Overview

Having established an effective control environment, management assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses. Management assesses the risks the entity faces from both external and internal sources.

Principles

6. Management should define objectives clearly to enable the identification of risks and define risk tolerances.


7. Management should identify, analyze, and respond to risks related to achieving the defined objectives.


8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.


9. Management should identify, analyze, and respond to significant changes that could impact the internal control system.

Principle 6 - Define Objectives and Risk Tolerances

6.1 Management should define objectives clearly to enable the identification of risks and define risk tolerances.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

• Definitions of Objectives


• Definitions of Risk Tolerances

Definitions of Objectives

6.2 Management defines objectives in specific and measurable terms to enable the design of internal control for related risks. Specific terms are fully and clearly set forth so they can be easily understood. Measurable terms allow for the assessment of performance toward achieving objectives. Objectives are initially set as part of the objective-setting process and then refined as they are incorporated into the internal control system when management uses them to establish the control environment.

6.3 Management defines objectives in specific terms so they are understood at all levels of the entity. This involves clearly defining what is to be achieved, who is to achieve it, how it will be achieved, and the time frames for achievement. All objectives can be broadly classified into one or more of three categories: operations, reporting, or compliance. Reporting objectives are further categorized as being either internal or external and financial or nonfinancial. Management defines objectives in alignment with the organization’s mission, strategic plan, and performance goals.

6.4 Management defines objectives in measurable terms so that performance toward achieving those objectives can be assessed. Measurable objectives are generally free of bias and do not require subjective judgments to dominate their measurement. Measurable objectives are also stated in a quantitative or qualitative form that permits reasonably consistent measurement.

6.5 Management considers external requirements and internal expectations when defining objectives to enable the design of internal control. Legislators, regulators, and standard-setting bodies set external requirements by establishing the laws, regulations, and standards with which the entity is required to comply. Management identifies, understands, and incorporates these requirements into the entity’s objectives. Management sets internal expectations and requirements through the established standards of conduct, oversight structure, organizational structure, and expectations of competence as part of the control environment.

6.6 Management evaluates and, if necessary, revises defined objectives so that they are consistent with these requirements and expectations. This consistency enables management to identify and analyze risks associated with achieving the defined objectives.

6.7 Management determines whether performance measures for the defined objectives are appropriate for evaluating the entity’s performance in achieving those objectives. For quantitative objectives, performance measures may be a targeted percentage or numerical value. For qualitative objectives, management may need to design performance measures that indicate a level or degree of performance, such as milestones.

Definitions of Risk Tolerances

6.8 Management defines risk tolerances for the defined objectives. Risk tolerance is the acceptable level of variation in performance relative to the achievement of objectives. Risk tolerances are initially set as part of the objective-setting process. Management defines the risk tolerances for defined objectives by ensuring that the set levels of variation for performance measures are appropriate for the design of an internal control system.

6.9 Management defines risk tolerances in specific and measurable terms so they are clearly stated and can be measured. Risk tolerance is often measured in the same terms as the performance measures for the defined objectives. Depending on the category of objectives, risk tolerances may be expressed as follows:

• Operations objectives - Level of variation in performance in relation to risk.
• Nonfinancial reporting objectives - Level of precision and accuracy suitable for user needs, involving both qualitative and quantitative considerations to meet the needs of the nonfinancial report user.
• Financial reporting objectives - Judgments about materiality are made in light of surrounding circumstances, involve both qualitative and quantitative considerations, and are affected by the needs of financial report users and size or nature of a misstatement.
• Compliance objectives - Concept of risk tolerance does not apply. An entity is either compliant or not compliant.

6.10 Management also evaluates whether risk tolerances enable the appropriate design of internal control by considering whether they are consistent with requirements and expectations for the defined objectives. As in defining objectives, management considers the risk tolerances in the context of the entity’s applicable laws, regulations, and standards as well as the entity’s standards of conduct, oversight structure, organizational structure, and expectations of competence. If risk tolerances for defined objectives are not consistent with these requirements and expectations, management revises the risk tolerances to achieve consistency.

