FAQs

What is the Board’s Exposure to Identified Business Fraud?

What is the board’s liability/exposure to identified business fraud?

Corporate criminal laws are being revised and strengthened across the globe in response to the development of sophisticated fraud schemes, advancements in technology facilitating these schemes, and corporate collapses arising from business fraud. Fraud schemes can take many forms and range from the simple to the complex in how they are perpetrated. Whether the fraud is internal or external, ranging from asset misappropriation and embezzlement through to cyber attacks and supplier or customer fraud, the cost to your business can be significant.

You can read about internal and external fraud here.

Core Principles owed to Corporate Entities

To understand the board’s potential liability for identified business fraud, we must consider the fundamental principles relating to directors and their obligations to a company. This includes understanding the concept of the “corporate veil”, that is, the legal distinction between a corporation and its shareholders, directors, and officers.

This principle establishes that a company is a separate legal entity from its owners, thus protecting them from personal liability for the company’s debts and obligations. Conceptually, the “corporate shield” protects directors’ personal assets from business-related risks and liabilities.

For companies incorporated and operating in Australia, directors and officeholders owe strict duties and obligations to the company. These obligations, often referred to as fiduciary duties, are derived from common law, equity and statute. The four main legal duties based on general law and statute are to:

  1. Act in good faith and for a proper purpose
  2. Act with reasonable care, skill and diligence
  3. Not improperly use information or position
  4. Disclose and manage conflicts of interest

What about Charities and NFPs?

Importantly, for charities and not-for-profits, including incorporated associations and those registered with the Australian Charities and Not-for-profits Commission (ACNC), the directors or committee members are obliged under the governance standards and held to the same level of responsibility and accountability.
These duties, summarised below, are extracted from ACNC Governance Standard 5: Duties of Responsible Persons:

  • To act with reasonable care and diligence;
  • To act honestly and fairly in the best interests of the charity and for its charitable purposes;
  • Not to misuse their position or information they gain as a responsible person;
  • To disclose conflicts of interest;
  • To ensure that the financial affairs of the charity are managed responsibly; and
  • Not to allow the charity to operate while it is insolvent.

When the “Horrible” Happens

When a business fraud occurs, the spotlight is inevitably turned to the directors and officers of the company. The questions asked include:

  • What did the directors and other officers do to minimise the risk of organisational fraud occurring?
  • Can the directors and other officers be held personally liable for what has occurred?
  • Can those directors and other officers demonstrate that they have adequately discharged their duties when the organisation falls victim to fraud?

Strategies to Reduce Personal Liability from Business Fraud

As they say, prevention is better than cure. From the outset, an organisation is best placed to mitigate fraud through measures including:

  • Promoting a strong ethical corporate culture and “tone at the top”;
  • Implementing a carefully designed and effectively operating internal control environment; and
  • Ensuring there are documented policies, procedures and protocols bolstered with ongoing training and awareness.

Establishing a Framework for Managing Fraud Risks

It is crucial for organisations to have checks and balances in place to identify and prevent fraud. You can read about ‘recognising the red flags’ and obtain practical suggestions to combat business fraud here. Other advisable measures for directors and office holders include deeds of indemnity and insurance.

Understanding Deeds of Indemnity

A deed of indemnity is a contractual agreement between a company and a company director. A deed of indemnity can help to indemnify a director against liabilities or legal costs incurred in his or her professional capacity as a director of the company.

It also commonly deals with matters such as access to documents and insurance. Importantly, the indemnity and insurance clauses detail specifically:

  1. The company’s indemnity in favour of the director (including the rights and obligations of the parties in the event that a party seeks to rely on the indemnity), and
  2. Each party’s rights and obligations in relation to directors’ and officers’ (D&O) liability insurance, which can include the type and term of insurance cover to be maintained.

It is preferable for a director to enter into a separate deed with the company to provide protection for the director, particularly for the period of time after they cease serving as a director of the company. The scope of each deed of indemnity will depend on the position agreed by the company and the director.

It is prudent for the director to obtain independent legal advice before entering the deed of indemnity.

Exploring D&O Insurance

Directors and officers (D&O) insurance indemnifies a director for liabilities incurred in the role of director. It is similar to a deed of indemnity but provides important additional protection where the company:

  • is legally prohibited from indemnifying a director;
  • decides not to indemnify a director; and/or
  • is unable to indemnify a director because, for example, it is insolvent.

D&O insurance offers additional benefits such as continuity of cover (after a director ceases holding office) and clarity regarding the ongoing rights and obligations of the directors and the company.

There are new and emerging risks that can lead to legal actions and claims, including allegations and instances of business fraud, breach of privacy, environmental liability, employment practice liability, and other disclosure and regulatory issues.

Directors and officers should consider their personal risk appetite to ensure any material business risks are captured in the relevant deed of indemnity and insurance policy.

A Word of Caution

As noted earlier, the “corporate veil” can potentially be “lifted” (or figuratively “pierced”), ultimately reducing or eliminating the protections afforded by the corporate shield and exposing directors’ personal assets to business-related risks and liabilities.

Directors can be personally exposed in circumstances including:

  1. Breaches in fiduciary duties: This includes not acting in the best interests of the company, not managing material conflicts of interest, failing to exercise their powers and discharge their duties in good faith, or intentional dishonesty.
  2. Fraud: If a director uses the company for fraudulent purposes, they can be personally liable for the company’s liabilities.
  3. Insolvent Trading: Directors can be personally liable if they allow the business to incur debt while insolvent.
  4. Avoiding Legal Obligations: If a director uses the corporate structure to avoid legal responsibilities, courts may lift the veil to hold them personally accountable. This includes illegal phoenix activity.
  5. Statutory Regimes: Various laws, including the Corporations Act 2001, Australian Consumer Law, and Taxation Administration Act 1953, can impose personal liability on directors for specific violations.
  6. Personal Guarantees: Directors or shareholders may voluntarily accept personal liability for business debts.

Safeguard Against Personal Liability Due to Business Fraud

A strong ethical culture, a carefully designed and effectively operating internal control environment, and ongoing internal and external audit activity offer the greatest preventative protection for your business against fraud. Obtaining relevant indemnities and insurance policies offers directors additional defensive protection in the event of an allegation or instance of business fraud.

For an obligation-free chat, get in touch with the Bishop Collins Audit team. We can assist you with audit and assurance services, during which our experts will provide advice and guidance on how to protect your business against fraud, or how to deal with any fraudulent activity you suspect.

If you’re interested in learning more about internal and external audit, fraud risk management, and awareness training, get in touch with us for an obligation-free chat or simply call us on (02) 4314 8020.

Fraud Prevention

Recognising the Red Flags: Signs of Employee Embezzlement

In our complex and sophisticated business environment, fraud is an ongoing risk and concern for businesses. New scams and patterns emerge as new opportunities present themselves and fraudsters find ways around detection and prevention measures.

However, there are known fraud schemes that occur again and again, across different geographies, business types, and industry sectors. These schemes are often simple, but the impact on your business can be significant. Sadly, these fraud schemes are most often perpetrated from within the organisation. These cases are known as internal fraud, the most common type of which is embezzlement.

At Bishop Collins, we specialise in audit and assurance services designed to protect your business against internal and external fraud. This guide will explore what embezzlement entails, red flags to watch out for, and strategies you can use to help combat internal fraud in your organisation.

Internal vs External Fraud

Business fraud can occur internally and externally in an organisation. Internal fraud is any criminal act committed by someone associated with a business. This could be a staff member, a member of management or a member of governance. For example, an employee might make deposits into their own account or pay personal expenses on the corporate account.

External fraud is committed against an organisation from the outside. This might be technological threats courtesy of hackers, suppliers who lie about the work they did or services provided, and sadly, customers who attempt to return imitated or stolen products.

