Control and Risk Management 42021 Essay Example

5.1 Process Objectives

5.2 Process Description

5.3 Risk Tolerance for Distribution Process

6. Control Environment Analysis

6.1 Segregation of Duties

6.2 Regular Verifications and Checks

6.3 Proper Documentation, Securities and Access Authorities

6.4 Integrated Information Systems

7. Analysis of Risk Events and Risk Responses

8. Recommendations and Justification

9. Limitations

10. Conclusion and Moving Forward

11. Feedback from Dragon Link Granite Pte Ltd

12. Appendices

13. Glossary

14. References

1. Executive Summary

1.1 Core Objective of Project

Risk events can significantly hamper a company’s efforts at achieving its strategic and business objectives. It is imperative that a company understands and critically evaluates the potential risks that may arise from its business setting and to develop controls and monitoring tools to ensure the smooth operation of the company. In sum, a company needs to align its risk appetite to its strategy while maintaining the delicate balance between risks and opportunities. Applying the Enterprise Risk Management framework in strategy setting and across all the company’s activities will aid management in identifying, assessing and managing risks in light of uncertainties.

The main objective of this Integrated Control and Environment Exercise (iCEE) is to identify, examine, assess and document the Distribution Process of Dragon Link Granite Pte Ltd. The cruxes of the analysis are on the risks that impede the achievement of process objectives, the existing controls and our recommendations to contain these threats.

1.2 Scope of Project

We will first begin with the critical analysis of the external environment of the company, followed by the internal environment using the Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission

(COSO), which begins with deriving the risk appetite and culture of the organization and the information on internal control environment. Next, we will do a thorough analysis of the Distribution Process, articulate its process objectives and risk tolerance level in order for us to identify the risk events that will affect the achievement of the company’s objectives. We will then evaluate its control environment to ascertain if there are any existing controls and responses to risks before we determine its residual risks and subsequently, recommend further controls to bring the risks within the company’s risk appetite.

1.3 Methodologies

Our Group has adopted various methodologies including PESTEL, Porter’s 5 Forces Framework, Internal Control Questionnaires (ICQ), KPMG’s Entity Level Business Model (ELBM), Business Process Analysis (BPA) as well as the Risk Matrix.

1.4 Summary of Key Findings and Recommendations

Our team’s preliminary assessment of the Distribution Process had led us to identify 14 potential risks. Among them, 4 had residual risks which fell outside the risk appetite of the company and thus had established the focus of our analysis. These 4 key risks evaluated include the loss of human capital comprising skilled and experienced workers, data inaccuracy and integrity in the system, skiving employees due to lack of supervision and the wrong quantity and specification of tiles being delivered to the clients. All these risks may lead to dire consequences such as customer dissatisfaction, which would threaten the achievement of the company’s objectives. To deal with this problem, our main recommendations are to obtain and review employees’ feedback regularly, engage an external party to conduct regular checks on accounts, restructuring the hierarchy of employees and to set

the right culture and finally to provide training for production staff.

2. Background of Dragon Link Granite Pte Ltd – Appendix B

2.1 Objective

Dragon Link places great emphasis on the quality of their granite and ensures that all its granite exceed industry standards. Dragon Link also pledges prompt and fast delivery time to their clients, so as to bring customer satisfaction and generate steady profit growth.

2.2 Core Business Processes

The company specializes in the processing and supplying of all types of natural stones, with their specialty being in granite. For its distribution process, it runs from the time when the manufacturing factory in China ships the materials to the sales office in Singapore until the time when the materials are ultimately delivered to the clients.

2.3 Alliances

Strategic alliances are formed with industry players to obtain additional stock in times of shortages so as to ensure that its clients are able to receive the goods on time. The company also works continuously with clients who are actually resellers of the goods.

2.4 Customers

Dragon Link’s customers comprise mainly the property sectors and other construction developers. Some of the more notable projects include SIM Clementi Campus, Istana House, Changi Airport Tower, Jurong Island project and several terrace houses and even HDB parks. The customers generally have a long-standing relationship with the company.

-------------------------------------------------------------------------------------------------------------

3. Engagement Terms of Reference

3.1 Objectives and Scope of Project

The core objective of this project is to evaluate Dragon Link’s risk exposure and ascertain its alignment with the risk appetite of the organization. Since the company’s main granite processing process cannot be studied as the factory is situated in

China, the Distribution process analyzed in this report involves only the distribution of the processed stones from the factory to its ultimate clients. To gain competitive advantage in a fast-paced and highly-uncertain industry, Dragon Link must constantly monitor both its internal and external environment to identify and mitigate risks that hinder its objectives.

3.2 Methodologies

Our group adopts Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as the basis of our analysis of the effectiveness of the Distribution Process. As for our client’s external environment, it will be evaluated using the PESTEL and Porter’s 5 Forces Framework. The KPMG’s Entity Level Business Model (ELBM) will be utilized to reflect our client’s specific niche and idiosyncrasies. For its internal environment, it will be assessed using the Internal Controls Questionnaire (ICQ). The Business Process Analysis (BPA) is used to understand the existing core business process while the Risk Matrix aids the identification of risk events. Applying these individual models will allow us to investigate the various components from different standpoints, thus enabling us to perform a more complete analysis of its business process.

-------------------------------------------------------------------------------------------------------------

4. Environmental Analysis

4.1 External Environment Analysis

There are many external forces and agents affecting the company’s operations. Entrance of new competitors and substitute products like ceramic tiles may affect its market share.

There are also many competitors especially from China which may pose a serious threat because the nature of this industry is such that the products are commodities and brand awareness is low. Demographic lifestyle changes also affect customers’ tastes and preferences from time to time. With a wide variety of choices, they can easily demand

high quality products at low prices. The growth of the property sector is an opportunity for the company with an increased demand for tiles. Technology poses a threat to the company because it has created homogeneous tiles that resembled marble tiles. Adverse weather conditions like typhoon can also affect the delivery time of goods to the clients.

4.2 Internal Environment Analysis – Appendix C, D

4.2.1 Organizational Structure

There is a well-defined and decentralized organizational structure across China and Singapore with a Managing Director. It also fosters the empowerment of employees .

4.2.2 Management’s Philosophy and Operating Style

The Managing Director makes most major decisions and concerns himself with good work performance and meeting budget and other goals. Despite the absence of written policies and procedures of the company, these are still well-communicated to its employees.

4.2.3 Value Drivers

The employees form the main value drivers of the company. Having understood their roles and responsibilities, they play a critical role in ensuring that they deliver what their clients expect of them, eg. prompt delivery of goods, which leads to customer satisfaction.

4.2.4 Risk Drivers

The major risk driver of the company is its human capital. Miscommunication between the employees in Singapore and those in China could lead to wrong specifications of goods and hence customer dissatisfaction. Employees leaving the company could also pose a serious problem because it takes time and resources to train the new employees to be competent enough to understand the industry practices and to perform their job well.

4.2.5 Human Resource Policies and Practices

The company is financially-oriented and customer-oriented by seeking to retain customers which in turn will lead to

profitable financial results. There is a probation period for the to-be-employees of the company to monitor their performance before they are actually hired. Although the compensation process is not formally documented, the promotion criteria and rewards are verbally made known to the employees.

4.2.6 Risk Culture and Appetite

The company’s risk appetite ranges moderate to risk averse. Having a 15% decrease in revenue is deemed out of its risk appetite. The company also particularly selects projects with fewer risks. If there are requirements which are not easily realizable, it will re-negotiate the terms with those particular clients to achieve a less risky position for itself.

