eco-efficiency are not the only incentives that may encourage firms to undertake audits. It can also be an effective risk management tool for assessing compliance with environmental legislation, and thereby assisting companies avoid the risk of prosecution and fines arising from potential environmental breaches.
79
CIMA P3 Performance Strategy Management Audit A management audit or leadership audit can bring substantial benefit to an organisation, whatever its size. Having a thorough understanding of the existing capabilities of a Board or senior management group is critical for the welfare of an organisation at any time. This is particularly true when it is going through a significant change such as taking a new strategic direction, introducing organisational restructuring or completing a merger or acquisition. Whatever the change, the organization needs to know whether they have the developed capabilities to be able to gain maximum benefit from the change. The organization needs to know what the strengths and limitations of its key people are at individual and group levels; what gaps exist and how they can be filled; which individuals will be able to push the organisation forward and which, if any, are not going to be able to adapt to the new demands.
80
CIMA P3 Performance Strategy Audit Techniques
Analytical Review
examination of ratios, trends and changes between periods to help idetify items requiring further investigation includes benchmarking
Testing
simulation of a scenario walk through, compliance, substantive
physical inspection
asset count
Internal checklist of internal controls that should be present Control Questionnaire
record of the work carried out and provide evidence that leads to conclusions and recommendations being made Audit working
papers
81
CIMA P3 Performance Strategy LEARNING OUTCOME C2c - Recommend action to avoid or solve problems associated with the audit of activities and systems C2d Recommend action to improve the efficiency , effectiveness and control of activities .
analyse effectiveness recommend improvements purpose, authority and responsibility defined independence expertise considered important business risks continuous improvement benchmarked against best practice
LEARNING OUTCOME 82
CIMA P3 Performance Strategy C3b - Discuss the importance of exercising ethical principles in conducting and reporting on internal reviews. B3b- Evaluate ethical issues as a source of risk to the organisation and control mechanisms for their detection and resolution.
The Fundamental ethical principles for CIMA members are: Principles Integrity
Objectivity
Professional Competence & Due Care
Confidentiality
Professional Behaviour
Straightforward and honest in all professional and business relationships No bias, conflict of interest or undue influence to over-ride professional or business judgements Continuing duty to maintain professional knowledge. Act in accordance with applicable technical and professional standards when providing professional services Should not disclose information to third parties without proper and specific authority unless there is a legal or professional right or duty to disclose. Comply with relevant laws and regulations and should avoid any action that discredits the profession.
83
CIMA P3 Performance Strategy CIMA members should be constantly conscious of, and be alert to factors which give rise to conflicts of interest Self interest threats Self-review threats Familiarity threats Intimidation threats and the resolution of ethical conflicts. Relevant facts Ethical issues involved Fundamental principles related to the matter in question Established internal procedures Alternative courses of action
84
RISK AND CONTROL IN INFORMATION (E)

LEARNING OUTCOME E1a - Advise managers on the development of IM, IS and IT strategies that support management and internal control requirements. Information Systems (IS) Strategy determines the information requirements of an organization. Development of an IS strategy cannot occur without an analysis of the strategic information needs of an organisation. This in turn cannot occur without development of a business strategy. Simply using information technology to support a business strategy, however, will result in an organisation failing to capitalise on opportunities offered by developments in technology. An effective IS/IT strategy will both support and drive forward the business strategy. The diagram below stresses the interaction that occurs between the business and information systems strategies. Changes in business strategy will engender changes in system strategy, ie new business strategies will generate new information needs and uses and therefore new systems to meet these needs. Equally, technological change may make new systems available that can trigger change in the business strategy
Environmental forces (including technological developments)
Business strategy
Systems strategy (decide information systems needed to support and drive business strategy)
IT strategy How is IT infrastructure to be developed to meet system needs?
85
CIMA P3 Performance Strategy Information Technology (IT) Strategy defines the specific systems that are needed, including the hardware and the software. Information Management (IM) Strategy is concerned with methods by which information is stored and available for access. The IM strategy will ensure that information is being provided to users and that redundant information is not produced.
86
LEARNING OUTCOME E1b - Identify and evaluate IS/IT systems appropriate to an organisations needs for operational and control information. Information systems and their characteristics You are highly unlikely to be given a question that asks you to list the characteristics of different information systems that could exist within an organisation. However, you may well be asked to assess the effectiveness of current systems or to express ideas for their improvement. A knowledge of the characteristics of different types of system and their purpose is therefore very useful. A hierarchy of management levels can be identified, it follows that it is possible to identify a hierarchy of information systems designed to meet these different needs.
Name Transaction processing systems (TPS) Management Characteristics and purpose level Operational Transaction processing systems are designed to capture the details of individual business transactions, eg stock movements, production output, accounting transactions. These systems focus on automation of core business processes. They typically have the following features. They operate in real time. They contain transactions. details of individual
They often contain internal information only. They have limited analytical and output functions. They are designed for day-to-day automation and management of key business functions Many are mission critical systems, eg EFTPOS systems for supermarkets and other stores.
87

