Assessing Financial Statement Risks and Internal Controls A Suggested Approach for Companies.
Assessing Financial Statement Risks and Internal Controls
A Suggested Approach for Companies
Overview
This presentation describes:
• Financial statement risks
• Reasons for identifying risks
• Examples and sources of risks
• Internal control components, control objectives, and key controls
• An approach for:
– Identifying financial statement risks
– Assessing whether controls are adequate to mitigate the risks
Reasons for This Presentation
• To assist you in fulfilling your responsibilities for financial reporting
• To assist our firm in meeting professional requirements when performing your audit
• To help minimize your audit fees
What are Financial Statement Risks?
• Risks that affect the achievement of financial reporting objectives
• Conditions or indications that something could go wrong in the financial statements
• May relate to error or fraud
• May be pervasive to the financial statements or related to specific transactions, accounts, or disclosures
Why Identify and Understand Risks?
• Risk assessment is a key component of internal control
• Identifies what could go wrong in the financial statements
• Allows an evaluation of the likelihood and magnitude of potential misstatements
• Provides a foundation for assessing whether controls are properly designed and implemented
Considering Financial Statement Assertions
• Existence or occurrence
• Completeness
• Rights or obligations
• Valuation or allocation
• Accuracy or classification
• Cutoff
Examples of Risks
Risk Indicator | Financial Statement Risk
Inventory is highly liquid | Overstatement of inventory due to theft (Existence)
Inventory cost accounting method is highly complex and subjective | Overstatement or understatement of inventory due to improper cost accounting (Valuation and Accuracy)
Key customers are concentrated in an industry facing economic downturn | Understatement of the allowance for doubtful accounts (Valuation)
The company is facing a number of lawsuits by customers | Failure to disclose contingent liabilities (Completeness)
Possible Sources of Risk
• Structure, ownership, governance, and related parties
• Industry, regulatory, and other external factors
• The nature of the company, for example:
– Revenue sources
– Types of products, services, and markets
– Nature of assets, liabilities, expenses, investments, and financing
– Accounting policies
– Uses of the financial statements
– IT systems
Possible Sources of Risk (Continued)
• Objectives and strategies
• Key performance measures
• Going concern issues
• Potential fraud
– Incentives/pressures
– Opportunities
– Attitudes/rationalizations
Internal Control
• Process employed by the company to provide reasonable assurance of achieving financial reporting objectives
• Consists of five interrelated components
• To be effective, all components should be in place
• Applies to all companies, both small and large
• Helps prevent, or detect and correct, misstatements resulting from risks
Five Components of Internal Control
• Control Environment
• Risk Assessment
• Information and Communication
• Monitoring
• Control Activities
Control Objectives and Key Controls
• A control objective states the purpose of a control
• Controls are effectively designed if they achieve the objective
• Key controls are those that are most important in achieving the objective
Control Environment Objectives
• Those charged with governance are actively involved and have influence over financial reporting
• Management demonstrates character, integrity, and ethical values
• Management’s philosophy and operating style are consistent with a sound control environment
• The organizational structure is appropriate to support effective financial reporting
• Human resource policies and procedures promote integrity, ethical behavior, and competence
• Authority and responsibility are appropriately assigned
• The company is committed to competence
Control Environment Examples
Objective | Control Example
Participation of those charged with governance | Those charged with governance provide input and oversight of the entity’s financial statements, including the application of GAAP and use of accounting judgments
Communicating integrity and ethical values | A code of conduct or ethics policy exists
Management’s philosophy and operating style | Management exemplifies attitudes and actions in line with its mission, vision, and values to support an effective control environment
Organizational structure | The entity defines key areas of authority and responsibility, including management’s responsibility for business activities, and how they affect the business as a whole.
