1. Assessing Financial Statement Risks and Internal Controls
A Suggested Approach for Companies
I’m here today to talk to you about how you can identify and assess your company’s financial statement risks and evaluate whether your internal controls are adequate to prevent, detect, and correct material misstatements in your financial statements.

2. Overview This presentation describes: Financial statement risks
Reasons for identifying risks
Examples and sources of risks
Internal control components, control objectives, and key controls
An approach for—
Identifying financial statement risks
Assessing whether controls are adequate to mitigate the risks
The main points of my presentation will include:
What is meant by the term “financial statement risks.”
Reasons for identifying financial statement risks.
Examples of financial statement risks.
Sources of risks.
Internal control components, control objectives, and key controls.
How to identify and assess your controls in the context of financial statement risks.
An open question and answer period.

3. Reasons for This Presentation
To assist you in fulfilling your responsibilities for financial reporting
To assist our firm in meeting professional requirements when performing your audit
To help minimize your audit fees
This presentation is designed to assist you in fulfilling your responsibilities related to financial reporting. Those responsibilities include:
Establishing and maintaining effective internal controls.
Selecting and applying appropriate accounting principles.
Presenting your company’s financial position, results of operations, and cash flows fairly in the financial statements.
Although our firm can assist you in various ways in fulfilling these responsibilities, such as by making suggestions for improvement as part of our audit or advising you about the application of accounting principles, you are ultimately responsible for the analysis, decision-making, and implementation of policies and procedures that lead to accurate financial reporting.
The topics discussed in this presentation will provide you with a process, along with supporting tools, to assist you in fulfilling your responsibilities, primarily the responsibility to establish and maintain effective internal controls. The process I present will help you assess the adequacy of your controls in terms of achieving the objectives of a sound control system.

4. Your assessment of internal control also assists our firm in meeting its professional requirements. As part of your audit, our firm is required by professional standards to perform certain procedures to understand your company, the company’s environment—such as your industry—and your internal controls. The purpose of obtaining this understanding is to identify areas where material misstatement of your financial statements is most likely to occur. This helps us tailor an audit approach that is the most effective—and efficient—for your circumstances. As part of that process, we consider how you have identified and assessed risks that might affect your financial statements and the controls you have designed and implemented to address those risks.
To the extent that you have made a self-assessment of your financial statement risks and the adequacy of your internal controls, that information can assist us in fulfilling our responsibilities under the auditing standards.
Finally, the performance of a robust self-assessment can help minimize your audit fees. If the assessment is well-documented, it helps provide a roadmap for our efforts in planning the audit and assessing whether adequate controls exist and have been implemented. As a result, we can perform a more efficient audit. Be advised, however, that we are still required to perform procedures to verify your assessment, including making inquiries and observations, reperforming your procedures, and inspecting documentation as we consider necessary to fully understand your company, your environment, and your internal controls.

5. What are Financial Statement Risks?
Risks that affect the achievement of financial reporting objectives
Conditions or indications that something could go wrong in the financial statements
May relate to error or fraud
May be pervasive to the financial statements or related to specific transactions, accounts, or disclosures
Financial statement risks are risks that affect the achievement of financial reporting objectives. In general terms, financial reporting objectives include the following:
The financial statements comply with generally accepted accounting principles.
Disclosures in the financial statements are understandable, informative to users, and fairly presented.
Accounting policies are appropriate for the industry and the company’s underlying transactions.
Account balances, transactions, and other events reflected in the financial statements:
Occurred or exist,
Are complete,
Represent the rights or obligations of the company,
Are properly valued, and
Are recorded in the right account, amount, and period.
All companies are subject to risks that can affect the achievement of these financial reporting objectives. For example, if the company has a concentration of sales to customers in an industry that is facing severe economic issues, there is a risk that the allowance for uncollectible accounts may be understated.

6. Thus, at their broadest level in the context of financial reporting objectives, financial statement risks represent conditions or indications that something could go wrong in the financial statements. For each transaction or event, account balance, and disclosure in the financial statements, there is always an element of risk to achieving the related financial reporting objective. For example, one financial reporting objective might be that all accounts payable transactions have been recorded in the financial statements in the proper period. The associated risk for that objective is that all accounts payable transactions have not been recorded in the proper period.
In some cases, you might think of risks in terms of fraud, that is, intentional misstatement of the financial statements or theft of assets. However, risks may relate to either error or fraud. For example, errors can result from:
Inaccuracy in gathering or processing data.
Misapplication of accounting principles.
Omission of transactions.
Incorrect accounting estimates due to oversight or misinterpretation of facts.
Misinterpretation of the company’s policies and procedures.
Also, risks may be pervasive to the financial statements as a whole or they may be related to specific transactions, account balances, or disclosures. A pervasive risk might occur, for example, when a company does not perform a background check on prospective employees or otherwise ensure that key financial employees performing accounting functions are competent to perform their assigned duties. In other words, financial misstatements that might arise from this risk could occur in many places in the financial statements. Other risks tend to be specifically associated with certain transactions, account balances, or disclosures, for example, a risk of inventory obsolescence or failure to disclose guarantees.

