Risk assessment second COSO standard of internal control

Wednesday, February 18, 2015

In this second article in a series about the importance of the COSO standards of internal control, the focus is on risk assessment.

Every level of the University faces various risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of an organization’s stated objectives. Risk assessment involves a dynamic and iterative process to identify and evaluate risks that could prevent the achievement of these objectives. While all risks should be identified, not all risks will be or can be addressed.  Management accepts some level of risk to each objective based on resources available and the priority of the objectives.  This risk appetite, or tolerance for certain risks, impacts how identified risks will be managed.

Management should define its objectives with sufficient clarity to be able to identify and analyze risks to those objectives. Risks can usually be grouped into three areas:  operations, financial reporting and compliance.  Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own operational model that may render established internal controls ineffective. Risk assessments from higher levels of the University may drive operational procedures and practices at the department level.

Risk assessments at the department level may include considerations for security of cash collected at department-hosted events, evaluation of student worker access to department files and shared network drives, and the information security vulnerabilities posed by maintaining a set of laptop computers for check-out by traveling faculty.

In the next several editions of Inside UNC Charlotte, articles will expand on the remaining layers of the internal controls framework.  Employees who have questions about the article or who want to talk about how the framework applies to their department should call the Internal Audit Department at 704-687-5693 or email Internal_Audit@uncc.edu.