Committee of Sponsoring Organizations (COSO)
Internal Control Integrated Framework

Risk Assessment

Summary

Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

All entities, regardless of size, structure, nature, or industry, encounter risks at all levels. Risk is defined in the Framework as the possibility that an event will occur and adversely affect the achievement of objectives.

The use of the term “adversely” in this definition does not ignore positive variances relating to an event or series of events. Large positive variances may still create adverse impacts to objectives. For instance, consider a company that forecasts sales of 1,000 units and sets production schedules to achieve this expected demand. Management considers the possibility that actual orders will exceed this forecast. Actual orders of 1,500 units would likely not impact the sales objectives but might adversely impact production costs (through incremental overtime needed to meet increased volumes) or customer satisfaction targets (through increased back orders and wait times). Consequently, selling more units than planned may adversely impact objectives other than the sales objective.

As part of the process of identifying and assessing risks, an organization may also identify opportunities, which are the possibility that an event will occur and positively affect the achievement of objectives. These opportunities are important to capture and to communicate to the objective-setting processes. For instance, in the above example, management would channel new sales opportunities to the objective-setting processes. However, identifying and assessing potential opportunities such as new sales opportunities is not a part of internal control.

Risks affect an entity’s ability to succeed, compete within its industry, maintain its financial strength and positive reputation, and maintain the overall quality of its products, services, and people. There is no practical way to reduce risk to zero. Indeed, the decision to be in business incurs risk. Management must determine how much risk is to be prudently accepted, strive to maintain risk within these levels, and understand how much tolerance it has for exceeding its target risk levels.

Risk often increases when objectives differ from past performance and when management implements change. An entity often does not set explicit objectives when it considers its performance to be acceptable. For example, an entity might view its historical service to customers as acceptable and therefore not set specific goals on maintaining current levels of service. However, as part of the risk assessment process, the organization does need to have a common understanding of entity-level objectives relevant to operations, reporting, and compliance and how those cascade into the organization.

Risk Tolerance
Risk tolerance is the acceptable level of variation in performance relative to the achievement of objectives. Operating within risk tolerance provides management with greater confidence that the entity will achieve its objectives. Risk tolerance may be expressed in different ways to suit each category of objectives. For instance, when considering financial reporting, risk tolerance is typically expressed in terms of materiality, whereas for compliance and operations, risk tolerance is often expressed in terms of the acceptable level of variation in performance.

Risk tolerance is normally determined as part of the objective-setting process, and as with setting objectives, setting tolerance levels is a precondition for determining risk responses and related control activities. Management may exercise significant discretion in setting risk tolerance and managing risks when there are no external requirements. However, when there are external requirements, such as those relating to external reporting and compliance objectives, management considers risk tolerance within the context of established laws, rules, regulations, and external standards.

As well, senior management considers the relative importance of the competing objectives and differing priorities for pursuing these objectives. For instance, a chief operating officer may view operations objectives as requiring a higher level of precision than materiality considerations in reporting objectives, and vice versa for the chief financial officer. However, it would be problematic for public companies to overemphasize operational objectives to an extent that adversely impacts the reliability of financial reporting. These views are considered as part of the strategic-planning and objective-setting process with tolerances set accordingly. This kind of decision may also impact the level of resources allocated to pursuing the achievement of those respective objectives.

 

 

Principles relating to the Risk Assessment component

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

  4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Specifies Suitable Objectives

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

A precondition to risk assessment is the establishment of objectives, linked at various levels of the entity. These objectives align with and support the entity in the pursuit of its strategic direction. While setting strategies and objectives is not part of the internal control process, objectives form the basis on which risk assessment approaches are implemented and performed and subsequent control activities are established. As part of internal control, management specifies objectives and groups them within broad categories at all levels of the entity, relating to operations, reporting, and compliance. The grouping of objectives within these categories allows for the risks to the achievement of those objectives to be identified and assessed.

