
  • Number of slides: 35

Assessing Financial Statement Risks and Internal Controls: A Suggested Approach for Companies

Overview
This presentation describes:
• Financial statement risks
• Reasons for identifying risks
• Examples and sources of risks
• Internal control components, control objectives, and key controls
• An approach for:
  – Identifying financial statement risks
  – Assessing whether controls are adequate to mitigate the risks

Reasons for This Presentation
• To assist you in fulfilling your responsibilities for financial reporting
• To assist our firm in meeting professional requirements when performing your audit
• To help minimize your audit fees

What are Financial Statement Risks?
• Risks that affect the achievement of financial reporting objectives
• Conditions or indications that something could go wrong in the financial statements
• May relate to error or fraud
• May be pervasive to the financial statements or related to specific transactions, accounts, or disclosures

Why Identify and Understand Risks?
• Risk assessment is a key component of internal control
• Identifies what could go wrong in the financial statements
• Allows an evaluation of the likelihood and magnitude of potential misstatements
• Provides a foundation for assessing whether controls are properly designed and implemented

Considering Financial Statement Assertions
• Existence or occurrence
• Completeness
• Rights or obligations
• Valuation or allocation
• Accuracy or classification
• Cutoff

Examples of Risks
• Risk indicator: Inventory is highly liquid
  – Financial statement risk: Overstatement of inventory due to theft (Existence)
• Risk indicator: Inventory cost accounting method is highly complex and subjective
  – Financial statement risk: Overstatement or understatement of inventory due to improper cost accounting (Valuation)
• Risk indicator: Key customers are concentrated in an industry facing economic downturn
  – Financial statement risk: Understatement of the allowance for doubtful accounts (Valuation)
• Risk indicator: The company is facing a number of lawsuits by customers
  – Financial statement risk: Failure to disclose contingent liabilities (Completeness)

Possible Sources of Risk
• Structure, ownership, governance, and related parties
• Industry, regulatory, and other external factors
• The nature of the company, for example:
  – Revenue sources
  – Types of products, services, and markets
  – Nature of assets, liabilities, expenses, investments, and financing
  – Significant or unusual transactions
  – Accounting policies
  – Uses of the financial statements
  – Information technology, including general controls

Possible Sources of Risk (Continued)
• Objectives and strategies
• Key performance measures
• Going concern issues
• Potential fraud
  – Incentives/pressures
  – Opportunities
  – Attitudes/rationalizations

Internal Control
• Process employed by the company to provide reasonable assurance of achieving financial reporting objectives
• Consists of five interrelated components
• To be effective, all components should be present and functioning and operating together
• Applies to all companies, both small and large
• Helps prevent, or detect and correct, misstatements resulting from risks

Five Components of Internal Control
• Control Environment
• Risk Assessment
• Information and Communication
• Monitoring
• Control Activities

Control Objectives, Principles, and Key Controls
• A control objective states the purpose of a control
• Principles represent the fundamental concepts associated with each component of internal control
• Controls are effectively designed if they achieve the objective/principle
• Key controls are those that are most important in achieving the objective

Control Environment Principles
• The entity demonstrates a commitment to integrity and ethical values
• The board of directors demonstrates independence from management in exercising oversight of the development and performance of internal control over financial reporting
• With board oversight, management establishes structures, reporting lines, and appropriate authorities and responsibilities to achieve financial reporting objectives
• The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with financial reporting objectives
• The entity holds individuals accountable for their internal control responsibilities

Control Environment Examples
• Principle: The entity demonstrates a commitment to integrity and ethical values
  – Control example: A process exists by which those charged with governance are made aware of key developments that may affect financial reporting
• Principle: The board of directors demonstrates independence from management in exercising oversight of the development and performance of internal control over financial reporting
  – Control example: The board of directors is sufficiently independent of management so that necessary questions are raised
• Principle: With board oversight, management establishes structures, reporting lines, and appropriate authorities and responsibilities to achieve financial reporting objectives
  – Control example: Management periodically evaluates the entity’s organizational structure and makes necessary changes based on changes in the business and/or industry

Control Environment Examples (Continued)
• Principle: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with financial reporting
  – Control example: Employee recruitment and retention practices for key financial positions are guided by principles of integrity and by the necessary competencies associated with the positions
• Principle: The entity holds individuals accountable for their internal control responsibilities
  – Control example: Employees are empowered to correct problems or implement improvements in their assigned processes

Risk Assessment Principles
• The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to financial reporting objectives
• The entity identifies risks to achieving its objectives and analyzes risks to determine how the risks should be managed
• The entity considers the potential for fraud in assessing risks to the achievement of financial reporting objectives
• The entity identifies and assesses changes that could significantly impact the system of internal control

Risk Assessment Examples
• Principle: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to financial reporting objectives
  – Control example: Management identifies risks related to laws or regulations that may affect financial reporting
• Principle: The entity identifies risks to achieving its objectives and analyzes risks to determine how the risks should be managed
  – Control example: Periodic reviews are performed to, among other things, anticipate and identify routine events or activities that may affect the entity’s ability to achieve its objectives
• Principle: The entity considers the potential for fraud in assessing risks to the achievement of financial reporting objectives
  – Control example: The entity’s assessment of fraud risk considers incentives and pressures, attitudes and rationalizations, as well as the opportunity to commit fraud
• Principle: The entity identifies and assesses changes that could significantly impact the system of internal control
  – Control example: Management communicates the risk assessment and changes in the business environment to all appropriate employees