Types of Internal Fraud

Internal, or occupational, fraud generally falls into three categories:

  • Asset misappropriation: Involves an employee stealing or misusing the employer’s resources.
  • Financial statement fraud schemes: Where the perpetrator intentionally causes a material misstatement or omission in the organisation’s financial statements.
  • Corruption: This includes offences such as bribery, conflicts of interest, and extortion.

In this article, we’ll focus on the widespread issue of embezzlement as a main type of asset misappropriation fraud. This type of internal fraud is also known as occupational fraud.

Asset Misappropriation Fraud: The Prevalence of Embezzlement

Embezzlement is among the most damaging types of asset misappropriation fraud businesses face. Employees can exploit their position within a company to commit acts of theft which, in many cases, go undetected for long periods.

Embezzlement usually falls within two distinct categories: physical cash (including receipts or disbursements) and inventory or other assets.

Physical Cash, such as petty cash, can be simply taken by a perpetrator. Cash receipts fraud includes taking amounts received from customers which should, ordinarily, be banked. This includes schemes such as ‘skimming’ and cash larceny.

Disbursement fraud is becoming more commonplace in our technologically connected and complex business environment. This includes billing schemes, payroll schemes, expense reimbursement schemes, payment tampering, and register (or point-of-sale) disbursements.

Inventory and other assets frauds involve the misuse of employer assets as well as larceny. Larceny of other assets includes asset requisitions and transfers, fabricated sales and shipping, and purchasing and receiving schemes.

Embezzlement vs Larceny

Interestingly, there are subtle legal differences between embezzlement and larceny. These differences depend on the jurisdiction of the offence that occurred (as well as the specific circumstances).

In broad terms, the main difference is based on who had possession of the asset when it was taken. If the property was in the possession of the perpetrator, then it would be treated as embezzlement. If the asset was taken when in possession of the employer, however, then the matter will potentially be treated as larceny.

Who is at Risk of Internal Fraud?

All organisations have a susceptibility to internal and external fraud. Businesses with fewer than 100 employees are at much higher risk for employee fraud and embezzlement than larger corporations are.

Moreover, organisations with the fewest employees have a higher median loss in employee fraud cases. Small businesses also struggle more heavily to recover from these losses compared with larger businesses.

Fraud arising from dishonest behaviour not only undermines profits, operating efficiencies and reliability, but it can also severely damage an organisation’s reputation.

How Does Internal Fraud Occur?

In nearly 50% of internal fraud cases, the opportunity for fraud to be perpetrated was a result of either inadequate internal controls or internal controls simply being bypassed.

Interestingly, there is an inverse relationship between the internal control weakness and the character of the perpetrator. For example, employees perpetrating fraud do so through a lack of internal control or override of existing controls.

In contrast, executives largely override existing controls or there is an inadequate ethical culture (i.e. ‘tone at the top’) rather than there being a lack of internal control. For executives, it’s often their level of influence, authority and access within an organisation that affects how they can perpetrate fraud in this manner.

Unsurprisingly, the frequency of embezzlements committed by executives was less than by employees, although the financial loss incurred was markedly greater, by about six times.

The Red Flags of Embezzlement

When a person is engaged in internal fraud, particularly embezzlement, that person will often display certain behavioural traits that tend to be associated with fraudulent conduct. It’s important to watch out for these red flags in efforts to identify, manage, and ultimately prevent employee fraud from occurring at your workplace.

Organisations with potentially greater exposure to internal fraud might have employees exhibiting the following characteristics, at least one of which has been exhibited by over 80% of reported fraudsters:

  • Are unwilling to share duties, or avoid having others assist or relieve them.
  • Work long hours, including returning to work after hours and on days off (including weekends).
  • Resist taking annual, long service or sick leave.
  • Resign or leave suddenly.
  • Have a large number of void transactions, or conversely, have a low number of transactions.
  • Replace existing suppliers with suppliers that they have a close connection with.
  • Refuse to implement, or adhere to, internal controls (e.g. skipping approvals, failing to keep appropriate or accurate records or receipts).
  • Are unusually or overly inquisitive about the company’s payment system, or seek access to areas which they should not be able to access.
  • Exhibit financial hardship, such as always appearing unable to meet financial liabilities, or seeking loans and pay advances.
  • Have past legal and/or compliance problems.

In addition, employees engaging in embezzlement may start to exhibit other unusual behaviours or attitudes. Look out for people who seem to live a lifestyle above their means, or who start to lavish expensive gifts on their colleagues.

You might also see bullying of other employees, a fraudster being affected by significant personal stress, displaying a strong sense of entitlement, or simply being openly unhappy with their employer (such as complaints about pay or leave entitlements).

How You Can Combat Embezzlement

As we often say at Bishop Collins about issues like fraud, prevention is always better than a cure. Every process, especially those involving cash and assets, should have checks and balances in place to identify and prevent fraud.

Our experts offer practical tips on how to reduce the risk of internal fraud within your business, which can go a long way in safeguarding your assets, finances, and reputation.

Promote an Ethical Culture in Your Entity

This is often referred to as the ‘tone at the top’. A good ethical culture also includes having clear policies and protocols relating to fraud prevention and detection, embezzlement awareness training (including refresher training), conflicts of interest, related party transactions and secondary employment.

Establish Strong Human Resource Management

This includes employee screening, implementing an equitable remuneration system, and providing job descriptions that segregate duties. It can also be beneficial to provide adequate training and education for your employees in the areas of fraud detection and management.

It’s important to effectively communicate policies and expectations of compliance to your team so they understand the far-reaching negative effects of embezzlement, which goes a long way in deterring unwanted behaviours. Finally, ensure your company understands things like audit regimes and the consequences of non-compliance.

Separate Duties and Delegations

As the old saying goes, be wary of putting all your eggs in one basket. Having only one or two employees responsible for key areas of finances and reporting can be risky.

Instead, delegate various tasks to more people within the business to ensure an even, safer spread of responsibilities. This includes appropriate and independent management oversight as well as restricted thresholds for transaction processing.

Review and Update IT Accesses and Transaction Processing

Assign access privileges with care and due diligence, and make a note of who controls what. This is also referred to as access on a need-to-know basis.

You may also want to consider restricting access to transaction processing or placing dollar value limits on transactions. This can help to keep larger processing amounts away from potential fraudsters, reducing the risk of fraud temptation and occurrence.

Invest in Strong Security Measures

Oftentimes, embezzlement and internal fraud can be caught at the very first instance (or even, ideally, prevented due to recognising red flags) thanks to good quality security measures within a workplace.

Invest in physical security like safes, CCTV, and physical access restrictions to ensure the safety of your business assets.

It’s also a good idea to actively and regularly test existing internal controls and fraud countermeasures, which may involve security and other measures you implement in your organisation. Watch for gaps, failures, or anything that doesn’t have the desired effect, and make changes where necessary.

Actively Monitor Employee Functions and Leave

No company wants to be overbearing, but there is a way to actively and supportively monitor your employees’ movements without being ‘that boss’. Ensure you’re up to date with your staff members’ functions and leave balances by taking an active approach to management.

Consider regularly rotating staff in high-risk positions and establishing requirements for staff to take annual leave regularly. Check in with your team via routine meetings and progress reports, and take a vested interest in their wellbeing. This not only allows you to stay close to goings-on in the business but also positions you as an attentive boss – one who cares, and one who won’t miss potential embezzlement attempts.

Regularly Audit Your Business

Regular accounts auditing is one of the most effective ways to spot anomalies that could signal fraud is taking place. External audits are mandatory for many businesses, but others elect to undertake these voluntarily. An internal audit can also help identify anomalies and irregularities.

At Bishop Collins, we specialise in conducting audits for a wide range of organisations. If you require assistance with your audit, get in touch with our team.

