Scoping and Risk assessment



  • Our Company is currently going through its Annual Scoping and Risk Assessment. No. 2 gives guidance for this process, but I would like to actually see a hard example showing the criteria used in identifying risks as high, medium, low (or some other similar ranking). Is there something out there?



  • There are many examples of Risk Assessments that you can find on the internet. The risk model that you use will need to be tailored to your business model and risk tolerance.
    I’ve seen some risk models that involve consideration of materiality based on the likelihood and potential impact on financial reporting. Other risk models use qualitative measures…high, moderate, low, and do not require quantification of risk assessment.
    What is important is that a consistent and logical method is used to rank the controls based on risk. It is not necessary to develop or use a complicated risk model or risk assessment methodology.
    You might check out:
    auditnet.org
    for example risk assessments. Of course, there are other sources of good information and you might also find some links on this Forum for additional guidance.
    Good luck,
    Milan





  • Hi - This thread might tie into the requirements process somewhat also … You may have seen it but will highlight just in case.
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1425



  • Thanks for the help.



  • After we identified accounts and processes, we broke those processes down to sub-processes. We then risk ranked sub-processes and used the factors: volume of transactions, large monetary amounts, impact on disclosures, accounting complexity, recent changes in process/accounting, potential for errors, potential for fraud, and prior year results. We gave each one a subjective H, M, L which accumulated to an overall H, M, L. We then varied our testing levels for the risks/controls associated with each process based on this ranking.
    We are thinking of changing this methodology a little (although it worked fantastic and our auditors were okay with it) this year to not break down the processes by sub-process and just list the risks for each process, then consider the likelihood/impact of each risk. This ranking would then affect our level of testing for the controls associated with the risk. See the other thread on risk assessment that someone above me recommended. There is a discussion going there.

