May 2005 Examinations

Strategy Level





Paper P3 Management Accounting
Risk and Control Strategy




Question Paper 2

Examiners Brief Guide to the Paper 15

Examiners Answers 16





The answers published here have been written by the Examiner and should provide a helpful
guide for both lecturers and students.

Published separately on the CIMA website (www.cimaglobal.com) from the end of September
2005 is a Post Examination Guide for this paper, which provides much valuable and
complementary material including indicative mark information.





2005 The Chartered Institute of Management Accountants. All rights reserved. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical,
photocopying, recorded or otherwise, without the written permission of the publisher.




P3 2 May 2005


Management Accounting Pillar
Strategic Level Paper
P3 Management Accounting
Risk and Control Strategy
26 May 2005 Thursday Morning Session
Instructions to candidates
You are allowed three hours to answer this question paper.
You are allowed 20 minutes reading time before the examination begins
during which you should read the question paper, and if you wish, make
annotations on the question paper. However, you will not be allowed, under
any circumstances, to open the answer book and start writing or use your
calculator during this reading time.
You are strongly advised to carefully read the question requirement before
attempting the question concerned. The question requirements are contained
in a dotted box.
Answer the ONE compulsory question in Section A on pages 2 and 3.
Answer TWO questions only from Section B on pages 4 to 9.
Maths Tables and Formulae are provided on pages 11 to 14. These pages
are detachable for ease of reference.
Write your full examination number, paper number and the examination
subject title in the spaces provided on the front of the examination answer
book. Also write your contact ID and name in the space provided in the right
hand margin and seal to close.
Tick the appropriate boxes on the front of the answer book to indicate which
questions you have answered.

P
3

R
i
s
k

a
n
d

C
o
n
t
r
o
l

S
t
r
a
t
e
g
y



May 2005 3 P3

SECTION A 50 MARKS
[the indicative time for answering this section is 90 minutes]
ANSWER THIS QUESTION


Question One

Company Overview

IDAN is a large banking and financial services group that is listed on both the London Stock
Exchange and the New York Stock Exchange. The group has over 20 million customers
throughout the world and operates in 35 countries on four continents. The IDAN Group is
composed of a mix of retail and commercial businesses that include corporate and investment
banking, private banking and commercial banking.

Trends within the Financial Services Sector

The Board of Directors of IDAN is aware that a number of trends within the sector will require
the bank to substantially re-design a number of its operating and information systems and
review the nature of the interface between the internal audit and risk management functions.
Current issues that are having an impact on the financial services sector include:

A new European Union law requiring banks to provide details of interest paid on
personal savings accounts held by non-residents. A withholding tax of 15% is to be
imposed on such income and details must be sent by the bank to the tax authorities in
the EU country where the recipient resides.

Forecast rises in interest rates over the next two years.

The elimination within the UK of the use of personal signatures as the authorisation
method for credit and debit card transactions and their replacement with personal
identification (PIN) numbers.

The increasing use, by personal customers, of both telephone and internet banking
services. Over 40% of bill payments, standing order amendments and balance
transfers by such customers were processed in this way during the last 12 months
compared with 28% the previous year.

A growth in the number of cases being sent to the financial ombudsman or the financial
industry regulator relating to claims of mis-selling or incorrect advice on the part of
financial services companies in the supply of a range of savings and investment
products.

As a result of threats of terrorist activity, money laundering legislation has been
introduced or tightened in all of the countries in which IDAN has banking operations.

Analysis by Type of Business

(i) Net assets Year Ended
31 December 2004 31 December 2003
m m
Corporate and investment banking 15,824 12,286
Personal financial services 9,250 6,400
Private Banking 2,320 1,755
Commercial banking 11,186 9,364
38,580 29,805




P3 4 May 2005


(ii) Profit on ordinary activities before tax Year Ended
31 December 2004 31 December 2003
m m
Corporate and investment banking 3,416 2,949
Personal financial services 2,427 1,684
Private Banking 116 85
Commercial banking 3,356 3,558
9,315 8,276

(iii) Within the commercial banking portfolio, the allowance for credit losses equalled one per
cent of the assets compared with two and a half per cent in personal financial services and
private banking.

(iv) Profits from Private Banking are viewed as being influenced by a range of factors including
the state of the world economy and sentiment and performance in the equity markets. The
current outlook for the global economy remains uncertain and depressed equity markets are
expected to recover slowly over the coming financial year.


Required:

(a) Discuss the main categories of risk that are faced by a bank such as IDAN and the
advantages of risk categorisation in the design of a risk management system.
(10 marks)

(b) For every one of the six issues identified in the question, recommend the controls
that might be introduced to minimise IDANs exposure to such risks.
(15 marks)

(c) Compare and contrast the roles played by internal audit and risk management in
organisations. Discuss the likely nature of the interaction between these two
activities.
(10 marks)


The performance of the Managing Directors of the four types of business within IDAN is
evaluated on the basis of the profits of their individual businesses. It has now been suggested
by the Board that the strategy of the group, future investment opportunities and the profitability
of each business should be evaluated against a risk-adjusted hurdle rate.


Required:

(d) Critically discuss this suggestion by making reference to the information provided in
the question.
(15 marks)


(Total for Question One = 50 marks)


(Total for Section A = 50 marks)


End of Section A. Section B starts on the next page


May 2005 5 P3

SECTION B 50 MARKS
[the indicative time for answering this section is 90 minutes]
ANSWER TWO QUESTIONS ONLY


Question Two

BJP is an organisation involved in making business-to-business sales of industrial products. BJP
employs a sales team of 40 representatives and assigns each a geographic territory that is quite
large. Sales representatives search for new business and follow up sales leads to win new
business, and maintain contact with the existing customer base.

The sales representatives spend almost all their time travelling to visit clients. The only time
when they are not doing this is on one day each month when they are required to attend their
regional offices for a sales meeting. Sales representatives incur expenses. They have a mobile
telephone, a fully maintained company car and a corporate credit card which can be used to pay
for vehicle expenses, accommodation and meals and the cost of entertaining potential and
existing clients.

The performance appraisal system for each sales representative is based on the number and
value of new clients and existing clients in their territory. All sales representatives are required to
submit a weekly report to their regional managers which gives details of the new and existing
clients that they have visited during that week. The regional managers do not get involved in the
daily routines of sales representatives if they are generating sufficient sales. Consequently,
sales representatives have a large amount of freedom.

The Head Office Finance department, to whom regional managers have a reporting relationship,
analyses the volume and value of business won by sales representatives and collects details of
their expenses which are then reported back monthly to regional managers. At the last meeting
of regional managers, the Head Office Finance department highlighted the increase in sales
representatives expenses as a proportion of sales revenue over the last two years and
instructed regional managers to improve their control over the work representatives carry out
and the expenses they incur.


Required:

(a) Advise regional managers as to the risks facing BJP as a result of the lack of
apparent control over sales representatives and their expenses and recommend
the controls that should be implemented by regional managers to rectify this
situation.
(12 marks)

(b) Explain what an internal control system is, how it relates to the control environment
and its likely costs, benefits and limitations.
(8 marks)

(c) Recommend how analytic review could be used in the internal audit of BJPs sales
representatives expenses.
(5 marks)

(Total for Question Two = 25 marks)








P3 6 May 2005

Question Three

AMF is a market leading, high technology manufacturing organisation producing components for
the computer industry. AMF has adopted a lean approach to all its functions and has already
made a decision to implement a new enterprise resource planning system (ERPS) to support
the management of its customers, suppliers, inventory, capacity planning, production
scheduling, distribution and accounting functions. The Board of AMF is considering the
outsourcing of the design, delivery, implementation and operation of the ERPS to a specialist
contractor that has an excellent reputation within the computer industry. A team would be set up
within AMF to manage the transition.


Required:

Write a formal report to the Board of AMF that:

discusses the advantages and disadvantages of outsourcing the ERPS system as
suggested above;
(5 marks)

identifies the main risks involved in outsourcing the ERPS and suggests how these
risks might be mitigated through internal controls and internal audit;
(10 marks)

recommends the processes and controls that AMF should adopt to manage a project
for successful transition to a chosen outsource supplier should that be the decision
of the Board.
(5 marks)

(Total for Question Three= 25 marks including 5 marks for style, coherence and
presentation of the report)













Section B continues on the next page


May 2005 7 P3

Question Four

AL and Co. is a London-based building contractor, with an annual turnover of almost 15 million.
The company employs 50 people, the majority of whom are skilled tradesmen or apprentices in
the areas of plumbing, electrical work, plastering, carpentry, glazing and hard landscaping. AL
and Co. specialises in renovation work for private clients by offering a fast all service facility
that suits busy professional people seeking to renovate properties either for their own
occupation or for investment purposes. As a result of the property boom, turnover has grown by
over 30% in the last two years.

Day-to-day management of the business is shared by two executive directors, one of whom
manages the financial and legal aspects of the business (Director X), while the other is
responsible for operational activities including work scheduling, agreeing quotes with the sales
staff, and all procurement (Director Y). The two directors have a mutual respect and trust for one
another and therefore do not check or verify each others work.

