“Risks” as in Internal Audit
Risk-based internal audit is an internal audit methodology that focuses primarily on the inherent risks involved in an activity or system and provides assurance that management is managing those risks within the defined risk appetite.
Risk is defined as ‘the possibility of an event occurring that will have an impact on the achievement of objectives’. In general, risk management is concerned with both the positive and negative aspects of risk: a risk can have an adverse impact (downside risk) or a potential benefit (upside risk). Risk management can be applied holistically or to specific activities, from the strategic level to the operational level.
Types of Risks:
♦ Inherent risk
♦ Control risk
♦ Detection risk
Inherent risk: The risk that cannot be prevented or detected by the entity’s internal controls. This risk can arise from the complexity of the client’s nature of business or transactions.
Control risk: The risk that potential material misstatements will not be prevented or detected by the client’s control system.
Detection risk: The risk that the audit procedures used are not capable of detecting a material misstatement.
Risk Management Framework
A risk management framework (RMF) is a structured process for defining an organisation’s strategy for eliminating or minimising the impact of risks, together with the mechanisms to effectively monitor and evaluate that strategy.
Steps in a Risk Management Framework (RMF)
⇒ Step 1 Identification (Identify potential threats (Risks))
⇒ Step 2 Measurement (Analyze Risks)
⇒ Step 3 Mitigation (Define the strategy for eliminating/ minimising impact of risks)
⇒ Step 4 Reporting & Monitoring (Decide on and apply mechanisms to effectively monitor and evaluate the strategy)
⇒ Step 5 Governance
Risk Management Frameworks
A number of frameworks are in use; a brief description of some of the commonly used ones is given below.
A. COSO: The COSO framework is one of two widely accepted risk management standards that organizations use to manage risks. COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. The initial mission of COSO was to study financial reporting and develop recommendations to prevent fraud. This framework is commonly used in the United States and around the world.
The original COSO framework was published in 1992 and later updated in 2013.
5 components of COSO are:
– control environment
– risk assessment
– information and communication
– monitoring activities, and
– existing control activities
The 17 principles of effective internal control in the COSO framework are:
| Internal Control Component | Principles |
| --- | --- |
| Control environment | 1. Demonstrate commitment to integrity and ethical values; 2. Ensure that the board exercises oversight responsibility; 3. Establish structures, reporting lines, authorities and responsibilities; 4. Demonstrate commitment to a competent workforce; 5. Hold people accountable |
| Risk assessment | 6. Specify appropriate objectives; 7. Identify and analyze risks; 8. Evaluate fraud risks; 9. Identify and analyze changes that could significantly affect internal controls |
| Control activities | 10. Select and develop control activities that mitigate risks; 11. Select and develop technology controls; 12. Deploy control activities through policies and procedures |
| Information and communication | 13. Use relevant, quality information to support the internal control function; 14. Communicate internal control information internally; 15. Communicate internal control information externally |
| Monitoring | 16. Perform ongoing or periodic evaluations of internal controls (or a combination of the two); 17. Communicate internal control deficiencies |
B. CoCo: The CoCo (Criteria of Control) framework was developed by the Canadian Institute of Chartered Accountants (CICA) in 1995. This model builds on COSO and is considered by some to be more concrete and user-friendly. The framework outlines 20 control criteria that management can use to manage company performance and improve its decision-making.
The CoCo framework outlines criteria for effective controls in the following four areas:
- Purpose
- Commitment
- Capability
- Monitoring and learning
C. COBIT: Stands for Control Objectives for Information and Related Technology. This framework was created by ISACA (Information Systems Audit and Control Association) for IT governance and management. The COBIT control model guarantees the integrity of the information system. It allows a company to control its IT operations so that risk is minimised and productivity is enhanced in a disciplined manner. It helps managers bridge the gap between technical issues, control requirements, and business risks.
The 5 principles of COBIT are:
1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
The main focus areas of COBIT are:
- Planning and Organizing
- Delivery and Support
- Acquiring and Implementation
- Monitoring and Evaluating