Skydda is a global pharmaceutical company listed on a major stock exchange. It is currently undertaking a major project to develop a new medical drug to cure influenza. If it is successful, this research could result in the company’s most profitable product ever and strengthen its already dominant market position. Skydda has gained an excellent track record for developing medical solutions by employing the best research scientists in the field and constantly investing in cutting edge technology. It has a large modern research facility, where it encourages all its staff to suggest ideas which could be taken forward through the development process.
Although large amounts of cash are required to operate the research facility, the high levels of returns from commercial successes delivered by the company have meant that it has never had a problem raising finance from either equity or debt sources. The company’s level of financial gearing is high relative to other companies in the industry, but since it is a cash generative business it can easily service its debt.
The board historically has had a good long-term relationship with the majority of the investors, particularly the institutional shareholders, because Skydda continues to deliver high returns on capital employed and excellent earnings per share. The company has established an extensive and very effective range of internal controls covering all primary business areas including:
(i) Marketing. Regular examinations of the pharmaceutical market are undertaken to identify propositions which could result in potentially lucrative commercial products. Suitable propositions are then submitted to a board level steering committee who assign a team who evaluate their feasibility and make appropriate recommendations.
(ii) Research. Prior to the commencement of any new research, a detailed and fully costed project proposal must be submitted to the steering committee for approval. Only then are the required resources assigned to the research project and permission granted to proceed.
(iii) Financial management. Annual capital budgets are agreed by the board at the start of every financial year. These budgets are absolute limits and cannot be exceeded without the express permission of the board.
(iv) Internal control reports. All research projects are required to produce and submit regular reports detailing progress achieved and expenditure incurred against budget.
The board regularly provides voluntary reports on its internal controls to shareholders, which further inspires confidence in the company and provides reasonable assurances on the safeguarding of their investments.
Required:
Evaluate the main elements or components of the internal control system at Skydda using a suitable framework, including an assessment of the importance to Skydda of each element or component.
Internal controls
The main elements/components of the internal control system at Skydda can be evaluated using the COSO enterprise risk management framework:
Control environment
This establishes the basis for how risk is viewed throughout the company and includes establishing the risk appetite, which for a pharmaceutical company like Skydda engaged in expensive research is likely to be quite risk seeking. The Skydda control environment includes the commitment of the board to maintain a sound system of internal control, which will be encapsulated in the company’s culture. This ‘tone at the top’ of Skydda describes the management style, how authority is delegated throughout the organisation, and the commitment of the board of directors to a robust and effective internal control system. The fact they have implemented a range of internal controls in all primary business areas suggests a good control environment.
Risk assessment
All risks are assessed in terms of their likelihood and probable impact on the company, which in turn defines the risk and return profile which shareholders have bought into and accept. Skydda invests significant funds in research with the aim of developing pharmaceutical products with significant future commercial values; however, this is a high-risk strategy with no guarantees of success. Good practice, as described in the COSO framework for example, encourages the use of a wide range of both quantitative and qualitative techniques to appraise any investment opportunity to ensure that any residual risk is within the company’s risk appetite. At Skydda the requirement for a costed project proposal suggests that only those projects which deliver a satisfactory return for the risks faced will be approved to proceed.
Control activities
The board of Skydda should establish appropriate policies and procedures to ensure that appropriate responses to the risks assessed are effectively carried out. Such control activities are relevant at all levels within the company, and will include authorisations to conduct research, commitment of capital expenditure from approved budgets, and periodic performance and progress reviews. Collectively these control activities are usually referred to simply as internal controls.
Information and communication
Systems need to be developed to enable relevant control information to be gathered and then communicated to the right people in the organisation so that they can carry out their duties and discharge their responsibilities. This will include both internally and externally sourced information so that business decisions can be fully informed, which is essential for a company like Skydda, where the quality of its information systems is critical to this aspect of internal control. Indeed, effectively communicating internal control information, such as project progress reports, will strengthen Skydda’s control environment and improve overall risk awareness.
Monitoring activities
The entire internal control system must be monitored and supervised with any significant issues reported to senior management. At Skydda operational performance, such as project progression, will be monitored by relevant management, but ultimately the board is held accountable for all aspects of business performance.
