CHAPTER 4 – Internal Control and Risk Management

LEARNING OBJECTIVES
Upon completion of this chapter, you will

 Understand what is meant by internal control using the Committee of Sponsoring Organizations
(COSO) Framework.
 Identify the objectives, components, and principles of an effective internal control framework.
 Know the roles and responsibilities each group in an organization has regarding internal control.
 Identify the different types of controls and the appropriate application for each of them.
 Obtain an awareness of the process for evaluating the system of internal controls and its
limitations.
 Define risk and enterprise risk management.
 Explore the elements and processes of risk management that organizations can adopt in
establishing an effective risk management framework.
 Examine the objectives, components, roles, and responsibilities of the 2017 COSO Enterprise
Risk Management Framework and ISO 31000:2018.
 Describe the different roles the internal audit function can play in enterprise risk management.
 Evaluate the impact of enterprise risk management on internal audit activities.

OVERVIEW
Life is full of uncertainty. If you stop to think about it, there are many day-to-day activities about which
you simply do not know what the outcome will be in advance. How you deal with those uncertainties
determines what kind of success you will have in life.

Operating a business is no different. Organizations face uncertainties in all aspects of conducting
business, and their success is dependent on how well they manage those uncertainties. Operational
auditing can be a key enabler to that success.

Internal control plays an important role in how management meets its stewardship or agency
responsibilities. Management has the responsibility to maintain controls that provide reasonable assurance
that adequate control exists over the entity's assets and records. Proper internal control not only ensures
that assets and records are safeguarded but also creates an environment in which efficiency and
effectiveness are encouraged and monitored. Management also needs a control system that generates
reliable information for decision making. If the information system does not generate reliable
information, management may be unable to make informed decisions about issues such as product
pricing, cost of production, and profit information.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of
the five private sector organizations listed below and is dedicated to providing thought leadership
through the development of frameworks and guidance on enterprise risk management, internal control
and fraud deterrence. COSO is composed of the following organizations:

 American Institute of Certified Public Accountants
 Financial Executives International
 Institute of Management Accountants
 Institute of Internal Auditors
 American Accounting Association

INTERNAL CONTROL
According to COSO's Internal Control-Integrated Framework, internal control is designed and effected by
an entity's board of directors, management, and other personnel to provide reasonable assurance about the
achievement of the entity's objectives in the following categories: (1) reliability of financial reporting, (2)
effectiveness and efficiency of operations, and (3) compliance with applicable laws and regulations.
An internal control system consists of all the policies and procedures (i.e., related to internal control) and
processes adopted by the management of an entity to assist in achieving management's objective of
ensuring, as far as practicable, the orderly and efficient conduct of its business.

ROLE OF INTERNAL AUDITOR FOR INTERNAL CONTROL

While management, under the leadership of the CEO, has ultimate responsibility for the adequate design
and effective operation of the system of internal controls, internal auditors play a significant role in
verifying that management has met its responsibility. Initially, management performs the primary
assessment of the system of internal controls, and then the internal audit function independently validates
management's assertions. The internal audit function provides reasonable assurance that the system of
internal controls is designed adequately and operating effectively, increasing the likelihood that the
organization's business objectives and goals will be met. The COSO framework defines the role of the
internal auditor similarly, although in more general terms: "...internal auditors provide assurance and
advisory support to management on internal control...the internal audit [function] includes evaluating the
adequacy and effectiveness of controls in responding to risks within the organization's oversight,
operations, and information systems..." Moreover, the scope of internal auditing is typically expected to
include oversight, risk management, and internal control, and to assist the organization in maintaining
effective control by evaluating the effectiveness and efficiency of those controls and by promoting continual
improvement. Internal audit communicates findings and interacts directly with management, the audit
committee, and/or the board of directors. Because of its organizational position and authority in an
entity, an internal audit function often plays a significant monitoring role.

LIMITATIONS OF INTERNAL CONTROL

Internal control can do much to protect against both errors and fraud and to ensure the organization's
objectives are achieved. Still, it is important to recognize the existence of inherent limitations of internal
control. Custom, culture, and the corporate governance system may inhibit fraud, but they are not
absolute deterrents. Mistakes may be made in the performance of controls as a result of a
misunderstanding of instructions, mistakes of judgment, carelessness, distraction, or fatigue. Errors in
judgment may also occur in designing, maintaining, or monitoring controls. Control activities, whether
manual or automated, that depend upon separation of duties may be circumvented by collusion among two
or more people. In addition, management may inappropriately override internal control. Management, for
example, may enter into side agreements with customers that alter the terms and conditions of the
company's standard contract in ways that would preclude revenue recognition, or management may
improperly modify the accounting records.

The extent of the controls adopted by a business also is limited by cost considerations. It is not feasible
from a cost standpoint to establish controls that provide absolute protection from fraud and waste;
reasonable assurance in this regard is generally the best that can be achieved.

ELEMENTS OF INTERNAL CONTROL

To achieve the specific objectives within each of the three categories of objectives, the COSO report defines
five basic components of a properly designed internal control system. The five components are (1) control
environment, (2) risk assessment, (3) control activities, (4) monitoring, and (5) information and
communication. It is important to point out that the five components should not operate independently of
each other. Instead, they should be considered as working in an interrelated manner to support the internal
control system's overall effectiveness.

CONTROL ENVIRONMENT
The control environment sets the tone of an organization, influencing the control consciousness of its
people. It is the foundation for all other components of internal control, providing discipline and structure.
The importance of control to an entity is reflected in the overall attitude, awareness of, and actions of the
board of directors, management, and owners regarding control. The control environment can be thought
of as an umbrella that covers the entire entity and establishes the framework for implementing the entity's
accounting systems and internal controls. Factors that affect the control environment are as follows
(ICHAMPO):

 Integrity and Ethical Values communication and enforcement
 Commitment to Competence
 Human Resources Policies and Practices
 Assignment of Authority and Responsibility
 Management's Philosophy and Operating Style
 Participation of those Charged with Governance (Board of Directors/Audit Committee)
 Organizational Structure

Integrity and Ethical Values Communication and Enforcement

The effectiveness of an entity's internal controls is influenced by the integrity and ethical values of the
individuals who create, administer, and monitor the controls. An entity needs to establish ethical and
behavioural standards that are communicated to employees and are reinforced by day-to-day practice. For
example, management should remove incentives or opportunities that might lead personnel to engage in
dishonest, illegal, or unethical acts. Some examples of incentives that may lead to unethical behaviour are
pressures to meet unrealistic performance targets and performance-dependent rewards. Examples of
opportunities include an ineffective board of directors, a weak internal audit function, and insignificant
penalties for improper behaviour. Management can best communicate integrity and ethical behaviour
within an entity by example and through the use of policy statements, codes of conduct, and training.
Senior management and the board of directors are expected to lead by example in establishing values and
expectations regarding appropriate behaviour. When this is done well the organization is said to have a
strong tone at the top. This commitment to integrity and ethical values is communicated through the
organization's standards of conduct, and emphasized through directives, actions, and behaviour. An
organization should also establish processes to enforce standards of conduct, ensuring that deviations are
identified and remedied on a timely and consistent basis.

Commitment to Competence
Competence is the knowledge and skills necessary to accomplish the tasks that define an individual's job.
Conceptually, management must specify the competence level for a particular job and translate it into the
required level of knowledge and skills. For example, an entity should have a job description for each job.
Management then must hire employees who have the appropriate competence for their jobs. Good human
resource policies help attract and retain competent and trustworthy employees.

Human Resource Policies and Practices

The quality of internal control is directly related to the quality of the personnel operating the system. The
entity should have sound personnel policies for hiring, orienting, training, evaluating, counselling,
promoting, compensating, and taking remedial action. For example, in hiring employees, standards that
emphasize seeking the most qualified individuals, with emphasis on educational background, prior work
experience, and evidence of integrity and ethical behaviour, demonstrate an entity's commitment to
employing competent and trustworthy people. Research into the causes of errors in accounting systems
has shown personnel-related issues to be a major cause of error.

Assignment of Authority and Responsibility

This control environment factor includes how authority and responsibility for operating activities are
assigned and how reporting relationships and authorization hierarchies are established. It includes policies
regarding acceptable business practices, knowledge, and experience of key personnel, and resources
provided for carrying out duties. It also includes policies and communications directed at ensuring that all
personnel understand the entity's objectives, know how their individual actions interrelate and contribute
to those objectives, and recognize how and for what they will be held accountable.
An entity can use a number of controls to meet the requirements of this control environment factor. For
example, the entity can have a well-specified organizational chart that indicates lines of authority and
responsibility. Further, management and supervisory personnel should have job descriptions that include
their control-related responsibilities.

Management's Philosophy and Operating Style
Establishing, maintaining, and monitoring the entity's internal controls are management's responsibility.
Management's philosophy and operating style can significantly affect the quality of internal control.
Characteristics that may signal important information to the auditor about management's philosophy and
operating style include the following:

 Management's approach to taking and monitoring business risks.
 Management's attitudes and actions toward financial reporting (conservative or aggressive
selection from available alternative accounting principles, and the conscientiousness and
conservatism with which accounting estimates are developed).
 Management's attitudes toward information processing and accounting functions and personnel.

For example, does management take significant risks, or is it risk averse? Are sales and earnings targets
unrealistic, and are employees encouraged to take aggressive actions to meet those targets? Can
management be described as "fat and bureaucratic," "lean and mean," dominated by one or a few
individuals, or is it "just right"? Understanding these and similar aspects of management's philosophy and
operating style gives the auditor a sense of management's attitude about internal control.

Participation of those charged with governance (Board of Directors/Audit Committee)

The board of directors and the audit committee significantly influence the control consciousness of the
entity. As mentioned in Chapter 1, the audit committee is a subcommittee of the board of directors that is
normally composed of directors who are not part of the management team. The board of directors and the
audit committee must take their fiduciary responsibilities seriously and actively oversee the entity's
accounting and reporting policies and procedures.
Factors that can impact the effectiveness of the board or audit committee include the following:

 Its independence from management.
 The experience and stature of its members.
 The extent of its involvement with and scrutiny of the entity's activities.
 The appropriateness of its actions.
 The information it receives.
 The degree to which difficult questions are raised and pursued with management.
 Its interaction with the internal and external auditors.

Some of the more important duties of the audit committee are:

 Appointment, compensation, and oversight of the public accounting firm conducting the entity's
audit.
 Resolution of disagreements between management and the audit team.
 Oversight of the entity's internal audit function.
 Approval of non-audit services provided by the public accounting firm performing the audit
engagement.
 Oversight of the anonymous fraud hotline, which is designed to provide employees a confidential
and effective manner in which to report possible financial reporting issues.

Small and midsize entities may implement the control environment factors differently than larger entities.
For example, smaller entities might not have a written code of conduct but instead develop a culture that
emphasizes the importance of integrity and ethical behaviour through oral communication and by
management example. Similarly, a smaller entity may not have an independent or outside member on its
board of directors.

Organizational Structure
The organizational structure defines how authority and responsibility are delegated and monitored. It
provides the framework within which an entity's activities for achieving entity-wide objectives are
planned, executed, controlled, and reviewed. An entity develops an organizational structure suited to its
needs. Establishing a relevant organizational structure includes considering key areas of authority and
responsibility and appropriate lines of reporting.
The appropriateness of an entity's organizational structure depends on its size and the nature of its
activities. Factors such as the level of technology in the entity's industry and external influences such as
regulation play a major role in the type of organizational structure used. For example, an entity in a
high-tech industry may need an organizational structure that can respond quickly to technological changes
in the marketplace. Similarly, an entity that operates in a highly regulated industry, such as banking, may
be required to maintain a very tightly controlled organizational structure in order to comply with
regulatory requirements.

CONTROL ACTIVITIES
Control activities are the policies and procedures that help ensure that management's directives are carried
out and are implemented to address risks identified in the risk assessment process. Control activities may
be either automated or manual. Those control activities that are relevant to the audit include (PIPS):

 Performance reviews.
 Information processing controls, including authorization and document-based controls.
 Physical controls.
 Segregation of duties.

Performance Reviews. A strong accounting system should have controls that independently check the
performance of the individuals or processes in the system. Some examples include comparing actual
performance with budgets, forecasts, and prior-period performance; investigating the relationship of
operating and financial data followed by analysis, investigation of unexpected differences, and corrective
actions; and reviewing functional or activity performance.

Information Processing Controls. A variety of controls are used to check accuracy, completeness, and
authorization in the processing of transactions. The two broad categories of information systems control
activities are general controls and application controls. General controls relate to the overall information
processing environment and include controls over data center and network operations; system software
acquisition, change, and maintenance; access security; and application system acquisition, development,
and maintenance. For example, an entity's controls for developing new programs for existing accounting
systems should include adequate documentation and testing before implementation. Application controls
apply to the processing of individual applications and help ensure the occurrence (validity), completeness,
and accuracy of transaction processing. Two examples are (1) the entity should have controls that ensure
that each transaction that occurs in an entity's accounting system is properly authorized and (2) the entity
should design documents and records so that all relevant information is captured in the accounting
system.

Physical Controls. These controls include the physical security of assets and adequate safeguards, such as
secured facilities, authorization for access to computer programs and data files, and periodic counting of
assets such as inventory and comparison to control records.

Segregation of Duties. It is important for an entity to segregate the authorization of transactions,
recording of transactions, and custody of the related assets. Independent performance of each of these
functions reduces the opportunity for any one person to be in a position to both perpetrate and conceal
errors or fraud in the normal course of his or her duties. For example, if an employee receives payment
from customers on account and has access to the accounts receivable subsidiary ledger, it is possible for
that employee to misappropriate the cash and cover the shortage in the accounting records.

Control activities can be categorized as:

Preventive: Preventive controls are those activities that act before the error or omission can occur and
reduce the likelihood and/or impact of the event.

Detective: Detective controls identify errors or anomalies after they have occurred and signal the need for
corrective action.

Directive: Directive controls are temporary controls that are implemented to redirect employee actions.
They are sometimes referred to as corrective controls because they are put in place when an undesirable
action has occurred, even when there were preventive and detective controls in place. For example, if
employees have received training instructing them to tether themselves to the handrail walking on a
scaffold more than 10 feet high, yet employees are found to ignore that requirement anyway, the breach in
safety protocol may compel management to have everyone attend refresher training to reinforce the
importance of that requirement and that it is expected of everyone, every time.

Another example could be employees who went through orientation and were told that sexual harassment
is unacceptable, yet some engage in sexual harassment in the workplace anyway. In this case, all
employees could be sent to sexual harassment training to remind them of the importance of adhering to
the company's policy.

Compensating: Compensating or mitigating controls are those that are put in place when a control is not
where it is expected as proper design would stipulate. For example, if there is a lack of segregation of
duties, and more employees cannot be hired to address the weakness, then a supervisory review can be
implemented to verify that all transactions performed are business appropriate. This could occur in a
small office where an individual makes purchases, receives the items, and performs bank reconciliations.
This employee could make inappropriate purchases without detection, so to mitigate this risk, the district
manager could review all purchases periodically to make sure they were appropriate, the items were
delivered to the company facilities, and were put into legitimate business use.
Generally speaking, preventive controls are preferable to detective controls because while detective
controls are important and useful, they identify issues after the fact. When issues are identified after they
occur, they must be corrected and transactions reprocessed, so they create rework. Preventive controls on
the other hand, thwart problems from occurring so activities are performed one-time only. The general
objective in all operating units and activities should be: "Done once, done right."
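The segregation-of-duties rule above (authorization, recording and custody of an asset held by different people) and the preventive, detective and compensating categories can all be expressed in code, which also makes the difference between them concrete: a preventive check refuses the conflicting assignment, a detective check finds conflicts in transactions that already happened, and a compensating review is what lets a conflict through. The Python below is an added example written for this chapter, not code from the source. The function names, the purchase-to-pay transactions, the user names, and the rule that a compensating review only counts when it comes from a supervisor who performed none of the three functions are assumptions made for illustration.

```python
"""Segregation of duties in a small purchase-to-pay flow: a preventive
check at assignment time, a detective scan over completed transactions,
and a compensating supervisory review where segregation is not possible.
Added example; users, roles and transactions are constructed."""
from dataclasses import dataclass, field
from typing import Optional

AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"
INCOMPATIBLE = {AUTHORIZE, RECORD, CUSTODY}  # no one person may hold two of these


class SodViolation(Exception):
    """Raised by the preventive control when an assignment would breach SoD."""


@dataclass
class Transaction:
    tx_id: str
    amount: float
    actions: dict = field(default_factory=dict)   # function -> user who performed it
    reviewed_by: Optional[str] = None             # independent supervisory review, if any


def assign(tx, function, user):
    """Preventive control: refuse to let a user take on a second incompatible
    function on the same transaction."""
    held = {f for f, u in tx.actions.items() if u == user}
    if held & INCOMPATIBLE and function in INCOMPATIBLE:
        raise SodViolation(f"{user} already performs {sorted(held)} on {tx.tx_id}")
    tx.actions[function] = user


def conflicts(tx):
    """Detective control: users holding more than one incompatible function on a
    completed transaction (for example one imported from a legacy system)."""
    by_user = {}
    for f, u in tx.actions.items():
        if f in INCOMPATIBLE:
            by_user.setdefault(u, set()).add(f)
    return {u: sorted(fs) for u, fs in by_user.items() if len(fs) > 1}


def evaluate(tx, supervisors):
    """Accept a transaction if duties are segregated, or if a conflict is covered by
    a compensating review from a supervisor who performed none of the functions.
    Returns (accepted, reason)."""
    found = conflicts(tx)
    if not found:
        return True, "segregated"
    if tx.reviewed_by in supervisors and tx.reviewed_by not in tx.actions.values():
        return True, f"conflict {found} covered by review from {tx.reviewed_by}"
    return False, f"uncovered conflict {found}"


def scan_ledger(ledger, supervisors):
    """Run the detective check over a whole ledger; return the rejected tx ids."""
    return [tx.tx_id for tx in ledger if not evaluate(tx, supervisors)[0]]


# Constructed sample: a small office where 'pat' buys, receives and reconciles.
ledger = [
    Transaction("PO-1001", 450.00, {AUTHORIZE: "ana", RECORD: "ben", CUSTODY: "cho"}),
    Transaction("PO-1002", 980.00, {AUTHORIZE: "pat", RECORD: "pat", CUSTODY: "pat"},
                reviewed_by="dm_rivera"),           # district manager reviewed it
    Transaction("PO-1003", 120.00, {AUTHORIZE: "pat", RECORD: "pat", CUSTODY: "ben"}),
    Transaction("PO-1004", 300.00, {AUTHORIZE: "pat", RECORD: "ben", CUSTODY: "pat"},
                reviewed_by="pat"),                 # self-review is not independent
]
SUPERVISORS = {"dm_rivera"}

if __name__ == "__main__":
    for tx in ledger:
        print(tx.tx_id, evaluate(tx, SUPERVISORS))
    t = Transaction("PO-1005", 50.0)
    assign(t, AUTHORIZE, "ana")
    try:
        assign(t, CUSTODY, "ana")   # the preventive control blocks this
    except SodViolation as e:
        print("blocked:", e)
```

Note that PO-1004 is rejected even though it carries a review: the reviewer is the same person who authorized and received the goods, so the review does not compensate for anything. That independence test is the part most often missed when a compensating control is implemented as a checkbox.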

INFORMATION SYSTEMS AND COMMUNICATION

An information system consists of infrastructure (physical and hardware components), software, people,
procedures (manual and automated), and data. The information system relevant to the financial reporting
objective includes the accounting system and consists of the procedures (whether automated or manual)
and records established to initiate, authorize, record, process, and report an entity's transactions and to
maintain accountability for the related assets and liabilities.

For example, an effective accounting system gives appropriate consideration to establishing methods
and records that will:

 Identify and record all valid transactions.
 Describe on a timely basis the transactions in sufficient detail to permit proper classification of
transactions for financial reporting.
 Measure the value of transactions in a manner that permits recording their proper monetary value
in the financial statements.
 Determine the time period in which transactions occurred to permit recording of transactions in
the proper accounting period.
 Properly present the transactions and related disclosures in the financial statements.

Communication involves providing an understanding of individual roles and responsibilities pertaining to
internal control over financial reporting. It includes the extent to which personnel understand how their
activities in the financial reporting information system relate to the work of others and the means of
reporting exceptions to an appropriate higher level within the entity. Policy manuals, accounting and
reporting manuals, and memoranda communicate policies and procedures to the entity's personnel.
Communications can also be made electronically, orally, or through the actions of management.
A well-designed information system that is operating effectively can reduce the risk of material
misstatement. The auditor must learn about each business process that affects significant account balances
in the financial statements. This includes understanding how transactions are initiated and authorized,
how documents and records are generated, and how the documents and records flow to the general ledger
and financial statements. Understanding the information system also requires knowing how IT is involved
in data processing. The auditor should understand the automated and manual procedures used by the
entity to prepare financial statements and related disclosures.

High-quality information must be communicated appropriately. This interdependency is why COSO
combines information and communication in this component. Relevant, accurate, and timely information
must be available to individuals at all levels of an organization who need such information to run the
business effectively. Information must be provided to specific personnel as appropriate to support
achievement of their operating, reporting, and compliance responsibilities. Additionally, communication
must take place more broadly relative to expectations, responsibilities of individuals and groups, and
other important matters. Communications with external parties also are important and can provide critical
information on the functioning of controls. These parties include, but are not limited to customers,
suppliers, service providers, regulators, external auditors, and shareholders.

Clearly, the culture of an organization plays an important role in communicating its priorities. Typically,
organizations that have established a culture of integrity and transparency have an easier time with
communication than do other organizations.

MONITORING
To allow for continuous improvements and consider changes in the entity's operating environment,
management needs to monitor its internal control systems. The fundamental principles of monitoring
include:

 On-going and separate evaluations. On-going evaluations, separate evaluations, or some
combination of the two enable management to determine whether the other components of internal
control are present and continue to function over time.
 Reporting deficiencies. Internal control deficiencies are identified and communicated in a timely
manner to those parties responsible for taking corrective action, and to senior management and the
board as appropriate.

It is important to note that monitoring does not include regular management and supervisory control
activities and other actions that employees take in performing their everyday duties. Effective monitoring
involves ongoing evaluation of the controls. Some common monitoring controls include:

 Periodic evaluation of controls by internal audit.
 Analysis of and appropriate follow-up of operating reports or metrics that might identify
anomalies indicative of a control failure.
 Supervisory review of controls, such as reconciliation reviews as a normal part of processing.
 Self-assessments by boards and management regarding the tone they set in the organization and
the effectiveness of their oversight functions.
 Audit committee inquiries of internal and external auditors.
 Quality assurance reviews of the internal audit department.

As you can see, some of the control activities explained earlier in this chapter also serve as monitoring
activities. For example, analyzing customer complaints for follow-up is a control activity, but analyzing
them to determine whether the complaints result from a weakness in other controls (e.g., a failure to
compare shipping documents to customer orders) is a monitoring activity.
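The distinction just drawn, between working the exceptions as a control activity and reading the exceptions to find a control weakness as a monitoring activity, is easiest to see over data. The Python below is an added example and not part of the chapter: reconcile() compares constructed shipping records to constructed customer orders (the control activity), and monitor() looks at the exception rate and at where the exceptions cluster (the monitoring activity). The sample orders and shipments, the two warehouse names, and the 5% rate and 60% concentration thresholds are assumptions made for illustration.

```python
"""Control activity vs. monitoring activity. reconcile() is the control
activity (shipping documents compared to customer orders); monitor() looks
across its exceptions to ask whether an upstream control is failing.
Added example; orders, shipments and thresholds are constructed, not real."""
from collections import Counter

# Constructed sample: ten customer orders (odd ids ship SKU A100, even ids B200)
# and the shipments raised against them. Three shipments are wrong on purpose.
ORDERS = {f"SO-{i}": {"sku": "A100" if i % 2 else "B200", "qty": 10} for i in range(1, 11)}
SHIPMENTS = [
    {"ship_id": "SH-1", "order_id": "SO-1", "sku": "A100", "qty": 10, "site": "WH-1"},
    {"ship_id": "SH-2", "order_id": "SO-2", "sku": "B200", "qty": 10, "site": "WH-1"},
    {"ship_id": "SH-3", "order_id": "SO-3", "sku": "A100", "qty": 10, "site": "WH-1"},
    {"ship_id": "SH-4", "order_id": "SO-4", "sku": "B200", "qty": 10, "site": "WH-1"},
    {"ship_id": "SH-5", "order_id": "SO-5", "sku": "A100", "qty": 10, "site": "WH-1"},
    {"ship_id": "SH-6", "order_id": "SO-6", "sku": "B200", "qty": 10, "site": "WH-1"},
    {"ship_id": "SH-7", "order_id": "SO-7", "sku": "A100", "qty": 10, "site": "WH-1"},
    {"ship_id": "SH-8", "order_id": "SO-8", "sku": "B200", "qty": 12, "site": "WH-2"},   # over-shipped
    {"ship_id": "SH-9", "order_id": "SO-9", "sku": "A100", "qty": 8, "site": "WH-2"},    # short-shipped
    {"ship_id": "SH-10", "order_id": "SO-99", "sku": "B200", "qty": 10, "site": "WH-2"},  # no such order
]


def reconcile(orders, shipments):
    """Control activity: flag every shipment that does not agree with the customer
    order it cites. Each exception carries its reason so monitoring can group by it."""
    exceptions = []
    for s in shipments:
        o = orders.get(s["order_id"])
        if o is None:
            reason = "no matching order"
        elif o["sku"] != s["sku"]:
            reason = "sku mismatch"
        elif o["qty"] != s["qty"]:
            reason = "quantity mismatch"
        else:
            continue
        exceptions.append({**s, "reason": reason})
    return exceptions


def monitor(exceptions, shipments, max_rate=0.05, concentration=0.6):
    """Monitoring activity: an isolated exception is corrected and reprocessed, but a
    high exception rate, or exceptions clustered at one site or under one reason,
    points to a weakness in an upstream control (order entry, picking at one
    warehouse) and is reported as a finding. Thresholds are assumed values."""
    findings = []
    if not shipments:
        return findings
    rate = len(exceptions) / len(shipments)
    if rate > max_rate:
        findings.append(f"exception rate {rate:.1%} exceeds {max_rate:.0%}")
    for key in ("site", "reason"):
        if exceptions:
            top, n = Counter(e[key] for e in exceptions).most_common(1)[0]
            if n / len(exceptions) >= concentration:
                findings.append(f"{n} of {len(exceptions)} exceptions share {key}={top}")
    return findings


def run(orders=ORDERS, shipments=SHIPMENTS):
    """Run the control activity, then the monitoring activity over its output."""
    exceptions = reconcile(orders, shipments)
    return exceptions, monitor(exceptions, shipments)


if __name__ == "__main__":
    exc, findings = run()
    for e in exc:
        print("exception:", e["ship_id"], e["reason"])
    for f in findings:
        print("monitoring finding:", f)
```

On the sample data the control activity produces three exceptions to be corrected one by one; the monitoring activity reports that all three come from WH-2 and that two of them are quantity mismatches, which is the signal that the picking or confirmation control at that warehouse, not the individual shipments, needs attention.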

Although the preceding procedures provide management daily monitoring opportunities, the oversight
provided to the entity by the board of directors (and, more specifically, the audit committee) provides the
highest level of monitoring.

On-going monitoring activities of small and midsize entities are more likely to be informal and are
typically performed as a part of the overall management of the entity's operations. Management's close
involvement in operations often will identify significant variances from expectations and inaccuracies in
financial, operations, and compliance data.

RISK ASSESSMENT
Risk, under COSO, is the possibility that events will occur and affect the achievement of a strategy and
objectives. Organizations ordinarily face a variety of risks from external and internal sources that threaten
their ability to meet their objectives in the areas of operations, reporting, and compliance. Risk is a
concept used by
auditors and managers to express concerns about the probable effects of an uncertain environment. Risk
assessment is management's process for identifying, analyzing, and responding to such risks. In
performing effective risk assessment, organizations should:

 Clearly specify objectives to allow the identification and assessment of risks related to those
objectives.
 Identify and analyze risks to the achievement of its objectives to determine how they may be
managed.
 Consider potential fraud relating to the achievement of objectives.
 Identify and assess changes that could impact internal control.

An entity's risk assessment process is its process for identifying and responding to business risks. This
process includes how management identifies risks relevant to the preparation of financial statements,
estimates their significance, assesses the likelihood of their occurrence, and decides how to manage
them. For example, the entity's risk assessment process may address how the entity identifies and
analyses significant estimates recorded in the financial statements.

Effective risk assessment requires the establishment of performance measures to assess the achievement
of objectives. This allows management to establish risk tolerance for its various objectives and manage
these risks. Risk tolerance is the acceptable level of variation in performance relative to the achievement
of objectives. Risks may exist at the entity level or the transaction level. Entity-level risks arise from
external or internal factors, such as economic, regulatory, technology, and personnel factors.
Transaction-level risks are found within divisions, operating units, or functions of the organization.

Assessing risk involves evaluating the likelihood of occurrence and the potential impact. It also involves
considering the velocity (speed of occurrence) and the duration of the risk's impact. This assessment
allows management to identify the significant risks that require a response.
Risk begins with strategy formulation and setting of business objectives. An organization is in business to
achieve particular strategies and business objectives. Risks represent the barriers to successfully achieving
those objectives as well as the opportunities that may help achieve those objectives. Therefore, because
each organization has somewhat different strategies and business objectives, they also will face different
types of risks.

Business and Process Risk


This is the risk that the organization's processes are not effectively obtaining, managing, and disposing of
their assets; that the organization is not performing effectively and efficiently in meeting customer needs;
or that it is not creating value, or is diluting value, by suffering the degradation of its financial, physical, and
information assets.

 Capacity risk: Insufficient capacity limits the ability to meet demand in the short and long term,
or excess capacity threatens the firm's ability to generate competitive profit margins.
 Execution risk: Inability to produce consistently without compromising quality.
 Supply chain risk: Being unable to maintain a steady stream of supplies when needed.
 Business interruption risk: This risk stems from the unavailability of raw materials, IT, skilled
labour, facilities, or other resources that threaten the organization's ability and capacity to
continue operations.
 Human resources risk: A lack of knowledge, skills, and experiences among the organization's key
personnel that threatens the ability to achieve business objectives.
 Product or service failure risk: Faulty or nonperforming products and services that do not meet
customer expectations can expose the organization to customer complaints, warranty claims,
returns, field repairs, product liability claims, litigation causing lost revenues, lower market share,
and damage to the business' reputation.
 Product development risk: Ineffective product development threatens the organization's ability to
meet or exceed customers' expectations consistently over the long term.
 Cycle time risk: Unnecessary activities threaten the organization's capacity to develop, produce,
market, and deliver goods and services in a timely manner.
 Health and safety risk: Failure to provide a safe working environment for workers exposes the
organization to compensation liabilities, loss of business reputation, and other costs.
 Leadership risk: Workers are not being led effectively resulting in lack of direction, motivation to
perform, customer focus, management credibility, and trust.
 Outsourcing risk: Outsourcing activities to third parties could result in these third parties not
performing in a way that is consistent with the organization's strategies, objectives, values, and
behavioral standards and expectations.
 Competitor risk: The risk that actions by competitors may threaten the organization's
competitive advantage or even its survival.
 Catastrophic loss risk: The risk that a catastrophe threatens the organization's ability to continue
operating and provide goods and services.
 Industry risk: Changing conditions that affect the attractiveness of the industry.
 Planning risk: Lack of planning information, or unrealistic, irrelevant, or unreliable planning information,
could result in poor conclusions and decisions. This risk is often triggered when plans and budgets are
unrealistic, not based on appropriate assumptions or performance metrics, not relevant to organization goals,
or not accepted by managers and workers.
 Organization structure risk: The organization's structure does not support change, flexibility, or
the organization's strategies. An ineffective organizational structure can threaten its ability to
change.
 Integrity and fraud risk: Risk of management or employee fraud, illegal or unauthorized acts that
could result in reputation loss.

Management fraud is the intentional misstatement of financial and operational reports that negatively
affect external stakeholders' decisions. Fraud could also be perpetrated by suppliers, customers, agents,
and brokers against the organization for personal gain. Illegal acts committed by managers and employees
can result in fines, penalties, sanctions, loss of licenses to operate, loss of customers, and reputation
damage.

Note: Managing the risk of fraud and corruption is the responsibility of management. Audit procedures
alone, even when performed with due professional care, cannot guarantee that fraud or corruption will be
detected. Internal audit does not have responsibility for the prevention or detection of fraud and
corruption. Internal auditors will, however, be alert in all their work to risks and exposures that could
allow fraud or corruption. Internal audit may be requested by management to assist with fraud
examination work.

 Trademark erosion risk: The erosion of a trademark or brand over time threatens the demand for
the organization's products and services. It also limits its ability to develop and grow future
revenue streams.
 Reputation risk: Risk of loss generally related to ethics, safety, security, quality, innovation, and
sustainability causing lost revenue, higher capital and regulatory costs, lower stock price, or
difficulties raising capital due to a potentially criminal event. Reputation risk may also cause loss
of customers, profits, and the ability to compete.
 Data integrity: Reliability and completeness of data flows, inbound and outbound from/to
customers, vendors, regulators, investors, and other stakeholders. It also relates to the
authorization, completeness, and accuracy of transactions as they are input, processed, and
reported.
 Infrastructure risk: Risk that the organization's IT infrastructure is obsolete, or lacks the IT
infrastructure, such as hardware, software, networks, and people it needs to effectively support
the information requirements of the organization to remain viable in the short and long term.
 Commerce risk: Events that compromise business-to-business (B2B) and business-to-customer (B2C)
financial and data flows, data integrity, and security.
 Access risk: Failure to adequately restrict access to information could result in unauthorized use
of confidential information. Conversely, overly restrictive access to information could limit the
ability of personnel to perform their assigned responsibilities.
 Availability risk: Unavailability of information when needed could threaten the continuity of the
organization's operations and processes.

Technological and Information Technology Risks


These risks relate to conditions where IT is not operating as intended, the integrity and reliability of data
are compromised, and significant assets are exposed to potential loss or misuse. They also relate to the
inability to maintain critical systems and processes. They include:

 Data and system availability risk: Uptime of systems, machines, and other tools to support the
needs of workers, customers, suppliers, and other stakeholders of the organization. This involves
data acquisition, maintenance, use, distribution, storage, and destruction.
 Data integrity risk: Accuracy and consistency of data stored, processed, retrieved, and destroyed
when it reaches the end of its life cycle.
 System capacity risk: Optimizing the amount of storage and computing ability systems possess.
 Data integrity: Reliability and completeness of data flows, inbound and outbound from/to
customers, vendors, regulators, investors, and other stakeholders. The authorization,
completeness, and accuracy of transactions as they are input, processed, and reported.
 Infrastructure risk: Risk that the organization's IT infrastructure is obsolete, or lacks the IT
infrastructure, such as hardware, software, networks, and people it needs to effectively support
the information requirements of the organization to remain viable in the short and long term.
 Commerce risk: Events that compromise B2B, and B2C financial and data flows, data integrity,
and security.
 Access risk: Failure to adequately restrict access to information could result in unauthorized use
of confidential information. Conversely, overly restrictive access to information could limit the
ability of personnel to perform their assigned responsibilities.
 Availability risk: Unavailability of information when needed could threaten the continuity of the
organization's operations and processes.

Personnel Risks
Personnel risks relate to conditions that limit the organization's ability to obtain, deploy, and retain
sufficient numbers of suitably qualified and motivated workers. As organizations increasingly rely on
their workforce to produce goods and services that add value to their customers, management is
confronted with the risk that personnel shortages limit their ability to deliver consistently with high
quality in the short and long terms.
 Availability risk: Sufficient workers and subject matter experts to support the organization's
present and future needs.
 Competence risk: Workers' ability to perform their duties efficiently and successfully.
 Judgment risk: Workers' capacity to make sensible decisions based on relevant circumstances.
 Malfeasance risk: Wrongdoing perpetrated by employees, contractors, suppliers, or customers.
 Motivation risk: Demotivated workers fail to apply creativity and discipline to their tasks
resulting in lower production, lower quality, poor service, and higher turnover and absenteeism.

Financial Risks
Financial risks can result in poor cash flows, currency and interest rate fluctuations, and an inability to
move funds quickly and without loss of value to where they are needed. Examples include:

 Resources risk: Availability of funds when needed and their judicious use for business purposes.
 Commodity prices risk: Fluctuations in prices expose the organization to lower margins or trading
losses.
 Foreign currency risk: Changes in foreign exchange rates can result in the economic loss of some
of the value of the asset.
 Liquidity risk: This is the loss exposure due to an inability to meet cash flow obligations, or the
lack of buyers and sellers in a market (i.e., illiquid market).
 Market risk: Movements in prices, rates, and indices affect the value of the organization's
financial assets and stock price. This could also affect its cost of capital and its ability to raise
capital.

Environmental Risks
Environmental risk relates to the actual or potential threat of negative effects on the environment by
emissions, wastes, and resource depletion. This can be caused by an organization's activities and it
influences living organisms, land, air, and water. Examples include:

 Energy and other resources risk: Inability to obtain reliable supplies at a reasonable price.
 Natural disaster risk: Events such as floods, earthquakes, fires, hurricanes, and tornadoes, as well as
the lack of potable water and other resources needed in company facilities.
 Pollution risk: Regulations and stakeholder demands affecting the source of energy supplies and
the quantity and manner of wastes allowable; also, excessive pollution that harms the health and safety
of the organization's employees. These activities can be harmful to the environment and expose the
organization to liabilities for bodily injury, property damage, removal costs, and punitive damages,
among others.
 Transportation risk: Ensuring the availability of adequate means of transportation. Some depend
on natural means such as navigable rivers, lakes, and coastlines, or are directly or indirectly
affected by natural or human actions, such as having unobstructed roads and working railroads.
 Pandemic risk: Bacteria or viruses that disrupt the organization's supply chain or availability of
its workforce to perform its duties.
Political risk
This is a type of risk faced by organizations, investors, and governments. It refers to the effects that
political decisions, events, or conditions can cause when they affect the profitability of a business, or the
ability to operate freely. It has to do with the complications organizations may encounter as a result of
political decisions. Examples include:

 Regulations and legislation risk: New or changes to existing regulations that limit the
organization's ability to engage in its normal business activities.
 Public policy risk: Stakeholder demands affecting the organization's operations.
 Instability risk: Civil or military unrest that disrupts the organization's activities.

Social Risk
Social risk relates to dynamics where an issue affects stakeholders who can form negative perceptions
that can cause some form of damage to the organization. Social risk can be influenced by strategic and
operational decisions management makes that affect issues stakeholders care about. The way society
perceives organizations' ways of conducting business is becoming increasingly important and drives
decisions related to climate change, obesity, workers' rights, poverty, and other social and environmental
issues. Current and prospective customers are increasingly responding to these dynamics by buying,
commenting publicly through social media, or lobbying with power brokers to exert pressure on
organizations to behave in ways that reflect their wishes.

Social risk is also influenced by societal dynamics affecting the workforce and target customers, such as
their age, racial composition, national origin, and family structure decisions. Examples of social risks
include:

 Demographics risk: Changes that affect purchasing preferences, staff availability, or the cost to
maintain a healthy workforce.
 Privacy risk: Preferences that curtail the capture, storage, use, and dissemination of personal
information.
 Corporate Social Responsibility Risk: Requirements for social involvement and investment that
diverts time and other resources from the organization's primary activities.
 Mobility risk: Dynamics that change the preferences of workers and customers to work and live in
ways that support the organization's needs and products.

Risk assessment requires management to consider the impact of possible changes in the external
environment and within their own business model that could make internal control ineffective. This
includes clearly articulating objectives relating to operations, reporting, and compliance so that any risks
to those objectives can be identified and assessed. It also requires assessing the suitability of the objectives
themselves, since effectiveness relates to the achievement of objectives and the degree to which they are
achieved.

Effects of Risk

 Loss of assets
 Negative publicity
 Erroneous decisions
 Customer dissatisfaction
 Fraudulent financial or operational reporting
 Erroneous record keeping and accounting
 Noncompliance with rules and regulations
 Purchase of resources uneconomically
 Failure to accomplish established goals

ENTERPRISE RISK MANAGEMENT (ERM)


According to COSO, Enterprise Risk Management (ERM) is the culture, capabilities, and practices,
integrated with strategy-setting and performance, that organizations rely on to manage risk in creating,
preserving, and realizing value.

A more in-depth look at the definition of enterprise risk management emphasizes its focus on managing
risk through:

 Recognizing culture.
 Developing capabilities.
 Applying practices.
 Integrating with strategy-setting and performance.
 Managing risk to strategy and business objectives.
 Linking to value.

This enterprise risk management framework is geared to achieving an entity's objectives, set forth in four
categories:

 Strategic - high-level goals, aligned with and supporting its mission.
 Operations - effective and efficient use of its resources.
 Reporting - reliability of reporting.
 Compliance - compliance with applicable laws and regulations.
The Framework itself is a set of principles organized into five interrelated components:
1. Governance and Culture: Governance sets the organization's tone, reinforcing the importance of,
and establishing oversight responsibilities for, enterprise risk management. Culture pertains to
ethical values, desired behaviors, and understanding of risk in the entity.
2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work
together in the strategic-planning process. A risk appetite is established and aligned with strategy;
business objectives put strategy into practice while serving as a basis for identifying, assessing,
and responding to risk.
3. Performance: Risks that may impact the achievement of strategy and business objectives need to
be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The
organization then selects risk responses and takes a portfolio view of the amount of risk it has
assumed. The results of this process are reported to key risk stakeholders.
4. Review and Revision: By reviewing entity performance, an organization can consider how well
the enterprise risk management components are functioning over time and in light of substantial
changes, and what revisions are needed.
5. Information, Communication, and Reporting: Enterprise risk management requires a continual
process of obtaining and sharing necessary information, from both internal and external sources,
which flows up, down, and across the organization.

ERM uses an iterative process. Just because an organization has issued risk reports doesn't mean the work
is finished. With information about risk treatments and processes in hand, a review and refinement of
governance, strategy, and risk management processes can and should take place.

RISK MANAGEMENT PROCESS (per ISO 31000:2018)


The risk management process involves the systematic application of policies, procedures and practices to
the activities of communicating and consulting, establishing the context, and assessing, treating,
monitoring, reviewing, recording and reporting risk. This process is illustrated in the figure below, per ISO
31000:2018.

The risk management process should be an integral part of management and decision-making and
integrated into the structure, operations, and processes of the organization. It can be applied at strategic,
operational, program or project levels.

There can be many applications of the risk management process within an organization, customized to
achieve objectives and to suit the external and internal context in which they are applied. The dynamic
and variable nature of human behavior and culture should be considered throughout the risk management
process. Although the risk management process is often presented as sequential, in practice it is iterative.

Communication and consultation


The purpose of communication and consultation is to assist relevant stakeholders in understanding risk,
the basis on which decisions are made and the reasons why particular actions are required.
Communication seeks to promote awareness and understanding of risk, whereas consultation involves
obtaining feedback and information to support decision-making. Close coordination between the two
should facilitate factual, timely, relevant, accurate and understandable exchange of information, taking
into account the confidentiality and integrity of information as well as the privacy rights of individuals.
Communication and consultation with appropriate external and internal stakeholders should take place
within and throughout all steps of the risk management process.
Communication and consultation aim to:
- bring different areas of expertise together for each step of the risk management process;
- ensure that different views are appropriately considered when defining risk criteria and when
evaluating risks;
- provide sufficient information to facilitate risk oversight and decision-making;
- build a sense of inclusiveness and ownership among those affected by risk.

Scope, context, and criteria


The purpose of establishing the scope, the context and criteria is to customize the risk management
process, enabling effective risk assessment and appropriate risk treatment. Scope, context and criteria
involve defining the scope of the process, and understanding the external and internal context.
a. Defining the scope
The organization should define the scope of its risk management activities.
As the risk management process may be applied at different levels (e.g. strategic, operational,
programme, project, or other activities), it is important to be clear about the scope under consideration,
the relevant objectives to be considered and their alignment with organizational objectives.
When planning the approach, considerations include:
- objectives and decisions that need to be made;
- outcomes expected from the steps to be taken in the process;
- time, location, specific inclusions and exclusions;
- appropriate risk assessment tools and techniques;
- resources required, responsibilities and records to be kept;
- relationships with other projects, processes and activities.

b. External and internal context


The external and internal context is the environment in which the organization seeks to define and
achieve its objectives.
The context of the risk management process should be established from the understanding of the external
and internal environment in which the organization operates and should reflect the specific environment
of the activity to which the risk management process is to be applied.
Understanding the context is important because:

- risk management takes place in the context of the objectives and activities of the organization;
- organizational factors can be a source of risk;
- the purpose and scope of the risk management process may be interrelated with the objectives of
the organization as a whole.

The organization should establish the external and internal context of the risk management process by
considering the factors mentioned in 5.4.1.
c. Defining risk criteria
The organization should specify the amount and type of risk that it may or may not take, relative to
objectives. It should also define criteria to evaluate the significance of risk and to support decision-
making processes. Risk criteria should be aligned with the risk management framework and customized
to the specific purpose and scope of the activity under consideration. Risk criteria should reflect the
organization's values, objectives and resources and be consistent with policies and statements about risk
management. The criteria should be defined taking into consideration the organization's obligations and
views of stakeholders.
While risk criteria should be established at the beginning of the risk assessment process, they are dynamic
and should be continually reviewed and amended, if necessary.
To set risk criteria, the following should be considered:
- the nature and type of uncertainties that can affect outcomes and objectives (both tangible and
intangible);
- how consequences (both positive and negative) and likelihood will be defined and measured;
- time-related factors;
- consistency in the use of measurements;
- how the level of risk is to be determined;
- how combinations and sequences of multiple risks will be taken into account;
- the organization's capacity.

Risk assessment
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.
Risk assessment should be conducted systematically, iteratively and collaboratively, drawing on the
knowledge and views of stakeholders. It should use the best available information, supplemented by
further enquiry as necessary.

a. Risk identification
The purpose of risk identification is to find, recognize and describe risks that might help or prevent an
organization achieving its objectives. Relevant, appropriate and up-to-date information is important in
identifying
The organization can use a range of techniques for identifying uncertainties that may affect one or more
objectives. The following factors, and the relationship between these factors, should be considered:
- tangible and intangible sources of risk;
- causes and events;
- threats and opportunities;
- vulnerabilities and capabilities;
- changes in the external and internal context;
- indicators of emerging risks;
- the nature and value of assets and resources;
- consequences and their impact on objectives;
- limitations of knowledge and reliability of information;
- time-related factors;
- biases, assumptions and beliefs of those involved.

The organization should identify risks, whether or not their sources are under its control. Consideration
should be given that there may be more than one type of outcome, which may result in a variety of
tangible or intangible consequences.

b. Risk analysis
The purpose of risk analysis is to comprehend the nature of risk and its characteristics including, where
appropriate, the level of risk. Risk analysis involves detailed consideration of uncertainties, risk sources,
consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple
causes and consequences and can affect multiple objectives.

Risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose
of the analysis, the availability and reliability of information, and the resources available. Analysis
techniques can be qualitative, quantitative or a combination of these, depending on the circumstances and
intended use.
Risk analysis should consider factors such as:
- the likelihood of events and consequences;
- the nature and magnitude of consequences;
- complexity and connectivity;
- time-related factors and volatility;
- the effectiveness of existing controls;
- sensitivity and confidence levels.
The risk analysis may be influenced by any divergence of opinions, biases, perceptions of risk and
judgements. Additional influences are the quality of the information used, the assumptions and exclusions
made, any limitations of the techniques and how they are executed. These influences should be
considered, documented and communicated to decision makers.
Highly uncertain events can be difficult to quantify. This can be an issue when analyzing events with
severe consequences. In such cases, using a combination of techniques generally provides greater insight.
Risk analysis provides an input to risk evaluation, to decisions on whether risk needs to be treated and
how, and on the most appropriate risk treatment strategy and methods. The results provide insight for
decisions, where choices are being made, and the options involve different types and levels of risk.

Imagine a simple case. An organization has a large amount of loose cash. The inherent risk is how much
damage would probably be done to the organization if the cash were carelessly left lying around in full
view and completely accessible to strangers. The gross risk is the risk that the organization is exposed to
after taking account of the active and passive controls that, fortuitously or by design, are in place. In
practice, when management and staff brainstorm about risk, they usually find it easier to conceptualize
about gross risk than about inherent risk as they naturally factor into their consideration what they know
about active and passive controls that are in place.

To start at the inherent risk position requires answering the question: "Imagine we had no active or
passive controls at all: what would we judge the scale of the threat to be, in terms of likelihood and
impact?" If we were then to plot the inherent risk on our graph, the figure below suggests the appropriate
control approach to concentrate upon in order to mitigate inherent risks most effectively.

A. An inherent risk judged to be within quadrant A of the graph is very likely to occur and to have a large
impact on the organization. Overlaid upon a judicious application of the control approaches appropriate to
the mitigation of inherent risks plotted within the other quadrants of the graph, there must be constant attention
to the mitigation of this threat by top management, with review by the board.
B. An inherent risk within quadrant B is not very likely to occur but will have a large impact on the
organization were it to occur. There are alternative control approaches here. The organization may seek to
terminate this risk, for instance by having duplicate data centers in different geographic regions, so that a
physical disaster or a withdrawal of staff at one location will enable essential data processing to continue
at the other location. Alternatively, or additionally, the organization may develop and test a contingency
plan, thereby putting in place the exceptional measures that will be followed contingent upon the threat
materializing.
C. An inherent risk plotted as being within quadrant C is one that is very likely to occur, perhaps
repeatedly, in the absence of measures to mitigate the risk, but is unlikely to have a large impact on the
business. An example might be invoicing with incorrect unit prices. Clearly it is necessary to get these
things right first time, and so organizations largely depend on control procedures (what COSO calls
"control activities") to achieve this.

D. A risk in quadrant D has been judged not very likely to occur and of no great likely significance if it
does. It is likely to be enough to develop and apply monitoring measures which are largely intended to
check that the threat remains within this quadrant and so does not require other mitigation approaches to
contain the threat. Monitoring may be a matter of management reviewing exception reports, of software
monitoring exceptions and trends over time, of the compliance function reviewing processes and outturns,
and so on.
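The quadrant graph and the inherent versus gross positions described above, worked through as an added Python example (not code from the chapter, COSO or ISO 31000). The 1-to-5 scale, the quadrant thresholds, the points each control removes, the tolerance of 6 and the register entries are all assumptions constructed for illustration; the register reuses the page's own cases (loose cash, a data centre disaster, incorrect invoice prices), and the final step shows the iterative treatment loop of adding controls until the remaining risk is acceptable.

```python
from dataclasses import dataclass, field

# Likelihood and impact are scored 1 (lowest) to 5 (highest). The page gives no
# numeric scale, so these thresholds are an assumption of this example.
HIGH_LIKELIHOOD = 3
HIGH_IMPACT = 3

# Control approach the text associates with each quadrant of the graph.
APPROACH = {
    "A": "constant top-management attention, reviewed by the board",
    "B": "terminate the risk (e.g. duplicate sites) and/or a tested contingency plan",
    "C": "control activities to get it right first time",
    "D": "monitoring: exception reports, trend monitoring, compliance review",
}


@dataclass
class Control:
    """An active or passive control and how many points it removes (assumed)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: int  # inherent likelihood, i.e. assuming no controls at all
    impact: int      # inherent impact, i.e. assuming no controls at all
    controls: list = field(default_factory=list)


def quadrant(likelihood: int, impact: int) -> str:
    """Place a (likelihood, impact) point in quadrant A, B, C or D."""
    high_l = likelihood >= HIGH_LIKELIHOOD
    high_i = impact >= HIGH_IMPACT
    if high_l and high_i:
        return "A"   # very likely, large impact
    if high_i:
        return "B"   # unlikely, but large impact if it occurs
    if high_l:
        return "C"   # likely, perhaps repeatedly, but small impact
    return "D"       # unlikely and of no great significance


def gross_risk(risk: Risk) -> tuple:
    """Position after taking account of the controls in place (the text's 'gross risk')."""
    l_cut = sum(c.likelihood_reduction for c in risk.controls)
    i_cut = sum(c.impact_reduction for c in risk.controls)
    return max(1, risk.likelihood - l_cut), max(1, risk.impact - i_cut)


def assess(risk: Risk, tolerance: int) -> dict:
    """Compare the inherent and gross positions and test the gross risk against a
    risk criterion: likelihood x impact must not exceed `tolerance` (assumed form)."""
    inherent_q = quadrant(risk.likelihood, risk.impact)
    g_l, g_i = gross_risk(risk)
    return {
        "risk": risk.name,
        "inherent_quadrant": inherent_q,
        "approach": APPROACH[inherent_q],
        "gross": (g_l, g_i),
        "gross_quadrant": quadrant(g_l, g_i),
        "acceptable": g_l * g_i <= tolerance,
    }


def treat_until_acceptable(risk: Risk, candidates: list, tolerance: int) -> list:
    """Iterative treatment: add candidate controls one at a time until the
    remaining risk is within tolerance. Returns the names of controls added."""
    added = []
    for control in candidates:
        if assess(risk, tolerance)["acceptable"]:
            break
        risk.controls.append(control)
        added.append(control.name)
    return added


# Constructed register based on the page's own illustrations (not real data).
LOOSE_CASH = Risk("Loose cash accessible to strangers", likelihood=5, impact=4,
                  controls=[Control("Daily cash count", 1, 1)])
DATA_CENTRE = Risk("Physical disaster at the data centre", likelihood=1, impact=5,
                   controls=[Control("Duplicate data centre in another region", 0, 3)])
INVOICING = Risk("Invoicing with incorrect unit prices", likelihood=4, impact=2,
                 controls=[Control("Price master-file validation", 2, 0)])

if __name__ == "__main__":
    for r in (LOOSE_CASH, DATA_CENTRE, INVOICING):
        print(assess(r, tolerance=6))
    # Loose cash is still in quadrant A after the daily count alone, so treat further.
    added = treat_until_acceptable(
        LOOSE_CASH, [Control("Safe with dual custody", 3, 1)], tolerance=6)
    print("further treatment:", added, "->", assess(LOOSE_CASH, 6)["gross"])
```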

c. Risk evaluation
The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of
the risk analysis with the established risk criteria to determine where additional action is required. This
can lead to a decision to:
- do nothing further;
- consider risk treatment options;
- undertake further analysis to better understand the risk;
- maintain existing controls;
- reconsider objectives.
Decisions should take account of the wider context and the actual and perceived consequences to external
and internal stakeholders.
The outcome of risk evaluation should be recorded, communicated and then validated at appropriate
levels of the organization.

Risk treatment
The purpose of risk treatment is to select and implement options for addressing risk.
Risk treatment involves an iterative process of:
- formulating and selecting risk treatment options;
- planning and implementing risk treatment;
- assessing the effectiveness of that treatment;
- deciding whether the remaining risk is acceptable;
- if not acceptable, taking further treatment.

a. Selection of risk treatment options


Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in
relation to the achievement of the objectives against costs, effort or disadvantages of implementation.
Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. Options
for treating risk may involve one or more of the following:
- avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- taking or increasing the risk in order to pursue an opportunity;
- removing the risk source;
- changing the likelihood;
- changing the consequences;
- sharing the risk (e.g., through contracts, buying insurance);
- retaining the risk by informed decision.
Justification for risk treatment is broader than solely economic considerations and should take into
account all of the organization's obligations, voluntary commitments and stakeholder views. The selection
of risk treatment options should be made in accordance with the organization's objectives, risk criteria and
available resources.
When selecting risk treatment options, the organization should consider the values, perceptions and
potential involvement of stakeholders and the most appropriate ways to communicate and consult with
them. Even where they are equally effective, some risk treatments can be more acceptable to some
stakeholders than to others.
Risk treatments, even if carefully designed and implemented, might not produce the expected outcomes
and could produce unintended consequences. Monitoring and review need to be an integral part of the risk
treatment implementation to give assurance that the different forms of treatment become and remain
effective.
Risk treatment can also introduce new risks that need to be managed. If there are no treatment options
available or if treatment options do not sufficiently modify the risk, the risk should be recorded and kept
under ongoing review. Decision makers and other stakeholders should be aware of the nature and extent
of the remaining risk after risk treatment. The remaining risk should be documented and subjected to
monitoring, review and, where appropriate, further treatment.
b. Preparing and implementing risk treatment plans
The purpose of risk treatment plans is to specify how the chosen treatment options will be implemented,
so that arrangements are understood by those involved, and progress against the plan can be monitored.
The treatment plan should clearly identify the order in which risk treatment should be implemented.
Treatment plans should be integrated into the management plans and processes of the organization, in
consultation with appropriate stakeholders.
The information provided in the treatment plan should include:
- the rationale for selection of the treatment options, including the expected benefits to be gained;
- those who are accountable and responsible for approving and implementing the plan;
- the proposed actions;
- the resources required, including contingencies;
- the performance measures;
- the constraints;
- the required reporting and monitoring;
- when actions are expected to be undertaken and completed.

Monitoring and review


The purpose of monitoring and review is to assure and improve the quality and effectiveness of process
design, implementation and outcomes. Ongoing monitoring and periodic review of the risk management
process and its outcomes should be a planned part of the risk management process, with responsibilities
clearly defined.
Monitoring and review should take place in all stages of the process. Monitoring and review includes
planning, gathering and analysing information, recording results and providing feedback. The results of
monitoring and review should be incorporated throughout the organization's performance management,
measurement and reporting activities.

Recording and reporting


The risk management process and its outcomes should be documented and reported through appropriate
mechanisms. Recording and reporting aims to:

- communicate risk management activities and outcomes across the organization;
- provide information for decision-making;
- improve risk management activities;
- assist interaction with stakeholders, including those with responsibility and accountability for
risk management activities.

Decisions concerning the creation, retention and handling of documented information should take into
account, but not be limited to: their use, information sensitivity and the external and internal context.
Reporting is an integral part of the organization's governance and should enhance the quality of dialogue
with stakeholders and support top management and oversight bodies in meeting their responsibilities.
Factors to consider for reporting include, but are not limited to:
- differing stakeholders and their specific information needs and requirements;
- cost, frequency and timeliness of reporting;
- method of reporting;
- relevance of information to organizational objectives and decision-making.

THE SCOPE OF INTERNAL AUDIT'S ROLE IN RISK MANAGEMENT


Management is responsible for carrying out all activities of an organization, including ERM. In fact,
management is responsible for aspects of all five components of ERM. However, these responsibilities
will vary, depending on the level in the organization and the organization's characteristics.

Note that the IIA Standards extend the internal audit remit beyond providing assurance on risk management
processes to an internal audit responsibility to evaluate all sorts of risk exposures facing the organization.
The implication is that internal audit must advise the board and management on the adequacy of risk
management processes, and also draw their attention to significant risks that, in internal audit's estimation,
they may be overlooking or focusing upon inadequately. There is a range of enterprise risk management
activities, some of which fit into the internal auditor's assurance role and others into their consulting role,
while others are the responsibility of management and should not be undertaken by internal audit. The
figure below provides a useful summary of the position. This diagram is taken from "Position Statement:
The Role of Internal Audit in Enterprise-wide Risk Management", reproduced with the permission of the
Institute of Internal Auditors - UK and Ireland.

Management and the board are responsible for their organization's risk management and control
processes. However, internal auditors acting in a consulting role may be asked to assist the organization
in identifying, evaluating, and implementing risk management methodologies and controls to address
those risks. In situations where the organization does not have formal risk management processes, the
CAE should formally discuss with management and the board their obligations to understand, manage,
and monitor risks within the organization and the need to satisfy themselves that there are processes
operating within the organization, even if informal, that provide the appropriate level of visibility into the
key risks and how they are being managed and monitored. The CAE should obtain an understanding of
senior management and the board's expectations of the internal audit function in the organization's risk
management process. This understanding should be codified in the internal audit charter, or some other
formal way.

Ultimately, it is the role of senior management and the board to determine the role of internal audit in the
risk management process. Their view on the internal audit function's role is likely to be determined by
factors such as the culture of the organization, ability of the internal audit staff, and local conditions and
customs of the country. However, taking on management's responsibility regarding the risk management
process and the potential threat to the internal audit function's objectivity requires a full discussion and
board approval.

In summary, it is important for the CAE to bring the lack of a risk management process to management's
attention along with suggestions for establishing such a process. If requested, internal auditors can play a
proactive role in assisting with the initial establishment of a risk management process for the
organization. A more proactive role supplements traditional assurance activities with a consultative
approach to improving fundamental processes. If such assistance exceeds normal assurance and
consulting activities conducted by internal auditors, objectivity could be impaired. In these situations,
internal auditors should comply with the disclosure requirements of the Standards.

Control Objectives for Risk Management Processes


a. Organizational objectives support and align with the organization's mission
b. Significant risks are identified and assessed
c. Appropriate risk responses are selected that align risks with the organization's risk appetite
d. Relevant risk information is captured and communicated in a timely manner across the organization,
enabling staff, management, and the board to carry out their responsibilities.

RISK MANAGEMENT CHALLENGES


We end this chapter by pointing out some of the limitations of risk management as practiced by most
organizations today.
1. Major Risks that are Concealed
Major risks that organizations are exposed to may not be on top management's radar screen. Top
management may tend to be focused on achieving their goals to the extent of being blind to the
unanticipated consequences of their policies. Major risks in effect may be buried in the woodwork of the
organization, like a woodworm invisibly weakening the organization. It is possible that some staff, even
some with management responsibilities, may be aware of the problems but do not consider that they are
responsible for doing anything about them.
A risk-based approach to audit planning should not mean that the internal audit activity only undertakes
audits of business processes that are considered (by the board, top management, and the chief audit
executive) to be of high risk. A proportion of internal audit time should be allocated to undertake audits of
areas of the business not perceived to represent significant risk, in case there are concealed risks in those
parts of the organization.

2. The Extra Risks of Less Democratic Organizations


Hierarchically organized businesses, and those with more of a command culture than a participative
culture, are less likely to ventilate their problems. If staff find they are penalized for being frank about
weaknesses, then they will not be frank. Clearly the culture of the organization can, of itself, pose a threat
to the organization.

3. Multiple Simultaneous Risks Materializing


When organizations fail or almost fail it is often because several threats come to fruition at the same time.
These threats may or may not be independent of each other. In most organizations, risk management is
inadequate to identify and assess the risk of multiple simultaneous failures. The techniques of risk
management, including those discussed in this chapter, would become too complex to use, understand and
rely upon if they were adapted to accommodate the risk of multiple simultaneous failures. But the human
mind can almost intuitively process the complexity of such scenarios quite well. Every organization
should consider what risks it faces that more than one untoward event might happen at the same time,
what those events might be, and whether the organization has in place what will be needed to manage a
way through the multiple crises, should this occur.

4. Opportunities as well as Threats


We should note that this chapter's discussion of risk management has been in the context of threats to the
business which must be identified, assessed and responded to. We should not overlook that the tools of
risk management can and should be applied to opportunities as well as to threats. Organizations should
seek to identify what might happen in the future which could offer an opportunity to an organization if
that organization was positioned to exploit that opportunity at the time, notwithstanding that it might not
be within the organization's business plan. Consideration should be given to advance development of the
capability to exploit such an opportunity should it occur. Any opportunity missed can be interpreted as a
threat that has not been avoided.

5. Too Risk Averse?

Finally, we should not be too risk averse. Profit is the reward for taking risk. Drucker (1977) put it this way:
"The main goal of management science must be to enable business to take the right risk. Indeed, it must
be to enable business to take greater risks: by providing knowledge and understanding of alternative risks
and alternative expectations; by identifying the resources and efforts needed for desired results; by
mobilizing energies for contribution; and by measuring results against expectations; thereby providing
means for early correction of wrong or inadequate decisions. All this may sound like mere quibbling over
terms. Yet the terminology of risk minimization does induce a hostility to risk-taking and risk-making,
that is, to business enterprise."

COSO takes a more cautious view:


"No entity operates in a risk-free environment, and enterprise risk management does not seek to move
towards such an environment. Rather, enterprise risk management enables management to operate more
effectively in environments filled with risk."

Discussion Questions
1. How does COSO define internal control?
2. What are objectives? What three categories of objectives are set forth in the COSO framework?
3. What are the five components of internal control covered in the COSO framework?
4. What does the control environment comprise?
5. What does risk assessment involve?
6. What are control activities? What types of control activities are present in a well-designed system
of internal controls?
7. What is high-quality information? Why must high-quality information be communicated?
8. When are monitoring activities most effective? Who performs monitoring activities? What
distinguishes separate evaluations from ongoing monitoring activities?
9. How does the internal auditors' perspective of internal control differ from management's perspective?
10. What are the two common factors used when assessing risks?
11. How does COSO define risk? How does ISO define risk?
12. What are the five COSO ERM components?
13. How does COSO define risk appetite?
14. What are some ERM assurance activities the internal audit function may perform? What are some
ERM consulting activities the internal audit function may perform if appropriate safeguards are
implemented? What ERM activities should the internal audit function not perform?
15. What are COSO's five categories of risk response?
Multiple Choice Questions
1. Which of the following is not one of the three primary objectives of effective internal control?
Reliability of financial reporting.
Efficiency and effectiveness of operations.
Compliance with laws and regulations.
Assurance of elimination of business risk.

2. Which of the following are considered control environment elements?

   Commitment to Competence | Detection Risk | Organizational Structure
   No                       | Yes            | No
   Yes                      | Yes            | Yes
   Yes                      | No             | Yes
   No                       | No             | Yes

3. Which of the following statements concerning the relevance of various types of controls to a financial
statement audit is correct?
All controls are ordinarily relevant to a financial statement audit.
Controls over safeguarding of assets and liabilities are of primary importance, while controls over the
reliability of financial reporting may also be relevant.
Controls over the reliability of financial reporting are ordinarily most directly relevant to a financial
statement audit, but other controls may also be relevant.
An auditor may ordinarily ignore a consideration of controls when a substantive audit approach is
taken.

4. An auditor should consider two key issues when obtaining an understanding of internal controls.
These issues are
The effectiveness and efficiency of the controls.
The frequency and effectiveness of the controls.
The design and implementation of the controls.
The implementation and efficiency of the controls.

5. Authorizations can be either general or specific. Which of the following is not an example of a general
authorization?
Automatic reorder points for raw materials inventory.
A sales manager's authorization for a sales return.
Credit limits for various classes of transactions.
A sales price list for merchandise.

6. An auditor should obtain sufficient knowledge of an entity's information system, including the related
business processes relevant to financial reporting, to understand the
Policies used to detect the concealment of fraud.
Process used to prepare significant accounting estimates.
Safeguards used to limit access to computer facilities.
Procedures used to assure proper authorization of transactions.

7. Which of the following controls most likely would provide reasonable assurance that all credit sales
transactions of an entity are recorded?
The accounting department supervisor controls the mailing of monthly statements to customers and
investigates any differences reported by customers.
The accounting department supervisor independently reconciles, on a monthly basis, the accounts
receivable subsidiary ledger to the accounts receivable control account.
The billing department supervisor matches prenumbered shipping documents with entries in the sales
journal.
The billing department supervisor sends copies of approved sales orders to the credit department for
comparison to authorized credit limits and current customer account balances.

8. Physical control used to minimize incompatible functions at work refers to


Segregation of Duties
Accounting Records
Supervision
Independent Verification

9. Physical control used to capture the economic essence of transactions and provide an audit trail of
economic events refers to
Segregation of Duties
Accounting Records
Supervision
Access Control

10. Auditors assessing the integrity of the organization's management and using investigative agencies to
report on the backgrounds of key managers is one of the five components of the COSO framework.
Control environment
Risk assessment
Monitoring
Information and communication

11. The authorization of a transaction to ensure that all material transactions processed by the information
system are valid and in accordance with management's objectives is one of the five components of the
COSO Framework.
Control environment
Control activities
Monitoring
Information and communication

12. The classes of transactions that are material to the financial statements and how those transactions are
initiated is one of the five components of the COSO framework.
Control environment
Risk assessment
Control activities
Information and communication

13. A change in the organizational structure resulting in the reduction and/or reallocation of personnel
such that business operations and transaction processing are affected is one of the five components of the
COSO Framework.
Control environment
Risk assessment
Monitoring
Information and communication

14. Physical control used to ensure that only authorized personnel have access to the firm's assets refers to
Segregation of Duties
Accounting Records
Access control
Independent Verification

15. Every system of internal control has limitations on its effectiveness. These include
The concept that the company should establish and maintain a system of internal control.
The possibility of error: no system is perfect.
Circumvention: personnel may circumvent the system through collusion.
B and C only.

16. In the COSO enterprise risk management framework, an organization's overall tone relates most
closely to:
Internal environment
Objective setting
Event identification
Monitoring

17. Miguel and Rafaela were developing a risk management plan for their company following the COSO
framework. One of the company's goals is to have sufficient cash available for operations; that goal had
been difficult to achieve due to seasonal fluctuations in sales. To reduce that risk, Miguel and Rafaela
recommended their company invest some cash in short-term securities that could be liquidated quickly
and easily. Which element of the COSO framework is most related to their recommendation?
Internal environment
Monitoring
Control activities
Risk response

18. In a conversation about risk management, Miguel and Rafaela produced a ranked list of their
company's risk exposures. The ranked list is most closely related to which element of the COSO
framework?
Information and communication
Risk assessment
Risk response
Monitoring

19. COSO has published integrated frameworks for both internal control and for enterprise risk
management. Which of the following statements about the frameworks is most true?
The internal control framework is more useful than the enterprise risk management framework.
The enterprise risk management framework is more useful than the internal control framework.
Management attitudes are an element of both frameworks.
Both frameworks are required.

20. Which of the following best pairs an element of the COSO enterprise risk management framework
with an example of that element?
Objective setting, determining which elements of the COSO framework to use
Event identification, identifying needed internal controls
Risk assessment, annual management retreats focused on the ERM plan
Risk response, diversifying risk by expanding internationally

21. One of the steps in the generalized model of business process management discussed in the text
focuses on collecting process-related data. If Laurie and Milton are concerned about the risks created by
inefficiency in the company's current fixed asset purchasing process, they could collect data related to: I.
the average length of time between an order for a fixed asset and its delivery, II. the costs incurred in the
fixed asset purchasing process.
I only
II only
Both I and II
Neither I nor II
Case Analyses
Case 1 (Risk Assessment) You are the Chief Executive Officer of a large USA multinational company
operating in the energy sector. Your company has operations in 23 different countries, some of which are
developing economies, and it has raised debt finance, as well as equity finance, in 17 of these countries.
You are aware that there have been protests from environmental lobby groups in several areas regarding
oil pipelines. There have also been demonstrations about the impact of operations on local communities.

Your company has an internal audit committee, an audit committee, and a reasonably well-developed
system of internal control loosely structured around the Turnbull Report's recommendations. However,
the board has decided that perhaps it should form a new committee, a 'risk committee', which will deal
with risk management and internal control specifically.

Requirement:
Accordingly, the board has asked you to prepare a memo which summarizes the main risks facing the
business at present, and the relative importance of these risks to the business, to highlight where the
primary exposures are likely to be.

Case 2 (Control Environment) Raiza Motors Company, a diversified manufacturer, has five divisions
that operate throughout Singapore and Australia. Raiza Motors has historically allowed its divisions to
operate autonomously. Corporate intervention occurred only when planned results were not obtained.
Corporate management has high integrity, but the board of directors and audit committee are not very
active. Raiza Motors has a policy of hiring competent people. The company has a code of conduct, but
there is little monitoring of compliance by employees. Management is fairly conservative in terms of
accounting principles and practices, but employee compensation packages depend highly on performance.
Raiza Motors Company does not have an internal audit department, and it relies on your firm to review
the controls in each division.

Don Gisean is the general manager of the Fabricator Division. The Fabricator Division produces a variety
of standardized parts for small appliances. Gisean has been the general manager for the last seven years,
and each year he has been able to improve the profitability of the division. He is compensated based
largely on the division's profitability. Much of the improvement in profitability has come through
aggressive cost cutting, including a substantial reduction in control activities over inventory.

During the last year, a new competitor has entered Fabricator's markets and has offered substantial price
reductions in order to grab market share. Gisean has responded to the competitor's actions by matching
the price cuts in the hope of maintaining market share. Gisean is very concerned because he cannot see
any other areas where costs can be reduced so that the division's growth and profitability can be
maintained. If profitability is not maintained, his salary and bonus will be reduced.
Gisean has decided that one way to make the division more profitable is to manipulate inventory because
it represents a large amount of the division's balance sheet. He also knows that controls over inventory are
weak. He views this inventory manipulation as a short-run solution to the profit decline due to the
competitor's price cutting. Gisean is certain that once the competitor stops cutting prices or goes bankrupt,
the misstatements in inventory can be corrected with little impact on the bottom line.

Requirements:
a. Evaluate the strengths and weaknesses of Raiza Motors Company's control environment.
b. What factors in Raiza Motors Company's control environment have led to and facilitated Gisean's
manipulation of inventory?

Case 3 (Control Activities) A company's accountant was able to approve payment of invoices and write
company checks to a family member, with whom the accountant would split the proceeds. The accountant
covered up the theft with journal entries in the accounting information system.

Requirement:
Which duties should be separated to prevent such problems in the future?

Case 4 (Internal Controls and Risk Management) Payswell Company, a small manufacturer, has been
in business for 10 years. Senior management is thinking about outsourcing the company's payroll process.

Requirements:
a. What are three important objectives of a payroll process?
b. What are the key risks that threaten the achievement of those objectives?
c. What are the potential benefits of outsourcing the payroll process?
d. What new risks may arise if the process is outsourced?
e. How should Payswell's management:
1. Identify the key controls over the outsourced payroll process?
2. Determine whether those controls are designed adequately and operating effectively?
