Assessing Financial Statement Risks and Internal Controls
A Suggested Approach for Companies

Overview
This presentation describes:
• Financial statement risks
• Reasons for identifying risks
• Examples and sources of risks
• Internal control components, control objectives, and key controls
• An approach for—
  – Identifying financial statement risks
  – Assessing whether controls are adequate to mitigate the risks

Reasons for This Presentation
• To assist you in fulfilling your responsibilities for financial reporting
• To assist our firm in meeting professional requirements when performing your audit
• To help minimize your audit fees

What are Financial Statement Risks?
• Risks that affect the achievement of financial reporting objectives
• Conditions or indications that something could go wrong in the financial statements
• May relate to error or fraud
• May be pervasive to the financial statements or related to specific transactions, accounts, or disclosures

Why Identify and Understand Risks?
• Risk assessment is a key component of internal control
• Identifies what could go wrong in the financial statements
• Allows an evaluation of the likelihood and magnitude of potential misstatements
• Provides a foundation for assessing whether controls are properly designed and implemented

Considering Financial Statement Assertions
• Existence or occurrence
• Completeness
• Rights or obligations
• Valuation or allocation
• Accuracy or classification
• Cutoff

Examples of Risks
• Risk Indicator: Inventory is highly liquid
  – Financial Statement Risk: Overstatement of inventory due to theft (Existence)
• Risk Indicator: Inventory cost accounting method is highly complex and subjective
  – Financial Statement Risk: Overstatement or understatement of inventory due to improper cost accounting (Valuation and Accuracy)
• Risk Indicator: Key customers are concentrated in an industry facing economic downturn
  – Financial Statement Risk: Understatement of the allowance for doubtful accounts (Valuation)
• Risk Indicator: The company is facing a number of lawsuits by customers
  – Financial Statement Risk: Failure to disclose contingent liabilities (Completeness)

Possible Sources of Risk
• Structure, ownership, governance, and related parties
• Industry, regulatory, and other external factors
• The nature of the company, for example:
  – Revenue sources
  – Types of products, services, and markets
  – Nature of assets, liabilities, expenses, investments, and financing
  – Accounting policies
  – Uses of the financial statements
  – IT systems

Possible Sources of Risk (Continued)
• Objectives and strategies
• Key performance measures
• Going concern issues
• Potential fraud
  – Incentives/pressures
  – Opportunities
  – Attitudes/rationalizations

Internal Control
• Process employed by the company to provide reasonable assurance of achieving financial reporting objectives
• Consists of five interrelated components
• To be effective, all components should be in place
• Applies to all companies—both small and large
• Helps prevent, or detect and correct, misstatements resulting from risks

Five Components of Internal Control
• Control Environment
• Risk Assessment
• Information and Communication
• Monitoring
• Control Activities

Control Objectives and Key Controls
• A control objective states the purpose of a control
• Controls are effectively designed if they achieve the objective
• Key controls are those that are most important in achieving the objective

Control Environment Objectives
• Those charged with governance are actively involved and have influence over financial reporting
• Management demonstrates character, integrity, and ethical values
• Management’s philosophy and operating style are consistent with a sound control environment
• The organizational structure is appropriate to support effective financial reporting
• Human resource policies and procedures promote integrity, ethical behavior, and competence
• Authority and responsibility are appropriately assigned
• The company is committed to competence

Control Environment Examples
• Objective: Participation of those charged with governance
  – Control Example: Those charged with governance provide input and oversight of the entity’s financial statements, including the application of GAAP and use of accounting judgments
• Objective: Communicating integrity and ethical values
  – Control Example: A code of conduct or ethics policy exists
• Objective: Management’s philosophy and operating style
  – Control Example: Management exemplifies attitudes and actions in line with its mission, vision, and values to support an effective control environment
• Objective: Organizational structure
  – Control Example: The entity defines key areas of authority and responsibility, including management’s responsibility for business activities, and how they affect the business as a whole.
Control Environment Examples (Continued)
• Objective: Human resource policies and procedures
  – Control Example: Employee recruitment and retention practices for key financial positions are guided by principles of integrity and by the necessary competencies associated with the positions
• Objective: Assignment of authority and responsibility
  – Control Example: Job descriptions, reference manuals, or other forms of communication inform personnel of their duties
• Objective: Commitment to competence
  – Control Example: The entity establishes competencies (knowledge, skills, abilities, and credentials) prior to hiring of key positions

Risk Assessment Objectives
Financial reporting objectives:
• Financial reporting objectives are established, documented, and communicated
• Accounting principles are properly applied
Management of financial reporting risks:
• Practices are established for identifying risks
• When assessing risks, the entire organization and extended relationships are considered
• Mechanisms are implemented to anticipate, identify, and react to changes
• Risks are properly evaluated and mitigated

Risk Assessment Objectives (Continued)
Consideration of fraud risks:
• An appropriate fraud risk assessment and monitoring process exists