The COSO framework draws a clear distinction between the ongoing monitoring by management which allows for regular corrective actions, and the periodic review of the internal control system often conducted by the internal audit function which might identify more fundamental root causes of problems.
Explain the need to report on internal controls to the shareholders of Skydda, and describe the main content of an effective report on internal control for Skydda.
Internal control reporting
By reporting on the effectiveness of internal controls to its shareholders, the board of Skydda will inspire greater confidence in the company’s performance. This is critical when the company engages in capital intensive research activities as it illustrates that the board is managing risks responsibly and not taking excessive risks beyond the agreed appetite. External reporting can act as a stimulus and control on directors’ decision making because it defines their accountabilities. They are unlikely to take unnecessarily risky decisions and will obtain further information in areas where internal controls have been identified as weak or ineffective.
To provide shareholders with the necessary assurance they require, the board should conduct an annual review of the effectiveness of the company’s internal control systems, which should then be formally reported to shareholders. The Skydda annual review should cover all material controls, including financial, operational and compliance controls, as well as risk management systems. The review should be conducted against the COSO elements, thereby providing a holistic assessment of the effectiveness of the internal control systems.
The main content which should be included in an effective report on internal controls at Skydda includes:
(i) A formal statement declaring the company’s willingness to take on risk (i.e. its ‘risk appetite’), together with its required supporting culture and whether this culture has been successfully embedded within the company.
(ii) Detail of the operation of internal control systems, which should also cover its design, implementation, monitoring and review. There should be a description of the main features of the company’s internal control and risk management systems in relation to its financial reporting processes.
(iii) Identification of risks and the determination of those which are considered significant to the company. Any incidence of significant control failings or weaknesses which have been identified at any time during the reporting period which may have caused material losses. This should include the extent to which they have, or could have, resulted in any unforeseen impact.
(iv) Significant changes in the nature, likelihood and impact of principal risks, alongside Skydda’s ability to respond to changes in its business and the external environment. This should include how the integration of risk management and internal controls has been incorporated into the business strategy.
(v) The extent, frequency and quality of the communication of the results of management’s monitoring to the board which enables it to build up an aggregate assessment of the state of control in the company and the effectiveness with which risk is being managed or mitigated. This in turn determines the effectiveness of the company’s external reporting processes.
Explain the need for adequate information flows to management for the purposes of managing internal controls at Skydda.
Information flows
Internal control and risk management are fundamental aspects of good corporate governance, which in effect means that the board is responsible for the identification and management of all risks facing the company. For the Skydda board to manage risks and review the overall effectiveness of the company’s internal control systems, it will need adequate information flows from all areas of the business.
Such information would then be used by internal audit if they are tasked to identify any control weaknesses or significant risks within the system. In this context, the control information needs to provide a complete and up to date picture of the dynamic risks facing the company, and how effective the internal controls are at addressing them. For Skydda, which operates in a highly regulated environment, any changes to the protocols governing clinical trials for new drugs could have a significant impact on the time required to take a newly developed product to market.
Directors require access to information from wide and varied sources to supervise and manage the internal control systems in Skydda. The sources will come from both formal periodic reporting and ad hoc communications from stakeholders who wish to raise concerns. It is important that the information can be integrated and reconciled to provide management with a complete and accurate picture of the situation, as failure to do so could further exacerbate any control deficiency and increase the risks faced by the company. This might include analyses of major competitors to determine if they are progressing their research at a faster rate than Skydda, since if they get an influenza cure to market first it would diminish the value of any research undertaken at a high cost to the company.
Internal control systems provide the core operational information necessary to manage day to day activities in Skydda. This information will be predominantly internally sourced, detailed and prepared very frequently so that any required corrective action can be effected without delay. Operational control information will be used by organisational functions to report on a regular basis to senior management and the board about the effectiveness of all business activities. In Skydda this could include research programme managers submitting reports on product developments, including: costs against budget; progress against predetermined milestones; and notable achievements.
The assembly of accurate internal control information will be required to compile reports to shareholders and other external stakeholders. If the board is to retain the confidence and support of its shareholders it must be able to prove to them that their investments are safeguarded and likely to deliver an acceptable level of return. Internally generated financial information provides an objective basis for its shareholders to decide if they wish to retain, increase or dispose of their investment in Skydda, which is fundamental to the company’s ongoing success.