Page 225 - COSO Guidance Book

For example, an entity whose IT department does not back up data and does not have a disaster recovery plan might obtain business interruption and other appropriate insurance coverage. This coverage allows the entity to share or transfer all or part of the costs to reconstruct data and the revenue losses caused by external or internal threats that destroy data or the data center.


Knowledge check

2. The point of focus, “Determines how to respond to risks,” is associated with which risk assessment principle?
   a. Specifies suitable objectives.
   b. Identifies and analyzes risk.
   c. Identifies and analyzes significant change.
   d. Assesses fraud risk.

Risk assessment principle 8: Assesses fraud risk

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

The framework provides the following four points of focus concerning this principle:

Point of focus — Considers various types of fraud

The assessment of fraud considers fraudulent reporting,⁴ possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.

– Fraudulent financial reporting

  AU-C section 240, Consideration of Fraud in a Financial Statement Audit (AICPA, Professional Standards), defines fraud as “an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception that results in a misstatement in financial statements that are the subject of an audit.”⁵ AU-C section 240 is consistent with the framework in that both have the same fraud risk factors (incentive or pressure, opportunity, and attitudes or rationalizations).

  AU-C section 240 notes that, for a smaller entity, management’s risk assessment might be focused on employee fraud or misappropriation of assets. Misappropriation of assets is defined and discussed in the information that follows.

  The framework defines fraudulent financial reporting as an intentional act designed to deceive users of external financial reports and that may result in a material omission from or misstatement of such financial reports.



⁴ Both internal and external financial and nonfinancial reporting.
⁵ www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-C-00240.pdf

© 2020 Association of International Certified Professional Accountants. All rights reserved. 4-11