Management information systems (MIS) Tactical and above Data stored in transaction processing systems is a key input into management information systems. Although sources of information are mainly internal there is often significant input from external sources. Management information systems do exactly as their name suggests they are designed to provide information useful to management in planning, monitoring and controlling business activities in the short to medium term. Typically management information systems have the following features. They draw information from a number of sources. They may synthesise the output from a number of TPSs. They produce information in summary format, often in a time-based way. They may provide comparison against budgeted or expected results. They may incorporate external information for comparison purposes. A typical management report from an MIS could be a monthly performance report comparing budgeted levels of production and cost with actual levels of production and cost. Decision support systems (DSS) Tactical and above Decision support systems allow managers to explore different options when making decisions. They focus on manipulation of quantitative data and allow managers to impose some form of structure on poorly structured or semi-structured decisions. Data may be from both internal and external sources.
88

Typical features of a DSS include the following. Ability to import and export data from other systems for analysis Ability to model different scenarios Ability to carry out what if? analysis Ability to complete sensitivity analysis Ability to output data in graphical as well as numerical format. Typical DSS systems have three components. A database subsystem A query or data extraction language A suite of data manipulation and modelling tools Fully featured spreadsheet packages such as Excel support many of the functions of a DSS. Executive information systems Strategic level These systems are used to support decisionmaking at the highest level within an organisation. External information is an important component of these systems and much of the information they contain may be non-quantitative. Key characteristics of these systems include the following. Integration of a wide range of internal and external information sources Extensive summarisation of data Extensive use of graphical and tabular presentation Ability to drill down to different levels of detail, including the individual transaction levels Forecasting and scenario modelling tools
89