-------------------------------------------------------------------------------------------------------------

5. Process Analysis

5.1 Process Objectives – Appendix E

The main objective of this distribution process is to ensure timely delivery and excellent services. This would attain the utmost customer satisfaction and thus improve the customer retention rate. The company places emphasis on efficiency of the distribution process and strives to minimize any unexpected delays which lower costs and maximize its returns.

5.2 Process Description – Appendix F

The process begins with the China coordinator receiving the goods from the suppliers or factory. He then packs the goods into crates and prepares the packing list, which will be sent to Singapore. The warehouse man in Singapore will do another round of verification with the packing list attached to the crates. After which he will pack the goods accordingly to the sales orders and send them to the respective customers.

5.3 Risk Tolerance for Distribution Process

The managing director is relatively risk adverse and has zero tolerance for delays. Any delays would result in a decrease in customer satisfaction. Since

process efficiency is an important competitive advantage, the company does not tolerate any risks such as delays. Though in reality, delays do occur in unexpected circumstances, the company would put itself in a losing situation to minimize the delays so as to satisfy their customers.

-------------------------------------------------------------------------------------------------------------

6. Control Environmental Analysis – Appendix D

6.1 Segregation of Duties

There is a clear segregation of duties and every employee understands their roles and responsibilities. Most employees are experienced and have well-honed skills and knowledge. The top management occasionally monitors the employees.

6.2 Regular Verifications and Checks

Each of the department manager and supervisor does regular checks on the workers’ output and performance. The managers are required to submit a monthly report to the managing director. The managing director also makes frequent trips to China to perform verification on the data or information that has flowed between China office and Singapore office.

6.3 Proper Documentation, Securities and Access Authorities

The company has proper documentation procedures. This is mandatory so that checks and verification can be done. Confidential information is kept in the computer and is accessible only to the managing director, the managers and the accountant with password controls.

6.4 Integrated Information Systems

The company does not have an integrated information system between the China and Singapore offices. Transferring information through emails often result in poor coordination and errors, which greatly affect the reliability and integrity of the information.

-------------------------------------------------------------------------------------------------------------

7. Analysis of Risk Events and Risk Responses – Appendix G, H, I

R4: Loss of human capital, which includes skilled and experienced workers

Risk Event Description

In this industry, besides timely delivery of high quality goods to

the clients, the quality of service rendered by the employees of the company plays a big role too. The smooth process of delivery depends on the competency of the employees. As Mr. Pek travels to the factory in China very frequently, it is imperative for Dragon Link to retain the skilled and experienced workers. Loss of such human capital can result in decreased productivity and ultimately, leaving customers dissatisfied, which poses high costs to the company.

Existing Internal Controls

Preventive controls

• Being a small company, Mr. Pek tries to foster close ties with his employees and offers small rewards for outstanding performance.

Risk Response

Dragon Link recognizes its risk exposure to the loss of human capital and has taken steps to mitigate the likelihood of occurrence of the risk through the implementation of preventive controls.

Residual Risk

• Likelihood: Moderate

The likelihood of occurrence remains unchanged as humans are practical. Therefore, token rewards and good working environment are insufficient to retain the employees, especially if competitors or other industries are offering much higher salaries.

• Impact: Major

Dragon Link will definitely suffer in terms of productivity and customer satisfaction in the event that the current employees leave the company. The impact of risk remains unchanged with only preventive controls in place.

R8: Threat of data inaccuracy and integrity in the system

Risk Event Description

Dragon Link uses the accounting package AccMan, which is accessed and managed by a single person in the finance department. As a result, there is a lack of checks and controls to ensure that this person enters accurate figures. This can cause customer dissatisfaction when particulars and details of transactions

are not updated on a timely basis. Costs will also be incurred in identifying and rectifying the errors.

Existing Internal Controls

Preventive controls

• Access to the system is only limited to the finance officer so as to prevent duplication of data and to maintain integrity of the information entered.

Detective controls

• Regular checking and screening of the financial reports by Mr. Pek every three months to ensure that no error occurs.

Risk Response

Dragon Link has in place both preventive and detective controls to both mitigate the likelihood of occurrence of the risk. However, the controls are slightly lagging as reviews by Mr. Pek are only done every three months.

Residual Risk

• Likelihood: Likely

Regular reviews of reports by Mr. Pek limit the authority and freedom of the finance officer to alter the figures as errors can be detected. Restricting the access to only one finance officer also increases accountability, which makes it even harder for the finance officer to enter inaccurate data.

• Impact: Major

The impact of the risk in the event that it does occur remains the same, despite the controls in place.

R10: Risk of skiving employees

Risk Event Description

As the company operates in two different countries, it is difficult for Mr. Pek to supervise every employee. Hence, this presents an opportunity for his employees to take time off for personal activities. Also, he evaluates all employees’ performance based on department’s performance (except for salesperson) so some employees may shirk their responsibilities to others. Such actions can cause a drain in Dragon Link’s resources that lower the efficiency and maximum utility of human capital.

Existing Internal Controls

The nature of the control makes use of performance-based compensation method to deter skiving employees and monitor their activities even in the absence of Mr. Pek’s.

Preventive Control

• Sales personnel are compensated using variable pay structures. Commission is issued to them for meeting sales target.

Detective Control

• Dragon Link assesses and monitors their employees’ performance (except for salesperson) based on department’s performance which is shown on the financial statements.

• Mr. Pek conducts constant spot checks in China to ensure that their workers are not skiving.

Risk Response

Dragon Link adopts a passive approach to control any undesirable opportunistic behaviour. This approach of risk reduction is justified by the impracticality and immense cost of constant monitoring of all employees. Further, Dragon Link places trust and confidence in its employees and managers to give honest feedback and reports for evaluation.

Residual Risk

• Likelihood: Likely

Feedback from an independent third party (customers) ensures prompt detection of skiving activities of sales personnel. For other departments, skiving activities can be detected from the quarterly reports submitted to Mr. Pek for performance evaluation. The fear of punishments also acts as a deterrent. However, there is no monitoring mechanism to detect skiving employees within each department. Hence, the opportunity still exists for employees to skive and shirk their responsibilities to other people in the same department.

• Impact: Moderate

As sales personnel are rewarded based on commission, they are motivated to meet the sales target so the chances of skiving activities are greatly reduced, hence lowering the impact. However, variable pay structures may de-motivate the sales personnel if they deemed the sales target as unachievable. Also, as mentioned

above, there are still chances for other employees to display opportunistic behavior which lowers the efficiency of the operations.

R11: Wrong quantity and specification of tiles are delivered to the customers

Risk Event Description

Communication with customers and fellow employees is important for attaining process efficiency. As product specifications are written down, then faxed or emailed to the factory manager, this may lead to misinterpretation of the specifications. This is especially so as the diagrams may not be accurate in dimensions and the words are illegible. Time is needed to rectify the errors so leading to delays and customer dissatisfaction.

Existing Internal Controls

Preventive Control

• Dragon Link has stringent hiring process whereby they hire only Chinese who is fluent in communicating in Mandarin.

• To ensure that goods are delivered in correct amounts, China workers conduct manual checks once before they are shipped to Singapore and they always shipped extra quantity, in case the fragile tiles are broken during shipment.

• To ensure that goods are of correct specifications, factory managers will show one sample to Mr. Pek before they are mass-produced.

Risk Response

Getting the right candidate for the job and checking the goods produced will reduce the likelihood of wrong quantity and specification of tiles delivered to the customers. Thus, he has adopted the risk adoption approach.

