Formal risk assessment procedures allow your organization to anticipate and mitigate risks, rather than respond reactively. If your organization does not yet have risk assessment procedures in place, it’s important to start the planning process as soon as possible.
To help you make the transition from a reactive to a proactive response, we’ve outlined several risk assessment best practices that our team has identified over the years of performing financial statement audits for various organizations.
- Mechanisms should be in place to identify risks potentially affecting the achievement of the entity’s objectives, such as:
- Changes in operating, economic and regulatory environments
- Participating in new programs or activities
- Communication at various levels of management
- Application processes
- Information technology infrastructures and processes
- Periodic reviews should be performed to, among other things, anticipate and identify routine events or activities that may affect the entity’s ability to achieve its objectives.
- Risks potentially affecting the achievement of financial reporting objectives should be identified, including determining which balances, transactions or disclosures are susceptible to those risks.
- Management should identify risks related to laws or regulations that may affect financial reporting.
- Risks related to the ability of an employee to initiate and process unauthorized transactions should be appropriately identified.
- The entity’s assessment of fraud risk should consider incentives and pressures, attitudes and rationalizations, and opportunities to commit fraud.
- The entity should assess the potential for fraud and high-risk areas, including revenue recognition, management override, accounting estimates, and nonstandard journal entries.
- Management should identify all significant relationships, such as service providers, suppliers, donors, volunteers, creditors, etc.
- The accounting department should have a process in place to identify and address changes in Generally Accepted Accounting Principles (GAAP).
- Ongoing monitoring should be built into operations throughout the entity and include explicit identification of what constitutes a deviation from expected control design or performance, thereby signaling a need to investigate both potential control problems and changes in risk profiles.
Once you have risk assessment procedures in place, it’s best that they be announced by the Board of Directors to the rest of your organization so that all parties know how to mitigate future risk.