Risk Assessment - Does Your Approach Need a Refresh?

Presented by: Jason Greenlee, Audit Senior Manager, Deloitte & Touche LLP

March 15, 2018

Objectives

Discuss and assess factors that may indicate your risk assessment activities may require a refresh

Share leading practices to transform the risk assessment program from a reactive to a proactive approach

Discuss how an effective risk assessment serves to achieve the desired objective of providing reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external reporting purposes in accordance with generally accepted accounting principles (GAAP).


Copyright © 2017 Deloitte Development LLC. All rights reserved.

Agenda - Risk assessment refresh (Modules 01 to 07)

- Regulatory requirements; data on material weakness

- Timing; participants; COSO linkage to risk assessment; risk assessment process

- Leading practices to help avoid common risk assessment pitfalls

- Innovation when performing risk assessments

- Desired outcome of an effective risk assessment

- Resources

Module 1 - Risk Assessments

- Regulatory requirements

- Focus area by regulators

- Maturity model

- Cost of a less mature internal control over financial reporting (ICFR) program

- Opportunities

- Data on material weaknesses

Regulatory requirements

Section 404

Management: SOX Act Section 404(a) requires management of issuers that meet certain criteria (established by SEC rulemaking) to perform an annual assessment of the effectiveness of ICFR as of the entity's year-end date and to present its assertion as to the effectiveness of the entity's internal control over financial reporting in the annual Form 10-K filing (referred to as "management's assessment").

Auditor: Sarbanes-Oxley Act Section 404(b) requires the auditors of certain entities subject to Section 404(a) to annually attest to, and report on, management's assessment in accordance with the standards of the PCAOB (i.e., perform an audit of ICFR). The PCAOB standards are relevant to auditors, as these standards set forth the requirements that need to be addressed by auditors as they conduct an integrated audit.

Framework

Management: SEC Rules 13a-15(c) and 15d-15(c) state that the framework must be a suitable, recognized control framework that is established by a body or a group that has followed due-process procedures, including broad distribution of the framework for public comment.

Auditor: PCAOB AS5 requires that the auditor use the same suitable, recognized framework to perform the audit as management uses for its annual evaluation of the effectiveness of the company's ICFR.

Regulatory requirements

2013 COSO Framework

- The COSO 2013 Internal Control - Integrated Framework is the framework used by management to perform its assessment.

- While the 5 components operate together in an integrated manner, principles 6-11 are most relevant to the risk assessment.

Control environment

1. Demonstrates commitment to integrity and ethical values

2. Exercises oversight responsibilities

3. Establishes structure, authority, and responsibility

4. Demonstrates commitment to competence

5. Enforces accountability

Risk assessment

6. Specifies suitable objectives

7. Identifies and analyzes risk

8. Assesses fraud risk

9. Identifies and analyzes significant change

Control activities

10. Selects and develops control activities

11. Selects and develops general controls over technology

12. Deploys through policies and procedures

Information and communication

13. Uses relevant, quality information

14. Communicates internally

15. Communicates externally

Monitoring activities

16. Conducts ongoing and/or separate evaluations

17. Evaluates and communicates deficiencies


Focus area by regulators

Increased focus by the SEC & PCAOB on ICFR

- ICFR continues to be a key focus for financial regulators, preparers, auditors, and audit committees.

- Wesley Bricker, chief accountant in the SEC's Office of the Chief Accountant, and others offered their views on the importance of internal controls.

"We are routinely reminded through our interactions with investors that they continue to believe that strong and effective internal controls and audits are an important component of the ability of companies to communicate credible financial reporting information in order to raise the capital needed to operate, grow and compete....it is hard to think of an area more important than ICFR to our mission of providing high-quality financial information that investors can rely on. If left unidentified or unaddressed, ICFR deficiencies can lead to lower-quality financial reporting and ultimately higher financial reporting restatement rates and higher cost of capital."

Wesley R. Bricker, Chief Accountant, on December 5, 2016 in keynote address before the 2016 AICPA Conference on Current SEC and PCAOB Developments.


Focus area by regulators

Common theme and differences between management and auditor

Potential Efficiencies

Close to full agreement on controls

RISK ASSESSMENT (RA)

PLAN FOR ICFR

Communication

Causes for differences

Judgments

Frequent discussions on RA and impact to audit of ICFR

Understand reasoning when there are differences in risk assessments or in the selection of controls to test

Materiality

Differences in ROMMS
