May 2005 Examinations - Chartered Institute of … 2005 Examinations Strategy Level Paper P3 – Management Accounting Risk and Control Strategy Question Paper 2 Examiner’s Brief

May 2005 Examinations Strategy Level

Paper P3 – Management Accounting Risk and Control Strategy Question Paper 2 Examiner’s Brief Guide to the Paper 15 Examiner’s Answers 16 The answers published here have been written by the Examiner and should provide a helpful guide for both lecturers and students. Published separately on the CIMA website (www.cimaglobal.com) from the end of September 2005 is a Post Examination Guide for this paper, which provides much valuable and complementary material including indicative mark information. 2005 The Chartered Institute of Management Accountants. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recorded or otherwise, without the written permission of the publisher.

P3 2 May 2005

Management Accounting Pillar

Strategic Level Paper

P3 – Management Accounting – Risk and Control Strategy

26 May 2005 – Thursday Morning Session

Instructions to candidates

You are allowed three hours to answer this question paper.

You are allowed 20 minutes reading time before the examination begins during which you should read the question paper, and if you wish, make annotations on the question paper. However, you will not be allowed, under any circumstances, to open the answer book and start writing or use your calculator during this reading time.

You are strongly advised to carefully read the question requirement before attempting the question concerned. The question requirements are contained in a dotted box.

Answer the ONE compulsory question in Section A on pages 2 and 3.

Answer TWO questions only from Section B on pages 4 to 9.

Maths Tables and Formulae are provided on pages 11 to 14. These pages are detachable for ease of reference.

Write your full examination number, paper number and the examination subject title in the spaces provided on the front of the examination answer book. Also write your contact ID and name in the space provided in the right hand margin and seal to close.

Tick the appropriate boxes on the front of the answer book to indicate which questions you have answered.

P3 –

Ris

k an

d C

ontr

ol S

trat

egy

May 2005 3 P3

SECTION A – 50 MARKS [the indicative time for answering this section is 90 minutes] ANSWER THIS QUESTION Question One Company Overview IDAN is a large banking and financial services group that is listed on both the London Stock Exchange and the New York Stock Exchange. The group has over 20 million customers throughout the world and operates in 35 countries on four continents. The IDAN Group is composed of a mix of retail and commercial businesses that include corporate and investment banking, private banking and commercial banking. Trends within the Financial Services Sector The Board of Directors of IDAN is aware that a number of trends within the sector will require the bank to substantially re-design a number of its operating and information systems and review the nature of the interface between the internal audit and risk management functions. Current issues that are having an impact on the financial services sector include:

• A new European Union law requiring banks to provide details of interest paid on personal savings accounts held by non-residents. A withholding tax of 15% is to be imposed on such income and details must be sent by the bank to the tax authorities in the EU country where the recipient resides.

• Forecast rises in interest rates over the next two years.

• The elimination within the UK of the use of personal signatures as the authorisation method for credit and debit card transactions and their replacement with personal identification (PIN) numbers.

• The increasing use, by personal customers, of both telephone and internet banking

services. Over 40% of bill payments, standing order amendments and balance transfers by such customers were processed in this way during the last 12 months compared with 28% the previous year.

• A growth in the number of cases being sent to the financial ombudsman or the financial

industry regulator relating to claims of mis-selling or incorrect advice on the part of financial services companies in the supply of a range of savings and investment products.

• As a result of threats of terrorist activity, money laundering legislation has been

introduced or tightened in all of the countries in which IDAN has banking operations. Analysis by Type of Business (i) Net assets Year Ended 31 December 2004 31 December 2003 £m £m Corporate and investment banking 15,824 12,286 Personal financial services 9,250 6,400 Private Banking 2,320 1,755 Commercial banking 11,186 9,364 38,580 29,805

P3 4 May 2005

(ii) Profit on ordinary activities before tax Year Ended 31 December 2004 31 December 2003 £m £m Corporate and investment banking 3,416 2,949 Personal financial services 2,427 1,684 Private Banking 116 85 Commercial banking 3,356 3,558 9,315 8,276 (iii) Within the commercial banking portfolio, the allowance for credit losses equalled one per cent of the assets compared with two and a half per cent in personal financial services and private banking. (iv) Profits from Private Banking are viewed as being influenced by a range of factors including the state of the world economy and sentiment and performance in the equity markets. The current outlook for the global economy remains uncertain and depressed equity markets are expected to recover slowly over the coming financial year.

Required:

(a) Discuss the main categories of risk that are faced by a bank such as IDAN and the advantages of risk categorisation in the design of a risk management system.

(10 marks)

(b) For every one of the six issues identified in the question, recommend the controls that might be introduced to minimise IDAN’s exposure to such risks.

(15 marks)

(c) Compare and contrast the roles played by internal audit and risk management in organisations. Discuss the likely nature of the interaction between these two activities.

(10 marks)

The performance of the Managing Directors of the four types of business within IDAN is evaluated on the basis of the profits of their individual businesses. It has now been suggested by the Board that the strategy of the group, future investment opportunities and the profitability of each business should be evaluated against a risk-adjusted hurdle rate.

Required:

(d) Critically discuss this suggestion by making reference to the information provided in

the question. (15 marks)

(Total for Question One = 50 marks)

(Total for Section A = 50 marks)

End of Section A. Section B starts on the next page

May 2005 5 P3

SECTION B – 50 MARKS [the indicative time for answering this section is 90 minutes] ANSWER TWO QUESTIONS ONLY Question Two BJP is an organisation involved in making business-to-business sales of industrial products. BJP employs a sales team of 40 representatives and assigns each a geographic territory that is quite large. Sales representatives search for new business and follow up sales leads to win new business, and maintain contact with the existing customer base. The sales representatives spend almost all their time travelling to visit clients. The only time when they are not doing this is on one day each month when they are required to attend their regional offices for a sales meeting. Sales representatives incur expenses. They have a mobile telephone, a fully maintained company car and a corporate credit card which can be used to pay for vehicle expenses, accommodation and meals and the cost of entertaining potential and existing clients. The performance appraisal system for each sales representative is based on the number and value of new clients and existing clients in their territory. All sales representatives are required to submit a weekly report to their regional managers which gives details of the new and existing clients that they have visited during that week. The regional managers do not get involved in the daily routines of sales representatives if they are generating sufficient sales. Consequently, sales representatives have a large amount of freedom. The Head Office Finance department, to whom regional managers have a reporting relationship, analyses the volume and value of business won by sales representatives and collects details of their expenses which are then reported back monthly to regional managers. At the last meeting of regional managers, the Head Office Finance department highlighted the increase in sales representatives’ expenses as a proportion of sales revenue over the last two years and instructed regional managers to improve their control over the work representatives carry out and the expenses they incur.

Required:

(a) Advise regional managers as to the risks facing BJP as a result of the lack of apparent control over sales representatives and their expenses and recommend the controls that should be implemented by regional managers to rectify this situation.

(12 marks)

(b) Explain what an internal control system is, how it relates to the control environment and its likely costs, benefits and limitations.

(8 marks)

(c) Recommend how analytic review could be used in the internal audit of BJP’s sales representatives’ expenses.

(5 marks)

(Total for Question Two = 25 marks)

P3 6 May 2005

Question Three AMF is a market leading, high technology manufacturing organisation producing components for the computer industry. AMF has adopted a ‘lean’ approach to all its functions and has already made a decision to implement a new enterprise resource planning system (ERPS) to support the management of its customers, suppliers, inventory, capacity planning, production scheduling, distribution and accounting functions. The Board of AMF is considering the outsourcing of the design, delivery, implementation and operation of the ERPS to a specialist contractor that has an excellent reputation within the computer industry. A team would be set up within AMF to manage the transition.

Required: Write a formal report to the Board of AMF that: • discusses the advantages and disadvantages of outsourcing the ERPS system as

suggested above; (5 marks)

• identifies the main risks involved in outsourcing the ERPS and suggests how these

risks might be mitigated through internal controls and internal audit; (10 marks)

• recommends the processes and controls that AMF should adopt to manage a project

for successful transition to a chosen outsource supplier should that be the decision of the Board.

