ACT1110

Fundamental Concepts of
Risk Management and Internal Control System
 a) Explain different definitions of Risk and Risk Management
b) Discuss globally accepted frameworks on risk management internal control (i.e.,
COSO, ISO 31000, CoCo, COBIT)
c) Discuss the Risk Management Process according to COSO
d) Explain the definition of Controls and Internal Control
e) Differentiate roles and responsibilities to Risk Management and Internal Control
System

Learning Objectives
 OBJECTIVES CONTROLS
Defined, intended Increase the likelihood of
outcomes achieving objectives

RISKS
Possibility of an event occurring that will have an impact on the
achievement of objectives

GOVERNANCE
Ensure entity effectively and efficiently directs toward meeting the
objectives

Overview
Illustration
 Objective
Wake up at 4:30am to go to school as early as possible
Risk
Oversleeping
Insomnia
Controls
Set up alarm clock
Drink milk or take herbal sleeping medicine
Inform other people
Governance
Parents advise you before you sleep
Sermon

Illustration
What is risk?
 Risk
The possibility of an event occurring that will have an impact on the achievement
of objectives. Risk is measured in terms of impact and likelihood.

If realized (or if it happens) , would Occurring over a

affect the company. predefined time period
Factors that define
impact rating
- Financial effect
- Reputation
- Ability to achieve key
objectives

Definition of Terms
 Residual Risk
after a risk response

Opportunity
event will occur and positively affect the achievement of objectives

Risk Appetite
amount of risk is willing to accept in pursuit of value

Risk Tolerance
specific maximum risk that an organization is willing to take regarding each
relevant risk

Definition of Terms
 Objective Risk

To win; Losing - which

To have enough may lead to
money to eat hunger and
and afford a sleeping on
jeepney ride the street
home after
playing

Example – Risk Appetite & Tolerance

 Example - color game (P100)

Low Level – P1 - 10
Risk Appetite – P11 – 50
Risk Tolerance – additional P10 loss

Definition of Terms
 Risk should read as if something went wrong and what the impact of this would
be

Example:
Unauthorized changes are made to the payroll master data resulting in payments to
fictitious employees

Risk should not be:

- A negative control or absence of control
- A process

Recognition
 Risk Management
A process to identify, assess, manage, and control potential events or situations to
provide reasonable assurance regarding the achievement of the organization's
objectives

Definition of Terms
 COSO ERM - Integrated
Framework
- Enterprise Risk Management (ERM) -
Integrated Framework
- Published by the Committee of
Sponsoring Organizations of the
Treadway Commission (COSO)
- A structure which Defines essential
components, suggests a common
language, and provides clear direction
and guidance for enterprise risk
management.

Risk Management
Framework
 COSO was established initially to sponsor research into the causes of fraudulent financial reporting.

Risk Management
Framework
Enterprise Risk Management
- a process, effected by an entity's board
of directors, management and other
personnel, applied in strategy setting and
across the enterprise, designed to identify
potential events that may affect the
entity, and manage risks to be within its
risk appetite, to provide reasonable
assurance regarding the achievement of
entity objectives.

Risk Management
Framework
Risk Management
Framework
Risk Management
Framework
 RISK MANAGEMENT OBJECTIVES
1. Strategic – high-level goals, aligned
with and supporting its mission

2. Operations – effective and efficient use

of resources

3. Reporting – helps ensure accuracy,

completeness and reliability of internal
and external company reports of both
financial and non-financial nature.

4. Compliance – compliance with

applicable laws and regulations.

Risk Management
Framework
 ENTITY AND UNIT LEVEL COMPONENTS

Risk Management
Framework
RISK COMPONENTS

Risk Management
Framework
RISK COMPONENTS

Risk Management
Framework
RISK COMPONENTS

Risk Management
Framework
RISK COMPONENTS

Risk Management
Framework
RISK COMPONENTS

Risk Management
Framework
RISK COMPONENTS

Risk Management
Framework
RISK COMPONENTS

Risk Management
Framework
RISK COMPONENTS

Risk Management
Framework
 ISO 31000:2018 Risk
Management – Guidelines
- Published by the International
Organization for Standardization (ISO)
- Provides principles and guidelines for
effective risk management.
- Standards that Provide foundations for
discussing risk management and
undertaking a critical review of an
organization’s risk management process

Increase the likelihood of achieving objectives, improve the identification of opportunities

and threats and effectively allocate and use resources for risk treatment.