7. Why Identify and Understand Risks?
Risk assessment is a key component of internal control
Identifies what could go wrong in the financial statements
Allows an evaluation of the likelihood and magnitude of potential misstatements
Provides a foundation for assessing whether controls are properly designed and implemented
Why should you identify an understand financial statement risks? Identifying risks to achieving financial reporting objectives and determining how to manage those risks is a key component of an effective internal control system. In a few minutes, we’ll discuss the internal control process and the underlying components that are critical to achieving effective internal control over financial reporting.
Also, identifying risks within the context of financial reporting objectives allows you to articulate what could go wrong in the financial statements. In other words, what is the potential impact of the risk on the financial statements? For example, if a company engages in bill-and-hold transactions, it might determine that there is a risk of overstating inventory if the customer’s inventory is inadvertently included in the year-end physical count. This articulation of risks allows the company to take action to prevent financial errors from occurring.
Finally, identifying risks and what could go wrong in the financial statements allows you to assess the magnitude and likelihood of potential misstatements that could occur. Evaluating the magnitude, or size, of the potential financial statement misstatement and the likelihood of it occurring helps focus you on addressing and managing those risks that could result in material misstatement to the financial statements. Remember, however, that magnitude is not limited only to quantitative considerations. Some consideration also should be given to the qualitative aspects of misstatements. In certain cases, implications of potential misstatements that might otherwise be small could be considered important to financial statement users.
The way you address and manage risks is by implementing controls to prevent financial statement misstatements or to detect and correct them if they do occur. Thus, the identification of risks can help you assess whether controls are properly designed to mitigate the risks. We’ll discuss this more later in the presentation.

8. Considering Financial Statement Assertions
Existence or occurrence
Completeness
Rights or obligations
Valuation or allocation
Accuracy or classification
Cutoff
The concept of assertions is very useful when identifying and evaluating financial statement risks. Assertions describe conditions that should be present related to the recognition, measurement, presentation, and disclosure of information in the financial statements. In terms of assertions, you consider what could go wrong in the financial statements related to:
Existence or occurrence. Recorded transactions and events actually occurred and pertain to the entity, and recorded assets, liabilities, and equity interests actually exist.
Completeness. All transactions and events, assets, liabilities, and equity interests that should have been recorded have been recorded.
Rights or obligations. The company holds or controls the rights to recorded assets, and liabilities are the obligations of the entity.
Valuation or allocation. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.
Accuracy or classification. Amounts and other data related to transactions and events have been recorded correctly and in the proper accounts.
Cutoff. Transactions and events have been recorded in the correct accounting period.
In my previous example of a company engaging in bill-and-hold transactions, the risk relates to the rights or obligations assertion because merchandise included in the physical count may not belong to the company. By considering “what could go wrong” in terms of assertions, you can more easily consider the potential severity and implications of risks on the financial statements.

9. Financial Statement Risk
Examples of Risks
Risk Indicator
Financial Statement Risk
Inventory is highly liquid
Overstatement of inventory due to theft (Existence)
Inventory cost accounting method is highly complex and subjective
Overstatement or understatement of inventory due to improper cost accounting (Valuation and Accuracy)
Key customers are concentrated in an industry facing economic downturn
Understatement of the allowance for doubtful accounts (Valuation)
The company is facing a number of lawsuits by customers
Failure to disclose contingent liabilities (Completeness)
As I mentioned previously, when identifying risks, it is important to describe what could go wrong in the financial statements, and risks generally should be stated in terms of financial statement assertions. To assist in assessing risks and determining whether internal controls are properly designed and implemented to address them, it is important to be as specific as possible when describing risks. For example, the description should include:
The cause of the risk.
The account balance, class of transactions, or disclosure affected and how it is affected (that is, overstatement or understatement).
For fraud risks, the type of fraud (that is, theft of assets or fraudulent financial reporting).
The assertion affected (or that the risk is pervasive to the financial statements).
This slide provides some examples of financial statement risks described in terms of what could go wrong in the financial statements, including the relevant assertion.

10. Possible Sources of Risk
Structure, ownership, governance, and related parties
Industry, regulatory, and other external factors
The nature of the company, for example:
Revenue sources
Types of products, services, and markets
Nature of assets, liabilities, expenses, investments, and financing
Accounting policies
Uses of the financial statements
IT systems
Risks to achieving the company’s financial reporting objectives may arise from a number of sources both internal and external to the company. I’ll discuss some of these possible sources and provide examples of risk indicators that might relate to each source.
Structure, ownership, governance, and related parties includes factors such as:
The type of legal entity.
Whether the company is closely or more broadly held.
The number and types of subsidiaries.
The centralization, background, and experience of management.
The significance of related-party relationships and transactions.
The role and function of the board of directors or audit committee.
Examples of possible risk indicators from this source might include:
The board of directors exercises little oversight over the company’s operations.
The structure of the company is overly complex.
The number of related parties and extent of transactions with them are significant.

