Risk Assessment/COSO Framework Case Study: Instructions

Auditing
KPMG’s Risk Assessment/COSO Internal Control Framework Project
The Risk Assessment/COSO Framework Project provides students with valuable real-life experience
focusing on risk assessment, internal controls, and the impact of risks on financial statements.
The project also provides students with the opportunity to develop a working knowledge
of the PCAOB’s AS No. 5 and how to apply its concepts in a realistic setting.
Primary Learning Objectives
• Develop a working understanding of a company’s general business processes and how those
processes drive both the financial statement balances and the risks inherent to the company.
• Perform a financial statement analysis and risk assessment.
• Determine the impact of risk attributes on financial statements.
• Consider COSO entity-level and process-level controls (as defined by AS5).
• Determine the nature and impact of internal control (IC) deficiencies.
• Understand how certain ICs may compensate for or mitigate IC deficiencies.
• Present the risk assessment approach and findings to a company’s audit committee.
• Collaborate in a team environment.
Case Requirements
Documents required to complete the case study include:
1. Most recent 10K (representing one company from a specific Industry)
2. Financial Statement Analysis and Risk Assessment Worksheet.xls
3. Control Deficiencies.pdf
4. COSO Entity-Level and Process-Level Controls.xls
5. Framework Workpaper.doc
6. Deficiency Evaluation Framework.pdf
Additional suggested reading:
1. SEC’s Interpretive Guidance Regarding Management’s Report on Internal Control Over
Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934
(http://www.sec.gov/rules/interp/2007/33-8810.pdf)
2. PCAOB Auditing Standard No. 5 (AS5)
(http://www.pcaob.org/Rules/Rules_of_the_Board/Auditing_Standard_5.pdf)
3. Committee of Sponsoring Organizations (COSO) at http://www.coso.org/
Assignment
Part A – Interim Reporting
1. From the following list you will be assigned an Industry with which to work (See Industry
Assignment sheet):
• Airline
• Automotive Retail
• Healthcare
• International Manufacturing
• Manufacturing
• Mining
• Retail
• Software
• Wholesale Technology
2. Once you have your team’s Industry assignment, you will need to download a company’s most
recent 10K filing related to that specific Industry, which is generally accessible using links
provided on the Investors page of the Company’s website or via the SEC’s EDGAR database
(http://www.sec.gov/edgar.shtml). Due Date: 10:00 a.m. on Friday, March 27th. [Note:
Once one member of your team emails me the name of your selected Company, I will email you
the appropriate industry-specific .zip file with necessary documents. Please “cc” all team
members in the email.]
3. The first phase of this case involves using what you will learn by reading about the Company
for your specific Industry, (the more you study about your Company, the better you will be able
to address the specific questions of risk throughout the entire case), to perform a Financial
Statement Risk Assessment. Through this first phase you will assess risk that resides within the
Company at the Financial Statement line item level before considering the presence of any
internal control; this is referred to as Inherent Risk.
4. In the second phase you will build upon the Risk Assessment by considering the specific
attributes of risk you identify and how each would affect the Financial Statements, in
conjunction with various Entity-Level and Process-Level Controls; the risk remaining in the
Financial Statements after these considerations is the Residual Risk.
© 2008 KPMG LLP, a U.S. limited liability partnership and a member firm of the
KPMG network of independent member firms affiliated with KPMG International, a
Swiss cooperative. All rights reserved.
Finally, in phase three, you will complete the process by determining which internal control
deficiencies noted, if any, should be categorized as either Significant Deficiencies or Material
Weaknesses, in light of everything you have learned and agreed upon during phases one and two.
A. Using the documents provided and the steps listed below, populate the Financial Statement
Analysis and Risk Assessment Sheet.xls. Note you must complete all non-grayed cells to
earn the full point allotment.
1). Familiarize yourself with the Company’s 10K (specifically the Management Discussion
& Analysis (MD&A), the Financial Statements and the Notes to the Financial
Statements) and the Control Deficiencies.doc. Your team will need to develop a
working understanding of your Company’s general business processes and how those
processes drive both the Financial Statement balances and the risks inherent to the
Company.
2). Review each line item and determine the relevant assertions, as defined in AS5
(columns G-K). For those assertions that are highly applicable, rank High (H). For those
that are moderately applicable, rank Moderate (M). Those that are only tangentially
applicable should be ranked Low (L).
3). Using the knowledge you’ve gained from your team’s review of the 10K and the
Control Deficiencies.doc, analyze each Attribute Risk (Columns M-W) for Potential of
Misstatement, Risk of Control Failure and/or both as designated by tick mark “M” and
“C” across the top of the attribute columns. Assign a High, Moderate, or Low ranking
(H, M or L) as appropriate. In the “t/m” column next to each Attribute Risk, add a tick
