Beginning Your Evaluation
Step 1 — Identifying Financial Reporting Risks, and Controls That Address Them
Identifying risks in your company's financial reporting starts with what you know best: how your business works. Use your knowledge of your company, as well as of how generally accepted accounting principles apply to the business, to identify which parts of the financial reporting process could lead to material misstatements. Think about "what could go wrong" by considering:
- Risk factors inherent in your business, both internal and external
- Risks in the way you authorize, process and record transactions that are reflected in the financial statements
- Your company's vulnerability to fraud
To identify which controls address those risks, consider the following:
- How do your entity-level controls relate to financial reporting elements? With what level of precision do they operate?
- Is there more than one control that addresses the same financial reporting risk? If so, which one provides the most efficient way for you to evaluate how well it works?
- Is the control automated? If so, how sturdy are the relevant IT controls? Or is the control manual — and if so, what is the risk of human error?
- Not every control within a particular process needs to be identified — only those that adequately address financial reporting risks.
Exactly how you go about identifying your company's financial reporting risks and the controls to address them will depend on your company's size, complexity, and organizational structure — as well as the particulars of the financial reporting process you use. In a smaller company with centralized financial reporting, management's daily involvement with the business may provide it with adequate knowledge to identify the financial reporting risks and related controls.
At the end of this process, you will have identified the financial reporting risks that are specific to your company, as well as the controls that will permit you to most efficiently determine whether the company's financial reporting is reliable.