Continuing our ongoing chat with our examiner about the components of risk assessments. We are not in total agreement as to which considerations are components of inherent risks versus controls. We have tehse as inherent risk identifiers:potential fines, fees, restitutuion, volutility of the law, regulation, sufficiency of staff, complexity of the products, contribution to the bottom line, complexity of the law/reg, potential for reputation risk, volume/exposure and trend, key management or personnel changes. We have these as control considerations: audit findings, hot button, level of automation, policies and procedures, training, response to findings signaling deficiences in controls, control design effectiveness, control execution effectiveness, new vendor/core system impact, key management changes.

Let me know if you agree/disagree with the ctegories we are putting these considerations into: inherent risk or controls. thanks

I do not agree with your control considerations. You can have all the policies and procedures you want but if they are not being followed, it does not matter. I would not include audit findings in this either.

OK. So, what if we say written procedure, including checklists and dual control, for example,s which are tested during audits?

What do you mean by "control considerations"? Controls are usually evaluated on their type and strength. Do you have preventative controls in place to make sure a mistake cannot happen - those would include systems stops or pre-close checks on loans to make sure disclosures are correct, that proper flood insurance is in place, etc. Detective controls that occur after the fact don't help much.

Usually you list (somewhere, in the risk assessment or a backup document) your controls and the type and then determine strength.

I thought so, too. I built my list based on material from various seminars, webinars, etc.They are all over the place in defining controls. I think I will go back to my original definitions/examples 9that is what I meant by considerations) and not include some of these gray area examples.

So, what about my inherent risk factors? Do you see any issues with those? Sometimes its not a good thing to have lots of examples/sources as they start conflicting with one another!

Have you tried either the AICPA or IIA websites?

Those should give you some good information.

And I disagree with the policies and procedures comment. They may not be a "hard" control, but policies and procedures are a type of "soft" control and should be included/considered. (Think of it in terms if you didn't have any policies/procedures in place - I would consider that to be a deficiency).

You find out if they are being followed (aka if the control is working) through testing by audit, compliance, or someone else.