IFAC
[pic] | |
|Foreningen af Statsautoriserede Revisorer |
|Kronprinsessegade 8, 1306 København K. Telefon 33 93 91 91 |
|Telefax nr. 33 11 09 13 e-mail: fsr@fsr.dk Internet: fsr.dk |
The Technical Director of
International Auditing and Assurance Standards Board
535 Fifth Avenue, 26th Floor
New York, New York 10017 USA
14 April 2003
msr/nea/dor (X:\Udvalg\REVU\KOR\2003\Letter140403_IAASB.doc)
Dear Sir
Audit Risk; Proposed International Standards on Auditing and Proposed Amendment to ISA 200 “Objective and Principles Governing an Audit of Financial Statements”
We appreciate the opportunity to provide our comments to the proposed international standards on auditing “Audit Risk” and the proposed amendment to ISA 200 “Objective and principles governing an audit of financial statements.”
General
We appreciate that the ISAs generally are drafted to contain basic principles and essential procedures together with related guidance that apply to the audits of financial statements of any entity, irrespective of the size. However, in Denmark, and probably in other countries as well, there are a significant numbers of small and medium sized entities (SMEs) requiring a full scope audit in accordance with the ISAs, as the ISAs are in the process of being implemented in Denmark as standards on auditing for all entities. Accordingly, in order for auditors’ to ensure that the audit of SMEs are planned and performed in accordance with these standards on auditing we propose that the ISAs in general include special audit considerations applying to the audit of SMEs, and especially, that the new proposed standards where the requirements are more extensive than previously include special audit considerations applying to the audit of SMEs, preferably in a separate chapter or in an appendix to the standards.
In relation to the proposed standards for “Understanding the entity and its environment and assessing the risks of material misstatements” we suggest that special audit considerations applying to the audit of SMEs include a description of the required considerations, procedures, discussions and documentation of the main chapters, being “Risk assessment procedures and sources of information about the entity and its environment, including its internal control”, “Understanding the entity and its environment, including its internal control” and “Assessing the risks of material misstatement”.
ISA XX “Understanding the entity and its environment and assessing the risks of material misstatements”
The concept of objectives and strategies and related business risks as described in paragraphs 36 – 44 is theoretically correct and relevant. However, applying this in practise is in our opinion difficult. According to our experience the vast majority of all companies do (?) not have a formalised risk assessment process in place. Furthermore, in relation to SME’s there are certain factors which complicate these considerations as well.
Attached as exhibit 1 we have drafted these considerations which may be helpful to consider for IAASB when providing guidance on the concept of a risk assessment process as well as considerations in relation to SME’s. This exhibit should be viewed as a supplement to the existing appendix 2.
We have identified five factors that should be considered in evaluating the impact of size on risk and risk management as follows:
Resistance to internal and external change generally increases as size increases
Expertise is harder to develop in smaller businesses
Awareness is heightened in a smaller business where management is close to the front line
Communication is more direct in smaller businesses
Objectivity decreases with size because management generally has fewer sources of information
Resistance
The size of a business affects its resistance to internal and external change. The ability of a business to withstand adverse conditions reduces with size. But smaller businesses also have greater potential for management to move swiftly to seize new opportunities. Reduced resistance to change is a source of strength and weakness to smaller businesses.
The management of growing businesses may struggle to adapt to increasing resistance to change. They can become frustrated that they cannot “make things happen” as easily as they used to do. They may also appear paranoid to outsiders if they continue to regard themselves as the “little guys” when that is no longer the case. The management of a business that has been downsized or spun out of a larger group can also struggle to adapt to being smaller. They are likely to be too cautious in introducing change and too slow in reacting to it.
Expertise
Because smaller businesses have fewer people, there is less opportunity to develop specialist expertise. Hence management is less likely to have access internally to expertise across many of the disciplines required to be successful. This may be reflected not only in accounting matters but also in other areas such as in marketing, production or product development. This will create extra risks as well as opportunities to outsource or enter into alliances and networks with other businesses.
The management of a growing business often struggle to adapt to the new roles that are relevant in a larger business. Step changes occur when the business recruits a Finance Director (after previously relying on a bookkeeper and the auditors) and when the Chief Executive is expected to stop being a soloist (such as the company’s leading salesman or designer) and become a conductor. In a business that has downsized, management faces the opposite challenge. They need to release expensive specialists who are not central to the business or ask them to take on broader responsibilities. The chief executive may also need to “get his hands dirty” and “pay for himself” instead of organizing everyone else.
Awareness
In a smaller business, management has a high degree of involvement in the running of the business and is close to the “front line”. The consequence of this can be greater risk awareness. However, there is a danger that management may be too closely involved to see the wood for the trees.
In growing business management will need to introduce new reporting systems to find out what is happening on the ground. They will be in danger of losing contact with reality if they continue to rely too heavily on direct observation and personal contact. By contrast, unless they do more “management by walking about” the management of a business that has downsized is likely to be criticized for “sitting in an ivory tower” and relying on bureaucratic reporting procedures.
Communication
Having shorter lines of communication not only affects smaller businesses’ awareness of their environment. It also affects the way that management communicates with and controls those who work on the front line and how employees communicate with management. Communication is more direct.
For a growing business the challenge is to recognize that communication will actually get worse if management continue to rely on one-to-one contact. It will take too long for messages to be transmitted and they will become distorted. Management will have to use new types of mass communication and feedback. However, in situations where face-to-face communication is possible, management will lose respect if they use formal and impersonal types of communication appropriate to a large organization. This is a particular danger when a company has downsized or been spun out of a larger group but management are wary about dismantling established reporting and control structures.
Objectivity
Smaller businesses with fewer people have fewer independent sources of information and experience. Where information and experience can be cross-checked and challenged it is naturally easier for management to be objective. The difficulty of getting two or more views of the same transaction is at the heart of concerns about the lack of segregation of duties in smaller businesses.
In a growing business, management may find it difficult to acknowledge the different viewpoints and experiences as well as the skepticism that characterize a large organization. This may in turn lead to secrecy, efforts to bypass approval and authorization procedures and individualistic behavior, which are harmful to the business. For a business, which has downsized, management will need to address the concern that irreplaceable knowledge and experience have been lost forever and that as a result avoidable mistakes will be made.
Attached as exhibit 2 we have drafted considerations in relation to typical business risks and included definitions considered helpful for the auditor to understand. Furthermore, we have included guidance in respect of how these typical business risks apply to SME’s (i.e., Red means that they are relevant to SME’s, Yellow means neutral in relation to relevance and finally Green means that they are typically not relevant to SME’s). This exhibit should be viewed as a supplement or replacement to the existing appendix 3.
