Managing Risk In Nonprofit Organizations
Charles F. Tate, CPA
Managing Partner
Tate & Tryon, CPAs and Consultants
Washington, DC
January 13, 2012
What We’ll Discuss Today

1. Overview of COSO and Publications
2. COSO’s ERM
3. COSO’s Internal Control
4. Relationship of COSO to Auditing Standards

1. Overview of COSO and Publications
COSO is the Acronym For:


A. Class of Service Overrides
B. Combat Oriented Supply Operations
C. Committee of Sponsoring Organizations
Answer C: Committee Of Sponsoring Organizations of the “Treadway Commission”
What is the Treadway Commission?


A. Governmental Commission
B. Presidential Commission
C. Congressional Commission
D. All of the Above
E. None of the Above
Answer E: The Treadway Commission is a Joint Private Sector Initiative
Which Organization is not Part of the Private Sector
Initiative (i.e., a Sponsoring Organization)?


A. American Accounting Association (AAA)
B. American Institute of CPAs (AICPA)
C. Association of Financial Professionals (AFP)
D. Financial Executives International (FEI)
E. Institute of Internal Auditors (IIA)
F. Institute of Management Accountants (IMA)
Answer C: AFP is not part of the 5 member Sponsoring Committee
COSO Publications
Which Prominent Accounting Firm
Authored a COSO Publication?

A. Price Waterhouse Coopers (PWC)
B. Grant Thornton (GT)
C. Tate & Tryon (T&T)
D. Coopers & Lybrand (C&L)
E. Both A. and D.
F. Both A., B. and D.
Answer F: PWC, GT, and C&L all authored a COSO Publication
COSO’s Definitions and Objectives

A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

ERM
1. Strategy setting
2. Identify & manage potential events
3. Manage risks to be within its risk appetite

Internal Control
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with laws and regulations.
Which Individual Did Not Influence SOX Legislation?

[Four photographs, labeled A, B, C and D]

Answer D: Michael M. Tryon Had No Influence on SOX
2. COSO’s ERM

COSO Enterprise Risk Management – Integrated Framework

[Figure: ERM framework, with the components unique to ERM highlighted]
COSO Internal Control – Integrated Framework
Comparison of COSO IC and ERM
Relationship of COSO Objectives

Enterprise Risk Management (2004)
• Strategic
• Operations
• Compliance
• Financial Reporting

Internal Control (1992)
• Operations
• Compliance
• Financial Reporting

Internal Control Over Financial Reporting (2006)
• Financial Reporting
ERM Expands on Internal Control Adding Three Components

• Control Environment
• ERM Objective Setting
• ERM Event Identification
• Risk Assessment
• ERM Risk Response
• Control Activities
• Information & Communication
• Monitoring
ERM Expands on Internal Control



   Objective Setting
   • Strategic Objectives–high level
   • Related Objectives–operations, reporting, &
     compliance
   • Achievement of Objectives–reasonable
     assurance
   • Risk Appetite–guidepost in strategy setting
   • Risk Tolerances–acceptable levels of variation
Forming Risk Appetite (Exhibit 3.5 ERM Guidance)
ERM Expands on Internal Control




   Event Identification
   • Events can have a positive impact, a negative impact, or both
   • Events are interdependent–not isolated
   • Events are driven by external and internal
     factors
Implementation – Event Identification

External Factors
• Economic
• Natural Environment
• Political
• Social
• Technological

Internal Factors
• Infrastructure
• Personnel
• Process
• Technology
COSO Components & Principles–ERM



  Risk Response

  •   Avoidance, reduction, sharing, acceptance
  •   Evaluation of risk likelihood and impact
  •   Assessing costs versus benefits
  •   Opportunities in response to options
  •   Portfolio view
Implementation – Risk Response

Avoidance
• Disposing of a program
• Deciding not to engage in new initiatives/activities

Sharing
• Buy insurance
• Joint venture/outsource
• Hedging risks

Reduction
• Diversifying/rebalance
• Limits/processes

Acceptance
• Self insure
• Accept risk that conforms to risk tolerance
Simplified Process For ERM

Strategy & Objectives → Event Identification & Likelihood → Risk Response & Quantification → Financial Model
Financial Impact of Key Scenarios

Major Activity        Potential Scenario                  Probability (H-M-L)   Annual Amount (in millions)   Increase (Decrease)
Donations             • Terrorist or political uprising   H                     1,000                         100
                      • Donation mismanagement            L                                                   -20
Biomedical Services   • Virus                             M                     2,400                         -400
                      • War, natural disaster             H                                                   -600
Fundraising Events    • Weather                           L                     50                            -0-
                      • Pandemic                          L
Government Grants     • Economic downturn                 H                     60                            -40
                      • Contract mismanagement            M                                                   -0-
Investments & other   • Financial meltdown                M                     90                            -30
                      • Fraud (Madoff or Stanford)        M                                                   -10
Total                                                                           3,600                         -1,000
3. COSO’s Internal Control

COSO Components–Internal Control

• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring
COSO Internal Control Components &
Principles

   Environment
   Principles

   •   Management Philosophy
   •   Board of Directors
   •   Integrity and Ethical Values
   •   Commitment to Competence
   •   Organizational Structure
   •   Assignment of Authority and Responsibility
   •   Human Resource Standards
   •   Risk Appetite
Control Environment/Internal Environment is
the Foundation of the 5 Components
COSO Internal Control Components &
Principles


