Presentation is loading. Please wait.

Presentation is loading. Please wait.

Assessing Financial Statement Risks and Internal Controls

Published byNoah Benson Modified over 5 years ago

Similar presentations

Presentation on theme: "Assessing Financial Statement Risks and Internal Controls"— Presentation transcript:

1 Assessing Financial Statement Risks and Internal Controls
A Suggested Approach for Companies I’m here today to talk to you about how you can identify and assess your company’s financial statement risks and evaluate whether your internal controls are adequate to prevent, detect, and correct material misstatements in your financial statements.

2 Overview This presentation describes: Financial statement risks
Reasons for identifying risks Examples and sources of risks Internal control components, control objectives, and key controls An approach for— Identifying financial statement risks Assessing whether controls are adequate to mitigate the risks The main points of my presentation will include: What is meant by the term “financial statement risks.” Reasons for identifying financial statement risks. Examples of financial statement risks. Sources of risks. Internal control components, control objectives, and key controls. How to identify and assess your controls in the context of financial statement risks. An open question and answer period.

3 Reasons for This Presentation
To assist you in fulfilling your responsibilities for financial reporting To assist our firm in meeting professional requirements when performing your audit To help minimize your audit fees This presentation is designed to assist you in fulfilling your responsibilities related to financial reporting. Those responsibilities include: Establishing and maintaining effective internal controls. Selecting and applying appropriate accounting principles. Presenting your company’s financial position, results of operations, and cash flows fairly in the financial statements. Although our firm can assist you in various ways in fulfilling these responsibilities, such as by making suggestions for improvement as part of our audit or advising you about the application of accounting principles, you are ultimately responsible for the analysis, decision-making, and implementation of policies and procedures that lead to accurate financial reporting. The topics discussed in this presentation will provide you with a process, along with supporting tools, to assist you in fulfilling your responsibilities, primarily the responsibility to establish and maintain effective internal controls. The process I present will help you assess the adequacy of your controls in terms of achieving the objectives of a sound control system.

4 What are Financial Statement Risks?
Risks that affect the achievement of financial reporting objectives Conditions or indications that something could go wrong in the financial statements May relate to error or fraud May be pervasive to the financial statements or related to specific transactions, accounts, or disclosures Financial statement risks are risks that affect the achievement of financial reporting objectives. In general terms, financial reporting objectives include the following: The financial statements comply with generally accepted accounting principles. Disclosures in the financial statements are understandable, informative to users, and fairly presented. Accounting policies are appropriate for the industry and the company’s underlying transactions. Account balances, transactions, and other events reflected in the financial statements: Occurred or exist, Are complete, Represent the rights or obligations of the company, Are properly valued, and Are recorded in the right account, amount, and period. All companies are subject to risks that can affect the achievement of these financial reporting objectives. For example, if the company has a concentration of sales to customers in an industry that is facing severe economic issues, there is a risk that the allowance for uncollectible accounts may be understated.

5 Why Identify and Understand Risks?
Risk assessment is a key component of internal control Identifies what could go wrong in the financial statements Allows an evaluation of the likelihood and magnitude of potential misstatements Provides a foundation for assessing whether controls are properly designed and implemented Why should you identify an understand financial statement risks? Identifying risks to achieving financial reporting objectives and determining how to manage those risks is a key component of an effective internal control system. In a few minutes, we’ll discuss the internal control process and the underlying components that are critical to achieving effective internal control over financial reporting. Also, identifying risks within the context of financial reporting objectives allows you to articulate what could go wrong in the financial statements. In other words, what is the potential impact of the risk on the financial statements? For example, if a company engages in bill-and-hold transactions, it might determine that there is a risk of overstating inventory if the customer’s inventory is inadvertently included in the year-end physical count. This articulation of risks allows the company to take action to prevent financial errors from occurring. Finally, identifying risks and what could go wrong in the financial statements allows you to assess the magnitude and likelihood of potential misstatements that could occur. Evaluating the magnitude, or size, of the potential financial statement misstatement and the likelihood of it occurring helps focus you on addressing and managing those risks that could result in material misstatement to the financial statements. Remember, however, that magnitude is not limited only to quantitative considerations. Some consideration also should be given to the qualitative aspects of misstatements. In certain cases, implications of potential misstatements that might otherwise be small could be considered important to financial statement users. The way you address and manage risks is by implementing controls to prevent financial statement misstatements or to detect and correct them if they do occur. Thus, the identification of risks can help you assess whether controls are properly designed to mitigate the risks. We’ll discuss this more later in the presentation.