11. Industry, regulatory, and other external factors include:
The nature of the industry.
The regulatory environment.
Economic, political, or social conditions that affect the business.
Examples of possible risk indicators from this source might include:
The industry is experiencing rapid technological change.
The company is subject to stringent environmental regulations.
The industry experiences frequent consumer lawsuits.
The nature of the entity includes factors such as:
The company’s key products and services and how they are used.
Marketing and distribution methods.
Key customers, competitors, and suppliers.
The production process and related costs.
Major assets and liabilities, including significant estimates and contingencies.
Major types of expenses.
Significant or unusual transactions.
Compensation methods and benefit plans.
Investment activities.
Sources of financing.
Use of derivatives.
Basis of reporting and accounting policies.
How the financial statements are used.
The nature and complexity of IT systems.
The company’s revenues are dependant on a few large customers.
The company is subject to significant product warranty liabilities.
A significant merger or acquisition has occurred.
Lending agreements contain significant restrictive covenants.
Revenue recognition policies and processes are complex.
The financial statements will be used to obtain significant new financing.
There have been significant changes in IT systems.

12. Possible Sources of Risk (Continued)
Objectives and strategies
Key performance measures
Going concern issues
Potential fraud
Incentives/pressures
Opportunities
Attitudes/rationalizations
Objectives and strategies include factors such as:
Future trends, expectations, objectives, and strategies related to—
Products and services.
Marketing and sales.
Research and development.
Technology.
Business expansion or restructuring.
Workforce or compensation.
Examples of possible business risks that might affect the company’s ability to achieve its objectives or execute its strategies include:
Industry developments that may affect the entity’s ability to achieve its objectives.
Inadequacy of personnel or expertise.
Increased legal exposure or regulatory requirements.
Rapid changes in technology or product obsolescence.
Explicitly stated strategic objectives that are only moderately achieved.

13. Key performance measures, both financial and nonfinancial, are those that are important in managing and measuring the company’s results (for example, key ratios or operating statistics, variance or trend analysis, competitor analysis or benchmarking, and key performance indicators such as market share or customer satisfaction.
Examples of possible risk indicators from this source might include:
One of the entity’s internal measures has highlighted unexpected results or trends.
One of the key measures considered important by users of the financial statements creates pressure for members of management to misstatement the financial statements.
Going-concern indicators also present risks to financial reporting objectives. Examples of going concern risk indicators include:
Lack of profitability or negative cash flow.
The company is highly leveraged.
Loss of significant customers.
The company has experienced volatile operations.
The company has recently started operations.
Indications of default or other violations of significant debt agreements or other critical contracts.
Potential fraud indicators are conditions or events that indicate:
Incentives/pressures to perpetuate fraud.
Opportunities to carry out the fraud.
Attitudes/rationalizations to justify a fraudulent action.
Fraud risk indicators may be related to fraudulent financial reporting or theft of assets.
Examples of fraud risk indicators include:
The company is facing the threat of imminent bankruptcy or foreclosure. (Incentive/Pressure)
The company’s financing agreements have debt covenants that are difficult to maintain. (Incentive/Pressure)
Conditions indicate adverse relationships between the company and its employees with access to assets susceptible to theft. (Incentive/Pressure)
The company engages in significant related-party transactions. (Opportunity)
The company has assets, liabilities, revenues, or expenses based on significant estimates that involve subjective judgments or uncertainties. (Opportunity)
The company’s inventory is easily susceptible to theft (for example, due to small size, high value, etc.) or easily convertible to cash (such as bearer bonds, diamonds, or computer chips). (Opportunity)
Management fails to support or enforce the company’s values or ethics. (Attitude/Rationalization)
The company has a known history of violations of laws and regulations. (Attitude/Rationalization)
There is an excessive interest by management in maintaining or increasing the company’s earnings trend. (Attitude/Rationalization)
Employees with access to assets susceptible to theft are dissatisfied. (Attitude/Rationalization)

14. Internal Control
Process employed by the company to provide reasonable assurance of achieving financial reporting objectives
Consists of five interrelated components
To be effective, all components should be in place
Applies to all companies—both small and large
Helps prevent, or detect and correct, misstatements resulting from risks
Simply stated, effective internal control is a way that the company manages risks, specifically financial statement risks. Later in my presentation, we’ll talk more about a process you can use to identify your financial statement risks and assess the controls you have in place to manage those risks.
But first, over the next few minutes, I want to provide an overview of internal control. For some of you this may be familiar territory.
Internal control is a process, effected by an entity’s board of directors, management and other employees, designed to provide reasonable assurance regarding the achievement of financial reporting objectives. Internal control also includes the safeguarding of assets against unauthorized use, destruction, or disposition. While internal control can also relate to other objectives such as the efficiency and effectiveness of operations or compliance with laws and regulations, for purposes of this presentation, we are focusing on internal control as it relates to achieving the company’s financial reporting objectives. We spoke about financial reporting objectives earlier in the presentation.
Internal control is commonly described within a framework. The most commonly used framework in the United States is a four volume report titled Internal Control—Integrated Framework (referred to as the COSO Report) which was issued by Committee of Sponsoring Organizations of the Treadway Commission (COSO). The SOSO framework is in the process of being reviewed and updated. The projected publication date of the update framework is fall 2012.

