Notes. CIMA Paper P3. Performance Strategy

Transcription

1 Chapter 2 extract from our ExPress notes for use with the current video. A full set of P3 ExPress notes can be downloaded free of charge at www. CIMA Paper P3 Performance Strategy For exams in 2011 Notes

2 Contents About ExPress Notes 3 1. Management Control Systems 7 2. Risk and Internal Control Review and Audit of Control Systems Management of Financial Risk Risk and Control in Information Systems 48 Page 2

3 START About ExPress Notes We are very pleased that you have downloaded a copy of our ExPress notes for this paper. We expect that you are keen to get on with the job in hand, so we will keep the introduction brief. First, we would like to draw your attention to the terms and conditions of usage. It s a condition of printing these notes that you agree to the terms and conditions of usage. These are available to view at Essentially, we want to help people get through their exams. If you are a student for the CIMA exams and you are using these notes for yourself only, you will have no problems complying with our fair use policy. You will however need to get our written permission in advance if you want to use these notes as part of a training programme that you are delivering. WARNING! These notes are not designed to cover everything in the syllabus! They are designed to help you assimilate and understand the most important areas for the exam as quickly as possible. If you study from these notes only, you will not have covered everything that is in the CIMA syllabus and study guide for this paper. Components of an effective study system On ExP classroom courses, we provide people with the following learning materials: The ExPress notes for that paper The ExP recommended course notes / essential text or the ExPedite classroom course notes where we have published our own course notes for that paper The ExP recommended exam kit for that paper. In addition, we will recommend a study text / complete text from one of the CIMA official publishers, but we do not necessarily give this as part of a classroom course, as we think that it can sometimes slow people down and reduce the time that they are able to spend practising past questions. ExP classroom course students will also have access to various online support materials, including: The unique ExP & Me e-portal, which amongst other things allows view again of the classroom course that was actually attended. ExPand, our online learning tool and questions and answers database Page 3

4 Everybody in the World has free access to CIMA s own database of past exam questions, answers, syllabus, study guide and examiner s commentaries on past sittings. This can be an invaluable resource. You can find links to the most useful pages of the CIMA database that are relevant to your study on ExPand at How to get the most from these ExPress notes For people on a classroom course, this is how we recommend that you use the suite of learning materials that we provide. This depends where you are in terms of your exam preparation for each paper. Your stage in study for each paper These ExPress notes ExP recommended course notes, or ExPedite notes ExP recommended exam kit CIMA online past exams Prior to study, e.g. deciding which optional papers to take Skim through the ExPress notes to get a feel for what s in the syllabus, the size of the paper and how much it appeals to you. Don t use yet Don t use yet Have a quick look at the two most recent real CIMA exam papers to get a feel for examiner s style. At the start of the learning phase Work through each chapter of the ExPress notes in detail before you then work through your course notes. Don t try to feel that you have to understand everything just get an idea for what you are about to study. Don t make any annotations on the ExPress notes at this stage. Work through in detail. Review each chapter after class at least once. Make sure that you understand each area reasonably well, but also make sure that you can recall key definitions, concepts, approaches to exam questions, mnemonics, etc. Nobody passes an exam by what they have studied we pass exams by being efficient in being able to prove what we know. In other words, you need to have effectively input the knowledge and be effective in the output of what you know. Exam practice is key to this. Try to do at least one past exam question on the learning phase for each major chapter. Don t use at this stage. Page 4

5 Your stage in study for each paper These ExPress notes ExP recommended course notes, or ExPedite notes ExP recommended exam kit CIMA online past exams Practice phase Work through the ExPress notes again, this time annotating to explain bits that you think are easy and be brave enough to cross out the bits that you are confident you ll remember without reviewing them. Avoid reading through your notes again. Try to focus on doing past exam questions first and then go back to your course notes/ ExPress notes if there s something in an answer that you don t understand. This is your most important tool at this stage. You should aim to have worked through and understood at least two or three questions on each major area of the syllabus. You pass real exams by passing mock exams. Don t be tempted to fall into passive revision at this stage (e.g. reading notes or listening to CDs). Passive revision tends to be a waste of time. Download the two most recent real exam questions and answers. Read through the technical articles written by the examiner. Read through the two most recent examiner s reports in detail. Read through some other older ones. Try to see if there are any recurring criticism he/ she makes. You must avoid these! The night before the real exam Read through the ExPress notes in full. Highlight the bits that you think are important but you think you are most likely to forget. Unless there are specific bits that you feel you must revise, avoid looking at your course notes. Give up on any areas that you still don t understand. It s too late now. Don t touch it! Do a final review of the two most recent examiner s reports for the paper you will be taking tomorrow. At the door of the exam room before you go in. Read quickly through the full set of ExPress notes, focusing on areas you ve highlighted, key workings, approaches to exam questions, etc. Avoid looking at them in detail, especially if the notes are very big. It will scare you. Leave at home. Leave at home. Page 5

6 Our ExPress notes fit into our portfolio of materials as follows: Notes Notes Notes Provide a base understanding of the most important areas of the syllabus only. Provide a comprehensive coverage of the syllabus and accompany our face to face professional exam courses Provide detailed coverage of particular technical areas and are used on our Professional Development and Executive Programmes. To maximise your chances of success in the exam we recommend you visit www. where you will be able to access additional free resources to help you in your studies. START About The ExP Group Born with a desire to be the leading supplier of business training services, the ExP Group delivers courses through either one of its permanent centres or onsite at a variety of locations around the world. Our clients range from multinational household corporate names, through local companies to individuals furthering themselves through studying for one of the various professional exams or professional development courses. As well as courses for CIMA and other professional qualifications, our portfolio of expertise covers all areas of financial training ranging from introductory financial awareness courses for non financial staff to high level corporate finance and banking courses for senior executives. Our expert team has worked with many different audiences around the world ranging from graduate recruits through to senior board level positions. Full details about us can be found at www. and for any specific enquiries please contact us at info@. Page 6

7 Chapter 2 Risk and Internal Control START The Big Picture This chapter addresses the variety of risks facing an organization and the risk management strategy and internal controls that exist in response to those risks. It is useful to start with CIMA s definition of Risk Management: the process of understanding and managing the risks that the organization is inevitably subject to in attempting to achieve its corporate objectives. (CIMA Official Terminology) Types of Risks Page 7

8 Risk management at the enterprise level addresses all risks affecting a company. These can be classified as follows (diagram on next page): Enterprise Risk Operational risk Process risk People risk Systems risk Financial risk Credit risk Market (price) risk Gearing risk Event risk Business risk Operational (or Operating) Risk One may view this category as including all risks that can arise in the course of operating a business, though by definition they are clearly distinguished from financial risks. It will be seen that the list of risks presented below can be expanded and sub-divided according to a particular company s specific circumstances. Process Risk This relates to the processes within a business and evaluates them from the standpoint of pure risks, as well as (a) economy, (b) efficiency and (c) effectiveness. People Risk All risks connected to human resources, including quality and sufficiency of staff, and issues of recruitment, training, compensation, honesty and morale. There is an important link to corporate culture and explicit and implicit attitudes displayed by management; i.e. how they cultivate risk awareness, or encourage profits with(out) regard to the methods employed in achieving them. Systems Risk Page 8

9 Information systems and communications in the broadest sense of the term, including IT hard/software, capacity, reliability (back-up) and policies relating to accuracy, access (passwords) and data integrity. Event/Hazard Risk Risk of losses resulting from single events that may have a high or low impact. Natural disasters and human actions, whether intentional (terrorism) or not (accidents), fall within this category. Some companies may include fraud in this category though fraud and malfeasance are also clearly the result of the actions of people (see people risk ). Business Risk This is a broad category with indistinct boundaries, but it generally covers risks to a company s ability to generate returns from its ordinary operations, including its strategy, business model, competitive position, political/legal environment (including regulatory/ compliance/ intellectual property), products, marketing, clients and reputation. Process, people and systems risks can be seen as being mainly internal in nature; the other risks are generally seen as being external. International operations The challenge presented by international operations can be analyzed using the above categories; such operations add complexity to a company s operations since they confront it with differing: Cultural norms Political stability Efficiency and honesty of the judicial system Regulatory enforcement Just to name a few! Page 9

10 Severity Low High ExPress Notes Key risk concepts There are several key concepts relating to risk: Probability: measures the likelihood that a certain event will occur; Severity (or impact): quantifies the loss which results if the undesired outcome occurs; Exposure: Is the degree to which one is confronted by the particular type of risk The above factors can be combined into a quantification of the risk of loss by multiplying the financial consequences if the undesired event occurs by the probability factor: Risk = Probability x Severity x Exposure Note: This can be condensed to Risk = Probability x Financial consequences This is essentially the application of the expected value technique to risk. Volatility: refers to the variability or the spread of all likely outcomes of an uncertain factor to which a business is exposed. Statistically, volatility is measured by standard deviation. Risk Mapping Detect/Monitor Prevent (at source) Low control Monitor Low Likelihood High Page 10

