Risk Assessment – Does Your Approach Need a Refresh? Presented by: Jason Greenlee, Audit Senior Manager Deloitte & Touche LLP March 15, 2018


Page 1: Title slide

Risk Assessment – Does Your Approach Need a Refresh?

Presented by: Jason Greenlee, Audit Senior Manager, Deloitte & Touche LLP

March 15, 2018

Page 2: Objectives

Copyright © 2017 Deloitte Development LLC. All rights reserved.

• Discuss and assess factors that may indicate your risk assessment activities may require a refresh
• Share leading practices to transform the risk assessment program from a reactive to a proactive approach
• Discuss how an effective risk assessment serves to achieve the desired objective of providing reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external reporting purposes in accordance with generally accepted accounting principles (GAAP).

Page 3: Agenda – Risk assessment refresh

• Module 01 – Regulatory requirements; Data on material weaknesses
• Module 02 – Timing; Participants
• Module 03 – COSO linkage to risk assessment; Risk assessment process
• Module 04 – Leading practices to help avoid common risk assessment pitfalls
• Module 05 – Innovation when performing risk assessments
• Module 06 – Desired outcome of an effective risk assessment
• Module 07 – Resources

Page 4: Module 1 – Risk Assessments

• Regulatory requirements
• Focus area by regulators
• Maturity model
• Cost of a less mature internal control over financial reporting (ICFR) program
• Opportunities
• Data on material weaknesses

Page 5: Regulatory requirements

(Diagram: Management – SOX Section 404(a); Auditor – SOX Section 404(b); Framework.)

SOX Act Section 404(a) requires management of issuers that meet certain criteria (established by SEC rulemaking) to perform an annual assessment of the effectiveness of ICFR as of the entity’s year-end date and to present its assertion as to the effectiveness of the entity’s internal control over financial reporting in the annual Form 10-K filing (referred to as “management’s assessment”).

Sarbanes-Oxley Act Section 404(b) requires the auditors of certain entities subject to Section 404(a) to annually attest to, and report on, management’s assessment in accordance with the standards of the PCAOB (i.e., perform an audit of ICFR). The PCAOB standards are relevant to auditors, as these standards set forth the requirements that need to be addressed by auditors as they conduct an integrated audit.

SEC Rules 13a-15(c) and 15d-15(c) state that the framework must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including broad distribution of the framework for public comment.

PCAOB AS5 requires that the auditor use the same suitable, recognized framework to perform the audit as management uses for its annual evaluation of the effectiveness of the company’s ICFR.

Page 6: Regulatory requirements – 2013 COSO Framework

Control environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information and communication
13. Uses relevant, quality information
14. Communicates internally
15. Communicates externally

Monitoring activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

• The COSO 2013 Internal Control – Integrated Framework is the framework used by management to perform its assessment
• While the five components operate together in an integrated manner, principles 6–11 are the most relevant to the risk assessment.

Page 7: Focus area by regulators – Increased focus by the SEC & PCAOB on ICFR

• ICFR continues to be a key focus for financial regulators, preparers, auditors, and audit committees
• Wesley Bricker, chief accountant in the SEC’s Office of the Chief Accountant, and others offered their views on the importance of internal controls:

“We are routinely reminded through our interactions with investors that they continue to believe that strong and effective internal controls and audits are an important component of the ability of companies to communicate credible financial reporting information in order to raise the capital needed to operate, grow and compete….it is hard to think of an area more important than ICFR to our mission of providing high-quality financial information that investors can rely on. If left unidentified or unaddressed, ICFR deficiencies can lead to lower-quality financial reporting and ultimately higher financial reporting restatement rates and higher cost of capital.”

Wesley R. Bricker, Chief Accountant, on December 5, 2016 in a keynote address before the 2016 AICPA Conference on Current SEC and PCAOB Developments.

Page 8: Focus area by regulators – Common theme and differences between management and auditor

Risk assessment (RA) plan for ICFR
• Understand reasoning when there are differences in risk assessments or in the selection of controls to test
• Frequent discussions on RA and impact to audit of ICFR
• Close to full agreement on controls

Causes for differences: judgments, materiality, differences in ROMMs, communication

Potential efficiencies

Page 9: Maturity model – Indicators of a less mature ICFR framework and program

Control Environment
• Culture does not demonstrate a commitment to the importance of ICFR
• Roles and responsibilities for ICFR are not clearly defined or understood
• ICFR onboarding is not conducted when changes impacting roles occur in the organization (i.e., restructuring or acquisitions).

Risk Assessment
• Performed as a check-the-box exercise
• Not considering qualitative factors
• Not considering all financial statements and disclosures at the appropriate disaggregated level
• Failure to involve key stakeholders with relevant knowledge (i.e., business unit, geographic, complex accounts)
• Failure to consider and monitor changes throughout the period as they relate to ICFR
• Failure to consider IT or outside service provider risks as part of the risk assessment

Control Activities
• Design of controls is not evaluated when selecting controls to mitigate risks
• Lack of segregation of duties across multiple systems or manual processes
• Control documentation does not reflect current state, or is not sufficiently detailed
• Failure to consider Information Technology (IT) dependencies when selecting controls to mitigate risks

Information & Communication
• Failure to design or implement controls over the completeness and accuracy of information or data used in controls
• Control documentation does not reflect current state, or is not sufficiently detailed

Monitoring
• High number of recurring deficiencies
• Identified material weaknesses and significant deficiencies
• Auditor-identified adjustments; consider the significant number or materiality of adjustments

Page 10: Cost of a less mature ICFR system

Compliance costs
• Additional effort to address inefficiencies from an immature ICFR program
• Time and resources spent on deficiency assessment, remediation and retesting
• Fraud assessment, investigation, remediation and retesting
• Additional testing procedures resulting from deficiencies or fraud
• Fines and penalties

Missed cost savings
• Inability of external auditors to use management’s testing
• Inability of external auditors to take a control reliance approach to reduce substantive testing
• Inability of auditors or internal audit/management to establish a baseline testing year to reduce the extent of testing in the future

Market/business
• Loss of investor confidence
• Reputation and brand may be impacted upon required disclosures of material weaknesses and frauds
• Diversion of attention from running the business or other important initiatives to fixing problems

Costs of ineffective controls include fraud costs:
• Fraud costs the typical organization about 5% of revenues in a given year, according to the Report to the Nations on Occupational Fraud and Abuse (the “Report”) released March 30, 2016 by the Association of Certified Fraud Examiners1.
• The good news, according to the biennial Report, is that anti-fraud controls reduced losses by as much as 50% at organizations that had them compared with organizations that did not1.

1 - 2016 Global Fraud Study: Report to the Nations on Occupational Fraud and Abuse, Association of Certified Fraud Examiners

Page 11: Data on material weaknesses – MW data by GAAP financial issues – Integrated audits 2

Chart (percentage of each issue against the total GAAP issues):
• Tax expense/benefit/deferral/other (FAS 109): 17%
• Revenue recognition: 11%
• Unidentified/inapplicable FASB/GAAP: 11%
• Liabilities, payables, reserves & accrual estimate failures: 9%
• Accounts/loans receivable, investment & cash: 8%
• Inventory, vendor, and cost of sales issues: 7%
• PPE, intangible or fixed asset: 7%
• M&A, disposal or reorganization: 6%
• Expense recording (payroll, SG&A): 5%
• Foreign, related party, affiliated and/or subsidiary: 4%
• CF statement (FAS 95) classification: 2%
• Deferred, stock-based or executive comp: 2%
• Consolidation (FIN 46R) & foreign currency translation: 2%
• Other issues: 9%

2 - Based on data from Audit Analytics for annual reports submitted to the SEC during 2017, based on a download as of April 14, 2017. Data depicts the percentage of each issue against the total 296 GAAP issues identified in 147 adverse opinions (out of 2,635 filers).

Page 12: Data on material weaknesses – MW data by internal control issues – Integrated audits 2

Chart (percentage of each issue against the total IC issues):
• Accounting personnel resources, competency/training: 32%
• Material and/or numerous auditor / YE adjustments: 18%
• Information technology, software, security & access issue: 11%
• Inadequate disclosure controls (timely, accuracy, completeness): 8%
• Non-routine transaction control issues: 7%
• Segregation of duties / design of controls (personnel): 6%
• Untimely or inadequate account reconciliations: 3%
• Restatement or nonreliance of company filings: 3%
• Senior management competency, tone, reliability issues: 3%
• Journal entry control issues: 2%
• Treasury control issues: 2%
• Ineffective, non-existent or understaffed audit committee: 2%
• Restatement of previous 404 disclosures: 1%
• Other issues: 2%

2 - Based on data from Audit Analytics for annual reports submitted to the SEC during 2017, based on a download as of April 14, 2017. Chart excludes issues around ‘Accounting documentation, policy and/or procedures’ as 99% of filers had this as a MW IC issue. Data depicts the percentage of each issue against the total 353 IC issues identified in 147 adverse opinions (out of 2,635 filers).

Page 13: Module 2 – Risk Assessments

• Timing
• Leading practices
• Participants

Page 14: Timing – Iterative nature of risk assessment

Initially, at the onset of the year in planning. Update the risk assessment on a planned periodic basis, and as changes arise.

• If, at any point in the annual period, changes occur that could have a significant impact on internal control, management should assess the change and revise the initial risk assessments as necessary
• Leading practice companies have programs and controls in place to identify changes.
• Leading practice companies coordinate frequently and in a timely manner with external audit.

Page 15: Leading practices – Programs and controls that are often leveraged to identify and/or assess changes

• Non-routine technical memo: include considerations of ICFR, impact on cash flows, footnotes and disclosures
• Risk committees: require risk committees to assess areas that could significantly impact ICFR and report to the SOX team for assessment.
• Management review controls: certain controls, such as monthly balance sheet reviews, incorporate changes that may impact ICFR. Such meetings may serve to identify changes.
• 302 certifications: leverage the identification of changes; consider incorporating reporting of anticipated future changes.

Page 16: Participants – Using the lens of the Three Lines of Defense Model

Responsibilities

Management (1st Line of Defense) – Own and manage risk and control
• Owns the risk, and the design and execution of controls to respond to risks

SOX Compliance Team (2nd Line of Defense) – Monitor risk and control in support of management
• Provide management with expertise, process excellence, and work with the first line to monitor effectiveness of risk assessment and control activities

Internal Audit (3rd Line of Defense) – Provide independent assurance to the board and senior management
• Assess effectiveness of both the first and second line’s efforts consistent with the expectations of the board and senior management

Other participants shown in the diagram: Board / Audit Committee; Senior Management; External Auditors; Regulators.

The Three Lines of Defense Model enhances understanding of risk management and control by clarifying roles and duties3

3 The Institute of Internal Auditors Position Paper, Leveraging COSO across the three lines of defense. IIA Position Paper - The three lines of defense in effective risk management and control, January 2013

Page 17: Module 3 – Risk Assessments

• COSO linkage to risk assessment
• All-encompassing risk assessment process
• Inherent risk
• Leading practices

Page 18: Risk assessment considerations – 2013 COSO Framework – Principle 6: Specifies suitable objectives

• Complies with applicable accounting standard: financial reporting objectives are consistent with accounting principles suitable and available for that entity. Output: identification of accounting principles (i.e., US GAAP, IFRS, etc.)
• Considers materiality: management considers materiality in financial statement presentation. Output: materiality calculation.
• Reflects the entity’s activities: external reporting reflects the underlying transactions and events to show qualitative characteristics and assertions. Output: financial statements identified for risk assessment

Page 19: Risk assessment considerations – 2013 COSO Framework – Principle 7: Identify and analyze risks

Inputs
• Financial / business performance
• Organizational changes
• External events
• Change to accounting standards
• IT applications and infrastructure
• Process changes
• Operational events (fraud, system errors, etc.)
• Prior audit results (IAD, SOX, State Examiners)
• Senior management meetings
• Management risk self assessments
• Outsource service providers
• Financial transactions and events

Outputs
• Potential impact on financial reporting
• Dynamic risk-based approach to SOX testing

Page 20: Risk assessment considerations – 2013 COSO Framework – Principle 8: Assess fraud risk

As part of the risk assessment process, organizations should identify the various ways that fraudulent financial reporting can occur, considering the COSO Points of Focus (diagram centered on Fraud Risk):
• Types of fraud
• Incentive and pressures
• Attitudes and rationalizations
• Opportunities

Page 21: Risk assessment considerations – 2013 COSO Framework – Principle 9: Identify and assess change

Inputs
• Changes in leadership
• Changes in the business model
• Changes in the external environment

Outputs
• Potential impact on financial reporting
• Dynamic risk-based approach to SOX testing

Page 22: Leading Practices in Risk Assessment – Risk assessment process

It is through the risk assessment process that a company can report with confidence the number and types of controls necessary to have an effective ICFR system.

Right people, tools & techniques, effective processes: SAFE FOOD PROGRAM; RISK DIAGNOSTIC; OUTSIDE SERVICE PROVIDERS (OPSs); INFORMATION TECHNOLOGY; CONSIDER CHANGES

Process steps
• Calculate materiality
• RA at financial statement, footnote & disclosure level
• RA at business unit level
• RA at account balance (ROMMs)
• Review & assess sufficiency of plan
• Approval of planned RA
• Control activity selection
• Test of D&I and O&E
• Evaluation of results
• Report results

Outputs
• Financial statement RA & scoping analysis, including IT and OPSs
• Annual plan supporting management’s 404a assessment
• ROMM templates and controls at account balance
• Documentation of approach & report to the audit committee

Page 23: Process for identifying risks of material misstatement

• Top down: start at financial statement line items
• Bottom up: start at business cycle, process flow or transaction type level
• Both approaches arrive at risks of material misstatement, significant accounts, and relevant assertions

Page 24: Factors relevant to assessing inherent risk

Degree of complexity and judgment
• The complexity of transactions
• Degree of complexity or judgment
• Degree of judgment / objectivity in accounting process
• Susceptibility to misstatement due to error or fraud

Nature of the account
• Nature and composition of the account
• Size and composition of the account
• Effect of quantitative and qualitative factors
• Volume of activity, complexity, and homogeneity

Other factors
• Existence of related party transactions
• Economic, accounting, or other developments
• Risk of fraud
• Transactions outside of normal course of business
• Possibility of significant contingent liabilities
• Changes from the prior period
• Exposure to losses
• Complexity / simplicity of related calculations
• Accounting and reporting complexities
• Degree of automation / manual intervention

Page 25: Leading internal control practices – 2013 COSO Framework

COSO Principle 7 – Annual review and updates of the risk assessment:
o Discuss, review, and revise with input from the key functional and component managers
o Respond to each of the relevant risks identified.
The significance of ROMMs (i.e., low, higher or significant) is identified and considered in the testing plan.

COSO Principle 8 – Performance of an annual fraud risk assessment to identify potential fraud schemes associated with external reporting, taking into account input from the key functional and component managers.
o Results are discussed with the audit committee.

COSO Principle 9 – Management (with input from functional or component management, third-party specialists, or both) determines whether a change or event gives rise to new or modified risks, including those related to fraud.

COSO Principles 10 and 11 – The entity selects control activities that mitigate the risks identified in the risk assessment (also taking into account the fraud risk assessment), including control activities related to the IT environment.

Page 26: Module 4 – Leading practices to help avoid common risk assessment pitfalls

Page 27: Common risk assessment pitfalls

Pitfall: ROMMs go unidentified.
Potential MW: Likely.
Example: Non-routine transactions are scrutinized and assessed, with a focus on recording the transactions correctly, but often management does not assess the ROMMs, relevant assertions and controls for financial reporting, disclosures or cash flows. This has contributed to non-routine transactions being cited in 7% of reported material weaknesses for integrated filers in 2017.

Page 28: Common risk assessment pitfalls

Pitfall: ROMMs are identified, but not described at a sufficient level of granularity.
Potential MW: Possibly.
Example: A ROMM addressing the valuation assertion for a warranty accrual is noted as ‘accruals are subjective in nature and may be manipulated to project certain financial results’ versus a more granular description of ‘the entity uses incorrect significant assumptions (historical claim rates and warranty periods) and underlying data (sales subject to warranty and historical repairs) to calculate and record warranty expenses.’

Page 29: Common risk assessment pitfalls

Pitfall: ROMM identified, but the right control is not selected to mitigate the risk.
Potential MW: Likely.
Example: In the warranty reserve scenario above, the granular ROMM more precisely articulates the true risk of material misstatement. Often, management selects controls that relate to period-end account reconciliations or rollforwards, which may not focus on the review of the underlying inputs and assumptions that are not found in a management review control.

Page 30: Common risk assessment pitfalls

Pitfall: IT risks were not considered as part of the risk assessment process.
Potential MW: Likely.
Example: A cyber risk that has been perpetrated involves a wire fraud scheme where business emails are compromised through either a hacked employee account or the creation of a look-alike domain, whereby a fictitious email is sent from someone pretending to be a high-level executive, requesting a targeted employee to transfer funds for an urgent transaction.

Page 31: Common risk assessment pitfalls

Pitfall: ROMMs are identified, but no differentiation in the level of risk is stated, for example, lower, higher or significant.
Potential MW: Possibly.
Example: An entity challenged the risk level of a ROMM by performing a top-down approach for a material flow of transactions that is highly automated, concluding that a previously identified normal risk is a lower risk. As a result, the entity was able to reduce the extent of testing by reducing the control sample sizes and varying the nature of testing.

Page 32: Common risk assessment pitfalls

Pitfall: A risk assessment framework or methodology has not been developed, or is ineffective, as a basis to perform the risk assessment.
Potential MW: Possibly.
Example: Examples of leading practice tools include:
• Data analytics to identify trends and analyze populations
• Visualization tools to provide deeper insights and enhanced business analysis
• Modeling tools that examine a wide range of industry data and predict potential risks using trend and regression analysis.

Page 33: Common risk assessment pitfalls

Pitfall: ROMMs are identified, but are incorrectly assessed as potential material misstatements when they are not.
Potential MW: Minimal.
Example: An entity is in the last year of a restructuring program, where the remaining program costs are immaterial to the financial statements, but the entity continues to identify ROMMs associated with the program and test related controls.

Page 34: Common risk assessment pitfalls

Pitfall: Control selection is not challenged to determine if the mix of control activity types is the most beneficial, considering resources and cost, to the company.
Potential MW: Minimal.
Example: Many entities are not taking advantage of the following in new or existing systems:
• Automated controls
• Continuous monitoring controls, including the use of data analytics
• Automating spreadsheets into a system-generated report
• Robotics solutions for repetitive control activities

Page 35: Module 5 – Innovation: ‘The art of the possible’

Page 36: Innovation – Risk assessments

Data analytics can be used to develop, analyze, model, and visualize data:
• Analyze complete populations
• Identify trends in the underlying data
• Hone in on risks of material misstatement
• Provide deeper insights and enhanced business analysis

Leading practice companies leverage data analytics and visualization tools.

Page 37: Risk Assessment – Does Your Approach Need a … County/IIA OC...•Inability of auditors or internal audit/management to establish baseline testing year to reduce extent of testing

Copyright © 2017 Deloitte Development LLC. All rights reserved.37

Innovation – Data analytics explained

In the context of a risk assessment, analytics can be used to help management:
• Better plan and execute management’s testing by focusing on areas that have a higher likelihood of misstatement
• Better process, understand and analyze large volumes of data
• Perform more real-time (continuous) auditing
• Evaluate complete populations of electronic data

…and can include any or all of the following activities:
• Discovering and analyzing patterns in data
• Extracting useful information from a population
• Identifying outliers
• Automating data aggregation and recalculating balances
• Revealing relationships
• Visualizing data
• Mapping data across operating units, systems, products, or other dimensions
• Building statistical or other exploratory or predictive models


Data analytics – Risk assessment example

[Chart: days in receivable (blue bars) plotted against the allowance for doubtful accounts, AFDA (green line), current year versus prior year]

Analyze the visualization – what are your observations?
• Significant increase in days in receivable (blue bar graph)
• AFDA has remained consistent with PY (green line graph)
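The pattern in the chart, receivables ageing while the allowance stays flat, can be turned into a repeatable analytic that runs over every period rather than being spotted by eye. The following is an added example written for this page, not code from the presentation: the quarterly revenue, receivables and AFDA figures are constructed, and the 25% DSO rise and 10% AFDA band used as thresholds are illustrative assumptions.

```python
"""Receivables analytic behind the DSO / AFDA visualization.

Added example (constructed data, not from the presentation). For each quarter it
computes days sales outstanding (DSO) and allowance coverage, then flags quarters
where DSO rose sharply versus the prior year (PY) while the allowance for doubtful
accounts (AFDA) barely moved: a pointer to a possible understatement of the reserve.
"""

# Constructed data: quarter -> year -> (revenue, ending receivables, AFDA balance).
PERIODS = {
    "Q1": {"PY": (10_000, 3_000, 150), "CY": (10_500, 3_200, 155)},
    "Q2": {"PY": (11_000, 3_300, 165), "CY": (11_200, 4_900, 170)},
    "Q3": {"PY": (12_000, 3_600, 180), "CY": (12_500, 5_600, 175)},
    "Q4": {"PY": (13_000, 3_900, 195), "CY": (13_500, 4_500, 300)},
}


def dso(revenue, receivables, days_in_period=90):
    """Days sales outstanding: how many days of revenue are sitting in receivables."""
    return receivables / revenue * days_in_period


def afda_coverage(receivables, afda):
    """Allowance as a fraction of gross receivables."""
    return afda / receivables


def flag_reserve_risk(periods, dso_rise=0.25, afda_band=0.10):
    """Return (quarter, DSO PY, DSO CY, coverage PY, coverage CY) for every quarter
    where DSO rose more than `dso_rise` year over year while the AFDA balance moved
    less than `afda_band`. Both thresholds are illustrative assumptions."""
    flagged = []
    for quarter, years in periods.items():
        rev_py, ar_py, afda_py = years["PY"]
        rev_cy, ar_cy, afda_cy = years["CY"]
        dso_py, dso_cy = dso(rev_py, ar_py), dso(rev_cy, ar_cy)
        dso_change = dso_cy / dso_py - 1
        afda_change = abs(afda_cy / afda_py - 1)
        if dso_change > dso_rise and afda_change < afda_band:
            flagged.append((quarter, round(dso_py, 1), round(dso_cy, 1),
                            round(afda_coverage(ar_py, afda_py), 3),
                            round(afda_coverage(ar_cy, afda_cy), 3)))
    return flagged


if __name__ == "__main__":
    for q, d_py, d_cy, c_py, c_cy in flag_reserve_risk(PERIODS):
        print("Reserve risk: %s DSO %.1f -> %.1f, AFDA coverage %.1f%% -> %.1f%%"
              % (q, d_py, d_cy, c_py * 100, c_cy * 100))
```

On the constructed data Q2 and Q3 are flagged: DSO climbs from 27 to roughly 39 and 40 days while the AFDA balance is within 3% of the prior year, so allowance coverage of receivables has fallen from 5% to about 3%. Q4 is not flagged even though receivables grew, because the reserve moved with them; that is the distinction a reviewer wants the analytic to make.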


Data analytics – Spreadsheet integrity check

Tools and services exist to assist management with risk and integrity checks associated with complex spreadsheets. Leading practice companies leverage data analytics and visualization tools.

Count  Attribute                          Comments
9711   Unused numeric value               This test finds cells that contain numeric values that are not referenced in any calculations.
1144   Referencing external workbook      This test finds formulas which reference cells in external workbooks.
756    Referencing blank cells            This test finds formulas which contain references to blank cells. These references may be unintended.
624    Hidden row/column                  This shows cells hidden by the range's 'Hidden' property.
411    Number formatted as text           This test identifies data cells which contain numbers formatted as text. Numbers formatted as text may or may not be included in Excel's formula calculations.
110    Broken formula region              Finds formula regions that are inconsistently sized compared to nearby formula regions.
100    Constant in formula                This test finds formulas which contain hard-coded constants in them. Constants embedded in formulas are often difficult to update.
40     Formula fails to cover area        This test finds formulas which reference part, but not all, of a group of similar cells. This is usually unintended.
37     Inconsistent formula               Finds formulas that are unexpectedly different than those in neighboring cells.
31     Formula in data range              This test finds formulas within ranges of data.
17     Formula references no other cells  This test finds cells that contain formulas that do not reference any other cells.
7      Data in formula range              This test finds data cells that may have overwritten formulas.
0      "#" Error                          This test finds error cells including: #REF!, #VALUE!, #N/A, #NULL!, #NAME?, #DIV/0!
0      Complex formula                    Consider simplifying these complex formulas.
0      Sheet is hidden                    This test finds hidden sheets.
0      Missing argument                   This tool checks formulas for arguments that are missing in functions, causing non-default behavior.
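Most of the tests in that table are mechanical checks on formula text and can be reproduced without a commercial tool, which also makes clear what each attribute actually detects. The following is an added example written for this page, not code from the presentation or from any vendor's product: it implements seven of the listed tests over a constructed in-memory worksheet (a dict of A1-style address to cell content, where a string starting with "=" is a formula), using only the Python standard library. The worksheet model, the seeded defects and the neighbour rule used for "Inconsistent formula" are assumptions made here.

```python
"""Spreadsheet integrity checks over an in-memory worksheet (added example).

Covers: constant in formula, referencing external workbook, referencing blank
cells, formula references no other cells, inconsistent formula, number formatted
as text, and "#" error. Worksheet model (an assumption): {address: content}.
"""
import re
from collections import defaultdict

ERRORS = {"#REF!", "#VALUE!", "#N/A", "#NULL!", "#NAME?", "#DIV/0!", "#NUM!"}
REF_RE = re.compile(r"(\$?)([A-Z]{1,3})(\$?)(\d+)")               # B2, $B$2
RANGE_RE = re.compile(r"\$?[A-Z]{1,3}\$?\d+:\$?[A-Z]{1,3}\$?\d+")   # B2:B7
EXTERNAL_REF_RE = re.compile(                                      # '[Book.xlsx]Sheet'!B2
    r"'?\[[^\]]+\][A-Za-z0-9_ ]+'?!\$?[A-Z]{1,3}\$?\d+(?::\$?[A-Z]{1,3}\$?\d+)?")
CONST_RE = re.compile(r"(?<![A-Z$\d.])\d+(?:\.\d+)?")              # literal not part of a ref
NUMERIC_TEXT_RE = re.compile(r"^'?-?\d+(?:\.\d+)?$")               # "2500" stored as text


def col_to_idx(col):
    n = 0
    for ch in col:
        n = n * 26 + ord(ch) - 64
    return n


def idx_to_col(n):
    s = ""
    while n:
        n, r = divmod(n - 1, 26)
        s = chr(65 + r) + s
    return s


def parse_addr(addr):
    """'C5' -> (row 5, column 3)."""
    m = REF_RE.fullmatch(addr.replace("$", ""))
    return int(m.group(4)), col_to_idx(m.group(2))


def local_body(formula):
    """Strip external-workbook references so they are not mistaken for local cells."""
    return EXTERNAL_REF_RE.sub("", formula)


def refs_in(body):
    """Every local cell a formula touches, with ranges expanded to single cells."""
    cells = []
    for rng in RANGE_RE.findall(body):
        (r1, c1), (r2, c2) = (parse_addr(a) for a in rng.split(":"))
        cells += [f"{idx_to_col(c)}{r}" for r in range(min(r1, r2), max(r1, r2) + 1)
                  for c in range(min(c1, c2), max(c1, c2) + 1)]
    cells += [f"{c}{r}" for _, c, _, r in REF_RE.findall(RANGE_RE.sub("", body))]
    return cells


def to_r1c1(addr, body):
    """Rewrite references relative to `addr`, so a formula copied down compares equal."""
    row, col = parse_addr(addr)

    def rel(m):
        r, c = int(m.group(4)), col_to_idx(m.group(2))
        return (("R%d" % r) if m.group(3) else "R[%d]" % (r - row)) + \
               (("C%d" % c) if m.group(1) else "C[%d]" % (c - col))
    return REF_RE.sub(rel, body)


def integrity_checks(sheet):
    """Run the tests over {address: content}; returns {attribute: sorted addresses}."""
    findings = defaultdict(list)
    forms = defaultdict(dict)  # column index -> row -> R1C1 form of the formula
    for addr, v in sheet.items():
        if not isinstance(v, str):
            continue
        if not v.startswith("="):  # data cell: error values and numbers held as text
            if v in ERRORS:
                findings['"#" Error'].append(addr)
            elif NUMERIC_TEXT_RE.match(v):
                findings["Number formatted as text"].append(addr)
            continue
        external = EXTERNAL_REF_RE.search(v) is not None
        body = local_body(v)
        refs = refs_in(body)
        if external:
            findings["Referencing external workbook"].append(addr)
        if not refs and not external:
            findings["Formula references no other cells"].append(addr)
        if any(sheet.get(r) in (None, "") for r in refs):
            findings["Referencing blank cells"].append(addr)
        if CONST_RE.search(body):
            findings["Constant in formula"].append(addr)
        row, col = parse_addr(addr)
        forms[col][row] = to_r1c1(addr, body)
    # Inconsistent formula: the formulas directly above and below agree, this one differs.
    # A total row under a run has no formula below it, so it is deliberately not compared.
    for col, rows in forms.items():
        for row, form in rows.items():
            above, below = rows.get(row - 1), rows.get(row + 1)
            if above is not None and above == below and form != above:
                findings["Inconsistent formula"].append(f"{idx_to_col(col)}{row}")
    return {k: sorted(v) for k, v in findings.items()}


# Constructed invoice tab with typical defects seeded in; not real client data.
SAMPLE_SHEET = {
    "A1": "Invoice", "B1": "Amount", "C1": "Tax", "D1": "Total",
    "A2": "INV-001", "B2": 1000,   "C2": "=B2*0.08", "D2": "=B2+C2",
    "A3": "INV-002", "B3": "2500", "C3": "=B3*0.08", "D3": "=B3+C3",       # amount held as text
    "A4": "INV-003", "B4": 400,    "C4": "=B4*0.08", "D4": "=B4+C4",
    "A5": "INV-004", "B5": 750,    "C5": "=B5*0.08", "D5": "=B5+C5*1.02",  # hand-edited row
    "A6": "INV-005", "B6": 300,    "C6": "=B6*0.08", "D6": "=B6+C6",
    "A7": "INV-006", "B7": 9990,   "C7": "=B7*0.08", "D7": "=B7+C7",
    "B8": "=SUM(B2:B7)", "C8": "=SUM(C2:C7)", "D8": "=SUM(D2:D7)",
    "F2": "='[FXRates.xlsx]Rates'!B2",  # link to an external workbook
    "F3": "=TODAY()",                    # formula that references no other cell
    "F4": "=B9*2",                       # B9 is blank
    "F5": "#REF!",                       # error value left in a data cell
}

if __name__ == "__main__":
    for attribute, cells in integrity_checks(SAMPLE_SHEET).items():
        print(f"{len(cells):>4}  {attribute:<36} {', '.join(cells)}")
```

On the sample tab the hard-coded 8% tax rate in C2:C7 surfaces as "Constant in formula" (a rate change means editing six cells instead of one), the hand-edited D5 as "Inconsistent formula", B3 as a number formatted as text that SUM will silently skip, and F2/F3/F4/F5 each as one of the remaining attributes. Two simplifications to keep in mind before relying on it: the constant test flags any numeric literal, including innocuous function arguments such as the digits in ROUND(x, 2), and the neighbour rule for inconsistency never examines the last formula in a run, so a total row that was overtyped is not caught by this check (the real tools' "Data in formula range" test covers that case).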


Innovation – Robotic process automation (RPA)

Data analytics and robotics can be a catalyst to help accelerate the transformation of an ICFR system. Some benefits include:
• Enhance risk assessment to focus on risks of strategic relevance to the board and the business
• More efficient use of business resources


Innovation – Robotics process automation (RPA)



Visualization – Risk assessment scoping

Visualization tools can be used to analyze the sufficiency of the plan and of the reporting to Audit Committees. Leading practice companies leverage data analytics and visualization tools.


Module 6 – Desired outcome of an effective risk assessment


Desired outcome of an effective risk assessment

The foundation and success of an effective ICFR system lies in an effective risk assessment.

[Diagram: elements surrounding an effective risk assessment]
• COSO Framework
• Risk Ranking & Prioritization
• Tools & Techniques
• Iterative Process
• Right Resources
• Qualitative & Quantitative Factors
• ROMMs and Controls


Desired outcome of an effective risk assessment

Value add to an effective ICFR system and risk assessment:
• Strong foundation for an overall effective ICFR system* which uses LEADING PRACTICES to transform the risk assessment program from a REACTIVE to a PROACTIVE approach
• Designing an efficient and effective control environment that is scalable and replicable, focusing only on those relevant ROMMs
• Mitigation and reduction of potential significant deficiencies and/or material weaknesses
• Defendable position and basis for decisions made in relation to ICFR – Right ROMMs

*An effective ICFR system provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external reporting purposes in accordance with GAAP.


Opportunities and benefits

Accurate and reliable financial data due to a strong, effective ICFR system.

Opportunities:
• Refocus your lens from a reactive to a proactive approach
• Refresh the risk assessment
• Lead the auditors, rather than reacting
• Focus on the risks that matter - the risks of material misstatement

[Diagram: benefits of a mature ICFR system]
• Costs
• Reliability of financial reporting
• Risk-based control structure
• Work of management by auditors
• Mature ICFR system
• Right size resources
• Decreased MW/SDs


Desired outcome of an effective risk assessment

Next steps
1. Assess the maturity of your risk assessment – Identify indicators to assess if it’s time to refocus your lens and refresh the SOX risk assessment process.
2. Refocus and/or implement, as needed – Based on the level of maturity of your risk assessment and/or ICFR system, take the necessary steps to refresh the SOX risk assessment process.
3. Incorporate innovation – Apply innovative tools and techniques throughout your system of controls to create efficiencies and add value.
4. Ongoing & proactive – Perform the risk assessment on an iterative basis to focus on the right ROMMs, on a timely basis to provide a strong foundation for the effective ICFR system.


Module 7 – Resources


Resources and contacts

Resources
• IIA Position Paper – The three lines of defense in effective risk management and control, January 2013
• COSO Framework and Tools – www.coso.org

Contacts
We want to hear from you. If you have questions or comments, or would like to hear about how innovation, such as risk sensing and visualization tools, can elevate and refresh the risk assessment process, contact one of our team members:

Patty Salkin, Managing Director, Deloitte & Touche LLP, +1 732 [email protected]
Michael J. Corrao, Senior Manager, Deloitte & Touche LLP, +1 714 [email protected]
Todd Scarpino, Managing Director, Deloitte & Touche LLP, +1 908 337-2570, [email protected]
Amy Estrada, Managing Director, Deloitte & Touche LLP, +1 908 [email protected]


Q&A?


About DeloitteDeloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

36 USC 220506

This presentation is provided solely for educational purposes and, in developing and presenting these materials, Deloitte is not providing accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decisions or actions that may affect your business or to provide assurance that any decision or action will be supported by your auditors and regulators. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be liable for any claims, liabilities, or expenses sustained by any person who relies on this course for such purposes.