Paragraphs 50 through 94 deals with internal control including the requirement to obtain an understanding of the components of internal control and guidance on obtaining the understanding. Appendix 2 contains further guidance to assist the audit in understanding the components of internal control, including their application to small entities.
This additional guidance is somewhat helpful in the auditors understanding of the components of internal control, including their application to small entities. However, we find that guidance as to how the understanding of the components of internal controls, especially for small entities, affect the auditors’ understanding of the entity’s environment and the assessed risks of material misstatement limited, and consequently it seems unclear, how the auditor’s procedures in response to the assessed risks will be affected.
Generalizations should not be made regarding the effectiveness or ineffectiveness of controls for small, owner-managed companies until a specific assessment is made. Many owner-managers have very good controls over their core business activities, despite needing assistance or process improvements in accounting and financial reporting areas. The direct involvement of the owner-manager in critical areas of the business is a very effective control and can often compensate for other control weaknesses, including instances where segregation of duties is not ideal.
Attached as exhibit 3 we have included considerations in relation to SME’s as it relates to key audit risk areas for the following:
Accounting Principles and Practices
Judgements and Estimates
Critical Business Processes
Financial Reporting Process
The above issues are primarily dealt with in paragraph 77 and 80 and it may be considered to expand the current appendix 2 in this respect for SME’s.
ISA XX “The auditor’s procedures in response to assessed risks”
When the auditor plans to rely on controls that have not changed since they were last tested, paragraph 38 requires the auditor to test the operating effectiveness of such controls at least every third audit.
We concur with the proposed limitation in the ability of the auditor to use evidence obtained in a prior audit. We also concur with the proposed limitation of every third audit.
Documentation
In the proposed international standards on auditing the IAASB considers that documentation requirements are important as a means of ensuring that auditors comply with significant requirements of the standards. The requirements are more extensive than previously.
We find that it is appropriate for the IAASB to establish detailed documentation requirements. We also find the proposals practical.
Other comments
We have discussed the concepts of “risk of material misstatement” and “significant risks”. It is our opinion that the concepts are connected with some uncertainty as the latter does not seem to be defined in the new standards. If a risk is significant when, together with other risks, it can lead to a material misstatement, it makes sense and supports the fact that the auditor in his planning must deal with lower criteria of materiality on the level of audit considerations than on the superior level. However, we are not convinced that the standards will be interpreted in this way everywhere around the world which is why we recommend a clarification.
For example in ISA 200, paragraph 16, the expression “material to the financial statement taken as a whole” is used. Previously we have called for a reasonable explanation of “taken as a whole”, as according to the ISAs an assessment of whether the financial statement on a superior level contains a material misstatement is not enough for the auditor. The auditor is expected to decide whether the relevant users of financial statements risk to be misguided by for instance incorrect part results or central single statements in the financial statement. We call for necessary guidance.
---oo0oo---
Please do not hesitate to contact us if you require further clarifications or comments.
Yours sincerely
Morten S. Renge Niels Ebbe Andersen
Chairman of the Auditing Technical Director
Standards Committee
|Activity |Definition |Impacts of small size and management ownership |
| | | |
|1 Establish goals and objectives |1. Senior management defines the |Values |
| |organisation’s risk management goals and |Personal goals become organizational goals. Impact of owners’ attitudes to personal risk and security. Depends on stage |
| |objectives: |of life, family succession plans, and retirement goals. |
|[pic] |Risk Assessment Process |May be reluctant to share "private" goals and objectives beyond the family, so that employees do not understand the aims |
| |Risk Tolerances/ Boundaries/Limits |of the business. |
| | |May be diversity and inconsistency of goals. There may also be disagreement between family members and uncertainty about |
| | |objectives because of the lack of a succession plan. |
| | |Personal goals may be to pursue profit by any means or to minimize tax. |
| | |Traditional family owned companies may be reluctant to articulate their goals for the business and may be hindered by a |
| | |paternalistic approach. |
| | |Management are more likely to show a commitment to achieve goals and objectives that is absent in a business where |
| | |management and ownership are split. An owner can become a clear embodiment of what the business stands for. |
| | | |
| | | |
| | |Expertise |
| | |Lack of expertise may mean that managers are unable to articulate clear goals. |
| | |Management are less likely to know how to quantify risk tolerances and limits, for example in relation to financial |
| | |exposures (currency, interest rates, gearing etc). |
| | |Although there may be outside stakeholders (e.g. bank or venture capitalists), management may not be used to dealing with |
| | |them. In the absence of an open relationship, there may be confusion about outsiders’ objectives. |
| | | |
| | | |
| | |Communication |
| | |Easier to communicate goals and objectives informally and on a day to day basis to a smaller organization, providing |
| | |management have an open style. |
| | | |
| | | |
| | |Objectivity |
| | |Because of small number of people, less potential diversity of attitudes and experience amongst management and less scope |
| | |for “reality checks”. |
|2 Assess Business Risks |2. Senior management evaluates changes in |Values |
| |the environment, in key assumptions |Wider range of external factors need to be taken into account (e.g. changes in personal tax regime, family circumstances |
| |underlying business strategies and in |etc.). |
|[pic] |business lines, products and business |Personally motivated to track risks that affect personal wealth and lifestyle. |
| |processes and the impact of these changes | |
| |on potential risks to the entity. |Expertise |
| | |Reliance on professional advisers to help with risk identification, e.g. banks, accountants and lawyers. However, none of|
| | |these advisers may be explicitly involved in helping analyze the underlying financial risks of the business, e.g. what are|
| | |the economic effects of changes in exchange and interest rates and commodity prices on input and output markets and |
| | |competitiveness. |
| | |Franchisees rely on franchisers' expertise to identify many risks e.g. product development. |
| | |Small businesses have to protect their distinctive competitive advantage and so tend to closely monitor the competitive |
| | |environment in order to avoid dilution of their expertise. Effort will be directed towards niche opportunities that the |
| | |business can exploit. |
| | |Due to lack of wide expertise, management may need to use industry and government training and awareness schemes to |
| | |appreciate risks facing the business. |
| | |Standalone small companies cannot access parent company expertise. |
| | | |
| | |Awareness |
| | |Typically close to the market with good industry knowledge and awareness of risks. However, may be too close to the |
| | |detail to be aware of wider economic influences on the business. |
| | | |
| | |Communication |
| | |Small number of people means more direct formal and informal communication from and to managers. However, documentation |
| | |of identification and prioritization or risk (e.g. in board minutes) less likely due to close contact and communication. |
| | | |
| | |Objectivity |
| | |Management may have too high an opinion of themselves and their ability to manage the business epitomized by an attitude |
| | |of "it won't happen to me". Lack of objectivity due to small number of people and narrow range of experience. |
| | |Lack of broad experience may prompt networking with peers to understand risks, e.g. Chamber of Commerce and trade |
| | |associations. |
|2 Assess Business Risks |3. Senior management implements processes |Expertise |
| |or activities to assess business risks and|Core processes often controlled by key management themselves who occupy their position in the business precisely because |
| |information and information processing |of their skills in these processes. |
|[pic] |risks (identify, source, measure) at the | |
| |business process/activity level. |Awareness |
| | |Management more likely to be involved in the front line and aware of developments in environment and critical processes. |
| | |There is no formal planning cycle to prompt updating of knowledge about the environment. Management are therefore |
| | |reactive rather than proactive in updating their awareness. |
| | | |
| | |Communication |
| | |Senior managers lead by example and are highly visible in a compact environment. |
| | |Formal policy and role definition unlikely. Informal communication can lead to duplication of effort or key processes not|
| | |being covered. |
| | | |
|Develop Business Risk Management Strategies |4. Senior management implements processes |Resistance |
| |or activities to assess business risks and|Fewer risk management strategies are available to a small business. For example, it probably cannot afford investment to |
| |information and information processing |diversify its portfolio of risks. |
|[pic] |risks (identify, source, measure) at the |The selection of the right risk management strategy is more likely to be critical to survival. |
| |business process/activity level. |Without the backing of key individuals, employees may be powerless. |
| | | |
| | |Expertise |
| | |Outsourcing of a variety of functions is likely as a consequence of lack of expertise, and might include: |
| | |~ Close the books process and preparation of financial statements to auditors |
| | |~ Payroll processing to a bureau |
| | |~ Sales to retail franchisees or product development to a franchisor |
| | |~ Market intelligence to industry body or external researchers |
| | |~ Factoring of debts to third party to manage collection and cash flow |
| | |~ Formulation of business plans to consultants and advisors |
| | |~ Overseas debt insurance to government agencies |
| | |~ Other insurance needs to brokers. |
| | |Heavy reliance placed on bankers to help select appropriate simple financing/treasury strategies, including: |
| | |~ Choice of overdraft or loan at variable or fixed interest rates |
| | |~ Forward currency buying on specific transactions. |
| | |Potential lack of sophistication in briefing and controlling outsourcing suppliers. |
| | |No proper cost/benefit analysis of different risk management strategies (e.g. credit extension controls v. pricing, |
| | |quality control v. replacement policy) |
| | | |
| | |Communication |
| | |Short lines of communication allow management to identify changes quickly and develop new strategies. No need for a |
| | |formal approval process. |
| | |Short lines of communication also allow changes to be implemented quickly and effectively. |
| | | |
| | |Objectivity |
| | |Small number of people to allocate roles to particularly for new risks; less resource for developing strategies and |
| | |potential lack of objectivity. |
| | |Less potential for segregation of duties as a consequence of size. May necessitate other strategies apart from control to|
| | |manage risk. |
|Design/Implement Risk Control Processes |5. Senior management ensures that risk |Resistance |
| |managers and process/activity owners: |Easier for management of small business to identify, address and overcome resistance to change. Dissidents and |
| | |foot-draggers cannot hide. |
|[pic] |Have the requisite skills and expertise to| |
| |design and implement risk control | |
| |processes/ activities (commensurate with |Expertise |
| |the risk management strategies). |Core processes often directly controlled by top manager or owner who is in that position precisely because of their skill |
| | |in that area. However, in other areas management may lack the knowledge to supervise others effectively. |
| |Assume responsibility for and understand |Smaller companies have less chance to consult inhouse expertise and need to outsource more skills due to lack of |
| |their accountability for managing |specialist knowledge. |
| |significant risks. |Small growing companies may not have the finances to recruit the best most experienced people. The impact of effective |
| | |recruitment is higher when there are few people. |
| | | |
| | | |
| | |Awareness |
| | |Easy to manage “entity wide” risks due to size. |
| | | |
| | | |
| | |Communication |
| | |Close supervision due to size of organization ensures people are aware of their responsibilities and assessment of |
| | |performance is easy. |
| | |Formal and detailed job descriptions unlikely - responsibilities communicated orally |
| | |Unlikely to have clear written policies communicating criteria for promotion and advancement: achieved through oral |
| | |communication and personal feedback. |
| | |Lack of formality can lead to confusion, fear of asking “stupid questions” and mistakes (e.g. in relation to covering |
| | |currency risks, insuring special risks, etc.) |
| | |Unlikely to have sophisticated rewards schemes and performance measures to establish and reinforce accountability and |
| | |responsibilities. |
| | | |
| | | |
| | |Objectivity |
| | |Small number of people makes segregation of incompatible duties harder to achieve, although objectivity may be achieved |
| | |where there are users of information outside the area in which information is sourced. |
|4 Design/Implement Risk Control Processes |6. Senior management effectively assesses |Awareness |
| |the timeliness, efficiency and |Management typically have close day to day involvement in the business and so are aware of how it is going. |
| |effectiveness of the design of new or |Management are probably more cost-conscious and keen to measure the impact of new measures, look for quick results and |
|[pic] |improved risk control processes. |assess whether controls are cost-effective. |
| | |Typically very aware of and closely monitor sales orders, cash and the bottom line. |
| | | |
| | | |
| | |Communication |
| | |In a smaller company environment it is easier to communicate responses to control exceptions. |
| | | |
| | | |
| | |Objectivity |
| | |Close management identification with controls may lead to an “Emperor’s clothes” syndrome about their effectiveness. |
|Monitor Business Risk Management Process |7. Senior management effectively |Values |
|Performance |measures/monitors/ |Personal interest likely to stimulate passion for monitoring. |
| |assesses the performance effectiveness of |Likely to benchmark against own expectations, personal standards and targets required to maintain standard of living. |
| |the BRMP: | |
|[pic] | | |
| |Identifying and managing specific risks |Awareness |
| |(including the utilization of all “audit” |Size of business makes it easier for management to have an all-encompassing holistic awareness of performance. |
| |opportunities) and in executing strategies|Shorter chain of communication means less distinction between process owners and senior management. |
| |to create value. |Often operating at the margin, monitoring is crucially important. At a minimum, typically review performance monthly. |
| | |Usually very focused on cash monitoring. |
| |Benchmarking against competitors and best | |
| |practices. | |
| | |Objectivity |
| | |Size means less likely to have an inhouse internal audit function to monitor effectiveness although ISO 9000 audits may be|
| | |performed. |
| | |Opportunities for benchmarking outsourcing. |
| | |Publicly available benchmark partners for businesses of similar size may be limited. |
| | |Benchmarking to peers more typically done informally on the golf course rather than formally using GBP, stock betas, etc. |
| | |Standalone entity cannot benchmark against other divisions within the group. |
|Improve Business Risk Management Process |8. Senior management ensures that risk |Values |
| |assessment, control and monitoring |Nepotism may mean that owners are unlikely to fire family members |
| |processes/activities are continuously |Owners may be reluctant to make changes to a business, which is integral to their lifestyle. |
