Eight questions for a holistic risk assessment

Internal control has emerged from isolation.

In recent years, according to an International Federation of Accountants (IFAC) report, internal control has come to be viewed as an integral part of risk management and governance rather than a separate concept unto itself.

This integration demands that individual risks be assessed holistically rather than in a linear or unconnected way, according to the report, Evaluating and Improving Internal Control in Organizations. The report explains how accountants can ask the right questions to ensure a proper risk assessment that determines the overall effect of uncertainty on an organisation’s goals.

All important business decisions should be made with this comprehensive risk assessment in mind, the report says. To assess risk across an organisation, the report recommends that accountants ask:

  • Are the various departments that deal with a specific risk or have responsibility for associated controls working together?

  • Does the organisation have an accurate and comprehensive understanding of its current risks?

  • Does the organisation understand how various risks might have common causes or mutually reinforcing consequences?

  • Are the organisation’s risks within the limits for risk-taking as determined in its risk-management strategy and policies on internal control?

  • Are risks treated on an individual basis or does the organisation understand the overall effect of uncertainty on its objectives?

  • Does the organisation sufficiently know the effectiveness of its controls and how they could be further improved?

  • How can the organisation be certain it knows the correct answers to the preceding questions?

  • What are the processes for monitoring and evaluating, and are the processes effective?

The role of successful internal control as a driver of prudent business decisions is expanding as organisations take a proactive approach towards risk assessment and its integration into governance.

University of Wisconsin professor emeritus Larry Rittenberg, CPA, Ph.D., CIA, explained during a recent telephone interview that understanding controls themselves and whether they are working is an important step that leads to opportunities for organisations to improve.

Rittenberg is a former chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which has another key internal control document under development. COSO’s Internal Control—Integrated Framework is undergoing an update that was released in an exposure draft in December and is scheduled for a final release in the first quarter of 2013.

Rittenberg said that when he served on the board of directors of one of the world’s largest oil companies, PetroChina, the audit committee and top management carefully examined the company’s controls and processes with the goal of improving them.

“They believed it would lead to more efficiency and effectiveness as well,” Rittenberg said. “I think the whole idea of changing the mind-set [from] just the compliance activity into a proactive approach [is important].”

That idea is reinforced by the IFAC report’s practical guidance. The report describes nine key principles for evaluating and improving internal control:

  • Supporting the organisation’s objectives.

  • Determining roles and responsibilities with respect to internal control.

  • Fostering a culture that motivates members to support risk-management strategies and policies.

  • Linking internal control achievement to individual performance objectives.

  • Ensuring that participants in governance are competent to fulfill internal control responsibilities.

  • Responding to risk.

  • Communicating regularly.

  • Monitoring and evaluating.

  • Providing for transparency and accountability to stakeholders.

An effective internal control system is one of the best defences against business failure and an important driver of business performance, according to the report. And it says accountants play a key role in internal control as creators, enablers, preservers and reporters of sustainable value creation for organisations.

Ken Tysiac ( is a CGMA Magazine senior editor.