Risk Assessments and Internal Controls

From innocent but costly mistakes to deliberate fraud, all organizations are subject to risks that can jeopardize financial reporting or lead to the loss of corporate assets. That’s why it is imperative to establish a robust system of internal control to reduce or prevent such threats and strengthen financial reporting.

Internal controls are policies, procedures, and other activities implemented by a business to assure that it can achieve its objectives. Among those objectives are reliable financial reporting, compliance with laws and regulations, operational efficiency, and fraud avoidance. There are three types of internal controls: detective, preventative, and corrective.

An internal control system is a company’s set of all internal controls plus the tools the company uses to monitor those controls. The system should mitigate an organization’s risk of fraud and loss while safeguarding corporate assets and helping the business to achieve its objectives.

Every company will have its own unique internal control system, depending on its size, industry, history, and operations. That said, all effective systems of internal control operate in roughly the same manner and have the same fundamental components.

Risk assessments are one such component, and a crucial one at that. A risk assessment identifies the risks that might threaten the company’s ability to achieve its objectives, and then considers whether the design and operation of the company’s internal controls deliver the protection the company needs.

Why Is Risk Assessment Important in Internal Controls?

Risk assessments are important because they identify weak spots in your system of internal control. For example, you might identify new external threats that can overcome the internal controls you have; or you might discover that some internal controls no longer work as well as intended because your business operations have changed. With so much complexity and innovation in the modern enterprise, internal controls need constant monitoring and improvement to avert existing or emerging threats.

Internal controls and risk management are not goals in and of themselves. Rather, they are the means a company can use to keep achieving its objectives in the modern business world. Internal controls must always be considered when establishing and implementing corporate initiatives to achieve objectives. Flaws in internal control can emerge when new initiatives are not coordinated with risk management principles.

A proper risk assessment can help an organization to manage risks and improve decision-making. It assures that efforts have been made to identify risk, implement preventative controls where possible, and mitigate damages.

One of the most versatile and widely used frameworks for internal control is the one published by COSO, the Committee of Sponsoring Organizations. COSO first published its internal control framework in 1992, followed by a modern-day overhaul in 2013. A system of internal control based on the COSO framework will have five components. Risk assessment is one; the others are:

• Control environment. This is the foundation of an organization’s internal control system. It sets management’s tone for expectations, separation of duties, and the importance of internal controls within the overall company culture.
• Control activities. These are the policies, procedures, and mechanisms that make up the organization’s risk management strategy.
• Information and communication. Internally generated reports periodically summarize audit results and control activities for auditors and stakeholders to consider.
• Monitoring activities. Ongoing monitoring assures that control activities are implemented and enforced in day-to-day operations.

Those five components of internal control should all support each other. None can do much good for the management team without the others; they are meant to operate as a single, integrated system.

What Are the Different Types of Internal Control Risks?

To guard against risk, organizations must do more than set up internal controls, fraud prevention activities, and internal control testing. Companies must consider specific risks when implementing a comprehensive system of internal controls.

Common internal control problems include a lack of a sound internal control environment, poorly designed business processes, weak ethical values and integrity, and IT security risks. The most common issues can be classified into the following categories:

Inherent Risk

Inherent risk is the level of risk — inaccurate financial statements, cybersecurity threats, compliance failures, and so forth — that exists when an organization has no controls in place whatsoever to guard against the danger.

Control Risk

Control risk is the chance that an internal control fails to work as intended. For example, a company policy might require the board of directors to approve all contracts above $100,000. If management then executes a $150,000 agreement without board approval, that indicates a control failure: the organization didn’t have mechanisms in place to enforce the policy.

Residual Risk

Residual risk is the risk that remains after internal controls have been implemented. For example, as an anti-fraud control, a company may require two signatures for all payments over $40,000. There is, however, a residual risk that a transaction might still be fraudulent even after two signatures. (Maybe the two signing executives are conspiring together.) If the organization is unwilling to accept this residual risk, it should review its policies related to internal controls for cash.

Operational Risk

Operational risk refers to unexpected failures in the organization’s day-to-day operations caused by personnel, processes, or external factors. It is often related to control and residual risks. They include fraud, security failure, legal breaches, environmental hazards, or natural disasters.

