
Managing Risk In Nonprofit Organizations

Charles F. Tate, CPA Managing Partner Tate & Tryon, CPAs and Consultants Washington, DC January 13, 2012

What We'll Discuss Today

1. Overview of COSO and Publications
2. COSO's ERM
3. COSO's Internal Control
4. Relationship of COSO to Auditing Standards

1. Overview of COSO and Publications

COSO is the Acronym For:

A. Class of Service Overrides
B. Combat Oriented Supply Operations
C. Committee of Sponsoring Organizations

Answer C: Committee of Sponsoring Organizations of the Treadway Commission

What is the Treadway Commission?

A. Governmental Commission
B. Presidential Commission
C. Congressional Commission
D. All of the Above
E. None of the Above

Answer E: The Treadway Commission is a joint private sector initiative

Which Organization is not Part of the Private Sector Initiative (i.e., a Sponsoring Organization)?

A. American Accounting Association (AAA)
B. American Institute of CPAs (AICPA)
C. Association of Financial Professionals (AFP)
D. Financial Executives International (FEI)
E. Institute of Internal Auditors (IIA)
F. Institute of Management Accountants (IMA)

Answer C: AFP is not part of the 5-member Sponsoring Committee

COSO Publications

Which Prominent Accounting Firm Authored a COSO Publication?

A. Price Waterhouse Coopers (PWC)
B. Grant Thornton (GT)
C. Tate & Tryon (T&T)
D. Coopers & Lybrand (C&L)
E. Both A. and D.
F. A., B. and D.

Answer F: PWC, GT, and C&L all authored a COSO publication

COSO's Definitions and Objectives

A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

ERM
1. Strategy setting
2. Identify & manage potential events
3. Manage risks to be within its risk appetite

Internal Control

1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with laws and regulations

Which Individual Did Not Influence SOX Legislation?


A. B. C. D.

Answer D: Michael M. Tryon had no influence on SOX

2. COSO's ERM

COSO Enterprise Risk Management Integrated Framework

Components unique to ERM

COSO Internal Control Integrated Framework

Comparison of COSO IC and ERM

Relationship of COSO Objectives

Enterprise Risk Management (2004) objectives:
- Strategic
- Operations
- Compliance
- Financial Reporting

Internal Control (1992) objectives:
- Operations
- Compliance
- Financial Reporting

Internal Control Over Financial Reporting (2006) objective:
- Financial Reporting

ERM Expands on Internal Control, Adding Three Components

Internal Control components:
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring

Components added by ERM:
- Objective Setting
- Event Identification
- Risk Response

ERM Expands on Internal Control

Objective Setting
- Strategic Objectives: high level
- Related Objectives: operations, reporting, & compliance
- Achievement of Objectives: reasonable assurance
- Risk Appetite: guidepost in strategy setting
- Risk Tolerances: acceptable levels of variation

Forming Risk Appetite (Exhibit 3.5 ERM Guidance)

ERM Expands on Internal Control

Event Identification
- Events can have a positive impact, a negative impact, or both
- Events are interdependent, not isolated
- Events are driven by external and internal factors

Implementation: Event Identification, External and Internal Factors

External
- Economic
- Natural Environment
- Political
- Social
- Technological

Internal
- Infrastructure
- Personnel
- Process
- Technology

COSO Components & Principles: ERM

Risk Response
- Avoidance, reduction, sharing, acceptance
- Evaluation of risk likelihood and impact
- Assessing costs versus benefits
- Opportunities in response to options
- Portfolio view

Implementation: Risk Response

Avoidance
- Disposing of a program
- Deciding not to engage in new initiatives/activities

Sharing
- Buy insurance
- Joint venture/outsource
- Hedging risks

Reduction
- Diversifying/rebalance
- Limits/processes

Acceptance
- Self insure
- Accept risk that conforms to risk tolerance

Simplified Process For ERM

1. Strategy & Objectives
2. Event Identification & Likelihood
3. Risk Response & Quantification
4. Financial Model

Financial Impact of Key Scenarios

Major Activity                    Annual Amount (in millions)
Donations                         1,000
Biomedical Services               2,400
Fundraising Events                   50
Government Grants                    60
Investments & other                  90
Total                             3,600

Potential Scenario                Increase (Decrease)    Probability (H-M-L)
Terrorist or political uprising          100                 H
Donation mismanagement                   -20                 L
Virus                                   -400                 M
War, natural disaster                   -600                 H
Weather                                  -0-                 L
Pandemic                                 -40                 L
Economic downturn                        -0-                 H
Contract mismanagement                   -30                 M
Financial meltdown                       -10                 M
Fraud (Madoff or Stanford)            -1,000                 M

3. COSO's Internal Control

COSO Components: Internal Control

Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring

COSO Internal Control Components & Principles

Environment Principles
- Management Philosophy
- Board of Directors
- Integrity and Ethical Values
- Commitment to Competence
- Organizational Structure
- Assignment of Authority and Responsibility
- Human Resource Standards
- Risk Appetite

Control Environment/Internal Environment is the Foundation of the 5 Components

COSO Internal Control Components & Principles

Risk Assessment Principles
- Specify objectives
- Risk identification & analysis
- Inherent and residual risk