As a medium sized company, AL and Co. is subject to an annual external audit, but it has no
internal audit function and both its internal control and management accounting systems are
very basic. Management accounting procedures record the costs of materials associated with all
contracts via a job costing system, but other costs are not charged to individual contracts. The
system is thus unable to identify whether any specific contract is profitable, and can only
compute aggregate profit. One consequence of this system is that the company profitability
depends on there being a close match between the actual time taken to complete jobs and the
sales teams estimate of the times required: however, the time variances are neither calculated
nor monitored.

The systems have never been questioned or refined because, to date, an average gross
markup of 25% has always been achieved. This margin has ensured that both directors earn
high salaries which have risen year on year, and there has therefore been little incentive to
improve controls and manage costs.

Two staff are employed to issue written quotes in response to customer enquiries, with prices
being calculated on the basis of estimated labour and material costs plus 25%. The quotes are
reviewed by Director Y before they are sent to customers. All payments are due on completion
of the work.

In drafting the work schedules Director Y has full knowledge of which quotes are accepted by
customers. Additionally, given his role of supervising procurement, he regularly gives
administrative staff the names of new suppliers for inclusion in the accounting system.

Six months ago, Director Y found himself over-committed financially, and devised a way of
diverting company funds from AL and Co. for his own personal use. He began adding 10% to
the figures quoted for all jobs requiring the use of more than three separate services (plastering,
electrical etc), thereby raising the gross markup to 375% in such cases. The intention was to
fraudulently redirect the additional income for his personal use. This was achieved by the
submission to AL and Co., on the completion of a job, of an invoice (for the 10% additional
charge) in the name of a fictitious supplier of small tools and consumables. Director Y would
code the associated costs as variable overhead in the accounting system. The timing of the
invoices could easily be matched to the job completion dates in view of his knowledge of work
schedules, and he set up a separate bank account in the fictitious name to receive these
payments.

You are an accountant in AL and Co. and have been assigned responsibility for liaison with the
external auditors. You find that you are unable to resolve their concerns about the escalation in
variable overhead expenses over the course of the last year, most of which have been charged
to a non-local suppliers account. You are having difficulty clarifying the precise nature of the
expenses incurred because telephone calls to the business number always request that a
message be left but no calls are ever returned. All other aspects of the audit are satisfactory.




P3 8 May 2005


Required:

Write a report for the Directors of AL and Co. that:

Details the inadequacies of the current internal control system within the company
and possible changes that could be made to improve the system;

(10 marks)

Explains why the rise in variable overhead costs is a matter of concern from both an
external audit and an internal control perspective, and thus requires immediate
agreement on a co-ordinated response to investigate the possibility of fraud;

(5 marks)

Briefly explains the limits of the responsibility of external auditors to detect fraud;

(5 marks)

Explains why the company should prepare a fraud response plan, and outlines the
issues to be considered in drafting such a plan.

(5 marks)

(Total for Question Four = 25 marks)














Section B continues on the next page


May 2005 9 P3

Question Five

SDT plc is a UK based manufacturer of a wide range of printed circuit boards (PCBs) that are
used in a variety of electrical products. SDT exports over 90% of its production to assembly
plants owned by large multinational electronics companies all around the world. Two companies
(A and B) require SDT to invoice them in a single currency, regardless of the export destination
of the PCBs. The chosen currencies are the Japanese Yen (Company A) and the US$
(Company B) respectively. The remaining export sales all go to European customers and are
invoiced in Euros.

The variable cost and export price per unit PCB are shown below.

Market Unit variable cost () Unit export sales price
Company A 275 Yen 63250
Company B 480 US$ 102678
Europe 625 Euro 12033

Goods are supplied on 60 day credit terms.

The following receipts for export sales are due in 60 days:

Company A Yen 9,487,500
Company B US$ 82,142
Europe Euro 66,181

The foreign exchange rates to be used by SDT in evaluating its revenue from the export sales
are as follows:

Yen/ US$/ Euro/
Spot market 198987-200787 17620-17826 14603-14813
2 months forward 197667-200032 17550-17775 14504-14784
3 months forward 196028-198432 17440-17677 14410-14721
1 year forward 188158-190992 16950-17311 14076-14426

The Managing Director of SDT believes that the foreign exchange markets are efficient and so
the likelihood that SDT will make foreign exchange gains is the same as the likelihood that it will
make foreign exchange losses. Furthermore, any exchange risk is already diversified across
three currencies, each from countries in very different economic regions of the world. The
Managing Director has therefore recommended that the Treasury Department should not hedge
any foreign exchange risks arising from export sales.





P3 10 May 2005


Required:

(a) Critically comment on the validity of the views and recommendations expressed by
the Managing Director and explain how currency hedging might nevertheless be
beneficial to SDT.
(6 marks)

(b) Calculate the sterling value of the contribution earned from exports to each of the
customers (A, B and Europe) assuming that SDT

(i) hedges the risk in the forward market;
(3 marks)

(ii) does not hedge the risk and the relevant spot exchange rates in two months
time are as follows:

Two month spot
Yen/ 20018-20263
US$/ 17650-17750
Euro/ 14600-14680

(3 marks)

(iii) aims to maximise its contribution to sales ratio, calculate the average
contribution to sales ratio in each of the above scenarios and advise SDT
accordingly on whether to hedge its foreign exchange exposure.

(3 marks)

(Total for requirement (b) = 9 marks)

(c) Comment on why (based on relative risk analysis) a company might seek to
generate higher rates of return from export sales compared to domestic sales.

(6 marks)

(d) If the payment from Company B is received late, briefly explain what risk SDT is
taking in hedging Bs payment in the forward market, and how this risk could be
avoided?
(4 marks)

(Total for Question Five = 25 marks)




(Total for Section B = 50 marks)



End of question paper

Maths Tables and Formulae are on pages 11 to 14


May 2005 11 P3





P3 12 May 2005

PRESENT VALUE TABLE

Present value of $1, that is ( )
n
r

+ 1

where r = interest rate; n = number of periods until
payment or receipt.

Interest rates (r) Periods
(n) 1% 2% 3% 4% 5% 6% 7% 8% 9% 10%
1 0.990 0.980 0.971 0.962 0.952 0.943 0.935 0.926 0.917 0.909
2 0.980 0.961 0.943 0.925 0.907 0.890 0.873 0.857 0.842 0.826
3 0.971 0.942 0.915 0.889 0.864 0.840 0.816 0.794 0.772 0.751
4 0.961 0.924 0.888 0.855 0.823 0.792 0.763 0.735 0.708 0.683
5 0.951 0.906 0.863 0.822 0.784 0.747 0.713 0.681 0.650 0.621
6 0.942 0.888 0.837 0.790 0.746 0705 0.666 0.630 0.596 0.564
7 0.933 0.871 0.813 0.760 0.711 0.665 0.623 0.583 0.547 0.513
8 0.923 0.853 0.789 0.731 0.677 0.627 0.582 0.540 0.502 0.467
9 0.914 0.837 0.766 0.703 0.645 0.592 0.544 0.500 0.460 0.424
10 0.905 0.820 0.744 0.676 0.614 0.558 0.508 0.463 0.422 0.386
11 0.896 0.804 0.722 0.650 0.585 0.527 0.475 0.429 0.388 0.350
12 0.887 0.788 0.701 0.625 0.557 0.497 0.444 0.397 0.356 0.319
13 0.879 0.773 0.681 0.601 0.530 0.469 0.415 0.368 0.326 0.290
14 0.870 0.758 0.661 0.577 0.505 0.442 0.388 0.340 0.299 0.263
15 0.861 0.743 0.642 0.555 0.481 0.417 0.362 0.315 0.275 0.239
16 0.853 0.728 0.623 0.534 0.458 0.394 0.339 0.292 0.252 0.218
17 0.844 0.714 0.605 0.513 0.436 0.371 0.317 0.270 0.231 0.198
18 0.836 0.700 0.587 0.494 0.416 0.350 0.296 0.250 0.212 0.180
19 0.828 0.686 0.570 0.475 0.396 0.331 0.277 0.232 0.194 0.164
20 0.820 0.673 0.554 0.456 0.377 0.312 0.258 0.215 0.178 0.149

Interest rates (r) Periods
(n) 11% 12% 13% 14% 15% 16% 17% 18% 19% 20%
1 0.901 0.893 0.885 0.877 0.870 0.862 0.855 0.847 0.840 0.833
2 0.812 0.797 0.783 0.769 0.756 0.743 0.731 0.718 0.706 0.694
3 0.731 0.712 0.693 0.675 0.658 0.641 0.624 0.609 0.593 0.579
4 0.659 0.636 0.613 0.592 0.572 0.552 0.534 0.516 0.499 0.482
5 0.593 0.567 0.543 0.519 0.497 0.476 0.456 0.437 0.419 0.402
6 0.535 0.507 0.480 0.456 0.432 0.410 0.390 0.370 0.352 0.335
7 0.482 0.452 0.425 0.400 0.376 0.354 0.333 0.314 0.296 0.279
8 0.434 0.404 0.376 0.351 0.327 0.305 0.285 0.266 0.249 0.233
9 0.391 0.361 0.333 0.308 0.284 0.263 0.243 0.225 0.209 0.194
10 0.352 0.322 0.295 0.270 0.247 0.227 0.208 0.191 0.176 0.162
11 0.317 0.287 0.261 0.237 0.215 0.195 0.178 0.162 0.148 0.135
12 0.286 0.257 0.231 0.208 0.187 0.168 0.152 0.137 0.124 0.112
13 0.258 0.229 0.204 0.182 0.163 0.145 0.130 0.116 0.104 0.093
14 0.232 0.205 0.181 0.160 0.141 0.125 0.111 0.099 0.088 0.078
15 0.209 0.183 0.160 0.140 0.123 0.108 0.095 0.084 0.079 0.065
16 0.188 0.163 0.141 0.123 0.107 0.093 0.081 0.071 0.062 0.054
17 0.170 0.146 0.125 0.108 0.093 0.080 0.069 0.060 0.052 0.045
18 0.153 0.130 0.111 0.095 0.081 0.069 0.059 0.051 0.044 0.038
19 0.138 0.116 0.098 0.083 0.070 0.060 0.051 0.043 0.037 0.031
20 0.124 0.104 0.087 0.073 0.061 0.051 0.043 0.037 0.031 0.026



