March 16, 2018

COSO Series, Part 3 of 6: The following article is part three of a six-part series exploring the high-level basics of the COSO Integrated Internal Control Framework.[1] This article provides a high-level overview of the second component of the framework: Risk Assessment.

There are numerous types of business risk that can impair an organization's ability to reach its objectives. Some of these risks include financial, liquidity, exchange-rate, strategic or systematic risk. But how does a business assess which risks it faces and, more importantly, how are those risks managed?

To answer these questions, the organization must perform a risk assessment process, which lays the groundwork for risk response and management. Performing a risk assessment is an iterative, ongoing process that considers the unique variables and risks the organization faces.

The COSO Internal Control Framework helps us understand the underlying principles behind risk assessment. COSO defines risk as the possibility that an event will occur and adversely affect the achievement of objectives.

The Four Principles of Risk Assessment

Risk assessment can be broken down into four distinct principles (related concepts) as follows:

Specify objectives with sufficient clarity in order to identify and assess risks relating to objectives.

Prior to specifying objectives, management must consider its risk tolerance and determine what level of risk is acceptable. Within that pre-determined framework, objectives are considered for operations (e.g., operational and financial performance goals), external financial reporting (e.g., complying with accounting standards), external non-financial reporting (e.g., compliance with laws and regulations), internal reporting (e.g., management reporting) and compliance (e.g., minimum standards of conduct as established by laws and regulations).

Identify risks to the objectives and analyze risks as a basis for determining how the risks should be managed.

The identification and analysis phase should be comprehensive in scope. Management considers risk at all organizational levels and how those risks might impact the organization in terms of severity and likelihood. There are many types of risk to consider; two broad categories are external and internal risks. External risks might include economic (e.g., barriers to competitive entry), regulatory (e.g., new anti-trust law), natural environment (e.g., earthquakes or other natural disasters), and foreign operations (e.g., change of government in a country with operations). Internal risks might include personnel (e.g., quality of new hires), infrastructure (e.g., use of capital resources), and technology (e.g., disruption in information systems). After identifying and analyzing a risk, management must decide whether to take no action (accept), stop the activity giving rise to the risk (avoid), take action to mitigate the risk (reduce), or transfer some of the risk to another party (share).

Consider the potential for fraud in assessing risks to the achievement of objectives.

The consideration of fraud should cover multiple areas, including fraudulent financial reporting, loss of assets and the possibility of corruption. Following the concept of the "Fraud Triangle," this consideration takes into account the incentives and pressures, opportunities, and potential rationalizations that could lead someone to commit fraud. Generally, internal controls are put in place to mitigate the risk of fraud; they can vary considerably depending on the organizational structure and the individual risks involved.

Identify and assess change that could significantly impact the system of internal control.

Management must consider the possibility and effect of change to the external environment (e.g., regulatory, economic, physical), the business model (e.g., new business lines, newly acquired business operations) and leadership (e.g., a new philosophy on the system of internal control). Considering change and assessing risk are very similar activities. However, change should be discussed separately from the regular risk assessment process because of its importance to the effectiveness of internal control. Consideration of change should lead to forward-looking mechanisms that can anticipate and plan for potential change.

The principles described in this article represent a high-level, basic overview of the risk assessment process. As you begin performing a risk assessment, it is important to consider all the underlying principles and how they uniquely apply to your organization. This can be complicated, but Clark Nuber can help with this process. Contact Mike Nurse for more information.

For complete and detailed information about the Framework, Components and Principles, we encourage you to explore and learn more at

[1] COSO is an acronym for Committee of Sponsoring Organizations of the Treadway Commission. It was formed in 1992 as a joint initiative of five organizations, including the American Institute of CPAs and the Institute of Internal Auditors, among others. Since that time, the committee has been developing and refining frameworks and guidance around enterprise risk management, internal control and fraud deterrence, with the most recent revisions of the Internal Control – Integrated Framework model in 2013.

© Clark Nuber PS and Focus on Fraud, 2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Developing News with appropriate and specific direction to the original content.

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.