Identification, Assessment and Measurement of Risk
Module - 3
Contents
• Framework of Risk management - COSO’s Enterprise Risk Management
• Concept of risk appetite and risk response - Strategic & operational risk -
Strategies to mitigate the risks – TARA approach - Diversification strategies -
Risk mapping - Role of risk committee in corporate governance framework
• Features of effective internal control system – information flow for internal
control – evaluating effectiveness of internal control system – role of internal
control systems to help prevent fraud, errors and waste
• Internal audit function - Turnbull criteria to assess the need for Internal audit
- reporting to the audit committee - value for money audit - IT audits - Best
value audits, financial audits -operational audits - differences between internal
and external audit - Ethical principles of auditors – audit independence –
effective audit committee – reporting on internal control & audit – linkage
with financial reporting
RISK
• A risk can be defined as an unrealised future loss arising from
a present action or inaction.
• Risks are the opportunities and dangers associated with
uncertain future events.
• Risks can have an adverse ('downside exposure') or favourable
impact ('upside potential') on the organisation’s objectives.
Why take risk?
Benefits of taking risks
As Low As Reasonably Practicable Principle (ALARP)
• As we cannot eliminate risk altogether, the ALARP principle
simply states that residual risk should be as low as reasonably
practicable.
Risk management
• Risk management is therefore the process of reducing the
possibility of adverse consequences either by reducing the
likelihood of an event or its impact, or taking advantage of
the upside risk.
RISK MANAGEMENT
Risk identification: Strategic and operational risks
Risk identification: Business risks
Cont…
Managing, monitoring and mitigating risk
The Role of Board in managing Risk
Risk appetite
• Risk appetite is a measure of the general attitude
to accepting risk. It is shaped by two factors:
• Risk capacity – the amount of risk that the
organisation can bear, and
• Risk attitude – the overall character of the board, in
terms of the board being risk averse or risk seeking.
Risk appetite spectrum (diagram): Risk averse (seeking to avoid risk) at one
end, risk seeking (higher the risk, higher the return) at the other.
Risk appetite factors
• Nature of product being manufactured
• The need to increase sales
• The background of the board
• Amount of change in the market
• Reputation of the company
Risk committee
• Though corporate governance codes do not specifically
require a risk committee to be established, many companies
will set up a separate risk committee or establish the audit
committee as a ‘risk and audit committee’.
• The risk committee is sometimes referred to as a risk
management committee.
• Where no risk committee is formed, the audit committee will
usually perform similar duties.
Roles of risk committee
Role of the risk manager
Risk management: TARA (or SARA)
• Strategies for managing risks can be explained as TARA (or
SARA): Transference (or Sharing), Avoidance, Reduction or
Acceptance.
Risk management using TARA
• Transference
• Risk sharing
• Avoidance
• Reduction/mitigation
Risk avoidance and retention
• Risk avoidance: the risk strategy by which the
organisation literally avoids a risk by not
undertaking the activity that gives rise to the risk
in the first place.
• Risk retention: the risk strategy by which an
organisation retains that particular risk within the
organisation.
Diversifying / Spreading Risk
ANSOFF’s Matrix
INTERNAL CONTROL
Internal control definitions
• Controls attempt to ensure that risks, those factors which stop
the achievement of company objectives, are minimised.
• An internal control system comprises the whole network of
systems established in an organisation to provide reasonable
assurance that organisational objectives will be achieved.
• Internal management control refers to the procedures and
policies in place to ensure that company objectives are
achieved.
• The control procedures and policies provide the detailed
controls implemented within the company.
Objectives of an internal control system
• The orderly and efficient conduct of its business, including
adherence to internal policies
• The safeguarding of assets of the business
• The prevention and detection of fraud and error
• The accuracy and completeness of the accounting records
• The timely preparation of financial information.
Benefits of an internal control system
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.
Limitations of internal control systems
• Poor judgement in decision-making
• Human error can cause failures although a well-designed internal
control environment can help control this to a certain extent.