May 2005 13 P3

Cumulative present value of $1 per annum, Receivable or Payable at the end of each year for n
years
r
r
n
+ ) (1 1


Interest rates (r) Periods
(n) 1% 2% 3% 4% 5% 6% 7% 8% 9% 10%
1 0.990 0.980 0.971 0.962 0.952 0.943 0.935 0.926 0.917 0.909
2 1.970 1.942 1.913 1.886 1.859 1.833 1.808 1.783 1.759 1.736
3 2.941 2.884 2.829 2.775 2.723 2.673 2.624 2.577 2.531 2.487
4 3.902 3.808 3.717 3.630 3.546 3.465 3.387 3.312 3.240 3.170
5 4.853 4.713 4.580 4.452 4.329 4.212 4.100 3.993 3.890 3.791
6 5.795 5.601 5.417 5.242 5.076 4.917 4.767 4.623 4.486 4.355
7 6.728 6.472 6.230 6.002 5.786 5.582 5.389 5.206 5.033 4.868
8 7.652 7.325 7.020 6.733 6.463 6.210 5.971 5.747 5.535 5.335
9 8.566 8.162 7.786 7.435 7.108 6.802 6.515 6.247 5.995 5.759
10 9.471 8.983 8.530 8.111 7.722 7.360 7.024 6.710 6.418 6.145
11 10.368 9.787 9.253 8.760 8.306 7.887 7.499 7.139 6.805 6.495
12 11.255 10.575 9.954 9.385 8.863 8.384 7.943 7.536 7.161 6.814
13 12.134 11.348 10.635 9.986 9.394 8.853 8.358 7.904 7.487 7.103
14 13.004 12.106 11.296 10.563 9.899 9.295 8.745 8.244 7.786 7.367
15 13.865 12.849 11.938 11.118 10.380 9.712 9.108 8.559 8.061 7.606
16 14.718 13.578 12.561 11.652 10.838 10.106 9.447 8.851 8.313 7.824
17 15.562 14.292 13.166 12.166 11.274 10.477 9.763 9.122 8.544 8.022
18 16.398 14.992 13.754 12.659 11.690 10.828 10.059 9.372 8.756 8.201
19 17.226 15.679 14.324 13.134 12.085 11.158 10.336 9.604 8.950 8.365
20 18.046 16.351 14.878 13.590 12.462 11.470 10.594 9.818 9.129 8.514

Interest rates (r) Periods
(n) 11% 12% 13% 14% 15% 16% 17% 18% 19% 20%
1 0.901 0.893 0.885 0.877 0.870 0.862 0.855 0.847 0.840 0.833
2 1.713 1.690 1.668 1.647 1.626 1.605 1.585 1.566 1.547 1.528
3 2.444 2.402 2.361 2.322 2.283 2.246 2.210 2.174 2.140 2.106
4 3.102 3.037 2.974 2.914 2.855 2.798 2.743 2.690 2.639 2.589
5 3.696 3.605 3.517 3.433 3.352 3.274 3.199 3.127 3.058 2.991
6 4.231 4.111 3.998 3.889 3.784 3.685 3.589 3.498 3.410 3.326
7 4.712 4.564 4.423 4.288 4.160 4.039 3.922 3.812 3.706 3.605
8 5.146 4.968 4.799 4.639 4.487 4.344 4.207 4.078 3.954 3.837
9 5.537 5.328 5.132 4.946 4.772 4.607 4.451 4.303 4.163 4.031
10 5.889 5.650 5.426 5.216 5.019 4.833 4.659 4.494 4.339 4.192
11 6.207 5.938 5.687 5.453 5.234 5.029 4.836 4.656 4.486 4.327
12 6.492 6.194 5.918 5.660 5.421 5.197 4.988 7.793 4.611 4.439
13 6.750 6.424 6.122 5.842 5.583 5.342 5.118 4.910 4.715 4.533
14 6.982 6.628 6.302 6.002 5.724 5.468 5.229 5.008 4.802 4.611
15 7.191 6.811 6.462 6.142 5.847 5.575 5.324 5.092 4.876 4.675
16 7.379 6.974 6.604 6.265 5.954 5.668 5.405 5.162 4.938 4.730
17 7.549 7.120 6.729 6.373 6.047 5.749 5.475 5.222 4.990 4.775
18 7.702 7.250 6.840 6.467 6.128 5.818 5.534 5.273 5.033 4.812
19 7.839 7.366 6.938 6.550 6.198 5.877 5.584 5.316 5.070 4.843
20 7.963 7.469 7.025 6.623 6.259 5.929 5.628 5.353 5.101 4.870





P3 14 May 2005

Formulae

Annuity
Present value of an annuity of 1 per annum receivable or payable for n years, commencing in
one year, discounted at r% per annum:

PV =

n
r
r
] 1 [
1
1
1


Perpetuity
Present value of 1 per annum, payable or receivable in perpetuity, commencing in one year,
discounted at r% per annum:
PV =
r
1


Growing Perpetuity
Present value of 1 per annum, receivable or payable, commencing in one year, growing in
perpetuity at a constant rate of g% per annum, discounted at r% per annum:
PV =
g r
1






May 2005 15 P3


The Examiners for Management Accounting Risk and Control Strategy offer to
future candidates and to tutors using this booklet for study purposes, the
following background and guidance on the questions included in this
examination paper.
Section A Question One Compulsory
Question One is designed to test the candidates ability to categorise risk, recommend
appropriate controls in relation to such risks, recognise the function of internal audit and risk
management and how hurdle rates may be used in the risk-return trade-off. The syllabus topics
being tested are mainly B (Risk and Internal Control), C (ii, internal audit) and D (Financial Risk).
The question meets the learning outcomes by providing a case study in the financial services
industry which identifies trends and performance data. Candidates are expected to apply their
understanding of risk management, internal control and internal audit to a financial services
case.
Section B answer two of four questions
Question Two is designed to test the candidates ability to make recommendations in relation to
internal controls, understand the costs and benefits of internal control and show how analytic
review can be used in internal audit. The syllabus topics being tested are mainly C (Review and
Audit of Control Systems) and B (Internal Control Systems). The question meets the learning
outcomes by providing a scenario of an organisation that appears to have little control over
sales representative expenses. Candidates are expected to apply their understanding of risks,
internal controls and internal audit to the scenario.

Question Three is designed to test the candidates ability in relation to risk in information
systems in general and outsourcing of IT in particular and show how internal controls and
internal audit can mitigate the risk. The syllabus topics being tested are mainly E (Risk and
Control in Information Systems). The question meets the learning outcomes by providing a
scenario in which an ERPS system is to be outsourced. Candidates are expected to apply their
understanding of IT systems, risk and control and to write a report identifying the advantages
and disadvantages of outsourcing, evaluating the main risks and recommending appropriate
controls.

Question Four seeks to test the candidates ability to identify shortcomings in internal controls
systems, and the parties responsible for fraud management and detection. By placing the
question in the context of a small sized business, the need for fraud control across all types and
sizes of business is emphasised. The syllabus topics being tested range across both B (Risk
and Internal Control) and C (Review and Audit of Control Systems). Candidates are expected to
recognize that control of directors is central to fraud management and to identify mechanisms
for improving internal controls, as well as understand the limited role of the external auditors in
relation to fraud detection. The design of a fraud response plan forms the final part of the
question.

Question Five tests the candidates understanding of the management of financial risk.
(syllabus section D) and specifically currency risk. A little over one third of the marks go for
computational exercises, with the remaining marks allocated for critical commentary on various
issues related to foreign exchange risk. Candidates are expected to understand the pros and
cons of currency hedging and be able to interpret spot and forward rate data to estimate
revenue flows. Understanding of the limitations of forward contracts is also tested. Additionally,
candidates are asked to comment upon the relative risk:return requirements for domestic versus
overseas sales.






P3 16 May 2005




The Examiner's Answers for Management
Accounting Risk and Control Strategy

The answers that follow are fuller and more comprehensive than would have been
expected from a well-prepared candidate. They have been written in this way to aid
teaching, study and revision for tutors and candidates alike.

