CGFOA 2020 VIRTUAL CONFERENCE
Demystifying Risk Assessment & Assessing Risk at the Appropriate Level
TODAY'S PRESENTERS
• Audrey Donovan, Senior Manager, Specialty Services
• Paul Kane, Partner, Assurance Services
• Doug Cash, Senior Manager, Specialty Services
• David Rowan, Senior Manager, Specialty Services
HOLISTIC RISK ASSESSMENT
• Internal Audit Risk
• Financial Audit Risk
• Fraud Risk
• Information Technology Risk
Integrated Approach
HOLISTIC RISK ASSESSMENT
Comparison of the four audit types: Internal Audit, External Audit, Fraud / Forensic Audit, Information Technology Audit
Scope of Work
• Internal Audit: Organizational operations
• External Audit: Fiscal financial records
• Fraud / Forensic Audit: Fraudulent financial reporting and misappropriation of assets
• Information Technology Audit: Information Systems (IS) environment
Focus
• Internal Audit: Governance, risk management, process improvement
• External Audit: Financial reports; internal controls related to financial reporting
• Fraud / Forensic Audit: Proving the nature and extent of a particular fraud
• Information Technology Audit: Controls within an information technology infrastructure
Review & Testing Level
• Internal Audit: Lower
• External Audit: Higher
• Fraud / Forensic Audit: Lower
• Information Technology Audit: Lower
Range of Risks
• Internal Audit: Broad
• External Audit: Narrow
• Fraud / Forensic Audit: Narrow
• Information Technology Audit: Broad
Time Horizon
• Internal Audit: Current
• External Audit: Historical
• Fraud / Forensic Audit: Historical
• Information Technology Audit: Current
Why Performed
• Internal Audit: Assess and improve the effectiveness of governance, risk management, and control over critical processes; provide the board and management with information and assurance related to their duties.
• External Audit: Validate, or provide reasonable assurance of, the material accuracy of financial reports from the organization to its stakeholders.
• Fraud / Forensic Audit: Recreate past financial transactions for a specific purpose.
• Information Technology Audit: Determine whether information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.
Primary Audience
• Internal Audit: Board; Executive Management
• External Audit: Shareholders; Investors; Public interests
• Fraud / Forensic Audit: Board; Executive Management; Outside parties; Public interests
• Information Technology Audit: Board; Executive Management
YOU WANT SOMEONE WHO WILL…
Value is in the eye of the beholder.
Ask yourself: how would you truly evaluate the value you bring to the relationship?
• Listen
• Help you think through your challenges
• Provide provocative ideas
• Challenge your thinking
• Provide industry insights
• Share stories (success/failure)
• Be your advocate
• Help you personally
INTERNAL AUDIT RISK ASSESSMENT
RISK ASSESSMENT OVERVIEW
Risk - The possibility or uncertainty of an event occurring that will have a negative impact on the achievement of objectives. Measured in terms of impact and likelihood.
Risk Assessment - A process for identifying, measuring, and prioritizing 'risks' (the possibility or uncertainty of events occurring) that have the potential to impact the achievement of objectives.
Risk assessment – in a nutshell:
• Clarifying objectives
• Assessing risks to the achievement of objectives
• Identifying controls to address risks
RISK ASSESSMENT FACTORS
Risk Factors:
• Fraud
• Financial
• Legal
• Operational
• Transactional
• Compliance
• Strategic
• Reporting
• Reputational
• Technology
• Emerging
• Vendor
• Outsourcing
• Investment Performance
• Credit
• Governance
• Data
• Cyber Security
• Public
RISK ASSESSMENT – EXAMPLE
Strategic Goal: Quality of Life & Community – Promote educational, cultural, and recreational opportunities that contribute to the health and well-being of our community.
Strategic Objective: Implement Regional Transportation Committee (RTC) Complete Streets policies.
Risk: Streets go unrepaired, causing the cost of future repairs to increase.
Inherent Impact: High
Inherent Likelihood: Medium
Inherent Risk Score: Medium
Controls: Complete Streets monitoring program. Complete Streets Study. Citizens call in and report repair/patch/fill needs.
Residual Impact: Medium
Residual Likelihood: Low
Residual Risk Score: Medium
FINANCIAL AUDIT RISK ASSESSMENT
FINANCIAL REPORTING RISK ASSESSMENT
A formal risk assessment is a key ingredient in assessing the adequacy of an organization's controls.
Why identify and understand risks?
1. A risk assessment is a key component of internal control.
2. Identify what could go wrong in the financial statements.
3. Allows management to evaluate the likelihood and magnitude of potential misstatements.
4. Provides the foundation needed for assessing whether controls are properly designed and implemented.
FINANCIAL REPORTING RISK ASSESSMENT
Risk assessment should answer the following questions:
1. Which controls are necessary to address the organization’s risks?
2. How many controls does the organization need?
3. What is “just enough” for the organization’s internal controls over financial reporting?
Risk assessment should include both:
1. Specific financial reporting objectives.
2. The identification of the relevant risks.
RISK ASSESSMENT
Identify Risks
Assess Risks
Respond to Risks
WHAT ARE FINANCIAL STATEMENT RISKS?
