
Chapter 3 Risk Assessment

This document discusses risk assessment and its importance for management and internal auditors. It covers the COSO framework for risk assessment, who uses risk assessment, expanding risk-based auditing approaches, audit risk and its components in financial statement audits, control risk, building a risk assessment plan, and risk management objectives and processes. Key points covered include the need to identify risks from internal and external sources, options to control, accept, avoid, diversify, or transfer risks, and how assertions relate to account balances and transaction classes in a financial statement audit.

Risk Assessment

1. COSO Philosophy
2. Who Uses Risk Assessment?
3. Expanding Risk-based Auditing
4. Audit Risk and Its Components in Financial Statements Audits
5. Control Risk
6. A Risks Inventory
7. Basic Questions on Risk
8. Bell Canada's Risk Assessment Strategy
9. Internal Auditors and EC (Electronic Commerce) Risks
10. EDI Risk
11. Risks of Management Fraud
12. Building the Risk Assessment Plan

Tambun Hutabarat

13. Risk Management


14. Objectives of the Risk Management Process
15. Analytical Methods
17. Internal Control Questionnaires
16. Matrix Analysis
17. Preventive and Detective Controls
18. COSO Illustrative Methodology
19. The Courtney Method
20. Another Method of Assigning Value
21. Risk Evaluation Systems
22. The Need for Several Tools
23. A Concluding Comment

1. COSO Philosophy
Risk assessment is critical to management and the internal auditor. Federal
law requires annual risk assessments for certain banks, and good
management principles encourage it in other industries and sectors. The
internal auditor must have an understanding of the risk assessment process
and the tools used to make the assessment. The internal auditor must turn
the output of the risk assessment into an audit program that makes sure
needed controls are operating to reduce the risk.
The COSO study, Internal Control-Integrated Framework, begins its
discussion of risk assessment with the following summary:
Every entity faces a variety of risks from external and internal sources
that must be assessed. A precondition to risk assessment is the establishment
of objectives, linked at different levels and internally consistent. Risk
assessment is the identification and analysis of relevant risks should be
managed. Because economic, industry, regulatory and operating
conditions will continue to change, mechanisms are needed to identify
and deal with the special risks associated with change.


COSO Philosophy: examples of risks arising from internal and external sources


1. A new law or regulation diverts resources from operations required to
meet other objectives.
2. A competitor introduces a new product or service that requires
immediate action and creates a new objective while lowering the
priority of former objectives.
3. A technological breakthrough makes one or more objectives obsolete.
4. An incompetent manager puts empire building ahead of the
organization's stated objectives.

2. Who Uses Risk Assessment?


Management uses risk assessment as a part of the process of ensuring the
success of the entity; that fact is clearly discussed in the COSO study.

The IIA issued Statement on Internal Auditing Standards No. 9 on risk
assessment in 1991. Currently the subject is treated in Standards 2210.A1
and further delineated in Practice Advisory 210.A1-1

Planning for Risk Assessment and Exposure


The audit plan should be designed to include consideration of the
organization's risk (Practice Advisory 2010-2, Linking the Audit Plan to
Risk and Exposure).
3. Expanding Risk-based Auditing
Controlling and accepting the risk, or
Avoiding or diversifying the risk, or
Sharing and transferring parts of the risk to other units

This concept of managing risk is becoming increasingly accepted
because of the inevitability of risk in all types of operations and the
need to accommodate it through multiple options of activity. The above
options include:
Controlling organizational activities to reduce the risk elements in size
and number;
Accepting risk by allowing prudent risk that is necessary for progress
and profits;
Avoiding risk that involves the redesign of the business process to
change the risk pattern;
Diversifying risk by spreading the total risk over a number of separate
operations. An example is using multiple vendors for critical material; and
Sharing and transferring the risk by involving contractual
arrangements with third parties to accept some or all of the risk.
Insurance is an example.
Organizations Without a Risk Management Process
The IIA has recently issued to Practice Advisory 2110-1, Assessing the
Adequacy of the Risk Management Process. The latter Advisory treats the
second of the audit aspects mentioned above.
This advisory recommends that internal auditors:
1. Assist the organization in identifying, evaluating, and implementing
risk management and Board concerns and determine how they can be
resolved by a risk management operations and controls.
2. Identify management and Board concerns and determine how they can
be resolved by a risk management process.
3. Bring to management's attention the lack of the risk management
process and provide suggestions for establishing such a process.
4. Obtain an understanding of management's and the Board's expectations
as to internal audit assistance that can be provided in developing a risk
management process.
5. Obtain from management its concepts of the role that internal
auditing should play in the process.
6. Play a proactive role, if requested, in the development of a risk
management process, keeping in mind the exposure to independence
impairment.
7. Abstain from an "ownership of risks" role.

4. Audit Risk and Its Components in Financial Statements Audits


Audit and management are constantly questioning the extent and probability
of risk. Extent is the amount exposed; probability is the likelihood of
occurrence.

The AICPA has provided guidance in this area through several recent
Statements on Auditing Standards (No. 47, No. 53, and No. 55). Audit risk
exists at two levels: the financial statement level and the account balance
(or class of transactions) level. At the financial statement level, audit risk
is the risk that the auditor may unknowingly fail to appropriately modify his
opinion on financial statements that are materially misstated. An auditor is
expected to plan the audit so that audit risk is limited to what in the
auditor's judgment is an appropriately low level.

Management Characteristics
Management decisions are dominated by a single individual.
Management has an extremely aggressive attitude toward financial
reporting.
Management turnover is high.
Management places extreme emphasis on meeting earnings
projections.
Management has a poor reputation in the business community.
Operating and Industry Characteristics
Entity's profitability compared to its industry is adequate or
inconsistent.
Entity's operating results are sensitive to various economic factors.
Entity is in a declining industry.

Entity's organization is decentralized without adequate monitoring of
activities.
Entity may not be a going concern.

Engagement Characteristics
There are many contentious and/or difficult accounting issues.
There are significant transactions or balances that are difficult
to audit.
There are significant and unusual related party transactions.
There is either a prior history of significant misstatement detected
during the audits or no prior history is available.

In considering audit risk at the account balance or class of transactions
level, an auditor must consider financial statement assertions. Assertions
are management representations that are included in an account balance,
class of transactions and disclosures.
SAS identifies five general management (or financial statement)
assertions: existence and occurrence, completeness, rights and
obligations, valuation or allocation, and presentation and disclosure.
For example, management representing that accounts payable for a
division at June 30 amounts to $85,000 is claiming that:
The accounts payable existed at the balance sheet date (existence).
All accounts payable are included (completeness).
The accounts payable are legal obligations (obligation).
The accounts payable are properly valued (valuation or allocation).
All accounts payable are properly disclosed (presentation and
disclosure).

5. Control Risk
Control risk is the risk that a material misstatement that could occur in
an assertion will not be prevented or detected on a timely basis by an entity's
internal control structure, policies, or procedures.

Risk assessment consists of an objective evaluation of risk
in which assumptions and uncertainties are clearly
considered and presented. Part of the difficulty in risk
management is that measurement of both of the quantities
in which risk assessment is concerned - potential loss and
probability of occurrence - can be very difficult to measure.
The chance of error in measuring these two concepts is
large. Risk with a large potential loss and a low probability
of occurring is often treated differently from one with a low
potential loss and a high likelihood of occurring. In theory,
both are of nearly equal priority, but in practice it can be
very difficult to manage when faced with the scarcity of
resources, especially time, in which to conduct the risk
management process. Expressed mathematically,

Organization Without a Risk Management Process
