Management includes a risk identification process that identifies risks of material omission and misstatement and the likelihood of occurrence of the risks to relevant financial statement assertions for each significant account and disclosure. In preparing this analysis, management considers the business processes and business units supporting financial statement accounts and disclosures. The process of identifying the supporting business units includes discussions with each business unit or process leader. It also includes identifying the information technology systems that support those business processes that are relevant to the external financial reporting objectives.

Lionel Tetrault is the CFO of Shark Tank Co., a firearms manufacturer. He convenes a working session of the department heads of marketing, production, information technology, human resources, and administration to perform a risk analysis by functional department. Risks are rated from 1 (least risk) to 5 (most risk) based on potential impact on financial reporting and likelihood of occurrence. After the discussion sessions, the participants document the results in a table that outlines each specific risk together with the rating and factors contributing to the rating.

For example, the risk of material omission and misstatement due to revenue recognition was rated as 4 (medium-high). Contributing to this assessment was consideration of the likelihood and impact of the organization failing to:

Management identifies risks to the achievement of financial reporting objectives by considering risk factors related to each significant financial statement account and the associated financial statement assertions. The process of identifying and analyzing risk considers both quantitative and qualitative factors, including the following:

The management of Bachmann Tools, a hand tool importer, manufacturer, and distributor, identifies risks to the achievement of financial reporting objectives by considering risk factors related to each significant financial statement account and disclosure item. The criteria used for assessing risk are similar to those shown above in Approach: Assessing Risks to Significant Financial Statement Accounts. Management also links each account balance to financial statement assertions.

The resulting risk assessment is illustrated below. (Note: Additional detail underlying the risk assessment would typically be present supporting this analysis. For purposes of this example the summary of the assessment is provided.)

The management of Sure Health Care has developed a rating system to show general measures and trends of relevant risks. It now uses the ratings to determine which processes require more in-depth attention. The relevance of the financial reporting assertions for the related accounts is also considered. Management reviews the identified risks and provides a rating based on the inherent and residual risks to the entity; it updates these ratings periodically.

The information technology managers of Sure Health Care meet with finance personnel every month to discuss process, changes, and projects in each functional area relating to financial reporting. The meetings are used to update team members and discuss issues or changes to the processes. Additionally, management meets with outside legal counsel every quarter to discuss the effects of any external regulatory changes that may impact financial reporting.

The ratings are as follows:

Key finance personnel meet regularly with:

McFayden Inc. is a spirits distillation and distribution company with a dedicated information technology department. Risk assessment is driven by the number and complexity of applications that support the financial reporting process. This approach helps the company establish which information systems management relies on for financial reporting. Prior to implementing new systems, and whenever significant changes to existing systems are planned, McFayden Inc. takes the following steps:

Management analyzes the significance of identified risks based on the likelihood of the risk occurring and the inherent risk of a material omission and misstatement to the entity's external financial reporting objectives. Based on the outcomes of the analysis, management determines how to manage the risks to a tolerable level.

A social service organization with significant amounts of federal funding and operations in several foreign countries prepares an annual risk assessment of its financial reporting processes in each country. Risk factors considered include the following:

The risk assessment is prepared by the CFO, Gerald Timewell, and the COO, Inga Karran, with input from many others within the organization. The resulting assessment, for financial reporting purposes, considers the above risk factors in determining the significance of risks of material omission and misstatement related to the financial reporting assertions. For instance, management increased the assessed risk relating to existence of federal funding revenue from moderate to high after considering that there is:

Based on this risk assessment, Mr. Timewell and Ms. Karran develop preliminary positions on the risk response. These determinations are key inputs into determining required control activities.

A pet food retailer, Best Bits, uses benchmarking techniques to assess losses in physical inventory from theft. The "shrink percentage" calculated is defined as the value of lost physical inventory divided by net sales. The amount of physical loss is determined through a physical inventory count process.

The company is currently examining ways to enhance its risk response decisions to reduce the significance of the risk by altering either likelihood or impact. Given the company's current level of losses (1.6%), accepting the risk would not be acceptable, and management elects to implement control activities that reduce the likelihood of losses and can detect losses sooner.

Best Bits management also notes the level of losses other companies incur due to shrinkage. The figure below shows the shrinkage for several other similar companies within a benchmark group. Best Bits’ losses are noted underneath for comparison.

Using the data provided in this analysis, management believes that a loss rate target of 1.3% is suitable for the company (e.g., top of quartile 2) and additional control activities are developed within the receiving and shipping process (as part of the Control Activities component). Further, management accelerates the frequency of physical inventory counts to quarterly to improve the accuracy of financial reporting.

Management considers external factors that may impact the ability to achieve financial reporting objectives, such as:

Management considers internal factors that may impact the entity's ability to achieve its financial reporting objectives, such as:

Where these factors are noted, management also considers—in conjunction with the Information and Communication principles—whether some form of internal and/or external communications are needed.

As CEO of global technology company World Find, Derek Burtnyk makes time for a quarterly discussion on emerging financial accounting standards with each of the company's regional controllers. These discussions focus on potential and announced changes occurring within each jurisdiction, and whether these would require changes to the company's technology systems.

Based on the insights gathered from those discussions, Mr. Burtnyk provides feedback to the various department leaders of World Find. In turn, the department heads use this information to identify additional information requirements and potential technology changes.

In one instance, World Find determined that the accounting requirements for a new value-added tax in one jurisdiction could impact operations in that jurisdiction as well as two other jurisdictions that interact with it. Based on this assessment, management commenced a project to further refine the assessment of the risks related to the accounting of the new commodity tax, which then served as a basis for how to respond to those specific risks.

Paula Wing is the CEO of a specialty resin company with operations in nine countries. She continually reviews risks to the company by leading monthly staff meetings at which she asks senior managers to comment on any new risks identified, including those related to changes in systems, personnel processes, or activities. Ms. Wong discusses any insights she has on risks facing the company, including those that impact financial reporting. As a team, Ms. Wong and the senior managers develop the needed risk responses.

Management considers a variety of risk responses—avoid, accept, reduce, share—when evaluating whether risks are reduced to an acceptable level. In this process, management may consider unique risks related to financial reporting or a combination of risks. Management may also consider how risk responses impacting the five components of internal control interact to reduce risk to an acceptable level.

Bailey Campbell, the controller for Center Bay Packaging, assesses the risk relating to completeness of revenue. The company has grown over the past five years and now has annual revenues in excess of $50 million. Currently, Center Bay relies on a paper-based bill-of-lading system. Delivery is deemed to have occurred when the bill of lading is signed by the customer as evidence that the goods have been received.

Ms. Campbell has noted instances in the past year where shipping documentation was not provided to the finance department in a timely manner, sometimes as late as two weeks after the shipment was completed. These delays have resulted in misstatement of revenue. Ms. Campbell has determined that the risk related to revenue completeness needs to be further reduced, and so she has decided to implement a bar-code scanner shipping system to track and capture shipments and revenue.