tentative risk assessments


Post on 29-Jul-2015


CHAPTER 4
TENTATIVE RISK ASSESSMENTS

CONTENTS

Tentative Evaluations of Risks
Specific Activity Level Risk Identification
Combined Activities Risk Identification
Specific Activity Level Risk Assessment
Risk and Materiality
Tentative Consideration of the Likelihood of Risks
Tentative Considerations about Risk Management
Exhibits
Exhibit 4-1: Questionnaire/Checklist for Identifying Basic and Underlying Process Risks
Exhibit 4-2: Evaluation of Significance/Potential Materiality of Financial Reporting Processes
Exhibit 4-3: Tentative Analysis of Financial Reporting Processes Having No Significant Risk
Exhibit 4-4: Tentative Considerations for Improvement to Internal Controls

TENTATIVE EVALUATIONS OF RISKS

The identification of the financial reporting processes and how they operate, as discussed in Chapter 3, "Mapping the Organization," provides a starting point for making management's assessment of internal controls over financial reporting. Having identified the way that the various financial reporting processes operate places management in a position to determine whether there are sufficient effective internal controls within, between, and among those processes to mitigate the risk of material misstatement in the financial statements. Similarly, the identification of the way that the various reporting processes related to financial statement disclosures operate puts management in a position to determine whether disclosure controls are sufficient to mitigate the risk of material misstatement in the financial statement disclosures.

Keeping in mind that management must be able to demonstrate that controls have both been designed, and actually operate, to prevent or detect material misstatements or omissions, the identification of financial reporting processes and how they operate permits an analysis of whether controls have been appropriately designed to mitigate these risks. Following the analysis and assessment of the design of its internal controls, management will be in a position to test their actual operation.

Specific Activity Level Risk Identification

With respect to internal controls over financial reporting, one can start by considering the ways by which a material misstatement in the financial statements might occur. From a general standpoint, material misstatements occur as a result of errors, including deliberate fraudulent acts.

Paragraph 13 of Accounting Principles Board Opinion No. 20 (APB-20), "Accounting Changes," describes errors in financial statements as matters that result from mathematical mistakes, mistakes in the application of accounting principles, or oversight or misuse of facts that existed at the time the financial statements were presented. The recently issued Statement of Financial Accounting Standards No. 154 (FAS-154), "Accounting Changes and Error Corrections," supersedes APB-20 but carries forward its description of errors in financial statements. Any one of the three items that are described as an error can be unintentional or intentional. Naturally, intentional errors are usually deliberate fraudulent acts.

It is important to keep in mind the COSO notion of Risk Assessment as discussed in Chapter 1, "Overview of Requirements." In the summary to Chapter 3 of the COSO Internal Control - Integrated Framework, Risk Assessment is described as the entity's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how risks should be managed.
As more fully discussed within the COSO Framework, an entity's identification and analysis of risks will necessarily include risk identification at the entity level and the activity level. At both the entity level and the activity level, risk identification must be related to objectives. In the COSO Framework, Objectives include Operations Objectives, Financial Reporting Objectives, and Compliance Objectives. As noted in the COSO Framework, there are overlaps between Operations Objectives, Financial Reporting Objectives, and Compliance Objectives. Therefore, companies should consider Operations Objectives and Compliance Objectives that also have a financial reporting aspect to them.

At the Activity Level (or individual process level), risk identification can be directly related to the definition of internal control set forth by the SEC (see Chapter 1, "Overview of Requirements"). The conditional items in this SEC definition of internal control have a correlation with the items in APB-20's description of errors in financial statements. Specifically, by the SEC's definition, internal control is a process that (1) maintains records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets . . . (2) records transactions as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and permits receipts and expenditures of the registrant to be made only in accordance with authorizations of management and directors . . . [and] (3) prevents or provides for timely detection of unauthorized acquisition, use or disposition of the registrant's assets.
In order to meet these three qualifications in the SEC definition of internal control, the accounting and financial reporting system must by necessity produce financial statements that are relatively free of mathematical mistakes, mistakes in the application of accounting principles, or oversights or misuse of facts that existed at the time the financial statements were presented, which are items from APB-20. Stated another way, any system of internal controls over financial reporting that has the potential to produce errors as defined by APB-20 cannot qualify under the SEC's definition of internal control over financial reporting.

Thinking through the ways that errors may occur will go a long way toward identifying the risks of material misstatements in the financial statements. A simple chart or table can be developed from the three types of errors (mathematical mistakes, mistakes in the application of accounting principles, or oversight or misuse of facts) and from knowledge gained about business processes. In Chapter 3, "Mapping the Organization," the basic idea that accounting records consist of initial, intermediate, and final records that feed into financial statements was pointed out. Also noted was the idea that each process, manual or IT, used to compile the financial statements involves using information from one or more data sources to produce one or more new data sets. Building on these notions and considering the possibility for error can identify risks. Considering the possibility for errors in the context of the five broad, implicit management assertions behind the preparation of financial statements adds an additional element of clarity to risk identification.

The following are some basic ways that errors might occur, as they relate to the three-part description of an error from APB-20.

1. Mathematical mistakes occur when:
   a. A specified mathematical operation is not correct.
   b. The specified mathematical operation is not correctly performed.
2. Mistakes in the application of accounting principles occur when:
   a. The accounting principle to be applied is not correct.
   b. The accounting principle identified is not correctly applied.
3. Oversight or misuse of facts occurs when:
   a. The facts (input) are not correct.
   b. The facts are not correctly interpreted (applied).

The addition of the five broad assertions of management about the preparation of financial statements ((1) Existence or occurrence, (2) Completeness, (3) Rights and obligations, (4) Valuation or allocation, and (5) Presentation and disclosure) into the consideration leads to the conclusion that in each specific process involved in the overall financial reporting process one must be sure that:

One. The facts (i.e., input) are correct. This relates to error type 3.a., above, and to financial statement preparation assertions (1), Existence or occurrence, and (2), Completeness.

Two. The facts are correctly interpreted (i.e., applied). This relates to error type 3.b., above, and to financial statement preparation assertions (2), Completeness, and (3), Rights and obligations.

Three. Any specified mathematical operation to be applied to the facts is correct. This relates to error type 1.a., above, and overlaps with error type 3.b., above; as well as to financial statement preparation assertion (4), Valuation or allocation.

Four. The accounting principle to be applied is correct. This relates to error type 2.a., above, and overlaps with error type 3.b., above; as well as to financial statement preparation assertion (5), Presentation and disclosure.

Five. The accounting principle identified is correctly applied. This relates to error type 2.b., above, and to financial statement preparation assertions (4), Valuation or allocation, and (5), Presentation and disclosure.

Six. Specified mathematical operations are correctly performed. This relates to error type 1.b., above, and overlaps with error type 2.b., above; as well as to financial statement preparation assertion (4), Valuation or allocation.

These six items can be restated and characterized as the basic risks of each individual activity in the financial reporting process.

Basic Risk 1: The facts (i.e., input) are not correct or complete.
Basic Risk 2: The facts are not correctly interpreted or applied.
Basic Risk 3: Specified mathematical operations to be applied to the facts are not appropriate to the circumstances.
Basic Risk 4: The accounting principle to be applied is not appropriate to the circumstances.
Basic Risk 5: The accounting principle identified is not correctly applied.
Basic Risk 6: Specified mathem