(5 marks)

(Total for Question Three= 25 marks including 5 marks for style, coherence and presentation of the report)

Section B continues on the next page

May 2005 7 P3

Question Four AL and Co. is a London-based building contractor, with an annual turnover of almost £15 million. The company employs 50 people, the majority of whom are skilled tradesmen or apprentices in the areas of plumbing, electrical work, plastering, carpentry, glazing and hard landscaping. AL and Co. specialises in renovation work for private clients by offering a fast “all service” facility that suits busy professional people seeking to renovate properties either for their own occupation or for investment purposes. As a result of the property boom, turnover has grown by over 30% in the last two years. Day-to-day management of the business is shared by two executive directors, one of whom manages the financial and legal aspects of the business (Director X), while the other is responsible for operational activities including work scheduling, agreeing quotes with the sales staff, and all procurement (Director Y). The two directors have a mutual respect and trust for one another and therefore do not check or verify each other’s work. As a medium sized company, AL and Co. is subject to an annual external audit, but it has no internal audit function and both its internal control and management accounting systems are very basic. Management accounting procedures record the costs of materials associated with all contracts via a job costing system, but other costs are not charged to individual contracts. The system is thus unable to identify whether any specific contract is profitable, and can only compute aggregate profit. One consequence of this system is that the company profitability depends on there being a close match between the actual time taken to complete jobs and the sales team’s estimate of the times required: however, the time variances are neither calculated nor monitored. The systems have never been questioned or refined because, to date, an average gross markup of 25% has always been achieved. This margin has ensured that both directors earn high salaries which have risen year on year, and there has therefore been little incentive to improve controls and manage costs. Two staff are employed to issue written quotes in response to customer enquiries, with prices being calculated on the basis of estimated labour and material costs plus 25%. The quotes are reviewed by Director Y before they are sent to customers. All payments are due on completion of the work. In drafting the work schedules Director Y has full knowledge of which quotes are accepted by customers. Additionally, given his role of supervising procurement, he regularly gives administrative staff the names of new suppliers for inclusion in the accounting system. Six months ago, Director Y found himself over-committed financially, and devised a way of diverting company funds from AL and Co. for his own personal use. He began adding 10% to the figures quoted for all jobs requiring the use of more than three separate services (plastering, electrical etc), thereby raising the gross markup to 37·5% in such cases. The intention was to fraudulently redirect the additional income for his personal use. This was achieved by the submission to AL and Co., on the completion of a job, of an invoice (for the 10% additional charge) in the name of a fictitious supplier of small tools and consumables. Director Y would code the associated costs as variable overhead in the accounting system. The timing of the invoices could easily be matched to the job completion dates in view of his knowledge of work schedules, and he set up a separate bank account in the fictitious name to receive these payments. You are an accountant in AL and Co. and have been assigned responsibility for liaison with the external auditors. You find that you are unable to resolve their concerns about the escalation in variable overhead expenses over the course of the last year, most of which have been charged to a non-local supplier’s account. You are having difficulty clarifying the precise nature of the expenses incurred because telephone calls to the business number always request that a message be left but no calls are ever returned. All other aspects of the audit are satisfactory.

P3 8 May 2005

Required: Write a report for the Directors of AL and Co. that:

• Details the inadequacies of the current ‘internal control’ system within the company

and possible changes that could be made to improve the system;

(10 marks) • Explains why the rise in variable overhead costs is a matter of concern from both an

external audit and an internal control perspective, and thus requires immediate agreement on a co-ordinated response to investigate the possibility of fraud;

(5 marks)

• Briefly explains the limits of the responsibility of external auditors to detect fraud;

(5 marks)

• Explains why the company should prepare a fraud response plan, and outlines the

issues to be considered in drafting such a plan.

(5 marks)

(Total for Question Four = 25 marks)

Section B continues on the next page

May 2005 9 P3

Question Five SDT plc is a UK based manufacturer of a wide range of printed circuit boards (PCBs) that are used in a variety of electrical products. SDT exports over 90% of its production to assembly plants owned by large multinational electronics companies all around the world. Two companies (A and B) require SDT to invoice them in a single currency, regardless of the export destination of the PCBs. The chosen currencies are the Japanese Yen (Company A) and the US$ (Company B) respectively. The remaining export sales all go to European customers and are invoiced in Euros. The variable cost and export price per unit PCB are shown below. Market Unit variable cost (£) Unit export sales price Company A 2·75 Yen 632·50 Company B 4·80 US$ 10·2678 Europe 6·25 Euro 12·033 Goods are supplied on 60 day credit terms. The following receipts for export sales are due in 60 days: Company A Yen 9,487,500 Company B US$ 82,142 Europe Euro 66,181 The foreign exchange rates to be used by SDT in evaluating its revenue from the export sales are as follows: Yen/£ US$/£ Euro/£ Spot market 198·987-200·787 1·7620-1·7826 1·4603-1·4813 2 months forward 197·667-200·032 1·7550-1·7775 1·4504-1·4784 3 months forward 196·028-198·432 1·7440-1·7677 1·4410-1·4721 1 year forward 188·158-190·992 1·6950-1·7311 1·4076-1·4426 The Managing Director of SDT believes that the foreign exchange markets are efficient and so the likelihood that SDT will make foreign exchange gains is the same as the likelihood that it will make foreign exchange losses. Furthermore, any exchange risk is already diversified across three currencies, each from countries in very different economic regions of the world. The Managing Director has therefore recommended that the Treasury Department should not hedge any foreign exchange risks arising from export sales.

P3 10 May 2005

Required:

(a) Critically comment on the validity of the views and recommendations expressed by

the Managing Director and explain how currency hedging might nevertheless be beneficial to SDT.

(6 marks)

(b) Calculate the sterling value of the contribution earned from exports to each of the customers (A, B and Europe) assuming that SDT

(i) hedges the risk in the forward market;

(3 marks)

(ii) does not hedge the risk and the relevant spot exchange rates in two months’ time are as follows:

Two month spot

Yen/£ 200·18-202·63 US$/£ 1·7650-1·7750 Euro/£ 1·4600-1·4680

(3 marks)

(iii) aims to maximise its contribution to sales ratio, calculate the average

contribution to sales ratio in each of the above scenarios and advise SDT accordingly on whether to hedge its foreign exchange exposure.

(3 marks)

(Total for requirement (b) = 9 marks)

(c) Comment on why (based on relative risk analysis) a company might seek to

generate higher rates of return from export sales compared to domestic sales.

(6 marks)

(d) If the payment from Company B is received late, briefly explain what risk SDT is taking in hedging B’s payment in the forward market, and how this risk could be avoided?

(4 marks)

(Total for Question Five = 25 marks)

(Total for Section B = 50 marks)

End of question paper

Maths Tables and Formulae are on pages 11 to 14

May 2005 11 P3

P3 12 May 2005

PRESENT VALUE TABLE

Present value of $1, that is ( ) nr −+1 where r = interest rate; n = number of periods until payment or receipt.

Interest rates (r) Periods (n) 1% 2% 3% 4% 5% 6% 7% 8% 9% 10%

1 0.990 0.980 0.971 0.962 0.952 0.943 0.935 0.926 0.917 0.909 2 0.980 0.961 0.943 0.925 0.907 0.890 0.873 0.857 0.842 0.826 3 0.971 0.942 0.915 0.889 0.864 0.840 0.816 0.794 0.772 0.751 4 0.961 0.924 0.888 0.855 0.823 0.792 0.763 0.735 0.708 0.683 5 0.951 0.906 0.863 0.822 0.784 0.747 0.713 0.681 0.650 0.621 6 0.942 0.888 0.837 0.790 0.746 0705 0.666 0.630 0.596 0.564 7 0.933 0.871 0.813 0.760 0.711 0.665 0.623 0.583 0.547 0.513 8 0.923 0.853 0.789 0.731 0.677 0.627 0.582 0.540 0.502 0.467 9 0.914 0.837 0.766 0.703 0.645 0.592 0.544 0.500 0.460 0.424 10 0.905 0.820 0.744 0.676 0.614 0.558 0.508 0.463 0.422 0.386 11 0.896 0.804 0.722 0.650 0.585 0.527 0.475 0.429 0.388 0.350 12 0.887 0.788 0.701 0.625 0.557 0.497 0.444 0.397 0.356 0.319 13 0.879 0.773 0.681 0.601 0.530 0.469 0.415 0.368 0.326 0.290 14 0.870 0.758 0.661 0.577 0.505 0.442 0.388 0.340 0.299 0.263 15 0.861 0.743 0.642 0.555 0.481 0.417 0.362 0.315 0.275 0.239 16 0.853 0.728 0.623 0.534 0.458 0.394 0.339 0.292 0.252 0.218 17 0.844 0.714 0.605 0.513 0.436 0.371 0.317 0.270 0.231 0.198 18 0.836 0.700 0.587 0.494 0.416 0.350 0.296 0.250 0.212 0.180 19 0.828 0.686 0.570 0.475 0.396 0.331 0.277 0.232 0.194 0.164 20 0.820 0.673 0.554 0.456 0.377 0.312 0.258 0.215 0.178 0.149

