AE 117: GOOD GOVERNANCE, RISK MANAGEMENT AND INTERAL CONTROL

Definitions of risk:
• The Oxford English Dictionary definition of risk is as follows: ‘a chance or possibility of danger, loss,
injury or other adverse consequences’, and the definition of at risk is ‘exposed to danger’. In this context, risk is
used to signify negative consequences. However, taking a risk can also result in a positive outcome. A third
possibility is that risk is related to uncertainty of outcome.
• The Institute of Risk Management (IRM) defines risk as the combination of the probability of an event
and its consequence. Consequences can range from positive to negative. This is a widely applicable and
practical definition that can be easily applied.
• The international guide to risk-related definitions is ISO Guide 73, and it defines risk as the ‘effect of
uncertainty on objectives’. This definition appears to assume a certain level of knowledge about risk
management and it is not easy to apply to everyday life. The meaning and application of this definition will
become clearer as the reader progresses through this book.
• The Institute of Internal Auditors (IIA) defines risk as the uncertainty of an event occurring that could
have an impact on the achievement of objectives. The IIA adds that risk is measured in terms of consequences
and likelihood.

Types of Risk:
1. Compliance Risk (Mandatory)
2. Hazard Risk (Pure)
3. Control Risk (Uncertainty)
4. Opportunity (Speculative)
Note: In general terms, organizations will seek to minimize compliance risks, mitigate hazard risks, manage
control risks and embrace opportunity risks.

Risk Classification:
• Likelihood
• Severity/Magnitude

Risk management in accountancy involves systematic processes to identify, assess, and mitigate financial and
operational risks, leveraging accounting expertise to safeguard organizational stability.

Risk management is a critical aspect of any successful business, and organizations of all sizes strive to identify,
evaluate, and mitigate potential risks that could impact their financial stability, operations, and reputation.
Accountants possess a unique set of skills and knowledge that enables them to assist businesses in effectively
managing risks and ensuring their long-term sustainability.

Risk management strategy is aimed at keeping the losses to a minimum during the occurrence of any
unfortunate event. As a businessman, implementing a dedicated strategy for the accounting department is a
necessity simply because certain eventualities are beyond anyone’s control and accounting operations are
generally indispensable.

Scenario: Mid-Sized Retail Company Facing Revenue Recognition Risks

Risk Identified: Potential errors in revenue recognition due to manual processes and complex sales contracts,
risking financial misstatements and regulatory penalties[^1^][^6^].

Risk Management Steps

1. Risk Identification
o Data Analysis: Accountants detect discrepancies between reported revenue and cash flow
trends during monthly closes[^4^].
o Audit Trail Review: Manual journal entries for deferred revenue lack documentation, increasing
error risk[^1^].
2. Risk Assessment
 o Likelihood: High (due to reliance on spreadsheets for multi-element contracts).
o Impact: Severe (material misstatements could trigger SEC investigations or shareholder
lawsuits)[^1^][^6^].
3. Mitigation Strategies
o Automation: Implement AI-driven tools (e.g., Reach Reporting) to automate revenue allocation
based on contract terms, reducing human error[^6^].
o Internal Controls: Enforce dual approvals for manual adjustments and mandate audit trails for
all entries[^4^].
o Training: Educate staff on ASC 606 standards to ensure proper revenue recognition timing[^1^].
4. Risk Monitoring
o Continuous Analysis: Use dashboards to track revenue vs. cash flow in real time, flagging
anomalies[^6^].
o Scenario Testing: Model impacts of contract modifications or delayed payments using
predictive analytics[^6^].

Outcome

Automation reduces errors by 90%, while enhanced controls ensure compliance. Transparent reporting
rebuilds investor trust and avoids regulatory fines[^1^][^6^].

