{"id":154,"date":"2020-09-14T11:58:29","date_gmt":"2020-09-14T11:58:29","guid":{"rendered":"https:\/\/pkchopra.com\/blog\/?p=154"},"modified":"2024-03-12T10:16:47","modified_gmt":"2024-03-12T10:16:47","slug":"risks-as-internal-audit","status":"publish","type":"post","link":"https:\/\/pkchopra.com\/blog\/index.php\/risks-as-internal-audit\/","title":{"rendered":"\u201cRisks\u201d as in Internal Audit"},"content":{"rendered":"<p><strong>Risk<\/strong>-based internal audit is an internal audit methodology that focuses primarily on the inherent risks in an activity or system and provides assurance that management is managing those risks within the defined risk appetite.<\/p>\n<p><strong>Risk<\/strong> is defined as \u201cthe possibility of an event occurring that will have an impact on the achievement of objectives\u201d. In general, risk management is concerned with both the positive and the negative aspects of risk: an event can have an adverse impact (downside risk) or a potential benefit (upside risk). Risk management can be applied holistically across the organisation and also to specific activities, from the strategic level to the operational.<\/p>\n<p><img loading=\"lazy\" class=\"size-full wp-image-157 aligncenter\" src=\"https:\/\/pkchopra.com\/blog\/wp-content\/uploads\/2020\/09\/Untitled-6.png\" alt=\"\" width=\"607\" height=\"312\" srcset=\"https:\/\/pkchopra.com\/blog\/wp-content\/uploads\/2020\/09\/Untitled-6.png 607w, https:\/\/pkchopra.com\/blog\/wp-content\/uploads\/2020\/09\/Untitled-6-300x154.png 300w\" sizes=\"(max-width: 607px) 100vw, 607px\" \/><\/p>\n<p><strong>Types of Risks:<\/strong><br \/>\n\u2666 Inherent risk<br \/>\n\u2666 Control risk<br \/>\n\u2666 Detection risk<\/p>\n<p>Together these three make up the audit risk model: overall audit risk is the product of inherent risk, control risk and detection risk, so a high assessed inherent or control risk must be offset by more audit work to keep detection risk low.<\/p>\n<p><strong>Inherent risk:<\/strong> The susceptibility of an activity, account or system to material misstatement before any of the entity\u2019s internal controls are taken into account. 
This risk arises from factors such as the complexity of the client\u2019s business or transactions and exists regardless of the controls in place.<\/p>\n<p><strong>Control risk:<\/strong> The risk that a material misstatement would not be prevented, or detected and corrected on a timely basis, by the client\u2019s internal control system.<\/p>\n<p><strong>Detection risk:<\/strong> The risk that the audit procedures performed fail to detect a material misstatement that exists. It is the only component the auditor controls directly, by adjusting the nature, timing and extent of audit procedures.<\/p>\n<h2><strong>Risk Management Framework<\/strong><\/h2>\n<p>A risk management framework (RMF) is a structured process for defining an organisation\u2019s strategy for eliminating or minimising the impact of risks, together with the mechanisms for monitoring and evaluating that strategy.<\/p>\n<h2><strong>Steps in a Risk Management Framework (RMF)<\/strong><\/h2>\n<p>\u21d2 <strong>Step 1<\/strong> Identification (Identify potential threats and the risks they pose)<br \/>\n\u21d2 <strong>Step 2<\/strong> Measurement (Analyse each risk for likelihood and impact)<br \/>\n\u21d2 <strong>Step 3<\/strong> Mitigation (Define the strategy for eliminating or minimising the impact of each risk)<br \/>\n\u21d2 <strong>Step 4<\/strong> Reporting &amp; Monitoring (Decide on and apply mechanisms to monitor the risks and the mitigation strategy)<br \/>\n\u21d2 <strong>Step 5<\/strong> Governance (Assign ownership and oversight of the process)<\/p>\n<h2><strong>Risk Management Frameworks<\/strong><\/h2>\n<p>A number of frameworks are in use; brief descriptions of some of the commonly used ones are given below.<\/p>\n<p><strong>A. COSO<\/strong>: The COSO framework is one of the most widely accepted frameworks that organisations use to manage internal control and risk. COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. Its initial mission was to study fraudulent financial reporting and develop recommendations to prevent it. 