15. According to the COSO Report, internal control can be viewed as consisting of five interrelated components. Those five components are inherent in the way management runs an organization and serve as the criteria for determining whether internal control is effective.
The five components described by COSO are:
Control environment.
Risk assessment.
Information and communication.
Monitoring.
Control activities.
For internal control over financial reporting to be effective, all five components should be in place.
The five components apply to every organization, regardless of size; however, the manner in which the components are applied depends on the nature and size of the company.
In general terms, management is concerned with whether, and how, controls prevent, or detect and correct, misstatements in the financial statements resulting from risks.

16. Five Components of Internal Control
Control Environment
Risk Assessment
Information and Communication
Monitoring
Control Activities
Let’s spend a few minutes recapping the nature and purpose of the five interrelated components of internal control as outlined in the COSO framework.
Control Environment. The control environment sets the tone of a company and influences the control consciousness of its people. The control environment is the foundation for all other components of internal control and provides structure and discipline. Among the important elements of the control environment are the attitude, awareness, and actions of management, as well as those charged with governance, concerning internal control.
Risk Assessment. As we discussed earlier, risk assessment is key component of internal control. Risk assessment is the process of setting objectives; prioritizing and linking those objectives; and identifying, analyzing, and managing risks relevant to achieving those objectives. With respect to the objective of reliable financial reporting, the risk assessment process involves the identification, analysis, and management of the risks of material misstatement of the financial statements.
Information and Communication. Information refers to the financial reporting system, which includes the accounting system and encompasses the procedures and records established to initiate, authorize, record, process, correct, transfer to the general ledger, and report the entity’s transactions. It also includes the accountability over assets, liabilities, and equity. An information system may be computerized, manual, or a combination of the two depending on the size and complexity of the entity. Communication is the process of providing an understanding of roles and responsibilities to individuals within the organization regarding internal control over financial reporting.

17. The control environment, risk assessment, information and communication, and monitoring components are often referred to as “entity-level” controls since those controls can have a pervasive effect on the company’s system of internal controls. Consequently, they can potentially influence the design and operation of other controls. The information technology (IT) environment and general computer controls also have a pervasive effect.
When assessing internal control it’s generally a good idea to focus on the control environment first since it may impact the assessment of other controls. For example, if management displays an attitude that good controls are important, then it’s more likely that controls in other components will be properly designed and operating effectively.

18. Control Objectives and Key Controls
A control objective states the purpose of a control
Controls are effectively designed if they achieve the objective
Key controls are those that are most important in achieving the objective
It is often helpful to consider control objectives during the process of identifying controls and assessing their adequacy. A control objective states the purpose of a control (or controls) in relation to risks and “what could go wrong” in the financial statements. For example, “All property, plant, and equipment additions are recorded,” might be a control objective that addresses a risk of fixed asset transactions not being properly tracked and recorded (that is, completeness of fixed assets). Failure to achieve that control objective could potentially result in understatement of fixed assets and depreciation expense, as well as misstatements in other income statement accounts. Control objectives may relate to entity-level controls, such as control environment and monitoring controls, or to controls over specific account balances, transactions, and disclosures.
By considering control objectives and how they relate to risks and what could go wrong in financial statement assertions, you might find it easier to identify your existing controls. When existing controls are identified, you can evaluate whether those controls, if operating effectively, would fully achieve the objectives or whether deficiencies exist because of improper design or missing controls. In general, controls are effectively designed if they achieve their control objectives.
You don’t have to evaluate all controls and control activities that might exist in your system of internal control. Typically, you should focus your attention on those controls that are most important in achieving particular control objectives. Often, a company has multiple controls that contribute to achieving its control objectives. However, certain of those controls, referred to as key controls, are considered primary to achieving the objectives. When identifying controls and assessing their adequacy, it is generally most effective to focus on key controls. Many times, these are the controls that you believe are the most effective and reliable in operation to fully address a control objective. When identifying key controls, ask yourself the question, “What controls do I believe are the most critical in preventing or detecting a material financial reporting failure related to this risk?”

19. Control Environment Objectives
Those charged with governance are actively involved and have influence over financial reporting
Management demonstrates character, integrity, and ethical values
Management’s philosophy and operating style are consistent with a sound control environment
The organizational structure is appropriate to support effective financial reporting
Human resource policies and procedures promote integrity, ethical behavior, and competence
Authority and responsibility are appropriately assigned
The company is committed to competence
In the next few slides, I’m going to discuss the objectives of each internal control component and provide examples of key controls for those objectives.
The following control objectives exist for the control environment:
Those charged with governance are actively involved and have significant influence over the entity’s internal control environment and its financial reporting.
Management, through its attitudes and actions, demonstrates character, integrity, and ethical values. Sound integrity and ethical values, particularly of top management, are developed and set the standard of conduct for the organization and financial reporting.
Management’s philosophy and operating style are consistent with a sound control environment and have a pervasive effect on the entity. Management views accounting as a means to monitor and control the various activities of the organization, and adopts accounting policies that reflect the economic realities of the business.
The organizational structure of the entity is appropriately designed to promote a sound control environment. Authority and responsibility, appropriate reporting lines, and free flow of information across the organization provide unfettered influence to effectively run the entity and support effective financial reporting, including the identification of related party relationships and transactions.
Human resource policies and procedures send messages to employees regarding expected levels of integrity, ethical behavior, and competence.
The entity assigns authority and responsibility to provide a basis for accountability and control. The entity is committed to competence in the requirements of particular jobs and in translating those requirements into knowledge and skills.

