
+91 800 8000 311

Risk Assessment, Controls, and Risk Management
Session 1
Content

• This section is 15% of Part 1
• Four larger categories of topics are included in this section:
 Risk assessment, controls and risk management
 Internal auditing
 Systems controls and security measures
 Internet security
Internal Controls
COSO – 1992: The Committee of Sponsoring Organizations
• The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) is a joint initiative to combat corporate
fraud. It was established in the United States by five private
sector organizations, dedicated to guiding executive management
and governance entities on relevant aspects of organizational
governance, business ethics, internal control, enterprise risk
management, fraud, and financial reporting.
• COSO has established a common internal control model against
which companies and organizations may assess their control
systems.
• COSO is sponsored by five organizations:
1. The Institute of Management Accountants (IMA),
2. The American Accounting Association (AAA),
3. The American Institute of Certified Public Accountants (AICPA),
4. The Institute of Internal Auditors (IIA), and
5. Financial Executives International (FEI).
• The internal controls of a company are an important part of its
overall operations.
• A strong internal control system will provide benefits:
 Lower external audit costs,
 Better control over and usage of company assets, and
 More reliable information that may be used for decision
making by managers and others in the company.
• A company with weak internal controls is putting itself at risk for
employee theft, loss of control over the information relating to
operations, and other inefficiencies in operations and decision-making.
• Internal control is the method or process performed by a
company that is designed to provide reasonable assurance that
three things will be achieved:
1. Effectiveness and efficiency of operations,
2. Reliability of financial reporting, and
3. Compliance with applicable laws and regulations.
• Objectives #2 and #3, the financial reporting and compliance
objectives, are based on standards imposed by external entities
(example: SEC). Internal control only provides reasonable
assurance, not a guarantee, that these goals will be achieved.
• Regarding objective #1: an internal control system cannot provide
reasonable assurance that operations objectives will be met.
• It provides only reasonable assurance that management and the
board of directors are made aware in a timely manner of the
progress towards achieving operational objectives.
• Therefore, internal control can be judged effective if management
has reasonable assurance that:
 They understand the extent to which the company’s
operations objectives are being achieved;
 Published financial statements are prepared reliably; and
 Applicable laws and regulations are being complied with.
• There are a number of diverse parties that are interested in the internal
control system of a company:
 Investors and potential investors rely on the IC system to be able to
evaluate management and the performance of the company.
 External auditors will base the amount of work that they perform in
part on the effectiveness of the IC system.
 Legislative and regulatory bodies rely on the IC system to help ensure
that the company is operating in compliance with applicable laws and
regulations.
 Management uses the information that comes out of the internal
systems, so management needs to make certain that the information
that it receives is correct.
 Customers may benefit from a strong internal control system because
it may reduce the costs of production and therefore also the products’
costs.
Who is Responsible for Internal Control?
• The COSO report, Internal Control – Integrated Framework (1992),
defined the responsibility of each group or person listed below to
maintain and assess internal controls as follows:
 The board of directors is responsible for overseeing the internal control
system, providing governance, guidance and insight.
 The CEO is ultimately responsible for the internal control system and the
“tone at the top”.
 Senior managers delegate responsibility for establishment of specific
internal control policies and procedures to personnel responsible for
each unit’s functions.
• Financial officers and their staffs are central to the exercise of
control.
• Internal auditors play a monitoring role by evaluating the
effectiveness of the internal controls.
• Virtually all employees are involved in internal control:
 They produce information used in the internal control system or carry out
activities that put the internal control system into effect.
 They inform their managers if they become aware of problems in
operations or that rules or policies are being violated.
INTERNAL CONTROLS - COMPONENTS
• The COSO report, Internal Control – Integrated Framework, lists
five interrelated components that make up internal control:
1. The Control Environment,
2. Risk Assessment,
3. Control Activities,
4. Information and Communication, and
5. Monitoring.
• Note: These elements may be remembered by the mnemonic
CRIME, as identified by the bold letters in the list above.
The Control Environment
• This is the most important element of internal controls because it
is the basis on which the other elements are built.
• Factors that influence the scope and effectiveness of the control
environment include:
 Integrity and ethical values of the entity’s people
 A commitment to competence
 The attention and direction provided by the board of directors
and/or audit committee
 Management’s philosophy and operating style
 The company’s organizational structure
 The way management assigns authority and responsibility for
operating activities
 Human resource policies and practices
• Internal controls are more likely to function well if management
believes that the controls are important and communicates that
support to all employees. Management sets a positive “tone at the top” by:
 Transmitting guidance both verbally and by example,
communicating the entity’s values and code of conduct
 Fostering a “control consciousness” by setting formal and
clearly communicated policies and procedures
 Specifying the competence level needed for particular jobs and
delegating authority accordingly
 Working closely with a board of directors who help ensure the
company is operating in the best interest of the shareowners
Risk Assessment
• Once the company objectives are defined, risk identification can
begin.
 Risks can exist at the entity level or the activity level
 Risks can be both internal and external
• After the company has identified its entity-level and activity-level
risks, it should perform a risk analysis:
 To estimate the significance of each risk
 To assess the likelihood or frequency of each risk’s occurring
 To consider how each risk should be managed by assessing
what actions need to be taken.
• Within the control environment, management is responsible for
assessment of the risks that the company faces.
• Risk assessment is the process of identifying, analyzing and
managing the risks that have the potential to prevent the
organization from achieving its objectives.
 The company’s objectives must be established before the risks
to them can be assessed. Objective setting is therefore a key
part of the management process of risk assessment.
• Once the significance and likelihood of risks have been assessed,
the following steps should be taken to manage the identified risks:
 The amount of potential loss from each identified risk should
be estimated to the extent possible.
 Consider how each risk should be managed by determining
what can be done and analyzing the costs, if any, associated
with managing each risk.
 Procedures should be established to ensure that the plans for
managing the risks are implemented. These procedures are
the control activities.
• After the risks have been assessed, controls should be designed to
limit the risk. To accomplish this, control activities are implemented.
• These activities are the policies that are developed to address the
risks of the company, and the procedures that ensure the policies will
be followed.
• Any control implemented must have a benefit that is greater than
the cost of that control.
 Because of this, not all controls are implemented, and the
control environment cannot provide a guarantee that all risks
are eliminated.
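The risk-analysis and cost/benefit steps above, carried through as an added example (not code from the original slides). The two risks, three candidate controls and every monetary figure are constructed sample data, and the model is the slides' reasoning made explicit rather than any COSO formula: expected loss = likelihood × potential loss, and a control is implemented only when the reduction in expected loss it buys exceeds its annual cost. The example also shows the consequence the slide draws: after the cost-justified controls are in place, residual risk remains.

```python
"""Risk analysis with cost/benefit selection of controls.

Added example; not from the original slides. Every risk, control and figure
below is constructed sample data. The logic follows the slides: estimate the
significance (potential loss) and likelihood of each risk, then implement a
control only if its benefit (the reduction in expected loss) exceeds its cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    potential_loss: float   # estimated loss if the risk materialises
    likelihood: float       # probability of occurring in one year (0.0 - 1.0)


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                    # name of the risk the control addresses
    annual_cost: float
    likelihood_reduction: float  # share of the (residual) likelihood removed


def expected_loss(potential_loss: float, likelihood: float) -> float:
    """Significance x likelihood: the annual loss the company expects."""
    return potential_loss * likelihood


def select_controls(risks, controls):
    """Decide which controls pay for themselves.

    Controls are evaluated in the order given; the benefit of each one is
    computed against the risk's *residual* likelihood, so a second control on
    the same risk is not credited for loss a prior control already removed.
    Returns (accepted names, rejected names, residual expected loss per risk).
    """
    by_name = {r.name: r for r in risks}
    residual_likelihood = {r.name: r.likelihood for r in risks}
    accepted, rejected = [], []
    for control in controls:
        risk = by_name[control.risk]
        before = expected_loss(risk.potential_loss, residual_likelihood[risk.name])
        after = expected_loss(
            risk.potential_loss,
            residual_likelihood[risk.name] * (1 - control.likelihood_reduction),
        )
        benefit = before - after
        if benefit > control.annual_cost:
            accepted.append(control.name)
            residual_likelihood[risk.name] *= 1 - control.likelihood_reduction
        else:
            rejected.append(control.name)
    residual = {
        name: round(expected_loss(by_name[name].potential_loss, lik), 2)
        for name, lik in residual_likelihood.items()
    }
    return accepted, rejected, residual


def sample_assessment():
    """Run the selection over a constructed two-risk register."""
    risks = [
        Risk("unauthorised vendor payment", potential_loss=500_000, likelihood=0.10),
        Risk("inventory shrinkage", potential_loss=20_000, likelihood=0.50),
    ]
    controls = [
        Control("dual approval of payments", "unauthorised vendor payment", 8_000, 0.80),
        Control("daily physical inventory count", "inventory shrinkage", 15_000, 0.90),
        Control("monthly cycle count", "inventory shrinkage", 3_000, 0.50),
    ]
    return select_controls(risks, controls)


if __name__ == "__main__":
    accepted, rejected, residual = sample_assessment()
    print("implement:", accepted)
    print("not cost-justified:", rejected)
    # Residual loss is never zero: controls give reasonable assurance, not a guarantee.
    print("residual expected loss:", residual)
```

On the constructed data the daily count is rejected (its 9,000 reduction in expected loss does not cover its 15,000 cost) while the cheaper monthly cycle count is accepted, leaving a residual expected loss on both risks. Because benefit is measured against residual likelihood, the order in which controls for the same risk are evaluated changes the answer; evaluating cheaper controls first is one reasonable policy.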
Control Activities - PDDCC
• Control activities may be classified by their objective:
 Preventive controls attempt to prevent the mistake or problem
from ever occurring in the first place,
 Directive controls attempt to ensure the occurrence of a
desirable event,
 Detective controls attempt to find the mistake or problem after
it has occurred,
 Corrective controls attempt to fix the problem after it has
occurred, and
 Compensating controls attempt to address a weakness in
controls in one place by setting up additional controls in a
related area.
• Examples of control activities are:
1. Top level reviews
2. Direct functional or activity management
3. Information processing
4. Independent checks
5. Performance indicators
6. Physical controls to safeguard assets
7. Documents and records
8. Authorization
9. Segregation of duties
Information and Communication
• Information needs to be obtained and communicated to people to
allow them to perform their duties.
 Communication must be ongoing
 Duties and responsibilities need to be communicated to all
affected parties so that they are able to communicate significant
information upstream
 Reports containing operational, financial, and compliance
information must be available for informed decisions
 Some information must be communicated to those outside the
organization and must also be available from external sources
• Some examples of communication that should take place include:
 Information systems must provide reports to appropriate
personnel so they can carry out their responsibilities.
 All personnel need to receive clear communication from top
management that their internal control responsibilities must be
taken seriously. Each person needs to understand his or her role
in the internal control system and how the system works.
 People need to know what behaviour is expected of them and
what behaviour is unacceptable.
 Employees need to know that if they report a suspected
violation of the company’s code of conduct, they will not get
into trouble for it.
 Communications between management and the Board of
Directors are vital. Senior management must inform board
members about performance, new developments, major
initiatives, potential risks, and other relevant information.
 Appropriate communication is also needed with those who are
outside of the organization. Communications from outside
parties such as external auditors can provide important
information about the functioning of the internal control
system.
 Any outsider dealing with the company must be informed that
improper actions such as kickbacks or other improper incentives
from vendors will not be tolerated.
Monitoring
• Monitoring is the process of reviewing the controls over time to
make sure that they are still relevant and still functioning as they
were intended.
 As technologies change and business operations change, some
of the controls that had been relevant may no longer be
relevant.
 Monitoring needs to be undertaken on a regular (if not relatively
constant) basis.
 Monitoring can be done in two ways:
1. Ongoing monitoring during normal operations
2. Separate evaluations by management with the assistance
of the internal audit function
• Duties need to be divided among various employees to reduce the
risk of errors or inappropriate activities. No single individual should
have enough responsibility to be in a position to both perpetrate
and conceal irregularities.
• Note: Different people must always perform the following four
functions:
 Authorizing a transaction.
 Recording the transaction, preparing source documents, and
maintaining journals.
 Keeping physical custody of the related asset.
 The periodic reconciliation of the physical assets to the recorded
amounts for those assets.
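The segregation-of-duties rule above, turned into a check an internal auditor or security engineer could run over a role export, as an added example that is not part of the original slides. The four functions are the ones the slide lists (authorize, record, custody, reconcile); the role assignments, the transaction log and the employee and process names are constructed sample data shaped like an accounting-system export. It goes slightly beyond the slide by adding a detective check on what actually happened, since a role assignment can be bypassed by a delegated login or a manual override.

```python
"""Segregation-of-duties (SoD) conflict check.

Added example; not from the original slides. The four functions come from the
slide above (authorize, record, keep custody, reconcile); the assignment
records and the transaction log are constructed sample data in the shape of an
export from an accounting system.
"""
from collections import defaultdict

# The four functions the slide says must be performed by different people.
INCOMPATIBLE_FUNCTIONS = frozenset({"authorize", "record", "custody", "reconcile"})


def find_sod_conflicts(assignments):
    """Flag employees who hold two or more incompatible functions for one process.

    assignments: iterable of (employee, process, function) tuples.
    Returns a sorted list of (employee, process, functions-held) tuples.
    """
    held = defaultdict(set)
    for employee, process, function in assignments:
        if function not in INCOMPATIBLE_FUNCTIONS:
            raise ValueError(f"unknown function {function!r}")
        held[(employee, process)].add(function)
    return [
        (employee, process, tuple(sorted(functions)))
        for (employee, process), functions in sorted(held.items())
        if len(functions) >= 2
    ]


def find_transaction_violations(transactions):
    """Detective check: transactions where one person both authorized and recorded.

    Role assignments can be bypassed (a delegated login, a manual override), so the
    same rule is also run over the transactions that were actually processed.
    """
    return [
        t["id"] for t in transactions
        if t["authorized_by"] == t["recorded_by"]
    ]


# Constructed sample role export: (employee, process, function).
SAMPLE_ASSIGNMENTS = [
    ("alice", "accounts payable", "authorize"),
    ("bob", "accounts payable", "record"),
    ("carol", "accounts payable", "custody"),    # signs the cheques
    ("carol", "accounts payable", "reconcile"),  # ...and reconciles the bank account
    ("dave", "fixed assets", "custody"),
    ("erin", "fixed assets", "reconcile"),
    ("dave", "payroll", "record"),               # different process: no conflict
]

# Constructed sample transaction log.
SAMPLE_TRANSACTIONS = [
    {"id": "AP-1001", "authorized_by": "alice", "recorded_by": "bob"},
    {"id": "AP-1002", "authorized_by": "bob", "recorded_by": "bob"},
    {"id": "AP-1003", "authorized_by": "alice", "recorded_by": "bob"},
]


if __name__ == "__main__":
    for employee, process, functions in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {employee} holds {functions} in {process}")
    for tx in find_transaction_violations(SAMPLE_TRANSACTIONS):
        print(f"transaction {tx}: authorized and recorded by the same person")
```

The conflict is keyed on (employee, process): holding custody of fixed assets and recording payroll is not a conflict, whereas holding custody and reconciliation within accounts payable is exactly the perpetrate-and-conceal combination the slide warns about. The transaction-level check is the detective counterpart of the preventive role check.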
Risk Assessment, Controls, and Risk Management
Session 2
Audit Committee
• Audit committees of the boards of directors were first
recommended by the SEC in 1972. Stock exchanges began
requiring, or at least recommending, that listed companies have
audit committees. Thereafter the responsibilities of audit committees
increased over the years and have been formalized by statute.
• The Sarbanes-Oxley Act of 2002 increased audit committees’
responsibilities further. It also increased the qualifications required
for members of audit committees and it increased the authority of
audit committees.
Audit Committee Requirements
• The major requirements for audit committees and their members:
 They consist of at least 3 members
 Members must be independent (example: not employed by
the company)
 At least one member must have accounting or financial
management expertise
 All members must be financially literate (at the time of
appointment or shortly thereafter)
 The New York Stock Exchange requires a 5-year “cooling off” period
during which former employees of the company or its external
auditor are not allowed to serve on the audit committee
Audit Committee Responsibilities
• The responsibilities of the Audit Committee include:
 Acting as an intermediary between management, the external
auditor and the internal auditor,
 Nominating an external auditor,
 Discussing the scope of the audits with the internal and external
auditors,
 Reviewing the results of the audits,
 Reviewing evaluations of internal controls,
 Reviewing the work of the internal auditors, and
 Reviewing the interim and annual financial statements.
Audit Committee Authorities
• Authority to Hire Advisers
 One of the provisions of the Sarbanes-Oxley Act states that the
Audit Committee must have the authority to hire an outside
auditing firm, independent counsel, and other advisers the
Committee determines are necessary to carry out its duties. The
company is required to fund any such activities that the Audit
Committee deems necessary to fulfil its duties.
• Handling of Complaints
 Another stipulation of the Act requires the Committee to
establish procedures for the receipt, retention, and treatment
of any complaints regarding accounting, internal controls
related to accounting, or auditing. More specifically, the Audit
Committee must ensure that any complaints regarding
accounting or auditing matters can be submitted confidentially
and anonymously.
Legislative Initiatives on Internal Control: FCPA, SOX
• There are a handful of legislative initiatives regarding internal
control issues that we will look at in more detail:
1. The Foreign Corrupt Practices Act,
2. The Sarbanes-Oxley Act, and
3. SEC Release 33-8810.
1. The Foreign Corrupt Practices Act of 1977 (FCPA)
• This Act was passed in response to the discovery in the 1970s that
American companies were making large, questionable or illegal
payments to foreign governments, officials or politicians.
• It is an amendment to the 1934 Securities Exchange Act.
• There are two main provisions:
 Anti-bribery provisions
 Accounting provisions
• The anti-bribery provisions apply to all companies, whether or not
they are publicly traded and registered with the SEC.
• The accounting provisions are applicable only to companies that
are under the regulation of the SEC.
• The responsibility for compliance with the Act is given to the
company as a whole.
 Responsibility is not placed with a specific person or position,
but with everyone within the organization.
 However, individuals are personally liable for their actions.
• It is illegal to offer or authorize corrupt payments to any foreign
official, foreign party chief or official, or a candidate for political
office in a foreign country.
 It is also illegal to make these payments through another party
(an intermediary).
• A corrupt payment is one that intends to cause the recipient to
misuse their position in order to direct business to the payer of
the corrupt payment.
 A payment is corrupt simply by the fact that it is made. Even if the
benefits that were expected are not received, the payment was
corrupt.
• Management is required to maintain records, books and
accounts that represent transactions properly.
• Management must also develop and implement a system of
internal controls.
 The logic is that if the company has an effective internal
control system, it will be more difficult for corrupt payments
to be made.
• Fines for making illegal payments are:
 Up to $2 million in fines against the company, and
 Up to $100,000 in fines and 5 years of imprisonment for
individuals who make or authorize an illegal transaction.
• Companies can also be prevented from participating in
government contracts and have their export license revoked.
Shareholders are also able to file lawsuits against the company for
illegal payments.
Sarbanes-Oxley Internal Control Provisions
• The Sarbanes-Oxley Act was enacted in 2002. Its provisions with
respect to internal control are:
 Audit committees are to be responsible for the appointment,
compensation and oversight of the registered public
accounting firm.
 Audit committees are to have the authority and funding to engage
independent counsel and advisors as deemed necessary.
 Auditors are to report directly to the audit committee.
 Members of the audit committee must be truly independent.
Sarbanes-Oxley
• It is unlawful for any corporate officer or director, or person acting
under their direction, to fraudulently influence, coerce, manipulate
or mislead any accountant engaged in preparing an audit, for the
purpose of causing the audit report to be materially misleading.
• The company’s annual report filed with the SEC must be
accompanied by a statement of management that management is
responsible for creating and maintaining adequate internal
controls, along with a statement of management’s assessment of
the effectiveness of these controls.
Sarbanes-Oxley
• There are several main aspects of Sarbanes-Oxley (SOX) that we
will now cover in more detail. They include:
1. The Public Company Accounting Oversight Board (PCAOB)
2. SOX Section 302 – Corporate Responsibility for Financial
Reports
3. SOX Section 404 – Management Assessment of Internal
Controls
4. PCAOB Auditing Standard 5 and the preferred
approach to auditing internal controls
Public Company Accounting Oversight Board
• Title 1 of the Sarbanes-Oxley Act established the Public Company
Accounting Oversight Board (PCAOB) to oversee the auditing of
public companies that are subject to the securities laws.
• The board:
 Contains 5 board members appointed by the SEC
 Includes only members who are financially literate and must be
from the private sector
 Only 2 of the board members can be CPAs.
• The PCAOB has many responsibilities. Its role of providing guidance
to auditors on their auditing of internal controls is just one
responsibility.
• The primary responsibilities of the PCAOB include:
 Registering accounting firms that audit public companies.
 Establishing standards related to the preparation of audit reports
regarding auditing, quality control, ethics, and independence.
 Conducting inspections of registered public accounting firms for
compliance with the Sarbanes-Oxley Act, the rules of the Board, the
rules of the SEC, and other professional standards.
 Enforcing compliance with appropriate laws and professional standards
relating to audit reports and the obligations of accountants for them.
 Conducting investigations and disciplinary proceedings and imposing
appropriate sanctions.
SOX Section 302
• Section 302 relates to the corporate responsibility for financial
reports.
• Each annual or quarterly report of a company must include
certifications by the CEO and CFO that:
 They have reviewed the report
 The report does not contain any untrue statement of a material fact
or omit to state any material fact that could make the report
misleading
 Based upon their knowledge, the financial statements fairly
present in all material respects the financial condition and results
of operations of the company
 They understand that they are responsible for internal controls in
the company
 They have disclosed required information to the company’s
auditors and audit committee of the board of directors, including:
 Any fraud that involves management or other employees with
significant responsibilities in the company’s internal controls
 All deficiencies in the design or operation of the company’s
internal control.
 They have disclosed in the report any material changes in the
company’s internal controls that have occurred after the report date
but prior to its publication.
SOX Section 404
• Section 404 relates to the management assessment of internal
control.
• Each annual report required by the SEC must contain an
assessment by management of the adequacy of the company’s
internal control over financial reporting (ICFR for short). This
internal control report shall:
 State the responsibility of management for establishing and
maintaining an adequate internal control structure and
procedures for financial reporting
 Contain an assessment of the effectiveness of the internal
control structure and procedures of the company for financial
reporting as of the fiscal year-end
• The SEC provided interpretative guidance (SEC Release No. 33-8810)
to implement Section 404.
 The guidance is organized around two broad principles:
1. Management should determine whether it has
implemented controls that adequately address the risk that a
material misstatement of the financial statements would not be
prevented or detected in a timely manner.
2. Management’s evaluation of evidence about the operation
of its controls should be based on its assessment of risk.
PCAOB Auditing Standard No. 5
• PCAOB Auditing Standard No. 5 calls for a top-down, risk-based
approach to assessing and attesting to internal controls.
Important details regarding this approach are:
 A risk-based approach begins by identifying the risks that a
material misstatement of the financial statements would not
be prevented or detected in a timely manner.
 The auditor should perform procedures such as inquiry,
inspection of documents, or walkthroughs (a combination of
the preceding procedures) to understand and identify the
likely sources of potential misstatements.
 A fraud risk assessment should be taken into account during
the audit of internal controls.
• The steps to follow in a top-down, risk-based auditing approach
are:
1. Start with entity-level controls
2. Identify entity-level controls
3. Identify significant accounts and disclosures and their
relevant financial statement assertions
4. Understand the likely sources of misstatement
5. Select controls to test
6. Test design effectiveness and operating effectiveness of the
controls
7. Evaluate identified deficiencies
3. SEC Release 33-8810
• SEC Release 33-8810, the guidance for management in assessing its
internal control over financial reporting, also contains information
about how a risk-based, top-down approach to assessing internal
control over financial reporting should be performed. It reports the
following steps to follow:
1. Identify financial reporting risks and controls
2. Evaluate evidence of the operating effectiveness of the
internal controls over financial reporting
3. Consider the impact of multiple locations adequately (rely on
central controls? review of remote locations, etc.)
4. Evaluate control deficiencies to determine whether they are a
material weakness
What Internal Controls Can and Cannot Do
• Internal controls can help an organization get to where it wants to go.
• Internal controls can help an organization achieve its goals and prevent
loss of resources.
• Internal controls can ensure reliable financial reporting.
• Internal controls can ensure that the organization complies with laws
and regulations.
• Internal controls cannot provide a guarantee. They can provide only
reasonable assurance to management and the board of directors
regarding achievement of the entity’s objectives.
Internal Controls - Limitations
• Control Override:
 An internal control system is only as effective as the people who are
responsible for its functioning. Consistent management override
sends the message that standard procedures are not important.
• Human Error:
 The effectiveness of an internal control system is limited by the
reality that human beings are not perfect. Errors may occur due to
employee carelessness, distraction, or fatigue.
• Decisions are often made under time pressures, based on limited
information, and rely heavily on human judgment. Additionally,
management may fail to anticipate certain risks and ultimately fail
to design and implement appropriate controls to mitigate those
risks.
• Cost vs. Benefit:
 The concept of reasonable assurance recognizes that the cost of
internal controls should not exceed the benefits derived, and
also recognizes that evaluation of these factors requires estimates
and judgments. Prohibitive costs prevent management from
implementing the perfect internal control system. Management
accepts certain risks because the cost of preventing such risks
cannot be justified.
• Collusion:
 Two or more employees acting together to perpetrate and
conceal an action from detection can often circumvent the most
effective system of internal control.
Thank You
