TRANSCRIPT
Risk Assessment –Does Your Approach Need a Refresh?
Presented by: Jason Greenlee, Audit Senior Manager, Deloitte & Touche LLP
March 15, 2018
Copyright © 2017 Deloitte Development LLC. All rights reserved.
Objectives
• Discuss and assess factors that may indicate that your risk assessment activities require a refresh
• Share leading practices to transform the risk assessment program from a reactive to a proactive approach
• Discuss how an effective risk assessment serves to achieve the desired objective of providing reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external reporting purposes in accordance with generally accepted accounting principles (GAAP).
Agenda – Risk assessment refresh
Module 01
• Regulatory requirements
• Data on material weaknesses
Module 02
• Timing
• Participants
Module 03
• COSO linkage to risk assessment
• Risk assessment process
Module 04
• Leading practices to help avoid common risk assessment pitfalls
Module 05
• Innovation when performing risk assessments
Module 06
• Desired outcome of an effective risk assessment
Module 07
• Resources
Module 1 – Risk Assessments
• Regulatory requirements
• Focus area by regulators
• Maturity model
• Cost of a less mature internal control over financial reporting (ICFR) program
• Opportunities
• Data on material weaknesses
Regulatory requirements
Section 404
• Management: SOX Act Section 404(a) requires management of issuers that meet certain criteria (established by SEC rulemaking) to perform an annual assessment of the effectiveness of ICFR as of the entity’s year-end date and to present its assertion as to the effectiveness of the entity’s internal control over financial reporting in the annual Form 10-K filing (referred to as “management’s assessment”).
• Auditor: Sarbanes-Oxley Act Section 404(b) requires the auditors of certain entities subject to Section 404(a) to annually attest to, and report on, management’s assessment in accordance with the standards of the PCAOB (i.e., perform an audit of ICFR). The PCAOB standards are relevant to auditors, as they set forth the requirements that auditors must address as they conduct an integrated audit.
Framework
• Management: SEC Rules 13a-15(c) and 15d-15(c) state that the framework must be a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including broad distribution of the framework for public comment.
• Auditor: PCAOB AS5 requires that the auditor use the same suitable, recognized framework to perform the audit as management uses for its annual evaluation of the effectiveness of the company’s ICFR.
Regulatory requirements – 2013 COSO Framework
Control environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibilities
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information and communication
13. Uses relevant, quality information
14. Communicates internally
15. Communicates externally
Monitoring activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
• The COSO 2013 Internal Control – Integrated Framework is the framework used by management to perform its assessment
• While the five components operate together in an integrated manner, principles 6 through 11 are most relevant to the risk assessment.
Focus area by regulators – Increased focus by the SEC & PCAOB on ICFR
• ICFR continues to be a key focus for financial regulators, preparers, auditors, and audit committees
• Wesley Bricker, Chief Accountant in the SEC’s Office of the Chief Accountant, and others have offered their views on the importance of internal controls:
“We are routinely reminded through our interactions with investors that they continue to believe that strong and effective internal controls and audits are an important component of the ability of companies to communicate credible financial reporting information in order to raise the capital needed to operate, grow and compete….it is hard to think of an area more important than ICFR to our mission of providing high-quality financial information that investors can rely on. If left unidentified or unaddressed, ICFR deficiencies can lead to lower-quality financial reporting and ultimately higher financial reporting restatement rates and higher cost of capital.”
Wesley R. Bricker, Chief Accountant, on December 5, 2016 in keynote address before the 2016 AICPA Conference on Current SEC and PCAOB Developments.
Focus area by regulators – Common themes and differences between management and auditor
Risk assessment (RA) plan for ICFR
• Understand the reasoning when there are differences in risk assessments or in the selection of controls to test
• Frequent discussions on the RA and its impact on the audit of ICFR
• Close to full agreement on controls
Causes for differences and potential efficiencies
• Judgments
• Materiality
• Differences in ROMMs
• Communication
Maturity model – Indicators of a less mature ICFR framework and program
Control environment
• Culture does not demonstrate a commitment to the importance of ICFR
• Roles and responsibilities for ICFR are not clearly defined or understood
• ICFR onboarding is not conducted when changes impacting roles occur in the organization (i.e., restructuring or acquisitions)
Risk assessment
• Performed as a check-the-box exercise
• Not considering qualitative factors
• Not considering all financial statements and disclosures at the appropriate disaggregated level
• Failure to involve key stakeholders with relevant knowledge (i.e., business unit, geographic, complex accounts)
• Failure to consider and monitor changes throughout the period as they relate to ICFR
• Failure to consider IT or outside service provider risks as part of the risk assessment
Control activities, information & communication, and monitoring
• High number of recurring deficiencies
• Identified material weaknesses and significant deficiencies
• Auditor-identified adjustments; consider the significant number or materiality of adjustments
• Failure to design or implement controls over the completeness and accuracy of information or data used in controls
• Control documentation does not reflect current state, or is not sufficiently detailed
• Design of controls is not evaluated when selecting controls to mitigate risks
• Lack of segregation of duties across multiple systems or manual processes
• Failure to consider Information Technology (IT) dependencies when selecting controls to mitigate risks
Cost of a less mature ICFR system
Compliance costs
• Additional effort to address inefficiencies from an immature ICFR program
• Time and resources spent on deficiency assessment, remediation and retesting
• Fraud assessment, investigation, remediation and retesting
• Additional testing procedures resulting from deficiencies or fraud
• Fines and penalties
Missed cost savings
• Inability of external auditors to use management’s testing
• Inability of external auditors to take a control reliance approach to reduce substantive testing
• Inability of auditors or internal audit/management to establish a baseline testing year to reduce the extent of testing in the future
Market/business
• Loss of investor confidence
• Reputation and brand may be impacted upon required disclosures of material weaknesses and frauds
• Diversion of attention from running the business or other important initiatives to fixing problems
Costs of ineffective controls include fraud costs:
• Fraud costs the typical organization about 5% of revenues in a given year, according to the Report to the Nations on Occupational Fraud and Abuse (the “Report”) released March 30, 2016 by the Association of Certified Fraud Examiners.1
• The good news, according to the biennial Report, is that anti-fraud controls reduced losses by as much as 50% at organizations that had them compared with organizations that did not.1
1 - 2016 Global Fraud Study: Report to the Nations on Occupational Fraud and Abuse, Association of Certified Fraud Examiners
Data on material weaknesses – MW data by GAAP financial issues, integrated audits 2
• Tax expense/benefit/deferral/other (FAS 109): 17%
• Revenue recognition: 11%
• Unidentified/inapplicable FASB/GAAP: 11%
• Liabilities, payables, reserves & accrual estimate failures: 9%
• Accounts/loans receivable, investment & cash: 8%
• Inventory, vendor, and cost of sales issues: 7%
• PPE, intangible or fixed asset: 7%
• M&A, disposal or reorganization: 6%
• Expense recording (payroll, SG&A): 5%
• Foreign, related party, affiliated and/or subsidiary: 4%
• CF statement (FAS 95) classification: 2%
• Deferred, stock-based or executive comp: 2%
• Consolidation (Fin46r) & foreign currency translation: 2%
• Other issues: 9%
2 - Based on data from Audit Analytics for annual reports submitted to the SEC during 2017, based on a download as of April 14, 2017. Data depicts the percentage of each issue against the total 296 GAAP issues identified in 147 adverse opinions (out of 2,635 filers).
Data on material weaknesses – MW data by internal control issues, integrated audits 2
• Accounting personnel resources, competency/training: 32%
• Material and/or numerous auditor / YE adjustments: 18%
• Information technology, software, security & access issue: 11%
• Inadequate disclosure controls (timely, accuracy, completeness): 8%
• Non-routine transaction control issues: 7%
• Segregation of duties / design of controls (personnel): 6%
• Untimely or inadequate account reconciliations: 3%
• Restatement or nonreliance of company filings: 3%
• Senior management competency, tone, reliability issues: 3%
• Journal entry control issues: 2%
• Treasury control issues: 2%
• Ineffective, non-existent or understaffed audit committee: 2%
• Restatement of previous 404 disclosures: 1%
• Other issues: 2%
2 - Based on data from Audit Analytics for annual reports submitted to the SEC during 2017, based on a download as of April 14, 2017. The chart excludes issues around ‘Accounting documentation, policy and/or procedures’ as 99% of filers had this as a MW IC issue. Data depicts the percentage of each issue against the total 353 IC issues identified in 147 adverse opinions (out of 2,635 filers).
Module 2 – Risk Assessments
• Timing
• Leading practices
• Participants
Timing – Iterative nature of risk assessment
Initially, at the onset of the year, in planning. Update the risk assessment on a planned periodic basis, and as changes arise:
• If, at any point in the annual period, changes occur that could have a significant impact on internal control, management should assess the change and revise the initial risk assessments as necessary
• Leading practice companies have programs and controls in place to identify changes.
• Leading practice companies coordinate frequently and in a timely manner with the external auditor.
Leading practices – Programs and controls that are often leveraged to identify and/or assess changes
• Non-routine technical memo: include considerations of ICFR, impact on cash flows, footnotes and disclosures
• Risk committees: require risk committees to assess areas that could significantly impact ICFR and report to the SOX team for assessment
• Management review controls: certain controls, such as monthly balance sheet reviews, incorporate changes that may impact ICFR. Such meetings may serve to identify changes
• 302 certifications: leverage the identification of changes; consider incorporating reporting of anticipated future changes
Participants – Using the lens of the Three Lines of Defense Model
The Three Lines of Defense Model enhances understanding of risk management and control by clarifying roles and duties.3 The model places the three lines under Senior Management and the Board / Audit Committee, with External Auditors and Regulators alongside.
Responsibilities
Management (1st line of defense): own and manage risk and control
• Owns the risk, and the design and execution of controls to respond to risks
SOX compliance team (2nd line of defense): monitor risk and control in support of management
• Provide management with expertise and process excellence, and work with the first line to monitor the effectiveness of risk assessment and control activities
Internal audit (3rd line of defense): provide independent assurance to the board and senior management
• Assess the effectiveness of both the first and second lines’ efforts, consistent with the expectations of the board and senior management
3 The Institute of Internal Auditors Position Paper, Leveraging COSO across the three lines of defense. IIA Position Paper - The three lines of defense in effective risk management and control, January 2013
Module 3 – Risk Assessments
• COSO linkage to risk assessment
• All-encompassing risk assessment process
• Inherent risk
• Leading practices
Risk assessment considerations – 2013 COSO Framework, Principle 6: Specifies suitable objectives
• Complies with applicable accounting standards: financial reporting objectives are consistent with accounting principles suitable and available for that entity. Output: identification of accounting principles (i.e., US GAAP, IFRS, etc.)
• Considers materiality: management considers materiality in financial statement presentation. Output: materiality calculation.
• Reflects the entity’s activities: external reporting reflects the underlying transactions and events to show qualitative characteristics and assertions. Output: financial statements identified for risk assessment
Risk assessment considerations – 2013 COSO Framework, Principle 7: Identify and analyze risks
Inputs
• Financial / business performance
• Organizational changes
• External events
• Changes to accounting standards
• IT applications and infrastructure
• Process changes
• Operational events (fraud, system errors, etc.)
• Prior audit results (IAD, SOX, state examiners)
• Senior management meetings
• Management risk self-assessments
• Outsourced service providers
• Financial transactions and events
Outputs
• Potential impact on financial reporting
• Dynamic risk-based approach to SOX testing
Risk assessment considerations – 2013 COSO Framework, Principle 8: Assess fraud risk
As part of the risk assessment process, organizations should identify the various ways that fraudulent financial reporting can occur, considering the COSO points of focus for fraud risk:
• Types of fraud
• Incentives and pressures
• Opportunities
• Attitudes and rationalizations
Risk assessment considerations – 2013 COSO Framework, Principle 9: Identify and assess change
Inputs
• Changes in leadership
• Changes in the business model
• Changes in the external environment
Outputs
• Potential impact on financial reporting
• Dynamic risk-based approach to SOX testing
Leading practices in risk assessment – Risk assessment process
It is through the risk assessment process that a company can report with confidence the number and types of controls necessary to have an effective ICFR system. The process brings together the right people, tools & techniques, and effective processes.
Tools and considerations applied throughout the process
• SAFE FOOD PROGRAM
• Risk diagnostic
• Outside service providers (OSPs)
• Information technology
• Consider changes
Process steps
1. Calculate materiality
2. RA at financial statement footnote & disclosure level
3. RA at business unit level
4. RA at account balance level (ROMMs)
5. Review & assess sufficiency of plan
6. Approval of planned RA
7. Control activity selection
8. Test of D&I and O&E
9. Evaluation of results
10. Report results
Outputs
• Financial statement RA & scoping analysis, including IT and OSPs
• Annual plan supporting management’s 404(a) assessment
• ROMM templates and controls at account balance level
• Documentation of approach & report to the audit committee
Process for identifying risks of material misstatement
• Top down: start at financial statement line items
• Bottom up: start at the business cycle, process flow or transaction type level
Both approaches converge on risks of material misstatement, significant accounts, and relevant assertions.
Factors relevant to assessing inherent risk
Degree of complexity and judgment
• The complexity of transactions
• Degree of complexity or judgment
• Degree of judgment / objectivity in the accounting process
• Susceptibility to misstatement due to error or fraud
Nature of the account
• Nature and composition of the account
• Size and composition of the account
• Effect of quantitative and qualitative factors
• Volume of activity, complexity, and homogeneity
Other factors
• Existence of related party transactions
• Economic, accounting, or other developments
• Risk of fraud
• Transactions outside of the normal course of business
• Possibility of significant contingent liabilities
• Changes from the prior period
• Exposure to losses
• Complexity / simplicity of related calculations
• Accounting and reporting complexities
• Degree of automation / manual intervention
Leading internal control practices – 2013 COSO Framework
• COSO Principle 7: annual review and updates of the risk assessment:
  o Discuss, review, and revise with input from the key functional and component managers
  o Respond to each of the relevant risks identified
  o The significance of ROMMs (i.e., low, higher or significant) is identified and considered in the testing plan
• COSO Principle 8: performance of an annual fraud risk assessment to identify potential fraud schemes associated with external reporting, taking into account input from the key functional and component managers.
  o Results are discussed with the audit committee
• COSO Principle 9: management (with input from functional or component management, third-party specialists, or both) determines whether a change or event gives rise to new or modified risks, including those related to fraud.
• COSO Principles 10 and 11: the entity selects control activities that mitigate the risks identified in the risk assessment (also taking into account the fraud risk assessment), including control activities related to the IT environment.
Module 4 – Leading practices to help avoid common risk assessment pitfalls
Common risk assessment pitfalls
Pitfall: ROMMs go unidentified.
Potential MW: Likely.
Example: Non-routine transactions are scrutinized and assessed, with a focus on recording the transactions correctly, but often management does not assess the ROMMs, relevant assertions and controls for financial reporting, disclosures or cash flows. This has contributed to non-routine transactions being cited in 7% of reported material weaknesses for integrated filers in 2017.
Common risk assessment pitfalls
Pitfall: ROMMs are identified, but not described at a sufficient level of granularity.
Potential MW: Possibly.
Example: A ROMM addressing the valuation assertion for a warranty accrual is noted as ‘accruals are subjective in nature and may be manipulated to project certain financial results’ versus a more granular description of ‘the entity uses incorrect significant assumptions (historical claim rates and warranty periods) and underlying data (sales subject to warranty and historical repairs) to calculate and record warranty expenses.’
Common risk assessment pitfalls
Pitfall: A ROMM is identified, but the right control is not selected to mitigate the risk.
Potential MW: Likely.
Example: In the warranty reserve scenario above, the granular ROMM more precisely articulates the true risk of material misstatement. Often, management selects controls that relate to period-end account reconciliations or rollforwards, which may not focus on the review of the underlying inputs and assumptions that a management review control would cover.
Common risk assessment pitfalls
Pitfall: IT risks were not considered as part of the risk assessment process.
Potential MW: Likely.
Example: A cyber risk that has been perpetrated involves a wire fraud scheme where business emails are compromised, either through a hacked employee mailbox or through the creation of a look-alike domain, whereby a fictitious email is sent from someone pretending to be a high-level executive, requesting that a targeted employee transfer funds for an urgent transaction.
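The wire-fraud scheme described in this example can be screened for at the mailbox or payment-approval step. The following is an added illustration, not part of the Deloitte presentation: it checks the sender of a payment request against a hypothetical allowlist of the company's own domains (example-corp.com is a constructed name), flags look-alike domains that differ by a single edit or a digit-for-letter substitution, flags a Reply-To that diverts replies away from an otherwise genuine address (the compromised-mailbox route), and raises the risk when the subject carries urgent-payment language. The keyword list, edit-distance threshold and risk ladder are illustrative assumptions, and the sample messages are constructed.

```python
"""Sender-domain checks for payment-request emails (added example).

Screens the headers of an incoming request against an allowlist of the
company's own domains and flags the two routes named on the slide: a
look-alike domain, and a Reply-To that diverts replies away from a genuine
(possibly compromised) mailbox. Domains and messages are constructed.
"""
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}      # hypothetical company domain
PAYMENT_LANGUAGE = re.compile(r"\b(wire|transfer|urgent|payment)\b", re.I)
# digits commonly substituted for letters in look-alike registrations
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable(domain: str) -> str:
    """Last two labels only (assumption: no public-suffix list handling)."""
    return ".".join(domain.lower().split(".")[-2:])


def normalise(domain: str) -> str:
    """Fold homoglyphs so 'examp1e' compares equal to 'example'."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; one edit away counts as a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_class(domain: str) -> str:
    """'trusted', 'lookalike' (homoglyph or one edit away), or 'external'."""
    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(normalise(reg), normalise(trusted)) <= 1:
            return "lookalike"
    return "external"


def classify(message: dict) -> dict:
    """message: {'from': header, 'reply_to': header or None, 'subject': text}."""
    from_domain = parseaddr(message["from"])[1].rpartition("@")[2]
    cls = sender_class(from_domain)
    reasons = []
    if cls == "lookalike":
        reasons.append("lookalike domain")
    reply_to = message.get("reply_to")
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rpartition("@")[2]
        if registrable(reply_domain) != registrable(from_domain):
            reasons.append("reply-to mismatch")
    if PAYMENT_LANGUAGE.search(message.get("subject", "")):
        reasons.append("payment request language")
    # Illustrative risk ladder: a look-alike sender is always high; a genuine
    # sender whose replies are diverted is high only when money is requested.
    if "lookalike domain" in reasons or (
        "reply-to mismatch" in reasons and "payment request language" in reasons
    ):
        risk = "high"
    elif reasons:
        risk = "medium"
    else:
        risk = "low"
    return {"sender": cls, "reasons": reasons, "risk": risk}


# Constructed sample messages
MESSAGES = [
    {"from": "CEO <ceo@example-corp.com>", "reply_to": None, "subject": "Q3 board deck"},
    {"from": "CEO <ceo@examp1e-corp.com>", "reply_to": None, "subject": "Urgent wire transfer needed today"},
    {"from": "CEO <ceo@example-corp.com>", "reply_to": "ceo@mail-example.net", "subject": "Please transfer funds today"},
    {"from": "CEO <ceo@example-corp.co>", "reply_to": None, "subject": "Quick favour"},
    {"from": "billing@supplier.example", "reply_to": None, "subject": "Invoice 4471 attached"},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["from"], "->", classify(m))
```

A check like this belongs in the control that approves outgoing payments, not only in the mail gateway, because the second message route involves a genuine mailbox and passes domain authentication; the Reply-To mismatch and the out-of-band callback to a known number are what catch it.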
Common risk assessment pitfalls
Pitfall: ROMMs are identified, but no differentiation in the level of risk is stated (for example, lower, higher or significant).
Potential MW: Possibly.
Example: An entity challenged the risk level of a ROMM by performing a top-down approach for a material flow of transactions that is highly automated, concluding that a previously identified normal risk is a lower risk. As a result, the entity was able to reduce the extent of testing by reducing the control sample sizes and varying the nature of testing.
Common risk assessment pitfalls
Pitfall: A risk assessment framework or methodology has not been developed, or is ineffective, as a basis to perform the risk assessment.
Potential MW: Possibly.
Example: Examples of leading practice tools include:
• Data analytics to identify trends and analyze populations
• Visualization tools to provide deeper insights and enhanced business analysis
• Modeling tools that examine a wide range of industry data and predict potential risks using trend and regression analysis
Common risk assessment pitfalls
Pitfall: ROMMs are identified, but are incorrectly assessed as potential material misstatements when they are not.
Potential MW: Minimal.
Example: An entity is in the last year of a restructuring program, where the remaining program costs are immaterial to the financial statements, but the entity continues to identify ROMMs associated with the program and test related controls.
Common risk assessment pitfalls
Pitfall: Control selection is not challenged to determine whether the mix of control activity types is the most beneficial to the company, considering resources and cost.
Potential MW: Minimal.
Example: Many entities are not taking advantage of the following in new or existing systems:
• Automated controls
• Continuous monitoring controls, including the use of data analytics
• Automating spreadsheets into a system-generated report
• Robotics solutions for repetitive control activities
Module 5 – Innovation: ‘The art of the possible’
Innovation – Risk assessments
Data analytics can be used to develop, analyze, model, and visualize data:
• Analyze complete populations
• Identify trends in the underlying data
• Hone in on risks of material misstatement
• Provide deeper insights and enhanced business analysis
Leading practice companies leverage data analytics and visualization tools.
Innovation – Data analytics explained
In the context of a risk assessment, analytics can be used to help management:
• Better plan and execute management’s testing by focusing on areas that have a higher likelihood of misstatement
• Better process, understand and analyze large volumes of data
• Perform more real-time (continuous) auditing
• Evaluate complete populations of electronic data
…and can include any or all of the following activities:
• Discovering and analyzing patterns in data
• Extracting useful information from a population
• Identifying outliers
• Automating data aggregation and recalculating balances
• Revealing relationships
• Visualizing data
• Mapping data across operating units, systems, products, or other dimensions
• Building statistical or other exploratory or predictive models
Data analytics – Risk assessment example
Chart: days in receivable (blue bar graph) and allowance for doubtful accounts (AFDA, green line graph), current year against prior year (PY).
Analyze the visualization – what are your observations?
• Significant increase in days in receivable (blue bar graph)
• AFDA has remained consistent with PY (green line graph)
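The pattern the chart asks the reader to spot (days in receivable climbing while the allowance stays flat) can be computed rather than eyeballed once the analytic is run over the full population of periods. The block below is an added example, not Deloitte's tooling: it computes days sales outstanding and AFDA coverage per quarter from constructed figures, compares each quarter with the same quarter of the prior year, and flags the divergence. The 20% DSO and 5% coverage thresholds are illustrative assumptions, not a standard.

```python
"""Receivables trend analytic over constructed quarterly data (added example).

Mirrors the visualization on the slide: days in receivable rising while the
allowance for doubtful accounts (AFDA) stays flat against the prior year (PY)
is a pattern worth treating as a risk of material misstatement in the
valuation of receivables. All figures below are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Quarter:
    label: str
    revenue: float      # revenue recognised in the quarter
    receivables: float  # gross trade receivables at quarter end
    afda: float         # allowance for doubtful accounts at quarter end
    days: int = 91      # days in the period


# Constructed sample: prior year and current year, same quarter labels
PRIOR_YEAR = [
    Quarter("Q1", 1000, 450, 22.5),
    Quarter("Q2", 1100, 480, 24.0),
    Quarter("Q3", 1050, 470, 23.5),
    Quarter("Q4", 1200, 500, 25.0),
]
CURRENT_YEAR = [
    Quarter("Q1", 1020, 460, 23.0),   # receivables grow with revenue: normal
    Quarter("Q2", 1120, 540, 27.0),   # DSO up ~10%, coverage unchanged at 5%
    Quarter("Q3", 1080, 620, 24.8),   # DSO up ~28%, coverage falls to 4%
    Quarter("Q4", 1250, 720, 28.8),   # DSO up ~38%, coverage still 4%
]


def days_in_receivable(q: Quarter) -> float:
    """Days sales outstanding: receivables divided by average daily revenue."""
    return q.receivables / (q.revenue / q.days)


def afda_coverage(q: Quarter) -> float:
    """Allowance as a fraction of gross receivables."""
    return q.afda / q.receivables


def flag_divergence(current: Quarter, prior: Quarter,
                    dso_threshold: float = 0.20,
                    coverage_tolerance: float = 0.05):
    """Return a finding when DSO rose by more than dso_threshold (relative)
    against the prior-year quarter while AFDA coverage did not rise by at
    least coverage_tolerance (relative); otherwise None. Thresholds are
    illustrative assumptions."""
    dso_now, dso_py = days_in_receivable(current), days_in_receivable(prior)
    cov_now, cov_py = afda_coverage(current), afda_coverage(prior)
    dso_change = (dso_now - dso_py) / dso_py
    cov_change = (cov_now - cov_py) / cov_py
    if dso_change > dso_threshold and cov_change < coverage_tolerance:
        return {
            "quarter": current.label,
            "dso_change": round(dso_change, 3),
            "coverage_change": round(cov_change, 3),
            "observation": "days in receivable rose while AFDA coverage did not",
        }
    return None


def run_analytic(current=CURRENT_YEAR, prior=PRIOR_YEAR):
    """Compare each quarter with the same quarter of the prior year and
    return the flagged findings (empty list when nothing diverges)."""
    findings = []
    for cur, py in zip(current, prior):
        finding = flag_divergence(cur, py)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in run_analytic():
        print(f"{f['quarter']}: DSO {f['dso_change']:+.1%}, "
              f"AFDA coverage {f['coverage_change']:+.1%} -> {f['observation']}")
```

A flagged quarter is the starting point for the granular ROMM discussed earlier on this page (wrong assumptions or stale data behind the allowance), not a conclusion by itself; the analytic only tells the reviewer where to look.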
Data analytics – Spreadsheet integrity check
Tools and services exist to assist management with risk integrity checks associated with complex spreadsheets. Leading practice companies leverage data analytics and visualization tools.
Count  Attribute: Comments
9711  Unused numeric value: This test finds cells that contain numeric values that are not referenced in any calculations.
1144  Referencing external workbook: This test finds formulas which reference cells in external workbooks.
756  Referencing blank cells: This test finds formulas which contain references to blank cells. These references may be unintended.
624  Hidden row/column: This shows cells hidden by the range's 'Hidden' property.
411  Number formatted as text: This test identifies data cells which contain numbers formatted as text. Numbers formatted as text may or may not be included in Excel's formula calculations.
110  Broken formula region: Finds formula regions that are inconsistently sized compared to nearby formula regions.
100  Constant in formula: This test finds formulas which contain hard-coded constants in them. Constants embedded in formulas are often difficult to update.
40  Formula fails to cover area: This test finds formulas which reference part, but not all, of a group of similar cells. This is usually unintended.
37  Inconsistent formula: Finds formulas that are unexpectedly different than those in neighboring cells.
31  Formula in data range: This test finds formulas within ranges of data.
17  Formula references no other cells: This test finds cells that contain formulas that do not reference any other cells.
7  Data in formula range: This test finds data cells that may have overwritten formulas.
0  "#" Error: This test finds error cells including: #REF!, #VALUE!, #N/A, #NULL!, #NAME?, #DIV/0!
0  Complex formula: Consider simplifying these complex formulas.
0  Sheet is hidden: This test finds hidden sheets.
0  Missing argument: This tool checks formulas for arguments that are missing in functions, causing non-default behavior.
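Several of the attributes in the table are mechanical enough to implement directly, which shows what such a tool is actually testing. The block below is an added example and is not the tool behind the table or any Deloitte product: it models a sheet as a dictionary of A1-style addresses to values (a string starting with "=" is a formula) and implements five checks from the list: constant in formula, formula references no other cells, referencing blank cells, number formatted as text, and inconsistent formula. The sample sheet, with its planted defects, is constructed; the "inconsistent formula" rule (a formula whose relative pattern breaks a run of two identical neighbours in its column) is this example's own simplification of the tool's neighbour comparison.

```python
"""Spreadsheet integrity checks over an in-memory sheet (added example).

A sheet is a dict of cell address -> value; a string starting with "=" is a
formula. Five attributes from the integrity-check table are implemented.
The sample sheet is constructed for the example.
"""
import re
from collections import defaultdict

REF = re.compile(r"\$?([A-Z]{1,3})\$?(\d+)")              # A1-style references
NUMERIC_TEXT = re.compile(r"^\s*-?\d+(?:\.\d+)?\s*$")       # "1200" stored as text
BARE_NUMBER = re.compile(r"(?<![A-Za-z_])\d+(?:\.\d+)?")    # skips LOG10, etc.

# Constructed sample sheet: quantity x price table with planted defects
SAMPLE_SHEET = {
    "A1": "Item", "B1": "Qty", "C1": "Price", "D1": "Total",
    "A2": "Widget", "B2": 10, "C2": 2.5, "D2": "=B2*C2",
    "A3": "Gadget", "B3": "15", "C3": 3.0, "D3": "=B3*C3",   # B3: number as text
    "A4": "Gizmo", "B4": 4, "C4": 7.0, "D4": "=B4*7",         # hard-coded price
    "A5": "Total", "D5": "=SUM(D2:D4)",
    "D6": "=D5*1.07",                                         # hard-coded uplift
    "E2": "=B2*F2",                                           # F2 is blank
    "G1": "=1+2",                                             # no cell references
}


def col_index(letters: str) -> int:
    n = 0
    for ch in letters:
        n = n * 26 + ord(ch) - 64
    return n


def col_letters(index: int) -> str:
    out = ""
    while index:
        index, rem = divmod(index - 1, 26)
        out = chr(65 + rem) + out
    return out


def split_addr(addr: str):
    m = REF.fullmatch(addr)
    return col_index(m.group(1)), int(m.group(2))


def is_formula(value) -> bool:
    return isinstance(value, str) and value.startswith("=")


def references(formula: str):
    return [f"{c}{r}" for c, r in REF.findall(formula)]


def numeric_constants(formula: str):
    # Drop references first so the row digits in "B2" are not read as numbers
    return BARE_NUMBER.findall(REF.sub(" ", formula[1:]))


def relative_pattern(addr: str, formula: str) -> str:
    """Rewrite references as offsets from the formula's own cell, so that
    copied-down formulas compare equal (=B2*C2 at D2 and =B3*C3 at D3)."""
    col, row = split_addr(addr)

    def repl(m):
        return f"R[{int(m.group(2)) - row}]C[{col_index(m.group(1)) - col}]"

    return REF.sub(repl, formula)


def run_checks(cells: dict) -> dict:
    """Return {attribute: sorted list of offending cell addresses}."""
    findings = defaultdict(list)
    patterns = {}
    for addr, value in cells.items():
        if is_formula(value):
            refs = references(value)
            if not refs:
                findings["Formula references no other cells"].append(addr)
            if any(cells.get(r) in (None, "") for r in refs):
                findings["Referencing blank cells"].append(addr)
            if numeric_constants(value):
                findings["Constant in formula"].append(addr)
            patterns[addr] = relative_pattern(addr, value)
        elif isinstance(value, str) and NUMERIC_TEXT.match(value):
            findings["Number formatted as text"].append(addr)
    # Inconsistent formula: a cell whose pattern breaks a run of at least two
    # identical patterns directly above or directly below it in its column
    for addr, pat in patterns.items():
        col, row = split_addr(addr)
        for step in (-1, 1):
            near = patterns.get(f"{col_letters(col)}{row + step}")
            far = patterns.get(f"{col_letters(col)}{row + 2 * step}")
            if near is not None and near == far and near != pat:
                findings["Inconsistent formula"].append(addr)
                break
    return {k: sorted(v) for k, v in findings.items()}


def summarize(findings: dict):
    """(count, attribute) rows ordered like the integrity-check table."""
    return sorted(((len(v), k) for k, v in findings.items()), reverse=True)


if __name__ == "__main__":
    for count, attribute in summarize(run_checks(SAMPLE_SHEET)):
        print(f"{count:>5}  {attribute}")
```

The defects the checks surface map directly to ROMMs over spreadsheet-based controls: a hard-coded uplift in D6 is an assumption nobody reviews, and the text-formatted quantity in B3 silently changes what SUM and multiplication produce.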
Innovation – Robotic process automation (RPA)
Data analytics and robotics can be a catalyst to help accelerate the transformation of an ICFR system. Some benefits include:
• Enhanced risk assessment that focuses on risks of strategic relevance to the board and the business
• More efficient use of business and resources
Visualization – Risk assessment scoping
Visualization tools can be used to analyze the sufficiency of the plan and to support reports to audit committees. Leading practice companies leverage data analytics and visualization tools.
Module 6 – Desired outcome of an effective risk assessment
Desired outcome of an effective risk assessment
The foundation and success of an effective ICFR system lies in an effective risk assessment, which brings together:
• COSO Framework
• Iterative process
• Right resources
• Tools & techniques
• Qualitative & quantitative factors
• Risk ranking & prioritization
• ROMMs and controls
Desired outcome of an effective risk assessment – Value add to an effective ICFR system and risk assessment
• Strong foundation for an overall effective ICFR system* which uses LEADING PRACTICES to transform the risk assessment program from a REACTIVE to a PROACTIVE approach
• Designing an efficient and effective control environment that is scalable and replicable, focusing only on those relevant ROMMs
• Mitigation and reduction of potential significant deficiencies and/or material weaknesses
• Defendable position and basis for decisions made in relation to ICFR – the right ROMMs
*An effective ICFR system provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external reporting purposes in accordance with GAAP.
Opportunities
Accurate and reliable financial data due to a strong, effective ICFR system.
• Refocus your lens from a reactive to a proactive approach
• Refresh the risk assessment
• Lead the auditors, rather than reacting
• Focus on the risks that matter - the risks of material misstatement
Opportunities and benefits of a mature ICFR system
• Costs
• Reliability of financial reporting
• Risk-based control structure
• Use of the work of management by auditors
• Right-size resources
• Decreased MW/SDs
Desired outcome of an effective risk assessment – Next steps
1. Assess the maturity of your risk assessment: identify indicators to assess if it’s time to refocus your lens and refresh the SOX risk assessment process.
2. Refocus and/or implement, as needed: based on the level of maturity of your risk assessment and/or ICFR system, take the necessary steps to refresh the SOX risk assessment process.
3. Incorporate innovation: apply innovative tools and techniques throughout your system of controls to create efficiencies and add value.
4. Ongoing & proactive: perform the risk assessment on an iterative basis to focus on the right ROMMs, on a timely basis, to provide a strong foundation for an effective ICFR system.
Module 7 – Resources
Resources and contacts
Resources
• IIA Position Paper - The three lines of defense in effective risk management and control, January 2013
• COSO Framework and Tools - www.coso.org
Contacts
We want to hear from you. If you have questions or comments, or would like to hear about how innovation, such as risk sensing and visualization tools, can elevate and refresh the risk assessment process, contact one of our team members:
• Patty Salkin, Managing Director, Deloitte & Touche LLP, +1 732 [email protected]
• Michael J. Corrao, Senior Manager, Deloitte & Touche LLP, +1 714 [email protected]
• Todd Scarpino, Managing Director, Deloitte & Touche LLP, +1 908 337-2570, [email protected]
• Amy Estrada, Managing Director, Deloitte & Touche LLP, +1 908 [email protected]
Q&A?
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.
36 USC 220506
This presentation is provided solely for educational purposes and, in developing and presenting these materials, Deloitte is not providing accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decisions or actions that may affect your business or to provide assurance that any decision or action will be supported by your auditors and regulators. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be liable for any claims, liabilities, or expenses sustained by any person who relies on this course for such purposes.