Interest rates (r) Periods

(n) 11% 12% 13% 14% 15% 16% 17% 18% 19% 20% 1 0.901 0.893 0.885 0.877 0.870 0.862 0.855 0.847 0.840 0.833 2 0.812 0.797 0.783 0.769 0.756 0.743 0.731 0.718 0.706 0.694 3 0.731 0.712 0.693 0.675 0.658 0.641 0.624 0.609 0.593 0.579 4 0.659 0.636 0.613 0.592 0.572 0.552 0.534 0.516 0.499 0.482 5 0.593 0.567 0.543 0.519 0.497 0.476 0.456 0.437 0.419 0.402 6 0.535 0.507 0.480 0.456 0.432 0.410 0.390 0.370 0.352 0.335 7 0.482 0.452 0.425 0.400 0.376 0.354 0.333 0.314 0.296 0.279 8 0.434 0.404 0.376 0.351 0.327 0.305 0.285 0.266 0.249 0.233 9 0.391 0.361 0.333 0.308 0.284 0.263 0.243 0.225 0.209 0.194 10 0.352 0.322 0.295 0.270 0.247 0.227 0.208 0.191 0.176 0.162 11 0.317 0.287 0.261 0.237 0.215 0.195 0.178 0.162 0.148 0.135 12 0.286 0.257 0.231 0.208 0.187 0.168 0.152 0.137 0.124 0.112 13 0.258 0.229 0.204 0.182 0.163 0.145 0.130 0.116 0.104 0.093 14 0.232 0.205 0.181 0.160 0.141 0.125 0.111 0.099 0.088 0.078 15 0.209 0.183 0.160 0.140 0.123 0.108 0.095 0.084 0.079 0.065 16 0.188 0.163 0.141 0.123 0.107 0.093 0.081 0.071 0.062 0.054 17 0.170 0.146 0.125 0.108 0.093 0.080 0.069 0.060 0.052 0.045 18 0.153 0.130 0.111 0.095 0.081 0.069 0.059 0.051 0.044 0.038 19 0.138 0.116 0.098 0.083 0.070 0.060 0.051 0.043 0.037 0.031 20 0.124 0.104 0.087 0.073 0.061 0.051 0.043 0.037 0.031 0.026

May 2005 13 P3

Cumulative present value of $1 per annum, Receivable or Payable at the end of each year for n

years rr n−+− )(11


(n) 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 1 0.990 0.980 0.971 0.962 0.952 0.943 0.935 0.926 0.917 0.909 2 1.970 1.942 1.913 1.886 1.859 1.833 1.808 1.783 1.759 1.736 3 2.941 2.884 2.829 2.775 2.723 2.673 2.624 2.577 2.531 2.487 4 3.902 3.808 3.717 3.630 3.546 3.465 3.387 3.312 3.240 3.170 5 4.853 4.713 4.580 4.452 4.329 4.212 4.100 3.993 3.890 3.791 6 5.795 5.601 5.417 5.242 5.076 4.917 4.767 4.623 4.486 4.355 7 6.728 6.472 6.230 6.002 5.786 5.582 5.389 5.206 5.033 4.868 8 7.652 7.325 7.020 6.733 6.463 6.210 5.971 5.747 5.535 5.335 9 8.566 8.162 7.786 7.435 7.108 6.802 6.515 6.247 5.995 5.759 10 9.471 8.983 8.530 8.111 7.722 7.360 7.024 6.710 6.418 6.145 11 10.368 9.787 9.253 8.760 8.306 7.887 7.499 7.139 6.805 6.495 12 11.255 10.575 9.954 9.385 8.863 8.384 7.943 7.536 7.161 6.814 13 12.134 11.348 10.635 9.986 9.394 8.853 8.358 7.904 7.487 7.103 14 13.004 12.106 11.296 10.563 9.899 9.295 8.745 8.244 7.786 7.367 15 13.865 12.849 11.938 11.118 10.380 9.712 9.108 8.559 8.061 7.606 16 14.718 13.578 12.561 11.652 10.838 10.106 9.447 8.851 8.313 7.824 17 15.562 14.292 13.166 12.166 11.274 10.477 9.763 9.122 8.544 8.022 18 16.398 14.992 13.754 12.659 11.690 10.828 10.059 9.372 8.756 8.201 19 17.226 15.679 14.324 13.134 12.085 11.158 10.336 9.604 8.950 8.365 20 18.046 16.351 14.878 13.590 12.462 11.470 10.594 9.818 9.129 8.514


(n) 11% 12% 13% 14% 15% 16% 17% 18% 19% 20% 1 0.901 0.893 0.885 0.877 0.870 0.862 0.855 0.847 0.840 0.833 2 1.713 1.690 1.668 1.647 1.626 1.605 1.585 1.566 1.547 1.528 3 2.444 2.402 2.361 2.322 2.283 2.246 2.210 2.174 2.140 2.106 4 3.102 3.037 2.974 2.914 2.855 2.798 2.743 2.690 2.639 2.589 5 3.696 3.605 3.517 3.433 3.352 3.274 3.199 3.127 3.058 2.991 6 4.231 4.111 3.998 3.889 3.784 3.685 3.589 3.498 3.410 3.326 7 4.712 4.564 4.423 4.288 4.160 4.039 3.922 3.812 3.706 3.605 8 5.146 4.968 4.799 4.639 4.487 4.344 4.207 4.078 3.954 3.837 9 5.537 5.328 5.132 4.946 4.772 4.607 4.451 4.303 4.163 4.031 10 5.889 5.650 5.426 5.216 5.019 4.833 4.659 4.494 4.339 4.192 11 6.207 5.938 5.687 5.453 5.234 5.029 4.836 4.656 4.486 4.327 12 6.492 6.194 5.918 5.660 5.421 5.197 4.988 7.793 4.611 4.439 13 6.750 6.424 6.122 5.842 5.583 5.342 5.118 4.910 4.715 4.533 14 6.982 6.628 6.302 6.002 5.724 5.468 5.229 5.008 4.802 4.611 15 7.191 6.811 6.462 6.142 5.847 5.575 5.324 5.092 4.876 4.675 16 7.379 6.974 6.604 6.265 5.954 5.668 5.405 5.162 4.938 4.730 17 7.549 7.120 6.729 6.373 6.047 5.749 5.475 5.222 4.990 4.775 18 7.702 7.250 6.840 6.467 6.128 5.818 5.534 5.273 5.033 4.812 19 7.839 7.366 6.938 6.550 6.198 5.877 5.584 5.316 5.070 4.843 20 7.963 7.469 7.025 6.623 6.259 5.929 5.628 5.353 5.101 4.870

P3 14 May 2005

Formulae Annuity Present value of an annuity of £1 per annum receivable or payable for n years, commencing in one year, discounted at r% per annum:

PV =

+−

nrr ]1[111

Perpetuity Present value of £1 per annum, payable or receivable in perpetuity, commencing in one year, discounted at r% per annum:

PV = r1

Growing Perpetuity Present value of £1 per annum, receivable or payable, commencing in one year, growing in perpetuity at a constant rate of g% per annum, discounted at r% per annum:

PV = gr −

1

May 2005 15 P3

The Examiners for Management Accounting – Risk and Control Strategy offer to future candidates and to tutors using this booklet for study purposes, the

following background and guidance on the questions included in this examination paper.

Section A – Question One – Compulsory

Question One is designed to test the candidate’s ability to categorise risk, recommend appropriate controls in relation to such risks, recognise the function of internal audit and risk management and how hurdle rates may be used in the risk-return trade-off. The syllabus topics being tested are mainly B (Risk and Internal Control), C (ii, internal audit) and D (Financial Risk). The question meets the learning outcomes by providing a case study in the financial services industry which identifies trends and performance data. Candidates are expected to apply their understanding of risk management, internal control and internal audit to a financial services case.

Section B – answer two of four questions

Question Two is designed to test the candidate’s ability to make recommendations in relation to internal controls, understand the costs and benefits of internal control and show how analytic review can be used in internal audit. The syllabus topics being tested are mainly C (Review and Audit of Control Systems) and B (Internal Control Systems). The question meets the learning outcomes by providing a scenario of an organisation that appears to have little control over sales representative expenses. Candidates are expected to apply their understanding of risks, internal controls and internal audit to the scenario. Question Three is designed to test the candidate’s ability in relation to risk in information systems in general and outsourcing of IT in particular and show how internal controls and internal audit can mitigate the risk. The syllabus topics being tested are mainly E (Risk and Control in Information Systems). The question meets the learning outcomes by providing a scenario in which an ERPS system is to be outsourced. Candidates are expected to apply their understanding of IT systems, risk and control and to write a report identifying the advantages and disadvantages of outsourcing, evaluating the main risks and recommending appropriate controls. Question Four seeks to test the candidate’s ability to identify shortcomings in internal controls systems, and the parties responsible for fraud management and detection. By placing the question in the context of a small sized business, the need for fraud control across all types and sizes of business is emphasised. The syllabus topics being tested range across both B (Risk and Internal Control) and C (Review and Audit of Control Systems). Candidates are expected to recognize that control of directors is central to fraud management and to identify mechanisms for improving internal controls, as well as understand the limited role of the external auditors in relation to fraud detection. The design of a fraud response plan forms the final part of the question. Question Five tests the candidate’s understanding of the management of financial risk. (syllabus section D) and specifically currency risk. A little over one third of the marks go for computational exercises, with the remaining marks allocated for critical commentary on various issues related to foreign exchange risk. Candidates are expected to understand the pros and cons of currency hedging and be able to interpret spot and forward rate data to estimate revenue flows. Understanding of the limitations of forward contracts is also tested. Additionally, candidates are asked to comment upon the relative risk:return requirements for domestic versus overseas sales.

P3 16 May 2005

The Examiner's Answers for Management Accounting – Risk and Control Strategy

The answers that follow are fuller and more comprehensive than would have been expected from a well-prepared candidate. They have been written in this way to aid teaching, study and revision for tutors and candidates alike.