Compliance or Regulatory Risk

This is the risk of failing to comply with laws or regulations, such as the Foreign Corrupt Practices Act (FCPA) or the Sarbanes-Oxley Act (SOX). For example, a public organization lacking strong internal controls over financial reporting is exposed to significant SOX compliance risk, financial penalties, and reputational damage.

How Do You Implement Internal Control Procedures?

Firms can lower their risk exposure and empower senior management to conduct business more efficiently by managing operational processes, financial information, and compliance risks.

Step 1: Create the Proper Control Environment

Organizational structure, ethics, and integrity form the foundation of any company. In addition, these aspects establish the basis for a proper control environment and access controls within a company.

Step 2: Risk Assessment and Internal Controls

Management must identify, analyze, and assess risks within an enterprise. These steps help management to understand what procedures, processes, and controls are (or aren’t) in place to mitigate the risks to business operations, financial reporting, and compliance obligations.

Step 3: Implement Control Activities

When the risk assessment identifies any controls that might not be sufficient for the risks confronting the company, management should then develop proper controls (say, policies about signing large controls, or employee training on working with third parties), and implement those controls promptly.

Step 4: Disseminate What Has Been Learned

Information and communication systems surrounding control activities should be circulated among employees to manage, monitor, and control an organization. Information and data must be provided to the appropriate personnel in a timely manner to help them do their jobs properly and drive appropriate behaviors.

Step 5: Keep Watching

Risks evolve over time; so do business operations. Plus, sometimes internal controls turn out not to work as well in practice as expected. All of this means risk management and compliance teams should monitor the performance of internal controls, perform periodic audits, and revisit risk assessments on a regular basis to be sure your system of internal control remains effective across time.

An internal control review process verifies that controls function as expected and are not negatively impacting operational efficiency. Findings and discrepancies should be evaluated and corrective actions or controls implemented to assure problems are resolved.

Best Practices for Risk Assessment

An effective internal control system starts with the five components of internal controls listed in the COSO framework. In addition, comprehensive business planning and risk assessments reduce the risks to achieving business objectives while adhering to internal controls. These best practices guide the risk assessment process and the development of adequate internal controls.

Conduct Internal Audits

Internal audits are critical to verify that a company’s internal controls, control structure, and corporate governance are applied consistently and effectively. For example, an internal auditor will review financial statements, reconcile accounting records, and evaluate segregation-of-duties controls to confirm whether financial transactions are carried out correctly and appropriately.

Develop a Mitigation Plan With Controls for Each Risk

Risk assessments require a list of items to be assessed. The list should be presented in a clear, logically designed, easy-to-follow form and include corresponding mitigation plans for each risk. As a result, assessments will be more thorough and document relevant actions.

Identify Internal and External Risks

Risks come from a variety of sources. It helps to classify internal and external risks in your risk assessment, to determine where internal controls will be most effective. Distinguishing different types of risks will allow you to define more effective internal controls.

Collect Employee Feedback

Employees can be the best critics about whether processes and controls are working effectively. Collect employee feedback to understand whether internal controls are unnecessarily cumbersome. Ask them for their perspectives on potential risks and ideas for improving your internal controls. Staff will appreciate internal control processes more when their inputs have been considered.

Monitor and Make Changes

Conducting a risk assessment and setting up internal controls are not one-time projects. A continuous commitment to risk management requires an organization to make modifications to assure that internal controls are working as expected.

Improve Your Internal Controls and Simplify Risk Management with Reciprocity ZenRisk

In the world of organizational risk management and improved internal controls, ZenRisk is the expert. The ZenRisk risk assessment modules provide valuable insight into where your financial reporting is lacking, so you can take quick action to compile the documentation you need.

ZenRisk enables you to set up, manage, and track progress within your risk management and internal control framework. For example, it can assist you in prioritizing activities so that all employees know what they need to accomplish and when they need to do it. In addition, its easy-to-use dashboards simplify reviewing tasks that need attention.

Its workflow tagging feature makes it simple to assign risk assessment, analysis, and mitigation tasks. ZenConnect also enables integration with popular tools such as Jira, ServiceNow, and Slack, assuring seamless adoption across your enterprise.

Hassle-free internal controls implementation and compliance is the Zen way! For a free consultation and demo of ZenRisk, schedule a demo.