At its most basic level, risk is defined as the probability of not achieving, or reaching, certain outcomes (goals). Risk is measured in terms of the effect that an event will have on the degree of uncertainty of reaching stated objectives. Risk is commonly thought of in this context as a negative connotation: the risk of an adverse event occurring.
This article discusses the risks faced by accounting firms in Australia, and gives an overview of the new risk management standard (APES 325) issued by the professional standards board.
WHAT IS RISK IN ACCOUNTING FIRMS?
In the context of the professional Accounting Firm, risk is not a new concept for practitioners: it has been attached to the profession for as long as accountants have offered services in a commercial setting. However, as the number and size of legal claims against professional public accountants has increased over the years, so too has the issue of risk and risk management also increased in importance.
Risk management is the system by which the firm seeks to manage its over-arching (and sometimes, conflicting) public-interest obligations combined with managing its business objectives. An effective risk management system will facilitate business continuity, enabling quality and ethical services to be supplied and delivered to clients, in conjunction with ensuring that the reputation and credibility of the firm is protected.
WHY IS A STANDARD REQUIRED?
The Accounting Professional & Ethical Standards Board (APESB) recognised that public interest and business risks had not been adequately covered in existing APES standards, notably APES 320 (Quality Control for Firms). In releasing the standard, the APESB replaces and extends the focus of a range of risk management documents issued by the various accounting bodies. Accordingly, APES 325 (Risk Management for Firms) was released, with mandatory status from 1 January, 2013.
The intention of APES 325 is not to impose onerous obligations on accounting firms who are already complying with existing requirements addressing engagement risks. All professional firms are currently required to document and implement quality control policies and procedures in accordance with APES 320/ASQC 1. Effective quality control systems, tailored to the activities of the firm, will already be designed to deal with most risk issues that arise in professional public accounting firm. However, APES 325 does expect firms to consider the broader risks that impact the business generally, particularly its continuity.
THE NEW REQUIREMENTS
The process of risk management in the Professional Accounting Firm requires a consideration of the risks around governance, business continuity, human resources, technology, and business, financial and regulatory environments. While this is a useful list of risks to consider, it will be risks that are relevant to the operations of the practice that should be given closest attention.
The ultimate objective for compliance with the Risk Management standard is the creation of an effective Risk Management Framework which allows a firm to meet its overarching public interest obligations as well as its business goals. This framework will consist of policies directed towards risk management, and the procedures necessary to implement and monitor compliance with those policies. It is expected that the bulk of the Firm’s quality control policies and procedures, (developed in accordance with APES 320) will be embedded within the Risk Management Framework, thus facilitating integration of the requirements of this standard and that of APES 320, and ensuring consistency across all the Firm’s policies and procedures.
A critical component of the Risk Management Framework is the consideration and integration of the Firm’s overall strategic and operational policies and practices, which also needs to take account of the Firm’s Risk appetite in undertaking potentially risky activities.
Whilst the standard allows for the vast majority of situations that are likely to be encountered by the accounting firm, the owners should also consider if there are particular activities or circumstances that require the Firm to establish policies and procedures in addition to those required by the Standard to meet the stated aims.
Establishing & Maintaining
Ultimately, it is the partners (or owners) of the Accounting Firm that will bear the ultimate responsibility for the Firm’s Risk Management Framework. So it is this group (or person if solely owned) that must take the lead in establishing and maintaining a Risk Management Framework, as with periodic evaluation of its design and effectiveness.
Often times, the establishment and maintenance of the Risk Management Framework is delegated to a single person (sometimes not an owner), so the Firm must ensure that any Personnel assigned responsibility for establishing and maintaining its Risk Management Framework in accordance with this Standard have the necessary skills, experience, commitment and (especially), authority.