20. The organizational structure of the entity is appropriately designed to promote a sound control environment. Authority and responsibility, appropriate reporting lines, and free flow of information across the organization provide unfettered influence to effectively run the entity and support effective financial reporting.
Human resource policies and procedures send messages to employees regarding expected levels of integrity, ethical behavior, and competence.
The entity assigns authority and responsibility to provide a basis for accountability and control.
The entity is committed to competence in the requirements of particular jobs and in translating those requirements into knowledge and skills.

21. Control Environment Examples
Objective
Control Example
Participation of those charged with governance
Those charged with governance provide input and oversight of the entity’s financial statements, including the application of GAAP and use of accounting judgments
Communicating integrity and ethical values
A code of conduct or ethics policy exists
Management’s philosophy and operating style
Management exemplifies attitudes and actions in line with its mission, vision, and values to support an effective control environment
Organizational structure
The entity defines key areas of authority and responsibility, including management’s responsibility for business activities, and how they affect the business as a whole.
This and the following slide provide examples of controls that relate to the control environment and its control objectives. Consider, as we review these, whether they are present in your organization.

22. Control Environment Examples (Continued)
Objective
Control Example
Human resource policies and procedures
Employee recruitment and retention practices for key financial positions are guided by principles of integrity and by the necessary competencies associated with the positions
Assignment of authority and responsibility
Job descriptions, reference manuals, or other forms of communication inform personnel of their duties
Commitment to competence
The entity establishes competencies (knowledge, skills, abilities, and credentials) prior to hiring of key positions

23. Risk Assessment Objectives
Financial reporting objectives:
Financial reporting objectives are established, documented, and communicated
Accounting principles are properly applied
Management of financial reporting risks:
Practices are established for identifying risks
When assessing risks, the entire organization and extended relationships are considered
Mechanisms are implemented to anticipate, identify, and react to changes
Risks are properly evaluated and mitigated
An entity’s risk assessment objectives can be divided into three categories:
Financial reporting objectives.
Management of financial reporting risks.
Consideration of fraud risks.
The following control objectives exist for each of these elements:
Financial reporting objectives:
Entity and financial reporting objectives are established, documented, and communicated.
• Accounting principles are properly applied in the preparation of the financial statements.
Management of financial reporting risks:
Management has established practices for the identification of risks affecting the entity.
• Management considers the entire organization as well as its extended relationships in its risk assessment process.
• Management has implemented mechanisms to anticipate, identify, and react to changes.
• Management evaluates and mitigates risk appropriately.

24. Risk Assessment Objectives (Continued)
Consideration of fraud risks:
An appropriate fraud risk assessment and monitoring process exists
Consideration of fraud risks:
Management has developed an appropriate fraud risk assessment and monitoring process.
Again, the self-assessment process that we’re discussing today should satisfy the majority of these objectives, if properly applied.

25. Risk Assessment Examples
Objective
Control Example
Financial reporting objectives
Financial reporting objectives align with the requirements of GAAP (or an OCBOA)
Management of financial reporting risks
Mechanisms are in place to identify risks potentially affecting achievement of the entity’s financial reporting objectives
Periodic reviews are performed to, among other things, anticipate and identify routine events or activities that may affect the entity’s ability to achieve its objectives
Risks related to the ability of an employee to initiate and process unauthorized transactions are appropriately identified
Consideration of fraud risks
The assessment of fraud risks considers incentives and pressures to commit fraud, opportunities to carry it out, and attitudes and rationalizations to justify it
This slide provides examples of controls that relate to risk assessment and its control objectives. Again, please consider if you have these types of controls in place at your company.

26. Information and Communication Objectives
Information is identified, captured, and used at all levels of the entity
Information needed to facilitate the functioning of internal control is identified, captured, used, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities
As noted previously, information refers to the financial reporting system, which includes the accounting system and encompasses the procedures and records established to initiate, authorize, record, process, correct, transfer to the general ledger, and report the entity’s transactions. Communication is the process of providing an understanding of roles and responsibilities to individuals within the organization regarding internal control over financial reporting.
The following control objectives relate to the information control component:
Information is identified, captured, used, at all levels of the entity, and distributed in a form and timeframe that supports the achievement of financial reporting objectives.
Information needed to facilitate the functioning of internal control is identified, captured, used, and distributed in a form and timeframe that enables personnel to carry out their internal control responsibilities.