In considering the suitability of objectives, management may consider such matters as:

  • Alignment between established objectives and strategic priorities
  • Articulation of risk tolerances for objectives
  • Alignment between established objectives and established laws, rules, regulations, and standards applicable to the entity
  • Articulation of objectives using terms that are specific, measurable or observable, attainable, relevant, and time-bound
  • Cascading of objectives across the entity and it subunits
  • Alignment of objectives to other circumstances that require specific focus by the entity
  • Approval objectives within the objective-setting process

Where objectives within these categories are unclear, where it is unclear how these objectives support the strategic direction, or where there are concerns that the objectives are not suitable based on the facts, circumstances, and established laws, rules, regulations, and standards applicable to the entity, management communicates this concern for input to the strategy-setting and objective-setting process.

Operations Objectives

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Reflects Management’s Choices—Operations objectives reflect management’s choices about structure, industry considerations, and performance of the entity.
  • Considers Tolerances for Risk—Management considers the acceptable levels of variation relative to the achievement of operations objectives.
  • Includes Operations and Financial Performance Goals—The organization reflects the desired level of operations and financial performance for the entity within operations objectives.
  • Forms a Basis for Committing of Resources—Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance.

Specifies Suitable Objectives

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

Reporting Objectives

Reporting objectives pertain to the preparation of reports that encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard-setting bodies, or by the entity’s policies. This category includes external financial reporting, external non-financial reporting, internal financial reporting, and internal non-financial reporting. External reporting objectives are driven primarily by laws, rules, regulations, and standards established by governments, regulators, standard-setting bodies, and accounting bodies. Internal reporting objectives are driven by the entity’s strategic directions, and by reporting requirements and expectations established by  management and the board of directors.

External Financial Reporting

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning as it relates to external financial reporting objectives:

  • Complies with Applicable Accounting Standards—Financial reporting objectives are consistent with accounting principles suitable and available for that entity. The accounting principles selected are appropriate in the circumstances.
  • Considers Materiality—Management considers materiality in financial statement presentation.
  • Reflects Entity Activities—External reporting reflects the underlying transactions and events to show qualitative characteristics and assertions.

External Non-Financial Reporting

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning as it relates to external non-financial reporting objectives:

  • Complies with Externally Established Standards and Frameworks—Management establishes objectives consistent with laws and regulations, or standards and frameworks of recognized external organizations.
  • Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs and as based on criteria established by third parties in non-financial reporting.
  • Reflects Entity Activities—External reporting reflects the underlying transactions and events within a range of acceptable limits.

Internal Reporting Objectives

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning as it relates to internal reporting objectives:

  • Reflects Management’s Choices—Internal reporting provides management with accurate and complete information regarding management’s choices and information needed in managing the entity.
  • Considers the Required Level of Precision—Management reflects the required level of precision and accuracy suitable for user needs in non-financial reporting objectives and materiality within financial reporting objectives.
  • Reflects Entity Activities—Internal reporting reflects the underlying transactions and events within a range of acceptable limits.

Specifies Suitable Objectives

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Compliance Objectives

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning as it relates to compliance objectives:

  • Reflects External Laws and Regulations—Laws and regulations establish minimum standards of conduct which the entity integrates into compliance objectives.
  • Considers Tolerances for Risk—Management considers the acceptable levels of variation relative to the achievement of compliance objectives.

Identifies and Analyzes Risk

Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—The organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
  • Analyzes Internal and External Factors—Risk identification considers both internal and external factors and their impact on the achievement of objectives.
  • Involves Appropriate Levels of Management—The organization puts into place effective risk assessment mechanisms that involve appropriate levels of management.
  • Estimates Significance of Risks Identified—Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
  • Determines How to Respond to Risks—Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.

Assesses Fraud Risk

Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Considers Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
  • Assesses Incentive and Pressures—The assessment of fraud risk considers incentives and pressures.
  • Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts.
  • Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.

Identifies and Analyzes Significant Change

Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.

Points of Focus

The following points of focus may assist management in determining whether this principle is present and functioning:

  • Assesses Changes in the External Environment—The risk identification process considers changes to the regulatory, economic, and physical environment in which the entity operates.
  • Assesses Changes in the Business Model—The organization considers the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operations on the system of internal control, rapid growth, changing reliance on foreign geographies, and new technologies.
  • Assesses Changes in Leadership—The organization considers changes in management and respective attitudes and philosophies on the system of internal control.