Residual Risk

• Likelihood: Likely

Verifications of new samples by Mr. Pek will reduce the likelihood of wrong specifications. For repeated products, factory manager will use his experience to make decisions, which seldom goes wrong unless there is a change in dimension. Since the worker only counts the goods once before dispatch, it is still

likely that quantity delivered may be incorrect.

• Impact: Major

The current controls do not reduce the impact of the event. Wrong specification or wrong quantity delivered may have huge impact on the customers, in terms of real financial costs and delays, resulting in customers’ dissatisfaction. This will lead to a domino effect of poor performance and negative reflection on Dragon Link’s competency and reputation.

-------------------------------------------------------------------------------------------------------------

8. Recommendation and Justification – Appendix J

R4: Loss of human capital, which includes skilled and experienced workers

Recommendation – Regularly obtaining and reviewing employees’ feedback and opinions (formal)

Fostering close ties with employees and occasionally offering token rewards for employees are preventive controls that serve to mitigate the likelihood of the occurrence of the risk. If these are coupled with the regular review of employees’ feedback, which is a detective control, the risk can be better controlled.

Dragon Link encourages the employees to provide feedback to the management. This will give the employees a stronger sense of belonging and appreciation to the company. Ultimately, they might even be willing to give up the more competitive salaries for the good working environment. This includes conducting regular formal feedback sessions and more channels of communication to the management, especially Mr. Pek himself. Freedom of expression allows employees to voice out their concerns to Mr. Pek without fearing that any misunderstandings will arise. The “tone from the top” also plays a part. To create a transparent culture with a favourable working environment, the management should encourage employees to voice out their concerns and make it known to them that their welfare is of utmost importance to the company.

Benefits:

• Sense

of belonging to the company, leading to a greater commitment by the employees

• Increase in productivity with lesser tension among employees

• Loyalty to the company, leading to lower turnover rates

Costs:

• Time and effort spent in conducting formal feedback sessions

R8: Threat of data inaccuracy and integrity in the system

Recommendation – Engage an external and independent party to conduct regular checks on the accounts (eg. Fortnightly)

Having only one person to enter data and to consolidate the accounts introduces the risk of overlook of errors and the lack of integrity in data entry. The existing control of having Mr. Pek to personally review the financial statements quarterly is insufficient to accurately identify the errors. Besides, even if errors are identified, they are already ‘lagging’ indicators. Therefore, a more relevant control would be to engage an external and independent party to conduct more regular checks on the accounts, such as every fortnight.

Benefits:

• A more objective view of the company’s performance

• Errors can be identified and rectified earlier before damage is done to the company

Costs:

• Extra costs involved in engaging an external party

R10. Risk of skiving employees

Recommendation – Restructure the hierarchy of the employees and cultures

To enhance the level of supervision, a leader can be appointed in each department. The leader should act as a role model by displaying qualities like integrity, leadership and commitment and detect skiving employees within his/her department. The management should also emphasize a culture whereby company’s interests should be above self and that opportunistic behaviour will not be condoned. He can conduct in-door feedbacks session with each sales personnel regularly

to review their performance and the achievability of the sales target. In addition, a clock-in system can be implemented in China where employees need to clock in the time they reach and leave the office. Moreover, a CCTV can be installed to deter employees skive during working hours.

Benefits:

• Better allocation of resources and increase in productivity.

• Management time and effort can be channeled to tackle the strategic issues faced by Dragon Link.

Costs:

• Time for employees to adapt to a new structure as they may be resistant to changes.

R11. Wrong quantity and specification of tiles are delivered to the customers

Recommendation – Training for Production staff and increase number of checks

With regard to the problem of wrong specification, we suggest that the production unit should always start work way before the deadlines so that errors can be discovered at the early stage and be rectified in time. Also, instead of relying solely on the factory manager to make decisions regarding repeated products, Dragon Link can train other employees like the three production officers, to identify errors in the production process. Hence, it will reduce stoppage during production process when factory manager is not around to make decisions and reduce specification errors made due to his wrong discretion.

To further minimize the likelihood of wrong quantity of tiles delivered, we suggest to increase the number of checks. First, quantity is checked before shipment to Singapore. Second, quantity is double-checked with the packing list when the goods arrived in Singapore in case any loss during shipment. Third, just before delivery, quantity of goods is to be checked again. With numerous rounds

of detailed check conducted, the likelihood of mistakes will be reduced.

Benefits:

• Have a back-up person in charge if the factory manager quits. Thus, reducing any stoppage or delay that may occur.

Costs:

• Resources needed to train the production officers

• Time wastage due to the numerous rounds of check conducted

-------------------------------------------------------------------------------------------------------------

9. Limitations

Our team has collected information for this project through interviews without having any hands-on involvement in the process or site-visits. In addition, we were unable to access the information system to examine the risks related information processing due to time constraints. This report thus evaluates the design instead of the actual implementation of the controls.

Moreover, owing to time constraints, we were unable to conduct interviews with other relevant personnel. Hence, this has limited our access to the quantity of information which may present differing perspectives and beliefs of the company.

-------------------------------------------------------------------------------------------------------------

10. Conclusion and Moving Forward

Control and risk management is a requisite, if not, mandatory for a company to operate effectively and efficiently. The management should constantly assess the company’s risks and review the current risk responses and controls. Our recommendations serve to provide an outsiders’ view and insights of the company’s risk status. We hope that the management will benefit from our project and have better control in the company’s risks.

11. Feedback from Dragon Link Granite Pte Ltd

12. Appendices

Appendix A: Acceptance letter

Appendix B: Entity Level Business Model

Entity Level Business Model for Dragon Link Granite Pte Ltd

External Forces and Agents

• Demographic Lifestyle Trends: Customers’ tastes change from time to time - their preferences range from marble tiles to ceramic tiles

to granite tiles

• Regulators: Government regulation in China- export tax rebate

• New Entrants: New competitors and substitute products like ceramic tiles

• Customers: Mainly property sector and other construction projects

• Suppliers: Goods usually obtained from the same suppliers

• Competitors: Many competitors, especially from China producing the same goods and offering competitive prices

• Economy: Economic recession, growth of property sector

• Technology: Homogeneous tiles resembling marble tiles created, new discoveries of quarries

.

Markets/ Formats Business Processes Alliances Core Services/ Products Customers

Its major markets are in:

- Singapore

- China Its core business processes include:

- Production

- Finance

- Distribution

- Sales Strategic alliances are formed with:

- Industry players

- Resellers of their goods

Its core products include:

- All types of natural stones, eg. Granite

- Tiles Its main customers include:

- Property sector

- Other construction project developers

Appendix C: Organizational Structure

Dragon Link Organization Chart

As at 7 March 2008

Appendix D: Internal Controls Questionnaire

INTERNAL CONTROLS QUESTIONNAIRE

This questionnaire aims to analyze the internal environment of the company and identify internal and external factors that have given rise, or may give rise, to events. As such, this questionnaire is divided into 5 sections, namely the control environment, risk assessment, control activities, information and communication and monitoring.

SECTION 1 – CONTROL ENVIRONMENT

1 – Organizational Structure

Description of Factor Questions Assessment of Factor

Yes No

Organization charts Do you have an updated copy of the organization chart? ?

Complexity of the organizational structure Is the complexity of the structure proportionate to the organization’s size, lines of reporting clear and documentation timely? ?

Size

of the management group Is the size able to cope with the complexity of the unit and its growth? ?

Consistency of the management group Is the turnover rate low? ?

2 – Management’s Philosophy and Operating Style

Description of Factor Questions Assessment of Factor

Yes No

Compliance to laws and regulations Is there a great emphasis on complying with the law? ?

