Page 221 - COSO Guidance Book

For example, a local community bank may be required to meet certain regulatory financial ratios
                   every day in order to avoid possible sanctions. The bank should have procedures in place to provide
                   assurance that the financial ratios are computed daily and compared with those required by
                   regulation.

               –  Considers tolerances for risk — Management considers the acceptable levels of variation relative
                   to the achievement of compliance objectives.

                   In the community bank example, management would want assurance that the various required
                   daily ratio calculations are precise. That precision gives management a high level of assurance
                   that any unfavorable variance reported is reliable, so that management can take appropriate
                   action when a daily ratio falls outside the regulatory requirements. If the daily ratio calculation
                   is not precise, a reported unfavorable variance might not in fact be unfavorable, and management
                   might take action that was unnecessary.




            Knowledge check

            1.  “Complies with applicable accounting standards” is a point of focus of which type of objective?

                   a.  Operations.
                   b.  Internal reporting.
                   c.  External financial reporting.
                   d.  External nonfinancial reporting.



            Risk assessment principle 7: Identifies and analyzes risk


            The organization identifies risks to the achievement of its objectives across the entity and analyzes risks
            as a basis for determining how the risks should be managed.

            It is important to recognize that, according to the framework, identification and analysis of risk is a
            continuous process that considers all levels of the entity and both internal and external factors, involves
            management, considers the likelihood of the risk occurring, and evaluates how to respond to the risk.

            The framework provides the following five points of focus related to this principle:

              Point of focus — Includes entity, subsidiary, division, operating unit, and functional levels

               The organization identifies and assesses risks at the entity, subsidiary, division, operating unit, and
               functional levels relevant to the achievement of objectives. For example, in an organization whose
               board of directors (those charged with governance) has no independent members, there is a possible
               entity-level risk that management could override controls to misstate the financial statements or
               provide fraudulent operational reports.
               Examples of various types of risk origination are provided in the framework. One risk that is of
               particular note, in light of the expected migration of many entities to cloud computing for general




            © 2020 Association of International Certified Professional Accountants. All rights reserved.    4-7