
Cash: Risk Assessment Considerations — Illustrative Example

Introduction
This document is intended to provide a framework for executing a fact-based risk assessment relating to the
cash account balance — a balance that primarily contemplates cash held in banks. It highlights broad risk
factors that are usually present in the account balance, identifies items that affect those risk factors and
relates such items to the standard account balance assertions. It is the basis for the related guided risk
assessment (GRA). The example does not illustrate potential documentation to support our risk assessment
conclusions. The fact-based evidence that should be gathered is outlined in the related GRA.

An appropriate risk assessment for cash begins with a thorough understanding of the processes that affect
cash (e.g., purchase to pay, order to cash, treasury cycles). Obtaining an understanding of the controls and
processes related to cash is generally relevant to assist in our understanding of the cash account balance.
Generally, recording cash transactions is not an overly complicated process, and applying the related
accounting under these circumstances is not complex in nature.

However, there are certain nuances that could increase the level of risk associated with cash. The following
broad risk categories are generally relevant to assist in our understanding of the cash account:

• An understanding of the nature of the transactions in the cash cycle.


• A thorough understanding of the requirements of accounting for cash under the applicable financial
reporting framework, and the application of such requirements to the entity’s cash transactions.
• An understanding of the relevant controls and processes, and the competence of the individuals and/or
the reliability of the systems that execute those controls and processes.

Certain facts and circumstances relative to the broad risk factors listed previously can affect our risk
assessment and our development of risks of material misstatement (RoMMs) related to the assertions
relevant to this account. For example, an entity with a completely automated treasury cycle likely would have
a different level of inherent risk across all relevant assertions compared to an entity that has a semi-
automated or completely manual process.

As depicted in the image to the right, the discussions in this document fit in the general framework set forth
in Risk Assessment: A Practical Guide to Auditing, particularly with respect to identifying risks of
misstatement and determining how to evaluate which of those rise to a RoMM.

To assist engagement teams in performing their risk assessment, we have (1) highlighted various factors and
assumptions that can influence our risk assessment and (2) set forth examples of situations with varying
levels of risk and the underlying drivers of those risks. The ultimate objective of this process is to
establish what the specific RoMMs are so that focused audit responses can be developed.

This example and the related GRA do not contemplate the following unique considerations. These are to be
analyzed separately because of their unique GAAP characteristics or unique risk profile, and such
considerations are not part of this document. If applicable, the GRA allows us to document deliberative
RoMMs for these considerations and design tailored audit responses.

• Customer funds (i.e., custodial cash).

• Cryptocurrency.

• Cash equivalents (as defined in the accounting literature).

• Fraud risks.

In addition, all of the “bottom-up” risk assessment factors included below are to be supplemented by risk
assessment evidence from our “top-down” risk assessment procedures — procedures that are executed in
order to gain an understanding of the entity as a whole (including industry factors and general economic
environment factors) and that could directly or indirectly affect the cash assertions.

Aggregation/Disaggregation Considerations
Disaggregation of financial information within a financial statement line item (FSLI) may be necessary to be
able to perform appropriate risk assessment procedures. Such disaggregation to lower level transaction
groupings occurs in the significant account identification process. Differences in how transactions are
processed, differences in controls, or differences in risk characteristics between transaction groupings are all
indicators that disaggregation of financial information may be necessary and a separate GRA may need to be
completed.

For example, prior to performing the detailed risk assessment procedures, we might consider if a group of
cash accounts are governed by the same processes and controls or exhibit similar risk characteristics and
define that as a disaggregated significant/material account. For example, an entity may use separate cash
accounts to receive payments from customers, to pay for the purchase of raw materials and supplies, or to
maintain margin requirements for certain investments. The accounts may be held at different financial
institutions, may be subject to unique processes that record transactions and/or reconcile activity, or may
have separate accounting complexities; any of which might lead us to conclude that the disaggregation of the
cash FSLI to multiple significant accounts may be appropriate. The following factors may be relevant when
disaggregating the FSLI for purposes of performing risk assessment:

• Accounting and reporting complexity.

