
Risk


deron

Presentation Transcript


  1. Risk
     General Definition: exposure to the chance of adverse effects or loss; a hazard or dangerous chance
     Examples of risks to a company:
     • Erroneous Financial Statements
     • Loss of money
     • Incorrect shipments
     • Damage to reputation/brand

  2. Risk
     Components of risk?
     • Threat
     • Likelihood
     • Exposure

  3. Risk Response
     • Accept – Accept the likelihood and impact of risk; do not act to prevent or mitigate
     • Share – Split the risk with someone else (e.g. buy insurance, outsource activity, etc.)
     • Avoid – Do not engage in the activity that produces the risk (e.g. sell portion of business, exit a product line, do not expand, etc.)
     • Reduce – Implement an effective Internal Control system

  4. Controls
     General Definition: Process of exercising a restraining or guiding influence over the activities of an object, organism, or system
     Examples of controls in a company:
     • Authorization of Journal entries
     • Bank account reconciliation
     • Use customer P.O. as pick list
     • Product quality reviews/analysis

  5. Objective of Internal Controls
     To reduce the likelihood that a threat will come to pass and result in an unacceptable loss to the organization. (Mitigate risk)
     NOTE: The objective of Internal Controls incorporates the risk components.

  6. How to achieve IC objective?
     • Identify risks inherent in company, industry, etc.
     • Use risk components to assess the qualitative and/or quantitative value of risks identified
     • Determine Management’s risk appetite
     • Identify and evaluate existing internal controls
     Answer the question: Do the existing internal controls mitigate the identified risk to the level management is comfortable with?

  7. External Reporting Internal Controls
     Established to provide reasonable assurance that financial information is:
     • Prepared in accordance with GAAP
     • Not materially misstated
     • A fair representation of the activity of the company
     • Supported by appropriate source documents and detail
     NOTE: Sarbanes-Oxley Act’s main purview

  8. Internal controls
     Based on the risk assessment and risk appetite determinations, a company can establish an appropriate internal control structure for their company.

  9. Internal Control philosophy
     • Controls permeate, not dominate
     • Controls are everybody's, not just the accountant’s
     • Controls are part of the operation
     • Controls are built into the system

  10. Definitions
     • Compensating controls-
     • Key controls-
     • Entity level controls-

  11. IC Factors to Consider
     Pressures against adequate IC:
     • Lack of manpower
     • Cost (actual or perceived)
     • Reduction to productivity
     • Restriction to flexibility
     • Time constraints

  12. Practicality and Internal Controls
     Constant weighing of the risk associated with a process and the cost of implementing ideal controls.
     Remember theory and practice may not always coincide. A less than ideal control can be appropriate depending on the company’s business, management’s risk threshold and compensating controls.

  13. Types of Controls:
     • Preventive – Catches a problem before it occurs; high risk level
     • Detective – Catches an issue after the fact; high to medium risk level
     • Monitoring – Catches an item after the fact, usually only high level (i.e. large dollar amount, percentage change, etc.); low risk level
     Examples?

  14. Internal Control Systems (i.e. structure/framework)
     Internal control structure: The methods a business uses to
     • safeguard assets
     • provide accurate, reliable information
     • comply with applicable laws and regulations (i.e. OSHA, FDA, GAAP, etc.)
     • promote and improve operational efficiency
     • encourage adherence to prescribed managerial policies
     Basically, the internal controls put in place to mitigate the company's risks

  15. COSO Internal Control Framework?
     • Guidelines developed by the professional organizations most directly involved
     • Recognized standard by the industry, including Sarbanes-Oxley regulations

  16. COSO Internal Control Framework
     Considers internal controls a process:
     • effected by an entity’s board of directors, management and other personnel
     • which provides reasonable assurance of achieving management’s objectives in the following categories:
       • Effectiveness and efficiency of operations
       • Reliability of financial reporting
       • Compliance with applicable laws and regulations

  17. 5 Components of COSO IC Model
     • Control environment – tone at the top
     • Risk assessment – identification and analysis of risks
     • Control activities – policies and procedures
     • Information and communication – processing info for people to do their jobs
     • Monitoring – assess quality of internal control over time

  18. Enterprise Risk Management Model
     ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
     Moves from emphasis on risks relating to financial reporting and compliance to emphasis on ALL risks of the business. Examples?