Principle 7 - Identify, Analyze, and Respond to Risks

7.1 Management should identify, analyze, and respond to risks related to achieving the defined objectives.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

• Identification of Risks


• Analysis of Risks


• Response to Risks

Identification of Risks

7.2 Management identifies risks throughout the entity to provide a basis for analyzing risks. Risk assessment is the identification and analysis of risks related to achieving the defined objectives to form a basis for designing risk responses.

7.3 To identify risks, management considers the types of risks that impact the entity. This includes both inherent and residual risk. Inherent risk is the risk to an entity in the absence of management’s response to the risk. Residual risk is the risk that remains after management’s response to inherent risk. Management’s lack of response to either risk could cause deficiencies in the internal control system.

7.4 Management considers all significant interactions within the entity and with external parties, changes within the entity’s internal and external environment, and other internal and external factors to identify risks throughout the entity. Internal risk factors may include the complex nature of an entity’s programs, its organizational structure, or the use of new technology in operational processes. External risk factors may include new or amended laws, regulations, or professional standards; economic instability; or potential natural disasters. Management considers these factors at both the entity and transaction levels to comprehensively identify risks that affect defined objectives. Risk identification methods may include qualitative and quantitative ranking activities, forecasting and strategic planning, and consideration of deficiencies identified through audits and other assessments.

Analysis of Risks

7.5 Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective.

7.6 Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk’s impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual transactions. The oversight body may oversee management’s estimates of significance so that risk tolerances have been properly defined.

7.7 Risks may be analyzed on an individual basis or grouped into categories with related risks and analyzed collectively. Regardless of whether risks are analyzed individually or collectively, management considers the correlation among different risks or groups of risks when estimating their significance. The specific risk analysis methodology used can vary by entity because of differences in entities’ missions and the difficulty in qualitatively and quantitatively defining risk tolerances.

Response to Risks

7.8 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following:

• Acceptance - No action is taken to respond to the risk based on the insignificance of the risk.
• Avoidance - Action is taken to stop the operational process or the part of the operational process causing the risk.
• Reduction - Action is taken to reduce the likelihood or magnitude of the risk.
• Sharing - Action is taken to transfer or share risks across the entity or with external parties, such as insuring against losses.

7.9 Based on the selected risk response, management designs the specific actions to respond to the analyzed risks. The nature and extent of risk response actions depend on the defined risk tolerance. Operating within the defined risk tolerance provides greater assurance that the entity will achieve its objectives. Performance measures are used to assess whether risk response actions enable the entity to operate within the defined risk tolerances. When risk response actions do not enable the entity to operate within the defined risk tolerances, management may need to revise risk responses or reconsider defined risk tolerances. Management may need to conduct periodic risk assessments to evaluate the effectiveness of the risk response actions.

Principle 8 - Assess Fraud Risk

8.1 Management should consider the potential for fraud when identifying, analyzing, and responding to risks.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

• Types of Fraud


• Fraud Risk Factors


• Response to Fraud Risks

Types of Fraud

8.2 Management considers the types of fraud that can occur within the entity to provide a basis for identifying fraud risks. Types of fraud are as follows:

• Fraudulent financial reporting - Intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. This could include intentional alteration of accounting records, misrepresentation of transactions, or intentional misapplication of accounting principles.
• Misappropriation of assets - Theft of an entity’s assets. This could include theft of property, embezzlement of receipts, or fraudulent payments.
• Corruption - Bribery and other illegal acts.

8.3 In addition to fraud, management considers other forms of misconduct that can occur, such as waste and abuse. Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose. Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary operational practice given the facts and circumstances. This includes the misuse of authority or position for personal gain or for the benefit of another. Waste and abuse do not necessarily involve fraud or illegal acts. However, they may be an indication of potential fraud or illegal acts and may still impact the achievement of defined objectives.