Alternative Scenarios

1. Fraud Risk (Accounting Firm)

o Trigger: A client’s suspicious transactions suggest money laundering[^1^].
o Action:
 Freeze flagged accounts and file a Suspicious Activity Report (SAR).
 Conduct forensic accounting to trace fund origins[^1^].
o Tool: AML software integrated with client ledgers for real-time monitoring[^6^].
2. Market Volatility (Investment Advisory)
o Trigger: Sudden stock market downturn threatens client portfolios.
o Action:
 Rebalance portfolios toward defensive assets (e.g., utilities, bonds).
 Communicate hedging options to clients via scenario-based reports[^6^].
o Tool: Value-at-Risk (VaR) models to quantify exposure[^3^].
3. Cybersecurity Breach (Cloud Accounting)
o Trigger: Ransomware attack encrypts client financial data.
o Action:
 Isolate affected systems and restore backups.
 Notify clients and regulators under data breach laws[^1^].
o Tool: Multi-factor authentication and encrypted data storage[^1^].

Key Takeaways

 Proactive Measures: Regular risk assessments and automation prevent crises[^4^][^6^].

 Compliance Focus: Aligning with standards (e.g., GAAP, IFRS) minimizes legal risks[^1^].
 Communication: Transparent reporting to stakeholders builds confidence during disruptions[^6^].

What is the Role of the Accountancy Profession In Terms of Managing Risk?

The accountancy profession plays a vital role in managing risk by providing expertise in financial analysis,
internal controls, compliance, and strategic decision-making. Accountants help businesses identify, assess, and
mitigate risks, ensuring financial stability and sustainable growth.

How Are Accounting and Risk Management Connected?

Accounting and risk management are closely interconnected as accounting provides the foundation for
effective risk management. Accounting systems generate crucial financial information that helps identify,
assess, and manage risks. Accurate and reliable financial data enables informed decision-making, supports risk
analysis, and facilitates the implementation of risk mitigation strategies.

Additionally, accounting frameworks and reporting standards provide guidelines for disclosing risk-related
information, ensuring transparency and accountability in risk management practices. In summary, accounting
and risk management work hand in hand to provide businesses with the necessary tools and insights to
effectively navigate and mitigate risks.
Here's how they interconnect:

Core Components
Risk Identification: Accountants use financial statements, internal audits, and data analysis to detect
anomalies, compliance gaps, or market vulnerabilities.

Identifying and Assessing Risks: The Accountant’s New Frontier

Accountants are uniquely positioned to identify and assess risks because of their intimate knowledge of
a company’s financial data. They understand potential vulnerabilities in cash flow management, debt
levels, or revenue fluctuations. This insight allows them to foresee potential risks before they
materialize, providing businesses with the opportunity to address these issues proactively.
Additional Insight:
Traditional risk assessments might have been limited to financial audits or periodic reviews, but today’s
accountants are expected to conduct continuous risk assessments, integrating financial data from
various departments. With Reach Reporting, accountants can seamlessly monitor financial metrics
visually, helping identify emerging risks.

Assessment: They evaluate risks by analyzing financial data trends (e.g., budget vs. actuals) and operational
processes to determine potential impacts.

Identify
Identify potential risks that could negatively impact a process or project
Analyze
Use a risk analysis to determine potential consequences
Evaluate
Evaluate how likely the risk is to occur and if each risk is an acceptable part of doing business
Mitigate
Assess the greatest risks and develop controls specific to those higher-level risks
Monitor
Continuous monitoring and tracking existing (and new) risks will be part of the process

Mitigation: Strategies include refining internal controls, developing metrics to track risk mitigation
effectiveness, and advising on risk disclosures in financial reports.

Identifying and Assessing Risks: The Accountant’s New Frontier

Accountants are uniquely positioned to identify and assess risks because of their intimate knowledge of
a company’s financial data. They understand potential vulnerabilities in cash flow management, debt
levels, or revenue fluctuations. This insight allows them to foresee potential risks before they
materialize, providing businesses with the opportunity to address these issues proactively.

