Updated Mar 07, 2026

Management Accounting & GRC Practice Lab

"A cash flow forecast is not a prediction. It is a controlled experiment — you test what happens to the business under conditions you design, and the quality of the experiment depends entirely on the quality of the conditions you choose."

In Lessons 5 and 6, you mapped management accounting and GRC advisory across the Gen-AI and Agentic AI spectrum. In Chapter 18, you learned the IDFA methodology for building intent-driven financial models with Named Ranges. Now you will apply those foundations to four complete professional deliverables that span the management accountant's most critical output and the compliance advisor's most operationally valuable tool.

This lab contains four exercises across two domains. Exercises 18-19 cover management accounting — the 13-week cash flow forecast and the monthly board pack. Exercises 20-21 cover governance, risk and compliance — the enterprise risk register and the regulatory compliance calendar. Choose one or two exercises to complete fully. Review all four to understand how AI agents transform both the operational and advisory dimensions of CA/CPA practice.

Lab Format

Choose 1-2 exercises to complete fully. Each exercise is self-contained with its own time estimate and deliverables. Review all four for professional context even if you only complete one or two.

Requirements for all exercises: Cowork (Team or Enterprise) with finance@knowledge-work-plugins installed. Exercise 19 also requires Claude in PowerPoint.

Companion files: These exercises use hypothetical data provided inline. For a Pakistan regulatory obligations reference, see the companion repository: compliance-calendar/.


Management Accounting Exercises

Exercise 18: Rolling 13-Week Cash Flow Forecast (50 min)

What you'll build: A fully automated 13-week rolling cash flow model with receipts waterfall, disbursements schedule, revolving credit facility logic, stress testing, and weekly automated updates.

Requirements: Cowork with finance@knowledge-work-plugins installed and Claude in Excel. Familiarity with IDFA Named Range conventions from Chapter 18.

Company context: A manufacturing company. Monthly invoicing: PKR 45M. Revolving credit facility: PKR 50M limit, PKR 22M current drawdown. Minimum operating cash requirement: PKR 2M.

Steps

  1. Design the cash flow categories. Before building the model, ask Cowork to design cash flow categories using the direct method: (a) Receipts — all categories of cash in, including customer receipts by payment term bucket (current, 30 days, 60 days overdue); (b) Disbursements — all categories of cash out in standard weekly order; (c) Financing — bank facility drawdowns and repayments. For each category, specify the driver that determines the weekly amount.

  2. Build the model structure in Excel. Ask Cowork to create the model at /outputs/13-week-cashflow.xlsx using IDFA conventions from Chapter 18. Use Named Ranges for all inputs. Structure: Row 1 = Week labels (W1 to W13 with dates); Column A = Cash flow categories; Named Range inputs for customer payment terms, supplier payment terms, payroll frequency, VAT payment month, and bank facility parameters.

  3. Build the receipts forecast. Model weekly customer receipts using a receipts waterfall. Payment profile: 30% received in the month of invoice, 50% one month later, 15% two months later, 5% bad debt. Build a waterfall that tracks invoice cohorts week by week. Use Named Ranges for all percentage assumptions.

  4. Build the disbursements forecast. Model weekly disbursements: (a) Suppliers — PKR 28M per month, 60% paid in 30 days, 40% in 45 days; (b) Payroll — PKR 8M on the last working day of each month; (c) Utilities — PKR 0.8M first week of each month; (d) Bank interest — PKR 1.2M on the 15th; (e) VAT — net payable from two months prior, paid on the 15th.

  5. Build the revolving credit facility model. Model the facility: each week, calculate closing cash before facility movements. If closing cash is negative, draw on the facility to restore cash to PKR 2M minimum. If closing cash exceeds PKR 5M, repay facility. Cap drawdown at PKR 50M. Flag any week where the limit would be breached.

  6. Stress test. Run two stress scenarios: (a) Collections slow — the 30% current-month collection rate drops to 15% for weeks 1-4; (b) Revenue drop — invoicing falls 25% in weeks 3-7. For each scenario, document the minimum weekly closing cash balance, maximum facility drawdown, and whether the facility limit is breached.

    Designing the right stress scenarios is the most important professional contribution in this exercise. The agent can run any scenario through the model. Choosing scenarios that test what actually threatens the business requires knowing the company's specific risks — customer concentration, supplier dependencies, seasonal patterns. An agent cannot design these without your instruction.

  7. Set up the weekly update scheduled task. Write a /schedule task: every Monday at 7:30 AM, advance the week counter, update actual receipts from /inputs/bank-statement.csv, recalculate the full forecast, flag weeks where facility drawdown exceeds 80% of the limit or closing cash falls below PKR 2M, and save the updated model.
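
The facility rules from step 5 and the flags from step 7, sketched in Python as an added example (not part of the lab's materials or the Cowork plugin). The opening cash and weekly net cash flows are constructed sample data, and repaying only the excess above PKR 5M is an assumption, since the step does not say how much to repay.

```python
from dataclasses import dataclass, field

# Exercise parameters in PKR millions (Named Ranges in the workbook).
FACILITY_LIMIT = 50.0
OPENING_DRAWDOWN = 22.0
MIN_CASH = 2.0
REPAY_ABOVE = 5.0
WARN_UTILISATION = 0.80

@dataclass
class WeekResult:
    week: int
    closing_cash: float
    draw: float
    repay: float
    drawdown: float
    flags: list = field(default_factory=list)

def run_facility(opening_cash, net_flows, drawdown=OPENING_DRAWDOWN):
    """Apply the weekly draw/repay rules; net_flows = receipts - disbursements."""
    cash, results = opening_cash, []
    for week, flow in enumerate(net_flows, start=1):
        pre = cash + flow              # closing cash before facility movements
        draw = repay = 0.0
        flags = []
        if pre < 0:
            wanted = MIN_CASH - pre    # amount needed to restore the minimum
            headroom = FACILITY_LIMIT - drawdown
            draw = min(wanted, headroom)
            if wanted > headroom:
                flags.append("LIMIT_BREACH")
        elif pre > REPAY_ABOVE and drawdown > 0:
            # Assumption: repay only the excess above PKR 5M, never more than is drawn.
            repay = min(pre - REPAY_ABOVE, drawdown)
        cash = pre + draw - repay
        drawdown += draw - repay
        if drawdown > WARN_UTILISATION * FACILITY_LIMIT:
            flags.append("UTILISATION_OVER_80PCT")
        if cash < MIN_CASH:
            flags.append("BELOW_MIN_CASH")
        results.append(WeekResult(week, cash, draw, repay, drawdown, flags))
    return results

def summarise(results):
    """The three figures step 6 asks you to document, plus the flagged weeks."""
    return {
        "min_closing_cash": min(r.closing_cash for r in results),
        "max_drawdown": max(r.drawdown for r in results),
        "limit_breached": any("LIMIT_BREACH" in r.flags for r in results),
        "flagged_weeks": [r.week for r in results if r.flags],
    }

# Constructed sample data (PKR millions), not figures from the exercise.
OPENING_CASH = 3.0
BASE_FLOWS = [-2.0, 4.0, -6.0, 3.0, -1.5, 5.0, -8.0, 2.0, 1.0, 6.0, -7.0, 3.5, 4.0]
# Same 13 weeks with a constructed collections shortfall in weeks 1-4.
STRESS_FLOWS = [-9.0, -8.0, -12.0, -6.0] + BASE_FLOWS[4:]

if __name__ == "__main__":
    for label, flows in (("base", BASE_FLOWS), ("stress", STRESS_FLOWS)):
        print(label, summarise(run_facility(OPENING_CASH, flows)))
```

In the base run, week 1 closes at PKR 1.0M with no draw, because the draw rule fires only on negative cash while the step 7 flag uses the PKR 2M minimum.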

Check your work:

  • The receipts waterfall correctly tracks invoice cohorts through payment term buckets
  • Named Ranges are used for all input assumptions (not hardcoded numbers)
  • The facility model automatically draws and repays within the defined parameters
  • Both stress scenarios produce documented results showing the impact on cash and facility usage
  • The scheduled task advances the rolling window and updates with actuals

Exercise 19: Full Board Pack Automation — Cross-App Cowork Workflow (55 min)

What you'll build: A complete monthly board pack — from raw financial data through Excel analysis to a polished, board-ready PowerPoint presentation — orchestrated as a single Cowork workflow.

Requirements: Cowork (Max, Team, or Enterprise) with finance@knowledge-work-plugins installed and Claude in PowerPoint. Management accounts for one period (from earlier exercises or your own data).

Steps

  1. Define the board pack structure. Ask Cowork to design a standard board pack for a manufacturing company. The board meets on the third Thursday of each month, and the pack must be distributed 48 hours before. For each section: what data source feeds it, and what is the one thing the board must understand from it.

  2. Run the management accounts. Using your month-end financial data:

    /income-statement monthly
    /variance-analysis monthly

    Confirm both outputs are saved in /outputs/.

  3. Build the financial summary in Excel. Ask Cowork to produce a five-sheet Excel financial summary at /outputs/board-financial-summary.xlsx: (1) P&L — actual vs budget vs prior year with variance columns; (2) Key ratios — gross margin, EBITDA margin, interest coverage, current ratio; (3) Revenue bridge — waterfall from prior year to current period; (4) EBITDA bridge — waterfall from budget to actual; (5) Cash summary.

  4. Generate the management commentary. Ask Cowork to draft management commentary from the CFO's perspective. Structure: (1) Headline — one sentence on overall performance; (2) Revenue — two to three sentences on revenue with the key driver; (3) EBITDA — two to three sentences on margin; (4) Cash — one sentence on position; (5) Outlook — one sentence on current quarter trajectory. Write in active voice, connected prose — no bullet points.

    Management commentary is not a summary of the numbers. It is the CFO's interpretation of what the numbers mean for the business. The agent can produce technically accurate summaries. Your professional value is in the interpretation — connecting numbers to strategy, explaining why a variance matters or does not, and framing the outlook in business terms the board can act on.

  5. Cross-app: build the PowerPoint board pack. Ask Cowork to create the presentation at /outputs/board-pack-[month].pptx. Slides: (1) Cover; (2) Executive summary; (3) P&L with traffic light indicators (Green within 5% of budget, Amber 5-15% unfavourable, Red >15% unfavourable); (4) Revenue bridge waterfall; (5) EBITDA bridge waterfall; (6) Key ratios dashboard; (7) Cash flow summary; (8) Management commentary; (9) Outlook and next steps.

  6. Quality review. Ask Cowork to review the presentation for: (a) internal consistency — do numbers tie across all slides and back to the Excel source? (b) visual clarity — charts labelled with units and period? (c) narrative coherence — does commentary align with financial data? Resolve every inconsistency before finalising.

  7. Set up the scheduled board pack task. Write a /schedule task: on the 10th of each month at 6:00 AM, run management accounts, build the Excel summary, generate the PowerPoint, flag Red-zone metrics for urgent CFO review, and save both files.

Check your work:

  • The Excel financial summary contains all five sheets with correct calculations
  • The management commentary reads as CFO interpretation, not data summary
  • The PowerPoint presentation has all nine slides with consistent numbers
  • The quality review identified and resolved any inconsistencies
  • The scheduled task automates the full monthly cycle

Global Perspective

IFRS: Management commentary follows IFRS Practice Statement 1 (Management Commentary) — a non-mandatory framework providing guidance on narrative reporting. US GAAP / SEC: MD&A (Management Discussion and Analysis) is a mandatory component of SEC filings — more prescriptive than IFRS guidance. UK FRS: The Strategic Report (Companies Act 2006, Section 414A-D) requires directors to provide a fair review of the company's business and a description of principal risks — the UK equivalent of management commentary.


Governance, Risk and Compliance Exercises

Exercise 20: Enterprise Risk Register — Build and Scheduled Maintenance (45 min)

What you'll build: A complete enterprise risk register for a hypothetical entity — from risk identification through scoring, heat map visualisation, and scheduled quarterly maintenance.

Requirements: Cowork with finance@knowledge-work-plugins installed.

Entity context: A Pakistan mid-market pharmaceutical distributor. Regulated by DRAP (Drug Regulatory Authority of Pakistan). Three business lines: branded prescription medicines, generic over-the-counter products, and medical devices. 200 employees, PKR 800M revenue.

Steps

  1. Risk identification by category. Ask Cowork to identify enterprise risks using the COSO Enterprise Risk Management framework across five categories: (1) Strategic risks, (2) Operational risks, (3) Financial risks, (4) Compliance/regulatory risks, (5) Reputational risks. For each category, identify the four most significant risks specific to this entity and sector. For each risk: name it, describe how it could materialise, and identify the stakeholder most affected.

  2. Risk assessment. For each of the 20 risks, assess: (a) Inherent likelihood (1-5: rare to almost certain); (b) Inherent impact (1-5: negligible to catastrophic); (c) Inherent risk score (likelihood times impact); (d) The primary control currently mitigating this risk; (e) Residual risk score after applying controls.

  3. Build the risk register in Excel. Ask Cowork to create the register at /outputs/risk-register.xlsx with columns: Risk ID, Category, Description, Owner (role), Inherent Likelihood, Inherent Impact, Inherent Score, Primary Control, Control Effectiveness, Residual Likelihood, Residual Impact, Residual Score, Risk Response, Action Required, Due Date, Status. Populate all 20 risks.

  4. Build the heat map. Create a risk heat map on a separate sheet. Plot all 20 risks on a 5x5 grid (x-axis = impact, y-axis = likelihood). Colour code: red = score 16-25, amber = 8-15, yellow = 4-7, green = 1-3. Produce both inherent and residual heat maps side by side to show how controls reduce risk.

  5. Identify the top 5 risks. For each of the five highest residual-score risks: (a) Is the current control effective? (b) What additional mitigation would reduce the residual score? (c) What is the early warning indicator — what would the company start to see before this risk materialises?

    Early warning indicators are the highest-value professional contribution. The agent can list generic indicators. You must identify signals specific to this entity — what would a pharmaceutical distributor's finance team actually see in their data before a supply chain disruption, a regulatory action, or a credit event? This requires knowing the business.

  6. Write the quarterly update scheduled task. Write and activate: /schedule — on the first Monday of each quarter, review the risk register, check status updates from /inputs/risk-updates.xlsx, update the register, identify risks where the residual score has increased, and produce a risk management update report highlighting changes and emerging risks.

  7. Board risk report. Produce a one-page board risk report: top 5 risks by residual score with heat map excerpt; three risks where residual score increased this quarter; one emerging risk not yet on the register; and the Risk Manager's overall assessment — Improving, Stable, or Deteriorating — with one-sentence justification.

Check your work:

  • All 20 risks are specific to the pharmaceutical distribution sector (not generic business risks)
  • Inherent and residual scores differ meaningfully — controls are reducing risk
  • The heat maps visually show the impact of controls
  • Early warning indicators are entity-specific, not generic
  • The board risk report provides an overall assessment with clear justification

Global Perspective

COSO: The Committee of Sponsoring Organizations framework is the most widely adopted enterprise risk management standard globally. ISO 31000: An alternative risk management framework used in many jurisdictions — compatible with COSO but structured differently. UK Corporate Governance Code: Requires boards to carry out a robust assessment of emerging and principal risks — the UK equivalent of the enterprise risk assessment in this exercise. King IV (South Africa): Provides governance guidance widely adopted across African jurisdictions, with specific risk governance requirements.


Exercise 21: Regulatory Compliance Calendar — Automated Weekly Monitoring (40 min)

What you'll build: The most operationally valuable GRC tool in CA/CPA practice — a compliance calendar that monitors every regulatory obligation, tracks preparation status, and alerts when action is needed, automatically every week.

Requirements: Cowork with finance@knowledge-work-plugins installed and scheduled tasks activated.

Entity type: Pakistan listed public company with obligations to: SECP (Securities and Exchange Commission of Pakistan), PSX (Pakistan Stock Exchange), FBR (Federal Board of Revenue), SBP (State Bank of Pakistan for foreign exchange compliance), and EOBI (Employees' Old-Age Benefits Institution).

Steps

  1. Build the obligation inventory. Ask Cowork to produce a complete regulatory obligation inventory for a Pakistan listed public company. For each regulator (SECP, PSX, FBR, SBP, EOBI), list every periodic filing obligation: the filing name, frequency, deadline, penalty for late filing, and the key information required for preparation.

  2. Build the compliance calendar in Excel. Ask Cowork to create the calendar at /outputs/compliance-calendar.xlsx with: (1) Master obligation sheet — all obligations with regulator, deadline formula, days-until-due formula, RAG status (Green = >21 days, Amber = 8-21 days, Red = 0-7 days, Overdue = past due); (2) Monthly view — calendar showing all due dates colour-coded by regulator; (3) Current week view — obligations due in the next 14 days with preparation checklist.

  3. Build preparation checklists. For the five highest-volume obligations (monthly tax withholding return, quarterly SECP return, annual accounts filing, PSX announcement schedule, EOBI monthly contribution), produce a preparation checklist — the specific information items and documents required, the responsible person, and the lead time needed. Save each as a separate sheet.

  4. Write the weekly monitoring scheduled task. Write and activate: /schedule — every Monday at 7:00 AM, update days-until-due calculations, identify obligations moving from Green to Amber (21 days or fewer), identify Red obligations (7 days or fewer), check whether Red obligations are marked In Progress or Complete, send priority alerts for any Red obligation not yet started (including obligation name, due date, regulator, penalty, and unchecked preparation items), and produce a weekly status report.

  5. Test the exception path. Manually change one obligation's status to show it is in the Red zone and not yet started. Run the scheduled task manually. Confirm the priority alert fires with correct information.

  6. Build the penalty matrix. Create a penalty matrix sheet showing: for each obligation, the penalty structure (fixed fine, daily fine, percentage of tax, or combination), the cumulative penalty at 7 days late, 30 days late, and 90 days late, and any criminal liability provisions. Highlight obligations where the penalty exceeds PKR 500,000 or where criminal liability attaches.

    The penalty matrix converts deadline tracking into risk-stratified compliance management. When the calendar shows five obligations due in the same week, the penalty matrix tells you which ones carry catastrophic consequences and which carry minor fines. This prioritisation is a professional judgment that transforms compliance from a clerical function into a risk management discipline.

  7. Produce the quarterly compliance report. Produce a quarterly report for the Audit Committee: (1) all obligations that fell due — filed on time, late, or missed; (2) any penalties incurred; (3) obligations due next quarter with risk rating; (4) any new regulatory requirements effective in the next 12 months.
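
The RAG formula from step 2 and the Monday alert rule from steps 4 and 5, as an added Python example (not the lab's or the plugin's own code). Due dates, checklist items and the penalty text are constructed placeholders rather than statutory values, and escalating Overdue items that are not Complete is an assumption beyond the page's Red rule.

```python
from datetime import date

def rag_status(due, today):
    """Days-until-due and RAG band, using the thresholds from step 2."""
    days = (due - today).days
    if days < 0:
        return days, "Overdue"
    if days <= 7:
        return days, "Red"
    if days <= 21:
        return days, "Amber"
    return days, "Green"

def weekly_monitor(obligations, today, previous):
    """One Monday run: returns (statuses, moved_to_amber, priority_alerts)."""
    statuses, moved, alerts = {}, [], []
    for ob in obligations:
        days, rag = rag_status(ob["due"], today)
        statuses[ob["name"]] = rag
        if rag == "Amber" and previous.get(ob["name"]) == "Green":
            moved.append(ob["name"])
        # Page rule: alert on Red obligations not yet started.
        # Assumption: Overdue obligations that are not Complete are escalated too.
        red_idle = rag == "Red" and ob["progress"] == "Not Started"
        overdue_open = rag == "Overdue" and ob["progress"] != "Complete"
        if red_idle or overdue_open:
            alerts.append({
                "obligation": ob["name"],
                "regulator": ob["regulator"],
                "due": ob["due"].isoformat(),
                "days": days,
                "penalty": ob["penalty"],
                "unchecked": [item for item, done in ob["checklist"].items() if not done],
            })
    alerts.sort(key=lambda a: a["days"])   # most urgent first
    return statuses, moved, alerts

# Constructed sample data: dates are illustrative, not statutory deadlines.
TODAY = date(2026, 3, 9)   # a Monday
PENALTY = "PLACEHOLDER: see penalty matrix"

def _ob(name, regulator, due, progress, checklist):
    return {"name": name, "regulator": regulator, "due": due,
            "progress": progress, "penalty": PENALTY, "checklist": checklist}

OBLIGATIONS = [
    _ob("Monthly withholding tax return", "FBR", date(2026, 3, 13), "Not Started",
        {"Withholding schedule": True, "Payment challan": False}),
    _ob("EOBI monthly contribution", "EOBI", date(2026, 3, 15), "In Progress",
        {"Payroll extract": True}),
    _ob("Quarterly SECP return", "SECP", date(2026, 3, 30), "Not Started",
        {"Shareholding summary": False}),
    _ob("Annual accounts filing", "SECP", date(2026, 4, 30), "Not Started",
        {"Audited accounts": False}),
    _ob("PSX announcement", "PSX", date(2026, 3, 6), "In Progress",
        {"Board approval": True, "Announcement text": False}),
]
# Statuses recorded by the previous weekly run (constructed).
PREVIOUS = {ob["name"]: "Green" for ob in OBLIGATIONS}

if __name__ == "__main__":
    statuses, moved, alerts = weekly_monitor(OBLIGATIONS, TODAY, PREVIOUS)
    print(statuses, moved, alerts, sep="\n")
```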

Check your work:

  • The obligation inventory covers all five Pakistan regulators comprehensively
  • The RAG status formula correctly calculates days-until-due and assigns colours
  • The weekly monitoring task fires alerts for Red obligations not yet started
  • The penalty matrix identifies the highest-consequence obligations
  • The quarterly report provides the Audit Committee with a complete compliance picture

Global Perspective

Pakistan: SECP, PSX, FBR, SBP, and EOBI are the primary regulators for listed companies. Filing deadlines and penalty structures are specific to Pakistan law. US: Equivalent regulators include the SEC (securities), IRS (tax), DOL (employment benefits). SOX Section 302/906 certifications add CEO/CFO personal liability. UK: FCA (financial conduct), HMRC (tax), Companies House (filings). The Senior Managers and Certification Regime (SM&CR) adds personal accountability. The pattern transfers directly: every jurisdiction has equivalent regulators with equivalent obligations. Build the calendar structure once, populate it with your jurisdiction's specific requirements.


Try With AI

Use these prompts in Cowork or your preferred AI assistant to explore management accounting and GRC concepts beyond the exercises above.

Prompt 1: Stress Scenario Design

I am the management accountant for a [YOUR INDUSTRY] company with
PKR [REVENUE] annual revenue. Our main cash flow risks are:
- [Risk 1 — e.g., customer concentration, seasonal demand]
- [Risk 2 — e.g., supplier payment terms, raw material prices]
- [Risk 3 — e.g., regulatory costs, currency exposure]

Design three stress scenarios for a 13-week cash flow forecast.
For each scenario:
1. What specific assumption changes (quantify the impact)
2. Why this scenario is realistic for my industry
3. What early warning signs would suggest this scenario is
materialising
4. What management action could mitigate the impact

Then explain which scenario I should test first and why.

What you are learning: Stress scenario design is the professional skill that separates a mechanical forecaster from a business partner. By forcing yourself to articulate your company's specific risks and translate them into quantified assumptions, you develop the judgment to design scenarios that test what actually matters — not generic worst cases that nobody takes seriously.

Prompt 2: Board Pack Quality Review

I have produced a monthly board pack for my company. The key
financial metrics are:

- Revenue: PKR 42M actual vs PKR 45M budget (7% unfavourable)
- Gross margin: 38% actual vs 41% budget
- EBITDA: PKR 8.2M actual vs PKR 10.5M budget (22% unfavourable)
- Cash position: PKR 15M (down from PKR 22M last month)

Draft the management commentary section for this board pack.
Write from the CFO's perspective in connected prose (no bullet
points). Then review your own commentary and identify:
1. Where you summarised numbers vs interpreted them
2. One question the board will ask based on this data
3. How you would answer that question

The board is particularly concerned about margin erosion.

What you are learning: Writing management commentary forces you to shift from describing what happened to explaining why it matters. The agent can produce technically accurate summaries, but CFO-quality commentary requires connecting financial results to business drivers, competitive context, and strategic implications. By reviewing the commentary for interpretation vs summary, you train the judgment that separates adequate board packs from excellent ones.

Prompt 3: Compliance Risk Prioritisation

A Pakistan listed company has missed the following filing deadlines
in the last quarter:

1. Monthly withholding tax return (FBR) — 3 days late
2. Quarterly financial results announcement (PSX) — filed on time
but with an error requiring resubmission
3. Annual return (SECP) — 15 days late
4. EOBI monthly contribution — 7 days late

For each:
1. What is the likely penalty (quantify if possible)
2. What is the reputational impact (Low / Medium / High)
3. Does any criminal liability attach to officers
4. What remedial action should the company secretary take

Then rank these four items by overall risk severity and explain
your ranking. Which one should the Audit Committee hear about
first, and why?

What you are learning: Compliance risk prioritisation requires weighing financial penalties, reputational damage, and personal liability for officers. By ranking actual compliance failures by overall severity rather than chronological order, you develop the judgment to present compliance status to the Audit Committee in a way that focuses their attention on what matters most — not what happened most recently.
