In Part II of our series to better understand the COSO Framework, we covered the first component of internal control, the Control Environment. This article will focus on Risk Assessment, which is the second of the five internal control components of the COSO Framework.
There are four principles related to the Risk Assessment component of internal control.
1) The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to financial reporting objectives.
Before the process of assessing risks can begin, an entity must first specify its overall objectives. Without suitable objectives in place, an entity cannot assess the risks that would hinder it from achieving them. Objectives can fall into several categories: operational, external financial reporting, external non-financial reporting, internal reporting and compliance objectives. The objectives set by management should be clear and concise, but should still be comprehensive.
2) The entity identifies risks to achieving its objectives and analyzes risks to determine how the risks should be managed.
Identifying risks, specifically those associated with the achievement of organizational objectives, should be an all-inclusive process. In the risk assessment process, relationships between the entity and any relevant third parties should be considered. Third parties that may impact risks include: employees, customers, suppliers, investors, creditors, competitors, regulatory agencies or the media. Additionally, both internal and external factors may affect risk. External factors, such as regulatory and legislative changes or competitive pressures, may be identified as a result of considering relationships with regulatory agencies or competitors. Internal factors, such as developments in information systems, personnel turnover or reorganizations, may impact risks identified in relation to employees or investors and shareholders. Overall, organizations should use a variety of techniques to help identify the external and internal factors that contribute to risk.
Analyzing risks is also part of the second principle of the Risk Assessment component. Analyzing risks should include a process whereby management assesses the likelihood that identified risks will occur, the significance of those risks and what steps can be taken to mitigate or manage them.
3) The entity considers the potential for fraud in assessing risks to the achievement of financial reporting objectives.
The third principle requires that the organization consider fraud and the potential for fraud when assessing risks. The organization’s risk assessment process should include management’s assessment of risks related to fraudulent financial reporting, which would include an assessment of the incentives, pressures and attitudes present that may lead to fraud occurring. The response to fraud risks will align with the entity’s level of risk tolerance. Organizations with a lower tolerance for risk will be less likely to accept the risk associated with fraud and will instead ensure that mitigating controls are established.
4) The entity identifies and assesses changes that could significantly impact the system of internal control.
The identification and analysis of risks is a dynamic process. Appropriate levels of management should continually monitor risks and changes to their internal and external environments that could have an impact on the organization and the achievement of its objectives.
Future KT newsletters will review the remaining three components of internal control and their corresponding COSO Framework Principles. Please contact Traci Hanson, Shelley Goodrich, or Sandra Weaver with specific questions. The Framework can be purchased from COSO’s website at www.coso.org.