SECTION A


Answer to Question One

Requirement (a)

There is no universally accepted system for risk categorisation; a range of schemes are
promoted by management consulting firms, but in many cases a company chooses to devise its
own set of categories that reflect the individual needs of the business. Nonetheless, it is
possible to identify a number of key types of risk that are likely to be faced by a bank such as
IDAN.

The number of categories may vary according to the type of business undertaken by the bank,
but for a large multinational institution such as IDAN there may be considered to be six risk
categories. These are:

Credit risk
Market risk
Operational risk
Reputation risk
Compliance risk
Business risk

Most of these categories will also incorporate a number of sub categories, but for control
purposes it is often helpful to limit the number of categories to ensure clear lines of management
responsibility.

Credit, or default risk arises because a borrower may be unable to make timely interest and/or
capital repayments on a loan. IDAN has a mix of loans granted to both commercial and
individual customers in a wide range of locations around the world. The loans will be a mix of
secured and unsecured, so clearly the credit risk on unsecured loans is likely to be higher. If a
borrower cannot make payments when required under the loan contract, or defaults entirely on
the loan, this impacts on both the banks capital and its income.

Market risks are those risks that may affect a banks earnings or capital because of changes in
market prices. IDAN may, for example, engage in equities trading and if the price of any equity
assets fall, then the bank may incur losses, or see its targeted earnings reduced. One of the
most common areas of trading for a bank is in the derivatives markets, where prices can be
extremely volatile. Systems need to be devised to measure and monitor a banks exposure to
loss from such volatility, and the most commonly used models are based on the computation of
a Value at Risk (VaR).



May 2005 17 P3

Operational risk is often viewed as a catch all category, but it is intended to acknowledge that
the transaction systems, IT systems, staff behaviour and customer relations may all lead to
changes in income and threaten profits. For example, some years ago a major UK bank got into
trouble because it failed to process the mortgage payments of a large number of its customers
on the correct day of the month. Some of the customers incurred additional costs as a result,
and the bank was forced to publicly apologise and reimburse them for these costs. Clearly such
operational errors need to be minimised or eliminated via the establishment of good systems,
but they can also create another form of risk that is referred to as reputation risk.

Reputation risk arises when an institution receives unfavourable press coverage, or adverse
public opinion. For example, if a bank was rebuked by the advertising standards authority for
misleading advertising, then this bad publicity could lead to a loss of customers. Additionally, the
bank may find it even more difficult to recruit new custom. In order to protect themselves against
such risks, many banks engage in community projects such as sponsoring youth sports events
in an attempt to positively boost their public reputation.

Compliance risk is of major importance to banks, as they are required by law to conform with a
wide range of legal requirements and banking regulations. IDAN operates in 35 countries, each
of which may have slight differences in its regulatory requirements, and in addition the bank will
have to meet the demands of international regulating bodies such as the Bank For International
Settlements and the Basel Committee. An institution found to be in breach of regulatory
requirements may face the risk of a wide range of penalties including loss of the right to trade in
certain areas, heavy financial penalties, and a massive drop in public reputation.

Business risk arises because income may be threatened as a result of changes in the economic,
political or competitive environment. One example of this is the way in which the growth in sales
of financial products by supermarkets and general retailers has served to divert business away
from the traditional banks that have not got a share in these markets. Many customers may
prefer to arrange a personal loan via the internet site of their favourite supermarket, rather than
face an interview in a traditional bank setting. As the trading environment changes, new
business risks continually arise.

In order to establish a risk management system, the first thing that any company must do is
identify all of the factors that may threaten either the income stream or the value of its capital. In
practice, of course, the list is potentially endless, and so possible risks are grouped into
categories that may then be managed in common by the use of similar control systems.
Depending on the size of the company, the risk management function may comprise of a single
individual or a whole department in which different people take specific responsibility for a
particular risk type. There are several advantages arising from risk categorisation.

The first of these is that the identification of risks needs to begin at a very senior level. The
Board of Directors, in drafting a list of types of risk that need to be managed, converts what was
previously an ad hoc process into one which is more formal. Companies have always tried in
one way or another to manage their risks, but by adopting an ad hoc approach the style of
management is reactionary. Risk categorisation forces managers to be more pro-active in their
attitude to risk management.

The second big advantage is that once a risk has been identified, it becomes possible to think of
tools that may be used to control and measure it. The discipline of risk management has
developed substantially over the last decade, and risk categorisation helps managers to identify
how they can deploy lessons from the discipline.

The third advantage of risk categorisation is that it provides a framework that can be used for
the definition of lines of responsibility, design of an internal control system, and clarification of
groupings for the purposes of both internal and external risk reporting. The tightening of
corporate governance regulations means that companies need to demonstrate effective internal
control and reporting systems.

The development of a good risk management system would be extremely difficult to realise
without the completion of the initial step of grouping risks into categories. A systematic approach




P3 18 May 2005

to risk categorisation may help companies identify other related risks generally accepted to be in
each category. Categorisation can help the recognition of the extent to which individual
component risks within a category may be inter-related and likely to interact.

Requirement (b)

New EU Law
The risk that is faced here falls into the category of compliance risk. If the bank fails to keep
correct records of interest paid to non-residents, deduct the correct amount in withholding tax
and notify the appropriate overseas tax authorities then it may be subject to legal action and/or
financial penalties. Under such circumstances its reputation may also suffer damage.

The controls that are required to be put into place are operational in nature. A separate
database of overseas accounts needs to be created, and grouped into accounts according to
the relevant fiscal authority. Sample testing of the accuracy of the database also needs to take
place, and an updating schedule determined. An automated deduction system then needs to be
created that will ensure that any interest payments into such accounts are paid net of the
withholding tax, and a software programme written to compute the total liabilities due to each
individual tax authority. The internal audit department should be notified of the changes
introduced, so that an audit of the changeover and the new controls can be undertaken. A legal
review could also be carried out to ensure that contractual arrangements with depositors comply
with legal requirements.

Forecast Rises in Interest Rates
Interest rate movements represent a form of market risk, because the rate of interest represents
a change in the price of money. Interest rate exposure may come from either trading activities
or from traditional banking activities; in the latter case the interest rate risk is commonly
described as structural. The forecast rises may have an effect on both sides of IDANs balance
sheet, as well as affecting its credit risk exposure and possibly its business risk.

A key component in limiting risk exposure is the definition of the banks appetite for interest rate
exposure/risk. This is often the responsibility of the banks assets and liabilities committee
(ALCO). A range of financial instruments may be used by both the Treasury department and
ALCO to manage the risk, with the type of instrument varying by geographic location. For
example, to avoid the risk of unanticipated rises, an interest rate cap may be purchased.

The controls that need to be introduced under such circumstances will primarily involve
adjustments to the interest rate sensitivity tables, currency by currency. It is safest to assume
that not all interest rates will move together, and so interest rate risk is grouped on the basis of
currencies where rates are likely to move in unison. The forecast interest rate change is likely to
only affect a limited number of countries and so may not have a massive effect on the banks
overall interest rate exposure. Systems should already be in place to facilitate the computation
of the income effect created by each 10 basis point rise in interest rate according to the currency
group in question, and this will yield a revised figure for interest rate sensitivity across the bank
as a whole. This figure should be reported internally, and checked to ensure that it is within the
defined risk appetite.

Elimination of the use of signatures for debit/credit card authorisation
This change is likely to reduce the banks long term exposure to the risk of losses through fraud.
For credit card transactions this affects the credit risk category, but for debit card transactions it
is an operational risk that is reduced. In the short term, however, whilst the new systems are
introduced and customers have to be sent details of the PIN numbers required for
authorisations, there is a temporary increase in operational risk.

Systems need to be put in place to ensure that all relevant customers are notified of the
intended changes, and a facility established to ensure that they can obtain the necessary PIN
number. For banks such as IDAN that operate telephone and internet banking, the web site will
need updating to include new information for customers and call centre staff trained as
necessary. No assumptions can be made about the way in which a customer will become
informed multiple information channels will need to be established. If they are not, then


May 2005 19 P3

reputation risk may be increased. A detailed schedule will need to be drafted and adhered to,
that ensures that all information goes out in time to the customers. Reputation could be
destroyed if IDANs customers found they could not use their cards for purchases on the day of
the changeover. Estimates of the impact on card fraud will need to be made, and new targets
defined under the new authorisation system. Internal audit will then need to be informed of the
revised targets, and a pre- implementation audit undertaken to ensure that everything is in place
and ready for the change.

Contingency plans should be in place to accommodate systems failure (hardware or software)
and to provide business continuity. This should include, but not be limited to, off-site back-up of
data, alternative hardware and network facilities, etc.

Increased use of internet and telephone banking
The figures show that the popularity of both types of banking is increasing, and so there will be
increasing pressure being placed on the operating systems that support them. This pressure will
result in a rise in operational risks. In the case of telephone banking, the level of call monitoring
may need to be increased for a short time, or the centre subjected to a general internal audit.
This would reveal the extent to which customers are kept waiting (compared to target times) and
the speed and accuracy of the subsequent transaction processing. Operational speed and
accuracy could possibly be reduced via increased staff training or changes in working methods.
In addition, if call levels are increasing a security audit of the telephone system may be required
to ensure that there is zero risk of interception.

