ACCA P1 Governance, Risk and Ethics - 2011 - Study text - Emile Woolf Publishing
Подождите немного. Документ загружается.
Paper P1: Governance, risk and ethics
204 © Emile Woolf Publishing Limited
4 Is there appropriate communication by management to the board (or board committees) on
the effectiveness of the processes for monitoring risks and internal control?
5 Is there a recognised procedure for reporting exceptional events to the board, such as
suspected fraud, and other illegal acts or matters that could seriously affect the company’s
reputation and financial position?
Chapter 9: Internal control, audit and compliance
© Emile Woolf Publishing Limited 205
Reporting to shareholders on internal control
The requirement to report to the shareholders on internal control
The content of a board report on internal control
Summary: maintaining a sound system of internal control
Internal control: information systems and technology
4 Reporting to shareholders on internal control
4.1 The requirement to report to the shareholders on internal control
A system of good corporate governance should include a requirement for the board
of directors to report to shareholders on internal control and the effectiveness of the
internal control system. The board is responsible for ensuring that a sound system
of internal control is maintained, and it should be required to account to the
shareholders to explain how they have fulfilled this responsibility.
However, the specific requirements for reporting to shareholders vary between
different countries.
In the US, the annual report of stock market companies must include a statement
on internal control that includes an assessment of the effectiveness of the internal
control system and procedures for financial reporting. The internal control
report relates to financial controls only (not operational controls or non-financial
compliance controls), but it must provide an evaluation of those controls. Any
material weaknesses in financial controls must be disclosed.
In Singapore, the board is required to ensure that an annual review is conducted
into the effectiveness of the internal control and risk management system, but
the board is required to report to the shareholders on the adequacy of the
control system (not its effectiveness or weaknesses).
In the UK, listed companies are required to conduct a review of the effectiveness
of the system of internal controls and report to the shareholders that they have
conducted such a review. The board is not required to provide detailed
information about the review, and so is not required to provide shareholders
with an assessment of its effectiveness.
There are several reasons why the reporting requirements in the UK and Singapore
differ from the regulations in the US.
The main argument is cost. To comply with the requirements of section 404 of
the Sarbanes-Oxley Act requires a large amount of management time, and the
costs of compliance are high. It has been suggested that the requirements of
section 404 help to explain the preference of many foreign companies for seeking
a listing for their shares in London (where the principles-based requirements are
much less strict) rather than listing in New York.
Supporters of the principles-based approach in the UK (and critics of the rules-
based approach in the US) argue that the board of directors should have
Paper P1: Governance, risk and ethics
206 © Emile Woolf Publishing Limited
freedom to decide what it is appropriate to report to shareholders. The US
approach is based on compliance with detailed procedures and a ‘box-ticking’
mentality.
The Sarbanes-Oxley report on internal control relates to financial controls and
financial reporting only, not to operational controls and compliance controls. It
has been argued that it is difficult to assess the ‘effectiveness’ of operational
controls, because there is no objective standard for what these controls should
achieve.
Critics of the US regulations argue that there is an expectations gap, which is the
difference between the real situation and what investors expect. If the board of
directors made a statement that it was satisfied with the effectiveness of internal
controls, investors might expect that nothing can go wrong and there are no
risks that have not been controlled. This expectation would be incorrect.
It is also argued that if the board has to make a report to shareholders on the
effectiveness of internal controls, the directors would want to avoid any personal
liability for incorrect statements. As a consequence, board statements would be
written in ‘legal language’ with the assistance of the company’s lawyers, and
would not contain any information of value to shareholders.
4.2 The content of a board report on internal control
The report by the board of directors to shareholders on internal control should be
included in the company’s annual report.
In the UK, guidance on the content of this statement is provided by the Turnbull
Report.
The report to shareholders should provide ‘meaningful, high-level’ information
that the board considers necessary, so that shareholders are able to understand
the main features of the company’s risk management processes and system of
internal control. The information provided should not give a misleading
impression.
In its report, the board should disclose that:
- there is an ongoing process for identifying, evaluating and managing
significant risks faced by the company
- the system has been in place for the entire year under review and up to the
date that the annual report and accounts were approved by the board
- the system is regularly reviewed by the board, and
- the system is consistent with the guidance given in the Turnbull Report.
The report should include a statement by the board that it is responsible or the
company’s system of control and for reviewing its effectiveness.
The report should also state that the system of internal control is designed to
manage risk rather than to eliminate the risk of failure to achieve business
objectives. The internal control system can therefore only ‘provide reasonable
and not absolute assurance against material misstatement or loss.’
