Internal Control Risk Assessment

Based on the COSO framework, internal control consists of five integrated components:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring Activities

We have discussed the Control Environment in a previous blog. This blog will address Risk Assessment.

Businesses face a wide range of risks, including industry risk, strategic risk, operation risk, compliance risk and financial risk. Some risks are relatively significant, which may cause loss of profits or even bankruptcy. A classic example of industry risk is when film giant Kodak filed for bankruptcy after consumers embraced the newer technology of digital cameras and the film era ended.

Internal Control Risks

Internal control risks are risks that affect the effectiveness and efficiency of internal controls and thus affect the achievement of objectives. They are a part of operation risk and compliance risk. Operation risk refers to the unexpected failure in organization’s daily operations, which could be caused by personnel and/or processes. Compliance risk is the risk of not maintaining compliance with laws or regulations, such as the Sarbanes-Oxley Act (SOX) or the Foreign Corrupt Practices Act (FCPA). For example, if the Accounts Payable process in an organization is broken, the risk of fraudulent vendors and unauthorized payments would be higher. If a public organization fails to have effective internal controls over financial reporting, the organization faces a serious compliance risk.

An effective internal control system can minimize the risks that may affect achievement of the objectives. The common internal control risks in business include lack of sound internal control environment, poorly designed business processes, IT security risk, integrity and ethic risk, human errors and fraud risk, among others.

What Is Risk Assessment?

Proper risk assessment can assist an organization in managing risks and making decisions. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Please remember that risk management and internal controls are not objectives in themselves. They should always be considered when setting and achieving organizational objectives.

How do you conduct a risk assessment? Certainly you could perform the risk assessment internally with a meeting of management, and no doubt this approach will identify some risks and is better than no risk assessment at all. However, to be more comprehensive, we will introduce you to the Risk Control Matrices (RCM) for internal control risk assessment. The following are procedures to conduct risk assessment using the RCM.

  • Inquiries of management and others within an organization.
  • Observation and inspection.
  • Review of previous years’ audit report, management letters and board minutes.
  • Business process mapping and identification.

The RCM is a risk assessment tool to help an organization directly identify the risks between objectives and controls. For example, when an organization has an objective for example that new vendors must be authorized before making a purchase, but the organization does not have an internal control in place to ensure the achievement of the objective, you know immediately that the company incurs the risk of utilizing fraudulent vendors. The next step could be to remediate the risk accordingly.

Key Components in the RCM

To obtain a better understanding of the RCM, there are some key components in the RCM you need to know.

  • Objectives: The purpose of risk assessment is to identify and manage risks that affect the achievement of objectives, so objectives are critical components in the RCM. Taking COSO compliance as an example, management in an organization should determine the appropriate COSO objective—operations, financial reporting, or compliance. If an organization’s primary objective is reliability of financial reporting, all sub-objectives of each control activity should serve the top objective.
  • Control Activities: Control activities refer to internal controls. They are actions taken to meet the predefined objectives. For example, if the objective is that “financial statements include all required disclosures," and the control activities are that the “Controller completes the SEC checklist quarterly to ensure all necessary disclosures are included in the financial reports” and “the CFO reviews disclosures to double-check completeness," the control activities help to achieve the objective.
  • Risks: Risks are really quite simple. If no control activities assist in meeting the objectives, the risk of failure to achieve objectives exists. For example, if no internal control ensures all required disclosures are included in financial statements, the risk of incomplete disclosures exists and the objective that financial statements include all required disclosures is not achieved. If the sub-objective is not achieved, the primary objective of reliable financial reporting cannot be achieved.
  • Process Owners: The process owner is a critical component in the RCM because this establishes accountability. Each control activity should hold someone accountable because accountability is the expectation that process owners are responsible for the completeness, quality and the timeliness of control activities. The process owner could be a person’s name or a position title. From experience, we recommend write a person’s name as process owner where if possible, which may make the RCM a bit more maintenance heavy, but people simply pay more attention when they see their names.
  • Financial Statement Assertions: For each internal control, management should identify relevant financial reporting assertions, including completeness, existence and occurrence, rights and obligations, valuation or allocation, and/or presentation and disclosure. The identification provides evidence that internal controls are in place for all relevant financial reporting assertions for all significant accounts and disclosures. If there are any significant gaps, an organization would remediate them accordingly. We will provide a download file to explain financial statement assertions.
  • Preventive or Detective: This component identifies if a control is a preventive control or a detective control. Detective controls are designed to detect errors or irregularities that may have occurred. Preventive controls, on the other hand, are designed to keep errors or irregularities from occurring in the first place. For example, it is a preventive control that you lock the petty cash in a locked drawer. It is a detective control that the Controller reviews and approves the monthly petty cash reconciliation. Clearly, preventive is better than detective.
  • Key or Non-key: This component displays management’s determination if a control is a key control or non-key control. The objective has direct impact on the determination of key or non-key controls. If the objective is reliability of financial reporting and a control activity most effectively and efficiently reduces the likelihood of a material misstatement being reported in the financial statements, the control is identified as a key control, or vice versa.
  • The RCM helps to directly identify risks between objectives and controls. In the meanwhile, the RCM also assists in identifying gaps in controls. Gaps exist when a stated objective is not matched with an effective control activity. For example, after conducting a risk assessment using the RCM, you may find that management does not have predefined relevant objectives, or some objectives are incompatible with broader or the top objectives.

    To better understand and apply the use of the RCM, we can provide a RCM sample for download. Please click the button below to download a RCM and let us know when you have any comments or questions.

    Download the RCM Template


    Emma Zhang is an experienced audit professional, with more than six years of internal audit & Sarbanes Oxley (SOX) compliance focusing on operations, accounting, internal controls and process improvement. Competencies include operational auditing, accounting, management consulting, Sarbanes Oxley (SOX) compliance, audit planning and risk assessments, operational/financial planning and analysis, and data analysis. Emma is a resourceful, creative thinker and analytical problem solver with demonstrated ability to independently manage tasks from planning through execution in dynamic, fast-paced, and time-sensitive environments. Emma is a CPA with a CFE certificate. Emma is also a Blackline Certified Implementation Professional and helps clients to implement Blackline system.