When designing the framework, the firm requires policies and procedures to be developed that identify, assess and manage the key organisational risks being faced. These risks generally fall into 8 areas:
- Governance risks and management of the firm;
- Business continuity risks (including succession planning, and disaster recovery (non-technology related);
- Business operational risks;
- Financial risks;
- Regulatory change risks;
- Technology risks (including disaster recovery);
- Human resources; and
- Stakeholder risks.
The nature and extent of the policies and procedures developed will depend on various factors such as the size and operating characteristics of the Firm and whether it is part of a Network. In addition, if there are any risks that happen to be specific to a particular firm – caused by its particular operating characteristics – these also need to be identified and catered for. At all times, a Firms public interest obligation must be considered.
A key factor in any risk management process is the leadership of the firm, as it is the example that is set and maintained by the Firms leadership that sets the tone for the rest of the firm. Consequently, adopting a risk-aware culture by a Firm is dependent on the clear, consistent and frequent actions and messages from and to all levels within the Firm. These messages and actions need to constantly emphasise the Firm’s Risk Management policies and procedures.
An essential component of the Risk Management process is monitoring the system, to enable the Firm overall to have reasonable confidence that the system works. The system works when risks are properly identified and either eliminated, managed, or mitigated. Most risks cannot be entirely eliminated, so the focus of the system needs to be on managing risks down (preventing occurrences as far as practicable), or mitigating the risk (handling the event should it occur).
As part of the system, a process needs to be installed that constantly ensures that the Framework is – and will continue to be – relevant, adequate and operating effectively, and that any instances of non-compliance with the Firm’s Risk Management policies and procedures are detected and dealt with. This includes bringing such instances to the attention of the Firm’s leadership who are required to take appropriate corrective action.
The Framework needs regular monitoring (at least annually), and by someone from within the Firm’s leadership (either a person or persons) with sufficient and appropriate experience, authority and responsibility for ensuring that such regular reviews of the Firm’s Risk Management Framework occurs when necessary.
A Risk Management system needs to be properly and adequately documented, so that all the necessary requirements can be complied with, and referred to (if necessary). The form and content of the documentation is a matter of judgment, and depends on a number of factors, including: the number of people in the firm; the number of offices the Firm operates, and; the nature and complexity of the Firm’s practice and the services it provides.
Proper and adequate documentation enables the Risk Management policies and procedures to be effectively communicated to the Firm’s personnel. A key message that must be included in all such communications is that each individual in the firm has a personal responsibility for Risk Management and are required to comply with all such policies and procedures. In addition, and in recognition of the importance of obtaining feedback, personnel should be encouraged to communicate their views and concerns on Risk Management matters.
In documenting the risk framework, the Firm needs to include and cover following aspects:
- The procedures to be followed for identifying potential Risks;
- The Firm’s risk appetite;
- The actual identification of risks;
- Procedures for assessing and managing, and treating the identified risks;
- Documentation processes;
- Procedures for dealing with non-compliance with the framework;
- Training of Staff in relation to Risk Management; and
- Procedures for regular review of the Risk Management Framework.
In alignment with the monitoring of the Risk Management system, all instances of non-compliance with the Firm’s Risk Management policies and procedures detected though its Monitoring process need to be documented, as with the actions taken by the Firm’s leadership in respect of the non-compliance.
Finally, all relevant documentation pertinent to the Risk Management process needs to be retained by the Firm for sufficient time to permit those performing the monitoring process to evaluate compliance with the Risk Management Framework, and also to follow applicable legal or regulatory requirements for record retention.
Risk is an ever-present and growing component of delivering professional accounting services to clients, and is not confined to taking on client work that can put the firm’s reputation into decline. It is the everyday business conditions and decisions made that can weigh heavily on a firm.
The modern accounting firm is in the unique position of having all the operating risks of a main-stream business, with the addition of those imposed by the various regulators and authorities.
A comprehensive and effective Risk Management Framework will assist owners of firm in identifying deficiencies and blind-spots that can impact a firm, as well as placing a commercial assessment on the probability of an occurrence, and putting in place clear plans on what to do and when.