Page 222 - COSO Guidance Book

               ledger and transaction processing, is the risk that originates in the use of outsourced service
               providers.
              Point of focus — Analyzes internal and external factors

               The framework states that risk identification considers both internal and external factors and their
               impact on the achievement of objectives.
               Furthermore, the framework notes that crucial to the risk assessment process is the identification of
               external and internal factors that contribute to risk at an entity level. Risks also need to be identified
               at the transaction level within the entity’s units (such as at a branch of a community bank) or
               functions (which include business processes, such as the procurement process at a not-for-profit).
               An example of a risk at the entity level is the lack of a competent financial expert to review financial
               statements prepared for external purposes. An example of a risk at the transaction level is lack of
               segregation of duties in various transaction-processing systems.

               The framework provides the following types of external factors to be considered in risk identification
               (the list may not be all-inclusive; relevant examples have been added for illustrative purposes):
               –  Economic — Changes that can affect funding and entry into the marketplace

                   For example, local charitable organizations wholly or partially dependent on donations (such as a
                   food bank) might experience a decrease in contributions during economic downturns.

               –  Natural Environment — Catastrophes that can lead to changes in operations or availability of raw
                   materials (or both)

                   For example, many farmers in drought areas of the country (California, Texas, and so on) have
                   been forced out of business from lack of rain or other water sources to irrigate their fields.

               –  Regulatory — Can require changes in operating or reporting policies and strategies

                   For example, financial institutions, including local community banks, are required to document
                   contingency plans for a pandemic.

               –  Foreign operations — Governmental changes (laws, regulations, taxes) in other countries in which
                   the entity operates

                   For example, an entity with operations in France is subject to changes in the tax regulations in
                   that country.

               –  Social — Changing customer expectations that can affect product customer service

                   For example, an entity that is a local school district purchases school athletic uniforms
                   manufactured overseas. Because of pressure from a group of constituents that agitates for
                   products made in the United States, the local board of education passes a rule that only school
                   athletic uniforms manufactured domestically may be purchased by the school district.

               –  Technological — Developments that can affect the availability and use of technology-based
                   services






            © 2020 Association of International Certified Professional Accountants. All rights reserved.