11 Risk Response Strategy It is management s responsibility to adopt a risk response strategy, which results from the specific identification and assessment of each type of risk facing the organization. The responses can come under one of the four following (generic) headings: (1) Avoid: Discontinuing (or not starting) an activity that causes unacceptable risks; (2) Reduce (or prevent): Taking (internal) action to reduce the risk; (3) Insure (transfer or share): Transferring the risk to a 3 rd party (such as an insurer) or sharing the risk with a partner; (4) Accept (or retain): the risk is considered small and it is not worth the effort to protect against it. Refer back to the risk map: One could chart the above risk responses as a progression from upper right (High Severity/High Likelihood = Avoidance) to the lower left (Low Severity/Low Likelihood = Acceptance). Risk & Corporate Objectives Achieving a clear and explicit articulation of corporate objectives, and the connection to risk appetite/acceptance, is the duty of senior management. This perspective begins at the most senior corporate strategy and policy-making level, where strategic objectives are established. This is a top-down process. Following from the establishment of corporate objectives, a company s business strategy can be seen, among other purposes, as reconciling corporate objectives with the level of risk accepted in pursuing strategic and financial goals. Page 11

12 These elements are tied together by the culture of the organization (incl. attitudes to risk) and its management control and other systems. Objectives (strategy) Culture & Systems Risks Returns(Rewards) Risk Management Processes There exist a number of risk management models. Since they have similar objectives, they will resemble each other in their process steps. From a generic point of view, these embrace: Risk identification and awareness At the policy level, this involves the need to define explicitly the organisation s risk appetite (the types and levels of risks it is willing to tolerate). There is also a need to agree common definitions of risks. One can refer to this a common language of risk or risk glossary. There is an effort to inventory risks; this means categorizing risks, including an understanding of their causes and degree of impact. Risk management and assessment This is concerned with methods and techniques used to evaluate risks, including methodologies to prioritize risks (risk-ranking) and to quantify them. Page 12

13 Risk response and control Risk response means effective action-taking to ensure that the identified risks are addressed in conformity with policy. This requires an assignment of responsibilities to individuals -- who does what. Risk monitoring and reporting A system of monitoring the ERM process, including periodic evaluations as to whether the system is accomplishing its purpose, is indispensable. The costs of maintaining the system must be outweighed by the benefits. Management is accountable to shareholders, and other stakeholders, by a system of periodic reporting. CIMA Risk Management Cycle The student is advised to refer also to CIMA s Risk Management Cycle (contained in CIMA publication Fraud Risk Management: A Guide to Good Practice): The student might also refer to COSO (Committee of Sponsoring Organisations of the Treadway Commission) which addresses Enterprise Risk Management (ERM) through its eight Components and four Objectives categories. The Components are: Internal environment Objective setting Event identification Risk assessment Risk response Control activities Page 13

14 Information and communication Monitoring The Objectives address: Strategy Operations Financial Reporting Compliance ERM Implementation Defining Enterprise Risk Management (ERM) in conceptual terms is merely the first step. Moving from theory to practical implementation begins with: 1. The Board of Directors explicit responsibility for risk management oversight This may be accompanied by the establishment of a Risk Committee at the board level, or including the responsibility within the scope of the Audit Committee; 2. Creation of a risk management team under the leadership of a senior-level executive (Chief Risk Officer, CRO, or VP Risk) with a reporting line into the Board The real test of the effectiveness of a risk management process is measured by the degree to which: 3. The methods and norms of ERM are successfully disseminated throughout the organization. Effective implementation requires important commitments at all levels of the organization, manifested by: Clear written policies and procedures; Staff training; Page 14