The Bottom Line: Develop a Fraud Risk Management Framework

A fraud risk management framework, encompassing internal and external audits, offers greater protection for a business against fraud. This kind of comprehensive fraud risk management encompasses awareness, prevention, and detection, which makes understanding and recognising red flags a crucial prevention strategy.

The secret to creating a good fraud risk management framework lies in investing in regular fraud awareness education for your employees. These training sessions help educate your employees on what constitutes internal fraud, corruption, and employee misconduct, as well as the common red flags that are exhibited by those committing fraud.

Early detection, and encouraging employees to speak up and report concerns, allow your business to limit your losses due to internal fraud.

Protect Yourself Against Fraud With Bishop Collins

Internal fraud and embezzlement can come at a serious cost to your business, both financially and in terms of reputation. It’s something that can get out of hand very quickly if the proper safeguards are not in place.

Internal fraud management can seem daunting – with so many moving pieces and important strategy aspects to consider, it can feel like a full-time job. This is where the team at Bishop Collins can help.

We can chat through your concerns and pinpoint areas of improvement within your business, as well as conduct thorough audits and training to ensure you’re protected against embezzlement.

If you’re interested in learning more about internal and external audit, fraud risk management, and awareness training, get in touch with us for an obligation-free chat or simply call us on (02) 4353 2333.

Taxation & Tax Tips

How Tax Audit Insurance Can Protect Your Business

What Is Tax Audit Insurance?

Tax audit insurance is an insurance policy that can be obtained for an individual, company, self-managed super fund (SMSF) or company directors. Depending on the scope of the policy, this insurance helps cover the professional fees of your accountant or advisor in assisting you to respond to an audit, inquiry, investigation, review or examination of returns lodged with the Australian Taxation Office (ATO) or other government revenue authorities.

The probability of a review occurring has escalated due to government authorities increasingly using data matching, artificial intelligence, and even social media, to compare disclosures made in your lodged tax returns to those of other taxpayers or benchmarks. The use of Single Touch Payroll (STP), for example, allows the ATO to identify businesses (registered for STP) that have not met their PAYG and SG payment requirements. This facilitates greater compliance cross-checking, leading to more audit activity.

Should the ATO or other government revenue authorities undertake one of these audits or reviews of lodged returns or financial compliance obligations, the costs and resources dedicated to responding to their queries can potentially be quite substantial.

Accordingly, the tax audit insurance policy is designed to protect you and your business (or SMSF) from the unexpected costs incurred in responding to the review or audit by reimbursing you for the related professional fees and costs.

Why is Tax Audit Insurance Important?

Tax audits are no longer targeted simply at big businesses and the wealthy. Small to medium enterprises, SMSFs, and individuals with rental properties or trust structures are subject to review and investigation by the ATO.

Noticeably, taxpayers with cryptocurrency assets and those with excessive work-related deductions are potentially earmarked for scrutiny. The ATO also utilises benchmarks to home in on the ‘cash economy’ to identify businesses not declaring all of their income. Non-compliance in these areas attracts a greater chance of being audited.

The most common audits are those undertaken by the ATO in relation to personal or business returns. However, compliance audits are also becoming more common, particularly those in relation to payroll tax obligations.

Should you or a related entity be selected for review, the audit or investigation process can be quite time-consuming. Depending on the type of audit, the scope of the review and the number of periods being audited, the related professional fees can add up.

Which Entities Can be Covered?

Tax audit insurance policies vary between insurers (or brokers). However, some common policies include cover for the following:

  • business audit only;
  • business and directors audit;
  • individual cover (for insured parties that are not a corporation);
  • self-managed superannuation fund cover.

The particular policy may also include additional coverage for things such as investigation cover and other such items.

You should speak with your broker or advisor to determine which policy and cover might be relevant to your circumstances.

Which Tax-Related Laws Do Tax Audit Insurance Policies Typically Cover?

There are a number of laws and regulations that may be covered in a tax audit insurance policy. These include:

  1. Income Tax Assessment Act 1936 (Cth);
  2. Income Tax Assessment Act 1997 (Cth);
  3. Taxation Administration Act 1953 (Cth);
  4. Fringe Benefits Tax Assessment Act 1986 (Cth);
  5. A New Tax System (Goods and Services Tax) Act 1999 (Cth);
  6. Superannuation Guarantee (Administration) Act 1992 (Cth);
  7. Termination Payments Tax (Assessment and Collection) Act 1997 (Cth); or
  8. any legislation of an Australian State or Territory relating to payroll tax.

Additionally, your policy cover might include coverage of the professional costs associated with certain types of audits and reviews, including:

  • BAS/GST Compliance
  • Capital gains tax
  • Borrowing rules (LRBAs)
  • FBT
  • Income, Land and Payroll Tax
  • Record Keeping
  • Self-Managed Superannuation Funds and SIS contraventions
  • Superannuation Guarantee and Compliance
  • Workers Compensation / WorkCover

Some policies also include retrospective protection (that is, previously lodged returns are covered) as well as specialist fee cover (that is, fees of any other external specialists such as taxation lawyers or consultants).

A Word of Caution…

Before taking out a tax audit insurance policy, ensure you obtain advice and review the inclusions and exclusions of the policy carefully. Items generally not covered by tax audit insurance policies can include:

  • Fines or penalties imposed, or any amounts payable pursuant to an amended notice of assessment or adjustment. This includes, for example, any additional tax, duty or similar payments.
  • Matters in relation to applications, assessments or reviews of government benefits, entitlements, grants and any form of activity involving a review relevant to you maintaining industry status (e.g. licence compliance, membership).
  • Costs for work incurred which should have been undertaken prior to the audit activity (e.g. outstanding lodgements).
  • Audit activity where notification was given prior to the inception of cover.
  • Excess superannuation contribution tax issues.

Bishop Collins – The Compliance and Risk Management Experts

If you would like to discuss the benefits of tax audit insurance or have an in-depth discussion about your business structure, tax affairs and compliance obligations, or audit and risk management requirements, the team at Bishop Collins would be delighted to have an obligation-free and confidential discussion. Get in touch with us today to see how we can help!

Audit & Assurance

Learn more about audit reports to prepare your business

Preparing for a business audit can save your organisation time and money. An audit doesn’t have to disrupt your business: it can effortlessly form part of your operational processes and not impose many additional demands on your resources.

Our top tips for preparing for a business audit include:

  • Prior planning prevents poor performance
  • Ensure accounts are reconciled before an audit of your financial statements
  • Identify significant changes which may affect the process of your financial audit
  • Designate a key contact in the preparation of a financial audit
  • Professional development and training
  • Ask questions about your financial audit
  • Learn from the experience

What Is an Audit: A Refresher

An audit is a reasonable assurance engagement where the auditor provides an opinion about whether a company’s financial report is prepared in accordance with particular requirements or a legislative framework (e.g. the Corporations Act 2001 or the Australian Charities and Not-for-profits Commission Act 2012). This includes giving a true and fair view of the financial position of a company at year end, and of its financial performance for the period ending on that date, and complying with Australian Accounting Standards and certain legislative requirements (e.g. Corporations Regulations 2001 or Australian Charities and Not-for-profits Regulation 2013).

Many other types of entities are also required to have their financial report audited, including unlisted companies over a certain size threshold and large charities.

You can read more about the distinction between assurance services here.

What information is audited and supported by the audit report?

Only certain sections of a company’s annual report are audited. The auditor’s report provides an opinion on the financial report, which comprises the financial statements, the notes to the financial statements and the directors’ (or responsible entities’) declaration.

As the directors’ (or responsible entities’) report is intended to complement and support the financial report, it may appear to be part of the audited financial information. It is important to note, however, that although the information provided in the directors’ report is not audited (with the exception of the remuneration report of listed companies), the auditor still needs to consider and report on whether it contains material inconsistencies with either the financial report or knowledge gained through the audit, or appears to be materially misstated.

What is the result of an audit?