|[pic] |improved throughout the organization. |Attitude to improvement driven by personal goals and objectives. |
| | | |
| | | |
| | |Resistance |
| | |It is easier for top management in a small business to decide that improvements will be made and to flush out objections |
| | |and skepticism. |
| | |Small size enables a flexible approach and quicker implementation changes. |
| | | |
| | | |
| | |Expertise |
| | |Small company with less expertise should be more responsive to ideas and suggestions from external auditors. Typically |
| | |have close relationship with audit partner/manager and ask for advice. |
| | |Increasingly, smaller businesses are signing up for ISO 9000 type schemes with an element of continuous improvement |
| | |philosophy. |
| | | |
| | | |
| | |Communication |
| | |Close proximity of different functions facilitates cross-fertilization of improvement ideas. |
| | |Free communication of suggestions for improvement should be easy unless there are personality conflicts, and communication|
| | |of changes should be easily achieved. |
| | |Less need to rewrite formal policies and documentation to reflect changes. |
| | | |
| | | |
| | |Objectivity |
| | |Management may be happy with the way they are running the business on the basis that they "have managed OK so far". |
| | |In a smaller business it is harder to get an objective view of alternative ways of doing things and possibilities for |
| | |improvement. |
|Information for Decision Making |9. Senior management ensures there is |Expertise |
| |adequate communication and information for|Management information may not be prepared monthly in the smallest businesses although operational rather than financial |
| |decision making: |information may be more closely monitored. |
|[pic] | |Opportunities for outsourcing management reporting. |
| |Enabling them to know that all BRMP | |
| |activities are performed as intended. | |
| | |Awareness |
| |Enabling risk managers and |Close observation of the business and awareness of performance are possible due to the size of the organization. |
| |process/activity owners to clearly |There is less need for formal documentation. |
| |understand their responsibilities and | |
| |accountabilities | |
| | |Communication |
| | |Small size can mean that open and candid communication is naturally achieved as part of day to day life. On the other |
| | |hand, a dominant individual can intimidate easily. The character of the individual is a more important factor than in a |
| | |larger business. |
| | |Formal documentation and policy statements less likely. Oral communication is more important in a close environment. |
| | |Distinctions between the information needs of the Board, senior management, risk managers and process owners are less |
| | |relevant. |
| | | |
| | | |
| | |Objectivity |
| | |Objectivity in decision making impaired because fewer sources of information are available in smaller businesses. |
Exhibit 2: The Impact of Size and Management Ownership on Business Risks
|Business Risk (Red) |Risk definition |The small size and management ownership increases relevance |
| | | |
|Environment risk | | |
|Capital availability |Insufficient access to capital threatens the organization’s capacity to |Capital constraints where management is not prepared to give up management ownership. |
| |grow, execute its strategies and generate future financial returns. |Generally, investor concerns about lack of resistance to adverse conditions will also limit |
| | |access to capital providers. |
|Competitor |Actions of competitors or new entrants to the market threaten the |Because of size and therefore potential vulnerability/lack of resistance, inherent risk is |
| |organization’s competitive advantage or even its ability to survive. |higher unless the business is a niche player with a particular expertise resulting in reduced |
| | |sensitivity. |
|Financial markets |Movements in prices, rates, indices, etc. threaten the value of the |In view of size and management ownership, generally higher leverage. This leads to higher |
| |organization’s financial assets. |sensitivity to changes in rates/prices etc. |
|Labor availability |The recruitment of skilled laborers is threatened, as there has been |Because of size, there are fewer resources to recruit labor with appropriate expertise. |
| |recent downsizing, smaller labor pools, increased competition, and the |Vulnerability and lack of resistance may also make the business an unattractive employer for job|
| |shift to a white-collar business environment. |security reasons and management ownership may block advancement prospects. Small businesses |
| | |tend to be understaffed and employees typically have more all-round skills. |
|Sensitivity |Over commitment of resources and expected future cash flows threatens the |Equivalent to concept of resistance. Higher inherent risk as a consequence of financial |
| |organization’s capacity to withstand changes in environment (e.g., |leverage and the reduced financial and labor resources of a small size organization. However, |
| |interest rates, market demand, changes in regulations, etc.) forces beyond|small size can enhance ability to respond quickly. |
| |its control. | |
| | | |
|Process risk | | |
|Business interruption |Business interruptions stemming from the unavailability of raw materials, |Generally less capital and fewer skilled labor resources mean inherently higher risk. Absence |
| |information technologies, skilled labor or other resources threaten the |of size and expertise reduces resistance. |
| |organization’s capacity to continue operations. | |
|Capacity |Insufficient capacity threatens the organization’s ability to meet |Resistance issue. Generally higher inherent risk of insufficient capacity due to small size and|
| |customer demands, or excess capacity threatens the organization’s ability |therefore vulnerability; tendency to understaffing due to economies forced by size. |
| |to generate competitive profit margins. | |
|Labor/employee |The risk that the management of operations does not possess the necessary |Expertise issue. Significantly higher inherent risk due to economies of scale/size of |
| |knowledge, skills, experience and authority to ensure that critical |organization. Generally more all-round and less specialized skilled labor. |
| |business objectives are achieved. | |
|Trademark/Brand name erosion |Erosion of a trademark or brand name over time threatens the demand for |Generally higher inherent risk as more at stake. Generally name/reputation is a key |
| |the organization’s products or services. |differentiating factor for a small company/niche player. Reputation often linked to expertise |
| | |of individuals or awareness of, and responsiveness to, market needs. |
|Outsourcing |Outsourcing activities to third parties may result in the third parties |Inherently higher risk as generally higher occurrence of outsourcing for small companies because|
| |not acting within the intended limits of their authority or not performing|size limits availability of expertise and resources. |
| |in a manner consistent with the organization’s strategies and objectives. | |
| | | |
|Access |Failure to adequately restrict access to information (data or programs) |Generally significantly higher likelihood in view of size of organization: less capacity for |
| |may result in unauthorized knowledge and use of confidential information, |segregation of duties so access rights need to be wide with potential consequences for |
| |or overly restricting access to information may preclude personnel from |objectivity of information. Less likely to have formal procedure/role for communication and |
| |performing their assigned responsibilities. |monitoring of user access rights. On the other hand, significance of risk might be lower in |
| | |view of awareness and supervision of management. Management ownership may also lead to undue |
| | |protectiveness. |
|Management fraud |Management fraud (e.g., intentional misstatement of financial statements) |Linked primarily to issues of resistance, communication, objectivity and values. Small |
| |may adversely affect external stakeholders' decisions. |businesses are more likely to have high bank borrowings and loan covenants and/or to give |
| | |personal guarantees to the bank. This can result in pressure to meet covenants and protect |
| | |personal guarantees. The owner manager’s dominant position can override internal controls |
| | |leading to an increased risk of management fraud. Reputation of management is closely linked |