6 Considering Financial Statement Assertions
Existence or occurrence Completeness Rights or obligations Valuation or allocation Accuracy or classification Cutoff The concept of assertions is very useful when identifying and evaluating financial statement risks. Assertions describe conditions that should be present related to the recognition, measurement, presentation, and disclosure of information in the financial statements. In terms of assertions, you consider what could go wrong in the financial statements related to: Existence or occurrence. Recorded transactions and events actually occurred and pertain to the entity, and recorded assets, liabilities, and equity interests actually exist. Completeness. All transactions and events, assets, liabilities, and equity interests that should have been recorded have been recorded. Rights or obligations. The company holds or controls the rights to recorded assets, and liabilities are the obligations of the entity. Valuation or allocation. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded. Accuracy or classification. Amounts and other data related to transactions and events have been recorded correctly and in the proper accounts. Cutoff. Transactions and events have been recorded in the correct accounting period. In my previous example of a company engaging in bill-and-hold transactions, the risk relates to the rights or obligations assertion because merchandise included in the physical count may not belong to the company. By considering “what could go wrong” in terms of assertions, you can more easily consider the potential severity and implications of risks on the financial statements.

7 Financial Statement Risk
Examples of Risks Risk Indicator Financial Statement Risk Inventory is highly liquid Overstatement of inventory due to theft (Existence) Inventory cost accounting method is highly complex and subjective Overstatement or understatement of inventory due to improper cost accounting (Valuation) Key customers are concentrated in an industry facing economic downturn Understatement of the allowance for doubtful accounts (Valuation) The company is facing a number of lawsuits by customers Failure to disclose contingent liabilities (Completeness) As I mentioned previously, when identifying risks, it is important to describe what could go wrong in the financial statements, and risks generally should be stated in terms of financial statement assertions. To assist in assessing risks and determining whether internal controls are properly designed and implemented to address them, it is important to be as specific as possible when describing risks. For example, the description should include: The cause of the risk. The account balance, class of transactions, or disclosure affected and how it is affected (that is, overstatement or understatement). For fraud risks, the type of fraud (that is, theft of assets or fraudulent financial reporting). The assertion affected (or that the risk is pervasive to the financial statements). This slide provides some examples of financial statement risks described in terms of what could go wrong in the financial statements, including the relevant assertion.

8 Possible Sources of Risk
Structure, ownership, governance, and related parties Industry, regulatory, and other external factors The nature of the company, for example: Revenue sources Types of products, services, and markets Nature of assets, liabilities, expenses, investments, and financing Significant or unusual transactions Accounting policies Uses of the financial statements Information technology, including general controls Risks to achieving the company’s financial reporting objectives may arise from a number of sources both internal and external to the company. I’ll discuss some of these possible sources and provide examples of risk indicators that might relate to each source. Structure, ownership, governance, and related parties includes factors such as: The type of legal entity. Whether the company is closely or more broadly held. The number and types of subsidiaries. The centralization, background, and experience of management. The significance of related-party relationships and transactions. The role and function of the board of directors or audit committee. Examples of possible risk indicators from this source might include: The board of directors exercises little oversight over the company’s operations. The structure of the company is overly complex. The number of related parties and extent of transactions with them are significant.

