Page 217 - COSO Guidance Book

Risk assessment

The framework defines risk as the possibility that an event will occur and have an adverse effect on the achievement of objectives. Risk tolerance is defined as the acceptable level of variation in performance relative to the achievement of objectives.

Risk tolerance is normally established as part of the objective-setting process (operating, financial, and compliance objectives). Risk tolerance levels need to be set before risk responses and related controls can be developed. Control activities (one of the five components of internal control) are designed based on management’s risk tolerance.

Many entities use performance measures to help them operate within their risk tolerance levels. For example, the governing body for a school district might establish a goal that each school should try to achieve a pass rate of 90% on a national test, while accepting that only 70% may pass. The lower limit of risk tolerance is a 70% pass rate. Performance below that rate would result in corrective action.


Management may be more flexible in establishing risk tolerance and managing risks when there are no external requirements. However, when there are external requirements, such as those relating to external reporting and compliance objectives, management considers risk tolerance in light of these external requirements. An example of an external reporting requirement is a loan covenant agreement that stipulates the entity provide the lender with quarterly reviewed financial reports prepared in accordance with generally accepted accounting principles (an external standard).




AU-C section 315: Circumstances that create risk

AU-C section 315 also addresses risk and states that risk can arise or change due to circumstances such as the following:

- Changes in the operating environment — Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.
- New personnel — New personnel may have a different focus on, or understanding of, internal control.
- New or revamped information systems — Significant and rapid changes in information systems can change the risk relating to internal control.
- Rapid growth — Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.
- New business models, products, or technology — Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control.
- Corporate restructuring — Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.
- Expanded foreign operations — The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, such as additional or changed risks from foreign currency transactions.
- New accounting pronouncements — Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.


            © 2020 Association of International Certified Professional Accountants. All rights reserved.    4-3