| | |with reputation of the company particularly in owner-managed businesses (“management is the |
| | |company”). |
|Liquidity-cash flow |The inability of a company to fund its operational or financial |Inherent risk higher in view of generally reduced availability of capital resources due to |
| |obligations which may lead to default or loss of production. |values or lack of resistance. Smaller businesses may not have the expertise to budget and |
| | |forecast operations. May use strong awareness and communication to manage current cash flow |
| | |(timing of payments and follow up on collections) but not develop projections of future cash |
| | |needs. |
|Liquidity-concentration |The risk of loss resulting from the inability to liquidate financial |Probably higher inherent risk of (excessive) reliance on a few customers and stock lines which |
| |market exposures in a "thin" market. |weakens the firm’s resistance to predatory pricing and adverse changes in demand. |
|Liquidity-opportunity cost |The use of funds in a manner that leads to the loss of economic value, |Lack of treasury expertise can lead to missed opportunities. |
| |including time value losses, transaction costs and other causes of loss of| |
| |value. | |
|Price interest rate |Significant movements in interest rates away from forecasts expose the |As aspect of the resistance issue. Higher risk as generally smaller companies have higher |
| |organization to higher borrowing costs and lower investment yields. |leverage and are more sensitive to interest rate fluctuations. May also not have the expertise |
| | |to identify problems and appropriate risk-reducing strategies. |
|Information for decision making risk | | |
|Regulatory reporting (Operational) |Incomplete, inaccurate and/or untimely regulatory reporting of required |Higher inherent risk; small size means that less expertise and resource are available for |
| |operating information might result in fines, penalties or sanctions. |regulatory reporting. However, maintaining membership of professional bodies and appropriate |
| | |approvals may be crucial to the business. |
|Regulatory reporting (Financial) |Reports of financial information required by regulatory agencies are |Higher inherent risk; size means that less expertise and resource are available for regulatory |
| |incomplete, inaccurate, or untimely, exposing the company to fines, |reporting. Complying with regulatory reporting requirements may however be crucial to the |
| |penalties and sanctions. |credibility of the business. |
|Business Risk (Green) |Risk definition |The small size and management ownership reduces relevance |
| | | |
|Environment risk | | |
|Globalization |Globalization can result in foreign company competition, geographical |Small size generally means that the business is unlikely to have global operations and is more |
| |dispersion of company functions, tariff and restricted trade issues, tax |likely to be a local niche player. However, smaller businesses may lack awareness of global |
| |issues, and work ehic differences. |issues that actually affect them significantly. |
|Sovereign/Political |Adverse political actions in a country in which the organization has |Small size probably means less exposure because the business is unlikely to have operations |
| |invested significantly, is dependent on a significant volume of business |abroad or in sensitive countries. However, the business is unlikely to have the expertise to |
| |or has entered into a significant agreement with a counterparty subject to|cope with sovereign/political risks if they arise. |
| |the laws of that country threaten the organization. | |
|Technological innovation |The failure to recognize changes in market demand, new and different |Less inherent risk because of awareness that results from management being closer to the market.|
| |technologies, advances in IT technologies, and new uses of existing |The business will also generally have less capital and specialized resources invested in |
| |technologies. |existing technology and will show less resistance to change. |
|Process risk | | |
|Compliance |Non-compliance with customer requirements, prescribed organizational |Generally lower inherent risk due to closer awareness and communication concerning client |
| |policies and procedures or laws and regulations may result in lower |satisfaction and quality of product/service. |
| |quality, higher production costs, lost revenues, unnecessary delays, | |
| |penalties, fines, etc. | |
|Customer satisfaction |A lack of focus on customers threatens the organization’s capacity to meet|Generally higher awareness of customer needs and closer management contacts with customers. |
| |or exceed customer expectations. | |
|Cycle time |Unnecessary activities threaten the organization’s capacity to produce and|Size reduces organization’s resistance to change and inertia. Inherently low risk due to short |
| |deliver goods or services on a timely basis. |lines of communication and management’s natural awareness of efficiency issues due to |
| | |constraints on resources and capacity. |
|Performance gap |Inability to perform at world class levels in terms of quality, costs |Resistance and awareness issue. Lower inherent risk. Generally, a key success factor for a |
| |and/or cycle time due to inferior operating practices threatens the demand|smaller company lies in differentiating itself from larger companies. Nevertheless, small |
| |for the organization’s products or services. |companies may not appreciate what world class companies can achieve because they lack expertise |
| | |or objectivity. |
|Product development |The Company’s product development process creates products that customers |Generally significant less capital and expertise resources available for product development. |
|and acceptance |do not want or need that are priced at a level customers are not prepared |For typical small company/niche player generally not relevant/applicable because of management |
| |to pay or that meet a need but are late in reaching the market that a |awareness. |
| |competitor reached first. | |
|Product/service quality |Faulty or nonperforming products or services expose the organization to |Lower inherent risk of occurrence due to awareness, more pride in product and focus on quality |
| |customer complaints, warranty claims, field repairs, returns, product |and customer needs. However, generally higher significance because of reduced resistance to |
| |liability claims, litigation, and loss of revenues, market share and |warranty and litigation costs. |
| |business. | |
|Accountability |Accountability risk is the lack of clarity in the assignment of authority |Generally significant lower inherent risk; short lines of communication and clearer and fewer |
| |and responsibility for the execution of key business strategies, operating|levels of authority and responsibility. |
| |activities and the establishment of reporting relationships and | |
| |authorization protocols. | |
|Authority/Limit |Authority Risk. Ineffective lines of authority may cause managers or |Generally significantly lower inherent risk; short lines of communication and clearer and fewer |
| |employees to do things they should not do or fail to do things they |levels of authority and responsibility. |
| |should. | |
|Change readiness |The people within the organization are unable to implement process and |Generally significantly lower inherent risk; small organizations show less resistance to change |
| |product/service improvements quickly enough to keep pace with changes in |if management take a lead. Smaller organizations are inherently more flexible and have a labor |
| |the marketplace. |force which is more versatile and less specialized. |
|Communications |Ineffective communication channels may result in messages that are |Generally significantly lower inherent risk. Communication enhanced by smaller size although |
| |inconsistent with authorized responsibilities or established performance |personalities can cause problems. |
| |measures. | |
|Performance incentives |Unrealistic, misunderstood, subjective or non-actionable performance |Inherently lower risk because of generally higher visibility and linkage between performance of |
| |measures may cause managers and employees to act in a manner inconsistent |employees and the effect on the business, customer satisfaction, etc. Management has a greater |
