
ACCOUNTING INFORMATION SYSTEM

THE STAGES OF RISK ASSESSMENT OF INTERNAL CONTROL


BY
INNEY SILDA LATIFAH
1410532040
INTERNATIONAL ACCOUNTING
1. INTRODUCTION
Internal control is very important for achieving a company's goals. In the
absence of internal controls, the company's objectives cannot be achieved effectively and
efficiently. The larger the company, the more important internal controls become.

According to COSO (The Committee of Sponsoring Organizations of the Treadway
Commission), internal control is a process carried out by the Board of Directors, management
and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:

Effectiveness and efficiency of operations
Reliability of financial statements
Compliance with applicable laws and regulations.

Meanwhile, risk assessment is a part of the internal control component that is also
important to carry out. The risk assessment for a particular issue forms the foundation for making a
decision about future actions. That decision may be to perform additional analyses, to perform
activities that reduce the risk, or to do nothing at all.

2. DEFINITION OF RISK ASSESSMENT

Risk assessment is the entity's identification and analysis of relevant risks to
achieving its objectives, forming a basis for determining how risks should be managed.
Risk assessment for financial reporting purposes is the organization's identification,
analysis and management of risks associated with the preparation of
financial statements presented in accordance with generally accepted accounting
principles.

Risks can arise or change due to the following circumstances:

1. Changes in the operating environment
2. New personnel
3. New or revamped information systems
4. New technologies
5. New product lines, products, or activities
6. Corporate restructuring
7. Operations abroad
8. New accounting standards

All entities face risks, which depend on the size, structure, properties, or type of
company. Risks can be both external and internal, and all must be controlled.
Changes in economic, industry, regulatory and operating conditions can give rise to distinct
risks that management must address immediately.

The auditor is concerned with understanding the risk assessment carried out by
management, such as the identification of risks to the financial statements, the evaluation of
their likelihood of occurrence, and management's decisions on the action to be taken.

3. BASIC GOALS OF RISK ASSESSMENT

Identify potentially hazardous situations, apply appropriate methods to estimate the
likelihood that a hazard occurs and the uncertainty in that estimate, and
provide alternative solutions to reduce the risk by doing one or more of the following:

1. Eliminating any possibility of the hazard occurring,
2. Reducing the likelihood that the hazard occurs,
3. Limiting any negative consequences of the hazard,
4. Estimate the effectiveness of those solutions,
5. Provide information on which to base a risk management decision, and
6. Estimate the uncertainty associated with the analysis.

4. THE IMPORTANCE OF RISK ASSESSMENT

Risk assessments are very important. They help to:

1. Create awareness of hazards and risks.
2. Identify who may be at risk (employees, cleaners, visitors, contractors, the public, etc).
3. Determine if existing control measures are adequate or if more should be done.
4. Prevent injuries or illnesses when done at the design or planning stage.
5. Prioritize hazards and control measures.

5. STAGES OF THE RISK ASSESSMENT

Companies should be aware of the risks they face and be prepared to deal with them. Objectives
need to be set in an integrated way across all value chain activities, so that the
company operates properly. After the objectives have been set, the company should
identify the risks to achieving these objectives, analyze them, and develop ways to manage them
through its internal control system, using the risk management steps below.
1. Identify threats.
2. Estimate the risk.
3. Estimate the risk exposure.
4. Identify controls.
5. Estimate the costs and benefits.
6. Establish cost-effectiveness and benefits.
7. Document the results of the identification and measurement of risk (Risk Register).
The following is an applied example of using a template for the identification and
measurement of risk:

5.1. Risk Identification

a) Identification (classification) of assets

The first column is the asset. It is filled with the names or types of assets generated in
running the bank's business processes and the assets that support the implementation of those
business processes. The assets in question are not assets in the accounting sense, but everything
that has value to the organization and should be secured, including data, software,
hardware, networking and data communications, supporting facilities and human
resources. Determine the asset owner and identify how critical (or not) each asset is
for the work units that use and provide IT. Assets are
classified according to sensitivity analysis and determination of critical levels as in
the above table and then entered in column 1 of the Risk Register form.
Example: customer information in hardcopy.

b) Identification and evaluation of the risks associated with the asset

Column 2 of the Risk Register is filled with the identification and evaluation, by the IT user
and provider units, of potential failures or shortcomings of the existing security processes
applied to the Bank assets that have been defined, which could significantly affect the Bank's
performance. One asset can have several risks. Example entry in column 2 (description of
risk): Information leaked to unauthorized parties.

c) Vulnerability analysis
Column 3 of the Risk Register is filled with the vulnerability factors that could cause the failures
or weaknesses of IT security (risks) identified in column 2. Each risk can have several vulnerabilities.
Example entries in column 3:
- Security of archive storage cabinets is inadequate;
- Customer information is not stored properly in its proper place.

5.2. Risk Measurement

The magnitude of the effect of a risk can be identified by assessing the likelihood of the risk
and the impact that it can cause to business processes. The measurement
criteria used refer to the risk assessment methods applicable in the Bank. This process is
carried out by personnel who know the business processes and the security of the
information in the process. Columns 4, 5, and 6 are filled with the Bank's measurements
of the likelihood and the impact of the risks before control is carried out on the asset,
while columns 8, 9 and 10 are filled with the Bank's measurements of the likelihood and the
impact of the risks after control is carried out on the asset.

a) Measurement of Likelihood (Probability)

Column 4 of the Risk Register is filled with the inherent likelihood, which is the likelihood of
the risk before any control. Column 8 is filled with the residual likelihood, which is the
likelihood of the risk after control. The likelihood can be measured with measurement
criteria, that is, a quantitative value for the likelihood of the risk mentioned in the description of the
risk. The likelihood can be quantified as the size of the risk in units of time, such as the frequency of
occurrence every day, every week, every month, or every year. Examples of likelihood
measurement criteria:
Example entry of the inherent likelihood measurement result in column 4 of the Risk Register
form: Level 4
Example entry of the residual likelihood measurement result in column 8 of the Risk Register
form: Level 3

b) Measurement of Impact (severity)

Column 5 of the Risk Register is filled with the inherent impact, which describes the level of damage
caused by the occurrence of the risk to the asset before the implementation of control.
Column 9 is filled with the residual impact, which describes the level of damage caused by the
risk to the asset after the implementation of control.

Examples of impact classification:

Example entry of the impact measurement result in column 5 of the Risk Register
form: Level 5
Example entry of the impact measurement result in column 8 of the Risk Register
form: Level 2

c) Determination of Risk Value

Column 6 of the Risk Register is filled with the Basic Risk Value (NRD), which is the risk level of the
asset before the implementation of control. Column 10 is filled with the Final Risk Value (NRA), which is
the risk level of the asset after the implementation of control. As explained in Chapter I, the
Bank may determine its own method of ranking in the risk assessment matrix. The risk
assessment in this example was measured using three levels: Low, Medium, and
High, as follows:
Example entry of the NRD determination result in column 6: High
Example entry of the NRA determination result in column 10: Medium

5.3. Identification of Implemented Controls
Column 7 of the Risk Register is filled with the control measures that have been implemented by the
Bank to reduce the risk to the identified assets, such as:
- The Bank's policies and procedures related to the assets;
- The use of certain technologies to control the risk automatically or systematically, such as audit
logs, online approval, and parameter values in the system.
Examples of control entries in column 7 for assets such as customer information in
hardcopy form:
- Provisions regarding the management of archives;
- Access to the archives should use a PIN;
- The use of CCTV.

5.4. Risk Expected Value

For all identified assets, the Bank should determine the expected risk value (risk
limit). For example, if the expected risk of leakage of confidential customer information
should be at a Low level, column 11 is filled with Low.

5.5. Risk Value Analysis
After all the steps above are done, a sample of the completed Risk Register form is as
follows:
Once the Risk Register form is filled in, the Bank analyzes the risk value of each identified
asset. The difference between the NRA of Medium and the NRD of High shows how far the likelihood
and impact of the risk are reduced compared with the case where controls (risk control systems) are not
applied. Banks should analyze whether there are risks that have not yet been controlled but to which
a particular form of control can be applied. The comparison between the NRA and the expected
risk value of each identified asset is the basic parameter for the steps necessary to mitigate the
risks. For example, if the expected risk of leakage of confidential customer information must
be at Low level, extra control is necessary when its Final Risk Value is still Medium, and the Bank
further stipulates a Risk Management Plan for the asset. For example, Banks need to improve
the risk control system for the security of information and update the security policies and
procedures.

Risk is the amount of harm that can be expected to occur during a given time period due
to a specific harm event (e.g., an accident). Statistically, the level of risk can be calculated as
the product of the probability that harm occurs (e.g., that an accident happens) multiplied by
the severity of that harm (i.e., the average amount of harm or more conservatively the
maximum credible amount of harm). In practice, the amount of risk is usually categorized
into a small number of levels because neither the probability nor harm severity can typically
be estimated with accuracy and precision.
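
The register analysis described in sections 5.2 to 5.5, as an added example that is not part of the original paper: it derives NRD and NRA from likelihood and impact levels and compares the NRA with the expected risk value. The 1-5 scale, the Low/Medium/High cut-offs, the class and function names, and the second register row are assumptions; the paper leaves the matrix to the Bank.

```python
from dataclasses import dataclass

ORDER = {"Low": 0, "Medium": 1, "High": 2}

def risk_value(likelihood, impact):
    """Rank 1-5 likelihood x 1-5 impact as Low/Medium/High (assumed cut-offs)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("levels must be between 1 and 5")
    score = likelihood * impact
    return "High" if score >= 15 else "Medium" if score >= 5 else "Low"

@dataclass
class RegisterRow:
    asset: str             # column 1
    risk: str              # column 2
    vulnerabilities: list  # column 3
    inherent: tuple        # columns 4-5: (likelihood, impact) before control
    controls: list         # column 7
    residual: tuple        # columns 8-9: (likelihood, impact) after control
    expected: str          # column 11: risk limit set by the Bank

    def analyse(self):
        nrd = risk_value(*self.inherent)  # column 6, Basic Risk Value
        nra = risk_value(*self.residual)  # column 10, Final Risk Value
        if not self.controls:
            action = "no control applied: identify a control"
        elif ORDER[nra] > ORDER[self.expected]:
            action = "above risk limit: risk management plan"
        else:
            action = "within risk limit"
        return {"asset": self.asset, "NRD": nrd, "NRA": nra, "action": action}

# Row 1 uses the paper's example values; row 2 is constructed for contrast.
REGISTER = [
    RegisterRow("Customer information in hardcopy",
                "Information leaked to unauthorized parties",
                ["Archive cabinet security inadequate",
                 "Customer information not stored in its proper place"],
                (4, 5),
                ["Archive management provisions", "PIN access", "CCTV"],
                (3, 2), "Low"),
    RegisterRow("Branch visitor log (constructed)", "Log lost (constructed)",
                ["No backup copy (constructed)"], (2, 2), [], (2, 2), "Low"),
]

def review(register):
    return [row.analyse() for row in register]

if __name__ == "__main__":
    print(*review(REGISTER), sep="\n")
```
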

6. RISK MATRIX

A Risk Matrix is a matrix that is used during Risk Assessment to define the various levels of
risk as the product of the harm probability categories and harm severity categories. This is a
simple mechanism to increase visibility of risks and assist management decision making.

Although many standard risk matrices exist in different contexts (US DoD, NASA, ISO),[1][2][3]
individual projects and organizations may need to create their own or tailor an existing
risk matrix.

For example, the harm severity can be categorized as:

Catastrophic - Multiple Deaths

Critical - One Death or Multiple Severe Injuries

Marginal - One Severe Injury or Multiple Minor Injuries

Negligible - One Minor Injury

The probability of harm occurring might be categorized as 'Certain', 'Likely', 'Possible',
'Unlikely' and 'Rare'. However, it must be considered that very low probabilities may not be
very reliable.

The resulting risk matrix could be


The company or organization would then calculate what levels of risk they can take with
different events. This would be done by weighing up the risk of an event occurring against the cost to
implement safety and the benefit gained from it.

7. CONCLUSION

Based on the discussion above, we can conclude that it is very important for companies to
do risk assessment. Each company will face its own risks, which
depend on the size, structure, properties, or type of the company. Many factors
give rise to risk and also to uncertainty. The basic goal of risk assessment is to eliminate the risk or at
least reduce it, limiting the negative consequences of a hazard,
estimating the effectiveness of the solution, providing information on which to base risk
management decisions, and estimating the uncertainty associated with the analysis. Companies
need to do risk assessment because risk assessment, as part of the
internal control component, has a big role in achieving the company's goals. It addresses the
probability of the risk, how big the risk is, the impact of the risk and other factors that may inhibit
the achievement of the company's goals. There are several stages in risk assessment: risk
identification, risk measurement, determination of risk value, risk expected value and, lastly,
risk value analysis.