Risk Assessment Examples
• Objective: Financial reporting objectives
  – Control Example: Financial reporting objectives align with the requirements of GAAP (or an OCBOA)
• Objective: Management of financial reporting risks
  – Control Example: Mechanisms are in place to identify risks potentially affecting achievement of the entity’s financial reporting objectives
  – Control Example: Periodic reviews are performed to, among other things, anticipate and identify routine events or activities that may affect the entity’s ability to achieve its objectives
  – Control Example: Risks related to the ability of an employee to initiate and process unauthorized transactions are appropriately identified
• Objective: Consideration of fraud risks
  – Control Example: The assessment of fraud risks considers incentives and pressures to commit fraud, opportunities to carry it out, and attitudes and rationalizations to justify it

Information and Communication Objectives
Information:
• Information is identified, captured, and used at all levels of the entity
• Information needed to facilitate the functioning of internal control is identified, captured, used, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities

Information and Communication Objectives (Continued)
Communication:
• Communication exists between management and those charged with governance to enable role fulfillment
• All personnel receive a clear message that internal control responsibilities are to be taken seriously
• There is effective upstream communication

Information Examples
• Objective: Identification and use of information at all levels
  – Control Example: Operating information is used as the basis for financial reporting and relevant operating information is used as the basis for accounting estimates
• Objective: Identification and use of information in accordance with the entity’s control processes
  – Control Example: Accounting procedures are formal enough to determine whether the control objective is met, documentation supporting the procedures is in place, and personnel routinely know the procedures that need to be performed

Communication Examples
• Objective: Effective communication between management and governance
  – Control Example: The effectiveness of those charged with governance is supported by timely communications with management
• Objective: Communication of control responsibilities
  – Control Example: Employees receive adequate information to complete their job responsibilities
• Objective: Effective upstream communication
  – Control Example: All reported potential improprieties are reviewed, investigated, and resolved in a timely manner

Monitoring Objective
Management monitors controls over financial reporting through:
• Ongoing monitoring
• Independent evaluations
• Remediation of identified deficiencies

Monitoring Examples
• Ongoing monitoring includes identification of what constitutes a deviation from prescribed controls and requires investigation of potential control problems
• Deficiencies are reported to (1) the appropriate person for corrective action and (2) if applicable, at least one level of management above that person

Control Activities
• Can be either automated or manual
• Directed toward transaction processing
• Can be associated with one or more assertions
• Include:
  – Performance reviews
  – Information processing controls
  – Physical controls
  – Segregation of duties
  – Asset accountability

Control Activities Objectives—Processing Cash Receipts
• Cash receipts information is valid and processed only once (E/O, R/O)
• Cash receipts are appropriately safeguarded (E/O)
• Cash received is posted in the proper period (CO)
• Cash receipts information is recorded in the correct account (A/CL)
• Recorded cash receipt amounts are correct (A/CL)
• All cash receipts are recorded (C)
• Foreign currency cash received is correctly valued (V)

Control Activities Examples—Processing Cash Receipts
• Lockbox receipts are compared to customer remittances (E/O, C, V, R/O, A/CL, CO)
• Cash receipts are reconciled to general ledger postings daily (E/O, V, R/O, C/O)
• Bank reconciliations are prepared and reviewed in a timely manner (E/O, C, V, R/O, A/CL, CO)

Putting It All Together: A Process for Identifying Risks and Assessing Controls
• Consider the aspects of the company that are sources of risk
• Gather information that indicates potential risks
• Accumulate and synthesize the information to identify risks
• Identify key controls that address the risks by focusing on control objectives
• Assess whether controls are properly designed and implemented to achieve the objectives
• Identify gaps and prioritize deficiencies for improvement

A Practical Approach to Reviewing Internal Control
• Supporting tools to help you assess entity-level controls:
  – Complete (or update) a narrative describing your entity-level controls using “Understanding the Design and Implementation of Internal Control”
  – Supplement the documentation by completing the related “Entity-level Control Form”

A Practical Approach to Reviewing Internal Control (Continued)
• Supporting tools to help you assess activity-level controls:
  – Complete (or update) a narrative describing your activity-level controls using “Financial Reporting System Documentation Form―Financial Close and Reporting/Significant Transaction Classes”
  – Supplement the documentation by completing the related “Control Activities Form”

A Practical Approach to Reviewing Internal Control (Continued)
Evaluate controls to determine if:
• Key controls are present to achieve control objectives and address relevant financial statement risks
• Controls are properly designed to prevent, or detect and correct, misstatements
• Controls are in place to address all identified risks

A Practical Approach to Reviewing Internal Control (Continued)
If controls are “missing” or improperly designed, determine:
• Whether other compensating controls address the control objective
• The likelihood and magnitude of potential errors
• The pervasiveness of potential errors
• The priority for corrective action

Conclusion
• Risk assessment is a key component of internal control
• Allows the company to evaluate whether controls are adequate
• Establishes a framework for prioritizing the correction of control deficiencies
• Assists in the audit process

Questions?