• Nature of cash accounts (e.g., disbursement accounts, receipt accounts, special deposits).

• Nature of the underlying controls and processes, and the competence of the individuals and/or the
reliability of the systems that execute those controls and processes.

• Nature and characteristics of the financial institutions involved.

• Currency type (denomination).

As noted earlier, sometimes these factors will require different GAAP and/or GAAS considerations and fall
outside of the scope of this document; other times, they will be representative of populations with different
RoMMs that need to be disaggregated for purposes of risk assessment.

When performing risk assessment, we first disaggregate the account balance and transactions, then allow our
evaluation of the broad risk factors to inform our conclusions as to the RoMMs and the level of risk associated
with such RoMMs with respect to these specific disaggregated balances.

Factors and Assumptions


While not exhaustive, the following table presents factors and assumptions that commonly give rise to risks
and have an impact on our assessment of those risks related to the cash account balance. The factors in this
table directly correlate with the risk assessment questions in the GRA. The table also presents potential
underlying drivers that can influence the level of risk associated with each factor or assumption. This table
intentionally excludes certain broader factors (e.g., whether the entity is public or private, whether the entity
is operating in a stable environment). Refer to Risk Assessment: A Practical Guide to Auditing for
considerations pertaining to such broader factors. Note that we are required to obtain a sufficient
understanding of internal control as part of our base of knowledge from which we identify risks of
misstatement and ultimately assess which are RoMMs (see PCAOB AS 2110.18-20, AICPA AU-C 315.13 and
AU-C 315.A49, and ISA 315.12 and ISA 315.A50). When using the factors in the following table to
identify risks and ultimately define and assess RoMMs, evidence (i.e., facts) provided from risk
assessment procedures is needed to support our assessment of the risk factors and the perceived
location on the risk spectrum. For example, when assessing whether there have been changes in the
entity’s process in the current period, we may provide evidence supporting our conclusion as to this risk
factor by referring to the walkthrough procedures performed.

| Factors and Assumptions | Less Risk | More Risk | Drivers |
|---|---|---|---|
| Quantitative | | | |
| Degree of unexpected or inconsistent fluctuations or relationships | No unexpected or inconsistent fluctuations or relationships | Unexpected or inconsistent fluctuations or relationships exist | Purchasing and sales environment, growth stage, investments |
| Changes in volume or activity within account | No or slight changes | Significant changes | Sales environment, growth stage, macro- or micro-economic conditions, management strategy, changes in competition or laws and regulations |
| Distribution of value of transactions | Consistent transaction size | Inconsistent transaction size | Nature of cash transactions |
| Volume of transactions over the course of the period | Low volume | High volume | Nature of cash transactions |
| Impact on financial reporting ratios (e.g., current ratio) | Low impact on critical external reporting ratios or metrics | High impact on critical external reporting ratios or metrics | Financial reporting ratios |
| Processes | | | |
| Deficiencies in process identified in prior or current year | No deficiencies or deficiencies with compensating or redundant controls | Significant deficiencies or material weaknesses | Nature of process |
| Changes in entity policies | No changes or slight changes | Significant changes | Changes in laws or regulations |
| Past misstatements, history of errors, late adjustments | No history of misstatements, errors, or late adjustments; or misstatements are of low quantitative and qualitative significance for such items | History of misstatements, errors, or late adjustments; or misstatements are of high quantitative and qualitative significance | Nature of process |
| Changes in nature of process or controls | No changes or slight changes | Significant changes | Changes in nature of process or controls |
| Variability in processing of transactions | Little to no variability in how transactions are processed | Transactions may be processed differently, or the process is ad-hoc in nature | Nature of process, variability in customers or types of sales |
| Continuity or competence of individuals or service providers, or efficacy of applications responsible for processing transactions | High competence, low turnover, high efficacy, no application changes | Low competence, significant turnover, low efficacy, application changes | Nature of process |
| Manual versus automated | Fully automated | Fully manual | Use of IT in accounting process, interface with financial institutions |
| Changes in IT environment | None or minor changes | Significant changes | Use of IT in accounting process, interface with financial institutions |
| Simple versus complex (in terms of judgment required, complexity of process) | Simple, and/or little to no judgment, and/or minimal calculations | Complex, and/or highly judgmental, and/or complex calculations | Interface with financial institutions, nature of cash accounts |
| Nature of Cash Accounts | | | |
| Nature of accounts | Simple cash account | Complex cash account (e.g., restricted cash, margin deposit account) | Nature of cash transactions, accounts |
| Reconciling items | Typical reconciling items of small value and short period of existence | Abnormal or unsupported reconciling items of high value and long period of existence | Nature of cash transactions, accounts |
| Turnover of accounts | Number of accounts and associated financial institutions are consistent with prior periods | New accounts or new associated financial institutions | Business environment |
| Use of account | Used for normal vendor disbursements or for cash collections from customer | Used for nonrecurring purposes | Nature of transactions, accounts |
| Foreign currency or another store of liquid value | No foreign currency accounts, or foreign currency accounts denominated in relatively easy to value currencies | Foreign currency accounts denominated in relatively difficult to value currencies (e.g., those with exchange restrictions) | Nature of transactions, accounts |
| Accounting and Reporting | | | |
| Method to compile information for required cash disclosures | Not complex, little to no judgement involved, information is readily available | Complex, significant judgement involved, information is not readily available | Entity-specific |

