How Audit Objectives are Met Under the Integrated Framework for Internal Control
Under the Framework there are three basic audit objectives:
- to determine whether controls provide reasonable assurance of effective and efficient operations;
- to determine whether controls provide reasonable assurance as to the reliability of financial data and reports; and
- to determine whether controls provide reasonable assurance of compliance with laws and regulations.
Each of these objectives has five components of control:
- A sound Control Environment;
- A sound Risk Assessment Process;
- Sound Operational Control Activities;
- Sound Information and Communications System; and
- Sound Monitoring Practices.
1. For the Control Environment Component auditors assess
- whether managers and employees possess integrity, ethical values and competence;
- whether the nature of management’s philosophy and operating style is appropriate;
- whether there is proper assignment of authority and responsibility;
- whether there is proper organization of available resources;
- whether there is proper training and development of people; and
- whether there is proper attention and direction from management.
2. For the Risk Assessment Component auditors assess
- whether management has established a set of objectives that integrate all the organization’s resources so that the organization operates in concert;
- whether there is an awareness of and ability to deal with the risks and obstacles to successful achievement of business objectives; and
- whether management identifies, analyzes and manages the risks and obstacles to successful achievement of business objectives.
3. For the Operational Control Activities Component auditors assess
- whether management has established and executed policies and procedures to help ensure effective implementation of the actions they have identified as being necessary to address risks and obstacles to achievement of business objectives.
4. For the Information and Communications Systems Component auditors assess
- whether the information system produces the financial, operational and compliance reports needed to run the business;
- whether the reports that are produced deal with internal and external activities, conditions and events necessary to informed business decision making and external reporting;
- whether the organization’s people are able to capture and exchange the information they need to conduct, manage and control operations;
- whether pertinent information is identified, captured and communicated in a form that enables people to effectively carry out their responsibilities;
- whether communication flows in all directions throughout the organization;
- whether management has made it clear to all employees that control responsibilities are to be taken seriously;
- whether employees understand their own roles in the internal control system, as well as how their individual activities relate to the work of others;
- whether all employees have the means of communicating significant information upstream; and
- whether there is effective communication with external parties.
5. For the Effective Monitoring Component auditors assess
- whether the entire control system is monitored to assess the quality of the system’s performance over time;
- whether there is on-going monitoring in the normal course of doing business, such as regular supervisory and management activities, and actions employees take in performing their normal duties;
- whether internal deficiencies are reported upstream, with serious matters reported directly to top management; and
- whether there are separate, independent evaluations of the internal control system.