SECTION A Answer to Question One Requirement (a) There is no universally accepted system for risk categorisation; a range of schemes are promoted by management consulting firms, but in many cases a company chooses to devise its own set of categories that reflect the individual needs of the business. Nonetheless, it is possible to identify a number of key types of risk that are likely to be faced by a bank such as IDAN. The number of categories may vary according to the type of business undertaken by the bank, but for a large multinational institution such as IDAN there may be considered to be six risk categories. These are:

• Credit risk • Market risk • Operational risk • Reputation risk • Compliance risk • Business risk

Most of these categories will also incorporate a number of sub categories, but for control purposes it is often helpful to limit the number of categories to ensure clear lines of management responsibility. Credit, or default risk arises because a borrower may be unable to make timely interest and/or capital repayments on a loan. IDAN has a mix of loans granted to both commercial and individual customers in a wide range of locations around the world. The loans will be a mix of secured and unsecured, so clearly the credit risk on unsecured loans is likely to be higher. If a borrower cannot make payments when required under the loan contract, or defaults entirely on the loan, this impacts on both the bank’s capital and its income. Market risks are those risks that may affect a bank’s earnings or capital because of changes in market prices. IDAN may, for example, engage in equities trading and if the price of any equity assets fall, then the bank may incur losses, or see its targeted earnings reduced. One of the most common areas of trading for a bank is in the derivatives markets, where prices can be extremely volatile. Systems need to be devised to measure and monitor a bank’s exposure to loss from such volatility, and the most commonly used models are based on the computation of a Value at Risk (VaR).

May 2005 17 P3

Operational risk is often viewed as a “catch all” category, but it is intended to acknowledge that the transaction systems, IT systems, staff behaviour and customer relations may all lead to changes in income and threaten profits. For example, some years ago a major UK bank got into trouble because it failed to process the mortgage payments of a large number of its customers on the correct day of the month. Some of the customers incurred additional costs as a result, and the bank was forced to publicly apologise and reimburse them for these costs. Clearly such operational errors need to be minimised or eliminated via the establishment of good systems, but they can also create another form of risk that is referred to as reputation risk. Reputation risk arises when an institution receives unfavourable press coverage, or adverse public opinion. For example, if a bank was rebuked by the advertising standards authority for misleading advertising, then this bad publicity could lead to a loss of customers. Additionally, the bank may find it even more difficult to recruit new custom. In order to protect themselves against such risks, many banks engage in community projects such as sponsoring youth sports events in an attempt to positively boost their public reputation. Compliance risk is of major importance to banks, as they are required by law to conform with a wide range of legal requirements and banking regulations. IDAN operates in 35 countries, each of which may have slight differences in its regulatory requirements, and in addition the bank will have to meet the demands of international regulating bodies such as the Bank For International Settlements and the Basel Committee. An institution found to be in breach of regulatory requirements may face the risk of a wide range of penalties including loss of the right to trade in certain areas, heavy financial penalties, and a massive drop in public reputation. Business risk arises because income may be threatened as a result of changes in the economic, political or competitive environment. One example of this is the way in which the growth in sales of financial products by supermarkets and general retailers has served to divert business away from the traditional banks that have not got a share in these markets. Many customers may prefer to arrange a personal loan via the internet site of their favourite supermarket, rather than face an interview in a traditional bank setting. As the trading environment changes, new business risks continually arise. In order to establish a risk management system, the first thing that any company must do is identify all of the factors that may threaten either the income stream or the value of its capital. In practice, of course, the list is potentially endless, and so possible risks are grouped into categories that may then be managed in common by the use of similar control systems. Depending on the size of the company, the risk management function may comprise of a single individual or a whole department in which different people take specific responsibility for a particular risk type. There are several advantages arising from risk categorisation. The first of these is that the identification of risks needs to begin at a very senior level. The Board of Directors, in drafting a list of types of risk that need to be managed, converts what was previously an ad hoc process into one which is more formal. Companies have always tried in one way or another to manage their risks, but by adopting an ad hoc approach the style of management is reactionary. Risk categorisation forces managers to be more pro-active in their attitude to risk management. The second big advantage is that once a risk has been identified, it becomes possible to think of tools that may be used to control and measure it. The discipline of risk management has developed substantially over the last decade, and risk categorisation helps managers to identify how they can deploy lessons from the discipline. The third advantage of risk categorisation is that it provides a framework that can be used for the definition of lines of responsibility, design of an internal control system, and clarification of groupings for the purposes of both internal and external risk reporting. The tightening of corporate governance regulations means that companies need to demonstrate effective internal control and reporting systems. The development of a good risk management system would be extremely difficult to realise without the completion of the initial step of grouping risks into categories. A systematic approach

P3 18 May 2005

to risk categorisation may help companies identify other related risks generally accepted to be in each category. Categorisation can help the recognition of the extent to which individual component risks within a category may be inter-related and likely to interact. Requirement (b) New EU Law The risk that is faced here falls into the category of compliance risk. If the bank fails to keep correct records of interest paid to non-residents, deduct the correct amount in withholding tax and notify the appropriate overseas tax authorities then it may be subject to legal action and/or financial penalties. Under such circumstances its reputation may also suffer damage. The controls that are required to be put into place are operational in nature. A separate database of overseas accounts needs to be created, and grouped into accounts according to the relevant fiscal authority. Sample testing of the accuracy of the database also needs to take place, and an updating schedule determined. An automated deduction system then needs to be created that will ensure that any interest payments into such accounts are paid net of the withholding tax, and a software programme written to compute the total liabilities due to each individual tax authority. The internal audit department should be notified of the changes introduced, so that an audit of the changeover and the new controls can be undertaken. A legal review could also be carried out to ensure that contractual arrangements with depositors comply with legal requirements. Forecast Rises in Interest Rates Interest rate movements represent a form of market risk, because the rate of interest represents a change in the “price” of money. Interest rate exposure may come from either trading activities or from traditional banking activities; in the latter case the interest rate risk is commonly described as structural. The forecast rises may have an effect on both sides of IDAN’s balance sheet, as well as affecting its credit risk exposure and possibly its business risk. A key component in limiting risk exposure is the definition of the bank’s appetite for interest rate exposure/risk. This is often the responsibility of the bank’s assets and liabilities committee (ALCO). A range of financial instruments may be used by both the Treasury department and ALCO to manage the risk, with the type of instrument varying by geographic location. For example, to avoid the risk of unanticipated rises, an interest rate cap may be purchased. The controls that need to be introduced under such circumstances will primarily involve adjustments to the interest rate sensitivity tables, currency by currency. It is safest to assume that not all interest rates will move together, and so interest rate risk is grouped on the basis of currencies where rates are likely to move in unison. The forecast interest rate change is likely to only affect a limited number of countries and so may not have a massive effect on the bank’s overall interest rate exposure. Systems should already be in place to facilitate the computation of the income effect created by each 10 basis point rise in interest rate according to the currency group in question, and this will yield a revised figure for interest rate sensitivity across the bank as a whole. This figure should be reported internally, and checked to ensure that it is within the defined risk appetite. Elimination of the use of signatures for debit/credit card authorisation This change is likely to reduce the bank’s long term exposure to the risk of losses through fraud. For credit card transactions this affects the credit risk category, but for debit card transactions it is an operational risk that is reduced. In the short term, however, whilst the new systems are introduced and customers have to be sent details of the PIN numbers required for authorisations, there is a temporary increase in operational risk. Systems need to be put in place to ensure that all relevant customers are notified of the intended changes, and a facility established to ensure that they can obtain the necessary PIN number. For banks such as IDAN that operate telephone and internet banking, the web site will need updating to include new information for customers and call centre staff trained as necessary. No assumptions can be made about the way in which a customer will become informed – multiple information channels will need to be established. If they are not, then

