Understanding Risk and Internal Control

Sep 20, 2024

Risk and Internal Control

Understanding Risk

  • Definition of Risk: Unforeseen obstacles or events that prevent achieving organizational or personal objectives.
  • Examples of Risk:
    • Hacker Attack: Unauthorized access to a university's information system, altering grades.
    • Interest Rate Increase: Higher borrowing costs for firms.
    • Competitor Innovation: New technology threatening business viability.

Risk Management Overview

  • Risk Management Department: Responsible for regular risk assessments to identify vulnerabilities.
  • Risk Assessment: Identifying risks (A, B, C, etc.) and determining responses.

Five Responses to Risk

  1. Risk Acceptance: Acknowledging the risk and preparing to manage it.
  2. Risk Avoidance: Choosing not to engage in risky activities.
  3. Risk Sharing/Transfer: Sharing risk with insurance or partners.
  4. Risk Mitigation: Implementing controls to reduce impact of risk.
  5. Risk Exploitation: Actively seeking out risks to leverage potential benefits.

Internal Control Systems

  • Purpose: To mitigate risks through a system of checks and balances.
  • Components of Internal Control:
    • Reconciliations
    • Independent Checks
    • Verifications
    • Physical Observations

Cost vs. Benefit of Controls

  • Each control has a cost that must be weighed against its benefit. Example: the cost of employing auditors vs. the benefit of reduced risk.

Risk Quantification

  • Quantifying Risk: Assessing the severity of consequences and the probability of occurrence; expected loss is the probability multiplied by the loss amount.
    • Example Calculations:
      • 90% chance of a $10 million loss = Expected loss of $9 million.
      • 8% chance of a $200 million loss = Expected loss of $16 million.
      • 2% chance of a $30 billion loss = Expected loss of $600 million.
  • Decision Making: Prioritize controls for high-impact, low-probability risks.

Audit Risk Model (AICPA)

  • Types of Risk:
    • Inherent Risk: Risk in the nature of business or objectives (e.g., gold trading).
    • Control Risk: Risk that controls fail to prevent obstacles.
    • Detection Risk: Risk that obstacles are not detected before loss occurs.

Internal Control Foundations

  • Definition of Internal Control: A management-established system ensuring orderly operations, adherence to policies, safeguarding of assets, and accurate record-keeping.
  • Responsibility: Management designs and implements internal controls, overseen by the board of directors.

COSO Framework

  • Internal Control Objectives (ERC):
    • Efficient and Effective Operations
    • Reliable Financial Reporting
    • Compliance with Laws and Regulations
  • Five Components of Internal Control (CRIME):
    1. Control Environment: Foundation of internal control system.
    2. Risk Assessment: Identifying and analyzing risks.
    3. Control Activities: Policies and procedures to ensure directives are executed.
    4. Information and Communication: Ensuring stakeholders are informed of their roles.
    5. Monitoring: Ongoing assessment of internal control effectiveness.

Roles in Internal Control

  • Board of Directors: Oversees management, ensures fiduciary duties are upheld.
  • Management: Implements and monitors internal controls.
  • Internal Auditors: Assess the effectiveness of internal controls, report to the audit committee and CEO.
  • External Auditors: Conduct independent audits, report on financial statements and internal control systems.

Conclusion

  • Internal control is essential for managing risk and ensuring effective organizational operations. The COSO framework provides a structured approach to internal control, focusing on risk management and compliance.