Risk, Internal Controls, COSO and ERM (presentation transcript)
Risk
General definition: exposure to the chance of adverse effects or loss; a hazard or dangerous chance.
Examples of risks to a company:
- Erroneous financial statements
- Loss of money
- Incorrect shipments
- Damage to reputation/brand
Risk Response
- Accept: accept the likelihood and impact of the risk; do not act to prevent or mitigate it.
- Share: split the risk with someone else (e.g. buy insurance, outsource the activity). Often called "transfer".
- Avoid: do not engage in the activity that produces the risk (e.g. sell a portion of the business, exit a product line, do not expand).
- Reduce: implement an effective internal control system that lowers the likelihood or the impact.
Controls
General definition: the process of exercising a restraining or guiding influence over the activities of an object, organism or system.
Examples of controls in a company:
- Authorization of journal entries
- Bank account reconciliation
- Use of the customer P.O. as the pick list
- Product quality reviews/analysis
Objective of Internal Controls
To reduce the likelihood that a threat will come to pass and result in an unacceptable loss to the organization (i.e. mitigate risk).
NOTE: the objective of internal controls incorporates both risk components, likelihood and impact.
How to achieve the IC objective?
1. Identify the risks inherent in the company, industry, etc.
2. Use the risk components (likelihood and impact) to assess the qualitative and/or quantitative value of each risk identified.
3. Determine management's risk appetite.
4. Identify and evaluate the existing internal controls.
5. Answer the question: do the existing internal controls mitigate the identified risks to the level management is comfortable with?
External Reporting Internal Controls
Established to provide reasonable assurance that financial information is:
- Prepared in accordance with GAAP
- Not materially misstated
- A fair representation of the activity of the company
- Supported by appropriate source documents and detail
NOTE: this is the main purview of the Sarbanes-Oxley Act (internal control over financial reporting).
Internal Controls
Based on the risk assessment and risk appetite determinations, a company can establish an internal control structure appropriate to its business.
Internal Control Philosophy
- Controls permeate, not dominate.
- Controls are everybody's, not just the accountant's.
- Controls are part of the operation.
- Controls are built into the system.
IC Factors to Consider
Pressures against adequate internal control:
- Lack of manpower
- Cost (actual or perceived)
- Reduction in productivity
- Restriction of flexibility
- Time constraints
Practicality and Internal Controls
Internal control is a constant weighing of the risk associated with a process against the cost of implementing the ideal controls. Remember that theory and practice may not always coincide: a less-than-ideal control can be appropriate depending on the company's business, management's risk threshold and the compensating controls in place.
Types of Controls
- Preventive: stops a problem before it occurs; appropriate for high-risk areas.
- Detective: catches an issue after the fact; appropriate for high- to medium-risk areas.
- Monitoring: catches an item after the fact, usually only at a high level (e.g. large dollar amounts, percentage changes); appropriate for low-risk areas.
Only a preventive control stops the bad transaction itself; detective and monitoring controls depend on someone following up on what they flag.
Examples?
Internal Control Systems (i.e. structure/framework)
Internal control structure: the methods a business uses to
- safeguard assets
- provide accurate, reliable information
- comply with applicable laws and regulations (e.g. OSHA, FDA, GAAP)
- promote and improve operational efficiency
- encourage adherence to prescribed managerial policies
Basically, the internal controls put in place to mitigate the company's risks.
COSO Internal Control Framework?
- Guidelines developed by the professional organizations most directly involved (COSO is the Committee of Sponsoring Organizations of the Treadway Commission).
- Recognized as the industry standard, including for Sarbanes-Oxley compliance.
COSO Internal Control Framework
Considers internal control a process:
- effected by an entity's board of directors, management and other personnel
- which provides reasonable assurance of achieving management's objectives in the following categories:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations
5 Components of the COSO IC Model
1. Control environment: tone at the top
2. Risk assessment: identification and analysis of risks
3. Control activities: policies and procedures
4. Information and communication: processing information so people can do their jobs
5. Monitoring: assessing the quality of internal control over time
Enterprise Risk Management Model
ERM is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
It moves the emphasis from risks relating to financial reporting and compliance to ALL risks of the business. Examples?
ERM Framework vs. COSO Framework
- ERM incorporates the COSO IC Framework; it is not a replacement.
- It adds three elements: objective setting, event identification and risk response.
- ERM recognizes that risks can be accepted, avoided, diversified, shared or transferred as well as controlled.
- The COSO IC framework is controls-based and focuses on past problems and concerns; the ERM framework takes a risk-based approach to the organization, oriented toward the future and constant change.
The Internal (Control) Environment
- Commitment to integrity and ethics
- Management's philosophy and style
- Organizational structure
- Audit committee and the board (function)
- Methods of assigning responsibility
- Human resources policies and practices
- External influences
Internal Control Environment
- The board of directors needs to be active and involved.
- It is the necessary check and balance on management, provided directors ask questions, scrutinize the financials and oversee policy decisions and changes.
- An audit committee should exist (SOX requirement).
Objective Setting
Top management, with board approval, must articulate why the company exists and what it hopes to achieve (the corporate vision or mission). The objectives need to be easy to understand and measure, prioritized, and aligned with the company's risk appetite. For each set of objectives, critical success factors must be defined and performance measures established.
Events/Threats (negative)
Business threats (economic, environmental, social, political, ...)
- Internal or external
- Occur at the wrong time, in the wrong sequence, with the wrong actors, in the wrong place, ...
Information threats
- Recording/processing/reporting
Tools for identifying
Risk Assessment - COSO
1. Determine the threats to the company
2. Estimate the probability of each threat occurring
3. Estimate the exposure from each threat
4. Identify a set of controls to guard against each threat
5. Estimate the costs and benefits of implementing the controls
6. Evaluate whether to put the controls in place
7. Implement the controls (including training)
8. Monitor
Risk Assessment - ERM
- Objective setting: what does the enterprise wish to do?
- Event identification: what could go wrong?
- Risk assessment: likelihood of the event, exposure, cost/benefit?
- Risk response: avoid, reduce, share, accept, ...
Risk Assessment & Response
- Calculate the expected loss: probability of the event occurring x exposure if it does.
- Determine the cost of the controls.
- Benefit = the reduction in expected loss the control achieves; a control is normally justified when its benefit exceeds its cost.
- Consider special reasons for investing in a control even when cost > benefit (e.g. a legal or regulatory requirement).
- Compare the residual risk with the risk appetite and respond: avoid, accept, share, reduce.
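The cost/benefit arithmetic on the two risk assessment slides above, carried through for a small threat register. This is an added example, not material from the presentation; every threat, probability, exposure, control cost and the risk appetite figure is constructed for illustration, and the `Threat`, `expected_loss`, `control_benefit`, `risk_response` and `assess` names are this example's own.

```python
"""Worked risk assessment and response: expected loss, control cost/benefit
and the avoid/accept/share/reduce decision.

Added example, not part of the slides. Every threat, probability, exposure,
control cost and the risk appetite below is a constructed illustrative figure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float           # likelihood the event occurs in a year (0..1)
    exposure: float              # loss in dollars if it occurs
    residual_probability: float  # likelihood after the proposed control
    residual_exposure: float     # loss after the proposed control
    control_cost: float          # annual cost of the proposed control
    mandatory: bool = False      # "special reason": control required by law/regulation


def expected_loss(probability: float, exposure: float) -> float:
    """Expected loss = likelihood of the event x exposure if it occurs (to cents)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if exposure < 0:
        raise ValueError("exposure must be non-negative")
    return round(probability * exposure, 2)


def control_benefit(t: Threat) -> float:
    """Benefit of a control = reduction in expected loss it achieves."""
    before = expected_loss(t.probability, t.exposure)
    after = expected_loss(t.residual_probability, t.residual_exposure)
    return round(before - after, 2)


def risk_response(t: Threat, risk_appetite: float) -> str:
    """Choose a response with the slides' rule set.

    accept            inherent expected loss is already within appetite
    reduce            control worth buying (benefit >= cost, or mandatory) and the
                      residual expected loss lands within appetite
    reduce and share  control worth buying but the residual is still above appetite,
                      so the remainder is shared (e.g. insured)
    share or avoid    control not worth buying; insure, outsource or exit instead
    """
    inherent = expected_loss(t.probability, t.exposure)
    if inherent <= risk_appetite:
        return "accept"
    residual = expected_loss(t.residual_probability, t.residual_exposure)
    if t.mandatory or control_benefit(t) >= t.control_cost:
        return "reduce" if residual <= risk_appetite else "reduce and share"
    return "share or avoid"


# Constructed threat register (illustrative numbers only)
THREATS = [
    Threat("erroneous financial statements", 0.10, 500_000, 0.01, 500_000, 20_000, True),
    Threat("incorrect shipments", 0.30, 40_000, 0.05, 40_000, 15_000),
    Threat("petty cash loss", 0.50, 1_000, 0.10, 1_000, 800),
    Threat("warehouse fire", 0.02, 2_000_000, 0.01, 2_000_000, 5_000),
]
RISK_APPETITE = 10_000  # constructed: max expected loss management tolerates per threat


def assess(threats, risk_appetite):
    """Return {threat name: (inherent expected loss, control benefit, response)}."""
    return {
        t.name: (expected_loss(t.probability, t.exposure), control_benefit(t),
                 risk_response(t, risk_appetite))
        for t in threats
    }


if __name__ == "__main__":
    for name, (loss, benefit, response) in assess(THREATS, RISK_APPETITE).items():
        print(f"{name:32} EL=${loss:>12,.2f} benefit=${benefit:>10,.2f} -> {response}")
```

Note how the "incorrect shipments" line comes out: its expected loss (12,000) exceeds the appetite, but the proposed control removes only 10,000 of it at a cost of 15,000, so the model sends it to share/avoid rather than reduce. The "warehouse fire" line shows the other edge: the control pays for itself, yet the residual 20,000 is still above appetite, so reduction alone is not a complete response.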
Control Activities
- Authorization of transactions
- Segregation of incompatible duties
- Independent checks on performance
- Safeguarding of assets and information
- Design and use of adequate records
- Management and review of activities
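The first two control activities on the slide, authorization of transactions and segregation of incompatible duties, are the ones most often implemented inside application code rather than on paper. The following is an added example written for this page, not a system described by the presentation; the duty names, the incompatible-duty pairs, the users, approval limits and journal entries are all constructed, and `ControlledLedger`, `ControlViolation` and `run_scenario` are this example's own names.

```python
"""Added example, not from the slides: two control activities enforced in code,
authorization of transactions (per-approver limits) and segregation of
incompatible duties (no one holds conflicting duties; a maker never checks
own work). Users, duties, limits and journal entries are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed policy: pairs of duties one person must never hold together.
INCOMPATIBLE_DUTIES = {
    frozenset({"enter_journal", "approve_journal"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"custody_cash", "reconcile_bank"}),
}


class ControlViolation(Exception):
    """An action would break authorization or segregation of duties."""


@dataclass
class JournalEntry:
    entry_id: str
    amount: float
    entered_by: str
    approved_by: Optional[str] = None


class ControlledLedger:
    def __init__(self) -> None:
        self.duties: Dict[str, Set[str]] = {}
        self.approval_limits: Dict[str, float] = {}
        self.audit_log: List[str] = []  # the "adequate records" of who did what

    def grant_duty(self, user: str, duty: str) -> None:
        """Preventive control: refuse a grant that creates an incompatible pair."""
        held = self.duties.setdefault(user, set())
        for existing in held:
            if frozenset({existing, duty}) in INCOMPATIBLE_DUTIES:
                raise ControlViolation(f"{user} holds {existing}, cannot also hold {duty}")
        held.add(duty)
        self.audit_log.append(f"GRANT {user} {duty}")

    def _require(self, user: str, duty: str) -> None:
        if duty not in self.duties.get(user, set()):
            raise ControlViolation(f"{user} lacks duty {duty}")

    def enter(self, entry_id: str, amount: float, user: str) -> JournalEntry:
        self._require(user, "enter_journal")
        self.audit_log.append(f"ENTER {entry_id} {amount} by {user}")
        return JournalEntry(entry_id, amount, user)

    def approve(self, entry: JournalEntry, approver: str) -> JournalEntry:
        """Authorization: approver holds the duty, is not the maker, and has a
        limit covering the amount. The maker check stays even though the duty
        policy already separates maker and checker (defense in depth)."""
        self._require(approver, "approve_journal")
        if approver == entry.entered_by:
            raise ControlViolation("maker cannot approve own entry")
        if entry.amount > self.approval_limits.get(approver, 0.0):
            raise ControlViolation(f"{approver} not authorized for {entry.amount}")
        entry.approved_by = approver
        self.audit_log.append(f"APPROVE {entry.entry_id} by {approver}")
        return entry


def _blocked(action) -> str:
    """Run an action and report whether a control stopped it."""
    try:
        action()
        return "allowed"
    except ControlViolation:
        return "blocked"


def run_scenario() -> Dict[str, str]:
    """Constructed scenario; returns the outcome of each control check."""
    ledger = ControlledLedger()
    ledger.grant_duty("alice", "enter_journal")
    ledger.grant_duty("bob", "approve_journal")
    ledger.approval_limits["bob"] = 25_000
    results: Dict[str, str] = {}
    # 1. Incompatible duties: alice enters journals, so she may not approve them.
    results["sod_grant"] = _blocked(lambda: ledger.grant_duty("alice", "approve_journal"))
    # 2. Normal path: maker enters, a different approver within limit approves.
    results["normal_approval"] = ledger.approve(ledger.enter("JE-1", 12_000, "alice"), "bob").approved_by or "none"
    # 3. Amount above the approver's authorization limit.
    results["over_limit"] = _blocked(lambda: ledger.approve(ledger.enter("JE-2", 40_000, "alice"), "bob"))
    # 4. User without the duty cannot enter at all.
    results["no_duty"] = _blocked(lambda: ledger.enter("JE-3", 100, "bob"))
    # 5. An entry that names the approver as its maker is rejected even so.
    results["self_approval"] = _blocked(lambda: ledger.approve(JournalEntry("JE-4", 10, "bob"), "bob"))
    results["log_entries"] = str(len(ledger.audit_log))
    return results


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check:16} {outcome}")
```

The design point is that the segregation check is enforced at grant time (preventive), so the conflicting combination never exists, while the maker-cannot-approve check in `approve` is kept as a second line of defence in case the duty table is ever misconfigured. The audit log is what later makes "independent checks on performance" possible.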
Communication and Information
AIS objectives related to communication and information:
- Record all transactions, and only valid ones (completeness and validity)
- Classification
- Valuation
- Periodicity (recorded in the correct period)
- Presentation and disclosure
Risks?
Monitoring
- Effective supervision, including of upper management (by the BOD, audit committee, etc.)
- Responsibility accounting
- Internal auditing/SOX
- Fraud controls (e.g. rotation of duties, mandatory continuous one-week vacations)
- Modifications management
- Edit (exception) reports
- Whistleblower system (SOX requirement)
Modifications (Change Management)
Risks and controls are not static, and neither is the environment in which they operate. An effective internal control structure requires monitoring of changes for their potential impact.
Events to monitor:
- Turnover
- Control deficiency
- IT system upgrade/replacement
- Department restructuring
Overall IC Considerations
- A means to an end; standard controls are a guideline only.
- A system, with goals and interrelated components.
- Management's responsibility.
- Requires competence, honesty and ethical behavior.
- Reasonable assurance, not perfection.
- Cost-benefit.
- Controls need context: the company, what it stands for, the level of risk management is willing to tolerate, the industry risks involved, etc.
IC Fact
People are key to the success of any internal control framework. An effective internal control system design will fail without:
- Support from management (tone from the top)
- Effective communication to employees (policies, procedures and training)
- Monitoring, including an active and involved BOD and audit committee