ACCA P1 Governance, Risk and Ethics - 2011 - Study text - Emile Woolf Publishing
Подождите немного. Документ загружается.
Paper P1: Governance, risk and ethics
164 © Emile Woolf Publishing Limited
A company should operate in an ethical way, and with integrity. A company
should have a recognised code of ethical behaviour and should expect everyone
in the company to act in accordance with the ethical guidelines in that code.
A company should treat its employees fairly and with respect. The fair treatment
of employees can be assessed by the company’s employment policies, such as
providing good working conditions and providing education and training to
employees.
A company should demonstrate respect for basic human rights. For example, it
should not tolerate child labour.
A company should be a responsible citizen in its community. Responsibility to
the community might be shown in the form of investing in local communities,
such as local schools or hospitals. This can be an important aspect of CSR for
companies that operate in under-developed countries or regions of the world.
A company should do what it can to sustain the environment for future
generations. This could take the form of:
- reducing pollution of the air, land or rivers and seas
- developing a sustainable business, whereby all the resources used by the
company are replaced
- cutting down the use of non-renewable (and polluting) energy resources
such as oil and coal and increasing the use of renewable energy sources
(water, wind)
- re-cycling of waste materials.
4.3 CSR and stakeholders in the company
The concept of corporate citizenship and corporate social responsibility is consistent
with a stakeholder view of how a company should be governed. A company has
responsibilities not only to its shareholders, but also to its employees, all its
customers and suppliers, and to society as a whole.
In developing strategies for the future, a company should recognise these
responsibilities. The objective of profit maximisation without regard for social and
environmental responsibilities should not be acceptable.
Example
When a company promotes itself as a company with strong ethical views and a
considered policy on CSR, it exposes itself to reputation risk. This is the risk that its
reputation with the general public and customers will be damaged by an
unexpected event or disclosure.
For example, an ethical company might find that one or more of its major suppliers,
based in a foreign country, is using forced labour or child labour in the production
of goods that the company buys.
Chapter 7: Governance: reporting and disclosure
© Emile Woolf Publishing Limited 165
4.4 The effect of CSR on company strategy
The awareness of CSR will vary between different countries. To remain successful in
business, companies must respond to changes in the expectations of its customers.
In many countries, there has been a significant increase in public awareness of
environmental problems, such as global warming (pollution and energy
consumption) and the potential for natural disasters that this creates. There is also
concern about the irreplaceable loss of many natural resources and the failure to re-
cycle many raw materials that could be used again in products or services.
If companies fail to respond to growing public concern about social and
environmental issues, they will suffer a damage to their reputation and the possible
loss (long term) of sales and profits. This is the problem for companies of reputation
risk.
Unfortunately, although there is genuine concern by some companies for CSR
issues, other companies express concerns about CSR issues in order to improve their
public relations image with the public, and as a way of marketing their products.
Formulating a CSR policy
The following steps might be taken by a company to implement a CSR policy:
It should decide its code of ethical values, and possibly publish these as a Code
of Ethics.
It should establish the company’s current position with regard to its CSR values,
and decide the position it would like to reach in the future. The gap between the
current position and the target position provides a basis for developing CSR
strategies.
The company should develop realistic targets and strategies for its CSR policies.
These strategies should be implemented.
Key stakeholders in the company should be identified, whose views the
company wishes to influence (employees, pressure groups, customers).
The company’s CSR achievements should be communicated to the key
stakeholders. This is the main purpose of CSR reporting.
The company’s CSR achievements should be monitored, and actual
achievements compared with (1) the targets and (2) the CSR achievements of
similar companies (including business competitors).
4.5 CSR reporting
In some countries, stock market companies have published annual reports on their
corporate social responsibility. These reports have been voluntary, and have usually
been published separately from the annual report and accounts.
CSR reports are also called social and environmental reports, and CSR reporting is
sometimes called sustainability reporting, when its main focus is on environmental
issues.
Paper P1: Governance, risk and ethics
166 © Emile Woolf Publishing Limited
The purpose of CSR reports is to inform key stakeholders about the CSR policy
objectives of the company and how successful it has been in achieving them.
CSR reports in the UK originally developed out of Health, Safety and
Environmental Reports, which reported on health and safety at work, accident
rates, volumes of waste and pollution, and so on, and actions taken by the
company to deal with problems.
CSR reporting is broader in scope than health, safety and environmental
reporting, because it includes social issues and more employee issues, such as
ethical employment practices, education and training and investments by the
company in community projects.
A weakness with many CSR reports was their lack of structure, and (in many
cases) a lack of facts and figures.
Global Reporting Initiative (GRI)
The Global Reporting Initiative is a US-based initiative that encourages companies
world-wide to publish sustainability reports that are prepared using a common
reporting framework.
The GRI defines sustainability reporting as ‘the practice of measuring, disclosing
and being accountable to internal and external stakeholders for performance
towards the goal of sustainable development. Sustainable development is a broad
term [meaning the same as other terms used] to describe economic, environmental
and social impacts (such as triple bottom line, corporate responsibility reporting,
etc).
