P1 CORPORATE GOVERNANCE, RISKS & ETHICS

A) Corporate Governance (CG):

Why CG?
Globalization (Parity of treatment for local and foreign investors and characteristics of individual cultures)
High profile corporate scandals, failures and general dissatisfaction with financial reporting standards
Definitions of CG:
CG is a system by which companies are directed and controlled in the interest of shareholders and other
stakeholders: Cadbury Report (1992).
CG is a set of relationships between directors, shareholders and other stakeholders. It also provides the structure
through which the objectives of the company are set and determined and also provides the means of achieving
those objectives and monitoring performance: OECD.
Business Case/Benefits of CG: (FOCUS-IS-BAGS)
FFramework for pursuing organizational strategies
OOperation of appropriate and adequate control system with risk management
CConfidence and trust of shareholders
UUnderpins capital market confidence
SSafeguards companies assets and shareholders interests
IIncrease in management accountability
SSustainable wealth creation
BBetter management leads to better financial performance
AAttraction for institutional investors
GGovernance dividend (Benefit of increase in share price that shareholders receives from good
CG)
SSocially responsible dividend (Benefit of increase in revenue and share price that company
receives from customers and investors)
Purpose and Objective of CG:
In Private Sector:
Purpose:
Monitor those parties within a company who control resource owned by shareholders.
Objective:
Contribute to improved corporate performance and accountability in creating long-term
shareholder value.
In Public & Not-For-Profit Sector:
Purpose and objective within these organizations varies and is complex. Such organizations are often appraised
according to the Value-for-money that they generate. A detail discussion is made later in this chapter.
What is Value-for-money?
Value-for-money may be defined as performance of an activity to simultaneously achieve three Es i.e.
Economy, Efficiency and Effectiveness. In literal meaning, maximizing benefits for the lowest costs.
1

Concepts of CG: (HAIRDRIFTIS)

The foundation of governance is the action of an individual. These actions are guided by individuals moral
stances and an appropriate set of moral stances includes the following:
HHonesty/Probity (Not only reporting the true financial position but also not misleading)
AAccountability (This stems from acceptance of responsibility and as a results of which being
accountable for actions and decisions)
IIndependence (Avoidance of being unduly influenced by vested interests and taking an objective
position)
RResponsibility (Maintaining conscious behavior and willingness to accept liability for outcome
of governance decisions)
DDecisions/Judgments (Balancing competing interests and possessing sound business and its
surrounding knowledge to reach meaningful conclusions to numerous issues and giving each
issue due consideration)
RReputation (Developing and maintaining personal reputation and moral stance of company)
IIntegrity (Steadfast adherence to ethical standards and maintaining straightforward dealing)
FFairness (Sense of equality in dealing with all stakeholders and reaching equitable judgments)
TTransparency/Openness (Clear and open disclosures including voluntary disclosures and lack of
withholding relevant information unless necessary)
IInnovation (Transforming knowledge and ideas into new products, processes and systems for the
benefit of company and its stakeholders. In CG context, innovating reporting and communication
medium with shareholders)
SSkepticism (Critically assessing evidences and maintaining an attitude which includes
questioning mind and being alert to conditions which may indicate possible misstatement due to
fraud or error)
History & Development of UK CG Code:
(i)
Cadbury Report (1992): Code of best practice
(ii)
Greenbury Report (1995): Directors remuneration and disclosures in annual reports
(iii)
Hampel Report (1998): Substituted principles for details where possible
(iv)
Combined Corporate Governance Code (1998): Issued by LSE London Stock Exchange
(v)
Turnbull Report (1999, Revised 2005): Risk Management and Internal Control System
(vi)
Smith Report (2003): Role of audit committee
(vii) Higgs Report (2003): Role of non-executive directors
(viii) UK CGC Corporate Governance Code (2010): Revision with name change.
Governance other than CG:
Public Sector:
Here, principals (stakeholders) and agents are different than for private sector. In public sector, principals are
mainly taxpayers, electors or users of the services (e.g. patients in state hospitals) whilst agents in this case
becomes the political leaders who in turn are principal to their agents i.e. elected officials/executive officers.
Funders and users of the services are therefore sometimes the same people (e.g. taxpayers placing their children
in state school).
Public sector organizations tend to be concerned with a social purpose and aims to achieve Value-for-money
by delivering their services efficiently, effectively and economically.
2

This is often depicted as the three Es:

Efficiency:
Yielding an acceptable return on the money invested.
Effectiveness: To deliver the best service for which organization was created to provide given a level of
resource input.
Economy:
To deliver service on time and within budget to create a shared value for taxpayers,
workers and users.
NGOs/Charities:
Often privately funded, such organizations tends to be task oriented (e.g. eradication of poverty) and driven by
people having a common interest of providing variety of services and humanitarian functions (e.g. Red Cross,
Edhi, Make-a-wish Foundation etc.). They also differ from for profit & public sector organizations in terms
of regulation, strategic purpose, societal expectation, stakeholders and governance arrangements.
Such organizations are managed by executives and non-executives directors/managers/boards who act as agent
and answerable to the trustees of the organization, whereas trustees then in turn act as agent for the
donors/beneficiaries. Trustees are placed to make sure that NGO/Charity operates in line with its stated
purpose.
Governance Arrangement: Oversight Body:
Since, control and monitoring is complex in sectors other than private, therefore to achieve accountability, a
system of reporting and oversight needs to be established.
In Public Sector:
Board of Governors
In NGOs/Charities: Board of Trustees
An oversight body is an external body, comprising of executives and non-executives, formed to act in the
interest of providers of finance i.e. taxpayers/donors to make sure services being delivered on time and is for the
benefit of the users. The roles of oversight body include:
Ensure service compliance with prescribed rules.
Ensure performance targets are met.
Set and monitor performance against budgets.
Oversee senior/key appointments.
Monitor management performance.
Removing underperformers.
Report to higher authorities.
Agency Theory: (Shareholders, Directors & Auditors)
Agency theory is a group of concepts describing the nature of agency relationship that exists between principal
(shareholders) and agent (directors or auditors). In the context of CG and public company, shareholders appoint
directors to run the affairs of the company on their behalf and this leads to separation of management and
ownership. This separation results in conflict of interest as agent objectives (higher salary, bonuses, status) will
differ from those of principals (maximization of shareholders wealth). Issues also arise because directors and
shareholders have different attitude to risk taking. All these issues can be addressed but at Agency Cost.
An agency relationship is one of trust and confidence between an agent and principal, which obliges agent to
meet the objectives placed upon him and to discharge its Fiduciary Duty to the principal.
3

What is Agency Cost?

This cost is borne by principal and arise largely from principal monitoring activities of agent and also indirectly
incurred as agent spends time and resources on certain activities. This could be in monetary terms and resources
or time consumed (e.g. audit fees, directors incentives, cost of annual report preparation and analysis reports,
AGMs, committee activity, cost of meetings, residual losses resulting from directors furnishing themselves with
cars and planes).
What is Fiduciary Duty?
A duty imposed upon person because of the position of trust and confidence in which they stand in relation to
another. The duty is more onerous than generally arises under a contractual or tort relationship. It requires full
disclosures, accounting for profit received as a result of the relationship and to avoid conflicts of interest.
Duties of Directors as Agents:
Fiduciary duty is owed to entity, not to individual shareholders (Section 170, Companies Act 2006)
171. Act within their powers.
172. Promote the success of the company.
173. Exercise independent judgment.
174. Exercise reasonable skill, care and diligence.
175. Avoid conflicts of interest.
176. Not to accept benefits from third parties.
177. Declare an interest in a proposed transaction or arrangement.
Overcoming Agency Problems:
Profit related pay
Share issue schemes
Share option schemes
Regular meeting between directors and key institutional investors.
B) CG Stakeholders:
Stockholder vs. Stakeholder Theory:
Stockholder Theory: Milton Friedman was of the view that shareholders alone have a legitimate claim to
influence over the company (as they own it). An organization and its management are solely responsible for
profit maximization for shareholders.
Stakeholder Theory: Donaldson & Preston draws two motivational theories for organizations and its
management describing a moral case for business to know how its decision effects people both inside and
outside the organization. Modern corporations are so powerful socially, economically and politically that their
unrestrained use of power will inevitably damage other peoples rights. Therefore a company must consider the
interest for a range of stakeholders. Following are two views towards stakeholders theory:
Instrumental View: Fulfillment of responsibilities towards stakeholders is desirable because it
ultimately contributes to companies attaining their objectives of profit maximization. Therefore
stakeholders are to be used as instrument to pursue other objectives. It lacks moral consciousness.
Normative View: This stems from moral consciousness as accommodating stakeholders is an end in
itself organizations must accept moral duties towards stakeholders as it is important to consider
concerns and opinion of others else not doing so will result in breakdown of social cohesion.
4

