Risk assessments are performed by external auditors to develop plans to meet the audit’s objectives. However, risk assessments can also be performed internally and used as a valuable management tool to determine whether internal control structures are functioning as originally designed or whether changes are necessary. Given an ever-changing regulatory environment and inevitable organizational changes, internal risk assessments should be completed periodically to identify outdated processes, changes in employee duties or changes in accounting systems, among other things.
Internal risk assessments may include narrative memos, matrices and flowcharts to detail the processes and internal control structures of each accounting and/or compliance-related area. A combination of Word and Excel documents can be used to document the relevant risk areas, processes, internal controls, testing and conclusions of the risk assessments. The following steps are not an all-inclusive list for completing a risk assessment, but they provide a brief description of the typical risk assessment procedures that an organization may perform.
- The first step is for management to identify the key financial accounts and the operational functions of the entity that will be the focus of the risk assessments. Common areas to review for most entities include cash collections and revenues, customer billing and accounts receivable, capital assets, purchasing and procurement, payroll and compliance with grant requirements.
- The second step is to document the current process for each account or function from beginning to end. At a minimum, the documentation should include a written procedural memo of each significant step of the process that is currently in place, including the employees involved and the sequence of the procedures performed. Additional documentation to consider in this step includes flowcharts that visually demonstrate the flow of information within the procedures.
- The final step is to identify the relevant internal controls in the current processes and determine what could go wrong or how those controls could be circumvented. If adequate internal controls are in place to detect and/or prevent the situations identified, then no further action may be necessary. However, if weaknesses are identified, they should be analyzed to determine the changes required to the internal controls within the processes. Once changes have been made, or even if no changes were necessary, testing the internal controls of each of the processes through various samples of historical data will help to ensure they are in place and operating effectively.
This can be time-consuming, but Henry+Horne is available as a resource to help you navigate your way through the process.
Aaron Funk, CPA