[Jimm]

I believe risk assessment is looking at the impact and probability.

TARA is for risk planning = risk management strategies.

COSO is for Internal control = looking at 5 areas. I remember this by thinking CRIME
It would be a crime not to remember COSO haha

1.Control Activities = OAPSPASM
2.Risk Assessment = part of internal control is assessing risk
3.Information and communication flow = this looks at how company communication is, is there a culture if secrecy? if there is then internal control is probably not effective.
4. Monitoring = Overall responsibility of CEO but delegated to Audit Committee which is further delegated to internal audit dept.
5. Environment = this is the tone at the top, what are directors attitude re internal control, if they don’t care generally, this attitude will probably cascade down to employees.

Your second paragraph is answered above – how to monitor effectiveness = CRIME

Hopefully this overall process clarify your confusion (Mike Little = Please correct me here if I am wrong!)

1. Company strategy = this is what the company wants to achieve.
2. Risks = there are risks that company faces in meeting their objectives, these can be minimised by sound internal control.
3. How sound internal control is = assessed using COSO framework (CRIME)
R of cRime is Risk Assessment = this is looking at impact x likelihood = urgency
based on the assessment, company can employ TARA strategy to manage risks of not achieving their stated objetives at point 1.

[Author]

Posts