Good work performance Is the management concerned with doing the job without any errors? ?

Emphasis on meeting budget and other goals Is there active monitoring and follow-up on the results? ?

If deviations occur, is corrective action taken as necessary? ?

Approach to decision making Is the decision making process both formal and consistent? ?

Are there procedures and policies to ensure that appropriate supervision is involved in decision making process? ?

3 – Integrity and Ethics

Description of Factor Questions Assessment of Factor

Yes No

Conflicting interests Are your employees aware of the company’s policies regarding potential conflicting interests?

For eg. Between their outside business investments. ?

Codes of conduct and appropriate practices Do your employees understand the codes of conducts and practices, with regard to relationships with suppliers, creditors, customers and the public at large? ?

Integrity Does management set a good example for the employees? ?

Does management set high standards for integrity and ethical values to the employees? ?

4 – Delegation of Authority and Responsibility

Description of Factor Questions Assessment of Factor

Yes No

Assignment of authority and responsibility Is the assignment of authority and responsibility clearly defined to the extent that each individual is held accountable for results? ?

Experience and know-how Does management delegate authority to key personnel who are sufficiently experienced and knowledgeable? ?

Extent of authority Are the authority limits defined clearly in writing or communicated effectively to the employees? ?

Delegated signature authority Is the delegation of signature authority clearly defined and understood by employees?

For example, who is allowed to sign on behalf of another party? ?

5 – Commitment to Competence

Description of Factor Questions Assessment of Factor

Yes No

Knowledge and skills Does management understand the knowledge and skills needed for task accomplishment? ?

Job descriptions Are the roles and responsibilities clearly defined in writing or communicated in an appropriate mode? ?

Competency of employees Does management keep track of employee’s competency levels and take actions when the competency is low?

For example, increased training and supervision to its employees. ?

6 – Human Resource Policies and Practices

Description of Factor Questions Assessment of Factor

Yes No

Selection of personnel Is there a formal hiring procedure in which the hiring personnel select potential employees based on job requirements? ?

Training Do the training programs have clear objectives and are treated as high priority? ?

Supervision Are the personnel adequately supervised? ?

Inappropriate behavior Is there prompt and fair treatment to those who exhibit inappropriate behavior with no regard of his/her position? ?

Methods of compensation Is there a formal compensation process in place and if so, is its relationship to the performance evaluation process defined and communicated throughout the company? ?

Evaluation of personnel Is there a consistent and procedural evaluation process in place? ?

Staffing of critical functions Are critical functions adequately staffed such

that workloads are reasonable and manageable? ?

Turnover in non-managerial positions Is turnover rate low? ?

Does management understand the root cause of the turnover? ?

SECTION 2 – RISK ASSESSMENT

7 – Goals and Objectives

Description of Factor Questions Assessment of Factor

Yes No

Company-wide objectives Do you have a set of targets or goals that are communicated to the management and the employees? ?

Activity-level objectives Are all targets and objectives set realistically? ?

Measurement of objectives Are consistent / periodic evaluations of your company’s goals and their measurement criteria done? ?

Critical success factors Do you allocate resources according to the importance of the critical success factors (eg. Customer satisfaction, timely delivery etc)? ?

Employee involvement Do all your employees work towards achieving the same company goals? ?

Budgeting Are budgets developed realistically and do they help in achieving the company’s objectives? ?

8 – Risks

Description of Factor Questions Assessment of Factor

Yes No

Identification and consideration of external risk factors Does your company have any process in place that helps to identify and to consider the implications of external risk factors (eg. Economic changes, lifestyle changes, technological developments etc) on your company’s goals and plans? ?

Identification and consideration of internal risk factors Does your company have any process in place that helps to identify and to consider the implications of internal risk factors (eg. Changes in employees’ roles and responsibilities, new IT systems, new staff etc) on your company’s goals and plans? ?

Prioritization of risks Do you consider and evaluate the potential risks that your company faces, according to the likelihood of occurrence and the

potential impact? ?

Approach to risk evaluations Do you consider the potential costs and benefits of a particular plan / decision before committing to it? ?

Process for mitigation of risks Do you have a process in place to minimize the potential risks in every business deal / decision? ?

9 – Managing Change

Description of Factor Questions Assessment of Factor

Yes No

Commitment to change Is your company receptive to new business ideas and changes required to meet the goals set? ?

Support of change Is your company willing to commit resources for proposed changes? ?

SECTION 3 – CONTROL ACTIVITIES

10 – Controls

Description of Factor Questions Assessment of Factor

Yes No

Management reviews Any review of actual operating performance against budgets and forecasts? ?

Any review on company’s performance against competitors or industrial standards? ?

Any analytical review performed on variance of current year’s figures against prior years’? ?

Do you review expenses and cash flows of the company? ?

Independent checks and verification Are there any checks executed to ensure strategic and process objectives are met? ?

Is there an internal audit committee to perform independent checks and balances on the company? ?

Activity or direct functional management Is review of performance reports, which includes operational and financial results, segregated by process? ?

Is there compliance with the accounting and industrial standards?

(eg. Financial Reporting Standards) ?

Reconciliations Are accounts reconciled timely?

(eg. Bank reconciliations) ?

Key performance indicators Does the company perform analysis on the company’s key performance indicators and carry out follow-up actions? ?

Information processing Are there controls to ensure data

access is limited only to authorized personnel, accounting records are kept properly, transaction numbers run sequentially?

(eg. Pre-defined data listings, restricted input format) ?

Safeguarding of assets Are there physical counts and security measures available to safeguard your company’s assets?

(eg. Cash, inventory and equipment) ?

Segregation of duties Are there separate personnel for the handling of different duties?

(eg. Is there a different person in charged for each of the responsibilities: authorizing transactions, recording them and handling assets of the company?) ?

Maintaining of records Are books and records of the company properly kept? ?

11 – Policies and Procedures

Description of Factor Questions Assessment of Factor

Yes No

Communication of policies and procedures Are your company’s policies and procedures communicated to your employees either orally or through other communication channels? ?

Understandability of policies and procedures Are your company’s policies and procedures easily understandable and well-understood by your employees? ?

Implementation of policies Are your company’s policies implemented conscientiously and consistently with a sharp focus? ?

Follow-up on procedures Are follow-up actions taken after the procedures are effected to examine and take appropriate corrective actions? ?

12 – Controls over Information Systems

Description of Factor Questions Assessment of Factor

Yes No

Business Continuity Planning Do you have a business continuity plan in place to maintain systems availability that is communicated to key personnel? ?

Backup Do you do backup of your key data and information in your computer system on a regular basis? ?

Do you have an off-site storage backup for your company’s information system in case any breakdowns and loss of information occur? ?

Security management Is

your computer system installed with anti-virus (AV) software to filter incoming email and to detect and deter viruses? ?

Do you have a virtual private network (VPN) which uses the public Internet for private communication, accomplished through encryption? ?

Application controls Do your computer applications ensure completeness, accuracy, validity of data capturing and processing? ?

SECTION 4 – INFORMATION AND COMMUNICATION

13 – Information Accessibility

Description of Factor Questions Assessment of Factor

Yes No

External information Does everyone in the company have access to external information such as legislation, development and economic changes that might affect the company? ?

Management reporting system Do the employees report to the top management regularly in a well-defined procedure or system? ?

Management of information security Is information analyzed and classified by the degree of integrity, confidentiality and availability? ?

14 – Communication

Description of Factor Questions Assessment of Factor

Yes No

Trust Does the company delegate responsibilities and tasks to the employees based on trust? ?

