Tool 1 example: Risk analysis for financial statements

Purpose
A risk analysis framework establishes the analysis required for each financial statement line
item and accompanying notes to:
 assist in the prioritisation of resources

 to determine if sufficient controls are in place to mitigate the risk of material

misstatement to an acceptable level, to achieve necessary outcomes.
For example, a high-level financial reporting risk, will require ongoing and sustained
resource requirement and likely to involve complex internal control, higher level of
documentation and disclosure, and accounting issues or balances that require estimation or
judgement. A low level of financial reporting risk will require minimal resource commitment
and likely to involve routine control and accounting issues.

Risk management practices and processes

The entity should adopt best practices that formalise a policy for the risk assessment, based
on a number of factors, including the complexity of the statements and the maturity of the
process. The process should include:
 a regular cycle for reviewing financial statement line item risks

 reporting to governance committees

 a standard format, detailed analysis and information against each account.

Risk assessment steps

Step 1: Specifying objectives

A pre-condition to the conduct of risk assessment is establishing objectives. Entity
management should specify high-level objectives and sub-objectives relating to the
preparation of financial statements.
An example of a high-level objective is for the entity to prepare reliable financial statements
that are in accordance with AAS and TIs/LG Regs.
Sub-objectives relate to account and business processes and activities and include
accounting policies, financial statement assertions and qualitative characteristics.
Examples of sub-objectives include:
Property, plant and equipment held and recorded as of year-end meet the classification and
valuation financial statement assertions.

Step 2: Conduct financial reporting risk assessment

In identifying risks to the achievement of financial reporting objectives noted in Step 1,
management should consider the financial reporting risk factors related to each financial
statement account and the associated financial statement assertions. Each entity should
decide on the financial reporting risk factors most appropriate to its own operations and
circumstances and the weightings to be applied to each factor.
The process of identifying and analysing risk factors includes both quantitative and
qualitative factors. Examples of factors that can impact financial reporting risk include

Western Australian Public Sector Financial Statements – Better Practice Guide

materiality, volume of transactions, operating environment, the level of judgement involved,
reliance on third party data, manual intervention, disparity of data sources, evidence of fraud,
system changes and results of previous audits by internal audit and the OAG.
Apply risk ratings to determine overall financial reporting risk assessment based on entity’s
risk management framework.
An example risk analysis for the item property, plant and equipment is below. The example
serves as an illustration only and does not cover all financial statements items.

Risk factor Rating

Key questions to consider Reason/analysis
(See Note 1) (See Note 1)

Materiality How significant is the item The item represents 12% of total
as a percentage of total assets.
income, expenses, assets or
liabilities?
How significant is the item to H The item is topical because of
the key users of the financial recent parliamentary interest.
statements?
How material are individual About 40% of transactions have
transactions? high dollar values.
Volume of Is there a significant number A significant number of individual
transactions of transactions in the M transactions are processed each
population? year.
Operating Are there any legislative or This factor is not applicable.
environment regulatory changes?
Are there significant budget
constraints or other financial
pressures?
Are there any changes in
the key cost/revenue
drivers?
Are there plans to outsource N/A
services or move to a
shared service
arrangement?
Is there likely to be any new
significant contracts
/arrangements entered into
during the financial year?
Are there any changes to
accounting processes?
Reporting Are there any complex or None identified.
requirements new accounting
requirements? L
Are there any significant None identified.
compliance issues?
Level of Does the item require Judgement is required for
judgement considerable judgement to capitalisation threshold, useful
record the account balances lives and revaluations.
and transactions correctly? H
Does it require estimates, Judgement is required in
management judgement or determining whether the asset

Western Australian Public Sector Financial Statements – Better Practice Guide

Risk factor Rating
Key questions to consider Reason/analysis
(See Note 1) (See Note 1)

specific knowledge and belongs to other related entities.

skills of the item and related
accounting standards?
Extent of Is the accuracy of data Significant reliance on business
reliance on dependent on areas, areas to provide information.
third parties systems, experts or related
entities outside the control
of the finance team?
Does experience suggest Data provided in prior year had
that such data is provided in H significant errors.
a timely and accurate
manner? Reliance on external experts with
respect to valuation.
Reliance on related entities to
manage and correctly record
assets in regional offices.
Level of Is the level of manual Manual adjustments are generally
manual intervention used to initiate, required to reflect revaluations and
intervention record, process or report impairments of property, plant and
transactions significant? equipment.
Is manual intervention M The level of manual intervention is
appropriate? appropriate because judgement is
required to initiate and record the
adjustments.