15 Disciplinary steps for violations; Constant management reinforcement (both in word and deed) Internal Control The IIA (Institute of Internal Auditors) have provided the following useful definition: An internal control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Management plans, organises and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Thus, control is the result of proper planning, organising and directing by management. The internal control function should be regarded as a process designed to provide reasonable (not absolute) assurance that the company is in a position to achieve its objectives; it should be integral to a company s operations, not an external imposition. Responsibilities include: Safeguarding of corporate assets; Checking the accuracy and reliability of corporate accounting data; Promoting operational efficiency; Ensuring adherence to accounting and financial control policies COSO Internal Controls A widely-used framework of internal control in the USA is the COSO Internal Control Integrated Framework, which consists of five components: Control Environment setting the tone at the top ; Risk Assessment - identification risks (to the achievement of objectives); Information and Communication internal data flow (timely, relevant, etc.); Control Activities - the policies and procedures; Monitoring verification processes to assess the quality/effectiveness of internal controls Page 15

16 Types of Controls Corporate controls = general policy statements, established core culture and overall monitoring procedures, corporate governance Management controls = planning and performance monitoring Business process controls = authorisation limits and reconciliation Transaction controls include = accuracy and completeness checks You may use the mnemonic SOAPSPAM to generate ideas for types of control: Segregation of duties Organisational controls (eg set authority limits) Authorisation Physical Supervision Personnel, eg background checks Arithmetical and reconciliations Management the tone from the top, including existence of an internal audit department. Features of a good system Essential features of any good system of internal control As a useful aide memoire when asked to evaluate a described system of internal control within a question scenario, you could make use of the mnemonic PCRAM. Plan of organisation Custody procedures Recording procedures Authorisation procedures Management supervision Page 16

17 The Turnbull Report The UK Turnbull report gives us a useful summary of the main purposes of an internal control system, by stating that internal control consists of the policies, processes, tasks, behaviour and other aspects of a company that taken together: Facilitate its effective and efficient operation by enabling it to respond to significant business, operational, financial, compliance and other risks to achieving the company s objectives. This includes safeguarding the assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed. Help to ensure the quality of internal and external reporting. Help ensure compliance with applicable laws and regulation, and also with internal policies with respect to conduct of business. The Turnbull committee recognised that while a sound internal control system cannot eliminate poor judgment in decision-making, it may minimize that risk to a significant degree. Further, the committee stated: Reviewing the effectiveness of internal controls is an essential part of the board's responsibilities ; at the same time, Management is accountable to the board for monitoring the system of internal control and for providing assurance to the board that it has done so. The board is responsible for the disclosures on internal control in the company's annual report and accounts. Corporate Governance There is an close connection between corporate governance and risk management: in order to fulfill its corporate governance role faithfully, the directors of the company have to ensure that there is in place at the company a robust system of internal controls and risk management systems. There are several models of corporate governance: Page 17

18 Shareholder-based models: typical of the US and the UK; and Stakeholder-based: common on the Continent (Europe) and Japan Sarbanes Oxley (US) In the US, Sarbanes-Oxley is Federal legislation dating from 2002 that prescribes corporate governance principles for publicly-quoted US corporations. It seeks to safeguard the economic interests of the shareholders, by promoting an active market where corporate control can change hands in an effort to promote the most efficient allocation of economic resources. Combined Code (UK) In the UK, this is a set of principles of good corporate governance which sets forth a code of best practice aimed at companies listed on the London Stock Exchange. It is overseen by a body called the Financial Reporting Council. The Combined Code on Corporate Governance is the result of the collective efforts of numerous commissions formed in the UK to study and make recommendations on the subject (e.g. Cadbury, Greenbury and Hampel) and incorporates conclusions from the following committees: Turnbull: Guidance on internal control (as described earlier); Smith: Guidance on audit committees; Higgs: Suggestions for good practice Some key features of the Combined Code include: Comply or explain: Deviations from the Code may be justified in particular circumstances ; Board Composition: At least half the Board (excluding the chairman) should be independent non-executive directors; Separation of Chairman and CEO roles: These should not be exercised by the same individual; Page 18

19 Non-Executive Directors duties: Include scrutinise the performance of management and satisfy themselves that financial controls and systems of risk management are robust and defensible ; Executive remuneration: remuneration; No director should be involved in deciding his or her own Audit Committee: At least three members, all be independent non-executive directors; Audit Committee role: Oversee the effectiveness of internal controls and to liaise with the internal and external auditors. Internal Audit The role of the internal audit is to make sure that the company s internal controls are appropriate and working properly. Internal auditors are employees and report to management. However, they can also have a reporting line to the Audit committee of the board, so that their professional independence is not compromised. CIMA Ethical Guidelines The student is expected to be fully familiar with CIMA Ethical Guidelines which can be accessed via: Page 19