Recommendations for improvement Does the company encourage employees to contribute ideas for improvement and are they rewarded for their contributions? ?

Formal communications Is important information (such as policies, performance reports etc) communicated in a formal manner? ?

Communication channels Do the employees have more than 1 communication channels? Are they able to communicate directly to the various managers? ?

SECTION 5 – MONITORING

15 – Management Supervision

Description of Factor Questions Assessment of Factor

Yes No

Management routine checks Does the management perform routine checks on the operational activities? ?

Involvements by employees Do the employees understand the importance and measures used in the routine checks? ?

Performance supervision Do the management monitor the employees’ performance? ?

16 – Outside Sources

Description of Factor Questions Assessment of Factor

Yes No

External environment analysis Is data evaluated and analyzed to identify changes in the market? ?

Response to external parties Are there investigations done on complaints or inquiries from external parties such as customers and suppliers? ?

External auditors Does the management consider and act on the information given by the external auditors? ?

Regulatory compliance Are regulatory requirements implemented into the internal management system? ?

17 – Response Mechanisms

Description of Factor Questions Assessment of Factor

Yes No

Management follow-up on violation of policies Does the management take timely actions on violations of policies? ?

Management follow-up on external events Does the management take timely actions on external events that affect the company?

?

18 – Self-Assessment Mechanisms

Description of Factor Questions Assessment of Factor

Yes No

Monitoring of internal environment Does the management evaluate the effectiveness of the organization structure? ?

Does the management review the effectiveness of the policies and procedures regularly? ?

Risk assessment Does the management carry out risk assessment regularly? ?

Does the management review the effectiveness of the risk assessment procedures? ?

Information and communication system assessment Does the management evaluate the effectiveness of the information and communication system ?

Appendix E: Business Process Analysis

Distribution Process

Process Objective: • Ensure high quality of their granite and that all its granite exceed industry standards.

• Prompt and fast delivery time to their clients, so as to bring customer satisfaction and generate steady profit growth.

Inputs: • Sales orders

• Forwarders

list

• Packing lists

• Warehouse inventory list

• Weight and dimension of the crates of goods

• Delivery orders

Process activities: The process begins with the China coordinator receiving the goods from the suppliers or factory. He checks the goods with the sales order given to him earlier by the sales department. He then packs the goods into crates, prepare the packing list and files back the sales order. Two copies of packing lists are emailed to the Singapore coordinator. He will also select a forwarder from a list depending on the weight and dimension of the crates. Additional packing lists are packed into each of the crate for easy verification by the forwarder. The crates of goods are then collected by the forwarders and sent to Singapore.

Sometimes, goods are sent directly to the customers by the forwarders. However, in most cases the goods are sent to the Singapore coordinator as the customers have requested for later date receipt. The coordinator will then verify the goods with the packing list. However, the crates are not opened up for detailed quantity check. He merely checks for correct number of crates and recipients with the packing lists. The 1st copy of the packing list is filed, while the 2nd copy is passed to the warehouse along with the verified goods.

The warehouse store man will do the same verification as the coordinator accordingly to the packing list. He then files the packing list as well for documentation and stock checking. Regularly, the store man retrieves the sales order, which was given to him earlier by the sales department, and check the inventory list to see

if any of the sales orders can be fulfilled with the current stock count. If the sales orders cannot be fulfilled, he will wait for further receipts of goods and then files the sales orders. If a sales order can be fulfilled, he will pack the goods and prepare a delivery order according to the sales order. The sales order is filed back for documentation purposes as well. He will also select a forwarder, who will then collect the goods and the delivery order, and send them to the respective customers.

Output: • Stock-count report

• Signed delivery order

• Packing list

Systems • AccMan – recording of all transactions

• Warehouse storage and stock count system

Classes of Transactions Routine transactions

• Fulfilling sales orders, matching the goods in stock with sales orders

• Verify goods received

Risks that threaten objectives 1. Natural disasters

2. Data entry error

3. Theft of goods

4. Wrong quantity and specifications of goods delivered

Controls linked to risks Refer to appendix H

Other symptoms of poor performance • Customers complaints

• Customers/projects lost to competitors

• Increase number of delays

Appendix F: Business Process Flowchart page1

Appendix F: Business Process Flowchart page2

Appendix G: Risk Descriptors

22nd February 2008

Risk Descriptors Definition

Likelihood Dimension Probability of Occurrence

(For Strategic Risks) Frequency of Occurrence

(For Operational Risks)

Almost Certain Will happen within this half year Will have >20 incidents in 100 jobs

Likely Will happen within this year Will have <15 incidents in 100 jobs

Moderate Will happen within these 2 years Will have <10 incidents in 100 jobs

Unlikely Will not happen within these 2 years Will have

<3 incidents in 100 jobs

Impact Dimension Impact on Efficiency of Distribution Impact on Customer Satisfaction Financial Impact

Increases total

number of delays by X % Increase number of ‘lost’ customers by X% % decrease in revenue or % increase in

additional cost

Major X >15% X > 10% > 25%

Moderate 10% < X ? 15% 5% < X ? 10% 15% < X ? 25%

Minor 5% < X ? 10% 2% < X ? 5% 5% < X ? 15%

Insignificant X ? 5% X ? 2% X ? 5%

Appendix H

Risk Event Risk Inherent Risk Within Risk Appetite? (Y/N) Controls in place Residual Risk within Risk Appetite? (Y/N) Residual Risk

Likelihood Impact Likelihood Impact

Strategic Risks

R1 Threat of new competitors Almost certain

Mr Pek mentioned that in the construction materials industry, new competitors emerge very rapidly and frequently. Therefore, it will most likely occur within half a year Minor

In this industry, clients often switch to competitors and new entrants if they can offer a more competitive price, but as Mr Pek has mentioned, most of these clients will eventually return back to Dragon Link as they are more familiar with the company. Therefore, % of ‘lost’ clients is between 2-5%. Y Preventive Controls

• Foster good relationship with clients through excellent service delivery (timely delivery and quality of products).

• Constant communication with clients throughout the whole project and attending to their feedback when necessary.

Y Risk acceptance

R2 Economic crisis (eg. Asian financial crisis and sub-prime crisis) Unlikely

The possibility of an economic crisis occurring is too low and hence it will

not happen within these 2 years Major

During economic crisis, many clients often default payments, resulting in large amounts of bad debts written off. The increase in costs is hence >25%. Y Preventive Controls

• For larger projects, the company will request for progressive payments, which lowers the eventual loss, if any.

