Summary
Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives. Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.
All entities, regardless of size, structure, nature, or industry, encounter risks at all levels. Risk is defined in the Framework as the possibility that an event will occur and adversely affect the achievement of objectives.
The use of the term “adversely” in this definition does not ignore positive variances relating to an event or series of events. Large positive variances may still create adverse impacts to objectives. For instance, consider a company that forecasts sales of 1,000 units and sets production schedules to achieve this expected demand. Management considers the possibility that actual orders will exceed this forecast. Actual orders of 1,500 units would likely not impact the sales objectives but might adversely impact production costs (through incremental overtime needed to meet increased volumes) or customer satisfaction targets (through increased back orders and wait times). Consequently, selling more units than planned may adversely impact objectives other than the sales objective.
As part of the process of identifying and assessing risks, an organization may also identify opportunities, which are the possibility that an event will occur and positively affect the achievement of objectives. These opportunities are important to capture and to communicate to the objective-setting processes. For instance, in the above example, management would channel new sales opportunities to the objective-setting processes. However, identifying and assessing potential opportunities such as new sales opportunities is not a part of internal control.
Risks affect an entity’s ability to succeed, compete within its industry, maintain its financial strength and positive reputation, and maintain the overall quality of its products, services, and people. There is no practical way to reduce risk to zero. Indeed, the decision to be in business incurs risk. Management must determine how much risk is to be prudently accepted, strive to maintain risk within these levels, and understand how much tolerance it has for exceeding its target risk levels.
Risk often increases when objectives differ from past performance and when management implements change. An entity often does not set explicit objectives when it considers its performance to be acceptable. For example, an entity might view its historical service to customers as acceptable and therefore not set specific goals on maintaining current levels of service. However, as part of the risk assessment process, the organization does need to have a common understanding of entity-level objectives relevant to operations, reporting, and compliance and how those cascade into the organization.
Risk Tolerance
Risk tolerance is the acceptable level of variation in performance relative to the achievement of objectives. Operating within risk tolerance provides management with greater confidence that the entity will achieve its objectives. Risk tolerance may be expressed in different ways to suit each category of objectives. For instance, when considering financial reporting, risk tolerance is typically expressed in terms of materiality, whereas for compliance and operations, risk tolerance is often expressed in terms of the acceptable level of variation in performance.
Risk tolerance is normally determined as part of the objective-setting process, and as with setting objectives, setting tolerance levels is a precondition for determining risk responses and related control activities. Management may exercise significant discretion in setting risk tolerance and managing risks when there are no external requirements. However, when there are external requirements, such as those relating to external reporting and compliance objectives, management considers risk tolerance within the context of established laws, rules, regulations, and external standards.
Senior management also considers the relative importance of competing objectives and the differing priorities for pursuing them. For instance, a chief operating officer may view operations objectives as requiring a higher level of precision than materiality considerations in reporting objectives, and vice versa for the chief financial officer. However, it would be problematic for public companies to overemphasize operational objectives to an extent that adversely impacts the reliability of financial reporting. These views are considered as part of the strategic-planning and objective-setting process, with tolerances set accordingly. This kind of decision may also affect the level of resources allocated to pursuing each of those objectives.
Principles relating to the Risk Assessment component
Specifies Suitable Objectives
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning:
A precondition to risk assessment is the establishment of objectives, linked at various levels of the entity. These objectives align with and support the entity in the pursuit of its strategic direction. While setting strategies and objectives is not part of the internal control process, objectives form the basis on which risk assessment approaches are implemented and performed and subsequent control activities are established. As part of internal control, management specifies objectives and groups them within broad categories at all levels of the entity, relating to operations, reporting, and compliance. The grouping of objectives within these categories allows for the risks to the achievement of those objectives to be identified and assessed.
In considering the suitability of objectives, management may consider such matters as:
Where objectives within these categories are unclear, where it is unclear how these objectives support the strategic direction, or where there are concerns that the objectives are not suitable based on the facts, circumstances, and established laws, rules, regulations, and standards applicable to the entity, management communicates this concern for input to the strategy-setting and objective-setting process.
Operations Objectives
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning:
Reporting Objectives
Reporting objectives pertain to the preparation of reports that encompass reliability, timeliness, transparency, or other terms as set forth by regulators, standard-setting bodies, or by the entity’s policies. This category includes external financial reporting, external non-financial reporting, internal financial reporting, and internal non-financial reporting. External reporting objectives are driven primarily by laws, rules, regulations, and standards established by governments, regulators, standard-setting bodies, and accounting bodies. Internal reporting objectives are driven by the entity’s strategic directions, and by reporting requirements and expectations established by management and the board of directors.
External Financial Reporting
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning as it relates to external financial reporting objectives:
External Non-Financial Reporting
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning as it relates to external non-financial reporting objectives:
Internal Reporting Objectives
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning as it relates to internal reporting objectives:
Compliance Objectives
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning as it relates to compliance objectives:
Identifies and Analyzes Risk
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning:
Assesses Fraud Risk
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning:
Identifies and Analyzes Significant Change
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
Points of Focus
The following points of focus may assist management in determining whether this principle is present and functioning:
Overview
Having established an effective control environment, management assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses. Management assesses the risks the entity faces from both external and internal sources.
Principles
6.1 Management should define objectives clearly to enable the identification of risks and define risk tolerances.
Attributes
The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
Definitions of Objectives
6.2 Management defines objectives in specific and measurable terms to enable the design of internal control for related risks. Specific terms are fully and clearly set forth so they can be easily understood. Measurable terms allow for the assessment of performance toward achieving objectives. Objectives are initially set as part of the objective-setting process and then refined as they are incorporated into the internal control system when management uses them to establish the control environment.
6.3 Management defines objectives in specific terms so they are understood at all levels of the entity. This involves clearly defining what is to be achieved, who is to achieve it, how it will be achieved, and the time frames for achievement. All objectives can be broadly classified into one or more of three categories: operations, reporting, or compliance. Reporting objectives are further categorized as being either internal or external and financial or nonfinancial. Management defines objectives in alignment with the organization’s mission, strategic plan, and performance goals.
6.4 Management defines objectives in measurable terms so that performance toward achieving those objectives can be assessed. Measurable objectives are generally free of bias and do not require subjective judgments to dominate their measurement. Measurable objectives are also stated in a quantitative or qualitative form that permits reasonably consistent measurement.
6.5 Management considers external requirements and internal expectations when defining objectives to enable the design of internal control. Legislators, regulators, and standard-setting bodies set external requirements by establishing the laws, regulations, and standards with which the entity is required to comply. Management identifies, understands, and incorporates these requirements into the entity’s objectives. Management sets internal expectations and requirements through the established standards of conduct, oversight structure, organizational structure, and expectations of competence as part of the control environment.
6.6 Management evaluates and, if necessary, revises defined objectives so that they are consistent with these requirements and expectations. This consistency enables management to identify and analyze risks associated with achieving the defined objectives.
6.7 Management determines whether performance measures for the defined objectives are appropriate for evaluating the entity’s performance in achieving those objectives. For quantitative objectives, performance measures may be a targeted percentage or numerical value. For qualitative objectives, management may need to design performance measures that indicate a level or degree of performance, such as milestones.
Definitions of Risk Tolerances
6.8 Management defines risk tolerances for the defined objectives. Risk tolerance is the acceptable level of variation in performance relative to the achievement of objectives. Risk tolerances are initially set as part of the objective-setting process. Management defines the risk tolerances for defined objectives by ensuring that the set levels of variation for performance measures are appropriate for the design of an internal control system.
6.9 Management defines risk tolerances in specific and measurable terms so they are clearly stated and can be measured. Risk tolerance is often measured in the same terms as the performance measures for the defined objectives. Depending on the category of objectives, risk tolerances may be expressed as follows:
6.10 Management also evaluates whether risk tolerances enable the appropriate design of internal control by considering whether they are consistent with requirements and expectations for the defined objectives. As in defining objectives, management considers the risk tolerances in the context of the entity’s applicable laws, regulations, and standards as well as the entity’s standards of conduct, oversight structure, organizational structure, and expectations of competence. If risk tolerances for defined objectives are not consistent with these requirements and expectations, management revises the risk tolerances to achieve consistency.
7.1 Management should identify, analyze, and respond to risks related to achieving the defined objectives.
Attributes
The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
Identification of Risks
7.2 Management identifies risks throughout the entity to provide a basis for analyzing risks. Risk assessment is the identification and analysis of risks related to achieving the defined objectives to form a basis for designing risk responses.
7.3 To identify risks, management considers the types of risks that impact the entity. This includes both inherent and residual risk. Inherent risk is the risk to an entity in the absence of management’s response to the risk. Residual risk is the risk that remains after management’s response to inherent risk. Management’s lack of response to either risk could cause deficiencies in the internal control system.
7.4 Management considers all significant interactions within the entity and with external parties, changes within the entity’s internal and external environment, and other internal and external factors to identify risks throughout the entity. Internal risk factors may include the complex nature of an entity’s programs, its organizational structure, or the use of new technology in operational processes. External risk factors may include new or amended laws, regulations, or professional standards; economic instability; or potential natural disasters. Management considers these factors at both the entity and transaction levels to comprehensively identify risks that affect defined objectives. Risk identification methods may include qualitative and quantitative ranking activities, forecasting and strategic planning, and consideration of deficiencies identified through audits and other assessments.
Analysis of Risks
7.5 Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective.
7.6 Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk’s impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual transactions. The oversight body may oversee management’s estimates of significance so that risk tolerances have been properly defined.
7.7 Risks may be analyzed on an individual basis or grouped into categories with related risks and analyzed collectively. Regardless of whether risks are analyzed individually or collectively, management considers the correlation among different risks or groups of risks when estimating their significance. The specific risk analysis methodology used can vary by entity because of differences in entities’ missions and the difficulty in qualitatively and quantitatively defining risk tolerances.
Response to Risks
7.8 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following:
7.9 Based on the selected risk response, management designs the specific actions to respond to the analyzed risks. The nature and extent of risk response actions depend on the defined risk tolerance. Operating within the defined risk tolerance provides greater assurance that the entity will achieve its objectives. Performance measures are used to assess whether risk response actions enable the entity to operate within the defined risk tolerances. When risk response actions do not enable the entity to operate within the defined risk tolerances, management may need to revise risk responses or reconsider defined risk tolerances. Management may need to conduct periodic risk assessments to evaluate the effectiveness of the risk response actions.
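The following is an added worked example, not text or code from the COSO Framework or the GAO Green Book, showing how paragraphs 7.3 and 7.5 through 7.9 fit together in a small risk register: inherent versus residual significance, a nature adjustment for fraud and complex transactions, collective analysis of correlated risks, and a comparison against the risk tolerance defined for each objective. The 1 to 5 scales, the multipliers for the nature of a risk, the residual_factor field, the summing of correlated risks, and every risk and tolerance value in the register are assumptions made for illustration; neither document prescribes a scoring scale.

```python
"""Risk register scoring against defined risk tolerances.

Added example (not from COSO or the GAO Green Book). The scales, multipliers,
aggregation rule and sample register below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    name: str
    objective: str            # the defined objective the risk threatens (7.2)
    impact: int               # magnitude of impact, assumed 1-5 scale (7.6)
    likelihood: int           # likelihood of occurrence, assumed 1-5 scale (7.6)
    fraud: bool = False       # nature of the risk: arises from fraud (7.6, 8.6)
    complex_txn: bool = False  # nature of the risk: complex or unusual transactions
    residual_factor: float = 1.0  # share of inherent risk left after the response (7.3); 1.0 = no response yet
    group: Optional[str] = None   # correlated risks share a group and are analysed collectively (7.7)


def significance(r: Risk, residual: bool = False) -> float:
    """Estimate significance as impact x likelihood, scaled for the nature of the risk.

    With residual=True the inherent estimate is reduced by the assumed
    residual_factor to give the residual risk after management's response.
    """
    for v in (r.impact, r.likelihood):
        if not 1 <= v <= 5:
            raise ValueError("impact and likelihood use an assumed 1-5 scale")
    score = float(r.impact * r.likelihood)
    if r.fraud:            # assumed multiplier: fraud risk is treated as more severe
        score *= 1.5
    if r.complex_txn:      # assumed multiplier: complex transactions are harder to control
        score *= 1.25
    if residual:
        score *= r.residual_factor
    return round(score, 2)


def analyze(risks: List[Risk], tolerances: Dict[str, float]) -> Dict[str, List[Tuple[str, float, float]]]:
    """Compare residual significance with the tolerance defined for each objective (7.8-7.9).

    Risks in the same group are summed before the comparison (7.7), since one
    event can trigger all of them. Returns, per objective, the units (risk or
    group) whose residual score exceeds tolerance and so need a revised response
    or a reconsidered tolerance.
    """
    units: Dict[Tuple[str, str], float] = {}
    for r in risks:
        if r.objective not in tolerances:
            # A tolerance is a precondition for designing a response (6.8).
            raise KeyError(f"no risk tolerance defined for objective {r.objective!r}")
        unit = r.group or r.name
        units[(r.objective, unit)] = units.get((r.objective, unit), 0.0) + significance(r, residual=True)

    findings: Dict[str, List[Tuple[str, float, float]]] = {}
    for (objective, unit), score in units.items():
        tol = tolerances[objective]
        if score > tol:
            findings.setdefault(objective, []).append((unit, round(score, 2), tol))
    return findings


# Constructed sample register (assumed values, not real data).
TOLERANCES = {"timely payroll": 8.0, "accurate financial reporting": 6.0}

RISKS = [
    Risk("payroll system outage", "timely payroll", impact=4, likelihood=2, residual_factor=0.5),
    Risk("vendor master data tampering", "accurate financial reporting", impact=5, likelihood=2,
         fraud=True, residual_factor=0.4, group="procure-to-pay"),
    Risk("duplicate invoice payment", "accurate financial reporting", impact=3, likelihood=3,
         residual_factor=0.5, group="procure-to-pay"),
    Risk("management override of journal entry approval", "accurate financial reporting",
         impact=5, likelihood=1, fraud=True),  # no response designed yet (8.6, 8.7)
]


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: inherent={significance(r)} residual={significance(r, residual=True)}")
    for objective, items in analyze(RISKS, TOLERANCES).items():
        for unit, score, tol in items:
            print(f"REVISE RESPONSE [{objective}] {unit}: residual {score} exceeds tolerance {tol}")
```

The point of the grouped comparison is visible in the sample register: "vendor master data tampering" on its own has a residual score of 6.0, exactly at the tolerance for accurate financial reporting, and would pass an individual check; analysed together with the correlated "duplicate invoice payment" risk it does not, which is the situation paragraph 7.7 asks management to consider. The override risk is flagged because no response has been designed for it, matching paragraph 8.7's separate treatment of management override.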
8.1 Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
Attributes
The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
Types of Fraud
8.2 Management considers the types of fraud that can occur within the entity to provide a basis for identifying fraud risks. Types of fraud are as follows:
8.3 In addition to fraud, management considers other forms of misconduct that can occur, such as waste and abuse. Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose. Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary operational practice given the facts and circumstances. This includes the misuse of authority or position for personal gain or for the benefit of another. Waste and abuse do not necessarily involve fraud or illegal acts. However, they may be an indication of potential fraud or illegal acts and may still impact the achievement of defined objectives.
Fraud Risk Factors
8.4 Management considers fraud risk factors. Fraud risk factors do not necessarily indicate that fraud exists but are often present when fraud occurs. Fraud risk factors include the following:
8.5 Management uses the fraud risk factors to identify fraud risks. While fraud risk may be greatest when all three risk factors are present, one or more of these factors may indicate a fraud risk. Other information provided by internal and external parties can also be used to identify fraud risks. This may include allegations of fraud or suspected fraud reported by the office of the inspector general or internal auditors, personnel, or external parties that interact with the entity.
Response to Fraud Risks
8.6 Management analyzes and responds to identified fraud risks so that they are effectively mitigated. Fraud risks are analyzed through the same risk analysis process performed for all identified risks. Management analyzes the identified fraud risks by estimating their significance, both individually and in the aggregate, to assess their effect on achieving the defined objectives. As part of analyzing fraud risk, management also assesses the risk of management override of controls. The oversight body oversees management’s assessments of fraud risk and the risk of management override of controls so that they are appropriate.
8.7 Management responds to fraud risks through the same risk response process performed for all analyzed risks. Management designs an overall risk response and specific actions for responding to fraud risks. It may be possible to reduce or eliminate certain fraud risks by making changes to the entity’s activities and processes. These changes may include stopping or reorganizing certain operations and reallocating roles among personnel to enhance segregation of duties. In addition to responding to fraud risks, management may need to develop further responses to address the risk of management override of controls. Further, when fraud has been detected, the risk assessment process may need to be revised.
9.1 Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Attributes
The following attributes contribute to the design, implementation, and operating effectiveness of this principle:
Identification of Change
9.2 As part of risk assessment or a similar process, management identifies changes that could significantly impact the entity’s internal control system. Identifying, analyzing, and responding to change is similar to, if not part of, the entity’s regular risk assessment process. However, change is discussed separately because it is critical to an effective internal control system and can often be overlooked or inadequately addressed in the normal course of operations.
9.3 Conditions affecting the entity and its environment continually change. Management can anticipate and plan for significant changes by using a forward-looking process for identifying change. Management identifies, on a timely basis, significant changes to internal and external conditions that have already occurred or are expected to occur. Changes in internal conditions include changes to the entity’s programs or activities, oversight structure, organizational structure, personnel, and technology. Changes in external conditions include changes in the governmental, economic, technological, legal, regulatory, and physical environments. Identified significant changes are communicated across the entity through established reporting lines to appropriate personnel.
Analysis of and Response to Change
9.4 As part of risk assessment or a similar process, management analyzes and responds to identified changes and related risks in order to maintain an effective internal control system. Changes in conditions affecting the entity and its environment often require changes to the entity’s internal control system, as existing controls may not be effective for meeting objectives or addressing risks under changed conditions. Management analyzes the effect of identified changes on the internal control system and responds by revising the internal control system on a timely basis, when necessary, to maintain its effectiveness.
9.5 Further, changing conditions often prompt new risks or changes to existing risks that need to be assessed. As part of analyzing and responding to change, management performs a risk assessment to identify, analyze, and respond to any new risks prompted by the changes. Additionally, existing risks may require further assessment to determine whether the defined risk tolerances and risk responses need to be revised.