Although much of the data may be historical or forecasts, many EIS systems also include real time monitoring of key business variables that can be displayed on screen to keep executives up to date with important developments. Expert systems (ES) All levels (potentially) Unlike decision support systems, expert systems have the capability to recommend courses of action. The objective of these systems is to replace human experts and to make expert advice available at all levels within an organisation. Expert systems have the following characteristics. A knowledge base. This contains facts relevant to a particular area, together with rules regarding how these facts are to be applied to scenarios A knowledge acquisition system this allows entry and up-date of the knowledge base An inference engine this element of the system applies the facts and rules to the particular scenario under consideration The explanation subsystem this allows users to explore decisions being made by the system to understand the reasoning behind them and the information input needs they generate. Expert systems have found use in a number of areas including engineering, medicine, law and tax consultancy. Expert systems are expensive to develop and maintain but if properly configured can offer significant advantages in terms of speed and quality of decision making. It can be argued of course that expert systems are best used by an expert as only a suitably qualified human being can assess the quality of the output from the system.
90
Enterprise resource planning system.
All levels Enterprise Resource Planning systems (ERPs) integrate (or attempt to integrate) all data and processes of an organization into a unified system. A typical ERP system will use multiple components of computer software and hardware to achieve the integration. A key ingredient of most ERP systems is the use of a unified database to store data for the various system modules. Examples of modules in an ERP which formerly would have been stand-alone applications include: Manufacturing, Supply Chain, Financials, Customer Relationship Management (CRM), Human Resources, Warehouse Management and Decision Support System.
Strategic enterprise management
Strategic level
Strategic Enterprise Management (SEM) refers to the management techniques, metrics and related tools (such as computer software) designed to assist companies in making highlevel (strategic) decisions. Aligning strategic objectives to resource allocation and performance management Applying tools such as Shareholder value management Activity based management Balanced scorecard approaches Typically, a business using SEM would incorporate a strategic information system, to manage information and assist in strategic decision making. A strategic information system has been defined as, "The information system to support or change enterprise's strategy concepts in strategic enterprise management include:
91
Setting specific strategic goals which will improve the position of the company, rather than more general goals such as increased profit or reduced costs. Measuring performance in terms of defined goals, and making the information available to those making strategic decisions. Measuring and managing "intellectual capital", the skill and knowledge base of the companies workforce. Activity-based management (ABM), which seeks to evaluate customers and projects in terms of their total cost and benefit to the organisation, rather than assuming that the most important projects are those bringing the highest revenue.
92
CIMA P3 Performance Strategy The growth of Information Linked to E-Commerce Opportunities Low-cost, rapid and reliable global communications in the form of email A readily accessible source of product, supplier and customer information A global marketing platform for all organisations regardless of size and resources A new channel for promoting and selling existing products and services through development of e-commerce solutions The opportunity to automate core business processes through on-line ordering and automated transaction processing The opportunity to develop new products and services, tailored to on-line sale
Drawbacks Difficulty in controlling information flow into and out of an organisation Security threats posed by integration of internal systems with external networks, particularly those of hacking and virus infection Information overload leading to a reduction in decision-making efficiency and quality Decline in staff efficiency as staff exploit the internet for personal use
93
CIMA P3 Performance Strategy Some of the major pull and push factors are listed below. Pull factors Increased market/geographical coverage Improved customer support and service 24-hour access to a companys products and services Reduction in marketing costs Reduction in transaction costs Push factors Perceived disadvantage due to ecommerce implementation by competitors Fear that company image will be dated and old fashioned Inability to meet customer expectations for ever increasing quality of service High cost base relative to competitors Threat to current relationships between suppliers, retailers and customers
Development of closer customer Inability to offer product/service relations range comparable to competitors Market research benefits Need for increased efficiency
94
CIMA P3 Performance Strategy LEARNING OUTCOME E1c - Evaluate benefits and risks in the structuring and organisation of the IS/IT function and its integration with the rest of the business. Why outsource? There are a number of reasons for increased use of outsourcing by companies. Outsourcing injects new skills into the in-house team. The range of skills required to manage modern systems would be too expensive to provide in-house. Many IS/IT staff are only needed for specific periods of time, eg systems analysts, programmers. It provides access to hardware resources that a company could not afford to buy outright. It enables more frequent upgrades than would be affordable inhouse. It enables staff to focus on core competencies. It offers control over costs a company can negotiate a fee for a fixed level of service provision. There may be an overall cost saving through flexible use of staff resources and reduced capital investment costs in hardware and software.
However, there are a number of significant problems with outsourcing. Outsourcing contracts are often for long periods of time (510 years). Getting out of inappropriate outsourcing agreements can be difficult and expensive. Outsourcing contracts normally detail precisely the level of service agreed. Obtaining services above this level or outside the scope of the existing contract can be very expensive. Changing business needs may render the outsourcing service agreement inappropriate.
95
CIMA P3 Performance Strategy Outsourcing is difficult to reverse owing to the loss of in-house expertise. Contractors may prove unreliable. Dependence on third party for key business services. Lack of competitive advantage competitors will have access to the same systems and services.
96
CIMA P3 Performance Strategy Selecting an outsourcing partner Given the importance of IS/IT functions, the long-term nature of such contracts and the difficulty of reversing this type of decision, careful thought must be given to choice of partner. Typical questions to ask about any provider are as follows. What is their experience of providing similar services to other clients? Are they prepared to identify other clients and allow you to meet them? What resources are to be allocated to your contract? Are they shared or dedicated? What provision do they have for back-up resources in the event of problems? What is the industry opinion of your proposed partner? Is the provider large enough to cope with your need without placing undue strain on its resources? What is the financial status of your provider? Does the provider share your cultural values? mission and how close is it to yours? What is their
How flexible is the provider in terms of changing needs and what is the charging policy? What is the policy for upgrading hardware/software resources and for keeping their staff up to date with technical developments?
Once a provider has been identified contracts should be negotiated carefully. There should be absolute clarity over the service level agreement, up-grade and back-up policies. A clear charging scheme for additional services should also be negotiated before the contract is signed. Annual cost increments should also be clearly agreed in advance.
97
CIMA P3 Performance Strategy LEARNING OUTCOME E1d - Recommend improvements to the control of information systems Audit Recommendations Use a recognised methodology Systems Development Life Cycle (SDLC) Project Management Process Systems Development Life Cycle Feasibility Analysis Design Implementation Changeover Post Completion Review Project Management Process Initiation Planning Execution Monitor & Control Completion
Undertake a feasibility/Initiation study Identify the needs and objectives of the system YES/NO decision to ensure that the company does not make an expensive mistake and waste resources Feasibility would include o Technical o Operational o Financial (Cost:Benefit) o Risk Management (Assessment/Likelihood/Impact) Project Organisation o Steering committee o Roles and responsibilities on project Sponsor Project manager (correct skills) Project team
Systems Analysis 98
