presented by pam lebold, cpa director, not-for-profit services

Presented by Pam Lebold, CPADirector, Not-for-Profit Services

Implemented in 2007 Auditors can longer default to max control

risk◦ Must gain an understanding of relevant controls◦ Which controls are important? Those that

mitigate risks that may affect the financial statements

Many “canned” programs to assist auditors in this endeavor

“Obtain a sufficient knowledge of the entity’s risk assessment process to understand how management identifies business risks that may affect the financial statements…and determine how to address those risks”

Auditor should determine whether:◦ Management has established practices for the

identification of risks affecting the entity.◦ Management considers the entire organization as

well as its extended relationships in its risk assessment process.

◦ Management evaluates and mitigates risk appropriately.

One more item on your “to-do” list

Benefits – do they outweigh the costs?

What are your organizational risks? Things to consider:

◦ Financial risk◦ Compliance/legal risk◦ Operational risk◦ Reputational risk

Where to start?

START WITH YOU!!(who else??)

Many different approaches One possible approach:

◦ Consider the “owner” of this process◦ Determine who else should be involved◦ Consider who can be involved on an “as needed”

basis◦ Definitely consider involvement of general

counsel

Have each department head identify “what could go wrong”

OR

“What keeps you up at night?”

Summarize information on a template:◦ Issue(s)◦ Date presented◦ Dept/Responsible person◦ Impact/Severity (high/mod/low)◦ Probability of Occurrence (high/mod/low)◦ Mitigation measures implemented (should explain

the rating above)◦ Overall current risk rating

By creating this template you can see which items are higher risk than others

Other things to consider:◦ Perceptions (what’s high risk to some may not be

high risk to the entire organization)◦ Cost benefit (could consider adding cost of

impact)

Once you have templates from the appropriate departments, then what do you do?◦ Depends on who was the “owner” in the first

place◦ Decision needs to be made to rank the items by

importance, then assign “homework”

Templates are useful to keep track of “wins”

If you are the owner, suggest a few early “wins”

Templates are also useful to keep track of who didn’t perform necessary tasks

Hot spots:◦ Grants management◦ IT◦ Construction◦ Student affairs/services◦ And of course, don’t forget finance!