Disparity of Can data be easily and Three different registers are used
M
data sources reliably retrieved? to manage and control assets.
System Are there new/significant This factor is not applicable
changes changes to systems or N/A
feeder systems?
Evidence of Is there any evidence of None identified.
fraud significant internal or L
external fraud?
Audit issues How significant are previous Previous internal audit and OAG
identified audit findings in respect of audit findings remain outstanding.
this item? M Corrective action is in progress.
Have these findings been
adequately addressed?
Financial reporting risk summary    
Financial Based on the assessment H Key contributing factors:
reporting above: Materiality of the balance.
risk  Have key financial Level of judgement required in
reporting risk been determining correct asset
identified? classification and valuation.

Western Australian Public Sector Financial Statements – Better Practice Guide

 Risk factor Rating
Key questions to consider Reason/analysis
(See Note 1) (See Note 1)
 What are the key High level of reliance on business
contributing inherent areas to correctly identify assets
risk factors for the for capitalisation.
item?

 What is the overall Reliance on other related entities

financial reporting risk to manage some key assets.
rating?

Note 1: Different weightings should be given to each risk factor. The materiality of the financial
statement item would be expected to have the greatest weighting

Step 3: Conduct a residual risk assessment

An effective system of internal control helps prevent material misstatements, errors and
fraud. Key controls1 must be designed and implemented in such a way that they will prevent
or detect on a timely basis, potential material misstatements related to the identified financial
statement assertions.
A residual risk assessment for each financial statement assertion should take into account
the preventative and detective control framework and identification of other existing
mitigating controls.

(i) Preventative controls: Pre month-end assurance framework

The entity should adopt best practices that control system access, security, procurement,
payment of invoices, receipting and segregation of duties. In addition, the entity should adopt
a risk-based control framework to prevent material errors going undetected and incorrect
financial information being reported. This includes:
 journals being prepared and reviewed by 2 separate officers prior to posting

 processing the reversal of all accrual journals at the beginning of each month and re-
accrual, as appropriate
 establishing a hierarchy of journal endorsement, such as:
o executive endorsement for journals larger than an appropriate specified amount

o CFO endorsement for:

 journals directly affecting equity

 journals larger than an appropriate specified amount.
These controls combined with other pre month-end assurance processes are essential for
preventing, identifying and correcting errors before the general ledger closing. To improve
the accuracy, veracity and usefulness of the monthly management reports and reduce the
need for post-close adjustments, the entity should adopt a pre month-end assurance
process that includes finance team officers undertaking:
 a review of the reasonableness of the entity’s financial statements (revenue, expense,
assets, liabilities and equity) prior to the general ledger closing

1
‘A key control is usually the only control that covers a risk of material misstatement and is indispensable to cover its control
objective’ - SAICA, Guidance on the CFO/FD Sign-Off on Internal Financial Control, August 2020, p.11.

Western Australian Public Sector Financial Statements – Better Practice Guide

 substantive testing (if large, unusual, complex or non-recurring items were identified to
have material impact on period-end closing balances)
 investigation and further analysis where the movement is not considered reasonable
when comparing:
o actuals to budget (greater than X% or $X million variance to revised budgets)

o monthly movement (greater than X% or $X million variance to expectations)

o negative accounts

o relationship to other items and external information

 correction of all identified material errors prior to the general ledger closing.