Classification of Stakeholders:
Internal (directors, company secretary, management, employees, trade union)
vs. Connected (shareholders, customers, suppliers, lenders, competitors)
vs. External (auditors, regulators, government, stock exchange, small & institutional investors)
Direct (Such stakeholders having straightforward claims and are unambiguous)
vs. Indirect (Such stakeholders are voiceless e.g. individual customer of large company, environment,
wildlife, future generations)
Primary (Those required by organization to continue its existence e.g. shareholders, customers,
suppliers, government)
vs. Secondary (Not essential for organization e.g. wider community)
Narrow (Those most affected by organizations strategies e.g. shareholders, employee, customers)
vs. Wide (Those less affected by organizations strategies e.g. government, wider community)
Voluntary (Those involved with organization of their free will e.g. management, employee, customer)
vs. Involuntary (Involved due to reasons e.g. regulators, government, community)
Active (Those who participates in organizations activities e.g. management, employee, customers)
vs. Passive (Those who do not wish to participate e.g. shareholders, government, community)
Legitimate (Those who are rightful in their claims e.g. employee, shareholders, customers)
vs. Illegitimate (Those who have no legal status of their claims)
Managing Stakeholder Relation (Mendelow Matrix Model):
Segment A: Typically small shareholders and general public having lack of
power and interest to influence CG. They require minimal efforts.
Segment B: Staff, customers, suppliers and environmental pressure groups is
placed in this segment. They normally try to persuade high power group to
take actions. They must be kept informed.

Segment C: Institutional investors and national government are placed in this

segment. They must be treated with care and kept satisfied.
Segment D: Major customers, large shareholders, directors and trade unions are found in this segment.
Organizations strategies and actions must be acceptable to them.
C) Approaches to CG:
Principles Based Approach:
The UK model is principles based and is governed through Stock Exchange Listing Rules which requires only
public listed companies to state in its annual reports that how they have complied with the requirements of CG
codes or explains in case they have not.
Characteristics (FLAWS):
F Flexible and focuses on objectives
L Lays stress upon areas where rules cannot be applied (e.g. culture, relationship with stakeholders)
A Applied to cross jurisdiction
W Works on comply or explain basis
S Stock exchanges have prime role in setting standards
5

Rules Based Approach:

The US model is rules based where compliance with CG is enshrined into law by Sarbanes-Oxley Act (SOX).
Characteristics (MENDOS):
M More emphasis on definite approach
E Easy to see compliance as simply box-ticking exercise whether comply or not
N No leeway, deviation or escapes
D Difficult to deal in questionable situation where not enough guidelines in rulebook
O Obeying the letter of law rather than its spirit
S Standardization for all companies.
Which approach to use for a country?
Dominant ownership structure (bank, family or multiple shareholder)
Legal system and its power/ability
Government structure and policies
State of the economy
Culture and history
Level of capital inflows or investment coming into the country
Global economic and political climate
Sarbanes-Oxley Act (SOX):
In 2002, following a number of corporate failures and scandals like Enron and WorldCom, US developed tough
and rigid CG regulations known as SOX. Key provisions in SOX are as follows,
Application. Applies to all US listed companies and to all subsidiaries in the world if it has US based
parent company.
Accuracy of Financial Statements. All listed companies must provide a signed certificate (by CEO and
Chairman) to SEC vouching the accuracy of their financial statements.
Incase financial statements are restated due to material non-compliance than CEO and CFO must forfeit
bonuses received in previous 12 months.
Auditor Independence. Auditors are restricted to perform audit related work (and tax) and refrain from
non-audit work.
Audit Committee. Companies must have an audit committee if they are to continue their trade.
Audit Partner. Senior audit partner working on clients audit must change every 5 years.
Restrictions on dealing. Directors prohibited from dealing in shares at sensitive times.
Increased Financial Disclosures. Detailing off-balance sheet transactions.
Internal Control Report. Annual report must contain statement regarding the system of internal control.
Public Entity Oversight Board. Independent body comprising of 5 members and is responsible for
enforcing professional standards in accounting and auditing.
Insider/Outsider System of Governance:
Insider System:
Jurisdiction where most listed companies are controlled by small family group or handful of
shareholders.
Formal and robust CG is not really required as agency issues do not generally arises here.
The system promotes long-term view of investment.
Suitable for under-developing countries.
6

Outsider System:
Dispersed and wide-spread shareholding.
Most suitable for advance and developed countries.
More robust and formal CG is required here to protect the interest of all shareholders.
Succession issues can be planned more easily and effectively.
The system promotes short-term view of investment.
D) Board of Directors:
Board Structures:
(i) Unitary Board Structure. Single tier board comprising of executive and non-executives directors where all
directors have equal responsibilities and play an active role. Especially, presence of NEDs in board is not
limited to supervising, but running of the company as well. Since all directors need to actively participate,
decision making imposes time constraints but however NEDs have better access to information they need.
(ii) Two-Tier (Dual) Board Structure. It consists of two sub-boards where lower tier is management board
and upper tier is supervisory board. There is clear and formal separation between those monitoring
(NEDs) and those being monitored (EDs). Lower tier board is responsible for day-to-day running of the
company and is led by CEO, while upper tier board, consisting of wide range of stakeholders (e.g. employee
representative, pressure groups, institutional investors etc.)is responsible to appoint, supervise and advice
management board and led by Chairman. Such type of board exists in high ethics bound country like
France, Germany.
Board Diversity:
Board should comprise of individuals belonging to different backgrounds. It could bring better governance,
effective decision making, utilization pool of expertise and enhances corporate reputation. A board could be
diversified using a range of demographic variables like race, ethnics, age, gender, education, status, religion etc.
Professionals like international experienced, lawyers, accountants, doctors or directors of private companies can
also be considered.
Board Meetings:
An agenda should be placed which consider short-term and long-term issues and every director should
have his/her input on the agenda.
Meetings should be regular and all directors should attend it and each director must commit to provide
sufficient time. (CG discourages appointment of full-time ED to more than one NED/Chairman position
in FTSE 100 companies.)
Chairman should direct meeting proceedings considering sufficient time and input from everyone.
Potential Problems for Board:
Mostly boards rely on information provided by management and therefore may not have that time or
skills to look at every detail, thus allowing management obscure problem and true state of the company.
Occasionally meetings in the board may cause unfamiliarity within board members and therefore
difficult to question the management.
Most of the times, CEOs have forceful personalities and sometimes they exercise it too much to
influence rest of the board.
Performance of CEO is judged by directors who appoints him/her
7

Appointment of Directors:
The first directors are nominated by promoters of the company and retire at first AGM. However, after first
nomination, Articles of Association (AoA) governs this issue and Table A provides yearly-rotation-based
election system under which one-third of the directors retires every year (not including CEO and those offering
themselves for reelection). For large listed companies (FTSE 350), EDs should face re-election every year and
for small listed companies, EDs may face election every 3 years.
UK CGC (2010) suggests that NEDs should normally serve for 6 years. If incase, an NED serve longer than 6
years than an explanation should be provided. Higgs Report suggests that NEDs should face reelection after 9
years.
Removal of Directors:
Removal of ED is possible by a simple ordinary resolution (though this may be in breach of service contract).
However, AoA provide additional ways to remove a director.
Directors Personality & Skills:
Personality: Motivated, proactive and experienced (been there, done that)
Skills: Listening, Questioning, Negotiating, Leadership, Specialist Knowledge, General Business Knowledge
Role & Responsibilities of EDs: (DEEP.SEA.DR.SEM)
UK CGC (2010) provides key roles and responsibilities of directors which are as follows,
Providing entrepreneurial leadership of the company.
Represent company view and account to public.
Decide on a formal schedule of matters to be reserved for board decisions.
Determine the companys mission and purpose (strategic aims).
Select and appoint the CEO, Chairman and other board members.
Set the company values and standards.
Ensure that the companys management is performing its job correctly.
Establish appropriate internal controls that enable risk to be assessed and managed.
Ensure that the necessary financial and human resources are in place for the company to meets its
objectives.
Ensure that its obligations to its shareholders and other stakeholders are understood and met.
Meet regularly to discharge its duties effectively.
For listed companies;
Appoint appropriate NEDs
Establish remuneration committee
Establish nomination committee
Establish audit committee
Assess its own performance and report it annually to shareholders.
Submit themselves for reelection at regular intervals. All directors in FTSE 350 companies should face
reelection every year.