9 Possible Sources of Risk (Continued)
Objectives and strategies Key performance measures Going concern issues Potential fraud Incentives/pressures Opportunities Attitudes/rationalizations Objectives and strategies include factors such as: Future trends, expectations, objectives, and strategies related to— Products and services. Marketing and sales. Research and development. Technology. Business expansion or restructuring. Workforce or compensation. Examples of possible business risks that might affect the company’s ability to achieve its objectives or execute its strategies include: Industry developments that may affect the entity’s ability to achieve its objectives. Inadequacy of personnel or expertise. Increased legal exposure or regulatory requirements. Rapid changes in technology or product obsolescence. Explicitly stated strategic objectives that are only moderately achieved.

10 Internal Control Process employed by the company to provide reasonable assurance of achieving financial reporting objectives Consists of five interrelated components To be effective, all components should be present and functioning and operating together Applies to all companies—both small and large Helps prevent, or detect and correct, misstatements resulting from risks Simply stated, effective internal control is a way that the company manages risks, specifically financial statement risks. Later in my presentation, we’ll talk more about a process you can use to identify your financial statement risks and assess the controls you have in place to manage those risks. But first, over the next few minutes, I want to provide an overview of internal control. For some of you this may be familiar territory. Internal control is a process, effected by an entity’s board of directors, management and other employees, designed to provide reasonable assurance regarding the achievement of financial reporting objectives. Internal control also includes the safeguarding of assets against unauthorized use, destruction, or disposition. While internal control can also relate to other objectives such as the efficiency and effectiveness of operations or compliance with laws and regulations, for purposes of this presentation, we are focusing on internal control as it relates to achieving the company’s financial reporting objectives. We spoke about financial reporting objectives earlier in the presentation. Internal control is commonly described within a framework. The most commonly used framework in the United States is a four volume report titled Internal Control—Integrated Framework (referred to as the COSO Report) which was issued by Committee of Sponsoring Organizations of the Treadway Commission (COSO). The SOSO framework is in the process of being reviewed and updated. The projected publication date of the update framework is fall 2012.

11 Five Components of Internal Control
Control Environment Risk Assessment Information and Communication Monitoring Control Activities Let’s spend a few minutes recapping the nature and purpose of the five interrelated components of internal control as outlined in the COSO framework. Control Environment. The control environment sets the tone of a company and influences the control consciousness of its people. The control environment is the foundation for all other components of internal control and provides structure and discipline. Among the important elements of the control environment are the attitude, awareness, and actions of management, as well as those charged with governance, concerning internal control. Risk Assessment. As we discussed earlier, risk assessment is key component of internal control. Risk assessment is the process of setting objectives; prioritizing and linking those objectives; and identifying, analyzing, and managing risks relevant to achieving those objectives. With respect to the objective of reliable financial reporting, the risk assessment process involves the identification, analysis, and management of the risks of material misstatement of the financial statements. Information and Communication. Information refers to the financial reporting system, which includes the accounting system and encompasses the procedures and records established to initiate, authorize, record, process, correct, transfer to the general ledger, and report the entity’s transactions. It also includes the accountability over assets, liabilities, and equity. An information system may be computerized, manual, or a combination of the two depending on the size and complexity of the entity. Communication is the process of providing an understanding of roles and responsibilities to individuals within the organization regarding internal control over financial reporting.

