Internal Control Audit and Compliance. Graham Lynford


and assessment. A further suggestion would be for the controls documentation project manager to make a template of accounts and balances based on the recent financial statements. Both the balance sheet and the income statement are relevant, so include them along the left column of a multicolumn spreadsheet. In most financial reports, the detailed accounts listed in the consolidated auditor's report are material in amount, or else they likely would have been summarized in some way. Enumerate them in the spreadsheet. Decide on some meaningful way of expressing the different parts of the business across the top rows: say, by segments/divisions/locations/types of revenues, and so on, that describe your entity. (I will call these “segments” for discussion purposes.) Leave a column between each segment. Now, using data relating to each of the identified segments, break out the aggregate consolidated numbers into the individual segments. In some commercial companies, there exist sales subsidiaries for which a sales activity is the only activity associated with the location; order fulfillment and other activities are accounted for elsewhere. In such entities, do not be surprised if some such segments only have one relevant or significant process or transaction cycle (sales to cash).

      Have the spreadsheet compute each segment's percentage of the consolidated total. What should emerge from this analysis is the ability to identify the central core of your entity. You may wish to give special consideration to the implications of transactions (or transfers of costs and revenues) between segments, if there are any, even though they may be eliminated during the consolidation process.

In Table 2.2, the financial statement data is used to identify those accounts and cycles that are to be included in the scope of the documentation and assessment project.

Table 2.2 Using the Financial Statements to Set the Scope – Summary Categories

      This example shows summary financial data only as an illustration. The New York location is a headquarters and a first-stage manufacturing center; sales transactions are conducted out of the Connecticut facility, which finalizes the product to specifications for shipment. By including the assets and liabilities and expenses at corporate and the revenues at the primary sales location, most of the core business can be covered. The income row is not a very meaningful one from which to make inclusion or exclusion decisions in this example; however, it may be in some situations. Note that in the Barings Bank implosion, the previously significant Singapore-based contributions to consolidated earnings from trading currencies originated from a tiny operation, one that would not be detectable if assets were used to determine scope. The same was true with Orange County, CA, where the profits (before the collapse) from interest rate derivative trades were far more significant than any associated fixed assets or even expenses. Even in the areas that are not identified as the core, a risk assessment, some documentation, and some analysis regarding key controls may need to be developed, since the amounts in the noncore areas are not often trivial.

      Do not be surprised if the largest revenue and the largest cost contributors are not in the same segment or location. The key is to look at the entity as a whole and identify where the revenues and costs are accumulating. In some universities, revenues (e.g., day tuition, graduate tuition, night school tuition, fees, etc.) are meticulously segregated, but the costs of undergraduate, graduate, and distance learning faculty may be all accounted for in the aggregate and not separated. In a municipality, the budget may also be an excellent tool for risk assessment and scoping.

      You may have to slice and dice your entity several different ways (e.g., product line, location, revenue type such as cash sales and Internet sales) in order to find a logical entity profile or use these different perspectives in ensuring all important areas are scoped into the assessment. However, this actually results in an excellent documentation of your thought process as to what portion of your entity is considered your core and why it is or is not included in the scope of your documentation project. Public companies should clearly document the rationale associated with decisions, particularly ones that limit or scope out certain areas from the assessment.

      Plan to update this analysis annually going forward to have it respond to changes in the business. Along the way you may even need to reconsider the bases used to assess the entity. If location was a logical base to use for the assessment initially, product line may be a more logical and cost-effective base to use in future years. Don't get stuck in a rut. COSO has included in the risk assessment component a new principle that management should be updating the risk assessments for changes in the business environment (Principle 9).

      Consider Risks, Not Just Quantitative Measures

      I mentioned risk several times in conjunction with what to include in and what to exclude from your documentation project. As you can see by now, I am skittish about excluding accounts and processes because they are judged to be low risk, since if you exclude an item from the scope of your procedures, you may not identify until it is way too late that the item, account, or process is in fact not low risk. There are lots of examples of low-risk areas becoming major problems. Fraud has a tendency to migrate to the weakest links in the chain of controls. As Walter Matthau noted in the movie The Fortune Cookie, “Every time you build a better mousetrap, the mice get smarter.”

      No businessperson or auditor in their right mind starts out deliberately taking chances that a risky area will allow a material misstatement to occur that will cause the financial statements to be misstated. As skilled and as experienced as many managers and auditors are, the auditors of public entities, and the businesses they audit, have many painful reminders of the consequences of making bad judgments regarding risks. The reminders are in terms of income loss and reputation effects, and they stretch back over decades.

      Nevertheless, risk judgments are made, and in order for audits and entity projects to be economical, they will continue to be. But very few financial statement elements are inherently and by their nature always low risk in all circumstances. Generalizing from experiences with other businesses or from other audit engagements gives a distorted view of risk, because the only risk that counts is the one specific to the entity and engagement right here and now. The probable low assessment of risk in the cash account did nothing to protect the shareholders and auditors of Parmalat, an Italian dairy company, from financial ruin when it was discovered that the auditors were served a bogus confirmation of a Bank of America account of over $3 billion. This led to the discovery that a significant portion ($13 billion) of the reported entity was bogus, and had been growing for years.

      Go ahead, name some low-risk areas. Auditors generally pick fixed assets as a low inherent risk area for many businesses. Well, that was not the way it worked out at WorldCom, where major reclassifications of expenses were charged to fixed assets and doing so inflated reported income. In the previous decade the capitalization of garbage (literally) led to litigation and fines for the management and auditors of Waste Management. The poster child for audit skepticism and fixed assets risk was ZZZBest, a Wall Street darling start-up with interests in building restoration projects and all kinds of growth potential. In reality, the company was building files of fraudulent documents and misleading its auditors into thinking that it had interests in various buildings and fixed assets, when it did not.

      Barings Bank and Orange County, CA, were stung some years ago when financial instruments and currency trading that had been profitable in the past went sour. What had been profitable ventures for the entities wound up creating huge losses and financial exposures that generated financial disaster, well beyond just the loss of income from these operations. Care needs to be taken to understand what risks various types of transactions and activities can expose the entity to; do not just look at revenue, asset, or income measures in a “normal” year. Different thinking is required when derivative financial instruments are assessed.

      It is hard to think of an inherently safe area in the financial statements and processes that does not deserve some level of consideration or scrutiny every once in a while. Consequently, it is