(ii) Detective controls: Post month-end assurance framework

Account reconciliations and analytics are the primary tools for detecting misstatements and
internal control issues.
To complete the account reconciliations within the required timeframes, with the requisite
levels of quality and analysis, the entity should adopt best practices that formalise a policy
for appropriate staff in the finance team to reconcile and review all accounts, including:
 Undertaking a risk assessment of all accounts to determine a risk rating. Accounts that
have a higher financial reporting risk of material misstatement should then be subject
to more frequent reconciliations, analytical procedures, substantive testing and peer
review to reduce risks to an acceptable level.
 Completing assessments to identify opportunities to redesign, reduce or remove
compliance activities without significantly impacting on the outcomes.
 Adopting a cycle for reconciling, analysing and testing accounts based on the risk. For
example, higher risk may require monthly reconciliations.
 Requiring reconciliations to be prioritised, based on risk and variance thresholds, with all
reconciliations due for completion by the 10th working day of the subsequent month.
 Using a standard format and analysis for information against each account.

 Assigning 1 preparer and 1 reviewer to each account with each person understanding
the: business activities; key drivers; purpose; source of documentation; and analysis to
obtain a reasonable level of assurance over the account balance and reduce the risk
of misstatement to an acceptable level.
 A review of the inherent risk assessment and mitigating controls where there are
indications that the nature, materiality or risk profile of the account may have changed.
The effectiveness of existing controls is then assessed and an overall residual reporting risk
rating of high, medium or low is assigned for each financial statement item. An example
residual risk assessment for the property, plant and equipment example is provided below.

Analysis of existing key controls    

Western Australian Public Sector Financial Statements – Better Practice Guide

 Existing key controls in place are:
 Monthly reconciliation of property, plant and equipment movement schedules showing
opening balances, additions, disposals, transfers, depreciation, impairments and closing
balances is performed to ensure completeness of all asset movements in the asset registers
and FMIS.

 Year-end review is undertaken to ensure assets are categorised by class and appropriately
disclosed in the financial statements, including movement tables.

 Asset stocktakes are conducted in accordance with the policy on assets and stocktake
reports are reconciled to the asset registers and FMIS. Stocktake reports are endorsed by
management.

 Year-end reviews of valuation reports are conducted.

 Annual review for impairment in accordance with Accounting Standard AASB 136
Impairment of Assets is carried out to ensure property, plant and equipment value is not
overstated.

 Service agreements with related entities are reviewed annually to ensure that their
management controls are adequate to minimise material misstatements in recording and
ownership.

Residual risk summary:

Risk
Key questions to consider Rating Reason/analysis
factor
Residua Based on the analysis of existing controls Key contributing factors:
l risk above: Controls in place are relatively
 Have all existing key controls been mature and are subject to periodic
identified? review.

 What are the key contributing risks M However, the item is material and
remaining after existing controls improvements are still required by
have been exercised? business areas to provide more
timely and accurate information.
 What is the overall residual risk
rating?

Step 4: Summarise risk ratings and key actions taken or required

It is recommended that entities summarise their risk ratings in a format such as a risk and
control matrix which identifies and classifies each of the risks within the internal financial
reporting control environment that supports the transactions. Collate all individual risk ratings
for each financial statement assertion to give an overall picture of the reporting risk for all
financial statement items.
Determine required treatments, having regard to the entity’s risk appetite. It is essential to
identify those risk activities that require additional actions taken or required to reduce the risk
to an acceptable level.
Entities may find it useful to present the summary table below to the audit committee for
review of progress.
A risk and control matrix should be regularly reviewed and updated as the business,
operations, technologies and processes change and evolve.

Western Australian Public Sector Financial Statements – Better Practice Guide

Financial Financial Effect of the Risk Mitigating Residual Date Findings Key actions Sign-
reporting statement financial rating control for risk control taken or off
risk assertion reporting risk financial rating tested required
reporting
risk

AASB 116 Valuation of Property, plant High Year-end Moderate June Control Valuation Fixed
revaluation property, and equipment reviews of 202x functioning estimate and asset
adjustment plant and may be valuation as assumptions officer
is incorrect equipment misstated and reports are documented will be
fair values are conducted reviewed and
incorrect approved by
accountable
authority and
audit
committee

Western Australian Public Sector Financial Statements – Better Practice Guide