12 Control Objectives, Principles, and Key Controls
A control objective states the purpose of a control Principles represent the fundamental concepts associated with each component of internal control Controls are effectively designed if they achieve the objective/principle Key controls are those that are most important in achieving the objective It is often helpful to consider control objectives during the process of identifying controls and assessing their adequacy. A control objective states the purpose of a control (or controls) in relation to risks and “what could go wrong” in the financial statements. For example, “All property, plant, and equipment additions are recorded,” might be a control objective that addresses a risk of fixed asset transactions not being properly tracked and recorded (that is, completeness of fixed assets). Failure to achieve that control objective could potentially result in understatement of fixed assets and depreciation expense, as well as misstatements in other income statement accounts. Control objectives may relate to entity-level controls, such as control environment and monitoring controls, or to controls over specific account balances, transactions, and disclosures. By considering control objectives and how they relate to risks and what could go wrong in financial statement assertions, you might find it easier to identify your existing controls. When existing controls are identified, you can evaluate whether those controls, if operating effectively, would fully achieve the objectives or whether deficiencies exist because of improper design or missing controls. In general, controls are effectively designed if they achieve their control objectives. You don’t have to evaluate all controls and control activities that might exist in your system of internal control. Typically, you should focus your attention on those controls that are most important in achieving particular control objectives. Often, a company has multiple controls that contribute to achieving its control objectives. However, certain of those controls, referred to as key controls, are considered primary to achieving the objectives. When identifying controls and assessing their adequacy, it is generally most effective to focus on key controls. Many times, these are the controls that you believe are the most effective and reliable in operation to fully address a control objective. When identifying key controls, ask yourself the question, “What controls do I believe are the most critical in preventing or detecting a material financial reporting failure related to this risk?”

13 Control Environment Principles
The entity demonstrates a commitment to integrity and ethical values The board of directors demonstrates independence from management in exercising oversight of the development and performance of internal control over financial reporting With board oversight, management establishes structures, reporting lines, and appropriate authorities and responsibilities to achieve financial reporting objectives The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with financial reporting objectives The entity holds individuals accountable for their internal control responsibilities In the next few slides, I’m going to discuss the objectives of each internal control component and provide examples of key controls for those objectives. The following control objectives exist for the control environment: Those charged with governance are actively involved and have significant influence over the entity’s internal control environment and its financial reporting. Management, through its attitudes and actions, demonstrates character, integrity, and ethical values. Sound integrity and ethical values, particularly of top management, are developed and set the standard of conduct for the organization and financial reporting. Management’s philosophy and operating style are consistent with a sound control environment and have a pervasive effect on the entity. Management views accounting as a means to monitor and control the various activities of the organization, and adopts accounting policies that reflect the economic realities of the business. The organizational structure of the entity is appropriately designed to promote a sound control environment. Authority and responsibility, appropriate reporting lines, and free flow of information across the organization provide unfettered influence to effectively run the entity and support effective financial reporting, including the identification of related party relationships and transactions. Human resource policies and procedures send messages to employees regarding expected levels of integrity, ethical behavior, and competence. The entity assigns authority and responsibility to provide a basis for accountability and control. The entity is committed to competence in the requirements of particular jobs and in translating those requirements into knowledge and skills.

14 Control Environment Examples
Principle Control Example The entity demonstrates a commitment to integrity and ethical values A process exists by which those charged with governance are made aware of key developments that may affect financial reporting The board of directors demonstrates independence from management in exercising oversight of the development and performance of internal control over financial reporting The board of directors is sufficiently independent of management so that necessary questions are raised With board oversight, management established structures, reporting lines, and appropriate authorities and responsibilities to achieve financial reporting objectives Management periodically evaluates the entity’s organizational structure and makes necessary changes based on changes in the business and/or industry This and the following slide provide examples of controls that relate to the control environment and its control objectives. Consider, as we review these, whether they are present in your organization.

15 Control Environment Examples (Continued)
Principle Control Example The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with financial reporting Employee recruitment and retention practices for key financial positions are guided by principles of integrity and by the necessary competencies associated with the positions The entity holds individuals accountable for their internal control responsibilities Employees are empowered to correct problems or implement improvements in their assigned processes

16 Risk Assessment Principles
The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to financial reporting objectives The entity identifies risks to achieving its objectives and analyzes risks to determine how the risks should be managed The entity considers the potential for fraud in assessing risks to the achievement of financial reporting objectives The entity identifies and assesses changes that could significantly impact the system of internal control An entity’s risk assessment objectives can be divided into three categories: Financial reporting objectives. Management of financial reporting risks. Consideration of fraud risks. The following control objectives exist for each of these elements: Financial reporting objectives: Entity and financial reporting objectives are established, documented, and communicated. • Accounting principles are properly applied in the preparation of the financial statements. Management of financial reporting risks: Management has established practices for the identification of risks affecting the entity. • Management considers the entire organization as well as its extended relationships in its risk assessment process. • Management has implemented mechanisms to anticipate, identify, and react to changes. • Management evaluates and mitigates risk appropriately.