The information provided to shareholders does not need to go into details about
controls and control processes. ‘High-level’ information is sufficient.
Chapter 9: Internal control, audit and compliance
© Emile Woolf Publishing Limited 207
The Turnbull Report also states that in the report to shareholders, the board should:
Summarise the process it has used, or board committees have used, to review
the effectiveness of the system of internal control. (The board of directors is not
required to provide detailed information about the processes it has used, only a
summary.)
Confirm that action has been taken to remedy any significant weaknesses or
failings that were found in the system as a result of the review.
Disclose the process it has used for dealing with the internal control aspects of
any significant problems revealed in the annual report and accounts.
If the board has failed to conduct a review of the effectiveness of internal control
and risk management, a UK listed company must disclose this fact in its annual
report. (This regulation exists because of the ‘comply or explain’ requirement in the
UK Listing Rules.)
Example: Risk management and internal control report to shareholders
It would be a useful exercise for you to read one or two internal control reports in
company accounts. You can find these by visiting company web sites on the internet
and looking for the most recent annual report and accounts.
A good example of a report, and the level of detail provided, is shown below. It
comes from the 2006 report and accounts of Tesco plc (reproduced with kind
permission). The level of detail in this report is fairly typical of similar reports by
other large listed companies.
‘Risk management and internal control
Accountabilities. Accepting that risk is an inherent part of doing business, our risk
management system is designed to both encourage entrepreneurial spirit whilst also
providing assurance that risk is understood and managed. In terms of broad
accountabilities, the Board has overall responsibility for risk management and
internal control within the context of achieving the Group’s objectives. Executive
management is responsible for defining and maintaining the necessary control
systems. The role of Internal Audit is to monitor the overall system and report on its
effectiveness.
Background. The Group has a five-year rolling business plan to support the
delivery of the Company’s strategy of long-term growth in returns for shareholders.
Every business units and support function derives its objectives from the five-year
plan and these are cascaded to managers and staff by way of personal objectives.
Key to delivering effective risk management is ensuring that our people have a
good understanding of the Group’s strategy and our policies, procedures, values
and expected performance. We have a structured internal communications
programme that provides employees with a clear definition of the Group’s purpose,
goals and accountabilities, and the scope of permitted activities for each unit, line
managers and individuals. This ensures that all our people understand what is
expected of them and that decision-making takes place at the appropriate level….
Paper P1: Governance, risk and ethics
208 © Emile Woolf Publishing Limited
Risk management. The Board maintains a Key Risk Register which we review
formally twice a year. The register is populated with risks identified through
discussions principally between the Head of Internal Audit and the Board of
Directors although the views of senior management are also invited. Collectively,
the Board conducts an assessment of risk severity, considering impact and
likelihood and the adequacy of mitigating measures taken by the business….
Our key risks are set out [in the operating review]….
Internal controls. Accountability for managing risk at an operational level sits with
management. We have a Group-wide process for establishing clearly the risks and
responsibilities assigned to each level of management and the expected controls
required to be operated and monitored….
Monitoring. The Board oversees the monitoring system and has set specific
responsibilities for itself and Board or Executive Committees…. The Audit, Finance,
Compliance and Corporate Responsibility Committees’ reports are distributed to
the Board and a formal discussion on each is held at least once a year. These all
provide assurance that the Group is operating legally, ethically and in accordance
with approved financial and operational policies. We continue to review how the
Turnbull Guidance has been applied. In addition, internal and external audit play
key roles in the monitoring process.
Audit Committee. Annually, the Audit Committee reports to the Board on its
review of the effectiveness of the internal control systems for the accounting
year…. Throughout the year, the Committee also receives regular reports from
the internal and external auditors and has dialogue with senior managers on
their control responsibilities.
It should be understood that such systems are designed to provide reasonable,
but not absolute, assurance against material misstatement or loss.
Internal Audit. The Internal Audit department is fully independent of business
operations and has a Group-wide mandate. It operates a risk-based
methodology ensuring that the Group’s key risks receive appropriate regular
examination. Its responsibilities also include maintaining the Key Risk Register
and facilitating risk management and internal control with the Board, Audit
Committee and senior management throughout the Group. Internal Audit
facilitates oversight of risk and control systems of Group companies though a
number of risk committees established on either a geographic or business basis.
The Head of Internal Audit also attends all Audit Committee meetings….’
4.3 Summary: maintaining a sound system of internal control
The responsibility of the board of directors for maintaining a sound system of
internal control, as suggested by the Turnbull Guidance, can be summarised as
follows.