Identifying and Assessing Risks of Material Misstatement


The factors and assumptions in the previous table affect each relevant assertion in a unique way. Certain
broad risk factors may apply only to certain assertions or may affect different assertions in varying degrees.
When evaluating how the broad risk factors influence our identification and assessment of RoMMs, it is
important to consider which assertions the risk factors affect.

If our evaluation of certain of the broad risk factors discussed drives us to the left side of the risk spectrum
(i.e., less risk), it is likely that our RoMM is akin to the inverse of the assertion (e.g., our RoMM for the
existence assertion may be that cash does not exist). To that end, we have established core baseline RoMMs
that relate to each of the relevant balance sheet assertions. We then base the design of our procedures on
such RoMMs when we believe that we are in situations that lend themselves to prescriptive responses. Such
RoMMs are modified when broad risk factors suggest that a more focused RoMM be set forth. In those cases,
our audit responses are more deliberative and impact the nature of testing.

Figure 1: Broad Risk Factors

Consequently, our baseline RoMMs would be as follows:

Risk PR01 — Existence


Cash does not exist.

Risk PR02 – Completeness


Cash is incomplete.

Risk PR03 — Rights and Obligations


The entity does not have rights to cash.

Risk PR04 – Valuation and Allocation


Cash is not valued and/or allocated appropriately.

Risk PR06 – Presentation and Disclosure


Financial statements do not include the required disclosures for cash; or disclosed amounts are not accurate
or classified appropriately; or the disclosed events, transactions, management assertions, and other matters
may not have occurred or pertain to the entity.

However, there are some instances in which certain of the broad risk factors drive us to various points on the
risk spectrum. These broader risks then directly affect certain financial statement assertions (which, in turn,
evolve into RoMMs). The following examples demonstrate scenarios in which these broad risk factors
influence the identification and assessment of RoMMs.

Examples of Varying Levels of Risk
Example 1

Company A is a manufacturer of industrial equipment. A’s systems/processes are highly automated and have
no history of error. Cash accounts used for purchases of materials, employee compensation, and sales are
held at the same reputable financial institution, and all transactions are interfaced automatically with the
general ledger. The individuals who operate the systems/processes are experienced in their jobs, and there
has been very little turnover. The accounts seldom have material reconciling items. There are no restricted
cash or margin accounts.

