Chapter 9. Importance of Enterprise Risk Management

Risk is a frequently used term in internal control standards and procedures. The Committee of Sponsoring Organizations' (COSO's) internal control framework, discussed in Chapter 4, stressed the importance of understanding and recognizing risks when building and assessing internal controls; many other topics in this book, such as Chapter 5 on CobiT or Chapter 8 on ITIL, discuss the importance of considering risks in today's Sarbanes-Oxley (SOx) internal control environment. However, risk has too often in the past been one of those terms where many professionals have said, "Yes, we must consider risks!" even though their understanding and assessment of risk has not been consistently well defined. One professional's concept and understanding of risk may be very different from another's, even though both work for the same enterprise and in similar areas. Among professionals working to improve SOx-related compliance, there has not been a consistent understanding of the concept of risk.

As our use and understanding of SOx rules and compliance matures, internal auditors and professionals need to have a better understanding of risk and how it impacts their processes and procedures for building and developing effective internal controls. Chapter 3 on AS5 introduced the newer risk-based considerations that are now part of this public corporation auditing standard. As discussed in that chapter, when the Public ...