Additional Insight:
Traditional risk assessments might have been limited to financial audits or periodic reviews, but today’s
accountants are expected to conduct continuous risk assessments, integrating financial data from
various departments. With Reach Reporting, accountants can seamlessly monitor financial metrics
visually, helping identify emerging risks.

Key Responsibilities
Stewardship: Safeguarding assets through accurate financial reporting and compliance with regulations.
Compliance: Ensuring adherence to tax laws, financial standards, and industry regulations to avoid penalties.

Ensuring Compliance and Regulatory Adherence

Another critical aspect of risk management is ensuring that the company adheres to all relevant
regulations and compliance requirements. Accountants are responsible for staying up-to-date with the
latest changes in tax laws, financial reporting standards, and industry regulations, ensuring that the
company is not exposed to legal or financial penalties.

Additional Insight:
Reach Reporting simplifies compliance by automating many reporting processes, ensuring that all
financial documents are accurate and up-to-date. This reduces the risk of non-compliance and the
associated penalties.

Strategic Advisory: Transitioning from traditional number-crunching roles to advising leadership on data-driven
risk mitigation strategies.

Types of Risks Addressed

Financial: Poor investments, liquidity issues, or misallocations.
Operational: Process inefficiencies, system failures, or supply chain disruptions.
Compliance: Legal penalties from regulatory violations.
Environmental/Physical: Natural disasters or equipment damage.

Tools and Techniques

Data Analytics: Generating comparative reports (e.g., year-over-year performance) to pinpoint risks.
Automation: Using software like Reach Reporting to streamline compliance and monitoring.
Internal Controls: Implementing checks to prevent fraud and errors.

By integrating accounting practices with risk management, organizations gain actionable insights to preempt
threats and ensure long-term resilience.

What is compliance risk?

Compliance risk is exposure to legal penalties, financial forfeiture and material loss an organization
faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best
practices. Compliance risk is also sometimes known as integrity risk. Many compliance regulations are enacted
to ensure that organizations operate fairly and ethically. For that reason, compliance risk is also known as
integrity risk.

The elements of an Effective Compliance Program may be listed as under:

1. High level company personnel who exercise effective oversight : The organization’s governing body
should be knowledgeable about the effective compliance program and should have oversight of it. The
governing body should have the overall responsibility for the compliance program and shall ensure the
effectiveness of it. Specific individuals shall have overall responsibility for the day to day operations of
the compliance program. A Compliance Officer shall be designated by the organization’s governing
body, who shall periodically report to the higher level management/ governing body. The Compliance
Officer should be given adequate resources with appropriate authority and direct access to the
governing body.
2. Written policies and procedures : The employees of the organization should be made known the legal
requirements so that employees understand their obligations. The employees should be encouraged to
report suspected fraud and other irregularities without fear.
3. Training and education : The employees of the organization should be provided reasonable training to
understand the organization’s compliance programe and its policies and process.
4. Lines of communication : Information about the compliance program must be widely communicated at
all levels of an organization. To enhance the effectiveness of the compliance program, the program
must establish lines of communication whereby, employees and agents may seek guidance and report
concerns, including the opportunity to report anonymously (such as a compliance hot line); There are
assurances that there will be no retaliation for good faith reporting.
 5. Standards enforced through well-publicized disciplinary guidelines : The organization’s compliance
and ethics program should be promoted and enforced consistently through well-publicized guidelines
that provide, incentives to support the compliance and ethics program, disciplinary measures for
disobeying the law, the organization’s policies, or the requirements of the compliance and ethics
program.
6. Internal compliance monitoring : The organization shall take reasonable steps, including monitoring
and auditing, to, ensure that the organization’s compliance and ethics program is followed, periodically
evaluate the effectiveness of the organization’s compliance program.
7. Response to detected offenses and corrective action plans : After monitoring and auditing of the
compliance program, the organization shall take reasonable steps to, respond appropriately to any
violations of the law or policies to prevent future misconduct, modify and improve the organization’s
compliance and ethics program.

