
ACT1110

Fundamental Concepts of
Risk Management and Internal Control System

Learning Objectives
a) Explain different definitions of Risk and Risk Management
b) Discuss globally accepted frameworks on risk management and internal control (i.e.,
COSO, ISO 31000, CoCo, COBIT)
c) Discuss the Risk Management Process according to COSO
d) Explain the definition of Controls and Internal Control
e) Differentiate roles and responsibilities in the Risk Management and Internal Control
System
Risk defined
Risk is the possibility of something bad happening.
Risk involves uncertainty about the
effects/implications of an activity with respect to
something that humans value, often focusing on
negative, undesirable consequences.
Risk implies future uncertainty about deviation from
expected earnings or expected outcome. Risk
measures the uncertainty that an investor is willing
to take to realize a gain from an investment.
9 types of investment risk
1. Market risk
• The risk of investments declining in value because of economic developments or
other events that affect the entire market. The main types of market risk are equity
risk, interest rate risk and currency risk.
    a. Equity risk – applies to an investment in shares.
    • The market price of shares varies all the time depending on demand and supply. Equity risk is
    the risk of loss because of a drop in the market price of shares.
    b. Interest rate risk – applies to debt investments such as bonds.
    • It is the risk of losing money because of a change in the interest rate. For example, if the
    interest rate goes up, the market value of bonds will drop.
    c. Currency risk – applies when you own foreign investments.
    • It is the risk of losing money because of a movement in the exchange rate.
2. Liquidity risk
• The risk of being unable to sell your investment at a fair price and get your money
out when you want to. To sell the investment, you may need to accept a lower
price. In some cases, such as exempt market investments, it may not be possible to
sell the investment at all.
3. Concentration risk
• The risk of loss because your money is concentrated in 1 investment or type of
investment. When you diversify your investments, you spread the risk over
different types of investments, industries and geographic locations.
4. Credit risk
• The risk that the government entity or company that issued the bond will run into financial difficulties and won’t
be able to pay the interest or repay the principal at maturity. Credit risk applies to debt investments such as bonds.
You can evaluate credit risk by looking at the credit rating of the bond. For example, long-term Canadian
government bonds have a credit rating of AAA, which indicates the lowest possible credit risk.
5. Reinvestment risk
• The risk of loss from reinvesting principal or income at a lower interest rate. Suppose you buy a bond paying
5%. Reinvestment risk will affect you if interest rates drop and you have to reinvest the regular interest payments
at 4%. Reinvestment risk will also apply if the bond matures and you have to reinvest the principal at less than 5%.
Reinvestment risk will not apply if you intend to spend the regular interest payments or the principal at maturity.
6. Inflation risk
• The risk of a loss in your purchasing power because the value of your investments does not keep up with inflation.
Inflation erodes the purchasing power of money over time – the same amount of money will buy fewer goods and
services. Inflation risk is particularly relevant if you own cash or debt investments like bonds. Shares offer some
protection against inflation because most companies can increase the prices they charge to their
customers. Share prices should therefore rise in line with inflation. Real estate also offers some protection because
landlords can increase rents over time.
7. Horizon risk
• The risk that your investment horizon may be shortened because of an unforeseen event, for example, the loss of
your job. This may force you to sell investments that you were expecting to hold for the long term. If you must sell
at a time when the markets are down, you may lose money.
8. Longevity risk
• The risk of outliving your savings. This risk is particularly relevant for people who are retired, or are nearing
retirement.
9. Foreign investment risk
• The risk of loss when investing in foreign countries. When you buy foreign investments, for example, the shares of
companies in emerging markets, you face risks that do not exist in Canada, for example, the risk of nationalization.
The 5 Components
There are at least five crucial components that must
be considered when creating a risk management
framework. They include:
1. Risk identification
2. Risk measurement and assessment
3. Risk mitigation
4. Risk reporting and monitoring
5. Risk governance
Risk Identification
• The first step in identifying the risks a company
faces is to define the risk universe. The risk
universe is simply a list of all possible risks.
Examples include IT risk, operational risk, 
regulatory risk, legal risk, political risk, strategic risk,
and credit risk.
• After listing all possible risks, the company can then
select the risks to which it is exposed and
categorize them into core and non-core risks.
• Core risks are those that the company must take in
order to drive performance and long-term growth.
• Non-core risks are often not essential and can be
minimized or eliminated completely.
Risk Measurement
• Risk measurement provides information on the quantum
of either a specific risk exposure or an aggregate risk
exposure, and the probability of a loss occurring due to
those exposures. When measuring specific risk exposure
it is important to consider the effect of that risk on the
overall risk profile of the organization.
• Some risks may provide diversification benefits while
others may not. Another important consideration is the
ability to measure an exposure. Some risks may be easier
to measure than others. For example, market risk can be
measured using observed market prices, but measuring
operational risk is considered both an art and a science.
Risk Mitigation
• Having categorized and measured its risks, a
company can then decide on which risks to
eliminate or minimize, and how much of its core
risks to retain.
• Risk mitigation can be achieved through an outright
sale of assets or liabilities, buying insurance,
hedging with derivatives, or diversification.
Risk Reporting and Monitoring
• It is important to report regularly on specific and
aggregate risk measures in order to ensure that risk
levels remain at an optimal level.
• Financial institutions that trade daily will produce daily
risk reports.
• Other institutions may require less frequent reporting.
• Risk reports must be sent to risk personnel who
have the authority to adjust (or instruct others to
adjust) risk exposures.
Risk Governance
• Risk governance is the process that ensures all
company employees perform their duties in
accordance with the risk management framework.
• Risk governance involves defining the roles of all
employees, segregating duties and assigning
authority to individuals, committees and the board
for approval of core risks, risk limits, exceptions to
limits and risk reports, and also for general
oversight.
Overview