U.S. Government Accountability Office (GAO)
Standards for Internal Control in the Federal Government

Risk Assessment

Overview

Having established an effective control environment, management assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses. Management assesses the risks the entity faces from both external and internal sources.

Principles

  1. Management should define objectives clearly to enable the identification of risks and define risk tolerances.

  2. Management should identify, analyze, and respond to risks related to achieving the defined objectives.

  3. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.

  4. Management should identify, analyze, and respond to significant changes that could impact the internal control system.


Principle 6 - Define Objectives and Risk Tolerances

6.1 Management should define objectives clearly to enable the identification of risks and define risk tolerances.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Definitions of Objectives

  • Definitions of Risk Tolerances

Definitions of Objectives

6.2 Management defines objectives in specific and measurable terms to enable the design of internal control for related risks. Specific terms are fully and clearly set forth so they can be easily understood. Measurable terms allow for the assessment of performance toward achieving objectives. Objectives are initially set as part of the objective-setting process and then refined as they are incorporated into the internal control system when management uses them to establish the control environment.

6.3 Management defines objectives in specific terms so they are understood at all levels of the entity. This involves clearly defining what is to be achieved, who is to achieve it, how it will be achieved, and the time frames for achievement. All objectives can be broadly classified into one or more of three categories: operations, reporting, or compliance. Reporting objectives are further categorized as being either internal or external and financial or nonfinancial. Management defines objectives in alignment with the organization’s mission, strategic plan, and performance goals.

6.4 Management defines objectives in measurable terms so that performance toward achieving those objectives can be assessed. Measurable objectives are generally free of bias and do not require subjective judgments to dominate their measurement. Measurable objectives are also stated in a quantitative or qualitative form that permits reasonably consistent measurement.

6.5 Management considers external requirements and internal expectations when defining objectives to enable the design of internal control. Legislators, regulators, and standard-setting bodies set external requirements by establishing the laws, regulations, and standards with which the entity is required to comply. Management identifies, understands, and incorporates these requirements into the entity’s objectives. Management sets internal expectations and requirements through the established standards of conduct, oversight structure, organizational structure, and expectations of competence as part of the control environment.

6.6 Management evaluates and, if necessary, revises defined objectives so that they are consistent with these requirements and expectations. This consistency enables management to identify and analyze risks associated with achieving the defined objectives.

6.7 Management determines whether performance measures for the defined objectives are appropriate for evaluating the entity’s performance in achieving those objectives. For quantitative objectives, performance measures may be a targeted percentage or numerical value. For qualitative objectives, management may need to design performance measures that indicate a level or degree of performance, such as milestones.

Definitions of Risk Tolerances

6.8 Management defines risk tolerances for the defined objectives. Risk tolerance is the acceptable level of variation in performance relative to the achievement of objectives. Risk tolerances are initially set as part of the objective-setting process. Management defines the risk tolerances for defined objectives by ensuring that the set levels of variation for performance measures are appropriate for the design of an internal control system.

6.9 Management defines risk tolerances in specific and measurable terms so they are clearly stated and can be measured. Risk tolerance is often measured in the same terms as the performance measures for the defined objectives. Depending on the category of objectives, risk tolerances may be expressed as follows:

  • Operations objectives - Level of variation in performance in relation to risk.
  • Nonfinancial reporting objectives - Level of precision and accuracy suitable for user needs, involving both qualitative and quantitative considerations to meet the needs of the nonfinancial report user.
  • Financial reporting objectives - Judgments about materiality are made in light of surrounding circumstances, involve both qualitative and quantitative considerations, and are affected by the needs of financial report users and size or nature of a misstatement.
  • Compliance objectives - Concept of risk tolerance does not apply. An entity is either compliant or not compliant.