The framework is widely used in the United States and internationally.<\/p>\n<p>The original COSO Internal Control framework was published in 1992 and updated in 2013.<\/p>\n<p><strong>The 5 components of COSO are:<\/strong><\/p>\n<p>\u2013 control environment<br \/>\n\u2013 risk assessment<br \/>\n\u2013 control activities<br \/>\n\u2013 information and communication, and<br \/>\n\u2013 monitoring activities<\/p>\n<h2><strong>The 17 principles of effective internal control in the COSO framework are:<\/strong><\/h2>\n<table width=\"513\">\n<tbody>\n<tr>\n<td width=\"198\"><strong>Internal Control Component<\/strong><\/td>\n<td width=\"378\"><strong>Principles<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Control environment<\/td>\n<td width=\"378\">1. Demonstrate commitment to integrity and ethical values<br \/>\n2. Ensure that the board exercises oversight responsibility<br \/>\n3. Establish structures, reporting lines, authorities and responsibilities<br \/>\n4. Demonstrate commitment to a competent workforce<br \/>\n5. Hold people accountable<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Risk assessment<\/td>\n<td width=\"378\">6. Specify appropriate objectives<br \/>\n7. Identify and analyze risks<br \/>\n8. Evaluate fraud risks<br \/>\n9. Identify and analyze changes that could significantly affect internal controls<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Control activities<\/td>\n<td width=\"378\">10. Select and develop control activities that mitigate risks<br \/>\n11. Select and develop general controls over technology<br \/>\n12. Deploy control activities through policies and procedures<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Information and communication<\/td>\n<td width=\"378\">13. Use relevant, quality information to support the internal control function<br \/>\n14. Communicate internal control information internally<br \/>\n15. Communicate internal control information externally<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Monitoring<\/td>\n<td width=\"378\">16. 
Perform ongoing or separate evaluations of internal controls, or a combination of the two<br \/>\n17. Communicate internal control deficiencies<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>B. CoCo:<\/strong> The CoCo (Criteria of Control) framework was developed by the Canadian Institute of Chartered Accountants (CICA) in 1995. It builds on COSO, and some consider it more concrete and user-friendly. It sets out 20 control criteria that management can use to assess control, manage company performance and improve decision-making.<\/p>\n<p>The CoCo framework groups its criteria for effective control into the following four areas:<\/p>\n<ul>\n<li>Purpose<\/li>\n<li>Commitment<\/li>\n<li>Capability<\/li>\n<li>Monitoring and learning<\/li>\n<\/ul>\n<p><strong>C. COBIT: Stands for Control Objectives for Information and Related Technologies.<\/strong> This framework was created by ISACA (Information Systems Audit and Control Association) for IT governance and management. COBIT does not by itself guarantee the integrity of an information system; it provides a control model for governing and controlling the company\u2019s IT operations so that risk is reduced and IT is run in a disciplined, accountable manner. It helps managers bridge the gap between technical issues, control requirements and business risks.<\/p>\n<p><strong>The 5 principles of COBIT 5 are:<\/strong><\/p>\n<p>1. Meeting stakeholder needs<br \/>\n2. Covering the enterprise end to end<br \/>\n3. Applying a single integrated framework<br \/>\n4. Enabling a holistic approach<br \/>\n5. 
Separating governance from management<\/p>\n<p>The four process domains of COBIT 4.1 are:<\/p>\n<ul>\n<li>Plan and Organise<\/li>\n<li>Acquire and Implement<\/li>\n<li>Deliver and Support<\/li>\n<li>Monitor and Evaluate<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Risk-based internal audit is an internal audit methodology that focuses primarily on the inherent risks in an activity or system and provides assurance that management is managing those risks within the defined risk appetite. Risk is defined as \u201cthe possibility of an event occurring that will have an impact on the achievement &hellip;<\/p>\n","protected":false},"author":1,"featured_media":155,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":""},"categories":[3],"tags":[84,88,86,87,85],"_links":{"self":[{"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/154"}],"collection":[{"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=154"}],"version-history":[{"count":6,"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/154\/revisions"}],"predecessor-version":[{"id":207,"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/154\/revisions\/207"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/media\/155"}],"wp:attachment":[{"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=154"}],"wp:term"
:[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pkchopra.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}