May 2005 19 P3

reputation risk may be increased. A detailed schedule will need to be drafted and adhered to, that ensures that all information goes out in time to the customers. Reputation could be destroyed if IDAN’s customers found they could not use their cards for purchases on the day of the changeover. Estimates of the impact on card fraud will need to be made, and new targets defined under the new authorisation system. Internal audit will then need to be informed of the revised targets, and a pre- implementation audit undertaken to ensure that everything is in place and ready for the change. Contingency plans should be in place to accommodate systems failure (hardware or software) and to provide business continuity. This should include, but not be limited to, off-site back-up of data, alternative hardware and network facilities, etc. Increased use of internet and telephone banking The figures show that the popularity of both types of banking is increasing, and so there will be increasing pressure being placed on the operating systems that support them. This pressure will result in a rise in operational risks. In the case of telephone banking, the level of call monitoring may need to be increased for a short time, or the centre subjected to a general internal audit. This would reveal the extent to which customers are kept waiting (compared to target times) and the speed and accuracy of the subsequent transaction processing. Operational speed and accuracy could possibly be reduced via increased staff training or changes in working methods. In addition, if call levels are increasing a security audit of the telephone system may be required to ensure that there is zero risk of interception. In the case of internet banking, the operational risk here arises primarily in the website design. Absolute security must be guaranteed and if new staff are recruited then care must be taken to ensure that personal security checks are not missed in the rush to expand the business. There is also a potential business risk if the bank fails to respond to changes in customer preferences which leads to an inability to compete effectively and thereby causing the bank to lose market share. Growth in the number of cases of mis-selling This represents a compliance risk. In the UK the FSA, the law, and the banking authorities lay down very strict rules regarding the type of information that must be provided to customers when they are being sold financial services. IDAN can do very little about any past mistakes that have been made but it can work to minimise the risk of future errors. This means that all promotional material for new products, such as contracts of sale, loan contracts and all other documentation must be subjected to rigorous checks to ensure compliance. Ideally, all such material should be required to pass a compliance check as part of the authorisation process, before a new product can be launched onto the market. Similarly, staff training must be extremely rigorous, to ensure full understanding of what they can/cannot promise their potential customers. Additional controls may be put in place via a review of staff remuneration schemes to ensure they do not encourage active “over selling.” Money Laundering This is a compliance risk that may arise out of ineffective control of operating systems. The law in the UK now requires that banks obtain original documentation from new customers wishing to open an account, and certain existing account holders wishing to open a new form of account. Good staff training needs to be put in place to ensure that all documentation is double checked and records kept of the verification. In addition, because money laundering may involve regular transactions both within and across national boundaries, a system needs to be implemented to track unusual transactions on accounts that are above a specified value. The value limit for personal accounts will be set much lower than for business accounts. The tracking process should include follow up monitoring of any identified accounts, including follow up interviews with customers where deemed necessary, and an automated system for notifying the police of relevant details. In all such cases, however, compliance with data protection legislation must also be ensured.

P3 20 May 2005

Requirement (c) Internal audit is concerned with using staff who work within an organisation to audit and verify the control systems within any given section of the organisation. The audit staff work independently of all other departments and are employed to give an objective assessment of the efficiency of the control systems, bearing in mind the type of checks that will be undertaken by the external auditors as well. For example, control systems will be in place to ensure that all expenditure is authorised. If the controls are in place then an order for a personal computer, for example, can be tracked through in terms of who placed the order, who authorised it and when, the date of and signature that delivery is accepted and payment of the associated invoice. If any of the documentation is missing the audit trail is incomplete and the system is thus open to potential abuse/fraud. It is the job of internal audit to ensure that all such control systems are working effectively across all sections of an organisation. Many but by no means all, of the controls will be related to financial transactions. For example, if legislation requires a customer to be given copies of contract documentation, then internal audit will undertake random checks to ensure that the controls that initiate the distribution of such documents are working effectively. The roles undertaken by internal audit and risk management will vary from one organisation to another but there may be considerable overlap. The work undertaken by internal audit and risk management will both be considered by external auditors. While internal audit will normally report direct to the audit committee, risk management may report to the audit committee or to a separately constituted risk committee of the board. Traditionally, many internal audit departments have operated on a cyclical basis, resulting in every section of an organisation being subject to audit every 1 – 5 years on the basis of compliance. In such situations the audit plan was drawn up simply on the basis of the audits that had fallen due. An alternative framework for devising an audit programme is on the basis of risk assessment, with more risky areas being subjected to more frequent audit. In such a situation it is business risks that determine where the internal auditors should be working, rather than a pre-determined timetable, and the risk priorities may shift over time. A study by Selim and McNamee found that in almost half of the firms surveyed, the Chief Internal Auditor reviewed the audit plan on a quarterly basis and revised it according to the current assessment of business risks and management concerns. The risk management section in an institution performs a related, but not identical function to that of internal audit. In essence risk management is concerned with ensuring that adequate processes are in place to ensure that the risks to which a company may be exposed, are kept within agreed boundaries. Risk management therefore encompasses a number of tasks including:

• Advising the Board of Directors on how to define an institution’s risk appetite and the required policies and processes necessary to fulfil that objective.

• Designing and maintaining a range of risk management processes including risk measurement systems

• Monitoring risk performance against the target levels. • Nurturing a risk conscious culture within an organisation

One important aspect of the relationship between internal audit and risk management is that risk management will itself be subject to internal audit. In other words, the way in which the risk management department operates in terms of identifying, measuring and monitoring defined risks will be subject to review. For example, a section of a bank’s branch network might be the subject of an internal audit, in the course of which it is discovered that personal loan customers are not being informed of their legal rights under consumer credit legislation. Such a situation is unlikely, but possible, and it would mean that the operational risk control systems were not sufficiently robust. The risk management department would be informed, and called upon to redesign the control system to eradicate/minimise future risks. If a large number of such faults were identified then a major internal audit of the risk management department would be instigated. In a bank such as IDAN, therefore, the twin functions of risk management and

May 2005 21 P3

internal audit work closely together to ensure that risk levels do not exceed the bank’s risk appetite, and that good monitoring systems are in place to ensure that risk exposures are reported in a timely and appropriate manner. Requirement (d) The data divides assets and profit according to four key lines of business. In 2004, corporate and investment banking absorbs the greatest proportion of assets (41%), closely followed by commercial banking (29%) with private banking being the least important. In terms of profits earned in 2004, the contribution from commercial banking is almost equivalent to that from corporate and investment banking (36·03% versus 36·67%), indicating that the return on assets in commercial banking is higher. The return on net assets (RONA) for each of the business categories is as follows:

2004 2003 Corporate and investment banking 21·59% 24·00% Personal financial services 26·24% 26·31% Private banking 5·00% 4·84% Commercial banking 30·00% 38·00%

The RONA table above indicates quite wide variations in the returns earned across the different lines of business, and the allocation of assets across the different areas needs to take this into account. At the same time, however, consideration needs to be given to the fact that additional earnings may require the business to take on additional risk. Alternative methods by which evaluation of the profit performance of individual businesses could be carried out include absolute profits, comparison with prior year, comparison with budget, EVA or residual income calculation after deducting the cost of capital, etc. Both the returns and the assets invested in private banking are very small, and so it is not an area that the bank needs to worry unduly about. More important is that fact that the RONA in all of the other three categories has fallen between the two years, and quite dramatically in the case of commercial banking. In deciding how to allocate assets across the different areas of business the bank therefore needs to take account of both the potential returns and the associated levels of risk in order to determine a risk adjusted required rate of return. In this way, any extra risks are rewarded by higher profitability and shareholders can see that there is a clear risk -return relationship. The allowances for credit losses may be used as a proxy for risk, but the question provides very limited detail, other than the fact that commercial loans appear to be lower risk than personal loans. If, for example, all personal loans were made via the personal financial services division, this would imply that private banking carried a zero default risk. Under such circumstances, if the weighted average required return across the group as a whole is set as, say, 22%, but private banking carries zero credit risk, then the rate of return required on assets here may be very low. Consequently, the 5% shown in the RONA table above may be quite acceptable in these circumstances and virtually guaranteed. Commercial banking earns better returns than personal financial services, but it appears from note (iii) to be less risky. This would suggest that assets should be diverted into that line of business because it can earn returns in excess of the required risk adjusted level. In order to use this system for asset allocation, the bank must have a clear idea of the relative risks of each different business line. It must also know the minimum investment required in order to maintain its market position in each area. Beyond that, investment in additional assets is discretionary and will reflect the bank’s willingness to take risks in order to generate returns, and the compensation that is required in return for the additional risk. The use of a risk adjusted return system to determine asset allocations is very similar to the concept of residual income as a divisional performance measure, and is intended to maximise the efficient use of capital, which is regarded as a scarce resource. In principle, therefore, the use of such a system should serve to increase shareholder value.

P3 22 May 2005

Private banking is not creating value and future prospects do not look favourable, although in many organisations one or more business units may be accepted as more valuable than they appear to be on the basis of RONA. They may be loss leaders necessary as part of the organisation’s overall competitive strategy. For example, private banking may lead to more lucrative commercial banking business.

May 2005 23 P3

SECTION B Answer to Question Two Requirement (a) The risks facing BJP can be considered in two areas: first, the lack of control over the activities of sales representatives that may result in them not spending their time efficiently and effectively on business activities; and second, the incurrence of costs that are unauthorised or unnecessary. The first results in paying salaries for representatives but obtaining inadequate or inappropriate efforts from them. This has both a financial and an opportunity cost. The second results in excessive financial costs. Both are largely a problem of agency in which there is information asymmetry between the sales representative and regional manager. There is also an issue of moral hazard in which there is the potential for ‘shirking’ behaviour. Risks may be classified either as business risks where value for money is not obtained (i.e. waste) or fraud risk in which there is a deliberate attempt to use business time and/or expenses for non-business purposes. These risks are particularly important where there are staff working without direct supervision and where regional management is remote from staff and from Head Office. Risk management practices involve assessing the likelihood and consequences of risk and putting in place appropriate management. Prior to the approach by Finance to regional managers, there appears to have been no assessment, reporting or mitigation of risk in BJP. The controls that should be introduced should include an appropriate mix of financial controls, non-financial quantitative controls, and non-financial qualitative controls In relation to sales activities:

• Contract of employment and policies covering expectations of sales representative performance e.g. planning calls to minimise mileage and accommodation, number of calls expected per day, etc.