| |with the organization’s objectives, strategies and ethical standards, and |awareness of employee performance and communication of feedback is easier and more direct. |
| |with prudent business practice. | |
|Availability |Unavailability of important information when needed threatens the |Due to lack of expertise this risk is normally subject to outsourcing. Should be |
| |continuity of the organization’s critical operations and processes. |straightforward to replace PC and off the shelf package in the event of theft or damage. |
| | |Unlikely to have IT support function to deal with problems, but typically have maintenance |
| | |contract with supplier. |
|Information system integrity |Loss of integrity in the management of the information system |Due to lack of expertise this risk is normally subject to outsourcing. Significantly lower |
| |infrastructure may result in unauthorized access to data, irrelevant data |risk; use of unmodified off the shelf packages reduces risk that integrity is compromised. |
| |or untimely delivery of data, or loss of integrity in the application |Relatively easy to replace system as not tailor-made. |
| |systems that support the organization’s business. | |
|Infrastructure |The risk that the organization does not have an effective information |Inherently lower risk: probably less sensitive to existence of effective information technology |
| |technology infrastructure (e.g., hardware, networks, software, people and |infrastructure as closer communication within the organization and with customers/suppliers and |
| |processes) to effectively support the current and future needs of the |awareness of issues may substitute for reliance on technology. However, may not have the |
| |business in an efficient, cost-effective. |expertise to identify adequacy of infrastructure compared to needs. |
|Relevance |Irrelevant information created or summarized by an application system may |Inherently lower risk. Probably less reliance on information from systems themselves. Closer |
| |adversely affect users' decisions. |communication within organization and with customers/suppliers and awareness of issues reduces |
| | |need for system generated reports. |
|Unauthorized used |Unauthorized use of the organization’s physical, financial or information |Inherently lower likelihood risk; detection more likely due to short lines of communication and |
| |assets by employees or others expose the organization to unnecessary waste|awareness of supervisors and managers. Significance inherently higher in view of limited |
| |of resources and financial loss. |financial resources. |
|Credit-default |Default of a counterparty on a contract passed to a dealer who |Lack of expertise generally precludes use of relevant financial instruments although this may |
| |subsequently defaults exposes the organization to financial loss. |not apply in certain industries. |
|Credit-settlement |Different settlement times between the capital markets of the organization|Lack of expertise generally precludes use of relevant financial instruments although this may |
| |and its counterparties expose the organization to a short-term risk of |not apply in certain industries. |
| |counterparty default on obligations. | |
|Price-equity |Equity risk is the exposure to fluctuations in the income stream from |Lack of expertise generally precludes use of relevant financial investments although this may |
| |and/or value of equity ownership in an incorporated entity which may arise|not apply in certain industries. |
| |as a result of investment in shares of publicly traded entities, private | |
| |placements, etc. | |
|Information for decision making risk | | |
|Contract commitment |Lack of relevant and/or reliable information concerning contractual |Lower inherent risk due to awareness and communication aspects of size. Generally, |
| |commitments outstanding as of a point in time may result in subsequent |management/owner heavily involved in contractual commitment process and therefore reduced risk |
| |incremental contractual commitment decisions that are not in the best |of inadequate knowledge. |
| |interest of the organization. | |
|Performance measurement |Process performance measures do not provide a reliable portrayal of |Lower inherent risk due to awareness and communication aspects of size. Generally, management |
| |business performance and do not accurately reflect reality (i.e., they are|close to business and have opportunity to assess even without sophisticated performance |
| |not reliable information about reality because they do not "tell the |measurement reporting. |
| |story" as to what is really happening within | |
|Process alignment |Failure to align business process objectives and performance measures with|Lower inherent risk due to awareness and communication aspects of size of organization. Risk is|
| |organizational objectives and strategies may result in conflicting, |further reduced where management ownership means that values of owner are reflected in the |
| |uncoordinated activities throughout the organization. |business. |
|Product costing |The risk of incorrect product pricing techniques resulting in inaccurate |Lower inherent risk. Small size reduces indirect cost allocation issues. Generally, close |
| |or meaningless information. |management involvement and awareness give better overview of direct and indirect costs without |
| | |sophisticated cost measurement techniques. In some industries, lack of expertise and |
| | |objectivity resulting from small size may cause problems. |
|Accounting information |Over-emphasis on financial accounting and/or actuarial information to |Risk greatly reduced where there is management ownership and there is no distinction between the|
| |manage the business may result in the manipulation of outcomes to achieve |values of managers and owners. In other small businesses, lack of expertise in accounting |
| |financial targets at the expense of not meeting customer satisfaction, |matters and enhanced awareness reduces the risk. However, presumption of lower risk may be |
| |quality and efficiency objectives. |inappropriate where personal assets are dependent on reported results. |
|Compensation |Incomplete and/or inaccurate information pertaining to compensation and |Inherent risk lower because lack of expertise leads to outsourcing. |
|and benefits |benefits (i.e., pension plans, deferred compensation plans, retiree | |
| |medical plans, etc.) may preclude the organization from meeting its | |
| |defined obligations to employees on a timely basis | |
|Pension fund |Incomplete and/or inaccurate information pertaining to compensation and |Inherent risk lower; generally outsourced due to lack of expertise. |
| |benefits (i.e., pension plans, deferred compensation plans, retiree | |
| |medical plans, etc.) may preclude the organization from meeting its | |
| |defined obligations to employees on a timely basis. | |
|Taxation |Failure to accumulate and consider relevant tax information may result in |Inherent risk generally lower because taxation is outsourced due to lack of expertise. However,|
| |non-compliance with tax regulations or adverse tax consequences that could|management ownership may increase risk where owners’ values lead to hostility to maintaining |
| |have been avoided had transactions been structured differently. |records that “help” the tax authorities. |
|Business portfolio |Lack of relevant and reliable information that enables management to |Significantly lower risk as small size reduces the opportunities for diversification. Where it |
| |effectively prioritize its products or balance its businesses in a |exists, good management awareness mitigates the risk. |
| |strategic context may preclude a diversified organization from maximizing | |
| |its overall performance. | |
|Environment monitoring |Changes in the external environment, which have implications and risks for|Lower inherent risk due to better awareness in smaller businesses; closer contact with |
| |the Company and need to be understood in order to have correct management |environment means changes are identified sooner. Lower resistance also means that the |
| |decision making. |organization is more flexible and can react faster. Quality of understanding of changes and |
| | |therefore the appropriateness of the reaction may however be dependent on expertise. |
|Organization design |Management lacks the information needed to assess the effectiveness of |Significantly lower risk; lines of communication and high awareness mean that underperformance |
