Internal Audit Indonesia's

Juli 14, 2010

Entity Level Controls – Risk Assessment Questionnaire

Filed under: Artikel seputar Internal Audit — internalauditindonesia @ 9:14 am

What is risk assessment?

Risk assessment is the component of the entity’s internal control that involves identifying and analyzing risks internally and externally. Risk assessment is relevant to achieving business objectives as well as objectives related to the preparation of reliable financial statements.

What is the objective of risk assessment?

The objective of the entity’s risk assessment process is to establish and maintain an effective process to identify, analyze, and manage risks relevant to achieving business objectives and/or the preparation of reliable financial statements. The questionnaire includes the following 31 points of focus/control objectives for risk assessment entity-level controls:

COSO Attribute
Point of Focus/Control Objective
Entity-Wide Objectives Management has a business planning process in place that examines existing objectives and establishes new objectives when necessary.
Entity-Wide Objectives Management establishes business plans and budgets with realistic goals, and incentives for achievement of plans are balanced.
Entity-Wide Objectives The business planning process is a bottom-up process. Each functional leader, with the assistance of their direct reports, is responsible for identifying specific goals/priorities for their areas of responsibility that will satisfy the company’s overall priorities for the year.
Entity-Wide Objectives Management has established and clearly communicated the company’s mission, strategy and business objectives.
Entity-Wide Objectives Objectives are communicated at the appropriate levels and are understood and adopted by the responsible parties.
Entity-Wide Objectives Management has established a process to periodically review and update entity-wide strategic plans and objectives.
Entity-Wide Objectives Entity-wide objectives provide sufficiently broad statements and guidance on what the entity desires to achieve, yet are specific enough to relate directly to the entity.
Entity-Wide Objectives The Board of Directors reviews all entity-wide objectives and business plans, providing feedback and/or formal approval when necessary.
Activity-Level Objectives Activity-level objectives are linked with entity-wide objectives and strategic plans.
Activity-Level Objectives Activity-level objectives are consistent with each other (e.g., objectives for the sales organization are consistent with the manufacturing organization).
Activity-Level Objectives Resources are generally sufficient to achieve objectives for processes in key business functions, and plans are in place to acquire additional resources as needed.
Activity-Level Objectives Management has identified what must go right or where failure must be avoided, for entity-wide objectives to be achieved.
Activity-Level Objectives Capital spending and expense budgets are based on management’s analysis of the relative importance of objectives.
Activity-Level Objectives Objectives serving as critical success factors provide a basis for particular management focus.
Activity-Level Objectives All appropriate levels of management are involved in objective setting and demonstrate commitment to the objectives.
Risk Identification & Management Management identifies risks related to each of the established objectives.
Risk Identification & Management Management has mechanisms in place to identify business risks resulting from entering new markets, lines of business or from offering new products and services.
Risk Identification & Management Management identifies financial reporting risks that result from operations or compliance with laws and regulations.
Risk Identification & Management There have not been financial reporting or disclosure related issues identified by internal or external auditors.
Risk Identification & Management Management identifies fraud risk factors, including management override of controls.
Risk Identification & Management Identifying risks includes estimating the significance of the risks identified, assessing the likelihood of the risks occurring, and determining the need for action.
Risk Identification & Management Risks are evaluated as part of the business planning process.
Risk Identification & Management Senior management develops plans to mitigate significant identified risks.
Risk Identification & Management The responsibilities and expectations for the entity’s business activities and the entity’s philosophy about identification and acceptance of business risk, are clearly communicated to the executives in charge of separate functions.
Risk Identification & Management Risks are reviewed periodically with the appropriate corporate governance functions (e.g., executive management, disclosure committee, audit committee, and legal).
Risk Identification & Management There are effective processes in place for sourcing, measuring and monitoring internal business risks.  For example, process risk and information for decision-making risk.
Manage Change The business planning process includes a broad spectrum of personnel with collective knowledge of all areas of the entity.
Manage Change The business planning process includes consideration of changes in the business environment, including the industry, competitors, the regulatory environment and customers.
Manage Change Mechanisms exist to anticipate, identify, and react to routine events or activities that affect achievement of entity – or activity-level objectives.
Manage Change Changes in risks are identified in a timely manner.
Manage Change Changes are appropriately communicated to the proper level of management (depending on the significance).
Manage Change Management has identified the resources needed to achieve the objectives and has plans to acquire the necessary resources.
Manage Change Budgets and forecasts are updated throughout the year to reflect changing conditions such as changing market conditions, competing priorities, resource allocation, etc.  These changes are clearly documented to allow future reference to reason why change occurred.


Tinggalkan sebuah Komentar »

Belum ada komentar.

RSS feed for comments on this post. TrackBack URI

Tinggalkan Balasan

Isikan data di bawah atau klik salah satu ikon untuk log in:


You are commenting using your account. Logout / Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout / Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout / Ubah )

Foto Google+

You are commenting using your Google+ account. Logout / Ubah )

Connecting to %s

Buat situs web atau blog gratis di

%d blogger menyukai ini: