COSO Component 3: Performance
P10: Identifies risk
change in business objectives
change in business context
Group risks by category
different levels
strategy/business objective
entity level business model
done separately from risk assessment
Audit implications of business risks
5 categories
1. Expectations:
Knowledge of a risk condition will influence what an auditor expects to see in the financial results
2. Client viability:
If the risk is severe enough, it may indicate that an organisation is no longer viable given its current business plan and target market
3. Audit risks:
Some risks may indicate that certain FS assertions may be inaccurate.
e.g. new entrant -> inventory obsolescence -> valuation of inventory
4. Control environment:
Risk may put pressure on the control environment such that management may engage in earnings management or other manipulation to disguise economic failures
5. Comments for client:
Risks may simply require the auditor to identify and communicate unmet risks (those with no adequate response) to client management and the audit committee
Risk analysis
(Identify risk events)
Strategic risk analysis
Entity-level business model
Identify events
Link to corporate objectives (affect achievement of)
Negative impact (risk) and/or positive impact (opportunity)
Process risk analysis
Business process analysis template
Types (Risks and KPIs)
Customer service process
Supply chain and production
Identify events
from both external and internal sources
potentially affect achievement of business process objectives
Negative impact (risk) and/or positive impact (opportunity)
Risk Assessment
P11: Assess severity of risk
at different levels of entity
e.g. does risk only affect business objective 1?
P12: Prioritise risks
establish criteria
e.g. complexity, velocity, persistence
prioritise risks using those criteria (e.g. two risks with the same impact and likelihood but different persistence and velocity)
risk appetite to prioritise risks
(e.g. cannot have business interruption)
COSO 2004
qualitative/quantitative techniques
2 perspectives: impact and likelihood
Time horizon used in assessment should be consistent with the related (business) objective
Impact should be measured in the same terms in which the objective is measured
Types of risk: inherent (without any management action), residual (risk that remains after management risk response)
Risk Response
Response type:
Avoidance, sharing, reduction, acceptance
Need to consider unintended consequences
P14: Take a portfolio view
From an entity-wide perspective. Look at each division/operating unit (e.g. some operating units have higher risk, but overall risk is still within the entity's risk appetite)
Consider relevant business objective
Time frame should be consistent with business objective
Impede?