CIMA P3 Performance Strategy o Understanding user & customer requirements o Consider the controls that need to be built into the system (completeness, accuracy and validity) o Discouraging fraud is important (if only a few people use the system it is hard to segregate duties then other ways of discouraging fraud are needed) Systems Design o CASE Tools o Prototyping o Input/process/output/network/physical/disaster recovery o Ensure adequate audit trails o Monitor progress/regular reporting Systems Implementation o Staff Training o Installation o File conversion o Testing o Changeover o maintenance Post Completion Review o Success and failure o Continuous improvement & feedback
99
CIMA P3 Performance Strategy LEARNING OUTCOME E1e - Evaluate specific problems and opportunities associated with the audit and control of systems which use information technology This section is also linked to section C Review and Audit of Control Systems. The Information Technology Infrastructure Library (ITIL) is a framework of best practice approaches intended to facilitate the delivery of high quality information technology (IT) services. ITIL outlines an extensive set of management procedures that are intended to support businesses in achieving both high financial quality and value in IT operations. These procedures are supplier-independent and have been developed to provide guidance across the breadth of IT infrastructure, development, and operations. Service Support Configuration management identify, record and report on all IT components Incident management to restore normal service operation as quickly as possible Change management accept change as the norm Problem management minimise the impact of problems and prevent recurrence Release management consider technical and non technical issues Service Delivery Service level management meeting customers needs Availability management minimise downtime Capacity management volume requirements Continuity management business continuity plan Financial management cost/benefit
These are aspects that the ITIL suggests should be managed and documented. Think about them when answering a scenario question that involves revising system development and management controls 100
Controls Security controls the prevention of unauthorised access, modification or destruction of stored data Integrity controls data must be accurate, consistent and free from accidental corruption Contingency controls if security or integrity controls fail, there must be a backup facility and a contingency plan to restore business operations as quickly as possible Input Controls These include controls to stop any unauthorised access through passwords and user IDs. Once access to the system has been authorised controls will be required to ensure the accuracy completeness of the information. format checks, i.e. supplier codes should be one alpha, four numeric. Transaction authorisation Reasonableness checks Processing Controls To ensure all transactions are processed correctly. balancing checks for journals so that they could not be posted unless they balanced Control total Matching checks - invoices would need to match with an order before they could be processed Output Controls These are usually in the form of reports to ensure information is reliable. Transaction lists Exception reports Suspense accounts
101
Network Controls Information will be distributed across wide area networks so data needs to be protected. Encryption Firewalls Anti-virus software Additional security that might be considered would be to undertake vulnerability or prevention testing, i.e. a company could deliberately attempt to breach security, could carry out intrusion detection, regular monitoring of the network and scanning of all emails received.
Physical Controls These would prevent access to computers by housing terminals in secure locations and would include swipe cards rooms with code-pad entry systems to prevent unauthorised access.
102
CIMA P3 Performance Strategy System Recovery Procedures Implementation of a firewall around internal systems Firewalls are often a combination of hardware and software designed to control the flow of data across the interface between internal and external networks.
Firewalls can operate in a number of ways and with different levels of sophistication. Some firewalls operate using packet protocols in which data is allowed entry on the basis of its characteristics (protocols), source and destination. Some companies operate hardened hosts or proxy application gateway systems. Both of these involve locating a separate computer at the interface between internal and external systems. Incoming data packages are then temporarily stored on this gateway computer whilst they are subject to a thorough check for viruses, appropriate formats, permissions and protocols before being released into the internal network. In the event of attack by a virus or hacker this gateway computer can be closed down, effectively isolating the internal systems from the outside world.
Encryption and authentication Given that the internet is a public access network there is little to stop other people from capturing and reading information being transmitted. As hackers have developed more sophisticated software to capture internet traffic an increasing number of companies use data encryption to protect their data during transmission. Sophisticated encryption algorithms are used to encrypt data before it is transmitted. Without an appropriate key to decode this information, intercepted transmissions are nothing more than electronic noise. Authentication of data is a variant of encryption in which senders of information include a digital signature that can only be decoded by the recipient computer. Failure to decode the signature (or its absence) will result in a packet of data being rejected.
103
CIMA P3 Performance Strategy Virus software
To protect against viruses companies normally implement virus protection software on their networks. This often works at a number of levels, with initial checks taking place during passage through the companys firewall followed by checking by individual client machines. Given that new viruses come to light on a daily basis, this type of software will only remain effective if virus definition databases are regularly updated by systems administrators. There are two main elements of auditing in an information systems environment: Systems development auditing. Auditing computer systems. Computer Assisted Audit Techniques (CAATs) Can be used to audit the actual system, there are two types of CAATs: Techniques used to review system controls Techniques used to review actual data System Controls Test Data A set of data that had been processed by the system would be compared to a set of data processed manually. An organisation may find this too time consuming because the test data has to be prepared, may have to be reversed unless run against a separate copy of the data files. For this reason test data is more commonly used with the testing of a system before it is implemented or after program modifications.
104
CIMA P3 Performance Strategy Embedded Audit Facilities This would allow a continuous audit review of data and its processing. They consist of programs that are built into the organisations accounting system, such as an integrated test facility. A false entity would be created (i.e. customer) within an existing system. Transactions are posted to the false entity together with all of the normal transactions. The normal processing cycle results would then be compared with what should have been produced by the system, determined as for the test data, by alternative means. These false entities must not become part of the organisations real financial data.
Actual Data Audit Interrogation Software This would allow for extraction of data from files so that analysis and investigation of the data could be undertaken. Audit interrogation software can also provide verification with management reports and can identify transactions that are unreasonable or fail to comply with system rules.
Resident Audit Software A real time version of audit interrogation software, the software allows items to be selected and tagged for later audit review.
Integrated Audit Monitors Whole accounts can be designated for monitoring. The audit monitoring software will then monitor all transactions on the specified accounts and select items outside the parameters set by the auditor.
105
106
CIMA P3 Performance Strategy FRAUD Fraud is dishonestly obtaining an advantage, avoiding an obligation or causing a loss to another party. Those committing fraud may be managers, employees or third parties. There are three prerequisites for fraud to occur (i) Dishonesty on the part of the perpetrator (ii) The opportunity or fraud to occur (iii) A motive for the fraud The risk of fraud exists in most organisations and internal controls are therefore very important to safeguard against, detect and respond to any fraud that occurs. A risk management strategy needs to be developed for fraud Fraud prevention The existence of a fraud strategy is itself a deterrent. Fraud prevention can be achieved through Anti-fraud culture Risk awareness Whistle blowing Sound internal control systems Identifying fraud most frauds are discovered accidentally or as a result of information received Responding to fraud o Internal disciplinary action o Civil litigation for recovery of loss o Criminal prosecution through the police
107
MANAGEMENT OF FINANCIAL RISK (D)