Non-Executive Directors (NEDs):

(i) Role of NEDs: (StRiP-Performance)
St Strategic Role (Contribution in strategy development, challenging strategies and offering advices)
Ri Risk Role (Ensure that company has adequate systems of internal controls and systems of risk
management in place)
P People Role (Contribution in committees working; remuneration, nomination and audit committee
where deciding remuneration and nomination of EDs and attending regular meetings with shareholders.)
Performance Scrutiny Role (Reviewing performance and holding EDs and management to account for
objectives, decisions and results)
(ii) Independence for NEDs:
UK CGC (2010) states that the board should include balance of NEDs and EDs. This balances power towards
executives. The board should contain half of NEDs excluding Chairman and one such NED should be directly
available to shareholders if they have concerns which cannot be dealt with other appropriate channels like
Chairman, CEO or Finance Director. NEDs primary holds fiduciary duty to companys shareholders. An NED
to be independent means,
They should avoid business, financial or personal interests with the company (including share options
and pensions). Also, Cross Directorship should be avoided.
Appointment should be for a specific period and the whole board should decide on their remuneration.
Part of independence is that, NEDs should be able to question intelligently, debate constructively,
challenge rigorously and decide dispassionately.
(iii) Threats to Independence:
Material business relationship with the company in last 3 years
Employee in last 5 years
Cross directorship in other companies
Receiving other remuneration from the company besides NED fee
Close family ties with EDs
Significant shareholding
Serving on board for more than 9 years
(iv) Recruiting NEDs:
Recruiting those with relevant industry experience can bring in higher technical knowledge, network and sound
awareness of business issues within the industry. However, these elements could also make the NED less
independent as objectivity may be compromised.
Chairman:
Roles of Chairman: (FREE-TREE)
F Facilitate board appraisal (at least once a year)
R Running the board (e.g. setting board agenda and planning board meetings)
E Ensure timely and accurate information to board
E Encourage active involvement of all (especially NEDs)
T Taking the lead in board development (e.g. succession planning, composition, structure and size of
the board)
R Reporting in and signing of accounts
9

E Ensure effective two-way communication with shareholder and asks questions on behalf of
shareholders (public face) and also between EDs and NEDs
E Ensure sufficient time being allocated for controversial issues

CEO
CEO is the leader of management and at below the board level. CEO is responsible for running the business of
the company and implementing the strategies and decisions of the board and reporting to Chairman/Board.
Roles of CEO: (BRIBE)
B Business objectives and strategies development and management
R Risk management (in line with risk appetite accepted by the board) and giving ownership to
organizations control
I Investment and financing opportunities examined
B Board and committee composition recommendation
E Evaluating structure of organizational operation, performance appraisal and remuneration
suggestions
Why Chairman and CEO should not be the same person?
It is vital for good CG to separate the roles of Chairman and CEO to avoid unfettered decision-making
power in the hands of single individual.
Separation is also necessary as CEO have greater deal of influence in appointment of EDs while
Chairman over NEDs.
CEO becoming Chairman will results in interference in executive matters.
Separation of roles also brings division of responsibilities as Chairman is the leader of the board and
CEO is leader of management.
Separation of roles is also a reflection that these two positions are demanding.
E) Board Committees:
There are four types of board sub-committees;
(i) Nomination Committee (Majority NEDs, Structure & composition of board, Induction of new EDs)
The committee should comprised wholly or partially of NEDs. The nomination procedure should be
formal, rigorous and transparent. Essentially, a nomination committee has three roles as follows,
Future Role - Succession Planning. It should objectively consider, on a regular basis, the desirable size
of the board, skills, knowledge and experience possessed by the current board, the need to maintain a
balance between EDs and NEDs, succession planning and the need for diversity.
Past Role - Appraisal. Performance of the board, its committees and individual directors should be
assessed once a year. The appraisal should cover a review of the boards systems, performance
measurement, responses to problems/crisis, level of information board has, quality of information,
fulfillment of legal requirements, contribution by individual directors, assessment of level of delegation,
ability to learn lessons from experience, team-work, focus on long-term or too much involvement on
day-to-day matters etc.
Present Role - Induction. The nomination committee is also responsible for induction process. An
effective induction program should aim to:
Build an understanding of the nature of the company, its business and its markets (culture,
values, products, services, group structure, constitution, procedures, principal assets and
liabilities, contract, major competitor, regulatory constraints etc.)
10

 Build an understanding of the companys people (meeting, visits to main sites)

Build an understanding of the companys main relationships (customers and suppliers etc.)
(ii) Remuneration Committee (100% NEDs, Policies, decisions & reports on pay & other benefits of EDs)
The committee to comprise only NEDs and to determine the organizations general policy on remuneration of
EDs. It has four main roles,
Setting overall remuneration policy
Decision on individual remuneration
Reporting
Compliance with law
UK CGC (2010) suggests that the packages need to attract, retain and motivate directors. Directors should be
assessed by non-financial matrices. There should be a balance between basic rewards and incentives (e.g.
transaction, loyalty bonus, share options). Bonuses should be related to measureable performance (Greenbury).
Voluntary elements of pay should be capable of being reclaimed in case of misstatement/misconduct.
NEDs should not be offered share options, however EDs could be offered share options with vesting period not
less than 3 years.
Benefits in kind and pensions should also be considered. Care, however needs to be taken in case of loans to
directors. Length of service contract should not be too long. Most codes recommend the period to be no longer
than 12 months. Singapore codes suggest a notice period of 6 months or less.
Annual accounts should disclose remuneration policy and packages of individual directors.
(iii) Risk Committee (Majority NEDs, Company risk exposure & strategies)
Discussed Later.
(iv) Audit Committee (100% NEDs, Controls, internal audit and external audit)
Discussed Later.
F) Board and Shareholders:
UK CGC (2010) emphasizes on a regular dialogue between the directors (particularly senior NEDs) and the
shareholders (particularly with institutional shareholders).
The main forum for such dialogues is the AGMs. Board should actively encourage shareholders to attend
general meetings. Ideally, the board should provide business presentations during the AGM, while the
chairpersons of the board committees should also be present to answer any questions.
UK Stewardship Code recommends that institutional shareholders should attend AGM and not only vote but
also provide their clients with details of how they have voted. They may even place requisition for general
meeting if needed.

11

G) Reporting on CG:
Disclosures help reduce Information Asymmetry. The LSE requires the following disclosures to be made,
A narrative statement of how companies have applied the principles set out in CGC, providing any necessary
explanations and statement on compliance with CGC throughout the accounting period. In case of noncompliance, the relevant provisions need to be disclosed along with the reasons for the non-compliance.
Additionally, a Directors Report should also be published which contains,
Information about directors
Responsibilities of directors (including preparation of accounts)
Attendance details
Brief details of committee workings
Relationship with auditors and shareholders
Effectiveness of internal controls
Business review (operational & financial review)
Voluntary/Additional Disclosures: (Qualitative in nature, Non-numerical)
Besides the above, the companies should make voluntary disclosures (perhaps in consultation with the
investors) as this helps provide a wider information perspective, different focus (mostly future oriented) on
information and assurance about managements commitment. Examples of voluntary disclosures includes,
chairman statement, CEO review statement, environmental policies, risk policies etc.
Reasons/Benefits of Voluntary/Additional Disclosures: (BRACoS)
Brings accountability
Reduce information asymmetry
Attracts investors
Compliance with laws and regulations
Service to range of stakeholders

12

H) Internal Controls & Risk:

Corporate Governance & Risk Management:
CG requires directors/board to:
Establish appropriate controls and mechanism for dealing with the risks faced by the organization.
Monitor risks themselves by performing regular review.
Disclose their risk management policies and processes in the annual report.
I) Internal Control Systems: (The Control Environment)
What are Internal Controls?
Internal control is any action taken by the management to enhance the likelihood that established objectives and
goals will be achieved. It provides management with reasonable assurance that strategic objectives will be met
(Turnbull Report).
The principles and rules based approach discussed earlier in the context of CG equally applies to Internal
Control System as well.
UK Turnbull Report identifies the following characteristics of an internal control system:
Be embedded in the operation of the company and be a part of its culture.
Be capable of responding quickly to evolving risks.
Include mechanisms and procedures for highlighting/reporting immediately to management about
significant controls failures.
Benefits of Internal Controls: (TAPASA)
T Timely reporting
A Achieves orderly business conduct
P Preventing and detecting fraud
A Avoiding errors
S Safeguard assets
A Adherence to policies
COSO Framework Enterprise Risk Management (ERM):
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission lists the following as the
characteristics of ERM;
It is a process (ideally embedded),
Operated by people at every level,
Applied across the enterprise (each unit manager assessing his units risks),
Geared to achievement of objectives,
Provides reasonable assurance to management,
Applied in strategy setting,
Designed to identify risks and manage them within risk appetite.
Benefits of Enterprise Risk Management (ERM): (MIS-CLARP)
M Minimizes surprises and losses
I Identify and manage risks across the organization
S Seize opportunities
13

C Choose best risk response

L Link growth, risk and return
A Alignment of risk appetite and strategy
R Rationalizes capital
P Provide responses to multiple risks

Process of Control:
Internal/control environment (how strong do the controls need to be?)
Objective setting
Event/risk identification
Risk assessment (controllable/uncontrollable)
Risk response (avoidance, reduction, transfer, acceptance)
Control activities/procedures (policies, codes etc.)
Information and communication (following up, down and across)
Monitoring (to make necessary modification and changes)
Limitations of Internal Controls: (CHOCCUP2)
C Cost of control
H Human error/fraud
O Overestimation of risks
C Collusion between employees
C Control being dependent on method of data processing
U Unforeseen circumstances
P Poor judgment
P Possibility of controls being by-passed by employee/directors
J) Risk Attitudes & Internal Environment:
Risk Appetite:
Even a Risk Averse business will tolerate risk up to a point provided that it yield an acceptable return. Risk
Seeking business may not be bothered by level of risks, but must manage such risks. Risk management is
analyzing what the key value drivers are and the risks tied up with those value drivers.
Among the other factors shaping Risk Appetite are personal views, shareholders demand, organizational
history, experience (e.g. significant losses in the past), size (e.g. large companies can afford risk management
experts and diversification), structure and lifecycle stage of the organization.
An organizations attitude towards risk will generally be influenced by the priorities of its shareholders. The
stakeholders include shareholders (who may be more interested in dividends and/or long-term capital gains).
Creditors (who may prohibit excessive risk taking), employees (who will be interested in job security and
health and safety issues), customers and suppliers, government/regulatory authorities as well as the wider
community.

14

Embedding Risk Awareness:

E&Y in their report Managing Risk across the Enterprise emphasize that risk assessment should evolve into a
consistent, embedded activity rather than be executed as a stand-along process. The elements identified for such
embedded approach are;
Focus on risks to stakeholders values (future growth opportunities and core business operations, rather
than risk to processes)
Consistent action-oriented risk assessment criteria (monitoring, improvement, focus, accountability)
Common reporting elements and styles
Risk management is included within the control systems
Approval and support from the board
Risk Embedding can be considered at two levels;
Embedding risk in systems
Embedding risk in culture
Process of Embedding Risk Management:
1) Identify the controls that are already operating within the organization
2) Monitor those controls to ensure that they work
3) Improve and refine the controls as required
4) Document evidence of monitoring and control operation.
Risk Culture:
Culture is the pattern of basic assumptions that a given group has invented, discovered or developed, in
learning to cope with its problems of external adaptation and internal integration, and that have worked well
enough to be considered valid and therefore to be taught to new members as the correct way to perceive, think
and feel in relation to these problems.; Schien.
Changing The Culture:
Communication with all concerned is a must here.
Such communication may be through regular briefings, newsletter, intranet, workshops, refresher courses,
making policies and procedures readily available to the employees, employees consultation inter se, induction
sessions for new employees.
ERM should be integral part of everyones job description; staff should understand the need to resist pressure
for superiors to participate in improper activities and to report this to authorities (COSO). Risk management
should be included as a part of performance appraisal.
Training is another must. Employees should be taught why risks should be managed and be involved in the
process.
Employees may resist change as it involves extra efforts of unlearning and relearning, there may be selfinterests to protect, or they may misunderstood or disagree with the change or simply mistrust the management
and not be bothered about the change.
15

Organization should ensure job satisfaction, leading by example, peer confirmation through learning
experiences and proper infrastructure to achieve successful change.
Organizations should have clear risk policy statements and risk registers (listing and prioritizing main risks,
responsibility index and actions taken).
Risk Management Responsibilities:
The primary responsibility for determining risk management strategy and monitoring risks is that of the board.
The board also sets appropriate policies on internal controls and seeks assurance that the controls are
functioning effectively.
The CEO takes the ownership of risk management and internal control system and must monitor other directors
and senior staff.
Although limited in scope, the internal and external audit committee functions deal with risks as well.
Turnbull stresses upon the role of management in implementation of risk management system. Both managers
and staff should know their responsibilities and how to report on them.
Board Risk Management Committee:
Although the boards audit committee may serve this purpose, a large company should have separate risk
management committee of its board. UK Walker Report recommends such committees for FTSE-100 banks and
life insurance companies.
This committee will have more time, focus and powers than the audit committee to manage risk. Unlike the
backward looking focus of audit committee, the risk management committee can have forward looking focus of
determining risk appetite and monitoring appropriate limits.
Among its functions would be approving risk management strategy, reviewing reports on key risks, monitoring
overall exposure, assessing effectiveness of risk management systems and providing early warning to the board.
Role of Risk Committee: (SEEM-R)
S Strategies and policies
E Early warning indicator
E Effectiveness of risk management system
M Monitoring risk exposure
R Reviewing report on key risks
Risk Management Specialists: (PRICE-DEED)
A specialist risk manager could be hired to provide following functions;
P Providing overall leadership, vision and direction for ERM
R Reporting to CEO on progress and recommendations
I Implementing set of risk indicators and reports
C Championing ERM competence and awareness throughout organization
E Establishing integrated ERM framework
16

De Developing policies
E Establishing common ERM language
D Dealing with insurance companies

Objective Setting:
Internal control is all about achieving objectives by managing risks. Granger identifies 3 types of objectives:
Mission (general objective, open-ended)
Corporate objective (concerned with whole firm, quantifiable)
Unit objective (at divisional, business units and subsidiary levels)

COSO divides objectives in 4 categories:

Strategic
Operational
Reporting
Compliance
K) Risks:
Risk is an unrealized future loss arising from a present action or inaction. Return is, on average, a function of
risk (David Campbell). Risk is simply what can go wrong.
Risks can be strategic/business (for the board to determine) and operational (for the line or unit management
mainly). The former relates to fundamental decisions that directors take about the future of the organization and
the latter relate to matters that can go wrong on a day-to-day basis. Usually, operational risks can be managed
by having internal control systems.
Operational risks include;
Human error
IT failure
Fraud
Business interruption
Loss of key person
Non-compliance with regulations/internal procedures
Poor quality production
Not having input materials at the required time
Strategic Risk:
Strategic risks may be threat to profits which depend on the decisions made by the management about the
products and services it supplies (obsolescence, change in technology etc.) or they may be threats that do not so
depend (e.g. natural disaster). Strategic risks are capable of affecting the overall mission of the company.
Relevant factors to consider strategic risk include;
Types of markets within which organization operates
State of economy
17

Competitors
Dependence upon inputs
R&D capacity
Stage in product/organization lifecycle

Example of Business Risks:

Financial Risk
Financing Risk (lack of financier/excessive commitments/wrong sort of debt/restrictive covenants by
creditors)
Liquidity Risk & Cash Flow Risk (assets cannot be liquidated quickly and fairly/mismatch of cash
inflow and outflow)
Gearing Risk (This is a risk arising from exposure to high financial gearing and large amounts of
borrowings.)
Credit Risk (Credit risk is the possibility of losses due to non-payment or late payment by customers)
Currency Risk (Currency risk or foreign exchange risk arises from the possibility of movements in
foreign exchange rates and the value of one currency in relation to another.)
Interest Rate Risk (Interest rate risk is the risk of unexpected gains or losses arising as consequences of a
rise or fall in market interest rates.)
Derivatives Risk (It refers to the risks due to the use of financial instruments.)
Product Risk (The risk that customers will not buy new products (or services) provided by the organization or
the sales demand for current products and services will decline unexpectedly. Failing to innovate may also
result in risk.)
Technology Risk (These risks arise from the possibility that technological change will occur and render the
current technological system of an organization.)
Environmental Risk (Normally faced by in agricultural, chemical and transportation sectors and arises due to
environmental effects of companys operation. For e.g. pollution or restriction of supply of natural resources to
business due to scarcity or environmental factors)
Economic Risk (It refers to the risks facing by an organization from change in economic condition. For e.g.
economic growth, recession, govt. spending policy, taxation policy, unemployment ratio, international trading
conditions)
Business Probity Risk (This risk could arise of way of governance and ethics of the organization. For e.g.
leaking confidential information, lack of trust in business dealings, bribery, corruption etc.)
Property Risk (Damage or destruction to property)
Disruption Risk (For e.g. IT failure, employee errors, loss of employee/supplier etc.)
Organizational Risk (Grouping and lobbying within organization. For e.g. labor unions)

18

Reputation Risk (Image of company suffers due to anything that went wrong. For e.g. production of poor
quality products, product recalls, adverse publicity, unethical advertising, poor CG, poor ethics etc.)
Market Risk (Risks which derive from the sector in which the business is operating and loss due to an adverse
move in the market e.g. fall in value of assets, lack of resources, customer dissatisfaction etc.)
Legal or Litigation Risk (This risk arises from the possibility of legal action being taken against an
organization. For e.g. penalties, suits filed from customers, suppliers, competitors etc.)
Political Risk (This risk depends largely to the extent of political stability in the countries in which companies
operates and the attitude of governments towards protectionism.)
Regulatory Risk (Risk that regulatory bodies will affect the way an organization has to operate.)
Compliance Risk (It is the risk of losses, possibly fines resulting from non-compliance with laws or regulation.)
Health & Safety Risk (These are inherent risks arising from particular industry in which an organization
operates like oil rigs, factories, coal mines etc. For e.g. injury, loss of life, compensation for defaults etc.)
Fraud Risk (This risk arise from intentional and willful acts. For e.g. ghost employees/suppliers, data
falsification, hacking, alteration in programs, theft of information)
Knowledge Management Risk (This risk arises from unauthorized use of knowledge resources. For e.g. misuse
of intellectual property)
Entrepreneurial Risk (This is the necessary risk which is associated with every new business or product
venture or opportunity in the new or existing market. For e.g. major investment failing to deliver)
L) Risk Assessment & Response to Risks:
Risk Assessment:
While not always easy, organization must assess and respond to risks dynamically.
Risk assessment determines mitigation or management strategies. Underestimation of risks or exaggeration can
both result in additional costs and inefficient resource allocation (Stop and Go Errors!).
It is important therefore, not only to assess all relevant risks but also the severity and frequency of risks.
Risks quotient may change due to organizations own strategic decisions or those by the competitors, suppliers,
customers etc. Other factors influencing risk include technology and general social, economic and political
factors etc.
Objective Approach to Risk Assessment: Accounting Ratios
Debt Ratio (Total Debt / Total Assets) x 100 [50% is the benchmark]
Gearing Ratio (Interest Bearing Debt / Shareholders Equity Interest Bearing Debt) x 100 [50% is the
benchmark)
19

Interest Cover (PBIT / Interest Charges) [Interest cover of 3 times or below is worryingly low]
Cash Flow Ratio (Net Cash Inflow / Total Debts)
Current Ratio (Current Assets / Current Liabilities) [Ideally excess of 1]
Quick Ratio (Current Assets less Inventories / Current Liabilities) [Ideally at least 1]

Other significant warnings include;

Significant fall in revenue
Large increase in costs of capital
Increase in variables/inventories
Dependence on short-term credit

Risk Interrelation:
Risks may be inter-related (correlation or covariance). In case of positive correlation, risks will increase or
decrease together (product fault risk and reputation risk). In case of negative correlation, one risk will increase
as the other decreases (expenditure on controls reduces most risks but increases financial risks.)
Subjective Approach to Risk Assessment: (Likelihood/Consequences Matrix)
Including Risk Response Strategies (Accept, Reduce, Transfer, Avoid)
Consequences (Impacts/Hazards)
Low

ACCEPT

REDUCE
Likelihood (Risk Probability)

Low

High

TRANSFER

AVOID
High

Even when risk has to be accepted, judgment will be involved in deciding what level of risk is as low as
reasonably practicable (ALARP Principle).
A dynamic environment requires constant risk assessment and flexibility in approach.
Transfer: Risk may be transferred through insurance, hold harmless agreements and limitation of liability.
Avoidance: Organization needs to consider if it is really desirable?
Reduction: Policies need to be in place, which will be achieved through Risk Mitigation Techniques. Reduction
may also involve contingency planning (identifying the post-loss needs). Physical (e.g. safety devices) and
psychological (e.g. awareness and commitment) factors should be employed to effect loss control.

20

A good policy is risk diversification, i.e. avoiding having all of the risks positively correlated. This can be done
(though perhaps not by all organizations) through a mix of higher and lower risk investment, mix of debt and
equity financing, separate divisions and subsidiaries, forward and backward integration and international
portfolio diversification.
Acceptance: Sometimes the risk is unavoidable or risk may be insignificant or too costly to manage. In these
cases, the risk is generally accepted. Self/captive insurance may be considered here.
Financial Risk Management:
Advantages of financial risk management include;
Reduction in earnings volatility
Reduced average tax liability
Improved credit rating
More opportunities to invest
Protection of cash flow
Better reputation
Methods of financial risk management include;
Risk diversification
Risk sharing
Risk transfer
Internal strategies (e.g. vesting and monitoring of and ceilings of credit limits with credit triggers)
Risk hedging (future and forward contract, call or put options, swaps)
Risk Hedging:
Forward Contract (Commitment to undertake a future transaction at a set time and price)
Future Contract (Commitment to an additional transaction in the future)
Call or Put Options (Grants an option on a party to buy or sell at a certain price in the future)
Swaps (Parties agree to exchange payments on different terms, e.g. a borrower borrowing at floating rate
may exchange this liability with one who borrowed at a fixed rate)
What is ALARP Principle?
Risk cannot be eliminated fully; therefore ALARP Principle simply states that residual risk should be as low as
reasonably practicable, taking into account the costly nature of risk reduction.
ALARP simply states that cost of reducing the risk should not exceed the benefit of reducing it.
Such principles are applied to areas which are generally not in the control of the company, like health
and safety risks at oil rigs, construction, chemical, coal mines companies.
Control Activities: (SPAM-SOAP)
S Segregation of Duties (Each duty and task should be taken separately and should have different
persons responsible for running it. Each task then runs effectively, which reduces the risk of error.)
P Physical Control (Tight security and procedures is needed to control the access to assets. Access
must be limited to the authorized personnel only.)
A Authorization and Approval (Approval for every document is needed with specified limitation to the
authority.)
21

M Management Controls (Four control functions ORIS)

(i) Overall supervisory controls
(ii) Review of management accounts and comparison with budgets
(iii)Internal audit function
(iv) Special review procedures
S Supervisory Controls (Centralization will help supervision across management so each transaction
and recording can be supervised.)
O Organization as a Control (Enterprises should have a planning, control and decision making
function to define and allocate responsibilities and identify lines of reporting for all aspects of the
enterprises operations specified in the delegation of the authority. Responsibility should be clear.)
A Arithmetical and Accounting Control (Auditing job must be authorized and correctly recorded and
accurately processed.)
P Personnel Control (Person in a specific job must have specific responsibilities with appropriate
capabilities.)

