The Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) in the United States have repeatedly stressed that companies should apply a top-down, risk-based approach to assessing Internal Control Over Financial Reporting (ICFR) for Sarbanes-Oxley (SOX) Section 404.
An Institute of Management Accountants (IMA) research project completed in 2006, titled "COSO (Committee of Sponsoring Organizations) 1992 Control Framework and Management Reporting on Internal Control: Survey and Analysis of Implementation Practices", indicated that SEC registrants, their advisers, and auditors have widely divergent views on how to actually complete a top-down, risk-based review of ICFR.
This disparity in the definition and application of "risk-based" was confirmed in numerous comment letters sent to the SEC and PCAOB in response to their December 2006 exposure drafts relating to management and auditor assessments of ICFR for SOX. To provide a solid basis for discussion on this topic, the IMA drafted and exposed for comment a paper titled "A Global Perspective on Assessing Internal Control over Financial Reporting".
Key Steps in a Risk-Based Approach
The slide is a flow diagram; its boxes and decision points are listed here in order.
Business/Quality Objectives: statements of desired end results. They can relate to customer service, product quality, cost control, revenue maximization, regulatory compliance, fraud prevention, safety, reliable business information, and others.
Threats to Achievement: possible problems or situations that could result in non-achievement of an objective.
Control Portfolio: the controls selected (consciously or unconsciously). Controls are methods, procedures, equipment, or other things that provide additional assurance that objectives will be achieved.
Residual Risk Status: information that helps decision makers assess the acceptability of residual risk. Status data includes indicator data, impact information, impediments, risk transfer/insurance information, and any concerns.
Acceptable? Is the residual risk status acceptable to the work unit? Management? The board? Other key stakeholders?
• No: reexamine control design and/or business/quality objectives and develop an action plan.
• Yes: proceed to the next question.
Portfolio Optimized? Is this the lowest-cost set of controls given our risk tolerance?
• No: reexamine control design and/or business/quality objectives and develop an action plan.
• Yes: move on.
Other elements of the diagram: Risk Transfer/Insurance; Determine Key Stakeholders.
Goal of the Sarbanes-Oxley Act 2002:
To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws, and for other purposes.
All securities regulators around the world that want to ensure the fairness and attractiveness of their capital markets share this goal.
Capital market investors, venture capitalists, banks and other lenders, credit rating agencies, employees, pensioners, suppliers, customers, and many others rely to varying degrees on information contained in external financial disclosures.
The senior management team of every organization should therefore care whether its internal accounting processes are producing reliable information, both for investors externally and for resource allocation and strategic decision making internally.
Risk Criteria: Big-Picture Corporate Level
1. Implications for the company's credit rating
2. Implications for the company's reputation
3. Implications for the company's cost of capital
4. Personal implications for senior executives and the board
5. Audit firm resignations/refusals
6. Impact on the company's share price
7. Personal philosophy of the company's CEO, CFO, and board
8. Likelihood external auditor opinion on financial
Risk Management Process (AS/NZS 4360:1999)
Figure 4.1 Risk management process (AS/NZS 4360:1999 Risk Management). The figure's stages and their sub-steps, as the diagram shows them:
Establish the context
■ The strategic context
■ The organisational context
■ The risk management context
■ Develop criteria
■ Decide the structure
Assess risks (the next three stages):
Identify risks
■ What can happen?
■ How can it happen?
Analyse risks
■ Determine existing controls
■ Determine likelihood
■ Determine consequences
■ Estimate level of risk
Evaluate risks
■ Compare against criteria
■ Set risk priorities
■ Accept risks? Yes: go to monitor and review. No: treat risks.
Treat risks
■ Identify treatment options
■ Evaluate treatment options
■ Select treatment options
■ Prepare treatment plans
■ Implement plans
Running alongside every stage: Communicate and consult; Monitor and review.
Risk Rating and Risk Identification
Risk Rating (AS/NZS 4360): helps refine which accounts/areas in a company would most benefit from more rigorous and formal risk and control assessment.
Example:
Risk Identification (AS/NZS 4360): the process of determining what, where, when, why, and how something could happen.
Techniques for identification
• Research and observation: finding risks common to public companies from magazines and the web (www.auditanalytic.com)
• Company-specific history: learning from the company's own fault history and maturity
• Experience of senior-level staff
• Industry-specific scenario analysis: using all three techniques above where current controls cannot mitigate, e.g. Basel II scenario analysis to detect and prevent the next big disclosure disaster that has not yet happened elsewhere
• Risk source analysis: using a list of potential risk sources, e.g. the Card menu model
Risk Analysis and Sensitivity Analysis
Qualitative Analysis (AS/NZS 4360:1999)
Qualitative analysis uses word form or descriptive scales to describe the magnitude of potential consequences and the likelihood that those consequences will occur. These scales can be adapted or adjusted to suit the circumstances, and different descriptions may be used for different risks.
Semi-Quantitative Analysis (AS/NZS 4360:1999)
In semi-quantitative analysis, qualitative scales such as those described above are given values. The number allocated to each description does not have to bear an accurate relationship to the actual magnitude of consequences or likelihood.
Sensitivity Analysis (AS/NZS 4360:1999)
Since some of the estimates made in quantitative analysis are imprecise, a sensitivity analysis should be carried out to test the effect of changes in assumptions and data.
Quantitative Analysis (AS/NZS 4360:1999)
Quantitative analysis uses numerical values (rather than the descriptive scales used in qualitative and semi-quantitative analysis) for both consequences and likelihood, using data from a variety of sources.
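As an added illustration (not from the slides or from AS/NZS 4360) of semi-quantitative rating used to prioritise accounts for ICFR review, and of the sensitivity check the standard asks for: the account names, the descriptive scales and both numeric mappings below are constructed assumptions, and the point is that the top-ranked account changes when the (arbitrary) scale values change.

```python
"""Semi-quantitative risk rating of ICFR areas with a sensitivity check.
Illustrative code; scales, mappings and sample accounts are constructed."""
from itertools import combinations

# Descriptive scales (qualitative analysis) and two numeric mappings for them.
# The linear values are an assumption; the steep set weights the high end more.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
LINEAR_L = {w: i + 1 for i, w in enumerate(LIKELIHOOD)}          # 1..5
LINEAR_C = {w: i + 1 for i, w in enumerate(CONSEQUENCE)}         # 1..5
STEEP_L = dict(zip(LIKELIHOOD, [1, 2, 4, 8, 16]))                # doubling
STEEP_C = dict(zip(CONSEQUENCE, [1, 2, 4, 8, 16]))

def rate(accounts, lik_map, con_map):
    """Return {account: likelihood value * consequence value}."""
    return {name: lik_map[l] * con_map[c] for name, (l, c) in accounts.items()}

def rank(scores):
    """Accounts from highest to lowest score; ties broken by name."""
    return sorted(scores, key=lambda a: (-scores[a], a))

def sensitivity(accounts, mappings):
    """Rank under every mapping and report accounts whose relative order
    differs between any two mappings, i.e. where the rating is not robust."""
    rankings = {tag: rank(rate(accounts, lm, cm)) for tag, (lm, cm) in mappings.items()}
    unstable = set()
    for ra, rb in combinations(rankings.values(), 2):
        for x, y in combinations(accounts, 2):
            if (ra.index(x) < ra.index(y)) != (rb.index(x) < rb.index(y)):
                unstable.update({x, y})
    return rankings, sorted(unstable)

# Constructed sample: financial statement areas rated on the descriptive scales.
ACCOUNTS = {
    "revenue recognition": ("likely", "major"),
    "inventory valuation": ("possible", "catastrophic"),
    "fixed assets": ("unlikely", "moderate"),
    "payroll": ("almost certain", "minor"),
}
MAPPINGS = {"linear": (LINEAR_L, LINEAR_C), "steep": (STEEP_L, STEEP_C)}

if __name__ == "__main__":
    rankings, unstable = sensitivity(ACCOUNTS, MAPPINGS)
    for tag, order in rankings.items():
        print(tag, order)
    print("ranking depends on the scale values for:", unstable)
```

Under the linear mapping revenue recognition scores 16 against inventory valuation's 15; under the steep mapping both score 64, so the priority between them is an artefact of the numbers chosen rather than of the underlying judgement.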