
Risk

Andi Nurul Istiyana, S.ST., M.Acc., CAT., CRMO


The Definition of RISK

• Risk is defined as the possibility or chance of loss, damage, or harm occurring as a result of a particular action, event, or situation. In other words, risk refers to the uncertainty and potential negative consequences that may arise from a particular decision or course of action.

• In the context of internal control, risk is defined as the possibility that an event or action could negatively impact an organization's ability to achieve its objectives.

• Risks can arise from a variety of sources, such as external factors like economic or political conditions, internal factors like operational processes and human behavior, or inherent uncertainties in a particular industry or market.

• Effective internal control involves identifying, assessing, and managing risks to minimize the potential negative impacts on the organization's objectives.

• This includes implementing controls and procedures to mitigate identified risks and continuously monitoring and evaluating the effectiveness of the internal control system.
The Definition of CONTROL RISK

• Control risk in the context of internal control refers to the risk that a material misstatement or error could occur in an organization's financial statements and not be prevented, or detected and corrected, because the internal control system is inadequate or ineffective.

• In other words, control risk is the risk that a control failure could occur and not be detected or corrected in a timely manner, resulting in a material misstatement in the financial statements.

• Control risk can arise from a variety of sources, such as ineffective or poorly designed control procedures, lack of segregation of duties, or inadequate monitoring and oversight.

• Managing control risk is a key element of effective internal control and involves implementing appropriate control procedures, regularly monitoring the effectiveness of those procedures, and taking corrective action as necessary to minimize the risk of material misstatements in the financial statements.
RISK

Internal control is an important component of an organization's risk management framework. Internal controls are policies, procedures, and processes that are designed to provide reasonable assurance that the organization's objectives will be achieved in an efficient, effective, and compliant manner.

From the perspective of internal control, risk is viewed as the possibility that an event or action could adversely affect the organization's ability to achieve its objectives. Internal control helps to mitigate risk by providing a structured approach to identifying, assessing, and managing risk across the organization.

Threats and opportunities are two different concepts that are often used in the context of risk management.

A threat is an event or condition that has the potential to negatively impact an organization's ability to achieve its objectives. Threats may arise from a variety of sources, such as changes in the external environment, competitive pressures, regulatory changes, or internal weaknesses or vulnerabilities.

On the other hand, an opportunity is an event or condition that has the potential to positively impact an organization's ability to achieve its objectives. Opportunities may arise from changes in the external environment, such as shifts in consumer preferences or emerging market trends, or from internal strengths or capabilities that can be leveraged for strategic advantage.
The Process of Risk Management

Identify Risk

As part of their role in risk management, internal auditors should identify and assess risks that could impact the organization's ability to achieve its objectives. Here are some key points that internal auditors should consider when identifying risks:

1. Understand the organization's objectives.

2. Assess the organization's internal and external environment to identify factors that could impact its ability to achieve its objectives.

3. Consider risks across all functions and processes.

4. Use a risk-based approach.

5. Involve key stakeholders.

By following these key points, internal auditors can identify and assess risks that could impact the organization's ability to achieve its objectives, and develop effective strategies to mitigate those risks.
Risk Assessment

Risk assessment is an important part of the internal auditor's role, and involves identifying and assessing risks that could impact the organization's ability to achieve its objectives. The following are some of the steps that an internal auditor may take to perform risk assessments:

1. Identify the areas of the organization that are most susceptible to risk.

2. Determine the risk factors.

3. Evaluate the likelihood and potential impact of each risk.

4. Prioritize the risks.

5. Develop a risk mitigation plan.

Overall, the internal auditor's role in risk assessment is to provide assurance to management and other stakeholders that the organization's risks are being effectively managed. By identifying and assessing risks, and developing strategies to mitigate them, the internal auditor helps to ensure that the organization is well-positioned to achieve its objectives in an efficient, effective, and compliant manner.
Risk Assessment

Likelihood is a measure used in risk assessment to describe the probability or chance of a risk occurring. In other words, it is an assessment of how likely it is that a particular event or scenario will happen. Likelihood can be expressed in qualitative terms, such as low, medium, or high, or it can be expressed as a quantitative measure, such as a percentage or a frequency (for example, expected occurrences per year).

In risk assessment, likelihood is evaluated in conjunction with the potential impact or consequences of a risk event; neither measure alone ranks a risk. By assessing the likelihood of risks, internal auditors can prioritize their efforts and focus on the risks that are most likely to occur and have the greatest potential impact.
Impact in Risk Assessment

Impact is a measure used in risk assessment to describe the potential consequences or effects of a risk event. In other words, it is an assessment of the magnitude or severity of the harm that could be caused if a particular event or scenario were to occur. Impact can be expressed in qualitative terms, such as low, medium, or high, or it can be expressed as a quantitative measure, such as a dollar amount or a numerical rating.

In risk assessment, impact is evaluated in conjunction with the likelihood of a risk event, typically by combining the two into a single score or by plotting them on a likelihood/impact matrix. By assessing the impact of risks, internal auditors can prioritize their efforts and focus on the risks that have the greatest potential consequences or effects. This enables them to develop effective risk mitigation strategies and provide assurance to management that the organization's risks are being effectively managed.
Manage Risk

Risk management is a dynamic process for taking all reasonable steps to find out and deal with risks that impact on our objectives. Organizational resources and processes are aligned to handle risk wherever it has been identified. We are close to preparing the risk management cycle and incorporating this into our original risk model. Before we get there we can turn to project management standards for guidance on the benefits of systematic risk management, which include:

• More realistic business and project planning.

• Actions implemented in time to be effective.

• Greater certainty of achieving business goals and project objectives.

• Appreciation of, and readiness to exploit, all beneficial opportunities.

• Improved loss control.

• Improved control of project and business costs.

• Increased flexibility as a result of understanding all options and associated risks.

• Fewer costly surprises through effective and transparent contingency planning.

Armed with the knowledge of what risks are significant and which are less so, the process requires the development of strategies for managing high impact, high likelihood risks. This ensures that all key risks are tackled and that resources are channelled into areas of most concern, which have been identified through a structured methodology.
Review Risk

Internal audit reviews risk by conducting a systematic and comprehensive risk assessment process. Once the risks have been identified and assessed, the process typically involves the following steps:

1. Evaluate the existing controls: The first step is to evaluate the effectiveness of the existing controls in mitigating the identified risks. Internal audit reviews the design and operating effectiveness of the controls and identifies any gaps or weaknesses in the control environment.

2. Develop recommendations: Based on the results of the risk assessment and control evaluation, internal audit develops recommendations to improve the control environment and mitigate the identified risks. These recommendations may include changes to policies and procedures, implementation of new controls, or improvements to existing controls.

3. Monitor and report on the implementation of recommendations: Internal audit monitors the implementation of the recommendations and reports on the progress to management and the board. This ensures that the identified risks are effectively managed and the control environment is strengthened.
COSO Philosophy

The philosophy of COSO emphasizes that effective internal control is essential for organizations to achieve their objectives and succeed in their mission. By adopting the COSO framework, organizations can design and implement internal control systems that are tailored to their specific needs and risks. The framework provides a comprehensive and integrated approach to internal control that helps organizations to identify and manage risks, improve performance, and ensure the reliability of financial reporting.

COSO defines risk as "the possibility that an event will occur and adversely affect the achievement of objectives." In other words, risk refers to the uncertainty associated with achieving objectives.

COSO's definition of risk highlights the importance of identifying and managing risks that may prevent an organization from achieving its objectives. According to COSO, effective risk management involves a systematic and ongoing process of identifying, assessing, prioritizing, and responding to risks that threaten the achievement of organizational objectives.
COSO Philosophy

COSO recognizes that not all risks are negative, and that some risks may present opportunities for organizations to achieve their objectives. The framework distinguishes between two levels of risk:

1. Inherent risk: This refers to the risk that exists before any management action is taken to address it. Inherent risk is determined by external factors, such as market conditions or regulatory requirements, as well as internal factors, such as the nature of the organization's operations. The quality of the organization's internal controls is not part of inherent risk; controls are the management action that reduces inherent risk to residual risk.

2. Residual risk: This refers to the risk that remains after management has taken action to address inherent risk. Residual risk is the risk that the organization must accept in order to achieve its objectives.

COSO emphasizes the importance of integrating risk management into an organization's overall management process. This includes identifying and assessing risks, developing strategies to manage those risks, and monitoring the effectiveness of risk management activities over time. By adopting a risk-based approach to management, organizations can better understand the risks they face, make informed decisions about how to allocate resources, and ultimately achieve their objectives more effectively.
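The likelihood and impact measures from the risk assessment slides and the inherent versus residual distinction above can be combined in a single scoring routine. The following Python is an added example, not code from the slides, from COSO, or from any audit tool: the 1-5 ordinal scales, the heat-map bands, the model in which a control removes a number of scale levels, and the four-entry register are all constructed for illustration; a real register uses whatever scale and treatment model the organization has agreed.

```python
from dataclasses import dataclass, field

# Constructed ordinal scales for the qualitative terms used in the slides.
# Real registers use whatever scale the organisation has agreed; 1-5 is common.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Control:
    """A control reduces likelihood and/or impact by a number of scale levels (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: str                      # inherent likelihood, a key of LIKELIHOOD
    impact: str                          # inherent impact, a key of IMPACT
    controls: list[Control] = field(default_factory=list)


def score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood x impact on the 1-5 scales, so 1..25."""
    return likelihood * impact


def rating(s: int) -> str:
    """Band a score into the qualitative ratings of a 5x5 heat map (bands are assumed)."""
    if s >= 15:
        return "high"
    if s >= 6:
        return "medium"
    return "low"


def inherent(risk: Risk) -> tuple[int, int]:
    """Likelihood and impact before any control is applied."""
    return LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]


def residual(risk: Risk) -> tuple[int, int]:
    """Likelihood and impact after the controls; a level never drops below 1,
    because no control makes an event impossible or harmless."""
    lik, imp = inherent(risk)
    for c in risk.controls:
        lik = max(1, lik - c.likelihood_reduction)
        imp = max(1, imp - c.impact_reduction)
    return lik, imp


def assess(register: list[Risk]) -> list[dict]:
    """Score every risk and return rows ordered for treatment: highest residual
    score first, ties broken by residual impact, then by reference."""
    rows = []
    for r in register:
        il, ii = inherent(r)
        rl, ri = residual(r)
        rows.append({
            "ref": r.ref,
            "inherent": score(il, ii),
            "residual": score(rl, ri),
            "residual_impact": ri,
            "rating": rating(score(rl, ri)),
            "untreated": not r.controls,   # residual equals inherent when nothing is in place
        })
    return sorted(rows, key=lambda x: (-x["residual"], -x["residual_impact"], x["ref"]))


def sample_register() -> list[Risk]:
    """A constructed register with four risks; none of these entries come from the slides."""
    sod = Control("segregation of duties: vendor creation and payment approval split",
                  likelihood_reduction=2)
    backups = Control("offline backups, restore-tested quarterly", impact_reduction=2)
    edr = Control("endpoint detection and response on all servers", likelihood_reduction=1)
    fde = Control("full-disk encryption on laptops", impact_reduction=2)
    return [
        Risk("R1", "Fraudulent payment: one user can create a vendor and approve its invoice",
             "likely", "major", [sod]),
        Risk("R2", "Ransomware encrypts the ERP database", "possible", "severe", [backups, edr]),
        Risk("R3", "Statutory reporting deadline missed", "unlikely", "moderate"),
        Risk("R4", "Stolen laptop exposes customer records", "likely", "moderate", [fde]),
    ]


if __name__ == "__main__":
    for row in assess(sample_register()):
        flag = "  <- no control: residual equals inherent" if row["untreated"] else ""
        print(f'{row["ref"]}: inherent {row["inherent"]:2d}  residual {row["residual"]:2d} '
              f'({row["rating"]}){flag}')
```

Running the block prints the register ordered by residual score. Two things the scoring makes visible that the prose alone does not: a risk with no controls keeps its inherent score, so ranking by residual rather than inherent score is what surfaces untreated risks (R3 here); and a control that reduces only impact (full-disk encryption on R4) leaves the event exactly as likely, which is why residual likelihood and impact are carried separately rather than only as their product.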
COSO Framework
Audit Risk and the components of audit risk

Audit risk is the risk that the auditor issues an inappropriate audit opinion on financial statements that are materially misstated; in other words, that a material misstatement goes undetected and the opinion is wrong. The components of audit risk are:

1. Inherent Risk: the risk of material misstatement in the underlying transactions and balances of an organization, before considering any internal controls. It is determined by the nature of the organization's operations, the complexity of the transactions, and the inherent characteristics of the industry.

2. Control Risk: the risk that a material misstatement could occur and not be prevented, or detected and corrected, by the organization's internal controls. It is determined by the effectiveness of the organization's internal controls in preventing or detecting material misstatements.

3. Detection Risk: the risk that the auditor's procedures will not detect a material misstatement in the financial statements, even though it exists. It is determined by the effectiveness of the audit procedures performed by the auditor.

The auditor can control the level of detection risk by adjusting the nature, timing, and extent of audit procedures. Inherent risk and control risk, however, are determined by the nature of the organization and its internal controls; the auditor assesses them but cannot reduce them. Therefore, the auditor must consider the assessed levels of inherent and control risk when deciding how low detection risk must be to achieve an acceptable level of audit risk: the higher the inherent and control risk, the lower the detection risk the auditor can tolerate, and the more audit work is required.
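The relationship in the last paragraph is usually written as the audit risk model. This worked equation is added here as an illustration and does not appear on the slides; the numerical values are assumed for the example, not figures from any standard.

$$AR = IR \times CR \times DR \quad\Longrightarrow\quad DR = \frac{AR}{IR \times CR}$$

Suppose the auditor accepts $AR = 0.05$ and assesses $IR = 0.8$ and $CR = 0.5$. Then

$$DR = \frac{0.05}{0.8 \times 0.5} = 0.125 .$$

If the auditor instead finds the controls unreliable and sets $CR = 1.0$ (no reliance on controls), the detection risk that can be tolerated falls to

$$DR = \frac{0.05}{0.8 \times 1.0} = 0.0625 ,$$

so the substantive procedures must be extended (larger samples, more reliable evidence, testing nearer the period end) to halve the chance that a misstatement slips through. Detection risk is the only factor on the right-hand side that the auditor chooses; inherent and control risk are assessed, not set.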
Audit Risk

The risk of internal audit refers to the risk that an internal audit engagement does not achieve its objectives or does not provide accurate, reliable, and relevant information. This can include a failure to identify or report on significant risks or issues, or a failure to provide appropriate recommendations for addressing those risks or issues.

Internal audit risk can be categorized into three main areas:

1. Engagement Risk

2. Reporting Risk

3. Operational Risk

To mitigate these risks, internal auditors must adhere to professional standards and best practices, maintain independence and objectivity, and ensure that their findings and recommendations are communicated effectively to the appropriate stakeholders.
RISK audit

In internal auditing, assertions refer to management's explicit or implicit claims or representations about the completeness, accuracy, existence, valuation, and presentation or disclosure of information in the financial statements or other systems under review.

Assertions are essential to the audit process because they help internal auditors to evaluate the quality and reliability of the financial statements or other systems they are reviewing. They also help internal auditors to determine the type of evidence needed to support their audit conclusions. By testing management's assertions, internal auditors can provide independent and objective assurance to stakeholders that the financial statements or other systems are free from material misstatements.

The assertions tested are:

1. Existence

2. Completeness

3. Accuracy

4. Valuation

5. Presentation and Disclosure
Methods for Risk Analysis

1. SWOT (Strengths, Weaknesses, Opportunities, and Threats)

2. HAZOP (Hazard and Operability study)

3. Fault Tree analysis

4. What-If analysis

5. Monte Carlo simulation

6. Quantitative risk analysis

From the internal audit perspective, there are several further methods that can be used for risk analysis, such as:

1. Risk Assessment Questionnaires

2. Process Mapping

3. Control Self-Assessments

4. Data Analysis

5. Scenario Analysis

The selection of the appropriate risk analysis method for a specific organization depends on the nature of the organization, the industry it operates in, and the specific risks it faces. The internal auditor must carefully evaluate the risks and determine the most effective method to use to assess and mitigate those risks.
ASSIGNMENT

• Explain and describe the relationship between risk and control, and give one clear example.

• Explain and describe what is meant by ERM, and what the benefits and drawbacks of ERM are.

• Prepare a risk assessment for one of your own life goals, and add the controls you would apply to the risks identified.
