CGFOA 2020 VIRTUAL CONFERENCE Demystifying Risk Assessment & Assessing Risk at the Appropriate Level

CGFOA 2020 VIRTUAL CONFERENCE · 2020. 11. 2. · Demystifying Risk Assessment & Assessing Risk at the Appropriate Level. TODAYS PRESENTERS Audrey Donovan ... governance, risk

TODAY'S PRESENTERS

• Audrey Donovan, Senior Manager, Specialty Services
• Paul Kane, Partner, Assurance Services
• Doug Cash, Senior Manager, Specialty Services
• David Rowan, Senior Manager, Specialty Services

HOLISTIC RISK ASSESSMENT

Integrated Approach:
• Internal Audit Risk
• Financial Audit Risk
• Fraud Risk
• Information Technology Risk

HOLISTIC RISK ASSESSMENT

Scope of Work
• Internal Audit: Organizational Operations
• External Audit: Fiscal Financial Records
• Fraud / Forensic Audit: Fraudulent financial reporting and misappropriation of assets
• Information Technology Audit: Information Systems (IS) environment

Focus
• Internal Audit: Governance, Risk Management, Process Improvement
• External Audit: Financial Reports, Internal Controls related to Financial Reporting
• Fraud / Forensic Audit: Proving the nature and extent of a particular fraud
• Information Technology Audit: Controls within an information technology infrastructure

Review & Testing Level
• Internal Audit: Lower
• External Audit: Higher
• Fraud / Forensic Audit: Lower
• Information Technology Audit: Lower

Range of Risks
• Internal Audit: Broad
• External Audit: Narrow
• Fraud / Forensic Audit: Narrow
• Information Technology Audit: Broad

Time Horizon
• Internal Audit: Current
• External Audit: Historical
• Fraud / Forensic Audit: Historical
• Information Technology Audit: Current

Why Performed
• Internal Audit: Assess and improve the effectiveness of governance, risk management, and control over critical processes. Provide the board and management with information and assurance related to their duties.
• External Audit: Validate, or provide reasonable assurance of, the material accuracy of financial reports from the organization to its stakeholders.
• Fraud / Forensic Audit: Recreate past financial transactions for a specific purpose.
• Information Technology Audit: Determine whether information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

Primary Audience
• Internal Audit: Board, Executive Management
• External Audit: Shareholders, Investors, Public interests
• Fraud / Forensic Audit: Board, Executive Management, Outside parties, Public interests
• Information Technology Audit: Board, Executive Management

YOU WANT SOMEONE WHO WILL…

Value is in the eye of the beholder.

Ask yourself. How would you truly evaluate the value you bring to the relationship?

• LISTEN
• HELP YOU THINK THROUGH YOUR CHALLENGES
• PROVIDE PROVOCATIVE IDEAS
• CHALLENGE YOUR THINKING
• PROVIDE INDUSTRY INSIGHTS
• SHARE STORIES (SUCCESS/FAILURE)
• BE YOUR ADVOCATE
• HELP YOU PERSONALLY

INTERNAL AUDIT RISK ASSESSMENT

RISK ASSESSMENT OVERVIEW

Risk - The possibility or uncertainty of an event occurring that will have a negative impact on the achievement of objectives. Measured in terms of impact and likelihood.

Risk Assessment - A process for identifying, measuring, and prioritizing ‘risks’ (the possibility or uncertainty of events occurring) that have the potential for impacting the achievement of objectives.

Risk assessment – In a nutshell

• Clarifying objectives
• Assessing risks to the achievement of objectives
• Identifying controls to address risks

RISK ASSESSMENT FACTORS

Risk Factors:
• Fraud
• Financial
• Legal
• Operational
• Transactional
• Compliance
• Strategic
• Reporting
• Reputational
• Technology
• Emerging
• Vendor
• Outsourcing
• Investment Performance
• Credit
• Governance
• Data
• Cyber Security
• Public

RISK ASSESSMENT – EXAMPLE

• Strategic Goal: Quality of Life & Community. Promote educational, cultural, and recreational opportunities that contribute to the health and well-being of our community.
• Strategic Objective: Implement Regional Transportation Committee (RTC) Complete Streets policies.
• Risk: Streets go unrepaired causing cost for future repairs to increase.
• Inherent Impact: High
• Inherent Likelihood: Medium
• Inherent Risk Score: Medium
• Controls: Completed Streets monitoring program. Completed Streets Study. Citizens call in and report repair/patch/fill needs.
• Residual Impact: Medium
• Residual Likelihood: Low
• Residual Risk Score: Medium

FINANCIAL AUDIT RISK ASSESSMENT

FINANCIAL REPORTING RISK ASSESSMENT

A formal risk assessment is a key ingredient helping to assess the adequacy of an organization’s controls.

Why identify and understand risks?

1. A risk assessment is a key component of internal control.

2. Identify what could go wrong in the financial statements.

3. Allows management to evaluate the likelihood and magnitude of potential misstatements.

4. Provides the foundation needed for assessing whether controls are properly designed and implemented.

FINANCIAL REPORTING RISK ASSESSMENT

Risk assessment should answer the following questions:

1. Which controls are necessary to address the organization’s risks?

2. How many controls does the organization need?

3. What is “just enough” for the organization’s internal controls over financial reporting?

Risk assessment should include both:

1. Specific financial reporting objectives.

2. The identification of the relevant risks.

RISK ASSESSMENT

Identify Risks

Assess Risks

Respond to Risks

WHAT ARE FINANCIAL STATEMENT RISKS?

• Risks that may affect the entity's ability to achieve financial reporting objectives.
• Conditions that could result in something going wrong in the financial statements.
• May be throughout the financial statements or related to specific transactions, accounts or disclosures.
• May relate to error or fraud.

COMPONENTS OF RISK ASSESSMENT

• INHERENT RISK: Expectation of material misstatement.
• CONTROL RISK: Risk that internal controls would not detect material misstatement.
• RISK OF MATERIAL MISSTATEMENT: Risk that relevant assertions related to account balances, classes of transactions, or disclosures are materially misstated.

FACTORS TO CONSIDER:

Factors to consider when looking at specific financial statement accounts

• Size and what makes up the account.
• How susceptible is account to fraud or errors?
• What is the exposure to losses?
• Level of judgment involved in recording transactions.
• The volume of activity in the account.
• The complexity of the class of transactions in the account.
• Nature of the transactions - Are they routine and automated or manual?
• Existence of related-party transactions.

SUMMARY OF RISK FACTORS TO INCLUDE

Risk Factors to include in your risk assessment

• Materiality
• Reporting requirements
• Level of Judgement
• Extent of reliance
• Transaction numbers
• Manual processes involved
• Data Sources
• Integrity & availability of source docs

NATURE OF CONTROLS

Next step is to identify key controls over the financial statement transaction class being assessed; document controls and evaluate final risk based on controls that may be in place to respond to the noted risks.

• To be effective, all components should be present and functioning

Final risk assessment for each financial statement transaction class:

1. What are remaining risks after existing controls have been considered?

2. What is the overall risk rating?

INTERNAL CONTROLS

BE SURE TO CONSIDER CHANGES TO CONTROLS THAT MIGHT HAVE OCCURRED AS A RESULT OF COVID-19:

Two or more sets of controls:

• Controls prior to remote working and/or reduced workforce
• Working remotely – modified controls

Processes:

• Change AP from check runs to EFTs
• Modify IT environment for offsite access

DETERMINE RISK RATING

High

• Poses a significant financial reporting risk.
• Will most likely require ongoing sustained resources.
• Complex accounting issues or balances that include significant estimates or judgement.

Medium

• Poses a moderate financial reporting risk.
• Will involve less resources.
• Involves less complex controls and accounting issues.

Low

• Minimal financial reporting risk.
• Require low level of resources.
• Routine control and accounting issues.

AREAS TO ASSESS

• Cash/Investments
• Accounts Receivable/Revenues
• Accounts Payable/Expenses
• Payroll
• Capital Assets
• Long-Term Debt
• Financial Reporting
• Journal Entries
• Other Significant Accounts: Inventory, prepaids, deferred revenues, significant estimates, etc.

RESPONDING TO SPECIFIC RISKS

The significance of the risk.

The likelihood of material misstatement.

The characteristics of the class of transactions, account balances, or disclosures involved.

The nature of controls and whether they are automated or manual.

Identify gaps and prioritize actionable responses

FINANCIAL STATEMENT RISK ASSESSMENT SUMMARY

• Consider aspects of financial statements that are sources of risks
• Gather information that indicates potential risks
• Identify risks
• Identify key controls that address the risks
• Assess whether controls are properly designed and implemented
• Identify gaps and prioritize deficiencies and risks in which improvements are required.

COVID IMPACT ON FINANCIAL STATEMENTS

Risks Identified Related to COVID and CARES act funding:

• GASB Technical Bulletin – 2020-1, Issued in June 2020.

• Clarifies application of GASB recognition requirements to resources received from certain programs established by CARES Act.

• Also, clarifies presentation of certain inflows of CARES act and the unplanned outflows of resources incurred in response to COVID.

FRAUD RISK ASSESSMENT

ACFE REPORT TO THE NATIONS 2020

RECOVERING FRAUD LOSSES

Source: ACFE 2020 Report to the Nation.

In a remote work environment, the common “Red Flags” that point to questionable employee behavior and/or work duties become even more difficult to identify.

ACFE REPORT TO THE NATIONS 2020

RED FLAGS – EMPLOYEE BEHAVIORS

Source: ACFE 2020 Report to the Nation

ACFE REPORT TO THE NATIONS 2020

RED FLAGS – EMPLOYEE WORK DUTIES

Source: ACFE 2020 Report to the Nation

The presence of anti-fraud controls was correlated with lower losses and quicker fraud detection.

Proactive data monitoring was associated with 54% lower losses and frauds detected in half the time.

ANTI-FRAUD CONTROLS = LOSS REDUCTION

How does the presence of anti-fraud controls relate to the duration of fraud?

ANTI-FRAUD CONTROLS = INCREASED DETECTION

What are the primary internal control weaknesses that contribute to occupational fraud?

TONE AT THE TOP

1. THIS MAY BE! The most important aspect of a successful set of internal controls!

2. Tone at the top is used to define the management and the board of directors’ leadership and commitment to being honest and ethical.

3. Tone at the top was popularized due to numerous corporate accounting scandals such as Enron, WorldCom, Adelphia, etc.

4. Tone at the top carries a significant impact on a company’s cultural environment and corporate values.

WHAT IS THE TONE AT THE TOP?

“Tone at the top, commonly referred to in auditing, is used to define a company’s management and board of director’s leadership and their commitment to being honest and ethical. The tone at the top sets forth a company’s cultural environment and corporate values.”

Source: Corporate Finance Institute

COMMON AREAS OF FRAUD IN GOVERNMENTS

Misappropriation

• Payment adjustments
• Payments made to fictitious entities
• Nonexistent employees / beneficiaries
• Personal purchases
• False timekeeping
• Expense reimbursements
• Electronic skimmers (credit card readers)
• Theft of assets

Misuse of Office

• Kickbacks
• Bribes
• Conflicts of Interest
• Abuse of Title - ‘Do you know who I am??’

Misleading Financials

• Revenue overstatements
• Unrecorded liabilities
• Unrecorded expenses
• Misleading statements in bond documents

IT RISK ASSESSMENT

• IT Risks
• Logical Access Path
• Impact of Information Technology

TOP RISKS FOR THE UNITED STATES PER DEPARTMENT OF DEFENSE

1. Cyber threats

2. Terrorism

3. Transnational Organized Crime

“The severity and impact of cyberthreats have changed the landscape in which governments, corporations, individuals and, specifically, institutions of all sizes and complexities operate.”

Source: US Department of Defense

RISK IS EVERYWHERE

Most Common Threats:

• Malicious software or “malware”

• Distributed denial of service attacks

• Data Leakage

• Third-party/Cloud Vendor Risks

• Mobile/Web Application Vulnerabilities

• Weaknesses in Project Management or Change Management

• Ransomware

THE LOGICAL ACCESS PATH

Business processes

ACCESS TO UNDERLYING OS NEEDS TO BE TESTED BECAUSE LOGIC ALLOWS:

The ability to perform administrative procedures over the underlying operating system is crucial to the security of the database as it impacts:

• Access to configuration, physical data files and logs
• Access to start, shut down and tune the database
• Access to database utilities and services
• Access to database services
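As an added example (not part of the original presentation), the following Python check shows one way to test the operating-system path to a database: it walks a database directory and flags configuration, data and log files that an account other than the database service owner owns, can read or can modify. The directory layout, file names and the `audit_db_paths` and `build_sample_tree` helpers are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_db_paths(root, expected_uid):
    """Return (path, issue) findings for root and everything under it.

    expected_uid is the OS account the database service runs as. Any other
    owner, or any access granted to "other" users, is an access path that
    bypasses the database's own logins and permissions.
    """
    paths = [root]
    for dirpath, dirs, files in os.walk(root):
        paths += [os.path.join(dirpath, name) for name in dirs + files]

    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: inspect the link itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
            continue
        if st.st_uid != expected_uid:
            findings.append((path, "unexpected-owner"))
        if st.st_mode & stat.S_IROTH:
            findings.append((path, "world-readable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings


def build_sample_tree():
    """Create a constructed database directory with known permission flaws."""
    root = tempfile.mkdtemp(prefix="dbaudit-")  # created with mode 0700
    layout = {  # constructed sample, not a real product's layout
        "conf/db.conf": 0o600,    # owner only: no finding expected
        "data/table.dat": 0o644,  # any local user can read the raw data file
        "log/db.log": 0o666,      # any local user can read and alter the log
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        os.chmod(os.path.dirname(full), 0o700)  # explicit, ignores umask
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, issue in audit_db_paths(sample, os.getuid()):
        print(f"{issue:17} {os.path.relpath(path, sample)}")
```
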

MULTIPLE LOGICAL ACCESS PATHS INCREASE THE RISK OF INAPPROPRIATE ACCESS…

• User
• Database Administrator
• System Administrator

INTEGRATED SYSTEMS

DATA

WHAT’S THE PROBLEM IN THE STRUCTURE?

• Potential for gross inefficiencies in data

• Potential for redundant systems / wasteful spending

• Disaster recovery issues

• Piracy / hacking

• Upgrades / migration of hardware

• Data analytics / performance management

• Fraud, waste and abuse

IMPACT OF INFORMATION AND INFORMATION TECHNOLOGY

• Information is a key resource for all enterprises.

• Enterprises constantly collect or create information, use it, store it, share it and eventually destroy it (we hope).

• Information Technology (IT) is a key enabler of the above.

• IT is pervasive and ubiquitous in all areas of public and private enterprise, and personal life.

• High dependency on information requires that it be safeguarded from unauthorized access or misappropriation, have integrity and be made available when required.

• Mobile technology and “Bring Your Own Device” are additional threats that may require IT auditing, policies, procedures and laws.

EXAMPLES OF IT OBJECTIVES TO BE ACHIEVED AND RISKS TO BE MITIGATED

IT OBJECTIVES

• Efficient and successful operations
• Data integrity
• Protected systems
• Safeguarded assets
• Data and system availability
• Enhanced reputation (e.g. security of PII)
• Statutory Compliance

IT RISKS

• Information Loss (accidental or malicious)
• Financial Reporting Errors
• Loss of data and/or system integrity confidence
• Computer fraud
• System failure and downtime
• Increased cost of operation
• Inaccurate data = poor decisions
• Unauthorized release of PII
• Compliance failure

RISK ASSESSMENT IMPACT

Security is NOT a one-size-fits-all proposition.

Build a security strategy into your controls framework and risk assessment.

Build a monitoring plan into your ongoing process and update the risk assessment based on changes in the environment.

This process never sleeps!

WRAP UP

Internal Audit, Financial, Fraud & Information Technology Risk Assessment

This presentation is presented with the understanding that the information contained does not constitute legal, accounting or other professional advice. It is not intended to be responsive to any individual situation or concerns, as the contents of this presentation are intended for general information purposes only. Viewers are urged not to act upon the information contained in this presentation without first consulting competent legal, accounting or other professional advice regarding implications of a particular factual situation. Questions and additional information can be submitted to your Eide Bailly representative, or to the presenter of this session.

QUESTIONS?

eidebailly.com

THANK YOU

• Audrey Donovan, Senior Manager
• Paul Kane, Partner
• Doug Cash, Senior Manager
• David Rowan, IT Risk Advisory Senior Manager
