Page 112 - Rižnar, Igor, and Klemen Kavčič (ed.). 2017. Connecting Higher Education Institutions with Small and Medium-Sized Enterprises. Koper: University of Primorska Press
P. 112
Tatjana Horvat and Franko Milost
• Evaluate the impact of the risk response – the company must be
aware that the response to a risk may be different in its effect on
the probability of an event and on the result of the event itself.
• Assess the costs and benefits of the risk responding – the assets
used in the company’s responses to risks are limited, so it is nec-
essary to examine the costs and benefits associated with each re-
sponse.
• Consider that the risk can represent an opportunity in the enter-
prise’s operations.
The internal auditor would not take on the following responsibilities
(The Institute of Internal Auditors 2009, 5):
• determine the acceptable level of risk,
• instead of the management, taking on the responsibility for the
risk management processes for the effective and efficient function-
ing of risk management system,
• instead of the management, making decisions on risks responses
and their implementation.
Assessment of Control Procedures
Control activities are policies and procedures that help the management
achieve its goals. In other words, to help the management to ensure the
implementation of the right things at the right time and in the cor-
rect manner (Committee of Sponsoring Organizations of the Treadway
Commission 2004, 32).
Control activities include the following policies and procedures (In-
ternal Control Standards Committee 2004, 25–7):
• Procedures for approval and confirmation: Carried out by authorised
persons only. Approval procedures must include the specific con-
ditions and terms under which approval is carried out. Ensuring
attention is paid to the certification of approval means that em-
ployees comply with the regulations and act within the restrictions
introduced.
• The separation of task areas (approving, implementation, recording,
reviewing): To reduce the risk of errors, any individual or group
should not control all the key stages of the event or transaction.
• Control over access to records and facts: Access is limited to autho-
rised persons who are responsible for the custody and/or use of
facts (minimising the risk of unauthorised use or loss).
110
• Evaluate the impact of the risk response – the company must be
aware that the response to a risk may be different in its effect on
the probability of an event and on the result of the event itself.
• Assess the costs and benefits of the risk responding – the assets
used in the company’s responses to risks are limited, so it is nec-
essary to examine the costs and benefits associated with each re-
sponse.
• Consider that the risk can represent an opportunity in the enter-
prise’s operations.
The internal auditor would not take on the following responsibilities
(The Institute of Internal Auditors 2009, 5):
• determine the acceptable level of risk,
• instead of the management, taking on the responsibility for the
risk management processes for the effective and efficient function-
ing of risk management system,
• instead of the management, making decisions on risks responses
and their implementation.
Assessment of Control Procedures
Control activities are policies and procedures that help the management
achieve its goals. In other words, to help the management to ensure the
implementation of the right things at the right time and in the cor-
rect manner (Committee of Sponsoring Organizations of the Treadway
Commission 2004, 32).
Control activities include the following policies and procedures (In-
ternal Control Standards Committee 2004, 25–7):
• Procedures for approval and confirmation: Carried out by authorised
persons only. Approval procedures must include the specific con-
ditions and terms under which approval is carried out. Ensuring
attention is paid to the certification of approval means that em-
ployees comply with the regulations and act within the restrictions
introduced.
• The separation of task areas (approving, implementation, recording,
reviewing): To reduce the risk of errors, any individual or group
should not control all the key stages of the event or transaction.
• Control over access to records and facts: Access is limited to autho-
rised persons who are responsible for the custody and/or use of
facts (minimising the risk of unauthorised use or loss).
110