| |the company's organizational structure, which threatens its capacity to |of the organization is more readily apparent and there is less resistance to change. |
| |change or achieve its long-term strategies. | |
|Performance measurement |Non-existent, irrelevant or unreliable performance measures that are |Significantly lower risk; shorter lines of communication and closer awareness and span of |
|(strategic) |inconsistent with established business strategies threaten the |control by management mean that underperformance is more apparent and generally easier to |
| |organization’s ability to achieve its long-term strategies. |pinpoint. Management ownership further reduces risk because owners’ values are reflected in the|
| | |business. However, lack of objectivity due to limited sources of information may be a problem. |
|Planning |An unimaginative and cumbersome strategic planning process may result in |Inherent risk lower; strategic planning process probably more imaginative and intuitive instead |
| |irrelevant information that threatens the organization’s capacity to |of cumbersome in view of size and management ownership. However, quality of process is largely |
| |formulate viable business strategies. |dependent on capabilities of persons (i.e. management) involved and therefore lack of expertise |
| | |and objectivity may be a problem. |
|Business Risk (Yellow) |Risk definition |The size and management ownership do not affect relevance |
| | | |
|Environment risk | | |
|Catastrophic events |A major disaster threatens the organization’s ability to sustain |Chances of occurrence are equal regardless of size. Two aspects of resistance are relevant. |
| |operations, provide essential products and services or recover operating |Ability to sustain adverse external changes likely to be lower. However, provided a small |
| |costs. |business survives, it will probably be able to respond and get back on its feet more quickly. |
|Industry |Changes in opportunities and threats, capabilities of competitors, and |Industry factors more important but two aspects of resistance are relevant. Generally, a small |
| |other conditions affecting the organization’s industry threaten the |business has less ability to withstand change but can react more quickly and flexibly to it. |
| |attractiveness of the entire industry. | |
|Legal |Changing laws threaten the organization’s capacity to consummate |Industry factors more important but two aspects of resistance are relevant. Generally, a small |
| |important transactions, enforce contractual agreements or implement |business has less ability to withstand change but can react more quickly and flexibly to it. |
| |specific strategies and activities. | |
|Regulatory |Changing laws threaten the organization’s capacity to consummate important|Industry factors more important but two aspects of resistance are relevant. Generally, a small |
| |transactions, enforce contractual agreements or implement specific |business has less ability to withstand change but can react more quickly and flexibly to it. |
| |strategies and activities. | |
|Shareholder relations |A decline in investor confidence threatens the organization’s capacity to |Not relevant where there is management ownership. Otherwise, neutral in relation to size. |
| |efficiently raise capital. | |
|Social/Cultural |Social / Cultural risk includes demographic trends and how they can affect|Industry factors more important but two aspects of resistance are relevant. Generally, a small |
| |the industry's customer base and work force, societal factors such as the |business has less ability to withstand change but can react more quickly and flexibly to it. |
| |way people live, work and behave as consumers and ecological concerns such| |
| |as acid rain, global warming. | |
|Process risk | | |
|Efficiency/Productivity |Inefficient operations threaten the organization’s capacity to produce |Industry-specific. Neutral in relation to size and management ownership. |
| |goods or services at or below cost levels incurred by competitors or world| |
| |class performing companies. | |
|Environmental |Activities harmful to the environment expose the organization to |Industry-specific. Neutral in relation to size and management ownership. |
| |liabilities for bodily injury, property damage, cost of removal, punitive | |
| |damages, etc. | |
|Health and safety |Failure to provide a safe working environment for its workers exposes the |Depends to a large extent on industry. In a small company, there is increased risk due to |
| |organization to compensation liabilities, loss of business reputation and |dependence on individual employees (resistance) compensated by higher awareness of issues. |
| |other costs. | |
|Inventory |The risk that the company is not purchasing and producing the right amount|Depends largely on industry and quality of purchasing systems, rather than size. Lower |
| |of goods at the right time consequently leading to inventory shortages, |resistance to supplier power offset by greater awareness of operations. |
| |excess and obsolete inventories, inventory shrinkage and reduced cash | |
| |flow. | |
|Obsolescence |Inventory obsolescence or shrinkage exposes the organization to |Depends largely on industry, nature of inventory and its sensitivity to shrinkage and |
| |significant financial losses. |obsolescence in general. |
|Price volatility |The risk that the prices of key resources or key products are higher than |Depends largely on nature of business and industry. Increased awareness of issues and |
| |their expected levels resulting in increased costs or decreased revenues. |consequences may be offset by lack of expertise of risk management strategies. |
|Resource availability |Limited sources of energy, metals and other key commodities and raw |Depends largely on industry and nature of business. |
| |materials threaten the organization’s ability to produce quality products | |
| |at competitive prices on a timely basis. | |
|Leadership |The organization’s people are not being effectively led, which may result |Likelihood to large extent dependent on quality of individual leadership rather than size of |
| |in a lack of direction, customer focus, motivation to perform, management |organization. Short lines of communication can enhance direction, although dominance might |
| |credibility and trust throughout the organization. |affect motivation. Significance of personal impact on a small number of people higher. |
|Illegal acts |Illegal acts committed by managers or employees expose the organization to|In principle, the lack of resistance and expertise should make this a risk of higher relevance |
| |fines, sanctions, and loss of customers, profits and reputation, etc. |for small businesses. However, except in cases where values are a problem in an owner-managed |
| | |business, improved awareness and communication are likely to neutralize the increased risk. |
|Employee fraud |Fraudulent activities perpetrated by employees, customers or suppliers |Lower inherent risk as a consequence of span of control, management awareness and supervision |
| |against the organization for personal gain (e.g., misappropriation of |and short communication lines within the organization and with relevant outside parties |
| |physical, financial or information assets) expose the organization to |(customers, suppliers). However, size limits the potential for segregation of incompatible |
| |financial loss. |duties and can lead to a loss of objectivity in information. When there is management |
| | |ownership, the owners’ values will also affect employees’ attitudes towards fraud. |
|Reputation |Damage to the organization’s reputation exposes it to loss of customers, |Sensitivity of suppliers and customers to reputation depends more on industry and on positioning|
| |profits and the ability to compete. |of company in the market than on size. |
|Credit-market |A trading partner is unable to fulfil its obligations on a contract on |No particular higher/lower inherent risk related to size of company. |
| |which there is a positive mark-to-market value for the non-defaulting | |
| |party. | |
|Credit-collateral |The partial or total loss of value of an asset provided to the |Inherent risk not really dependent on size but on industry and specific circumstances of |
| |organization as collateral exposes the organization to financial loss. |business. |
|Credit-concentration |The risk of excessive loss due to inappropriate emphasis of sales volume |Inherent risk itself dependent on industry and type of business rather than size. However, |