The result of an audit is the auditor’s opinion which is included in the audit report. An audit report is a document that auditors attach to the statutory audit report that reflects their opinion of the audit. The audit report also contains a range of other information to explain the context in which that opinion has been reached. Similarly, an auditor’s review report contains the auditor’s conclusion on the financial report, which provides a lower level of assurance than an opinion, and also explains the context in which that conclusion was reached.

What Information Does an Audit Report Include?

An audit report, which is appended to the financial report, includes the following information:

  • Title and addressee
  • Auditor’s opinion (More on this later!)
  • Basis for the opinion, which includes important information about the auditor’s opinion, including:
    • That the audit was conducted in accordance with Australian Auditing Standards;
    • A reference to the section of the auditor’s report that describes the auditor’s responsibilities under the Australian Auditing Standards;
    • A statement that the auditor is independent of the company in accordance with the relevant ethical requirements and fulfilment of the auditor’s other ethical responsibilities;
    • A statement whether the auditor believes that the audit evidence they obtained is sufficient and appropriate to provide a basis for the auditor’s opinion.

NOTE: When the auditor modifies the opinion on the financial report, the heading ‘Basis for Opinion’ is amended in accordance with the type of modified opinion (see modified auditor’s opinions below) and within this section, the auditor includes a description of the matter giving rise to the modification.

Key audit matters

For listed entities, the audit report also includes Key Audit Matters (“KAMs”). These are matters which are, in the auditor’s professional judgement, of most significance in the audit. KAMs are selected, in consultation with the directors or audit committee, on the basis of needing significant auditor attention in performing the audit. The reasoning for this may include areas of higher assessed risk of material misstatement or significant judgement and estimates. The KAM section includes, at a minimum:

  • Why the matter was considered to be a KAM
  • Reference to the related disclosure
  • How the matter was addressed in the audit.

Other information:

  • Responsibilities for the financial report
  • Auditor’s Responsibilities for the Audit of the Financial Report
  • Other Reporting Responsibilities.

Types of Audit Report Opinions

Auditors have the option of selecting amongst four different types of auditor opinion reports.

Unmodified Opinion (Clean Opinion)

Auditor’s reports containing an unmodified auditor’s opinion are the most common type of report a user is likely to come across. This is in part because management usually addresses most of the matters which the auditor has raised by adjusting the financial information or including further disclosures when finalising the content of the financial report before it is issued. An unmodified auditor’s opinion, also referred to colloquially as a “clean” audit opinion, for a public company in Australia will state that in the auditor’s opinion the financial report is in accordance with the Corporations Act 2001, including giving a true and fair view, and complying with accounting standards and the Corporations Regulations 2001.

Even where there is a clean opinion, it is important to look for and pay attention to the KAMs raised and any Emphasis of Matter, Other Matter or Material Uncertainty relating to Going Concern paragraphs. These additional paragraphs highlight matters of significance contained in the financial report and contribute to the overall understanding of the report.

Unqualified Opinion

An unqualified opinion is considered a clean report. This is the type of report that auditors give most often. This is also the type of report that most companies expect to receive. An unqualified opinion doesn’t have any kind of adverse comments and it doesn’t include any disclaimers about any clauses or the audit process. This type of report indicates that the auditors are satisfied with the company’s financial reporting. The auditor believes that the company’s operations are in good compliance with governance principles and applicable laws. The company, the auditors, the investors and the public perceive such a report to be “free” from material misstatements (emphasis added).

Modified Opinion

Modified auditor’s opinions are issued in circumstances when the auditor believes the financial report contains a material misstatement, or when the auditor is unable to obtain enough evidence to form an opinion. Such an opinion should be a red flag for readers, as it indicates that part or all of the financial report cannot be relied upon.

If the audit opinion is modified it can be either a Qualified opinion or an Adverse Opinion.

Qualified Opinion

If you’ve ever wondered “what is a qualified audit report?” then this one is for you. A clean opinion is provided “except for” the matter identified. This might occur when an auditor isn’t confident about any specific process or transaction that prevents them from issuing an unqualified audit report. Auditors write up a qualified opinion in much the same way as an unqualified opinion, with the exception that they state the reasons they’re not able to present an unqualified opinion. An example where a qualified opinion might be issued includes where a company didn’t conduct a stocktake on inventory, or didn’t recognise and present its investments at fair value in accordance with Australian Accounting Standards.

Disclaimer

The auditor cannot provide an opinion because the auditor has not been able to obtain sufficient appropriate audit evidence to provide a basis for that opinion. When an auditor issues a disclaimer of opinion report, it means that they are distancing themselves from providing any opinion at all related to the financial statements. Some of the reasons that auditors may issue a disclaimer of opinion are because they felt like the company limited their ability to conduct a thorough audit (also known as a management-imposed scope limitation) or they couldn’t get satisfactory explanations to their queries or information requests (for example, where records might have been destroyed by natural disaster). Importantly, a disclaimer of audit opinion signifies that the effects on the financial report are likely to be material and pervasive. Accordingly a disclaimer of opinion is often interpreted as a severe position and consequently it potentially creates an adverse image of the company.

Adverse Opinion

The final type of audit opinion is an adverse opinion. Auditors who aren’t satisfied with the financial statements or who discover a high level of material misstatements or irregularities know that this creates a situation in which stakeholders (including investors, suppliers, customers and even the government) will mistrust the company’s financial reports. An auditor’s adverse opinion is a considerable red flag. An adverse audit report usually indicates that financial reports contain gross misstatements. There is also a higher susceptibility to the potential for fraud. Adverse opinions send out a high alert that the company’s records haven’t been prepared according to accounting principles or the law. Financial institutions and investors take this opinion seriously and will reject doing any kind of business with the company. Auditors use all types of qualified reports to alert the public as to the transparency, reliability and accountability of companies. Unsurprisingly, companies, investors and the public highly value unqualified audit reports.

Bishop Collins – The Audit Experts

It’s simple; with Bishop Collins Accountants, there are no surprises. We listen. We educate. We deliver. If you would like to discuss your organisation’s external audit requirements, the accounting experts at Bishop Collins would be delighted to have an obligation-free and confidential discussion with you. We provide solutions beyond compliance and help you to protect your assets and move toward achieving your goals. Get in touch with us today to see how we can help!

Audit & Assurance

Tax Audits: Triggers and 5 Tips to Minimise the Risks

Every year, the Australian Taxation Office (ATO) contacts over one million Australian taxpayers to clarify or question information provided in their tax returns. This is usually prompted by what has, or has not been, included (or excluded) in a tax return. This might include unreported income, unusually high deductions claimed, or potentially non-business related expenditure. Whilst the ATO has been relatively “understanding and sympathetic” during the pandemic (yes, many taxpayers have received leniency in mistakes made in reporting to the ATO, as well as concessions on interest and penalties), the ATO is reverting to a more assertive approach to its compliance program.

The ATO has many tools to assist in identifying potential non-compliance which includes data-matching and ATO-prefilling of information. You can read the specifics on these triggers in the ATO tax audit article written by our colleague, and one of the Bishop Collins resident tax experts, Tim Ricardo, here.

Despite accurate and honest declarations, even those completed with the assistance of a qualified accountant, a taxpayer can still be fortunate enough to be selected for a tax audit or review by the ATO. This occurs when the ATO recognises you, or your business, as a compliance risk. Initially, you will get notified of a tax review. The purpose of a tax review is to determine if any compliance issues need to be further examined. A tax review is usually conducted by an ATO delegate over the phone or face-to-face with a view to clarifying elements of your tax return. You’ll get the chance to resolve any issues and avoid escalating the matter to a full tax audit.