OBJECTIVES
Defined, intended outcomes

CONTROLS
Increase the likelihood of achieving objectives

RISKS
Possibility of an event occurring that will have an impact on the
achievement of objectives

GOVERNANCE
Ensure the entity effectively and efficiently directs itself toward meeting the
objectives
Illustration
Objective
- Wake up at 4:30am to go to school as early as possible
Risk
- Oversleeping
- Insomnia
Controls
- Set up alarm clock
- Drink milk or take herbal sleeping medicine
- Inform other people
Governance
- Parents advise you before you sleep
- Sermon
Definition of Terms
What is risk?
Risk
The possibility of an event occurring that will have an impact on the
achievement of objectives. Risk is measured in terms of impact and likelihood.

Impact: if realized, would affect the company.
Likelihood: occurring over a predefined time period.

Factors that define impact rating
- Financial effect
- Reputation
- Ability to achieve key objectives
Definition of Terms
Residual Risk
The risk remaining after a risk response

Opportunity
The possibility that an event will occur and positively affect the achievement of objectives

Risk Appetite
The amount of risk an organization is willing to accept in pursuit of value

Risk Tolerance
The specific maximum risk that an organization is willing to take regarding each
relevant risk
Recognition
Risk should read as if something went wrong and what the impact of this
would be

Example:
Unauthorized changes are made to the payroll master data resulting in
payments to fictitious employees

Risk should not be:
- A negative control or absence of control
- A process

Definition of Terms
Risk Management
A process to identify, assess, manage, and
control potential events or situations to provide
reasonable assurance regarding the achievement
of the organization's objectives
COSO ERM
The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) ERM framework is
one of two widely accepted risk management
standards organizations use to help manage
risks in an increasingly turbulent,
unpredictable business landscape
Risk Management Framework
COSO ERM - Integrated Framework
- Enterprise Risk Management (ERM) - Integrated Framework
- Published by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
- Defines essential components, suggests a common language, and
provides clear direction and guidance for enterprise risk
management.

Risk Management Framework
ISO 31000:2018 Risk Management – Guidelines
- Published by the International Organization for Standardization (ISO)
- Provides principles and guidelines for effective risk management.
- Provides foundations for discussing risk management and undertaking
a critical review of an organization’s risk management process
Risk Management Process

1. Risk Identification
- Performed for the entire entity
- Audit/ Risk Universe
- Brainstorming, SWOT, scenario analysis

[Figure: Audit Universe diagram. Risk areas shown around the Audit Universe: Accounting and reporting; Liquidity and credit; Capital structure; Market; Tax; Market dynamics; Sales and marketing; Major initiatives; Financial reporting; Supply chain; Mergers, acquisitions, and divestiture; Information technology; Strategic; Operations; Planning and resources allocation; People/Human resource; Compliance; Governance; Hazards; Communication and investor relations; Physical assets; Code of conduct; Regulatory; Legal.]
Risk Management Process


2. Risk Assessment and Prioritization
- Probabilities and potential effects of the risk events identified are used to prioritize
risks

Involves
- Estimate significance/impact
- Assess likelihood
- Consider means to manage

Risk Modeling
- Qualitative methods – listing, ranking and mapping
- Quantitative methods – probabilistic models, weighted

Risk Management Process

2. Risk Assessment and Prioritization
Heat Map – Overall risk assessment

                      Likelihood
Impact          Low       Moderate    High
High            M         H           H
Moderate        L         M           H
Low             L         L           M
Risk Management Process

3. Risk Response
a.) Risk Avoidance - ends the activity
    Ex. Risk of having a pipeline sabotaged can be avoided by selling the pipeline
b.) Risk Retention - accepts the risk
    Ex. self-insurance; sinking funds
c.) Risk Reduction - lowers the level of risk
    Ex. Risk of system penetration can be reduced by maintaining a robust
    information security function within the entity
d.) Risk Sharing - transfers some loss potential
    Ex. Risk of car crash can be shared through insurance
e.) Risk Exploitation - pursues a high return on investment
    Ex. Risk of winning or losing a lottery
Risk Management Process

4. Risk Monitoring
- Tracks identified risks
- Evaluates current risk response
- Monitors residual risks
- Identifies new risks

Practice Question
Which of the following is the correct order of steps in the risk
management process?