6.10 Management also evaluates whether risk tolerances enable the appropriate design of internal control by considering whether they are consistent with requirements and expectations for the defined objectives. As in defining objectives, management considers the risk tolerances in the context of the entity’s applicable laws, regulations, and standards as well as the entity’s standards of conduct, oversight structure, organizational structure, and expectations of competence. If risk tolerances for defined objectives are not consistent with these requirements and expectations, management revises the risk tolerances to achieve consistency.



Principle 7 - Identify, Analyze, and Respond to Risks

7.1 Management should identify, analyze, and respond to risks related to achieving the defined objectives.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Identification of Risks

  • Analysis of Risks

  • Response to Risks

Identification of Risks

7.2 Management identifies risks throughout the entity to provide a basis for analyzing risks. Risk assessment is the identification and analysis of risks related to achieving the defined objectives to form a basis for designing risk responses.

7.3 To identify risks, management considers the types of risks that impact the entity. This includes both inherent and residual risk. Inherent risk is the risk to an entity in the absence of management’s response to the risk. Residual risk is the risk that remains after management’s response to inherent risk. Management’s lack of response to either risk could cause deficiencies in the internal control system.

7.4 Management considers all significant interactions within the entity and with external parties, changes within the entity’s internal and external environment, and other internal and external factors to identify risks throughout the entity. Internal risk factors may include the complex nature of an entity’s programs, its organizational structure, or the use of new technology in operational processes. External risk factors may include new or amended laws, regulations, or professional standards; economic instability; or potential natural disasters. Management considers these factors at both the entity and transaction levels to comprehensively identify risks that affect defined objectives. Risk identification methods may include qualitative and quantitative ranking activities, forecasting and strategic planning, and consideration of deficiencies identified through audits and other assessments.

Analysis of Risks

7.5 Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective.

7.6 Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk’s impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual transactions. The oversight body may oversee management’s estimates of significance so that risk tolerances have been properly defined.

7.7 Risks may be analyzed on an individual basis or grouped into categories with related risks and analyzed collectively. Regardless of whether risks are analyzed individually or collectively, management considers the correlation among different risks or groups of risks when estimating their significance. The specific risk analysis methodology used can vary by entity because of differences in entities’ missions and the difficulty in qualitatively and quantitatively defining risk tolerances.

Response to Risks

7.8 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following:

  • Acceptance - No action is taken to respond to the risk based on the insignificance of the risk.
  • Avoidance - Action is taken to stop the operational process or the part of the operational process causing the risk.
  • Reduction - Action is taken to reduce the likelihood or magnitude of the risk.
  • Sharing - Action is taken to transfer or share risks across the entity or with external parties, such as insuring against losses.

7.9 Based on the selected risk response, management designs the specific actions to respond to the analyzed risks. The nature and extent of risk response actions depend on the defined risk tolerance. Operating within the defined risk tolerance provides greater assurance that the entity will achieve its objectives. Performance measures are used to assess whether risk response actions enable the entity to operate within the defined risk tolerances. When risk response actions do not enable the entity to operate within the defined risk tolerances, management may need to revise risk responses or reconsider defined risk tolerances. Management may need to conduct periodic risk assessments to evaluate the effectiveness of the risk response actions.



Principle 8 - Assess Fraud Risk

8.1 Management should consider the potential for fraud when identifying, analyzing, and responding to risks.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Types of Fraud

  • Fraud Risk Factors

  • Response to Fraud Risks

Types of Fraud

8.2 Management considers the types of fraud that can occur within the entity to provide a basis for identifying fraud risks. Types of fraud are as follows:

  • Fraudulent financial reporting - Intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. This could include intentional alteration of accounting records, misrepresentation of transactions, or intentional misapplication of accounting principles.
  • Misappropriation of assets - Theft of an entity’s assets. This could include theft of property, embezzlement of receipts, or fraudulent payments.
  • Corruption - Bribery and other illegal acts.

8.3 In addition to fraud, management considers other forms of misconduct that can occur, such as waste and abuse. Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose. Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary operational practice given the facts and circumstances. This includes the misuse of authority or position for personal gain or for the benefit of another. Waste and abuse do not necessarily involve fraud or illegal acts. However, they may be an indication of potential fraud or illegal acts and may still impact the achievement of defined objectives.