If the compliance risk is found to be significant, the outcome of a tax review can lead to a full tax audit where the ATO will further scrutinise your tax affairs. The ATO may request records for up to 5 years from the date of lodgement, as well as conduct intensive analysis on business transactions and interview staff. Unfortunately, getting audited by the ATO isn’t a relaxing affair – it can be a stressful and intimidating process – even more so if you’re not adequately prepared. Frankly, the best way to mitigate this problem is to take appropriate measures to prevent it from happening in the first place.

Top tip: It is also important to note that although some tax audits are random selections, some are triggered by certain factors.

What Factors Could Trigger a Tax Audit?

There are numerous factors which might trigger a tax audit. However, common factors (in no particular order of preference) include:

  • Running a cash business. The ATO targets businesses that make a lot of cash transactions because they are perceived to be at a higher risk of not declaring all of their income;
  • Not paying staff enough superannuation;
  • Discrepancies between the tax return and business activity statements (BAS);
  • Poor record of lodging tax returns, including several years of returns outstanding. You may be perceived as not taking compliance obligations seriously;
  • Significant fluctuations in income and expenses between years. Mismatches in income, such as capital gains, dividends, and foreign income can be readily identified by the sophisticated data matching systems used by the ATO. The ATO can also cross check your tax return against information provided by businesses and financial institutions you’ve transacted with. Excessive work-related deductions will raise concerns with the ATO. Note that a deduction can only be claimed in the year it is incurred. Claiming for deductions you are not entitled to, claiming the same deduction twice and poor record keeping are at the forefront of the ATO surveillance regime;
  • Financial performance above or below industry benchmarks – you or your business might be considered an outlier;
  • Income inconsistent with assets (not just business, but personal ones as well!). This includes inconsistencies between your lifestyle and your reported income and unexplainable surprise wealth. The ATO can assess your assets and work out how much income you need to maintain your current lifestyle;
  • Consistently reporting operating losses;
  • International transactions and dealings.

5 Tips to Reduce the Risk

Our top 5 tips for reducing the risk of an ATO audit are:

1. Recording ALL Taxable Income

Include all taxable income in your tax return from all sources. This includes business income, capital gains (e.g. on assets such as property and investments (i.e. shares)), cash transactions, foreign income from property, shares or employment and bank interest.

2. Only Claim Deductions you are Entitled to

The deduction must be directly related to earning assessable income. Deductions can only be claimed on work-related expenses. Ensure you keep good records to prove your expenses and their relationship to being both work-related and connected to earning income.

3. On-Time Tax Lodgements

Ensure tax lodgments are on time and up-to-date. Build a positive image for you and your business by lodging your tax returns, BAS, and FBT on time. Review your tax returns and reconcile your BAS regularly to ensure there are no variances.

4. Maintain Accurate Records

Maintaining accurate records and keeping invoices and receipts is a must. Keep your personal and business expenditure separate to reduce the likelihood of claiming a personal expense as a business expense. Have minimal variances between tax returns and BAS.

5. Pay Super On-time

Pay the correct amount of superannuation on time for your employees. Note that directors can be held personally liable for unpaid superannuation contributions as well.

BONUS: Insure Yourself!

Take out an audit insurance policy. Having audit insurance in place can take the pressure off by not having to worry about the professional fees which will be incurred in handling an ATO audit.

Handy hint: An audit insurance policy for tax compliance covers only the professional costs in reviewing and responding to the ATO audit program. This insurance does not cover the direct and indirect costs of unpaid tax liabilities, penalties and interest. Again, more incentive to get it right the first time.

If The Inevitable Happens…

It always helps to be honest and upfront with the ATO and own up to your mistakes. Your cooperation with the ATO during a tax audit will be looked upon favourably. In many cases, the ATO has maintained leniency to taxpayers who have cooperated in full and conceded an inadvertent omission or error.

Speak to Bishop Collins about Tax, Audit and Risk Management

The experts are here to help! It’s simple; with Bishop Collins Accountants, there are no surprises. We listen. We educate. We deliver. We provide solutions to protect your assets, and assist you with minimising your tax and moving toward your goals. Speak with one of our team today.

Please reach out to us at Bishop Collins if you would like to seek professional advice on your tax needs.

Audit & Assurance

Internal Vs. External Auditing: What’s the Difference?

Both internal and external audits are completed with a high degree of independence, diligence and ethics. However, the difference between an internal audit and an external audit is not always clearly understood. Both seek to provide an independent opinion about a company’s finances or practices, but they differ significantly when it comes to who performs the audit, its overall purpose, and its scope.

Comparing Internal Audit vs External Audit

Here is a brief snapshot of these differences:

Scope

Internal audits usually focus on a specific area of a company, while external audits look at all relevant financial information and any other practices that could confirm the veracity of financial statements and disclosures. In some circumstances, an external audit might be scoped to provide an opinion on a specific line item or financial schedule.

Purpose

Internal audits focus on measuring current performance or compliance with particular policies or procedures and finding areas for improvement. An internal audit is primarily focused on helping an organisation improve and helping to achieve your business objectives while managing risk. An internal business audit is beneficial to evaluate and improve the effectiveness of risk management, control and governance processes. You can read more about the “flavours” of internal audit here.

External audits, on the other hand, focus on verifying the accuracy and veracity of financial statements, thus providing reliable information about the results of a company’s operations, its financial position, and its cash flows. You can read more about external audits here.

Auditor

External auditors are from a third party (i.e. independent firm) while internal auditors can either be internally appointed and work on behalf of a company, or an external firm, and report independently to the audit committee or Board.

Key Differences Between Internal Audit and External Audit

Let’s take a look at some of the key differences between an internal audit and an external audit in a bit more detail.

1. Appointment

Generally, external auditors are appointed by the shareholders of a company, while internal auditors are often employees of a company, although in some cases, they can be appointed externally. In either case, the internal auditor reports independently to the audit committee or board of directors. Bishop Collins Audit provides both internal audits and external audits, along with IT, fraud prevention and risk management expertise.

2. Area of Focus

Internal auditors generally focus on an organisation’s processes and control systems, providing evaluations on financial and operational business activities. They analyse and bolster the risk management, internal control and governance processes of the company. Internal audits are aimed at identifying how well risks are managed including whether the right processes are in place, and whether agreed procedures are being adhered to. Internal audits also identify areas where improvements and efficiencies might be achieved.

External auditors mostly focus on ensuring that the policies and procedures of the organisation are adequate and meet regulatory requirements and standard practices. The focus is primarily on financial compliance and accuracy. In Australia, external auditors are registered with the Australian Securities and Investments Commission (ASIC). Importantly, there are a variety of benefits in undertaking an external audit (whether legislatively imposed or voluntarily), including:

  • Fraud deterrence and prevention;
  • Confirm compliance or departures from relevant legislation (e.g. the Corporations Act 2001 or Australian Charities and Not-for-profits Commission Act 2012);
  • Provide confidence to stakeholders (e.g. customers, shareholders, creditors and the general public) that the company is financially sound;
  • Identify ineffective or inefficient business or operational practices.

3. Engagement Period

Internal auditors generally provide auditing and control services related to the company’s finances, business practices and risks over an extended period of time. This might be on an annual basis, or over several years, depending on the internal audit plan and broader assessment of risks. External auditors are appointed, and generally hold office, until either their resignation, removal or death (hopefully not the latter!). Each annual audit engagement runs for a certain period and once the audit is completed, this engagement is finalised until the next year.

Is It a Requirement to Have an Audit?

Well, that depends on your specific requirements, risk appetite and perspective. Internal audits are a fundamental way of improving your company’s systems and developing sound risk management practices. However, internal audits are discretionary.

Many large organisations, including publicly listed companies, have established internal audit functions to satisfy and boost shareholder and market confidence as well as mitigate broader risks. Progressive private companies also voluntarily undergo internal audits to access the benefits internal audit can provide to their organisation. This includes:

  • Ensuring accounting processes are efficient and effective,
  • Identifying, understanding and managing high risk areas,
  • Ensuring compliance with policies, procedures, laws and regulations,
  • Streamlining operations,
  • Safeguarding assets and ensuring efficient use of resources,
  • Ensuring governance and risk assessment processes are in line with best practice,
  • Preventing and detecting fraud.