Other Control Activities: (GF-CoMBA2T-VPD)

G General and application controls (computer related)
F Financial and non-financial controls
Co Corporate control (general policies)
M Management control
B Business process control (authorization limits etc.)
A Administrative control (division of responsibilities etc.)
A Accounting control (accurate accounting records)
T Transaction control (complying with procedures etc.)
V Voluntary and mandatory control (regulatory license etc.)
P Prevent, detect and correct control
D Discretionary and non-discretionary control (ATM pins etc.)
M) Information, Communication & Monitoring:
Information:
Strategic Information: Required to plan the objectives of the organization and to see if the objectives are being
met. Examples include future market prospects, availability and accost of new funds, total manning level etc. It
is prepared on ad-hoc basis.
Tactical Information: Used to decide how resources of business should be employed and then monitor that, e.g.
productivity measurement, variance analysis and short-term purchase requirement etc. it is prepare o routine
basis.
Operational Information: Used to plan and carry out specific operational tasks.
Direct Information: Substantiates the operation of controls, obtained by observing and testing controls in
operation.
Indirect Information: It is other relevant information, including operating statistics, key risk and performance
indicators etc.
22

Qualities of Good Information: (ACCURATE)

A Accurate
C Complete
C Cost beneficial
U User targeted
R Relevant
A Authoritative
T Timely
E Easy to use
Information should be used effectively. Information from different sources should be compared and any
discrepancies found must be followed up and addressed. Information should be passed on to all relevant
persons.
Information Sources:
Directors own efforts (walking about, visits)
Reports from subordinates (COSO recommends two-way taling)
Lines of communication (whistle blowing with no reprisals, staff attitude survey, staff should believe that
organization wants to learn about their problem)
Reports from control functions (internal audit/audit committee, HR)
Reports on certain activities (e.g. IT and other projects)
Reports on resolution of weaknesses
Results of checks (right sort of checks, random checks)
Exception/variance reporting (factors to consider include materiality, controllability, variance trends, costs,
inter-relationship of variances)
Feedback from customers
Communication:
Turnbull report emphasizes how each employee has responsibility for internal control and must therefore have
the necessary skills, knowledge and understanding of the relevant risks.
Communication with employees is therefore important. It may be through regular briefings, newsletter, intranet,
workshops, refresher courses, making policies and procedures readily available to the employees, employees
consultation inter se, induction sessions for new employees. Risk management should be an integral part of
everyones job description and training days should be encouraged. The effect of cultural factors upon control
functions should also be kept in mind.
Information to be communicated may include customer relations, service levels, health and safety, security of
assets, expenditure, accounting, financial and other reporting.
23

Monitoring:
COSO provides that the entirety (not just financial) of ERM should be monitored (assessment by appropriate
personnel of design and operation of control on a suitable timely basis) and modifications made as necessary.
Any weaknesses should be reported, assessed and root causes to be corrected (control procedures only makes
correction, monitoring corrects root cause of the problem).
This may be achieved through ongoing management activities (routine review of reconciliations etc.), separate
evaluations (by audit committee/internal audit, includes annual reviews of control procedures) or both.
Effective and efficient monitoring requires:
A proper foundation (proper tone at the top of organization, effective organizational structure, people
with appropriate skills and authority, objectivity and competencies)
Monitoring procedures based on prioritizing risks and identifying persuasive information
Assessing and reporting results
Monitoring Procedures: (QuaSC-ASAP)
Qua Quality assurance reviews
S Self assessment
C Continuous monitoring programs
A Analysis/follow up of operating reports
S Supervisory review of controls
A Audit committee enquiries
P Period evaluation and testing of controls by internal audit
Internal Audit:
Internal audit is an independent appraisal function established within an organization to examine and evaluate
its activities as a service to the organization. The objective of internal audit is to assist members of the
organization in the effective discharge of their responsibilities. To this end, internal audit furnishes them with
analysis appraisals, recommendations, counsel and information concerning the activities reviews: UK Institute
of Internal Auditors.
Role of Internal Audit Function:
Review of accounting and internal control system
Examination of financial and operating information
Review of economy, efficiency and effectiveness of operations
Review of compliance with laws
Review of safeguarding of assets
Review of implementation of corporate objectives (effectiveness of planning, CG, communication etc.)
Identification and assessment of significant risks, monitoring overall risk management policy and
reporting to (Risk Audit)
Special investigations into particular areas (e.g. suspected fraud)
Turnbull report recommends that listed companies without internal audit function should annually review the
need to have one and those having such function should annually review the scope, authority and resources.
24

Whether or not an organization needs an internal audit function would depend on:
Scale and diversity of operations
Number of employees
Change in key risks
Problems with internal control systems
Increased number of unexplained events
Risk Audit:
Risk identification
Risk assessment
Review of internal controls
Reporting
Risk Audit can be performed by Internal and External Auditors.
Internal Auditor vs. External Auditor:
Internal Auditor
An activity designed to add value to organizations
operations.
Reports to board or audit/risk committee
Often an employee of an organization

External Auditor
An exercise leading to an expression of opinion on the
financial statements.
Reports to shareholders
Independent of the management and the company

Role of Audit Committee: (CLARISSA)

C Create a climate of discipline and control
L Land an air of credibility and objectivity
A Assists CFO/FD
R Reviews financial statements
I Independent judgments by NEDs
S Strengthens the position of Internal Audit
S Strengthens communication with External Audit
A Assists in resolution of disputes
Audit committee must not however act as a barrier between the external auditor and the main board or allow the
board to abdicate its responsibilities in audit area. UK Smith Report recommends that the audit committee
should consist entirely of NEDs; one of them should at least have significant and recent financial experience.
Boards Role:
Board review is the last stage of the audit process. Turnbull recommends that review of internal controls should
be an integral part of the companys operations. The board should regularly review reports, concentrating on
what the risks are, effectiveness of management and internal control system, how risks are monitored and how
any weaknesses are handled, what actions are taken to reduce risks etc.

25

M) Ethics & Social Responsibility:

Ethical Theories (Approaches to Ethics):
1) Absolutism vs. Relativism Theory:
Absolutism
There is unchanging and only one set of moral/ethical
rules and they are always true in all situations.
These set of moral rules are common to all societies.

Relativism
There are many sets of moral rules and these rules will
change over time in one society.
These sets of moral rules will be different in different
societies.
In absolutism, truth in one culture may be imposed as
Truth is less likely to be imposed because of
truth in another culture.
acceptance of different sets of moral rules and beliefs.
Now, absolutism tends to believe that each culture (or In relativism, ethics and moral beliefs continue to
society) has its own truths and that truth should be
change as due to acceptance of ideas from different
protected in that culture.
races, religions, sects etc.
However, some truths are universal (or international)
Since, greater acceptance of moral and ethical codes,
irrespective of culture, religion or geography. For e.g. truths will continue to evolve and may change over
murder anti-social act, not killing women and children. times.
Advantage: This theory lays unambiguous rules that
Advantage: Flexibility and acceptance of values and
people are able to follow to know that their actions are beliefs of others. More inclined towards justification
right.
of an action and conditions behind it.
Disadvantage: Failure to take account of evolving
Disadvantage: Anything goes philosophy.
norms (Is it ok tell a lie to save an innocent life?).
Dogmatic vs. Pragmatic Approach:
The idea of absolutism and relativism can be illustrated further with two similar concepts;
Dogmatic Approach: It takes the view that there is one truth and this truth is to be imposed in all
situations. This viewpoint corresponds to absolutism.
Pragmatic Approach: It attempts to find the best route through a specific moral situation. This
corresponds to relativism as attempting to find a solution based on given belief
system of the individuals involved.
2) Deontological & Teleological Theory:
Deontological
Right or wrong is based on the action itself.
A non-consequentialist approach.

Teleological
Whether a decision is right or wrong depends on the
consequences or outcomes of that action.

A consequentialist approach.
An action can only be deemed right or wrong when the
morals/attitude behind taking that action is known,
As long as the outcome is right (beneficial), the action
hence not dependent upon the outcome of decision.
is irrelevant.
Key Maxims: An action to be morally right need to
satisfy all these three tests;
Consistency. Acts that are desirable to become
universal law, mean action can only be right if
everyone can follow the same underlying
principle.

