
Assessing Financial Statement Risks and Internal Controls
A Suggested Approach for Companies

Overview
This presentation describes:
• Financial statement risks
• Reasons for identifying risks
• Examples and sources of risks
• Internal control components, control objectives,
and key controls
• An approach for—
– Identifying financial statement risks
– Assessing whether controls are adequate to mitigate
the risks
Reasons for This Presentation

• To assist you in fulfilling your
responsibilities for financial reporting
• To assist our firm in meeting professional
requirements when performing your audit
• To help minimize your audit fees
What are Financial Statement
Risks?
• Risks that affect the achievement of
financial reporting objectives
• Conditions or indications that something
could go wrong in the financial statements
• May relate to error or fraud
• May be pervasive to the financial
statements or related to specific
transactions, accounts, or disclosures
Why Identify and Understand
Risks?
• Risk assessment is a key component of internal
control
• Identifies what could go wrong in the financial
statements
• Allows an evaluation of the likelihood and
magnitude of potential misstatements
• Provides a foundation for assessing whether
controls are properly designed and implemented
Considering Financial Statement
Assertions

• Existence or occurrence
• Completeness
• Rights or obligations
• Valuation or allocation
• Accuracy or classification
• Cutoff
Examples of Risks
| Risk Indicator | Financial Statement Risk |
|---|---|
| Inventory is highly liquid | Overstatement of inventory due to theft (Existence) |
| Inventory cost accounting method is highly complex and subjective | Overstatement or understatement of inventory due to improper cost accounting (Valuation and Accuracy) |
| Key customers are concentrated in an industry facing economic downturn | Understatement of the allowance for doubtful accounts (Valuation) |
| The company is facing a number of lawsuits by customers | Failure to disclose contingent liabilities (Completeness) |
Possible Sources of Risk
• Structure, ownership, governance, and related
parties
• Industry, regulatory, and other external factors
• The nature of the company, for example:
– Revenue sources
– Types of products, services, and markets
– Nature of assets, liabilities, expenses, investments,
and financing
– Accounting policies
– Uses of the financial statements
– IT systems
Possible Sources of Risk
(Continued)

• Objectives and strategies
• Key performance measures
• Going concern issues
• Potential fraud
– Incentives/pressures
– Opportunities
– Attitudes/rationalizations
Internal Control
• Process employed by the company to provide
reasonable assurance of achieving financial
reporting objectives
• Consists of five interrelated components
• To be effective, all components should be in
place
• Applies to all companies—both small and large
• Helps prevent, or detect and correct,
misstatements resulting from risks
Five Components of Internal
Control
• Control Environment
• Risk Assessment
• Information and Communication
• Monitoring
• Control Activities
Control Objectives and Key Controls

• A control objective states the purpose of a
control
• Controls are effectively designed if they
achieve the objective
• Key controls are those that are most
important in achieving the objective
Control Environment Objectives
• Those charged with governance are actively involved and have
influence over financial reporting
• Management demonstrates character, integrity, and ethical values
• Management’s philosophy and operating style are consistent with a
sound control environment
• The organizational structure is appropriate to support effective
financial reporting
• Human resource policies and procedures promote integrity, ethical
behavior, and competence
• Authority and responsibility are appropriately assigned
• The company is committed to competence
Control Environment Examples
| Objective | Control Example |
|---|---|
| Participation of those charged with governance | Those charged with governance provide input and oversight of the entity’s financial statements, including the application of GAAP and use of accounting judgments |
| Communicating integrity and ethical values | A code of conduct or ethics policy exists |
| Management’s philosophy and operating style | Management exemplifies attitudes and actions in line with its mission, vision, and values to support an effective control environment |
| Organizational structure | The entity defines key areas of authority and responsibility, including management’s responsibility for business activities, and how they affect the business as a whole. |
Control Environment Examples
(Continued)

| Objective | Control Example |
|---|---|
| Human resource policies and procedures | Employee recruitment and retention practices for key financial positions are guided by principles of integrity and by the necessary competencies associated with the positions |
| Assignment of authority and responsibility | Job descriptions, reference manuals, or other forms of communication inform personnel of their duties |
| Commitment to competence | The entity establishes competencies (knowledge, skills, abilities, and credentials) prior to hiring of key positions |
Risk Assessment Objectives
Financial reporting objectives:
• Financial reporting objectives are established,
documented, and communicated
• Accounting principles are properly applied
Management of financial reporting risks:
• Practices are established for identifying risks
• When assessing risks, the entire organization
and extended relationships are considered
• Mechanisms are implemented to anticipate,
identify, and react to changes
• Risks are properly evaluated and mitigated
Risk Assessment Objectives
(Continued)