Y Uncontrollable

Risk acceptance

R3 Natural disasters (eg. Floods, earthquakes and snowstorms in China) Unlikely

The possibility of a natural disaster occurring is too low and hence it will not happen within these 2 years Major

When natural disasters strike, many supplies will get cut off as they are obtained from quarries, and shipments get delayed, resulting in >15% of delays. Y Preventive Controls

• Keep inventory in warehouse to minimize delays

Y Uncontrollable

Risk acceptance

R4 Loss of human capital, which includes skilled and experienced workers Moderate

The employees of the company have worked there for many years and the turnover rate is very low. Therefore, it will not happen within 2 years Major

Service to the clients is of utmost importance in this industry. If experienced workers leave, it can have a major impact on customer satisfaction, with a >10% ‘lost’ customers. N Preventive Controls

• Foster good relationships with the employees

• Constantly review the employees’ feedback on the management

N Moderate

Being a small company, it is unable to provide employees with extra remuneration to retain them. As salaries in other companies become more competitive, Dragon Link still face the risk of losing the experienced workers. Major

R5 Changing demographics and lifestyles Moderate

People’s lifestyles and preferences are always changing, hence it will happen within these

2 years Major

When people’s lifestyles and preferences change, the mass market will move towards substitutes, such as ceramics. This results in a decrease of >25% in revenue. N No control N Moderate Major

R6 Price fluctuations in raw materials Moderate

Although not frequent, price fluctuations occur occasionally due to certain factors such as availability of the natural stones and number of suppliers of the stone. Therefore it will occur within 2 years Insignificant

Prices of raw materials causes costs to increase, but as Mr Pek has mentioned, this affects the whole industry, and hence the impact on customer satisfaction is insignificant. Y Uncontrollable Y Risk acceptance

R7 Default of payment from clients Likely

Mr Pek claims that such occurrences are common even though the frequency is not as high as during economic downturn. Therefore it will most likely happen within 1 year Moderate

Dragon Link always pays for supplies on behalf of their clients first. When clients default payment, the increase in costs amount to 15-25%. N Preventive Controls

• For larger projects, the company will request for progressive payments, which lowers the eventual loss, if any.

• Careful review of clients’ credit position by the MD before accepting the sales Y Moderate Minor

Business Process Risks

Inputs Risks

R8 Threat of data inaccuracy and integrity in the system Almost certain

ACCMAN is entirely managed by one person in the Finance Department so there may be lack of integrity and accurate information. Major

Customer satisfaction might be reduced if the particulars and details of transactions are not updated on a real time basis. Costs may have to be incurred to verify and

obtain the correct information. N Preventive Controls

• ACCMAN is restricted to the access of finance officer so as to prevent duplication of information and maintain integrity of info.

Detective Controls

• Checking of financial reports by Mr Pek every 3 months N Likely Major

R9

Data entry errors in the computer system

(Customer details and Sales details)

Moderate

Data entry by salesperson is not verified and checked by another party. Moderate

Wrong data inputs would cause wrong analysis and cause disruptions in distribution. Wrong customer details would result in delays (inefficiencies) and customer dissatisfaction. This might also incur additional costs as they may engage the deliverymen for making extra trips.

Y Detective Controls

• Perform system checks

• ACCMAN ensures validity and completeness checks. Y Moderate Minor

Performing occasional checks are enough to mitigate wrong inputs and rectify these mistakes in time. (Risk reduction)

Process Risks

R10 Risk of skiving employees Almost certain

Mr Pek stays in Singapore office most of the times so there is high chance of skiving employees in China. Moderate

Efficiency would be affected as skiving employees could have used that time more productivity. This would lead to resource wastage and excessive manpower. N Preventive Controls

• Performance-based compensation for sales personnel

Detective Controls

• Constant spot checks in China

• Evaluate employees’ performance using dept’s performance

• Customer feedbacks N Likely

Managers are to generate reports for department’s performance evaluation and customer feedbacks on quality of services and goods may act as deterrence. Moderate

The sales person and customers may collude so the impact will still not be reduced.

R11

Wrong quantity and specification of tiles are delivered

to the customers

Almost certain

Miscommunication between employees due to language differences. Major

Goods with wrong specifications mass-produced may lead to additional costs to verify the problem. Time is needed to re-produce the goods so leading to delays and customer dissatisfaction. N Preventive Controls

• Hire only Chinese who is fluent in communicating in Mandarin.

• Manual checks done before goods are produced and shipped to Singapore N Likely

Chinese coordinator will reduce chances of miscommunication with customers, China’s suppliers and factory manager. Checks to avoid wrong quantity delivered to customers. Major

The existing controls only help to reduce the possibility of the risk occurring.

R12 Theft of goods at the warehouse Moderate

The goods are only managed by 1 storekeeper. Insignificant

Loss of unwanted scraps of tiles will have no major impact on the company performance. Packed tiles are too heavy to be stolen. N Preventive Controls

• Restrict people having access to physical goods

Detective Controls

• Periodic counts of inventory and compared with amounts on control records N Unlikely

Only storekeeper will have actual access to goods so reduce the likelihood of theft. Insignificant

With periodic checks and regular reports to be submitted to Mr Pek, impacts of lost items can be mitigated quickly.

R13 Extension of deadlines due to more time needed on the job Unlikely

Due to high penalty, Mr Pek rather buys from competitors at higher rate than breach the contracts. Major

Customers will be dissatisfied if there are delays in the delivery of goods. Higher costs arise from purchasing from competitors. Y • No controls Y Risk acceptance

Output Risks

R14 Inaccurate reports from warehouse ( to

check for timeliness of deliveries, aging reports) Unlikely Moderate

As long as the company ensures there are sufficient stocks to distribute to the customers, some slight differences in the reports will not affect normal operations. Y

• Customer feedbacks Y Risk acceptance

Appendix I: Risk Matrix

Appendix J: Recommendation Timelines

R4: Loss of human capital, which includes skilled and experienced workers

R8: Threat of data inaccuracy and integrity in the system

R10. Risk of skiving employees

R11. Wrong quantity and specification of tiles are delivered to the customers

Appendix K: 1st Meeting Minutes

NANYANG TECHNOLOGICAL UNIVERSITY

AA205 iCEE Project

Minutes for meeting

Client: Dragon Link Granite Pte Ltd

Members present: Chai Jun Yang

How Shu Ying (Minutes-taker)

Ou Lijuan Lynette

Tay Wen Xia (Facilitator)

Date of meeting: 18 February 2008

Time of meeting: 3pm to 5pm

AGENDA OF MEETING

Our first interview with our client commenced on 18 February 2008 from 3pm to 5pm. Our team started our interview with Mr. Pek Tiong Hin, Managing Director of Dragon Link Granite Pte Ltd by explaining to him what our iCEE project is about and the objectives of the project. We also stated our chosen process – distribution and sought his assistance in helping us to learn more about the company and the distribution process.

The following items were discussed during the interview:

• Organizational structure of the company

Mr. Pek, being the Managing Director of the company sits at the top of the organization and is the overall in charge of the company. He will oversee the operations both in Singapore and also in China where the production of goods

takes place. The factory in China operates very independently and all matters are handled by the factory manager, who will give monthly reports to Mr. Pek. In Singapore, there are two salespersons in charge of sales and two accounts and administration staff, one of whom is a coordinator who is responsible for liaising with the staff in China. There is also a storekeeper in charge of the warehouse and passing duties to the deliverymen, who are external independent persons.

• Objectives of the distribution process

Basically, the objectives of the distribution process are to ensure that goods can be delivered on time, are of a high quality and of a competitive price.

• Distribution process flow

Our team then learnt about the distribution process and how it actually works so that we will be able to flowchart out the process using Microsoft Visio.

• Competitors

Mr. Pek mentioned that the company has many competitors. There are competitors in Singapore and from other countries, especially those from China. In China alone, there are about 400 factories in the same industry producing tiles. He added that in this industry, the products are in fact commodities; there are no particular brands to them. The only differentiating factors between companies are in the processing quality and the servicing of the clients. Some companies will perform better in these factors, while others may not do them as well. For Dragon Link Granite, Mr. Pek expressed that there are certain steps taken to control the quality and color consistency of the tiles.

• Customers

As for the company’s customers, Mr. Pek stated that the customer turnover rate is quite low. It

would be quite difficult for the company to penetrate other customers because most often than not, the customers would stick to those companies that they have worked and enjoying working with.

To deal with any uncertainties, the company will usually work with selective customers based on past history records and experience and those that pose fewer risks to them.