| |or revenues on a single customer, industry or other economic segment. |smaller companies might not be able to put up much resistance against larger businesses who are |
| | |customers or fellow creditors. |
|Price-commodity |Commodity risk is considered either a financial market risk or operational|Inherent risk dependent on industry and type of business, but may be higher where small |
| |risk depending on the industry. As an operational risk, commodity risk is|companies have fewer capital resources and so cannot establish resistance to the effects of |
| |the exposure to fluctuations in prices of commodity-based materials or |price fluctuations by taking significant positions. Smaller businesses may also lack the |
| |products. |necessary expertise. |
|Price-financial instrument |Financial market risk can vary depending on the particular segment of the|Dependent on type of business and industry but generally smaller companies will lack the |
| |market to which the holder of a financial instrument is exposed, or the |expertise to invest in complex financial instruments. |
| |way in which the exposure is structured. | |
| | | |
|Price-currency |Currency risk is a market level risk and is the exposure to fluctuations |Inherent risk is similar for businesses of any size and is more dependent on industry. However,|
| |in exchange rates. |smaller companies probably have less expertise to identify measures for mitigating currency |
| | |exposure. |
|Information for decision making risk | | |
|Product pricing |Lack of relevant and/or reliable information supporting pricing decisions |Lack of resistance to customer pressure because of small size will raise risk. However, there |
| |may result in prices or rates that customers are unwilling to pay, do not |is also lower inherent risk where small size reduces indirect cost allocation issues. |
| |cover development and other costs or do not cover risk exposures assumed |Generally, close management involvement and awareness give better overview of direct and |
| |by the organization. |indirect costs without sophisticated cost measurement techniques. In some industries, lack of |
| | |expertise and objectivity resulting from small size may cause problems. |
|Budget & planning |Non-existent, unrealistic, irrelevant or unreliable budget and planning |Inherent risk probably similar overall for smaller businesses given compensating impacts of |
| |information may cause inappropriate financial conclusions and decisions. |expertise and objectivity versus awareness. |
|Financial reporting evaluation |Failure to accumulate relevant and reliable external and internal |Inherent risk generally unaffected by size as financial reporting is almost always outsourced by|
| |information to assess whether adjustments to or disclosures in financial |small businesses due to lack of expertise. Risk significantly reduced where there is management|
| |statements are required may result in the issuance of misleading financial|ownership. |
| |reports to external stakeholders. | |
|Investment evaluation |Lack of relevant and/or reliable information supporting investment |Inherent risk not clearly linked to size of organization since potential lack of expertise and |
| |decisions and linking the financial risks accepted to the capital at risk,|objectivity are compensated for by awareness and, where there is management ownership, by the |
| |may result in poor short- or long-term investments. |personal interests involved. |
|Product life cycle |Lack of relevant and reliable information that enables management to |Inherent risk less dependent on size of organization than industry. Potential lack of expertise|
| |manage the movement of its product lines and the evolution of its industry|and objectivity compensated by management’s direct awareness of market conditions. |
| |along the life cycle threatens the organization’s capacity to remain | |
| |competitive. | |
|Resource allocation |An inadequate resource allocation process and the information supporting |Although inherently risk not dependent on size of organization, the adverse effects will |
| |it may preclude the organization from establishing and sustaining |generally become apparent earlier and can have a more significant adverse impact in view of the |
| |competitive advantage or maximizing shareholder returns (e.g., channeling |lack of resistance of smaller businesses to external change. However, management is likely to |
| |scarce resources toward that opportunity. |have a close awareness of performance and a small organization can respond quickly. |
|Valuation |Lack of relevant and reliable valuation information may preclude owners or|Size of organization not a differentiating factor. Where there is management ownership, the |
| |prospective owners from making informed assessments of the value of the |focus on the owner’s values throughout the organization may make the risk less relevant. |
| |organization or any of its significant segments in a strategic context. | |
Exhibit 3: Key Risk Areas and SME’s
|Key Risk Area |Comments |
|Accounting Principles and Practices | |
|Revenue recognition |Accounting principles and practices related to revenue recognition may often be |
| |higher risk in small companies that have a greater dependency on revenues from a |
| |concentrated customer base, less formal contractual arrangements and emerging |
| |business practices. |
|New business activities |New business activities require consideration of expanded accounting principles and |
| |practices. Where internal accounting expertise is limited, the risks associated with|
| |failure to adopt appropriate accounting principles and practices may increase. |
|New accounting principles and pronouncements |New accounting principles and pronouncements frequently require substantial |
| |technical accounting expertise. When the company either does not have sufficient |
| |internal expertise or obtain external assistance, adoption and application of new |
| |principles increases risk. |
|Judgments and Estimates | |
|Sources of supporting information |The sources of supporting data and information to make significant judgments and |
| |estimates may be more limited in small, owner-managed companies that have less |
| |sophisticated information systems and less extensive access to external information.|
|Objectivity in principal assumptions |The objectivity of principal assumptions related to significant judgments and |
| |estimates can be substantially impacted by the motivations of the owner-manager |
| |including incentives related to tax avoidance, compliance with loan covenants, and |
| |managing earnings to attract future lenders or investors. |
|Critical Business Processes | |
|Completeness of capture of business transactions |The relative complexity and number of critical processes may be reduced in a small, |
| |owner-managed company. However, risks related to completeness of the capture of |
| |business transactions will likely be prevalent in most if not all of these critical |
| |processes. Use of off-the-shelf vendor software packages may reduce the likelihood |
| |of errors in processing these transactions after they are captured. |
|Financial Reporting Process | |
|Consolidation |In many small companies, significant aspects of the financial reporting process |
|Financial reporting adjustments |(including the consolidation, financial reporting adjustments and statement and |
|Statement and disclosure preparation |disclosure preparation) may be risks if there is not appropriate internal expertise.|
| |A higher interest in confidentiality may also increase the risk that disclosures may|
| |not be in compliance with generally accepted accounting principles. |
-----------------------
Exhibit 1: The Impact of Size and Management Ownership on the Risk Assessment Process (RAP)
1 Goals and Objectives
Values
Expertise
Communication
Objectivity
5 Monitor RAP
Values
Awareness
Objectivity
6 Improve RAP
Values
Resistance
Expertise
Communication
Objectivity
2 Assess Risks
Values
Expertise
Awareness
Communication
Objectivity
3 Develop Strategies
Resistance
Expertise
Communication
Objectivity
4 Control Processes
Resistance
Expertise
Awareness
Communication
Objectivity
7 Information for
Decision Making
Expertise
Awareness
Communication
Objectivity
................
................
In order to avoid copyright disputes, this page is only a partial summary.
To fulfill the demand for quickly locating and searching documents.
It is intelligent file search solution for home and business.