Information and Communication Principles
Information:
• The entity obtains or generates and uses relevant, quality information to support the functioning of internal control over financial reporting

Information and Communication Principles (Continued)
Communication:
• The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control over financial reporting
• The entity communicates with external parties regarding matters affecting the functioning of internal control

Information Examples
• Principle: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control over financial reporting
  – Control example: Relevant operating information is used to develop accounting and financial information and whether it serves as a basis for reliable financial reporting, including the basis for accounting estimates

Communication Examples
• Principle: The entity internally communicates information, including objectives and responsibilities for internal control, to support the functioning of internal control over financial reporting
  – Control example: Management has developed communication approaches that specify individual responsibilities in dealing with inappropriate behavior
• Principle: The entity communicates with external parties regarding matters affecting the functioning of internal control
  – Control example: There is a process for tracking communications from customers, vendors, regulators, and other external parties

Monitoring Principles
• The entity selects, develops, and performs ongoing and/or separate evaluations to determine whether the components of internal control are present and functioning
• The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate

Monitoring Examples
• Principle: The entity selects, develops, and performs ongoing and/or separate evaluations to determine whether the components of internal control are present and functioning
  – Control example: Management’s ongoing monitoring serves as a primary indicator of both control design and operating effectiveness and of risk conditions
• Principle: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and board of directors, as appropriate
  – Control example: Findings of an internal control deficiency are reported to (1) the appropriate person who is in the position to take corrective actions and, if applicable, (2) at least one level of management above that person

Control Activities Principles
• The entity selects and develops activities that contribute to the mitigation of risks to the achievement of financial reporting objectives to acceptable levels.
• The entity selects and develops general control activities over technology to support the achievement of financial reporting objectives.
• The entity deploys control activities through policies and procedures that put policies into action.

Control Activities Examples
• Principle: The entity selects and develops activities that contribute to the mitigation of risks to the achievement of financial reporting objectives to acceptable levels
  – Control example: The company’s control activities include periodic inventory observations and reconciliations to the general ledger
• Principle: The entity selects and develops general control activities over technology to support the achievement of financial reporting objectives
  – Control example: The IT general controls include periodic backups of databases and operating systems, including periodically testing for recoverability
• Principle: The entity deploys control activities through policies and procedures that put policies into action.
  – Control example: The company has defined policies and procedures regarding confidentiality of databases included in the system security.

Types of Control Activities
• Performance reviews
• Information processing controls
• Physical controls
• Segregation of duties
• Accountability

Control Activities Objectives: Processing Cash Receipts
• Cash receipts information is valid and processed only once (E/O, R/O)
• Cash receipts are appropriately safeguarded (E/O)
• Cash received is posted in the proper period (CO)
• Cash receipts information is recorded in the correct account (A/CL)
• Recorded cash receipt amounts are correct (A/CL)
• All cash receipts are recorded (C)
• Foreign currency cash received is correctly valued (V)

Control Activities Examples: Processing Cash Receipts
• Lockbox receipts are compared to customer remittances (E/O, C, R/O, A/CL, CO)
• Cash receipts are reconciled to general ledger postings daily (E/O, V, R/O, CO)
• Bank reconciliations are prepared and reviewed in a timely manner (E/O, C, V, R/O, A/CL, CO)

Putting It All Together: A Process for Identifying Risks and Assessing Controls
• Consider the aspects of the company that are sources of risk
• Gather information that indicates potential risks
• Accumulate and synthesize the information to identify risks
• Identify key controls that address the risks by focusing on control objectives
• Assess whether controls are properly designed and implemented to achieve the objectives
• Identify gaps and prioritize deficiencies for improvement

A Practical Approach to Reviewing Internal Control
• Supporting tools to help you assess entity-level controls:
  – Complete (or update) a narrative describing your entity-level controls using “Understanding the Design and Implementation of Internal Control”
  – Supplement the documentation by completing the related “Entity-level Control Form”

A Practical Approach to Reviewing Internal Control (Continued)
• Supporting tools to help you assess activity-level controls:
  – Complete (or update) a narrative describing your activity-level controls using “Financial Reporting System Documentation Form―Financial Close and Reporting, Significant Transaction Classes”
  – Supplement the documentation by completing the related “Control Activities Form”

A Practical Approach to Reviewing Internal Control (Continued)
Evaluate controls to determine if:
• Key controls are present to achieve control objectives/principles and address relevant financial statement risks
• Controls are properly designed to prevent, or detect and correct, misstatements
• Controls are in place to address all identified risks

A Practical Approach to Reviewing Internal Control (Continued)
If controls are “missing” or improperly designed, determine:
• Whether another control could mitigate the deficiency
• The likelihood and magnitude of potential errors
• The pervasiveness of potential errors
• The priority for corrective action

Conclusion
Risk Assessment:
• A key component of internal control
• Allows the company to evaluate whether controls are adequate
• Establishes a framework for prioritizing the correction of control deficiencies
• Assists in the audit process

Questions?