What is the significance of assessing risk in the internal control process? Please explain in own words. Please see paragraphs below to get an idea and raise thoughtful questions, analyze relevant issues, build on ideas, synthesize across the readings below, expanding the perspective, and appropriately challenge assumptions and perspectives.

Risk assessment requires an organization to identify and analyze the significant risks inherent in achieving its goals and objectives. Risks may arise both from internal and external sources. Risk assessment goes hand-in-hand with internal control because it influences the nature and extent of the controls and strategies adopted to manage the risks. For example, the trustees of a government pension fund may want to invest in a certain type of security because the potential for income is high. But the potential for loss of principal may also be high. Based on the assessment, the trustees may decide to avoid the risk of loss by not making any investment in that type of security, or they may decide to accept some risk and manage it by limiting the amount that can be invested in that type of security and requiring biweekly reporting of each investment's value Because governments exist to protect the health, safety and welfare of its citizens, some of its activities are subject to significant risk, both internal and external to the agency responsible for administering the function. Identifying the risks and assessing their relative significance helps managers use their limited resources in the most effective manner. Without understanding those risks, there is increased likelihood that management will misallocate resources or fail to meet their objectives. Managers also need to recognize that risks and opportunities are related, because not identifying opportunities to improve operations can affect meeting an entity's objectives as much as failing to identify risks. To visualize and manage the risks affecting their functions, managers must: Clearly identify their goals and objectives, because the risks that need to be addressed are those affect the efficient and effective accomplishment of goals and objectives. Understand the economic, social, and political environments within which they operate, because significant risks stem from those environments Recognize that risks result from the choices they make about how they function including their operating decisions and their business practices and systems. Recognize that risks extend to their financial and physical resources, the clients they serve, the people they employ, and the information they use.

Risk assessment requires a systematic and disciplined approach. This is not to suggest that managers must use complex mathematical models, although that would certainly be usefulin some situations. Rather, managers can apply a qualitative and judgmental yet systematic approach to assessing risk. Further, the actual process for identifying risks may vary. For example, risks can be identified during a strategic planning session, in internal "brainstorming" conferences specifically devoted to risk identification, or in meetings with other jurisdictions performing similar functions. The catalog of risks may be updated as a result of new regulations issued by a higher-level government or as a result of findings appearing in audit reports or other assessments of the agency To perform a risk assessment of the identified risks, the manager needs to focus on two things The likelihood that something will go wrong . The impact (expressed in terms of cost or program results) of something going wrong Obviously, if the potential for something going wrong is high and the potential impact is high, you will want to devote a proportionately larger share of your resources to that subject. If the likelihood is low and the impact is negligible, the area warrants a relatively smaller share of resources. Managers need to exercise judgment in reviewing the factors that increase or decrease likelihood and impact, and in knowing what constitutes "impact" in the public sector.

Public sector problems also tend to have great impact because governments exist to provide services to people. Breakdowns in providing services, such as services to children, are likely to create significant public outcry. The point is that government managers face a different environment than their private sector counterparts. Managers need to develop a heightened awareness of how the public may perceive spending decisions and service breakdowns. At the same time, a government manager should not manage for the media. One way to help avoid this is to have a systematic process for assessing risk and to document the decisions made. To dothis, the manager must clearly define the organization's mission, establish goals and objectives, and list what can go wrong, both from internal and external causes, in meeting its goals and objectives.

Management should evaluate each risk they identify in terms of its impact if some negative event were to occur and the likelihood the negative event will occur. Impact is a measure of the magnitude of the effect on an organization and the people it serves if an unfavorable event were to occur. When determining the significance of each risk, management should consider the effect of the risk. The effect is the ultimate harm that may be done or the opportunity that may be lost. Managers should quantify this if possible, or at least state the effect in specific terms to help define the significance of the risk . Likelihood is the probability that an unfavorable event would occur if there were no control activities to prevent or reduce the risk from occurring. Management should estimate the likelihood for each identified risk. The following chart graphically depicts an approach to evaluating risks, with quadrant I representing the lowest priority and quadrant III representing the highest priority risk Management should use judgment to establish priorities for each risk based on significance, or impact, and likelihood of occurrence. The priority should rank the risks from the most significant (high impact) and most likely to occur (high likelihood) as indicated in quadrant III to the least significant (low impact) and least likely to occur (low likelihood), as indicated in quadrant I of the graph.