In the case of internet banking, the operational risk here arises primarily in the website design.
Absolute security must be guaranteed and if new staff are recruited then care must be taken to
ensure that personal security checks are not missed in the rush to expand the business.

There is also a potential business risk if the bank fails to respond to changes in customer
preferences which leads to an inability to compete effectively and thereby causing the bank to
lose market share.

Growth in the number of cases of mis-selling
This represents a compliance risk. In the UK the FSA, the law, and the banking authorities lay
down very strict rules regarding the type of information that must be provided to customers when
they are being sold financial services. IDAN can do very little about any past mistakes that have
been made but it can work to minimise the risk of future errors. This means that all promotional
material for new products, such as contracts of sale, loan contracts and all other documentation
must be subjected to rigorous checks to ensure compliance. Ideally, all such material should be
required to pass a compliance check as part of the authorisation process, before a new product
can be launched onto the market. Similarly, staff training must be extremely rigorous, to ensure
full understanding of what they can/cannot promise their potential customers. Additional controls
may be put in place via a review of staff remuneration schemes to ensure they do not
encourage active over selling.

Money Laundering
This is a compliance risk that may arise out of ineffective control of operating systems. The law
in the UK now requires that banks obtain original documentation from new customers wishing to
open an account, and certain existing account holders wishing to open a new form of account.
Good staff training needs to be put in place to ensure that all documentation is double checked
and records kept of the verification. In addition, because money laundering may involve regular
transactions both within and across national boundaries, a system needs to be implemented to
track unusual transactions on accounts that are above a specified value. The value limit for
personal accounts will be set much lower than for business accounts. The tracking process
should include follow up monitoring of any identified accounts, including follow up interviews
with customers where deemed necessary, and an automated system for notifying the police of
relevant details. In all such cases, however, compliance with data protection legislation must
also be ensured.







P3 20 May 2005

Requirement (c)

Internal audit is concerned with using staff who work within an organisation to audit and verify
the control systems within any given section of the organisation. The audit staff work
independently of all other departments and are employed to give an objective assessment of the
efficiency of the control systems, bearing in mind the type of checks that will be undertaken by
the external auditors as well.

For example, control systems will be in place to ensure that all expenditure is authorised. If the
controls are in place then an order for a personal computer, for example, can be tracked through
in terms of who placed the order, who authorised it and when, the date of and signature that
delivery is accepted and payment of the associated invoice. If any of the documentation is
missing the audit trail is incomplete and the system is thus open to potential abuse/fraud. It is
the job of internal audit to ensure that all such control systems are working effectively across all
sections of an organisation. Many but by no means all, of the controls will be related to financial
transactions. For example, if legislation requires a customer to be given copies of contract
documentation, then internal audit will undertake random checks to ensure that the controls that
initiate the distribution of such documents are working effectively.

The roles undertaken by internal audit and risk management will vary from one organisation to
another but there may be considerable overlap. The work undertaken by internal audit and risk
management will both be considered by external auditors. While internal audit will normally
report direct to the audit committee, risk management may report to the audit committee or to a
separately constituted risk committee of the board.

Traditionally, many internal audit departments have operated on a cyclical basis, resulting in
every section of an organisation being subject to audit every 1 5 years on the basis of
compliance. In such situations the audit plan was drawn up simply on the basis of the audits that
had fallen due. An alternative framework for devising an audit programme is on the basis of risk
assessment, with more risky areas being subjected to more frequent audit. In such a situation it
is business risks that determine where the internal auditors should be working, rather than a pre-
determined timetable, and the risk priorities may shift over time. A study by Selim and McNamee
found that in almost half of the firms surveyed, the Chief Internal Auditor reviewed the audit plan
on a quarterly basis and revised it according to the current assessment of business risks and
management concerns.

The risk management section in an institution performs a related, but not identical function to
that of internal audit. In essence risk management is concerned with ensuring that adequate
processes are in place to ensure that the risks to which a company may be exposed, are kept
within agreed boundaries. Risk management therefore encompasses a number of tasks
including:

Advising the Board of Directors on how to define an institutions risk appetite and the
required policies and processes necessary to fulfil that objective.
Designing and maintaining a range of risk management processes including risk
measurement systems
Monitoring risk performance against the target levels.
Nurturing a risk conscious culture within an organisation

One important aspect of the relationship between internal audit and risk management is that risk
management will itself be subject to internal audit. In other words, the way in which the risk
management department operates in terms of identifying, measuring and monitoring defined
risks will be subject to review. For example, a section of a banks branch network might be the
subject of an internal audit, in the course of which it is discovered that personal loan customers
are not being informed of their legal rights under consumer credit legislation. Such a situation is
unlikely, but possible, and it would mean that the operational risk control systems were not
sufficiently robust. The risk management department would be informed, and called upon to
redesign the control system to eradicate/minimise future risks. If a large number of such faults
were identified then a major internal audit of the risk management department would be
instigated. In a bank such as IDAN, therefore, the twin functions of risk management and


May 2005 21 P3

internal audit work closely together to ensure that risk levels do not exceed the banks risk
appetite, and that good monitoring systems are in place to ensure that risk exposures are
reported in a timely and appropriate manner.
Requirement (d)
The data divides assets and profit according to four key lines of business. In 2004, corporate
and investment banking absorbs the greatest proportion of assets (41%), closely followed by
commercial banking (29%) with private banking being the least important. In terms of profits
earned in 2004, the contribution from commercial banking is almost equivalent to that from
corporate and investment banking (3603% versus 3667%), indicating that the return on assets
in commercial banking is higher. The return on net assets (RONA) for each of the business
categories is as follows:

2004 2003
Corporate and investment banking 2159% 2400%
Personal financial services 2624% 2631%
Private banking 500% 484%
Commercial banking 3000% 3800%

The RONA table above indicates quite wide variations in the returns earned across the different
lines of business, and the allocation of assets across the different areas needs to take this into
account. At the same time, however, consideration needs to be given to the fact that additional
earnings may require the business to take on additional risk.

Alternative methods by which evaluation of the profit performance of individual businesses could
be carried out include absolute profits, comparison with prior year, comparison with budget, EVA
or residual income calculation after deducting the cost of capital, etc.

Both the returns and the assets invested in private banking are very small, and so it is not an
area that the bank needs to worry unduly about. More important is that fact that the RONA in all
of the other three categories has fallen between the two years, and quite dramatically in the
case of commercial banking. In deciding how to allocate assets across the different areas of
business the bank therefore needs to take account of both the potential returns and the
associated levels of risk in order to determine a risk adjusted required rate of return. In this way,
any extra risks are rewarded by higher profitability and shareholders can see that there is a clear
risk -return relationship.

The allowances for credit losses may be used as a proxy for risk, but the question provides very
limited detail, other than the fact that commercial loans appear to be lower risk than personal
loans. If, for example, all personal loans were made via the personal financial services division,
this would imply that private banking carried a zero default risk. Under such circumstances, if the
weighted average required return across the group as a whole is set as, say, 22%, but private
banking carries zero credit risk, then the rate of return required on assets here may be very low.
Consequently, the 5% shown in the RONA table above may be quite acceptable in these
circumstances and virtually guaranteed. Commercial banking earns better returns than personal
financial services, but it appears from note (iii) to be less risky. This would suggest that assets
should be diverted into that line of business because it can earn returns in excess of the
required risk adjusted level.

In order to use this system for asset allocation, the bank must have a clear idea of the relative
risks of each different business line. It must also know the minimum investment required in order
to maintain its market position in each area. Beyond that, investment in additional assets is
discretionary and will reflect the banks willingness to take risks in order to generate returns, and
the compensation that is required in return for the additional risk. The use of a risk adjusted
return system to determine asset allocations is very similar to the concept of residual income as
a divisional performance measure, and is intended to maximise the efficient use of capital, which
is regarded as a scarce resource. In principle, therefore, the use of such a system should serve
to increase shareholder value.






P3 22 May 2005

Private banking is not creating value and future prospects do not look favourable, although in
many organisations one or more business units may be accepted as more valuable than they
appear to be on the basis of RONA. They may be loss leaders necessary as part of the
organisations overall competitive strategy. For example, private banking may lead to more
lucrative commercial banking business.




May 2005 23 P3

SECTION B


Answer to Question Two

Requirement (a)

The risks facing BJP can be considered in two areas: first, the lack of control over the activities
of sales representatives that may result in them not spending their time efficiently and effectively
on business activities; and second, the incurrence of costs that are unauthorised or
unnecessary. The first results in paying salaries for representatives but obtaining inadequate or
inappropriate efforts from them. This has both a financial and an opportunity cost. The second
results in excessive financial costs. Both are largely a problem of agency in which there is
information asymmetry between the sales representative and regional manager. There is also
an issue of moral hazard in which there is the potential for shirking behaviour.

Risks may be classified either as business risks where value for money is not obtained (i.e.
waste) or fraud risk in which there is a deliberate attempt to use business time and/or expenses
for non-business purposes. These risks are particularly important where there are staff working
without direct supervision and where regional management is remote from staff and from Head
Office.

Risk management practices involve assessing the likelihood and consequences of risk and
putting in place appropriate management. Prior to the approach by Finance to regional
managers, there appears to have been no assessment, reporting or mitigation of risk in BJP.