Consideration of fraud risks:
• An appropriate fraud risk assessment and monitoring
process exists
Risk Assessment Examples
| Objective | Control Example |
|---|---|
| Financial reporting objectives | • Financial reporting objectives align with the requirements of GAAP (or an OCBOA) |
| Management of financial reporting risks | • Mechanisms are in place to identify risks potentially affecting achievement of the entity’s financial reporting objectives • Periodic reviews are performed to, among other things, anticipate and identify routine events or activities that may affect the entity’s ability to achieve its objectives • Risks related to the ability of an employee to initiate and process unauthorized transactions are appropriately identified |
| Consideration of fraud risks | • The assessment of fraud risks considers incentives and pressures to commit fraud, opportunities to carry it out, and attitudes and rationalizations to justify it |
Information and Communication
Objectives
Information:
• Information is identified, captured, and used at all levels
of the entity
• Information needed to facilitate the functioning of
internal control is identified, captured, used, and
distributed in a form and timeframe that enables
personnel to carry out their internal control
responsibilities
Information and Communication
Objectives
(Continued)
Communication:
• Communication exists between management and those
charged with governance to enable role fulfillment
• All personnel receive a clear message that internal
control responsibilities are to be taken seriously
• There is effective upstream communication
Information Examples
| Objective | Control Example |
|---|---|
| Identification and use of information at all levels | Operating information is used as the basis for financial reporting and relevant operating information is used as the basis for accounting estimates |
| Identification and use of information in accordance with the entity’s control processes | Accounting procedures are formal enough to determine whether the control objective is met, documentation supporting the procedures is in place, and personnel routinely know the procedures that need to be performed |
Communication Examples
| Objective | Control Example |
|---|---|
| Effective communication between management and governance | The effectiveness of those charged with governance is supported by timely communications with management |
| Communication of control responsibilities | Employees receive adequate information to complete their job responsibilities |
| Effective upstream communication | All reported potential improprieties are reviewed, investigated, and resolved in a timely manner |
Monitoring Objective

Management monitors controls over
financial reporting through:
• Ongoing monitoring
• Independent evaluations
• Remediation of identified deficiencies
Monitoring Examples
• Ongoing monitoring includes identification of
what constitutes a deviation from prescribed
controls and requires investigation of potential
control problems
• Deficiencies are reported to (1) the appropriate
person for corrective action and (2) if applicable,
at least one level of management above that
person
Control Activities

• Can be either automated or manual
• Directed toward transaction processing
• Can be associated with one or more assertions
• Include:
– Performance reviews
– Information processing controls
– Physical controls
– Segregation of duties
– Asset accountability
Control Activities Objectives—
Processing Cash Receipts
• Cash receipts information is valid and processed only
once (E/O, R/O)
• Cash receipts are appropriately safeguarded (E/O)
• Cash received is posted in the proper period (CO)
• Cash receipts information is recorded in the correct
account (A/CL)
• Recorded cash receipt amounts are correct (A/CL)
• All cash receipts are recorded (C)
• Foreign currency cash received is correctly valued (V)
Control Activities Examples—
Processing Cash Receipts
• Lockbox receipts are compared to customer
remittances (E/O, C, V, R/O, A/CL, CO)
• Cash receipts are reconciled to general ledger
postings daily (E/O, V, R/O, C/O)
• Bank reconciliations are prepared and reviewed
in a timely manner (E/O, C, V, R/O, A/CL, CO)
Putting It All Together:
A Process for Identifying Risks and
Assessing Controls
• Consider the aspects of the company that are sources of
risk
• Gather information that indicates potential risks
• Accumulate and synthesize the information to identify
risks
• Identify key controls that address the risks by focusing
on control objectives
• Assess whether controls are properly designed and
implemented to achieve the objectives
• Identify gaps and prioritize deficiencies for improvement
A Practical Approach to
Reviewing Internal Control
• Supporting tools to help you assess entity-
level controls:
– Complete (or update) a narrative describing
your entity-level controls using
“Understanding the Design and
Implementation of Internal Control”
– Supplement the documentation by
completing the related “Entity-level Control
Form”
A Practical Approach to
Reviewing Internal Control
(Continued)
• Supporting tools to help you assess
activity-level controls:
– Complete (or update) a narrative describing
your activity-level controls using “Financial
Reporting System Documentation
Form―Financial Close and
Reporting/Significant Transaction Classes”
– Supplement the documentation by completing
the related “Control Activities Form”
A Practical Approach to
Reviewing Internal Control
(continued)
Evaluate controls to determine if:
• Key controls are present to achieve control
objectives and address relevant financial
statement risks
• Controls are properly designed to prevent, or
detect and correct, misstatements
• Controls are in place to address all identified
risks
A Practical Approach to
Reviewing Internal Control
(continued)
If controls are “missing” or improperly
designed, determine:
• Whether other compensating controls address
the control objective
• The likelihood and magnitude of potential errors
• The pervasiveness of potential errors
• The priority for corrective action
Conclusion

• Risk assessment is a key component of internal
control
• Allows the company to evaluate whether
controls are adequate
• Establishes a framework for prioritizing the
correction of control deficiencies
• Assists in the audit process
Questions?