17 Risk Assessment Examples
Principle Control Example The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to financial reporting objectives Management identifies risks related to laws or regulations that may affect financial reporting The entity identifies risks to achieving its objectives and analyzes risks to determine how the risks should be managed Periodic reviews are performed to, among other things, anticipate and identify routine events or activities that may affect the entity’s ability to achieve its objectives The entity considers the potential for fraud in assessing risks to the achievement of financial reporting objectives The entity’s assessment of fraud risk considers incentives and pressures, attitudes and rationalizations, as well as the opportunity to commit fraud The entity identifies and assesses changes that could significantly impact the system of internal control Management communicates the risk assessment and changes in the business environment to all appropriate employees This slide provides examples of controls that relate to risk assessment and its control objectives. Again, please consider if you have these types of controls in place at your company.

18 Information and Communication Principles
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control over financial reporting As noted previously, information refers to the financial reporting system, which includes the accounting system and encompasses the procedures and records established to initiate, authorize, record, process, correct, transfer to the general ledger, and report the entity’s transactions. Communication is the process of providing an understanding of roles and responsibilities to individuals within the organization regarding internal control over financial reporting. The following control objectives relate to the information control component: Information is identified, captured, used, at all levels of the entity, and distributed in a form and timeframe that supports the achievement of financial reporting objectives. Information needed to facilitate the functioning of internal control is identified, captured, used, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.

19 Information and Communication Principles (Continued)
The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control over financial reporting The entity communicates with external parties regarding matters affecting the functioning of internal control The following control objectives relate to the communication control component: Communication exists between management and those charged with governance (if separate from management) so that both have relevant information to fulfill their roles with respect to governance and to financial reporting objectives. All personnel, particularly those in roles affecting financial reporting, receive a clear message from top management that both internal control over financial reporting and individual control responsibilities must be taken seriously. Personnel have an effective and safe method to communicate significant information upstream in the entity.

20 Information Examples Principle Control Example
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control over financial reporting Relevant operating information is used to develop accounting and financial information and whether it serves as a basis for reliable financial reporting, including the basis for accounting estimates This slide provides examples of controls that relate to the information control objectives.

21 Communication Examples
Principle Control Example The entity internally communicates information, including objectives and responsibilities for internal control, to support the functioning of internal control over financial reporting Management has developed communication approaches that specify individual responsibilities in dealing with inappropriate behavior The entity communicates with external parties regarding matters affecting the functioning of internal control There is a process for tracking communications from customers, vendors, regulators, and other external parties This slide provides examples of controls that relate to the communication control objectives. 21

22 Monitoring Principles
The entity selects, develops, and performs ongoing and/or separate evaluations to determine whether the components of internal control are present and functioning The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate As noted earlier, the monitoring component of internal control is a process by which an entity assesses the quality of its internal control over time. The control objective over the monitoring component is relatively straight-forward. It might be described as “management monitors controls over financial reporting through ongoing monitoring, independent evaluations, and remediation of identified deficiencies.”

23 Monitoring Examples Principle Control Example
The entity selects, develops, and performs ongoing and/or separate evaluations to determine whether the components of internal control are present and functioning Management’s ongoing monitoring serves as a primary indicator of both control design and operating effectiveness and of risk conditions The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and board of directors, as appropriate Findings of an internal control deficiency are reported to (1) the appropriate person who is in the position to take corrective actions and, if applicable, (2) at least one level of management above that person This slide provides examples of controls that relate to the monitoring control objective.