In this example, all broad risk factors would move to the left of the risk spectrum (consistent with Figure 1),
and there would be no RoMMs other than the lower RoMMs previously described.

Example 2

Company B is a manufacturer of industrial equipment. B’s systems/processes are highly automated and have
no history of error. B purchases various futures contracts to hedge costs of purchasing certain raw materials
vital to their production activities. 1 These contracts require various margin accounts that are held at different
financial institutions. The process for accounting for cash transactions for these margin accounts is different
than other accounts and is more manual and ad hoc in nature. The accounts are reconciled less frequently,
and we have noted past deficiencies in the process for accounting for cash in these accounts.

In this example, it would be appropriate to disaggregate the cash balance to separate the normal cash
accounts from the margin accounts. For the margin accounts, several of the broader risk factors would move
to the right on the risk spectrum as shown in Figure 2 and would likely require one or more RoMMs to be
more precisely described and tailored. In this particular instance, RoMMs would be customized for the rights
and obligations assertion. RoMMs such as “The entity does not have rights to cash and cash equivalents due
to xyz accounts not being maintained in accordance with margin account agreements because of inadequate
monitoring” may be appropriate to enable us to appropriately target what could go wrong and lead us to
develop tailored audit procedures. Depending on other factors (including quantitative characteristics), the
RoMMs may be higher or significant.

Figure 2: Broad Risk Factors (margin accounts only)

1 The hedging transactions are incidental to the subject of this example.

Consequently, we may add the following to our existing list of RoMMs:

Risk DR0X – Rights and Obligations


The entity does not have rights to cash and cash equivalents due to xyz accounts not being maintained in
accordance with margin account agreements because of inadequate monitoring.

Risk DR0X – Existence and Completeness


Margin account cash may not exist or may not be complete because of the manual and ad hoc nature of the
process for accounting for margin account cash.

Example 3

Company C is also a manufacturer of industrial equipment. C has acquired several businesses in South
America in the current year; all of which have material cash accounts denominated in foreign currencies.
Several of the acquisitions were in countries with foreign currencies that are difficult to value due to wide
fluctuations, hyperinflation, and potential restrictions on conversion to other currencies.

In this example, it would likely be appropriate to disaggregate the cash balances related to the acquired
entities denominated in difficult to value foreign currencies. For these accounts, the risk factors related to
valuation would move very far to the right on the risk spectrum as shown in Figure 3 and would likely require
one or more RoMMs to be more precisely described and tailored. Tailored RoMMs such as “Cash and cash
equivalents are valued inappropriately due to cash accounts denominated in difficult-to-value foreign
currencies (e.g., Venezuelan Bolivar and Mexican Peso)” need to be described to target precisely what could
go wrong and lead us to develop tailored audit procedures to address that matter. Depending on other
factors (including quantitative characteristics), the RoMMs may be higher or significant.

Figure 3: Broad Risk Factors (foreign currency accounts only)

Consequently, we may add the following deliberative RoMM to our existing list of prescriptive RoMMs:

Risk DR0X – Valuation and Allocation


Cash and cash equivalents are valued inappropriately due to cash accounts denominated in difficult-to-value
foreign currencies (e.g., Venezuelan Bolivar and Mexican Peso).

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private
company limited by guarantee (“DTTL”), its network of member firms, and their
related entities. DTTL and each of its member firms are legally separate and
independent entities. DTTL (also referred to as “Deloitte Global”) does not
provide services to clients. In the United States, Deloitte refers to one or more of
the US member firms of DTTL, their related entities that operate using the
“Deloitte” name in the United States and their respective affiliates. Certain
services may not be available to attest clients under the rules and regulations of
public accounting. Please see www.deloitte.com/about to learn more about our
global network of member firms.

Copyright © 2019 Deloitte Development LLC. All rights reserved.


Member of Deloitte Touche Tohmatsu Limited