27. Information and Communication Objectives (Continued)
Communication exists between management and those charged with governance to enable role fulfillment
All personnel receive a clear message that internal control responsibilities are to be taken seriously
There is effective upstream communication
The following control objectives relate to the communication control component:
Communication exists between management and those charged with governance (if separate from management) so that both have relevant information to fulfill their roles with respect to governance and to financial reporting objectives.
All personnel, particularly those in roles affecting financial reporting, receive a clear message from top management that both internal control over financial reporting and individual control responsibilities must be taken seriously.
Personnel have an effective and safe method to communicate significant information upstream in the entity.

28. Information Examples Objective Control Example
Identification and use of information at all levels
Operating information is used as the basis for financial reporting and relevant operating information is used as the basis for accounting estimates
Identification and use of information in accordance with the entity’s control processes
Accounting procedures are formal enough to determine whether the control objective is met, documentation supporting the procedures is in place, and personnel routinely know the procedures that need to be performed
This slide provides examples of controls that relate to the information control objectives.

29. Communication Examples
Objective
Control Example
Effective communication between management and governance
The effectiveness of those charged with governance is supported by timely communications with management
Communication of control responsibilities
Employees receive adequate information to complete their job responsibilities
Effective upstream communication
All reported potential improprieties are reviewed, investigated, and resolved in a timely manner
This slide provides examples of controls that relate to the communication control objectives. 29

30. Monitoring Objective
Management monitors controls over financial reporting through:
Ongoing monitoring
Independent evaluations
Remediation of identified deficiencies
As noted earlier, the monitoring component of internal control is a process by which an entity assesses the quality of its internal control over time. The control objective over the monitoring component is relatively straight-forward. It might be described as “management monitors controls over financial reporting through ongoing monitoring, independent evaluations, and remediation of identified deficiencies.”

31. Monitoring Examples
Ongoing monitoring includes identification of what constitutes a deviation from prescribed controls and requires investigation of potential control problems
Deficiencies are reported to (1) the appropriate person for corrective action and (2) if applicable, at least one level of management above that person
This slide provides examples of controls that relate to the monitoring control objective.

32. Control Activities Can be either automated or manual
Directed toward transaction processing
Can be associated with one or more assertions
Include:
Performance reviews
Information processing controls
Physical controls
Segregation of duties
Asset accountability
As noted earlier, control activities are those actions that are taken to address risks that threaten the entity’s ability to achieve its objectives, one of which is reliable financial reporting. Control activities, which can be either automated or manual, are performed at various levels within the entity.
Control activities are generally directed to one or more types of transactions and can be associated with one or more assertions. Control activities are policies and procedures that generally pertain to the following:
Performance reviews, which are comparisons of current financial reports to other information.
Information processing controls, which are controls performed to check accuracy, completeness, and authorization of transactions. For information systems, there are two broad categories of processing controls—application controls and general controls.
Physical controls, which pertain to the physical security of assets including adequate safeguards that limit access to assets, computer programs, and files; and periodic counting and comparison to control records.
Segregation of duties, which involves the assignment of different people to authorize transactions, record transactions, and maintain custody of assets.
Asset accountability, which encompasses controls relating to reconciliations of the detailed records to the general ledger.

33. Control Activities Objectives—Processing Cash Receipts
Cash receipts information is valid and processed only once (E/O, R/O)
Cash receipts are appropriately safeguarded (E/O)
Cash received is posted in the proper period (CO)
Cash receipts information is recorded in the correct account (A/CL)
Recorded cash receipt amounts are correct (A/CL)
All cash receipts are recorded (C)
Foreign currency cash received is correctly valued (V)
As I noted, control activities generally relate to transaction processing and can be associated with one or more assertions. As a result, control objectives will vary depending on the type of transaction. This slide illustrates possible control objectives related to processing cash receipts. It also indicates parenthetically the assertions that each control objective addresses.
As we previously discussed, control objectives address one or more underlying financial statement risks or assertions. For example, “Cash receipts are appropriately safeguarded” might address the risk “Employees with access to cash may misappropriate funds.” The assertions related to the objectives are abbreviated as follows:
“E/O” signifies existence or occurrence.
“C” signifies completeness.
“R/O” relates to rights or obligations.
“V” signifies valuation or allocation.
“A/CL” relates to accuracy or classification.
“CO” denotes cutoff.

34. Control Activities Examples—Processing Cash Receipts
Lockbox receipts are compared to customer remittances (E/O, C, V, R/O, A/CL, CO)
Cash receipts are reconciled to general ledger postings daily (E/O, V, R/O, C/O)
Bank reconciliations are prepared and reviewed in a timely manner (E/O, C, V, R/O, A/CL, CO)
This slide provides examples of key controls that relate to the control objectives for processing cash receipts. Assertions are indicated in parentheses. A control may relate to more than one assertion because it addresses multiple types of risk.