Fraud Risk Factors

8.4 Management considers fraud risk factors. Fraud risk factors do not necessarily indicate that fraud exists but are often present when fraud occurs. Fraud risk factors include the following:

• Incentive/pressure - Management or other personnel have an incentive or are under pressure, which provides a motive to commit fraud.
Opportunity - Circumstances exist, such as the absence of controls, ineffective controls, or the ability of management to override controls, that provide an opportunity to commit fraud. Attitude/rationalization - Individuals involved are able to rationalize committing fraud. Some individuals possess an attitude, character, or ethical values that allow them to knowingly and intentionally commit a dishonest act.

8.5 Management uses the fraud risk factors to identify fraud risks. While fraud risk may be greatest when all three risk factors are present, one or more of these factors may indicate a fraud risk. Other information provided by internal and external parties can also be used to identify fraud risks. This may include allegations of fraud or suspected fraud reported by the office of the inspector general or internal auditors, personnel, or external parties that interact with the entity.

Response to Fraud Risks

8.6 Management analyzes and responds to identified fraud risks so that they are effectively mitigated. Fraud risks are analyzed through the same risk analysis process performed for all identified risks. Management analyzes the identified fraud risks by estimating their significance, both individually and in the aggregate, to assess their effect on achieving the defined objectives. As part of analyzing fraud risk, management also assesses the risk of management override of controls. The oversight body oversees management’s assessments of fraud risk and the risk of management override of controls so that they are appropriate.

8.7 Management responds to fraud risks through the same risk response process performed for all analyzed risks. Management designs an overall risk response and specific actions for responding to fraud risks. It may be possible to reduce or eliminate certain fraud risks by making changes to the entity’s activities and processes. These changes may include stopping or reorganizing certain operations and reallocating roles among personnel to enhance segregation of duties. In addition to responding to fraud risks, management may need to develop further responses to address the risk of management override of controls. Further, when fraud has been detected, the risk assessment process may need to be revised.

Principle 9 - Identify, Analyze, and Respond to Change

9.1 Management should identify, analyze, and respond to significant changes that could impact the internal control system.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

• Identification of Change


• Analysis of and Response to Change

Identification of Change

9.2 As part of risk assessment or a similar process, management identifies changes that could significantly impact the entity’s internal control system. Identifying, analyzing, and responding to change is similar to, if not part of, the entity’s regular risk assessment process. However, change is discussed separately because it is critical to an effective internal control system and can often be overlooked or inadequately addressed in the normal course of operations.

9.3 Conditions affecting the entity and its environment continually change. Management can anticipate and plan for significant changes by using a forward-looking process for identifying change. Management identifies, on a timely basis, significant changes to internal and external conditions that have already occurred or are expected to occur. Changes in internal conditions include changes to the entity’s programs or activities, oversight structure, organizational structure, personnel, and technology. Changes in external conditions include changes in the governmental, economic, technological, legal, regulatory, and physical environments. Identified significant changes are communicated across the entity through established reporting lines to appropriate personnel.

Analysis of and Response to Change

9.4 As part of risk assessment or a similar process, management analyzes and responds to identified changes and related risks in order to maintain an effective internal control system. Changes in conditions affecting the entity and its environment often require changes to the entity’s internal control system, as existing controls may not be effective for meeting objectives or addressing risks under changed conditions. Management analyzes the effect of identified changes on the internal control system and responds by revising the internal control system on a timely basis, when necessary, to maintain its effectiveness.

9.5 Further, changing conditions often prompt new risks or changes to existing risks that need to be assessed. As part of analyzing and responding to change, management performs a risk assessment to identify, analyze, and respond to any new risks prompted by the changes. Additionally, existing risks may require further assessment to determine whether the defined risk tolerances and risk responses need to be revised.