Page 107 - CITP Review
Exhibit 3-5 — COSO model of internal controls
The risk assessment element is an iterative and dynamic set of activities and procedures used to identify and assess the composite risks, in both general business and accounting processes, that are significant enough to impair the entity's ability to achieve its business goals or control objectives. Every entity has its own external and internal risks that need to be identified, assessed, and managed (mitigated). Management's risk assessment activities should naturally lead to a risk assessment document that the CITP would want to review in the context of an audit (public accounting), or in most risk-related reviews or audits (B&I). Because the internal and external environments are constantly changing, and thus risks are constantly changing, this document is dynamic (a living document) rather than static, so management would want to make regular updates to the entity's risk assessment document.

Two key areas of risk assessment are financial reporting risks and IT risks. If management assesses risk effectively, it will identify both financial reporting risks and IT risks. This information could be beneficial to the CITP in procedures, audits, and activities related to evaluating financial reporting, controls, and various types of IT reviews.

Risk assessment is fundamental to effective control activities, to the monitoring element, and to the successful mitigation of risks, including IT-related risks; it is a critical element of the system of internal controls.

The control activities element involves the internal controls operating on a day-to-day basis.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-23