Retail Analytics using Computer-Assisted Audit Tools and Techniques

Internal Audit

Introduction :

Retail Performance Management enables decision-making for
retailers of all sizes and segments, by empowering them with comprehensive
relevant Enterprise Business Intelligence, across technology platforms.

With Computer Assisted Audit Tools (CAATs), users can
jumpstart their analytic journey, and enjoy improved margins, better customer retention, inventory efficiency, promotion
effectiveness with fewer markdowns.

CAATs help accelerate your retail organisation’s analytic
maturity, taking you one step closer to achieving excellence. CAATs create such
business benefits by delivering enhanced usability, speaking and thinking
retail, anticipating the evolving needs of decision-makers, and ensuring a
faster adoption rate.

Through simple screen-guided analytics, CAATs empower every
decision-maker in every role in your retail organisation. They also take the load
off the IT Group, by being easily extendable and maintainable.

By implementing CAATs, you avoid the latency, cost and
project management challenges associated with a traditional BI deployment, and
enjoy unparalleled speed to benefits.

CAATs transform business intelligence from being a ‘Decision
Support System’ to a ‘Decision-Making System’. CAATs make business intelligence
pervasive across the retail business by impacting the top line and bottom line
performance of the business.

CAATs take on a whole new revolutionary role in retail
analytics where the tool is used for continuous monitoring by process owners
rather than the erstwhile traditional continuous auditing by Internal Auditors.
The significance of the CAAT is greatly accentuated by the understanding of the
underlying business process by the process owner.

Retail analytics can deliver immeasurable business benefits :

Merchandising & Assortment :

It’s a well known fact that shoppers prefer to visit places
that offer them the maximum options, deals and not to forget a good shopping
experience.

As a retailer, one does everything to retain their customers
— providing excellent customer service, providing variety, running regular
promotions, ensuring products have been priced appropriately and not to forget
ensuring customers are satisfied. While one aims at providing a range of
products, it is not possible to offer everything.

Here is where merchandise and assortment planning comes in.
CAATs provide merchandisers an analytic framework to plan and analyse business
activities related to merchandise and assortment planning.



  • Compare historical, planned or forecasted data against actual data to define
    and optimise merchandise plans
  • Analyse merchandise hierarchy across departments, categories, product lines
    and Stock Keeping Units (SKUs)
  • Increase customer loyalty by providing merchandise that caters to their
    requirements
  • Provide a range of optimally priced products, including private labels
  • Analyse performance of new products and their impact on similar products in
    the same category
  • Determine seasonal and store-specific product assortments.



Loss prevention :

In the retail industry, it is well known that losses due to
fraudulent transactions, theft, pilferage, excessive stocking, wastage,
shoplifting, internal theft, refunds, exchanges and excessive discounting are
inevitable. While one can’t do away with these problems, retailers are always on
the look-out for ways to minimise losses while keeping costs to a minimum.

Loss prevention analytics help you diagnose the root cause of
the problem, identify exceptions and take corrective measures. CAATs substantiate
their analyses with historical, geographic, and demographic trends.



  • Incorrect or fraudulent refunds
  • Spoilage, damage and write-offs
  • Price overrides and improper discounting
  • Supplier or warehouse issues
  • Administrative errors
  • Fraudulent sales to customers with dubious shopping records
  • Erroneous entries for product returns.



Supplier performance :

Being able to forecast optimal levels of inventory, optimise
lead time, manage orders, improve fill rates, negotiate trade promotions, manage
risks and improve supply chain efficiency — these are just a few challenges
faced by retailers when it comes to managing supplier performance.

While supplier performance management is an area that tends
to get neglected, focussing on this area can help you bring down operation costs
drastically.

CAATs provide a decision-making framework that enables you to
identify new areas of synergy and avenues for bringing about operational
excellence.

  • Optimally manage inventory by tracking slow and fast moving goods, measuring loss due to out of stock situations and optimising lead time for a product

  •     Manage vendors more effectively by tracking lead time, fill rate, service levels, customer satisfaction levels and product returns per vendor

  •     Reward performing vendors, improve performance of, or replace non-performing vendors

  •     Negotiate trade promotions to get better deals, longer credit periods and shorter delivery cycles

  •    Identify ways and opportunities to streamline operations, reducing operation costs

  •     Manage supply-related risks and take corrective measures proactively.

Store productivity and benchmarking :

To survive in today’s ever-changing retail world, it is essential for retailers to understand their business, know their customers, recognise their edge over competition, identify potential for growth, and realise their weaknesses. In an endeavor to stay ahead, retailers are proactively gathering data about how they are performing vis-à-vis market trends and analysing ways to improve and optimise store productivity.

CAATs provide retail operation managers a framework to analyse store performance and productivity.

  •     Reclassify stores by local demographics, competitive density, store locations, size and age

  •     Reclassify merchandising categories based on the relationship between the customer, product and store

  •    Analyse group peer and merchandising assortment

  •     Measure contribution and competence of store employees by monitoring their contribution to total sales

  •     Benchmark, compare and rank peer groups based on metrics like yield per square area and average price per item sold.

Customers :

Customer data has long been touted as a key determinant in better merchandising decisions; however it is an asset most retailers have struggled to use to its maximum potential. CAATs provide you with the critical platform you need to leverage customer loyalty data, sales transaction data, and store data to improve merchandise planning and tactics.

CAATs unveil hidden relationships between your customer, product and store data sets. These deep and significant insights help you implement key emerging practices such as consumer-centric merchandising, store-specific assortments and micro-merchandising.

Promotion performance :
Analyses plan v. achievement across key metrics in pre-promotion, during and post-promotion periods.

Campaign effectiveness :
Once a campaign is launched, then its effectiveness can be studied across different media and in terms of costs and benefits.

Loyalty analysis :
Provides insights on retention, churn and acquisition trends across segments.

RFM scoring :

Identifies your company’s best customers based on recency, frequency and monetary value.

Product affinity and market basket :

Product affinity and market basket analysis involves leveraging point-of-sale data to improve business strategies and uncover hidden relationships between products. Point-of-sale data provides insight into the types of products customers typically buy together, the time of year sales for a combination of products go up, destination items that pull customers to the store, and reasons for boost in product sales.

CAATs provide an analytic framework for identifying patterns in customer product purchases and store visits, improving the effectiveness of marketing, sales and merchandising strategies, and understanding links between tactical initiatives like allocation, shelf presentation, promotions, price changes and purchase determinants.

  •     Understand product affinity i.e., identifying products that are likely purchased together

  •     Identify and manage destination items i.e., items that cause a customer to visit your store

  •     Identify seasonal sales trends for items i.e., time of the year when sales for a particular item go up or down

  •     Analyse customer purchase behaviour to understand the role a product plays in a basket i.e., an impulse item or a destination item

  •     Analyse trips by purchase patterns and classifying shopping trips into categories like weekly grocery trips or special occasions

  •     Analyse the impact of promoted products on the overall basket with emphasis on parameters like cross-selling and cannibalisation

  •   Analyse brand affinity, penetration, switching and private label impact

  •     Define baskets that allow you to up-sell and cross-sell

  •     Correlate store performance with overall market performance.

Conclusion :
CAATs create an environment where the process owners can make informed decisions real-time on :

  • Which customer segments are the most profitable ?

  • Which prospects should my campaign target ? When should I communicate with a customer, and how ?

  • Which customers should I spend money on retaining ?

  • To which customers should I cross-sell, and what products ?

We are at the dawn of mature retail analytics for the discerning retail customer.
    

Computer-Assisted Audit Tools (CAATs) — Effective use of CAATs by Audit Firms

Internal Audit

Preface :


Dhruva is a Practice Director — Data Analytics with M/s.
Assurance & Associates. M/s. Assurance & Associates are Practice leaders in the
field of governance, risk management and control analytics for the last 5 years.
In a short span of 5 years this dynamic firm had managed to establish a
footprint in the accounting and finance segment which was the erstwhile arena
for large accounting and audit majors. This fast-paced growth was fuelled by a
small group of ‘razor sharp’ smart professionals who delivered consistent value
propositions to all their clients by riding on the backbone of contemporary
audit technology.

M/s. Assurance & Associates leveraged audit technology like
general audit software, audit administration tools and enterprise risk
management applications to deliver above-the-board, high-return results to all
the clients from retail to manufacturing, to logistics and healthcare.

Dhruva was solely responsible for overseeing all data
analytic projects, assignments and academic ventures for the firm.

In a recent meet of mid-rung audit firms, Dhruva was
presenting on the role of ‘The Power of Analytics’ and ‘Analytics made Simple’.
Dhruva spoke firmly, confidently and charismatically about his association with
general audit tools and the outstanding benefits which accrued to him and the
firm over the last 5 years through the power of analytics. There was a twinkle
in his eye as he drew a colorful picture about his journey with general audit
software. His oration captivated the audience and laid the foundations for
prolific use of CAATs by all audit firms in the days to come.

Dhruva presented on general audit software and its lineage with
manufacturing entities :

Manufacturing companies have many of the standard ledgers;
purchasing and payroll can be key concerns. However, the main business area is
inventories.

Inventories (stocks) and work-in-progress :

There is normally a master or balances file that contains
details of inventory holdings at a particular date. Costs may be held in a
separate file. Transaction history can be particularly useful although file
sizes are often quite large. Selling prices normally have to be picked up from a
separate file.


Tests conducted included, but were not limited to :


Analysis :


  • Age stock by date of receipt
  • Compute the number of months’ stock of each item held, based on either sales
    or purchases. Produce a summary of this information
  • Stratify balances by value bands
  • Statistically analyse usage and ordering to improve turnover
  • Summarise products by group, location, type, etc.
  • Report of products in order of profitability
  • Reconcile physical counts to computed amounts




Calculations :


  • Total the file, providing sub-totals of the categories of inventory
  • Re-perform any calculations involved in arriving at the final stock quantities
    and values
  • Re-perform material and labour cost calculations on assembled items




Exception tests :


  • Identify and total stock held in excess of maximum and minimum stock levels
  • Identify and total obsolete or damaged stock
  • Identify any items with excessive or negligible selling or cost prices
  • Identify differences arising from physical stock counts
  • Test for movements with dates or reference numbers not in the correct period
    (cut-off)
  • Identify balances which include unusual items (e.g., adjustments)
  • Identify work in progress which has been open for an unreasonable period
  • Identify stocks acquired from group companies
  • Isolate products with cost greater than retail price, with zero quantities or
    with zero prices


Gaps and duplicates:

  • Test for missing stock ticket numbers
  • Test for missing transaction numbers
  • Identify duplicate stock items
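
A sketch of how some of the exception and gap/duplicate tests listed above can be run on an inventory extract. This is an added example, not part of the original article or of any audit tool; the field names, the sample records and the audit period are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed inventory master extract (field names are assumptions).
STOCK = [
    {"item": "BOLT-10", "qty": 500, "cost": 0.40, "retail": 0.75},
    {"item": "GEAR-22", "qty": 12, "cost": 18.00, "retail": 15.50},
    {"item": "SEAL-07", "qty": 0, "cost": 2.10, "retail": 3.00},
    {"item": "PUMP-03", "qty": 4, "cost": 0.00, "retail": 120.00},
    {"item": "BOLT-10", "qty": 80, "cost": 0.42, "retail": 0.75},
]

# Constructed stock-count ticket numbers and stock movements.
TICKETS = [1001, 1002, 1004, 1005, 1008]
MOVEMENTS = [
    {"ref": "GRN-551", "date": date(2024, 3, 30)},
    {"ref": "GRN-552", "date": date(2024, 4, 2)},
    {"ref": "ISS-910", "date": date(2024, 2, 27)},
]


def missing_ticket_numbers(tickets):
    """Gap test: ticket numbers absent between the lowest and highest issued."""
    if not tickets:
        return []
    expected = set(range(min(tickets), max(tickets) + 1))
    return sorted(expected - set(tickets))


def duplicate_stock_items(stock):
    """Duplicate test: item codes that appear on more than one master record."""
    counts = Counter(row["item"] for row in stock)
    return sorted(item for item, n in counts.items() if n > 1)


def price_exceptions(stock):
    """Exception test: cost above retail price, zero quantity, or zero price."""
    hits = []
    for row in stock:
        if row["cost"] > row["retail"]:
            hits.append((row["item"], "cost_exceeds_retail"))
        if row["qty"] == 0:
            hits.append((row["item"], "zero_quantity"))
        if row["cost"] == 0 or row["retail"] == 0:
            hits.append((row["item"], "zero_price"))
    return hits


def cutoff_exceptions(movements, period_start, period_end):
    """Cut-off test: movements dated outside the period under audit."""
    return [m["ref"] for m in movements
            if not period_start <= m["date"] <= period_end]


if __name__ == "__main__":
    print("Missing tickets:", missing_ticket_numbers(TICKETS))
    print("Duplicate items:", duplicate_stock_items(STOCK))
    print("Price exceptions:", price_exceptions(STOCK))
    print("Cut-off exceptions:",
          cutoff_exceptions(MOVEMENTS, date(2024, 3, 1), date(2024, 3, 31)))
```

Each function returns the exception list only; deciding whether an exception is an error, an adjustment or a fraud indicator remains a matter for the auditor's follow-up.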


Matching and comparing:

  • Compare files at two dates to identify new or deleted stock lines or to identify significant fluctuations in cost or selling price
  • Compare cost and selling price and identify items where cost exceeds net realisable value
  • Compare value of physical counts to general ledger amounts
  • Check work orders for accuracy against original sales orders


Other typical areas of tests include:


Cash disbursements:

  • Reconcile intercompany transfers
  • Summarise cash disbursements by account, bank, group, vendor, etc.
  • Generate vendor cash activity summary for contract negotiations


Purchase orders:

  • Extract pricing and receipt quantity variations by vendor and purchase order
  • Track scheduled receipt dates versus actual receipt dates
  • Identify duplicate purchase orders or receipts without purchase orders
  • Reduce inventory by comparing projected receipts to available stock
  • Analyse late shipments for impact on jobs, projects or sales orders due
  • Reconcile receipts by comparing accrued payable to received items


Work-in-progress:

  • Use net demand analysis against inventory and purchase orders to generate a quick material requirement planning report
  • Check work orders, by size, priority, for release to shop floor
  • Produce shop floor activity report by any item
  • Generate comparison of planned versus actual labour, materials and time
  • Reconcile job tickets or time cards to work order line items


Dhruva glorified general audit software and its power in working analysis with retail entities:

Retailers often have point-of-sale systems which collect large volumes of useful data which audit tools can analyse. The main tests on inventories are similar to manufacturing companies with perhaps more emphasis on movement, margins and shrinkage.

Additional tests include:

  • Gross profit analyses
  • Items past their shelf life
  • Comparisons between stores on holdings and inventory turnover per product line
  • Price adjustment transactions


Other typical areas of tests include:


Cash disbursements:

  • Monitor cash disbursements for stores
  • Track cash disbursements for contractor and vendor services
  • Summarise cash disbursements by account, bank, group, vendor, etc.


Loss prevention:

  • Compare ‘No Sale’ transactions to cash voided transactions by associate
  • Identify stores with significant allowances
  • Isolate duplicate return transactions
  • Identify incomplete exchange transactions
  • Look for check purchases and refunds within 15 days
  • Find credit card purchases and refunds to different credit cards (same day)
  • Identify potential fraudulent or improper transactions through selling price differences between stores
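
Four of the loss-prevention tests above, written as checks over a point-of-sale extract. This is an added example, not part of the original article or of any audit tool; the record layout, the transaction types and the sample data are constructed assumptions, and returns are assumed to carry the receipt number of the original sale.

```python
from collections import Counter, defaultdict
from datetime import date


def _txn(id_, type_, receipt, day, tender, card, amount, associate):
    return {"id": id_, "type": type_, "receipt": receipt, "date": day,
            "tender": tender, "card": card, "amount": amount,
            "associate": associate}


# Constructed point-of-sale extract; "card" holds the last four digits only.
TXNS = [
    _txn(1, "SALE", "R100", date(2024, 3, 1), "CHEQUE", None, 250.0, "A1"),
    _txn(2, "RETURN", "R100", date(2024, 3, 9), "CASH", None, 250.0, "A2"),
    _txn(3, "SALE", "R101", date(2024, 3, 2), "CARD", "4111", 90.0, "A1"),
    _txn(4, "RETURN", "R101", date(2024, 3, 2), "CARD", "5500", 90.0, "A2"),
    _txn(5, "RETURN", "R101", date(2024, 3, 5), "CARD", "4111", 90.0, "A2"),
    _txn(6, "SALE", "R102", date(2024, 3, 3), "CHEQUE", None, 40.0, "A3"),
    _txn(7, "RETURN", "R102", date(2024, 4, 20), "CASH", None, 40.0, "A3"),
    _txn(8, "NO_SALE", None, date(2024, 3, 4), None, None, 0.0, "A2"),
    _txn(9, "VOID", None, date(2024, 3, 4), "CASH", None, 60.0, "A2"),
    _txn(10, "NO_SALE", None, date(2024, 3, 6), None, None, 0.0, "A2"),
    _txn(11, "NO_SALE", None, date(2024, 3, 6), None, None, 0.0, "A1"),
]


def _sales_by_receipt(txns):
    return {t["receipt"]: t for t in txns if t["type"] == "SALE"}


def duplicate_returns(txns):
    """Returns booked more than once against the same receipt and amount."""
    groups = defaultdict(list)
    for t in txns:
        if t["type"] == "RETURN":
            groups[(t["receipt"], t["amount"])].append(t["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def cheque_refunds_within(txns, days=15):
    """Cheque purchases refunded within `days` days of the sale."""
    sales = _sales_by_receipt(txns)
    hits = []
    for t in txns:
        if t["type"] != "RETURN":
            continue
        sale = sales.get(t["receipt"])
        if sale and sale["tender"] == "CHEQUE":
            gap = (t["date"] - sale["date"]).days
            if 0 <= gap <= days:
                hits.append((sale["id"], t["id"], gap))
    return hits


def refunds_to_different_card(txns):
    """Card purchases refunded the same day to a different card."""
    sales = _sales_by_receipt(txns)
    hits = []
    for t in txns:
        if t["type"] != "RETURN" or t["tender"] != "CARD":
            continue
        sale = sales.get(t["receipt"])
        if (sale and sale["tender"] == "CARD"
                and sale["date"] == t["date"]
                and sale["card"] != t["card"]):
            hits.append((sale["id"], t["id"]))
    return hits


def no_sale_vs_voids(txns):
    """Per associate: (count of 'No Sale' drawer opens, count of voids)."""
    counts = defaultdict(Counter)
    for t in txns:
        if t["type"] in ("NO_SALE", "VOID"):
            counts[t["associate"]][t["type"]] += 1
    return {a: (c["NO_SALE"], c["VOID"]) for a, c in sorted(counts.items())}


if __name__ == "__main__":
    print("Duplicate returns:", duplicate_returns(TXNS))
    print("Cheque refunds within 15 days:", cheque_refunds_within(TXNS))
    print("Refunds to a different card:", refunds_to_different_card(TXNS))
    print("No Sale vs voids by associate:", no_sale_vs_voids(TXNS))
```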


Purchase order management:

  • Reconcile order received to purchase order to identify shipments not ordered
  • Extract pricing and receipt quantity variations by vendor and purchase order
  • Track scheduled receipt dates versus actual receipt dates
  • Compare vendor performance by summarising item delivery and quality
  • Compare accrued payable to received items to reconcile to general ledger

Distribution and Service:

Typical areas of tests include:

Sales analysis:

  • Generate sales/profitability reports by sales representative, product, customer
  • Recap product sales by region, customer, category, etc.
  • Identify high volumes by region, customer, category, etc.
  •  Extract all sales data for audit by customer, product, region, etc.
  • Compare ratios of current sales to open receivable (high-low; low-high)
  • Summarise shipments by warehouse for product distribution analysis


Sales order control:

  • Report on correlation between items shipped and items ordered
  • Analyse open orders and open invoices by customer for credit control
  • Isolate detail and average backlog by customer, item, location, etc.
  • Reconcile booked items to inventory reserved (on hold) items
  • Control profits by calculating line item margins before shipment
  • Analyse product demand by summarising products ordered by due date


Service management:

  • Create real-time service tracking reports in any format to manage fieldwork
  • Co-ordinate multiple service personnel to maximise performance in real time
  • Quickly recap routes and times of service calls by employee, area, etc.
  • Compare arrival and service times for field service representatives
  • Calculate cost of service by call for labour, materials and transportation
  • Compare service report time to time-sheet hours from payroll


Dhruva exemplified general audit software and their relevance to the healthcare segment:

Typical areas of tests include:

Accounts receivable, Patient billing and Managed care:

  • Calculate average days from discharge to bill, bill to payment, by payer or department
  • Determine appropriate level of contractual allowance and doubtful accounts reserves
  • Age receivables on date of service rather than invoice date to recalculate cash flow
  • Analyse rejected payments by financial class, procedure code, cost centre
  • Evaluate managed care payer performance
  • Identify underpaid managed care accounts
  • Determine profit margin by physician, financial class, etc.


Charges:

  • Identify late charges by department, by month, etc.
  • Look for invalid, high dollar or duplicate charges on patient bills
  • Look for lost charges by matching supplies used to supplies billed
  • Check procedure codes and billed charges to identify inappropriately billed charges

Clinical subsystems:

  • Compare patient visit data on clinical sub-systems to patient master
  • Identify interface failures
  • Identify pricing discrepancies between sub-systems and master


Marketing:

  • Develop patient statistics by post codes or other demographic data
  • Look for incomplete or miscoded patient demographic information
  • Identify profitable segments of patient population

Materials management:

  • Analyse usage and ordering to improve inventory reordering
  • Report on stock and high-value balances using any selection criteria
  • Identify obsolete inventory by turnover analysis
  • Compare speed and accuracy of delivery by product and vendor
  • Profile supply usage by month, by department, etc.

Medical claims :

  • Analyse timeliness of claims payments by comparing claim date, date claim received, and date claim paid
  • Look for duplicate billings and claim payments based on patient, provider, date of service and amount


Medical records:

  • Identify duplicate medical records for same patient
  • Track diagnosis coding deficiencies, incomplete records, etc.
  • List incomplete records and incompatible coding
  • Report on procedure codes by physician, department or patient


Specialists:

  • Determine specialist/doctor contract compliance
  • Evaluate specialist/doctor practice history by patient type, payer, etc.
  • Report on incomplete specialist/doctor profiling information


Purchase order management:

  • Report on purchasing performance by location
  • Identify pricing and receipt quantity variations by vendor and purchase order
  • Identify duplicate purchase orders and receipts without purchase orders
  • Reconcile receipts by comparing accrued payables to received items
  • Compare vendor performance by summarising item delivery and quality

Brilliant ending:

Dhruva received a standing ovation from the group. He ended his presentation in all humility by citing that General Audit Tools are time-tested, stable, robust, powerful, internationally acclaimed and user-friendly applications. He added that no Tool is a ready substitute for the auditor’s acumen and judgment, but is a powerful, cost-effective facilitator. He encouraged all the members present to embrace Tools and reap the benefits of an idea whose time has come.

Using forensic skills in contemporary auditing

Legal Risk — A Case Study

Overview :

Definition :

    Legal risk is risk from uncertainty due to legal issues, impact of legislation, actions or uncertainty in the applicability or interpretation of laws and regulations that affect the organisation and its operations and activities. Such impact can arise due to contracts and contractual claims, third party obligations, torts and operation of law. Depending on the circumstances, legal risk may entail such issues as broadly listed out below.

Issues for consideration :

    A number of issues that can give rise to risks that are external in nature are outlined below. The issues can be generally divided into two segments. One relating to contracts that constitute the basis for majority of interaction and activity in a civilised society. The other part relates to the different laws adopted by society for smooth functioning and their implications and impacts.

Contract formation :

    What constitutes a legitimate contract ? Is an oral agreement sufficient, or must there be a legal document ? What documentation is required ?

Intra vires and ultra vires contracts :

    Certain contracts are intra vires and others ultra vires. The latter can have serious unintended consequences for the contracting parties in terms of incomplete (inchoate) contracts.

Capacity :

    Does a counterparty have the capacity to enter into a transaction ? For example, in 1992, the United Kingdom’s House of Lords determined that the London Borough of Hammersmith and Fulham lacked capacity to transact in derivatives linked to interest rates. Not only were contracts dating back to the mid-1980s with that borough declared void, but contracts with over 130 other councils were effectively invalidated. A number of derivatives dealers suffered losses.

Legality of derivatives transactions :

    In some jurisdictions there are issues relating to whether certain derivatives could be deemed gambling contracts and thus made unenforceable. This was a significant concern during the early days of OTC derivatives markets.

Perfection of an interest in collateral :

    A claim is perfected if it is senior to any existing or future third-party claims in the event of bankruptcy. A perfected interest represents a lien on collateral. Requirements to perfect a claim can be complex and vary by both jurisdiction and the nature of the collateral.

Netting agreements :

    Under what circumstances will a close-out netting agreement be enforceable ?

    Incomplete contracts, quasi contracts, contract with minors and insane persons also give rise to legal risks.

Contract frustration :

    Unforeseen circumstances may invalidate a contract. E.g., if a contract is linked to an index or currency which ceases to exist, the contract could become invalid.

Another dimension of legal risk :

    Legal risk is the risk arising out of infraction of the law. If business and organisational activities and operations are tainted by illegality or result in a legal insult or impact that has legal consequences, this risk is attached.

    In fact, whenever information systems and Internet technology are used, this can attract emerging legislation like cyber laws which can give rise to legal risk for such activities.

    Given the nature of legal risks and issues, this is an external high-level risk that is difficult to control. Dealing with legal risk is not an easy task and needs a proactive approach.

    Legal risks can affect the functioning of a business and may even result in its closure in extreme circumstances. A procedural or lower level infraction of law can result in disruption and damage to business and reputation. These legal risks range from serious risks at one end of the spectrum to technical and procedural risks at the other. Thus legal issues that arise in serious risks are fundamental in nature, affecting the ownership, organisation, operations and continued existence & functioning of a business.

Technical aspects of legal risks would cover legal risks relating to compliance with regulatory requirements, formalities and business laws like Companies Act, Partnership Act, Taxation Laws, Labour laws and other legal requirements.

Procedural aspects of legal risks would involve legal risks relating to operations and procedures and functioning of the organisation and its day-to-day activities. e.g., when employing or terminating the services of an employee whether due process of law has been followed ?

Techniques for raising awareness of legal risk:

One of the most effective ways of dealing with legal risks is to raise awareness of the employees and staff. Here, we will focus on some practical ways in which the effective management of legal issues and disputes can create greater efficiencies in a company’s continuing business relations with its various stakeholders including customers, suppliers and joint venture partners.

The following are some of the important ‘hard’ and ‘soft’ elements of the legal dimension of risk and techniques of dispute management that are relevant for understanding and appreciating legal risks.

1) General awareness raising:

This involves presentations, workshops and ‘road shows’ to offices in the parent country and around the world, to as many employees, associates and business partners as possible, in order to raise awareness and increase familiarity with aspects of legal risk and the methods the company or organisation uses to minimise and avoid it. This should include clear identification and designation of a contact point (in the legal or compliance department) whom the employee can call, as a demonstration of commitment and back-up behind the communication programme.

2) ‘Legal Audits’:

These help identify areas of strength and weakness, for example:

  • a review of current litigation, arbitration and/or other conflict resolution techniques used to assess internal and external costs, likelihood of success, settlement options and likely outcomes.

  • a review of standard contracts to assess whether the dispute resolution mechanisms are the most appropriate for the type of activity covered by the contract.

  • a review of existing contractual relationships with suppliers, distributors, customers and joint venture partners to assess whether there are any ongoing disputes that can be avoided, or potential disputes that are likely to escalate into litigation, to tackle.

3) Training in ‘alternative’ dispute resolution skills (ADR):

In addition to building an awareness of the strengths and weaknesses of different types of more formal dispute resolution techniques (such as seminars on arbitration options), better awareness can be achieved by introducing a series of workshops on, for example, mediation and how the mediation process works. This will enhance core communication and negotiation skills if well presented.

Warning signs – things to consider avoiding, during negotiations and whilst the contract is being performed:

  • an unusual amount of time spent on negotiation of non-commercial terms

  • lawyers spending increasing time discussing non-commercial or non-core terms

  • business people not in control of the commercial elements of the negotiation

  • key commercial terms are not clearly set out, or there is delay in clarifying them

  • changes in the pattern of negotiation (e.g., from face to face, to more written exchanges, or vice versa)

  • after signature, there is a personnel change which breaks continuity in the relationship between parties, or understanding of the commercial rationale for the contract and its intended implementation

  • poor preparation and planning before negotiations start, inadequate follow-up either internally or with the counterpart, so that lack of clarity as to the process exacerbates lack of clarity as to the content, and as to the eventual commercial objectives.

Warning signs – what to look for to avoid disputes developing

  • increasingly late payments

  • late response or non-response

  • move from verbal to written communication

  • tone of verbal/written communications – more fractious questioning or legalistic rhetoric

  • internal time spent on analysis of legal position

  • internal disagreements as to strategy and/or approach (are there hidden agendas ?)

  • loss of product or service quality

  • change of personnel

  • different messages reaching different layers of the organisation from the counterpart company

  • in a joint venture: misalignment of interests which are dealt with as minor differences, but which could conceal longer-term strategic differences, arguments over budgets, technical objectives, marketing campaigns, etc.

The impact of legal risks has a far-reaching effect on the constitution, organisation structure, functioning and performance of organisations.

Normally it is the legal department or the secretarial department that deals with legal risks.

Apart from the classification suggested at the beginning of the article, legal risks can also be classified according to their severity, significance, the area they affect or even their applicability and pervasiveness.

Like most other external risks they pose a challenge and threat to business as well as present opportunities for growth in business and destabilise and/or pose problems for others. They thus result in a shake out that results in changes to the playing field.

The example picked up for this month’s case study is that of a pharmaceutical company that is engaged in development, manufacture and sale of drugs, formulations and medicines.

Quick Care Ltd. is a pharma company operating in India for over twenty years now. It has developed formulations and drugs for skin infections, allergies and asthma. It is manufacturing and marketing these medicines under the name ‘Life Care’ and ‘Total Care’.

The company has registered its products both as brands and trademarks in India.

With the changes in intellectual property rights post-WTO regime the company has become conscious of the stricter legal regime that it faces.

As the risk manager of the company the CEO has asked you to examine the legal risks in the following areas as well as the organisation wide legal issues involved:

i) On a preliminary enquiry you discover that ‘Life Care’ is also a brand registered in Australia by another company, though in the field of healthcare and nursing.

ii) A company in the US named True Care has a logo that has the letters TC in it. The logo of the company ‘Total Care’, which also uses the letters TC, looks identical and bears a close resemblance to it.

iii) On enquiries you find that your key employee who led the team that formulated the anti-allergy and asthma drug was earlier employed with an international pharma company and was working on similar research. It is likely that he had signed a non-disclosure/non-compete agreement before he left that company two years back.

iv) In respect of certain drug trials on monkeys and on human beings, a particular NGO has been writing articles about the issues involved and generally against such practices. The name of the company was also mentioned once in a television programme on this issue.

v) The company has recently acquired a small subsidiary making syringes and other medical devices. This company has certain pending labour disputes and tax cases that have not been fully resolved.

vi) The company had recently been awarded a contract to supply drugs to a rural hospital aided by the World Bank. The CEO is concerned whether any unfair means have been used, as this could result in the company being blacklisted.

You are required to make a brief report on the legal risks involved and how the same could be dealt with.

Solution to the case study:

1. In case of the Australian brand name, it poses a greater legal risk for the ‘Life Care’ brand registered in India if the company in Australia has signed the World Intellectual Property Organisation (WIPO) convention. The WIPO in Geneva administers these conventions. WIPO now has a ‘new’ convention, the Madrid Protocol (1989). The ‘Life Care’ brand in India may be liable for trademark infringement or dilution – with potential risks of an injunction, disgorgement of profits, payment of damages, and more – for use of the name. If it hasn’t, the Indian company should not delay in signing WIPO conventions. The company should also do a trade-off analysis in justifying the fees to be paid for signing up or to change the brand name itself.

The company ‘Life Care’ may change its name to a similar name which will be more attractive and will gain customers’ attention. It may propagate or spread awareness among its customers about the change assuring them about the quality of the product. But before that they must also check whether there is any other company existing with the same name to avoid facing same circumstances again.

2. The ‘True Care’ company in the US may sue the company in India for infringement of trademark by using an identical and similar logo, though it may not have the same business and there is no competitive overlap. The ‘True Care’ company in the US may also be liable for trademark dilution by using the famous mark of another company in case the company is famous in the US and can claim huge compensation or a huge share in the profits of the company. Another way to tackle this issue is to attempt to resolve the dispute internally, whereby the companies sign a mutual agreement not to interfere in each other’s business operations.

3. If the keyman has signed a non-disclosure agreement with the company where he was previously employed, then the international pharma company may sue him as well as the company in which he is presently employed, as there is a chance of him using the same or similar formulae or strategy as would have been used in the previous company. The international pharma company may ask for a certain percentage of their turnover or profit as compensation, due to which the company may incur heavy loss, or they may bring a stay on the experiment which formulated the anti-allergy and asthma drugs, because of which the company may incur heavy losses.

4. In the event of the issue raised by an NGO for conducting tests on monkeys, the company must find another alternative for drug trials such as rats, guinea pigs, etc., as there is a risk that the name or goodwill of the company may go down as there will be more and more awareness, and more and more people may agitate for the same.

5. The company should resolve all the labour disputes, as they may cause strikes in the company; production may come to a standstill and hence there will be a shortage of goods in the company. The company should also resolve the tax cases, as they may cause a heavy burden to the company.

6. For the World Bank developmental project, the CEO of the company must make sure that there is no unfair practice in obtaining the contract or in the actual execution of the contract, such as insufficient drugs supplied to the hospital or any adulteration in the drugs has taken place. As this would result in the company being blacklisted by the World Bank due to which none of the financial institutions in India as well as in foreign countries will grant loan to the company in case of financial crunch or will trade with the company as it is being blacklisted.

Other pre-emptive and protective solutions:

Risk management strategies not only serve their primary purpose, which is to lay off potential risks, but may also act as a vital business development tool.

1. When planning for a drug discovery, the following issues should be addressed:

The type of disease to be treated and the patient population;

How it should be delivered to the patient (delivery system);

In what form it should be made (capsule, pill, ointment, or liquid);

The route of administration (injection, oral, inhalation, or skin absorption);

How and where to do the research and formulation; and

Whether it is going to be outsourced or will be manufactured in-house.

Not only legal managers but also corporate counsels have an opportunity to contribute their ideas to issues pertaining to IP Rights, dispute management, identifying the business by plugging loopholes and adding to operational and client assurance.

Rather than assigning a separate in-house legal team or appointing an external consultant, the CEO can create a mixed team of both. Internal employees will give the consultants the correct picture at micro level, whereas consultants with their expertise and experience provide solutions at macro level.

Explain the drug development process to their patients in a subtle way;

The drug company or sponsor performs these tests to discover how the drug works and whether it is likely to be safe and works well in humans. Next, a series of tests is conducted among patients to determine whether the drug is safe when used to treat a disease and whether it provides a real health benefit. This will help address and neutralise adverse public opinion that may have been generated.

Apart from this the company will do well to identify and implement some of the strategies outlined below:

Identify essential development and pre-clinical requirements;

Identify requirements for characterisation of pharmaceutical products;

Assess and implement good manufacturing (GMP) and good laboratory (GLP) practices; and

Describe and formulate a regulatory submission.

The marketing authorisation application (NDA) can be submitted in two different formats: the traditional format, or the Common Technical Document (CTD) format.

These together will help the company to keep legal risks in control.

Management Risk — Case Study

Overview :

    Management Risk arises from the activity of managing an organisation, be it a Company pursuing a profit — wealth maximisation motive or a non profit organisation pursuing social welfare and charitable objects. The risk that every organisation has is that of an ineffective, non-performing, underperforming or reckless management that destroys rather than build.

    This is because management is in charge of governance. It is management that provides the vision, mission, direction and strategy which take the organisation forward in pursuit of its goals and objectives. A management that either for reasons of incompetency, ineffectiveness or self interest sacrifices and sabotages the entity’s objectives is detrimental to the interests of stakeholders. These give rise to ‘management risks’.

    The definition of management risk provided in ‘Investopedia’ sums up the term very well.

    ‘Management risk refers to the chance that Company managers will put their own interests ahead of the interest of the Company and shareholders. Management risk also applies to investment managers, whose decisions and actions may divert from the investors’ wishes or reduce the value of an investment portfolio. The risk therefore is that either the management is ineffective, inefficient and/or incompetent, or fails to handle a situation, or has its own personal self interest which is conflicting with the objectives of the Company and its stakeholders. An additional risk is that of management turning against its own company by colluding with one of the interested groups and committing frauds and misappropriation to the detriment of the company and the larger body of stakeholders’. Examples of the above abound in the multitude of mega scams often described as management frauds or scams, worldwide. Some of the classic recent examples are of WorldCom and Enron abroad and Satyam and Maytas in India.

    In these cases, the management acted in a manner detrimental to the interests of the Company and destroyed shareholder wealth and confidence in the system and the economy.

    The sub-prime crisis which shook the world’s financial market is a striking example of ‘self interest’ of financial managers. Hence, dealing with management risk requires a good management life cycle.

    Some of the risk mitigating steps are :

  •      selection of the CEO and members of his team based on professionalism and devoid of favouritism.

  •      continuous monitoring of business performance.

  •      periodic review of procedures to ensure transparency.

  •      periodic review whether internal controls and ethical practices are being adhered to by the CEO and his team.

  •      developing a succession plan for the CEO and his entire top management team.

  •      remuneration and reward system. The need for this is highlighted; even G 20 is discussing the level of managerial remuneration in financial industry.

    In addition to this there should exist in the top team a system of checks and balances against dictatorial tendencies.

    The example of this month’s case study on management risk is that of a company operating in the food processing industry that manufactures and markets jams, fruit juices, fruit concentrates and pulp in India and overseas under the brand names ‘Madhur’, ‘Meetha’ and ‘Rasbhari’.

    The Company has its factory in Uttar Pradesh which is about 50 years old. The Company initially had operations restricted to the State of Uttar Pradesh. It has expanded over the last 10 years to cover the whole of India.

    About two years back a new professional management team has been inducted who have been pushing for modernisation, expansion overseas, greater market penetration by appointing franchisees and having captive bottling/canning plants to service the growing market. The large resources required for this, are proposed to be raised through a public issue. The management team wishes to go in for financial reengineering in order to show the investors the golden future that awaits the company post modernisation and public issue.

    The owner/promoter, who wishes to proceed with caution, as well as the existing bankers are wary of the plan, as they do not want to lose control of the situation and prefer continuing the entity as a private limited company.

    The Company management is torn between two options: there are the old guard who want status quo and the new entrants who wish to go public and modernise.

    Outline the management risks in the given situation and suggest an approach to the case.

Solution to the case study :

    The Company owners and stakeholders have three options before them. The first is to continue the status quo. This may not be such a good option given that the factory is already over 50 years old and without modernisation and expansion the company as it stands will not be able to face competition and survive in the market. Competitors are bound to emerge who will fast overtake the company which will lose out even its home ground to them in the course of time.

    The other choice is to modernise and expand the factory and business by raising public funds through an IPO and going in for a big bang expansion by appointing franchisees and using captive bottling units.

    A third choice is also possible where the company will put in a place a modernisation program, which will be gradual and will be funded by internal accruals. This will ensure that control is retained by the existing promoters and management and at the same time enable the organisation to meet its objectives.

    The first option which eventually involves doing nothing is potentially disastrous and has to be ruled out. The second option is risky in terms of losing control and also magnifying management risks. However, the rewards also will be substantial, if it goes through smoothly.

The third option is a viable via media if the existing management is not sure if it can manage and handle the higher level of management risks posed by going public.

To conclude, depending on the strengths of the existing promoter / owners and their ability to control and manage the professional management team on the parameters hereinabove enumerated, they should choose between the second option of going public and the third option of moderate expansion along with inducting strong management to oversee both in-house franchise operations.

Credit Rating Risk : Risk Management — Case study

Risk

A credit rating estimates the credit worthiness of an entity,
be it a corporation, company, individual, public corporation or a
non-governmental organisation or even a country!

Credit rating involves evaluation of the potential borrower’s
credit worthiness in terms of borrowing capacity and the ability to repay,
including the ability to service the debt in terms of repayment of interest and
principal.

Credit rating primarily is of two types. The first is a
personal credit rating or the credit rating of an individual borrower.
Generally, the factors that influence this rating are: the ability of the
individual to repay the loan; the rate of interest; the relative use of credit
vis-à-vis his/her own capital; the saving and investment pattern; the purpose of
the loan; the spending pattern; background credit account enquiries; the
duration of credit history; activity and wealth; the nature and type of debt,
etc.

The other is corporate credit rating which is more of an
indicator to potential investors about the standard and rating of the entity
issuing the debt security.

The credit ratings of corporate entities take into account
the issuers’ credit worthiness, that is, the ability to repay the loan, interest
rate, credit scores depending on track record, profile, history, proposed usage,
capital structure, industry analysis and other factors.

Some of the prominent credit rating agencies abroad and in
India are: S & P (Standard & Poor’s), Moody’s, and Fitch Ratings
(International); and CRISIL and ICRA (in India), etc.

Generally credit rating agencies for corporate debt offerings
issue ratings like AAA+, AAA, BBB, CCC right down to D, E, F & S, etc. These
indicate ‘rating status’ indicating borrowing strength of the corporate. In the
case of individual borrowers, an assessment is done of the borrower’s ability to
repay. In case of corporates, the rating is at the request of the borrower; and
in case of individual borrowing, the rating is generally done at the instance of
the lender, though normally at the cost of the borrower.

The risk associated with credit rating is that of rating an
entity better than its real standing, resulting in an increased exposure of the
investor/lender. This is probably what led to the Global financial crisis.

Credit rating agencies have been under a cloud and their role
and relevance is being questioned. In India, the credit rating agencies had
failed to downgrade Satyam’s ratings and did so only when the scam was out in
the open — after the event!

The criticism of rating agencies stems from:

1. The nexus that they have with the market, analysts, the
market players and the corporate management.

2. Rating agencies are often wiser after the event.

3. Ratings affect interest rates and borrowing capacity

4. A premature negative rating can trigger corporate
failure.

5. Agencies go more by formulae and lack business acumen.

6. Agencies lack expertise in evaluating ‘green field’
projects.

Services of ‘rating agencies’ are critical in
evaluating risk where

(1) Companies that do not have a credit history or new
companies.

(3) Existing companies are undertaking diversification.

(4) Market risk – where commodities are
involved.

(5) Predicting specific business cycles.


Case study of the Month:

DuPont is a multinational which has a presence in the agro,
nutrition, energy utilities, consumer, government and healthcare sectors,
offering a bouquet of products like flooring materials, lubricants, coatings
like Teflon and a host of other products. Currently it has a net worth of around
7.2 billion US dollars, a long-term debt of 9.5 billion US dollars and a total
debt of 11 billion US dollars.

DuPont up to the 1960’s was known for its financial stability
and low debt to equity ratio and this protected the company from financial
constraints.

Competition increased post 1970, forcing the company to go in
for inorganic growth through acquisitions, and it had to deviate from a zero /
low debt company and start borrowing.

Debt financing resulted in dividend cuts, but with the use of
internal accruals for funding projects, the company managed to maintain a AAA
bond rating.

However, as time passed, the company stopped reducing debt
and went on borrowing, especially for M & A activity.

Increase in debt downgraded the rating to AA. The current
debt rating is lower, being A by Fitch, A2 by Moody’s and A by S & P. The
company is thus faced with a credit rating risk, with the outlook assessment of
all three rating companies being negative.

As a risk management consultant, you are asked for your
inputs and advice in this given situation.

Solution to the Case Study:

The risk manager’s advice is:

(1) DuPont should adopt a conservative capital structure for
the future which will help restore confidence and give the firm greater
financial freedom to fund research projects and diversification and pursue new
projects.

(2) In the interregnum raise the debt equity ratio to 2 to 1
by issue of convertible bonds for a period of 2 to 3 years – conversion at 10%
discount over market price on the date of conversion. This is suggested that the
increased leverage will adversely impact earnings before Tax and also PAT but it
will grant stability in cash flow.

(3) With consolidation and better performance PAT and PE will
increase over a period of 3 years. This is based on the Business plan and profit
projections given by the company and evaluated by the ‘risk manager’.

(4) In the current scenario a better option would be to move
to a higher leveraged position with more debt issued (the company can easily go
up to a debt equity ratio of 2.5 or 3:1). This way it can take advantage of the
tax shield and the revival phase of the economy and manage by issuing much
lesser debt at better rates to finance further activity.

(The case study and solution are not intended to be in the nature of
comments on the functioning or management of the companies but represent one of
the possible approaches selected by the author for demonstrating the concept
and issues of risk management)

Bhopal Gas Tragedy

Risk Management

This month’s case study is a
live case of an Industrial Disaster Risk — the Bhopal Gas tragedy.

Since the early days of the
industrial revolution till date there have been many incidents, mishaps and
unfortunate accidents — both large and small in which many lives have been lost,
damage has occurred and financial loss has been suffered. Industrial activity
that harnesses technology has always been prone to the risk of disasters — be it
the Chernobyl nuclear incident or the Exxon Valdez oil spill. These have ranged
from explosions, crashes, fires, leaks causing massive loss of life to
contamination and environmental and financial damage.

Even with modern-day systems
and risk management and mitigation procedures in place and proactive steps
including effective disaster management mechanisms by governments and corporates
alike, this continues to be a key area of concern and the size, scale and scope
of disasters has not reduced significantly.

The Bhopal gas tragedy that
occurred in the early hours of December 3rd, 1984 — over 200 years after the
industrial revolution, was by far one of the biggest industrial disasters in the
modern times. It has been described as an endless nightmare for those who
suffered it.

Bhopal is once again in the
news with eight UCIL executives including former chairman Keshub Mahindra being
convicted of criminal negligence and sentenced to two years in jail on 7th June,
2010. The sentences are under appeal. On June 24, the Union Cabinet of the
Government of India approved a Rs.1265 cr aid package. It will be funded by the
Indian Government.

Twenty-five years have
elapsed since that night that witnessed a ‘dance of death’ in Bhopal,
which saw a cloud of deadly gases emerging out of a faulty tank in a pesticide
factory and silently spread into the homes of unsuspecting sleeping multitude.
Although no official count of casualties has ever been done, estimates based on
hospital and rehabilitation records show that about 20,000 people died and about
5 to 6 lakh suffered bodily damage, making it by far the world’s worst
industrial disaster ever. Disasters can strike at any time, at any place.
Disasters keep happening all the time, but the tragedy still remains, a
catastrophe with no parallel.

What really happened ?

In the early hours of
December 3, 1984, from the Union Carbide factory at Bhopal manufacturing the
pesticide ‘Carbaryl’, an estimated 43 tonnes of deadly Methyl Isocyanate (MIC)
gas leaked out from the tank No. 610C and escaped into the atmosphere. The
sleeping city of Bhopal was converted into a gas chamber.

MIC as a gas has to be
stored in a liquid form, a potentially lethal practice since water reacts
exothermically with MIC, releasing heat that can cause a violent explosion.

On the day of the disaster
water leaked into the tank No. 610C causing a build-up of pressure and
temperature. The management decided to release the gas into the atmosphere
rather than have the tank explode which could have caused a greater damage.

The release of gas into the
air was a contingency that was planned and known to the factory management and
accordingly safety systems existed, but they failed.

What was the setting ?

The Union Carbide plant was
set up in 1968. However the plant had no long-term permission for storage of
MIC. In December 1982 there was a massive gas leak of Chlorine. 16 workers were
affected. The issue of danger to Bhopal from a pesticide plant was raised in the
Legislative Assembly of the State. While the gas leaked, Union Carbide’s works
manager exhibited a rather chilling overconfidence. He stated “The gas leak
cannot be from my plant. The plant shuts down automatically”.

The Time Line of the
Disaster

— December 02/3, 1984 :

— 10.30 p.m. the
late-night shift at the plant starts.

— 12.00 a.m. (midnight)
the operator checks MIC tank No. 610C and finds that the rupture disc has
burst; the gas has started leaking into the atmosphere.

— 12.06 a.m. MIC vapors
leak into the atmosphere through the 33m high-flare tower.

— December 03, 1984, 12.06 a.m. — 12.15 a.m. :

— gas starts leaking
from MIC tank No. 610C; safety systems collapse and efforts to ignite the gas
fail as the pilot flare system is inoperable.

— workers panic and
abandon all efforts to contain the leak.

— control room is
notified, and the rest is history.

Probable causes identified :

— Effect of MIC on
humans and the antidotal treatment was not known to the medical fraternity
and such knowledge if available was not disseminated to the emergency
services.

— Poor plant maintenance
practices.

— Economy measures,
overriding safety concerns.

— Densely populated
areas around the plant.

— Lack of effective
emergency medical facilities.

— People sleeping in
exposed areas, jhuggies, road-side, on pavements/ railway platforms.

— Administration
collapsed with key functionaries running for their lives instead of manning
key positions.

— Relief
operations became difficult as the disaster caused total confusion and
affected the ability and mental strength of those entrusted with
emergency relief.

Lessons learnt:

— Knowledge of the chemicals that were being stored.

— Emergency — accident — management manual should exist.

— Emergency procedures should be rehearsed at pre-prescribed intervals.

— Maintenance procedures and schedules should be strictly followed.

— Knowledge of nearest medical facilities.

— System of contacting top factory management.

— Residents living in the vicinity should be aware of the risks and trained to respond to emergency services.

The
leak was a watershed in formulating environmental legislation the world
over. The laws also require civic bodies and local officials to plan on
how to address a potential disaster situation.

Hindsight and way ahead:

Sheila
Jasanoff in her book ‘Learning from Disaster?: Risk Management after
Bhopal’ has provided a deeper insight into what are the issues to be
really addressed and the lessons we need to learn from such disasters
that not only provide a wider perspective to risk management, but also
give us, as human beings, food for thought.

“Although ‘hard’
engineering played its part in precipitating the events, the plant’s
defective components — the leaking valve, the broken refrigeration
system, the malfunctioning warning signal, and the inadequate storage
tank — were themselves the symptoms of more deep-seated social problems.

These
included the dearth of medical and scientific knowledge about an
extremely hazardous technology, the imperfections of information
transfer across national boundaries, the lack of regulatory resources in
a still developing country, the absence of workable relief and
rehabilitation plans, and the profound imbalance of economic power and
legal and managerial expertise between nations of the North and the
South.

Many of these deficiencies became apparent only in the
aftermath of Bhopal. Corrective policies have to address not only the
design of artifacts, but also (indeed, perhaps even more so) the human
practices and presuppositions that determine their management and use.
Seen from this perspective, a serious technological mishap ceases to be
merely accidental, for it opens windows onto previously unsuspected
weaknesses in the social matrix surrounding the technology.

Stringent
environmental regulations in developed countries have driven ‘dirty’
technologies to developing countries, where they operate under
disaster-prone conditions. Disasters are particularly likely to happen
when there is a sharp disjunction between the social order that gives
birth to a technology and the one in which it is eventually deployed.”

The
recent ‘oil spill’ in the Gulf of Mexico has again highlighted the need
for availability and strict adherence to mitigation procedures as
non-availability of these impacts the very existence of the entity.

Manufacturing Risk Management

Risk Management

We have covered strategic risks; we now begin with
operational risks. The first of the operational risks is ‘Manufacturing Risk.’
As we move from strategic risks to operational risks it becomes more hands on
and more of detailing. Thus while strategic risks are dealt with more at a
higher level, operational risks have to be tackled where, as they say, the
action is.

However in dealing with manufacturing risk, one has to deal
with it right from the design stage which is conceptual and hence this borders
on strategy.

Manufacturing process per se is a very complex
process, especially if it is technology-dependent, therefore it requires
effective risk management. There are six stages of ‘manufacturing’.


First : Concept stage — this is where a
product/tool is conceived, and is still an idea.


Second : Material solution stage — provides it
with a shape, size, form and matter — giving it a tangible form.


Third : Technology development — identifies the
components and systems needed for manufacture.


Fourth : Engineering and manufacturing development



Fifth : Production and deployment, and


Sixth : Operations and support.


In the present day scenario integrating risk management in
the production process is very important. It is necessary to do so right
from the design and development stage itself. Yet a note of caution should be
extended here, for ‘risk management’ process to be successful, it should be
introduced in designing the process and then diligently managed throughout until
the product finally comes out. This risk management process can become extremely
crucial in some industries. For example, successful risk management is critical
to the design and development of safe and effective medical devices.

Hence, manufacturing risk covers a wide range of risks
ranging from concept design, choice of technology and equipment to minimise
tooling manufacturing defects, operational breakdowns, maintenance costs by
prescribing procedure and schedules. All this is to control the risk of
escalation in ‘manufacturing’ cost.

Manufacturing risks can be very substantial as mentioned
above, as it covers performance and product warranties/guarantees.

Even in case of tested products there are risks of changes in
materials, specification, regulatory standards and norms or even technology
obsolescence.

These risks vary according to the complexity involved in the
product and/or the process of manufacturing the product. The recent ‘Nano’
catching fire exemplifies ‘manufacturing risk’.

The case study for this month for manufacturing risks is that
of a car manufacturer.

Big Boss Motors is a leading car manufacturer operating in
the large and medium-sized passenger cars and goods vehicle segment. The company
has a relatively good track record and has earned a good name and reputation in
the market.

It plans to diversify operations and expand its market share
in the passenger car segment and has therefore launched a small people’s car
‘Beta’, that is very reasonably priced. The fortunes of the company are on the
rise, however the company has received sudden setbacks. The first is that the
tried and tested mid-size passenger car model ‘Gamma’ developed a sway at high
speeds and the entire batch/lot of cars produced in October, November and
December 2009 of over 60,000 vehicles had to be withdrawn from the market. The
new car ‘Beta’ though well appreciated has its own share of problems. In three
different cities newly delivered Beta cars suddenly burst into flames attracting
consumer ire and attention of authorities.

As a responsible car manufacturer, the CEO requests you as
the risk manager to outline possible course of action.

The risk adviser recommends :


    1. Checking of cars of a particular make by its service stations/approved accredited service stations and replacement of even slightly defective parts — both checking and replacement — free of cost to the customer — though costly is an important PR function to retain the customer and build customer confidence.

    2. R & D and quality control department to check all ‘outsourced’ parts — components which could have led to failure.

    3. Identifying the vendor who has supplied the defective part component.

    4. Increasing supervision at all vendors’ manufacturing facilities.

    5. Review vendors’ agreements for assuring product warranty, guarantee and liability.

    6. Review inspection procedures on receipt of outsourced parts — components.

    7. Lastly, review in-house manufacturing and assembling processes.





In managing manufacturing risks, the importance of timely
root-cause analysis supported by ongoing research, and of effective customer
communication addressing product issues, needs to be kept in mind.

As reported in The Economic Times dated 22-4-2010, Toyota
Motors, beset by huge safety recalls and a host of lawsuits over deaths linked to
its cars, slipped from 3rd to 360th on the annual Forbes list of the world’s
leading companies. The damage could have been minimised by timely identification
of the defect and a service recall of the defective cars.

Let us not forget : ‘Good products build customers and
markets — defective products kill the market’. Hence effectively managing
manufacturing risk is key to success of an operation and acceptance of the
product.

The case study and solution are not intended to be in the
nature of comments on the functioning or management of the companies, but
represent one of the possible approaches selected by the author for
demonstrating the concept and issues of risk management.

RISK de jure

Risk Management

1. Introduction :


Risk — we have been using this word frequently these days (or
more precisely in the last decade), particularly after the corporate scandals in
the early 2000s. The word has legion synonyms and is perhaps one of the few words
in English taxonomy to have so many twins. Call it uncertainty, randomness,
chaos, entropy, volatility, catastrophe, threat, complexity, vulnerability or
‘black swans’ (a word coined by Nicholas Taleb in his book Black Swan to refer
to the impact of highly improbable events); or simply call it risk, the list is
long. Interestingly its thesaurus list is just as long as is the list of its
definitions. The avalanche in the definitions of ‘risk’ and ‘risk management’,
by different theorists, epistemologists, institutes, text books and consultants
makes ‘risk’ and ‘risk management’ one of the most debated concepts of
management literature. Ironically, the confusion and differences in the
understanding of this subject also makes it a lucrative business option for
consultants to leverage upon.

The debate is not restricted to the management hemisphere.
Even the physicists have been busy doing an autopsy of this term (albeit in a
different context) for more than half a century to find answers on the origin of
this universe, thereby refining our Weltanschauung. Heisenberg’s Uncertainty
Principle, which is frequently used by Einstein in explaining ‘General
Relativity’, has for decades created a similar anxiety among physicists as it
has among the management literates. Stephen Hawking, a renowned physicist and
Nobel laureate, quotes the following words in his book ‘A Brief History of Time
: From Big Bang to Black Holes’ in explaining the ‘uncertainty’ principle :

“Quantum mechanics does not predict a single definite result
for an observation. Instead, it predicts a number of different possible outcomes
and tells us how likely each of these is. That is to say, if one made the same
measurement on a large number of similar systems, each of which started off in
the same way, one would find that the result of the measurement would be A in
certain number of cases, B in different number and so on. One could predict the
approximate number of times that the result would be A or B, but one could not
predict the specific result of an individual measurement. Quantum mechanics
therefore introduces an unavoidable element of unpredictability or randomness
into science. Einstein objected this very strongly, despite the important role
he had played in the development of these ideas. Einstein was awarded the Nobel
Prize for his contribution to quantum theory. Nevertheless, Einstein never
accepted that the universe was governed by chance; his feelings were summed up
in his famous statement — God does not play dice.”

According to me, ‘risk’ is more a subject of behavioural
science and psychology than a subject of organisational management. This is
because each individual has his or her own definition of risk and his or her own
approach to practising risk. We all have different risk appetites or risk taking
abilities. And this in turn is a function of the manner in which we have
grown, the environment to which we have been exposed and the myriad events that
have shaped our lives. Our society, beliefs, perceptions, value system and
culture have an equal role to play. It is not only that the risk taking ability
differs from individual to individual, but for one individual also it keeps
varying from time to time. Risk is not a word that is discussed only at board
and executive level; we frequently use this word or its twin even in
our day-to-day life to refer to different events that shape our ‘risk appetite’.

Not mooting as to what constitutes precise definition of risk
and narrowing its application to the theory of business organisation, this
article tries to initiate a discourse and provoke thought process on the
following two aspects of risk management :

  •  Integrated assessment of risk that considers interplay and interdependencies
    of risks, and


  •  Significance of behavioural and group dynamics in risk management process that
    may dilute the likely benefits from risk management exercise.



2. Risk Management :

The Committee of Sponsoring Organizations (‘COSO’) of the Treadway
Commission published a technical paper on risk management titled ‘Enterprise
Risk Management — Integrated Framework’, wherein it has extensively detailed the
approach, methodology and framework for managing risk across the enterprise.
Ever since its publication, the framework has been incorporated into policy,
rule, and regulation, and used by thousands of enterprises to improve their
governance and risk management processes. According to the paper, the threads of
risk management include — Internal environment, objective setting, event
identification, risk assessment, risk response, control activities, information
and communication and monitoring.

Amongst the above, one of the most difficult threads to
implement is ‘risk assessment’. The paper provides a different perspective and
also a technique to assess risk, be it in quality or quantity terms. While
quantification of risk is still in its nascent stage, enterprises have been
largely assessing risk in quality terms based on the parameters of impact and
likelihood. While quantification of risk in numbers has its own advantages, it
is against the management wisdom that says that one should manage ‘business’ and
not ‘numbers’. Further, quantification has its limitations as it is subject to
a number of assumptions and hypotheses, which may again become a matter of debate.
Due to its simplicity and pragmatism and its advantage of providing a better
perspective of risk, qualitative risk assessment is more favoured by risk
experts and business executives (sparing the banking and financial industry)
over quantitative risk assessment. The qualitative assessment score, when
plotted on a 2 x 2 graph, assists in concocting risk response strategies.

Akin to any other decision-making activity, risk management is also a group and consensus seeking exercise, wherein the intelligence of many is preferred over wisdom of an individual. There are many social, behavioural and psychological factors that operate behind any such group exercise that can exacerbate it or invigorate it. The identification of risks and its assessments are culmination of ratings of different executives, divisional and functional managers (alias process owners or risk champions). As a corollary, the risk management exercise is also vulnerable to symptoms of behavioural decision-making, which in majority of cases in real world tends to dilute the real benefit that is purportedly expected from risk management exercise. This paper also discusses some of these symptoms, which a risk manager should be cautious of, for effective traction of benefits of risk management.

2.1    Risk Assessment: Measuring the Domino Effect of Risk:

In the real world, risks seldom operate in isolation. A particular risk interacts with various other risks with varying intensities; these interactions keep varying at different points of time, and so do their intensities. The complexity, dynamism and frequency of change of systems in the real world, be it an ecological system, financial system, economic system or a company’s internal control system, contribute to these very characteristics, making accurate risk assessment a utopia.

This characteristic of risk is also colloquially referred to as the domino effect of risk. Physicists also refer to it as the butterfly effect or chain effect, an allusion to which is also reflected in Edward Lorenz’s chaos theory. The domino effect is a chain reaction that occurs when a small change causes a similar change nearby, either on a linear trajectory or in a skewed manner.

The integration of global financial and commodity markets, urge of world economies to adopt the capitalist framework, avalanche of cross-border acquisitions, spree of local companies to go global, emergence of black swan known to be cloud computing and information technology and various similar other black swans, increases the domino effect in an exponential manner, making the understanding of risk (in right spirit) similar to arranging of desks on a sinking Titanic. There can be myriad instances that can be quoted to exemplify the domino effect of risks:

  •     The recent sub-prime crises and financial melt-down creating cues of the Great Depression of 1930’s.

  •     The volcanic eruption in Iceland creating turbulence in network of flights.

  •     Greece crises dimming the hope of economic recovery and depressing corporate revival strategies.

  •     Threat of global warming compelling large corporates to re-engineer their strategies to make them more sustainable.

  •     The snow-balling effects of corporate failures of early 2000 on the entire fraternity of economists, accountants and directors.

  •     For a manufacturing operation increase in inflation adversely impacts cost of inputs and compels it to modify its marketing and pricing strategies to pass on additional cost to the customers; its inability to pass the burden of inflation to the customers, may force the companies to adopt lay-off and retrenchment strategies in order to sustain its survival — a phenomenon which we recently observed, particularly in west, before the recovery cues.

  •     Sporadic interest rates triggering volatility in exchange rates, which in turn may lead a company to hive off its foreign investments or postpone its global expansion plans or cease its import or export transactions.

  •     A decision to enter a new line of business, with significant incentives tied to reported performance, can increase risks of error in application of accounting principles and of fraudulent reporting.

The combined effect of such interdependent risks, which although individually may be of low magnitude (low impact and low likelihood), may create apocalyptic massacre for a company. And rectifying such injury may either become impossible or would necessitate a complex surgery.

The following words of Nicholas Taleb from his book ‘The Black Swan — Impact of Highly Improbable Events’, are apt to exemplify the domino effect of risk, particularly in era of globalisation:

“Globalisation creates interlocking fragility, while reducing volatility and giving the appearance of stability. In other words, it creates devastating Black Swans. We have never lived before under the threat of a global collapse. Financial Institutions have been merging into a smaller number of very large banks. Almost all banks are interrelated. So the financial ecology is swelling into gigantic, incestuous, bureaucratic banks — when one fails, they all fall. The increased concentration among banks seems to have the effect of making financial crises less likely, but when they happen, they are more global in scale and hit us very hard. We have moved from a diversified ecology of small banks, with varied lending policies, to a more homogeneous framework of firms that all resemble one another. True, we now have fewer failures, but when they occur . . . . I shiver at the thought.

Banks hire dull people and train them to be even more dull. If they look conservative, it’s only because their loans go bust on rare, very rare occasions. But (. . .) bankers are not conservative at all. They are just phenomenally skilled at self-deception by burying the possibility of a large, devastating loss under the rug. The government-sponsored institution Fannie Mae, when I look at its risks, seems to be sitting on a barrel of dynamite, vulnerable to the slightest hiccup. But not to worry : their large staff of scientists deemed these events ‘unlikely’ ”.

The COSO framework categorically emphasises that looking at interrelationships of risk likelihood and impact is an important management responsibility, since it can significantly impact company’s perspective of risks. However, the framework does not explicitly discern the techniques to measure and assess the interplay of risk, as it does for assessment of individual risks. In practice, consideration of risk interplay becomes a paper exercise and is seldom implemented while performing risk assessments. Due to limited guidance on the measurement of risk interactions, risk assessments are often performed for individual risks only, which in all probability is likely to give deluding picture of risk, if not incorrect.

This domino effect can be measured using statistical tool viz. correlation coefficient (r). This would, of course, envisage the following additional threads in addition to those in existing COSO framework.

Identification of Risk Baskets :

Identifying interrelated risks (i.e., the risks that are interdependent on each other) and creating risk baskets or risk portfolios.

Measuring Risk Correlation

Measuring the correlation between the risks within a risk basket. For establishing such correlation, individual risk scores for reasonable period in the past would be necessitated. Using the historical individual risk scores and establishing the trend in their manoeuvrability, we can measure strength of nexus between risks in the risk baskets.

Assessment Matrix and Risk Response Strategy:

Plotting of consolidated scores of a risk basket and its correlation coefficient on a 2 x 2 matrix, provides better perspective of entity’s risk exposure and also assists in prioritising risks and strategising risk responses. Such prioritisation of risk baskets based on correlation coefficient can lead to different risk strategies, as against prioritisation of individual risks without measuring their interrelation.
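One way to carry out the three threads above (risk baskets, correlation, 2 x 2 matrix), given as an added example that is not from the article. It assumes a basket's coefficient is the mean pairwise r, its consolidated score is the mean of the latest scores, and cut-offs of 10 and 0.5; all basket names, risk names and scores are constructed.

```python
from itertools import combinations
from math import sqrt
from statistics import mean

# Constructed sample data: individual risk scores (impact x likelihood, each
# rated 1-5) for eight past periods. Basket and risk names are illustrative.
RISK_BASKETS = {
    "input_costs": {
        "inflation":      [4, 6, 6, 8, 9, 9, 12, 12],
        "interest_rates": [3, 4, 6, 6, 8, 9, 9, 12],
        "exchange_rates": [4, 4, 6, 8, 8, 9, 12, 12],
    },
    "operations": {
        "plant_safety": [20, 20, 16, 20, 16, 20, 20, 16],
        "it_outage":    [4, 6, 4, 4, 6, 6, 4, 6],
    },
    "facilities": {
        "canteen_hygiene": [2, 3, 2, 4, 3, 2, 4, 3],
        "parking":         [3, 2, 4, 2, 3, 4, 2, 3],
    },
}


def pearson_r(xs, ys):
    """Correlation coefficient r between two equally long score histories."""
    if len(xs) != len(ys):
        raise ValueError("score histories must cover the same periods")
    if len(xs) < 2:
        raise ValueError("need at least two periods to measure co-movement")
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        # A score that never moved gives no evidence of co-movement; r is
        # undefined here and is reported as 0.0 (assumption of this example).
        return 0.0
    return sxy / sqrt(sxx * syy)


def basket_correlation(basket):
    """Mean pairwise r across a basket (assumed way to get one figure)."""
    pairs = list(combinations(basket.values(), 2))
    if not pairs:
        return 0.0  # a single risk has nothing to interact with
    return mean([pearson_r(a, b) for a, b in pairs])


def consolidated_score(basket):
    """Mean of the latest-period scores (assumed consolidation rule)."""
    return mean([series[-1] for series in basket.values()])


def quadrant(score, r, score_cut=10.0, r_cut=0.5):
    """Cell of the 2 x 2 matrix; both cut-offs are assumed, not the article's.

    r is compared with its sign: risks that move in opposite directions do
    not compound each other, so a negative r lands in the 'low' column.
    """
    return ("high" if score >= score_cut else "low",
            "high" if r >= r_cut else "low")


def assess(baskets):
    """Score, r and matrix cell for every basket."""
    result = {}
    for name, basket in baskets.items():
        score, r = consolidated_score(basket), basket_correlation(basket)
        result[name] = {"score": score, "r": r, "quadrant": quadrant(score, r)}
    return result


def top_individual_risk(baskets):
    """What a register ranked by individual latest score would put first."""
    return max(((b, risk, series[-1])
                for b, risks in baskets.items()
                for risk, series in risks.items()),
               key=lambda item: item[2])


if __name__ == "__main__":
    for name, row in assess(RISK_BASKETS).items():
        print(f"{name:12} score={row['score']:5.1f} r={row['r']:+.2f} "
              f"(score, r) cell={row['quadrant']}")
    print("highest individual risk:", top_individual_risk(RISK_BASKETS))
```

On this data the highest individual score (plant_safety) sits in a basket with low correlation, while the three medium-rated input-cost risks form the only basket in the high-score, high-correlation cell.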


Allusion is drawn to an article on risk management published by Wharton on the cloud (www.knowledge.wharton.upenn.edu)

“. . . . Risk management has no silver bullet. As a result, many companies need to develop a more integrated view of risk. ‘We have seen a tendency to separate risks into rigid silos — operational risk, market risk, credit risk and so on,’ says Wharton’s Herring. ‘But what we have found is that major shocks and problems do not come that way. For instance, in the financial world, you would see trading desks staffed with people who were experts in market risk, but they were trading instruments that were laden with credit risk. The skills you need to think about each of those kinds of risk are very distinctive, and unless you have an integrated view of risk, you could encounter major problems.’ . . .

. . . Historic data does not shape the future anymore, given how rapidly the world is changing. We usually look at the known issues and make a nice diagram with probability on one axis and impact on the other. That’s Risk Management 1.0. Risk Management 2.0 is (going) beyond the known issues to look at the links and interdependencies. You can no longer look at the risks independently of each other …”

2.2  Breaking the Abilene Paradox:

The Abilene anecdote goes something like this:

“On a hot afternoon visiting in Coleman, Texas, the family is comfortably playing dominoes on a porch, until the father-in-law suggests that they take a trip to Abilene (53 miles north) for dinner. The wife says, ‘Sounds like a great idea.’ The husband, despite having reservations because the drive is long and hot, thinks that his preferences must be out-of-step with the group and says, ‘Sounds good to me. I just hope your mother wants to go.’ The mother-in-law then says, ‘Of course I want to go. I haven’t been to Abilene in a long time.’

The drive is hot, dusty, and long. When they arrive at the cafeteria, the food is as bad as the drive. They arrive back home four hours later, exhausted.

One of them dishonestly says, ‘It was a great trip, wasn’t it?’ The mother-in-law says that, actually, she would rather have stayed home, but went along since the other three were so enthusiastic. The husband says, ‘I wasn’t delighted to be doing what we were doing. I only went to satisfy the rest of you.’ The wife says, ‘I just went along to keep you happy. I would have had to be crazy to want to go out in the heat like that.’ The father-in-law then says that he only suggested it because he thought the others might be bored.

The group sits back, perplexed that they together decided to take a trip which none of them wanted. They each would have preferred to sit comfortably, but did not admit to it when they still had time to enjoy the afternoon …”

The Abilene paradox is a paradox in which a group of people collectively decide on a course of action that is counter to the preferences of any of the individuals in the group. It involves a common breakdown of group communication in which each member mistakenly believes that their own preferences are counter to the group’s and, therefore, does not raise objections. A common phrase relating to the Abilene paradox is a desire to not ‘rock the boat’.

This is what typically happens in any management meet, particularly when it is discussing an intricate subject such as risk. A risk which each individual process owner may perceive as high may get rated as low or medium, as each process owner may think that his/her risk perception is counter to that of the group. The paradox may also be contagious during the risk identification and risk mitigation threads, rendering the exercise fragile. The snowballing effect of such Abilene assumptions may significantly dilute the benefits of the risk management exercise, keeping the board & executives under the self-deluding folly of having an effective risk management framework.

2.3  Handling Delphi carefully:

Qualitative risk assessment is essentially based on average score of risk ratings perceived by each process owner, within risk management team. The scores (be it in terms of 1 to 5 rating scale or in terms of high, medium or low) by selected process owners are consolidated and averaged out to derive singular risk rating.

This technique, which is theoretically termed the Delphi technique, is widely used in group decision-making processes. However, a major limitation of Delphi, which can rob it of all its benefits, is that it tacitly tends to avoid the extremes and moderate the ratings of a risk which purportedly was a black swan. The resultant risk score and big picture become distorted. It brings in a myopic and conservative sense of ‘All is well’, when in fact the company is boarding a sinking Titanic. It blinds the management to potential and actual black swans, satiating them with complacency syndrome. Delphi leads management to satisfy itself of the non-existence of a black swan, and then lands it with the surprise of ‘How did we suddenly land in such a complex situation?’ when a potential black swan triggers.

While Delphi continues to gain favours of risk managers, it should be used with caution of its tendency to preclude traction of extremes.

2.4 Avoiding GroupThink syndrome:

GroupThink is yet another syndrome that carries with it the bacteria, similar to Abilene & Delphi, and has the potential to make the risk management process brittle. The term was first coined by Irving Janis in the early seventies and occurs when a group makes faulty decisions because group pressures lead to a deterioration of mental efficiency, reality testing, and moral judgment. Groups affected by GroupThink ignore alternatives and tend to take irrational actions. A group is especially vulnerable to groupthink when its members are similar in background, when the group is insulated from outside opinions, and when there are no clear rules for decision-making. The psychologist has prescribed following symptoms of GroupThink, which a risk manager must be aware of:


GroupThink occurs when groups are highly cohesive and when they are under considerable pressure to make a quality decision. When pressures for unanimity seem overwhelming, members are less motivated to realistically appraise the alternative courses of action available to them. This leads to carelessness and irrational thinking.

A risk group is also often diagnosed of the above GroupThink symptoms, which a risk manager and risk group should be careful about.

3. Conclusion:

Following cues can be drawn from the above:

  •     It is imperative to realise that interdependencies of risks can be more jeopardising than individual risk/s. A couple of interrelated risks with medium rating can together become a potential black swan and can be more jeopardising than an individual risk with high rating

  •     There is need to have an integrated view of risk and measure the risk domino effect using the ‘r’ factor. The Board/CEO today can have only 5-10 key risks on tips of fingers, rather than have a plethora and long list of risks in their risk register, which leads them nowhere

  •     A risk manager should be cautious and aware of behavioural & psychological factors that can paralyze any group & consensus seeking exercise like risk management. These factors alone can risk the risk management exercise, despite having contemporary frameworks and models

  •    A risk management team should comprise members who can independently and emphatically put forth their opinions and assessments, without getting carried away by group opinions

  •     A risk manager should be aware of the limitation of Delphi and should not be oblivious to extremes that often get buried under the shelter of the law of averages

  •     It is desirable to have an independent and external perspective during risk management exercise who can constructively challenge the decisions, thinking and assumptions of risk management team and break their self-deluding complacency.

Risk management, like any other science of management, is function of intuition, imagination, pragmatism and leadership. There is greater need to change the organisation mindset and culture towards risk, rather than change systems and adopt new models and frameworks, which many times may be appealing and glittering but are seldom gold.

God not only plays dice, but He also sometimes throws the dice where they cannot be seen . . . . He still has few tricks up His sleeves.

— Professor Stephen W. Hawking

Managing Service Failure Risk

Risk Management

Service failure :

Failure of customer service is a phenomenon widely
encountered in today’s times. The business environment has become so complex and
the points of failure have grown so many, that ‘service failure’ is encountered
at a level much higher than in the past.

However it is important to note here that service failure is
not necessarily a disaster which spells ‘death knell’ for a company, but it
certainly damages ‘goodwill’. If the service recovery — the actions taken in
response to the failure — is handled well, then customer satisfaction, trust and
loyalty in effect actually increase.

What is a matter of greater concern is ‘facing’ a service
recovery failure. In short, failing to redress customer grievances in time and
address service failure is categorised as ‘service recovery failure’.

Dealing with service failure :

‘Service failure’ can be overcome with ‘good service’. Good
service response, in fact represents commitment and builds trust between the
company and the customer. This increases customer satisfaction and loyalty.
Customers are likely to talk positively about the company that redresses their
grievances. This enhances company’s image. Even though it may seem like a
paradox, the whole experience of ‘service failure’ can at times generate more
goodwill than if nothing had gone wrong in the first place.

In contrast, service recovery failure — even for a relatively
small issue — can increase customer dissatisfaction and frustration. This makes
the customer feel greater negativity about the company, damaging its image and
potentially turning other customers away.

Service recovery :

The proactive steps taken by a company to handle customer
complaints, service failure issues, and customer grievances go a long way in
building customer goodwill, and thereby retaining customers. This is the core of
service recovery that addresses service failure. This process rises above mere
complaint handling, which is reactive in nature. Service failure is addressed at
three levels. First by redressal — such as tendering an apology, refund or
product replacement. The second level is to make the recovery process work
smoothly without taxing the customer or requiring repeat calls. The third level is the
tone, tenor and manner of the interaction and communication with the customer.
This should neither be apologetic, nor patronising, but should treat the
customer as a valuable associate of the organisation.

Case study of the month :

The CEO of a well-known biscuit manufacturer is surprised to
receive a small envelope in his mail. The envelope contains a biscuit wrapped in
a letterhead. He opens the biscuit to find a piece of thread inside. Curious
about the incident he hands over the letter/packet to you as the risk manager of
the company, rather than to the sales department. You are asked to outline your
line of action and the probable reason of the letter being written to the CEO
for a relatively minor incident.

Solution to the case study :

The first step as a risk manager would be to understand the
scale and magnitude of the problem. It is evident that unless the customer had
felt severely wronged at the point of first contact, either the shopkeeper or
the dealer, he would not have taken the step of posting the biscuit with the
thread in it to the CEO of the company. This is reflective of the seething
discontent of the customer.

The ‘risk manager’ took upon himself to contact the customer
on telephone, apologised and thanked him for bringing the defect to the notice
of the CEO. He followed up the call by sending the customer six packets of
various products of the company.

On the telephone he had also enquired about :

  • the date of purchase.

  • the name of the store from which the product was purchased.

  • whether any complaint had been made to the store or the shopkeeper, and

  • their response.


The first step of making a telephone call ensured customer
loyalty.

He also carried out a survey of the complaints received by
the sales department regarding ‘product quality’, ‘product delivery’ and
‘product availability’. His survey yielded that there were very few product
quality complaints and those that were received were virtually not attended to.

His suggestions to the CEO were :


(1) to establish a system where ‘product quality’
complaints on a regular basis were reported to the Sales Director along with
redressal measures.

(2) placards at retail level giving toll-free telephone
number where the customer could complain about ‘product availability’ and
‘product quality’.

(3) create a system of quick response to the customer’s
complaint.


His suggestions were accepted and over a period of 6 months
the sales improved as the steps communicated to the customer/consumer the
company’s concern for his (consumer’s) satisfaction.

Capital Inadequacy Risk : Risk Management Case Study

Risk Management

Capital is one of the four
factors of production. The other three are Land (infrastructure), Labour
(workforce), and Enterprise (business acumen, activity and spirit). Capital is a
very critical input to ensure success of any commercial business venture.

Capital can be divided into
two parts : Equity or ‘own capital’, which is risk bearing, and Debt or ‘External
Funds’, which bear a relatively lower level of risk.

Traditionally debt or
external funds are secured by a charge on the assets of the enterprise and also
enjoy a priority in repayment in case of failure of business or similar
unforeseen eventualities.

Equity capital on the other
hand is the capital that is ‘risk bearing’, but is also entitled to
participate in the returns (profits) of a venture to a greater extent than other
forms of capital.

The essential basis of
capital adequacy and the risk arises from the fact that if an entity uses its
own capital to the exclusion of all other forms of external debt (funding), the
return on its business and
assets would directly determine its return on equity/capital.

After the emergence of joint
stock companies and the separation of ownership and management, professional
managers started tapping external debt/ borrowings as a source of capital as it
was available at a fixed lower rate interest cost than the return on the
business/assets. This enabled these companies to enjoy a high financial leverage
and enjoy a very high rate of return on equity. However the risk lies in a
reverse scenario happening. If the return on assets falls below the cost of
external borrowing, then the multiplier leverage acts in reverse and the equity
capital will have a negative/much lower return than the actual return. It is
essentially this risk/return trade-off that decides the extent of ‘own capital’
and how much leverage a firm/entity should select for its operations.
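
The leverage effect described above can be written out as follows. This is an added illustration, not part of the original article; taxes are ignored, the percentage figures are constructed, and the debt-equity ratio of 2 is the 2 : 1 norm the article goes on to cite. With equity $E$, debt $D$, return on assets $r_A$ and interest cost $i$, the profit left for equity holders is $r_A(D+E) - iD$, so

$$\text{Return on equity} = \frac{r_A(D+E) - iD}{E} = r_A + \frac{D}{E}\,(r_A - i).$$

With $D/E = 2$ and $i = 10\%$: a return on assets of $14\%$ gives $14\% + 2 \times 4\% = 22\%$ on equity; a return on assets of $10\%$ gives exactly $10\%$; and a return on assets of $6\%$ gives $6\% + 2 \times (-4\%) = -2\%$, which is the multiplier acting in reverse.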

For business entities,
capital adequacy is decided/judged by using the debt-equity ratio, which is
2 : 1, i.e., for every Rupee of equity or own capital, the debt to be
raised is generally Two Rupees or twice the equity capital.

In case of banks, the Basel
norms prescribe capital adequacy norms. However, these are based on the
risk-weighted assets value and are generally considered at 10% of the value of
such assets.


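$$\text{The capital adequacy ratio} = \frac{\text{Core Capital}}{\text{Assets}} = \frac{\text{Tier one} + \text{Tier two capital}}{\text{Risk-weighted assets}}$$

The norm for this ratio, as stated above, is 10%.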

In the past we had the
office of the Controller of Capital Issues that decided the capital structure of
listed/public companies.

In the present liberalised
deregulated globalised scenario, these decisions are best left to the entities
themselves and market forces. The fact remains that for every entity, depending
on the type of the activity, size, scope and scale of the operations and its
risk profile and the asset/business/investment/ portfolio, there is a minimum
capitalisation level that has to be met. Leverage gives higher returns and
improves financial efficiency, but it needs to be balanced with stability and
risk in order to ensure safety.

Capital adequacy norms for
banks were first introduced in 1989 by the BASEL Accord. It has been over twenty
years yet we had a number of crises after that — the South Asian crisis and
thereafter the major financial meltdown faced the world over.

To answer the question of
why did institutions fail despite capital adequacy norms, one has to look at
three things/areas which still remain substantially uncovered :


    1. The norms, though well-accepted in banking, have not been adopted for NBFCs and other business entities.

    2. The quality of assets, existence of sub-prime assets, risks associated with off balance sheet exposure, especially derivative instruments is not effectively captured in the capital adequacy norms.
    3. The entire approach because of the formula-based working gets reduced to a mechanical exercise and coupled with VAR (Value at Risk) approach gives a feeling of preciseness to an analysis that is at best judgmental. It is essential to keep in our mind that decision-making starts where formulae end, and it is never more true than for issues like capital adequacy.

Business/Industry practices:

Capital adequacy and capital structure also depend upon industry/business norms and practices. Thus those businesses that are high risk, e.g., construction industry, film and entertainment industry, often reveal a paradoxical situation where minimal funding is out of own or structured capital and maximum funding is from private external sources.

One explanation for this phenomenon could be that the owners themselves as well as the formal sources of finance find these ventures too risky. Hence, as a fallout these businesses have to raise external funds at a very high cost even up to 3% per month (36% per annum) to meet and balance the risk return trade-off.

The less risky, more stable and efficient the venture, the lower would be the need for expected return and higher the borrowing capacity.

Case study of the month:

Tata Motors, one of the flagship Indian Corporate multinational companies of the Tata Group, was adequately funded, had a good capital adequacy and was generally successful in all its ventures. The business of Tata Motors continues to thrive even today with the success of the Nano and the Manza.

However, a very significant event happened in June 2008 when Tata Motors acquired Jaguar and Land Rover from the US-based Ford Motors for approx. USD 2.3 billion. Tata Motors planned to raise Rs. 72 billion through rights issues which did not meet much success as the share market fell on weak global cues and they were available in the market at prices much lower than the offer price. On taking the bridge loan the debt-equity ratio increased to 1.21 from the previous debt-equity ratio of 0.53 in March 2006 and 0.8 in March 2008. The dilemma which an entrepreneur always faces is balancing ‘risk’ and ‘progress’.

During the economic recession the price of its equity share from the high of Rs.750 to Rs.800 per share in January 2008 came down to a level of around Rs.150 in December 2008 and Rs.130 in February 2009. The rights issue was priced at Rs.340 per share which naturally found few takers.

Other options to fund the acquisition, like divesting stake in group companies or an international GDR/ADR issue, were also abandoned due to adverse markets.

The third and final effort of the company was to raise funds by way of private deposits to refund the bridge loan due by June 2009. Even this effort met with limited success and despite repayment of USD 1 billion till 2008, the bridge loan had to be rolled over in part.

As a risk manager, identify the issues and outline additional strategies that could have been attempted in the given scenario.

Solution to the case study:

The issues are primarily those that deal with the basis of capital budgeting, fund management and planning the capital structure:

    1. The acquisition of JLR was an effort by Tata Motors to stay ahead of the competitors using inorganic growth.
    2. The global meltdown and recession in the world economy adversely affected the market putting the company into a tight spot.

    3. The availability of funds in the Indian markets shrank due to the meltdown, credit squeeze, withdrawal of FIIs and adverse market sentiment.

The causative factor primarily was the fact that in the heat of the moment and rush of the deal the short-term sources of funds were used for a long-term use of funds — namely, capital acquisition.

As Warren Buffett, the legendary investor, says, “It is always easier to think clearer and comment in hindsight.”

The way out, and that is what Tata Motors tried, is to:

    i) Diversify into different segments including small cars
    ii) Improve profitability
    iii) Raise resources including by way of deposits for company products from customers.

And ultimately wait and watch for the right time to raise long-term funds to replace the short-term sources tapped for the long-term uses and bring back stability to the financial structure of the company.

Ultimately, if the company had maintained capital adequacy throughout the deal and not jumped in using bridge finance, probably the outcome would have been different.

Postscript: Now, because of the steps taken, the price is back to Rs.842 in January 2010 and around Rs.750 in March 2010. Crisil upgraded Tata Motors’ short-term debt to A+ as reported in March 2010. Hence capital adequacy impacts risk ratings and borrowing capacity in the market.

(The case study and solution are not intended to be in the nature of comments on the functioning or management of the companies but represent one of the possible approaches selected by the author for demonstrating the concept and issues of risk management.)

Event Risks — Case Study

Preamble:
Case studies have been an excellent teaching and learning tool, especially in a live setting. Thus, even though formal academic training relies primarily on texts, lectures and tests, in a less formal setting, especially for continuing education, the case study method is preferred.

In fact the tales of the Panchatantra and Hitopadesha are excellent examples of how this method can transform people, making them smart, intelligent, successful, wise and knowledgeable.

I personally prefer case studies, as a case study cannot and does not have one right answer. In fact no answer given with enough understanding and application of mind can ever be wrong.

The case gives a situation, often a problem and seeks responses from the reader. The approach is to study the case, develop the situation, fill in the facts and suggest a solution.

Depending on the approach and perspective the solutions will differ but they all lead to a likely feasible solution. Ideally a case study is left to the imagination of the reader, as the possibilities are immense.

Readers’ inputs and solutions on the case are invited and will be shared with others in the next issue. A suggested solution from the author’s personal viewpoint has also been provided for guidance.

Overview:

Event risk is a contingent risk as it depends on and materialises on the happening of an external event that is often calamitous, having far reaching consequences. Being an external risk over which the organisation has little/minimal control, it is a high-level risk that is difficult to predict, prepare for and handle.

Such events generally create a shakeout and destabilise / change the business, economic, social and cultural environment. Examples of such events in the recent past range from the tsunami, which was caused by nature, to man made events like the terrorist attack on 26/11 in Mumbai.

Event risks can also be classified in different ways as can be seen from the figure below:

External events by their impact on different dimensions and functional areas of the business pose a threat as well as present opportunities for growth of business and development of new lines of business. Post-tsunami, agencies involved in disaster management and relief work and those connected with insurance got a substantial boost.

Similarly, post 26/11, businesses dealing with security — physical, information security, etc. as well as those providing security cover and selling security devices and equipments are also witnessing a substantial boost.

In terms of stock market analysis, event risk can be described as a risk that comes from unexpected and unpredictable events such as a negative industry report, a competitor reporting unexpected poor financial results, or a ratings downgrade by an analyst or by a rating agency. (reference www.yourdictionary.com/event-risk).

Event risk can then be summarised as risks due to unforeseen events partaken by or associated with the company. These are extreme portfolio risks marked by substantial changes in market price. The example picked up for this month’s case study is that of a company employed in conducting corporate training programmes.

Capable Corporate Trainers Limited has been in the business of corporate training for over fifteen years now. It operates in major metros — Mumbai, Kolkata, Delhi and Chennai as well as in Bangalore and Pune.

The business model of the company consists of identifying training needs, developing programmes tailored to suit existing as well as emerging topics and delivering these through own (in-house) and outsourced faculty. Currently the company has two in-house trainers. All others are taken on contract basis as and when required.

The company has managed to hold its own against growing competition due to its good marketing, strong faculty, winning programmes, training ideas, etc.

The recent series of events and incidents have however, adversely affected the company.

1. The terrorist attack incident in Mumbai in November has depressed the training market in Mumbai, the commercial capital.

2. The economic slowdown, meltdown and downturn, coupled with the stock market crash have been severe events with far reaching impact on the economy as a whole and on the training space in particular.

3. Changed policy of hotels regarding bookings and security measures in light of the fallout of the terrorist attacks on 26/11 have also been affecting the programmes.

Thus although currently the training calendar is set for the months of January to March 2009, sustaining the programme schedules and numbers of participants may prove difficult with cancellations and dropouts being the order of the day.

The top management has decided to have a Board meeting to sort out these issues and address the event risk faced by the company. The consultant to the company has compiled and furnished following further information for our reference.

The likelihood of another terrorist attack in any of the metros, larger cities and sensitive states is quite high. According to analysts, the financial downturn, economic meltdown and stock market crash are likely to adversely affect business till the end of 2009 and depress corporate training demand.

These various aspects and issues reflect a strong event-risk in operation.

As a risk manager, you are expected to identify and analyse these risks and advise the company on the best course of action, and come up with a ‘contingency plan’.

The Solution: The suggested strategy is outlined and implemented as below:

After identifying the risks, the company must put in place safeguards to eliminate or minimise the associated risks to the company based on the level of the risk.

For example, terrorist attacks pose a dual risk to the company. Firstly, there is an inherent risk that the buildings from which the company operates may be at risk of terrorist attack. The company must look at their insurance plan to see that it covers such risks. Secondly, the company must consider alternative storage for critical documents, training records, etc. The other risk is that of the possibility of harm to the faculty of the organisation while traveling to corporate clients’ offices to conduct training programmes. This can be addressed by a specific insurance plan for the faculty, which will not only take care of any company liability but also reassure the faculty with regard to the financial safety of their families. In addition to this, the company must also consider commencing security awareness and training programmes, particularly aimed at the staff of hotels and corporate offices. The demand for such programmes will naturally be high, given civic concerns.

The economic slowdown is the single biggest risk to the company’s business. With this in mind, the company must concentrate on those training programmes and clients which are the most profitable. The company may consider offering benefits in the form of discounts to loyal clients who generate a minimum guaranteed amount of business in a particular year. The company may also start looking at the business of training videos in CDs (DVDs), computer based programs, etc. This will reduce the risk to the company’s faculty and the cost to the client, while at the same time generating a new source of revenue.

Changes in hotel policies and booking arrangements can be addressed by tying up with a chain of hotels (to be identified via enquiries through travel agents) that will reduce the formalities for bookings by identifying standardised documents, and other procedures to be followed. Further, the company may consider asking local clients to arrange for the booking themselves to be paid for by either the client or the company itself.

The risk of subsequent terrorist attacks may be minimised by considering online interactive training programmes at a subsidised cost, that will not only minimise travel inconveniences and risks, but also the associated costs for the company.

To meet the dual risk of economic slowdown (cost) and another attack (safety) the risk advisor also suggested:

  • Change of venue from star hotels to other comparable facilities available in the town.

Many of these suggestions may require investment by the company in technology, particularly information technology. However, sound marketing of these new training measures coupled with judicious use of money and other company resources may lead to sustenance and higher profits in the long term.

Group Risk Management

Overview :

    ‘Group Risk’ refers to risks that arise to an organisation either internally or externally as part of a ‘group’. The group consists of entities and organisations (mostly companies) under the same management.

    Generally, especially in India, businesses were started and developed by families that are often referred to as ‘Groups’. These companies are under the same management, operating under the same umbrella. They often share the same ideology, may have similar style of management and functioning and may share some common facilities and may even have shared/common employees and consultants. In such a case, risk that affects any one company can spread to others within the group and also to the entire group due to ‘contagion effect’. This risk may pertain to issues like failure of controls and occurrence of fraud, which will result in tainting of the entire group.

    How, to what extent and why the risk will spread within the group and affect it, will depend on the type of risk, the nature and functioning of the group.

    There are certain risks that are self-limiting that will not spread out and affect beyond certain limit, whereas others, especially non physical ones where emotions and sentiments are at play may even spread across the entire group.

    Thus physical risks like flood or fire may affect only those units in the group that share common facilities or infrastructure or physical space and are inter-connected in that sense. Certain non physical risks like image risk may spread easily across the group with a common management.

    The example selected for this month’s case study is that of a group led by a flagship company that makes rubber products and has other companies dealing in construction and real estate, software, consumer goods, travel and tourism, advertising and printing within the group.

    Supreme Rubber Products Ltd. is the flagship company of the Biju group of companies. Biju group was founded and came into prominence during the lifetime of Biju Sirkar, who set up a number of units and became a well-known successful first generation entrepreneur about 50 years back, in the post independence era. The group consists of about 20 companies with interests in rubber products, construction, real estate, software, consumer goods, travel and tourism, advertising and printing.

    Some of these companies are listed, others are subsidiaries or closely held, but all of them are under the same management and share a common logo. These companies operate from three main centers in Kolkata, Bhubaneshwar and Hyderabad. They share a common brand and group logo, and organisational and management practices including HR and training facilities.

    Biju is now advanced in age and, although the Chairman of the flagship company, is looking for a successor.

    Out of the companies, the flagship company and the consumer goods company are doing extremely well. The travel and tourism, printing, real estate and the construction company are facing difficulties due to economic downturn. The software company, however, belying expectations and market trends, is doing quite well.

    With Biju being advanced in age, the pressure of work and handling of diverse businesses is telling on him. His health is a cause of concern as he had a heart problem that was detected a few months back; hence he quickly needs to find a successor. There are two major factions in the group. The elder son of Biju, Gopal, and his nephew, Randhir, are power centres and each has been running a company. Gopal manages real estate and construction and Randhir the software company. Both have aspirations to head and control the group.

    Although well respected in the market the group has an autocratic style of functioning and relies on discipline and loyalty rather than on professional managers, systems processes, procedures, controls and governance.

    It is rumored that Randhir has aligned himself with the opposition in the state, and the ruling party at the centre has not taken it well.

    There is some anxiety among the employees about Biju’s health. They are concerned as to what will happen to the companies in Biju’s absence. This has unsettled them.

    The real estate and construction company had received a notice of enquiry regarding excess utilisation of FSI and charging that the higher floors in its latest high rise are unauthorised. The media which was generally appreciative of the group had shown some signs of discomfort in the tone of their reporting of this incident.

    There are unrelated developments, for example :

  •         the auditor of the advertising company which had come out with a public issue last year has resigned citing personal reasons.

  •         the consumer goods company that had the largest number of employees in the group is facing worker unrest, as they wanted a raise to gain parity with pay scales of other group companies.

  •         the flagship rubber products company has received a show cause notice from the pollution control board in respect of effluent discharged from its factory near Bhubaneshwar.

The above various aspects and issues involve potential risk to the group as a whole apart from the companies that are involved.

As a risk manager for the group you are expected to deal with the risk and present an action plan at the ensuing group meeting that is even otherwise expected to be stormy due to the power struggle within the group.

The solution:

The suggested strategy is outlined and implemented as below:

Any risk analysis requires that we first identify the nature of the risk and the level to which it may affect the company or its operations. Since all risks identified here (with the exception of the pollution incident) are man-made and internally focussed, the solutions need to be internally directed. The pollution incident is a man-made external event.

The first and foremost risk, in our opinion, is the power struggle within the group that may end up splitting the group. The group has to firstly formulate a succession plan, that would involve identifying the successor. This could be achieved by identifying fixed production/profit targets that need to be achieved (through honorable means) within an agreed timeframe. This would ensure an open and impartial evaluation as to who is best placed to lead the group into the future and would eliminate the need for internal conflicts.

The immediate problem is the incident of pollution control, that too involving the flagship company. It is not only an environment risk, but may also result in the closing down of the company due to legislative controls. The Company has to consider:

  • taking immediate cleaning efforts to mitigate the effects of the pollution.

  • training and sensitising the Company’s management and staff on the environmental regulations.

  • taking steps to implement safe good manufacturing practices and put in place environmental controls.

The other immediate problem is that of labour unrest. The group needs to:

  • identify the differences in salaries and other benefits between companies within the group, and between companies in the same industry.

  • control the labour unrest that would affect productivity.

  • take corrective action which would help retain the top talent by rationalising salary and pay scales.

  • develop cogent and common HRD practices.

  • develop a system of inter-changing medium level personnel within functions and group companies.

The next risk is to the group’s name/reputation that may result from the malpractices that have been reported in the press regarding the construction company, the labor unrest, and environment issues.

The steps suggested are:

  • the construction company must forthwith undergo a serious examination of all current and past projects to identify questionable practices and take corrective action, if any, required. The group needs to identify a system of internal control that will ensure that transgressions of law are avoided.

  • to identify laws which need to be complied with by all group companies.

  • to identify laws, rules and regulations applicable to each distinctly identifiable business.

  • to put in place processes to ensure compliance with laws.

This exercise may even highlight suspect practices indulged in by the two contenders who wish to head the group.

The group should also have an effective media policy and have a media manager and public relations expert to project the company viewpoint to the various stakeholders and the public.

Lastly, the company must identify and address the concerns of the employees regarding the failing health of the group’s patron and the future of the group. This will not only fortify the group’s already failing morale but also help stem the tide of senior personnel who are apparently leaving for personal reasons. Further, as a long term plan the group should consider succession plans for all key personnel within the organisation, to help ensure transparency, a future road map for prospects for promotion, career development and growth for the employees. Such a plan will also ensure continuity of operations for the companies within the group.

The solution is indicative and illustrative in nature and represents the author’s views. The actual solution will vary, as there cannot be a single right or feasible solution or otherwise.

Human Resources Risk Management — Case study

Human Resources :

    1. Success of an organisation depends on its people – they make or mar an organisation. ‘Human resources’ is a term used to refer to how people are managed by organisations. The field has moved from a traditionally administrative function to a strategic one that recognises the link between talented and engaged people and organisational success. The field draws upon concepts developed in Industrial/Organisational Psychology and System Theory. Human resources has at least two related interpretations depending on context. The original usage was in economics, where it was traditionally called labour, one of four factors of production viz., land, labour, capital and enterprise. This perspective is changing because of ongoing research into more strategic approaches to HR. Today ‘human resources development’ goes beyond just organisations and national economies, and encompasses global developments. However, the traditional meaning of HR — Human resources management within corporations and businesses — refers to the individuals — department — within an organisation that deals with recruiting, training, retaining and removing — in short, managing people.

Human Resources and Risks :

    HRD has a role in risk management — for example :

  •      People per se are a source of risk, e.g., shortage of employees, people doing sloppy work, people frequently committing mistakes, individuals refusing to take on additional responsibility or people leaving within a short time after completion of a one-year training programme and above all, key persons leaving the organisation.

  •      People are important for handling risk, e.g., using their ingenuity and being proactive in solving unexpected problems and unforeseen situations, employees going the extra mile for the good of the organisation, a key employee redesigning his/her own job to improve performance, or an employee persuading a talented friend to apply for a position in the organisation.

  •      HRD contributes to the synergy of the organisation, where the sum of the whole is greater than the sum of the parts.

    2. The risks are :

  •      attrition at a rate more than industry average.

  •      lack of commitment to the job exhibited by sloppy work.

  •      people committing or repeating the same mistake.

  •      people shunning responsibility.

  •      people not completing assignment within the prescribed time frame.

  •      trainees leaving within a short period of completing their training.

    HR covers people working at all levels. In short, HRD’s activities would cover from ‘president to peon’.

    3.1 The function of the HRD is to ensure congenial working environment in an organisation and thereby extracting the best out of everyone for the benefit of the organisation. This is achieved by :

  •      clear job description.

  •      adequate training.

  •      selecting right people — by checking background, education and experience of the candidate.

  •      reasonable clarity about growth prospects within an organisation.

  •      motivating individuals to do more than expected to ensure individual growth.

  •      motivating — encouraging people to innovate in performing their assignments.

  •     avoiding shocks by having a clear succession plan for key functions — that is — developing leaders.

  •      dialogue with key personnel at regular intervals to understand issues and the dialogue should be both at the individual and group levels.

  •      timely ‘performance appraisal’ and ensuring timely encouragement to avoid dissatisfaction and attrition.

  •      quick reprimand and punishment for failures.

  •      establishing clear lines of communication with labour leaders.

    3.2 The organisation needs to periodically evaluate and review its :

  •      HR strategy, policy design and processes

  •      Employee compensation, equity plans

  •      Retirement and benefit plans

  •      Executive and labour contracts

  •      Employment and labour law compliance

  •      Executive and management structure

  •     Cultural compatibility/change readiness assessment

  •      Communications audit

  •      Development of transition plan — key tasks/activities

    Regular monitoring of these issues will ensure that HR risks are kept within manageable levels.

4. Extended scope of Human Resources :

    Human resources include more than regular full-time employees. They include: all management and labour personnel, family and non-family members, full-time and part-time people, and seasonal and year-round employees. In fact, with the advent of the concept of outsourcing, external contractors, consultants and contract employees are also a part of the review of HRD.

5. Managing Human Resource Risk :

    Risk specialists have traditionally focussed mostly on important causes of risk, such as weather, disease and natural calamities, and ways to deal with these risks. Risk management has paid little attention to human resources and human calamities, such as divorce, chronic illness, accidental death or the impact of interpersonal relations on businesses and families. Including human resources in risk management reflects the fact that people are fundamental to accomplishing organisational goals. Human resources affect operations such as : production, financial and marketing decisions. People can help in or obstruct accomplishing what managers have planned. Smaller family businesses do not escape the impact of people. In these businesses as in larger businesses, people are a source of risk and are important to the business’ ultimate success or failure. Overdependence on family members to manage HR can at times negatively affect family business effectiveness and efficiency because of over-powering character of a family member.

6. Implementation of Risk Management :

Effective HR activities are necessary to keep human resources in harmony with the risk management tools adopted by the management team. Risk management decisions are carried out by people. Having the ‘right’ people in place, trained, motivated and rewarded are essential to success in risk management.

7. This month’s case study is on Human Resources Risk Management :

Corporate Consultants Private Limited are a leading consultancy company in the field of media and entertainment. The company is one of the top ten firms in the industry and has some of the leading companies in the region as its clients. The company also has some of the best names in media, advertisement and entertainment on its advisory board, among its consultants and full-time staff.

Of late, retaining key personnel, especially at senior management level, has become an issue. The Chairman of the company is concerned at the growing instances of employees leaving at short notice and a few instances of complaints of insubordination and also of victimisation.

Hence, the company seems to be facing some HR problems which could have serious consequences on client relationship, retention and on the operations of the company.

The Chairman has approached you as an HR consultant to diagnose the malaise and devise a strategy.

8.1 The plan devised is to :

 have a detailed discussion with the :

  •  Chairman himself to understand from him his perception of the organisation and the reasons for the problem.
  •  the existing key personnel on one-to-one basis.

  •  some of the middle-level executives.

  •  some of the members of the staff including helpers in the organisation.

  •  meet the key people in the clients’ organisations who were being serviced by individuals who have left the organisation during the last six months.

  •  compile and study compensation plan in the industry and the organisation.

  •  if possible meet some of the executives who have left the organisation during the last six months.

The plan was discussed with the chairman who approved of the same and assisted in identifying the clients and executives — who had left the organisations for inputs.

The HR consulted in the absence of detailed employee records first studied the data available on the existing executives and those who had left the organisation during the last six months. He especially concentrated on identifying the status of their family relationships and problems.

8.2 The HR consultant and his team after two months of going through records and holding several meetings identified the following :

  •  Mr. A, the so-called right-hand man of the Chairman, had created a coterie of about four midlevel executives and was abrasive and authoritative with his peers, thus alienating his colleagues and others in the office. As a result, the juniors working with him ignored even the other seniors in the office, resulting in insubordinate behaviour.

  •  lack of availability of family data of senior and midlevel executives.

  •  lack of system of annual appraisal and discussion with the concerned executive.

  •  lack of a plan identifying growth prospects following the good old saying ‘either you are moving up or moving out’.

9. The HR consultant recommended :

  •  immediate removal of Mr. A and at least two of his colleagues out of four, who were supposed to be very close to him.

 

  •  introduction, maintenance and annual updating of employee family data.

  •  introducing a system of annual appraisal of the entire staff by the department head and discussion with the appraisee.

  •  introducing a system of annual appraisal of the senior and mid-level executives by the managing director along with the HR consultant followed by a discussion with the appraisee.

  •  a ballot appraisal of the managing director by senior and midlevel executives.

  •  holding of an annual office get-together including everyone from the ‘president to the peon’.

  • holding bi-annual gathering of senior and mid level executives with spouses.

  •  holding of quarterly meeting with the senior and midlevel executives to review company operations and plans including financial targets.

  •  having a succession policy as it is a family controlled operation.

  •  identifying a successor for every key assignment in every department to avoid shocks on sudden attrition.

  •  development of job specification.

  •  developing a recruitment policy after considering business growth plans.

10. The first recommendation was immediately accepted and acted upon — which acted as shock therapy. This gave visible results by improving discipline in the office and client service.

The managing director personally called on some of the key clients and deputed senior executives to others. This improved client relationships and thus avoided loss of clients. This was the damage control strategy suggested by the HR consultant.

11. The HR consultant got the assignment to look into other recommendations and identify a midlevel executive from the organisation to assist him and take over the function of HR executive probably in addition to his executive assignment — thus opening an opportunity for a deserving individual for improving his prospects.

Disaster Risk : Risk Management — Case study

Risk

Disasters can be broadly classified as ‘Natural’ and
‘Man-made’. The following are a few examples:



Natural Disasters:
earthquakes, cyclones, tsunamis, hurricanes, famines, floods and droughts, etc.



Man-made Disasters –
wars, riots and terrorist attacks (it is not known when and where a terrorist
strike will take place), etc.

According to a United Nations study, the annual economic loss
associated with natural disasters averaged US $75.5 billion in the sixties, US
$18.4 billion in the seventies, US $213.9 billion in the eighties and US $659.9
billion in the nineties. Most of these losses were incurred by developed
countries. The study also points out that:

  • The severest impact is on the people in the low
    income groups, and


  • 85% of the people exposed to natural disasters
    live in less or underdeveloped communities/countries.




Disaster Risk Reduction
– DRR – is a term adopted by the United Nations for developing an international
strategy on promoting disaster risk reduction, as it is shown to be
cost-effective. Initiatives that are focused on disaster risk reduction will
either seek to reduce the likelihood of a disaster occurring (flood protection
work by way of construction of dykes, levees and stopbanks, for example) or
enhance the community’s ability to respond to an emergency (ensuring three days
food and water). Initiatives also include increasing knowledge and creating
legal and policy frameworks. Disaster results in people being homeless, becoming
economically weak, education coming to a standstill, infrastructure being
damaged and normal everyday activity being virtually paralysed. The 2001
earthquake in Gujarat is an example of what disaster entails.

A living example of man-made or industrial disaster is the
Bhopal Gas Leak tragedy that resulted in widespread death and has left many
surviving victims still suffering without resolution of the social or legal
issues and reparation of the damages suffered, even after more than two decades!
The anniversary of the tragedy is still observed in Bhopal and religiously
reported by the media, but little action is taken, it seems, beyond paying lip
service to the cause. Hence, businesses operating in hazardous areas or
involving hazardous materials should look at their own risk exposure and
vulnerabilities, and consider appropriate ways of reducing their risks through
appropriate actions and investments in hazard monitoring and risk mitigation,
and by creating resilience. Many governments and international NGOs have begun
to look more carefully at DRR as an important part of sustainable human
development.

Businesses planning for resilience, through financial and
operational risk mitigation measures, also contribute to the resilience of the
local economic environment. This can be achieved by supporting appropriate
regulations and building social capital, as employers and employees are a part
of the community living in the area where the business operates.

Let us not forget that a disaster, wherever it may occur,
impacts both the social and economic environment of the people living in the
affected area, and also the society at large.

Disaster risk and business

Disaster at micro level adversely impacts the businesses
operating in the area where disaster happens. At the macro level it adversely
affects insurance companies. The hospitality industry in Mumbai, especially the
hotels attacked by terrorists in 2008, has still not fully repaired the damage
caused to the infrastructure. The economic loss has been shared by the
shareholders in terms of their expected and actual returns, the government in
terms of loss of tax revenue and costs incurred, and the insurance companies in
terms of the compensations and losses, not to forget the trauma suffered by the
public, especially the inhabitants of South Mumbai. On the other hand, the
businesses of security agencies, suppliers of security personnel and insurance
companies, post 26/11, have increased. The Government of Maharashtra, in
collaboration with the Government of India, is, therefore, adopting DRR
measures.

Case study of the month: A beverage company

Coolsip Ltd. is a beverage company that produces and
distributes the Coolcan range of beverages like juices, soft drinks and colas in
Mumbai and across several locations in India and across the Middle East.

The CEO of the company recently attended a seminar on
“Dealing with Disasters” and is wondering whether in the event of a disaster
like a major fire, earthquake or flood or even a man-made one like a terror
strike, the company’s facilities, supply chain, distribution facilities are
well-protected and secured; and whether the company will be able to withstand a
major disaster, especially in view of what happened to the plant in Mumbai
during the 2006 floods.

He consults the CFO on the matter, who is of the opinion that
disasters are practically insurmountable and too large for a company to cope
with and are best left to the government and authorities. The other argument he
put forth was that since its inception 25 years ago, the company or its
facilities have not been affected by any major disaster except once during the
Mumbai 2006 floods, when operations were resumed within two days and losses were
covered by the insurance company. Also, if disaster strikes, with the
authorities and everyone acting swiftly, the situation normalizes in a few days.
In his opinion, the loss to physical assets is insured and, therefore, the
actual loss would work out to be much lesser compared to the elaborate costs of
being prepared for disasters. Therefore, he advised status quo.

The CEO approaches you, an external consultant, for your
views. Give your comments.

The risk management advisor’s first suggestion was that he
should be allowed to:

1. Initially visit at least two facilities including the
one in Mumbai which was affected by the 2006 flood;

2. Talk to the people at the selected two plants to
understand risks involved;

3. Discuss and determine the risks involved with a few key
executives at the corporate office in Mumbai.

After assessment work spread over three weeks, the Risk Management Consultant suggested the following ‘Disaster Risk Reduction’ – DRR measures:

    1. Initially, to create a water drainage facility next to the plant in Mumbai to reduce water clogging;

    2. Raising the plinth level of the area in which critical machines were installed to reduce the risk of damage;

    3. Acquire on rent a godown/storage facility outside the plant premises in Mumbai for storing enough finished goods to meet at least 3 days’ demand, in order to ensure continuity of supply to customers. The plant was already carrying four days inventory of finished goods. The additional cost involved was only rent and cost of a few persons. He suggested that HRD be consulted whether some existing persons could be shifted to reduce additional cost. This was to minimize loss of revenue and retain customer loyalty.

    4. The other facility he visited was at Chiplun, a city close to Koyna, an earthquake sensitive area. The suggestion was to consult an architect and ascertain how to strengthen the construction and enable it to withstand earthquake shocks, as mild tremors continue to occur. Even in January of 2010, mild tremors originating in Koyna were felt in Mumbai.

    5. He also suggested a detailed review of electrical installations at both the plants to assess the likely impact of floods and/or earthquakes on them, as damage to the power receiving and/or generating facilities could affect production.

    6. To insure against ‘loss of profit’ by taking out a ‘loss of profit’ insurance policy.

    7. To consider the possibility of insuring people and property against acts of terrorism.

The CEO, and even the CFO who was initially sceptical of the exercise, appreciated and implemented the suggestions. The Risk Management Consultant was also commissioned to carry out a detailed review and suggest DRR measures.

Computer-Assisted Audit Tools (CAATs) — Effective use of CAATs by Bank Auditors in conducting Compliance Audits

Preface :

    George is a Director — Analytics, with Control Analytics Inc. Control Analytics Inc. have been market leaders in the field of governance, risk management and control analytics for the last decade and are pioneers in the implementation of audit process tools. In a short span of time this bellwether firm has managed to establish a footprint in the accounting and finance segment which was the erstwhile arena for large accounting and audit majors. This fast paced growth was fuelled by a group of professionals who delivered consistent value propositions to all their clients by riding on the backbone of contemporary assurance technology.

    Control Analytics Inc. leveraged audit technology like general audit software, data mining tools, work paper administration tools, reporting applications and enterprise risk management applications to deliver value-added, high-return results to all its clients, from retail to manufacturing to information technology and healthcare.

    Control Analytics Inc. was solely responsible for overseeing all data analytic projects, and applied research projects for the firm.

    In a recent banking conclave, George was presenting on the role of ‘Compliance Reviews through CAATs’.

Introduction :

    The importance of internal control in banks cannot be over-emphasised. Banks deal primarily with cash and readily encashable documents. It is essential that they take every precaution to guard themselves against errors and frauds committed by their constituents or by their own employees.

    The following are the main principles of internal control in a bank :

  •      Every transaction should be checked and authorised by authorised persons before it actually takes place.

  •      Every transaction should be entered in the books before the next transaction is authorised.

  •      The routine procedure should be such as to prevent and detect errors and frauds in the normal course and before interests of the bank are adversely affected.

  •      There should be regular as well as surprise checks by inspectors and internal auditors who should constantly review the working of all departments.

    The Statement on Standard Auditing Practices (SAP) 1, Basic Principles Governing an Audit, issued by the Institute of Chartered Accountants of India, states (paragraphs 19-20) :

    “The auditor should gain an understanding of the accounting system and related internal controls and should study and evaluate the operation of those internal controls upon which he wishes to rely in determining the nature, timing and extent of other audit procedures. Where the auditor concludes that he can rely on certain internal controls, his substantive procedures would normally be less extensive than would otherwise be required and may also differ as to their nature and timing.”

    Internal control evaluation is a key phase in Compliance Audits. In the case of audit of banks, it assumes even greater importance due to the enormous volume of transactions entered into by banks. Evaluation of the design and operation of internal control system enables the auditor of a bank to perform more effective audits. Therefore, the auditor of a bank should study and evaluate the design and operation of internal controls. This would assist him in determining the nature, timing and extent of substantive procedures in various mainstream bank areas, depending upon whether the internal controls are adequate and observed in practice.

    CAATs facilitate the internal control evaluation through deployment of comprehensive analytical routines to detect control failures and missing controls.

 Presentation on compliance review of controls in Banks through CAATs :

    George wanted to drive home the efficacy of general audit tools to the conclave of banking participants comprising auditors, investigators, risk managers, IT security professionals and more. He decided to help the participants visualise the utility of audit tools (GAS) through a few live banking case studies and discussions. These case studies served as a primer for a general awareness and appreciation amongst the participants.

    Banking case studies presented were :

Introduction of current accounts by an account-holder other than current :

    Account maintenance procedures require a current account-holder to be introduced by another current account-holder from the same bank.

    In this case the ‘Retail Liability Account Master’ file was taken up for scrutiny within the GAS.

    Here George juxtaposed the introducer customer number, corresponding account number/s, and product type/s to the primary current account and product type through file join operations.

    He then performed an ‘extraction-query’ with the condition ‘Introducer product type is not a current account and the introduced account product type is a current account’.

    George was able to cull out a number of current accounts introduced by a savings account holder and also some accounts introduced by staff members from the branch.

Non-resident saving accounts where a resident Indian is a joint-holder :

    Account maintenance procedures mandate through statutory regulation that a non-resident savings account-holder cannot have a resident Indian as a joint account holder.

    Here George took up the ‘Joint Holder Account Master’ file as the base file for monitoring within the GAS.

He performed a ‘summarisation – consolidation’ on the constituent member product types for the non-resident saving account-holders. Based on the summarisation result George filtered out queried product types containing the sub-string character representation ‘Resident’.

This exercise yielded negative non-compliances.

Incorrect interest application on premature closure of term deposits:

Revenue charge procedures stipulate that in case of premature closure of term deposits, the Core Banking System must apply the Rate of Interest (ROI) for the deposit tenor actually run, less the penalty rate as decided by the Bank. The penalty rate is generally metered as 1% or 2%.

In this control assertion the ‘Term Deposit Account Master File’ was imported into the GAS.

The ROI applicable on the deposit for the contracted tenor is readily available in the master file. ROI applicable on premature withdrawal is a variable/ system computed field which varies from case-to-case depending on the tenor of the deposit run.

This data is normally not available as a ready native field within the database. This field may be computed through Database Query Logic like SQL and provided for further analysis along with the native fields.

Premature deposits are term deposits where the maturity date of the deposit is greater than the system date and account closure date is before the deposit maturity date.

George wrote a ‘Criteria – Query’ within the GAS to identify specific premature instances where the contracted ROI was paid in place of the actual ROI. A few premature withdrawal instances were identified where incorrect interest i.e., contracted ROI was applied and paid. In some of the cases, the term deposit was closed within 15 days of opening and contracted ROI was still paid. Based on George’s representation/findings, the branch accepted the error in interest application which was due to over-sight. The excess interest paid was reversed through a manual interest adjustment entry.
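The premature-closure test described above can be sketched as follows. This is an added example, not the GAS query George ran: the rate card, the 365-day simple-interest basis, the field layout and every deposit row are constructed assumptions, and only the penalty of 1% comes from the text.

```python
from datetime import date

PENALTY_PCT = 1.0  # penalty in percentage points; the text cites 1% or 2%

# Constructed rate card (assumption): (minimum days run, annual ROI %).
# Deposits run for fewer days than the first slab earn no interest.
RATE_CARD = [(7, 3.5), (46, 5.0), (181, 6.5), (365, 7.5)]

# Constructed extract of a 'Term Deposit Account Master File'.
# The closure date is None while the deposit is still open.
DEPOSITS = [
    # deposit_no, principal, opened, maturity, closed, contracted_roi, applied_roi
    ("TD-1001", 100_000, date(2009, 4, 1), date(2010, 4, 1), date(2009, 4, 11), 7.5, 7.5),
    ("TD-1002", 200_000, date(2009, 1, 1), date(2010, 1, 1), date(2009, 7, 20), 7.5, 5.5),
    ("TD-1003", 50_000, date(2008, 6, 1), date(2009, 6, 1), date(2009, 6, 1), 7.5, 7.5),
    ("TD-1004", 150_000, date(2009, 2, 1), date(2010, 2, 1), date(2009, 5, 2), 7.5, 7.5),
    ("TD-1005", 75_000, date(2009, 3, 1), date(2010, 3, 1), None, 7.5, None),
]


def card_rate(days_run):
    """ROI for the tenor actually run: the highest slab the deposit reached."""
    rate = 0.0
    for min_days, roi in RATE_CARD:
        if days_run >= min_days:
            rate = roi
    return rate


def expected_premature_roi(days_run, penalty=PENALTY_PCT):
    """Rate for the tenor run less the penalty, floored at zero."""
    return max(card_rate(days_run) - penalty, 0.0)


def premature_closure_exceptions(deposits, penalty=PENALTY_PCT):
    """Return premature closures where the rate paid exceeds the rate due."""
    findings = []
    for dep_no, principal, opened, maturity, closed, contracted, applied in deposits:
        if closed is None or closed >= maturity:
            continue  # still open, or closed on/after maturity: not premature
        days_run = (closed - opened).days
        expected = expected_premature_roi(days_run, penalty)
        if applied > expected:
            # Simple interest on a 365-day year (assumption) sizes the overpayment.
            excess = principal * (applied - expected) / 100 * days_run / 365
            findings.append({
                "deposit_no": dep_no,
                "days_run": days_run,
                "expected_roi": expected,
                "applied_roi": applied,
                "contracted_roi_paid": applied == contracted,
                "excess_interest": round(excess, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in premature_closure_exceptions(DEPOSITS):
        print(finding)
```

The `excess_interest` figure is the amount a manual interest adjustment entry would have to reverse under these assumptions.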

Tax Deducted at Source (TDS) not deducted in respect of interest payments/accruals above Rs. 10,000 per annum:

The Income Tax Rules stipulate that interest accruals/payments on term deposits exceeding Rs. 10,000 per annum per customer should attract TDS. The Rules also lay down that TDS should not be deducted where the deposit holder submits either Form 15G or Form 15H for a given previous year.

Here the ‘Term Deposit Ledger’ File was captured within the GAS.

Then the file was summarised by ‘interest debits’, customer number wise through the ‘Summarisation-consolidation’ function.

From the above summarisation result, all customer numbers having sum of interest debits greater than Rs.10,000 for a given financial year were extracted through ‘Data Extraction – Query’.

The file generated above was joined with the ‘Tax Waiver File’ i.e., File for Form 15G/15H submissions using the ‘Join File’ utility within the tool.

Finally, all term deposits where the tax waiver flag was not enabled (non-waiver cases) were matched with the ‘TDS Ledger File’ using the ‘Join File’ utility within the tool. ‘Records with no Secondary Match’ were selected and specific customers were culled out where interest debits were more than Rs. 10,000 per annum for which TDS had not been deducted at all.

The test revealed certain deviations which were primarily on account of non-updation of the submitted Form 15G/Form 15H Certificates within the Core Banking System.
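The four steps of the TDS test (summarise, extract, join with the waiver file, keep records with no secondary match) can be expressed as one query. The following is an added example using Python's built-in SQLite, not the GAS routine from the presentation; table names, column names and all rows are constructed assumptions, and the `waiver_other_year` column is an added triage hint for the non-updation cause mentioned above.

```python
import sqlite3

TDS_THRESHOLD = 10_000  # Rs. per annum per customer, as stated in the text

# Constructed sample rows; the layouts are assumptions, not a real
# Core Banking System schema.
TD_LEDGER = [  # customer_no, deposit_no, fin_year, interest_debit
    ("C001", "TD-11", "2009-10", 6500.0),
    ("C001", "TD-12", "2009-10", 4200.0),   # two deposits together cross the limit
    ("C002", "TD-21", "2009-10", 9800.0),   # below the threshold
    ("C003", "TD-31", "2009-10", 15000.0),  # waiver on file for the year
    ("C004", "TD-41", "2009-10", 12500.0),  # TDS was deducted
    ("C005", "TD-51", "2009-10", 11000.0),  # waiver held for another year only
    ("C005", "TD-51", "2008-09", 3000.0),
]
TAX_WAIVER = [  # customer_no, fin_year, form_type
    ("C003", "2009-10", "15G"),
    ("C005", "2008-09", "15H"),
]
TDS_LEDGER = [  # customer_no, fin_year, tds_amount
    ("C004", "2009-10", 1250.0),
]


def build_db():
    """Load the three constructed files into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE td_ledger (customer_no TEXT, deposit_no TEXT,
                                fin_year TEXT, interest_debit REAL);
        CREATE TABLE tax_waiver (customer_no TEXT, fin_year TEXT, form_type TEXT);
        CREATE TABLE tds_ledger (customer_no TEXT, fin_year TEXT, tds_amount REAL);
    """)
    conn.executemany("INSERT INTO td_ledger VALUES (?, ?, ?, ?)", TD_LEDGER)
    conn.executemany("INSERT INTO tax_waiver VALUES (?, ?, ?)", TAX_WAIVER)
    conn.executemany("INSERT INTO tds_ledger VALUES (?, ?, ?)", TDS_LEDGER)
    return conn


def find_tds_exceptions(conn, threshold=TDS_THRESHOLD):
    """Customers over the limit with no waiver and no TDS for the same year."""
    sql = """
    WITH interest AS (              -- step 1: summarise by customer and year
        SELECT customer_no, fin_year,
               SUM(interest_debit)        AS total_interest,
               COUNT(DISTINCT deposit_no) AS deposits
        FROM td_ledger
        GROUP BY customer_no, fin_year
    )
    SELECT i.customer_no, i.fin_year, i.total_interest, i.deposits,
           EXISTS (SELECT 1 FROM tax_waiver w
                   WHERE w.customer_no = i.customer_no) AS waiver_other_year
    FROM interest i
    WHERE i.total_interest > ?      -- step 2: extract above the threshold
      AND NOT EXISTS (              -- step 3: drop Form 15G/15H cases
            SELECT 1 FROM tax_waiver w
            WHERE w.customer_no = i.customer_no AND w.fin_year = i.fin_year)
      AND NOT EXISTS (              -- step 4: no match in the TDS ledger
            SELECT 1 FROM tds_ledger t
            WHERE t.customer_no = i.customer_no AND t.fin_year = i.fin_year
              AND t.tds_amount > 0)
    ORDER BY i.customer_no, i.fin_year
    """
    return conn.execute(sql, (threshold,)).fetchall()


if __name__ == "__main__":
    for row in find_tds_exceptions(build_db()):
        print(row)
```

Summarising per customer rather than per deposit is what catches C001, whose two deposits are each below the limit; using `NOT EXISTS` instead of a join keeps duplicate waiver or TDS rows from multiplying the output.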

Loans with collateral security where insurance is not taken by the borrower:

Retail assets are secured through collateral security like stock, plant and machinery, building, etc. These collateral securities need to be insured on an ongoing basis and the details of insurance coverage need to be submitted to the branch for updation within the ‘Collateral Security Insurance Master’ in the Core Banking System.

George imported the ‘Loan Collateral Insurance’ File into the GAS.

He detected missing insurance policy numbers in the ‘Loan Collateral Insurance file’ for specific loans and loan collaterals using the ‘Extraction-Query’ command in the GAS.

This test revealed specific loan and loan collaterals which had not been insured.

This control condition breach presents a clear and present risk for the bank in case of any untoward incident on the secured collateral.

George also concluded that at times the collateral is insured but not in time and not within the grace period for premium payment. He recognised that breaks in insurance coverage could be as perilous as non-insurance coverage.

He set out to identify instances of break in insurance from the ‘Loan Collateral Insurance’ file. George added an additional field to the file upon import. In this field he extracted the date component from the ‘Maturity Date’; for example, ‘25’ was extracted into a new field from ‘25.06.2009’.

With dates available for the same loan collateral for a period of 5 years, George was able to successfully pull out unique instances of ‘Same Collateral Different Date’. In one such instance a ‘Special Watch Borrower’ having multiple credit facilities had delayed the renewal of insurance on a cache of 5 collaterals. The delay coincided with a natural calamity which fully damaged the collateral. This situation posed a common threat to the Branch leading to material financial exposures.
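The two collateral tests above (missing policy numbers, and ‘Same Collateral Different Date’) are sketched below as an added example, not code from the presentation. It goes one step beyond the text by also sizing each break against the policy anniversary, which catches a renewal that slips by whole months and so keeps the same day number; the file layout, the one-year policy term and all rows are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed extract of a 'Loan Collateral Insurance' file.
POLICIES = [
    # loan_no, collateral_id, policy_no, maturity_date (DD.MM.YYYY)
    ("LN-01", "COL-A", "POL-1", "25.06.2007"),
    ("LN-01", "COL-A", "POL-2", "25.06.2008"),
    ("LN-01", "COL-A", "POL-3", "12.07.2009"),   # renewed late: day changes
    ("LN-02", "COL-B", "POL-7", "01.04.2008"),
    ("LN-02", "COL-B", "POL-8", "01.04.2009"),   # continuous cover
    ("LN-03", "COL-C", "", "15.09.2009"),        # no policy number on file
    ("LN-04", "COL-D", "POL-9", "25.06.2008"),
    ("LN-04", "COL-D", "POL-10", "25.07.2009"),  # one month late, same day number
]
FMT = "%d.%m.%Y"


def missing_policy_numbers(rows):
    """Loan/collateral pairs whose policy number is blank."""
    return sorted({(loan, col) for loan, col, pol, _ in rows if not pol.strip()})


def _maturities(rows):
    """Maturity dates per collateral, ignoring rows without a policy number."""
    grouped = defaultdict(list)
    for _loan, col, pol, maturity in rows:
        if pol.strip():
            grouped[col].append(datetime.strptime(maturity, FMT).date())
    return {col: sorted(dates) for col, dates in grouped.items()}


def day_component_drift(rows):
    """The test from the text: collaterals whose maturity day number varies."""
    drift = {}
    for col, dates in _maturities(rows).items():
        days = sorted({d.day for d in dates})
        if len(days) > 1:
            drift[col] = days
    return drift


def _next_anniversary(d):
    try:
        return d.replace(year=d.year + 1)
    except ValueError:  # 29 February followed by a non-leap year
        return d.replace(year=d.year + 1, day=28)


def coverage_breaks(rows):
    """Successive policies whose maturity falls after the prior anniversary.

    With one-year policies (assumption), the number of days by which the new
    maturity overshoots the anniversary estimates the uninsured period.
    """
    breaks = []
    for col, dates in sorted(_maturities(rows).items()):
        for prev, cur in zip(dates, dates[1:]):
            gap = (cur - _next_anniversary(prev)).days
            if gap > 0:
                breaks.append((col, prev.strftime(FMT), cur.strftime(FMT), gap))
    return breaks


if __name__ == "__main__":
    print(missing_policy_numbers(POLICIES))
    print(day_component_drift(POLICIES))
    print(coverage_breaks(POLICIES))
```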

Conclusion:

George culminated his presentation by reiterating that general audit tools are time-tested, stable, robust, powerful, internationally acclaimed and user-friendly applications designed by auditors for auditors. He added that no tool is a ready substitute for the Auditors’ acumen and judgment, but is a powerful, cost-effective facilitator. He encouraged all the bank auditors present to embrace tools and reap the benefits of an idea whose time has come. He closed his presentation with a parting remark: ‘Reserve Bank of India’s Department of Banking Supervision also uses audit tools in their banking supervisory role and we should draw inspiration from the regulator themselves in this matter’.

Control Self Assessment — A Case Study

Internal Audit

Background :


An engineering manufacturing company was facing competition
from small and medium-size operations despite its product having impeccable
quality. The margins were under pressure and it was even perceived that the
operations may have to be scaled down or closed. The internal audit was being
conducted by a firm of chartered accountants. The Managing Director of the
company discussed the situation with the partner in charge, who had been there
for the last several years. As a matter of fact the partner in charge had for
the last two years been reporting on increasing costs and loss of market share.

The internal auditor instead of carrying out a detailed
survey himself suggested to the Managing Director to approach the problem by
adopting ‘Control Self Assessment’ approach with the internal auditor acting as
a facilitator. He suggested the creation of teams for different areas and
involving the teams in finding solutions. He identified the following areas for
creating teams :

1. Accounts Receivables

2. Accounts Payables

3. Inventory Management

and he himself acting as facilitator during discussions.

Methodology :

Before we go into the operations and results of the effort
let us briefly understand what is ‘Control Self Assessment’.

‘Control Self Assessment’ is a workshop facilitation
technique where the internal auditor acts as a facilitator. The internal auditor
selects certain objectives to be achieved and then selects participants, of the
area concerning the objectives, from amongst the employees. The internal auditor
also conducts walkthroughs and does some data analysis prior to holding
workshops (usually two to three workshops) for the selected participants, with
the objective of arriving at action points for the selected objective/s. The
internal auditor basically facilitates the discussion focussing on the
objective/s and the employees themselves arrive at the action points for
achieving the objectives.

In the engineering company, since Accounts Receivables was
considered to be a problem area, the internal auditor studied this area from the
time the material leaves the organisation to the time the payment comes in, that
is, is received. The ‘team for receivables’ comprised representatives from sales
department, accounts department, stores — inventory management, specially for
goods returned and transportation. There were a number of issues which came up
during the four one-day workshops conducted over three weeks and the action
points for improvements which were arrived at by the employees themselves are given below :

Objectives of the Control Self Assessment — CSA workshop are :



  •  To reduce duplication.

  •  Increase revenue.

  •  Avoid control weaknesses in form of likely weak control — leakage points.



Action points decided in the workshop :

1. Cancelled invoices report to be generated from the
software.

2. Manual checking of total value — cross-checking by
accounts department on daily basis for assessable value, excise duty and sales
tax (from customer for receipt of goods) to be strengthened.

3. All acknowledgements to be received for passing of freight
bills within the country — No control over double billing of freight payable
presently and to be brought in by amending software to ensure that each
transporter bill is tagged to each despatch. Further reconciliation required for
all outwards vs. freight bills vs. acknowledgements vs.
service tax paid input credit taken.

4. Proper freight register to be maintained by shipping
department.

Details of register

Invoice No. | Date | Transporter Bill No. | Date | Amount | Acknowledge with Tpt | Signature/Initial | Freight D. Note No. | Date | Amount | Initial | Date of Submission Document with Bank

5. Debit Note to be raised on timely basis on the party for
any charges as per purchase order of the party — double-check through outwards
register. Major control which is lacking at present if someone misses out on
raising debit notes.

6. Time taken to submit the documents to the customer to be
tracked by accounts and deviation report to be given to head of department’s
office if delayed beyond 2-3 days.

7. Delay in clearance of documents by customer — to be
tracked by accounts.

8. Details of cheque/DO received from customer – register as well as excel sheet – duplication of efforts – to be done only by Shipping. Recording of reasons for short receipts – tagging of ‘on account’ payments received to be done properly to avoid problems in debtors accounts where credit and debit both are lying untagged. The details of cheque/DO may be entered by shipping on receipt rather than again sending it to accounts for entry purposes.

9. Bank charges to be debited to customer for cheque bounced immediately on cheque getting bounced – management policy for amount to be charged to the customer – presently not followed.

10. Timely clearance of outstation cheques.

    a) Whether payment through RTGS possible?

    b) To claim interest from bank for delayed clearance of outstation cheques.

    c) To get at par cheques from customers.

    d) Whether the cheques can be deposited locally by customers in core banking environment.

This will save substantial interest on working capital.

11. Weekly review of debtors – meeting to be held with aging analysis, presently not being held regularly.

12. Weekly reminders to debtors about payments due/overdue – by email.
 
13. Policy for write-offs – authority levels to be decided.

14. Debtors’ confirmation to be obtained on yearly basis – once the records of accounts and shipping department are reconciled.

15. Details of sales tax forms to be fed in ERP – separate excel records/register to be closed/ stopped – to be reconciled and separate records/ excel sheets to be stopped. Presently 3 registers being maintained – one by shipping, one by accounts and one by sales tax in accounts who compute this again manually invoicewise – waste of manpower efforts.

16. To track commission payment to agents to avoid double payment.

The suggestions, when implemented, resulted in:

1) Reducing receivable from an average of 65 days to 45 days, thus reducing interest costs.

2) Increased customer satisfaction as customers’ complaints were attended to at short notice, as the defect was rectified or equipment replaced.

3) Improvement in transaction costs for receivable area.

4) Improved control over billings by vendors, thereby avoiding duplicate billings and raising of debit notes which were missed out.

Conclusion:

This exercise of facilitating discussion amongst employees from different departments, with the employees themselves arriving at action points for improvements, was a success and resulted in a number of improvements. Since the solutions came from the employees, with the internal auditor acting as facilitator, the acceptability of and respect for the internal audit function was quite high. The management also commended the excellent work done by the internal auditor and requested the partner of the firm to extend this to other important problem areas.

The effort of the internal auditor in creating a multi-disciplinary team to solve the problem by involving the concerned people and by creating a sense of solution ownership was very much appreciated not only by the managing director but also by the Board of Directors.

Financial black holes : Financial Misstatements

SAP

Accounts manipulation is the deliberate misreporting or
concealment of facts in order to create profit or loss in the current period; to
defer profit or loss to a subsequent period; or to misreport performance
statistics and management information. Under both the common and the statutory
law, this is treated as fraudulent activity. In case of deliberate misreporting,
the possibility of repetition of the event is higher, since such acts are intentional
and for a specific fraudulent purpose. In such a situation, the organisation in
question needs to be more vigilant and stringent with its policies as well as
people. It is, however, important to recognise that financial misstatement can
also happen because of error or systematic problems. In either case, it can
leave an organisation exposed to both the market forces and the regulatory
challenges.

In this article, I have set out some danger signs to look for
and provide an overview of actions to consider in the event that such misconduct
is discovered. I hope this helps to ensure that the ‘modesty’ of many
organisations continues to be preserved.

The potential impact :

The shockwaves caused by accounts manipulation can be severe
and invariably spread far wider than the organisation concerned; the sector as a
whole may be affected or at a larger level, the economy may be hit as well. The
demise of Enron is an obvious example. Another case in point is Satyam, where
the stakeholders are shocked at the size as well as the duration of time for
which the fraud went unnoticed.

The discovery of accounts manipulation will inevitably have a
far-reaching impact, even if it has not caused the victim organisation an actual
cash loss. Loss of reputation is a bigger loss than cash loss, as this loss is
not quantifiable and has far-reaching effects on the organisation as a whole.
The management will be distracted from effective operational stewardship; time
and focus will be lost as they seek to determine the facts of the manipulation,
and then develop and execute a communication and remediation strategy with
various stakeholders. Management credibility is also likely to suffer, since the
event has come to light ‘on their watch’ irrespective of where the blame actually
lies — a robust response is a good start in this battle (the related elements are
discussed further below).

Stakeholders in the outcome of any investigation and
remediation are numerous, and will include the organisation’s lenders and
shareholders and may also include regulators and law enforcement agencies. Any
restatement of the financial statements may lead to, or indicate, lending
covenants being breached, with the consequence that finance lines are withdrawn
or renegotiated. In the current lending environment, this is to be taken very
seriously. Shareholders, especially ‘active’ or institutional investors, may
take the view that their investment decisions have been taken on the basis of
misleading information and commence court action. The potential for the share
price to suffer is also high.

The cost and impact of regulatory and law enforcement
involvement is also significant due to the need to involve external lawyers and
accountants. This is especially relevant if the organisation is a listed entity.
Not only will the share price fall, but it will also adversely affect the
capability of the organisation to raise further capital from public in future.
Even non-listed companies would be adversely affected in terms of their future
listing capabilities. Individual management, the staff as well as the
organisation itself may be targets, with criminal as well as civil sanctions
available.

One impact that is often given less consideration is that the
perpetrators may be in senior positions in the organisation. Through their
dismissal, the
organisation may suffer a shortage of skills or experience, with a likely period
of flux as their replacements bed down into their new roles.

Drivers, risk areas and red flags :

What then, are the indicators that one should be vigilant
for ? In this section, I will examine three areas : the organisational factors
that could put an organisation at risk; the areas within financial statements
that are vulnerable to manipulation; and the signs that something may already be
wrong.

Drivers :

Many cases of accounts manipulation have their roots in
organisational change within the victim organisation. Many organisations choose
decentralisation as a key strategy and encourage the staff to be more
competitive and entrepreneurial. Normally, the empowered local management team
is rewarded on performance, particularly by reference to profitability and the
achievement of budgets. The stakes are also rising, with many more layers of
management now receiving a material proportion of pay linked to performance
targets. Decentralisation can often be accompanied by much of the control
function at head office being removed, as well as division of profile leading to
specialisation. As a result, the lessons learnt in one part of a business are no
longer effectively communicated across the business as a whole. Not surprisingly,
this combination can make an organisation vulnerable to accounts manipulation.

Where accounts manipulation has been orchestrated by the senior group management
and key management personnel, it can be difficult to detect and investigate, often
involving either the collusion of a number of senior staff or a very dominant
personality who commands fear within the organisation. The organisation’s control
environment is also a vital factor : it is likely to be weak; or, in the case of
senior management orchestration, capable of being overridden in order to window
dress the financial statements. Fraud motivation at this level can be varied, and
is usually more complex than simply financial gain.

Risk areas :

Experience gained through assisting clients, as well as my
observations of other reported events has shown that certain items within the
financial statements are especially prone to manipulation. These, together with
the forms that the manipulation can take, are illustrated in the figure below :


(An illustrative list only)

Red flags :

Warning signs are usually present in the financial
information of a subsidiary, division, joint venture or a group; and, can
sometimes be painfully obvious with hindsight. While the precise signs are
dependent on the sector or industry in which the organisation operates, I have
highlighted a few generic indicators as shown below (an illustrative list only) :


‘Red Flags’ — A few Classic Examples

Reported results are consistently in line with the budget. This may be accompanied by soft accruals to align the actuals with the budget

Areas of low scrutiny or lack of clarity of accountability for some costs, often accompanied by a failure to perform reconciliations or maintain adequate control accounts

Items within the profit and loss account are based on judgment rather than hard data

High levels of manual journals and accruals without automatic adjustment

Unusual fluctuations in sales or forward purchase orders, particularly around the year end

Revenue and profit trends appear inconsistent with other known information

Profits do not appear to be converted into cash

Poor quality or patchy management accounts, which typically comprise only a profit and loss account

Undue concern about audit visits

Employees’ feeling of a lack of job security in the organisation, without proper reasoning from the higher management

No proper basis regarding the provisions made in the financial statements.

Auditors’ responsibility for fraud detection : Stakeholders of the companies and the general public rely on the auditors for unearthing indications of financial statement fraud. We have observed in recent times how the competencies of the auditors have been questioned for not being able to detect the signals of fraud early enough. Although audit is not a fact-finding exercise, but rather a review of the financial statements, yet it is possible to detect the warning signals by adopting appropriate procedures. Some of these are discussed below :

Professional Skepticism : Auditors need to overcome some natural tendencies — such as over reliance on client representations — and approach the audit with a skeptical attitude and questioning mind. They should set aside past relationships and not assume that all clients will be totally transparent.

Discussion among engagement personnel : Extensive brainstorming among the engagement teams at different stages of the engagement about the client’s susceptibility to fraud will help to identify the critical areas for audit.

Identification and assessment of fraud risk :
Identify the fraud risk and perform an assessment of the identified risks to determine where the client is most vulnerable to material misstatement due to fraud, the types of frauds that are most likely to occur and how those material misstatements are likely to be concealed.

Developing audit procedures to mitigate the identified fraud risks : The key to designing effective audit tests is to perform an effective synthesis of the identified risks. Appropriate procedures should be developed so as to detect any indication of fraud.

Considering client’s anti-fraud programmes and controls : Review client’s anti-fraud programmes and controls that mitigate or exacerbate the identified risks of material misstatement due to fraud. Such review will help the auditor to identify potential control weaknesses.

Risk of management override of internal controls : Auditor should be aware of the fact that executives can perpetrate financial reporting frauds by overriding established control procedures and recording unauthorised or inappropriate journal entries or other post-closing modifications (for example, consolidating adjustments or reclassifications). To address such situations, auditor should test the appropriateness of journal entries recorded in the general ledger and other adjustments.

Retrospective review of accounting estimates :
Accounting estimates are particularly vulnerable to manipulation, because they depend heavily on judgement and the quality of the underlying assumptions. Auditors should perform a retrospective review of prior-year accounting estimates for the purpose of identifying bias in management’s assumptions underlying the estimates.

Business rationale for significant unusual transactions : Many financial reporting frauds have been perpetrated or concealed by using unusual transactions that are outside the normal course of business. Auditor should use his knowledge about the client and the industry to recognise any unusual transactions. Auditor should then obtain appropriate business rationale for such unusual transactions.

Evaluating audit evidence : Auditor should evaluate the evidence gathered through analytical and substantive procedures to assess whether such evidence gives any indication of misstatement that was not considered earlier.

Last but not the least, the auditor should demonstrate the highest standard of professional integrity and must not only be independent in spirit, but must also appear independent to all reasonable persons.

How to respond effectively ?

Corporate Governance may be defined as ‘A set of systems, processes and principles which ensure that a company is governed in the best interest of all stakeholders.’

It ensures commitment to values and ethical conduct of a business, transparency in business transactions, statutory and legal compliance, adequate disclosures and effective decision-making with a view to achieving corporate objectives.

Clause 49 of the SEBI guidelines on Corporate Governance (which came into effect from 31st December 2005) has made major changes in the definition of independent directors, strengthening the responsibilities of audit committees and improving the quality of financial disclosures, including those relating to related-party transactions and proceeds from public/rights/preferential issues, which call for CEO/CFO certification, the adoption of a formal code of conduct by the Boards and the improvement of disclosures to shareholders. Certain non-mandatory clauses like a whistle-blower policy and the restriction of the term of independent directors have also been included.

According to the Internet, the revised version of Clause 49 has come into effect since 1st Jan. 2006.

In the event that an instance of accounts manipulation is uncovered, it is imperative that the organisation responds both effectively and robustly. A dedicated committee (containing requisite financial expertise) should be considered to oversee the response. Convening such a body not only enables the management to remain operationally focussed, but also ensures that the response is independently managed and free of any perception of conflict of interest.

The committee should aim at rapidly mobilising an investigation team to identify the root cause and quantum of the problem. This will help determine the immediate measures that will need to be taken to mitigate the impact on the business and should also assist in a complete identification of stakeholders.

The latter exercise will enable the reporting and ongoing communication needs of each issue to be assessed and a strategy to be developed. The importance of a credible engagement with the stakeholders at the earliest opportunity cannot be underestimated.

The next stage is to consider whether and to what extent the organisation wishes to utilise external professional advisors. Often, forensic accountants and lawyers are key resources who can contribute with their rich experience and perspective from previous investigations, as well as strategic and investigative input, including assistance with the capture of data to the standards required by regulators or the courts.

Ensuring that the relevant hard and soft copy data is gathered in an evidentially sound manner is a vital element of the response. This will require some preliminary consideration of the accounts affected — for example, customer and supplier details may be kept in a different module from financial statement data. An organisational chart will help identify individuals who process and manage data in the affected area. This will inform the custodians about which employee data needs to be analysed. The organisation should also consider issuing a data preservation notice to all relevant employees.

Conclusion :

Economic indicators suggest that the current climate is likely to persist for the next couple of years. It is challenging in a business context, both in terms of the trickling effect from the recession in the US and current lack of resources. At the same time, the costs of inputs have been rising. Organisations continue to be under pressure to produce growth and returns for shareholders and to comply with lenders’ covenants. This environment may provide a stimulus for accounts manipulation to take place and organisations would be well advised to be vigilant.

Expressing data meaningfully — a technique useful in fraud detection

CONTROL SELF ASSESSMENT IN RETAIL STORE AUDITS

Internal Audit

Every successful audit is based on sound planning and an
atmosphere of constructive involvement and communication between the auditor and
the auditee. The purpose of writing this article is to provide insights on the
use of a tool for organisations with dispersed geographical locations,
especially the retail sector.

Any corporate body establishes Internal Controls & Procedures
to ensure that employees abide by laws, regulations and human resources policies
when performing tasks. One of the many tools available to gauge internal control
effectiveness for organisations is the Control Self Assessment (CSA) activities.

Definition of Control :

The Institute of Internal Auditors (IIA) defines control and
control processes as :

“A control is any action taken by management, the board, and
other parties to manage risk and increase the likelihood that established
objectives and goals will be achieved. The management plans, organises, and
directs performance of sufficient actions to provide reasonable assurance that
objectives and goals will be achieved.

Control processes are the policies, procedures, and
activities that are part of a control framework, designed to ensure that risks
are contained within the risk tolerances established by the risk management
process. Risk management is a process to identify, assess, manage, and control
potential events or situations to provide reasonable assurance regarding the
achievement of the organisation’s objectives.”

Generally, controls are of two types :

Preventive controls :

Designed to discourage errors or prevent irregularities from
occurring. They are proactive controls that help prevent a loss. Examples :
Separation of duties, proper authorisation, adequate documentation, and physical
control over assets.

Detective controls :

Designed to find errors or irregularities after they have
occurred. Examples : Reviews, analyses, variance analyses, reconciliations,
physical inventories and audits.

Internal controls are policies and instructions within an
organisation that top leadership puts into place to prevent losses resulting
from malfunction, employee carelessness, error, fraud and neglect. The
Sarbanes-Oxley Act of 2002, introduced as a consequence of internal control
failures across the globe, has emphasised the need for internal control
compliance & documentation.

From a retail perspective, there is an increased attention to
governance, compliance and risk management spread across many thousands of
locations. This necessitates retailers to implement an appropriate store
compliance process in order to monitor the identification of issues and remedial
measures. Primary focus of retailers is on reducing costs, increasing margins,
reducing shrinks, balancing inventory levels, managing vendors, tackling
regulators and attracting customers.

An effective store compliance process can be achieved through
traditional store audits or through a self assessment technique.




 Traditional Audits :



  •  In a traditional audit, the internal audit team
    identifies issues and suggests remedial measures. The field work is
    undertaken by the audit team which visits the stores. The major challenge in
    this traditional approach is that all stores may not be visited and/or there
    can be infrequent coverage. The audit team personnel require training,
    travel budgets and their presence ‘interrupts’ store operations. Undoubtedly
    such an approach is costly, untimely and at times ineffective.


  Control self assessment :



  •   Control self assessment is operations oriented. It provides auditors with
    additional hands and eyes, specialised expertise, operational
    knowledge and a commitment to implement internal audit recommendations. To
    implement the CSA methodology, it is imperative that there is a buy-in by
    the top management. Training to all operating managers is another critical
    pre-requisite. CSA is a cost effective and efficient alternative for wider
    store audit coverage. Wider coverage leads to increased availability of
    information for managing and monitoring retail operations. CSA significantly
    increases the accountability of the store managers who, in any case, are the
    control owners and places the responsibility of control in their hands.




Why CSA ?

Who is responsible for internal control? The auditors, right?
Wrong! Everyone plays a part in the internal control system. Ultimately, it is
the management’s responsibility to ensure that controls are in place. That
responsibility is delegated to each area of operation, which must ensure that
internal controls are established, properly documented and maintained. Every
employee has some responsibility towards the functioning of this internal
control system. Therefore, all employees need to be aware of the concept and
purpose of internal controls. Internal audit’s role is to assist management in
their oversight and operating responsibilities through independent audits and
consultations designed to evaluate and promote the systems of internal control.

This is where CSA, as a technique, can play an important
role. Modern Internal Auditors need to understand and practise this technique.

CSA defined :

The Institute of Internal Auditors (IIA) defines Control Self
Assessment as :

“Control self assessment (CSA) is a technique that allows
managers and work teams directly involved in business units, functions or
processes to participate in assessing the organisation’s risk management and
control processes. In its various forms, CSA can cover objectives, risks,
controls and processes.”

Internal auditors can utilise CSA programmes for gathering
relevant information about risks and controls; for focussing audit work on high
risk, unusual areas; and to forge greater collaboration with operating managers
and work teams. Business Managers can utilise CSA programmes to clarify business
objectives and to identify and deal with the risks in achieving those
objectives.

Internal auditors, in a consulting role, often act as facilitators to help managers in the assessment of risks and controls. Involvement of people working in evaluation of risks and controls utilises the expertise of the organisation, increases buy-in to any action items and focusses efforts on important business activities.

However, CSA is not a complete process by itself. It does not substitute the auditing effort. The audit function has to validate the CSA results, develop the remedial action plan and ensure a timely follow-up on issues identified during the CSA process. This combined effort is the most cost effective and result-oriented method of monitoring all stores on a regular basis.

Benefits of CSA in retail:

  •     Better buy-in of results because of the participative and collaborative approach.

  •     Does not require a battalion of internal auditors.

  •     Ensures complete coverage of all stores.

  •     Optimum utilisation of all resources for an audit.

  •     Cost effective.

  •     Better appreciation of issues since the store managers have a more intimate eye on store operations.

  •     Focus is on key risks & controls, which are monitored by the corporate audit team.

  •     Store managers can give more appropriate remedial measures requiring corporate audit only to review and follow-up on the remedial plans.

  •     Helps store managers to understand and assume responsibility and accountability for effective control and risk.

Pre-requisites of an effective CSA in retail:

  •     Mature state of operations.

  •     Corporate culture should support and value communication, openness and trust.

  •     Organisation should have clear objectives.
  •     Internal Audit should study existing processes deeply.

  •     Clearly defined parameters for CSA.

  •     System to collect, corroborate and analyse information collected through CSA.

  •     Training of staff.

    Lastly, ‘above par’ facilitation skills of the Internal Auditor. In most successful implementations of CSA, the top-most reason for success has been the facilitation skills of the Internal Auditor.

Undoubtedly, CSA is an integrated part of the audit process for mitigating risks and adding value to the organisations, especially in retail.

 

| Sr. No. | Review area | Compliance status (Yes/No/NA) |
|---|---|---|
| | Cashiering | |
| 1 | Entire cash sales for the day is deposited | Yes / No / NA |
| 2 | All credit card sales for the day are supported by credit card slips | Yes / No / NA |
| 3 | Sales through other mode of payments (MOP) such as gift coupons, etc. are backed by the MOP | Yes / No / NA |
| 4 | Petty cash, float cash & sales cash are kept separately | Yes / No / NA |
| 5 | Petty cash expenditure is authorised by store manager | Yes / No / NA |
| 6 | Petty cash expenditure is recorded on a daily basis | Yes / No / NA |
| | Inventory | |
| 7 | Goods receipt notes are prepared for all goods received in the store | Yes / No / NA |
| 8 | Damaged goods are segregated and kept separately in the backroom | Yes / No / NA |
| 9 | Expired goods are identified and kept separately in the backroom | Yes / No / NA |
| 10 | All damaged and expired goods received during the month are sent back to the distribution centre/vendor in the last week of the month | Yes / No / NA |
| 11 | Physical inventory verification is carried out as per plan | Yes / No / NA |
| | Front Office Management | |
| 12 | Goods are arranged on the shelves as per the planogram of the store | Yes / No / NA |
| 13 | Correct labels are displayed on the shelves | Yes / No / NA |
| 14 | High-shrink items are kept near the cashier | Yes / No / NA |
| 15 | Near-expiry items are identified and marked down as per policy | Yes / No / NA |
| 17 | Promotion schemes launched in the store are properly updated in the billing software | Yes / No / NA |
| | Legal & Compliance | |
| 18 | All certificates requiring mandatory display are displayed | Yes / No / NA |
| 19 | All certificates expiring during the month are sent for renewal | Yes / No / NA |
| 20 | Notice, if any, received from any government department is immediately communicated to the central legal department of the company | Yes / No / NA |


Using Generalised Audit Software (GAS) for Fraud Detection

Internal Audit

Introduction :


Ray the Head — Audit, Risk Management and Forensics of a
manufacturing major — ‘D & B’ was making a presentation on ‘Role of Internal
Audit and Management Assurance Services in detecting indicators of frauds — that
is — red flags’ to the Audit Committee, because the Audit Committee had
queried :

“To what extent should internal audit be responsible to
detect indicators of frauds and provide early warning signals ?”


The presentation sought to present the role of the internal
auditor in the context of the new IT-enabled business environment and the focus
of the assurance teams on IT controls, risk management, physical document-based
audits and compliance requirements under various regulations. One important tool
that could be used in this scenario is Generalised Audit Software (GAS). Such
tools help an assurance team to identify trends and patterns and to query data
for other indicators of fraud, while containing the cost of review and
maintaining the timeliness of conclusions.

The Audit Committee was supportive of the presentation made
by Ray and asked him to implement the GAS and present the red flags detected as
a result of the forensic review in the next quarter meeting.

Methodology :

The Chief Internal Auditor set up a mid-size team within the
department to take the initiative of implementing the GAS in the Company. The
team comprised 2 senior audit officials (who among them had a wide range of
experience in various process activities of the company like procurement, sales,
finance and administration), a Certified Fraud Examiner and an Information
Systems Auditor. The team also retained the services of a retired CBI Officer
who was an expert in economic offence interrogations.

The entire audit manual was reviewed and specific forensic
objectives were mapped for possible audit tests that could be conducted using a
GAS and otherwise. The method of using the GAS was debated and discussed by the
group so that the data integrity, confidentiality and availability of the
production server were not compromised and the objectives were also met.

Since it was not possible to log onto the production server
due to access restrictions maintained by the Database Administrator, the team
was faced with the challenge of importing data for further analysis.

The team decided to connect to specific data dumps (Print
Report Dumps from various modules of the ERP like materials, sales, etc.)
provided by the DGM-IT. The data dump was provided by running a File Transfer
Protocol (FTP) on the Reporting Server, which is also used for reporting tools
like Discoverer.

Illustrative observations highlighting the red flags detected

(In all these instances, the audit scope was suitably
modified and was followed through to its conclusion)

Accounts payables :

Potential employee-vendor nexus :

The engagement team obtained key master data concerning
vendors and employees. The vendor master data had crucial field data like
telephone number, address, tax code, and bank account number. The employee
master data had vital fields like date of birth, bank account number, PAN, etc.

The team solicited special approvals from the ‘Supply Chain
Management Wing’ and the ‘Human Resources Wing’ to obtain confidential and
privileged master data. Upon getting the data in hand, the team extracted the
data into the GAS and set up the imported data for key comparisons.

The JOIN function was used to link the two databases on the
telephone number and bank account field individually. A quick review of the
result indicated some unexpected linkages, for example, the
address fields for some of the vendors and employees seemed to resemble each
other — similar but not the same. Interrogation followed this crucial data
crunching exercise, where surprise calls were placed to the registered telephone
numbers. On the basis of voice recognition and investigative visits, it was
conclusively stated that key vendor-employee links existed within the company.
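The matching step described above can be sketched as follows. This is an added example, not code from the article or from any GAS product; the records, field names and the 0.85 similarity threshold are constructed assumptions. It joins on telephone number and bank account separately after normalising formatting differences, then scores addresses that are "similar but not the same".

```python
import re
from difflib import SequenceMatcher

# Constructed sample master data (illustrative only, not from the article).
VENDORS = [
    {"vendor_id": "V001", "phone": "+91 22 5550 0101",
     "bank_account": "0012 3456 7890",
     "address": "12, M.G. Road, Andheri East, Mumbai"},
    {"vendor_id": "V002", "phone": "022-55500202",
     "bank_account": "998877665544",
     "address": "Flat 4B, Sunrise Apartments, Link Road, Malad West"},
    {"vendor_id": "V003", "phone": "98200 00303",
     "bank_account": "5566778899",
     "address": "7 Industrial Estate, Thane"},
]
EMPLOYEES = [
    {"emp_id": "E100", "phone": "+91-98200-00303",
     "bank_account": "111122223333", "address": "45 Lake View, Powai"},
    {"emp_id": "E200", "phone": "9000000001",
     "bank_account": "1234567890", "address": "9 Hill Road, Bandra"},
    {"emp_id": "E300", "phone": "9000000002",
     "bank_account": "444455556666",
     "address": "Flat 4-B Sunrise Apartment, Link Road, Malad (West)"},
]


def norm_phone(raw):
    """Keep digits only and compare on the last 10, so country and trunk
    prefixes do not hide a match (assumption: 10-digit subscriber numbers)."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:] if len(digits) >= 10 else digits


def norm_account(raw):
    """Drop separators and leading zeros (assumption: zero padding carries no
    meaning; every hit is a lead to verify, not a conclusion)."""
    return re.sub(r"\W", "", raw or "").lstrip("0").upper()


def norm_address(raw):
    """Lower-case, strip punctuation and collapse whitespace."""
    text = re.sub(r"[^a-z0-9 ]", " ", (raw or "").lower())
    return " ".join(text.split())


def join_on(vendors, employees, field, normalise):
    """Equi-join the two masters on one normalised key field."""
    index = {}
    for emp in employees:
        key = normalise(emp.get(field))
        if key:
            index.setdefault(key, []).append(emp)
    hits = []
    for ven in vendors:
        key = normalise(ven.get(field))
        for emp in index.get(key, []):
            hits.append((ven["vendor_id"], emp["emp_id"], field))
    return hits


def similar_addresses(vendors, employees, threshold=0.85):
    """Pairwise fuzzy comparison for near-identical addresses."""
    hits = []
    for ven in vendors:
        for emp in employees:
            a, b = norm_address(ven["address"]), norm_address(emp["address"])
            if not a or not b:
                continue
            ratio = SequenceMatcher(None, a, b).ratio()
            if ratio >= threshold:
                hits.append((ven["vendor_id"], emp["emp_id"], "address",
                             round(ratio, 2)))
    return hits


def vendor_employee_links(vendors, employees):
    """Union of the three tests; each tuple names the field that linked."""
    links = join_on(vendors, employees, "phone", norm_phone)
    links += join_on(vendors, employees, "bank_account", norm_account)
    links += [(v, e, f) for v, e, f, _ in similar_addresses(vendors, employees)]
    return sorted(set(links))


if __name__ == "__main__":
    for link in vendor_employee_links(VENDORS, EMPLOYEES):
        print(link)
```

The pairwise address comparison is quadratic, so on full master files it is normally restricted to candidates sharing a postal code or locality.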

Payroll :

Employees who have not availed of sick leave, casual leave or
travel leave in the last 3 years.

The investigation team consulted with the Human Resources
Wing of the company. Employees who tend to attend work regularly without leave
are normally watched by forensic auditors. These employees could be at the heart
of a long-drawn, deep-rooted system fraud as they normally assume key roles in
the organisation without much segregation of duty for long tracts of time. Their
supervisors never suspect their actions and continued service is considered a
merit.

The data under consideration was ‘leave availed’ data for the
last 3 years and employees on company rolls for the last 3 years.

Upon flat file report import, all the employees who had
consumed leave in the last 3 years were summed up. This summation file was
excluded from the file of all employees on the company rolls for the last 3
years using the JOIN function.

The resultant file brought to the fore existing employees of
long-standing nature, who had never consumed leave. In fact on a closer review
with the HR Wing, many of the cases detected were also on the CLOSE-WATCH
OVERTIME list.

The input was used to modify the audit objectives and tests
for identifying any irregularity.

Accounts Receivables :


Inconsistent scheme discount rates offered by Billing to different customers against the same scheme.

The fields of reference relevant to the red-flag being tested were identified as :

  • Authorised by
  • Scheme number
  • Scheme discount rates
  • Gross sale value.

The process of interrogation followed was as such:

  • Field manipulation, appending a computed virtual numeric field discount % with the criteria (Scheme discounts*100/Gross sale value), rounded off to the nearest integer.

  • Navigating to analysis in the menu tool bar and selecting duplicate key exclusion – Celebrated De-Dup Test.

  • In duplicate key exclusion, identifying different discount % values for the same scheme number.

  • A list of cases where varying discount % had been applied for the same scheme number was easily identified.

  • Some cases were extremely glaring, with the discount % being as high as 45%, where the scheme warranted a discount of 15% only.

These cases were taken up for one on one interrogation with the Billing clerks, to ascertain their motive.
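The same test expressed outside a GAS, as an added example that is not part of the original article. The invoice rows and field names are constructed, and using the most frequent rate per scheme as the baseline is an assumption; the authoritative rate should come from the scheme master.

```python
from collections import Counter, defaultdict
from decimal import Decimal, ROUND_HALF_UP

# Constructed billing extract (illustrative only).
INVOICES = [
    {"invoice": "INV-1", "authorised_by": "clerk_a", "scheme_no": "SCH-15",
     "scheme_discount": "150.00", "gross_sale_value": "1000.00"},
    {"invoice": "INV-2", "authorised_by": "clerk_b", "scheme_no": "SCH-15",
     "scheme_discount": "299.70", "gross_sale_value": "1998.00"},
    {"invoice": "INV-3", "authorised_by": "clerk_c", "scheme_no": "SCH-15",
     "scheme_discount": "900.00", "gross_sale_value": "2000.00"},
    {"invoice": "INV-4", "authorised_by": "clerk_a", "scheme_no": "SCH-10",
     "scheme_discount": "50.00", "gross_sale_value": "500.00"},
    {"invoice": "INV-5", "authorised_by": "clerk_b", "scheme_no": "SCH-10",
     "scheme_discount": "120.00", "gross_sale_value": "1200.00"},
    # Zero gross value: a rate cannot be computed, so the row is listed apart.
    {"invoice": "INV-6", "authorised_by": "clerk_c", "scheme_no": "SCH-15",
     "scheme_discount": "30.00", "gross_sale_value": "0.00"},
    # 14.5% rounds half-up to 15, so this row is consistent with the scheme.
    {"invoice": "INV-7", "authorised_by": "clerk_a", "scheme_no": "SCH-15",
     "scheme_discount": "145.00", "gross_sale_value": "1000.00"},
]


def discount_pct(row):
    """Scheme discount * 100 / gross sale value, rounded to nearest integer.

    Decimal with ROUND_HALF_UP is used because float arithmetic and Python's
    round() (banker's rounding) would turn 14.5 into 14.
    """
    gross = Decimal(row["gross_sale_value"])
    if gross <= 0:
        return None
    pct = Decimal(row["scheme_discount"]) * 100 / gross
    return int(pct.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def inconsistent_schemes(rows):
    """Return (findings, unrated).

    findings maps each scheme number that shows more than one discount % to
    its most frequent rate and the invoices deviating from it.
    unrated lists invoices whose rate could not be computed.
    """
    by_scheme = defaultdict(list)
    unrated = []
    for row in rows:
        pct = discount_pct(row)
        if pct is None:
            unrated.append(row["invoice"])
        else:
            by_scheme[row["scheme_no"]].append(
                (row["invoice"], row["authorised_by"], pct))

    findings = {}
    for scheme, entries in by_scheme.items():
        counts = Counter(pct for _, _, pct in entries)
        if len(counts) > 1:  # same scheme key, different discount % values
            modal_pct = counts.most_common(1)[0][0]
            findings[scheme] = {
                "modal_pct": modal_pct,
                "exceptions": [e for e in entries if e[2] != modal_pct],
            }
    return findings, unrated


if __name__ == "__main__":
    found, skipped = inconsistent_schemes(INVOICES)
    for scheme, detail in found.items():
        print(scheme, detail)
    print("not rated:", skipped)
```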

Information Technology:

Detecting transactions out of office hours in Access Logs

The fields of reference relevant to the objective being tested were:

  • Start time

  • End time

  • User ID

  • User name

  • Particulars

The process of interrogation in the GAS was elaborate and clear.

  • Extraction on the Access Log File.

  • A criterion was designed using the function .NOT. @betweenagetime(StartTime, "10:00:00", "22:00:00") .OR. .NOT. @betweenagetime(EndTime, "10:00:00", "22:00:00")

  • This criterion helped isolate all transactions out of the normal working hours of 10 AM to 10 PM. Here both Start time and End time were trapped.

  • The Indexed Direct Extraction function of GAS is very popular on large databases, say, upwards of 100 million transactions. The function first sorts the entire database and then runs the equation through the sorted database. Hence, the results are processed faster as compared to running a direct extraction command on an unsorted database.

Cases observed revealed extensive prolonged login sessions by the Database Administrator during late night sessions. A few cases revealed attempted access by an unknown user with super-user rights. It was later discovered that this user was created during the last system migration with unlimited access and change modification rights. Ironically, this user’s profiles had not been deleted or disabled permanently within the system.
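The out-of-hours test above, written as an added example rather than the article's GAS criterion. The log rows, user IDs and the active-user roster are constructed assumptions. It goes one step beyond the time-of-day criterion: a session that starts and ends inside 10 AM to 10 PM but runs across the night passes that criterion, so full timestamps are compared as well, and user IDs absent from the current roster are flagged.

```python
from collections import Counter
from datetime import datetime, time

WORK_START, WORK_END = time(10, 0, 0), time(22, 0, 0)  # 10 AM to 10 PM
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed access-log extract: user ID, user name, start, end, particulars.
ACCESS_LOG = [
    ("U101", "billing_clerk", "2009-06-01 10:05:00", "2009-06-01 18:30:00", "Invoice entry"),
    ("DBA01", "db_admin", "2009-06-01 21:30:00", "2009-06-02 02:15:00", "Schema maintenance"),
    ("U102", "stores_clerk", "2009-06-02 09:40:00", "2009-06-02 17:00:00", "GRN posting"),
    ("MIG99", "migration_user", "2009-06-03 23:10:00", "2009-06-03 23:12:00", "Login attempt"),
    ("DBA01", "db_admin", "2009-06-04 21:00:00", "2009-06-05 10:30:00", "Batch job"),
    ("U101", "billing_clerk", "2009-06-05 10:00:00", "2009-06-05 22:00:00", "Invoice entry"),
]
# Constructed roster of accounts that should currently exist.
ACTIVE_USERS = {"U101", "U102", "DBA01"}


def in_working_hours(moment):
    """True when the time of day lies within the window (bounds inclusive)."""
    return WORK_START <= moment.time() <= WORK_END


def session_flags(user_id, start, end, active_users):
    """List every reason a session deserves review; empty list means none."""
    flags = []
    if not in_working_hours(start):
        flags.append("start_out_of_hours")
    if not in_working_hours(end):
        flags.append("end_out_of_hours")
    if end < start:
        flags.append("end_before_start")      # corrupt or tampered record
    elif end.date() > start.date():
        flags.append("spans_overnight")       # covers the 22:00-10:00 gap
    if user_id not in active_users:
        flags.append("unknown_user")          # e.g. a leftover migration ID
    return flags


def review_access_log(rows, active_users):
    """Return one finding per flagged session, in log order."""
    findings = []
    for user_id, user_name, start_s, end_s, particulars in rows:
        start = datetime.strptime(start_s, FMT)
        end = datetime.strptime(end_s, FMT)
        flags = session_flags(user_id, start, end, active_users)
        if flags:
            findings.append({
                "user_id": user_id,
                "user_name": user_name,
                "start": start_s,
                "end": end_s,
                "minutes": int((end - start).total_seconds() // 60),
                "particulars": particulars,
                "flags": flags,
            })
    return findings


def findings_per_user(findings):
    """Count flagged sessions per user ID to show where activity clusters."""
    return dict(Counter(f["user_id"] for f in findings))


if __name__ == "__main__":
    results = review_access_log(ACCESS_LOG, ACTIVE_USERS)
    for item in results:
        print(item["user_id"], item["start"], item["end"], item["flags"])
    print(findings_per_user(results))
```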

Conclusion:

Some of the indicators that were highlighted using the GAS had existed all these years, but the auditor did not have the tool to identify them within a reasonable timeframe while also providing assurance in other areas. The GAS therefore allowed the audit team to move beyond the ‘priority’ set by the Audit Committee. The IT team was also excited about the possibilities that such a tool could have for its own forensic security reviews on a regular basis, and initiated a review of the same with a special watch on cyber security. Further, Ray made it mandatory for the company’s outsourced internal auditors to use a GAS for their branch audits, using similar methodologies.

As a seasoned user of the GAS, Ray laid down the structure for Continuous Control Monitoring of specific forensic objectives through automation of tasks and scheduling within the GAS.

The Audit Committee appreciated the innovative steps taken by Ray, including his efforts at clarifying the role of internal auditor in fraud identification. All audit plans included some dimension of fraud reviews without going in for full investigation.

Competition risk — Case study

Overview :

Inherent in business is the ‘risk of competition’, which can be local, regional, national and transnational. Surf faced it from Nirma and both are facing it from Ghadi and other regional brands. Despite the ‘risk of competition’, competition is the ‘breath and blood’ of business. Competition motivates managements to innovate. It creates entrepreneurs. Competition and competitiveness are necessary to meet the challenges of tomorrow. It improves both the cost and quality of the product. It would not be wrong to say that competition even changes the taste of the customer.

However, it is also necessary at this stage to see the impact of absence of competition. Its absence results in monopoly, deterioration in quality, increase in prices and the consumer being short-changed. The automobile industry is an outstanding example of what absence and existence of competition has done in India. Padmini and Ambassador were both bad in quality and delivery. It used to be said that :

  •  the only thing that works is the horn, and

  •  one needs to book a car when a child is born.

Look at the market today. Competition has led not only to increased availability, but also to improved quality and variety of models and makes. Cars at every price point are now available. ‘Nano’, the innovative product from Tata’s, is changing the market. Many international car manufacturers are making India the hub for producing small cars. Again, care for the environment is internationally increasing competition for introducing hybrids. GM is working on a hybrid electric car which will give 230 miles per gallon. Daimler’s smart car will give 300 miles per gallon and Nissan’s product is expected to give 367 miles per gallon — Time 31 Aug. 2009.

Another outstanding example of what competition can do is our ‘telecom’ sector. It is the only product where cost to customer has reduced since the advent of mobile phone about a decade and half back. Today the customer pays not per minute of use but per second of use.

Nations fight for markets. That is what Doha is all about. Opening of services is expected to improve the quality of services. Even during the recent and current financial crises the impacted markets were inherently against taking protective measures as that would lead to lack of competition and result in a closed market which is against the interest of the consumer.

There are a number of factors that attract competition in a given business and industry. The primary factor of course is the prospect of earnings, and growth potential in terms of revenues, profits, value addition, market share and customer base and loyalty. Hence, the challenges are :

A. The first real challenge is knowing your competitors, in being able to judge (i) the market segments that are exposed to the risk, (ii) the level and resources of the threat which they pose, (iii) the source of competition risk in respect of the particular competitors in terms of the 4Ps of marketing, (iv) their relative strengths and weaknesses.

B. The second real challenge is in knowing what makes your products and services click in the market in the teeth of competition and why and how you are able to score over the competitors. These two aspects generally enable us to judge the extent of competition and its impact on our business.

C. The third aspect of competition risk pertains to potential and future competition. This is given by the attractiveness of the market, controlled by the extent and difficulty of entry barriers and the competition regulations and trade practices.

 

Competition encompasses not just the marketing and sales dimension of the organisation covering advertising, brand building and publicity, but affects the entire life cycle of the product and the organisation right from infrastructure planning, supply chain and sourcing, production, human resource to distribution, selling, after-sales service and even research and development.

The demand-supply equation, the entry barriers, the customer preferences, industry size, local, regional and global position all these determine the type and extent of competition an organisation is likely to face.

However, ‘competition risk’ is not merely about the risk that your competitors will overtake you and make your product obsolete and your service look much poorer in comparison to theirs, or that they will beat you on price or in reaching and occupying the market place and the hearts and minds of the consumers. ‘Competition risk’ could be both local and global. Apart from the 4Ps of product, price, promotion and place, which are the traditional sparring ground for competition, competition may also arise and manifest itself in location, policies, product mix, branding, recruitment and even reward and incentive schemes to staff as well as to customers.

‘Competition risk’ often goes much beyond into the realm of opportunities, possibilities, chance, market segments and niches that an organisation fails to spot and cash in on and the competitors are able to capitalise on. In fact creativity, innovative thinking and out-of-the-box approach often are the only offence and defense for dealing with competition.

Effectively dealing with the external risk of competition requires :

  •  A thorough understanding of the market

  •  An analysis of the environment, political, social, economic and cultural.

  •  An understanding of selective strengths and weaknesses of the organisation and its products and services vis-à-vis the competition.

  •  An understanding of potential competitors and the entry and exit barriers.

  •  A strategic and operational knowledge of competitor activity and customer expectations.

 

Thus, as can be seen from the above, it is indeed a very complex and daunting task, but it is nevertheless essential as without this, one cannot survive the competition.

The example for this month’s case study on competition risk is that of a company operating holiday tours and travel packages.

‘Sweet Memories’ is a tour company that was started about 15 years back in Mumbai. This company initially catered to the middle and lower middle-class segment and, according to the budgets and the general trends in these times, arranged tours and holiday packages to places of interest and cultural themes. It initially arranged tours to the West and South. This was followed by covering Rajasthan and the North.

Around four to five years back it started operating tours overseas to destinations in South-East Asia, Far East, Australia, New Zealand and is now arranging tours even to Europe and U.S.A. The customers are still essentially budget travellers belonging to the middle-class segment.

Of late the owners, who have been casual in their approach and relying on word-of-mouth publicity and offering value for money to customers as their mainstay to survive in the market, have found business difficult with the new entrants and bigger travel companies coming in with innovative concepts like theme tours, budget tours, action packed tours, exotic destinations and even sports-based tourism like the IPL South Africa tours.

Revenues of Sweet Memories have fallen and the management is at a loss as to how to deal with this threat of sudden onslaught of competition with high-end tours, large publicity budgets, beautiful travel brochures, exotic destinations and innovative ideas.

They therefore approach you as a professional risk manager and consultant to identify and analyse competition risks and advise the tour company on the next course of action and develop an immediate plan to stop customers from migrating to competition.

Suggested solution for competition risk:

Competition risk analysis needs to be done of the potential tour market based on :

Identifying existing and future risk for Sweet Memories:

An analysis of the situation reveals the following major issues:


Challenges and risks encountered from competition:

1. Judging the high-end tourist market segments’ needs and expectations.

2. Identifying strategies of new entrants – e.g., price.

3. Developing a positioning strategy and organised approach from the existing casual unorganised approach.

4. Expanding own share in the pie and expanding the pie itself.

5. Review existing marketing plan: Product, pricing, promotion and locational access.

Strategies for overcoming existing competition risk:

1. SWOT analysis:

a. First step is to evaluate internal capabilities and identify areas which require improvement.

b. Determine the scope of improvement.

c. Making small modifications to eliminate un-productive activities. This process requires ‘persistence’.

d. Conducting ABC analysis of revenue generating tourists and repeat tourists.

e. Identifying opportunities – that is – creating new untapped space in the market. e.g., International business exhibition tours, grooming and training with leisure tours for corporate executives, etc.

2. Study regional and international top 5 tour operators:

a. Complete package of offerings

b. Value added features like pickup and escorting services.

c. Customised onboard meal: Veg, Non-Veg, Jain, etc.

d. Event based tours: Brazil Carnival, New Year in Australia

e. Theme based tours: African safari, Buddhist circle, gaming, Dassera in Mysore and Christmas in Jerusalem.

f. Promotion and Branding strategies

g. Hospitality training to their guides, cooks, other professionals

3. Strong Brand Building and positioning activities will lead towards reaching the customer’s Evoked Set (Unconscious Mind) and help in discriminating customer preferences and choice.

a. Providing a travel kit with most common and essential items with a logo mark.

b. Attractive and innovative brochures with graphics and a colorful appeal.

c. Positioning themselves as High-end quality of service with cost benefit.

d. Creating jingles, slogans, a cartoon character, modified colorful logo, uniform dressing style for their professionals, etc.

4. Keeping a track of environmental happenings and events directly or indirectly influencing the industry: Social, Legal, Economical, Political, Technological and Cultural environments.

a) Assigning a representative in major international locations will help in identifying key events and happenings, which are not captured by major media agents.

b) Preparing a calendar with notes of future happening events and subsequently designing tour packages around those happenings – for example, Olympics in China and forthcoming Commonwealth games in Delhi.

6. Optimising Entry and Exit Barriers

a. Creating a niche in the market which becomes a trademark and difficult to imitate by other competitors

b. Besides risk of existing competition, organisation should also open up their vision for other threats like:

1. Bargaining power of customers

2. Bargaining power of suppliers

3. Threat from new entrants

4. Threat from substitute products

Porter’s 5 forces for an organisation’s risk:

– Risk of customer consistently demanding better quality product at reduced price.

– Suppliers demand higher volumes with sufficient margins and shorter payment cycle.

– New entrants possess more features with enhanced strengths like distribution power, innovative promotion, etc.

– Substitute product like jewellery or watches; amusement parks and resorts for tour operators; Nano car for two-wheelers’ market, etc. threatens the ability to cover large market share.

7. Adopting combination of marketing competition warfare strategies:

Sweet Memories depending on the market conditions and result of market study and analysis can adopt a combination of one or more of the following strategies to ward off competition risk.

a. Offensive marketing warfare strategies – are used to secure competitive advantages; market leaders, runner-ups or struggling competitors are usually attacked.

b. Defensive marketing warfare strategies – are used to defend competitive advantages; lessen risk of being attacked, decrease effects of attacks, strengthen position.

c. Flanking marketing warfare strategies – Operate in areas of little importance to the competitor.

d. Guerrilla marketing warfare strategies – Attack, retreat, hide, then do it again, and again, until the competitor moves on to other markets.

e. Deterrence strategies – Deterrence is a battle won in the mind of the enemy. You convince the competitor that it would be prudent to keep out of your markets.

f. Pre-emptive strike – Attack before you are attacked.

g. Frontal attack – A direct head-on confrontation.

h. Flanking attack – Attack the competitor’s flank.

i. Sequential strategies – A strategy that consists of a series of sub-strategies that must all be successfully carried out in the right order.

j. Alliance strategies – The use of alliances and partnerships to build strength and stabilise situations.

k. Position defence – The erection of fortifications.

l. Mobile defence – Constantly changing positions.

m. Encirclement strategy – Envelop the opponent’s position.

n. Cumulative strategies – A collection of seemingly random operations that, when complete, obtain your objective.

o. Counter-offensive – When you are under attack, launch a counter-offensive at the attacker’s weak point.

p. Strategic withdrawal – Retreat and regroup so you can live to fight another day.

q. Flank positioning – Strengthen your flank.

r. Leapfrog strategy – Avoid confrontation by bypassing enemy or competitive forces.

To summarise, once competition risk has been identified, it has to be dealt with using a combination of strategies and tackled at all levels to keep competition out of the way. The selection of the strategy, techniques, tools will depend on your own financial and marketing strength, the competitor’s strength and the existing and expected market conditions.

Initially, the ‘risk advisor’ advised Sweet Memories to:

– renegotiate terms with suppliers

– add features to its tours, e.g., air conditioned buses

– develop advertising material in the form of brochures

– employ strategy of distributing brochures through newspaper vendors

– hold low-cost customer meetings prior to the departure of a tour

– distribute travel kits at such meetings

– give specific information on places covered by the tour – e.g., famous temples, churches, historic buildings, museums, gardens, etc. This information is normally available in local brochures.

The above low-cost strategy has worked in increasing the inflow of customers and the efforts of the ‘risk adviser’ were appreciated. It however needs to be noted that ‘competition risk’ is an always existing risk and the management has to be vigilant and pro-active at all times.

Risk Management Case Study


Risk


Preamble :

Case studies have been an excellent teaching and learning tool especially in a live setting. Thus, even though formal academic training relies primarily on texts, lectures and tests, in a less formal setting, especially for continuing education, the case study method is preferred.

In fact the tales of the Panchatantra and Hitopadesha are excellent examples of how this method can transform people making them smart, intelligent, successful, wise and knowledgeable.

I personally prefer case studies, as a case study cannot and does not have one right answer. In fact no answer given with enough understanding and application of mind can ever be wrong.

The case gives a situation, often a problem and seeks responses from the reader. The approach is to study the case, develop the situation, fill in the facts and suggest a solution.

Depending on the approach and perspective the solutions will differ but they all lead to a likely feasible solution. Ideally a case study is left to the imagination of the reader, as the possibilities are immense.

Readers’ inputs and solutions on the case are invited and will be shared with others in the next issue. A suggested solution from the author’s personal viewpoint has also been provided for guidance.

Strategic and Business Environment Risks :

Managing a business in modern times is an exercise in maximising shareholder value. Economic Value Added — EVA — and shareholder wealth maximisation are looked upon as key metrics in achieving this success.

In this context the entire business focus from setting vision, mission, goals and objectives leading to formulation of strategy for managing business processes, human resources, technology, environment and even down to operational level details is for providing value through mitigating and managing risks — that is — uncertainty. Hence, organisations that expect to successfully meet stakeholder expectations whilst operating in a regulated civil society environment, need to have a ‘risk-based’ approach to business.

This and the following set of articles in the series aim to consider different risks that are faced by businesses at several levels of operation — viz. — the strategic, middle-management and operational level. We will cover in some detail diverse risks ranging from ‘difficult-to-control,’ ‘high-level’, ‘environmental’ and also internally controllable risks also in this series.

Each article will begin with a brief write-up and provide a case study covering each type of risk.

Overview of Strategic and Business Environment Risks : Strategy formulation requires understanding and dealing with the external-macro, as well as internal-micro environment, which is depicted in Figs. 1 and 2 below.

Macro environment of business :


A look at the business environment depicted above throws up a number of such examples of organisations formulating strategy and dealing sometimes successfully and at other times unsuccessfully with macro and micro environment changes and risk.

An example of this strategy is that of commercial banks. In India, commercial banks moved to having a greater emphasis on retail banking using Internet technology on the one hand and got into investment banking and portfolio management space for high net worth individuals on the other.

In the USA we saw the strategy of pushing complex financial products based on mortgages that ultimately turned out to be worth less/suspect floundering, and causing economic devastation not only in the USA but also in the entire economic world.

Strategy formulation and tackling changes in business environment need vision, foresight and an open mind. An organisation especially its top management needs to be focussed, alert, responsive and open to adopting changes to be successful. Many big organisations have been overcome and fallen by the wayside having been humbled by modern-day ‘Davids’.

The case study for this month’s study is a company selling ice-creams and milk products that turned itself around and is now on the threshold of taking off.

Koolkat Icecreams Ltd. has been in the business of dairy products especially ice-creams for the last 40 years with a factory in the interior of Karnataka. It has been pulling along and has maintained some name in the market despite having a good product.

Over the years it has seen itself being overtaken by the better known, well advertised brands and seen itself being edged off the shelf in most big cities. Even in its hometown and towns it does not have a significant presence.

What has helped Koolkat survive are the canteen sales through rate contract with many Government offices and departments and also contracts for supplying ice-creams in milk booths and kiosks operated by the Karnataka state dairy, that does not itself make ice-cream.

Hence, though having a good product, it has lost market share and not even attempted to seriously compete in the restaurant or even the low-end street vendor segment. In fact if one were to visit even the restaurants in small towns close to the factory, the company’s products are conspicuous by their absence. However, the factory operates at about 70% to 80% capacity and is doing reasonably well.

The young amongst the owners — that is — the top management have realised the changing market conditions and have decided to formulate strategy to deal with the various issues and risks.

Understanding the Environment :

Prior to the meeting that was called to formulate the strategy an analysis of the environment was made.

Political : Likely change expected in the ruling political party at the state level. Exit polls have indicated a 5% swing in favour of the opposition. New administration may be unfriendly leading to loss of assured government business.

Social/Cultural: The prevailing market conditions favour high-end and high-visibility products. The increasing middle class seems to be moving to international and/or high-end brands in ice-creams and dairy products. A recent market survey by a leading publication has shown a 20% shift in consumer preferences among the middle class towards high-end products.

Economic: The economic conditions with low level of liquidity, increasing borrowing costs and stringent market conditions indicate difficult times ahead.

Technological : Better infrastructure, transportation, communication and food preservation/manufacturing technology have lowered entry barriers. The distinction between international brands and small-time manufacturers in terms of both cost and quality is getting blurred.

The Company is currently dependent for its marketing effort on its dealer network and distributors/agents who are being given incentives as per company scheme based on their performance. The entire marketing expenses and advertisements are locally incurred and fragmented. There is no centralised advertisement and marketing activity. The benefit from the schemes is mostly retained and used up by distributors and it does not contribute to building the brand. The complex duty structure and differential rates for products from outside the state are proving to be a problem, as the entire output supplied throughout India comes from the factory in Karnataka. The cost and quality of packing material is also posing issues due to rising costs. Finally, street vendors and local small-scale manufacturers are also giving the company a tough time due to low cost and better reach.

These aspects have strategic and environmental risks that need to be addressed.

These factors independently and in conjunction with other factors like internal conflicts may result in business risk. As a ‘risk manager/adviser’ you are expected to identify and analyse these risks and advise the company on strategy formulation, and come up with an implementable road map.

The Solution :

The suggested strategy is outlined and implemented as below:

Strategic Options :

Marketing Thrust and Image Makeover:

The current marketing is entirely relying on dealer network and sub-distributors with very little central effort and advertisement support. Sales effort is scheme based with distributors enjoying benefit of schemes against offtake of products.

The proposed strategy is :

(1) to increase spend on marketing and advertising and launch the existing product itself in a new ‘avatar’ and consider manufacturing at multiple locations.

(2) to rationalise incentive schemes, especially those schemes that are bleeding the company.

(3) to consider phasing out schemes which are not yielding results.

(4) to utilise money saved to increase high-end visibility – that is – increase initially local advertising rather than newspaper or magazine advertising.

(5) use local language TV channels which are cheaper than national TV channels.

Production through licences, franchises and tie-up units:

Considering the nature of the product, transportation/logistic requirements and taxation structure, it is beneficial for foodstuffs to be manufactured and sold locally. The company should formulate a plan to increase production through tie-ups to at least 10 locations across different states initially and expand to 14 by year end and to 24 by end of year 2.

Ancillary activities:

Consider – investigate setting up facility for making plastic cups, spoons to reduce costs and ensure supply of quality packing material. This would also control counterfeiting. In the alternative seek a dedicated small-scale manufacturer – that is – a sole supplier – who would produce under company’s supervision to ensure quality.

Low-end  Penetration:

To consider employing strategy of de-risking its operations by lowering costs of production, cutting frills and targeting low-end consumers by introducing another brand through street vendors. The strategy advised and adopted was:


* change in packaging of the established brand – that is – for the existing product.

* introduce a low-end product under a new brand name with different packaging.

Note:

The company successfully implemented this strategy over a period of 12 months. This increased its market share in both low-end and high-end products. Today it competes with local low-end brands and high-end brands like Kwality and Baskin-Robbins.

Banking Revenue Assurance using CAATs

Internal Audit

Introduction :

The Banking Regulation Act, 1949 requires the auditor of a
banking company to state whether the profit and loss account shows a true
balance of profit and loss for the period covered by such account.

The profit and loss account as set out in Form B of the Third
Schedule to the Act has three broad heads : income, expenditure and
appropriations.

Interest/discount on advances/bills and interest on deposits
form a valuable component of income.

The auditor should, on a systematic sample basis, check the
rates of interest, etc., with sanctions and agreements and physical existence of
collateral security.

He should examine with the aid of Computer Assisted Audit
Tools (CAATs) — General Audit Software whether :

  • Interest has been
    charged on all performing accounts up to the date of the balance sheet.
    According to the guidelines for income recognition, asset classification,
    etc., issued by the Reserve Bank of India, a bank cannot take to income
    unrealised interest on any non-performing advance;

  • Discount on bills
    outstanding on the date of the balance sheet has been properly apportioned
    between the current year and the following year;

  • Interest on
    inter-branch balances has been eliminated in the consolidated profit and loss
    account of the bank; and

  • Any interest
    subsidy received (or receivable) from the Reserve Bank of India in respect of
    advances made at concessional rates of interest is correctly computed.

The CAAT auditor may also co-relate the interest on
advances/deposits with the amount of advances/deposits outstanding
using advanced statistical functions like correlation.

Practical case studies on use of CAATs — Illustrations on
banking revenue assurance :

Account maintenance :


Control objective : Non-recovery of service charges on
non-maintenance of minimum balance in saving and current accounts.


Control objective description : Saving and current
account holders need to mandatorily maintain a minimum quarterly balance in
their accounts.

The minimum balance to be maintained depends upon the type of
account (Saving general, current etc.), type of customer (Individual, staff,
pensioner, corporate salary account, etc.), cheque book issue status (issued,
not issued) and type of branch (urban, rural, etc.).

The minimum balance required to be maintained by each account
holder is entered in the core banking system by the branch under the field
‘minimum balance required’, in the CASA Master. Since this activity is performed
at the branch level and not the central IT level, it may be subject to branch
errors of commission.

Non-maintenance of the required minimum balance attracts a
system-levied service charge. Once again this service charge may be waived with
due permission (in case of dormant accounts for instance) or possibly with
certain mal-intentions at the account level by the branch by applying a flag ‘N’
in the field ‘SC MIN BAL FLAG’ in the CASA Master.

The bank auditor must verify the accuracy of both the
‘minimum balance required’ and ‘SC MIN BAL’ to be maintained in the CASA Master.

Procedure within GENERAL AUDIT SOFTWARE:

1. Open the CASA Master file within GENERAL AUDIT SOFTWARE.

2. SAVING ACCOUNT WITH CHEQUE BOOK AND INCORRECT MIN BALANCE REQUIRED TO BE MAINTAINED — Perform data — Direct extraction on the CASA Master by applying the command:

[@list(product code, “SB GEN”) .AND. cheque-book issued flag = “Y” .AND. @nomatch(customer type code, “STAFF”, “EX STAFF”, “PENSIONER”) .AND. minimum balance required <> 1000].

This report will provide a list of all saving accounts (other than NRE) whose holders are not STAFF, EX-STAFF or PENSIONER, having a cheque-book facility and where the minimum balance required to be maintained in the account as per the system is other than Rs.1000. Rs.1000 is defined by the bank policy.

3. SAVING ACCOUNT WITHOUT CHEQUE-BOOK AND INCORRECT MIN BALANCE REQUIRED TO BE MAINTAINED — Perform data — Direct extraction on the CASA Master by applying the command:

[@list(product code, “SB GEN”) .AND. chequebook issued flag = “N” .AND. @nomatch(customer type code, “STAFF”, “EX STAFF”, “PENSIONER”) .AND. minimum balance required <> 500].

This report will provide a list of all saving accounts (other than NRE) whose holders are not STAFF, EX-STAFF or PENSIONER, having no cheque book facility and where the minimum balance required to be maintained in the account as per the system is other than Rs.500. Rs.500 is defined by the bank policy.

4. CURRENT ACCOUNT WITH CHEQUE BOOK AND INCORRECT MIN BALANCE REQUIRED TO BE MAINTAINED — Perform data — Direct extraction on the CASA Master by applying the command:

[@list(product code, “CURRENT”) .AND. chequebook issued flag = “Y” .AND. minimum balance required <> 5000].

This report will provide a list of all current accounts, having a cheque-book facility and where minimum balance required to be maintained in the account as per the system is other than Rs.5000. Rs.5000 is defined by the bank policy.
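The three extractions above, together with the check on the ‘SC MIN BAL FLAG’ waiver, can be run in a single pass over a CASA Master export. The following Python sketch is an added example, not the bank's or any GAS vendor's code. The column names are snake_case renderings of the field names in the article, the account_status column and the customer type values INDIVIDUAL and CORPORATE are hypothetical, and the CSV rows are constructed sample data.

```python
import csv
import io

EXEMPT_TYPES = {"STAFF", "EX STAFF", "PENSIONER"}   # excluded by the extraction commands
# (product code, cheque-book issued flag) -> minimum balance per the bank policy quoted above
POLICY = {("SB GEN", "Y"): 1000, ("SB GEN", "N"): 500, ("CURRENT", "Y"): 5000}

# Constructed CASA Master extract. account_status is a hypothetical column used
# to tell a permitted waiver (dormant account) from one that needs follow-up.
SAMPLE_MASTER = """\
account_number,product_code,cheque_book_issued_flag,customer_type_code,minimum_balance_required,sc_min_bal_flag,account_status
1001,SB GEN,Y,INDIVIDUAL,1000,Y,ACTIVE
1002,SB GEN,Y,INDIVIDUAL,0,Y,ACTIVE
1003,SB GEN,N,INDIVIDUAL,500,N,ACTIVE
1004,SB GEN,Y,STAFF,0,Y,ACTIVE
1005,CURRENT,Y,CORPORATE,1000,N,DORMANT
1006,SB GEN,N,PENSIONER,0,N,DORMANT
1007,CURRENT,Y,CORPORATE,,Y,ACTIVE
"""


def expected_min_balance(row):
    """Policy minimum balance for the row, or None when no rule above applies."""
    product = row["product_code"].strip().upper()
    cheque_flag = row["cheque_book_issued_flag"].strip().upper()
    customer = row["customer_type_code"].strip().upper()
    if product == "SB GEN" and customer in EXEMPT_TYPES:
        return None                      # staff, ex-staff and pensioners are out of scope
    return POLICY.get((product, cheque_flag))


def audit_casa_master(csv_text):
    """Return [(account number, [reasons])] for every master record needing review."""
    exceptions = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        expected = expected_min_balance(row)
        try:
            actual = int(row["minimum_balance_required"])
        except ValueError:
            actual = None
            reasons.append("MIN_BAL_NOT_NUMERIC")   # blank or garbled branch entry
        if expected is not None and actual is not None and actual != expected:
            reasons.append(f"MIN_BAL_{actual}_EXPECTED_{expected}")
        waived = row["sc_min_bal_flag"].strip().upper() == "N"
        if waived and row["account_status"].strip().upper() != "DORMANT":
            reasons.append("CHARGE_WAIVED_ON_ACTIVE_ACCOUNT")
        if reasons:
            exceptions.append((row["account_number"], reasons))
    return exceptions


if __name__ == "__main__":
    for account, reasons in audit_casa_master(SAMPLE_MASTER):
        print(account, ", ".join(reasons))
```

Each exception is a lead for follow-up against the sanction or waiver approval on file, not proof of an error by itself.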

Transaction maintenance:

Control objective: Non-recovery of folio charges on saving accounts.

Control objective description: Folio charges are to be recovered in case of saving accounts having withdrawals in excess of 50 numbers/lines per half year. The charges per withdrawal in excess of 50 may differ from bank to bank and the type of saving account.

Procedure within GENERAL AUDIT SOFTWARE:

1. Open the CASA Ledger within GENERAL AUDIT SOFTWARE.

2. SAVING  ACCOUNT  WITH  WITHDRAWALS FOR HALF YEAR — Perform data — Direct extraction on the CASA Ledger by applying the command:

[@isini(“SAVING”, product name) .AND. @ list(tran code, 1001, 6101, 1006, 1013) .AND. @betweendate(tran date, “20080401”, “20080930”)]

This intermediate report will provide a list of all withdrawals through cash (1001), cheque (6101), debit funds transfer (1006) for all Saving accounts for the half-year transaction period April 2008 to September 2008.

3. SAVING ACCOUNTS WITH CUMULATIVE WITHDRAWALS FOR HALF YEAR — Perform Analysis — Summarisation on the above intermediate report. “Fields to Summarise” to be selected from drop down field list as “account number”. This intermediate report will provide an account wise summary of all withdrawals — cash, cheque, debit funds transfer for all SAVING accounts for the transaction period 8th April to 8th September 08 along with the number of withdrawals (i.e., entries).

4. COMPUTATION OF SERVICE CHARGES — Perform — Data — Field manipulation — Append — Virtual numeric field having name “Service Charges” to the intermediate report generated at Step 3 above. Enter the command no_of_recs * 1 in the parameter. This new field will provide service charges (folio charges) to be recovered from the account holder towards excess withdrawals over 50 entries.

5. IDENTIFYING SAVING ACCOUNTS WITH WITHDRAWALS IN EXCESS OF 50 — Perform data — Direct extraction on the intermediate report generated at step 4 above by applying the command:

(no_of_recs > 50)

This final report will provide all SAVINGS accounts where half-yearly withdrawals are greater than 50 entries along with service charges to be recovered.

These cases can be checked physically with the Statement of Accounts for the relevant saving accounts in the final report for recovery of folio charges and the accuracy of charges recovered.


Cheque maintenance:

Control objective: Non-recovery of cheque-book issue charges on saving accounts.

Control objective description: Cheque-book issue charges are to be recovered in case of saving accounts having cheque leaves issued in excess of 60 numbers per year. The charges per cheque leaf issued in excess of 60 may differ from bank to bank and type of saving account.

Procedure within General Audit Software:

1. Open the Cheque Report within the General Audit Software.

2. SAVING ACCOUNTS WITH CHEQUES ISSUED DURING ANY YEAR — Perform data — Direct extraction on the Cheque Report by applying the command:

[@isini(“SAVING”, product name) .AND. @betweendate(cheque issue date, “20080101”, “20081231”) .AND. cheque leaves > 60 .AND. .NOT. @isini(“staff”, product name)]

This intermediate report will provide a list of all cheque leaves issued in excess of 60 leaves for SAVING NON STAFF accounts in the transaction period of January 2008 to December 2008.

3. COMPUTATION OF CHEQUE ISSUE CHARGES — Perform — Data — Field Manipulation — Append — Virtual numeric field having name “Cheque Issue Charges Savings” to the intermediate report generated at step 2 above. Enter the command (cheque leaves-60) * 2. This new field will provide cheque issue charges to be recovered from the account holder.

4. CHEQUE-BOOK ISSUE CHARGES RECOVERED DURING ANY YEAR — Perform data — Direct Extraction on the CASA Ledger by applying the command:

[tran descp = “SC For Cheque-Book Issue” .AND. @isini(“SAVING”, product name)]

This intermediate report will provide a list of transactions on SAVING accounts where service charges for cheque-book delivery have been recovered.

5. CHEQUE-BOOK ISSUE CHARGES NOT RECOVERED DURING ANY YEAR — Perform — File — Join — select the intermediate report generated in step 2 above as the Primary File. Select the intermediate report generated in Step 4 above as the Secondary File. Click on Match. Match the two files on matching key — “account number” in Primary file and “account number” in Secondary file. Use the Join condition “Records with no Secondary Match”.

This final report will provide a list of saving accounts where cheque leaves issued in any year are more than 60 (annual free cheque leaves entitlement) and cheque-book issue charges have not been recovered.

Temporary Overdraft Interest Charges:

 Non-recovery of interest on Temporary Overdrafts (TODs) granted to saving accounts.

Introduction:

TODs are granted by the bank to an account holder when the account holder is short of available balance to meet specific payments on his account. The TOD is granted under the assurance by the account holder that the temporary overdraft would be made good through incoming funds in transit. TODs can be System TODs or Adhoc TODs. An account holder should normally not be granted multiple TODs, until earlier TODs are regularised. TODs which are not regularised within the limit end date should be specially taken up for scrutiny. Consistent delay in regularisations on few accounts should be dealt with strictly through punitive action.

Method within General Audit Software:
1. Open CASA TOD Ledger within the General Audit Software.

2. SAVING ACCOUNT TOD INSTANCES GRANTED — Perform data — Direct extraction on the CASA TOD Ledger by applying the command — (product name = “SAVING”)

3. Open CASA ledger within GENERAL AUDIT SOFTWARE.

4. INTEREST CHARGED on SAVING ACCOUNT TOD INSTANCES — Perform data — Direct extraction on the CASA Ledger by applying the command – (tran code = 5002 .AND. product code = 101)

Tran code 5002 stands for INTEREST DEBITS and PRODUCT CODE 101 stands for SAVING GENERAL accounts.

5. ACCOUNT SUMMARY LIST OF SAVING TODs – Perform Analysis — Summarisation on the intermediate report generated at Step 2. Select ‘account number’ as Fields to Summarise.

6. ACCOUNT SUMMARY LIST OF INTEREST CHARGED ON SAVING TODs — Perform Analysis — Summarisation on the intermediate report generated at Step 4. Select ‘account number’ as Fields to Summarise.

7. INTEREST NOT CHARGED ON SAVINGS TODs GRANTED — Perform — File — Join — select the intermediate report generated in Step 5 above as the Primary file. Select the intermediate report generated in step 6 above as the Secondary file. Click on Match. Match the two files on matching key — “account number” in Primary file and “account number” in Secondary file. Use the Join condition “Records With No Secondary Match”.
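The cheque-book charge procedure and the TOD interest procedure above both end in the same join, “Records with no Secondary Match”. The following is an added example, not code from the article or from any General Audit Software product, that reproduces both tests in Python. The underscore field names, the reading of @isini as a case-insensitive "contains" test, and all sample records are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data. Field names follow the reports named on the page;
# every account, value and the service-charge tran code 7001 is invented.
CHEQUE_REPORT = [
    {"account_number": "SB001", "product_name": "SAVING GENERAL", "cheque_issue_date": date(2008, 3, 10), "cheque_leaves": 100},
    {"account_number": "SB002", "product_name": "SAVING GENERAL", "cheque_issue_date": date(2008, 6, 1), "cheque_leaves": 75},
    {"account_number": "SB003", "product_name": "SAVING STAFF", "cheque_issue_date": date(2008, 7, 15), "cheque_leaves": 90},
    {"account_number": "SB004", "product_name": "SAVING GENERAL", "cheque_issue_date": date(2008, 9, 9), "cheque_leaves": 60},
    {"account_number": "SB005", "product_name": "SAVING GENERAL", "cheque_issue_date": date(2007, 12, 30), "cheque_leaves": 120},
    {"account_number": "CA001", "product_name": "CURRENT", "cheque_issue_date": date(2008, 2, 2), "cheque_leaves": 200},
]
CASA_LEDGER = [
    {"account_number": "SB002", "product_name": "SAVING GENERAL", "product_code": 101, "tran_code": 7001, "tran_descp": "SC For Cheque-Book Issue"},
    {"account_number": "SB010", "product_name": "SAVING GENERAL", "product_code": 101, "tran_code": 5002, "tran_descp": "Interest debit"},
    {"account_number": "SB011", "product_name": "SAVING GENERAL", "product_code": 101, "tran_code": 1001, "tran_descp": "Cash withdrawal"},
]
CASA_TOD_LEDGER = [
    {"account_number": "SB010", "product_name": "SAVING"},
    {"account_number": "SB010", "product_name": "SAVING"},
    {"account_number": "SB011", "product_name": "SAVING"},
    {"account_number": "CA002", "product_name": "CURRENT"},
]


def isini(needle, haystack):
    """Case-insensitive 'contains' test standing in for @isini (assumed semantics)."""
    return needle.lower() in haystack.lower()


def summarise(rows, key="account_number"):
    """Summarisation on one field: one row per key value with its record count."""
    counts = Counter(row[key] for row in rows)
    return [{key: k, "no_of_recs": n} for k, n in sorted(counts.items())]


def no_secondary_match(primary, secondary, key="account_number"):
    """Join condition 'Records with no Secondary Match' (an anti-join on key)."""
    matched = {row[key] for row in secondary}
    return [row for row in primary if row[key] not in matched]


def cheque_charges_not_recovered(cheque_report, casa_ledger,
                                 start=date(2008, 1, 1), end=date(2008, 12, 31),
                                 free_leaves=60, rate=2):
    """Cheque maintenance steps 2 to 5: excess leaves issued, no charge entry found."""
    issued = []
    for r in cheque_report:
        if (isini("SAVING", r["product_name"])
                and not isini("staff", r["product_name"])
                and start <= r["cheque_issue_date"] <= end
                and r["cheque_leaves"] > free_leaves):
            # Step 3: virtual field (cheque leaves-60) * 2
            charge = (r["cheque_leaves"] - free_leaves) * rate
            issued.append(dict(r, cheque_issue_charges=charge))
    # Step 4: charge entries actually posted on saving accounts
    recovered = [t for t in casa_ledger
                 if t["tran_descp"] == "SC For Cheque-Book Issue"
                 and isini("SAVING", t["product_name"])]
    return no_secondary_match(issued, recovered)  # Step 5


def tod_interest_not_charged(tod_ledger, casa_ledger):
    """TOD steps 2 to 7: saving accounts with TODs granted but no interest debit."""
    granted = summarise(r for r in tod_ledger if r["product_name"] == "SAVING")
    charged = summarise(t for t in casa_ledger
                        if t["tran_code"] == 5002 and t["product_code"] == 101)
    return no_secondary_match(granted, charged)


if __name__ == "__main__":
    for row in cheque_charges_not_recovered(CHEQUE_REPORT, CASA_LEDGER):
        print("Cheque charge not recovered:", row["account_number"], row["cheque_issue_charges"])
    for row in tod_interest_not_charged(CASA_TOD_LEDGER, CASA_LEDGER):
        print("TOD interest not charged:", row["account_number"], row["no_of_recs"])
```

Matching on account number alone clears an account as soon as a single charge or interest entry exists, so under-recovery and accounts with several TODs but one interest debit still need an amount or count comparison.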

Conclusion:
General Audit Software Programmes are time-tested, stable, robust, powerful, internationally acclaimed and user-friendly applications designed by auditors for auditors. No tool is a ready substitute for the auditor’s acumen and judgment, but tools are a powerful, cost-effective facilitator of large-scale electronic data analysis running into millions of records.

Revenue assurance in the banking sector can be made convenient and effective through the use of such tools.

Under a more evolved Enterprise Wide Continuous Monitoring Framework, General Audit Software Programmes can be used to automate the process of exception generation, issue escalation, resolution, feedback and learning for the business process handling Revenue Assurance.

Internal Audit Planning – A Case Study

Background

An external audit firm has been conducting the internal audit of an engineering company for the last two years. The audit committee chairman had a one-to-one meeting with the partner-in-charge for a review of the present internal audit reports and the internal audit process. During the discussions, the chairman asked the internal auditor to present an annual internal audit plan that takes into account the bigger picture rather than smaller issues and really adds value to the business. Based on recent corporate events and the Board’s responsibilities in the matter of Transparency and Control, the Audit Committee Chairperson enquired with the Chief Audit Executive (CAE) about the status of implementation of the Standards of Internal Audit of ICAI.

The CAE highlighted that a Risk Based Audit Planning process is being currently followed. However, the process has not been benchmarked against the Standards. The CAE affirmed that the entire activity will be aligned with Indian Standards and a report presented in the next Audit Committee.

Methodology

The internal audit function has a five-member team. The internal auditor therefore has to select projects (areas) with high risk to the organisation and direct the limited resources towards such projects. The audit frequency for high-risk areas needs to be high – maybe twice a year – whereas for low-risk or almost zero-risk areas, the frequency may be once in three years and so on.

A benchmark against the standard was carried out by the team to identify further areas for improvement.

Opportunities for Improvement

Overall, the Standard sought to address Audit Planning from 2 dimensions –

1. Overall Annual Audit Plan

2. Audit engagement or each specific audit project

For the Overall Annual Audit Plan, the areas identified were –

1. The existing Audit Charter adequately explained the ‘purpose, authority and responsibility’ of the Internal Audit function. The Audit Charter designed earlier had not been reviewed and revised for the last two years. During the last two years, the auditee had implemented an ERP and adopted a Balanced Scorecard strategy for evaluating performance. Efforts of Cost Reduction have rationalised middle level management.

a. The CAE and the team felt that the focus of audit needed to be revised through use of Audit Tools and the possibility of taking on a leading role in implementing Continuous Auditing.

b. One of the overall objectives that the standard expects the Internal Audit to achieve is to “strengthen overall governance, particularly strategic risk management”. The Audit Charter had not mentioned any specific responsibility for this objective. With regard to this objective, however, the audit team appreciated the following facts:

i. When strategic risks are taken, there is no audit involvement.

ii. The operating management does not perceive any specific role of the internal auditors in strategic risk management.

iii. The Internal Auditor is expected not to be a part of the decision. In this way, he/she retains their independence. If he is a part of this process, it may be a barrier to his independence at a later date, when the decision might not achieve the desired objectives. The Internal Auditor’s role as an assurance provider may get compromised if the internal auditor is involved in decision making.

One of the internal audit team members pointed out however that if he gets additional information at a later date, should he not then advise review of the decision rather than wait for issuance of the report?

This change was therefore sought to be introduced and highlighted specifically for discussion. The CAE took a stand that while the Internal Auditor could be a part of the Strategic Risk Management process, it should be seen as a ‘facilitator role’ and not as member of the decision making team.

2. While the Audit Plan was provided to the Audit Committee for approval, there was hardly any debate on the same and it was approved. The CAE thought that in the current practice, they were not really benefiting from the experience and knowledge of the Audit Committee Members. He therefore thought it fit to arrange for meetings with each of the Audit Committee Members to gain individual input prior to the next Audit Committee Meeting, where his first report would be presented. These meetings helped the CAE improve the audit plan.

3. The Risk Based Audit Planning process as currently implemented (refer BCAJ IAS article in March/April, 2003) was generally found to be robust. The process included the following –

a. Identifying the Audit Universe (comprehensive list of Audit Areas)

b. Establishing weights and ranks for the criteria which will form the basis of ranking the audit areas, and the cut-off score

c. Applying the criteria to the various audit areas

d. Arriving at scores for each area

e. Applying the cut-off criteria and shortlisting the areas of audit for the year. This forms a part of the Annual Audit Plan.

4. The revised Annual Audit Plan was also reviewed along with the first report. In order to ensure continuing relevance of the audit plan, a process of a half-yearly review of the audit plan with the Audit Committee was suggested and approved.

For the Audit Engagement or Each Specific Audit Project –

A brainstorming on the issues and difficulties faced by the Audit Team Members in Audit Engagements was undertaken. A few of the difficulties that came up from all members were –

  • the general appreciation of raising the right business issues in the audit reports,

  • the adequacy of time for performance of the audit – at times, key areas of audit were left out given the demands of completing the report.

  • the team members voiced their concern that the response that the CAE gets from officials was not the same as that received by them. They felt that the auditee’s employees did not give the audit the required seriousness, which resulted in avoidable delays.

The team thought of the options that the Standard provided towards overcoming these difficulties. The following were the guidelines that they felt could overcome the difficulties –

1. Preliminary Review – A visit to the audit area by the CAE along with the audit team members was planned to be conducted 15 days prior to the actual start date. The purpose of this visit was to understand the business process area and the operational realities within which the team performs. During the visit, the expectations of the auditee and the auditor are discussed and firmed up, the data and time requirements from the auditees are discussed and the JOINT objectives of the audit process are laid down. The auditee’s person-in-charge is made aware of the audit objectives, methodology and the ways that risk and control need to be looked at within the Risk Management Framework implemented. Apprehensions of the Auditee team are laid to rest in these interactions. This meeting is also sought to be used as a means to improve the responses of the auditee’s person-in-charge.

2. Audit Engagement Planning – The Preliminary Review meeting was also to be used to study past reports. The larger participation of all team members in identification of potential risk and control focus in each area was scheduled for at least once a fortnight in such a way that no area is taken up without the inputs received from all team members.

These measures would also ensure that the issues that are relevant to the organisation and the auditee team are addressed. This will also ensure that there is an ongoing value addition out of the audit process.

3. The CAE decided to improve the following areas –

a. Resource allocation in line with the scope

The knowledge and skills required for each audit were sought to be formally identified and matched with the ability of the team members. In case there was a mismatch, the CAE considered the option of training a team member in the area in advance and also involving an outside professional for the specific aspect of audit as part of the on-the-job training for the team. The option of including a guest auditor from within the organisation was also considered.

b. Detailed Audit Programme with specific priority for audit checks

Normally the Audit Programmes were packed with all possible tests to be conducted during an audit for all identified risks and controls. The team decided to identify which controls significantly mitigate the risk (Key Control). Single controls mitigating multiple risks were also sought to be specifically identified in a list of controls. The audit priority was focused on key controls. This focus improved audit effectiveness.

Conclusions

These measures were implemented in the quarter and some significant improvements were observed. The gaps identified vis a vis the standard, the measures already taken and their impact were shared with the Audit Committee. The initiatives taken were highly appreciated by the Audit Committee members.

All the actions of the CAE were based on the Internal Audit Standard issued by the Institute of Chartered Accountants of India.

    EXHIBIT 1 – Standards of Internal Audit – 1 of The Institute of Chartered Accountants of India

    The internal auditor should, in consultation with those charged with governance, including the audit committee, develop and document a plan for each internal audit engagement to help him conduct the engagement in an efficient and timely manner.

    The internal audit plan should be comprehensive enough to ensure that it helps in achieving of the above overall objectives of an internal audit. The internal audit plan should, generally, also be consistent with the goals and objectives of the internal audit function as listed out in the internal audit charter as well as the goals and objectives of the organisation. An internal audit charter is an important document defining the position of the internal audit vis a vis the organisation. The internal audit charter also outlines the scope of internal audit as well as the duties, responsibilities and powers of the internal auditor(s). In case the entire internal audit or the particular internal audit engagement has been outsourced, the internal auditor should also ensure that the plan is consistent with the terms of engagement.

    A plan once prepared should be continuously reviewed by the internal auditor to identify any modifications required to bring the same in line with the changes, if any, in the audit environment. However, any major modification to the internal audit plan should be done in consultation with those charged with governance. Further, the internal auditor should also document the changes to the internal audit plan.

    Internal audit plan should cover areas such as:

  • Obtaining the knowledge of the legal and regulatory framework within which the entity operates.

  • Obtaining the knowledge of the entity’s accounting and internal control systems and policies.

  • Determining the effectiveness of the internal control procedures adopted by the entity.

  • Determining the nature, timing and extent of procedures to be performed.

  • Identifying the activities warranting special focus based on the materiality and criticality of such activities, and their overall effect on operations of the entity.

  • Identifying and allocating staff to the different activities to be undertaken.

  • Setting the time budget for each of the activities.

  • Identifying the reporting responsibilities.

    The internal audit plan should also identify the benchmarks against which the actual results of the activities, the actual time spent, the cost incurred would be measured.

    The internal auditor should obtain a level of knowledge of the entity sufficient to enable him to identify events, transactions, policies and practices that may have a significant effect on the financial information.

    The audit universe and the related audit plan should also reflect changes in the management’s course of action, corporate objectives, etc. The internal auditor should periodically, say half yearly, review the audit universe to identify any changes therein and make necessary amendments, to make the audit plan responsive to those changes.

    The establishment of such objectives should be based on the auditor’s knowledge of the client’s business, especially a preliminary understanding and review of the risks and controls associated with the activities forming the subject matter of the internal audit engagement.

    The internal auditor should also document the results of his preliminary review so conducted.

    For this purpose, the internal auditor should prepare an audit work schedule, detailing aspects such as:

  • activities/ procedures to be performed;

  • engagement team responsible for performing these activities/ procedures and

  • time allocated to each of these activities/ procedures.

        18. While preparing the work schedule, the internal auditor should have regard to aspects such as:

  • any significant changes to the entity’s missions and objectives, business processes, and management’s strategies to counter these changes, for example, changes in the entity’s controls structure or changes in the risk assessment and management structures

  • any changes or proposed changes to the governance structure of the entity.

    The engagement work schedule should, however, be flexible enough to accommodate any unanticipated changes as well as professional judgment of the engagement team in the components of the audit universe as discussed above. The work schedule should also reflect the internal auditor’s assessment of risks associated with various areas covered by the particular internal audit engagement and the priority attached thereto.

        19. The internal auditor should also prepare a formal internal audit programme listing the procedures essential for meeting the objective of the internal audit plan. Though the form and content of the audit programme and the extent of its details would vary with the circumstances of each case, yet the internal audit programme should be so designed as to achieve the objectives of the engagement and also provide assurance that the internal audit is carried out in accordance with the Standards on Internal Audit.

Using Computer-Assisted Audit Tools (CAATs) for Prevention and Detection of Frauds in Healthcare Industry

Internal Audit

Introduction :


‘Health and Wellness’ is a private general insurance company.
Jacob, head of the ‘Claims Forensics’ department, was presenting on the role of his
department in detecting indicators of frauds and red flags to the Board of
Directors. The question asked to Jacob was “To what extent should evidence be
gathered to provide assurance on the indicators of frauds ?” Jacob’s attempt was
to explain the role of the investigator in terms of IT control, review of risks
in assurance services, physical document based investigations,
cross-examinations apart from compliance with various directives and statutes
and requirements of regulatory authorities.

As a means of increasing the extent of evidence gathering —
quantity and quality by his investigation team and reducing cost of operations,
Jacob proposed the implementation of a Generalised Audit Software (GAS) which
could help the inspection team query the system for better results and help in
identifying trends, patterns, and indicators of fraud.

The Board was supportive of the presentation made by Jacob
and asked him to implement the GAS and present the red flags detected as a
result of the forensic review at the next quarter meeting.

Methodology :

Jacob set up a mid-size team within the department to take
the initiative of implementing the GAS. The team comprised of 2 senior audit
officials who had a wide range of experience in various process activities like
claim acceptance, settlement, dealing with surveyors and key business functions
of finance and administration, a Certified Fraud Examiner and an IT auditor (CISA).
The team also retained the services of a retired medical expert from the Red
Cross, who was an expert in complex medical diagnostics.

The entire audit manual was reviewed and specific forensic
objectives were mapped for possible audit tests that could be conducted using
GAS and otherwise. The method of using the GAS was debated and discussed by the
group in a way that data integrity, confidentiality and availability of the
production server was not compromised and the objectives were also met.

As it was not possible to log on to the production server
due to access restrictions maintained by the Database Administrator, the team
was faced with the challenge of importing data for further analysis.

The team decided to connect to specific data dumps (Print
Report Dumps from various modules of the Medical Management System like Claims
Acceptance, Claims Settlement, etc.) provided by the DGM-IT. The data dump was
provided by running a File Transfer Protocol (FTP) on the Reporting Server,
which is also used for Reporting Tools like SAS.

Bird’s-eye view of red flags which were detected using the GAS

Excessive procedure billing for same diagnosis, same procedures

Objective :

To identify instances of excessive medical procedure billing
for the same diagnosis and medical procedure.

Method :

In this exercise, the Healthcare Claims transaction file was
linked with the master file on the basis of the Diagnosis Code.

A computed numeric field was added to arrive at instances
where excessive procedural charges had been claimed by the insured, in
comparison to the current master charge list.

Cases were extracted where the difference exceeded 15%
(Hypothetical acceptable variance norm across hospitals).

GAS functionality covered :

The exercise used the following GAS functionalities :


• Join files :


The Healthcare Claims transaction file is opened and chosen
as the active database. This file is the primary database. The master file for
procedure rates is chosen as the secondary file.

The two files are linked together based on the similar field
Diagnosis Code. The field is named differently in both the primary and secondary
file as Diagnosis Code and Diagnosis Reference Code, respectively. The link is
still possible as both the fields are the same in nature.

The option ALL RECORDS IN PRIMARY FILE is used as the joining
command.


• Append a computed numeric field :


As the existing field values could not be altered in the
joined database without disturbing the data integrity, a computed field of
numeric nature was added to the existing database. This computed field contained
the values linked to diagnosis code from the master file.


• Use the Equation Editor to write the criteria in the computed numeric field :


A command is entered through the Equation Editor to arrive at
the difference in medical procedure charges as per the transaction file and
masters captured from the master file.

The command can be checked for syntax and validated for field
nomenclature and construction.


• Data extraction to filter out the exceptions :


Data extraction involves filtration of transactions from the
joined file which meets the filtration command criteria. The values in the
computed numeric field above are filtered for non-zero cases.

Zero values indicate billing of medical procedure charges as
per the master table of charges. Non-zero cases represent deviations from the
master table of medical procedure rates.

Non-zero cases were trapped through the Data extraction —
Equation Editor facility using the command “Audit Charge <> 0”. Here “<>” refers
to NOT EQUAL TO.

Normally billings should proceed as per the master table of rates. However, options are available within the Med-Plus software for overriding the master charges and applying manual charges on a case-to-case basis. These manual overrides were specifically investigated to determine reasons for change.
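The join, computed field and extraction described above can be reproduced outside a GAS. The following is an added example, not code from the article or from any audit product, that links claims to the master charge list, computes the “Audit Charge” difference and applies the 15% variance norm. The field names, claim identifiers and amounts are constructed, and over-billing is read as a positive difference.

```python
# Constructed sample data: the master charge list and a claims transaction file.
MASTER = [
    {"diagnosis_reference_code": "D100", "master_charge": 10000},
    {"diagnosis_reference_code": "D200", "master_charge": 40000},
    {"diagnosis_reference_code": "D300", "master_charge": 25000},
]
CLAIMS = [
    {"claim_id": "CL1", "diagnosis_code": "D100", "procedure_charge": 10000},
    {"claim_id": "CL2", "diagnosis_code": "D100", "procedure_charge": 11500},
    {"claim_id": "CL3", "diagnosis_code": "D200", "procedure_charge": 50000},
    {"claim_id": "CL4", "diagnosis_code": "D300", "procedure_charge": 20000},
    {"claim_id": "CL5", "diagnosis_code": "D999", "procedure_charge": 30000},
]


def build_rate_table(master):
    """Index the master file by Diagnosis Reference Code.

    A code listed twice with different charges would silently duplicate or
    mis-price joined claims, so it is rejected instead of being guessed at.
    """
    rates = {}
    for m in master:
        code, charge = m["diagnosis_reference_code"], m["master_charge"]
        if rates.setdefault(code, charge) != charge:
            raise ValueError(f"conflicting master charges for diagnosis code {code}")
    return rates


def excess_procedure_billing(claims, master, tolerance_pct=15):
    """Join on diagnosis code keeping ALL RECORDS IN PRIMARY FILE, then extract."""
    rates = build_rate_table(master)
    result = {"deviations": [], "over_tolerance": [], "no_master_rate": []}
    for claim in claims:
        master_charge = rates.get(claim["diagnosis_code"])
        if not master_charge:
            # Kept by the join but has no usable rate: review separately.
            result["no_master_rate"].append(claim)
            continue
        # Computed numeric field: billed charge minus master charge.
        audit_charge = claim["procedure_charge"] - master_charge
        if audit_charge == 0:
            continue  # billed exactly as per the master table
        row = dict(claim, master_charge=master_charge, audit_charge=audit_charge,
                   variance_pct=round(audit_charge * 100 / master_charge, 1))
        result["deviations"].append(row)  # extraction: Audit Charge <> 0
        # Integer comparison avoids rounding error at exactly 15%.
        if audit_charge * 100 > tolerance_pct * master_charge:
            result["over_tolerance"].append(row)
    return result


if __name__ == "__main__":
    report = excess_procedure_billing(CLAIMS, MASTER)
    for name, rows in report.items():
        print(name, [r["claim_id"] for r in rows])
```

Claims with no master rate are reported rather than dropped, because an unmapped diagnosis code is itself a reason to look at how the charge was set.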

Identify excessive number of procedures per day or place of service per day/per patient:

Objective:

To identify instances of excessive number of medical procedures conducted per day or place per patient.

Method:

In this exercise, the Healthcare Claims transaction file was used as the basis for the red-flag check.

A duplicate check was run on the insured name, policy number, and hospitalisation date to identify possible duplicate claims for excessive medical procedures for the same insured patient. This test was further corroborated by a summarisation/ consolidation of claims based on the insured name and policy number to generate multiple claim instances in excess of one hospitalisation/medical procedure.

Cases were identified where multiple medical procedures had been conducted on the same insured at the same hospital. The cases were referred by the team to the expert medical officer who clearly identified the claims as unrelated and fictitious. For example, a cornea transplant of the eye was followed by a hernia operation, which was medically absurd.

GAS functionality covered:

The exercise used the following GAS functionalities :

•  Duplicate detection:

In the duplicate test, exact vertical matches are detected within specific field or fields designated.

The transactions file was used as the basis for the test.

The insured name, policy number, and hospitalisation date were selected as the key fields on the basis of which duplicates were to be detected.

In the GAS, an auto key field indexing was performed on the insured name, policy number, and hospitalisation date to speed up the process of duplicate key detection.

The duplicate test revealed a list of vertical matches which were to be investigated.

• Summarisation:

The GAS had a popular transaction consolidation function called summarisation. The advantage of this function was that multi-field summarisation was possible with generation of valuable insightful statistics like MIN, MAX, AVG, VAR, DEVIATION and more. This superior functionality was accompanied by generation of multi-chart and multi-graph utilities in user-friendly colour-rich formats which could be ported across office applications.

Summarisation/ consolidation of claims was performed based on the insured name and policy number to generate a report of multiple claim instances in excess of one hospitalisation/medical procedure. Here the key statistic used was COUNT rather than SUM.

Just like in the first stage duplicate test, summarisation was also preceded by an auto index facility on the key objective fields to increase the through-put of results.

• Data extraction to filter out the exceptions:

Data extraction involves filtration of transactions from the joined file which meets the filtration command criteria.

Multiple claim instances in excess of one hospitalisation/medical procedure were trapped through the Data extraction – Equation Editor Facility using the command “Count > 1”.

These vital cases and potential red-flag indicators were immediately taken up for scrutiny with the Chief Medical Officer at the concerned hospital. Patient health history reports were also studied to provide allowance for multi-health issues and failures on the same day warranting multi-medical procedures.
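The duplicate test and the COUNT summarisation described above, as an added example that is not code from the article or from any audit product. The field names and claims are constructed. Keys are compared after trimming whitespace and ignoring case, which goes slightly beyond the exact matching the text describes so that re-keyed names still collide.

```python
from collections import defaultdict

# Constructed sample claims. C2 repeats C1's insured, policy and date with
# different spacing and case, as a re-keyed duplicate might.
CLAIMS = [
    {"claim_id": "C1", "insured_name": "Asha Rao", "policy_number": "P-100",
     "hospitalisation_date": "2008-05-02", "procedure": "Cornea transplant", "amount": 180000},
    {"claim_id": "C2", "insured_name": " asha  RAO", "policy_number": "P-100",
     "hospitalisation_date": "2008-05-02", "procedure": "Hernia repair", "amount": 90000},
    {"claim_id": "C3", "insured_name": "Vikram Shah", "policy_number": "P-200",
     "hospitalisation_date": "2008-06-10", "procedure": "Appendectomy", "amount": 60000},
    {"claim_id": "C4", "insured_name": "Vikram Shah", "policy_number": "P-200",
     "hospitalisation_date": "2008-08-21", "procedure": "Knee arthroscopy", "amount": 75000},
    {"claim_id": "C5", "insured_name": "Meera Nair", "policy_number": "P-300",
     "hospitalisation_date": "2008-07-01", "procedure": "Cataract surgery", "amount": 30000},
]


def match_key(row, fields):
    """Normalised key: collapse runs of whitespace and ignore case."""
    return tuple(" ".join(str(row[f]).split()).casefold() for f in fields)


def duplicate_claims(claims, fields=("insured_name", "policy_number", "hospitalisation_date")):
    """Duplicate detection: groups of claims sharing all key fields."""
    groups = defaultdict(list)
    for claim in claims:
        groups[match_key(claim, fields)].append(claim)
    return [group for group in groups.values() if len(group) > 1]


def multiple_claim_summary(claims, fields=("insured_name", "policy_number")):
    """Summarisation by insured and policy, then extraction on Count > 1."""
    summary = {}
    for claim in claims:
        entry = summary.setdefault(match_key(claim, fields), {
            "insured_name": " ".join(claim["insured_name"].split()),
            "policy_number": claim["policy_number"],
            "count": 0, "total_claimed": 0, "procedures": set(),
        })
        entry["count"] += 1
        entry["total_claimed"] += claim["amount"]
        entry["procedures"].add(claim["procedure"])
    flagged = []
    for entry in summary.values():
        if entry["count"] > 1:
            # The procedure list is what the medical expert reviews for
            # combinations that make no clinical sense.
            flagged.append(dict(entry, procedures=sorted(entry["procedures"])))
    return flagged


if __name__ == "__main__":
    for group in duplicate_claims(CLAIMS):
        print("Duplicate key:", [c["claim_id"] for c in group])
    for row in multiple_claim_summary(CLAIMS):
        print(row["insured_name"], row["policy_number"], row["count"], row["procedures"])
```

The two tests answer different questions: the duplicate test needs the same hospitalisation date, while the summary also surfaces repeat claims on different dates.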

Identification of diagnosis and treatment that was clearly inconsistent with patient age and / or gender:

Objective:

To identify diagnosis and treatment that was clearly inconsistent with the patient/ insured age and gender.
 
Method:

The team set up value bands from the Claim Transaction file. The value bands were set up for 0-20000, 20001-50000, 50001-100000, 100001-200000, and more. The high-value bands were designated as “A Class High Risk”. “A Class High Risk” band corresponded to 10,00,000 to 20,00,000. All the claims in this category were culled into a separate dump within the GAS.

All the claims in the A Class category were examined through the search function for the insured details like age, gender, past medical history.

Specific instances were observed with the assistance of the ace team medical expert, wherein open-heart surgeries were conducted for minors even though the medical history suggested otherwise. In one critical high-value instance, the insured (a male) had claimed large amounts for complex medical procedures normally conducted on elderly women.

GAS functionality covered:

The exercise used the following GAS functionalities :

• Stratified Random Sampling:

In Stratified Random Sampling credence is given to distribution of individual transaction values between low, medium and high.

Judgment on the interpretation of low, medium and high rests with the GAS user based on consultation with the medical expert and past industry experience of the team members.

The team set up intervals from the Claim Transaction file. The intervals were set up for 0-20000, 20001-50000, 50001-100000, 100001-200000, and more. The high-value bands were designated as “A Class High Risk”. “A Class High Risk” band corresponded to 10,00,000 to 20,00,000. All the claims in this category were culled into a separate dump within the GAS using the random number table within the GAS.

The random number table generates a list of random numbers from the “A Class High Risk” interval based on its internal algorithms and generates a separate file of such instances.

•  Data search:

Data  search  is an advanced tool within the GAS which can undertake simple, complex, structured, unstructured, fuzzy, single word or multi-word searches quite similar to a web portal search engine.

Here with the aid of the medical expert specific key strings and character occurrences were trapped. Suspicious transactions were studied in depth along with the patient’s casepaper file.
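The banding, random selection and expert-guided search described above can be reproduced outside a GAS. The following Python sketch is an added illustration, not the GAS product's logic or the audit team's scripts; the claim records, field names, seed and search rules (including the procedure keywords) are constructed assumptions.

```python
import random
import re
from bisect import bisect_left

# Upper bounds of the value bands quoted in the text; amounts above the last
# bound fall into the open-ended "more" band.
BAND_UPPER = [20000, 50000, 100000, 200000]
BAND_LABELS = ["0-20000", "20001-50000", "50001-100000", "100001-200000", "more"]
# "A Class High Risk" range as stated in the text (10,00,000 to 20,00,000).
A_CLASS = (1_000_000, 2_000_000)

# Constructed sample records (hypothetical field names), not case-study data.
CLAIMS = [
    {"id": "C001", "amount": 15000, "age": 34, "gender": "F",
     "notes": "Fracture of left wrist, cast applied"},
    {"id": "C002", "amount": 48000, "age": 61, "gender": "M",
     "notes": "Cataract surgery, right eye"},
    {"id": "C003", "amount": 150000, "age": 45, "gender": "F",
     "notes": "Knee replacement"},
    {"id": "C004", "amount": 1200000, "age": 9, "gender": "M",
     "notes": "Open-heart surgery; no prior cardiac history recorded"},
    {"id": "C005", "amount": 1500000, "age": 67, "gender": "F",
     "notes": "Open heart surgery following coronary artery disease"},
    {"id": "C006", "amount": 1850000, "age": 41, "gender": "M",
     "notes": "Hysterectomy with complications"},
    {"id": "C007", "amount": 1100000, "age": 72, "gender": "F",
     "notes": "Hip replacement, revision"},
    {"id": "C008", "amount": 2500000, "age": 55, "gender": "M",
     "notes": "Multi-organ transplant"},
    {"id": "C009", "amount": 75000, "age": 29, "gender": "F",
     "notes": "Appendectomy"},
]

# Hypothetical rules standing in for the key strings a medical expert would
# supply: a text pattern plus a test on the insured's details.
RULES = [
    {"name": "open-heart surgery on a minor",
     "pattern": r"open[- ]heart\s+surgery",
     "test": lambda c: c["age"] < 18},
    {"name": "procedure inconsistent with gender",
     "pattern": r"hysterectomy",
     "test": lambda c: c["gender"] == "M"},
]


def band_of(amount):
    """Return the value-band label for a claim amount."""
    if amount < 0:
        raise ValueError("negative claim amount")
    return BAND_LABELS[bisect_left(BAND_UPPER, amount)]


def stratify(claims):
    """Group claims by value band, keeping empty bands visible."""
    strata = {label: [] for label in BAND_LABELS}
    for claim in claims:
        strata[band_of(claim["amount"])].append(claim)
    return strata


def a_class(claims):
    """Cull the claims that fall inside the A Class High Risk range."""
    low, high = A_CLASS
    return [c for c in claims if low <= c["amount"] <= high]


def draw_sample(population, k, seed):
    """Seeded random selection; sorting by id makes the draw repeatable
    regardless of the order in which the file was loaded."""
    ordered = sorted(population, key=lambda c: c["id"])
    return random.Random(seed).sample(ordered, min(k, len(ordered)))


def search(claims, rules=RULES):
    """Case-insensitive multi-word search combined with a demographic test."""
    hits = []
    for claim in claims:
        for rule in rules:
            if (re.search(rule["pattern"], claim["notes"], re.IGNORECASE)
                    and rule["test"](claim)):
                hits.append((claim["id"], rule["name"]))
    return hits


if __name__ == "__main__":
    for label, members in stratify(CLAIMS).items():
        print(label, [c["id"] for c in members])
    high_risk = a_class(CLAIMS)
    print("sample:", [c["id"] for c in draw_sample(high_risk, 2, seed=7)])
    print("flags:", search(high_risk))
```

Recording the seed with the working papers lets a reviewer regenerate exactly the same sample from the same claim file.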

Conclusion:

While specific audit reports gave regular feedback to the process owners about process flow control gaps, the identification of potential red flags in the process was greatly aided by the GAS, which went beyond the set standard traditional norms. Further, it allowed the audit team to move beyond the ‘priority’ set by the Board and complete their investigations within time, with specific unusual drill-down capabilities and results through a third-eye watch. IT was also excited about the possibilities which such a tool could have for their forensic security reviews on a regular basis and initiated a review of the same with special watch on cyber security, i.e., lodging of e-claims. Further, the Head – Forensics also made it mandatory for the Company’s outsourced medical examiners to use a GAS for their branch audits, using methodologies similar to those of the audit team.

As a seasoned user of the GAS, Jacob laid down the structure for Continuous Control Monitoring of specific forensic objectives through automation of tasks and scheduling within the GAS.

Our perspective

Internal Audit

Introduction :


1.1 Corporate governance, as we all know, has been under a
strong and critical public spotlight currently and in recent years, because of a
succession of blows to capital market confidence, particularly in the United
States but also echoed in India and other countries. The stakeholders’
expectations of boards and senior management, and of those charged with
providing an independent review of a company’s operations and financial
statements, have increased. To meet those expectations,
governments and regulatory authorities around the globe have initiated concerted
efforts to improve standards of corporate behaviour and transparency through :



  •  stress on efficacy of internal controls both in the Sarbanes-Oxley Act in the
    U.S.A. and clause 49 of the listing agreement in India.



  • mandatory compliance with accounting standards to ensure adequacy and
    uniformity in disclosure practices — this will further get strengthened with
    the adoption of IFRS in India.



  •  emphasis on risk assessment and risk mitigating procedures.


1.2 Clause 49 of the Listing Agreement casts an obligation on
the ‘Audit Committee’ to :



  • Ensure adequacy of internal controls.
  • Review internal audit reports.
  • Recommend appointment and remuneration of internal auditors.
  • Ensure independence of internal auditors.


Clause 49 also requires CEO and CFO to certify the
effectiveness of the internal controls in the company.

1.3 With the emphasis on the above issues, internal audit has
become an integral tool of corporate governance. An internal auditor today
reviews not only accounting procedures, but also reviews and reports on the
effectiveness of the manufacturing and marketing functions. Hence, internal audit in
the present context is a multi-disciplinary function.

1.4 This article offers our perspective on the role of
internal audit and its structure.

The role of Internal Audit :

2.1 Paragraph 3.1 of the Preface to the Standards on Internal
Audit, issued by the Council of the Institute of Chartered Accountants of India
in 2004, describes internal audit as follows :

“Internal audit is an independent management function,
which involves a continuous and critical appraisal of the functioning of an
entity with a view to suggest improvements thereto and add value to and
strengthen the overall governance mechanism of the entity, including the
entity’s strategic risk management and internal control system.”


2.2 The definition of internal audit approved by the Board of
Directors of the Institute of Internal Auditors is :

“Internal auditing is an independent, objective assurance
and consulting activity designed to add value and improve an organisation’s
operations. It helps an organisation accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control, and governance processes.”


2.3 The above definitions are highly contextual as a distinction
between internal audit and risk management needs to be drawn. As we see it,
the basic function of internal audit is an independent appraisal of
an organisation’s internal controls, including controls over financial reporting
and business processes having financial ramifications. It does not stop at only
pointing out weakness, but extends to making of recommendations on internal
control and process improvements that could be made to increase efficiency of
operations.

2.4 Risk management, on the other hand, is about
identifying and assessing inherent risks in the products and activities of an
organisation, and ensuring that appropriate risk management limits, control
mechanisms and mitigation strategies are in place to contain risk within the
organisation’s risk appetite and capital adequacy. A monitoring function
(similar to internal audit) is often involved to ensure that the risk control
framework is in place and operating as intended. Internal audit plays a
facilitative role in evaluating whether the controls are practical and
functional and whether they can be circumvented. The distinction is that ‘risk
management’ team has the continuous responsibility of understanding how actual
risks facing the organisation are changing. This requires continuous review by
the management.

2.5 The function of the internal auditor in risk
management is to review and report on the adequacy of the procedures and report
on adherence to the limits prescribed by the Board or senior management. Barings
of U.K. went down because limits prescribed by senior management in London were
not adhered to by a dealer in Singapore. Recently, the century-old France Union
General — a financial institution — failed because of speculative lending where
internal control limits were not adhered to.

2.6 The above view is in line with what is prescribed in Para
15 of the Internal Audit Standard 4 dealing with ‘Reporting’, which, amongst other
issues, includes as a function of internal audit :

‘evaluating the overall entitywide risk management and
governance framework.’


2.7 This cooperation between the internal auditor and the risk management team is also recognized in an alternative definition given in an IIA Research Foundation publication of 1999 – Competency : Best Practices and Competent Practitioners.

“Internal auditing is a process by which an organisation gains assurance that the risk exposures it faces are understood and managed appropriately in dynamically changing contexts.”

This is a functional definition and in our view a direct appreciation of the current expectations from internal audit.

Structure and resources, independence and approach:

3.1 The starting point is evaluating whether the internal audit function is in-house or outsourced, and whether this arrangement is appropriate in given circumstances. The following crucial benchmarks need to be in place for internal audit team keeping in mind the standards and professional practice advisories and guidelines of The Institute of Internal Auditors.

i) Structure and resources:

The structure of the internal audit function is established and an assessment made about the key internal audit personnel, their roles and responsibilities, skills and experience, irrespective of whether the internal audit function is ‘in-house’ or ‘outsourced.’

ii) Independence:

Firstly, the company board should ensure that independence of the internal audit function is maintained. The internal auditor should not report to the CFO, but should report to the CEO and the audit committee or the Board of Directors.

It needs to be mentioned that managements in India have been resisting the concept of internal auditor reporting directly to the CEO or the audit committee. However, we believe it is essential to have direct reporting to ensure independence. We also believe that reporting to the CEO or the audit committee should be after discussion and having obtained response of the management, because the CEO and/or the audit committee would call for the response of the management on any issue reported by the internal auditor. This mode of reporting also meets with the criteria of transparency.

Secondly, the internal auditor should not be directly involved in execution of risk management or operations. The internal audit function may provide valuable input to those responsible for risk management or operations, but should not have direct risk management responsibilities. In practice, some organisations (particularly small ones) may give internal audit initial responsibility for developing a risk management programme. Where this is the case, organisations should see that the responsibility for day-to-day risk management is an independent function. We reiterate that internal auditor should in no manner be involved in operations, though the internal auditor should understand operations.

Thirdly, significant issues raised by the internal auditor even if satisfactorily resolved need to be reported to the CEO and the audit committee.

Fourthly, where the internal audit function is outsourced there should not be any conflicts of interest – for example – the internal auditor should not be involved in rendering other services. The Institute of Chartered Accountants of India has recently barred an internal auditor from being appointed even as a Tax auditor.

iii) Approach:

The approach taken by internal audit should be clear. It could be :

  • risk-based – the focus is on the high-risk areas of the organisation;

or

  • review-based – the focus is on review of various parts of the organisation, usually chosen either at random or in line with a predetermined internal audit plan;

or

  • compliance-based – the focus is on compliance with policies and procedures.

It could however be a combination of all three. Normally, it would be a combination of at least two of the above.

The board and/ or the audit committee should approve the approach. However, there should be sufficient scope to change the emphasis where necessary on an ongoing basis in order to react quickly to issues that get identified and require internal audit involvement – for example – recent losses incurred by companies in foreign exchange derivatives. In short, the internal auditor has to be agile to respond to changing environment. He should always be vigilant.

i) Establishing the authority of internal audit:

The CEO must send out a clear message that internal audit function is necessary and not a compliance gimmick. The seriousness and the attitude of the CEO is the only means of establishing internal auditor’s authority.

Internal audit must be recognised as a core part of governance and not as some form of necessary burden or add-on. On the other hand, the internal auditor, by the professionalism and quality of internal audit work, should show boards, management, regulators and even those whose work he reviews and comments on that the function does add value. It should be understood that the message that internal audit sends will not carry weight unless it can be demonstrated that the message is founded on both technical and commercial competence – a balancing of technique and real world experience.

In other words the internal auditor has to establish that his function goes beyond compliance. To achieve this the team skill mix needs to be broad embracing accounting, compliance checking, industry specialist, IT skills and if possible to include a strategist – CAATs. This at times can be achieved by:

  • where necessary, ‘in-sourcing’ or ‘out-sourcing’ (if not already done) by having specialist skills to supplement full-time audit resources;

  • ensuring that internal audit technology keeps pace with developments in the business – for example – use of Balanced Score Card, Self Assessment, CAATs; and

  • demonstrating professionalism and objectivity by standing strong amidst the management and others, when this is justified in the interests of other stakeholders.

ii) Conflict situation:

Regulators can cite many examples where weak corporate governance exists because of an overbearing CEO who has undermined the financial soundness of an organisation, whether through unfocussed expansion – that is – pursuit of growth for growth’s sake, or the dominant desire to always give ‘good news’ – show growth where there is none or cover up losses. The recent Satyam fiasco is a startling example of an overbearing CEO. Internal auditor should be alert to such and similar signs of weakness and raise these issues with the Audit Committee. This kind of approach, though at times goes beyond the normal call of duty, will add immense value. Let us not forget that virtually all analysts have come to the conclusion that the current financial crisis which has gripped the world economy is because of the desire of CEOs and the corporate managements to achieve one of the two or both the objectives. Somewhere in fulfilling these objectives both the internal control procedures and risk limits have been violated. We believe that though it may be a tough call, the internal auditor will have to bite the bullet. The newspapers report that in the case of Satyam, SEBI’s investigation is being extended to Satyam’s internal auditors – Business Standard 16 Jan. 2009.

3.2 To retain his independence and effectiveness the internal auditor should also be conscious of the fact that:

  • no controls are absolutely perfect and will always require improvement.

  • managements are always tempted to by-pass controls, sometimes in the interest of business and at times in self-interest.

Hence, he should be aware of what is happening in the entity and should also never lose sight of ‘professional skepticism’.

3.3 Ultimately, it is the board which has to take ownership of problems and institute appropriate remedies. The issue is :

What should the internal auditor do where the organisation is facing major problems and the management continues to ignore them or fails to take remedial action?

There is no easy answer, since each situation is unique. Nonetheless, it is surely incumbent on the internal auditor to take the right professional action and not let the situation fester. In the end, the head of internal audit or the internal auditor might have to step down and part ways gracefully if the organisation’s culture does not allow internal audit to function appropriately and serious problems are not being addressed. This is the ultimate test of the professionalism and ethics. This is a hard decision. The fact is that after any failure the internal auditor is inevitably one of the sacrificial lambs on the altar of accountability. In these difficult situations, professional standards, support from the professional body and peers and where appropriate, support of the regulators can help to strengthen the position of the internal auditor. Internationally regulators have required external auditors to whistleblow to the regulator in extreme circumstances, while granting them protection in the form of qualified privilege. We may need to consider similar protection for internal auditor in our environment.

Concluding remarks :

The ever-increasing pressure on organisations to manage their affairs and risks prudently poses considerable challenges for corporate governance structures including internal audit, a key line of defence in these structures. Every challenge, however, is an opportunity. For ‘internal audit’ as a profession, the current business environment is both an opportunity and a challenge to cement our presence in corporate India to demonstrate our skills and resolve to play a contributory role. We have full support of the regulator and the audit committees. We perceive that in addition to an opportunity and challenge the ‘internal audit profession’ has an obligation to assist in making corporate governance transparent and effective. Let us therefore “look at the right things, whilst doing the right thing”.

IFRS convergence — Implications for the internal audit function

Article

As corporate India approaches IFRS convergence commencing
from 1st April 2011 (and extending over the next few years for most companies),
internal audit functions within most corporate entities need to consider
what this process of convergence means to them and what they should
be doing to participate in the process to safeguard the interests of their
organisations.

In many organisations, the IFRS convergence process is led by
and primarily owned by the finance and reporting function and other support
groups like taxation, information technology and systems and internal audit have
a relatively limited role to play in practice.

However, given that IFRS convergence means a fundamental
change in financial reporting and measurement processes, the implications and
therefore the onus on internal audit is significant. While it is obvious that
internal audit needs to look at the training and skill enhancements relating to
IFRS for the internal audit team itself, there are a number of areas where
internal audit can, and should, look to provide assurance to senior
management/board of directors on whether the process of convergence itself
(within a company) is being handled appropriately.

I have tried to set out below five of the top
areas for internal audit to focus on as this process unfolds.

Organisational readiness :

Internal audit function should assess how the organisation
has planned and is implementing the IFRS convergence process. Critical factors
to consider include :




  •   How have teams been staffed and is the organisational commitment (people,
    infrastructure and technology) to the process of rolling out IFRS adequate
    in the context of the organisation ?



  •   Are there adequate knowledge and skills in the hands of the persons who
    are leading this project i.e., are the project leaders/team members suitable
    for the task ?



  •   Have aspects such as budgeting and planning moved to an IFRS basis ? If
    not, what is the organisational roadmap to address potentially different
    basis for financial reporting and performance management ?




  • In the case of future acquisitions and business combinations, is there an
    ability to manage and measure financial performance on a basis different
    from historical cost accounting (i.e., given that IFRS requires acquisition
    date fair valuation; the basis and results will be
    different) ? Also are the relevant reconciliations and related controls in place to ensure that IFRS financial
    data and performance is adequately understood and analysed within the
    organisation ?




Training, skills and awareness :

IFRS convergence brings with it a significant challenge in
terms of technical skills and the need to learn new concepts and unlearn old
practices for most affected parties. Internal audit function should consider how
structured and thought through the training and awareness plan relating to IFRS
convergence is and consider the following key factors :




  •   What is the quality, timeliness and breadth of training available to all
    interested/affected parties ?



  •   Have current recruitment practices recognised the change imposed by IFRS
    and are those skills being actively sought ?



  •   For existing staff (including senior management) what is the incentive/dis-incentive
    to learn and unlearn as required by IFRS ?



  •   What has been the external communication strategy to create awareness
    around IFRS convergence and how it affects the organisation (with parties
    such as investors, bankers and lenders, credit rating agencies, key
    suppliers and customers, etc.) ?




Information technology change management :

One of the areas that is often neglected by companies working
on IFRS convergence is the impact that IFRS changes could cause to information
technology infrastructure within the organisation. Internal audit functions
should ideally focus on this area from an early stage as a poorly executed IT
change program can have significant and long-lasting repercussions for entities.
Key areas to focus on include consideration of how MIS, taxation and other
statutory/regulatory-related reporting and IT needs are going to be catered for
on a post-IFRS convergence basis; what are the checks and controls (including
reconciliation controls) that are being put in place for this purpose and the
robustness of the IT solution being implemented.

Another fundamental area relating to IT changes would be in
the context of business acquisitions and carve-outs proposed in the Indian
context. For business combinations/acquisitions, etc., given that the IFRS
standards require fair valuation to be performed on the acquisition date, the
post-consolidation cost basis would differ from the standalone cost basis for
various financial statement captions. Accordingly, entities need to have the
systems and IT ability to be able to manage the reporting and measurement
requirements on a parallel basis post acquisition. Additionally, if the entity
desires to report/measure performance on pure IFRS (as issued internationally by
the IASB) in addition to the Indian IFRS like standards (IND AS) because it is
listed overseas or wants to provide such information to its investors, IT
systems need to be able to cope with these requirements too. Internal audit
teams should consider the robustness of all IT solutions that are being applied
in the context of the above challenges.

Keyman risk :

There is a dearth of IFRS conversant and experienced resources in India currently. Accordingly, talent management and control over keyman/personnel risk is an important aspect for organisations to think about as they approach IFRS convergence. If too few people are involved in the IFRS convergence process, it can create/accentuate concentration and keyman risk and expose organisations to more risk than they budget for.

It is critical therefore that this risk is recognised and dealt with appropriately from an early stage. Adequate consideration should be given to the size of team involved in the IFRS convergence process, succession planning and most importantly the level and quality of documentation of the process and decisions associated with IFRS convergence, so that organisational interests are protected and the collateral of knowledge/decisions is retained even if there is an increase in staff turnover levels.


Quality control:

Probably the most tricky and challenging aspect of managing the IFRS convergence process in an organisation is ensuring quality control. This aspect is both difficult to measure and often even if a process is managed poorly, the effects may not be evident till well after the convergence process is considered complete. In today’s age where accounting restatements and errors can cause serious reputational and organisational damage, maintaining quality in the convergence process is critical. Internal audit should focus on what are the checks and balances in place to ensure a certain level of quality is maintained in the convergence process and the post convergence environment. For instance, a few areas that require careful consideration are:

  •    has an adequate benchmarking exercise with peers been conducted of the process followed by the company as part of the convergence process;

  •     are the accounting policies in line with industry peers (locally and internationally);

  •     how robust has been the consideration of choices and what is the quality of those choices in the context of the organisation’s operating philosophy;

  •     is there adequate communication to people in positions of governance (senior management, audit committees and boards of directors) of the choices proposed to be made and has their feedback been adequately factored into the convergence process;

  •    what is the quality of the review process of actual work done and adjustments computed relating to IFRS transition;

  •    are all people in reviewing positions adequately informed, skilled and aware about IFRS to discharge their functions adequately in a post-IFRS environment?

  •     are external auditors adequately involved in the IFRS convergence process and do they have appropriate skills to be able to perform the audits in a post-convergence environment?

Conclusion:

IFRS convergence is certainly a significant challenge for many organisations and internal audit functions would best serve their organisational mandate if they did not only react to the change once it happens, but instead look to provide their inputs and insights into the process by which convergence is being achieved. A number of boards of directors and audit committees are interested in understanding these aspects and internal audit can provide an independent and timely view that assists them in steering the organisation through the maze that is IFRS convergence in an effective and efficient manner.

Regulatory Risk – Case Study

Overview:

It is the duty of every government of a civilised society to regulate economic activity. The function of regulation is to encourage economic activity with ethics which benefits society. However, our (Indian) experience has been that of having ‘over-regulation’ leading to corruption and unethical practices. Reversal of ‘over-regulation’ in the past two decades has changed the environment to an extent, but over regulation and desire to increase the same continues to manifest itself. Let us not forget that too many and that too, complex laws convert ordinary honest citizens into criminals – e.g. – everyone who drinks in areas where prohibition prevails becomes converted from an ordinary citizen into a criminal in the eyes of law. Today there exist many laws which impact normal economic activity. In addition to laws which are common to all businesses – there are industry-specific laws, e.g. – pharma, food, health, chemicals, refineries etc. Compliance with the applicable laws, rules and regulation is an integral part of running a business.

Hence, business runs the risk of non-compliance with laws, rules and regulations resulting at times even in the suspension or closure of business in addition to the levy of penalties, legal action by customers, bureaucratic hassles and corruption.

Non-compliance also at times entails prosecution and imprisonment.

Regulatory Risk is the risk that a change in laws and regulations will materially impact a business, industry and activity, an organisation or an entity. However there is another dimension to regulatory risk. This is the risk of government agencies exercising control over the functioning of commercial and other activities of various entities.

Thus on the one hand a change in laws and regulations can disturb a level playing field; it can give skewed advantage to certain entities, organisations and companies. These regulations can be those pertaining to taxes, duties, licences, other regulations and procedures or relating to human operations.

On the other hand regulatory authorities at the behest of the government, the public or even on their own may step in to regulate, control and guide business or other activity by way of certain norms, rules and regulations which have to be followed and involve a cost, compliance load, and impact the operations, returns and profitability of enterprises, e.g., the Drug price control order and the rules thereunder is a case in point. The website ‘Investopedia’ has given the well known example of utility companies like electricity companies to explain regulatory risk. The government through legislation and administrative orders introduces a significant amount of regulation in the way they operate, set their tariffs and even the quality of infrastructure and the controls on the system. Regulations also affect investment market and investment activity which means that any change in these (for example margin requirements) can affect prices, returns and valuations.

The first significant characteristic of regulatory risk is that it is an additional source of risk due to the wide variation in regulations across countries, regions, industries and even regulators. The second significant characteristic is that due to the diversity of cause and effect, the nature of regulatory risks is difficult to understand, perceive, capture and communicate. As a result such risk is not well understood and consequently at times difficult to quantify, estimate, measure and manage.

Also many times this type of risk materialises without any warning or indication and takes most of us by surprise.

The first step for mitigating the risk of violation is to identify applicable laws and put in place compliance procedures. To ensure compliance there should also exist means of ensuring that the prescribed procedures are followed. This is normally achieved by having an effective internal audit or periodic review of functioning of ‘internal controls’.

The regulatory risk can be captured as under:

Regulatory risk

  •     Risk of changes in legislation and its impact.

  •     Risk of changes in rules and regulations and its impact

  •     Risk emanating from government agencies exercising controls by way of regulations and compliances on business.

  •     Risk of corrective controls and palliative measures that can affect businesses and organisations.

A formal analysis of this risk is difficult because it is an external risk that is affected by the frequency of changes in the several laws applicable to a business. The risk also depends directly on the duration of regulation, nature of regulation, whether involving strategy, operations or procedures and finally the extent of discretion exercised by the regulatory agencies. In fact business and industry would do well to study and understand regulatory preferences, styles, policies and trends. To summarise, regulatory risk even in the least regulated free environment is inevitable. The magnitude of risk is inversely proportional to the credibility, accountability and stability of the regulators.

The example for this month is the case study of a company engaged in conducting coaching classes for students in the context of regulatory risk. Expert Coaching Classes Ltd is one of the leading coaching classes for the 10th SSC and ICSE examinations, the 11th & 12th HSC, CBSE and for entrance examinations of IIT like JEE and Engineering and Medical CET and others.

Expert Coaching Classes began as a small venture in the living room of Sri Prakash – a retired senior teacher from Vidya Mandir School about twenty years back with three students. Today it has over 50 in-house faculty, 25 visiting faculty, 5000+ students and over 10 branches in two metro cities. In the good old days students were charged Rs.50 per month, today the fees for a year is in lakhs. The business model comprises holding awareness and introductory lectures that are attended by students and their parents. This is followed by a rigorous program for students using in-house well developed material and question bank. The course is interspersed with tests, the results of which are periodically communicated to the parents directly apart from communicating the same to the students. Intensive coaching takes place and students’ doubts are cleared. Expert Coaching Classes thus imparts quality education by limiting the number of students in a batch. Discussions are also held with parents of non-performing students.

There is some turnover in staff and faculty, and at times the advent of new classes means losing a few existing and potential students. Of late, on the heels of the use of the ‘Right to Information Act’ to uncover overcharging of fees by schools and the ever-increasing pressure on the education system, the following issues have emerged:

    i) There is a growing awareness of the need for quality education with adequate facilities, infrastructure and good faculty at school among students and their parents.

    ii) After regulating functioning of schools, their admission procedures and fees, there is now a demand to regulate coaching classes.

    iii) There is a move to mandate registration for coaching classes which is fast gaining ground.

At present ‘coaching classes’ are fairly independent of the regulatory system except obtaining some municipal licenses. Hence, coaching classes do not face any serious regulation. The risk is that some serious regulation is likely to be put in place. If this happens it is bound to affect the infrastructure needs, working, and functioning of the classes substantially in as much as the fees charged per student are likely to be also regulated. This change will affect both the top and bottom line. Further with conflicting reports emerging about scrapping of CETs, it is not clear if students would continue to patronise these coaching classes. It is in this context that the CEO of the classes has invited you, as the risk manager, to prepare a note identifying, estimating and measuring risks likely to be faced and advise the possible course of action to prevent, protect and mitigate the identified risks and come up with an action plan.

Regulatory Risk Analysis & Solution:

An analysis of the case reveals the following issues:

Well drafted regulations when fairly implemented help in the smooth functioning of business. Hence fair monitoring of certain sets of activities is necessary for implementation of law. However experience tells us clear language is rare and the absence of clear language leads to chaos and corruption. This has a bad impact on both the business and the organisation. It is because of this aspect that business advocates free market with minimum regulation and giving a free hand to the market forces. The following challenges and their impact have been identified:

  •     changes in law and regulations will impact size, fees and profitability.

  •     cost of compliance will increase.

  •     possible increase in unhealthy practice by unregistered, fly-by-night, small operators.

  •     possible increase in working school teachers conducting private tuitions.

  •     lower profitability.

  •     lower profitability could lead to lower standards.

  •     cost cutting measures could lead to increase in faculty turnover – impacting quality.

  •     reduction in visiting faculty to reduce cost – impacting quality.

  •     reduction in investment in infrastructure – impacting quality.

  •     reduction in the number of students because of the above and proposed abolition of Std. X exams – impacting profitability.

Solutions for Expert Coaching Classes (ECC) :

The possible solution to deal with this risk is outlined in the steps given below:

    1. Preparing a sensitivity analysis and assessing its impact on revenue and faculty related concerns.

    2. Channelise existing cash flow into higher savings to meet unforeseen contingencies.

    3. Centralise operations to reduce costs.

    4. Preparing an online version of coaching sessions, which gives flexibility of time to students, reduces dependence on faculty and investment in infrastructure, and reduces operating costs – encourage e-learning.

    5. Identifying areas of diversification – e.g. – corporate training, starting hobby classes, starting health education classes.

    6. Initiate a network of coaching classes and form a trade association to take on unfair regulations.

Anticipating risk and taking planned and persistent steps are today essential elements of running a successful business. Suggestions made by the risk adviser have been appreciated by the management. The management has initiated steps in line with the suggestions made.

Fraud by illusion and trickery

Nuances in Internal Audit of Luxury Hospitality Operations

Article

Dilemma :

It is often said
‘. . . . when hospitality becomes an art, it loses its very soul’. Yet, delivery
of soulful services requires unfettered independence. Controls and curbs in such
a scenario are inhibitions, to say the least. Where subjectivity is the name of
the game, the truth may be puzzling. It may take some work to grapple with. It
may be counter-intuitive. It may contradict deeply held prejudices. It may not
be consonant with what we desperately want to be true. But our preferences do
not determine what’s true. We have a method, and that method helps us to reach
not absolute truth, only asymptotic approaches to the truth — never there, just
closer and closer, always finding vast new oceans of undiscovered possibilities.

Approach :

‘We make our world
significant by the courage of our questions and the depth of our answers’. We
can judge our progress by our willingness to embrace what is true rather than
what feels good. In the business of hospitality, the guest is god — begin by
respecting the dictum. After all, class in the business of hospitality is always
more subtle, more intricate, more elegant than what most auditors would like to
imagine.

Knowledge gathering :

Trade nuances :

You have to know the past to
understand the present. Inquiry and interaction are handy tools. In exchange for
freedom of inquiry, the auditor is obliged to appreciate the subtlety of the
oft-hidden controls. A gentle ‘housekeeping’ turndown service in the evening,
for instance, doubles up as a reality check on the profile and preferences of
guests, even room occupancy discrepancies. Numerous are such nuances of the
trade; universally true, and not difficult at all for an open minded auditor to
pick up, gauge or rely upon. Obsolescence, though, is an important word here.
With the changing times, customs need to be tested and disproved assertions be
proved worthless.

Marketing innovations :

From dynamic demand-based
pricing concepts to global distribution systems, luxury hospitality today
embraces the A to Z of marketing, perceptions that auditors often grapple to
come to terms with, not to speak of the efforts to evaluate these. Experience
shows however, that even modern techniques such as these are often prone to
fallacies, and the cure for such fallacious arguments is better arguments. To
counter fallacies, auditors need imagination and skepticism both; not to be
afraid to speculate, but careful to distinguish speculation from fact.

Technological advancements :

Like most trades, high-end
hospitality products and services imbibe the best of technology in all spheres,
be it environment consciousness, information technology or engineering marvels.
Unfortunately, there is no short cut here — either go through the grind yourself
or seek help of experts.

Statutes :

Name a statute and it is
applicable to hotels — ranging from labour laws, indirect and direct taxes,
licences for almost everything you see in operation, food and hygiene,
pollution, GAAPs — the list is endless . . . . this is possibly an area however,
where not much advocacy would be required for auditors; supposed to be their
core competence. I may however caution here that ‘while it is of interest to
note that some dolphins are reported to have learned English — up to fifty words
used in correct context — no human being has been reported to have learned
dolphinese.’ Over confidence does no good.

Creating checkpoints :

Prevention :

‘Finding the occasional straw
of truth awash in a great ocean of confusion and bamboozle requires
intelligence, vigilance, dedication, and courage. But if we don’t practise these
tough habits of thought, we cannot hope to solve the truly serious problems that
face us.’ Easier said than done — eh ! Not really. For instance, like banks,
hotels have daily revenue closing systems such as ‘Night Audits’ and ‘Income
Audits’. The real challenge in a typical hospitality set-up is the multiplicity
of transaction points; while you rack your brains to repair one leak, another
one crops up. The best use of the gigantic risk and control matrices most
hospitality giants employ, to my mind, would be when robots eventually replace
human employees in the hospitality industry — human brains are far too suave and
thoughtful to be restricted by a ‘risk and control’ matrix.

Inquisitiveness :

Far from straightjacket
operations, the hospitality industry renders detective controls by far the most
effective tool in the hands of internal auditors. A probing mind together with
IT-empowered tools such as CAATs do wonders to dig out clues from unsuspecting
areas. Contrarian thoughts such as ‘The hen is the egg’s way of making
another egg’ work wonders, says experience. ‘What is called for is an exquisite
balance between two conflicting needs : the most skeptical scrutiny of all
hypotheses that are served up to us and at the same time a great openness to new
ideas. If you are only skeptical, then no new ideas make it through to you. On
the other hand, if you are open to the point of gullibility and have not an
ounce of skeptical sense in you, then you cannot distinguish useful ideas from
the worthless ones . . . .’

Conclusion :

The luxury hospitality
industry is in perpetual ‘floatation’, so to say; thus straightjacket auditing
means are often ineffective. Given the multiplicity and voluminous transaction
points, this industry is particularly susceptible to irregularities/frauds. To
get a grip, one must sway with the wave to be in total control.


Risk Management

Article

Introduction :


1.1 Over the years, risk and its management have been the
focus of human activity. Risk coexists with change, and it has been a facet of
human life whether it is culture, race, religion, personal life, political,
economic or social activities . . . . risk is an inseparable part of all human
endeavour.

1.2 However, depending on the prevailing attitudes and the
ground situation, in terms of the environment, setting, context and background,
risk has had a lesser or greater importance depending on the role it had to
play. In times of prosperity, growth and wellbeing, risk was and still often is
the farthest from human thought. That it applies equally to the modern world is
evidenced by the severe turbulence and swings and the consequent losses
witnessed in the stock market in the recent past when risk was not top of the
mind for the players in the financial market.

1.3 The current heightened interest and importance of risk
assessment is due to the unique situation that the world is in. Unlike in the
past, in times of the industrial revolution, which had its fair share of risks,
the modern world in the era of Information and Communication technology is a
globalised and networked world where the forces of disintermediation,
virtualisation, convergence, knowledge management and empowerment are at play.
The scope, scale and speed of operations in modern times are far beyond what was
even thought of in the past, the shortened fuse wire of decisions and the
worldwide impact of local actions and reactions are extremely difficult to
predict.

1.4 This transformation has on the one hand magnified
rewards, but on the other hand, has also enhanced risk. Enhanced risk is the
price we pay in this modern globalised world.

Concept of risk :

2.1 The concept of risk has been attempted to be captured in
many ways, but the basic definition still is relevant.

2.2 Webster’s defines risk as — possibility of loss
or injury (peril), someone or something that creates
or suggests a hazard, the chance of loss or the perils of the subject matter of
an insurance contract, the chance that an investment will lose value.

2.3 The word entered the English Language circa 1661 from the
French word ‘risqué’ and the Italian word ‘risco’.

2.4 Risk is imbedded when there is an event with more than
one possible outcome, that is, resulting in either desirable or undesirable
consequences. Each outcome has a probability of occurrence depending on the
circumstances. It is thus a potential event and not the loss itself.

2.5 In fact what may be perfectly normal and beneficial to
one in a given set of circumstances may be fraught with danger and risk to
another in the same or different setting. Thus we have the probability of early
bird catching the worm, and the possibility of early worm getting caught, but
the decision whether to be early or late depends on whether you are the ‘bird’
or the ‘worm’.

Attitude to risk :

2.6 Risk, hence, is a word of many meanings. It means
different things to different people. This perception of risk as a source of
‘threat or peril’, or as a ‘challenge and an opportunity’, depends on one’s
attitude to life and risk — that of a ‘risk averter’ or a ‘risk taker’. Risk
comes in all sizes and shapes, from getting caught in rain without an umbrella
and catching pneumonia (sickness) to facing life-threatening situations like
natural calamities, and of course normal and abnormal business risks involving
loss of money and reputation.

Types of risk :

3.1 An organisation faces many types of risks. These risks
range from strategy and directional risks at the one end to risks in day-to-day
operations at the other.

3.2 If one were to look at the enterprise as a whole, one is
faced with strategic risks that cover strategic issues, business
decisions and the business environment. Macro issues like political, economic,
social situation and competitor activity often affect and influence these risks.
Operational risks deal with operational issues including manufacturing
and service provision, execution, people issues, administration, communications,
etc. At a different level there are other external risks that exist in
the business environment that relate to markets, availability of finance and
changing value of money – forex. A chart showing an overview of these risks is
given in Appendix 1.

3.3 There are thus many ways of classifying risks — according
to their type or even as Systematic Risk and Unsystematic Risk.

3.4 Systematic risk covers interest rate, reinvestment rate,
purchasing power, market exchange rate and political risk, whereas unsystematic
risk covers business, financial, default, credit, liquidity and event risks.

3.5 Apart from these, risk can be physical, psychological,
social/economic, legal and even risk involving confidentiality.

4. Risk — its importance :


Risk has been with us since the beginning of time. Why is it that addressing, comprehending, analysing and managing it has become so important today? The most important reason for the increased importance of risk is that we have started appreciating the fact that uncertainty and its resultant negative impact on business is increasing with globalisation. Risk is becoming more important than ever before, because changes are so rapid and all-pervasive that they require preparedness and quick reflexes to launch pre-emptive moves to counter emerging, altered scenarios. At the same time both stakes and expectations are increasing. A time has come when Gandhiji’s words of wisdom, “there is enough for every man’s need, but not for every man’s greed”, are palpable today.

Contributing factors – Some examples:

5.1 Legislation is becoming tougher:

  • Legislation is now more extensive – from compensation to environmental laws, third-party liability to PILs, and laws granting compensation for corporate wrongs are becoming stricter.

  • Legislation is more stringent – Corporate Governance – clause 49 of the listing agreement and SEBI rules are continuously reviewed and often amended. In the U.S.A. it is the Sarbanes-Oxley Act.

  • Labour laws: risk assessment is necessary to avert legal liability, especially in areas of health and safety.

5.2 Insurance is more expensive and difficult to obtain:

  • Insurance is no longer cheaply available.

  • Open-ended cover is not widely available.

  • Insurance companies expect and require clients to manage risks on their own and do not offer a blanket cover.

  • Insurer does not compensate full loss even if the claim is accepted.

  • Insurance payouts are slow and difficult to obtain.

  • Many risks are not covered, such as intangibles like loss of goodwill, reputation and brand equity.

  • Insurance ultimately is reactive and not a proactive way of mitigating risk.

5.3 Customer – Attitudes:

  • Clients want to pass on risks to suppliers and service providers and want to de-risk their own business.

  • Business is more aware of consumer awareness and this has led to claims and litigation.

  • Shareholders are more aware of risks – affecting business value and therefore increased risk reflects in lower stock values.

5.4 Public awareness:

People and the society at large expect higher standards of probity in corporate behaviour, which means that companies have to manage ‘corruption risk’.

6. Response – Management’s attitude:

  • Professional and proactive managements promote risk management.

  • Managements are wiser from past incidents and want risk management practices in place.

  • With the advent of the global corporation, risk has become internationalised. Corporations face global concerns, and the short fuse wire of decisions has a greater impact on corporate bottom lines.

  • Privatisation – high-risk infrastructure sectors are also now in the private domain leading to greater understanding and provisioning for related business risks.


The source of risk:

7.1 Risk arises due to imperfect knowledge stemming from lack of complete or perfect information about certain facts and events on the one hand and the uncertainty and unpredictability of results of specific inputs and actions, on the other. Risk is contextual and its impact varies depending on the underlying situation and ground realities obtaining in a given situation. It also increases if you are dealing with third-party assets.

7.2 Risk is also determined by actions and moves of the associate and/or adversary, for example, in a zero sum or similar game. The well-known game Prisoner’s Dilemma is an example.

Prisoners’ dilemma:

The game known as the Prisoner’s Dilemma got its name from the following hypothetical situation: imagine two criminals arrested under the suspicion of having committed a crime together. However, the police do not have sufficient proof to have them convicted. The two prisoners are isolated from each other, and the police visit each of them and offer a deal: the one who offers evidence against the other one will be freed. If neither of them accepts the offer, they are in fact cooperating against the police, and both of them will get only a small punishment because of lack of proof. They both gain. However, if one of them betrays the other one by confessing to the police, the defector will gain more since he is freed; the one who remained silent, on the other hand, will receive the full punishment, since he did not help the police, and there is sufficient proof. If both betray, both will be punished, but less severely than if they had refused to talk. The dilemma resides in the fact that each prisoner has a choice between only two options, but cannot make a good decision without knowing what the other one will do.

The problem with the prisoner’s dilemma is that if both decision-makers were purely rational, they would never cooperate. Indeed, rational decision-making means that you make the decision which is best for you whatever the other actor chooses. Suppose the other one would defect, then it is rational to defect yourself: you won’t gain anything, but if you do not defect you will be stuck with a loss by way of being punished when the other goes scot-free. Suppose the other one would cooperate, then you will gain anyway, but you will gain more if you do not cooperate, so here too the rational choice is to defect. The problem is that if both actors are rational, both will decide to defect, and neither of them will gain anything. However, if both would ‘irrationally’ decide to cooperate, both would gain by being let off with minimum penalty.

Thus, in this well-known game representing the Prisoner’s Dilemma: if both prisoners cooperate (do not blame each other), they both benefit, each being let off. However, if one blames the other and the other cooperates (does not blame the first), then the blamer is let off and the one who cooperates gets arrested for a long term, and vice versa. If both blame each other, both suffer a sentence but for a shorter term. Though logically it is best to cooperate, since the prisoner is not sure if the other one will get greedy, they settle on blaming the other, just to be on the safe side and minimise potential risk/loss.
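The best-response reasoning in the Prisoner’s Dilemma passage above, worked through in Python as an added example that is not part of the original article. The sentence lengths in years are constructed to match the ordering the text describes, and the `with_betrayal_penalty` variant goes beyond the text to show how an enforceable cost on betrayal, one way of controlling the outcomes, moves the equilibrium.

```python
from itertools import product

SILENT, BETRAY = "stay silent", "betray"
MOVES = (SILENT, BETRAY)

# Constructed sample data: prison sentences in years (lower is better),
# keyed by (move of prisoner A, move of prisoner B) -> (years for A, years for B).
# Only the ordering matters: freed < small punishment < shorter term < full term.
SENTENCES = {
    (SILENT, SILENT): (1, 1),    # both cooperate: small punishment each
    (SILENT, BETRAY): (10, 0),   # A silent, B betrays: A gets the full term, B is freed
    (BETRAY, SILENT): (0, 10),
    (BETRAY, BETRAY): (5, 5),    # both betray: both punished, but for a shorter term
}


def best_response(player, other_move, sentences=SENTENCES):
    """Moves that minimise `player`'s own sentence, given the other prisoner's move."""
    def years(my_move):
        profile = (my_move, other_move) if player == 0 else (other_move, my_move)
        return sentences[profile][player]

    best = min(years(m) for m in MOVES)
    return {m for m in MOVES if years(m) == best}


def dominant_move(player, sentences=SENTENCES):
    """The single move that is a best response to every opposing move, or None."""
    common = set(MOVES)
    for other_move in MOVES:
        common &= best_response(player, other_move, sentences)
    return next(iter(common)) if len(common) == 1 else None


def nash_equilibria(sentences=SENTENCES):
    """Profiles where neither prisoner can shorten his own sentence by switching alone."""
    return [
        (a, b)
        for a, b in product(MOVES, MOVES)
        if a in best_response(0, b, sentences) and b in best_response(1, a, sentences)
    ]


def pareto_improvements(profile, sentences=SENTENCES):
    """Profiles in which nobody is worse off than in `profile` and somebody is better off."""
    base = sentences[profile]
    return [
        p
        for p, outcome in sentences.items()
        if all(o <= b for o, b in zip(outcome, base))
        and any(o < b for o, b in zip(outcome, base))
    ]


def with_betrayal_penalty(extra_years, sentences=SENTENCES):
    """Assumed variant (not in the article): every betrayer bears an extra, enforced cost."""
    return {
        profile: tuple(
            y + (extra_years if move == BETRAY else 0)
            for y, move in zip(outcome, profile)
        )
        for profile, outcome in sentences.items()
    }


if __name__ == "__main__":
    print("Dominant move for each prisoner:", dominant_move(0), "/", dominant_move(1))
    print("Equilibrium:", nash_equilibria())
    print("Better for both than mutual betrayal:", pareto_improvements((BETRAY, BETRAY)))
    enforced = with_betrayal_penalty(6)
    print("Equilibrium with a 6-year betrayal penalty:", nash_equilibria(enforced))
```
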

7.3 While risk arising from deficient information can be mitigated and reduced by gaining more information albeit at a cost, the risk arising from uncertain outcomes can only be controlled to some extent either by developing better mechanism at predicting the outcomes or better still by controlling the outcomes as much as possible.

7.4 Risk, as we have seen, originates from vulnerabilities and threats and results in an adverse impact when it occurs. It is a function of threats, vulnerabilities and their impact. Vulnerabilities produce weaknesses that increase risk. Threats are external adverse factors that have a chance of occurrence. The greater the threat, the greater the risk. The impact is the adverse consequences and damages that can flow from the materialising of the threat. The greater the impact, the higher the risk. Thus minimising the chance of the threat materialising, reducing vulnerabilities and minimising the damage or impact helps to mitigate risks.

7.5 If one addresses risk with preconceived notions about its probable causes, it can lead to disastrous results as the real threat often lies elsewhere. What is required is clear perspective, correct approach and quick response.

7.6 Both predictive and responsive courses of action have an associated cost. The manager has to develop a strategy that ensures that the returns always exceed the cost of risk mitigation. The right way to tackle, deal with and manage risk is to adopt strategic risk management. In the absence of a satisfactory definition of Risk Management …. for practical purposes, the emphasis of risk management tends to be on risk awareness, assessment and mitigation. However, strategic risk management involves :

  • The process by which executive management, under board supervision, identifies the risk arising from the business and establishes the priorities for control (The Cadbury Report, 1992).

  • Basically altering in a desirable manner where something missing in the system may cause a probable damage or manage its consequences.

7.7 The road map to risk management can be summarised as :

  • Risk awareness – Management must be aware of the hazards and their impact on the business, and how they could be avoided, prevented and reduced.
  • Risk analysis and assessment.
  • Assessment – Monitor threats, assess vulnerabilities, and estimate impact.
  • Prioritisation – Analysis into acceptable, unacceptable and tolerable – Middle of the road risks.
  • Planning for the future.
  • Prevention of occurrence.
  • Strengthening the system against vulnerabilities.
  • Minimising damage.

7.8 Requirements for successful risk management:

  • Availability of appropriate facilities and equipment.
  • Availability of appropriate systems and procedures, including monitoring and auditing performance.
  • Availability of appropriate organisation, existence of sufficient level of competence, with suitable communication and training arrangements.
  • Availability of appropriate arrangements for detecting and handling emergency situations.
  • Availability of an active and continuous system of review of risk throughout the organisation.

7.9 Tools used for effective risk management are:

  • Control
  • Insurance
  • Loss prevention
  • Technological innovation
  • Learning, information, distribution
  • Robustness.

8. The mantra for success in risk management thus seems to be to ‘bear, share and insure’. Bear what you can yourself, given your risk appetite. Share risk within the industry by creating risk-sharing and risk-averting mechanisms, and finally insure what cannot be controlled and pass on the risk to insurers. Lastly, ‘monitoring and planning’ for the future involves a continuous process to adopt a ‘Plan, Do, Check and Act cycle’, in order to de-risk your business to the extent possible.

9.1 Managing risks the proactive way thus involves:

  • Having strategy that is : creating and putting in place proper ownership structure, carrying on your business on sound premises based on risk policies which minimise exposure to uncertainties.

  • Managing people is another way of managing risk. This involves:

» Setting standards from the top

» Quick adaptation to change

» Balance and experience – multitasking employees, and

» Allocating responsibility for risk management.

  • Manage processes: this is the nuts and bolts of risk management and involves developing and putting in place sound policies, best practices, adequate procedures, easy to implement guidelines, sufficient documentation, drills, safer solutions, isolation of threats and active protection of assets.

  • Spreading the risk by: outsourcing processes, sharing risk, using hedging options, swaps and derivatives. Risk can also be spread by insuring for loss of profit.

  • Finally having a disaster recovery plan and business continuity plan to minimise the effects of the damage caused due to the adverse impact of threats materialising into reality – for example – strikes, lock-outs and natural calamities.

9.2 In short, Continuous Risk Management (CRM) is a structured plan. CRM provides a disciplined environment for proactive decision making to:

  • Assess continually what could go wrong (risks)
  • Determine which risks are most important to deal with
  • Implement strategies to deal with those risks
  • Measure and assure effectiveness of the implemented strategies.

9.3 For CRM refer Appendix 2.

The effective use and implementation of CRM results in a paradigm shift in the way businesses plan, implement and operate.

Risk and the Accountant:

10.1 We have examined risks and risk management as applicable to business and industry in general. Let us now consider the risks that accountants face at the professional, strategic, operational as well as at micro level. Risk has been with the profession since its advent, because accountants certify either ‘correctness’ or ‘true and fair’ state of affairs.

10.2 The accounting profession has passed through turbulent times post Enron and WorldCom abroad and our own GTBs and cooperative banking scams in India, and has reached a crossroads. The message is loud and clear: the profession has to improve if the financial system and trust and faith in the profession are to survive. All concerned stakeholders – the government, the key players and the profession itself – have moved with alacrity to rectify the situation. New accounting and audit standards have been adopted, and the world is moving towards one set of uniform financial reporting standards. A lot has been done; a lot needs to be done. It is in this context that we need to look at risk from the perspective of accountants and auditors.

10.3 Accountants play the role of score keeping and reporting. Reporting involves providing information to managements for decision making and to other stakeholders for investment, rewards, taxes, etc. From an accountant’s perspective risk is closely associated with governance, compliance and performance. Every organisation in its attempt to achieve its business objectives needs governance, compliance with laws and measurement of performance – that is profit.

10.4 The issue we will examine is : what is the role and relevance of accounting and the accounting professional, whether as an accountant or as an auditor, in the context of risk and what are the risks an accountant faces.

10.5 The accounting professional’s role in risk is on one side as the person in charge of the accounting and reporting process – the chief financial officer (CFO) – and on the other side as a professional, independent auditor or internal auditor who expresses an opinion on the financial statements and internal controls, etc. respectively. This is brought out in Fig. 1 below.

10.6 The CFO, post SOX in the US and clause 49 and other corporate governance initiatives in India, is responsible for maintaining proper records and accounting for transactions, selection and application of proper accounting standards, computation and extraction of financial statements, true and fair reporting of the profit/loss and the state of affairs and also ensuring safeguarding of assets, control over operations and vouching for the verification and veracity of records. The CFO has thus become ‘owner’ responsible for accounting and reporting function. His liability is thus now two-fold. One of due care to the best of his skill and ability to his employer, and the second of proper service (that is not deficient) to the stakeholders. Failure to do his job using due care, diligence and professional expertise would attract action and liability.

11. Risk as Score Keeper:

The accountant as a score keeper maintains records of financial transactions. Books of accounts and accounting and financial records provide the basis for all decision making within the organisation. It is an analysis of this data using various tools and techniques that helps organisations take decisions. Decisions that are strategic like export or not, expand or shut down, diversify or continue, decisions that are operational like working in the second shift, increasing the work force, double the productions, hold stocks, as well as day-to-day decisions like accept an order, increase the price in the local market, etc.

The information provided by the CFO has to be correct, accurate, timely and relevant. In this role as a management accountant providing inputs he is part of the decision-making team.

Risk as reporter:

12.1 Financial statements provide key information to stakeholders. It is the business scorecard that gives vital information about net worth, assets and liabilities, profitability, growth, stability, liquidity, solvency, gearing and turnover.

12.2 The information provided by the accountant – CFO – who is a critical member of the management team, is expected to be independent (unbiased), transparent, true and fair – that is, to fairly represent the position of the business from the stakeholders’ perspective. In this role, the accountant faces the risk of application of wrong principles and standards, wrong accounting estimates, errors, mistakes and frauds, inaccurate particulars, window dressing and creative accounting – that is, unfair presentation, off-balance sheet items, unaccounted transactions, unprovided liabilities, watered capital, issues of capital versus revenue, deferment of revenue expenses, under-provisioning or over-provisioning for expenses and liabilities; the list is endless.

12.3 Any lapse in the discharge of this responsibility can involve civil, criminal and professional action.

Risk in Audit and Assurance:

13.1 The risk in this role is twofold. The first as an internal auditor having organisational independence and the other as the independent external/ statutory auditor.

Internal Auditor:

13.2 As an internal auditor, the accountant deals with reporting on: existence and effectiveness of controls, adherence to policies and procedures, safeguarding of assets, compliance with laws and regulations, existence of appropriate and adequate documentation and MIS, fraud and error, deviations from established and prescribed procedures and at times on proper utilisation of physical and human resources.

13.3 The risks faced by the accountant as internal auditor arise from the sheer volume and complexity of transactions and are:

  • failure to detect lapses and weaknesses in procedures
  • failure to identify areas of fraud
  • failure to detect frauds
  • failure to maintain his independence whilst being an employee of the company.

External Auditor:

13.4 As an external auditor the professional accountant deals with financial statement reporting, fair presentation of the position of its assets and liabilities, and true and fair reporting of its profit and loss for the period. This involves verifying the books of accounts, with supporting evidence, proper application of accounting principles and standards, verifying existence and efficacy of controls and following the set of professional audit and assurance standards developed over the years. All this enables him to express an opinion on the financial statements prepared and submitted by the management.

13.5 The external auditor can do precious little to address risks inherent in a business activity. He is not an insurer of results, but what he can and must do to the best of his professional ability is to address the risk of detection of misreporting.

He needs to display independence and professional competence, use the concepts of materiality, prudence and professional skepticism, whilst dealing with error and fraud to provide sufficient assurance to the users of financial statements that the financial statements are ‘true and fair’.

13.6 The days of the Kingston Cotton Mills’ case where the auditor was not responsible for reporting frauds and other delinquent acts of managements are gone.

13.7 A professional accountant owes a duty of care to the person who has engaged him for the work of auditing and reporting, arising out of the contract and terms of engagement and the governing laws and regulation.

13.8 The liabilities of professionals especially ‘auditors’ who do not discharge their responsibilities are broadly divided into four types. These are:

  • civil liability for negligence,
  • statutory liabilities under the Companies Act, 1956 and other statutes,
  • liability under the Indian Penal Code,
  • liability for professional misconduct under the Chartered Accountants Act, 1949.

14. Auditors were not considered to owe a duty of care to third parties or individuals belonging to a group in the absence of a direct contractual relationship even if these third parties had relied on his report. The decision in the cases of De Savory v. Holden Howard & Co, (TLR) 11-1-60 and Candler v. Crane Christmas & Co, Court of Appeal, 1951 2 K.B. 164, absolved the auditor from such responsibility. However, the dissenting judgment of Lord Denning in Candler v. Crane Christmas & Co is worth perusing. He observes:

“The accountant, who certifies the accounts of his client, is always called upon to express his personal opinion whether the accounts exhibit true and correct view of his client’s affairs, and he is required to do this not so much for the satisfaction of his own client, but more for the guidance of shareholders, investors, revenue authorities and others who may have to rely on the accounts in serious matters of business. If we should decide this case in favour of the accountants, there will be no reason why accountants should ever verify the word of the one man in a one-man company because there will be no one to complain about it. The one man who gives them wrong information will not complain if they do not verify it. He wants their backing for the misleading information he gives them and he can only get it if they accept his word without verification. It is just what he wants so as to gain his own ends. And the persons who are misled cannot complain because the accountants owe no duty to them. If such be the law, I think it is to be regretted for it means that the Accountants’ Certificate, which should be a safeguard, becomes a snare for those who rely on it. I do not myself think that it is the law. In my opinion, accountants owe a duty of care not only to their clients, but also to all those whom they know will rely on their accounts in the transactions for which these accounts are prepared.”

This liability of owing a duty to third parties was established by the decision of Hedley Byrne and Co Ltd. v. Heller and Partners, (1964) A.C. 465.

15. I would refer to two Indian cases:

1. The decision of the Bombay High Court in Trisure’s case No. 1377 of 1978, dated 211 24 October 1985 re-emphasised that an auditor need not proceed with suspicions unless the circumstances are such as to arouse suspicions in a professional man of reasonable competence. The judgment also upholds the use of sampling for testing internal controls and use of sampling to complete the audit where controls are found satisfactory.

2. The observations of Justice P. T. Raman Nair in the decision in the case of The Official Liquidator, Palai Central Bank Ltd. v. Joseph and Other, (App. No. 247 of 1963 in BCP No. 11 of 1960) are relevant:

“So far as the 8th respondent, the auditor for 1946 onwards is concerned, very lengthy arguments have been addressed regarding the duties of a familiar bloodhound as opposed to watchdog lines. But this much I suppose one would not deny and counsel for the 8th respondent has not been disposed to deny it namely, that even the tamest of watch-dog has duty not to connive with the thief.”

16.1 Let us consider the present situation in which chartered accountants and auditors are viewed by the public and stakeholders as service providers. Service provided includes accounting, audit & assurance, taxation, consultancy, investment advisory, valuation and/or many other services including at times opinions and management consultancy. The issue is: Is there any exposure under the consumer protection laws for other similarly-placed professional service providers – for example – doctors and lawyers who have been recently exposed? The decision of the National Consumer Disputes Redressal Commission and later the Supreme Court of India in the case of Indian Medical Association v. V.P. Shantha, (AIR 1996 SC 550) has held that the services rendered by the medical practitioner are included and covered under the definition of ‘services’ in S. 2(1)(o) of the Consumer Protection Act, 1986. This covers not only the treating doctors but also the consultants.

This reflects the view that the watchdog bodies of the profession are not perceived to be adequate to provide justice to consumers. In its judgment dated August 6, 2007, in the case of D. K. Gandhi v. M. Mathias, the National Consumer Redressal Commission made it clear that all professionals, including lawyers, should come under the ambit of the Consumer Protection Act. If doctors can come under the fold of the Act, lawyers and all other providers of services like chartered accountants, architects and property dealers will come under the Consumer Protection Act too. This case marks a departure from the established law that professionals can be penalised only by the established Discipline procedures under the law governing the profession. Thus in the changed environment claims for deficient services will not be restricted to be dealt with by the disciplinary committee or an in-house forum of the Institute, but could be agitated before and decided upon in other fora like the consumer forum and Civil and Criminal Courts.

16.2 Accounting is changing and facing challenges like fair value accounting, inflation, intangibles, growing dependence on information systems, ERP, and last but not the least, convergence with International Financial Reporting Standards – IFRS. All these challenges are areas of risk.

The current financial crisis:

17.1 The current financial crisis beginning with the sub-prime crisis in the US, followed by economic meltdown, reckless investment and products, right up to the recent string of bankruptcies, near-collapse situation in the United States and the last minute bail-out has brought to the fore immense risks in the world of finance.

17.2 What has caused this current crisis? Is it bad economics? Bad mathematics? Bad logic? Poor judgment? Is it a failure of rating agencies, failure of merchant bankers, investment analysts and consultants, failure of banks and financial institutions in their due diligence and homework and failure of auditors in expressing their opinion? Failure of monitoring and regulatory bodies and government agencies, failure of Boards in their oversight? Failure in record keeping and reporting … probably it is all of this in some measure. I suspect all have failed.

17.3 What would be the fallout and impact of the ongoing crises like the turbulence in the forex market and where derivative products have been sold by leading banks to mature corporates and investors with neither displaying the maturity, the seriousness, the understanding and the capacity of going through such transactions? Can this be called ‘risk’ management? The conclusion is in the negative.

18. A person can always be wiser in hindsight. But one fact that emerges glaringly from this is that every situation, every strategy, every move, every operation, every action, every transaction, every receipt and payment, every contract, every assurance, every deal, every agreement, every statement, every acceptance … has a financial footprint that the accountant captures, records and reports and the auditor verifies, vets, vouches, audits, comments and expresses an opinion on. Does that mean that all this is too onerous and that accountants should hide behind disclaimers, subject tos, notwithstandings, ifs and buts, and the law as it stands? Professional accountants, be they CFOs, accountants or auditors, need to understand the situation and the task before them, and equip themselves to go forth and discharge their role. To quote William Shedd:

“A ship in harbour is safe, but that is not what ships are built for.”

This is the challenge.

19. I repeat: the way forward for accountants to counter this risk is to equip themselves with knowledge through continuing professional education, improve the assurance function supported by peer review, and above all maintain independence coupled with professional skepticism and adherence to ethical standards. The need of the hour then is to convert vulnerabilities and weaknesses into strengths and threats into opportunities to manage change. Let us accept the challenges of change.

Appendix 1

Overview of different types of risks faced by an Enterprise:

(A) Strategic risks:

  • Strategy and business environment risk
  • Event risk, group risk, legal risk
  • Regulatory risk, competition risk
  • Management risk, organisation risk
  • Human resources management risk
  • Capital inadequacy risk
  • Disaster risk/Force majeure
  • External credit rating

(B) Operational risks: Manufacturing/Service Risks

  • Manufacturing failure
  • Service failure
  • Project management risk
  • Compliance risk
  • Accounting/Taxation risk

Risks in Operations

  • Audit compliance risk
  • Booking error
  • Business process design
  • Customer relationship management
  • Counter party failure
  • Confidentiality risk
  • Distribution channel
  • Documentation risk
  • Execution risk
  • Information communication risk
  • Information security risk
  • Methodology error
  • Model error
  • Money laundering
  • Product complexity
  • Settlement error
  • Security risks
  • Training gaps
  • Volume risks

Risks in Human Resources

  • Fraud
  • Keyman
  • Human error
  • Training gaps
  • Negligence

Risks in Communications

  • Communication interface risk
  • Connectivity failure
  • System customisation risk
  • Telecom failure
  • Third-party/vendor failure for non-IT outsourcing

(C) Market Risks:

  • Commodity risk
  • Country risk
  • Equity position risk
  • Limits risk
  • Price volatility

(D) Credit Risks:

  • Counter party risk
  • Credit appraisal
  • Credit investigation
  • Exposure risk
  • Monitoring gaps
  • Recovery risk
  • Sector downturns
  • Security realisation risk

(E) Finance Risks

Liquidity Risk

  • Funding risk
  • Market conditions
  • Time risk

Interest Rate Risk

  • Basis risk
  • Prepayment risk
  • Re-pricing risk
  • Yield curve risk

Forex Risk

  • FX rate
  • Gap risk
  • Settlement risk

Appendix 2

Continuous Risk Management (CRM)

1. CRM requires formulation of:

  • Develop Risk Management Plan
  • Perform risk assessment during systems analysis sub-process
  • Establish an initial set of risks (simplest technique is brainstorming)
  • RM plan and risk profile evaluated and base-lined in evaluation sub-process.

2. Implementation of CRM plan requires:

  • Implement risk management process defined in the plan
  • Implement risk tracking system
  • Use risk management continuously to control and mitigate risks
  • Use risk assessment to identify and analyse risks.

Banks and Internal Audit

Article

Corporate governance, as we all know, has been under a strong
and critical public spotlight in recent years, in the wake of a succession of
blows to market confidence and integrity, particularly in the United States, but
echoed in India and other countries as well. The community’s expectations of
Boards and senior management, and of those charged with providing an independent
review of a company’s operations and financial accounts, have been raised. To
meet those expectations, governments and regulatory authorities around the globe
have mounted a concerted campaign to improve standards of corporate behavior and
transparency through international harmonisation of accounting standards,
strengthening the principles of corporate governance, lifting the bar on the
‘fitness and propriety’ of directors and managers and introducing improved
market disclosure standards.


In this demanding environment, the Boards and senior
management need quality advice from sources that can be trusted and that can
offer an objective viewpoint. Much of the focus of Sarbanes-Oxley in the United
States and Clause 49 in India has been on the external audit function. Equally,
however, there is a need to ensure that internal audit is organised, resourced
and empowered, so that it can provide competent, impartial and fearless advice.

This article offers a perspective on the role of internal
audit. It then sets out the expectations of internal audit held by regulators at
the national level and how internal audit needs to gear up to meet these
expectations.

My comments are offered in a constructive spirit to encourage
debate within the internal audit profession.

The role of internal audit :

What better starting point for my comments than the
definition of internal audit approved by the Board of Directors of the Institute
of Internal Auditors :

“Internal auditing is an independent, objective assurance
and consulting activity designed to add value and improve an organisation’s
operations. It helps an organisation accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control, and governance processes.”


I remind you of this definition because I want to draw a
distinction between internal audit and risk management. As we see it, the basic
function of internal audit is independent appraisal of an institution’s internal
controls, including controls over financial reporting. Of course, a by-product
of internal audit will be recommendations on internal control and process
improvements that could be made, an important role for internal audit in large
and complex institutions in particular.

Risk management, on the other hand, is about identifying and
assessing inherent risks in the products and activities of an institution, and
ensuring that appropriate risk management limits, control mechanisms and
mitigation strategies are in place to contain risk within the institution’s risk
appetite and capital support. The distinction is that risk management has the
important and continuous responsibility of understanding how actual risk facing
the institution is changing (day by day or month by month) and assessing if the
risk limits, controls or mitigations need updating.

Of course, the institutions need to ensure cooperation
between internal audit and risk management and a clarification of roles, so that
unintended gaps do not emerge.

The expectations of Regulators :

The pivotal role of internal audit in the corporate
governance of institutions is enshrined in international standards for
regulators, though they are high-level in nature.

Taking banking as a case in point, the Core Principles for
Effective Banking Supervision, developed under the auspices of the Basel
Committee on Banking Supervision, specify the principle that banks should have
in place internal controls that are adequate for the nature and scale of the
business. These should include, inter alia, appropriate independent
internal or external audit and compliance functions to test adherence to these
controls as well as applicable laws and regulations.

In assessing adherence to this principle, the Basel
Committee’s ‘essential criteria’ for the internal audit function are that it:

  • has unfettered access to all the bank’s business lines and support
    departments;
  • has appropriate independence, including reporting lines to the Board of
    Directors and status within the bank to ensure that senior management reacts
    to and acts upon its recommendations;
  • has sufficient resources and staff that are suitably trained and have relevant
    experience, to understand and evaluate the business it is auditing; and
  • employs a methodology that identifies the key risks run by the bank and
    allocates its resources accordingly.

The Basel Committee also issued a paper, Internal audit in banks and the supervisor’s relationship with auditors, in August 2001 to provide more detailed guidance to bank supervisors. The paper has wider applicability and I recommend it to those who are not familiar with it. It sets out 20 separate principles for the internal audit function, dealing with such issues as continuity, professional competence, the audit charter and relationships with the external auditor.

My Assessment on Independence of the Internal Audit Function:

Our starting point is determining whether the internal audit function is in-house or outsourced, and whether this arrangement is appropriate. The following crucial benchmarks need to be in place for internal audit teams.

(i) Independence:

The Board of the institution should ensure that the independence of the internal audit function is maintained. This independence may be compromised if the function is directly involved in risk management or operational processes. The internal audit function may provide valuable input to those responsible for risk management, but should not itself have direct risk management responsibilities. In practice, some institutions (particularly small ones) may give internal audit initial responsibility for developing a risk management programme. Where this is the case, institutions should see that responsibility for day-to-day risk management is transferred elsewhere in a timely manner. Where the internal audit function is outsourced there should not be any conflicts of interest – for example, internal audit should not be a source of referral business for the institution.

Some food for thought!

I would like to offer you my thoughts on some key issues:

(i) Establishing the authority of internal audit:

It must be recognised as a core part of governance and not as some form of necessary burden or add-on. Asserting the importance of authority is one thing, earning that authority is another. In the end, it is the professionalism and quality of internal audit work that will show Boards, senior management and regulators that the function does add value. Clearly, the message that internal audit wants to send will not carry weight if it cannot demonstrate that the message is founded on both technical and commercial competence – a balancing of technique and ‘real world’ skills and experience.

(ii) Transparency and independence:

The provision of independent assurance to the audit committee (or Board) is the central tenet of internal audit. The internal audit function should report directly to the audit committee of the Board, and not to management with operational responsibilities. A direct reporting line to the Board has now become international best practice.

In my view, having internal audit answer to management creates real concerns about the independence of the review function. Internal audit must be able to directly inform the audit committee (or the Board) about the adequacy or otherwise of internal controls, including those involving high-level management. Internal audit must know that the board is its master.

(iii) Audit Committees:

The effectiveness of internal audit comes down, ultimately, to the use that the audit committee and Board decide to make of it. These days, diligent and probing Board directors want a strong and active internal audit function to assist them. They rely on internal audit’s knowledge of the risks facing the institution and the control weaknesses, and its recommendations for improvement, to help them discharge their responsibilities.

(iv) Conflict situation:

Regulators can cite too many examples where weak corporate governance has undermined the financial soundness of an institution, whether through unfocussed global expansion, pursuit of growth for growth’s sake, a dominant chief executive officer or a ‘good news’ syndrome. Internal audit should be alert to such signs of weakness and raise them with the audit committee (or Board) as governance, controls or review concerns.

Concluding remarks:
The ever-increasing pressure on institutions to manage their affairs and risks prudently poses considerable challenges for corporate governance structures and for internal audit, a key line of defence in these structures. Every challenge, however, is an opportunity. For internal auditors as a profession, the current environment is an opportunity to cement your presence in corporate India where India is Rising and Shining.

The challenges and opportunities for internal audit in this risk-focussed environment can perhaps be simply summarised as ‘looking at the right things, not just doing things right’.