Risk Assessment Matrix

Rating factors (H-M-L): Impact on F/S, Account Characteristics, Business Process, Fraud Risk, Entity-wide Factors, Overall Rating

Balance Sheet Account             % of Total   Impact on F/S   Account Char.   Business Process   Fraud Risk   Entity-wide   Overall Rating
ASSETS
Cash & cash equivalents               5%            L               M                L                H            L              L
Pledges receivable                   15%            M               H                H                M            M              H
Investments                          40%            H               H                H                L            L              H
Property & equipment                 35%            H               M                M                H            M              M
Prepaid & other assets                5%            L               L                L                L            L              L
Total Assets                        100%
LIABILITIES
Accounts Payable                      5%            L               M                M                H            M              M
Deferred Revenue                     20%            H               H                H                L            H              H
Mortgage (IRB)                       25%            H               H                L                L            M              M
Pension & post retirement            10%            M               H                H                L            H              H
Total Liabilities                    60%
Net Assets                           30%            H               M                L                L            L              L
Total Liabilities and Net Assets    100%

Implementation: Risk Assessment, Significant Assertions

Balance Sheet Accounts
- Cash & cash equivalents
- Pledges receivable
- Investments
- Property & equipment
- Prepaid & other assets
- Accounts Payable
- Deferred Revenue
- Mortgage (IRB)
- Pension & post retirement
- Net assets

Significant Assertions (mapped to each account on the slide)
- Existence
- Completeness
- Valuation or Allocation
- Rights & Obligations
- Presentation & Disclosure

COSO Internal Control Components & Principles

Control Activities Principles
- Integration with risk assessment
- Selection and development of control activities
- Controls over information systems/technology
- Policies and procedures are communicated

COSO Internal Control Components & Principles

Information & Communication Principles
- Quality of information
- Internal & external communication
- Means of communication
- Strategic and integrated systems

COSO Internal Control Components & Principles

Monitoring Principles
- Ongoing monitoring activities
- Reporting deficiencies

4. Relationship of COSO to Auditing Standards

Auditing Standards: Risk Assessment

Identifying risks through considering:
- The entity and its environment, including its internal control
- Classes of transactions, account balances, and disclosures

Relating the identified risks to what could go wrong at the relevant assertion level

Intersection of COSO and the Auditor's Responsibilities

COSO (2004) Enterprise Risk Management: broader objectives, more than internal control
COSO (1992) Internal Control Integrated Framework: operations, financial reporting, compliance with laws/regulations
COSO (2006) Internal Control over Financial Reporting: financial reporting
SAS 109 Understanding of the Entity & Environment: understand the five components, focus on controls relevant to financial reporting

Summary of Risk Assessment Standards

No.   Concept
104   Expands the definition of reasonable assurance as a high level of assurance
105   Internal control is replaced by the entity and its environment, including its internal control
106   Use of management's assertions in obtaining audit evidence: recognition, measurement, presentation and disclosure
107   Reduce audit risk to a low level that is, in the auditor's professional judgment, appropriate for expressing an opinion on the financial statements
108   Adequately plan the work and must properly supervise any assistants
109   Sufficient understanding of the entity and its environment, including its IC, to assess the risk of material misstatement
110   Sufficient appropriate audit evidence to afford a reasonable basis for an opinion
111   Enhanced guidance on tolerable misstatement

Auditor's Assessment of Material Misstatement: SAS 106

Classes of Transactions
- Occurrence
- Completeness
- Accuracy
- Cutoff
- Classification

Account Balances
- Existence
- Rights and obligations
- Completeness
- Valuation and allocation

Presentation and Disclosures
- Occurrence/Rights and obligations
- Completeness
- Classification and understandability
- Accuracy and valuation

GAAS & COSO: Use of Financial Statement Assertions to Assess Risk

GAAS Risk Assessment Standards, SAS 106
- Existence
- Occurrence
- Completeness
- Rights and Obligations
- Valuation and Allocation
- Accuracy
- Cutoff
- Classification
- Understandability

COSO Internal Control Over Financial Reporting /1
- Existence or Occurrence
- Completeness
- Rights and Obligations
- Valuation or Allocation
- Presentation and Disclosure

/1 Source: SAS 31, Evidential Matter, prior to amendment by SAS 106

Audit Risk Assessment and COSO

Financial Statements
- Investments & Income
- Receivables & Revenue
- Real Estate & Debt
- Payables & Expenses
- Deferred Revenue
- Net Assets & Restrictions

Assertions
- Completeness
- Existence
- Valuation
- Rights & Obligations
- Presentation & Disclosure

Risks
- Processes
- Competency
- IT Infrastructure
- Fraud Risk
- Entity-Wide Factors

Control Objectives
- Appropriate Accounting
- Statements Informative
- Classification Appropriate
- Reflect Transactions
- Reflect Materiality

Entity-Wide Controls and Process-Level Controls
- Preventive or Detective
- Manual or Automated

Adapted from an article by Michael Ramos, CPA, entitled "Risk-Based Audit Practices", Journal of Accountancy, Dec. 2009