• Suppliers

The company usually obtains their raw materials from the same suppliers, especially for those raw materials which are produced in one and only one quarry. For new suppliers, there is a need to look at the finished products and carry out inspection before deciding whether or not to sign a contract with them. Mr. Pek would usually inform the purchasing staff in China about the market expectations in Singapore and educate them constantly on the acceptable standard of quality of the materials.

In Singapore, there is no inspection done on the boxes of tiles upon receipt from the factory in China. Inspection of the goods is only carried out at the customer’s job site whereby if there are any discrepancies, they will contact the salespersons and inform them of the errors. The company will have spare buffer stock or otherwise known as ‘wastage’ of about 5% to 10% to be provided to the customers in order to ensure that there are no delays in the customers’ construction projects.

• Government regulation

There is not much restriction from the government on the company.

• Human resource policies

There is a probation period for the to-be-employees of the company to monitor their performance before Mr. Pek actually decides whether or not to hire the employees. With

regards to the sales employees, their performance would be assessed based on their sales quota.

• Potential and existing threats

Mr. Pek expressed that there are many threats to the company, as stated below:

o Substitutes: Ceramic tiles

o Demographic lifestyle changes: Customers’ tastes change from time to time. Their preferences range from marble tiles to ceramic tiles to granite tiles.

o New discoveries/New quarries

o Growth of property sector: Whether the property sector is growing or not has an impact on the sales of the company

o Technology: Technology has created homogeneous tiles that looks like marble tiles

o Bad weather eg. Typhoon: The vessel cannot leave the dock if there are bad weather conditions in China.

• Business alliances

The company does buy products from its competitors, even though the prices may be higher, just to ensure that they are able to complete their jobs on time.

The company also forms alliances and works with clients who are actually resellers of the products. They are smaller suppliers who do not have their own factories. Each time they have a job, they will send their specifications to the company. They will usually continue to work with the company if they are satisfied with what the company has delivered.

• Financial position of the company

Mr. Pek mentioned that their current gross profit is a positive value. However, he expressed that this figure may fluctuate depending on the market because the industry they are in is a volatile one. During the Asian Financial Crisis, the company had incurred bad debts and it is only in these few years that they are recovering from the crisis.

Currently, their liquidity position is enough. The company does borrow loans from banks, especially to finance big projects. There are usually no problems in returning the loans from the banks. The company generally collects their money from customers after they have delivered the goods to them, but for jobs which are of a large size, they will usually collect progressive payments from customers. The payment terms will be stated up front and agreed upon by the customers when they sign the contract with the company.

• Measurement of process performance

Mr. Pek mentioned that their company has no measures with regards to process performance. He added that the most critical point is to ensure that goods are delivered on time to their customers. Their company cannot afford to have any delays. In fact, he brought up that there is 0% tolerance for the occurrence of delays. If they foresee a delay happening, they will try to rectify it at all costs, even if they end up having a loss because they feel that it would be better than to have any delays in delivery of goods to the customers. If the cause of the delay was due to a natural disaster, the customers would give some leeway to the company. There is no record of customer satisfaction rate. They will just learn about their customers through the customer feedback that they provide.

• Risk appetite

Given a range of 1 to 10, Mr. Pek described his company’s risk appetite as moderate and gave a figure of 4 out of 10. He stated that their company would not take up jobs where the risks are high.

They would be selective in their choice of customers, for instance depending on whether their customers are those unreasonable in expectations or not.

• Controls

The company uses an accounting package of a local company known as ACCMAN to document all their figures and sales orders. Backup of the information is done on a regular basis. As for the access control, Mr. Pek mentioned that only the accounts staff is able to view confidential information such as the Profit and Loss Statement.

As for physical security measures, Mr. Pek stated that there are none because he reasoned that the tiles are heavy and thus, it would not be easy for anyone to steal away the tiles.

List of questions asked:

o What is the organizational structure of the company like?

o What are the roles and responsibilities of each employee?

o Who are the people involved in the distribution process?

o Is there a mission and vision of the company?

o What are the core objectives of the distribution process?

o Can you describe the whole distribution process?

o Can you tell us more about your competitors?

o Can you tell us more about your customers?

o Is the customer turnover rate high or low?

o How does the company deal with uncertainties?

o Does the company obtain its raw materials from the same suppliers or different ones?

o How do you go about choosing new suppliers?

o Is there inspection done on the products?

o Is there any government regulation on the company?

o What are your procedures for hiring people?

o Are there are criteria for hiring people?

o What are the potential

and existing threats of the company?

o Does the company have any business alliances?

o What is the financial position of the company like?

o Does the company incur any debts?

o What is the liquidity position of the company?

o Is the company able to repay any loans from banks?

o How do you measure the company’s process performance?

o Are there any sources of indicators?

o What is the company’s risk tolerance like?

o Given a range of 1 to 10, can you describe the company’s risk appetite?

o Is there any use of Information Technology for documentation eg. Accounting package?

o Are there any physical security measures of the company?

Appendix L: 2nd Meeting Minutes

NANYANG TECHNOLOGICAL UNIVERSITY

AA205 iCEE Project

Minutes for meeting

Client: Dragon Link Granite Pte Ltd

Members present: Chai Jun Yang (Facilitator)

How Shu Ying

Ou Lijuan Lynette

Tay Wen Xia (Facilitator & minutes-taker)

Date of meeting: 23 February 2008

Time of meeting: 1pm to 3.30pm

AGENDA OF MEETING

Our second interview with our client commenced on 23 February 2008 from 1pm to 3.30pm. Our team started our interview with Mr. Pek Tiong Hin, Managing Director of Dragon Link Granite Pte Ltd by refreshing topics discussed in the previous interview and giving him ICQ to complete. We explained the ICQ objectives and clarified some doubts over some questions during the process. After that, we continued to ask him questions with more refined details relevant to risk assessment.

The following items were discussed during the interview:

• Organizational structure of the company

From previous interview, we have drawn an organizational chart for Mr

Pek’s verification. It is then clear that the factory manager is the chief in-charge in China, above the other managers in the hierarchy and the 40 to 50 outsourced workers are managed by the Production Department. These outsourced workers are from different companies and are managed by the coordinator, in particular. In Singapore, the storekeeper and deliverymen are under the control of finance officers. Though there are 2 persons in both finance and sales departments, there is no distinct difference in job title among them. Thus the chart is relatively flat yet decentralized.

• Audit checks

The company did hire external auditors periodically to assist them to prepare financial statements. The auditors merely help them to improve the presentation of the reports, without providing recommendations on improving the operations of the company. When auditors advised them on wrong categorization of items on the face of P/L, the management will immediately take appropriate actions.

• More external risk events

1) Prices of competitor’s

2) Entry of new competitors

3) Credit default from customers- He explains that this is especially the case in times of economic recession and those who delays payment are often regular customers. However, they have existing controls in place. For instance, they ensure that they bill their customers on partial basis to avoid default in payment. Also, Mr Pek himself will check the aging reports and other financial reports every 3 months to detect the ‘bad customers’.

4) Government regulation in China- export tax rebate depending on the complexity of the organization. In the case of his company, they got tax rebate of only about 1%. This may be a threat to increase

costs. Nevertheless, it was mentioned that the effects will still be offset eventually.

• More internal risk events

1) Risk of skiving workers- this is especially the case as he is seldom in China so there is a high probability of them ‘slacking’. To curb this problem, he pays his salespeople on commission basis to provide them with incentives to work. He also sets a sales target for them. For others, he just evaluates them based on the results.