• Setting targets for the number of sales calls and volume and value of business generated by each representative;

• Setting of appropriate bonus schemes to ensure that incremental effort is rewarded and that bonuses are not paid on business that would be generated in any event;

• Monitoring of sales call reports by regional manager to ensure workload is adequate; • Confirming with customers that visits have taken place and customer is satisfied with the

quality of the visit; • Determining success rates by representatives in turning prospects into customers; • Monitoring comparative performance between individual representatives.

In relation to expenses:

• Expense policies to specify what costs can be incurred and charged to the business and which constitute private expenditure, e.g. use of mobile phone for private calls, private use of motor vehicle;

• Procedures for negotiating with hotel chains, petrol stations and similar suppliers to obtain quantity and loyalty discounts;

• Setting of a budget for expenses, possibly as a percentage of sales revenue; • Setting limits for individual items of expenditure; • Monthly expense reporting for each representative showing the cost incurred and the

reason for its incurrence, including the customer/prospective customer the expense was incurred in relation to;

• The company should strive to pay, wherever possible, for expenses directly via invoicing or corporate credit card rather than reimbursing expenses to representatives.

P3 24 May 2005

• Monitoring of expenses by regional manager and pre-authorisation of expenses over agreed limits;

• Reduction of bonuses by a factor reflecting the level of representative expenses incurred; • Comparison of budget and actual expenditure and investigation of material variances; • Monitoring of vehicle mileage, maintenance, insurance claims, parking and speeding

penalties and mileage rates by representative to identify higher than expected use or careless driving;

• Monitoring of comparative expenditure by individual representatives; • Representative expenses should be subject to internal audit.

All expenses must be documented, authorised, necessary for business purposes, and not private expenditure which the employee seeks to have paid for by the organisation. Organisations need to establish policies and procedures to recover business expenditure used for private purposes, e.g. private mileage, use of business telephones for personal calls, etc. Generally:

• Effective recruitment including checking of prior references; • Performance appraisal covering both sales activities and results and expenses; • Appropriate training programmes to ensure effective sales techniques; • Awareness, and influencing, of the informal socialisation processes in the organisation,

especially where the culture of sales representatives may encourage behaviour not consistent with policies;

• Disciplinary process and appropriate rewards and sanctions to support other processes. Requirement (b) Internal control system and the control environment Internal control is the whole system of financial and other internal controls established in order to: provide reasonable assurance of effective and efficient operation; internal financial control; and compliance with laws and regulations. While the internal control system includes all the policies and procedures, the control environment is the overall attitude, awareness and actions of directors and management regarding internal controls and their importance to the organisation and encompassing management style, corporate culture and values. A system of internal control will reflect its control environment and include: control activities; information and communication processes; and processes for monitoring the effectiveness of the internal control system. The system of internal control should be embedded in the operations of the company and form part of its culture; be capable of responding quickly to evolving risks; and include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses. Costs, benefits & limitations The costs of internal control will comprise the time of regional managers and any opportunity costs resulting from this plus costs associated with introducing and operating new systems and reports. However, it is difficult to differentiate between internal controls and policies and procedures that are simply good business practice, e.g. human resource practices and accounting procedures. A cost of internal control may be restrictions on the flexibility, creativity and responsiveness of the organisation. The benefits of internal control may be difficult to identify but can be largely considered to be an improvement in the efficiency and effectiveness by which sales representatives use their time to win business, and the improved management of costs associated with their activities. These are largely concerned with eliminating both waste and fraud. Losses incurred from ineffective internal control can be estimated based on their level compared to targets or by benchmarking representatives against each other or by observing the trend over time. To the extent that effective internal control provides assurance to external auditors it can be used in negotiations to reduce the external audit fee.

May 2005 25 P3

A system of internal control cannot eliminate: poor judgement in decision-making; human error; the deliberate circumvention of control processes (especially where collusion occurs); the over-riding of, or lack of emphasis on, controls by senior management; and unforeseeable circumstances. Requirement (c) Analytic review involves the examination of ratios, trends and changes, between periods, to obtain a broad understanding of financial position and the results of operations. It can help to identify any items requiring further investigation. It is an important audit technique used to identify errors, fraud, inefficiency and inconsistency. Its purpose is to understand what has happened in a system, to compare this with a standard and to identify weaknesses in practice or unusual situations that may require further examination. Appropriate analytic review techniques for BJP may include:

• Ratio analysis of sales expenses to sales revenue with comparisons over time and between regions and sales representatives. Benchmarking data may be available from other sources or internally developed from identified best practice;

• Review, by sales representative, the proportions of new and existing business generated; • Compare data, by representative, on the loss of customers.

Answer to Question Three Report to Board of Directors Introduction: Context and Purpose of the Report AMF has already decided to implement an enterprise resource planning (ERP) system. ERP systems take a whole-of-business approach by capturing transaction data for accounting purposes, operational data, and customer and supplier data which are then made available through a data warehouse against which custom-designed reports can be produced. ERP system data can be used to update performance measures in a Balanced Scorecard system and can be used for activity-based costing, shareholder analysis, strategic planning, customer relationship management and supply chain management. Outsourcing enables organisations to concentrate on their core activities while subcontracting support activities to those organisations which are specialists. Services are provided to an agreed level of service, at an agreed cost and for an agreed period of time. AMF’s decision as to whether or not to outsource should be within the context of its information systems (IS), information technology (IT) and information management (IM) strategies. IS strategies are focused on the business unit, enabling it to satisfy internal and external customer demand. IT strategies are supply oriented, focusing on business activities and the technology needed to support those activities. IM strategies are management focused and concerned with the methods by which information is stored and available for access. Advantages and disadvantages of outsourcing The main potential advantages of outsourcing IT are: more accurate prediction of costs and more accurate budgetary control; using services only when necessary; improved quality and service; economies of scale available to the outsource service provider; the organisation is relieved of the burden of recruiting and managing specialist staff, especially where skills are in short supply; the outsourced service supplier has a better knowledge of changing technologies; saving management time and effort. The main potential disadvantages of outsourcing IT are: the difficulty of agreeing a service level agreement that clearly identifies the obligations of each party; the loss of flexibility and inability to quickly respond to changing circumstances and the possibility of ending up with a less customised system; the risk of unsatisfactory quality and service, or even failure of the supplier;

P3 26 May 2005

the risk of a lack of security over confidential or critical information; a short-term cost-savings focus may be at the expense of long-term strategy considerations; ignoring an unchanged overhead burden; poor management of the changeover or of the supplier; increasing costs of outsource provision over time, difficulty of changing the outsourced supplier or of returning to an in-house provision, and a loss of internal IM/IT/IS capability leading to dependence on outside suppliers. In cost terms, the costs of in-house provision need to be compared with outsourcing. The costs of in-house provision can be estimated quite easily, comprising staffing and equipment costs, maintenance, accommodation, etc. For outsourcing, cost estimation is more complex because many costs are ‘hidden’. A transactions cost approach will consider not only the direct costs of the outsource supplier but also costs associated with negotiation, monitoring, administration, insurance, etc. These hidden costs involve time commitments, opportunity costs and are associated with legal, moral and power conditions. Understanding these costs and conditions may reveal that it is more economic to carry out an activity in-house than to accept a market price which appears less costly but which may incur transaction costs that are hidden in overhead costs. Evaluation of risks associated with outsourcing The major risks facing AMF are business, financial and reputation. The risk of poor performance or failure of the supplier or the ERPS such that AMF is not able to support its business operations may lead to a failure to satisfy customers. This may well incur a financial loss. There is a consequential reputation risk to AMF if the failure of the ERPS causes it to fail to meet its business obligations. However, there is also likely to be a risk even if AMF carries out the ERPS function in-house. Due to its expertise, the outsource supplier may be in a better position to identify, assess, and manage the risks than can AMF. It may mitigate risks if AMF retains some in-house IT expertise, although this will be at a cost to AMF. The size and structure of the IT department retained by AMF will depend on its service level agreement with the outsource supplier and its assessment of risk. AMF needs to consider its ability to maintain and modify existing systems, its ability to support users, and the adequacy of system controls. The risk of outsourcing can be partly offset by retaining a small group of IT specialists in-house to monitor and work with the outsource supplier. Another option is to include in the service level agreement a requirement that a member of the supplier’s staff (an ‘implant’) is permanently located at AMF’s premises to act as liaison between client and contractor. Risk can also be reduced by building a long-term partnership between both companies rather than merely a contractor/client relationship. Mitigation of risk through internal controls and internal audit In an information systems environment, there are four types of control, and AMF or its outsource supplier needs to ensure the adequacy of:

• General controls to ensure appropriate use of computer systems and security from loss of data. This will be a responsibility both of AMF and the outsource supplier for controls over personnel recruitment, training and supervision and the separation of duties. Logical and physical access controls through password and other security devices will be important at both the supplier’s and AMF’s site. Business continuity planning will be the responsibility of the outsource supplier but AMF’s risk management needs to assess its adequacy.