LEARNING OUTCOME D1a - Evaluate financial risks facing an organisation. D2a - Evaluate appropriate methods for managing financial risks. D2b - Evaluate the effects of alternative methods of risk management and make recommendations accordingly. D2c - Discuss exchange rate theory and the impact of differential inflation rates on forecast change exchange rates. D2d - Recommend risk management strategies and discuss their accounting implications. Background The financial environment in which companies operate has undergone substantial changes in recent times, including increased globalisation and changes in the regulatory environment of financial and capital markets. These have resulted in more companies trading and investing outside their home countries and increased volatility in interest rates and foreign exchange rates. Management Larger organisations may operate a treasury function, which would be responsible for management of the funding and investment areas of the business, including hedging of financial risk. appreciate the purpose and functions of a treasury department
108
CIMA P3 Performance Strategy The financial Risk Management Process Identify the risk exposure Quantify the exposure (which includes the financial impact) Quantification method one - Regression Method Regression analysis which you have studied before can be used to measure exposure to various risk factors. The regression model could be expressed as R = +1 INT + 2 FX + 3 OIL + e Where R represents changes in the companys cash flows INT represents changes in interest rates FX represents changes in exchange rates OIL represents changes in oil prices 1, 2, 3 represent the measurements of the sensitivity of cash flows to the risk factor. The main drawback of this method is that it is based on historical data which may not be a good guide to future risks.
109
CIMA P3 Performance Strategy Quantification method two - Expected Values (Simulation Analysis) The financial forecast of the outcome of a course of action, multiplied by the probability of achieving that outcome. The probability is expressed as a value ranging from 0 to 1. Example NPV Project A EV 000 probability 000 -20 0.15 (3.0) 10 0.20 2.0 20 0.35 7.0 40 0.30 12.0 18.0
NPV 000 5 15 20 25
Project B EV Probability 000 0.2 1.0 0.3 4.5 0.4 8.0 0.1 2.5 16.0
Project A has a higher EV of NPV, but what about risk of variation in the NPV above or below the EV? This can be measured by the standard deviation of the NPV which is used to give an indication of the risk involved.
Standard Deviation for Project A: 19,391 Standard Deviation for Project B: 6,245
Although project A has a higher NPV, it also has a higher standard deviation of NPV, and so has greater risk associated with it.
Which project should be selected? Clearly it depends on the attitude of the companys management to risk. (a) if management are prepared to take the risk of a low NPV in the hope of a high NPV they will opt for project A. (b) if management are very risk-averse, they will opt for the less risky project B. 110
CIMA P3 Performance Strategy Quantification method three Value at risk (VaR) Value at risk evaluates the potential loss that may be incurred on a whole portfolio, over a set time frame and subject to a predetermined confidence level. It is based on the normal distribution curve that you have studied in previous exams.
A key assumption underlying the calculation of VaR is that possible changes from time to time in the value of the underlying asset or portfolio are independent of each other and follow a normal distribution with a mean of zero. Step one calculate the daily volatility, that is the daily standard deviation. You are given the standard deviation in the question BUT NB you may have to calculate it if you are given the standard deviation for a different period. (if weekly standard deviation is 5,000 then daily deviation = 5,000/5 = 2,236) Step two using statistical tables, determine the standard normal value (z) associated with the one-tail confidence level, X%. Step three multiply the result in step one with the result in step two to obtain the daily VaR.
Example Yan expects to receive $1M in trading over the next two week. The actual value in $ will depend on changes in foreign exchange market conditions which may result in gains or losses. Possible gains or losses are normally distributed around a mean of 0 and a weekly standard deviation of S5,000. What is the daily VaR at 1%. Step one daily standard deviation = $5,000/5 = $2,236 Step two normal value associated with 99% confidence is 2.33 Step three daily value at risk = 2,236 X 2.33 = $5,210
111
CIMA P3 Performance Strategy Market Risks Major market risks are usually the most obvious type of financial risk that an organisation faces. Major market risks arise out of changes to financial market prices such as Interest rates Exchange rates Commodity prices
Interest Rate Risk This is the probability of an adverse impact on profitability or asset value as a result of interest rate changes. Interest rate risk affects many organisations, both borrowers and investors, and in affects capital-intensive industries and sectors. Interest rate risk arises as a result of borrowing over long periods to invest in assets where a company either borrows at a fixed or floating rate. The risk arises from differences between the rate at which the interest is to be paid by the group relative to movements in market rates of interest.
112
CIMA P3 Performance Strategy (Foreign) Exchange Risk Exchange rate risk arises as a result of purchasing and selling goods and services across national borders and the relative mix of monies owed to, and owing by, a company in different currencies and the effect of changes in relative exchange rates between currencies. When an organisation has foreign currency cash inflows and outflows, cash forecast for each currency assists in identifying currency exposures. Exchange rate risk can arise through: Transaction Translation Economic exposures
113
CIMA P3 Performance Strategy TRANSACTION EXPOSURE Transaction risk impacts on organisations profitability through the income statement. It arises from the ordinary transactions of an organisation including purchases to suppliers and sales to customers. It refers to identified transactions. Hence, we are likely to know the amounts of currency involved and the timing of receipt or payment. This makes it easier to manage transaction exposure than economic exposure. (management of transaction risk is looked at in detail later)
TRANSLATION EXPOSURE Translation risk refers to fluctuations that result from the accounting translation of financial statements, particularly assets and liabilities on the balance sheet. Translation exposure results whenever assets, liabilities or profits are translated from the operating currency into a reporting currency for example the reporting currency of the parent company. Translation exposure affects an organisation by affecting the value of foreign currency balance sheet items such as accounts payable and receivable foreign currency cash and deposits foreign currency debt longer term assets and liabilities, such as those associated with foreign operations are likely to be particularly impacted. Translation losses can result, for example, from restating the book value of a foreign subsidiarys assets at the exchange rate on the balance sheet date. Such losses will not have an impact on the firms cash flow unless the assets are sold. Such risk can be reduced if assets and liabilities denominated in particular currencies can be held in balanced amounts.
114
CIMA P3 Performance Strategy ECONOMIC/STRATEGIC EXPOSURE The location and the activities of major competitors may be an important determinant of foreign exchange exposure. Strategic or economic exposure affects an organisations competitive position as a result of changes in exchange rates. Economic exposures such as declining sales from international customers do not show up on the balance sheet, though their impact appears in income statements. For example, a firm whose domestic currency has appreciated dramatically may find its products are too expensive in international markets despite its efforts to reduce costs of production and minimise prices. The prices of goods exported by the firms competitors, who are coincidentally located in a weak-currency environment, become cheaper by comparison without any action on their part. Diversification of the supplier and customer base across different countries will reduce this kind of exposure to risk or matching assets and liabilities in each currency. Political Risk discrimination against foreign business expropriation of assets legislation exchange controls tax regulations
Credit Risk Credit risk is one of the most prevalent risks of finance and business. In general, credit risk is a concern when an organisation is owed money or must rely on another organisation to make a payment to it or on its behalf. It is the likelihood of a loss arising from default or failure of another organisation.
115
CIMA P3 Performance Strategy Liquidity Risk Liquidity impacts all markets. It affects the ability to purchase or sell a security or obligation, either for hedging purposes or trading purposes, or alternatively to close out an existing position. Liquidity can also refer to an organisation having the financial capacity to meet its short-term obligations. UNDERSTANDING FOREIGN EXCHANGE
Spot Rate
The exchange rate for transactions of immediate delivery. e.g. $2.00/ or US$/UK is 2.00
Forward Rate
A deal which is agreed upon today but the exchange of currency will not take place until an agreed future date. e.g. Current spot 1 month forward $2.00/1 $2.02/1
Bid/Offer Spread
This is the difference between the buying and the selling prices offered at the close of business each day. The rate at which the bank buys from customers and the rate at which it sells to customers is different however, the bank ALWAYS wins! e.g. The US$/ at the close of business was: 1.996 2.004 or 2.000 .004