mark which references to the reasoning behind your conclusion. Add a tick mark legend
(see textbook) on a separate tab that documents your conclusions. You have been
provided suggested Financial Statement Line Item accounts related to each control
deficiency to help guide your efforts and focus.
4). Using your completed Assertions Covered and Attribute Risk sections, analyze the
Financial Statement Assertions (columns Y-AH), again considering Potential for
Misstatement and Risk of Control Failure. Assign a High, Moderate, or Low ranking as
appropriate. Note that once complete, this is your Company’s Inherent Risk, on a
Financial Statement line item level.
B. Through review of the controls listed in the COSO Entity-Level and Process-Level
Controls.xls spreadsheet, determine which Entity-Level controls, if any, could mitigate the
Inherent Risk associated with each line item. These are the Entity-Level controls you would
select for testing. Document the Entity-Level control number in the Applicable Entity-Level
Controls column (column AJ). To receive the full point allotment your team must utilize at
least one Entity-Level control (“ELC”) from each of the COSO components listed (column
C of the COSO Entity-Level and Process-Level Controls.xls). Note that multiple Entity-Level
controls may apply to each line item and one Entity-Level control may apply to
several line items; however, a total of four ELCs must be selected for each line item and of
the four, at least two must be unique to that line item.
Part A - Interim Reporting Due Date Wednesday, April 15th
Once your team completes the Financial Statement Analysis and Risk Assessment Sheet.xls, your
team will now need to draft a Financial Statement Risk Assessment Memo. This will be a two-part
memo, no more than three pages long and in a memo format (using bullets, numbers) of your
team’s choosing. For all significant* Financial Statement line items evaluated:
1). Explain your Risk Assessment process, specifically describing your assessment of the Attribute
Risk, Inherent Risk and resulting Residual Risk.
2). Document the rationale behind your selection of the specific ELCs you deem to mitigate each
control.
*Those Financial Statement line items deemed “significant” will be deemed so by your team. The
expectation will be that all line items correlated to the direct operations and results of the
Company will be included in your memo. Other line items should be included at your discretion. Be
prepared to defend in the oral presentation why certain subsets of line items may not have been
deemed significant.
Deliverables (for your selected Company)**:
1). Financial Statements (Most recent)
2). Financial Statement Analysis and Risk Assessment Sheet.xls
3). Financial Statement Risk Assessment Memo
Make sure that each document is professional in appearance and contains all the team
members’ names.
**Submit
• Electronic version in Digital Drop Box no later than 9:00 a.m. on April 15th
• Hard Copy at beginning of class on April 15th
Part B – Final Reporting
1. Please see your professor to obtain the password that will unlock the results of your ELC
testing within the COSO Entity-Level and Process-Level Controls.xls spreadsheet, indicating
which of your selected ELCs passed testing and which failed. Using these results, you will then
assess the remaining risk relevant to the line item; this is called the Residual Risk. Reassess the
Financial Statement Assertions to determine the extent to which the Inherent Risk is mitigated
by the selected ELCs to assign the Residual Risk using the same High, Moderate and Low
rankings, as appropriate.
a. For line items requiring additional Process-Level control testing, review the COSO
Entity-Level and Process-Level Controls.xls spreadsheet and select applicable Process-Level
controls to test. Document the selected Process-Level controls in the Applicable
Process-Level Controls column (Column AR). Only line items with a Residual Risk of Moderate
or High will require additional Process-Level control testing.
b. Note: If no Process-Level controls appear applicable in the COSO Entity-Level and
Process-Level Controls.xls and testing is required, denote CTBD (Control to Be
Determined).
2. Now that you have completed the Risk Assessment portion of the process, and have become
familiar with your Company’s operations and the deficiencies noted during audit fieldwork,
you will move to the final phase of the process – determining whether a significant deficiency
or material weakness exists.
3. Return to the Control Deficiencies.pdf as your team will now need to walk each of the
Company’s control deficiencies through the Internal Control Deficiency Framework. Using the
included document Deficiency Evaluation Framework.pdf, follow the decision tree for each of
your Company’s five deficiencies to determine if they should be considered significant
deficiencies or material weaknesses.
a. Each step and decision in the framework should be carefully considered in light of the
Residual Risks and overall control environment, and must be thoroughly documented in
the Framework Workpaper.doc.
b. Directions for completing the deficiency evaluation can be found in the Framework
Workpaper.doc. Note that many of the decisions that you will be making as you work
through the framework will be conceptual, guided by the overall impact attributed to the
relevant Financial Statement line items in the team’s recently completed Financial
