Game Analysis of Internal Control and Risk Management

Based on an examination of the links and differences between internal control and risk management as they are defined, this paper analyzes their relation using game theory. A complete information static game model is established and payoff functions for managers and investors are designed. The result shows that a decrease in business risk cannot be achieved by severe penalties; instead, the frequency of internal control risk monitoring must be taken into consideration, otherwise it will give rise to an enterprise risk monitoring paradox. Lowering the cost of internal control risk monitoring and improving the ability of risk prevention is an effective way for enterprises to reduce risk.


Introduction
In 1992, COSO (the Committee of Sponsoring Organizations) issued the report "Internal Control - Integrated Framework" (IC framework), which was supplemented in 1994. In order to achieve the effectiveness of internal control, the IC framework indicates that five components are needed: control environment, risk assessment, control activities, information and communication, and monitoring. Due to its scientificity and rationality, the IC framework has been adopted directly or indirectly by many countries. For the sake of identifying, assessing, and managing enterprise risk effectively, COSO published "Enterprise Risk Management - Integrated Framework" (ERM framework) in April 2004. The ERM framework notes that internal control is an integral part of enterprise risk management and states that the components of enterprise risk management include internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. Obviously, there are some links between internal control and risk management. Thus, what is internal control? What is risk management? How about the relationship between them? These are the first questions to be examined in this paper. From the view of institutional economics, as an institutional arrangement, internal control has its specific functions, including decrease of internal transaction cost in enterprises, supplement of incomplete contracts, and so forth. However, to reduce the management risk of enterprises is the nature and power of internal control development (Li & Li, 2009). As we all know, many extra-large financial frauds and management failure cases occurred after entering the new century, such as Enron and WorldCom in the United States, Kanebo and Seibu Railway in Japan, and Sanjiu and Yili in China. The failure of these cases can be summarized as follows: (1) loose internal controls in financial management; (2) non-normal rent-seeking behavior (i.e., diversified investments) that failed to be effectively checked; (3) serious liabilities caused by excessive over-investment. The main content of the paper is to analyze internal control and risk management with game theory. Based on the results of the game analysis, the last part of the paper presents implications for the implementation of internal control monitoring.

Concepts of Internal Control and Risk Management
IC framework defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives, including effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations" (COSO, 1992). The IC framework points out that in order to achieve the effectiveness of internal controls, the following five interrelated components are needed: control environment, risk assessment, control activities, information and communication, and monitoring (COSO, 1992). Since the release of the COSO report, IC framework has been adopted by many countries in the world. Based on IC framework, some theorists and practitioners recommended that the establishment of internal control framework should be combined with enterprise risk management. ERM framework explores IC framework, inherits and contains main contents of IC framework. ERM framework provides a benchmark for enterprises to consider in evaluating and improving their enterprise risk management processes. It defines enterprise risk management as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives" (COSO, 2004). It also expands components of the IC framework from 5 to 8. Thus the components of enterprise risk management include internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. It fully reflects the integration of internal control and risk management.
In China, "Guidelines on Overall Risk Management of Central Enterprises" (SASAC, 2006), issued by State-owned Assets Supervision and Administration Commission in June 2006, is a milestone of Chinese enterprise risk management. It explicitly requests that central enterprises should attach great importance to and carry out overall risk management. Overall risk management is defined as a process and methods of an enterprise to provide reasonable assurance regarding the achievement of the enterprise's objectives, by implementing basic procedures of risk management in all aspects of the management and process, creating healthy culture of risk management, establishing and perfecting risk management systems, including risk management strategy, risk financing measurement, organizing function system of risk management, information system of risk management and internal control system (SASAC, 2006). Thus, internal control is well integrated in risk management. However, the latest concept of internal control in China is the definition of the MOF (Ministry of Finance) and the relevant regulatory agencies. In order to strengthen and standardize internal controls, improve business management and risk prevention capacity, and promote sustainable development of enterprises, in July 2006, the MOF, together with relevant government authorities, formed an Enterprise Internal Control Standard Committee in accordance with the instructions of State Council. It began to develop a standard for enterprise internal control with uniformity, legibility and scientificity. Consequently, "Basic Standard for Enterprise Internal Control" (Basic Standard) (MOF et al., 2008) was announced in June 2008 jointly by the MOF, China Securities Regulatory Commission (CSRC), National Audit Office (NAO), China Banking Regulatory Commission (CBRC) and China Insurance Regulatory Commission (AIRC). In April 2010, "Application Guidelines for Enterprise Internal Control", "Guidelines for Assessment of Enterprise Internal Control" and "Guidelines for Audit of Enterprise Internal Control", collectively the "Implementation Guidelines for Enterprise Internal Control" (Implementation Guidelines), as the detailed guidelines for implementing the Basic Standard were further issued by said relevant government regulatory agencies. Basic Standard and Implementation Guidelines provide such a system of internal control standard for the construction and evaluation of the enterprise internal control that is guided by the Basic Standard and supplemented by Implementation Guidelines, which is an important milestone for the norms of internal control. They require that a listed company or an unlisted large and medium-sized company should establish, conduct an effective self-assessment of its internal control and report on that on an annual basis, and engage an accounting firm to audit the effectiveness of its internal control over financial reporting and report on that. It is effective for: (1) companies listed, both domestically and abroad, from January 1, 2011; (2) companies listed on the main board of the Shanghai Stock Exchange and Shenzhen Stock Exchange from January 1, 2012; and (3) companies listed on the Small and Medium Enterprise Board and ChiNext Board in due course. Early adoption is encouraged for unlisted large and medium-sized companies. The formulation of the Basic Standard and Implementation Guidelines focuses on issues of internal control standards and system, comprehensive risk management and integration of internal control and risk management. Internal control in the Basic Standard is defined as a process, effected by an enterprise's board of directors, board of supervisors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives (MOF, 2008). The objectives of enterprise internal control are to provide reasonable assurance of: (1) compliance with relevant laws and regulations; (2) safeguarding of assets; (3) authenticity and integrality of financial reporting and related information; (4) effectiveness and efficiency of operations; and (5) achievement of development strategy [Article 3]. Five components of internal control include internal environment, risk management, control activities, information and communication and internal monitoring (MOF, 2008). It also shows that COSO frameworks play an important role in establishing internal control system for China. It induces five components in the IC framework of the COSO report and reflects the nature of eight primary elements in ERM framework.
We believe that companies should not just aim at observing Basic Standard and Implementation Guidelines to carry out the construction and evaluation of internal control work. Basic Standard does not require companies to tear down the existing management system and reconstruct it, but to sort out and identify key risks, improve the corresponding control mechanism, and find and correct internal management problems under the guidance of the Basic Standard and its Implementation Guidelines so that companies can take this opportunity to raise awareness of a comprehensive internal control and risk management.

Links between Internal Control and Risk Management
Firstly, internal control is a necessary part of risk management and internal control is driven by the awareness and management of business risk (COSO, 2004). As can be seen from the definition, internal control provides reasonable assurance to achieve the objectives of the organizations. The achievement of effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations can be reasonably guaranteed through establishing and implementing a sound internal control system. Compliance with relevant laws and regulations, authenticity and integrality of financial reporting and effectiveness and efficiency of operations are also the fundamental states that enterprise risk management pursues. Secondly, risk management involves internal control. Besides three objectives and five components in the IC framework, ERM framework develops one objective (i.e., strategy) and three components (i.e., objective setting, event identification and risk response).

Differences of Internal Control and Risk Management
Firstly, they have different scopes. Internal control is only a function of management and achieves its objectives mainly through post and process controls. Risk management goes through all aspects of the management process, which include not only beforehand control but also afterwards control. What's more important is that full consideration is given to the existence of risk when setting goals in advance. Moreover, risk management has more objectives to be achieved than internal control. Secondly, their activities are inconsistent. It is not necessary for internal control to do all the risk management activities. The current risk management includes objective and strategy setting of risk management, method choices of the risk assessment, staff hiring, budget and administrative management, reporting procedures and so on (Hao & Lu, 2006). However, internal control is responsible for important activities which occur during the process of risk management, such as risk assessment and implementation of control activities, information and communication, supervision and review, correction of defects, etc. The significant difference between them is that internal control does not take charge of setting business objectives specifically, but assesses the establishment process on the objectives, especially risks existing in setting objectives and strategic planning. Thirdly, risk is defined differently in IC framework and ERM framework. ERM framework defines risk as the possibility of the incident that has negative impact on business objectives while it defines the incident that has positive impact as opportunity. Thus risk and opportunity are distinguished. However, there is no distinction between risk and opportunity in IC framework. Finally, they deal with risk with different measures. ERM framework introduces some concepts and methods including risk preference, risk tolerance, risk countermeasures, stress testing, scenario analysis, etc. (Zhang & Zhu, 2004). Therefore, based on the risk measurement, ERM framework is conducive to the consistency of development strategy and risk preference, the capital allocation associated with growth, risk and return, and use of risk information to support decision-making processes, all of which will finally help the board and senior management to achieve the four objectives of risk management. These contents are not involved in the IC framework.
We believe that internal control and risk management should be organically integrated. Both of them are dynamic processes, changing and adjusting constantly to adapt to organizational environment changes. Only if they are integrated, the best effects can be achieved. From the perspective of institutional economics, internal control, as an internal institutional arrangement, has specific functions on reducing internal transaction costs, supplementing incomplete contracts of companies. On the core problem of internal control, we argue that reducing business risks is the essential nature and the ultimate motivation to promote and develop internal control.

Game Analysis of Internal Control Based on Risk Management
An enterprise is an organic combination with a set of (incomplete) contracts, which is a way of property rights transaction (Wang et al., 2003). Due to the complexity of the real world and limited rationality and opportunism of economic man, this set of contracts is usually incomplete. Therefore, there is a big risk when property rights are transacted. Internal control based on risk management is a risk control mechanism constructed within the enterprise, in order to obtain low transaction costs and high trading profit, as well as making up for the incompleteness of contracts.

Basic Idea of the Game
Although Prisoner's Dilemma is a very simple game, it reflects the fundamental characteristics of a game very well. Prisoner's Dilemma is also a very effective basic model and paradigm for explaining many economic phenomena (Xie, 2001). In order to analyze the existence of incentive paradox, this paper will establish a complete information static game model to discuss how managers make decisions on rent-seeking. The basic idea of the game is that there are two sides in the game. One is the managers relatively close to the enterprise (mainly the board of directors and managers); the other is investors who are far from the enterprise (mainly shareholders and creditors). Both sides are rational, that is to say they take benefits and costs into account when making decisions to maximize their earnings (Quan, 2003). A static game is a game in which both players choose their strategies simultaneously, that is, when decisions are made, neither player knows what the other player's choice is. Complete information means that each player has a full understanding of strategy space and revenue functions etc. Otherwise it is incomplete information (Zheng, 2009). Despite the possibility of uncertainty, the punishment for the management is quite clear. Both management and investors are familiar with each other's revenue functions. From the sequence of moves, investors and managers take actions almost at the same time, thus we can define the model as a static game model with complete information.

Game Model I
Assumption 1: the managers' strategy (rent-seeking, not rent-seeking). Rent-seeking refers to the fact that managers capture additional rents when internal control mechanisms cannot work; not rent-seeking refers to the fact that managers take normal interest-seeking actions when internal control mechanisms work well. Note that the definition of rent-seeking in this paper is different from the traditional rent-seeking definition. According to Kruger, the originator of rent-seeking theory, rent-seeking is wealth transfer activities carried out by people under the protection of government (Liu, 2008). In addition, the difference between rent-seeking in this assumption and normal investment should be noted. Normal investment is carried out under normal cash flow conditions, and will not impede the normal business, which can bring additional income for enterprises. Rent-seeking is that managers seek their own wealth by using corporate capital in disregard of the owner's interests.
Assumption 2: The investors' strategy (risk supervision on internal control, no risk supervision on internal control). Risk supervision on internal control is that investors put manpower and material resources into internal control and make internal control mechanisms work. No risk supervision on internal control is that the internal control mechanisms can't work when the investors do the same thing.
Assumption 3: I is the general economic interests of the enterprise; A is the manager's economic interests obtained by the normal operation; B is the cost of using the internal control mechanism (assuming rent-seeking will be controlled as long as the internal control mechanism works); C is the loss that investors bear when they don't implement the internal control mechanism (that is, punishment due to not implementing the internal control mechanism); D is the managers' rent-seeking interest for their own; E is the punishment that managers bear because of their rent-seeking under the implementation of the internal control mechanism (assuming that rent-seeking will be found as long as the investors implement the monitoring mechanism). The payoff matrix of the game is as follows:

Table 1. Payoff matrix of managers and investors

                                         | Rent-seeking   | Not rent-seeking
Risk supervision on internal control     | I-A-B+E, A+D-E | I-A-B, A
No risk supervision on internal control  | I-A-C, A+D     | I-A, A
It is necessary to define the Nash equilibrium formally before analysis of the game model, because the Nash equilibrium plays an important role in our analysis. Suppose that G refers to a game, S refers to all strategies of each player that can be chosen, and U refers to the payoff of the players; the definition of Nash equilibrium is as follows: In the game G={S1,…, Sn; U1,…, Un}, let Si be a strategy profile of player i and S-i be a strategy profile of all players except for player i. When each player i chooses strategy Si resulting in strategy profile (S1, ..., Sn) and player i 's strategy i s are, the best response strategy for the rest of the game player's profile, i.e. for any ) constitutes a Nash equilibrium. Nash equilibrium strategy can be divided into pure strategy and mixed strategy. A pure strategy is that only one action is chosen in each decision node. When players are bound by a finite set of pure strategies, there does not exist a Nash equilibrium in many simultaneous games.
Apparently, in our game, there is no pure strategy Nash equilibrium. Only a mixed strategy Nash equilibrium exists, because investors and managers will change their decisions in their strategy space in the game. That is, their strategies meet a certain probability distribution. Suppose P is the managers' rent-seeking probability under the situation that risk supervision on internal control cannot work well; r is the probability that investors carry out risk supervision on internal control. The expected payoff when investors carry out risk supervision on internal control (r=1) and when investors do not carry out risk supervision on internal control (r=0) are respectively as follows:

When E (r = 1) = E (r = 0), P = B/(E+C)
The results show that when the managers' rent-seeking probability under the situation that risk supervision on internal control cannot work well P is equal to B/(E+C) (i.e., P=B/(E+C)), the expected payoff when investors carry out risk supervision on internal control and the expected payoff when investors do not carry out risk supervision on internal control are the same. When the managers' rent-seeking probability under the situation that risk supervision on internal control cannot work well P is smaller than B/(E+C) (i.e., P<B/(E+C)), the expected payoff when investors carry out risk supervision on internal control is smaller than the expected payoff when investors do not carry out risk supervision on internal control (EP+I-A-B < I-A-CP). Therefore, the optimal choice of investors is not to input economic resources to carry out risk supervision on internal control. When the managers' rent-seeking probability under the situation that risk supervision on internal control cannot work well P is larger than B/(E+C) (i.e., P>B/(E+C)), the expected payoff when investors carry out risk supervision on internal control is larger than the expected payoff when investors do not carry out risk supervision on internal control (EP+I-A-B > I-A-CP). Therefore, the optimal choice of investors is to input economic resources to carry out risk supervision on internal control. Suppose r is the probability that risk supervision on internal control works well resulting from investors choosing to input cost element B; the expected payoff when managers choose to take normal interest-seeking actions under the situation that risk supervision on internal control works well (P=1) and the expected payoff when managers choose to take rent-seeking actions under the situation that risk supervision on internal control does not work well (P=0) are respectively as follows: The results show that when the probability that risk supervision on internal control works well resulting from investors choosing to input costs r is equal to D/E (P=B/E), the expected payoff when managers choose to take normal interest-seeking actions and the expected payoff when managers choose to take rent-seeking actions are the same. When the probability that risk supervision on internal control works well r is smaller than D/E (r<D/E), the expected payoff when managers choose to take rent-seeking actions is larger than the expected payoff when managers choose to take normal interest-seeking actions (A+D-Er>A). Therefore, the optimal choice of managers is rent-seeking. When the probability that risk supervision on internal control works well r is larger than D/E (r>D/E), the expected payoff when managers choose to take rent-seeking actions is smaller than the expected payoff when managers choose to take normal interest-seeking actions. Therefore, the optimal choice of managers is normal interest-seeking.
In summary, given the basic assumptions of each player, the probability that investors choose to input factors to carry out risk supervision on internal control is D/E, and the probability that managers choose rent-seeking is B/E. Clearly, the penalty for managers' rent-seeking by risk supervision on internal control E (in other words, a reward for investors because they find managers' rent-seeking actions) and the probability of managers choosing rent-seeking are inversely proportional: the bigger the punishment, the less likely managers are to choose rent-seeking. Moreover, the penalty for managers' rent-seeking by risk supervision on internal control E and the probability that investors make the choice to implement internal risk control are inversely proportional; that is, the bigger the punishment, the less the cost investors input for internal risk control.
In addition, from the analysis of payoff matrix, we can get the result that as long as C<E-B, investors do not supervise risks of internal control. Therefore, only when punishment is increased or input cost is reduced, i.e., C>E-B, the risk supervision on risk control mechanism can be strengthened.
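The indifference conditions of Game Model I can be checked numerically by solving them directly from the Table 1 payoffs, which gives P = B/(E+C) for the managers and r = D/E for the investors. The Python code below is an added example, not part of the original paper; the function names and the numeric parameter values are constructed for illustration.

```python
from fractions import Fraction

SUPERVISE, NO_SUPERVISE = 0, 1    # investor (row player) moves
RENT_SEEK, NO_RENT_SEEK = 0, 1    # manager (column player) moves


def payoff_matrices(I, A, B, C, D, E):
    """Return (investor, manager) payoff matrices laid out as in Table 1."""
    I, A, B, C, D, E = (Fraction(x) for x in (I, A, B, C, D, E))
    investor = [[I - A - B + E, I - A - B],
                [I - A - C, I - A]]
    manager = [[A + D - E, A],
               [A + D, A]]
    return investor, manager


def pure_equilibria(investor, manager):
    """List the cells where neither player gains by deviating alone."""
    found = []
    for row in (SUPERVISE, NO_SUPERVISE):
        for col in (RENT_SEEK, NO_RENT_SEEK):
            row_ok = investor[row][col] >= investor[1 - row][col]
            col_ok = manager[row][col] >= manager[row][1 - col]
            if row_ok and col_ok:
                found.append((row, col))
    return found


def mixed_equilibrium(investor, manager):
    """Solve the two indifference conditions of a 2x2 game.

    Returns (r, P): r is the probability that investors supervise and
    P the probability that managers seek rent. Returns None when no
    fully mixed equilibrium exists (a probability falls outside (0, 1)).
    """
    den_p = investor[0][0] - investor[0][1] - investor[1][0] + investor[1][1]
    den_r = manager[0][0] - manager[0][1] - manager[1][0] + manager[1][1]
    if den_p == 0 or den_r == 0:
        return None
    # P makes the investor indifferent between the two rows.
    P = (investor[1][1] - investor[0][1]) / den_p
    # r makes the manager indifferent between the two columns.
    r = (manager[1][1] - manager[1][0]) / den_r
    if not (0 < P < 1 and 0 < r < 1):
        return None
    return r, P


def investor_expected(investor, row, P):
    """Investor's expected payoff for a row when managers seek rent with probability P."""
    return P * investor[row][RENT_SEEK] + (1 - P) * investor[row][NO_RENT_SEEK]


def manager_expected(manager, col, r):
    """Manager's expected payoff for a column when investors supervise with probability r."""
    return r * manager[SUPERVISE][col] + (1 - r) * manager[NO_SUPERVISE][col]


def solve(I, A, B, C, D, E):
    """Convenience wrapper: mixed equilibrium (r, P) for the Table 1 game."""
    return mixed_equilibrium(*payoff_matrices(I, A, B, C, D, E))


if __name__ == "__main__":
    # Constructed sample values: I=100, A=20, B=2, C=3, D=4, with E=10 and E=20.
    for penalty in (10, 20):
        r, P = solve(100, 20, 2, 3, 4, penalty)
        print(f"E={penalty}: supervision probability r={r}, rent-seeking probability P={P}")
```

With the sample values, doubling E from 10 to 20 moves r from 2/5 to 1/5 and P from 2/13 to 2/23.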

Incentive Paradox Based on the Model
According to general understanding, whether managers choose rent-seeking is directly related to the penalty level, and whether investors choose risk supervision on internal control is related to the monitoring cost. The results in our paper and intuitive knowledge are quite different, which might be the reason that generates the incentive paradox. We will continue to analyze this.
In practice, some enterprises try to punish managers to curb rent-seeking. In theory, this seems to be an effective method, because the punishment will lead investors to implement risk monitoring of internal control, and then the rent-seeking will be curbed. However, it is not the case. Currently, the policies made by enterprises emphasize increasing punishment for managers with rent-seeking. Rent-seeking has been curbed in the short term. In the long run, on the other hand, the tendency of managers to take rent-seeking actions is intensified (Zhang, 2004). These are specific results of the incentive paradox that exists in the implementation of risk monitoring. The calculation results can explain this incentive paradox phenomenon to some extent. In the long run, investors try their best to minimize the rent-seeking probability and make it close to 0 under the balanced state. The results show that there are only two ways for investors to reduce the rent-seeking probability P: one is reducing monitoring costs B and the other is increasing punishment E. However, the reality is that monitoring costs cannot be minimized unlimitedly, and neither can punishment be increased unlimitedly.
Besides, under the circumstances that the probability that investors supervise and implement internal risk controls doesn't change, increasing penalty E can reduce managers' expected payoff, reducing the probability of rent-seeking in the short term. However, the probability that investors supervise and implement internal risk controls (r) can be adjusted in the long run. The investors will lower the probability of implementing internal risk control (r) because of the low rent-seeking probability (P). Then, the probability of rent-seeking (P) will increase because of the decreased probability of risk supervision on internal control (r). Eventually, the probability of rent-seeking remains unchanged.

Game Model II
In model I, we assume that investors are able to find rent-seeking activities through the implementation of risk supervision on internal control. In practice, this assumption is not necessarily true. Therefore, based on model I, this assumption will be revised to "the probability that investors are able to find rent-seeking activities is b when they implement risk supervision on internal control." The difference of payoff functions between Model II and model I is the possible situation that investors implement risk supervision on internal control but fail to find rent-seeking. In that situation, investors must pay the monitoring cost B and bear the damage C resulting from rent-seeking. The remaining assumptions are the same as model I. Payoff matrix of the Model II is as follows: We still solve the mixed strategy Nash equilibrium, the probability can be calculated with this particular case that rent-seeking is curbed. The expected payoff when investors carry out risk supervision on internal control (r=1) and when investors do not carry out risk supervision on internal control (r=0) are respectively as follows: clues and signs after broadening the scope of investors. Meanwhile, enterprises should strengthen related training to help the employees identify and report rent-seeking behavior. These initiatives will help to reduce risk monitoring costs and increase detected probability of rent-seeking.

Learning Advanced Concepts to Enhance the Capacity of Risk Prevention
Evidence from model analysis shows that probability of rent-seeking and frequency of internal control risk monitoring can be reduced by enhancing investors' ability of finding rent-seeking. Therefore, investors should pay more attention to training and strengthen the capacity of finding rent-seeking continuously. Since risk is always hidden in nature, enterprises cannot be so sure whether they can find it or not. However, risk is always related to misconduct and illegal activities, and evolves from those activities. Therefore, the emphasis on examining the results of violations should be shifted to an emphasis on examining violation behavior. It will increase the detected probability (since violations are relatively easier to find), and prevent the risk in time when the first sign appears.

Reducing the Implementation Costs of Internal Control Risk Monitoring to Protect the Interests of Investors
Model testing results show that a decrease in the risk monitoring cost of internal control implementation can help to reduce the rent-seeking probability effectively. Complicated rent-seeking behaviors and difficult monitoring cause high regulatory cost. Since the supervision resources for investors are limited, the high supervision cost results in a low level of monitoring frequency, inducing rent-seeking behaviors. Consequently, it is very important for enterprises to make as many efforts as possible to reduce supervision costs, such as the full implementation of internal control which is based on risk management evaluation mechanism, new internal control system involving risk management, and comprehensive auditing re-supervision. The former two are addressed as follows.

Using Modern Internal Control Evaluation Method Based on Risk Management
Under the circumstance of great changes in the economic and social environment, enterprises have been facing increasingly greater uncertainty, which indicates that the focus of corporate management has changed to risk prevention mode from traditional and high-level standardized one. A new internal control evaluation model, an internal control evaluation model based on risk control, emerged as time required. The roles of the model are to monitor enterprise operations continuously, and to evaluate risk management and internal control regularly so that the operating performance can be improved (Yang, 2009). Compared to traditional quantitative evaluation methods, the important virtues of such an internal control evaluation model include concentrating resources and attention, emphasizing the keys and weaknesses, determining audit priorities, and focusing on the high-risk areas to provide more relevant and reliable information for management and the board to ensure the interests of the investors and reduce supervision costs.

Constructing New Internal Control Mechanism that Reflects Risk Management
ERM framework deliberately increases three components associated with risk, and concerns on risk will be raised to an unprecedented level. It suggests that various kinds of risks have become the focuses of internal control, such as management risk, financial risk, and credit risk. Construction of a new internal control mechanism which is reasonable and reflects the risk management can reduce input costs when enterprises implement the internal control risk monitoring mechanism. It will control the risk within the acceptable range effectively.

Table 2. Payoff matrix of managers and investors