We often get asked how often do businesses get audited? Well, external audits must be assessed on a case-by-case basis, however for the most part, public companies, large private companies and many not-for-profit organisations are required by law to have an audit at various times. For example:

  • The Australian Charities and Not-for-profits Commission (ACNC) and State Departments of Fair Trading (e.g., NSW Fair Trading in New South Wales), which are the regulators of charities, not-for-profits, and associations, also have audit requirements. For example, medium-sized charities with annual revenue of more than $1,000,000 must have their financial statements reviewed or audited, while large charities with annual revenue of more than $3 million must have their financial reports audited.
  • Large Companies: When a company becomes a large proprietorship, it must be audited, under the Corporations Act. From 1 July 2019, the Australian Securities and Investments Commission (ASIC) defines a proprietary company as being “large” if, at the end of the financial year, the company and any entities it controls meet two of the below three criteria:
    • A consolidated revenue of $50 million or more;
    • Consolidated gross assets of $25 million or more; and
    • 100 or more employees.

Small private companies may also be required to undergo an audit, including those which are foreign-owned or those companies subject to a shareholder direction under s293 of the Corporations Act 2001. In certain circumstances, ASIC might direct a company to undergo an audit. Take a peek at our article on whether you need to have an audit completed on your financial statements here.

The Experts Are Here to Help!

If you would like to discuss your organisation’s external and internal audit requirements the accounting experts at Bishop Collins would be delighted to have an obligation-free and confidential discussion with you. Please reach out to us if you would like to seek professional help with internal and external audits. Get in touch with us today to see how we can help!

Audit & Assurance

Why do I Need an Internal Business Audit?

The difference between an Internal Audit and External Audit is not always clearly understood. Both internal and external audits are completed with a high degree of independence, diligence and ethics, however, there are key differences in the essential elements of these audits, including purpose and objectives, focus, reporting and outcomes.

What are Internal and External Audits?

Firstly, let’s have a brief refresher on the distinction between internal and external audits.

External Audits

Many businesses and organisations are required to prepare financial information for stakeholders. This is achieved by preparing financial statements. The purpose of financial statements is to provide information about the results of a company’s operations, its financial position, and its cash flows. This information provides transparency and accountability of management’s stewardship of the organisation’s resources to these stakeholders.

Accompanying the financial report is the audit opinion, which is the independent evaluation of the financial report of an organisation. Therefore the purpose of an external audit is “to enhance confidence for intended users in the financial report”. These users might be shareholders, members, lenders, or other stakeholders. You can read more about external audits here.

Internal Audits

An internal audit, on the other hand, is primarily focused on helping an organisation improve and helping to achieve your business objectives while managing risk. An internal business audit is beneficial to evaluate and improve the effectiveness of risk management, control and governance processes. Our internal auditors work with you to review systems and operations. These internal business audits, or reviews, are aimed at identifying how well risks are managed including whether the right processes are in place, and whether agreed procedures are being adhered to. Internal audits also identify areas where improvements and efficiencies might be achieved. You can read more about the “flavours” of internal audit here.

The Role of the Auditor in Internal and External Audits

The role of the auditor vastly differs between internal and external audits. External auditors focus on the accuracy of the annual report and financial statements, whereas the internal auditor has a surprisingly broad mandate which considers anything which might be important to an organisation’s success.

Attributes of Internal and External Audits

We’ve assembled this overview to assist in understanding the differences between the attributes of internal and external audits.

| Attribute | Internal Audit | External Audit |
| --- | --- | --- |
| Appointment | Outsourced provider or designated employee or function within an organisation | Appointed externally (e.g. via shareholders (if a public company) or members) |
| Independence | Independent of activities subject to internal audit scope and management | Independent of the governing body and management. |
| Reports to | The audit committee (if established) or the board of directors (or committee members) | Shareholders, members and the board of directors (or committee members) |
| Objective | Varies according to the internal audit scope. Importantly the focus is on evaluating controls to facilitate an organisation achieving its goals and objectives. | Forming an opinion on the financial report of the organisation. |
| Focus | Forward-looking | Historical |
| Fraud | May be directly concerned with the prevention of fraud in any activity reviewed | Directly concerned when financial statements may be materially affected by fraud. Incidentally concerned with prevention and detection of fraud. |
| Outcome | Assists an organisation enhance and protect organisation value and accomplish objectives. | Opinion on financial statements |

Why do you Need an Internal Audit?

In a nutshell, internal business audits help evaluate and improve the effectiveness of risk management, control and governance processes. For example, internal audits can look at and assist in the following review areas:

  • Ensuring your accounting processes are efficient and effective,
  • Identifying, understanding and managing high risk areas,
  • Ensuring compliance with policies, procedures, laws and regulations,
  • Streamlining operations,
  • Safeguarding assets and ensuring efficient use of resources,
  • Achieving strategic and operational objectives and goals,
  • Ensuring governance and risk assessment processes are in line with best practice,
  • Preventing and detecting fraud. Take a sneaky peek at our article on fraud exposures here, and download our tips to prevent fraud here.

As is indicated above, internal auditors work across all areas of an organisation and provide independent audit reports to the audit committee or Board. Auditors go beyond statutory compliance and aim to provide insight into multiple areas of your business beyond financial controls and transactions, whether it be IT, operations (e.g. production, supply chain, environmental, human resources etc.), or intangible elements such as culture and ethics. Frankly, any system or protocol that has an impact on the efficient and effective operation of an organisation could be subject to internal audit and included in the internal audit plan.

The Relationship Between Internal and External Auditors

At times, the work performed by a company’s internal audit function can overlap with the work conducted by the external auditor. This includes, for example, specific financial review areas such as expenditure, revenue and the like, or areas dealing with the assessment of control processes such as their design, implementation and operational effectiveness. Accordingly, an opportunity presents itself whereby the external auditor, rather than duplicating these procedures, may be able to place reliance on the work carried out by the internal auditor.

Having a cohesive working relationship between the internal and external auditors may provide the following benefits:

  • Strengthened relationship between the external and internal auditors through a more effective dialogue. This also promotes efficiencies within the organisation subject to audit (e.g. not having to cover the same ground with two separate functions etc.),
  • The external auditor can gain additional insights into the entity leveraging from the experience and knowledge of the internal auditor,
  • The external auditor can use internal auditors who may have relevant expertise in particular areas,
  • The external audit team can focus on the more significant audit issues.

How an Internal Audit is Delivered

Internal auditors work in all sectors, be it public, private or not-for-profit. Depending on the size of your organisation, the internal audit function could be properly internal (e.g. with an in-house employee or team fulfilling this role) or through an external service provider. Common factors considered by organisations in making a decision on how to implement and deliver an internal audit function are:

  • Independence of the auditors,
  • Expertise of the auditors (e.g. experience with similar organisations, fields or skill sets),
  • In relation to the organisation:
    • Geographic spread
    • Nature of business
    • Technology,
  • Budget for internal audit function.

Some organisations adopt a hybrid internal business audit model, also known as ‘co-sourcing’. Co-sourcing allows an organisation to rely on the expertise of a professional auditing firm while still participating to the extent that your in-house team is able. For some organisations, a co-sourced internal audit team is needed to address specific and complex issues or to cover a highly specialised review area. This model can be incredibly efficient as it allows resources to be directed to other areas of the organisation, allows access to specialised expertise and potentially promotes cost savings.

Where to from Here?

If you would like to discuss your organisation’s internal business audit requirements, the establishment of an internal audit function or facilitating the outsourcing (or co-sourcing) of your internal audit function, the team at Bishop Collins would be delighted to have an obligation-free and confidential discussion.
Please reach out to us at Bishop Collins if you would like to seek professional help to explore your internal audit options.

