
CHAPTER 4
TENTATIVE RISK ASSESSMENTS

CONTENTS

Tentative Evaluations of Risks 4.01
Specific Activity Level Risk Identification 4.02
Combined Activities Risk Identification 4.09
Specific Activity Level Risk Assessment 4.09
Risk and Materiality 4.12
Tentative Consideration of the Likelihood of Risks 4.19
Tentative Considerations about Risk Management 4.21

Exhibits
Exhibit 4-1: Questionnaire/Checklist for Identifying Basic and Underlying Process Risks 4.22
Exhibit 4-2: Evaluation of Significance/Potential Materiality of Financial Reporting Processes 4.24
Exhibit 4-3: Tentative Analysis of Financial Reporting Processes Having No Significant Risk 4.26
Exhibit 4-4: Tentative Considerations for Improvement to Internal Controls 4.27

TENTATIVE EVALUATIONS OF RISKS

The identification of the financial reporting processes and how they operate, as discussed in Chapter 3, “Mapping the Organization,” provides a starting point for making management’s assessment of internal controls over financial reporting. Having identified the way that the various financial reporting processes operate places management in a position to determine whether there are sufficient effective internal controls within, between, and among those processes to mitigate the risk of material misstatement in the financial statements. Similarly, the identification of the way that the various reporting processes related to financial statement disclosures operate puts management in a position to determine whether disclosure controls are sufficient to mitigate the risk of material misstatement in the financial statement disclosures. Keeping in mind that management must be able to demonstrate that controls have both been designed, and actually operate, to prevent or detect

4.01

material misstatements or omissions, the identification of financial reporting processes and how they operate permits an analysis of whether controls have been appropriately designed to mitigate these risks. Following the analysis and assessment of the design of its internal controls, management will be in a position to test their actual operation.

Specific Activity Level Risk Identification

With respect to internal controls over financial reporting, one can start by considering the ways by which a material misstatement in the financial statements might occur. From a general standpoint, material misstatements occur as a result of errors, including deliberate fraudulent acts.

Paragraph 13 of Accounting Principles Board Opinion No. 20 (APB-20), Accounting Changes, describes errors in financial statements as matters that “result from mathematical mistakes, mistakes in the application of accounting principles, or oversight or misuse of facts that existed at the time the financial statements were presented.” The recently issued Statement of Financial Accounting Standards No. 154 (FAS-154), Accounting Changes and Error Corrections, supersedes APB-20 but carries forward its description of errors in financial statements. Any one of the three items that are described as an error can be unintentional or intentional. Naturally, intentional errors are usually deliberate fraudulent acts.

It is important to keep in mind the COSO notion of “Risk Assessment” as discussed in Chapter 1, “Overview of Requirements.” In the summary to Chapter 3 of the COSO Internal Control—Integrated Framework, “Risk Assessment” is described as “the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how risks should be managed.” As more fully discussed within the COSO Framework, an entity’s identification and analysis of risks will necessarily include risk identification at the entity level and the activity level. At both the entity level and the activity level, risk identification must be related to objectives. In the COSO Framework, Objectives include “Operations Objectives,” “Financial Reporting Objectives,” and “Compliance Objectives.” As noted in the COSO Framework, there are overlaps between “Operations Objectives,” “Financial Reporting Objectives,” and “Compliance Objectives.” Therefore, companies should consider Operations Objectives and Compliance Objectives that also have a financial reporting aspect to them. At the Activity Level (or individual process level), risk identification can be directly related to the definition of internal control set forth by the SEC (see Chapter 1, “Overview of Requirements”). The conditional items in this SEC definition of internal control have a correlation with the items in APB-20’s description of errors in financial statements. Specifically, by the SEC’s definition, internal control is a process that “(1) maintains records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets . . . (2) records transactions as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and permits receipts and expenditures of the registrant to be made only in accordance with authorizations of management and directors . . . [and] (3) prevents or provides for timely detection of unauthorized acquisition, use or disposition of the registrant’s assets.” In order to meet these three qualifications in the SEC definition of internal control, the accounting and financial reporting system must by necessity produce financial statements that are relatively free of “mathematical mistakes, mistakes in the application of accounting principles, or oversights or misuse of facts that existed at the time the financial statements,” which are items from APB-20. Stated another way, any system of “internal controls over financial reporting” that has the potential to produce errors as defined by APB-20, cannot qualify under the SEC’s definition of “internal control over financial reporting.”

Thinking through the ways that errors may occur will go a long way toward identifying the risks of material misstatements in the financial statements. A simple chart or table can be developed from the three types of errors—mathematical mistakes, mistakes in the application of accounting principles, or oversight or misuse of facts—and from knowledge gained about business processes. In Chapter 3, “Mapping the Organization,” the basic idea that accounting records consist of initial, intermediate, and final records that feed into financial statements was pointed out. Also noted was the idea that each process, manual or IT, used to compile the financial statements involves using information from one or more data sources to produce one or more new data sets. Building on these notions and considering the possibility for error can identify risks. Considering the possibility for errors in the context of the five broad, implicit management assertions behind the preparation of financial statements adds an additional element of clarity to risk identification. The following are some basic ways that errors might occur, as they relate to the three-part description of an error from APB-20.

1. Mathematical mistakes occur when:
   a. A specified mathematical operation is not correct.
   b. The specified mathematical operation is not correctly performed.

2. Mistakes in the application of accounting principles occur when:
   a. The accounting principle to be applied is not correct.
   b. The accounting principle identified is not correctly applied.

3. Oversight or misuse of facts occurs when:
   a. The facts (input) are not correct.
   b. The facts are not correctly interpreted (applied).

The addition of the five broad assertions of management about the preparation of financial statements—(1) Existence or occurrence, (2) Completeness, (3) Rights and obligations, (4) Valuation or allocation, and (5) Presentation and disclosure—into the consideration, leads to the conclusions that in each specific process involved in the overall financial reporting process one must be sure that:

One. The facts (i.e., input) are correct. This relates to error type 3.a., above, and to financial statement preparation assertions (1), Existence or occurrence, and (2), Completeness.

Two. The facts are correctly interpreted (i.e., applied). This relates to error type 3.b., above, and to financial statement preparation assertions (2), Completeness, and (3), Rights and obligations.

Three. Any specified mathematical operation to be applied to the facts is correct. This relates to error type 1.a., above, and overlaps with error type 3.b., above; as well as to financial statement preparation assertion (4), Valuation or allocation.

Four. The accounting principle to be applied is correct. This relates to error type 2.a., above, and overlaps with error type 3.b., above; as well as to financial statement preparation assertion (5), Presentation and disclosure.

Five. The accounting principle identified is correctly applied. This relates to error type 2.b., above, and to financial statement preparation assertions (4), Valuation or allocation, and (5), Presentation and disclosure.

Six. Specified mathematical operations are correctly performed. This relates to error type 1.b., above, and overlaps with error type 2.b., above; as well as to financial statement preparation assertion (4), Valuation or allocation.

These six items can be restated and characterized as the basic risks of each individual activity in the financial reporting process.

Basic Risk 1: The facts (i.e., input) are not correct or complete.
Basic Risk 2: The facts are not correctly interpreted or applied.
Basic Risk 3: Specified mathematical operations to be applied to the facts are not appropriate to the circumstances.
Basic Risk 4: The accounting principle to be applied is not appropriate to the circumstances.
Basic Risk 5: The accounting principle identified is not correctly applied.
Basic Risk 6: Specified mathematical operations are not correctly performed.

These basic risks relate to each of the specific activities performed in any of the “routes” identified in mapping the organization. Not all of the basic risks need apply to an activity, because of its nature. For example, in the payroll route illustration in Chapter 3, one of the activities was the Assistant Personnel Manager’s procedure of entering employee data such as pay rates into the Employee Database. In that case, Basic Risks 3 through 6 would not apply because the activity does not involve mathematical operations (i.e., addition, subtraction, multiplication, etc.) or any decision about the application of an accounting principle. Basic Risk 1 would apply because the input data could be incorrect and Basic Risk 2 would apply because the input data could be entered into the Employee Database incorrectly.

These basic risks are universal. The next step in the risk identification process is to identify the conditions that could precipitate the risk and the possible causes of such conditions. Many of the potential conditions, or underlying risks, identified in this phase are still universal-type risks. That is, they are risks present in all entities; however, some underlying risks could be identified that are related to the specific process being evaluated. For that reason, it becomes important to “brainstorm” or consider what could happen.

In order to effectively consider risks or “what could happen,” it’s important to avoid the tendency to dismiss possibilities because they are thought to have little chance of occurring. One way of thinking about a risk is that it is something that could occur. The risk identification process should involve consideration of anything that could occur within the realm of common sense, even when the possibility of the event actually taking place is thought to be remote. The risk assessment or analysis process will involve considerations about the likelihood of events. Chapter 3 of the COSO Framework points out the usefulness of a “‘clean sheet of paper’ approach” to risk identification but it also states: “It doesn’t make much sense to consider the risk of a meteor falling from space onto a company’s production facility, while it may be reasonable to consider the risk of an airplane crash for a facility located near an airport runway.”

The risks underlying the basic activity level risks related to financial reporting can be identified using the “brainstorming” or “‘clean sheet of paper’ approach.” The following is a presentation of the underlying activity level risks related to financial reporting that may be identified by brainstorming.


Underlying Activity Level Financial Reporting Risk Identification

Basic Risk 1—The facts [input] are not correct or complete.
Conditions Precipitating Risk (Underlying Risks)

1. External data is not correct or complete.
2. Results of preceding process are not correct.
3. External data or results of preceding process are altered.
4. Management intervention.
5. Other.

Basic Risk 2—The facts are not correctly interpreted or applied.
Conditions Precipitating Risk (Underlying Risks)

1. Meaning of data is not understood.
2. Purpose of activity is not understood.
3. Manner of data application is not understood.
4. Management intervention.
5. Other.

Basic Risk 3—Specified mathematical operations to be applied to the facts are not appropriate to the circumstances.
Conditions Precipitating Risk (Underlying Risks)

1. Purpose of activity is not understood.
2. Mathematical operation is not understood.
3. Circumstances are not understood.
4. Alternatives are not understood.
5. Management intervention.
6. Other.

Basic Risk 4—The accounting principle to be applied is not appropriate to the circumstances.
Conditions Precipitating Risk (Underlying Risks)

1. Applicability of accounting principle is not known or understood.
2. Required conditions are not understood.
3. Alternatives are not understood.
4. Management intervention.
5. Other.

Basic Risk 5—The accounting principle identified is not correctly applied.
Conditions Precipitating Risk (Underlying Risks)

1. Proper manner of application of accounting principle is not known or understood.
2. Required conditions are not properly applied.
3. Alternatives are not understood.
4. Management intervention.
5. Other.

Basic Risk 6—Specified mathematical operations are not correctly performed.
Conditions Precipitating Risk (Underlying Risks)

1. The proper manner of application of mathematical operation is not known or understood.
2. Management intervention.
3. Other.
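The applicability rule from the payroll illustration (Basic Risks 1 and 2 apply to every activity; 3 and 6 only where a mathematical operation is performed; 4 and 5 only where an accounting principle is chosen or applied) and the underlying-risk lists above can be turned into a small model that produces an Exhibit 4-1 style checklist for each mapped activity. The following Python is an added example written for this edit; it is not code from the book or from COSO, and the `Activity` attributes, the three sample activities (the first mirrors the chapter's pay-rate entry example, the other two are hypothetical) and the rendering format are all assumptions of the example.

```python
from dataclasses import dataclass

# Basic activity-level risks as enumerated in this chapter.
BASIC_RISKS = {
    1: "The facts (i.e., input) are not correct or complete.",
    2: "The facts are not correctly interpreted or applied.",
    3: "Specified mathematical operations to be applied to the facts are not appropriate to the circumstances.",
    4: "The accounting principle to be applied is not appropriate to the circumstances.",
    5: "The accounting principle identified is not correctly applied.",
    6: "Specified mathematical operations are not correctly performed.",
}

# Conditions precipitating each basic risk (the chapter's underlying risks).
UNDERLYING_RISKS = {
    1: ["External data is not correct or complete.",
        "Results of preceding process are not correct.",
        "External data or results of preceding process are altered.",
        "Management intervention.", "Other."],
    2: ["Meaning of data is not understood.",
        "Purpose of activity is not understood.",
        "Manner of data application is not understood.",
        "Management intervention.", "Other."],
    3: ["Purpose of activity is not understood.",
        "Mathematical operation is not understood.",
        "Circumstances are not understood.",
        "Alternatives are not understood.",
        "Management intervention.", "Other."],
    4: ["Applicability of accounting principle is not known or understood.",
        "Required conditions are not understood.",
        "Alternatives are not understood.",
        "Management intervention.", "Other."],
    5: ["Proper manner of application of accounting principle is not known or understood.",
        "Required conditions are not properly applied.",
        "Alternatives are not understood.",
        "Management intervention.", "Other."],
    6: ["The proper manner of application of mathematical operation is not known or understood.",
        "Management intervention.", "Other."],
}


@dataclass(frozen=True)
class Activity:
    """One activity on a mapped route (hypothetical attributes chosen for this example)."""
    name: str
    involves_math: bool                 # addition, subtraction, multiplication, etc.
    applies_accounting_principle: bool  # any decision about which accounting principle applies, or how


def applicable_basic_risks(activity: Activity) -> list[int]:
    """Risks 1 and 2 apply to every activity (input may be wrong or misapplied);
    3 and 6 require a mathematical operation; 4 and 5 require an accounting-principle decision."""
    risks = [1, 2]
    if activity.involves_math:
        risks += [3, 6]
    if activity.applies_accounting_principle:
        risks += [4, 5]
    return sorted(risks)


def risk_checklist(activity: Activity) -> dict[int, dict]:
    """Each basic risk is either present or not applicable (the chapter's conclusion);
    present risks carry their underlying conditions for the brainstorming step."""
    present = set(applicable_basic_risks(activity))
    return {
        n: {
            "description": BASIC_RISKS[n],
            "status": "present" if n in present else "not applicable",
            "conditions": UNDERLYING_RISKS[n] if n in present else [],
        }
        for n in BASIC_RISKS
    }


def render_checklist(activity: Activity) -> str:
    """Plain-text rendering for the assessment's documentation trail."""
    lines = [f"Activity: {activity.name}"]
    for n, entry in risk_checklist(activity).items():
        lines.append(f"  Basic Risk {n} [{entry['status']}]: {entry['description']}")
        for i, cond in enumerate(entry["conditions"], start=1):
            lines.append(f"      {i}. {cond}")
    return "\n".join(lines)


# Constructed sample activities from a payroll-style route.
ENTER_PAY_RATES = Activity("Enter employee pay rates into Employee Database", False, False)
COMPUTE_GROSS_PAY = Activity("Compute gross pay from hours worked and pay rates", True, False)
ACCRUE_VACATION = Activity("Accrue vacation liability at period end", True, True)

if __name__ == "__main__":
    for activity in (ENTER_PAY_RATES, COMPUTE_GROSS_PAY, ACCRUE_VACATION):
        print(render_checklist(activity))
        print()
```

Running the block prints one checklist per activity; for the pay-rate entry activity only Basic Risks 1 and 2 are marked present, matching the chapter's analysis, while the period-end accrual, which both computes and chooses how to apply a principle, carries all six. Because "Management intervention." is an underlying condition of every basic risk, it appears under each present risk, which is the point the chapter makes about the management-to-financial-reporting linkage.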

The COSO Framework makes a distinction between “Entity Level” risks and “Activity Level” risks. Generally, the entity level involves external and internal factors relating to the achievement of objectives, while the activity level involves specific internal activities related to the achievement of objectives. Specific activities can be affected by external factors but the activity level risks are the risks related to the objectives of the activity, while entity level risks relate to the objectives of the entity. As with most areas involving financial reporting, there is overlap between the entity level and the activity level. So, for example, in our payroll process example in Chapter 3, “Mapping the Organization,” there is the activity of maintaining the employee database, one specific financial reporting objective of which is to enable the computation of the employee payroll. That activity is part of the full set of payroll processing activities, which may have the financial reporting objectives of (1) recording and paying payroll liabilities and (2) distributing the cost of payroll to inventory, departments, cost centers, etc. That full set of payroll processing activities is part of the overall financial reporting process and it may provide data to an inventory system and/or an accounting system that captures costs by department. A combined financial reporting objective of the payroll process, the inventory system, or the departmental reporting system may be to provide information about the entity. However, the risks associated with the combined operation of the payroll process, the inventory system, and the departmental reporting system could still be referred to as the activity level because they are concerned with the combined objectives of the specific activities involved. In contrast, the risks associated with the combined operation of the payroll process, the inventory system, and the departmental reporting system would be referred to as the entity level when they relate to entity-wide objectives. Frequently, entity-wide objectives may be more operational or compliance-oriented, for example, when the payroll process, the inventory system, and the departmental reporting system are parts of a cost accounting system used to help manage operational activities. Overlap between the objectives described in the COSO Framework as “Operations Objectives,” “Financial Reporting Objectives,” and “Compliance Objectives” occurs when the achievement of one type of objective affects the achievement of another. In the payroll processing example, if the financial reporting objective of appropriately accounting for payroll is not met, then the cost accounting mechanisms at the company will not be useful in managing operational activities. Further, there can be a “snowball” effect. If a company does not properly compute and pay its payroll, it will not have achieved a legal compliance objective, which in turn may cause disrupted operations and lawsuits, penalties, or other fines that all must be accounted for in the financial reporting process. Risk identification and assessment at the individual activity level, at the set of activities level, and at the level of interaction between and among activities is a necessary part of management’s assessment of internal controls over financial reporting.

The “mapping” of the financial reporting processes covered in Chapter 3, “Mapping the Organization,” can lead directly to the identification of the basic and underlying risks applicable to each of the individual activities and sets of activities. Exhibit 4-1 is a questionnaire/checklist that may be used to identify the basic and underlying risks presented above. Using these procedures should result in the conclusion that each of the basic and underlying risks discussed above is either present or not applicable, because if the risk is applicable, there is always a chance that an error will occur. Therefore, Exhibit 4-1 provides a portion of the documentation trail linking financial reporting processes (i.e., activities) with risk assessment (discussed below) and then with internal controls over financial reporting. Each of the basic risks discussed above has, as an underlying risk, the chance that management intervention (as well as intervention by the board of directors) could produce an error. Those underlying risks of management (or board of directors) intervention are part of the linkage, discussed in Chapter 3, between management and financial reporting. It is important to observe that while management intervention or intrusion at the level of performing individual activities may have some negative connotations concerning intentional errors, management involvement at a review and control level is necessary to prevent errors. The linkage between management and financial reporting can exist at both the level of performing individual activities and at the review and control level.

Combined Activities Risk Identification

The identification of risks and control activities through this point has been limited to the risks associated with individual activities. But as is noted above, the overall financial reporting process consists of the combined operation of all the specific activity level processes. Therefore, risk analysis must address risks that might arise as a result of the interaction of activities. Again, as with the consideration of risks related to any specific activity, risk analysis related to the interaction of two or more activities can begin by considering the potential for error. Thinking through the ways that errors stemming from the interaction of activities might occur is also a useful “brainstorming” exercise.

Activities, other than control activities, interact with each other through their inputs and outputs, that is, the results of one activity are used by another activity to complete the activity. Thus, the identification of risk associated with the interaction of activities should focus on the potential for error identification related specifically to the interaction of activities. If the results of activity A are incorrect and cause activity B to produce an incorrect result, that is not something related to the interaction of activities, it is an error directly related to activity A. However, errors related to the interaction of activities occur when the results of the first activity are not properly used by the second activity. Thus, risks related to the interaction of activities are the same risks as those related to the input of information required to perform a specific activity.

Specific Activity Level Risk Assessment

Because the overall financial reporting process consists of the combined operation of all the specific activity level processes, the assessment of internal controls should include an assessment of the controls specifically within each activity, the controls between any two activities, and the controls among all the combined specific activities. Risk assessment at the individual activity and set of activity levels logically follows the identification of the basic and underlying risks as presented above and in Exhibit 4-1.

In Chapter 3 of the COSO Internal Control—Integrated Framework, risk analysis is described as a process that includes three parts:

• Estimating the significance of the risk;
• Assessing the likelihood (or frequency) of the risk occurring; and
• Considering how the risk should be managed—that is, an assessment of what actions need to be taken.

Consideration of how the risk should be managed (or is managed in an established financial reporting system) follows the estimations of significance and assessments about the likelihood of the risks identified. By their nature, those estimations and assessments are matters of subjective judgment. Consequently, it is important that management carefully document its judgments about the significance of risks and the likelihood of their occurring.

Chapter 3 of the COSO Internal Control—Integrated Framework also indicates that the significance of the risk should be estimated in terms of its potential effect on the entity. It states:

There are numerous methods for estimating the cost of a loss from an identified risk. Management should be aware of them and apply them as appropriate. However, many risks are indeterminate in size. At best they can be described as “large,” “moderate” or “small.”

A useful starting point for determining the significance of a risk is to consider the significance of the activity to which it relates. In the context of internal control over financial reporting, that may be accomplished by relating the importance of the process of which the activity is a part to the financial statements as a whole. As discussed in Chapter 2, “Planning the Assessment,” processes may involve the accumulation of financial statement information by organization, by class of transaction, or by financial statement element. In each case, if the risk is relative to a significant part of the overall organization, a significant class of transaction to be reflected in the financial statements, or a significant financial statement element to be reflected in the financial statements, then it may be a significant risk.

For purposes of the Act, the significance of risks should be estimated in terms of the concepts of significant control deficiency and/or material weakness in internal controls, as discussed in Chapter 1, “Overview of Requirements.”

☛ PRACTICE POINTER: PCAOB Audit Standard No. 2, paragraphs 9 and 10 state:

A significant deficiency is defined as a control deficiency, or combination of control deficiencies, that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.

A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

As discussed below, these issues are pertinent to management’s assessment of internal controls over financial reporting where it relates to issues involving cooperation with the independent auditors and the effect that the quality of management’s assessment and documentation thereon can have on the extent of procedures the independent auditors perform.

A material misstatement in the financial statements may be the result of any single error. Financial statements are produced based on the combined operations of all the financial reporting processes (i.e., activities), and internal controls must be designed and must operate to prevent the errors that may cause a material misstatement. Like the links of a chain, an individual activity in a financial process (i.e., route or set of activities) affects the operation of the entire process (i.e., route or set of activities). Therefore, when management considers the significance of any single risk, as it relates to any single activity, it should do so in terms of the significance of the potential errors to the financial statements that could result. For example, the risk of an incorrect depreciation calculation for a particular group of assets might be judged as insignificant because any error in reported depreciation would not be material to the financial statements. Consequently, deficiencies in the controls designed to prevent incorrect depreciation calculations would not be judged to be significant deficiencies. Thus, a part of the evaluation of risk significance may be accomplished by evaluating the size of a potential error. Since the risk, whatever the specific nature of it may be, is that the error is occurring all or most of the time, the potential error evaluation should be made using the assumption that the error occurs all of the time and that such errors are not just partial, but complete errors. That sort of potential error evaluation can flow directly from the risks identified, using the means presented above and described in Exhibit 4-1. The risk identification methodology, in order to be comprehensive, is a process of elimination because errors are always possible if the circumstances apply. Building on that notion, the first part of risk assessment, the analysis of the potential significance of possible errors, provides a “second round” in the process of elimination.

The evaluation of potential errors from all applicable risks may be made from the perspective of the process involved. Again, Chapter 2, “Planning the Assessment,” points out that financial statement information is accumulated from three different perspectives—the financial statement element, the business transaction process, and the organizational approach. Significance, therefore, should be evaluated from these perspectives. While it may be overly simplistic to hold that each of the accounting or financial reporting processes accumulates financial statement information strictly from one of these three perspectives, it can be a useful analytical tool to categorize each set of activities, referred to as “routes” in Chapter 3, “Mapping the Organization,” as operating from a primary, secondary, and tertiary perspective. Therefore, if a financial reporting process operates primarily to accumulate information by class of transaction, the business transaction process perspective would be its primary perspective. If that same process is limited to a particular portion of the total organization, the secondary perspective would be the organizational, and the tertiary perspective for the process would be the financial statement elements that are affected by the process or set of activities. If one set of activities relates to sales transactions, sales volume would be the primary perspective from which risk significance should be judged. If that set of activities related to only part of the total organization, then sales for only that portion would be the point of reference for judging significance. If that set of activities was further limited to the sales accounts for a particular product or product line, those accounts would be a third consideration in judging risk significance.

Risk and Materiality

Significance in relation to internal controls over financial reporting relates to the risk of material misstatement to the financial statements. The risk of material misstatement is not the same as a material misstatement. The risk is directly related to whether the processes function to properly produce the financial statements. Therefore, the true significance of a risk can only indirectly be assessed from the significance of the financial statement items to which the risk relates. As previously discussed, the risks are more directly related to whether the five broad assertions are implicit in management’s preparation and presentation of the financial statements. Again, those are (1) existence or occurrence, (2) completeness, (3) rights and obligations, (4) valuation or allocation, and (5) presentation and disclosure. The risk that these assertions will not be achieved cannot be fully quantified because the assertions consist of qualitative as well as quantitative factors. However, quantitative analysis of potential material misstatements provides a practical way of managing the task of assessing internal control over financial reporting.


In Chapter 3, several approaches to managing the task of assessing internal controls over financial reporting were discussed—an Organizational Approach, a Transaction Type Approach, and a Financial Statement Element Approach. Evaluating the potential significance of risks is a further part of both performing management’s assessment of internal controls over financial reporting and planning further procedures to be performed. As was noted previously, management does not have the same luxury as the independent auditors with respect to picking locations, transaction types, or accounts to be included in its assessment. Management has responsibility for all locations, transaction types, and accounts; therefore, all items must be subject to management’s assessment of internal controls over financial reporting. The independent auditors may sample from management’s work because they are auditing that work, but part of their job as auditors is to satisfy themselves that management has made a comprehensive assessment. A comprehensive assessment does not mean that management must examine in detail each and every set of activities (i.e., the routes) necessary to prepare the financial statements. However, it does mean that all activities should be subject to a detailed assessment by management. Since management’s responsibilities extend to significant deficiencies/material weaknesses in internal control, which may cause material misstatements in the financial statements, its assessment should focus on potential significant deficiencies/material weaknesses in internal control. Significant risks, of course, underlie significant deficiencies/material weaknesses in internal control. However, that does not mean that management can simply eliminate those processes that are not thought to have significant risks associated with them from further consideration. Because risks that are not individually significant may add up to be significant, management must plan and conduct its assessment so that the total of those areas that it has not examined in detail is not considered to be significant.

When applying an Organizational Approach, a reporting entity could start by considering the size of each organization (consisting of all the subsidiaries, divisions, and/or branches) that are to be included in the financial statements. Subsidiaries, divisions, and/or branches which are not considered material might be tentatively dismissed from further consideration. In a similar way, using a Transaction Type Approach, a reporting entity might consider the classes of transactions that make up its business operations and tentatively dismiss all of those business processes that are not a material part of the total business from further consideration. Using a Financial Statement Element Approach, the reporting entity could look at the financial statement elements (i.e., account balances) and tentatively dismiss immaterial accounts from further consideration. The word tentatively is emphasized because at this point, that is, the point of eliminating the insignificant from the significant, it is important to make sure that the “sum” of the risks dismissed as insignificant is not itself significant.

Because the assessment of internal controls over financial reporting must concern itself with the risk of material misstatement to the financial statements, it is also important to give consideration to authoritative positions relative to materiality. In that regard, the SEC staff expressed its views in Staff Accounting Bulletin No. 99 (SAB 99), Materiality, issued in August 1999. Those views are now contained in the Codification of Staff Accounting Bulletins, Topic 1, Item M (SAB Topic 1M). SAB Topic 1M emphasizes that quantitative factors alone are not sufficient to fully assess materiality. It states:

Materiality concerns the significance of an item to users of a registrant’s financial statements. A matter is “material” if there is a substantial likelihood that a reasonable person would consider it important. In its Concepts Statement 2, the FASB stated the essence of the concept of materiality as follows:

The omission or misstatement of an item in a financial report is material if, in the light of surrounding circumstances, the magnitude of the item is such that it is probable that the judgment of a reasonable person relying upon the report would have been changed or influenced by the inclusion or correction of the item.

This formulation in the accounting literature is in substance identical to the formulation used by the courts in interpreting the federal securities laws. The Supreme Court has held that a fact is material if there is—

a substantial likelihood that the…fact would have been viewed by the reasonable investor as having significantly altered the “total mix” of information made available.

Under the governing principles, an assessment of materiality requires that one views the facts in the context of the “surrounding circumstances,” as the accounting literature puts it, or the “total mix” of information, in the words of the Supreme Court. In the context of a misstatement of a financial statement item, while the “total mix” includes the size in numerical or percentage terms of the misstatement, it also includes the factual context in which the user of financial statements would view the financial statement item. The shorthand in the accounting and auditing literature for this analysis is that financial management and the auditor must consider both “quantitative” and “qualitative” factors in assessing an item’s materiality.


Although in the case of assessing internal control over financial reporting, management is concerned with the risk of material misstatement to the financial statements, as compared with an actual material misstatement, the principle of considering both “quantitative” and “qualitative” factors should still be abided by when assessing the risk of material misstatement. SAB Topic 1M provides an exemplary list of considerations that might make a quantitatively small item material:

• Whether the misstatement arises from an item capable of precise measurement or whether it arises from an estimate and, if so, the degree of imprecision inherent in the estimate

• Whether the misstatement masks a change in earnings or other trends

• Whether the misstatement hides a failure to meet analysts’ consensus expectations for the enterprise

• Whether the misstatement changes a loss into income or vice versa

• Whether the misstatement concerns a segment or other portion of the registrant’s business that has been identified as playing a significant role in the registrant’s operations or profitability

• Whether the misstatement affects the registrant’s compliance with regulatory requirements

• Whether the misstatement affects the registrant’s compliance with loan covenants or other contractual requirements

• Whether the misstatement has the effect of increasing management’s compensation—for example, by satisfying requirements for the award of bonuses or other forms of incentive compensation

• Whether the misstatement involves concealment of an unlawful transaction.

In considering the risk of material misstatement to the financial statements for the purpose of assessing internal controls over financial reporting, management should consider corresponding qualitative factors, such as:

• Whether the risk of misstatement relates to an item capable of precise measurement or whether it arises from an estimate and, if so, the degree of imprecision inherent in the estimate.

• Whether any potential misstatement might mask a change in earnings or other trends.

• Whether any potential misstatement might hide a failure to meet analysts’ consensus expectations for the enterprise.

• Whether any potential misstatement might change a loss into income or vice versa.

• Whether any potential misstatement concerns a segment or other portion of the registrant’s business that has been identified as playing a significant role in the registrant’s operations or profitability.

• Whether a potential misstatement would affect the registrant’s compliance with regulatory requirements.

• Whether a potential misstatement would affect the registrant’s compliance with loan covenants or other contractual requirements.

• Whether a potential misstatement would have the effect of increasing management’s compensation—for example, by satisfying requirements for the award of bonuses or other forms of incentive compensation.

• Whether a potential misstatement could involve concealment of an unlawful transaction.

While the SEC staff warns that quantitative factors should not be the sole basis for assessing materiality, it also does not object to using quantitative guidelines as a preliminary screen. SAB Topic 1M states:

The use of a percentage as a numerical threshold, such as 5%, may provide the basis for a preliminary assumption that—without considering all relevant circumstances—a deviation of less than the specified percentage with respect to a particular item on the registrant’s financial statements is unlikely to be material. The staff has no objection to such a “rule of thumb” as an initial step in assessing materiality. But quantifying, in percentage terms, the magnitude of a misstatement is only the beginning of an analysis of materiality; it cannot appropriately be used as a substitute for a full analysis of all relevant considerations.

This principle may also be applied to risk considerations. Consequently, each step of the overall task of assessing internal controls over financial reporting should involve some amount of reassessment of the qualitative factors affecting the risk of material misstatement to the financial statements.

The concept of “reasonable assurance” must also be taken into account; otherwise, management may find itself involved with the analysis of activities or controls that are relatively inconsequential. The summary for Chapter 7 of the COSO Internal Control—Integrated Framework describes the limitations of internal control as follows:


Internal control, no matter how well designed and operated, can provide only reasonable assurance to management and the board of directors regarding achievement of an entity’s objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems. These include the realities that human judgment in decision-making can be faulty, and that breakdowns can occur because of such human failures as simple error or mistake. Additionally, controls can be circumvented by the collusion of two or more people, and management has the ability to override the internal control system. Another limiting factor is the need to consider controls’ relative costs and benefits.

In order to achieve the goal of performing a comprehensive assessment of internal control over financial reporting but at the same time recognizing the concept of “reasonable assurance,” management should continuously reassess its planned procedures for completing the overall task. Such a continuous reassessment involves a full coordination of the “mapping” of the activities in the overall financial reporting process with the tentative evaluations of internal controls, which includes (1) risk identification and assessment (including materiality considerations) and (2) analysis of the design of internal controls. Therefore, materiality considerations can start while engaged in the planning and “mapping” as described in Chapters 2 and 3. In a sense, planning, mapping, and making tentative assessments of internal controls are like a simultaneous mathematical equation because of their interdependence.

Tentative materiality assessments may start in the initial planning phase. In Chapter 2, the preliminary planning included gathering information about the company’s organization and work flows. Exhibits 2-1 and 2-2 are designed to assist with decisions about how to proceed with making management’s assessment of internal control over financial reporting. Management at the top or at the reporting entity level may start by making decisions concerning how to make the assessment of internal control and who will make the assessment, at least to the next level below them in the total organization. Exhibit 2-1 (Preliminary Assessment Planning Questionnaire/Checklist) provides information about the environment, which includes qualitative factors that may be useful in considering materiality. Management at the top or the reporting entity level next should begin to identify the general processes (referred to as “routes” or sets of activities in Chapter 3, “Mapping the Organization”). Table/Chart I through Table/Chart V of Exhibit 3-1 (Questionnaire/Checklist for Identifying General Processes) are designed to identify the general sets of activities that provide financial reporting information. With each set of activities identified, management should begin to consider the materiality of potential errors that might be associated with that set of activities. The materiality for any given set of activities can be considered with respect to the quantitative size of those items in the affected financial statements in relation to the whole of those same items in the financial statements and in relation to the financial statements as a whole. In addition, qualitative considerations from Exhibit 2-1 and/or elsewhere should be considered in forming a conclusion about whether to tentatively discontinue further analysis of the set of activities because the risk of potential error to the financial statements related to that set of activities is not considered to be material. The word tentatively is again emphasized because it is important to make sure that the “sum” of the risks dismissed as insignificant is not itself significant. For that reason, management should be prepared to perform assessments of activities where such assessments were initially determined unnecessary because the risk of potential error to the financial statements related to those activities was not considered to be material.

As an example of an evaluation of the significance/potential materiality related to a general set of activities, first consider the part of the organization, class of transaction, and all the financial statement elements related to the process (route). Next, identify the primary financial statement items affected by the process and estimate the total potential dollar effect that the process could have on these primary financial statement items. Following that analysis, determine the estimated totals of these primary financial statement items in the financial statements and the percentage of the potential effect of the process on these primary financial statement items in relation to their estimated totals. These considerations will then permit calculation of the potential effect that a process (route) can have on important financial ratios, such as the current ratio, the debt-to-equity ratio, or the interest-coverage multiple. Management should then consider the results of this quantitatively oriented analysis in the light of qualitative factors such as the perceived importance of the matters affected by the process to internal and external decision makers, and make a judgment about the significance of the process from both a potential quantitative and a potential qualitative viewpoint.

Exhibit 4-2 is provided as an aid in making these determinations. It uses information from the preliminary planning work (contained in Exhibit 2-1), from the mapping or financial reporting process identification work (contained in Exhibit 3-1), and from the risk identification work (contained in Exhibit 4-1) to make tentative assessments about the significance of the risks associated with a set of financial reporting activities (i.e., route, financial reporting process, or financial reporting activity set). Those financial reporting processes tentatively assessed as not carrying a significant risk for a material misstatement to the financial statements should be listed for possible further analysis.


Exhibit 4-3 is a practice aid for accumulating the potential quantitative significance of those processes not analyzed in detail because they are not deemed to be individually significant to financial reporting. In addition to the potential quantitative information, notations about qualitative considerations relevant to the listed processes should be made to facilitate judgments about the relative significance of potential misstatements from the processes listed due to their effects on matters of importance from a non-financial or legal viewpoint. Needless to say, when the aggregate of the financial reporting processes that have not been analyzed in detail indicates a potential for material misstatement to the financial statements, management should choose additional processes (i.e., sets of activities) to analyze in detail.
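The following Python is an added illustration, not the book's own practice aid, of the Exhibit 4-2 arithmetic in the procedure above (items 1 through 11) and the Exhibit 4-3 aggregation of tentatively dismissed routes. It uses constructed route figures, the 5% rule of thumb quoted from SAB Topic 1M as the preliminary screen, and a qualitative override for any route carrying one of the SAB Topic 1M considerations; the Route class, STATEMENT_TOTALS and the flag names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Route:
    """One financial reporting process (route) from the mapping work (hypothetical)."""
    name: str
    # Exhibit 4-2 items 1/2: estimated total potential dollar effect on each
    # primary financial statement item the route touches (constructed values).
    potential_effect: Dict[str, float]
    # Qualitative considerations of the SAB Topic 1M kind (e.g. a loan
    # covenant); any flag keeps the route in scope regardless of size.
    qualitative_flags: Tuple[str, ...] = ()


# Exhibit 4-2 items 3/4: estimated financial statement totals for the
# primary items, entity-wide (constructed sample values).
STATEMENT_TOTALS: Dict[str, float] = {
    "revenue": 1_000_000.0,
    "current_assets": 400_000.0,
    "current_liabilities": 250_000.0,
}

# Constructed routes; the first two mirror the Company A example that follows.
SAMPLE_ROUTES: List[Route] = [
    Route("Agency commissions", {"revenue": 10_000.0}),
    Route("Principal sales", {"revenue": 200_000.0}),
    Route("Branch X sales", {"revenue": 30_000.0}),
    Route("Branch Y sales", {"revenue": 25_000.0}),
    Route("Payroll accrual", {"current_liabilities": 8_000.0}, ("loan_covenant",)),
    Route("Inventory count", {"current_assets": 12_000.0}),
]


def pct_effect(route: Route, item: str, totals=STATEMENT_TOTALS) -> float:
    """Exhibit 4-2 items 5/6: (potential effect / statement total) x 100."""
    return route.potential_effect[item] / totals[item] * 100.0


def ratio_effect(route: Route, numerator: str, denominator: str,
                 totals=STATEMENT_TOTALS) -> float:
    """Exhibit 4-2 items 7-11: percentage change in a ratio (e.g. the current
    ratio) if the route's full potential error landed on both items.
    Simplifying assumption: each error overstates the item it affects."""
    base = totals[numerator] / totals[denominator]
    stressed = ((totals[numerator] + route.potential_effect.get(numerator, 0.0))
                / (totals[denominator] + route.potential_effect.get(denominator, 0.0)))
    return round((stressed - base) / base * 100.0, 2)


def is_significant(route: Route, threshold_pct: float = 5.0,
                   totals=STATEMENT_TOTALS) -> bool:
    """Preliminary screen: the percentage rule of thumb, with any qualitative
    flag overriding the quantitative result, as SAB Topic 1M requires."""
    if route.qualitative_flags:
        return True
    return any(pct_effect(route, item, totals) >= threshold_pct
               for item in route.potential_effect)


def aggregate_dismissed(routes: List[Route], threshold_pct: float = 5.0,
                        totals=STATEMENT_TOTALS):
    """Exhibit 4-3: total the potential effects of routes tentatively dismissed
    as individually insignificant, per primary item, and report every item
    whose aggregate reaches the threshold (the "sum" that must not itself be
    significant)."""
    dismissed = [r for r in routes if not is_significant(r, threshold_pct, totals)]
    sums: Dict[str, float] = {}
    for r in dismissed:
        for item, effect in r.potential_effect.items():
            sums[item] = sums.get(item, 0.0) + effect
    breaches = {item: round(value / totals[item] * 100.0, 2)
                for item, value in sums.items()
                if value / totals[item] * 100.0 >= threshold_pct}
    return dismissed, breaches


def promote_routes(routes: List[Route], threshold_pct: float = 5.0,
                   totals=STATEMENT_TOTALS) -> List[str]:
    """Choose additional routes for detailed analysis, largest effect first,
    until the aggregate of what stays dismissed is below the threshold for
    every primary item."""
    dismissed, breaches = aggregate_dismissed(routes, threshold_pct, totals)
    promoted: List[str] = []
    while breaches:
        item = max(breaches, key=breaches.get)
        biggest = max((r for r in dismissed if item in r.potential_effect),
                      key=lambda r: r.potential_effect[item])
        promoted.append(biggest.name)
        dismissed = [r for r in dismissed if r is not biggest]
        dismissed, breaches = aggregate_dismissed(dismissed, threshold_pct, totals)
    return promoted


if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        verdict = "significant" if is_significant(r) else "tentatively dismissed"
        print(f"{r.name:20s} {verdict}")
    _, breaches = aggregate_dismissed(SAMPLE_ROUTES)
    print("aggregate of dismissed routes reaching 5%:", breaches)
    print("promote to detailed analysis:", promote_routes(SAMPLE_ROUTES))
```

With the sample figures, four routes pass the individual screen, but their combined revenue effect is 6.5% of revenue, so the largest of them is pulled back into detailed analysis.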

Tentative Consideration of the Likelihood of Risks

Analyzing the likelihood of a risk occurring is different from analyzing its significance. An error caused by the breakdown in a single activity in a route or set of activities must be judged as if there is a breakdown in the entire set of activities because the single activities are interdependent. That is, Activity A affects Activity B, which affects Activity C, and so on. Consequently, the significance of the risk of an error occurring in any one activity within a set of activities is the same as the significance of the risk that the entire set of activities is producing errors. However, the likelihood of a risk affecting one activity is not necessarily related to the likelihood of a risk affecting another activity within a set of activities. For example, if in keypunching pay rates (Activity A), an error occurs, then the pay calculation (Activity B) will yield an incorrect result; but the likelihood of the keypunch error and the likelihood of a pay calculation error are not related to each other. Thus, assessing the likelihood that an error might occur must be done for each identified activity that is part of a set of activities. However, the likelihood that an error will occur may or may not need to be assessed if the significance of any potential error is judged not to be significant. Because likelihood (i.e., probability) can never be more than 100%, or an absolute certainty, an insignificant risk for error can never be more than insignificant. Full risk analysis involves considering both the significance of potential errors and the likelihood that errors will occur. Consider the following example:

Company A has certain operations that require it to determine whether it should consider itself an agent and account for the associated income and expenses on a net basis, as commissions, or alternatively, consider itself a “principal” and account for the associated income and expenses gross on its statement of income. There is a risk that an incorrect decision will be made, which would result in a deviation from GAAP.

1. If, for example, the revenues or income from these transactions was $10,000 and Company A has other revenues of $1,000,000, then the risk of an incorrect decision about the accounting treatment could be deemed insignificant because $10,000 is not thought to be significant in comparison to $1,000,000. In that case, it would not matter how likely it is that Company A will make an incorrect decision because the total risk will still not be significant.

2. If, for example, the revenues or income from these transactions was $200,000 and Company A has other revenues of $1,000,000, then the risk of an incorrect decision about the accounting treatment could be deemed significant because $200,000 is thought to be significant in comparison to $1,000,000. In that case, Company A should consider the likelihood of making an incorrect decision about the accounting treatment. If the person responsible for making the determination is knowledgeable about the proper application of GAAP, then Company A might judge the likelihood of the risk of an incorrect decision to be low.

The actual evaluation of the likelihood that an error will occur in any given activity will always involve a degree of subjective judgment because it involves evaluating human activities. On the other hand, the likelihood that error will result from an IT activity will frequently be either 100% or 0%. Software will either be programmed to properly execute or not properly execute its intended function. Although there may be cases where a software program produces accurate results some of the time and inaccurate results at other times, the inaccurate results will occur because the software has not been properly programmed to deal with all the possible circumstances it might encounter. Such circumstances are frequently the unexpected or unusual ones that the software programmers did not anticipate.

When it comes to the practical aspects of making an assessment of internal control, it frequently may be more efficient to postpone making evaluations of the likelihood that an error will occur in any given activity until the later stages of the overall assessment. If management plans its evaluation activities and performs its analysis of the design of internal controls based on significance (that is, based on the significance of potential errors or misstatements) without regard for the likelihood that potential errors or misstatements might occur, it will have approached the task of making such evaluations and analysis as if there is a 100% potential for error in the activities it evaluates and analyzes. While at first this may appear to be unreasonable, it should be remembered that a considerable degree of subjective judgment is involved in making the evaluations about the significance of potential errors that may result from activities and sets of activities. Therefore, adding another level of subjectivity into the planning and design analysis phases of management’s assessment of internal controls can result in inadequate coverage of the entity’s overall system of financial reporting. Consequently, the author recommends that in-depth considerations about the probability for errors or misstatements be left for the stage of assessing the design of internal controls.

Tentative Considerations about Risk Management

The third and final aspect of risk analysis as discussed in the COSO Framework is to consider how the risk should be managed. Once risks have been identified and analyzed as to their significance and likelihood, management must determine the actions to be taken to reduce those risks to the point where it can state that there is “reasonable assurance” that the financial reporting objectives stated in the COSO Framework for fairly presented, reliable financial statements are being met. Considerations about the ways to mitigate risk must start back with the nature of the risk identified. As management progresses through the planning, procedural study, internal control design evaluation, and internal control testing phases of making its assessment, it should consider the ways that its established policies and procedures address significant identified risks in the activities within the financial reporting process and begin to develop any improvements to its processes. Exhibit 4-4 provides a simple format for listing tentative concerns about risks and thoughts for improvements as the work progresses.


EXHIBIT 4-1
QUESTIONNAIRE/CHECKLIST FOR IDENTIFYING BASIC AND UNDERLYING PROCESS RISKS

Process (Route): ___________________________________________ (From Exhibit 3-1)

Activity: ___________________________________________________ (From Exhibit 3-1)

Presence of Risk                                                        Yes   No

Basic Risk 1—The facts [input] are not correct or complete.

Conditions Precipitating Risk (Underlying Risks)

1. External data are not correct or complete.
2. Results of preceding process are not correct.
3. External data or results of preceding process are altered.
4. Management intervention.
5. Other.

Basic Risk 2—The facts are not correctly interpreted or applied.

Conditions Precipitating Risk (Underlying Risks)

1. Meaning of data is not understood.
2. Purpose of activity is not understood.
3. Manner of data application is not understood.
4. Management intervention.
5. Other.

Basic Risk 3—Specified mathematical operations to be applied to the facts are not appropriate to the circumstances.

Conditions Precipitating Risk (Underlying Risks)

1. Purpose of activity is not understood.
2. Mathematical operation is not understood.
3. Circumstances are not understood.
4. Alternatives are not understood.
5. Management intervention.
6. Other.

Basic Risk 4—The accounting principle to be applied is not appropriate to the circumstances.

Conditions Precipitating Risk (Underlying Risks)

1. Applicability of accounting principle is not known or understood.
2. Required conditions are not understood.
3. Alternatives are not understood.
4. Management intervention.
5. Other.

Basic Risk 5—The accounting principle identified is not correctly applied.

Conditions Precipitating Risk (Underlying Risks)

1. Proper manner of application of accounting principle is not known or understood.
2. Required conditions are not properly applied.
3. Alternatives are not understood.
4. Management intervention.
5. Other.

Basic Risk 6—Specified mathematical operations are not correctly performed.

Conditions Precipitating Risk (Underlying Risks)

1. Proper manner of application of mathematical operation is not known or understood.
2. Management intervention.
3. Other.


EXHIBIT 4-2
EVALUATION OF SIGNIFICANCE/POTENTIAL MATERIALITY OF FINANCIAL REPORTING PROCESSES

Financial Reporting Process Description: __________________________ (From Exhibit 3-1, Table/Chart V)

General Nature of Activity(ies): __________________________________ (From Exhibit 3-1, Table/Chart V)

Portion of Organization Related to Process (Route): _________________

Class of Transaction Related to Process (Route): ____________________

Financial Statement Element Related to Process (Route): _____________

Primary Financial Statement Items Affected: ________________________

Primary Item A (Describe): _________________________

Primary Item B (Describe): _________________________

1. Estimated Total Potential Dollar Effect on Primary Item A: _______________

2. Estimated Total Potential Dollar Effect on Primary Item B: _______________

3. Estimated Financial Statement Dollar Total—Primary Item A: _______________

4. Estimated Financial Statement Dollar Total—Primary Item B: _______________

5. Percentage of Potential Effect on Primary Item A ((1 ÷ 3) × 100): _______________

6. Percentage of Potential Effect on Primary Item B ((2 ÷ 4) × 100): _______________

7. Financial Ratios Affected by Process

8. Ratio A (Describe):

9. Ratio B (Describe):

10. Percentage of Potential Effect on Ratio A:

11. Percentage of Potential Effect on Ratio B:

Qualitative Considerations: (From Exhibit 2-1 or elsewhere)
______________________________________________________________________________________________________________________

Basic and Underlying Risks Applicable: (From Exhibit 4-1 or elsewhere)
______________________________________________________________________________________________________________________

Is there significant risk associated with this activity or set of activities?* Explain below:
______________________________________________________________________________________________________________________

* For purposes of this analysis, significant risk is considered as being present if the largest potential error that it could cause would be material to the financial statements.


EXHIBIT 4-3
TENTATIVE ANALYSIS OF FINANCIAL REPORTING PROCESSES HAVING NO SIGNIFICANT RISK

                         Assets                    Liabilities
Process          Current   Non-Current    Current   Non-Current   Equity   Pretax Income   Income Taxes   Net Income
Description
1. Describe         0          0             0          0            0          0               0             0
2. Describe         0          0             0          0            0          0               0             0
3. Describe         0          0             0          0            0          0               0             0
4. Describe         0          0             0          0            0          0               0             0
5. Describe         0          0             0          0            0          0               0             0
Totals              0          0             0          0            0          0               0             0

Notes on Non-Financial, Non-Quantitative Considerations:

EXHIBIT 4-4
TENTATIVE CONSIDERATIONS FOR IMPROVEMENT TO INTERNAL CONTROLS

Item   Nature of Perceived Risk   Perceived Potential Harm   Thoughts for Improvement

____   _____________              _____________              ___________

____   _____________              _____________              ___________

____   _____________              _____________              ___________

____   _____________              _____________              ___________

____   _____________              _____________              ___________

____   _____________              _____________              ___________

____   _____________              _____________              ___________

____   _____________              _____________              ___________

____   _____________              _____________              ___________

____   _____________              _____________              ___________