116
CIMA P3 Performance Strategy Arbitrage Profit Arbitrage profit arises when a trader is able to take advantage of price or rating differences between two markets. Arbitrage opportunities will frequently be very short-term in nature because the law of supply and demand ensures that they will disappear automatically as they are taken up. The price of the undervalued item will rise and conversely the price of the overvalued item will fall, until equilibrium is regained. Predicting Future Exchange Rates
Factors influencing the exchange rate include the comparative rates of inflation in different countries (purchasing power parity), comparative interest rates in different countries (interest rate parity), the underlying balance of payments, speculation and government policy on managing or fixing exchange rates.
Purchasing Power Parity (PPP) PPP predicts that exchange rates will vary to eliminate price differences between countries. Purchasing power parity suggests that exchange rates move in response to differences in rates of domestic inflation between countries. Consequently, if the rate of inflation in one country is higher than the rate of inflation in another country, exchange rates will adjust to offset the differential such that the cost of living in each country would be the same. In practice this means that the expected movement in spot exchange rates is equal to the difference in expected inflation rates.
Forward rate US$/ Spot US$/ 1 US inflation rate 1 UK inflation rate
117
CIMA P3 Performance Strategy Interest Rate Parity (IRP) IRP predicts that the exchange rate will vary to compensate for the interest rate differences between countries. Interest rates also have an effect on exchange rates because interest rate parity states, that, other things being equal, a currency with a higher interest rate will sell at a discount in the forward market to a currency with a lower interest rate. The reason for this is because higher interest rates imply higher domestic inflation, which is a negative indicator of economic strength. The international Fischer effect predicts that Interest rates and exchange rates are closely linked.
Forward rate US$/ Spot US$/ 1 nominal US interest rate 1 nominal UK interest rate
118
CIMA P3 Performance Strategy Derivatives Strategies for risk management often involve derivatives. Unfortunately, there is no universally satisfactory answers to what exactly is a derivative. Derivative contracts, are assets that confer upon their owners certain rights or obligations. These contracts owe their existence to the presence of markets for an underlying asset or a portfolio of assets, on which such agreements are written.
A derivative is an asset whose performance is based on the behaviour of an underlying asset for example shares bonds commodities currencies exchange rates
The three major categories of derivative securities are options forward and futures contracts swaps Derivative products can be classified into exchange-traded derivatives, and over-thecounter (OTC) derivatives.
119
CIMA P3 Performance Strategy HEDGING A hedge is a transaction to reduce or eliminate an exposure to risk, i.e. reduce the spread of future results. Benefits of Corporate Hedging can reduce the variability of the companys cash flows by reducing the companys exposure to price movements, and hence reduce cash flow and profit risk. reducing the volatility of cash flows may increase the value of the firm.
Drawbacks of Corporate Hedging there are transaction costs relating to any financial instrument that may reduce risk. There are various tax and accounting issues relating financial instruments. Specifically IAS 39 requires firms to disclose their use of derivatives.
120
CIMA P3 Performance Strategy Categories of Derivatives
Futures Listed and OTC futures and forward contracts
Options Calls Puts
Derivatives
Swaps Interest rate swap Foreign currency swap
121
CIMA P3 Performance Strategy FORWARD CONTRACTS A forward contract is where one party agrees to buy something from another party at a specified date in the future. The terms of the agreement, such as quantity being bought or sold, or the time frame, can be tailor made to meet the requirements of the buyer or seller and therefore the contracts are usually OTC. An entity that is buying a forward contract is said to be in the long position, and the entity that is selling the forward contract is said to be in the short position.
Example Connery plc, a UK based company, is due to pay $200,000 in 3 months time. The spot rate $/ is currently $2/, but this has been volatile over recent month. The 3 month forward rate is $1.99 0.03. Required Calculate the expected sterling payments in 3 months time, if a forward market hedge is used.
122
CIMA P3 Performance Strategy MONEY MARKET HEDGE The use of forward contracts enables the entity to peg its future cash flows at a given exchange rate, thus providing certainty at a point in the future. A similar result can be achieved by using a money market hedge, and therefore can be used when forward markets are not available. A hedge will involve the following steps; If the company makes payments in the future in a foreign currency, o borrow in the domestic currency o convert into overseas currency o invest the money in an overseas bank o at the end of the term, that money can be used to make the overseas payment. If the company receives money in the future in a foreign currency, o borrow in the overseas currency o convert into domestic currency o invest the money in a domestic bank o use receipt to pay off overseas loan
Exercise (continued) Connery plc is still expected to pay $200,000 in 3 months time but is now considering a money market hedge. The following details are available; Borrow 7% 5.3% Deposit 6.6% 5%
UK USA Required
Construct a money market hedge for the future payment in 3 months time 123
CIMA P3 Performance Strategy FUTURES CONTRACTS Futures contracts are essentially the same as forward contract in the sense that they are a contract between a buyer and a seller to exchange something at some point in the future. However, futures tend to be for foreign currency, interest rates or shares and can be traded on recognised exchanges such as the London International Financial Futures and Options Exchange (LIFFE). As they are tradable, futures need to be more standardised than OTC derivatives and will therefore be bought/sold in set quantities and will have a fixed execution date, usually at the end of March, June, September or December. As the future is tradable, it makes it more flexible than the forward market, as the future can be bought or sold at any point. The approach; if you are due to receive foreign currency in the future, you would sell currency futures; if you are due to pay foreign currency in the future, you would buy currency future.
124
Exercise (a) A UK importer of Italian shoes needs to make a payment of $9m in 3 months time. The following market data is available; Spot $/ rate is 3 month $ interest rate is 3 month interest rate is 1.49-1.52 6-8% per annum 8-10% per annum
Required Show how a money market hedge could be constructed to reduce the risk of the above transaction, and calculate the cost of the import if the hedge is used. (b) Assume that it is June 2007 and a UK company needs to pay $5m to a US supplier in two months time (August). Explain how the exchange rate risk may be hedged by using September $ futures, 0.67/$. The contract size for the $, is $125,000. Assume that the spot rate and the futures market rate for /$ are the same in August. Calculate the effective cost to the UK company in sterling if the rate at the time of payment is; (i) (ii) 0.65/$ 0.68/$
125
CIMA P3 Performance Strategy Options Option the right but not the obligation to buy or sell the underlying asset at a predetermined price (exercise price) on or before a specified date. The buyer of the option can exercise this right or let it lapse (walk away).
Call option the right but not the obligation to buy. Put option the right but not the obligation to sell. Premuim the amount paid to the seller of the option.
An option is the right to either buy or sell something, at a set price, within a set period of time. The right to buy is called a call option, while the right to sell is a put option. It is important to note that an option is the right to do something. That means you can exercise your option if you wish, but you do not have to do so.
What are European and American options, and how do they differ from each other? If the option were to be European in nature, then the right can be exercised only at a fixed date in the future, known as the expiration date of the option. If the option is not exercised on that day, then the contract itself will expire. In the case of an American option however, the option holder has the right to transact at any point in time, between the time of acquisition of the right and the expiration date of the contract. The expiration date is the only point at which a European contract can be exercised, and the last point in time at which an American option can be exercised.
126
CIMA P3 Performance Strategy Illustration Assume that an individual owns 1,000 shares in company X quoted in the Stock Exchange, and that the current share price is 5. The individual is not sure whether the share price will rise or fall over the coming three months. Example 1. Changes in the value of 1,000 shares - shows the increase and decreases in wealth as the share price changes.
gain +500
0 4.50 5.00 5.50 Share price
-500 loss
If the individual could buy a 3 month put option on 1,000 shares in company X at a premium of 150 with an exercise price of 5 per share, the following is possible.
127
CIMA P3 Performance Strategy Example 2: Put option pay off

