Risk assessment is an essential part of evaluating the effectiveness of an entity's internal control.
Risk assessment is one of the five components that make up internal control according to the COSO framework (Committee of Sponsoring Organizations of the Treadway Commission).
Overall rating. As with all the other components of the COSO framework, risk assessment should not be taken in isolation; it should be seen as one part of a whole.
COSO sees risk assessment as an exercise in identifying and analysing the risks to an entity achieving its objectives.
Risk assessment takes place at both the entity level and the business-process (activity) level. Management can set objectives based on critical success factors.
COSO lays down three categories of objectives: operations, compliance and financial reporting.
For Sarbanes-Oxley purposes, only the financial reporting category is relevant.
COSO defines financial reporting objectives as:
The preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases.
Managers need to identify risk. COSO does not promote any one methodology, except that whichever one is chosen must be comprehensive and consider all relevant factors, including:
* Personnel quality
* Changes to the business environment, e.g. regulation, competition etc.
* Past experience of failure to spot risk
* Distributed activities, particularly foreign operations
* The impact of an activity
* The complexity of an activity
Assess and manage risks. "Attack risk, otherwise it will attack you!" The mantra borrowed from Tom Gilb is apt here. Once a risk has been identified, management have to deal with it; hence risk management. Techniques include risk avoidance, risk transfer and risk mitigation. The alternative is simply to accept the risk and carry on.
Manage change. The time when an entity is most vulnerable to risk is during change. It is at this juncture that risk management meets change management. COSO draws special attention to certain aspects of change management.
These include changes to the operating environment (for example regulatory or competitive changes); new personnel, who will take over the activities of the people they replace; and new IT systems, which are themselves particularly prone to change.
Rapid growth, new technology and new products all add to the change management burden.
Restructurings and foreign operations are full of externally generated risk.