35. Putting It All Together: A Process for Identifying Risks and Assessing Controls
Consider the aspects of the company that are sources of risk
Gather information that indicates potential risks
Accumulate and synthesize the information to identify risks
Identify key controls that address the risks by focusing on control objectives
Assess whether controls are properly designed and implemented to achieve the objectives
Identify gaps and prioritize deficiencies for improvement
So far, we’ve discussed:
Risks to achieving financial reporting objectives.
Describing risks in terms of what could go wrong in the financial statements.
Possible sources of risk.
The components of an effective internal control system.
Focusing on key controls that achieve control objectives to address risks.
Now, I’m going to discuss a process that you can employ that leads to self-assessment of the adequacy of your internal controls. You can tailor this process as you see fit. In other words, you might decide to focus on examining controls for a particular type of transaction that you consider to present the greatest amount of risk of material misstatement to your financial statements. Or you might decide to look at all of the components of internal control that we discussed, including control activities for significant transactions classes. Also, some companies might even wish to go a step further and test their controls to see if they are operating effectively. It’s up to you, considering your time and other resources, to determine the degree to which financial reporting risks and the controls you use to manage them will be assessed.

36. As I discussed earlier, the process begins with a consideration of your financial statement risks―again, those conditions that might result in potential misstatement in the your accounting records and financial statements. It’s important to make a careful consideration of all aspects of the company and its environment that can be sources of risk. Ensure that you consider sources of risk that are internal as well as external to the company. Also, as I mentioned before, consider risk factors for both error and fraud.
Be sure to gather enough information to understand each area in order to identify potential risks or conditions that indicate risk. In other words, avoid preconceived notions or assumptions about an area when identifying potential risks.
Once you’ve collected information that might indicate risk, consider the factors we discussed earlier:
What type of risk is it? Does it relate to fraud? Or does the risk represent a potential error?
Is the risk pervasive or does it relate to specific account balances, transactions, or disclosures?
What could go wrong in the financial statements and what assertions are impacted?
What is the potential magnitude of the risk?
What is the likelihood of the risk occurring?
After considering these factors, clearly articulate the risks you’ve identified in terms of what could go wrong in the financial statements.
As you go through this process of identifying risks, it might be helpful to assign a risk rating to each item such as high, medium, or low (or a similar designation), with “high” meaning risks having the potential for material misstatements to your financial statements and a high likelihood of occurrence. For example, let’s assume a company has a very complex way of recognizing revenue and is subject to complicated accounting rules. Management might assign this a high risk rating if there is a material amount of revenue that is subject to the accounting rules. Also, there could be a high likelihood of misstatement if there is a substantial volume of transactions.
The next step in the process involves understanding each internal control component that we previously discussed and identifying the key controls that satisfy the control objectives for the risks you’ve identified. If you’re doing a robust assessment of your internal controls, you’ll look at the control activities for your significant transaction classes, as well as the entity-level control components of internal control. However, always keep in mind the risks you’ve identified as the focal point for your assessment. We’ll discuss this step in greater depth in a few moments.

37. As part of this process, you should assess whether the controls you identify are properly designed to either prevent, or detect and correct, misstatements to the financial statements arising from your risks. That is, do the controls achieve their control objectives? A control might exist but be ineffectively designed to meet the control objective. Also, consider whether the control has actually been implemented in the manner it was designed. Some companies have documented policies and procedures that describe elaborate controls but have never placed them in operation as they were designed.
Last, you should identify any missing or deficient controls and prioritize those situations for correction. This process if often referred to as a “gap analysis.” Normally, you’ll assign a higher priority to those “gaps” in key controls that have a high risk of material misstatement or theft. We’ll discuss missing or deficient controls in greater depth later in the presentation.

38. A Practical Approach to Reviewing Internal Control
Supporting tools to help you assess entity-level controls:
Complete (or update) a narrative describing your entity-level controls using “Understanding the Design and Implementation of Internal Control”
Supplement the documentation by completing the related “Entity-level Control Form”
[Note: If the auditor plans to have the client complete the PPC forms as outlined in this presentation, the authors suggest providing illustrative copies of the forms to the audience as a reference source as you discuss this section. You might want to mark certain parts of the forms “for auditor use only.”]
I’m going to discuss some supporting tools you can use to identify and evaluate your internal controls and control deficiencies.
As I mentioned earlier, we are required by professional standards to assess your risks and understand your internal controls. Some of the tools we use to understand your internal controls may be useful for your self-assessment. While these tools were designed for the auditor, they serve as a roadmap to understanding and documenting your controls and incorporate the concepts that we’ve discussed during my presentation. Alternatively, you can develop your own documentation, and use the tools to guide you as to the components, key controls, and topics you should consider. And, by completing these tools or preparing similar documentation, you assist us with our required understanding, which helps to minimize audit fees. But, remember, we’re still required by professional standards to perform procedures to verify and confirm any documentation you prepare.

