CHAPTER 5

COSO Internal Control Components: Risk Assessment

EVERY ENTERPRISE FACES A VARIETY of risks from both internal and external sources. Risk here is defined as the possibility that an event may occur that adversely affects the achievement of enterprise objectives. Risk assessment is an interactive process for identifying and assessing those risks that may limit the achievement of enterprise objectives. Risks to achieving these objectives are considered relative to the risk tolerances established by the enterprise.

Risks are defined in the COSO internal control framework as the possibility that an event may occur that will adversely affect the achievement of some enterprise objectives. As part of the process of identifying and assessing risks, an enterprise may also identify opportunities when the occurrence of a risk-related event may positively affect the achievement of enterprise objectives. These opportunities are important to capture and to channel back to the enterprise strategy and/or objective-setting processes. However, the identification and assessment of potential risk-related opportunities are often not directly part of enterprise internal controls but are sometimes dependent on external factors.

Risks affect an enterprise’s ability to succeed, compete within its industry, maintain its financial strength and positive reputation, and maintain the overall quality of its products, services, and people. There is no practical way to reduce risk to zero, because all business ...