1. Identify risks
2. Monitor risk responses
3. Formulate risk responses
4. Assess and prioritize risks
5. Identify context

A. 5, 1, 4, 3, 2.
B. 1, 4, 3, 2, 5.
C. 1, 3, 5, 4, 2.
D. 1, 5, 4, 3, 2.
THE CORRECT ANSWER IS..

Practice Question
A chief audit executive is reviewing the following enterprise-wide
risk map:

Which of the following is the correct prioritization of risks,


considering limited resources in the internal audit activity?
A. Risk B, Risk C, Risk A, Risk D.
B. Risk C, Risk A, Risk D, Risk B.
C. Risk C, Risk A, Risk B, Risk D.
D. Risk A, Risk B, Risk C, Risk D.

THE CORRECT ANSWER IS..

Practice Question
Which risk response reflects a change from acceptance to sharing?
A. An insurance policy on a manufacturing plant was not renewed.
B. Management purchased insurance on previously uninsured
property.
C. Management sold a manufacturing plant.
D. After employees stole numerous inventory items, management
implemented mandatory background checks on all employees.

THE CORRECT ANSWER IS..

Practice Question
Many organizations use electronic funds transfer to pay their
supplier instead of issuing checks. Regarding the risk associated
with issuing checks, which of the following risk management
techniques does this represent?
A. Avoiding
B. Transferring
C. Controlling
D. Accepting

THE CORRECT ANSWER IS..

Practice Question
Inherent risk
A. The risk when management has not taken action to reduce the
impact or likelihood of an adverse event
B. The risk after management takes action to reduce the impact or
likelihood of an adverse event
C. A potential event that will adversely affect the organization
D. Risk response

THE CORRECT ANSWER IS..
Definition of Terms
What is control?
Control
Any action taken by management, the board and other parties to manage risk
and increase the likelihood that established objectives and goals will be achieved.

- Directly responsible
- Guidance, direction and oversight
- Frontline Personnel – minimum of what is expected
- Auditor – evaluate and monitor
Definition of Terms
Internal Control
A process effected by an entity’s board of directors, management and other
personnel designed to provide reasonable assurance of the achievement of
objectives.