24 Control Activities Principles
The entity selects and develops activities that contribute to the mitigation of risks to the achievement of financial reporting objectives to acceptable levels. The entity selects and develops general control activities over technology to support the achievement of financial reporting objectives. The entity deploys control activities through policies and procedures that put policies into action. As noted earlier, control activities are the policies and procedures that help ensure that management directives are carried out. Unlike the “entity-level” controls previously discussed, control activities are referred to as “activity-level” controls and include the financial reporting system. The following principles exist for control activities: The entity selects and develops activities that contribute to the mitigation of risks to the achievement of financial reporting objectives to acceptable levels. The entity selects and develops general control activities over technology to support the achievement of financial reporting objectives. The entity deploys control activities through policies and procedures that put policies into action.

25 Control Activities Examples
Principle Control Example The entity selects and develops activities that contribute to the mitigation of risks to the achievement of financial reporting objectives to acceptable levels The company’s control activities include periodic inventory observations and reconciliations to the general ledger The entity selects and develops general control activities over technology to support the achievement of financial reporting objectives The IT general controls include periodic backups of databases and operating systems, including periodically testing for recoverability The entity deploys control activities through policies and procedures that put policies into action. The company has defined policies and procedures regarding confidentiality of databases included in the system security. This slide provides examples of controls you might consider when evaluating principles relating to control activities.

26 Types of Control Activities
Performance reviews Information processing controls Physical controls Segregation of duties Accountability As noted earlier, control activities are those actions that are taken to address risks that threaten the entity’s ability to achieve its objectives, one of which is reliable financial reporting. Control activities, which can be either automated or manual, are performed at various levels within the entity. Control activities are generally directed to one or more types of transactions and can be associated with one or more assertions. Control activities are policies and procedures that generally pertain to the following: Performance reviews, which are comparisons of current financial reports to other information. Information processing controls, which are controls performed to check accuracy, completeness, and authorization of transactions. For information systems, there are two broad categories of processing controls—application controls and general controls. Physical controls, which pertain to the physical security of assets including adequate safeguards that limit access to assets, computer programs, and files; and periodic counting and comparison to control records. Segregation of duties, which involves the assignment of different people to authorize transactions, record transactions, and maintain custody of assets. Asset accountability, which encompasses controls relating to reconciliations of the detailed records to the general ledger.

27 Control Activities Objectives— Processing Cash Receipts
Cash receipts information is valid and processed only once (E/O, R/O) Cash receipts are appropriately safeguarded (E/O) Cash received is posted in the proper period (CO) Cash receipts information is recorded in the correct account (A/CL) Recorded cash receipt amounts are correct (A/CL) All cash receipts are recorded (C) Foreign currency cash received is correctly valued (V) As I noted, control activities generally relate to transaction processing and can be associated with one or more assertions. As a result, control objectives will vary depending on the type of transaction. This slide illustrates possible control objectives related to processing cash receipts. It also indicates parenthetically the assertions that each control objective addresses. As we previously discussed, control objectives address one or more underlying financial statement risks or assertions. For example, “Cash receipts are appropriately safeguarded” might address the risk “Employees with access to cash may misappropriate funds.” The assertions related to the objectives are abbreviated as follows: “E/O” signifies existence or occurrence. “C” signifies completeness. “R/O” relates to rights or obligations. “V” signifies valuation or allocation. “A/CL” relates to accuracy or classification. “CO” denotes cutoff.

28 Control Activities Examples— Processing Cash Receipts
Lockbox receipts are compared to customer remittances (E/O, C, R/O, A/CL, CO) Cash receipts are reconciled to general ledger postings daily (E/O, V, R/O, CO) Bank reconciliations are prepared and reviewed in a timely manner (E/O, C, V, R/O, A/CL, CO) This slide provides examples of key controls that relate to the control objectives for processing cash receipts. Assertions are indicated in parentheses. A control may relate to more than one assertion because it addresses multiple types of risk.

29 Putting It All Together: A Process for Identifying Risks and Assessing Controls
Consider the aspects of the company that are sources of risk Gather information that indicates potential risks Accumulate and synthesize the information to identify risks Identify key controls that address the risks by focusing on control objectives Assess whether controls are properly designed and implemented to achieve the objectives Identify gaps and prioritize deficiencies for improvement So far, we’ve discussed: Risks to achieving financial reporting objectives. Describing risks in terms of what could go wrong in the financial statements. Possible sources of risk. The components of an effective internal control system. Focusing on key controls that achieve control objectives to address risks. Now, I’m going to discuss a process that you can employ that leads to self-assessment of the adequacy of your internal controls. You can tailor this process as you see fit. In other words, you might decide to focus on examining controls for a particular type of transaction that you consider to present the greatest amount of risk of material misstatement to your financial statements. Or you might decide to look at all of the components of internal control that we discussed, including control activities for significant transactions classes. Also, some companies might even wish to go a step further and test their controls to see if they are operating effectively. It’s up to you, considering your time and other resources, to determine the degree to which financial reporting risks and the controls you use to manage them will be assessed.

30 A Practical Approach to Reviewing Internal Control
Supporting tools to help you assess entity-level controls: Complete (or update) a narrative describing your entity-level controls using “Understanding the Design and Implementation of Internal Control” Supplement the documentation by completing the related “Entity-level Control Form” [Note: If the auditor plans to have the client complete the PPC forms as outlined in this presentation, the authors suggest providing illustrative copies of the forms to the audience as a reference source as you discuss this section. You might want to mark certain parts of the forms “for auditor use only.”] I’m going to discuss some supporting tools you can use to identify and evaluate your internal controls and control deficiencies. As I mentioned earlier, we are required by professional standards to assess your risks and understand your internal controls. Some of the tools we use to understand your internal controls may be useful for your self-assessment. While these tools were designed for the auditor, they serve as a roadmap to understanding and documenting your controls and incorporate the concepts that we’ve discussed during my presentation. Alternatively, you can develop your own documentation, and use the tools to guide you as to the components, key controls, and topics you should consider. And, by completing these tools or preparing similar documentation, you assist us with our required understanding, which helps to minimize audit fees. But, remember, we’re still required by professional standards to perform procedures to verify and confirm any documentation you prepare.

31 A Practical Approach to Reviewing Internal Control (Continued)
Supporting tools to help you assess activity-level controls: Complete (or update) a narrative describing your activity-level controls using “Financial Reporting System Documentation Form―Financial Close and Reporting, Significant Transaction Classes” Supplement the documentation by completing the related “Control Activities Form” You are now prepared for the next step in the self-assessment process, which is to assess activity-level controls. When assessing controls that operate at the activity level, that is, controls at the assertion level for your significant transaction classes, another tool, the “Financial Reporting System Documentation Form―Financial Close and Reporting/Significant Transaction Classes,” can be used. This form allows you to document the flow of information and underlying controls for each of your significant transaction classes. Remember to focus on key controls that achieve the control objectives for the transactions. Typically, on this form, you describe in narrative form how transactions are initiated and authorized; how they are entered into the accounting system; and other processing steps that lead to the inclusion of the transactions in the general ledger, along with associated key controls. The “Control Activities Form” will often be useful as a supplement to your narrative documentation. The form provides a list of key control activities for each transaction class. A control activities form is available for each major financial statement area and contains common key controls that achieve control objectives for underlying transaction classes. You can use these forms in combination with your narrative description to help identify relevant key controls and determine where gaps might exist for your company.

32 A Practical Approach to Reviewing Internal Control (continued)
Evaluate controls to determine if: Key controls are present to achieve control objectives/principles and address relevant financial statement risks Controls are properly designed to prevent, or detect and correct, misstatements Controls are in place to address all identified risks When documenting and assessing controls, you should determine if: Key controls are present that achieve the control objectives and address relevant financial statement risks. The controls are properly designed to prevent, or detect and correct, misstatements. The controls, as designed, have been put into operation. Controls exist that effectively mitigate and manage all identified risks. As noted earlier, some companies may even wish to take their assessment one step further by considering the operating effectiveness of the controls. That is accomplished by performing tests of your controls during the relevant period to determine that the controls are operating as expected. This might be appropriate for certain key controls that address significant risks.