The GRI promotes the view that to be a sustainable business in the long-term,
companies will benefit by giving attention to environmental and social issues, as
well as financial issues. Sustainability reporting within the GRI guidelines is based
on measuring three areas of performance, sometimes called the ‘triple bottom line’.
These are:
financial performance
impacts on the environment and natural resources
social benefits and costs.
Adverse effects and costs should be reported, as well as financial and non-financial
benefits.
The GRI approach is also based on quantifiable measurements of performance, in
preference to qualitative statements, so that progress towards ‘sustainability’ can be
measured. There are GRI ‘technical protocols’ explaining the methods for measuring
social and environmental (as well as financial) performance. There are also sector
supplements, which deal with measurement problems in specific industry sectors,
such as mining, car manufacture, financial services and telecommunications.
Chapter 7: Governance: reporting and disclosure
© Emile Woolf Publishing Limited 167
Mandatory reporting on CSR issues
In some countries, such as the countries of the European Union, some reporting on
CSR issues is required by companies in their annual business review. Business
reviews were explained earlier in this chapter. It is not yet clear whether mandatory
reporting in business reviews will replace voluntary sustainability reports.
4.6 CSR and institutional investors
Pressure on companies to show greater CSR awareness has come from institutional
investors, as well as the general public and consumers. There are some ‘ethical
investors’, including some investment institutions, that choose to invest only in
companies that meet certain minimum standards of social and environmental
behaviour.
In the UK, the National Association of Pension Funds (NAPF) published a policy
document on CSR in 2005. This stated that it did not consider CSR to be a corporate
governance issue, since corporate governance is concerned mainly with how to
handle the potential conflicts of interest between shareholders and management.
The NAPF suggested that CSR issues are an issue for the management of a company
rather than its governance.
However, the NAPF policy document stated that the board and managers should
remember the company’s wider role in society; the longer-tern prospects of a
company can be damaged by maximising short-term gain in a manner that society
finds unacceptable and this can lead to shareholders suffering real financial losses.
These losses could be due to consumer preferences changing or new legislation
adding more costs to the company.
Example UN initiative
In 2005, the UN Global Compact launched the UNEP Finance Initiative. (UNEP is
the United Nations Environment Program.) The aim of this initiative is to promote a
set of principles that define best practice for responsible investment by institutional
investors that have the full support of the UN and also of leading institutional
investors worldwide.
The initiative is based on the view that institutional investors should consider
sustainable development when making their decisions on investment in companies.
In 2006, the UN published six ‘Principles for Responsible Investment’, which
provide a framework for institutional investors to use when considering CSR issues.
These principles, which are ‘voluntary and aspirational’ are as follows.
1 CSR issues should be considered in investment analysis and decision-making
processes by investment institutions.
2 Institutional investors will include CSR issues into its policies and practices on
share ownership.
3 Institutional investors will seek appropriate disclosure on CSR issues by the
companies in which they invest.
Paper P1: Governance, risk and ethics
168 © Emile Woolf Publishing Limited
4 Investment institutions that subscribe to the Principles will promote their
acceptance and implementation within the investment industry.
5 Investment institutions will work together to increase their effectiveness in
implementing the Principles.
6 Investment institutions will each report on their activities and progress
towards implementing the Principles.
© Emile Woolf Publishing Limited
169
Paper P1
Governance,riskandethics
CHAPTER
8
Internal control systems
Contents
1 Risk management and corporate governance
2 Internal control
3 Elements of a sound system of internal control
Paper P1: Governance, risk and ethics
170 © Emile Woolf Publishing Limited
Risk management and corporate governance
Internal control risk and business risk
The importance of internal control and risk management
Responsibility for risk management and internal control
The governance responsibility of the board of directors for internal control and
risk management
1 Risk management and corporate governance
1.1 Internal control risk and business risk
Risk is generally associated with the possibility that actual events will turn out
worse than expected, or the possibility that ‘things will go wrong’. A more accurate
definition of risk is that it is the possibility that events will turn out differently from
what is expected: this often means the possibility of a worse outcome, but there may
also be the possibility of a better outcome than expected.
Risks, especially the risks of a worse outcome than expected or the risk of
unexpected losses, should be managed and kept within acceptable limits.
There are two broad types of risk that companies face.
Internal control risks. These are risks of losses that might arise due to failures or
weaknesses in systems or due to errors (or fraud) by individuals. They are risks
that controls within an entity are insufficient to stop adverse events from
happening and losses being incurred. Internal control risks can be categorised
into three broad types:
- Financial risks. These are risks of errors or fraud in financial controls,
resulting in the misreporting of financial performance or financial
position, the risk that assets may not be properly safeguarded and the risk
of fraud.
- Operational risk. A helpful definition of operational risk is given by the
Basel Committee for banking supervision. Although this definition
applies to risks in the banking industry, it has a wider application.
Operational risk is ‘the risk of losses resulting from inadequate or failed
internal processes, people and systems, or external events.’
- Compliance risk. This is the risk that important laws or regulations will
not be complied with properly. Failure to comply with the law could
result in legal action and/or fines.
Internal controls are established to eliminate some of these risks, or to reduce the
risks, or to identify an error or fault when it occurs. Internal controls may be
categorised as financial controls, operational controls and compliance controls.