Human Dignity. Act so that treating humanity.

Universality. Would the action be viewed as

morally suitable? Could it bring net benefit to
society?

Outcome can viewed with two perspectives;

Egoism (Individualism). What is best for me?
Egoist do what appears to be right in society
and which makes them feel better. However,
outcomes of the actions on all members of
society cannot be determined.

26

Utilitarianism (Society as a whole). What is

best for the greatest number? An action is
morally right if the outcome is in good for
majority number of people.

Kohlbergs Cognitive Moral Development Theory: Relativism (Individual Perspective)

There are three levels where each level is divided into two stages, giving six stages in total. Individual moves
from Level 1 to Level 3 as they get older. Most people (including business managers) found on Level 2.
Level
Explanation
Stages
Individual shows concern for self1.1 Obedience & Punishment
Level 1: Pre-conventional
interest and external rewards and
1.2 Instrumental Purpose &
punishments.
Exchange
2.3 Good Interpersonal Accord &
Individual does what is expected of them
Relationships
Level 2: Conventional
by others.
2.4 Social Accord & System
Maintenance
Individual develops more autonomous 3.5 Social Contracts & Individual
Level 3: Post-conventional
decision making based on principles of
Rights
right and justice.
3.6 Universal Ethical Principles
Level 1: Pre-conventional:
1.1 Obedience & Punishment (Individual only think of themselves and see the consequences of an action
i.e. right or wrong as a reward or punishment to them.)
1.2 Instrumental Purpose & Exchange (Individual think of the effect of their action on other but to a
very limited extent. Individual particularly thinks how they would benefit personally from particular
course of an action. Actions are therefore taken from a through process of fairness and whats in it for
me)
Level 2: Conventional:
2.3 Good Interpersonal Accord & Relationships (Actions are defined by what is expected of individual
by their immediate peers and those close to them. Approval or disapproval by immediate circle
determines morally correctness.)
2.4 Law & Order, Social Accord & System Maintenance (Consideration of social accord is extended
further from immediate peers to include broader society. Here important is maintaining a structured and
functioning society and thereby acceptance of laws and regulations.)
Level 3: Post-conventional:
3.5 Social Contracts & Individual Rights (Right and wrong are determined by reference to basic right,
values and contracts of society from an individual own perspective or interpretation rather than following
rules. Any law against benefit of society must be changed but that change must be supported by
majority.)
3.6 Universal Ethical Principles (Individual make decision based on self-chosen ethical principles which
they believe everyone should follow. Here, laws are only valid if they are grounded in justice. Obeying
law is important but bad laws should be broken. Actions here are taken based on what is the right thing to
do no matter at personal cost and not because of expectation, agreement or requirement of law.)
Criticism Kohlbergs Cognitive Moral Development Theory:
The theory is based on typical abstract principles of US males such as fairness, impartiality, rights, maintenance
of rules. A student of Kohlberg and Carol Gilligan would have liked to see ethic of care, with focus on empathy,
harmony and interdependence, not putting fairness and justice above the need to achieve peaceful settle of
problems.

27

Acceptability of solution does not necessarily depend on the method of reasoning. In fact, moral actions are not
necessarily always decided by formal reasoning.
Assuming individual development. Individuals make different decisions in different circumstances (they have
multiple ethical stances). Hence situational influences (issue-related factors such as moral intensity/magnitude
of consequences and moral framing/language and context related factors such as reward mechanism, authority,
organizational culture and national and cultural context etc.)
Positions on Social Responsibility by Gray, Owen & Adams: Relativism (Corporate Perspective)
Gray, Owen and Adams provide seven positions to view social responsibility;
1) Pristine Capitalist (Only shareholders wealth maximization is everything. Any act of socially
responsibility that reduces shareholders wealth is destroying shareholder values and is beyond the
mandate being given to agents/directors.)
2) Expedients (Recognizing some social responsibility expenditure may be necessary to strategically
position an organization to maximize its profits. Therefore, some form of social responsibility can be
taken if it increases overall image or profitability.)
3) Proponents of Social Contract (Business enjoys a license to operate which is granted by society as long
as business acts in appropriate way, so businesses need to be aware of the norms acceptable by society.)
4) Social Ecologist (Recognizes that a business has social and environmental footprints, therefore it must
accept responsibility of minimizing footprints.)
5) Socialist (Actions of business are those of the capitalist class oppressing other class of people. Business,
therefore, should be conducted in a way to redress and reprimand imbalances or inefficiencies in society
and going beyond shareholders to stakeholders.)
6) Radical Feminist (Society and business should be based on feminine characteristics such as equity,
dialogue, compassion and fairness. It is argued that society and business are based on masculine values
representing aggression, power, assertiveness, hierarchy, domination and competitiveness.)
7) Deep Ecologist (Humans have no more intrinsic right to exist than any other species. It is argued that
just because humans are able to control and subjugate social and environmental systems does not mean
that they should. A full recognition of each and every stakeholder claims would halt the business to
continue as it normally does.)
Ethics in Exam: (Solving Ethical Dilemmas)
AAA Model: (FIN-ABCD)
The American Accounting Association Model was set out in a report by Langenderfer and Rockness in 1990
and as follows;
F What are the FACTS of the case?
I What are the ethical ISSUES in the case?
N What NORM, principles and values are related to the case?
A What is the ALTERNATIVE course of action?
B What is the BEST course of action that is consistent with these norms, principles and values?
C What are the CONSEQUENCES of each possible course of action?
D What is the DECISION?

28

Tuckers 5 Question Model:

Tuckers Model can be used to determine the most ethical outcome in a particular situation. The five questions
are as follows;
Profitable? (Criticism: compared with what? Are we discussing business or moral dilemmas?)
Legal? (Criticism: will depend on the relevant jurisdiction)
Fair? (Criticism: From whose perspective?)
Right? (Criticism: Deontological vs. Teleological Theories)
Sustainable? (Criticism: Will it harm or protect environment?)
Corporate Codes of Ethics:
Codes are formal documents containing a series of statements setting out the organizations values and
explaining how it sees its responsibilities towards stakeholders. The focus is on regulating individual employee
behavior.
Amongst the purposes served by such Code of Ethics includes; (SCRIC)
S Succinctly establishing organizations values.
C Conveying organizations values to stakeholders.
R Reputation/promotion of business objectives.
I Identifying stakeholder and promotion of stakeholder responsibilities.
C Controlling/influencing individuals behavior.
For Code of Ethics to have a real impact, merely enacting them is not enough. The following also need to be
ensured;
The managements commitment.
Positively discouraging previous behaviors.
Educating staff on the need for the change.
Supplementing the code with detailed training and practical guidelines, with proper reporting
procedures.
Addressing inherent problems with the codes (inflexibility, lack of clarity, deemed irrelevancy, failed
role models etc.)
Professional Codes of Ethics:
The same principle of Rules Based vs. Principles Based applies to Professional Codes of Ethics as well. The
two main codes we need to consider are the Code of Ethics & Conduct issued by ACCA and Code of Ethics
for Professional Accountants (2009) issued by IFAC.
Among the fundamental principles are; (PICOP)
P Professional competence and due care.
I Integrity (straightforward and honest)
C Confidentiality (unless disclosure is required by law/profession)
O Objectivity (no biasness, conflict of interest or undue influence)
P Professional Behavior (avoid any action that discredits the profession)

29

Both IFAC and ACCA identify the following ethical threats to compliance with the fundamental principles;
Self-Interest Threat
1) Financial interest (e.g. owning shares)
2) Close business relationships (partnership with client, distribution/marketing for clients etc.)
3) Employment with client (staff moving to client may result in him attempting to impress future
employer, partner becoming finance director means over-familiarity with audit firms system 2
years should pass before a partner may take up such employment, other staff should let the firm
know ASAP he becomes interested in employment with a client.)
4) Partner on client board (although secretarial services may be fine as long as purely administrative)
5) Family and personal relationship (appropriate disclosures requirements should be in place.)
6) Gifts and hospitalities (unless clearly insignificant)
7) Loans and guarantees (unless by a financial institution and on normal commercial basis)
8) Overdue fees (this amounts to extending loan to client)
9) Contingent/percentage fees.
10) High percentage of fees from one client/group. (generally, should not exceed 15% of firms total
earned fee, but in cases of listed companies/public interest companies, the figure should be 10%)
11) Lowballing (quoting significantly lower fee than predecessor firm)
12) Recruitment (management decisions should not be taken by audit firm, although they may review a
shortlist prepared by the client.)
In many cases, materiality of the interest will have to be considered. Clearly insignificant interests do not pose a
threat. Where there is a risk, safeguards may include;
1) Disposing of the interest.
2) Removing the individual from team.
3) Informing the audit committee of the client.
4) Using independent partner (or professional) to review the work,
5) External/internal quality control review.
6) Modifying assurance plan/resigning.
7) Taking steps to reduce dependency on the client.
8) Consulting third parties such as ACCA.
9) Complying with all assurance standards.

