Managing Risk In Nonprofit Organizations

Managing Risk In Nonprofit Organizations. Charles F. Tate, CPA, Managing Partner, Tate & Tryon, CPAs and Consultants, Washington, DC. January 13, 2012.

Upload: tate-tryon-cpas

Post on 22-Nov-2014


DESCRIPTION

Presentation from Tate & Tryon CPA

TRANSCRIPT

  • 1. Managing Risk In Nonprofit Organizations
    Charles F. Tate, CPA, Managing Partner
    Tate & Tryon, CPAs and Consultants, Washington, DC
    January 13, 2012
  • 2. What We'll Discuss Today
    1. Overview of COSO and Publications
    2. COSO's ERM
    3. COSO's Internal Control
    4. Relationship of COSO to Auditing Standards
  • 3. 1. Overview of COSO and Publications
  • 4. COSO is the Acronym For:
    A. Class of Service Overrides
    B. Combat Oriented Supply Operations
    C. Committee of Sponsoring Organizations
    Answer C: Committee Of Sponsoring Organizations of the Treadway Commission
  • 5. What is the Treadway Commission?
    A. Governmental Commission
    B. Presidential Commission
    C. Congressional Commission
    D. All of the Above
    E. None of the Above
    Answer E: The Treadway Commission is a Joint Private Sector Initiative
  • 6. Which Organization is not Part of the Private Sector Initiative (i.e., a Sponsoring Organization)?
    A. American Accounting Association (AAA)
    B. American Institute of CPAs (AICPA)
    C. Association of Financial Professionals (AFP)
    D. Financial Executives International (FEI)
    E. Institute of Internal Auditors (IIA)
    F. Institute of Management Accountants (IMA)
    Answer C: AFP is not part of the 5 member Sponsoring Committee
  • 7. COSO Publications
  • 8. COSO Publications
  • 9. Which Prominent Accounting Firm Authored a COSO Publication?
    A. Price Waterhouse Coopers (PWC)
    B. Grant Thornton (GT)
    C. Tate & Tryon (T&T)
    D. Coopers & Lybrand (C&L)
    E. Both A. and D.
    F. Both A., B. and D.
    Answer F: PWC, GT, and C&L all authored a COSO Publication
  • 10. COSO's Definitions and Objectives
    A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
    ERM:
      1. Strategy setting
      2. Identify & manage potential events
      3. Manage risks to be within its risk appetite
    Internal Control:
      1. Effectiveness and efficiency of operations
      2. Reliability of financial reporting
      3. Compliance with laws and regulations
  • 11. Which Individual Did Not Influence SOX Legislation?
    A.  B.  C.  D.
    Answer D: Michael M. Tryon Had No Influence on SOX
  • 12. 2. COSO's ERM
  • 13. COSO Enterprise Risk Management Integrated Framework: Components unique to ERM
  • 14. COSO Internal Control Integrated Framework
  • 15. Comparison of COSO IC and ERM
  • 16. Relationship of COSO Objectives
    Internal Control (1992): Operations; Financial Reporting; Compliance
    Enterprise Risk Management (2004): Strategic; Operations; Financial Reporting; Compliance
    Internal Control Over Financial Reporting (2006): Financial Reporting
  • 17. ERM Expands on Internal Control, Adding Three Components
    - Control Environment
    - Objective Setting (ERM)
    - Event Identification (ERM)
    - Risk Assessment
    - Risk Response (ERM)
    - Control Activities
    - Information & Communication
    - Monitoring
  • 18. ERM Expands on Internal Control: Objective Setting
    - Strategic Objectives: high level
    - Related Objectives: operations, reporting, & compliance
    - Achievement of Objectives: reasonable assurance
    - Risk Appetite: guidepost in strategy setting
    - Risk Tolerances: acceptable levels of variation
  • 19. Forming Risk Appetite (Exhibit 3.5 ERM Guidance)
  • 20. ERM Expands on Internal Control: Event Identification
    - Events can have a positive impact, a negative impact, or both
    - Events are interdependent, not isolated
    - Events are driven by external and internal factors
  • 21. Implementation: Event Identification Factors
    External: Economic; Natural Environment; Political; Social; Technological
    Internal: Infrastructure; Personnel; Process; Technology
  • 22. COSO Components & Principles: ERM Risk Response
    - Avoidance, reduction, sharing, acceptance
    - Evaluation of risk likelihood and impact
    - Assessing costs versus benefits
    - Opportunities in response to options
    - Portfolio view
  • 23. Implementation: Risk Response
    Avoidance: Disposing of a program; Deciding not to engage in new initiatives/activities
    Sharing: Buy insurance; Joint venture/outsource; Hedging risks
    Reduction: Diversifying/rebalance; Limits/processes
    Acceptance: Self insure; Accept risk that conforms to risk tolerance
  • 24. Simplified Process For ERM
    Strategy & Objectives -> Event Identification & Likelihood -> Risk Response & Quantification -> Financial Model
  • 25. Financial Impact of Key Scenarios (in millions)
    Major Activity | Annual Amount | Potential Scenario | Probability (H-M-L) | Increase (Decrease)
    Donations | 1,000 | Terrorist or political uprising | H | 100
      |   | Donation mismanagement | L | -20
    Biomedical Services | 2,400 | Virus | M | -400
      |   | War, natural disaster | H | -600
    Fundraising Events | 50 | Weather | L | -0-
      |   | Pandemic | L |
    Government Grants | 60 | Economic downturn | H | -40
      |   | Contract mismanagement | M | -0-
    Investments & other | 90 | Financial meltdown | M | -30
      |   | Fraud (Madoff or Stanford) | M | -10
    Total | 3,600 |   |   | -1,000
  • 26. 3. COSO's Internal Control
  • 27. COSO Components: Internal Control
    - Control Environment
    - Risk Assessment
    - Control Activities
    - Information & Communication
    - Monitoring
  • 28. COSO Internal Control Components & Principles: Control Environment Principles
    - Management Philosophy
