Page 218 - COSO Guidance Book

Risk Assessment: Application to smaller entities

AU-C section 315 states that the basic concepts of the risk assessment process should be present in every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in smaller, less complex entities than in larger ones. All entities should have established financial reporting objectives, but in smaller entities these objectives may be recognized implicitly rather than explicitly. Management may be able to learn about risks related to these objectives through direct personal involvement in the business.

AU-C section 315 also notes that a smaller entity is unlikely to have an established risk assessment process in place. In such cases, management will likely identify risks through direct personal involvement in the business. Irrespective of the circumstances, however, inquiry by the external auditor about identified risks and how management addresses them is still necessary.

The principles and associated points of focus for the risk assessment component of internal control are discussed in detail in the material that follows, with examples illustrating selected points of focus.

Risk assessment principle 6: Specifies suitable objectives

The framework states, with respect to this principle, that the organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The framework provides points of focus for this principle depending on the applicable objective.


Points of focus: Operations objectives

– Reflects management’s choices — Operations objectives reflect management’s choices about structure, industry considerations, and performance of the entity.

  For example, a local restaurant might establish an objective that drive-through customers should wait no more than five minutes from placement to delivery of an order.

– Considers tolerances for risk — Management considers the acceptable levels of variation relative to the achievement of operations objectives.

  For example, the restaurant will accept a variance of an additional three minutes from placement to delivery of an order during peak periods (lunchtime, day of week, or other factors).

– Includes operations and financial performance goals — The organization reflects the desired level of operations and financial performance for the entity within operations objectives.

  For example, the restaurant, in addition to establishing a service goal of completing an order within five minutes, might also have a goal that the average revenue per order should be $5.00. Management believes this goal can be achieved by using suggestive selling techniques (“Would you like a large instead of a medium drink for just an extra 50¢?”).



© 2020 Association of International Certified Professional Accountants. All rights reserved. 4-4