   Risk Assessment
   Principles

   • Specify objectives
   • Risk identification & analysis
   • Inherent and residual risk
Risk Assessment Matrix

(Account, Business Process, Fraud Risk and Entity-wide Factors are the account Characteristics)

Balance Sheet Account              As % of Total   Impact on F/S   Account   Business Process   Fraud Risk   Entity-wide Factors   Overall Rating
ASSETS
Cash & cash equivalents            5%              L               M         L                  H            L                     L
Pledges receivable                 15%             M               H         H                  M            M                     H
Investments                        40%             H               H         H                  L            L                     H
Property & equipment               35%             H               M         M                  H            M                     M
Prepaid & other assets             5%              L               L         L                  L            L                     L
  Total Assets                     100%
LIABILITIES
Accounts Payable                   5%              L               M         M                  H            M                     M
Deferred Revenue                   20%             H               H         H                  L            H                     H
Mortgage (IRB)                     25%             H               H         L                  L            M                     M
Pension & post retirement          10%             M               H         H                  L            H                     H
  Total Liabilities                60%
Net Assets                         30%             H               M         L                  L            L                     L
Total Liabilities and Net Assets   100%
Implementation – Risk Assessment
Significant Assertions

Balance Sheet Account       Existence   Completeness   Valuation or Allocation   Rights & Obligations   Presentation & Disclosure
Cash & cash equivalents
Pledges receivable
Investments
Property & equipment
Prepaid & other assets
Accounts Payable
Deferred Revenue
Mortgage (IRB)
Pension & post retirement
Net assets

[Matrix of check marks showing which assertions are significant for each account; the marks are not reproduced]
COSO Internal Control Components &
Principles


   Control Activities
   Principles

   •   Integration with risk assessment
   •   Selection and development of control activities
   •   Controls over information systems/technology
   •   Policies and procedures are communicated
COSO Internal Control Components &
Principles


   Information &
   Communication
   Principles
   •   Quality of information
   •   Internal & external communication
   •   Means of communication
   •   Strategic and integrated systems
COSO Internal Control Components &
Principles



   Monitoring
   Principles

   • Ongoing monitoring activities
   • Reporting deficiencies
4. Relationship of COSO to Auditing Standards

Auditing Standards – Risk Assessment

• Identifying risks through considering:
  – The entity and its environment, including its internal control
  – Classes of transactions, account balances, and disclosures
• Relating the identified risks to what could go wrong at the relevant assertion level
Intersection of COSO and the Auditor’s Responsibilities

COSO (2004) Enterprise Risk Management
• Broader Objectives
• More than Internal Control

COSO (1992) Internal Control Integrated Framework
• Operations
• Financial Reporting
• Compliance with Laws/Regulations

COSO (2006) Internal Control over Financial Reporting
• Financial Reporting

SAS 109 Understanding of the Entity & Environment
• Understand Five Components
• Focus on Controls Relevant to Financial Reporting
Summary of Risk Assessment Standards

SAS No.   Concept
104       Expands the definition of “reasonable assurance” as a “high” level of assurance
105       “Internal control” is replaced by “the entity and its environment, including its internal control”
106       Use of management’s assertions in obtaining audit evidence – recognition, measurement, presentation and disclosure
107       Reduce audit risk to a low level that is, in the auditor’s professional judgment, appropriate for expressing an opinion on the financial statements
108       Adequately plan the work and must properly supervise any assistants
109       Sufficient understanding of the entity and its environment, including its IC, to assess the risk of material misstatement
110       Sufficient appropriate audit evidence to afford a reasonable basis for an opinion
111       Enhanced guidance on tolerable misstatement
Auditor’s Assessment of Material Misstatement – SAS 106

Classes of Transactions
• Occurrence
• Completeness
• Accuracy
• Cutoff
• Classification

Account Balances
• Existence
• Rights and obligations
• Completeness
• Valuation and allocation

Presentation and Disclosures
• Occurrence/Rights and obligations
• Completeness
• Classification and understandability
• Accuracy and valuation
GAAS & COSO Use of Financial Statement Assertions to Assess Risk

GAAS – Risk Assessment Standards (SAS 106)
• Existence
• Occurrence
• Completeness
• Rights and Obligations
• Valuation and Allocation
• Accuracy
• Cutoff
• Classification
• Understandability

COSO – Internal Control Over Financial Reporting /1.
• Existence or Occurrence
• Completeness
• Rights and Obligations
• Valuation or Allocation
• Presentation and Disclosure

/1. Source: SAS 31, Evidential Matter prior to amendment by SAS 106
Audit Risk Assessment and COSO

Financial Statements: Investments & Income; Receivables & Revenue; Real Estate & Debt; Payables & Expenses; Deferred Revenue; Net Assets & Restrictions

Assertions: Completeness; Existence; Valuation; Rights & Obligations; Presentation & Disclosure

Risks: Processes; Competency; IT Infrastructure; Fraud Risk; Entity-Wide Factors

Control Objectives: Appropriate Accounting; Statements Informative; Classification Appropriate; Reflect Transactions; Reflect Materiality

Entity-Wide Controls: Process-Level Controls; Preventive or Detective; Manual or Automated

Adapted from an article by Michael Ramos CPA, entitled Risk-Based Audit Practices, Journal of Accountancy, Dec., 2009
Posted on Docstoc 8/1/2012 (46 pages). Description: Presentation from Charles Tate, Tate & Tryon about the risk issues non profits need to manage.