The controls that should be introduced should include an appropriate mix of financial controls,
non-financial quantitative controls, and non-financial qualitative controls

In relation to sales activities:
Contract of employment and policies covering expectations of sales representative
performance e.g. planning calls to minimise mileage and accommodation, number of calls
expected per day, etc.
Setting targets for the number of sales calls and volume and value of business generated
by each representative;
Setting of appropriate bonus schemes to ensure that incremental effort is rewarded and
that bonuses are not paid on business that would be generated in any event;
Monitoring of sales call reports by regional manager to ensure workload is adequate;
Confirming with customers that visits have taken place and customer is satisfied with the
quality of the visit;
Determining success rates by representatives in turning prospects into customers;
Monitoring comparative performance between individual representatives.

In relation to expenses:
Expense policies to specify what costs can be incurred and charged to the business and
which constitute private expenditure, e.g. use of mobile phone for private calls, private
use of motor vehicle;
Procedures for negotiating with hotel chains, petrol stations and similar suppliers to obtain
quantity and loyalty discounts;
Setting of a budget for expenses, possibly as a percentage of sales revenue;
Setting limits for individual items of expenditure;
Monthly expense reporting for each representative showing the cost incurred and the
reason for its incurrence, including the customer/prospective customer the expense was
incurred in relation to;
The company should strive to pay, wherever possible, for expenses directly via invoicing
or corporate credit card rather than reimbursing expenses to representatives.




P3 24 May 2005

Monitoring of expenses by regional manager and pre-authorisation of expenses over
agreed limits;
Reduction of bonuses by a factor reflecting the level of representative expenses incurred;
Comparison of budget and actual expenditure and investigation of material variances;
Monitoring of vehicle mileage, maintenance, insurance claims, parking and speeding
penalties and mileage rates by representative to identify higher than expected use or
careless driving;
Monitoring of comparative expenditure by individual representatives;
Representative expenses should be subject to internal audit.

All expenses must be documented, authorised, necessary for business purposes, and not
private expenditure which the employee seeks to have paid for by the organisation.
Organisations need to establish policies and procedures to recover business expenditure used
for private purposes, e.g. private mileage, use of business telephones for personal calls, etc.

Generally:
Effective recruitment including checking of prior references;
Performance appraisal covering both sales activities and results and expenses;
Appropriate training programmes to ensure effective sales techniques;
Awareness, and influencing, of the informal socialisation processes in the organisation,
especially where the culture of sales representatives may encourage behaviour not
consistent with policies;
Disciplinary process and appropriate rewards and sanctions to support other processes.

Requirement (b)

Internal control system and the control environment
Internal control is the whole system of financial and other internal controls established in order
to: provide reasonable assurance of effective and efficient operation; internal financial control;
and compliance with laws and regulations. While the internal control system includes all the
policies and procedures, the control environment is the overall attitude, awareness and actions
of directors and management regarding internal controls and their importance to the
organisation and encompassing management style, corporate culture and values.

A system of internal control will reflect its control environment and include: control activities;
information and communication processes; and processes for monitoring the effectiveness of
the internal control system. The system of internal control should be embedded in the operations
of the company and form part of its culture; be capable of responding quickly to evolving risks;
and include procedures for reporting immediately to appropriate levels of management any
significant control failings or weaknesses.

Costs, benefits & limitations
The costs of internal control will comprise the time of regional managers and any opportunity
costs resulting from this plus costs associated with introducing and operating new systems and
reports. However, it is difficult to differentiate between internal controls and policies and
procedures that are simply good business practice, e.g. human resource practices and
accounting procedures. A cost of internal control may be restrictions on the flexibility, creativity
and responsiveness of the organisation.

The benefits of internal control may be difficult to identify but can be largely considered to be an
improvement in the efficiency and effectiveness by which sales representatives use their time to
win business, and the improved management of costs associated with their activities. These are
largely concerned with eliminating both waste and fraud. Losses incurred from ineffective
internal control can be estimated based on their level compared to targets or by benchmarking
representatives against each other or by observing the trend over time. To the extent that
effective internal control provides assurance to external auditors it can be used in negotiations
to reduce the external audit fee.



May 2005 25 P3

A system of internal control cannot eliminate: poor judgement in decision-making; human error;
the deliberate circumvention of control processes (especially where collusion occurs); the over-
riding of, or lack of emphasis on, controls by senior management; and unforeseeable
circumstances.

Requirement (c)

Analytic review involves the examination of ratios, trends and changes, between periods, to
obtain a broad understanding of financial position and the results of operations. It can help to
identify any items requiring further investigation. It is an important audit technique used to
identify errors, fraud, inefficiency and inconsistency. Its purpose is to understand what has
happened in a system, to compare this with a standard and to identify weaknesses in practice or
unusual situations that may require further examination.

Appropriate analytic review techniques for BJP may include:

Ratio analysis of sales expenses to sales revenue with comparisons over time and
between regions and sales representatives. Benchmarking data may be available from
other sources or internally developed from identified best practice;
Review, by sales representative, the proportions of new and existing business generated;
Compare data, by representative, on the loss of customers.


Answer to Question Three

Report to Board of Directors

Introduction: Context and Purpose of the Report
AMF has already decided to implement an enterprise resource planning (ERP) system. ERP
systems take a whole-of-business approach by capturing transaction data for accounting
purposes, operational data, and customer and supplier data which are then made available
through a data warehouse against which custom-designed reports can be produced. ERP
system data can be used to update performance measures in a Balanced Scorecard system
and can be used for activity-based costing, shareholder analysis, strategic planning, customer
relationship management and supply chain management.

Outsourcing enables organisations to concentrate on their core activities while subcontracting
support activities to those organisations which are specialists. Services are provided to an
agreed level of service, at an agreed cost and for an agreed period of time.

AMFs decision as to whether or not to outsource should be within the context of its information
systems (IS), information technology (IT) and information management (IM) strategies. IS
strategies are focused on the business unit, enabling it to satisfy internal and external customer
demand. IT strategies are supply oriented, focusing on business activities and the technology
needed to support those activities. IM strategies are management focused and concerned with
the methods by which information is stored and available for access.

Advantages and disadvantages of outsourcing
The main potential advantages of outsourcing IT are: more accurate prediction of costs and
more accurate budgetary control; using services only when necessary; improved quality and
service; economies of scale available to the outsource service provider; the organisation is
relieved of the burden of recruiting and managing specialist staff, especially where skills are in
short supply; the outsourced service supplier has a better knowledge of changing technologies;
saving management time and effort.

The main potential disadvantages of outsourcing IT are: the difficulty of agreeing a service level
agreement that clearly identifies the obligations of each party; the loss of flexibility and inability
to quickly respond to changing circumstances and the possibility of ending up with a less
customised system; the risk of unsatisfactory quality and service, or even failure of the supplier;




P3 26 May 2005

the risk of a lack of security over confidential or critical information; a short-term cost-savings
focus may be at the expense of long-term strategy considerations; ignoring an unchanged
overhead burden; poor management of the changeover or of the supplier; increasing costs of
outsource provision over time, difficulty of changing the outsourced supplier or of returning to an
in-house provision, and a loss of internal IM/IT/IS capability leading to dependence on outside
suppliers.

In cost terms, the costs of in-house provision need to be compared with outsourcing. The costs
of in-house provision can be estimated quite easily, comprising staffing and equipment costs,
maintenance, accommodation, etc. For outsourcing, cost estimation is more complex because
many costs are hidden. A transactions cost approach will consider not only the direct costs of
the outsource supplier but also costs associated with negotiation, monitoring, administration,
insurance, etc. These hidden costs involve time commitments, opportunity costs and are
associated with legal, moral and power conditions. Understanding these costs and conditions
may reveal that it is more economic to carry out an activity in-house than to accept a market
price which appears less costly but which may incur transaction costs that are hidden in
overhead costs.

Evaluation of risks associated with outsourcing
The major risks facing AMF are business, financial and reputation. The risk of poor performance
or failure of the supplier or the ERPS such that AMF is not able to support its business
operations may lead to a failure to satisfy customers. This may well incur a financial loss. There
is a consequential reputation risk to AMF if the failure of the ERPS causes it to fail to meet its
business obligations.

However, there is also likely to be a risk even if AMF carries out the ERPS function in-house.
Due to its expertise, the outsource supplier may be in a better position to identify, assess, and
manage the risks than can AMF.

It may mitigate risks if AMF retains some in-house IT expertise, although this will be at a cost to
AMF. The size and structure of the IT department retained by AMF will depend on its service
level agreement with the outsource supplier and its assessment of risk. AMF needs to consider
its ability to maintain and modify existing systems, its ability to support users, and the adequacy
of system controls. The risk of outsourcing can be partly offset by retaining a small group of IT
specialists in-house to monitor and work with the outsource supplier. Another option is to include
in the service level agreement a requirement that a member of the suppliers staff (an implant)
is permanently located at AMFs premises to act as liaison between client and contractor. Risk
can also be reduced by building a long-term partnership between both companies rather than
merely a contractor/client relationship.