Chapter 9: Internal control, audit and compliance
© Emile Woolf Publishing Limited 209
Internal control activities
Responsibilities: the
board, management
and other employees
The Board sets policies on internal control. It
should obtain regular assurance from management
that the system is effective.
Management should implement board policies on
risk and control. Management should identify and
evaluate risks, and report these to the board for
consideration by the board. Management should
design, operate and monitor the system of internal
control, and report regularly to the board.
Employees should consider internal control as part
of their responsibility for achieving business
objectives.
Key elements
Control
environment
Risk assessment
Internal controls
Information and
communication
Monitoring
(A sound system of
internal control reduces
risk, but cannot
eliminate it -
unavoidable risks occur
from poor judgement,
human error,
management override
and unforeseeable
circumstances.)
Internal control consists of the policies, processes,
tasks and behaviour that, taken together:
enable the company to respond to the risks
business, operational, financial and
compliance risks (and other risks) to the
achievement of its business objectives. These
include business, operational, financial and
compliance risks.
safeguard assets from misuse, loss and fraud
help to ensure the quality of internal and
external reporting
help to ensure compliance with laws and
regulations and with the company’s internal
policies for the conduct of business.
Reviewing
effectiveness
• Regular reports from
management to the
board.
• Also an annual
assessment should be
made each year by
the board.
Monitoring risks and controls on a continuous
basis is essential for a sound system of internal
control. The board should receive and review
reports on internal control regularly. In addition,
there should be an annual assessment. The board
should define the process to be used. Management
is accountable to the board for monitoring the
control system.
Paper P1: Governance, risk and ethics
210 © Emile Woolf Publishing Limited
Internal control activities
The Board statement to
shareholders (in the
annual report)
The board should state that there is an ongoing
process for identifying, evaluating and managing
significant risks, that this process is reviewed
regularly by the board and accords with the
Turnbull Guidance.
4.4 Internal control: information systems and technology
Providing information to management and the board of directors is an essential part
of a system for monitoring internal control and risk management. The Turnbull
Guidance states that management and the board should receive ‘timely, relevant
and reliable reports on progress against business objectives and the related risks’.
The Guidance does not specify in any detail how frequently reports should be
obtained and what they should contain. The frequency and content of reports will
differ according to the size, nature and complexity of the business.
Timeliness. A company should have a policy about the timeliness of reports on
risk and control. As a general rule, when significant weaknesses or failings on
control are discovered, these should be reported to senior management and (by
senior management) to the board as quickly as possible. Other reports on risk
might be less urgent: for example, reports to management on risk might be
provided after each meeting of a risk committee, which might meet every
month. Reports to the board might be submitted by management every three
months, or possibly more frequently (at every meeting of the board).
Reliability. The information provided about risks should be reliable. The
processes for identifying and monitoring risks should therefore be effective, so
that management and the board of directors receive accurate assessments of
risks and controls.
Reports on internal control and risk management should be formal reports to the
managers responsible and the members of the board of directors. Unlike many
management information systems, where information is made available on demand
and online to management, internal control and risk management reports should be
provided in a printed form as part of a regular and continuing process.
This is to make sure that relevant information about risks and internal control are
brought to the attention of management, and the manager (or board director)
responsible cannot claim that he (or she) does not know.
Whistle blowing
An effective system of internal control and risk management should provide a
channel of communication for ‘whistle blowers’ to report their concerns about
breaches of the law or other regulations. For example, a company might give
employees to report their concerns to a board committee (such as the audit
committee) or to the senior independent director.
Chapter 9: Internal control, audit and compliance
© Emile Woolf Publishing Limited 211
The purpose of providing a channel of communication for whistle blowers is to
allow information about failings in internal control to be reported when it might
otherwise be suppressed by managers responsible for the failing (for example, a
fraud).
A problem with providing a communication channel for whistle blowers to the
board of directors is that some of the information provided might be unreliable. An
employee might make false accusations against a manager.
The committee or individual responsible for dealing with information from whistle
blowers should investigate the allegations with tact and care. It might be possible to
establish the truth of the allegations quickly, and then take action. Alternatively, it
might be necessary to suspend the individuals who are accused, ‘pending further
investigations’.
Paper P1: Governance, risk and ethics
212 © Emile Woolf Publishing Limited
© Emile Woolf Publishing Limited
213
Paper P1
Governance,riskandethics
CHAPTER
10
Identifying and assessing risk
Contents
1 Risk and risk management
2 Categories of risk
3 Concepts in risk management
4 Identification, assessment and measurement of
risk