Financial statements for external purposes are prepared in accordance with applicable accounting standards, rules, and regulations. ^{fn 2} These financial statements may include annual and interim financial statements, condensed financial statements, and selected financial information derived from such statements. These statements may, for instance, be publicly filed with a regulator or distributed through annual meetings, an entity's website, or other electronic media.

Another form of financial statements prepared for external purposes may be financial reports prepared in accordance with a special purpose framework, such as those established by taxing authorities or regulatory agencies, or those required through contracts and agreements. These financial reports are typically distributed to specified external users (e.g., reporting to a bank on financial covenants established in a loan agreement, reporting to a taxing authority in connection with filing tax returns, reporting on financial information to an energy regulatory commission).

Other external financial reporting derived from an entity's financial and accounting books and records rather than from its financial statements for external purposes may include earnings releases, selected financial information posted to an entity's website, and selected amounts reported in regulatory filings. External financial reporting objectives relating to such other financial information may not be driven directly by regulators and standard setters, but typically stakeholders expect them to align with such standards and regulations.

In specifying the suitability of external reporting objectives relating to the preparation of financial statements for external purposes, management considers the accounting standards that apply to that entity and its subunits. Management then assesses and affirms the accounting principles that are appropriate in the circumstances. For example, management may set an entity-level external financial reporting objective as follows: "Our company prepares reliable financial statements reflecting transactions and events in accordance with generally accepted accounting principles." ^{fn 4}

Management specifies suitable sub-objectives for the entity's divisions, subsidiaries, operating units, and functions with sufficient clarity to support entity-level objectives.

For example, a US company applies accounting principles generally accepted in the United States of America (US GAAP) to all subunits in preparing its consolidated financial statements; its subsidiaries also apply International Financial Reporting Standards (IFRS) to submit their subsidiary financial statements in various statutory filings in local jurisdictions.

Further, management assesses and affirms the suitability of the accounting principles to apply to transactions and events of the entity. For example, management specifies that FASB Accounting Standard Codification Topic 605 Revenue Recognition and SAB 101A Revenue Recognition in Financial Statements (US GAAP) or IAS 18 Revenue Recognition (IFRS) applies to all sales transactions as applicable to achieve the entity or subunits’ respective external financial reporting objective.

In specifying and using applicable accounting principles, management exercises judgment, particularly relating to subjective measurements and complex transactions. For instance, management judgment is essential for making assumptions and using data in developing accounting estimates, in applying accounting principles to complex transactions and events, and in preparing reliable and transparent presentations and disclosures. In addition, management regularly updates the specified accounting principles for any changes in objectives established through law, rules, regulations and standards.

Financial statement materiality sets the threshold for determining whether a financial amount is relevant. Entities must consider suitable laws, rules, regulations, and standards promulgated by regulators and standard setters. ^{fn 5}

External financial reporting must reflect the entity's transactions and events. When preparing financial statements, management implicitly or explicitly considers suitable sub-objectives categorized into a set of assertions (e.g., existence and completeness of transactions) underlying the financial statements. Accounting standard setters may set forth these assertions as well as relevant qualitative characteristics for external financial reporting.

Management makes assertions regarding the recognition, measurement, presentation, and disclosure of accounts, transactions, and events included in the entity's financial statements. For example, one grouping of assertions ^{fn 6} relating to financial statements is summarized as follows:

For example, management specifies sub-objectives for sales transactions that address relevant financial statement assertions such as:

Management specifies suitable objectives and sub-objectives with sufficient clarity to be able to identify and analyze risks to the achievement of those objectives. Financial statements for external purposes are not considered reliable or fairly presented if material omissions or misstatements exist in one or more of the amounts or disclosures. In preparing financial statements, management should identify those risks that could, individually or in combination, result in a material omission within or misstatement of the financial statements.

Management's assessment of such risks involves a dynamic and iterative process. The initial assessment undertaken by management likely requires a comprehensive effort to identify and analyze the risk of not preventing or detecting, in a timely manner, a material omission within or misstatement of the entity's financial statements. The nature and frequency of performing ongoing and periodic risk assessments vary among entities, based on individual facts and circumstances.

Even though every entity requires a process to identify and assess the external and internal factors that contribute to the risk of achieving its objectives, specific changes and rates of changes in these factors (including those that could significantly impact internal control over external financial reporting) vary from entity to entity. For example, different entities and subunits may:

Additionally, the size and complexity of the entity play a part in determining the nature and frequency of the risk assessment process. Large, complex organizations may require dedicated cross-functional and cross-territorial management and other personnel with necessary expertise to perform comprehensive risk assessments. Management of smaller entities may be able to perform its risk assessment through direct supervision and day-to-day involvement in operations.

Fraudulent reporting can occur when an entity's reports are wilfully prepared with material omissions of misstatements. This may occur by the use of unauthorized receipts or expenditures, financial misconduct, or other disclosure irregularities. A system of internal control over external financial reporting is designed and implemented to prevent or detect, in a timely manner, any material omissions within or misstatements of the financial statements due to error or fraud.

When assessing risks to the achievement of external financial reporting objectives, organizations typically consider the potential for fraud in the following areas:

As part of the risk assessment process, the organization identifies the various ways that fraudulent financial reporting can occur, considering:

Also, as part of the risk assessment process, the organization identifies risks pertaining to the completeness and accuracy of recording any material misappropriation of assets. Misstatements may arise from failing to record the material loss of assets or manipulating the financial statements to conceal such a loss.

"Management override" refers to actions taken by management in an attempt to override the entity's controls for an illegitimate purpose such as personal gain or to enhance the presentation or disclosure of the entity's financial condition or results of operation. As part of its assessment of fraud risk, management considers the risk of management override of internal control. The board of directors or subset of the board (e.g., audit committee) oversees this assessment and challenges management when warranted. The entity's control environment can significantly influence the risk of management override. The risk of management override is especially relevant for smaller entities where senior management is typically selecting, developing, and deploying controls to effect principles.

Management override should not be confused with management intervention, which represents action that departs from controls designed for legitimate purposes. At times, management intervention is necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately. Providing for management intervention is necessary because controls cannot be designed to anticipate and mitigate every risk. Management's actions to intervene are generally overt and subject to policies and procedures or otherwise disclosed to appropriate personnel.

Illegal acts are violations of laws or governmental regulations that could have a material direct or indirect impact on the external financial report. Management considers various indicators to help identify risks relating to potential illegal acts, such as:

Management also considers possible corruption occurring within the entity. Corruption is generally relevant to the compliance category of objectives but could influence the control environment that affects achievement of the entity's external financial reporting objectives. This includes considering the incentives and pressures across the organization to achieve the entity's external financial reporting objectives while demonstrating adherence to the expected standards of conduct and the effect of the control environment, specifically actions linked to Principle 4 (Demonstrates Commitment to Competence) and Principle 5 (Enforces Accountability). Aspects of corruption typically relate to illegal acts that are considered in government statutes relevant to external financial reporting.

In assessing possible corruption, the entity is not expected to directly manage the actions of personnel within external parties, including those relating to outsourced service providers and other parties interacting with the entity. However, depending on the level of risk assessed, management may stipulate the expected level of performance and standards of conduct through contractual relations, and develop controls that maintain oversight of third-party actions. Where necessary, management responds to detected unusual actions of others.