Four basic purposes of internal control
(1) Safeguard assets.
(2) Promote operating efficiency.
(3) Ensure financial statement reliability.
(4) Encourage compliance with management directives.
Internal Control Framework
CoCo Internal Control Framework
- Guidance on Control (commonly referred to as CoCo based on its original
title Criteria of Control)
- Published by the Canadian Institute of Chartered Accountants (CICA)
Purpose
• The model starts with the need for a clear direction and
sense of purpose.
• This includes objectives, mission, vision and strategy; risks
and opportunities; policies; planning; and performance
targets and indicators.
• It is essential to have a clear driver for the control criteria
and since controls are about achieving objectives, it is right
that people work to the corporate purpose. Much work can
be done here in setting objectives and getting people to
have a stake in the future direction of the organization. The
crucial link between controls and performance targets is
established here as controls must fit in with the way an
organization measures and manages performance to make
any sense at all.
Commitment
• The people within the organization must understand and
align themselves with the organization's identity and values.
• This includes ethical values, integrity, human resource
policies, authority, responsibility and accountability, and
mutual trust.
• Many control systems fail to recognize the need to get
people committed to the control ethos as a natural part of
the way an organization works.
• Where people spend their time trying to 'beat the system',
there is normally a lack of commitment to the control
criteria.
• The hardest part in getting good control is getting people to
feel part of the arrangements.
Capability
• People must be equipped with the resources and competence to
understand and discharge the requirements of the control model.
• This includes knowledge; skills and tools; communication processes;
information; co-ordination; and control activities.
• Where there is a clear objective, and everyone is ready to
participate in designing and installing good controls, there is still a
need to develop some expertise in this aspect of organizational life.
• Capability is about resourcing the control effort by ensuring staff
have the right skills, experience and attitudes not only to perform
well but also to be able to assess risks and ensure controls make it
easier to deal with these risks.
• Capability can be assisted by training and awareness seminars,
either at induction or as part of continuing improvement
programmes.
Action
• This stage entails performing the activity that is
being controlled.
• Before employees act, they will have a clear
purpose, a commitment to meet their targets and
the ability to deal with problems and opportunities.
• Any action that comes after these prerequisites has
more chance of leading to a successful outcome.
Monitoring and learning
• People must buy into and be part of the organization's evolution.
• This includes monitoring internal and external environments, monitoring
performance, challenging assumptions, reassessing information needs and
information systems, follow-up procedures, and assessing the effectiveness of
control.
• Monitoring is a hard control in that it fits in with inspection, checking, supervising
and examining.
• Challenging assumptions is an important soft control in that it means people can
develop and excel.
• Each activity is seen as part of a learning process that lifts an organization to a
higher dimension.
• Some organizations employ people who have tried and failed to start their own
high risk venture, on the basis that they have had invaluable experiences that, if
they have learnt lessons from, will make them stronger and much more resilient
in growing a new business.
• Organizations that are based around blame cultures will not encourage positive
learning experiences, and will interpret controls as mechanisms for punishing
people whose performance slips.
• The CoCo criteria encourage a positive response to feedback on activities.
Internal Control Framework
Turnbull Report
- Guidance on Risk Management, Internal Control and
Related Financial and Business Reporting
- Published by the Financial Reporting Council (FRC)
of the UK
- The committee which wrote the report was
chaired by Nigel Turnbull of The Rank Group plc.
- The report informed directors of their
obligations under the Combined Code with
regard to keeping good "internal controls" in
their companies, or having good audits and
checks to ensure the quality of financial
reporting and catch any fraud before it becomes
a problem. Revised guidance was issued in
2005. The report was superseded by further
FRC guidance issued in September 2014.
Turnbull Report
• It aims to bring together elements of best practice
for risk management; prompt boards to consider
how to discharge their responsibilities in relation to
the existing and emerging principal risks faced by
the company; reflect sound business practice,
whereby risk management and internal control are
embedded in the business process by which a
company pursues its objectives; and highlight
related reporting responsibilities.
COBIT 2019 Framework
COBIT is a framework for the governance and
management of enterprise information and
technology (Enterprise I&T), aimed at the whole
enterprise. Enterprise I&T means all the technology
and information processing the enterprise puts in
place to achieve its goals, regardless of where this
happens in the enterprise. In other words, enterprise
I&T is not limited to the IT department of an
organization, but certainly includes it.
COBIT 2019 Framework
- Control Objectives for Information and
Related Technology (COBIT)
- Created by ISACA for optimizing
enterprise IT governance
- COBIT’s continuing role as an important
driver of innovation and business
transformation

Internal Control Framework

COSO Internal Control – Integrated Framework 2013
- Published by the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) for determining what constitutes effective internal control.
- Helps organizations design and implement internal control in light of many
changes in business and operating environments, broadens the application of
internal control in addressing operations and reporting objectives, and clarifies
the requirements
Internal Control Framework
COSO Internal Control – Integrated Framework 2013
Objectives of Internal Control
A. Operations
- To achieve the entity’s mission
- Safeguarding of assets

B. Reporting
- Reliable, timely, and transparent financial and nonfinancial
information
- Prepared for use by the organization and stakeholders

C. Compliance
- Laws, rules, and regulations that set minimum standards of
conduct
Internal Control Framework
Components and Principles

Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Internal Control Framework
Roles and Responsibilities
Practice Question
The policies and procedures helping to ensure that management
directives are executed and actions are taken to address risks to
achievement of objectives describes
A. Risk assessments
B. Control environments
C. Monitoring
D. Control activities

THE CORRECT ANSWER IS..

Practice Question
Which of the following control models is fully incorporated into the
broader integrated framework of enterprise risk management
(ERM)?
A. CoCo.
B. COSO.
C. Electronic Systems Assurance and Control.
D. COBIT.

THE CORRECT ANSWER IS..

Practice Question
Which of the following is the common name for Internal Control:
Guidance for Directors on the Combined Code?
A. CoSO
B. Turnbull Report
C. CoCo
D. COBIT

THE CORRECT ANSWER IS..

Practice Question
Which of the following are elements of the control environment?
A. Integrity and ethical values
B. Organizational structure
C. Assignment of authority and responsibility
D. All of the answers are correct

THE CORRECT ANSWER IS..

Practice Question
The COSO framework treats internal control as a process designed
to provide reasonable assurance regarding the achievement of
objectives related to
A. Effectiveness and efficiency of operations
B. Reliability of financial reporting
C. Compliance with applicable laws and regulations
D. All of the answers are correct

THE CORRECT ANSWER IS..
Questions