Risk assessment includes management’s assessment of the risks relating to the fraudulent reporting and safeguarding of the entity’s assets. In addition, management considers possible acts of corruption, both by entity personnel and by outsourced service providers directly impacting the entity’s ability to achieve its objectives.
The actions being conducted as part of applying this principle link closely to the preceding principle (Identifies and Analyzes Risks), which assesses risks based on the presumption that the entity’s expected standards of ethical con- duct are adhered to by management, other personnel, and outsourced ser- vice providers. This principle, Assesses Fraud Risk, assesses risk in a different context, when an individual’s actions may not align with the expected stand- ards of conduct. Management may also consider the point of focus relating to the principle Identifies and Analyzes Risk when developing, implementing, and conducting internal control. For instance, responses to risks identified as part of this principle fall within the same categories noted above (accept, avoid, reduce, and share). And, as above, the selection and development of controls to effect specific risk responses chosen by management is essential to mitigating fraud risks.
Fraudulent Reporting
Fraudulent reporting can occur when an entity’s reports are wilfully prepared with omissions or misstatements. These events may occur through unauthor- ized receipts or expenditures, financial misconduct, or other disclosure irreg- ularities. A system of internal control over financial reporting is designed and implemented to prevent or detect, in a timely manner, a material omission from or misstatement of the financial statements due to error or fraud. When assessing risks to the achievement of financial reporting objectives, or- ganizations typically consider the potential for fraud in the following areas:
•
Fraudulent Financial Reporting—An intentional act designed to deceiveusers of external financial reports and that may result in a material omis- sion from or misstatement of such financial reports
•
Fraudulent Non-Financial Reporting—An intentional act designed to deceiveusers of non-financial reporting, including sustainability reporting, health and safety, or employment activity, and that may result in reporting with less than the intended level of precision
•
Misappropriation of Assets—Theft of the entity’s assets where the effectmay cause a material omission or misstatement in the external financial reports
•
Illegal Acts—Violations of laws or governmental regulations that could havea material direct or indirect impact on the external financial reports As part of the risk assessment process, the organization should identify the various ways that fraudulent reporting can occur, considering:
•
Management bias, for instance in selecting accounting principles•
Degree of estimates and judgments in external reporting•
Fraud schemes and scenarios common to the industry sectors and markets in which the entity operates•
Geographic regions where the entity does business•
Incentives that may motivate fraudulent behavior•
Nature of technology and management’s ability to manipulate information•
Unusual or complex transactions subject to significant managementinfluence
•
Vulnerability to management override and potential schemes to circumvent existing control activitiesThere may be instances where the organization is not able to directly manage the information captured for financial reporting, yet is expected to have con- trols within the entity that identify, analyze, and respond to that particular risk. For instance, management of a software vendor may not be able to pre- vent personnel within an on-line retailer from underreporting sales numbers to reduce payments to the software vendor. However, the software company can implement control activities to detect such reporting by comparing new software registration levels to sales volumes.
Further, risks pertaining to the complete and accurate recording of asset losses in the entity’s financial statements represent a reporting objective. More specifically related to financial reporting, omission or misstatements may arise from failing to record the loss of assets, manipulating the financial statements to conceal such a loss, or recording transactions outside the ap- propriate reporting period. For instance, an entity may hold its books open for an extended time after a period end to include additional sales, improp- erly account for intercompany transfers of inventory, or manipulate the amortization of its capital assets.
Return to Table of Contents Safeguarding of Assets
Safeguarding of assets refers to protecting against the unauthorized and wil- ful acquisition, use, or disposal of assets. The inappropriate use of an entity’s assets occurs to benefit an individual or group. The unauthorized acquisition, use, and disposal of assets may relate to activities such as illegal marketing, theft of assets, theft of intellectual property, late trading, and money laundering.
Safeguarding of assets typically relates to operations objectives, although certain aspects may relate to other categories of objectives. In terms of oper- ations, management may consider the inappropriate use of an entity’s assets and other resources including intellectual property and preventing loss through theft, waste, or neglect. An entity may also lose value of its assets through inefficiency or what turns out to be simply bad business de- cisions—such as selling a product at too low a price, or extending credit to bad risks. These situations relate to the operations objectives but are not dir- ectly linked to safeguarding of assets.
Where legal or regulatory requirements apply, management considers risks relating to safeguarding of assets in relation to compliance objectives. For ex- ample, an entity may intentionally prepare inaccurate regulatory reporting statements to avoid inspection and penalties.
Regardless of what objective may be affected, the responsibility and account- ability for loss prevention and anti-fraud policies and procedures reside with management of the entity and its subunits in which the risk resides.
Corruption
In addition to assessing risks relating to the safeguarding of assets and fraudulent reporting, management considers possible corruption occurring within the entity. Corruption is generally relevant to the compliance category of objectives but could very well influence the control environment that also affects the entity’s external financial reporting objectives. This includes con- sidering incentives and pressures to achieve objectives while demonstrating adherence to expected standards of conduct and the effect of the control en- vironment, specifically actions linked to Principle 4 (Demonstrates Commit- ment to Competence) and Principle 5 (Enforces Accountability). Aspects of corruption that are considered in an external financial reporting context typic- ally relate to illegal acts that are considered in government statutes relevant to the activity.
In assessing possible corruption, the entity is not expected to directly man- age the actions of personnel within third-party organizations, including those relating to outsourced operations, customers, suppliers, or advisors. However, depending on the level of risk assessed within this component, management may stipulate the expected level of performance and standards of conduct through contractual relations, and develop control activities that maintain oversight of third-party actions. Where necessary, management re- sponds to unusual actions detected in others.
Return to Table of Contents