• Application controls for input, processing and output are necessary for each individual ERPS application and are designed to prevent, detect and correct transaction processing errors. These need to be developed jointly by AMF and the outsource supplier and be reviewed by AMF’s internal audit.

• Software controls ensure that software used by the organisation is authorised. This is the outsource supplier’s responsibility.

• Network controls must exist to prevent unauthorised access to data transmitted over networks and to secure the integrity of data. This is especially important to prevent hacking, viruses, eavesdropping, errors, or malfunctions between the outsource supplier’s site and that of AMF.

May 2005 27 P3

Mitigation of risk could also be carried out by AMF:

• seeking legal guarantees from the outsource supplier; • monitoring the financial health of the outsource supplier; • seeking assurances as to the appropriateness of staff employed by the outsource

supplier on the implementation and operation of its systems. AMF’s own internal audit function needs to be involved during system design (as described above) and continuously thereafter to ensure that risks are adequately addressed by controls designed-in during the development phase; to ensure that financial and non-financial information is accurate and complete and suitable for its intended purpose; to identify potential problems in data collection, input, processing and output; to ensure an adequate audit trail; and to review the scope for possible fraud. Internal audit can only achieve these by working closely with the in-house and outsourced project team and steering committee. Internal audit should also be involved in a post-completion audit of the project. It is essential that AMF’s internal auditors have access to the outsourced supplier’s site, staff and databases to enable the necessary audit functions to be carried out on AMF’s data. Processes and controls to achieve successful transition If the Board decides to outsource the ERPS, there are two main issues to be addressed:

– Management of the implementation of the new ERPS by the outsource supplier; and – The changeover from the existing system.

The processes and controls that AMF should adopt to achieve a successful transition to the outsource supplier should be embedded in a project with a project team, project manager and steering committee. The project team should have responsibility for:

• Project planning and definition of user needs • Obtaining management support throughout AMF • Resource planning and allocation to support the system • Quality control and progress monitoring • Liaising with AMF’s suppliers and customers about how the way they interface with AMF

will be affected by the changes • Identification, assessment and management of risks • Detailed systems design and approval • System testing and implementation • User participation and involvement • Communication and co-ordination • User education and training.

A steering committee is important in bringing together the sponsor of the project who should be a senior manager who has been involved in authorising the project and is committed to its success; the project manager who is responsible for the day-to-day delivery of the project; specialist IT staff both in-house and from the outsource supplier with responsibility for delivering the project; user representatives with responsibility for accepting the system; and an internal audit representative with responsibility for ensuring the adequacy of internal controls and system testing in conjunction with users. While many of the technical tasks may be carried out by the outsource supplier, it is essential that the management of the project remains within AMF. The changeover from the existing system requires an implementation plan which will cover parallel running, where the ERPS is operated in conjunction with AMF’s existing system until such time as users are satisfied with the new system and are confident about discontinuing the existing system. If there is a changeover without parallel running, as will be the case in new features of ERPS that do not exist within existing systems, then testing prior to implementation becomes more important and additional monitoring may be needed during the early stages of implementation.

P3 28 May 2005

Particular care needs to be taken in converting data from existing systems. This needs to be properly planned and sufficient resources allocated to carry out the conversion. Adequate controls need to be implemented to ensure the consistency of data as it is transferred from the old to the new system, identifying any duplications and omissions. Conclusion An ERP system is to a large extent integrated into the daily working practices of an organisation and AMF will become highly dependent on the system for the management of its customers, suppliers, inventory, capacity planning, production scheduling, distribution and accounting functions as well as for the information that will flow to management from the ERPS data warehouse. Therefore, the question for management becomes how best risk can be managed and how the advantages of cost, quality and staffing can be balanced with disadvantages of loss of flexibility and the need to manage the outsource supplier. An outsourcing decision needs to be carried out on the basis of a competitive bidding process and implemented according to the information systems development process described above. Adequate internal controls need to be established and the involvement of AMF’s internal audit function is essential. Answer to Question Four Report to Directors of AL & Co. Author: Accountant Subject: Internal Control Systems within AL & Co. Terms of Reference: The contents of this report are based upon the findings in relation to internal controls arising from the tests and investigations conducted in the course of the external audit for the year ended 31st XXX 2004. The auditors have raised a number of concerns to which I am unable to respond, and which require your immediate attention in your role as directors of AL & Co. Inadequacies in existing internal control and costing systems, and suggestions for improvement The internal control system within AL and Co is very limited in its sophistication in the context of a medium sized business. The limited resources within the company mean that we do not have either an internal auditor or a dedicated HRM manager. Their absence serves to limit the level of internal control, and as a result it would seem that the company is at high risk of exposure to both internal and external fraud. The current organisational structure grants operational responsibility to Director Y, whilst Director X retains responsibility for accounting, financial and legal matters. The working relationship between directors is based upon trust and so there is no control system for validation of each other’s work, except in the form of the external audit. This system might be acceptable if tight controls over finance and operations were in existence lower down the managerial ladder, but these also appear to be absent, which leaves scope for the possibility of collusive fraud between a director and other managers. There is a duty on the part of the board of directors of a company to ensure that internal controls are established that will minimise the risk of fraud and/or error. It is the opinion of the external auditors that as Directors you have yet to establish such systems. The specific inadequacies in the internal controls and management accounting systems within AL & Co are detailed below, together with some suggestions for how they may be improved.

May 2005 29 P3

• There does not appear to be any budgeting system in place, which would be helpful for both planning and control purposes. Monthly control accounts should be produced by the accounts manager, comprising a profit and loss account and cash flow for the period together with opening and closing balance sheets. Exception reports should be drafted to highlight any material changes to trends, or variations from budgeted results. Copies of these reports should be sent to both Directors.

• The management accounting system records materials against individual jobs as they

are issued from stock, but no controls exist for monitoring their use on site, and recording variances between estimated and actual usages. All materials should be booked out to a job and removed from store only by the end user and not the job foreman. The foreman should then book all unused items back into stock. By separating out responsibility in this way, control over the potential theft of goods is tightened.

• The profitability of individual jobs should be monitored and significant cost variances

investigated. I suggest that you begin by introducing a job costing system that includes an apportionment of overheads. Computation of the staff time per job could be relatively easily achieved, and other overheads could be apportioned on a relatively simple basis such as £X per labour hour, given that labour is the main cost in the contracting business. Knowledge of the cost per job would facilitate improved budgeting which would in turn highlight unexpected trends in particular costs. Consequently, general financial control would be tightened.

• Gross margins per client should be monitored and benchmarked according to job type. Data should also be grouped according to the staff managing a job in respect of both the sales staff producing the quote and the job foremen. Reports on the findings should be submitted to the Board of Directors on a regular basis. In other words, the introduction of a simple form of performance related pay or responsibility management would be beneficial.

• The only controls over Directors in a small or medium sized business are those imposed

by their fellow directors. The culture of trust in AL and Co. assumes that no such controls are necessary, but this may be a misplaced assumption. Systems should be established to ensure the integrity of data, control over cash and general safeguarding of resources. For example, there does not appear to be a routine procedure for verification of the validity of invoices presented for payment.

• It is well recognised that overstatement of expenses is a common method of fraud, but

the financial control systems within the company appear to be very limited, and focus primarily on achievement of a target profit margin. Tighter monitoring of accounting records is required.

Unusual Cost Trends, the Possible Implications and Suggested Course of Action A key aspect of the role of external auditors is to gain assurance that the financial statements provide a true and fair view of the financial performance and position of the company. Consequently, it is necessary to seek full explanations of any unusual cost trends identified in the course of the audit. It would seem that the pattern of cost changes is broadly in line with both the trend of increased sales activity and the changes in prices paid for external supplies, and hence profitability levels have remained above the target 25% gross return that is required. Nonetheless, the figure for variable overhead has shown a disproportionate increase over the same period, the cause of which appears to be payments to a new supplier that was recently introduced. The invoices relate to purchases of small tools and consumables, but there does not appear to be a system for tracking the issue and use of these tools. The audit trail can only be completed by more detailed questioning of a number of staff across the company, including you as Directors. It is assumed that the introduction of new suppliers is subject to some system of formal review by at least two different members of staff including one

P3 30 May 2005

of the directors, and the auditors are seeking assurance that such procedures were followed in relation to this specific case. Similarly, they require written evidence that the relevant invoices relate to costs necessarily incurred in the course of the business. In the absence of such evidence, it will be necessary to initiate a formal investigation into possible fraudulent activity, and notify the police of a possible offence under section 186 of the Theft Act (1968). The auditors wish to assure you that this is not a course of action that will be pursued lightly, but would be an inevitable consequence of lack of evidence relating to the nature of the relevant expenses. The limits of the responsibility of external auditors to detect fraud SAS110 states that “auditors plan, perform and evaluate their audit work in order to have a reasonable expectation of detecting material misstatements in the financial statements arising from error or fraud. However, an audit cannot be expected to detect all instances of fraudulent or dishonest conduct.” (SAS110, para.18). In other words, there is an unavoidable risk that the auditor may not detect fraud, and the primary responsibility for effective internal control systems rests with the company directors. The case for, and issues to be considered in drafting a fraud response plan I suggest that you need to immediately devise a fraud response plan and instigate an immediate investigation into the matter. The Fraud Advisory Panel in the United Kingdom suggests that the following issues should be considered in drafting a response:

• Who will lead the investigation? Is there adequate internal expertise, or should you request outside expert help?