Compliance Risk Management:

Compliance risk management is the process of managing corporate compliance to meet regulations within a
workable timeframe and budget. Compliance Risk management is part of the collective governance, risk
management and compliance discipline. The three fields frequently overlap in the areas of incident
management, internal auditing, operational risk assessment, and compliance with various regulations.

Steps in Compliance Risk Management:

1. Understand compliance obligations : The primary element to manage compliance is to understand

compliance obligation in the light of strategic goals and objectives. Compliance obligations stem from: Laws
and regulations, industry or generic standards, internal policies, processes and procedures and contracts
executed with clients and other stakeholders.
It is important to understand that obligations are either requirements or commitments. Obligations that an
enterprise has no control over are termed as compliance requirements, for example, one resulting from new
laws and regulations. While obligations that an enterprise may choose to abide by – for example certain
industry standards or best practices – are termed as compliance commitments.
Here, a mechanism to ensure compliance obligations are kept up-to-date must be established. An enterprise
may choose to restrict the scope of compliance management to compliance requirement but for a higher
assurance, it may include compliance commitments, too.
2. Assess risks : Once compliance obligations are established, a compliance risk assessment exercise should be
undertaken to identify risks, causes, the areas they impact and the consequences thereof. A risk analysis to have
better understanding of the risks should follow. Such an analysis should consider the factors affecting the
consequences and likelihood of these consequences occurring as well as the controls in place. Looking at the
level of risk arrived at from the analysis exercise, a compliance risk evaluation should be done to take
appropriate decisions on treatment. This exercise is to prioritise the treatment, it should be used as a tool to
accept compliance risks. Compliance risks analysed as low should also be monitored and subjected to corrective
action.

3. Address all compliance risks : An enterprise should ensure an effective action plan to address all
compliance risks with clear ownership, responsibility, accountability and closure timelines. This can be driven
with ease, if the enterprise ensures a documented compliance policy, objectives, processes and procedures.
Further, compliance responsibilities must be clearly identified, assigned and established as part of the job
descriptions at different levels.

To ensure risks are addressed effectively, the management should ensure that all employees with compliance
obligation are competent. Periodic training and awareness must be carried out and any other medium to
communicate assigned responsibilities should be explored. A continuous communication mechanism is
required to ensure all employees understand compliance and contribute to it by reporting risks and
discharging their responsibilities effectively.

4. Evaluate Performance: A mechanism to measure and monitor the performance of the compliance practices
and its impact on strategic goals and objectives must be developed. Developing compliance performance
indicators is one of the tools. It can be as simple as the number of employees trained on compliance practices
to mature indicators such as risks of non-compliance and trends. Feedbacks from clients, stakeholders,
suppliers, vendors, employees and government agencies are a good source of data to ascertain compliance
performance. Governance mechanisms in the form of management reviews, internal audits and periodic
compliance reporting give great insights on the performance of compliance practices.

ESSENTIALS OF A SUCCESSFUL COMPLIANCE-RISK MANAGEMENT PROGRAM

Active board and senior management oversight- • An effective board and senior management oversight is
the cornerstone of an effective compliance risk management process.

Effective policies and procedures- • Compliance risk management policies and procedures should be clearly
defined and consistent with the nature and complexity of an institution’s activities.

Compliance risk analysis and comprehensive controls- • Organizations should use appropriate tools in
compliance risk analysis like self-assessment, risk maps, process flows, key indicators and audit reports; which
enables establishing an effective system of internal controls.

Effective compliance monitoring and reporting- • Organizations should ensure that they have adequate
management information systems that provide management with timely reports on compliance like training,
effective complaint system and certifications.

Testing- • Independent testing should be conducted to verify that compliance-risk mitigation activities are in
place and functioning as intended throughout the organization.