Summary Internal Control and Risk Management
2024
Chapter 1-3
Examples of real life cases where there was no internal control:
1. Theranos
-> healthcare company founded by Elisabeth Holmes which claimed to be able to
perform a full set of tests using just a couple of drops of blood. It turned out they
weren’t complying with the rules and regulations surrounding blood testing. Their
financial statements were audited in 2017 and one year later the company
collapsed
2. Wirecard
-> payment processing company founded in Germany which faked bank
statement information to convince investors they had enough cash on hand. They
went bankrupt in 2020.
3. Luckin Coffee
-> a coffee company founded in 2017. It was discovered in 2020 that they
inflated their 2019 revenue by 310 million dollars by booking sold vouchers are
revenue, even though they vouchers had not yet been redeemed.
4. Enron, WorldCom, Arthur Andersen
-> Corporate debacles involving Enron and WorldCom, and the resulting demise
of Arthur Andersen audit firm led to the Sarbanes-Oxley Act (SOX) in 2002. This
act had to restore investor confidence in the capital markets and the audit
profession.
Section 302: CEO’s and CFO’s of companies are responsible for internal control:
they need to evaluate the effectiveness of these controls and report this
evaluation
Section 404: mandates the annual filling of an internal control report to the
Securities and Exchange Commission (SEC)
Preventive internal controls:
1. Segregation of duties
= splitting an activity in parts and have these different parts be performed by
different people
2. Procedures
= any form of formal steps that need to be
performed
Detective internal controls:
3. Analytical reviews
= checking something that is against something that
should be
Using the diagrams:
Circles: economic events
Squares: information transformation points
, Arrows: information flows (can introduce errors into the process)
Dashed squares: organizational goals
Dashed arrows: control activities
Introduction college:
Enterprise risk management (ERM) = the comprehensive process of
identifying, categorizing, prioritizing, and responding to a company’s risks
Four steps of ERM are:
1. Identify
2. Categorize
3. Prioritize
4. Respond
Risk statement contains two parts:
1. The issue
2. The possible outcome
Categorizing risks:
▪ Internal (= occur throughout a company’s operations and arise during normal
operations)
1. Operational
= these risks are a priority because they result from inadequate or failed
procedures within the company
-> technology risk is an operational risk and exists when technology failures have
the potential to disrupt business
2. Financial
= specifically refers to money going into and out of a company and the potential
loss of a substantial sum
3. Reputational
= occurs when the reputation of a company is damaged
▪ External (= not related to business operations and come from outside the
company)
1. Compliance
= occurs when a company fails to follow regulation and legislation and is
subjected to legal penalties
2. Strategic
= the inevitable risk that results when a strategy becomes less effective
3. Physical
= threats such as adverse weather, crimes, and physical damage
The most common way to determine seriousness of a risk is by severity
-> this is the likelihood of risks occurring and their potential impact on the
company
A quantitative approach to assess risks is applying a 1-5 point score to the
2024
Chapter 1-3
Examples of real life cases where there was no internal control:
1. Theranos
-> healthcare company founded by Elisabeth Holmes which claimed to be able to
perform a full set of tests using just a couple of drops of blood. It turned out they
weren’t complying with the rules and regulations surrounding blood testing. Their
financial statements were audited in 2017 and one year later the company
collapsed
2. Wirecard
-> payment processing company founded in Germany which faked bank
statement information to convince investors they had enough cash on hand. They
went bankrupt in 2020.
3. Luckin Coffee
-> a coffee company founded in 2017. It was discovered in 2020 that they
inflated their 2019 revenue by 310 million dollars by booking sold vouchers are
revenue, even though they vouchers had not yet been redeemed.
4. Enron, WorldCom, Arthur Andersen
-> Corporate debacles involving Enron and WorldCom, and the resulting demise
of Arthur Andersen audit firm led to the Sarbanes-Oxley Act (SOX) in 2002. This
act had to restore investor confidence in the capital markets and the audit
profession.
Section 302: CEO’s and CFO’s of companies are responsible for internal control:
they need to evaluate the effectiveness of these controls and report this
evaluation
Section 404: mandates the annual filling of an internal control report to the
Securities and Exchange Commission (SEC)
Preventive internal controls:
1. Segregation of duties
= splitting an activity in parts and have these different parts be performed by
different people
2. Procedures
= any form of formal steps that need to be
performed
Detective internal controls:
3. Analytical reviews
= checking something that is against something that
should be
Using the diagrams:
Circles: economic events
Squares: information transformation points
, Arrows: information flows (can introduce errors into the process)
Dashed squares: organizational goals
Dashed arrows: control activities
Introduction college:
Enterprise risk management (ERM) = the comprehensive process of
identifying, categorizing, prioritizing, and responding to a company’s risks
Four steps of ERM are:
1. Identify
2. Categorize
3. Prioritize
4. Respond
Risk statement contains two parts:
1. The issue
2. The possible outcome
Categorizing risks:
▪ Internal (= occur throughout a company’s operations and arise during normal
operations)
1. Operational
= these risks are a priority because they result from inadequate or failed
procedures within the company
-> technology risk is an operational risk and exists when technology failures have
the potential to disrupt business
2. Financial
= specifically refers to money going into and out of a company and the potential
loss of a substantial sum
3. Reputational
= occurs when the reputation of a company is damaged
▪ External (= not related to business operations and come from outside the
company)
1. Compliance
= occurs when a company fails to follow regulation and legislation and is
subjected to legal penalties
2. Strategic
= the inevitable risk that results when a strategy becomes less effective
3. Physical
= threats such as adverse weather, crimes, and physical damage
The most common way to determine seriousness of a risk is by severity
-> this is the likelihood of risks occurring and their potential impact on the
company
A quantitative approach to assess risks is applying a 1-5 point score to the