Control Environment Examples (Continued)
Objective | Control Example
Human resource policies and procedures | Employee recruitment and retention practices for key financial positions are guided by principles of integrity and by the necessary competencies associated with the positions
Assignment of authority and responsibility | Job descriptions, reference manuals, or other forms of communication inform personnel of their duties
Commitment to competence | The entity establishes competencies (knowledge, skills, abilities, and credentials) prior to hiring of key positions
Risk Assessment Objectives
Financial reporting objectives:
• Financial reporting objectives are established, documented, and communicated
• Accounting principles are properly applied
Management of financial reporting risks:
• Practices are established for identifying risks
• When assessing risks, the entire organization and extended relationships are considered
• Mechanisms are implemented to anticipate, identify, and react to changes
• Risks are properly evaluated and mitigated
Risk Assessment Objectives (Continued)
Consideration of fraud risks:
• An appropriate fraud risk assessment and monitoring process exists
Risk Assessment Examples
Objective | Control Example
Financial reporting objectives | • Financial reporting objectives align with the requirements of GAAP (or an OCBOA)
Management of financial reporting risks | • Mechanisms are in place to identify risks potentially affecting achievement of the entity’s financial reporting objectives
 | • Periodic reviews are performed to, among other things, anticipate and identify routine events or activities that may affect the entity’s ability to achieve its objectives
 | • Risks related to the ability of an employee to initiate and process unauthorized transactions are appropriately identified
Consideration of fraud risks | • The assessment of fraud risks considers incentives and pressures to commit fraud, opportunities to carry it out, and attitudes and rationalizations to justify it
Information and Communication Objectives
Information:
• Information is identified, captured, and used at all levels of the entity
• Information needed to facilitate the functioning of internal control is identified, captured, used, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities
Information and Communication Objectives (Continued)
Communication:
• Communication exists between management and those charged with governance to enable role fulfillment
• All personnel receive a clear message that internal control responsibilities are to be taken seriously
• There is effective upstream communication
Information Examples
Objective | Control Example
Identification and use of information at all levels | Operating information is used as the basis for financial reporting and relevant operating information is used as the basis for accounting estimates
Identification and use of information in accordance with the entity’s control processes | Accounting procedures are formal enough to determine whether the control objective is met, documentation supporting the procedures is in place, and personnel routinely know the procedures that need to be performed
Communication Examples
Objective | Control Example
Effective communication between management and governance | The effectiveness of those charged with governance is supported by timely communications with management
Communication of control responsibilities | Employees receive adequate information to complete their job responsibilities
Effective upstream communication | All reported potential improprieties are reviewed, investigated, and resolved in a timely manner
Monitoring Objective
Management monitors controls over financial reporting through:
• Ongoing monitoring
• Independent evaluations
• Remediation of identified deficiencies
Monitoring Examples
• Ongoing monitoring includes identification of what constitutes a deviation from prescribed controls and requires investigation of potential control problems
• Deficiencies are reported to (1) the appropriate person for corrective action and (2) if applicable, at least one level of management above that person
Control Activities
• Can be either automated or manual
• Directed toward transaction processing
• Can be associated with one or more assertions
• Include:
– Performance reviews
– Information processing controls
– Physical controls
– Segregation of duties
– Asset accountability
Control Activities Objectives: Processing Cash Receipts
• Cash receipts information is valid and processed only once (E/O, R/O)
• Cash receipts are appropriately safeguarded (E/O)
• Cash received is posted in the proper period (CO)
• Cash receipts information is recorded in the correct account (A/CL)
• Recorded cash receipt amounts are correct (A/CL)
• All cash receipts are recorded (C)
• Foreign currency cash received is correctly valued (V)
Control Activities Examples: Processing Cash Receipts
• Lockbox receipts are compared to customer remittances (E/O, C, V, R/O, A/CL, CO)
• Cash receipts are reconciled to general ledger postings daily (E/O, V, R/O, C/O)
• Bank reconciliations are prepared and reviewed in a timely manner (E/O, C, V, R/O, A/CL, CO)
Putting It All Together: A Process for Identifying Risks and Assessing Controls
• Consider the aspects of the company that are sources of risk
• Gather information that indicates potential risks
• Accumulate and synthesize the information to identify risks
• Identify key controls that address the risks by focusing on control objectives
• Assess whether controls are properly designed and implemented to achieve the objectives
• Identify gaps and prioritize deficiencies for improvement
A Practical Approach to Reviewing Internal Control
• Supporting tools to help you assess entity-level controls:
– Complete (or update) a narrative describing your entity-level controls using “Understanding the Design and Implementation of Internal Control”
– Supplement the documentation by completing the related “Entity-level Control Form”
A Practical Approach to Reviewing Internal Control (Continued)
• Supporting tools to help you assess activity-level controls:
– Complete (or update) a narrative describing your activity-level controls using “Financial Reporting System Documentation Form―Financial Close and Reporting/Significant Transaction Classes”
– Supplement the documentation by completing the related “Control Activities Form”
A Practical Approach to Reviewing Internal Control (Continued)
Evaluate controls to determine if:
• Key controls are present to achieve control objectives and address relevant financial statement risks
• Controls are properly designed to prevent, or detect and correct, misstatements
• Controls are in place to address all identified risks
A Practical Approach to Reviewing Internal Control (Continued)
If controls are “missing” or improperly designed, determine:
• Whether other compensating controls address the control objective
• The likelihood and magnitude of potential errors
• The pervasiveness of potential errors
• The priority for corrective action
Conclusion
• Risk assessment is a key component of internal control
• Allows the company to evaluate whether controls are adequate
• Establishes a framework for prioritizing the correction of control deficiencies
• Assists in the audit process
Questions?