Self-Review Threat
This threat may arise mainly due to multiple services that assurance service providers may offer (e.g.
book-keeping, valuation, actuarial services, internal audit, management functions, legal services, human
resources and designing and implementation of financial information systems). Sarbane-Oxley rules
prohibit these, through many are generally allowed in UK with suitable safeguards. Other services
include IT services, temporary staff cover and legal services etc.
The rules mainly deal with public listed companies and public interest companies i.e. companies which
due to their size, nature or product are in the public eye.
This threat may take the following forms:
1) Recent services with assurance client.
30

2) Preparing accounting records/financial statements or preparing source documents/changing journal

entries (as opposed to assisting management with preparation thereof and giving general advice etc.)
3) Valuation services where valuation is material to the financial statements. Clients must always
understand valuation and assumptions used and acknowledge responsibility for valuation.
4) Corporate finance services. (no promotion, dealing in or underwriting of clients shares, no binding
of client and no management decisions on behalf of the client.)
5) Provision of tax advice is generally not considered a threat. Same with internal audit (except in
USA) as long as the client acknowledges its responsibility for establishing, maintaining and
monitoring the system.

Advocacy Threat
The obvious example of this threat is when the client is offered legal advice, but other examples include
advising on debt reconstruction and negotiations with a bank on behalf of the client.
The firm should determine the materiality of the risk and ideally use different departments for these
services. Disclosures to clients audit committee should also be considered. Where the risk is too high,
withdrawal from engagement may be the only option.

Familiarity Threat
Familiarity may arise due to family/personal relationship with client, employment/recent services with
assurance client, or long association with client. Staff rotation, second partner review and independent
quality control review are the relevant safeguards.

Intimidation Threat
Intimidation may involve actual or threatened litigation or second litigation. In case of the latter, the
second firm cannot give formal audit opinion (as only the appointed auditor can do that), but the fear for
the first firm will be to lose the client to the second firm for the following year. In any event, the second
firm should seek the firsts permission before taking on the work and must ensure it has all the
information to give the opinion.

Ethical safeguards against the threats are also covered by both IFAC and ACCA. Such safeguards may be
professional/legal or internal to the firms.
Amongst professional/legal safeguards include;
Educational training and experience requirements.
Continuing professional development requirements.
Corporate governance regulations.
Professional standards.
Professional/regulatory monitoring and disciplinary proceedings.
Accountancy Profession & Public Interest:
IFACs Code of Ethics defines professionalism in terms of professional behavior. Professional behavior
imposes an obligation on professional accountants to act in the public interest. They should comply with
relevant laws and avoid any action that may discredit the profession. Public interest is the collective well-being
31

of the community of people and institutions that the professional accountant serves. These are who matter and
not individual client/employer.
Attributes of a modern professional include: maintaining confidentiality, upholding ethical standards, preparing
(and interpreting) financial information and statements, communicating effectively and managerial skills.
Critics have maintained that the accountants definition of public interest is too closely tied with their own selfinterest. The objection is that this model leads to accountant being seen as a servant of capital. It results in lack
of equality, fails to increase social welfare or equally distribute maximized profits, does not address
environment all concerns and focuses narrowly on utilitarianism. It is also said that the rules are too passive,
lacking a positive duty to detect and report fraud, prefers client confidentiality over disclosure in public interest
and provision of non-audit services etc.
Threat for Employee Accountant:
There may be inevitable conflicts for an employee accountant in the following areas:
1) Confidentiality (note the accountants duty, in the public interest, to report an errant employer)
2) Interest served (accountant has a duty to wider stakeholders group)
3) Organizational vs. Professional Norms
4) Requirements for obedience
The main threat is pressure from employer to act contrary to law or technical/professional standards or to
mislead auditor etc. Lack of time, lack of information, insufficient training/experience and inadequate resources
are other factors leading to threats, as are financial interests (inside information).
Safeguards include using formal procedures within the organization, consultation with ACCA or lawyers and
disclosures where relevant. Finding sufficient time and expertise/training will also help in certain cases.
Bribery & Corruption:
Bribery is the offering, giving, receiving or soliciting of any item of value to influence the actions of an official
or other person in charge of a public/legal duty. Corruption is deviation from honest behavior and includes not
just bribery but also abuse of a system, bid rigging and cartels etc.
Failing to report bribery is also an offence now under three Bribery Act 2011. Organizations are liable if their
employees pay bribe (unless they can show adequate procedures to prevent bribery were in place)
Bribery leads to lack of honesty, good faith and to conflict of interest (personal gain/exposure vs. duty),
misallocation of resources threatening fair market. Facilitation payments need to be carefully considered to
ensure bribe is not paid.
The UK guidance setting up adequate procedures is based on 6 principles;
1) Proportionate procedures (risk, nature, size and complexity of risk/business)
2) Top level commitment
3) Risk assessment (certain businesses/countries are more prone)
4) Due diligence
32

5) Communication (embedding awareness through formal and unambiguous statements with zero tolerance
policy, general and specific training, anti-bribery codes, strong internal controls and effective whistle
blowing/disclosures arrangements)
6) Monitoring and review (risk is dynamic)
Corporate Social Responsibility (CSR):
CSR refers to organizations considering and managing their impact on variety of stakeholders including; local
community, environment, customers, suppliers, shareholders, employees etc. A corporation is an artificial
person in law and therefore it has same rights and responsibilities as of human beings.
According to Carroll, CSR encompasses the economic, legal, ethical and philanthropic expectations placed
on organizations by society at a given point in time.
Corporate Citizenship:
Corporate Citizenship is the business strategy that shapes the vales underpinning a companys mission and the
choices made by its officers as they engage with society. Three core principles are minimizing harm,
maximizing benefit and being accountable and responsive to stakeholders.
Corporate Citizenship has also been criticized as bringing in consideration that interfere with free market
notion. Economic self-interests, it is said ,ensures maximum economic growth and hence maximum social
welfare.
Social/Environmental Effects of Economic Activity:
While businesses can certainly have positive effects, the adverse effects include depletion of natural resources,
noise and aesthetic impacts, residual air and water emissions, long-term waste disposal, uncompressed health
effects and change in the local quality of life.
Sustainability:
Sustainability is about only using resources (inputs) at a rate that allows them to be replenished and confining
emissions (outputs) of waste to levels that do not exceed the capacity of the environment to absorb them. In
other words, sustainability is not a fixed state of harmony but a process of change in which exploitation of
resources is consistent with future as well as present needs.
This concept of needs was central to the UN World Commission on Environment and Development, the report
stated that what was required was political, economic, social, production, technological, international and
administrative systems.
Sustainability raises obvious questions such as;
For whom should we sustain? (humans, other species, future generations)
How should we sustain? (social, environmental, economic sustainability)
How long should we sustain and at what cost? (compensation vs. preservation)
Week sustainability proponents argue that sustainability should only be about human beings and that natural
environment can be considered as a resource. They do however accept that a better mastery of natural resource
should be pursued. Supporters of strong sustainability, however, advocate far more fundamental changes they
33

want sustainability for all species and want a complete re-think of how man sees economic growth. They are for
preservation rather than compensation.
Reporting:
Global Reporting Initiative (GRI) is a reporting framework aiming to develop transparency, accountability,
reporting and sustainable development. Reporting on SEE (social, environmental, economic) importance should
be routine, comparable to financial reporting (triple bottom line: people, planet, profit or TBL/3BL).
The advantages of these special reporting are better risk-management, reduction in environmental footprint and
favorable publicity, but the disadvantages include higher cost, vagueness, confusing signals and
misunderstandings.

34