
Internal Control Risk and Business Risk:

Risk is generally associated with the possibility that actual events will turn out worse than expected, or the possibility that things will go wrong. A more accurate definition of risk is that it is the possibility that events will turn out differently from what is expected: this often means the possibility of a worse outcome, but there may also be the possibility of a better outcome than expected.

 

Risks, especially the risks of a worse outcome than expected or the risk of unexpected losses, should be managed and kept within acceptable limits.

 

There are two broad types of risk that companies face.

  • Internal Control Risks:

   These are risks of losses that might arise due to failures or weaknesses in systems or due to errors (or fraud) by individuals. They are risks that controls within an entity are insufficient to stop adverse events from happening and losses being incurred. Internal control risks can be categorised into three broad types:

  • Financial Risks:

       These are risks of errors or fraud in financial controls, resulting in the misreporting of financial performance or financial position, the risk that assets may not be properly safeguarded and the risk of fraud.

  • Operational Risk:

       A helpful definition of operational risk is given by the Basel Committee for Banking Supervision. Although this definition applies to risks in the banking industry, it has a wider application. Operational risk is the risk of losses resulting from inadequate or failed internal processes, people and systems or external events.

  • Compliance Risk:

   This is the risk that important laws or regulations will not be complied with properly. Failure to comply with the law could result in legal action and/or fines.

 

  • Internal Controls:

Internal controls are established to eliminate some of these risks, to reduce the risks, or to identify an error or fault when it occurs. Internal controls may be categorised as financial controls, operational controls and compliance controls.

 

  • Business Risk or Strategic Risk:

       All business entities face risks in their business environment. Business entities take risks to make a profit, and profit is the reward for risk. When a company decides on its business strategies, management cannot be certain that they have made the right choices. Conditions in the company's markets might turn out differently from what management expect.

 

The business environment is continually changing: competition in the market, customer demand, economic conditions, government regulation, the state of technology and many other factors. Business risk has to be managed. Companies have to respond to changes in their environment. Chosen strategies should not be excessively risky in relation to the size of profits that the company expects to make from its investments.

 

Business risk is also called entrepreneurial risk. Companies must take business risks in order to make profits. They need to be entrepreneurial, otherwise they will lose market share to rival companies that are prepared to take more risks and business initiatives.

 

The importance of internal control and risk management:

Internal control and the management of business risk are important matters for all companies. In the UK, guidance on internal control for directors was published by the ICAEW. The guidance was known as the Turnbull Report. The Turnbull Report set out four connected reasons why internal control and business risk management are important.

 

  • A company's system of internal control is important for managing risks to the achievement of the company's business objectives. A strong system of internal control helps to safeguard (a) the investment of the company's shareholders and (b) the company's assets. Protecting the investment of the shareholders and safeguarding the company's assets are duties of the board of directors towards their shareholders.

  • Internal control can achieve three things: (a) control can improve the efficiency and effectiveness of operations, (b) control helps to ensure the reliability of the company's financial reporting to shareholders and (c) controls can help the company to ensure compliance with laws and other regulations.

  • Effective financial controls are important. These include controls to ensure that proper accounting records are maintained, that unnecessary financial risks (for example from fraud) are avoided and that financial reporting is reliable.

  • A company's strategic objectives and conditions in its business environment are continually changing. As a result, the risks faced by the company are also continually changing. A strong system of internal control depends on the ability of the company to identify the changing risks in its business environment and the extent of the risk that it faces. Profits are (in part) the reward for successful risk-taking in business, and internal control helps management to manage and control the business risks (rather than eliminate them).

 

Responsibility for risk management and internal control:

The responsibility for risk management and internal control is shared between the board of directors and management.

  • The board of directors is responsible for safeguarding the company's assets and for protecting the value of the shareholders' investment in the company. It should fulfil these duties with care and should be accountable to shareholders for what it has done. It is therefore a corporate governance responsibility of the board of directors to ensure that adequate systems for internal control and risk management are in place.

 

  • The board of directors is not responsible for running the operations of the company. Although the directors should monitor internal control and risk management systems, management has the responsibility for designing and implementing these systems.

 

The governance responsibility of the board of directors for internal control and risk management:

The management of risk, and the internal control system for managing risk, are aspects of corporate governance. However, there are differing views about the extent to which risk management and internal control should be a governance issue.

 

  • One view is that the directors have a governance responsibility for the strength of the financial controls in their company. They should therefore be responsible for ensuring that the system of financial control is adequate and should account to the shareholders for this responsibility. This view is accepted in the US and is applied by the Sarbanes-Oxley Act.

  • Another view is that the board of directors has a broader governance responsibility for ensuring the soundness of the entire internal control system and also for the business risk management system of the company. This view is applied in countries such as the UK, Singapore and South Africa.

       

UK Corporate Governance Code (Combined Code) requirements:

The UK Combined Code makes only a brief reference to the internal control system.

  • A principle of the Code is that 'the board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets'.

  • A provision of the Code linked to this principle is that: 'The directors should at least annually conduct a review of the effectiveness of the (company's) system of internal control and should report to shareholders that they have done so. The review should cover all material controls including financial, operational and compliance controls and risk management systems.'

 

US requirements: Sarbanes-Oxley Act:

In the US, the Sarbanes-Oxley Act limits the governance responsibility to control over financial reporting. Section 404 of the Act requires the annual report of companies to:

  • state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and

  • contain an assessment of the effectiveness of the company's internal control structure and procedures for financial reporting.

 
