Jim Tholey

Gambling With or Managing Risks ?

2

A. Business Environment1. Management Team2. Risk Management/Evaluation3. 4.

B. Financial & Operating Env.5. Susceptible to misappropriat., fraud, loss6. Compl./Adequacy of Internal Mgmt Rpt7. 8. 9. 101112

C. Info Tech Financial Automation

D. Governance, Intrnl Cntrl & Compl13. Corporate Governance14. Internal Control Environment15. 16. 17.

Risk Factors

TOTAL – RISK QUANTIFICATION

Impact

100

Fin/AcctWgt HR

Dept2

Legal Compl ITPurchas-

ingAdmin Mrktg

Dept B

Dept C

PR Div 1 Sub A

218 163 249 157 166 277 191 145 246 153 174 142 218 186

Fin/AcctWgt HR Reg’s Legal Compl IT

Purchas-ing

Admin MrktgDept

BDept

CPR Div 1 Sub A

1. Impact2. Risk3. Risk –.

TOTAL – IMPACT QUANTIFICATION 100 220 180 300 200 220 260 140 100 240 180 260 180 220 220

Risk Rating: Low (0-130) Medium (131-210) High (211-300)

RISKY INC.RISK ASSESSMENT MODEL – 2007

3

Relative weights 15% 10% 20% 15% 15% 5% 15% 5% 100%

ABC Corporation

2007Business Processes

Complexity/Volume of Trans-actions

Level of Auto-

mation(inverse scoring)

Level of Estimation/Judgment

Reporting

Complexity/

Prior Period

Changes

Process Nature/Inherent

Risks

RoutineNon-

routine

Susceptibility of loss

due to errors/ fraud

Related Party Trans- actions

 

Weighted Average

Risk Score

Financial Closing & Reporting High Med Med High High Med Med Low High

Fixed Assets Low Med Med Low Low Med Med Low Low

Purchasing, AP & Disbursements Med Med Low Low High Low High Low Med

Treasury/Equity Med High High Med Med High Med Low High

Revenue, AR & Receipts Med Med Med Low High Low High Low Med

Inventory Med Med Med Med Med Med High Low Med

Record & Monitor Debt Low Med Low Low Low Low Low Low Low

Commitments & Contingencies Low Med Med Low Med Med Low Low Med

Payroll & Benefits Low Med Low Low Med Low Med Low Low

Income Tax High Med High High Med Med Med Low High

Intangibles and Impairment Med High High High High High Med Low High

Cash Handling Med Med Low Low Med Low High Low Med

Consolidations Med Med Med Med Med Med Med Low Med

Note: Level of Automation evaluation text relates directly to automation of the process. The risk scoring is inverted (i.e. High = more automation thus less risk, while Low = less automation more risk)

Sample SOX Qualitative Risk Assessment (Heat Map)

4

Qualitative Assessment of Accounts/Processes

Qualitative Risk Factors (from PCAOB AS2) WeightsCategory 1 Category 2 Category 3

Rate Score Rate Score Rate Score

● Estimation 20

● Routine/Non-routine 10

● Automatic/Manual 10

● Account/Reporting Complexity/Changes from Prior Period

10

● Susceptibility of Loss Due to Errors or Fraud 10

● Complexity/Homogeneity & Volume of Activity 10

● Nature of Accounts (Suspense/Reserve, etc.) 10

● Likelihood of Significant Contingent Liabilities 10

● Existence of Related Party Transactions 10

● TOTAL 100 100 100 100

Risk Ratings Rating

No Risk or N/A

0

Low 1

Medium Low 2

Medium 3

Medium High 4

High 5

Risk Score Score

Low 0-150

Medium 150-300

High 300-500

Risk Factors are taken directly

from AS2/AS5

Risk Factors are taken directly

from AS2/AS5

5

Risk & Impact Analysis – Risky Company

RISK

IMPACT

BUSINESS UNIT HEAT MAP

HIGH

MED

LOW

• Information Technology

• Supply Chain Management

• Finance/Acctg

• Compliance• Marketing

• Purchasing

• Investor Relations

• Human Resources• Legal

• Administration • Public Relations

6

Risk/Impact Corridor – Risky Company

RISK

IMPACT

RISK CORRIDOR

HIGH

MED

LOW

BUSINESS UNIT HEAT MAP

• Investor Relations

• Public Relations

• Information Technology

• Supply Chain Mgmt

• Finance/Acctg• Compliance

• Marketing• Purchasing

• Human Resources• Legal

• Administration

7

Risk & Impact Analysis – Risky Company

Audits are in italics

AUDITUNIVERSE HEAT MAP

RISK

IMPACT

HIGH

MED

LOW

• Capacity Planning

• Business Continuity Planning

• Disaster Recovery

• Plant Operations• Supply Chain

• SOX Compliance

• Financial Reporting

• Compliance

• Revenue Receivables

• Cash Receipts

• Human Resources• Cash Reimbursements

• Purchasing

• Marketing

• Accounts Payable

• Investments

• Public Relations• Physical Security

• T&E Reporting• Budgeting

• Bank Reconciliations

• Payroll

• Facilities

• Fixed Assets

• Legal – Corp Secretary

8

Risk & Impact Corridor – Risky Company

AUDITUNIVERSE HEAT MAP

RISK

IMPACT

HIGH

MED

LOW

RISK CORRIDOR• Capacity Planning

• Business Continuity Planning

• Disaster Recovery

• Plant Operations• Supply Chain

• SOX Compliance

• Financial Reporting

• Compliance

• Revenue Receivables

• Cash Receipts

• Human Resources• Cash Reimbursements

• Purchasing

• Marketing

• Accounts Payable

• Investments• Public

Relations

• T&E Reporting• Budgeting

• Physical Security

• Bank Reconciliations

• Payroll• Facilities

• Fixed Assets

• Legal – Corp Secretary