33 A Practical Approach to Reviewing Internal Control (continued)
If controls are “missing” or improperly designed, determine: Whether another control could mitigate the deficiency The likelihood and magnitude of potential errors The pervasiveness of potential errors The priority for corrective action For any internal control component, if you determine that controls are missing or improperly designed (meaning they fail to achieve the control objective) you should consider the effect on the financial statements and take corrective action to address the risks. In making this assessment, consider: Whether other compensating controls exist that address the control objective. For example, if a control is missing that prevents the occurrence of a misstatement, a compensating control might exist, such as a supervisory review, that would detect the misstatement. In certain cases, the compensating control would be adequate to satisfy the control objective. (This is not to say that the company wouldn’t address the missing preventive control. However, it might affect how the company prioritizes the deficiency for follow-up and correction.) The likelihood and magnitude of potential errors. If a deficiency in a control could result in material misstatements and the likelihood of their occurrence is high, the company would likely assign the deficiency a high priority for follow-up and correction. The pervasiveness of potential errors. If an entity-level control, such as the control environment, is deficient, the impact on the company’s financial objectives could be pervasive. As an example, if a division manager has a poor attitude toward controls and ethical behavior, the impact of his influence on controls that affect financial reporting for that division could be pervasive. As a result, this type of deficiency would normally be assigned a high priority for follow-up and correction.

34 Conclusion Risk Assessment: A key component of internal control
Allows the company to evaluate whether controls are adequate Establishes a framework for prioritizing the correction of control deficiencies Assists in the audit process In conclusion: Your risk assessment process along with how you manage those risks is a key component of an effective internal control system. Your risk identification process and related assessment of controls allows you to evaluate whether controls are adequate to mitigate financial statement risks and achieve financial reporting objectives. As part of that process, you can identify gaps in controls and consider the potential magnitude of misstatements in your financial statements or theft of company assets that could result. The assessment process provides a framework for prioritizing identified control deficiencies for follow-up and corrective action. Lastly, your documented assessment assists us with our understanding of risks and internal control that is required by professional auditing standards.

35 Questions? I’ll be happy to address any questions that you have at this time.

Download ppt "Assessing Financial Statement Risks and Internal Controls"

Similar presentations

Internal Control–Integrated Framework

Internal Control–Integrated Framework
Auditing Concepts.

Auditing Concepts.
The Islamic University of Gaza

The Islamic University of Gaza
OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.

OMB Circular A-123 – Management’s Responsibility for Internal Control Policy Applicability Sources of Information Assessment, Documentation and Reporting.
Review of Introduction to Auditing

Review of Introduction to Auditing
Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.

Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit
Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Purpose of the Standards

Purpose of the Standards
Presented By: Donna Denker, CPA Donna Denker & Associates.

Presented By: Donna Denker, CPA Donna Denker & Associates.
Nature of an Integrated Audit

Nature of an Integrated Audit
Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.

Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.
INTERNAL CONTROL OVER FINANCIAL REPORTING

INTERNAL CONTROL OVER FINANCIAL REPORTING
Control environment and control activities. Day II Session III and IV.

Control environment and control activities. Day II Session III and IV.
Chapter 4 Risk Assessment.

Chapter 4 Risk Assessment.
Auditing Internal Control over Financial Reporting

Auditing Internal Control over Financial Reporting
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin 3-1 Chapter Three Risk Assessment and Materiality Chapter Three.

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin 3-1 Chapter Three Risk Assessment and Materiality Chapter Three.
Chapter 07 Internal Control McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.

Chapter 07 Internal Control McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.

Similar presentations

Ads by Google