Mitigation of risk through internal controls and internal audit
In an information systems environment, there are four types of control, and AMF or its outsource
supplier needs to ensure the adequacy of:

General controls to ensure appropriate use of computer systems and security from loss of
data. This will be a responsibility both of AMF and the outsource supplier for controls over
personnel recruitment, training and supervision and the separation of duties. Logical and
physical access controls through password and other security devices will be important at
both the suppliers and AMFs site. Business continuity planning will be the responsibility
of the outsource supplier but AMFs risk management needs to assess its adequacy.
Application controls for input, processing and output are necessary for each individual
ERPS application and are designed to prevent, detect and correct transaction processing
errors. These need to be developed jointly by AMF and the outsource supplier and be
reviewed by AMFs internal audit.
Software controls ensure that software used by the organisation is authorised. This is the
outsource suppliers responsibility.
Network controls must exist to prevent unauthorised access to data transmitted over
networks and to secure the integrity of data. This is especially important to prevent
hacking, viruses, eavesdropping, errors, or malfunctions between the outsource suppliers
site and that of AMF.


May 2005 27 P3


Mitigation of risk could also be carried out by AMF:

seeking legal guarantees from the outsource supplier;
monitoring the financial health of the outsource supplier;
seeking assurances as to the appropriateness of staff employed by the outsource
supplier on the implementation and operation of its systems.

AMFs own internal audit function needs to be involved during system design (as described
above) and continuously thereafter to ensure that risks are adequately addressed by controls
designed-in during the development phase; to ensure that financial and non-financial
information is accurate and complete and suitable for its intended purpose; to identify potential
problems in data collection, input, processing and output; to ensure an adequate audit trail; and
to review the scope for possible fraud. Internal audit can only achieve these by working closely
with the in-house and outsourced project team and steering committee. Internal audit should
also be involved in a post-completion audit of the project. It is essential that AMFs internal
auditors have access to the outsourced suppliers site, staff and databases to enable the
necessary audit functions to be carried out on AMFs data.

Processes and controls to achieve successful transition
If the Board decides to outsource the ERPS, there are two main issues to be addressed:
Management of the implementation of the new ERPS by the outsource supplier; and
The changeover from the existing system.

The processes and controls that AMF should adopt to achieve a successful transition to the
outsource supplier should be embedded in a project with a project team, project manager and
steering committee. The project team should have responsibility for:

Project planning and definition of user needs
Obtaining management support throughout AMF
Resource planning and allocation to support the system
Quality control and progress monitoring
Liaising with AMFs suppliers and customers about how the way they interface with AMF
will be affected by the changes
Identification, assessment and management of risks
Detailed systems design and approval
System testing and implementation
User participation and involvement
Communication and co-ordination
User education and training.

A steering committee is important in bringing together the sponsor of the project who should be
a senior manager who has been involved in authorising the project and is committed to its
success; the project manager who is responsible for the day-to-day delivery of the project;
specialist IT staff both in-house and from the outsource supplier with responsibility for delivering
the project; user representatives with responsibility for accepting the system; and an internal
audit representative with responsibility for ensuring the adequacy of internal controls and system
testing in conjunction with users.

While many of the technical tasks may be carried out by the outsource supplier, it is essential
that the management of the project remains within AMF.

The changeover from the existing system requires an implementation plan which will cover
parallel running, where the ERPS is operated in conjunction with AMFs existing system until
such time as users are satisfied with the new system and are confident about discontinuing the
existing system. If there is a changeover without parallel running, as will be the case in new
features of ERPS that do not exist within existing systems, then testing prior to implementation
becomes more important and additional monitoring may be needed during the early stages of
implementation.




P3 28 May 2005


Particular care needs to be taken in converting data from existing systems. This needs to be
properly planned and sufficient resources allocated to carry out the conversion. Adequate
controls need to be implemented to ensure the consistency of data as it is transferred from the
old to the new system, identifying any duplications and omissions.

Conclusion
An ERP system is to a large extent integrated into the daily working practices of an organisation
and AMF will become highly dependent on the system for the management of its customers,
suppliers, inventory, capacity planning, production scheduling, distribution and accounting
functions as well as for the information that will flow to management from the ERPS data
warehouse.

Therefore, the question for management becomes how best risk can be managed and how the
advantages of cost, quality and staffing can be balanced with disadvantages of loss of flexibility
and the need to manage the outsource supplier.

An outsourcing decision needs to be carried out on the basis of a competitive bidding process
and implemented according to the information systems development process described above.
Adequate internal controls need to be established and the involvement of AMFs internal audit
function is essential.


Answer to Question Four

Report to Directors of AL & Co.

Author: Accountant

Subject: Internal Control Systems within AL & Co.

Terms of Reference:
The contents of this report are based upon the findings in relation to internal controls arising
from the tests and investigations conducted in the course of the external audit for the year
ended 31
st
XXX 2004. The auditors have raised a number of concerns to which I am unable to
respond, and which require your immediate attention in your role as directors of AL & Co.

Inadequacies in existing internal control and costing systems, and suggestions for
improvement
The internal control system within AL and Co is very limited in its sophistication in the context of
a medium sized business. The limited resources within the company mean that we do not have
either an internal auditor or a dedicated HRM manager. Their absence serves to limit the level of
internal control, and as a result it would seem that the company is at high risk of exposure to
both internal and external fraud.

The current organisational structure grants operational responsibility to Director Y, whilst
Director X retains responsibility for accounting, financial and legal matters. The working
relationship between directors is based upon trust and so there is no control system for
validation of each others work, except in the form of the external audit. This system might be
acceptable if tight controls over finance and operations were in existence lower down the
managerial ladder, but these also appear to be absent, which leaves scope for the possibility of
collusive fraud between a director and other managers. There is a duty on the part of the board
of directors of a company to ensure that internal controls are established that will minimise the
risk of fraud and/or error. It is the opinion of the external auditors that as Directors you have yet
to establish such systems.

The specific inadequacies in the internal controls and management accounting systems within
AL & Co are detailed below, together with some suggestions for how they may be improved.



May 2005 29 P3

There does not appear to be any budgeting system in place, which would be helpful for
both planning and control purposes. Monthly control accounts should be produced by
the accounts manager, comprising a profit and loss account and cash flow for the period
together with opening and closing balance sheets. Exception reports should be drafted
to highlight any material changes to trends, or variations from budgeted results. Copies
of these reports should be sent to both Directors.

The management accounting system records materials against individual jobs as they
are issued from stock, but no controls exist for monitoring their use on site, and
recording variances between estimated and actual usages. All materials should be
booked out to a job and removed from store only by the end user and not the job
foreman. The foreman should then book all unused items back into stock. By separating
out responsibility in this way, control over the potential theft of goods is tightened.

The profitability of individual jobs should be monitored and significant cost variances
investigated. I suggest that you begin by introducing a job costing system that includes
an apportionment of overheads. Computation of the staff time per job could be relatively
easily achieved, and other overheads could be apportioned on a relatively simple basis
such as X per labour hour, given that labour is the main cost in the contracting
business. Knowledge of the cost per job would facilitate improved budgeting which
would in turn highlight unexpected trends in particular costs. Consequently, general
financial control would be tightened.

Gross margins per client should be monitored and benchmarked according to job type.
Data should also be grouped according to the staff managing a job in respect of both
the sales staff producing the quote and the job foremen. Reports on the findings should
be submitted to the Board of Directors on a regular basis. In other words, the
introduction of a simple form of performance related pay or responsibility management
would be beneficial.

The only controls over Directors in a small or medium sized business are those imposed
by their fellow directors. The culture of trust in AL and Co. assumes that no such
controls are necessary, but this may be a misplaced assumption. Systems should be
established to ensure the integrity of data, control over cash and general safeguarding
of resources. For example, there does not appear to be a routine procedure for
verification of the validity of invoices presented for payment.

It is well recognised that overstatement of expenses is a common method of fraud, but
the financial control systems within the company appear to be very limited, and focus
primarily on achievement of a target profit margin. Tighter monitoring of accounting
records is required.


Unusual Cost Trends, the Possible Implications and Suggested Course of Action
A key aspect of the role of external auditors is to gain assurance that the financial statements
provide a true and fair view of the financial performance and position of the company.
Consequently, it is necessary to seek full explanations of any unusual cost trends identified in
the course of the audit.

It would seem that the pattern of cost changes is broadly in line with both the trend of increased
sales activity and the changes in prices paid for external supplies, and hence profitability levels
have remained above the target 25% gross return that is required. Nonetheless, the figure for
variable overhead has shown a disproportionate increase over the same period, the cause of
which appears to be payments to a new supplier that was recently introduced. The invoices
relate to purchases of small tools and consumables, but there does not appear to be a system
for tracking the issue and use of these tools.

The audit trail can only be completed by more detailed questioning of a number of staff across
the company, including you as Directors. It is assumed that the introduction of new suppliers is
subject to some system of formal review by at least two different members of staff including one




P3 30 May 2005

of the directors, and the auditors are seeking assurance that such procedures were followed in
relation to this specific case. Similarly, they require written evidence that the relevant invoices
relate to costs necessarily incurred in the course of the business. In the absence of such
evidence, it will be necessary to initiate a formal investigation into possible fraudulent activity,
and notify the police of a possible offence under section 18
6
of the Theft Act (1968). The
auditors wish to assure you that this is not a course of action that will be pursued lightly, but
would be an inevitable consequence of lack of evidence relating to the nature of the relevant
expenses.