Statement Analysis and Risk Assessment Sheet.xls.
4. Prepare a brief presentation of your completed analysis and findings. Your team will play
the role of the company’s Internal Audit group, having just completed preparations for the
external auditor’s year-end visit, and will be presenting to your Company’s Audit Committee
(a.k.a., your professor and/or team of KPMG professionals).
5. Since the goal is not only to have management and the Audit Committee prepared for what the
external auditor may uncover, but also to provide ample opportunity for management to make
adjustments to its ICFR in advance of external audit’s visit, suggestions may be provided for
such improvements.
6. Each group will be allowed 15 minutes for their presentation, and must provide sufficient
summary of the key points driving their Risk Assessment, selection of ELCs and PLCs, and
conclusions surrounding classification of any significant deficiencies and material weaknesses.
It is up to your team to decide what key points of information should be presented to the Audit
Committee. Points will be deducted for exceeding the allotted time.
7. Each team member must speak during the presentation and demonstrate command of the
concepts of the case, the facts of the Company, and the logic used in the various components of
the Risk Assessment and deficiency evaluation.
8. Keep in mind that a question and answer session will follow the completion of your
presentation (the 15 minutes does not include the Q&A). Your team’s goal is to anticipate the
mock Audit Committee’s questions and be prepared to answer them to the best of your ability.
Part B - Final Reporting Deadline Monday, April 27th
Deliverables (for your selected Company)**:
1). Final Financial Statement Analysis and Risk Assessment Sheet.xls
2). Framework Workpaper
3). Electronic copy of the PowerPoint slides and any other supporting documentation to be
used for your oral presentation
Make sure that each document is professional in appearance and contains all the team
members’ names.
**Submit
• Electronic version in Digital Drop Box no later than 9:00 a.m. on April 27th
• Hard Copy at beginning of class on April 27th
Grading Rubric and Points Available
Grades and points will be assigned based on how well you satisfy the specified criteria (on the Likert-type scale):
Excellent = 5, Good = 4, Satisfactory = 3, Fair = 2, Poor = 1
1. Team has completed the assigned tasks completely and on time.
2. The completed assignment demonstrates literal, interpretive, and evaluative levels of comprehension of the assigned audit tasks.
3. The completed assignment shows complete understanding of the appropriate auditing and accounting concepts.
4. Team has completed a thorough risk assessment of the company.
5. Team has completed a thorough internal control evaluation of the company.
6. Team has completed a comprehensive analysis.
7. The team documented its understanding of the company’s inherent risk and residual risk.
8. Team documented its understanding of the Company’s internal control system as required.
9. Team completed a thorough internal control evaluation.
10. All documents are correctly filled out and included in the working papers.
11. Templates, Excel spreadsheets, flowcharts and Word documents are neat, easy to read, and have all correct information.
12. Team uses appropriate auditing and accounting skills and reasoning.
13. Correct terminology and notations are used, making it easy to understand what was done.
14. Team accurately evaluates risks, financial statement and audit implications.
15. Team demonstrates mastery of the skills and strategies taught in class through use within the audit project.
16. The submitted assignment is very neat and demonstrates great effort and creativity within the framework.
17. Team presents a high-quality, professionally prepared presentation.
18. Group members’ evaluations of student’s contributions.
Points Available
Written Report
Financial Statement Analysis and Risk Assessment Sheet: 10
Risk Assessment Memo to file re approach to assigning impact values: 5
Internal Control Deficiencies: 30
Overall Report quality: 3
Written Report subtotal: 48
Oral Presentation
Organization, thorough presentation, & stayed within time limit (15 mins per group): 6
Presentation style: 3
Visual aids: 3
Oral Presentation subtotal: 12
Total points awarded: 60
Industry Assignment and Presentation Date

Industry: Airline
Company:
Team Members: Jonathon Cothran, Porsche Farr, Jamison Hedgepeth, Wendi White
Presentation Date: Monday, April 27th

Industry: Automotive Retail
Company:
Team Members: Ashley Brooks, Shontae Clark, John Primus, Rashida Stevens
Presentation Date: Monday, April 27th

Industry: Healthcare
Company:
Team Members: Marion Williams, Angelica Stringer, Kamille Green, Hugene Fields
Presentation Date: Wednesday, April 29th

Industry: International Manufacturing
Company:
Team Members: Hona Basnight, Ernest Monroe, Justin Moore, Steven Payne
Presentation Date: Wednesday, April 29th

Industry: Mining
Company:
Team Members: Shaneka Hallback, Brittaney Hamilton, Aaron Hare-Jordan, Melissa Vachon
Presentation Date: Wednesday, April 29th

Industry: Software
Company:
Team Members: Justine Campbell, QuaShonda Howze, Marquis Hines, Donna Johnson, Jonas Pinkney
Presentation Date: Friday, May 1st

Industry: Wholesale Technology
Company:
Team Members: Apollonia Bowie, Fred Clarida, Bridget Hunter, CeKeithia Mattews
Presentation Date: Friday, May 1st