Wednesday, August 4, 2010

Procedure for Risk Assessment

Step 1:
Risk assessment is conducted for all the business cycles of a company, and for every process and sub-process within them.

The exercise should start from the Trial Balance of the company.

Step 2: How to identify the business cycles of a company?

What is a business cycle?

A business cycle of a company is basically a functional cycle, which covers a process from cradle to grave and consists of many sub-processes. For e.g., Purchase to Payable is a business cycle which includes Planning, Vendor Management, Requisition, Ordering, Receiving, Invoicing and Payment. All these sub-processes together make up the Purchase to Payable (P2P) business cycle.

How to identify the business cycles of a company for the purpose of Risk Assessment (for general purpose/Clause 49 compliance/SOX compliance)?

Business cycles should always be identified through the Trial Balance. All the trial balance accounts should get covered in a maximum of 9-10 business cycles. This gives the person doing the risk assessment an assurance that every account (whether material or non-material) has been covered in one process or the other, and that none has been left out.

Generally the common business cycles which every company has are:

Revenue & Receivables, Purchase to Pay, Payroll, Fixed Assets, Treasury & Risk Management, Taxation, General Ledger & Financial Reporting. So check whether all your TB accounts get covered under these cycles.

Other business cycles may depend upon the industry type. For e.g., in case of a manufacturing company the following cycles may get added: Manufacturing, Inventory & Consumption (MIC) Management, and Order to Cash (which replaces Revenue & Receivables).

The Trial Balance is the mirror of a company; it depicts all the activities of a company through financial numbers. Before doing the Risk Assessment, you first need to know where the risk lies. So first identify the material accounts which give high risk exposure to the company; after identifying such accounts, ascertain which departments and processes cater to those numbers; then identify the risks underlying those processes. It's all about hitting the bull's eye.

Step 3:
After identifying the business cycles, we need to identify the sub-processes under each cycle.

For e.g., in the Purchase to Payables cycle the sub-processes will be: Procurement Planning & Budgeting, Vendor Selection, Master & Maintenance, Purchase Requisitioning, Ordering, Advance Payment, Receiving, Quality Check, Invoicing, Payments, Credit Notes and Vendor Reco.

Step 4:
Now we need to map the identified sub-processes (corresponding to their respective business cycle) to each account of the Trial Balance.

For e.g., the Plant & Machinery account will fall under the Fixed Asset business cycle and under the sub-processes of Vendor Selection & Maintenance, Requisitioning, Ordering, Receipt of Asset, Capitalization and Depreciation.
This exercise can prove quite cumbersome if one doesn't know the nature of the accounts and what impact each account has on the financials.
However, this exercise can also prove useful to identify any suspense or suspicious accounts.

Step 5:
After identifying the sub-processes within each cycle, we need to understand and identify the basic Control Objectives which a process needs in order to work smoothly and efficiently. For e.g., in Fixed Assets Management, control objectives for the Receipt of Assets process can be:

1. To ensure that goods received at the Company's premises are properly recorded in the Inventory records.
2. To ensure that assets received are recorded completely & accurately in the books of accounts.
3. To ensure that duties are adequately segregated between the ordering and receiving functions.
4. To ensure that access to create/update the data in the Fixed Assets Register is restricted to authorized personnel only.

In this manner, we need to know and highlight the objectives on the basis of which we institute controls in our system.


Step 6:
After identifying the Control Objectives, we need to identify the Risks against each sub-process corresponding to the control objectives.

Such risks can be of 4 types: Strategic, Financial, Operational or Compliance.

For e.g., risks for the sub-process Receipt of Fixed Assets can be:

1. Assets received may not be properly recorded in the Inventory records.
2. Assets received may not be correctly/completely recorded in the Fixed Assets Register.
3. Duties may not be adequately segregated.
4. Data in the FA Module may be created/updated by unauthorized personnel.

In the same way, the risks for all sub-processes identified under each business cycle need to be documented.


Step 7:
After identifying all the risks against the sub-processes, we need to give each risk a Likelihood Rating.

This means: what is the likelihood that such a risk can occur? It can be defined as Rare, Unlikely, Moderate, Likely or Almost Certain.
This rating is given assuming that no controls exist in the company.

Step 8:
Against each risk, depending upon the likelihood rating, we need to give an Impact Rating.

This means that we need to assess the impact of each risk on 5 parameters: Strategic, Financial, Operational, Legal Compliance and Reputation.
Such impacts can be categorized into: Severe, Major, Moderate, Minor and Insignificant.
This exercise will help us assess the impact on our process if such risks are not mitigated.

Step 9:
After we have assessed the likelihood rating and impact rating of a risk, we will be able to assess its inherent rating. (The susceptibility of an account balance or class of transactions to misstatement that could be material, assuming that there were no related internal controls, is called Inherent Risk (IR).)

Categorization of risks will be High, Significant, Moderate and Low.
For e.g., if Likelihood is Almost Certain and Impact is Insignificant or Minor, then IR will be Moderate; if Impact is Moderate, then IR will be Significant; and if Impact is Major/Severe, then IR will be High.
Similarly the permutations & combinations are to be made for the others.


Step 10:
Against each risk, we need to document the As-Is or existing controls which are prevalent in the organization/department.

This means: to mitigate a risk, what controls do we have in the process? These can be approvals, maker-checker controls, segregation of duties etc., depending upon the corresponding risks.


Step 11:
After documenting the Existing Controls, we need to identify and assess the Controls Rating, which can be categorized into Poor, Fair, Adequate and Excellent, i.e. we need to categorize the controls into these four parameters.

This would be done considering the nature of the risk and then assessing whether the Existing Control would fully remove the possibility of such a risk, or would mitigate the risk to some extent or to a great extent.

Though this exercise is judgemental, if one has good knowledge of Best Practices then it becomes somewhat easier.


Step 12:
After we have identified the Inherent Risk (IR) and the Controls Rating (CR), we need to assess the Residual Risk (RR) Rating.

This means that we need to ascertain the left-over risk (if any) after considering the prevalent controls in a process.

For e.g., if the IR was High and CR is Poor/Fair, then the RR will be High;
whereas if the IR was High and CR is Adequate, then the RR will be Significant;
and if IR is High & CR is Excellent, then RR is Moderate.
Similarly: IR-Significant, CR-Poor/Fair gives RR-Significant;
IR-Significant, CR-Adequate/Excellent gives RR-Moderate.
In this fashion, all the permutations and combinations can be made.
This will give the management an assurance and an insight into the balance risks that they need to take care of.


Step 13:
After the residual risks have been identified, the company needs to focus more upon the High and Significant risks.

Against such risks, the company needs to identify and document Remediation Action Plans to mitigate/resolve such Residual Risks.
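As an added example (not part of the original post), here is the rating logic of steps 7 to 13 as a small Python risk register. The rating labels and the IR/RR combinations stated above come from the post; the remaining matrix cells and the sample ratings are my assumptions and should be replaced by your own policy.

```python
# Added example, not from the post: score a risk register with the qualitative
# matrices of steps 7-13. Cells marked "assumed" are not stated in the post.
LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Almost Certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]
CONTROL = ["Poor", "Fair", "Adequate", "Excellent"]
RANK = {"Low": 0, "Moderate": 1, "Significant": 2, "High": 3}
# Inherent risk (step 9): likelihood row x impact column, same order as IMPACT.
INHERENT = {
    "Almost Certain": ["Moderate", "Moderate", "Significant", "High", "High"],  # post
    "Likely":         ["Low", "Moderate", "Significant", "High", "High"],  # assumed
    "Moderate":       ["Low", "Moderate", "Moderate", "Significant", "High"],  # assumed
    "Unlikely":       ["Low", "Low", "Moderate", "Significant", "Significant"],  # assumed
    "Rare":           ["Low", "Low", "Low", "Moderate", "Significant"],  # assumed
}
# Residual risk (step 12): inherent row x control column, same order as CONTROL.
RESIDUAL = {
    "High":        ["High", "High", "Significant", "Moderate"],  # post
    "Significant": ["Significant", "Significant", "Moderate", "Moderate"],  # post
    "Moderate":    ["Moderate", "Moderate", "Low", "Low"],  # assumed
    "Low":         ["Low", "Low", "Low", "Low"],  # assumed
}

def inherent_risk(likelihood: str, impact: str) -> str:
    """Combine the no-controls likelihood and impact ratings into IR."""
    if likelihood not in INHERENT or impact not in IMPACT:
        raise ValueError(f"unknown rating: {likelihood!r} / {impact!r}")
    return INHERENT[likelihood][IMPACT.index(impact)]

def residual_risk(inherent: str, control: str) -> str:
    """Reduce IR by the as-is Controls Rating to get RR."""
    if inherent not in RESIDUAL or control not in CONTROL:
        raise ValueError(f"unknown rating: {inherent!r} / {control!r}")
    return RESIDUAL[inherent][CONTROL.index(control)]

def assess(register: list[dict]) -> list[dict]:
    """Score each risk; flag High/Significant RR for a remediation plan (step 13)."""
    scored = []
    for risk in register:
        ir = inherent_risk(risk["likelihood"], risk["impact"])
        rr = residual_risk(ir, risk["control"])
        scored.append({**risk, "inherent": ir, "residual": rr,
                       "remediate": RANK[rr] >= RANK["Significant"]})
    return sorted(scored, key=lambda r: RANK[r["residual"]], reverse=True)

# Constructed sample: the post's four Receipt of Fixed Assets risks, with assumed ratings.
SAMPLE_REGISTER = [
    {"risk": "Assets not recorded in Inventory records", "likelihood": "Likely", "impact": "Moderate", "control": "Adequate"},
    {"risk": "FA Register incomplete/incorrect", "likelihood": "Almost Certain", "impact": "Major", "control": "Fair"},
    {"risk": "Duties not segregated", "likelihood": "Moderate", "impact": "Minor", "control": "Excellent"},
    {"risk": "Unauthorized FA Module updates", "likelihood": "Almost Certain", "impact": "Moderate", "control": "Adequate"},
]
```

Unknown labels (for instance a misspelt likelihood) raise an error rather than silently scoring Low, so a typo in the register cannot hide a High risk.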


This was the whole exercise for conducting a Risk Assessment.


In case you have any other tips, please do share.