• Risks that may affect the entity's ability to achieve financial reporting objectives.
• Conditions that could result in something going wrong in the financial statements.
• May be throughout the financial statements or related to specific transactions, accounts or disclosures.
• May relate to error or fraud.
COMPONENTS OF RISK ASSESSMENT
INHERENT RISK - Expectation of material misstatement.
CONTROL RISK - Risk that internal controls would not detect material misstatement.
RISK OF MATERIAL MISSTATEMENT - Risk that relevant assertions related to account balances, classes of transactions, or disclosures are materially misstated.
FACTORS TO CONSIDER:
Factors to consider when looking at specific financial statement accounts:
• Size and what makes up the account.
• How susceptible is the account to fraud or errors?
• What is the exposure to losses?
• Level of judgment involved in recording transactions.
• The volume of activity in the account.
• The complexity of the class of transactions in the account.
• Nature of the transactions: are they routine and automated, or manual?
• Existence of related-party transactions.
SUMMARY OF RISK FACTORS TO INCLUDE
Risk factors to include in your risk assessment:
• Materiality
• Reporting requirements
• Level of judgement
• Extent of reliance
• Transaction numbers
• Manual processes involved
• Data sources
• Integrity & availability of source documents
NATURE OF CONTROLS
The next step is to identify key controls over the financial statement transaction class being assessed; document the controls and evaluate the final risk based on the controls that may be in place to respond to the noted risks.
• To be effective, all components should be present and functioning.
Final risk assessment for each financial statement transaction class:
1. What are the remaining risks after existing controls have been considered?
2. What is the overall risk rating?
INTERNAL CONTROLS
BE SURE TO CONSIDER CHANGES TO CONTROLS THAT MIGHT HAVE OCCURRED AS A RESULT OF COVID-19:
Two or more sets of controls:
• Controls prior to remote working and/or reduced workforce
• Working remotely – modified controls
Processes:
• Change AP from check runs to EFTs
• Modify IT environment for offsite access
DETERMINE RISK RATING
High
• Poses a significant financial reporting risk.
• Will most likely require ongoing sustained resources.
• Complex accounting issues or balances that include significant estimates or judgement.
Medium
• Poses a moderate financial reporting risk.
• Will involve fewer resources.
• Involves less complex controls and accounting issues.
Low
• Minimal financial reporting risk.
• Requires a low level of resources.
• Routine control and accounting issues.
AREAS TO ASSESS
• Cash/Investments
• Accounts Receivable/Revenues
• Accounts Payable/Expenses
• Payroll
• Capital Assets
• Long-Term Debt
• Financial Reporting
• Journal Entries
• Other Significant Accounts: inventory, prepaids, deferred revenues, significant estimates, etc.
RESPONDING TO SPECIFIC RISKS
• The significance of the risk.
• The likelihood of material misstatement.
• The characteristics of the class of transactions, account balances, or disclosures involved.
• The nature of controls and whether they are automated or manual.
Identify gaps and prioritize actionable responses.
FINANCIAL STATEMENT RISK ASSESSMENT SUMMARY
1. Consider aspects of financial statements that are sources of risks.
2. Gather information that indicates potential risks.
3. Identify risks.
4. Identify key controls that address the risks.
5. Assess whether controls are properly designed and implemented.
6. Identify gaps and prioritize deficiencies and risks in which improvements are required.
COVID IMPACT ON FINANCIAL STATEMENTS
Risks Identified Related to COVID and CARES Act funding:
• GASB Technical Bulletin 2020-1, issued in June 2020.
• Clarifies application of GASB recognition requirements to resources received from certain programs established by the CARES Act.
• Also clarifies presentation of certain inflows of CARES Act resources and the unplanned outflows of resources incurred in response to COVID.
FRAUD RISK ASSESSMENT
ACFE REPORT TO THE NATIONS 2020
RECOVERING FRAUD LOSSES
Source: ACFE 2020 Report to the Nations.
In a remote work environment, the common "red flags" for identifying questionable employee behavior and/or work duties become even more difficult to identify.
ACFE REPORT TO THE NATIONS 2020
RED FLAGS – EMPLOYEE BEHAVIORS
Source: ACFE 2020 Report to the Nations.
ACFE REPORT TO THE NATIONS 2020
RED FLAGS – EMPLOYEE WORK DUTIES
Source: ACFE 2020 Report to the Nations.
The presence of anti-fraud controls was correlated with lower losses and quicker fraud detection.
Proactive data monitoring was associated with 54% lower losses and frauds detected in half the time.
ANTI-FRAUD CONTROLS = LOSS REDUCTION
How does the presence of anti-fraud controls relate to the duration of fraud?
ANTI-FRAUD CONTROLS = INCREASED DETECTION
What are the primary internal control weaknesses that contribute to occupational fraud?
