CHAPTER 2

A RISK-BASED APPROACH TO ASSESS INTERNAL CONTROL OVER FINANCIAL REPORTING (ICFR)

Tim J. Leech, FCA-CIA-IT, CFE, CCSA

Jeffrey C. Thomson, MS

2.1 A RISK-BASED APPROACH TO ASSESSING ICFR

(a) Introduction

2.2 DETERMINE KEY STAKEHOLDERS

2.3 ESTABLISH THE RISK MANAGEMENT CONTEXT

(a) General

(b) Risk Criteria—Big Picture Corporate Level

(c) Risk Criteria—Subsidiary Level

(d) Risk Criteria—Account/Note Disclosure Level

2.4 RISK RATING AND RISK IDENTIFICATION

(a) Risk Rating Assurance Contexts for ICFR

(b) Identifying Risks to Assurance Contexts Selected for Additional Analysis

2.5 ANALYZE AND EVALUATE RISKS

2.6 TREAT/MITIGATE RISKS

(a) Treat Risks Using COSO 1992 Control Criteria

(i) Using COSO 1992 for Control Criteria Centric Assessments

(ii) Using COSO 1992 for Risk-Based ICFR Assessments

(b) Treat Risks Using CARD® Model, a COSO-Linked Framework

(c) Treat Risks Using COBIT/ISO 17799/ITIL

(d) Treat Risks Using the OCEG Foundation Framework

2.7 IDENTIFY, ASSESS, AND REPORT ON RESIDUAL RISK STATUS

(a) Types of Residual Risk Status Information

2.8 CONCLUDING REMARKS

NOTES

Note: This guide is a condensed version of a more comprehensive Institute of Management Accountants (IMA) discussion paper titled "A Global Perspective on Assessing Internal Control over Financial Reporting" circulated for comment globally and filed with the SEC in September 2006. The full text can be found at www.imanet.org/pdf/IMAmanagementguidancetoSEC906.pdf.

2.1 A RISK-BASED APPROACH TO ASSESSING ICFR