Impact varies based on the program, function, or activity. It can be expressed in monetary terms or in program terms. When expressed in monetary terms, impact is measurable. When expressed in program terms, it is harder to measure and sometimes it is not even apparent At other times, it is very evident. Example: What is the impact if you do not provide an educational program to an inmate at a correctional facility? The impact is not immediate, and any results may not be apparent for years to come. On the other hand, failing to staff a post in the prison will immediately jeopardize security One element to consider in assessing impact is to understand the inherent risk that exists i the program, function, or activity. Inherent risk is the risk that relates to the essential character of the program, function, or activity. What's the inherent risk with the educational program provided to inmates? If the program is not offered, the inmates' ability to become educated is reduced, and uneducated inmates have a higher rate of recidivism than educated inmates However, the inherent risk of not staffing a post in the prison is that inmates may escape In assessing the inherent risk, you must start with the organization's missions, goals and objectives. If the goal of the prison system is to rehabilitate the inmates, the need for educational programs takes on added significance. If the goal of the system is to incarcerate the inmates and segregate them from society, the need for educational programs is significantly reduced. This issue is complicated by the fact that many times there are multiple missions in an organization that must be balanced. In evaluating impact in the public sector, the manager needs to be sensitive to the public perception. In all likelihood, the public is more concerned with a prisoner escaping than with the quality of the prison's education program. Recognition of this reality will cause the manager to assign a higher priority to staffing the security posts than to the education program With the multitude of government programs, functions, and activities, it may be impossible to define all of the impact areas. When you understand the risks, it becomes easier to understand where effort should be spent to control the risk.

There is an interrelationship among the elements of internal control. No one element stands on its own. For example, to perform a good risk assessment, you need to have good information and communication systems. The following is an example of waste that went undetected for many years in a state government because of inadequate understanding of inherent risk Several elements of a good system of internal control broke down in our Audit in Action. First, management had not assessed the risks that potentially existed in the delivery practices because they did not understand the inherent risks associated with this commodity (varying delivery temperatures affect the gallons received). Second, the information and communication systems were not well established. Although the manager of the heating plant understood the characteristics of the fuel oil, he had not conveyed its importance to his staff or to his superiors. Third, the monitoring function was not working. The fact that a staff person would refuse to verify the quantity of oil delivered in the presence of the auditors is a strong indicator they would not do it on an ongoing basis. The primary cause of this problem was that management had not properly assessed the risks in this aspect of operations. Once managers understand the potential impact and likelihood of a negative event occurring, they can plan how to minimize the likelihood it will occur.

Assessing risk depends partly on management's experience and judgment. If you assess risks and develop appropriate courses of action, then when negative events occur, you will be able to avoid the reactive, crisis mode in which many managers often find themselves Judgment is a critical element in defining the likelihood and impact of a negative event. Judgment, however, is an elusive concept. A person with good judgment has the following characteristics: Discernment the ability to grasp and comprehend what is not obvious Reasoning and rationality -the skill of distinguishing what is true or appropriate Perception a quick understanding of the issues and the potential implications Penetrating mind - a searching mind that goes beyond what is obvious . . Insight- an intuitive understanding of how things work Of course, people may judge things differently. Normally, we defer to the person with more knowledge and experience. Nevertheless, sometimes the knowledge and experience gained can limit a person's ability to see new possibilities.

Governments spend taxpayer money, and many decisions made by government personnel affect the lives of people. Therefore, an entity needs sufficient documentation to support both financial and operating-type transactions, events and decisions. For example, just as doctors prepare notes of their observations when they see patients, so should caseworkers, inspectors and many other governmental staff persons prepare notes of what they observe. Policy and procedure manuals should specify when documentation is needed and the nature of the required documentation. Documentation provides evidence that transactions or events actually occurred. It permits supervisory and managerial review as well as independent audit assessment, of both work done and decisions reached. (In fact, documentation is sometimes called an audit trail.) Depending on the nature of the transaction or event, documentation may also provide evidence of the thought processes and the care exercised by people in reaching decisions. Documentation is particularly needed to support deviations from the norm, controversial decisions, and supervisory decisions that override staff conclusions. Documentation may not always be reliable. Expenditures may be made, for example, based on bogus invoices and people might write things that they did not do. Therefore, an auditor needs to be alert to the potential for fictitious documents re some examples of documentation that might be required to support transactions, events, and decisions.