TONE AT THE TOP
The most important aspect of a successful set of internal controls!
Tone at the top is used to define management's and the board of directors' leadership and commitment to being honest and ethical.
Tone at the top was popularized as a result of numerous corporate accounting scandals such as Enron, WorldCom, Adelphia, etc.
Tone at the top has a significant impact on a company's cultural environment and corporate values.
THIS MAY BE!
WHAT IS THE TONE AT THE TOP?
"Tone at the top, commonly referred to in auditing, is used to define a company's management and board of directors' leadership and their commitment to being honest and ethical. The tone at the top sets forth a company's cultural environment and corporate values."
Source: Corporate Finance Institute
COMMON AREAS OF FRAUD IN GOVERNMENTS
Misappropriation:
• Payment adjustments
• Payments made to fictitious entities
• Nonexistent employees / beneficiaries
• Personal purchases
• False timekeeping
• Expense reimbursements
• Electronic skimmers (credit card readers)
• Theft of assets
Misuse of Office:
• Kickbacks
• Bribes
• Conflicts of interest
• Abuse of title - 'Do you know who I am??'
Misleading Financials:
• Revenue overstatements
• Unrecorded liabilities
• Unrecorded expenses
• Misleading statements in bond documents
IT RISK ASSESSMENT
• IT Risks
• Logical Access Path
• Impact of Information Technology
TOP RISKS FOR THE UNITED STATES PER DEPARTMENT OF DEFENSE
1. Cyber threats
2. Terrorism
3. Transnational Organized Crime
"The severity and impact of cyberthreats have changed the landscape in which governments, corporations, individuals and, specifically, institutions of all sizes and complexities operate."
Source: US Department of Defense
RISK IS EVERYWHERE
Most Common Threats:
• Malicious software or "malware"
• Distributed denial of service attacks
• Data Leakage
• Third-party/Cloud Vendor Risks
• Mobile/Web Application Vulnerabilities
• Weaknesses in Project Management or Change Management
• Ransomware
THE LOGICAL ACCESS PATH
Business processes
ACCESS TO THE UNDERLYING OS NEEDS TO BE TESTED BECAUSE LOGICAL ACCESS ALLOWS:
The ability to perform administrative procedures over the underlying operating system is crucial to the security of the database, as it impacts:
• Access to configuration, physical data files and logs
• Access to start, shut down and tune the database
• Access to database utilities and services
• Access to database services
MULTIPLE LOGICAL ACCESS PATHS INCREASE THE RISK OF INAPPROPRIATE ACCESS…
• User
• Database Administrator
• System Administrator
INTEGRATED SYSTEMS
DATA
WHAT’S THE PROBLEM IN THE STRUCTURE?
• Potential for gross inefficiencies in data
• Potential for redundant systems / wasteful spending
• Disaster recovery issues
• Piracy / hacking
• Upgrades / migration of hardware
• Data analytics / performance management
• Fraud, waste and abuse
IMPACT OF INFORMATION AND INFORMATION TECHNOLOGY
• Information is a key resource for all enterprises.
• Enterprises constantly collect or create information, use it, store it, share it and eventually destroy it (we hope).
• Information Technology (IT) is a key enabler of the above.
• IT is pervasive and ubiquitous in all areas of public and private enterprise, and personal life.
• High dependency on information requires that it be safeguarded from unauthorized access or misappropriation, have integrity and be made available when required.
• Mobile technology and “Bring Your Own Device” are additional threats that may require IT auditing, policies, procedures and laws.
EXAMPLES OF IT OBJECTIVES TO BE ACHIEVED AND RISKS TO BE MITIGATED
IT OBJECTIVES
• Efficient and successful operations
• Data integrity
• Protected systems
• Safeguarded assets
• Data and system availability
• Enhanced reputation (e.g. security of PII)
• Statutory compliance
IT RISKS
• Information loss (accidental or malicious)
• Financial reporting errors
• Loss of data and/or system integrity confidence
• Computer fraud
• System failure and downtime
• Increased cost of operation
• Inaccurate data = poor decisions
• Unauthorized release of PII
• Compliance failure
RISK ASSESSMENT IMPACT
Security is NOT a one-size-fits-all proposition.
Build a security strategy into your controls framework and risk assessment.
Build a monitoring plan into your ongoing process and update the risk assessment based on changes in the environment.
This process never sleeps!
WRAP UP
Internal Audit, Financial, Fraud & Information Technology Risk Assessment
This presentation is presented with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns, as the contents of this presentation are intended for general information purposes only. Viewers are urged not to act upon the information contained in this presentation without first consulting competent legal, accounting or other professional advice regarding implications of a particular factual situation. Questions and additional information can be submitted to your Eide Bailly representative, or to the presenter of this session.
QUESTIONS?
eidebailly.com
THANK YOU
Audrey Donovan, Senior Manager
Paul Kane, Partner
Doug Cash, Senior Manager
David Rowan, IT Risk Advisory Senior Manager