Audit & Assurance

What are General Purpose Financial Statements?

It’s the nature of being in business that many companies and organisations are required to prepare and provide their financial information to stakeholders. Financial statements are how they do this. Financial statements provide stakeholders with information covering the results of company operations, the company’s financial position, and details of its cash flow. This information offers stakeholders transparency and provides accountability of the company’s senior management. Examples of stakeholders who would receive such financial statements include shareholders, members, lenders or others.

Because there can often be many recipients of financial statements, each with different tailored information needs, there is a need for a broad range of financial information required in a set of financial statements. The solution is to prepare a ‘general purpose financial report’ (“GPFR”) also called ‘general purpose financial statements’ (“GPFS”) in order to present relevant information to stakeholders. Australian Accounting Standards stipulate what information a GPFS must disclose and how it is presented.

General purpose financial statements are defined in “AASB 101 Presentation of Financial Statements” as “those intended to meet the needs of users who are not in a position to require an entity to prepare reports tailored to their particular information needs”, and they need to comply with the requirements of all applicable Australian Accounting Standards.

The Difference Between Special Purpose and General Purpose Financial Statements

The financial statements are prepared for general users, which means users who can’t directly ask for information from a business or organisation. The business prepares statements to be materially correct and to focus on what is important to their general users and stakeholders. For this reason, general purpose financial statements are standardised.

On the flipside, we have “special purpose financial statements” (“SPFS”). These are financial reports created to present financial information to specific stakeholders. In many cases, unlike the stakeholders for whom a GPFS is prepared, the stakeholders of an SPFS are in a position to command and tailor the information to satisfy their requirements, for example, owners and directors who have a direct operational stake in an organisation. Special purpose financial statements provide many small and medium-sized businesses access to greater informational flexibility. This is because the statements are often presented in a simpler format. This straightforward financial report often adheres to the reporting rules established by an organisation’s directors, owners, or members.

There have recently been some changes to the requirements to provide an SPFS. From 1st July 2022, special purpose financial statements will no longer be required in Australia for certain kinds of for-profit private sector enterprises. The majority of organisations that will be impacted are those in the private sector that operate for profit and are required to lodge financial statements with the Australian Securities and Investments Commission (ASIC). These entities will not be allowed to prepare and lodge SPFS for years ending on 30 June 2022.

What Information Should General Purpose Financial Statements Provide?

A GPFS prepared in accordance with Australian Accounting Standards should provide a structured representation of the financial position, financial performance and cash flows of a business or organisation. It should provide information that is useful to a wide range of stakeholders and that assists them in making economic decisions. It should also show the results of how the organisation’s management has performed and utilised the resources entrusted to it. To meet this objective, financial statements provide information about an organisation’s:

  • assets;
  • liabilities;
  • equity;
  • income and expenses, including gains and losses;
  • contributions by and distributions to owners in their capacity as owners; and
  • cash flows.

This information, along with additional information in the notes, assists the stakeholders who use the financial statements in predicting the organisation’s future cash flow and, in particular, their timing and accuracy.

A complete set of financial statements comprises:

  • a statement of financial position as at the end of the period;
  • a statement of profit or loss and other comprehensive income for the period;
  • a statement of changes in equity for the period;
  • a statement of cash flows for the period;
  • notes, comprising significant accounting policies and other explanatory information; and
  • comparative information in respect of the preceding period.

What is a Simplified Disclosure Framework?

Your business, organisation or charity can choose to prepare full General Purpose Financial Statements (Tier 1), or General Purpose Financial Statements under a simplified disclosure framework (Tier 2).

If you choose to prepare a GPFS with a simplified disclosure framework, the statements are still considered to be General Purpose Financial Statements. However, the key distinction is the eligibility to provide fewer, uncomplicated disclosures.

There were some changes to the disclosure standard recently. The new simplified disclosure standard replaces the former Tier 2 Reduced Disclosure Requirements (RDR) framework, from 1 July 2021. The changes have been introduced as part of AASB 1060 General Purpose Financial Statements – Simplified Disclosures for For-Profit and Not-for-Profit Tier 2 Entities. Under AASB 1060, all relevant disclosure requirements are contained in a single standard. The changes will apply to all Tier 2 entities and do not affect which entities are permitted to apply Tier 2. The recognition and measurement requirements of Tier 2 also remain unchanged and the same as Tier 1. For more information about the changes and the new disclosures that will be required, refer to AASB 1060 on the AASB website (www.aasb.gov.au).

The Experts are Here to Help!

Remember, the need to prepare general purpose financial statements or special purpose financial statements may also require you to have these audited. Take a peek at our article on whether you need to have an audit completed on your financial statements here.

If you would like to discuss your organisation’s requirements to prepare general purpose financial statements the accounting experts at Bishop Collins would be delighted to have an obligation-free and confidential discussion with you. Please reach out to us if you would like to seek professional help with General Purpose Financial Statements.

Audit & Assurance

Risk Management: Taking Risk Off the Table

Martin Le Marchant

Company Director

Taking Risk Off the Table

Managing risk is crucial for every business and organisation, from listed companies to unincorporated associations. Risk management forms part of an organisation’s broader governance framework and is a critical business practice that helps companies identify and evaluate issues, all the way to tracking and improving their risk mitigation strategies. But first, to understand risk management, we need to understand the different types of risk, positive and negative. Yes, you can have positive risks!

The International Organisation for Standardisation defines risk as “the effect of uncertainty on objectives.” (If you’re interested in the details, the specific standard is ISO 31000:2018, which provides principles and guidelines on managing risk).

Risk management aims to tell businesses about the threats in their operating environment and allows them to retroactively and preemptively minimise or combat risk. It follows that risk management is the practice and synergy of 3 key things:

  • Identification
  • Evaluation
  • Prioritisation

But what are the steps, and who should be involved in the process?

The Responsibility for Managing Risk

The responsibility for overseeing and managing risk ordinarily lies with an organisation’s board and management team. The board should be accountable for regularly reviewing and approving the risk management policies and frameworks. The board is responsible for deciding on the nature and extent of the risks it’s prepared to take to meet objectives. Management is responsible for developing and implementing a risk management framework and any related internal controls.

Positive Risk?

Typically, risk is considered an afterthought, with most organisations thinking about the consequences and how it can lead to financial loss, legal liability or tarnishing of reputation. From this perspective, it’s hard to see risk as anything but a negative. But what if we take a different approach?

What about the risks you don’t take – sometimes referred to as the “do nothing” approach? The risk of not taking action, or taking ineffective action, can also spell trouble. To better understand this concept, let’s recall the great “battle” between Sony’s Betamax and JVC’s VHS in the late 1970s; or, for the younger readers, how Netflix and Amazon shot to prominence, outperforming well-established companies that focused on avoiding risk at all costs (Blockbuster).

Understanding this should give you a better grasp of the significance of risk and how it can be more than just a defensive strategy if managed accordingly. Properly managed risk can assist organisations in developing a well-rounded approach, achieving objectives and making informed decisions.

Identifying Risks

Identifying emerging risks can be difficult, but there are techniques to help, such as PESTEL and SWOT analysis. PESTEL analysis assists organisations in identifying risks in the broader (or macro) environment. Risks in this environment are generally outside the control of the organisation. PESTEL stands for:

  • P: Political – Risks such as political stability, corruption and export or import restrictions.
  • E: Economic – Risks such as strikes, production recalls, and supply chain issues.
  • S: Socio-Cultural – Risks arising from factors such as demographics, consumer behaviour and changing values.
  • T: Technological – Risks arising from factors such as communication technology and transport options.
  • E: Environmental – Risks such as natural disasters, infrastructure and environmental taxes.
  • L: Legal – Risks such as changes in the law.