• Control processes being deliberately circumvented by employees
and others
• Management overriding controls, presumably in the belief that
the controls put in place are inconvenient or inappropriate and
should not apply to them.
• The occurrence of unforeseeable circumstances
Internal controls and COSO
• The Committee of Sponsoring Organisations (COSO) was formed in 1985 to
sponsor the National Commission on Fraudulent Financial Reporting. The
'sponsoring organisations' included the American Accounting Association
and the American Institute of Certified Public Accountants.
• COSO defines three objectives of internal control:
• Effectiveness and efficiency of operations – that is, the basic business
objectives including performance goals and safeguarding resources.
• Reliability of financial reporting – including the preparation of any
published financial information.
• Compliance with applicable laws and regulations to which the company
is subject.
COSO Internal Control Framework
• https://study.com/academy/lesson/what-is-coso-internal-control-framework-objectives-components.html
Development of corporate governance
regarding accountability, audit and controls
• Cadbury Report (1992)
• The audit and accountability section of the Cadbury Report
recognised the importance of corporate transparency and
ensuring good communication and disclosure with
shareholders and stakeholders.
• The report confirmed that directors should establish a sound
system of internal control and review this system on a regular
basis.
Turnbull Report (1999)
• The Turnbull report states the need for directors to review their
systems of internal control and report these to shareholders.
• Turnbull represented an attempt to formalise an explicit
framework for establishing internal control in organisations.
• This framework can be used to help establish systems of
internal control without being overly prescriptive. It provides
guidance as to how to develop and maintain internal control
systems and thus reduce risk.
• Work done by the Committee of Sponsoring Organisations
(COSO) in 1992 was referred to within this report.
Management internal control systems and reporting
Twenty questions to enhance your internal controls – E&Y Report
• https://www.ey.com/en_in/consulting/twenty-questions-to-enhance-your-internal-controls
Audit and compliance
Function and importance of internal audit
• Internal audit is a management control. The
department reviews the effectiveness of other
controls within a company.
• It is part of the control systems of a company,
with the aim of ensuring that other controls are
working correctly.
• In some regimes, it is a statutory requirement to have
internal audit. In others, codes of corporate governance
strongly suggest that an internal audit department is
necessary.
• The work of internal audit is varied – from reviewing
financial controls through to checking compliance with
legislation.
• The department is normally under the control of a chief
internal auditor who reports to the audit committee.
Roles of Internal Audit
Reviewing accounting and internal control systems (financial audit)
• This is the traditional view of internal audit. The internal
auditor checks the financial controls in the company, possibly
assisting or sharing work with the external auditor. The
internal auditor would comment on whether appropriate
controls exist as well as whether they are working correctly.
In this work, the internal auditor does not manage risk, but
simply reports on controls.
Assisting with the identification of significant risks
• In this function, the internal auditor does start to
work on risks. The auditor may be asked to
investigate areas of risk management, with
specific reference to how the company
identifies, assesses and controls significant risks
from both internal and external sources.
Reviewing the economy, efficiency and effectiveness of operations (operational audit)
• This is also called a value for money (VFM)
audit. The auditor checks whether a particular
activity is cost effective (economical), uses the
minimum inputs for a given output (efficient)
and meets its stated objectives (effective).
Examining financial and operating information
• Internal auditors ensure that reporting of
financial information is made on a timely
basis and that the information in the reports
is factually accurate.
Special investigations
• Investigations into other areas of the
company’s business, e.g. checking the cost
estimates for a new factory.
Reviewing compliance with laws and other external regulations
• This objective is particularly relevant regarding
SOX (Sarbanes-Oxley Act), where the internal
auditor will be carrying out detailed work to
ensure that internal control systems and financial
reports meet stock exchange requirements.
Types of audit work
• Financial audit
• Operational audit
• Project audit
• Value for money audit
• Social and environmental audit
• Management audit
Internal Audit Controls
• https://study.com/academy/lesson/internal-audit-controls-types-objectives.html