  19. ERM Framework vs. COSO Framework
     • ERM incorporates COSO IC Framework, not a replacement
     • Adds three additional elements:
       • Objective Setting
       • Event Identification
       • Risk Response
     • ERM recognizes that risks can be accepted, avoided, diversified, shared or transferred as well as being controlled.
     • COSO focuses on past problems and concerns. The ERM framework takes a risk-based, rather than controls-based, approach to the organization, oriented toward future and constant change.

  20. The Internal (control) Environment
     • Commitment to integrity and ethics
     • Management’s philosophy and style
     • Organizational structure
     • Audit committee and the board (function)
     • Methods of assigning responsibility
     • Human resources policies and practices
     • External influences

  21. Internal Control Environment
     BOD needs to be active and involved
     • Necessary check and balance with management if they ask questions, scrutinize financials, oversee policy decisions/changes
     Audit committee should exist (SOX requirement)

  22. Objective Setting
     • Top management, with board approval, must articulate why the company exists and what it hopes to achieve (the corporate vision or mission).
     • The objectives need to be easy to understand and measure, prioritized, and aligned with the company’s risk appetite.
     • For each set of objectives, critical success factors must be defined and performance measures should be established.

  23. Events/Threats (negative)
     Business threats (economic, environmental, social, political…)
     Internal or external
     Occurs at wrong time, wrong sequence, wrong actors, wrong place…
     Information threats
     Recording/Processing/Reporting
     Tools for identifying

  24. Risk Assessment - COSO
     • Determine threats to the company
     • Estimate probability of threat occurring
     • Estimate exposure from each threat
     • Identify set of controls to guard against threat
     • Estimate costs and benefits of implementing controls
     • Evaluate whether to put controls in place
     • Implement controls (including training)
     • Monitor

  25. Risk Assessment—ERM
     • Objective setting: What does the enterprise wish to do?
     • Event identification: What could go wrong?
     • Risk assessment: Likelihood of event, exposure, cost/benefit?
     • Risk response: Avoid, reduce, share, accept…

  26. Risk Assessment & Response
     • Calculate expected loss
     • Determine costs of controls
     • Benefit = reduction in expected loss
     • Consider special reasons for investing in control even when cost > benefit
     • Risk appetite
     • Avoid, accept, share, reduce

  27. Control Activities
     • Authorization of transactions
     • Segregation of incompatible duties
     • Independent checks on performance
     • Safeguarding assets and information
     • Design and use of adequate records
     • Management and review of activities

  28. Communication and information
     AIS objectives related to communication & information
     • Record all, valid transactions
     • Classify
     • Valuation
     • Periodicity
     • Presentation and disclosure
     Risks?

  29. Monitoring
     • Effective supervision, including for upper mgmt (i.e. BOD, Audit Committee, etc.)
     • Responsibility accounting
     • Internal auditing/SOX
     • Fraud controls (i.e. rotation of duties, mandatory continuous 1 week vacations, etc.)
     • Modifications management
     • Edit reports
     • Whistleblower system (SOX requirement)

  30. Modifications (Change Management)
     Risks and controls are not static. Neither is the environment in which they operate. Effective internal control structure requires monitoring of changes for potential impact.
     Events to monitor:
     • Turnover
     • Control deficiency
     • IT system upgrade/replacement
     • Department restructuring

  31. Overall IC considerations
     • Means to an end, standard controls are a guideline only
     • System - with goals, interrelated components
     • Management’s responsibility
     • Requires competence, honesty, ethical behavior
     • Reasonable assurance, not perfection
     • Cost-benefit
     Controls need context – the company, what it stands for, what level of risk management is willing to tolerate, industry risks involved, etc.

  32. IC Fact
     People are key to the success of any Internal Control Framework. An effective internal control system design will fail without:
     • Support from management (tone from the top)
     • Effective communication to employees (policies, procedures and training)
     • Monitoring – including an active and involved BOD and Audit Committee

  33. Chapter 6 Problems Problem 6.8
