Risk Assessment Considerations
An organization should be able to give its stakeholders reasonable assurance that it can manage risk to an acceptable level. It does this by assessing the enterprise risk management practices in place. Such an assessment is voluntary unless legislation or regulation requires it.
Data on past events can help predict future occurrences. Historical data is used in risk assessment primarily to estimate severity from experience, but it may also be used to identify interdependencies and to construct predictive and causal models. Third-party databases that gather information on incidents and losses suffered across an industry or region may alert the business to potential threats; these are frequently offered as a subscription service. In various sectors, consortiums have also been formed so that members can share internal loss data.
Risks identified and included in an entity’s risk inventory are assessed to understand how severely each could affect the achievement of the entity’s strategy and business objectives. Risk assessments inform the selection of risk responses: given the severity of the risks identified, management decides which resources and capabilities to deploy so that each risk remains within the entity’s risk appetite.
Assessing Severity At Different Levels Of The Entity
The severity of a risk is assessed at multiple levels of the entity (across divisions, functions, and operating units), in line with the business objectives it could impact. A risk assessed as important at the operating unit level may, for example, be less important at the division or entity level. Conversely, at higher levels of the entity, risks are more likely to affect reputation, brand, and trustworthiness.
Using standardized risk terminology and categories helps the organization assess risks consistently at all levels. Common risks across business units, divisions, and functions can also be grouped; for example, the risk of technology disruption faced by several divisions may be grouped and assessed collectively. Similarly, risks measured at one level of the entity may be grouped as they are escalated to the next level. When common risks are grouped, the severity rating may change: risks that are of low severity individually may become more or less severe when considered collectively across business units or divisions.
The framework provides criteria for assessing whether the enterprise risk management culture, capabilities, and practices collectively manage the risk of not achieving the entity’s strategy and supporting business objectives. During an assessment, the organization considers whether: the components and principles of enterprise risk management are present and functioning; the components are operating together in an integrated manner; and the controls necessary to put the relevant principles into effect are present and functioning.
Understanding The Entity And Its Environment
The auditor is required to identify and assess the risks of material misstatement, whether due to fraud or error, by obtaining an understanding of the entity and its environment, including its internal controls. This involves considering factors such as: relevant industry, regulatory, and other external factors, including the applicable financial reporting framework; the nature of the entity, including its operations, ownership, management structures, and types of current and planned investments; the entity’s selection and application of accounting policies, including whether they are appropriate for its business and consistent with the industry and the applicable financial reporting framework; the entity’s objectives and strategies, and the related business risks that may give rise to risks of material misstatement; and the measurement and review of the entity’s financial performance.
Business risks are risks arising from significant conditions, events, circumstances, actions, or inactions that could affect an entity’s ability to achieve its objectives and carry out its strategies. Business risks can also arise from the setting of inappropriate objectives, strategies, or goals.
The auditor should also obtain an understanding of the internal controls relevant to the audit. Although most of the entity’s internal controls relate to financial reporting, not all of them are relevant to the audit.
If the entity has an internal audit function, the auditor shall obtain an understanding of the nature of that function’s responsibilities, its organizational status, and the activities it performs or is expected to perform. The auditor should form a judgement about how strong (or weak) the internal controls are in order to decide how much testing should be carried out in the audit.
Communication with the appropriate process owners is important to ensure effective information exchange throughout the enterprise risk management process. It establishes a setting in which management is kept aware of serious problems that come to the attention of risk management professionals.
Risk assessment is an important part of developing mitigation methods that keep an entity’s financial reporting process transparent, since the financial statements ultimately represent organizational performance. In deciding when a misstatement should be regarded as material and when it may be disregarded, consider the areas where the risk of misstatement or error appears to exist and the nature of that risk.