Risk Management
Framework
 International Organization for Standardization

Risk Management
Framework
 1. Risk Identification
- Performed for the entire entity
- Audit/ Risk Universe
- Brainstorming, SWOT (strengths, weaknesses, opportunities, threats),
scenario analysis

Risk Management Process

 1. Risk Identification
- Performed for the entire entity
- Audit/ Risk Universe
- Brainstorming, SWOT, scenario analysis
Accounting Liquidity
Capital
and and Market Tax
structure
reporting credit
Market Sales and
Dynamics Marketing

Major Supply
initiatives Financial Chain
reporting

Mergers,
Acquisitions, Information
and Technology
divestiture
Strategic Audit Universe Operations

Planning
People/
and
Human
Resource
Resources
Allocation
Compliance
Governance Hazards

Communication Physical
and investor Code of Assets
Regulatory Legal
Relations Conduct

Risk Management Process

 2. Risk Assessment and Prioritization
- Probabilities and potential effects of the risk events identified are used to
prioritize risks

Involves
- Estimate significance/impact
- Assess likelihood
- Consider means to manage

Risk Modeling
- Qualitative methods – listing, ranking and mapping
- Quantitative methods – probabilistic models, weighted

Risk Management Process

 2. Risk Assessment and Prioritization
Heat Map
Overall risk assessment

►High ►M ►H ►H
Impact
►Moderate ►L ►M ►H

►Low ►L ►L ►M

► Low ► Moderate ► High

Likelihood

Risk Management Process

 3. Risk Response

Risk Avoidance
ends the activity
Ex. Risk of having a pipeline sabotaged can be avoided by selling the pipeline

Risk Retention
accepts the risk
Ex. self-insurance; sinking funds

Risk Management Process

 3. Risk Response

Risk Reduction
lowers the level of risk
Ex. Risk of system penetration can be reduced by maintaining a robust information
security function within the entity

Risk Sharing
transfer some loss potential
Ex. Risk of car crash can be accepted through insurance

Risk Exploitation
pursue a high return on investment
Ex. Risk of winning or losing a lottery

Risk Management Process

 4. Risk Monitoring
- Tracks identified risks
- Evaluates current risk response
- Monitors residual risks
- Identifies new risks

Risk Management Process

Practice Question
 Which of the following is the correct order of steps in the risk
management process?

1. Identify risks
2. Monitor risk responses
3. Formulate risk responses
4. Assess and prioritize risks
5. Identify context

A. 5, 1, 4, 3, 2.
B. 1, 4, 3, 2, 5.
C. 1, 3, 5, 4, 2.
D. 1, 5, 4, 3, 2.

THE CORRECT
Practice Question ANSWER IS..
 A chief audit executive is reviewing the following enterprise-wide
risk map:

Which of the following is the correct prioritization of risks,

considering limited resources in the internal audit activity?
A. Risk B, Risk C, Risk A, Risk D.
B. Risk C, Risk A, Risk D, Risk B.
C. Risk C, Risk A, Risk B, Risk D.
D. Risk A, Risk B, Risk C, Risk D.

THE CORRECT
Practice Question ANSWER IS..
 Which risk response reflects a change from acceptance to sharing?
A. An insurance policy on a manufacturing plant was not renewed.
B. Management purchased insurance on previously uninsured
property.
C. Management sold a manufacturing plant.
D. After employees stole numerous inventory items, management
implemented mandatory background checks on all employees.

THE CORRECT
Practice Question ANSWER IS..
 Many organizations use electronic funds transfer to pay their
supplier instead of issuing checks. Regarding the risk associated
with issuing checks, which of the following risk management
techniques does this represent?
A. Avoiding
B. Transferring
C. Controlling
D. Accepting

THE CORRECT
Practice Question ANSWER IS..
 Inherent risk
A. The risk when management has not taken action to reduce the
impact or likelihood of an adverse event
B. The risk after management takes action to reduce the impact or
likelihood of an adverse event
C. A potential event that will adversely affect the organization
D. Risk response

THE CORRECT
Practice Question ANSWER IS..
What is control?
 Control
Any action taken by management, the board and other parties to manage risk
and increase the likelihood that established objectives and goals will be achieved.

Direct responsible
Guidance, direction and
oversight
Frontline Personnel – minimum of
what is expected
Auditor– evaluate and monitor

Definition of Terms
 Internal Control
A process effected by an entity’s board of directors, management and other
personnel designed to provide reasonable assurance of the achievement of
objectives.