2) Goods with wrong specifications- it may be due to miscommunication and it may be due to the faults of customers too. It is arose from the misleading diagrams of the products.

3) Wrong quantity of goods- manual checking done by only 1 person

4) Theft of goods- This is not a significant impact as the tiles are packed together so it is very heavy to be stolen. However, there are many cases of unaccounted loss of unwanted tiles.

5) Customers request to extend deadlines after shipment has arrived. This is not often the case as there is presence of contracts and they often want delivery to be done as soon as possible. If not, it will lead to increased costs to keep and maintain the goods in the warehouse.

• Risk descriptors

From last interview, we have drawn up a set of possible likelihood and impact descriptors to seek his opinions. Basically, he is fine with our likelihood rating. For impact rating, he is only interested of financial values. But I explained to him that financial values are linked to customer satisfaction and efficiency of operations. He agreed.

Another issue is the differences between the

indicators for customer satisfaction (increase no. of ‘lost’ customers) and financial impacts (% increase in lost revenue or additional cost). The latter takes into consideration that some customers may be of greater importance to the company than those ‘small’ customers. Hence, the loss of such ‘major’ customers will have greater impact on the economic figures which was of greater concern to Mr Pek.

The interview ended with more clarifications regarding the business process and also with a date set for the last interview with Mr Pek in which the group will present him our final report.

List of questions asked:

o Do you have any control over the outsourced workers?

o What do you think of your organizational structure?

o Do you audit your accounts?

o What are the roles of the external audit?

o Do you face credit default from the customers?

o What exactly did you do to solve or minimize the impact of the problem?

o Did you check your accounts yourself?

o How frequent did you check them?

o Do you face any threats due to cross-boundary transactions? Tell us more about the China’s tax rebate.

o Do you face problem in which your employees are slacking during work?

o What did you do to resolve the issue?

o Do you have any encounter in which you deliver the wrong goods to customers?

o Do you face problem of theft of goods?

o Is the impact of such loss of unwanted scraps of tiles significant to your company?

o What other events can increase the costs of the operation?

o Do you think the risk descriptors adopted are of great relevance

to your company?

Appendix M: 3rd Meeting Minutes (Exit Interview)

NANYANG TECHNOLOGICAL UNIVERSITY

AA205 iCEE Project

Minutes for meeting

Client: Dragon Link Granite Pte Ltd

Members present: Chai Jun Yang

How Shu Ying

Ou Lijuan Lynette

Tay Wen Xia

Date of meeting: 12 March 2008

Time of meeting: 3pm to 5pm

AGENDA OF MEETING

Our third and last interview with our client commenced on 12 March 2008 from 3pm to 5pm. Our team started our interview with Mr. Pek Tiong Hin, Managing Director of Dragon Link Granite Pte Ltd by giving him a copy of our report and then followed by a presentation of our findings to him.

Feedback from Mr Pek, Managing Director of Dragon Link:

_________________

Signature

13. Glossary

Business Process Analysis (BPA) – A review and evaluation of a business’ value chain and core business practices to identify ways in which the existing practices can be made more efficient. Methods used in this analysis include process flowcharting as well as the identification of critical functionality, concerns and desired improvements.

Control – A check or restraint to prevent the flourishing or spreading of something undesirable.

Detective controls – Actions and checks put in place to discover and identify the existence of errors after they have occurred. The costs involved in detective controls are usually higher than that of preventive controls, but they are still necessary to control certain errors more effectively.

Enterprise risk management (ERM) – A framework for risk management, which involves identifying particular events relevant and capable of affecting an organization’s objectives (both risks and opportunities), assessing these events in terms of likelihood and

magnitude of impact, determining a response strategy, and monitoring progress. It includes the methods and processes used by organizations to manage risks (or seize opportunities) related to the achievement of their objectives.

Entity – An organization of any size which has a distinct and separate existence, set up for a particular purpose. Synonyms include organization or enterprise.

Event – An occurrence of some importance, both internal and external to the organization that has the potential of hindering the implementation of strategies and the organization’s achievement of objectives.

General controls – Controls that are present in the environment surrounding the information systems. These include the organizational and administrative structure of the IS function, the existence of policies and procedures for the day-to-day operations, availability of staff and their skills and the overall control environment . General controls support the functioning of programmed application controls.

Impact – The influence and effect of an event or action. The extent of impact can be categorized into different bands and it can be positive or negative relative to an organization’s related objectives.

Integrated control questionnaire (ICQ) – A set of questions for the organization to review its internal processes, policies and procedures, to determine the adequacy of internal controls for reliability and accuracy. It also helps the organization in evaluating its operational efficiencies and effectiveness.

Inherent risk – The risk that is automatically attributed to an audit area due to the nature of the account . It is the risk that an organization faces in the absence of any control activities or actions done to alter the risk event’s likelihood or magnitude of impact.

Internal control – A process, effected

by an organization’s people and information technology (IT) systems, designed to help the organization accomplish specific goals or objectives. It Is a means by which an organization’s resources are directed, monitored and measured .

Michael Porter’s 5 Forces Model – A framework for industry analysis and business strategy development. The five forces under this model include the threat of substitute products, the threat of new entrants, and the threat of competitive rivalry, customers’ bargaining power and suppliers’ bargaining power.

Operations – The activities and procedures that the organization engages in, which helps the organization in meeting their performance and profitability goals with its effectiveness and efficiency.

Opportunity – An occurrence of an event that positively affects the achievement of objectives, or which allows the organization to make use of the event to improve their position.

Preventive controls – Actions and measures taken to pre-empt the occurrence of errors and irregularities.

Residual risk – The risk that remains after the implementation of controls and measures to alter an organization’s risk likelihood and magnitude of impact.

Risk – The possibility of an event occurring and adversely affecting the achievement of objectives.

Risk appetite – The amount of risk that an organization is willing to bear and take up in order to pursue its organizational missions and goals.

Risk management – The identification, assessment and response to risk to a specific objective.

Risk tolerance – The amount of variation from the achievement of objectives that the organization is willing to accept.

Strategic risks – Possible events and occurrences that are capable of affecting an organization’s achievement of high-level goals that are aligned with and support its mission.

14.

References

1. Wikipedia, Online, Available: http://www.wikipedia.org

Viewed on 26 February 2008

2. Dictionary, Online, Available: http://www.dictionary.com

Viewed on 26 February 2008

3. ISACA, Definition of general controls, Online, Available: http://www.isaca.org/Template.cfm?Section=IT_Audit_Basics&Template=/ContentManagement/ContentDisplay.cfm&ContentID=11228

Viewed on 26 February 2008

4. The Committee of Sponsoring Organizations of the Treadway Commission, “Enterprise Risk Management – Integrated Framework”, Published on September 2004

Viewed on 15 January 2008

5. Timothy B. Bell, Frank O. Marrs, Ira Solomon, Howard Thomas, “Auditing Organizations Through a Strategic-Systems Lens”, Published on 14 July 1997

Viewed on 1 February 2008

6. IT Governance Institute, “Control Objectives for Information and related Technology 4.1”, Published in 1996

Viewed on 20 February 2008

7. Bangkok Companies Ultimate Contact Database, “Dragon Link Granite Pte Ltd – Stonemasons, Granite, Natural Stone Singapore Company Profiles”, Online, Available: http://www.bangkokcompanies.com/asian_company_profiles/dragonlink_granite.htm

Viewed on 2 February 2008

8. Stanford University, “Internal Control Factors” Questionnaire, Online, Available: http://www.stanford.edu/dept/Internal-Audit/docs/internal_controls.shtml

Viewed on 19 February 2008