    - Board of Directors
    - Integrity and Ethical Values
    - Commitment to Competence
    - Organizational Structure
    - Assignment of Authority and Responsibility
    - Human Resource Standards
    - Risk Appetite
  • 29. Control Environment/Internal Environment is the Foundation of the 5 Components
  • 30. COSO Internal Control Components & Principles: Risk Assessment Principles
    - Specify objectives
    - Risk identification & analysis
    - Inherent and residual risk
  • 31. Risk Assessment Matrix
    Balance Sheet Account | As % of Total | Characteristics of Business Process | Entity-wide Factors | Impact on F/S | Fraud | Account | Overall Risk Rating
    ASSETS
    Cash & cash equivalents | 5% | L | M | L | H | L | L
    Pledges receivable | 15% | M | H | H | M | M | H
    Investments | 40% | H | H | H | L | L | H
    Property & equipment | 35% | H | M | M | H | M | M
    Prepaid & other assets | 5% | L | L | L | L | L | L
    Total Assets | 100%
    LIABILITIES
    Accounts Payable | 5% | L | M | M | H | M | M
    Deferred Revenue | 20% | H | H | H | L | H | H
    Mortgage (IRB) | 25% | H | H | L | L | M | M
    Pension & post retirement | 10% | M | H | H | L | H | H
    Total Liabilities | 60%
    Net Assets | 30% | H | M | L | L | L | L
    Total Liabilities and Net Assets | 100%
  • 32. Implementation: Risk Assessment, Significant Assertions
    Assertions (columns): Existence; Completeness; Valuation or Allocation; Rights & Obligations; Presentation & Disclosure
    Balance Sheet Accounts (rows): Cash & cash equivalents; Pledges receivable; Investments; Property & equipment; Prepaid & other assets; Accounts Payable; Deferred Revenue; Mortgage (IRB); Pension & post retirement; Net assets
  • 33. COSO Internal Control Components & Principles: Control Activities Principles
    - Integration with risk assessment
    - Selection and development of control activities
    - Controls over information systems/technology
    - Policies and procedures are communicated
  • 34. COSO Internal Control Components & Principles: Information & Communication Principles
    - Quality of information
    - Internal & external communication
    - Means of communication
    - Strategic and integrated systems
  • 35. COSO Internal Control Components & Principles: Monitoring Principles
    - Ongoing monitoring activities
    - Reporting deficiencies
  • 36. 4. Relationship of COSO to Auditing Standards
  • 37. Auditing Standards: Risk Assessment
    Identifying risks through considering:
    - The entity and its environment, including its internal control
    - Classes of transactions, account balances, and disclosures
    - Relating the identified risks to what could go wrong at the relevant assertion level
  • 38. Intersection of COSO and the Auditor's Responsibilities
    COSO (2004) Enterprise Risk Management: Broader Objectives; More than Internal Control
    COSO (1992) Internal Control Integrated Framework: Operations; Financial Reporting; Compliance with Laws/Regulations
    COSO (2006) Internal Control over Financial Reporting: Financial Reporting
    SAS 109: Understand Five Components; Understanding of the Entity & Environment; Focus on Controls Relevant to Financial Reporting
  • 39. Summary of Risk Assessment Standards
    No. | Concept
    104 | Expands the definition of reasonable assurance as a high level of assurance
    105 | Internal control is replaced by the entity and its environment, including its internal control
    106 | Use of management's assertions in obtaining audit evidence: recognition, measurement, presentation and disclosure
    107 | Reduce audit risk to a low level that is, in the auditor's professional judgment, appropriate for expressing an opinion on the financial statements
    108 | Adequately plan the work and must properly supervise any assistants
    109 | Sufficient understanding of the entity and its environment, including its IC, to assess the risk of material misstatement
    110 | Sufficient appropriate audit evidence to afford a reasonable basis for an opinion
    111 | Enhanced guidance on tolerable misstatement
  • 40. Auditor's Assessment of Material Misstatement (SAS 106)
    Classes of Transactions: Occurrence; Completeness; Accuracy; Cutoff; Classification
    Account Balances: Existence; Rights and obligations; Completeness; Valuation and allocation
    Presentation and Disclosures: Occurrence/Rights and obligations; Completeness; Classification and understandability; Accuracy and valuation
  • 41. GAAS & COSO Use of Financial Statement Assertions to Assess Risk
    GAAS Risk Assessment Standards (SAS 106): Existence; Occurrence; Completeness; Rights and Obligations; Valuation and Allocation; Accuracy; Cutoff; Classification; Understandability
    COSO Internal Control Over Financial Reporting /1: Existence or Occurrence; Completeness; Rights and Obligations; Valuation or Allocation; Presentation and Disclosure
    /1 Source: SAS 31, Evidential Matter, prior to amendment by SAS 106
  • 42. Audit Risk Assessment and COSO
    Financial Statements: Investments & Income; Receivables & Revenue; Real Estate & Debt; Payables & Expenses; Deferred Revenue; Net Assets & Restrictions
    Assertions: Existence; Completeness; Valuation; Rights & Obligations; Presentation & Disclosure
    Risks: Processes; Competency; IT Infrastructure; Fraud Risk; Entity-Wide Factors
    Control Objectives: Statements Reflect Transactions; Appropriate Classification; Reflect Materiality; Appropriate Accounting; Informative
    Controls: Entity-Wide Controls; Process-Level Controls; Preventive or Detective; Manual or Automated
    Adapted from an article by Michael Ramos, CPA, entitled "Risk-Based Audit Practices", Journal of Accountancy, Dec. 2009