Monday, December 21, 2015

IT Audit - Risk and Control Matrix

In financial auditing of public companies, the SOX 404 top-down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act. It is used to determine the scope of, and the evidence required to support, management's testing of its internal controls under SOX 404. It is also used by the external auditor to issue a formal opinion on the company's internal controls. It involves applying specific risk factors to determine the scope and evidence required in the assessment of internal control. At each step, qualitative or quantitative risk factors are used to focus the scope of the SOX 404 assessment effort and determine the evidence required. The use of risk and control matrices is central to this whole process. Internal auditors can also use the risk and control matrix as a valuable tool when approaching an internal audit project, to focus scarce audit resources on the key areas within a process.
Perhaps more controversially, management can use a similar matrix to assess the risks facing a business and what it is doing to reduce those risks. Process risk analysis is therefore not just for financial risks but also wider operational risks.
Process risk analysis can be used for SOX compliance or internal audit projects. However, it is also very useful in ensuring that risks are properly mitigated and in determining the key controls in a business process, so that the board and senior management can exercise active oversight. If this is not planned in advance, the whole process can grind to a halt, whereas forward-thinking companies will already have taken those eventualities into account. This session considers the steps that need to be taken in developing an effective risk and control matrix that can be used within a business either as a SOX compliance or audit tool or, more widely, as a valuable aid to management oversight.
Overview of RACM
RACM is a table (matrix) that describes the relations between risks and the methods used to control each risk (the countermeasures for each risk). It is closely tied to the internal control component "Evaluation of and Response to Risks".
Companies are required to analyse and evaluate the factors that could prevent them from accomplishing their own goals (these factors are the risks) and then, based on the results, to deal with those risks. RACM is a document that aggregates the status of the company's internal controls over such risks. The primary purpose of RACM is "visualization of risks."
Contents of RACM
RACM (Risk and Control Matrix) is one of the three tools recommended for the internal reporting system defined in the Financial Products Trading Law. The important risk item in RACM is "a risk that could jeopardize the credibility of financial reports," so the controls over the important risk items must be carefully considered and practiced, and elaborated in the RACM. The specific contents are shown below.
1. Risk - Details of the risks specific to a business process, i.e. risks that could in any way affect the company's financials, e.g. incomplete, inaccurate or unauthorized figures, computations, transactions susceptible to manual intervention, inadequate segregation of duties, etc.
2. Related account items - Items in statement of accounts that are affected by the risks
3. Assertion (Audit Point) - Assertions by management about the fairness of the financial statements. They are categorized into five types.
  • Assertion about existence and occurrence: This is an assertion about the fact that assets, liabilities, and transactions exist during the corresponding financial period. It proves that there is no record about fictitious transactions etc.
  • Assertion about completeness: This is an assertion that all transactions and issues to be recorded are actually included in the documents.
  • Assertion about valuation and allocation: This is an assertion that assets, liabilities, capital, profits, and costs are appropriately included in financial documents.
  • Assertion about rights and obligations: This is an assertion that the rights over the assets and the obligations relating to the liabilities belong to the company.
  • Assertion about presentation and disclosure: This is an assertion that specific components in financial documents are appropriately classified, described, and disclosed.
4. Significance of Risk - Degree of the impact and probability of occurrence of risks
5. Control - Standards and procedures to prevent illegal activities, dishonest activities, and mistakes in the company's business. Control aims to ensure the correctness of the information about business execution results by managing and monitoring business execution against those standards and procedures.
6. Detail: Detail of concrete measures to control risks
  • Frequency: How frequently the measures are executed (e.g. monthly, weekly, as needed, etc.)
  • Object: The part of risk factors to be covered (e.g. Integrity, accuracy, legitimacy, continuity, etc.)
  • Type: How the control measures influence the risks (e.g. automated control or manual control, proactive or heuristic, etc.)
  • Control Nature: Preventive/Detective
7. Risk Evaluation - Overall evaluation of risks based on the importance of the risks, controls over them, and so on
Process to Create RACM
The process to create RACM is as follows.
  1. Specifying Activities - First, we need to specify the range of corporate activities and define all business processes. By doing so, the activity range of the company and the details of its activities are clarified. This phase is shared with the "business flow diagrams" and "business description documents".
  2. Identifying Risks - Risks are the factors that could disturb (negatively impact) the accomplishment of company goals. More specifically, there are external factors such as those shown below.
  • Aggravation of market competition
  • Change of market rates of currency exchange and materials
Also, there are internal factors like the following.
  • Breakdown or failure of information systems
  • Errors and dishonest entries in bookkeeping
  • Leakage of personal information or of information concerning top-level business decisions
We need to grasp the issues that could affect the accomplishment of company goals, and then identify the risks among them. Risks arise at a variety of levels, from company-level ones to business-process-level ones. Therefore, it is important to identify risks appropriately at each level.
3. Classifying Risks - Identified risks are classified here. The criteria for the classification are as follows.
Company-wide Risks - Company-wide risks are risks that could disturb the accomplishments of goals of the entire organization. For example, the following risks are included.
  • Abnormal shift in the cash-flow status
  • Dependency on some specific partners, products, technologies, etc.
  • Occurrence of lawsuits, etc.
  • Dependency on the individual executive officer
To counter these risks, controls must be prepared and operated across the entire organization, including the definition of clear business policies and strategies, reinforcing the functions of the board of directors, auditors, and audit committee, and so on.
Business-process Risks - Business-process risks are risks that affect the accomplishments of a goal of each business process. The following risks are included here.
  • Lack of resources used in the process
  • Dependency on one single task
  • False reports about tasks
We can handle these risks by means of in-process control activities, such as establishing KPIs that make the status of a process visible while it is under way, and introducing BAM (business activity monitoring), which monitors business execution in real time.
Antecedent Risks or Unprecedented Risks - Risks can also be classified based on past business history. Responses to "antecedent risks" can be planned based on the responses taken in the past. We must pay more attention to responses to unprecedented risks. However, antecedent risks can sometimes mutate into novel risks owing to external changes, so we must be careful about them as well.
4. Analyzing and Evaluating Risks - Through analysis of the probability of occurrence of the risks above and of their impact, we then estimate the significance of each risk. Then we evaluate what countermeasures need to be taken, starting from the highest-priority risk.
5. Responding to Risks - Responses to risks include the following.
  • Avoiding Risks - This means stopping the activities that cause the risk. This option is chosen if the probability of occurrence or the impact of the risk is very large, or if the risk is difficult to manage.
  • Mitigating Risks - This means to establish a new control to reduce the probability of occurrence of risks and impacts.
  • Transferring Risks - This means to reduce the impacts of risks by transferring the risks to external entities. (E.g. buying insurance, etc.)
  • Tolerating Risks - This means taking no countermeasures and tolerating the risk. This option should be taken when the cost of proactive measures outweighs their effect, or when countermeasures can still be taken after the risk has materialized.
After the approaches to the risks are determined, the following details should be determined.
  • How often they should be executed
  • Which part of the risk, for example integrity, accuracy, legitimacy, and continuity, are covered
  • Whether countermeasures are executed automatically or manually, and whether they are proactive measures or not
Regarding the format of the Risk Control Matrix, the sample presented in "Execution criteria of evaluation and supervision concerning internal control over financial reports" by the Financial Services Agency consists of the items shown below. These are considered a standard template for SOX purposes to document all financial reporting risks and controls pertaining to business processes.
  1. Control Objective
  2. Risks
  3. Control Description
  4. Control Ref No
  5. Frequency of Control
  6. Control Type
  7. Information Processing Objectives
  8. Financial Statement Assertions
  9. COSO Component
  10. Control owner
  11. Evidence of control
  12. Design Deficiency
  13. Remediation Action Plan
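As an added illustration (not part of the original post or of the FSA template), the following Python builds a small RACM from the elements described above: each risk carries its related account items, the financial statement assertions it affects, and probability and impact scores; each control carries its frequency, type, nature, owner and evidence. Significance is computed as probability times impact on an assumed 1 to 3 scale, risks are ranked so the highest-priority ones are reviewed first (step 4), and a few illustrative design-deficiency checks fill the "Design Deficiency" and "Remediation Action Plan" columns. The risks, controls, scales and gap rules are all constructed sample data and assumptions.

```python
"""Added example: a minimal Risk and Control Matrix (RACM) in code.
All records below are constructed sample data; the 3-point scales and the
design-gap rules are assumptions, not rules from the FSA template."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five assertion types listed in the post.
ASSERTIONS = {"existence", "completeness", "valuation", "rights", "presentation"}


@dataclass
class Risk:
    ref: str
    description: str
    accounts: List[str]       # related account items
    assertions: List[str]     # financial statement assertions affected
    probability: int          # 1 (low) .. 3 (high), assumed scale
    impact: int               # 1 (low) .. 3 (high), assumed scale


@dataclass
class Control:
    ref: str
    risk_ref: str
    description: str
    frequency: str            # e.g. "daily", "monthly", "as needed"
    control_type: str         # "automated" or "manual"
    nature: str               # "preventive" or "detective"
    owner: str                # control owner ("" if unassigned)
    evidence: str             # where evidence of operation lives ("" if none)


def significance(risk: Risk) -> int:
    """Significance of risk = probability x impact (assumed scoring rule)."""
    return risk.probability * risk.impact


def priority(score: int) -> str:
    """Bucket a significance score; thresholds are an assumption."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def design_gaps(risk: Risk, controls: List[Control]) -> List[str]:
    """Illustrative design-deficiency checks for one risk."""
    gaps: List[str] = []
    if not controls:
        gaps.append("no control mapped")
    elif priority(significance(risk)) == "high" and not any(
        c.nature == "preventive" for c in controls
    ):
        gaps.append("high risk relies on detective controls only")
    for c in controls:
        if not c.owner:
            gaps.append(f"{c.ref}: no control owner")
        if not c.evidence:
            gaps.append(f"{c.ref}: no evidence of operation")
    unknown = set(risk.assertions) - ASSERTIONS
    if unknown:
        gaps.append(f"unknown assertion(s): {sorted(unknown)}")
    return gaps


def build_racm(risks: List[Risk], controls: List[Control]) -> List[Dict]:
    """One matrix row per (risk, control) pair, highest-significance risk first.
    A risk with no control still gets a row so the gap is visible."""
    by_risk: Dict[str, List[Control]] = {}
    for c in controls:
        by_risk.setdefault(c.risk_ref, []).append(c)
    rows: List[Dict] = []
    for r in sorted(risks, key=significance, reverse=True):
        ctrls = by_risk.get(r.ref, [])
        gaps = design_gaps(r, ctrls)
        targets: List[Optional[Control]] = list(ctrls) if ctrls else [None]
        for c in targets:
            rows.append({
                "risk": r.ref, "significance": significance(r),
                "priority": priority(significance(r)),
                "accounts": r.accounts, "assertions": r.assertions,
                "control": c.ref if c else "", "frequency": c.frequency if c else "",
                "type": c.control_type if c else "", "nature": c.nature if c else "",
                "owner": c.owner if c else "", "evidence": c.evidence if c else "",
                "design_deficiency": "; ".join(gaps),
                "remediation": "action plan required" if gaps else "",
            })
    return rows


# Constructed sample data (not from the post).
SAMPLE_RISKS = [
    Risk("R1", "Fictitious sales invoices recorded", ["Revenue", "Accounts receivable"], ["existence"], 2, 3),
    Risk("R2", "Journal entries posted without approval (poor segregation of duties)", ["All"], ["existence", "valuation"], 3, 3),
    Risk("R3", "Month-end accruals omitted", ["Accrued liabilities"], ["completeness"], 1, 2),
]
SAMPLE_CONTROLS = [
    Control("C1", "R1", "Three-way match of invoice, PO and goods receipt before posting", "daily", "automated", "preventive", "AP manager", "ERP match log"),
    Control("C2", "R2", "Monthly review of manual journal entries", "monthly", "manual", "detective", "Controller", "Signed review sheet"),
    Control("C3", "R1", "Customer balance confirmations", "quarterly", "manual", "detective", "", ""),
]

if __name__ == "__main__":
    for row in build_racm(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{row['risk']} [{row['priority']}, {row['significance']}] {row['control'] or '-':3} {row['design_deficiency']}")
```

In the sample output the highest-scored risk R2 appears first and is flagged because its only control is detective, R1 surfaces the unassigned owner and missing evidence on C3, and R3 is listed with no control at all; each flag corresponds to a "Design Deficiency" entry that would drive the "Remediation Action Plan" column of the template.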
Source: https://www.linkedin.com/pulse/audit-risk-control-matrix-dinesh-kumar?trk=hp-feed-article-title-share