SWOT analysis is another technique that can help an organisation understand its strengths, weaknesses, opportunities and threats. The benefit of SWOT analysis is that it is a simple and recognisable approach, providing a broader perspective on strategy or approaches. SWOT assists in developing an understanding of the impact and what can be done to minimise adverse effects and maximise potential opportunities. SWOT can also be a helpful framework for thinking about the individual parts of the PESTEL analysis.

Strengths – Strengths describe what an organisation excels at and what separates it from the competition: a strong brand, loyal customers, a strong balance sheet, unique technology, etc.

Weaknesses – What stops an organisation from performing at its best or areas where a business needs to improve to stay competitive: large fluctuations in turnover, bad debt, an inefficient supply chain, or lack of capital.

Opportunities – This refers to favourable external factors that could give an organisation a competitive advantage. For example, if a country cuts tariffs, an Australian exporter can export its products into a new market, increasing sales and market share.

Threats – Threats refer to factors that can harm an organisation. Common threats include the rising cost of materials, new competition, labour supply shortages, etc.

What is a Risk Management Framework?

A risk management framework is a set of guidelines and tools that decision-makers can use to decide how to mitigate risk. It could include, for example, policies, strategies, plans, processes and models, and statements of your organisation’s position on risk.

Risk Management Process

The five steps in a good risk management process comprise the following and can be used by any organisation:

  1. Identify risks – both current and potential risks.
  2. Analyse the likelihood of each risk you identified and the impact of each one.
  3. Prioritise which risks to focus on based on business objectives.
  4. Respond to the risk conditions.
  5. Monitor outcomes and adjust as necessary.

Whilst the steps look easy and straightforward, there is considerable effort required to complete the process. The objective is to develop a set of processes for identifying the organisation’s risks. It is important to highlight that, by definition, unless the risk has an impact, it isn’t a risk.

We often hear phrases like “risk management”, “risk assessment” and “risk analysis” used interchangeably, but what’s the difference? Whilst they are related, there is actually a difference between each.

  • Risk management is the continued process of identifying, analysing, evaluating, and treating loss exposures. These are summarised in the five steps above.
  • Risk assessment includes the processes and technologies that you use to identify, evaluate, and report on risk-related concerns. The risk assessment process is a critical aspect of the broader risk management process and is mainly concerned with the Identification and Analysis phases (steps 1 and 2 below).
  • Risk analysis can be considered the evaluation component of the broader risk assessment process, which determines the significance of the identified risk concerns. Put simply, risk analysis is the actual quantification of risk (i.e. calculating the probability and magnitude of loss).

STEP 1: IDENTIFY THE RISKS

By way of example, risk identification can be undertaken using:

  • A top-down, bottom-up approach: this involves the board and management identifying the organisation’s mission-critical processes and working with stakeholders to determine the conditions that could impede them. The bottom-up approach starts with the source of the problem (natural disasters, economic downturns, cyber-attacks, etc.), considering their potential impact on particular assets.
  • Risk categorisation: As specified by The Committee of Sponsoring Organisations of the Treadway Commission (COSO), there are 4 main categories:
    • Strategic risk (e.g. reputation, technical innovations, customer relations).
    • Financial and reporting risk (market, credit, tax).
    • Compliance and governance risk (e.g. ethics, regulatory, international trade, privacy).
    • Operational risk (e.g. IT security/privacy, supply chain, labour issues, natural disasters).

The final task in the identification step is for organisations to record their findings in a risk register. This helps track the risks through the subsequent four steps of the risk management process.

Pro tip: Leverage the collective knowledge and experience of your entire team. Ask everyone to identify risks they’ve either experienced before or may have additional insight about.

STEP 2: ANALYSE

Once you have identified the risk, it needs to be analysed. What you are looking for is how likely the risks are to occur and, if they do occur, what the ramifications could be. This is referred to as the scope of the risk: specifically, how it impacts the organisation and how many business processes it will affect. While some risks will only be minor inconveniences, some risks can bring an entire business to a standstill should they transpire.

To analyse the risks of an event, the following should be considered:

  • The likelihood of the risk happening.
  • The consequence and impact if it occurred.

From here you want to work out a rating system. For example, you could have ratings of:

  • 1 to 5 for likelihood (1 being highly unlikely and 5 highly likely)
  • 1 to 5 for consequence (1 being low and 5 for severe).

These ratings can then be utilised to help determine the risk level:

Likelihood x Consequence = Risk level

Based on our example formula, the lowest risk level you could get is 1 (1 x 1), and the highest 25 (5 x 5). You can use this to rank your risks from least urgent to most urgent.

A template of this is shown below:

STEP 3: PRIORITISE

Most risk management solutions will show different categories of risks, depending on the impact of the risk you are analysing. Prioritising the risk you have diagnosed will give you a holistic view of the possible exposure of the entire organisation. You may see that the business has several low-level risks that may not require upper management intervention. However, even just one high-rated risk can be enough to require prompt intervention.

The two types of risk assessment are Qualitative and Quantitative Risk Assessments.

Qualitative Risk Assessment: Most risks are not 100% quantifiable, so these assessments are inherently qualitative; however, you can still derive metrics from the risks. For instance, the risk of climate change is one that cannot be quantified as a whole.

Note: when performing a qualitative assessment it is essential to maintain objectivity and have a standardised approach throughout your company.

Quantitative Risk Assessment: This style of risk assessment is common in the financial sector, whether it is with regard to money, metrics, interest rates, or any other form of data.

Note: quantitative risk assessments can be automated and are generally considered more objective than qualitative assessments as there is less room for bias.

STEP 4: TREAT AND RESPOND

There are four strategies to manage the threat the risk may cause, where the strategy selected depends on the risk’s likelihood and the severity of impact.

  • Risk avoidance: implementing policies, procedures, technologies, training and other steps designed to divert potential risks.
  • Risk reduction: Similar to avoidance, it is a series of measures designed to reduce risk to an acceptable level.
  • Risk transfer: contracts with a third party to bear some or all costs of a risk that may or may not occur.
  • Risk acceptance: accepts the risk because its potential to harm the organisation is very limited or the cost of mitigating it exceeds the damage it would inflict.

STEP 5: MONITOR

It has to be noted that not all risks can be eliminated – some risks are ever-present, for example market risks and environmental risks, and they will always need to be monitored.

Risk monitoring can be carried out through manual or digital systems. Here’s what you should know about them and which you need to use.

Manual systems monitoring: This is conducted by diligent employees. These professionals must keep a close watch on all risk factors they are responsible for.

Digital systems monitoring: The risk management system monitors the entire risk framework of the organisation. If any factor or risk changes, it is immediately visible to everyone with access. Computers are also much better at being able to continuously monitor risks. Monitoring risks also allows your business to ensure continuity.

Relationship to Internal and External Audit

A company’s board needs to ensure that the risk management framework established by management is operating as intended, testing the effectiveness of the strategy from time to time through assurance providers such as internal and external audits.

An internal audit function brings an independent, systematic, disciplined approach to evaluating and continually improving the effectiveness of the organisation’s risk management and internal control processes.

The ‘three lines of defence’

This can be a helpful way to define roles and responsibilities when considering effective risk management and control:

  • First line: operational management control.
  • Second line: management assurance (risk control and compliance oversight functions established by management).
  • Third line: independent assurance.

The board (and its committee(s) if established) are not included in the ‘three lines of defence’; instead, they are served by the ‘three lines’. Their role is to ensure that the ‘three lines of defence’ model is reflected in the organisation’s risk management and control processes.

Talk Risk with the Experts at Bishop Collins

If you have any questions or would like to discuss your organisation’s risk management framework and internal audit needs, the team at Bishop Collins would be happy to have an obligation-free and confidential discussion.

To learn how Bishop Collins can help you manage your organisation’s risk, visit bishopcollins.com.au or call (02) 4353 2333.
