#3 ICFR implementation: Identification and assessment of risks
In my previous article, I ended with the conclusion that formalized and standardized business processes make it easier to identify any weak or missing internal controls, which should then be added or modified to protect the business effectively from errors in financial reporting and to diminish the effect of adverse external events or fraud by personnel.
What steps should be taken to start the process of identifying and assessing risks? What definition of risk applies to a business process?
A business process risk is a potential (non-monetarized) or realized (monetarized) negative outcome that causes losses or other negative consequences for management or shareholders.
Risk assessment approach
In order to decide which risks are significant for the company and require permanent monitoring, and which are not, it is crucial to define the risk criteria against which they are assessed. Usually, two factors are considered:
Materiality
As an example, the materiality of outcomes could be:
The materiality thresholds could in some cases be linked to the materiality assessed during the audit (a reconciliation with the internal/external audit programs should be performed). However, they could differ depending on the control priorities of management. Usually, the audit materiality level is higher, because in most cases the goal of the audit is to confirm that the company's financial statements are true and fair in all material respects.
Probability (an example)
A single case may not be material on its own, but if, for example, it happens 20-30 times per month, the cumulative negative effect (loss) could be very significant for the company.
In addition to the two criteria mentioned above, companies also take into account non-monetary risk factors that could adversely affect the business. These are:
a) Health, safety and environmental issues
b) Reputation.
Based on the assessment of all criteria, the company may divide the risk acceptance level into 3 zones:
See an example below:
For practical purposes, all criteria could be weighted and the overall assessment could be expressed as a ratio.
Depending on the key interests and values of shareholders and management, some individual criteria or factors could place a risk in the critical zone even if it is not material in monetary terms. For example, a shareholder may be keen on its reputation, so any negative article is assessed as a critical incident. Or a shareholder may be very sensitive to staff turnover, so the turnover percentage becomes a critical risk assessment factor.
In order to make this risk assessment work, it is better to formalize the process described above in the form of internal procedures and to re-assess all criteria on a regular basis.
Identification of risks within a business process
As soon as you know which potential negative outcomes your business is sensitive to, the next step is to go through your formalized business process and critically assess the potential risks at each step. There are two ways to identify weak or missing controls and risky places in the process:
1) to collect statistics on monetarized negative issues/risks;
2) to look at the process from the point of view of best practices.
The first approach is called incident management, and we will discuss it separately in one of the next articles.
The second approach draws on different reliable sources of information on risks attributable to the different business process areas. These sources could include audit programs and materials from reliable bodies such as the Association of Certified Fraud Examiners, the Institute of Internal Auditors and others.
You can assign a number to each identified risk and mark those numbers on the business process map. In addition, all risks and their brief descriptions are recorded in the corresponding risk matrix. It is not mandatory, but it is useful to classify the type of risk or the risk assertion.
Examples: valuation, cut-off, accuracy, bona fides and others.
Control procedures versus risks
Once business process risks are identified, it is important to investigate whether they are addressed and mitigated by corresponding control procedures.
The control procedures could be of different types: a) preventive b) detective c) warning d) monitoring.
Preventive controls – controls which prevent the process role from wrongdoing or mistakes. For example, the input data field has a maximum allowable number of digits for posting the invoice value. This prevents the accountant from posting incorrect values by mistake.
Detective controls – cover checks performed in order to detect mistakes that have already occurred. As an example, just before closing the cash account, the accountant performs a reconciliation among the books, bank statements and other sources of information.
Warning controls – warn the participants of the process about the risk.
Monitoring controls – cover monitoring actions that confirm the correctness of the result. As an example, after closing the reporting period, the financial controller performs an analytical comparison of revenue for the reporting period with the previous period, together with a corresponding factor analysis, in order to explain the increase/decrease. The controller should identify all material logical explanations: for example, an increase in selling price of XX%, an increase in volumes of XX%, a change in sales mix of XX%. If any unexplained difference remains after the monitoring procedure, it can signal a potential cut-off problem (an unrecorded invoice).
The controls could be automatic or manual.
If, when documenting the business process, you recorded it properly step by step, you most likely already described the existing control procedures. In this case, you should highlight and number the controls on the process map and put them into the risks and controls matrix.
The contents of the risk matrix could differ depending on the priorities of the matrix owner.
Usually, it includes the risk description, risk assessment, name of the control procedure, its description, type, regularity, control executor, control status (active or planned) and some other information (e.g. the IT system involved, references to the internal procedures, etc.). An example of a risk matrix is below.
When you have formalised your business process and identified the risks in the process and the corresponding control procedures that mitigate them, the next step is to assess how effective your control system is. This topic will be covered in my next article.
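The weighted zone assessment described under "Risk assessment approach" and the risks-and-controls matrix check described above, as an added example that is not part of the original article. The weights, score bands, factor names and sample risks/controls are constructed assumptions, not a standard; the point is the critical-factor override (a reputation score alone can force the red zone) and the listing of significant risks that have no active control.

```python
from dataclasses import dataclass

# Constructed assumptions: each criterion is scored 1..5, weighted, and the
# weighted total (0..1) is mapped to a zone. Any factor in CRITICAL_FACTORS
# scored at the maximum forces the red zone regardless of the weighted total.
WEIGHTS = {"materiality": 0.5, "probability": 0.3, "hse": 0.1, "reputation": 0.1}
ZONE_LOWER_BOUNDS = [(0.0, "green"), (0.4, "yellow"), (0.7, "red")]
CRITICAL_FACTORS = {"reputation"}
ZONE_ORDER = {"green": 0, "yellow": 1, "red": 2}

@dataclass
class Risk:
    rid: str
    description: str
    scores: dict  # factor name -> score 1..5

@dataclass
class Control:
    cid: str
    risk_ids: list   # risks this control mitigates
    ctype: str       # preventive / detective / warning / monitoring
    status: str      # active / planned

def weighted_score(risk):
    # Normalise each 1..5 score to 0..1 before weighting.
    return sum(WEIGHTS[f] * (risk.scores[f] - 1) / 4 for f in WEIGHTS)

def zone(risk):
    if any(risk.scores[f] == 5 for f in CRITICAL_FACTORS):
        return "red"  # critical-factor override (e.g. reputation)
    total, result = weighted_score(risk), "green"
    for lower, name in ZONE_LOWER_BOUNDS:
        if total >= lower:
            result = name
    return result

def uncovered_risks(risks, controls, min_zone="yellow"):
    # Risks at or above min_zone with no *active* control pointing at them.
    covered = {r for c in controls if c.status == "active" for r in c.risk_ids}
    return [r.rid for r in risks
            if ZONE_ORDER[zone(r)] >= ZONE_ORDER[min_zone] and r.rid not in covered]

# Constructed sample data.
RISKS = [
    Risk("R1", "Invoice posted with wrong value", {"materiality": 5, "probability": 4, "hse": 1, "reputation": 1}),
    Risk("R2", "Small but frequent cash discrepancies", {"materiality": 2, "probability": 5, "hse": 1, "reputation": 1}),
    Risk("R3", "Negative press about the company", {"materiality": 1, "probability": 1, "hse": 1, "reputation": 5}),
    Risk("R4", "Minor stationery overspend", {"materiality": 1, "probability": 2, "hse": 1, "reputation": 1}),
]
CONTROLS = [
    Control("C1", ["R1"], "preventive", "active"),   # digit limit on invoice value field
    Control("C2", ["R3"], "monitoring", "planned"),  # planned, so R3 is still uncovered
]
```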