The limits of the responsibility of external auditors to detect fraud
SAS110 states that auditors plan, perform and evaluate their audit work in order to have a
reasonable expectation of detecting material misstatements in the financial statements arising
from error or fraud. However, an audit cannot be expected to detect all instances of fraudulent or
dishonest conduct. (SAS110, para.18). In other words, there is an unavoidable risk that the
auditor may not detect fraud, and the primary responsibility for effective internal control systems
rests with the company directors.

The case for, and issues to be considered in drafting a fraud response plan
I suggest that you need to immediately devise a fraud response plan and instigate an immediate
investigation into the matter. The Fraud Advisory Panel in the United Kingdom suggests that the
following issues should be considered in drafting a response:

Who will lead the investigation? Is there adequate internal expertise, or should you
request outside expert help?
The investigation method to be used eg interviews; creation of fake contracts etc
The systems required to mitigate the risk of future fraud via improved controls
How to secure evidence without alerting the fraudster
How to deal with suspects
How/when to involve the police


We need to meet as soon as possible so that I can present you with the evidence provided to
date by the auditors, and further to that meeting the external audit team are available to assist in
the investigation if required. The hope is that this matter can be resolved internally and will not
cause excessive disruption to the company.


Answer to Question Five

Requirement (a)

The managing directors observation that the efficiency of the foreign exchange markets means
that SDT is equally likely to make either foreign exchange gains or losses is only partially
correct. Market efficiency is dependent upon the existence of a large number of both buyers and
sellers in order to create high levels of liquidity in the marketplace, and exchange rates that are
determined within an environment of freely floating currencies. In practice, the level of liquidity is
likely to vary between currencies, as is the amount of information freely available to the market,
and the extent to which exchange rates are freely determined and not managed via
government intervention. For major world currencies such as the Yen and the US dollar,
information levels are very high and the market prices thus accurately reflect the relative
demand and supply pressures. For currencies that are less commonly traded, however, supply
may be controlled by government policies, and/or be less predictable, leading to more volatile
pricing and an illiquid market.

The case scenario indicates that SDT is only exposed to foreign exchange risk in respect of
major world currencies, the markets for which are deemed to be efficient. Consequently, for
each individual currency exposure, the Managing Director is correct in suggesting that gains or
losses are equally likely. However, the company is faced with simultaneous exposure to three
currencies, the exchange rates of which may or may not be correlated. The data presented in


May 2005 31 P3

the question in fact show that sterling is expected to weaken against all three other currencies.
As a result it is an oversimplification to suggest that gains or losses are equally likely across the
portfolio of risk because the diversification may serve to either increase or decrease the total risk
exposure, depending upon the correlation between the currencies. The Managing Directors
view is thus incorrect in this regard.

The fact that the Euro, Yen and US dollar are all currencies from different continents and
economic regions indicates that SDT has diversified its currency risk, but this does not
necessarily imply that any remaining risk should not be hedged. The economic regions
represented by these three currencies are commonly referred to as the Triad, and denote the
consumer based economies of the developing world. Increasing globalisation of markets has
resulted in a growing interdependence between the worlds economic regions with the result that
the economies of the Triad tend to follow common trends. A slowdown in spending in the USA,
for example, can lead to a reduction in output in either SE Asia or Europe and vice versa. This
interdependence means that it is very likely that the three currencies will move in tandem with
one another, and so the diversification of risk is less than might be initially expected.

At the same time, while markets may be efficient on the basis of information available at any
point, new information does continuously come to light which changes rates. Unexpected events
such as September 11th 2001 can have a substantial impact on an economy in a manner that
could not have been predicted, and hedging enables a company to minimise its exposure to the
consequential unpredictable changes in exchange rates. In other words, even if, on average,
one does not expect to make a net benefit (or avoid a net loss) by hedging, it can still be
valuable as an insurance against risk. This is particularly the case for a company such as SDT
that exports over 90% of its production. We can therefore conclude that the diversification
resulting from receiving export income denominated in Yen, Euros and US Dollars is insufficient
justification for choosing not to hedge foreign exchange risk in SDT.

Currency hedging may be advantageous to SDT for a number of reasons including:

Ensuring certainty of cash flows and profit margins on transactions invoiced in a foreign
currency
Improved planning and budgeting in view of the above
Reduced risk in selling into any market where the currency can be bought/sold on the
forward market

The disadvantage of hedging using externally purchased instruments is the associated
transaction cost. It is therefore important for the Board of Directors of the company to define its
attitude to risk, and decide whether the risk of any exchange rate movements that accompany a
non- hedging strategy is acceptable or not. Hedging will then be used if the estimated risks are
believed to be intolerably high.




P3 32 May 2005

Requirement (b)

(i) If SDT hedges the risk in the forward market then the revenue from the export sales can
be determined by reference to the relevant two month forward rates.

Company A
Sum due: 9,487,500
Two month forward rate for selling Yen is 200032/
Sterling value of receipts is thus 9,487,500/200032 = 47,430
Units sold = 9,487,500/63250
= 15,000
At cost of 275 per unit, variable cost = 41,250
Contribution is revenue less variable cost = 47,430 - 41,250
= 6,180

Company B
Sum due: US$82,142
Two month forward rate for selling US$ is $17775/
Sterling value of receipts is thus $82,142/17775 = 46,212
Units sold = 82,142/102678
= 8,000
At cost of 480 per unit, variable cost = 38,400
Contribution is revenue less variable cost = 46,212 - 38,400
= 7,812

Europe
Sum due: 66,181
Two month forward rate for selling Euro is 14784/
Sterling value of receipts is thus 66,181/14784 = 44,765
Units sold = 66,181/12033
= 5500
At cost of 625 per unit, variable cost = 34,375
Contribution is revenue less variable cost = 44,765 - 34,375
= 10,390

Total contribution from export sales when hedged = 24,382


(ii) If the risk is not hedged, the variable costs remain unchanged but the revenue will reflect
a different rate of exchange as follows:

Company A
Sterling value of receipts @ 20263 is 46,822, hence the contribution becomes 5,572

Company B
Sterling value of receipts @ US$17750/ is 46,277, yielding a contribution of 7,877

Europe
Two month forward rate is 14680/ giving receipts of 45,082 and a contribution of
10,707

Total contribution from export sales if left unhedged = 24,156


(iii) Scenario 1 (Hedging)
Total receipts from exports = 47,430 + 46,212 + 44,765 = 138,407
Total contribution from exports = 6,180 + 7,812 + 10,390 = 24,382

Average Contribution:Sales ratio is thus 1762%



May 2005 33 P3

Scenario 2 (Unhedged)
Total receipts from exports = 46,822 + 46,277 + 45,082 = 138,181
Total contribution from exports = 5,572 + 7,877 + 10,707 = 24,156

Average Contribution:Sales ratio is thus 1748%

SDT is therefore advised to hedge its foreign exchange risks because this leads to a slightly
higher average contribution: sales ratio on the overseas sales, ignoring transaction costs.


Requirement (c)

A company may wish to earn a higher average rate of return from exporting than from domestic
sales because of the increased risks, and costs that are associated with foreign sales, combined
with the fact that export management may also require additional capital investment. Additional
risks include higher risks of loss/damage in transit due to increased delivery distances;
potentially higher credit risks because of lack of knowledge of foreign customers and slower
payment mechanisms or extended payment terms and transaction risks arising from foreign
exchange rate movements. In addition, a company may incur additional expenses in buying in
foreign language experts, treasury skills and export documentation services in order to service
the foreign markets. Furthermore, the ongoing monitoring of foreign debtors is likely to be more
expensive, and political and business risks will be higher in countries with which senior
managers are less familiar. Overall, therefore, the combination of potential additional capital
investment and additional risk, implies that the return required on export sales will be higher
than that for domestic sales if targets are set in terms of a risk adjusted rate of return (or risk
adjusted value added).The only circumstances when this view might not be valid is if export
sales are managed via an agent and invoiced in the domestic currency, because in such a
situation there is little material increase in risk involved in the overseas sales.

Requirement (d)

In choosing to hedge the risk via a forward contract, SDT is committed to delivering the
contracted amount of the forward currency on the specified date. Under such circumstances the
company would be forced to purchase the dollars at the prevailing spot market rate, and sell
them at the rate agreed in the forward contract. There will be transaction costs incurred in the
process, and it is also possible that the exchange rate will have moved against SDT further
increasing the costs of the transaction.

The risk of being unable to fulfil the forward contract could be mitigated by taking out an option
forward contract instead, which may be exercised within a prescribed range of dates. An option
forward contract would relieve SDT of a firm date for committing to the forward contract, but it
would also cost more in fees. In addition, the exchange rate that is used in such contracts is the
least favourable rate over the option period, and so the costs of such a deal are in reality even
higher.

A possible alternative method of reducing the risk would be for SDT to offer a discount to
Company B in return for prompt payment. As long as the cost of the discount does not exceed
the potential cost of breaching a standard forward contract, then it would make sound financial
sense. Similarly, the imposition of penalties for late payments would help to reduce the cost of
any resulting problems, but in practice it is often extremely difficult to collect penalty fees,
especially from overseas customers.