
COSO-BASED AUDITING RISK ASSESSMENT

• Good afternoon everyone, welcome to the COSO-Based Auditing Risk Assessment virtual seminar given on March 17, 2021 by the Institute of Internal Auditors Philippines.
- Next slide, please. -
• In this virtual seminar, we shall:
o Identify the objectives, components and principles in the COSO Framework
o Understand and learn about various risk concepts and terminologies
o Explain the difference between inherent risk and residual risk; and
o Recognize the COSO Framework concepts of likelihood and impact in determining risk significance
• A little background on the Internal Controls Framework:
o In the 1970s and 80s, corrupt and unethical business practices were rampant, so the Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned the Internal Controls Framework in September 1992. Since then, it has been used by the majority of companies to evaluate their internal control environment, particularly as it relates to internal control over financial reporting.
o But what exactly is COSO and why is it a suitable model?
▪ COSO basically illustrates that management is required to base its assessment of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment.
- Next slide, please. –

• So in 2013, the Internal Controls Framework was revised to address some changes in the business and operating environments. The reason was that, over the preceding 20 years, numerous major organizations had failed because of ineffective risk management and related internal controls. More countries, including China, Japan and many European nations, now require public reporting on internal control over financial reporting for large, publicly listed companies.
o The 2013 revision addressed those changes in the business and operating environments through 8 main changes in the framework. What did not change, however, is its core definition.
• The definition of internal control still remains: a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.
- Next slide, please -
• According to COSO, to have an effective system of internal control relating to the objectives, there are five components that must be present and operating together. So let’s dive into these objectives and components:
• First,
o Operations objectives. These pertain to the effectiveness and efficiency of the entity’s operations.
o Reporting objectives pertain to internal and external financial and non-financial reporting, encompassing reliability, timeliness and transparency.
o And lastly, compliance objectives pertain to adherence to the laws and regulations governing the entity.

So those are the three main company objectives.

• Now let’s move on to the five components, namely Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. These 5 components are essential in the assessment of internal control effectiveness.
• So let’s quickly dive into their underlying concepts:
- Next slide, please –

1. Control Environment: in a nutshell, this is the integrity and ethical values of the organization; it’s the standards, processes and structure that provide the basis for carrying out internal control across the organization.
2. Risk Assessment is the dynamic and iterative process for identifying and assessing risks to the achievement of the entity’s objectives.
o In risk assessment, there are five concepts that entities consider:
▪ Risk Tolerance – the acceptable level of variation in performance the entity can tolerate relative to the achievement of its objectives.
▪ Risk Appetite – the entity’s risk limits in its strategy for maximizing value. It’s the amount of risk that the entity is willing to accept in its pursuit of value.
▪ To differentiate risk tolerance and risk appetite: risk appetite is a higher-level statement that broadly considers the levels of risk that the entity deems acceptable, while risk tolerances are narrower and set per specific performance measure.
▪ Moving on, we have inherent risk, which is the risk to the achievement of objectives in the absence of any actions management might take to alter either the risk likelihood or impact. On the other hand, residual risk is the risk that remains after management’s responses have been designed and implemented.
▪ And lastly, the risk response is defined as the decision to accept, avoid, reduce or share risk.
So those are the five concepts that entities consider in a risk assessment. Going back to defining the five components, we have Control Activities next.

3. Control Activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks are carried out.
4. Information and Communication – this enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously.
5. Monitoring Activities – ongoing evaluations, separate evaluations or some combination of the two are used to ascertain whether each of the five components of internal control is present and functioning.

• So far, we know that an effective system of internal control, which means achieving the three objectives, depends on the functioning and joint operation of the five components we just came across. But how does that work exactly, you say?
• Well, what’s more interesting is that COSO depicted the relationship between them in the form of a cube.
- Let’s look at it in the next slide, please –

• So here we can see that there is a direct relationship between three elements: (1) the three objectives, which are represented by the columns; (2) the five components, represented by the rows; and (3) the entity’s structure (its operating units, legal entities and so on), represented by the third dimension.
• To govern this cube and make it efficient, COSO specified 17 principles across the five components. Management exercises judgement in determining the extent to which these principles are present and functioning. For now, let’s focus on the principles specified for the Risk Assessment component.
- Next slide, please –
For risk assessment we have 4 specified principles, which are:
1. Specify suitable objectives
2. Identify and analyze risk
3. Assess fraud risk
4. Identify and analyze significant change

• Let’s dive into the first principle on Risk Assessment:
• Specify suitable objectives, where the organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to those objectives.
• The points of focus of this principle are:
o Operations objectives
o Reporting objectives, comprising external financial reporting and internal non-financial reporting
o And lastly, compliance objectives
NEXT SLIDE, PLEASE
The first step in this principle is to set the objectives before management can identify potential events affecting their achievement. Management first identifies its mission (its purpose, why it exists) and its vision (where it wants to go), then its strategy for achieving its objectives.
o Operations objectives – reflect management choices within the particular business
o Reporting – external and internal
NEXT SLIDE PLEASE

• The second principle is to identify and analyze risk.
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

The board of directors, management and employees all have roles to play in identifying and analyzing risk.
Starting from the outer line of defense, internal audit provides assurance that the risk management framework is effective.
The second line of defense is risk control, which measures and monitors whether a risk has occurred.
And lastly, the first line of defense is risk ownership.

Risk identification considers both internal and external factors and their impact on the achievement of objectives, including internal and external events, etc.
Next slide please

Here we have some examples of external and internal factors, which we will just skim through. For external factors, there are economic, natural environment, regulatory, foreign operations, social and technological factors. For internal factors, there are infrastructure, management structure, personnel, access to assets, and technological factors as well.
Next slide please

Let’s now move on to analyzing the identified risks through a process that includes estimating the potential significance of risk. So risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. And risks are assessed on both an inherent and a residual basis.
The common criteria used to assess significance are the likelihood and impact of the risk.

Likelihood is the possibility that a given event will occur and impact is the magnitude of the effect of the given event. The table below illustrates the correlation between the likelihood and the impact of a given event.
Next slide please.
In the risk analysis of impact, we have Low, Moderate and High:
- Low is usually indicated when there is no potential impact on market share or on the brand value of the company, or when issues can be easily resolved by junior management and staff.
- Low to Moderate has consequences that can be absorbed under normal operating conditions.
- Moderate is when market share and/or brand value will be affected in the short term and the event will require senior and middle management intervention.
- Moderate to High is a serious diminution of brand value and market share with adverse publicity.
- High, for extremities, is a sustained serious loss in market share of the entity.

In the risk analysis of likelihood:
- Rare occurs once every 10 years
- Unlikely, once every 7 years
- Moderate, once every 5 years
- Likely, once every 3 years
- And almost certain occurs once a year or more frequently.

Next slide please

So now that we have identified and analyzed the risks, we shall determine how to respond to them, whether we should:
1. Accept (where no action is taken to affect risk likelihood or impact)
2. Avoid (which may involve exiting a product line, declining expansion into a new geographical market or selling a division)
3. Reduce (where we devise an action to ensure reduction of risk likelihood or impact)
4. Share (where we reduce the likelihood or impact by transferring or sharing a portion of the risk, as is commonly done by insurance companies with reinsurance companies through a treaty stating their shares in the risks, actualized by a bordereau sent by the insurance company based on the timetable stated in their treaty)
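To make the likelihood and impact scales above, the four responses just listed, and the earlier inherent/residual and risk-tolerance concepts concrete, here is an added example in Python. It is my own illustration, not code from the seminar, the Institute of Internal Auditors Philippines or COSO. It rates each risk on the seminar's five likelihood levels (including a mapping from an estimated recurrence interval in years) and five impact levels, scores inherent and residual significance, flags register entries whose recorded response does not fit the residual rating (an "accept" that claims a reduction, or a residual above the inherent), and compares the residual against a tolerance ceiling. The 1-5 numeric ratings, the multiplicative score, the low/medium/high bands, the tolerance value of 7 and the sample risks are all assumptions constructed for illustration; COSO leaves the scoring method to management's judgement.

```python
from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):
    """Seminar likelihood scale; the 1-5 values are an assumption."""
    RARE = 1            # occurs once every 10 years
    UNLIKELY = 2        # once every 7 years
    MODERATE = 3        # once every 5 years
    LIKELY = 4          # once every 3 years
    ALMOST_CERTAIN = 5  # once a year or more frequently


class Impact(IntEnum):
    """Seminar impact scale; the 1-5 values are an assumption."""
    LOW = 1               # no impact on market share or brand; junior staff resolve it
    LOW_TO_MODERATE = 2   # consequences absorbed under normal operating conditions
    MODERATE = 3          # short-term effect; senior/middle management intervene
    MODERATE_TO_HIGH = 4  # serious diminution of brand value, adverse publicity
    HIGH = 5              # sustained serious loss of market share


RESPONSES = ("accept", "avoid", "reduce", "share")  # the four COSO risk responses


def likelihood_from_interval(years_between_events: float) -> Likelihood:
    """Map an estimated recurrence interval (years) onto the seminar's scale.

    Assumed banding: at most yearly is almost certain, up to every 3 years
    likely, up to 5 moderate, up to 7 unlikely, anything rarer is rare.
    """
    if years_between_events <= 0:
        raise ValueError("interval must be a positive number of years")
    for threshold, rating in ((1, Likelihood.ALMOST_CERTAIN), (3, Likelihood.LIKELY),
                              (5, Likelihood.MODERATE), (7, Likelihood.UNLIKELY)):
        if years_between_events <= threshold:
            return rating
    return Likelihood.RARE


def significance(likelihood: Likelihood, impact: Impact) -> int:
    """Assumed scoring: likelihood x impact, giving a score from 1 to 25."""
    return int(likelihood) * int(impact)


def band(score: int) -> str:
    """Assumed significance bands over the 1..25 score."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    inherent_likelihood: Likelihood   # before any management action
    inherent_impact: Impact
    response: str                     # one of RESPONSES
    residual_likelihood: Likelihood   # after the response is designed and implemented
    residual_impact: Impact


def assess(risk: Risk, tolerance: int = 7) -> dict:
    """Score inherent and residual risk and flag inconsistent register entries.

    `tolerance` is an assumed risk-tolerance ceiling on the residual score;
    a residual above it still needs a further response.
    """
    inherent = significance(risk.inherent_likelihood, risk.inherent_impact)
    residual = significance(risk.residual_likelihood, risk.residual_impact)
    issues = []
    if risk.response not in RESPONSES:
        issues.append(f"unknown response {risk.response!r}")
    if residual > inherent:
        issues.append("residual risk exceeds inherent risk")
    if risk.response == "accept" and residual != inherent:
        issues.append("'accept' takes no action, so residual must equal inherent")
    if risk.response in ("reduce", "share") and residual >= inherent:
        issues.append(f"'{risk.response}' should lower likelihood or impact, but residual is not lower")
    return {"name": risk.name, "inherent": inherent, "inherent_band": band(inherent),
            "residual": residual, "residual_band": band(residual),
            "within_tolerance": residual <= tolerance, "issues": issues}


# Constructed sample register for illustration; not taken from the seminar.
SAMPLE_REGISTER = [
    Risk("Unauthorised change to the financial reporting system",
         Likelihood.LIKELY, Impact.HIGH, "reduce", Likelihood.UNLIKELY, Impact.MODERATE),
    Risk("Flooding at the data centre", likelihood_from_interval(10), Impact.MODERATE_TO_HIGH,
         "accept", likelihood_from_interval(10), Impact.MODERATE_TO_HIGH),
    Risk("Error by third-party payroll processor",
         Likelihood.MODERATE, Impact.MODERATE, "share", Likelihood.MODERATE, Impact.LOW_TO_MODERATE),
    Risk("Key-person dependency in treasury",  # deliberately inconsistent entry
         Likelihood.MODERATE, Impact.MODERATE, "accept", Likelihood.UNLIKELY, Impact.MODERATE),
]


def assess_register(register=SAMPLE_REGISTER, tolerance: int = 7) -> list:
    """Assess every risk in the register and return one result dict per risk."""
    return [assess(risk, tolerance) for risk in register]
```

Calling `assess_register()` on the constructed register scores the first risk at 20 inherent (high) and 6 residual (low), the flood risk at 4 on both (a rare event that is simply accepted), the payroll risk at 9 (medium) reduced to 6 by sharing, and flags the last entry because a register cannot claim a lower residual while recording "accept" as the response. The consistency checks are the part an auditor would most want: they catch the common register error of writing down a comfortable residual rating without a response that could actually have produced it.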

Next slide please

Moving on to the third principle in Risk Assessment: Assess Fraud Risk. Next slide, please

In assessing fraud risk, the entity shall:
1. Consider various types of fraud
2. Assess incentives and pressures; and
3. Assess opportunities
Various types of fraud include the following:
1. Fraudulent financial reporting, in which READ
2. Misappropriation of assets – READ
3. And corruption

Next slide, please

Management also has to get to the bottom of the problem, which is: why do people commit fraud? Here we have the fraud triangle outlining three components that contribute to increasing the risk of fraud: Opportunity, Pressure and Rationalization.
- Pressure/Motive is the need to commit a fraud, most commonly financial struggle.
- Opportunity arises when a situation enables fraud to occur (i.e., when internal controls are weak or non-existent).
- And rationalization is where the fraudster justifies the committed fraud in his own mind.

Next slide please,

And lastly, Identify and analyze significant change.
This is where the entity identifies and assesses changes that could significantly impact its system of internal control.
Next slide please

These changes must be assessed under three conditions:
- Changes in the external environment, which are the changes to the regulatory, economic and physical environment in which the entity operates
- Changes in the business model, which consider the potential impacts of new business lines, dramatically altered compositions of existing business lines, acquired or divested business operati READ
- And changes in leadership, which are the changes in management and their respective attitudes and philosophies on the system of internal control

Some circumstances that require blah blah

In summary, we have identified the three main objectives of internal control: OPERATIONS, REPORTING AND COMPLIANCE, which can be efficiently achieved through the united operation of 5 components, which are: CONTROL ENVIRONMENT, RISK ASSESSMENT, CONTROL ACTIVITIES, INFORMATION AND COMMUNICATION, AND MONITORING ACTIVITIES.
In this seminar, we focused on the principles in Risk Assessment:
First, specifying suitable objectives.
Next, identifying and analyzing the risks in achieving these objectives, where we differentiated inherent and residual risk, clearing up that inherent risks are risks in the absence of any actions management might take to alter either the risk likelihood or impact. On the other hand, residual risk is the risk that remains after management’s responses have been designed and implemented.
Next, assessing fraud risk, with three types:
FRAUDULENT FINANCIAL REPORTING
MISAPPROPRIATION OF ASSETS
AND CORRUPTION
And lastly, identifying and analyzing significant changes, which could be changes in the external environment, business model and leadership.

That’s it for COSO-Based Auditing Risk Assessment. Thank you and stay safe.
