According to COSO, "Every entity faces a variety of risks from external and internal
sources that must be assessed. A precondition to risk assessment is establishment of
objectives, linked at different levels, and internally consistent. Risk assessment is the
identification and analysis of relevant risks to achievement of the objectives forming
a basis for determining how the risks should be managed. Because economic,
industry, regulatory, and operating conditions will continue to change, mechanisms
are needed to identify and deal with the special risks associated with change."
Effective risk assessment requires:
• Defined business objectives
• Identification of risks for achieving objectives
• Risk rating method
• Actions to mitigate risks
If any one of these factors is absent, an unsatisfactory rating is generally warranted.
Furthermore, audit inquiries and tests should be designed to determine whether there
are key risks that management has not contemplated. If such risks are identified and
deemed critical, an unsatisfactory rating should be rendered on that basis alone, even
if all the other factors listed are present.
Holistic risk assessment—COSO ERM
Organizations that have adopted a more holistic view of risk assessment have
incorporated Enterprise Risk Management (ERM) into their risk assessment plans.
COSO defines ERM as "A process, effected by an entity's board of directors,
management, and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and
manage risks to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives." Implementation of controls is one
common method management can use to manage risks within its risk appetite.
Internal auditors audit the key controls and provide assurance on the management
of significant risks.
Risk managers and auditors rely on two fundamental risk measurement concepts
when conducting a risk assessment: they measure and track inherent risk and
residual risk (also known as current risk). Inherent risk measurements assess the
susceptibility of information or data to a material misstatement, assuming that
there are no related mitigating controls. The IIA's International Standards for
the Professional Practice of Internal Auditing (Standards) define residual risk as,
"the risk remaining after management takes action to reduce the impact and
likelihood of an adverse event, including control activities in responding to a risk".
Current risk is therefore often described as the risk that remains with the existing
controls or control systems in place.