Definition of Terms
 CoCo Internal Control
Framework
- Guidance on Control (commonly
referred to as CoCo based on its original
title Criteria of Control)
- Published by the Canadian Institute of
Chartered Accountants (CICA)

A person performs a task, guided by an understanding of its purpose (the objective to be achieved) and
supported by capability (information, resources, supplies and skills). The person will need a sense of
commitment to perform the task well over time. The person will monitor his or her performance and the
external environment to learn about how to do the task better and about changes to be made. The same is
true of any team or work group. In any organization of people, the essence of control is purpose,
commitment, capability, and monitoring and learning

Internal Control
Framework
 Turnbull Report
- Guidance on Risk Management, Internal
Control and Related Financial and
Business Reporting
- Published by the Financial Reporting
Council (FRC) of the UK

A report which brings together elements of best practice for risk management; prompt boards to consider
how to discharge their responsibilities in relation to the existing and emerging principal risks faced by the
company; reflect sound business practice, whereby risk management and internal control are embedded in
the business process by which a company pursues its objectives; and highlight related reporting
responsibilities.

Internal Control
Framework
 COBIT 2019 Framework
- Control Objectives for Information and
Related Technology (COBIT)
- Created by ISACA for optimizing
enterprise IT governance (to help
businesses develop, organize and
implement strategies around information
management)

Effective governance over information and technology is critical to business success, and this new release
further cements COBIT’s continuing role as an important driver of innovation and business transformation

Internal Control
Framework
 COSO Internal Control – Integrated
Framework 2013

Internal Control
Framework
 COSO Internal Control – Integrated
Framework 2013
Objectives of Internal Control
- Published by the Committee of Sponsoring
Organizations of the for determining what constitutes
effective internal control. Treadway Commission
(COSO)
- Help​​organizations design and implement internal
control in light of many changes in business and
operating environments, broaden the application of
internal control in addressing operations and
reporting objectives, and clarify the requirements

Internal Control
Framework
 COSO Internal Control – Integrated
Framework 2013
Objectives of Internal Control
A. Operations
- To achieve entity’s mission
- Safeguard of assets

B. Reporting
- Reliable, timely, and transparent financial and
nonfinancial information
- Prepared for use by the organization and stakeholders

C. Compliance
- Laws, rules, and regulations that set minimum
standards of conduct

Internal Control
Framework
Components and Principles
Control Environment 1.Demonstrates commitment to integrity and ethical values
2.Exercises oversight responsibility
3.Establishes structure, authority and responsibility
4.Demonstrates commitment to competence
5.Enforces accountability

6.Specifies suitable objectives

Risk Assessment
7.Identifies and analyzes risk
8.Assesses fraud risk
9.Identifies and analyzes significant change

10.Selects and develops control activities

Control Activities
11. Selects and develops general controls over technology
12.Deploys through policies and procedures

13.Uses relevant information

Information & Communication
14.Communicates internally
15.Communicates externally

Monitoring Activities 16.Conducts ongoing and/or separate evaluations

17.Evaluates and communicates deficiencies

Internal Control
Framework
Components and Principles

Control Environment

Internal Control
Framework
Components and Principles

Risk Assessment

Internal Control
Framework
Components and Principles

Control Activities

Internal Control
Framework
Components and Principles

Information & Communication

Internal Control
Framework
Components and Principles

Monitoring Activities

Internal Control
Framework
Roles and Responsibilities
Practice Question
 The policies and procedures helping to ensure that management
directives are executed and actions are taken to address risks to
achievement of objectives describes
A. Risk assessments
B. Control environments
C. Monitoring
D. Control activities

THE CORRECT
Practice Question ANSWER IS..
 Which of the following control models is fully incorporated into the
broader integrated framework of enterprise risk management
(ERM)?
A. CoCo.
B. COSO.
C. Electronic Systems Assurance and Control.
D. COBIT.

THE CORRECT
Practice Question ANSWER IS..
 Which of the following is the common name for Internal Control:
Guidance for Directors on the Combined Code?
A. CoSO
B. Turnbull Report
C. CoCo
D. COBIT

THE CORRECT
Practice Question ANSWER IS..
 Which of the following are elements of the control environment?
A. Integrity and ethical values
B. Organizational structure
C. Assignment of authority and responsibility
D. All of the answers are correct

THE CORRECT
Practice Question ANSWER IS..
 The COSO framework treats internal control as a process designed
to provide reasonable assurance regarding the achievement of
objectives related to
A. Effectiveness and efficiency of operations
B. Reliability of financial reporting
C. Compliance with applicable laws and regulations
D. All of the answers are correct

THE CORRECT
Practice Question ANSWER IS..
Questions
Thank you