The proposed standard applies to professional services, i.e. services requiring accountancy or related skills performed by a member in public practice, including accounting, auditing, taxation, management consulting and financial management services. There are individual ethical standards on such service offerings. APES 325 is the umbrella risk management standard that sits over the audit and related standards as well as the APES pronouncements that address non-assurance services. A firm’s quality control policies and procedures, developed in accordance with APES 320 Quality Control for Firms, need to be embedded within the RMF. So there is much to be done.
The scope
APES 325 sets standards for members in public practice to establish and maintain an RMF in their firms for the provision of quality and ethical professional services. Members have a responsibility, whether as owner, partner or employee, to ensure that the firm implements the requirements of the standard. The level of responsibility will depend on the position held by each member in the firm, but as a minimum all members should participate in the firm achieving the objectives of the standard. The standard adopts the firm as the overarching entity which must implement the requirements of the standard, but it is the firm’s members in public practice who have responsibility to ensure this occurs.
Risk management framework
A risk management framework (RMF) is defined as the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the firm. The foundations include the policy, objectives, mandate and commitment to manage risk; the organisational arrangements include plans, relationships, accountabilities, resources, processes and activities. Risk management means the coordinated activities undertaken by a firm to direct and control the activities of the firm with regard to risk (the effect of uncertainty on objectives).
An effective RMF should assist a firm to meet its overarching public interest obligations as set out in the Code as well as its business objectives by:
- facilitating business continuity
- enabling high quality services to be rendered to clients, and
- protecting the reputation and credibility of the firm.
An RMF should consist of policies designed to achieve the above objectives, and procedures necessary to implement and monitor compliance with those policies. The RMF should be embedded within the firm’s overall strategic and operational policies and practices.
Establishing and maintaining an RMF
A firm must establish and maintain an RMF, taking into consideration its public interest obligations. The firm must periodically evaluate the design and effectiveness of the RMF. It must include policies and procedures that identify, assess and manage the following risks: governance; business continuity (including succession planning); business; financial; regulatory; human resources; technology; and stakeholder.
Additional risks specific to the firm can be identified through the use of other relevant standards or guidance.
The nature and extent of the policies and procedures developed by a firm will depend on various factors such as the size and operating characteristics of the firm, and whether it is part of a network.
A firm must require the firm’s chief executive officer (or equivalent) or the firm’s managing board of partners (or equivalent) – collectively the firm’s leadership – to assume ultimate responsibility for the RMF. The firm’s leadership and the examples it sets significantly influence the internal culture of the firm. The adoption of an appropriate internal culture by a firm is dependent on clear, consistent and frequent actions and messages from all levels within the firm that emphasise the firm’s risk management policies and procedures.
A firm must ensure that the personnel assigned responsibility for establishing and maintaining its RMF have the necessary skills, experience, commitment and authority.
Firms may refer to the following documents for guidance:
- AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines, which provides useful guidance for developing a risk management framework, and
- Module 7: Risk Management of the Guide to Practice Management for Small and Medium-sized Practices issued by the Small and Medium Practices Committee of the International Federation of Accountants.
Monitoring risk management policies and procedures
A firm must establish a monitoring process designed to provide reasonable assurance that the risk management policies and procedures relating to the RMF are relevant, adequate, and operating effectively. A firm’s monitoring process should identify whether there are any instances of non-compliance with the risk management policies and procedures thereby enabling the firm’s leadership to take appropriate action.
Documentation
A firm must document its RMF. The form and content of documentation of the RMF is a matter of judgment and depends on a number of factors, including:
- the number of personnel and offices of the firm
- the nature and complexity of the firm’s practice, and
- the services provided.
A firm must document its risk management policies and procedures and communicate them to the firm’s personnel. Communication of risk management policies and procedures to the firm’s personnel should include a description of them and the objectives they are designed to achieve, and a message that each individual has a personal responsibility for risk management and is required to comply with the policies and procedures. In recognition of the importance of obtaining feedback on the firm’s RMF and policies and procedures, firm personnel should be encouraged to communicate their views and concerns on risk management matters. The firm’s documentation should include:
- procedures for identifying potential risks
- the firm’s risk appetite
- risks identified
- procedures for assessing and managing risks
- treatment of identified risks
- documentation processes
- procedures for dealing with non-compliance
- training of staff in relation to risk management, and
- procedures for regularly reviewing the RMF.
The firm must retain all relevant documentation for a period sufficient to permit those performing the firm’s monitoring function to evaluate the firm’s compliance with its RMF, and for any longer period required by applicable legal or regulatory record retention requirements.
Action items
The following action items may assist public practitioners in dealing with the RMF requirements:
- place on partners’ agenda and discuss implications for the practice (and, where applicable, for the network)
- assign responsibility for RMF monitoring, implementation and maintenance
- consider timing and resourcing for the RMF project, including the use of external resources
- schedule risk management training and a workshop for partners and senior staff
- integrate existing policies regarding service lines (e.g. assurance, compilations, insolvency, management consulting, forensic, taxation and valuations) and the APES 320 Quality Control for Firms policies into a coherent RMF
- update QA and staff manuals
- organise a quality assurance review of the new/revised RMF and changes to policies and procedures regarding the service lines
- train staff on revised policies and procedures
- determine frequency of reviews to comply with APES 320 monitoring requirements
- consider the impact on the professional indemnity insurance policy of the firm – a number of such policies require a description of risk management policies and procedures, and
- leverage the work done on the RMF as a new service offering to clients.
In summary
An effective RMF should assist a firm to meet its overarching public interest obligations as set out in APES 110 Code of Ethics for Professional Accountants, as well as its business objectives, by facilitating business continuity, enabling high quality services to be rendered to clients, and protecting the reputation and credibility of the firm.
APES 325 Risk Management for Firms will be of particular value to small-to-medium private practices in helping them to consider and manage the strategic and operational risks that come with running a professional practice.
Understanding and implementing an RMF may pose a significant challenge for many. Start early, focus on the benefits, and do not view APES 325 as merely a compliance exercise.