In Example 2, if the share price rises above 5 the put will not be exercised; if the price falls below 5 it will be. The payoff is limited downwards to a loss of 150 for share prices above 5, ie the right to walk away loses the individual the premium paid. The 4.50 5.00 5.50 Share price payoff for share prices less than 5 is calculated as (5 share price) 1,000 less 150 premium.
+ +350
0 4.50 -150 5.00 5.50 Share price
0 -150
Example 3: Combination
In Example 3 the profits and losses from the holding of 1,000 shares are + combined with the profits and losses +350 from the put option on 1,000 shares. The result is a limited downside, ie risk has been hedged or reduced. 0 The option is effectively an insurance 4.50 5.00 5.50 Share price policy and is only used if -150 necessary; otherwise like any insurance policy, the premium is lost. Instead of hedging, an individual may wish simply to speculate. In the above example an individual may feel that shares in company X are likely to fall, so he buys a put option in the hope of making money. If the shares rise the loss is limited to the premium. Note that the individual does not
0 4.50 -150 5.00 5.50 Share price
128
CIMA P3 Performance Strategy Assume that our individual is also interested in buying 1,000 shares in company Y quoted on the Stock Exchange and that the current share price is 2. Again, there is uncertainty as to whether the price will rise or fall over the coming three months. Example 5: Changes in the cost of 1,000 shares
gain +500
0 1.50 -500 loss 2.00 2.50 Share price
If the individual could buy a 3 month call option on 1,000 shares in company Y at a premium of 100 with an exercise price of 2 per share, then the following would be possible. Example 6: Call option pay off
+ +150 + +400
Example 7: Combination
0 1.50 -100 2.00

