ERM Reviewer
Risk culture consists of the norms and traditions of behavior of individuals and of groups within
an organization that determine the way in which they identify, understand, discuss and act on
the risk the organization confronts and takes.
The COSO Framework is a system for designing and implementing internal controls within corporate operations.
These controls, taken together, provide reasonable assurance that the organization is operating
ethically and transparently, reporting reliably, and complying with applicable laws, regulations, and industry norms.
The CoCo framework starts with the employee and groups its criteria into the following areas:
Purpose: set objectives, identify risks, and communicate strategies and plans.
Commitment: shared ethical values, accountability, and clearly assigned responsibility.
Capability: competence, communication, and coordination between departments.
Monitoring and learning: track performance against objectives and revisit the other criteria as conditions change.
The COBIT framework helps organizations meet business challenges in regulatory compliance, risk
management, and aligning IT strategy with organizational goals.
Definition of Internal Control and Objectives
The 2013 Framework defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives relating to
operations, reporting, and compliance.”
COSO also published Internal Control – Integrated Framework: Illustrative Tools for Assessing
Effectiveness of a System of Internal Control (Illustrative Tools), which
provides templates to assist users in documenting their assessment
of principles, components, and the overall system of internal control, together with
scenarios of how the templates could be used.
Operations Objectives – related to the effectiveness and efficiency of the entity’s operations,
including operational and financial performance goals, and safeguarding assets against loss. In
the 1992 Framework, the operations objective was limited to “effective and efficient use of the
entity’s resources.”
Reporting Objectives – related to internal and external financial and non-financial reporting to
stakeholders, which would encompass reliability, timeliness, transparency, or other terms as
established by regulators, standard setters, or the entity’s policies. In the 1992 Framework, the
reporting objective was called the financial reporting objective and it was described as “relating
to the preparation of reliable financial statements.”
Compliance Objectives – related to adhering to laws and regulations that the entity must
follow. In the 1992 Framework, the compliance objective was described as “relating to the
entity’s compliance with applicable laws and regulations.” The 2013 Framework considers the
increased demands and complexities in laws, regulations, and accounting standards that have
occurred since 1992.
Components
Control Environment. “The control environment is the set of standards, processes, and
structures that provide the basis for carrying out internal control across the organization. The
board of directors and senior management establish the tone at the top regarding the
importance of internal control and expected standards of conduct.”
Risk Assessment. “Risk assessment involves a dynamic and iterative process for identifying
and analyzing risks to achieving the entity’s objectives, forming a basis for
determining how risks should be managed. Management considers possible changes in the
external environment and within its own business model that may impede its ability to achieve
its objectives.”
Control Activities. “Control activities are the actions established by the policies and procedures
to help ensure that management directives to mitigate risks to the achievement of objectives are
carried out. Control activities are performed at all levels of the entity, at various stages within
business processes, and over the technology environment. They may be preventive or detective
in nature and may encompass a range of manual and automated activities such as
authorizations and approvals, verifications, reconciliations, and business performance reviews.
Segregation of duties is typically built into the selection and development of control activities.
Where segregation of duties is not practical, management selects and develops alternative
control activities.”
Information and Communication. “Information is necessary for the entity to carry out internal
control responsibilities in support of achievement of its objectives. Communication occurs both
internally and externally and provides the organization with the information needed to carry out
day-to-day internal control activities. Communication enables personnel to understand internal
control responsibilities and their importance to the achievement of objectives.”