“Risks” as in Internal Audit

Risk is defined as ‘the possibility of an event occurring that will have an impact on the achievement of objectives’. In simple words, risk management is concerned with positive and negative aspects of risk. Risk can have an adverse impact as well as can have potential benefit.

Content

Types of risks

Risk management framework

Steps in a Risk management framework

Different frameworks for risk management

17 principles of COSO framework’s effective internal control


Types of risks

There are three types of risks. These are as follows:

  1. Inherent risk
    This kind of risk cannot be detected by the entity’s internal controls. It can arise from the complexity of the client’s nature of business or transactions.
  2. Control risk
    This is the risk that potential material misstatements would not be prevented or detected by the client’s control system.
  3. Detection risk
    This is the risk that the audit procedures used are not capable of detecting a material misstatement.

Risk management framework

A risk management framework is a structured process that defines an organisation’s strategy for reducing or eliminating the impact of risks, as well as the mechanisms for effectively monitoring and evaluating that strategy.

Steps in a Risk management framework

  • Identification of potential threats
  • Measurement or analysis of threats
  • Mitigation
  • Reporting and monitoring
  • Governance

What are the different frameworks for risk management?

Some of the commonly used frameworks are as follows:

  • COSO: In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. The COSO model defines internal control as ‘a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories’:
    • Effectiveness and efficiency of operations
    • Reliability of financial reporting
    • Compliance with applicable laws and regulations

The five components of COSO are:

    • Control environment
    • Risk assessment
    • Information and communication
    • Monitoring activities
    • Control activities

The 17 principles of COSO framework’s effective internal control, grouped by internal control component, are:

Control environment
  1. Demonstrate commitment to integrity and ethical values
  2. Ensure that the board exercises oversight responsibility
  3. Establish structures, reporting lines, authorities and responsibilities
  4. Demonstrate commitment to a competent workforce
  5. Hold people accountable

Risk assessment
  6. Specify appropriate objectives
  7. Identify and analyse risks
  8. Evaluate fraud risks
  9. Identify and analyse changes that could significantly affect internal controls

Control activities
  10. Select and develop control activities that mitigate risks
  11. Select and develop technology controls
  12. Deploy control activities through policies and procedures

Information and communication
  13. Use relevant, quality information to support the internal control function
  14. Communicate internal control information internally
  15. Communicate internal control information externally

Monitoring
  16. Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
  17. Communicate internal control deficiencies

  • COCO:

Coco (Confidential Consortium) is an open source blockchain framework designed by Microsoft. Microsoft announced Coco in August 2017 in its whitepaper ‘Coco Framework Technical Overview’. Coco is not a standalone blockchain protocol like Bitcoin or Ethereum; rather, it provides a platform for building trusted networks using any of the existing protocols.

The Coco framework outlines the criteria for effective controls in the following four areas:

  • Purpose
  • Commitment
  • Capability
  • Monitoring and learning

  • COBIT:

COBIT is an acronym for “Control Objectives for Information and Related Technologies”. This is the only business framework for the governance and management of enterprise IT, developed by ISACA (Information Systems Audit and Control Association) and launched in April 2012.

Principles of COBIT:

  • Meeting stakeholder needs
  • Covering the enterprise end to end
  • Applying a single integrated framework
  • Enabling a holistic approach
  • Separating governance from management

The main focus areas of COBIT are:

  • Planning and organizing
  • Delivery and support
  • Acquiring and implementing
  • Monitoring and evaluating