2.25
2.50 Share price
0 1.50 -100 2.00 2.50 Share price
129
There are two major types of swaps interest rate swap one firm pays a fixed interest rate on a sum of money and, from some other firm, receives a floating interest rate on the same sum, based on a reference rate, say, the London Inter-Bank Offer Rate (LIBOR). A swap is arranged in the OTC market and can be considered as a long-term forward contract with a series of settlement dates compared to a simple forward that gas only one settlement date. Foreign currency swap two firms agree to swap equivalent amounts of currency for a period. This effectively involves the exchange of debt from one currency to another. Liability on the main debt (the principal) is not transferred and the parties are liable to counterparty risk: if the other party defaults on the agreement to pay interest, the original borrower remains liable to the lender.
130

CIMA P3 - May 2012

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CIMA P3 - May 2012

Uploaded by

Copyright:

Available Formats

Strategic Level P3 - Performance Strategy

CIMA P3 Performance Strategy

B. Risk and Internal Control

B3a B1b B1a B2b B2a B2c B2d

A. Management Control Systems

CIMA P3 Performance Strategy

C. Review and Audit of Control Systems

68 68 70 72 72 77 77 78 78 80 80 82 89 92 94 101 101 101 101 101 101

Risk and Control in Information Systems

Management of financial risk

CIMA P3 Performance Strategy

CIMA P3 Performance Strategy

CIMA P3 Performance Strategy

The Verb Hierarchy

CIMA P3 Performance Strategy

LEARNING OUTCOMES GRID

3 Evaluate governance and ethical issues facing an organisation.

1c(i) 1c(ii) 4b,c 4a(i)(ii)

1c(i)(ii) 4a(ii) 3a(ii) 1c(i) 4a(i)

CIMA P3 Performance Strategy

Introduction and Overview

CIMA P3 Performance Strategy

Corporate Governance Developments in the UK 1992 The Cadbury Report

CIMA P3 Performance Strategy

CIMA P3 Performance Strategy PRINCIPLES OF CORPORATE GOVERNANCE

CIMA P3 Performance Strategy

CIMA P3 Performance Strategy 1 DIRECTORS AND COMPOSITION OF THE BOARD (Cont.)

Role of Non-executive Directors (NEDs)

CIMA P3 Performance Strategy 1 DIRECTORS AND COMPOSITION OF THE BOARD (Cont.)

CIMA P3 Performance Strategy 1 DIRECTORS AND COMPOSITION OF THE BOARD (Cont.)

The board should be responsible for the financial statements

The board must understand the inherent risks of the business

CIMA P3 Performance Strategy

Risk and Internal Control (B)

We should understand that risk is an unavoidable part of life.

What might be considered value drivers?

CIMA P3 Performance Strategy

Stakeholder perspective Suppliers Customers Competitors Regulators

CIMA P3 Performance Strategy

CIMA P3 Performance Strategy

Environmental Business/Operational Risk

What might be the key risks for Sony Corporation?

What might be the key risk for Adidas?

High level goals which are aligned to the organisation's mission

Efficient and Effective use of resources

Accuracy and timeliness of information

Compliance with laws and regulations

Minimum level of risk management

CIMA P3 Performance Strategy ERM consists of eight inter-related component Parts

Aligned with mission and consistent with risk appetite

Information and Communication

Relevant, accurate and timely information

Continuous Improvement and feedback

Risks are analysed and the likelihood and impact is assessed

Decide whether to accept, reduce, share or avoid

Ensure that response has has the desired effect

CIMA P3 Performance Strategy MODEL TWO - CIMA S RISK MANAGEMENT CYCLE

Review and refine process and do it again

Information for decisionmaking

Understand and assess scale of risk

Implementation and monitoring of controls