Fraud Risk Factors

8.4 Management considers fraud risk factors. Fraud risk factors do not necessarily indicate that fraud exists but are often present when fraud occurs. Fraud risk factors include the following:

  • Incentive/pressure - Management or other personnel have an incentive or are under pressure, which provides a motive to commit fraud.
  • Opportunity - Circumstances exist, such as the absence of controls, ineffective controls, or the ability of management to override controls, that provide an opportunity to commit fraud. Attitude/rationalization - Individuals involved are able to rationalize committing fraud. Some individuals possess an attitude, character, or ethical values that allow them to knowingly and intentionally commit a dishonest act.

8.5 Management uses the fraud risk factors to identify fraud risks. While fraud risk may be greatest when all three risk factors are present, one or more of these factors may indicate a fraud risk. Other information provided by internal and external parties can also be used to identify fraud risks. This may include allegations of fraud or suspected fraud reported by the office of the inspector general or internal auditors, personnel, or external parties that interact with the entity.

Response to Fraud Risks

8.6 Management analyzes and responds to identified fraud risks so that they are effectively mitigated. Fraud risks are analyzed through the same risk analysis process performed for all identified risks. Management analyzes the identified fraud risks by estimating their significance, both individually and in the aggregate, to assess their effect on achieving the defined objectives. As part of analyzing fraud risk, management also assesses the risk of management override of controls. The oversight body oversees management’s assessments of fraud risk and the risk of management override of controls so that they are appropriate.

8.7 Management responds to fraud risks through the same risk response process performed for all analyzed risks. Management designs an overall risk response and specific actions for responding to fraud risks. It may be possible to reduce or eliminate certain fraud risks by making changes to the entity’s activities and processes. These changes may include stopping or reorganizing certain operations and reallocating roles among personnel to enhance segregation of duties. In addition to responding to fraud risks, management may need to develop further responses to address the risk of management override of controls. Further, when fraud has been detected, the risk assessment process may need to be revised.



Principle 9 - Identify, Analyze, and Respond to Change

9.1 Management should identify, analyze, and respond to significant changes that could impact the internal control system.

Attributes

The following attributes contribute to the design, implementation, and operating effectiveness of this principle:

  • Identification of Change

  • Analysis of and Response to Change

Identification of Change

9.2 As part of risk assessment or a similar process, management identifies changes that could significantly impact the entity’s internal control system. Identifying, analyzing, and responding to change is similar to, if not part of, the entity’s regular risk assessment process. However, change is discussed separately because it is critical to an effective internal control system and can often be overlooked or inadequately addressed in the normal course of operations.

9.3 Conditions affecting the entity and its environment continually change. Management can anticipate and plan for significant changes by using a forward-looking process for identifying change. Management identifies, on a timely basis, significant changes to internal and external conditions that have already occurred or are expected to occur. Changes in internal conditions include changes to the entity’s programs or activities, oversight structure, organizational structure, personnel, and technology. Changes in external conditions include changes in the governmental, economic, technological, legal, regulatory, and physical environments. Identified significant changes are communicated across the entity through established reporting lines to appropriate personnel.

Analysis of and Response to Change

9.4 As part of risk assessment or a similar process, management analyzes and responds to identified changes and related risks in order to maintain an effective internal control system. Changes in conditions affecting the entity and its environment often require changes to the entity’s internal control system, as existing controls may not be effective for meeting objectives or addressing risks under changed conditions. Management analyzes the effect of identified changes on the internal control system and responds by revising the internal control system on a timely basis, when necessary, to maintain its effectiveness.

9.5 Further, changing conditions often prompt new risks or changes to existing risks that need to be assessed. As part of analyzing and responding to change, management performs a risk assessment to identify, analyze, and respond to any new risks prompted by the changes. Additionally, existing risks may require further assessment to determine whether the defined risk tolerances and risk responses need to be revised.