• The investigation method to be used – eg interviews; creation of “fake contracts” etc • The systems required to mitigate the risk of future fraud via improved controls • How to secure evidence without alerting the fraudster • How to deal with suspects • How/when to involve the police

We need to meet as soon as possible so that I can present you with the evidence provided to date by the auditors, and further to that meeting the external audit team are available to assist in the investigation if required. The hope is that this matter can be resolved internally and will not cause excessive disruption to the company. Answer to Question Five Requirement (a) The managing director’s observation that the efficiency of the foreign exchange markets means that SDT is equally likely to make either foreign exchange gains or losses is only partially correct. Market efficiency is dependent upon the existence of a large number of both buyers and sellers in order to create high levels of liquidity in the marketplace, and exchange rates that are determined within an environment of freely floating currencies. In practice, the level of liquidity is likely to vary between currencies, as is the amount of information freely available to the market, and the extent to which exchange rates are freely determined and not “managed” via government intervention. For major world currencies such as the Yen and the US dollar, information levels are very high and the market prices thus accurately reflect the relative demand and supply pressures. For currencies that are less commonly traded, however, supply may be controlled by government policies, and/or be less predictable, leading to more volatile pricing and an illiquid market. The case scenario indicates that SDT is only exposed to foreign exchange risk in respect of major world currencies, the markets for which are deemed to be efficient. Consequently, for each individual currency exposure, the Managing Director is correct in suggesting that gains or losses are equally likely. However, the company is faced with simultaneous exposure to three currencies, the exchange rates of which may or may not be correlated. The data presented in

May 2005 31 P3

the question in fact show that sterling is expected to weaken against all three other currencies. As a result it is an oversimplification to suggest that gains or losses are equally likely across the portfolio of risk because the diversification may serve to either increase or decrease the total risk exposure, depending upon the correlation between the currencies. The Managing Director’s view is thus incorrect in this regard. The fact that the Euro, Yen and US dollar are all currencies from different continents and economic regions indicates that SDT has diversified its currency risk, but this does not necessarily imply that any remaining risk should not be hedged. The economic regions represented by these three currencies are commonly referred to as the Triad, and denote the consumer based economies of the developing world. Increasing globalisation of markets has resulted in a growing interdependence between the world’s economic regions with the result that the economies of the Triad tend to follow common trends. A slowdown in spending in the USA, for example, can lead to a reduction in output in either SE Asia or Europe and vice versa. This interdependence means that it is very likely that the three currencies will move in tandem with one another, and so the diversification of risk is less than might be initially expected. At the same time, while markets may be efficient on the basis of information available at any point, new information does continuously come to light which changes rates. Unexpected events such as September 11th 2001 can have a substantial impact on an economy in a manner that could not have been predicted, and hedging enables a company to minimise its exposure to the consequential unpredictable changes in exchange rates. In other words, even if, on average, one does not expect to make a net benefit (or avoid a net loss) by hedging, it can still be valuable as an insurance against risk. This is particularly the case for a company such as SDT that exports over 90% of its production. We can therefore conclude that the diversification resulting from receiving export income denominated in Yen, Euros and US Dollars is insufficient justification for choosing not to hedge foreign exchange risk in SDT. Currency hedging may be advantageous to SDT for a number of reasons including:

• Ensuring certainty of cash flows and profit margins on transactions invoiced in a foreign currency

• Improved planning and budgeting in view of the above • Reduced risk in selling into any market where the currency can be bought/sold on the

forward market The disadvantage of hedging using externally purchased instruments is the associated transaction cost. It is therefore important for the Board of Directors of the company to define its attitude to risk, and decide whether the risk of any exchange rate movements that accompany a non- hedging strategy is acceptable or not. Hedging will then be used if the estimated risks are believed to be intolerably high.

P3 32 May 2005

Requirement (b)

(i) If SDT hedges the risk in the forward market then the revenue from the export sales can be determined by reference to the relevant two month forward rates.

Company A Sum due: ¥9,487,500 Two month forward rate for selling Yen is ¥200·032/£ Sterling value of receipts is thus ¥9,487,500/200·032 = £47,430 Units sold = 9,487,500/632·50 = 15,000 At cost of £2·75 per unit, variable cost = £41,250 Contribution is revenue less variable cost = £47,430 - £41,250 = £6,180

Company B Sum due: US$82,142 Two month forward rate for selling US$ is $1·7775/£ Sterling value of receipts is thus $82,142/1·7775 = £46,212 Units sold = 82,142/10·2678 = 8,000 At cost of £4·80 per unit, variable cost = £38,400 Contribution is revenue less variable cost = £46,212 - £38,400 = £7,812

Europe Sum due: €66,181 Two month forward rate for selling Euro is €1·4784/£ Sterling value of receipts is thus €66,181/1·4784 = £44,765 Units sold = 66,181/12·033 = 5500 At cost of £6·25 per unit, variable cost = £34,375 Contribution is revenue less variable cost = £44,765 - £34,375 = £10,390 Total contribution from export sales when hedged = £24,382

(ii) If the risk is not hedged, the variable costs remain unchanged but the revenue will reflect a different rate of exchange as follows:

Company A Sterling value of receipts @ ¥202·63 is £46,822, hence the contribution becomes £5,572

Company B Sterling value of receipts @ US$1·7750/£ is £46,277, yielding a contribution of £7,877 Europe Two month forward rate is €1·4680/£ giving receipts of £45,082 and a contribution of £10,707 Total contribution from export sales if left unhedged = £24,156

(iii) Scenario 1 (Hedging) Total receipts from exports = £47,430 + £46,212 + £44,765 = £138,407 Total contribution from exports = £6,180 + £7,812 + £10,390 = £24,382

Average Contribution:Sales ratio is thus 17·62%

May 2005 33 P3

Scenario 2 (Unhedged) Total receipts from exports = £46,822 + £46,277 + £45,082 = £138,181 Total contribution from exports = £5,572 + £7,877 + £10,707 = £24,156 Average Contribution:Sales ratio is thus 17·48%

SDT is therefore advised to hedge its foreign exchange risks because this leads to a slightly higher average contribution: sales ratio on the overseas sales, ignoring transaction costs. Requirement (c) A company may wish to earn a higher average rate of return from exporting than from domestic sales because of the increased risks, and costs that are associated with foreign sales, combined with the fact that export management may also require additional capital investment. Additional risks include higher risks of loss/damage in transit due to increased delivery distances; potentially higher credit risks because of lack of knowledge of foreign customers and slower payment mechanisms or extended payment terms and transaction risks arising from foreign exchange rate movements. In addition, a company may incur additional expenses in buying in foreign language experts, treasury skills and export documentation services in order to service the foreign markets. Furthermore, the ongoing monitoring of foreign debtors is likely to be more expensive, and political and business risks will be higher in countries with which senior managers are less familiar. Overall, therefore, the combination of potential additional capital investment and additional risk, implies that the return required on export sales will be higher than that for domestic sales if targets are set in terms of a risk adjusted rate of return (or risk adjusted value added).The only circumstances when this view might not be valid is if export sales are managed via an agent and invoiced in the domestic currency, because in such a situation there is little material increase in risk involved in the overseas sales. Requirement (d) In choosing to hedge the risk via a forward contract, SDT is committed to delivering the contracted amount of the forward currency on the specified date. Under such circumstances the company would be forced to purchase the dollars at the prevailing spot market rate, and sell them at the rate agreed in the forward contract. There will be transaction costs incurred in the process, and it is also possible that the exchange rate will have moved against SDT further increasing the costs of the transaction. The risk of being unable to fulfil the forward contract could be mitigated by taking out an option forward contract instead, which may be exercised within a prescribed range of dates. An option forward contract would relieve SDT of a firm date for committing to the forward contract, but it would also cost more in fees. In addition, the exchange rate that is used in such contracts is the least favourable rate over the option period, and so the costs of such a deal are in reality even higher. A possible alternative method of reducing the risk would be for SDT to offer a discount to Company B in return for prompt payment. As long as the cost of the discount does not exceed the potential cost of breaching a standard forward contract, then it would make sound financial sense. Similarly, the imposition of penalties for late payments would help to reduce the cost of any resulting problems, but in practice it is often extremely difficult to collect penalty fees, especially from overseas customers.

Documents

May 2005 Examinations - Chartered Institute of … 2005 Examinations Strategy Level Paper P3 – Management Accounting Risk and Control Strategy Question Paper 2 Examiner’s Brief