
CHAPTER 11

RISK MANAGEMENT

RISK

- effect of uncertainty in objectives


- combination of the probability of occurrence of harm and the severity of that harm

• Risk is not the harm itself. It is merely a possibility that harm will occur. What causes harm
is a hazard.

Example: COVID-19 virus – hazard; probability that a certain person may be infected –
risk

• The concept of risk does not always relate to harm. Risk can likewise create opportunities.

Example: investing in stocks

• The concept of risk must be distinguished from uncertainty. Risk can be measured. You
may be able to tell possible outcomes and the chances that each outcome will occur. All
that is unknown is the actual outcome. Uncertainty means that you do not know all the
possible outcomes and/or the chances of each outcome occurring.

IMPACT OF RISK ON STAKEHOLDERS

On Shareholders
When the company’s risk profile changes, shareholders may sell their shares, resulting in
a lower share price.

On Creditors
They are concerned about whether the company can fulfill its obligations and limit the risk of
default. Otherwise, they can deny credit, charge higher interest, file actions in court that could lead
the company into liquidation, or ask for collateral.

On Employees
They are concerned about threats to their jobs: salary, promotion, benefits, satisfaction, and the
job itself. If the business fails, employees may lose their jobs.

On Customers and Suppliers
Suppliers are concerned about the risk of making unprofitable sales. Customers are
concerned about getting the value that they expect from the goods or services.

JENIELYN P. TORRES, CPA 1


On the Public
In general, the community is concerned with the risk that the company does not act as a good
corporate citizen. Otherwise, pressure group tactics can include publicity, direct action, sabotage,
or pressure on the government.

INTRODUCTION

• Effective corporate governance cannot be attained without the organization mastering the
art of risk management.

DEFINITION

RISK MANAGEMENT

- Process of measuring or assessing risk and developing strategies to manage it
- Systematic approach in identifying, analyzing, and controlling areas or events with a
potential for causing unwanted change
- Act or practice of controlling risk
- Identification, assessment, and prioritization of risks followed by coordinated and
economical application of resources to minimize, monitor, and control the probability
and/or impact of unfortunate events and to maximize the realization of opportunities
(International Organization for Standardization)

BASIC PRINCIPLES OF RISK MANAGEMENT (identified by ISO)

Risk management should

1. Create value
2. Address uncertainty and assumptions
3. Be an integral part of the organizational processes and decision-making
4. Be dynamic, iterative, transparent, tailorable, and responsive to change
5. Create capability of continual improvement and enhancement considering the best
available information and human factors
6. Be systematic, structured, and continually or periodically reassessed

STEPS IN THE PROCESS OF RISK MANAGEMENT

Standard ISO 31000 “Risk Management – Principles and Guidelines on Implementation”

1. Establishing the context

a. Identification of risk in a selected domain of interest

b. Planning the remainder of the process
c. Mapping out the
i. Social scope of risk management
ii. Identity and objectives of stakeholders
iii. Basis upon which risks will be evaluated, constraints
d. Defining a framework for the activity and an agenda for identification
e. Developing an analysis of risks involved in the process
f. Mitigation or solution of risks using available technological, human, and organizational
resources

2. Identification of potential risks

Common Risk Identification Methods

a. Objective-based risk
b. Scenario-based risk
c. Taxonomy-based risk
d. Common-risk checking
e. Risk charting

3. Risk assessment – assessment of the potential severity of risks and the probability of their
occurrence

a. risk identification
b. risk analysis
c. risk evaluation

ELEMENTS OF RISK MANAGEMENT

• Risks with high probability of occurrence but lower loss v. risks with high loss but lower
probability of occurrence

1. Identification, characterization, and assessment of threats
2. Assessment of the vulnerability of critical assets to specific threats
3. Determination of the risk
4. Identification of ways to reduce those risks
5. Prioritization of risk reduction measures based on a strategy

RELEVANT RISK TERMINOLOGIES

I. Risks Associated with Investments

a. Business Risk – uncertainty about the rate of return caused by the nature of the business
- Causes: uncertainty about the firm’s sales and operating expenses

b. Default Risk – related to the probability that some or all of the initial investment will not
be returned
- Closely related to the financial condition of the company issuing the security and the
security’s rank in claims on assets in the event of default or bankruptcy

c. Financial Risk – determined by the firm’s capital structure or sources of financing

d. Interest Rate Risk – gives rise to uncertainty about the cost of the debt

e. Liquidity Risk – inability to meet short-term obligations. It is associated with the
uncertainty created by the inability to sell the investment quickly for cash.

f. Management Risk

g. Purchasing Power Risk

II. Risks Associated with Manufacturing, Trading, and Service Concerns

a. Market Risk – risk of gain or loss due to movement in the market value of an asset – a
stock, bond, loan, foreign exchange, or commodity – or a derivative contract linked to these
assets

i. Product Risk
- Complexity
- Obsolescence
- Research and Development
- Packaging
- Delivery of Warranties

ii. Competitor Risk
- Pricing Strategy
- Market Share
- Market Strategy

b. Operations Risk

i. Process Stoppage
ii. Health and Safety
iii. After Sales Service Failure
iv. Environmental
v. Technological Obsolescence
vi. Integrity
- Management Fraud
- Employee Fraud
- Illegal Acts

c. Financial Risk – has some direct financial impact on the entity

i. Interest Rates Volatility
ii. Foreign Currency
iii. Liquidity
iv. Derivative
v. Viability

d. Business Risk

i. Regulatory Change
ii. Reputation
iii. Political
iv. Regulatory and Legal
v. Shareholder Relations
vi. Credit Rating
vii. Capital Availability
viii. Business Interruptions

III. Risks Associated with Financial Institutions

i. Financial
ii. Non-Financial

OTHER TYPES OF RISKS

Credit risk – occurs when a counterparty is unable or unwilling to fulfill its contractual obligation

Currency risk – the possibility of gain or loss due to future changes in exchange rates

Political risk – risk that political action will affect the position and value of an organization

Technological risk – failure of a system due to tampering of data, access to critical information,
nonavailability of data, and lack of controls

Internet risk – numerous security dangers brought by internet connectivity

Denial of service attack – characterized by an attempt by attackers to prevent legitimate users of
a service from using that service

Probity risk – risk of unethical behavior by one or more participants in a particular process

CATEGORIES OF POTENTIAL RISK TREATMENTS

1. Risk Avoidance – includes not performing an activity that could carry risk
2. Risk Reduction or Optimization – involves reducing the severity of the loss or the
likelihood of the loss from occurring
3. Risk Sharing – sharing with another party the burden of loss or the benefit of gain, from a
risk, and the measures to reduce a risk
4. Risk Retention – accepting the loss or benefit of gain from a risk when it occurs

AREAS OF RISK MANAGEMENT

1. Enterprise Risk Management
2. RM activities as applied to project management
3. RM for megaprojects
4. RM for information technology
5. RM techniques in petroleum and natural gas

SEC REQUIREMENT RELATIVE TO ENTERPRISE RISK MANAGEMENT OF
PUBLICLY-LISTED CORPORATIONS

• SEC Code of Governance Recommendations 2.11 and 3.4 and their corresponding
explanations

RISK MANAGEMENT FRAMEWORK

• SEC Code of Governance Principle 12

STEPS IN THE RISK MANAGEMENT PROCESS

1. Set up a separate risk management committee chaired by a board member.

- To demonstrate the firm’s commitment to adopt an integrated company-wide risk
management system

2. Ensure that a formal comprehensive risk management system is in place.

- To provide a clear vision of the board’s desire for an effective company-wide risk
management

3. Assess whether the formal system possesses the necessary elements.

KEY ELEMENTS

a. Goals and objectives
b. Risk language identification
c. Organization structure – should include formal charters, levels of authorization,
reporting lines, and job descriptions
d. Risk management process documentation

4. Evaluate the effectiveness of the various steps in the assessment of the comprehensive risks
faced by the business firm.

5. Assess if management has developed and implemented the suitable risk management
strategies and evaluate their effectiveness.

- Strategies may include avoidance, reduction, transfer, exploitation and retention of risks.

6. Evaluate if management has designed and implemented risk management capabilities.

7. Assess management’s efforts to monitor overall company risk management performance
and to improve continuously the firm’s capabilities.

- Must be monitored on a continuing basis

8. See to it that best practices as well as mistakes are shared by all.

- Regular communication of results and feedback to all concerned
- Open communication channel

9. Assess regularly the level of sophistication of the firm’s risk management system.

10. Hire experts when needed.

CHAPTER 12
PRACTICAL GUIDELINES IN REDUCING AND MANAGING BUSINESS RISKS

• Apply the principles and techniques appropriate to the situation.
• Risks can be managed and controlled but success is rare. Hence, the need for proper and
careful risk management.

UNDERSTAND THE NATURE OF RISK

• Some companies view risk as an opportunity.
• Starting point: Accept that risks exist.
• Understanding the nature of risk involves assessing the likelihood of risks becoming reality
and the effect they would have if they did.

IDENTIFY AND PRIORITIZE RISKS

• Identify significant risks both within and outside the organization in order to avoid
unnecessary surprises.
• Examples of significant risks: loss of a major customer, failure of a key supplier,
appearance of a significant competitor
• People behave differently and inconsistently when making decisions involving risk.
• For a more structured analysis, define the categories into which risks fall.

TYPICAL AREAS OF ORGANIZATIONAL RISK

1. Financial – inefficient cash management, fraud
2. Commercial – poor brand management, market changes
3. Strategic – marketing and pricing decisions, resource allocation decisions
4. Technical – failure of plant or equipment, accidental or negligent actions
5. Operational – product or design failure, corporate malpractice

CONSIDER THE ACCEPTABLE LEVEL OF RISKS

• Opportunity cost associated with risk: Avoiding a risk may mean avoiding a potentially
big opportunity.
• Sometimes, the greatest risk is to do nothing.

UNDERSTAND WHY RISKS BECOME REALITY

• Upon identification of risks, they can be ranked according to their potential impact and the
likelihood of their occurrence in order to highlight

a. where things might go wrong and what their impact would be
b. how, why, and where the risk catalysts might be triggered

TYPES OF RISK CATALYSTS (those that can change and trigger risks)
1. Technology – new hardware, software or system configurations; traffic congestion change
introduced by the Metro Manila Development Authority (MMDA) Chair
2. Organizational change – new management structures or reporting lines, new strategies,
commercial agreements like mergers
3. Processes – new products, markets, and acquisitions
4. People – hiring new employees, poor succession planning, weak people management,
behavior - laziness, fraud, human error
5. External factors – changes in regulation and political, economic, or social developments;
economic disruption brought by the pandemic

APPLY A SIMPLE RISK MANAGEMENT PROCESS

A. Risk Assessment and Analysis

• Assessment of risk differs from one company to another. For example, there are risks that
can be solved using past experience. There are also those that are harder to assess or
quantify. When a company is focused on meeting short-term expectations, risks with little
likelihood of occurrence in the next five years may not be so important to such a company.

B. Risk Management and Control

• Risk management procedures and techniques should be well documented, clearly
communicated, and regularly reviewed and monitored.

Table 1. Assessing and Mapping Risk

- Risks falling into the top-right quadrant require urgent action.
- Those in the bottom-right quadrant should not be ignored because complacency,
mistakes, and lack of control can turn them into reality.

• Once the inherent risks in a decision are understood, the priority is to exercise control.

• Share information, prepare and communicate clear guidelines, and establish control
procedures and risk measurement systems.

Avoid and Mitigate Risks

• Reduce or eliminate those that result only in costs.

• Can be achieved through quality assurance programs, environmental control processes,
health and safety regulations, accident prevention and emergency equipment installation,
and security measures to prevent crime, sabotage, espionage and threats to people and
systems

• Can also be reduced or mitigated by sharing them – ex: acceptable service agreements from
vendors

Create a Positive Climate for Managing Risk

• The ethos of an organization should recognize and reward behavior that manages risk.

Overcome the Fear of Risk

• Taking risks is needed to keep ahead of the competition.
• See risk as an opportunity, not a threat.
• Risk is both desirable and necessary. It provides opportunities to learn and develop and it
compels people to improve and effectively meet the challenge of change.

C. Controlling and Monitoring Enterprise-Wide Risks

Guide Questions

- Where are the greatest areas of risk relating to the most significant strategic decisions?
- What level of risk is acceptable for the company to bear?
- What is the overall level of exposure to risk? Has this been assessed and is it being
actively monitored?
- What are the costs and benefits of operating effective risk management controls?

- Do employees resent risk, or are they encouraged to view certain risks as opportunities?

PRACTICAL CONSIDERATIONS IN MANAGING AND REDUCING FINANCIAL
RISKS

Finance – lifeblood of a business. It heavily influences strategies and decisions at every level.

1. Improving Profitability

A. Variance Analysis – interpreting the differences between actual and planned
performance

B. Assessment of Market Entry and Exit Barriers – assessment of how easy or difficult it
is to either enter or leave a market

• When markets are difficult or costly for competitors to enter and relatively easy and
affordable to leave, firms can achieve high, stable returns, while still being able to leave
for other opportunities.

C. Break-even Analysis – cost-volume-profit analysis; analysis of the point when sales
cover costs or where neither profit nor loss is made

D. Controlling Costs – achieved by focusing on the big items of expenditure, being aware
of costs, maintaining a balance between costs and quality, using budgets for dynamic
financial management, developing a positive attitude to budgeting, eliminating waste

Practical Techniques to Improve Profitability

- Focus decision-making on the most profitable areas.
- Decide how to treat the least profitable products.
- Make sure new products enhance overall profitability.
- Manage development and production decisions.
- Set the buying policy.
- Consider how to create greater value from existing customers and products to
enhance profitability.
- Consider how to increase profitability by managing people.

2. Avoiding Pitfalls in Making Financial Decisions – achieved by applying the following
principles

a. Financial expertise must be widely available.
- To routinely make the best financial decisions

b. Consider the impact of financial decisions.

- Impact of finance issues upon other departments and decisions

c. Avoid weak budgetary control.
- Budgets are useful not just in measuring performance but also in making financial
decisions.

d. Understand the impact of cash flow.
- Importance of cash in organizations

e. Know where the risk lies.
- Ex: not only where the break-even point is but also how and when it will be reached

3. Reducing Financial Risk

Guide Questions
- Are the most effective and relevant performance measures in place to monitor and
assess the effectiveness of financial decisions?
- Is there a positive attitude to budgets and budgeting?
- What are the least profitable parts of the organization? How will they improve?
- How efficiently is cash managed? Do your strategic business decisions take account of
cash considerations, such as time value of money?

MGT 209
Overview of Internal Control

Companies establish goals and objectives and then assess the risks of achieving those objectives. As a response to the
assessed risk, the company may design and implement internal control to have a reasonable assurance that the objectives will be
achieved.

• Assessment of control risk and consideration of internal control are important steps in the audit process.
• Control risk – risk that the entity’s internal control may not detect or prevent a material misstatement

Internal Control
- process designed and effected by those charged with governance, management, and other personnel to provide reasonable
assurance about the achievement of the entity’s objectives with regard to (1) reliability of financial reporting (financial
reporting objective), (2) effectiveness and efficiency of operations (operational objective), and (3) compliance with
applicable laws and regulations (compliance objective)

4 essential concepts embodied in the said definition

a. Internal control is a process.
• It is not an end in itself. Instead, it is a means of achieving the entity’s objectives.

b. Internal control is effected by those charged with governance and management, and by other personnel.
• Responsibility of the management: to establish a control environment and maintain policies and procedures
to assist in achieving the entity’s objectives
• Responsibility of those charged with governance: to ensure the integrity of accounting and financial
reporting systems through oversight of management

c. Internal control can be expected to provide reasonable assurance of achieving the entity’s objectives.
• Only reasonable assurance, not absolute assurance (because of inherent limitations that may affect the
effectiveness of internal control)
• Examples of limitations: usual requirement that the cost of internal control should not exceed the expected
benefits to be derived, reality that human judgment in decision making can be faulty and subject to bias

Internal control can help
1. Achieve organizational, operational, and financial goals
2. Prevent loss of resources
3. Support reliable financial reporting
4. Support compliance with laws, regulations, and internal policies and procedures to avoid
damage to reputation and other consequences

But internal control cannot
1. Ensure organizational success
2. Ensure absolute protection of assets
3. Ensure the reliability of financial reporting
4. Ensure absolute compliance with laws, regulations, and policies and procedures

d. Internal control is designed to help achieve the entity’s objectives.

• Achievement of objectives depends not only on management decisions but also on competitors’ actions and other factors outside
the entity.

Internal Control System – all the policies and procedures (internal controls) adopted by the management of an entity to assist in
achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including
adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and the timely preparation of reliable financial information.

• Internal control structures vary from one company to the next, depending on factors such as size of the business,
nature of operations, geographical dispersion of activities, and organizational objectives.

A. Control Environment – overall attitude, awareness, and actions of directors and management regarding the internal control
system and its importance in the entity

• A strong control environment does not, by itself, ensure the effectiveness of the internal control system.

Subcomponents of the Control Environment

1. Communication and enforcement of integrity and ethical values
• Management should establish ethical standards that discourage employees from engaging in dishonest, unethical,
or illegal acts that could materially affect the financial statements.

2. Commitment to competence
• The entity should consider the level of competence required for each task and translate it to requisite knowledge
and skills.

3. Participation by those charged with governance
• The entity must have an audit committee, which will be responsible for overseeing the financial reporting policies
and practices of the entity.

4. Management’s philosophy and operating style
• The auditor should assess the management attitudes towards financial reporting and their emphasis on meeting
projected profit goals because these will significantly influence the risk of material misstatements in the financial
statements.

5. Organizational structure
• This provides a framework for planning, directing, and controlling the entity’s operations.

6. Assignment of authority and responsibility
• Appropriate methods of assigning responsibility must be implemented to avoid incompatible functions and to
minimize the possibility of errors because of too much workload assigned to an employee.

7. Human resources policies and procedures
• The entity must implement appropriate policies for hiring, training, evaluating, promoting, and compensating
the entity’s personnel because the competence of the entity’s employees will bear directly on the effectiveness of
the entity’s internal control.

B. Entity’s Risk Assessment Process

• Entity’s business objectives cannot be achieved without some risks.

Risk Assessment – identification, analysis, and management of risks pertaining to the preparation of financial statements

• The basic concepts of the entity’s risk assessment process are relevant to every entity, regardless of size, but the risk
assessment process is likely to be less formal and less structured in small entities than in larger ones.

C. Information and Communication System

Information system – consists of infrastructure (physical and hardware components), software, people, procedures, and
data
- encompasses methods and records that
1. Identify and record all valid transactions
2. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial
reporting
3. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial
statements
4. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting
period
5. Present properly the transactions and related disclosures in the financial statements

• The SEC Code of Corporate Governance provides that companies should maintain a comprehensive and cost-efficient
communication channel for disseminating relevant information.

• Communication – continual, iterative process of providing, sharing, and obtaining necessary information.
- can be made electronically, orally, or through the actions of management.
- can take such forms as policy manuals, accounting and financial reporting manuals, and memoranda.

D. Control Activities – policies and procedures that help ensure that management directives are carried out, for example,
that necessary actions are taken to address risks that threaten the achievement of the entity’s objectives

Major Categories of Control Procedures

1. Performance Review

Examples
a. comparing actual performance with budgets, forecasts, and prior period performance
b. investigating performance indicators based on operating and financial data
c. reviewing functional or activity performance

2. Information Processing Controls – policies and procedures designed to require authorization of transactions and to
ensure the accuracy and completeness of transaction processing

Classification of Control Activities

a. General controls – control activities that prevent or detect errors or irregularities for all accounting systems
b. Application controls – controls that pertain to the processing of a specific type of transaction

Control activities related to the processing of transactions

a. Proper authorization of transactions and activities
b. Segregation of duties
c. Adequate documents and records
d. Access to assets
e. Independent checks on performance

3. Physical Controls – controls that encompass the physical security of assets, authorization for access to computer
programs and data files, and the periodic counting and comparison with amounts shown on control records

Examples
a. Petty cash should be kept locked in a fireproof safe.
b. Cash received by retail clerks should be entered into a cash register to record all cash received.
c. Accounts receivable records should be stored in a locked, fireproof safe. If the records are computerized, adequate
backup copies should be maintained and access to the master files should be restricted via passwords.
d. Raw material inventory should be retained in a locked storeroom with a reliable and competent employee controlling
access.
e. Perishable tools should be stored in a locked storeroom under control of a reliable employee.
f. Manufacturing equipment should be kept in an area protected by burglar alarms and fire alarms and kept locked when
not in use.
g. Marketable securities should be stored in a safety deposit vault.

4. Segregation of Duties – assigning the responsibilities of authorizing transactions, recording transactions, and maintaining
custody of assets to different people
- purpose: to reduce the opportunities of allowing any person to be in a position to both perpetrate and conceal
errors or fraud in the normal course of the person’s duties

E. Monitoring of Controls – process that an entity uses to assess the quality of internal control over time
- involves assessing the design and operation of controls on a timely basis and taking corrective action as necessary
- accomplished through
1. Ongoing monitoring activities – built into the normal recurring activities of an entity
- include regularly performed supervisory and management activities
- example: continuous monitoring of customer complaints

2. Separate evaluations – performed on a non-routine basis
- example: periodic audits by the internal auditors

COSO - Committee of Sponsoring Organizations of the Treadway Commission
- a joint initiative dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk
management, internal control and fraud deterrence.

The 2013 Framework sets out 17 principles representing the fundamental concepts associated with each component.
Because these principles are drawn directly from the components, an entity can achieve effective internal control by applying all
principles. All principles apply to operations, reporting, and compliance objectives.

Control Environment (5)
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structures, reporting lines, authorities, and responsibilities
- Demonstrates commitment to competence
- Enforces accountability

Risk Assessment (4)
- Specifies appropriate objectives
- Identifies and analyzes risks
- Assesses fraud risks
- Identifies and analyzes significant changes

Control Activities (3)
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys control activities through policies and procedures

Information and Communications (3)
- Uses relevant information
- Communicates internally
- Communicates externally

Monitoring Activities (2)
- Conducts ongoing and/or separate evaluations
- Evaluates and communicates internal control deficiencies
MGT 209
FRAUD & ERROR
This chapter introduces fraud risk and errors and how they can be reduced, if not totally avoided, by having effective
internal control – a tool of good corporate governance and a vital tool in managing risk.

FRAUD – an intentional act involving the use of deception to obtain an unjust or illegal advantage
– involves motivation to commit it and a perceived opportunity to do so

ERROR – the underlying cause of the misstatement is unintentional


• The risk of not detecting a material misstatement resulting from fraud is higher than the risk of not detecting one
resulting from error.

TYPES OF MISSTATEMENTS
A. Misstatement arising from misappropriation of assets
- occurs when a perpetrator steals or misuses an organization’s assets
- also known as employee fraud because it usually involves employees
- can also involve management who are usually more able to disguise or conceal misappropriations in ways that
are difficult to detect
- often accompanied by false or misleading records or documents in order to conceal the fact that the assets
are missing or have been pledged without proper authorization

Misappropriation – an act of using or disposing of another’s property as if it were one’s own or of devoting
it to a purpose or use different from that agreed upon

Examples
♥ embezzling cash receipts – misappropriating collections on accounts receivable
♥ stealing entity’s assets such as cash, inventory, and intellectual property – stealing scrap for resale, colluding
with a competitor by disclosing technological data in return for payment
♥ causing the company to pay for goods or services that were not received – payments to fictitious vendors
and employees, kickbacks paid to purchasing agents in return for inflating prices
♥ using an entity’s assets for personal use – using entity’s assets as collateral for a personal loan
B. Misstatement arising from fraudulent financial reporting
- results from an intentional manipulation of reported financial results to misstate the economic condition of the
organization
- also known as management fraud because it usually involves members of the management or those charged
with governance
- can be caused by efforts of management to manage earnings in order to deceive financial statement users by
influencing their perceptions as to the entity’s performance and profitability

Examples
♥ manipulation, falsification, or alteration of records or documents
♥ misrepresentation in or intentional omission of the effects of transactions from records or documents
♥ recording of transactions without substance
♥ intentional misapplication of accounting principles relating to amounts, classification, manner of presentation,
or disclosure

The risk of the auditor not detecting a material misstatement resulting from management fraud is
greater than for employee fraud.
Reason: The management is frequently in a position to directly or indirectly manipulate
accounting records, present fraudulent financial information, or override
control procedures designed to prevent similar frauds by other employees.

CORRUPTION
- improper use of power
- usually uncovered through tips or complaints from third parties

Examples
1. Conflicts of interest – an undisclosed personal economic interest in a transaction that adversely affects
the organization or its shareholders
♥ Employees hiring someone close to them over another more qualified applicant
♥ Transfer of knowledge to a competitor by an employee who intends to join the competitor’s company

2. Kickbacks
♥ Preferential treatment of customers in return for a kickback
♥ Kickback to employees by a supplier in return for the supplier receiving favorable treatment
3. Bribery – offering, giving, receiving, or soliciting anything of value to influence an outcome
♥ Payment to government officials to obtain a benefit (ex: tax inspectors)
♥ Payment of agency/facilitation fees (bribes) in order to secure a contract

4. Extortion – offering to keep someone from harm in exchange for money or other considerations
Blackmail – offering to keep information confidential in return for money or other considerations

FRAUD RED FLAG


- conditions that indicate potential fraud
- can be anything that strongly suggests that an unethical or suspicious event has taken place, or is
a situation that would enable fraud to take place without detection

Examples
1. inadequate or non-transparent explanations for unusual transaction, variances, or results
2. large adjustments made after period end
3. absence of underlying documentation supporting the transaction
4. creation of fictitious reconciling items to create the appearance that accounts are in balance,
when they are not
5. discovery of falsification of documents, dates, contractual terms, or other business records

THE FRAUD TRIANGLE


- framework designed to explain the reasoning behind a worker’s decision to commit fraud
- describes the 3 factors that are present in every situation of fraud
Elements of the Fraud Triangle
1. incentive – factors that may create pressure on the management or employees
2. opportunity – characteristics or circumstances that may increase the susceptibility to fraud
3. rationalization – the attitude or mindset of the fraudster to justify committing the fraud

EXAMPLE
Fraud: Recording fictitious sales
Incentive: Significant declines in customer demand
Opportunity: Significant related-party transactions
Rationalization: Poor ethical standards

1. INCENTIVES OR PRESSURES TO COMMIT FRAUD
A. Asset Misappropriation
♥ Personal factors, such as severe financial considerations
♥ Pressure from family, friends, or society to live in a more lavish lifestyle
♥ Addictions to gambling
♥ Adverse relationships between the entity and employees with access to cash and other assets susceptible
to theft

B. Fraudulent Financial Reporting


♥ Management compensation schemes
♥ Pressure from outside or inside the entity, to achieve an expected (and perhaps unrealistic) earnings target
or financial outcome
♥ Debt covenants
♥ Greed

2. OPPORTUNITIES TO COMMIT FRAUD


♥ Significant related party transactions
♥ Company’s industry position - ability to dictate terms or conditions to suppliers or customers that might allow
individuals to structure fraudulent transactions
♥ Weak, inadequate, or inexistent internal controls
■ inadequate physical safeguards over assets
■ lack of complete and timely reconciliation of assets
■ inadequate system of authorization and approval of transactions (for example, in purchasing)
♥ Large amounts of cash on hand
♥ Inventory items that are small in size, of high value, or in high demand
♥ Fixed assets that are small in size, marketable, or lacking observable identification of ownership.
♥ Management overriding controls
■ recording fictitious journal entries, particularly close to the end of an accounting period, to manipulate
operating results
■ concealing facts that could affect the amounts recorded in the financial statements
■ altering records and terms related to significant and unusual transactions

3. RATIONALIZING THE FRAUD


A. Asset Misappropriation
♥ Mistreatment by the company – behavior indicating displeasure or dissatisfaction with the entity or its
treatment of the employee
♥ Sense of entitlement
♥ Tolerance of petty theft
♥ “We will lose everything if we don’t take the money.”
♥ “Something is owed by the company because others are treated better.”
B. Fraudulent Financial Reporting
♥ Saving the company
♥ Personal greed
♥ “Everybody cheats on the financial statements a little; we are just playing the same game.”
♥ “We will be in violation of all of our debt covenants unless we find a way to get this debt off the financial
statements.”

PREVENTION AND DETECTION OF FRAUD


- The responsibility rests primarily with (a) those charged with governance of the entity and (b) management.

TOP FRAUD TYPES


(according to 2020 PwC’s Economic Crime and Fraud Survey)

1. Customer fraud
2. Cybercrime
3. Asset misappropriation
4. Bribery and corruption
5. Accounting/financial statement fraud
6. Procurement fraud
7. Human resources fraud
8. Deceptive business practices
9. Anti-competition law infringement
10. Money laundering and sanctions
11. Intellectual property theft
12. Insider trading
13. Tax fraud

FRAUD PREVENTION
- involves action to discourage fraud and limit the exposure when it occurs
- principal mechanism: internal control

FRAUD DETECTION
- involves whistleblowing, internal and external tip-off, law enforcement investigation, change of personnel/duties,
corporate security, risk management, and internal and external audit.
MGT 209
Errors & irregularities

This chapter presents the errors and fraudulent activities that could result when there is poor internal control.

1. Sales and Collections Cycle


2. Acquisitions and Payments Cycle
3. Payroll and Personnel Cycle

1. Errors in Recording Sales and Collections Transactions


♥ using a wrong price or quantity, recording sales in the wrong period (cutoff error), bookkeeper’s failure
to understand proper accounting for a transaction

2. Fraud in Sales and Collections

a. Fraudulent Financial Reporting


♥ Recording fictitious sales (fictitious shipping documents, sales invoices, etc.)
♥ Recording valid transactions twice
♥ Recording in the current period sales that occurred in the succeeding period (improper cutoff)
♥ Following revenue recognition principles that are not in accordance with PFRS
♥ Recognizing revenue that should be deferred

♥ Commonly committed by managers to achieve high profits, to obtain bonuses, to retain the respect
of senior managers, or even to keep their jobs
b. Misappropriation of Assets
♥ Skimming – act of withholding cash receipts without recording them
- examples: when a cashier in a retail store does not ring up a transaction and takes the cash,
recording sales at an amount lower than the invoice amount

♥ Lapping – technique used to conceal the fact that cash has been abstracted
- the shortage in one customer’s account is covered with a subsequent payment made by another
customer

♥ Kiting – technique used to cover cash shortage or to inflate cash balance
- involves counting the cash twice by using the float in the banking system

Float – gap between the time the check is deposited or added to an account and the time
the check clears or is deducted from the account it was written on
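
Lapping as defined above leaves a trace that can be tested: the payer shown on the bank deposit slip differs from the customer account credited in the cash receipts journal, and the mismatches link into a chain. The following is an added example, not part of the original notes; the customer names, deposit references and amounts are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data. Deposit-slip detail from the bank: ref -> (payer, amount).
# Alpha's original payment was taken and never deposited, so it does not appear here.
DEPOSITS = {
    "D2": ("Bravo", 500),
    "D3": ("Charlie", 500),
    "D4": ("Delta", 300),
}
# Cash receipts journal: (deposit ref, customer account credited, amount).
POSTINGS = [
    ("D2", "Alpha", 500),    # Bravo's payment used to cover Alpha's account
    ("D3", "Bravo", 500),    # Charlie's payment used to cover Bravo's account
    ("D4", "Delta", 300),    # posted correctly
]

def find_misapplied(deposits, postings):
    """Return (ref, payer, credited) for postings that do not match the deposit slip."""
    hits = []
    for ref, credited, amount in postings:
        dep = deposits.get(ref)
        if dep is None:
            hits.append((ref, None, credited))   # posting with no deposit behind it
        elif dep[0] != credited or dep[1] != amount:
            hits.append((ref, dep[0], credited))
    return hits

def lapping_chains(misapplied):
    """Link misapplied receipts into chains: each account is covered by the next payer."""
    covered_by = {credited: payer for _ref, payer, credited in misapplied if payer}
    payers = set(covered_by.values())
    chains = []
    for start in covered_by:
        if start in payers:
            continue                             # not the head of a chain
        chain, seen = [start], {start}
        while chain[-1] in covered_by and covered_by[chain[-1]] not in seen:
            chain.append(covered_by[chain[-1]])
            seen.add(chain[-1])
        chains.append(chain)
    return chains

def uncredited_payers(deposits, postings):
    """Customers whose deposited payment was never credited to their own account."""
    credited = {(cust, amt) for _ref, cust, amt in postings}
    return sorted({p for p, amt in deposits.values() if (p, amt) not in credited})

if __name__ == "__main__":
    flagged = find_misapplied(DEPOSITS, POSTINGS)
    print(flagged, lapping_chains(flagged), uncredited_payers(DEPOSITS, POSTINGS))
```

The last customer in a chain is the one whose account currently carries the shortage, which is why confirming balances directly with customers also exposes the scheme.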

1. Errors in the Acquisitions and Payments Cycle


♥ Failing to record a purchase in the proper period
♥ Recording goods accepted on consignment as a purchase
♥ Misclassifying purchases of assets and expenses
♥ Failing to record a cash payment

♥ Entities normally design controls to prevent these errors from occurring or to detect errors if they
do occur.
♥ When such controls exist, auditors test the controls to assess their effectiveness.
♥ If the controls are not effective, auditors should perform substantive tests to determine that the
financial statements do not contain material misstatements that arose because of possible errors.
Example of substantive test: contacting customers to confirm that accounts receivable
balances are correct

2. Frauds in the Acquisitions and Payments Cycle


♥ Paying for fictitious purchases
♥ Receiving kickbacks
♥ Purchasing goods for personal use

1. Errors
♥ Paying employees at the wrong rate
♥ Paying employees for more hours than they worked
♥ Charging payroll expense to the wrong accounts
♥ Keeping terminated employees on the payroll

2. Frauds involving Payroll


♥ Fictitious employees
♥ Excess payment to employees
♥ Failure to record payroll
♥ Inappropriate assignment of labor costs to inventory