39. Although I’m only going to provide a brief overview of the forms here today, our staff would be pleased to further describe how the forms can be used when assessing your internal controls.
A central tool is the “Understanding the Design and Implementation of Internal Control” form. This form allows for a narrative description of entity-level control components and an assessment of whether the controls are properly designed and implemented. Remember, entity-level controls relate to the control environment, risk assessment, information and communication, and monitoring components of internal control and are pervasive in nature.
Other important tools that will assist you in your understanding and assessment of entity-level controls is the “Entity-level Control Form.” These forms provide common key controls that achieve the control objectives for each entity-level internal control component (as well as general computer controls relating to IT). You can use these forms in combination with your narrative description to help identify relevant key controls and determine where gaps might exist for your company.
You also use the “Understanding the Design and Implementation of Internal Control” form to identify your company’s significant types, or classes, or transactions. Transaction classes include areas such as processing sales orders, recording purchases, costing inventory, processing accounts payable, and performing the month end close. We can provide you with a list of typical transaction classes and help you identify which ones are significant for your company.

40. A Practical Approach to Reviewing Internal Control (Continued)
Supporting tools to help you assess activity-level controls:
Complete (or update) a narrative describing your activity-level controls using “Financial Reporting System Documentation Form―Financial Close and Reporting/Significant Transaction Classes”
Supplement the documentation by completing the related “Control Activities Form”
You are now prepared for the next step in the self-assessment process, which is to assess activity-level controls. When assessing controls that operate at the activity level, that is, controls at the assertion level for your significant transaction classes, another tool, the “Financial Reporting System Documentation Form―Financial Close and Reporting/Significant Transaction Classes,” can be used. This form allows you to document the flow of information and underlying controls for each of your significant transaction classes. Remember to focus on key controls that achieve the control objectives for the transactions.
Typically, on this form, you describe in narrative form how transactions are initiated and authorized; how they are entered into the accounting system; and other processing steps that lead to the inclusion of the transactions in the general ledger, along with associated key controls.
The “Control Activities Form” will often be useful as a supplement to your narrative documentation. The form provides a list of key control activities for each transaction class. A control activities form is available for each major financial statement area and contains common key controls that achieve control objectives for underlying transaction classes. You can use these forms in combination with your narrative description to help identify relevant key controls and determine where gaps might exist for your company.

41. A Practical Approach to Reviewing Internal Control (continued)
Evaluate controls to determine if:
Key controls are present to achieve control objectives and address relevant financial statement risks
Controls are properly designed to prevent, or detect and correct, misstatements
Controls are in place to address all identified risks
When documenting and assessing controls, you should determine if:
Key controls are present that achieve the control objectives and address relevant financial statement risks.
The controls are properly designed to prevent, or detect and correct, misstatements.
The controls, as designed, have been put into operation.
Controls exist that effectively mitigate and manage all identified risks.
As noted earlier, some companies may even wish to take their assessment one step further by considering the operating effectiveness of the controls. That is accomplished by performing tests of your controls during the relevant period to determine that the controls are operating as expected. This might be appropriate for certain key controls that address significant risks.

42. A Practical Approach to Reviewing Internal Control (continued)
If controls are “missing” or improperly designed, determine:
Whether other compensating controls address the control objective
The likelihood and magnitude of potential errors
The pervasiveness of potential errors
The priority for corrective action
For any internal control component, if you determine that controls are missing or improperly designed (meaning they fail to achieve the control objective) you should consider the effect on the financial statements and take corrective action to address the risks.
In making this assessment, consider:
Whether other compensating controls exist that address the control objective. For example, if a control is missing that prevents the occurrence of a misstatement, a compensating control might exist, such as a supervisory review, that would detect the misstatement. In certain cases, the compensating control would be adequate to satisfy the control objective. (This is not to say that the company wouldn’t address the missing preventive control. However, it might affect how the company prioritizes the deficiency for follow-up and correction.)
The likelihood and magnitude of potential errors. If a deficiency in a control could result in material misstatements and the likelihood of their occurrence is high, the company would likely assign the deficiency a high priority for follow-up and correction.
The pervasiveness of potential errors. If an entity-level control, such as the control environment, is deficient, the impact on the company’s financial objectives could be pervasive. As an example, if a division manager has a poor attitude toward controls and ethical behavior, the impact of his influence on controls that affect financial reporting for that division could be pervasive. As a result, this type of deficiency would normally be assigned a high priority for follow-up and correction.

43. Conclusion Risk assessment is a key component of internal control
Allows the company to evaluate whether controls are adequate
Establishes a framework for prioritizing the correction of control deficiencies
Assists in the audit process
In conclusion:
Your risk assessment process along with how you manage those risks is a key component of an effective internal control system.
Your risk identification process and related assessment of controls allows you to evaluate whether controls are adequate to mitigate financial statement risks and achieve financial reporting objectives. As part of that process, you can identify gaps in controls and consider the potential magnitude of misstatements in your financial statements or theft of company assets that could result.
The assessment process provides a framework for prioritizing identified control deficiencies for follow-up and corrective action.
Lastly, your documented assessment assists us with our understanding of risks and internal control that is required by professional auditing standards.

44. Questions?
I’ll be happy to address any questions that you have at this time.