Internal control is defined in more detail later.
Chapter 8: Internal control systems
© Emile Woolf Publishing Limited 171
Business risk or strategic risk. All business entities face risks in their business
environment. Business entities take risks to make a profit, and profit is the
reward for risk. When a company decides on its business strategies,
management cannot be certain that they have made the right choices. Conditions
in the company’s markets might turn out differently from what management
expect.
The business environment is continually changing – competition in the market,
customer demand, economic conditions, government regulation, the state of
technology and many other factors. Business risk has to be managed. Companies
have to respond to changes in their environment. Chosen strategies should not be
excessively risky in relation to the size of profits that the company expects to
make from its investments.
Business risk is also called entrepreneurial risk. Companies must take business
risks in order to make profits. They need to be entrepreneurial; otherwise they
will lose market share to rival companies that are prepared to take more risks
and business initiatives.
1.2 The importance of internal control and risk management
Internal control and the management of business risk are important matters for all
companies.
In the UK, guidance on internal control for directors was published by the Institute
of Chartered Accountants in England and Wales. This guidance was known as the
Turnbull Report. The Turnbull Report set out four connected reasons why internal
control and business risk management are important.
(1) A company’s system of internal control is important for managing risks to
the achievement of the company’s business objectives. A strong system of
internal control helps to safeguard (a) the investment of the company’s
shareholders and (b) the company’s assets. Protecting the investment of the
shareholders and safeguarding the company’s assets are duties of the board of
directors towards their shareholders.
(2) Internal control can achieve three things: (a) control can improve the
efficiency and effectiveness of operations (b) control helps to ensure the
reliability of the company’s financial reporting to shareholders and (c)
controls can help the company to ensure compliance with laws and other
regulations.
(3) Effective financial controls are important. These include controls to ensure
that proper accounting records are maintained, that unnecessary financial
risks (for example from fraud) are avoided and financial reporting is reliable.
(4) A company’s strategic objectives and conditions in its business environment
are continually changing. As a result the risks faced by the company are also
continually changing. A strong system of internal control depends on the
ability of the company to identify the changing risks in its business
environment and the extent of the risk that it faces. Profits are (in part) the
reward for successful risk-taking in business, and internal control helps
management to manage and control the business risks (rather than eliminate
them).
Paper P1: Governance, risk and ethics
172 © Emile Woolf Publishing Limited
1.3 Responsibility for risk management and internal control
The responsibility for risk management and internal control is shared between the
board of directors and management.
The board of directors is responsible for safeguarding the company’s assets, and
for protecting the value of the shareholders’ investment in the company. It
should fulfil these duties with care, and should be accountable to shareholders
for what they have done. It is therefore a corporate governance responsibility
of the board of directors to ensure that adequate systems for internal control
and risk management are in place.
The board of directors are not responsible for running the operations of the
company. Although the directors should monitor internal control and risk
management systems, management has the responsibility for designing and
implementing these systems.
1.4 The governance responsibility of the board of directors for internal
control and risk management
The management of risk, and the internal control system for managing risk, are
aspects of corporate governance. However, there are differing views about the
extent to which risk management and internal control should be a governance issue.
One view is that the directors have a governance responsibility for the strength
of the financial controls in their company. They should therefore be responsible
for ensuring that the system of financial control is adequate and should account
to the shareholders for this responsibility. This view is accepted in the US, and is
applied by the Sarbanes-Oxley Act.
Another view is that the board of directors has a broader governance
responsibility for ensuring the soundness of the entire internal control system
and also for the business risk management system of the company. This view is
applied in countries such as the UK, Singapore and South Africa.
UK Combined Code requirements
The UK Combined Code makes only a brief reference to the internal control system.
A principle of the Code is that: ‘The board should maintain a sound system of
internal control to safeguard shareholders’ investment and the company’s
assets.’
A provision of the Code, linked to this principle, is that: ‘The directors should, at
least annually, conduct a review of the effectiveness of the [company’s] system
of internal control and should report to shareholders that they have done so. The
review should cover all material controls, including financial, operational and
compliance controls and risk management systems.’
UK listed companies are required to comply with all requirements of the Combined
Code, or explain their non-compliance. This ‘comply or explain’ rule is contained in
the Listing Rules of the UK financial services regulator. It would be very difficult for
a board of directors to explain convincingly why they have not reviewed the system
of internal control, which means that the requirement to conduct an annual review
Chapter 8: Internal control systems
© Emile Woolf Publishing Limited 173
of the internal control and risk management systems is an obligation that listed
companies cannot avoid.
US requirements: Sarbanes-Oxley Act
In the US, the Sarbanes-Oxley Act limits the governance responsibility to controls
over financial reporting. Section 404 of the Act, which has been explained in an
earlier chapter, requires the annual report of companies to:
state the responsibility of management for establishing and maintaining an
adequate internal control structure and procedures for financial reporting, and
contain an assessment of the effectiveness of the company’s internal control
structure and procedures for financial reporting.
This assessment should be based on an evaluation by management (including the
CEO and chief financial officer) of the effectiveness of the internal control over
financial reporting.