o While reporting objectives pertain to internal and external
financial and non-financial reporting encompassing
reliability, timeliness, and transparency
o And lastly, Compliance objectives pertain to adherence to
laws and regulations governing the entity.
To differentiate risk tolerance and risk appetite,
risk appetite is a higher-level statement that
broadly considers the levels of risk that the entity
deems acceptable, while risk tolerances are
narrower and set per specific performance
measure.
Moving on, we have inherent risk which is the risk to
the achievement of objectives in the absence of any
actions management might take to alter either the risk
likelihood or impact. On the other hand, residual risk
is the risk that remains after management’s
responses have been designed and implemented.
And lastly, the risk response is defined as the
decision to accept, avoid, reduce or share risk.
So those are the five concepts that entities consider in a risk
assessment. Going back to defining the five components, we
have Control Activities next,
Well, what’s more interesting is that COSO depicted the
relationship between them in the form of a cube.
- Let’s look at it in the next slide, please –
o Reporting objectives comprising external financial reporting
and internal non-financial reporting
o And lastly, compliance objectives
NEXT SLIDE, PLEASE
The first step in this principle is to set the objectives before
management can identify potential events affecting their
achievement. Management first identifies its mission (its
purpose and why it exists) and its vision (where it wants to
go), then its strategy for achieving its objectives.
entity and analyzes risks as a basis for determining how the risks should be managed.
Likelihood is the possibility that a given event will occur and the
impact is the magnitude of effect of the given event. The table
below illustrates the correlation between the likelihood and the
impact of a given event.
Next slide please.
In the risk analysis of impact, we have Low, Moderate and High.
Low is usually indicated when there is no potential impact on
market share or on the brand value of the company, or issues
can be easily resolved by junior management and staff.
Low to Moderate has consequences that can be absorbed under
normal operating conditions.
Moderate is when market share and/or brand value will be
affected in the short term and the event will require senior and
middle management intervention.
Moderate to High is a serious diminution of brand value and
market share with adverse publicity.
High, at the extreme, is a sustained serious loss in market
share of the entity.
So now that we have identified and analyzed the risks, we shall now
determine how to respond to these risks, whether we should:
1. Accept (where no action is taken to affect risk likelihood or
impact)
2. Avoid (which may involve exiting a product line, declining
expansion to a new geographical market or overall selling a
division)
3. Reduce (where we devise an action to ensure reduction of risk
likelihood or impact)
4. Share (where we reduce the likelihood or impact by
transferring or sharing a portion of risk, which is commonly done
by insurance companies with reinsurance companies through a
treaty stating their shares in the risks, actualized by a bordereaux
sent by the insurance companies based on the timetable stated
in their treaty)
Management also has to get to the bottom of the problem, which is
why people commit fraud. Here we have the fraud triangle
outlining three components that contribute to increasing the risk of
fraud: Opportunity, Pressure and Rationalization.
Pressure/Motive is the need to commit a fraud, most commonly
financial struggle.
Opportunity arises when a situation enables fraud to occur (i.e.,
when internal controls are weak or non-existent).
And Rationalization is where the fraudster justifies the
committed fraud in his own mind.
Some circumstances that require blah blah