 Hello and welcome to the session in which we will discuss risk assessment, the second component of the COSO internal control framework. In the prior session we looked at the control environment and the control environment is the attitude of top management, shareholders, board of directors, senior executives about the internal control. And what is the internal control? The internal control is this fort right here. And part of that internal control is the control environment, the people on the top, their attitude about the internal control. In this session we would look at the second component of internal control which is risk assessment. So notice we have five components, one, two, three, four and five. We are already done with control environment and this session will focus on risk assessment. Then we will discuss control activities, information and communication in separate sessions. Before we proceed any further I have a public announcement about my company farhatlectures.com. Farhat Accounting Lectures is a supplemental educational tool that's going to help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course such as Becker, Roger, Wiley, Gleam, Miles. My accounting courses are aligned with your accounting courses broken down by chapter and topics. My resources consist of lectures, multiple choice questions, true-false questions as well as exercises. Go ahead start your free trial today. What is risk? Risk could be both internal and external and risks are event or anything that's threatening the companies and achieving its objective especially those the ones that are related to financial statement preparation. This is what we'll name by risk here. Now how does the company assess its own risk? What we're looking at here when we're studying the internal control it's not how we assess, it's not how we means the auditor assess the risk of the company. It's how the company assess its own risk, how do they assess its own risk. Risk assessment involves identifying, assessing and strategizing a strategy and handling those risks. So each company will have a different type of risks. There are many type of risks depending on which company you are running, what industry you are in. For example, if you're in the food industry, the risk is food poisoning, you could have a problem with your supply where you cannot have enough material to make your food. For airline company, it could be a major risk could be safety, different companies will have different type of risks. Do companies as part of their internal control framework identify those risks, assess those risks and strategize how to handle them and simply put, do they consider the event probability happening? What is the probability of the event happening and if that happened? What can we do? What's the potential impact and what are we doing to prevent or mitigate this risk? Are we actively, actively we mean management is actively identifying those risks? The first thing is you identify them, assess them, what's the likelihood of occurring? Then what are we doing to either prevent or in case something happened, how to handle it? Now why perform risk assessment? Why do we need to perform? Why do we need to discuss first of all, why do we need to discuss risk assessment? Now companies perform risk assessment to protect themselves, but why do we need to discuss it as auditors? What is the relevancy for us? Well, for auditors, the reason why we need to learn about the risk assessment, the company's risk assessment, it's going to guide our audit. It's going to tell us how much work to do, determine the nature, timing and extent. What type of auditing procedures are we going to perform? The timing, when are we going to do it and how much of it? Why? Because if we identify a higher, higher risk areas would require more extensive testing. So if the company don't assess the risks properly, there's a lot of risks and they don't handle it, we're going to be more careful as auditor. If management effectively mitigate risk, auditor usually need to collect less evidence compared to when management don't address those risks properly. So simply put, if the company don't handle the risks, they are riskier. And if that's the case, we need to perform more work. Now again, what do we do as auditors? We have to gain insight into the management risk assessment process. We have to understand how management identify relevant financial reporting risks. Do they have a list of them? Evaluate their significance and the probability of occurrence. How do they do that? And what are their plan in mitigating those risks? So as auditors, we have to look at their process and evaluate this process to determine whether they are from a risk assessment or they handling the risk properly. Now, what are some factors that could increase the risk and that risk could run into the financial reporting? Well, rapid growth of the organization. Okay, sometime management is not up to the challenge and the company grow very fast. Well, that could be a risk. Believe it or not, for financial reporting. For example, a company in point is as kind. It's healthy snacks. They produce healthy snacks. And what they did, they grow very fast when another company purchased them, invested in them. And they went from a sampling budget of $800 to a sampling budget of $800,000. What happened overnight is they were distributing those kind, healthy snacks to everyone. Rather than budgeting $800, they were budgeting $800 million. What happened? The company experienced rapid growth. And when that happens, the company may not be able to keep up. And as a result, we have a risk here and the risk of growing fast. It's a good risk. Nevertheless, it's the risk versus a company like Wawa. Wawa don't grow fast. Wawa is a convenient store. Practically, if they open anywhere, they will have customers. They will have revenues. But Wawa don't do that. Wawa are careful in expanding. They want to make sure they don't sacrifice quality. They want to make sure that their supply chain is proper. In other words, they can supply their stores efficiently. So they are very careful on how they manage their growth. But rapid growth could be a risk factor. Another risk factor is any changes in regulatory environment or changes in technology affecting production processes or information system. A case in point, the New York Times. The New York Times, when the internet came about and started to become more prevalent in 97, 98, the New York Times basically ignored it. They did not care about the internet. They kept believe in the actual newspaper. Basically, they were also buying radios and physical newspaper while in reality, they should have been investing on their website. Same thing with Kodak. Kodak, they did not believe in digital camera because it's what's going to eat up their Kodak, their film, their traditional product. The same thing as Polaroid, Borders Book. Well, what happened is Amazon took over. They did not really change. So any changes in technology could affect your company negatively, which in turn could affect your financial reporting. As I mentioned, changes in regulatory environment or operating environment, new accounting pronouncement, like for example, if there's changes in revenue recognition and you can't keep up with that, well, that's a risk. If the auditor is aware that you don't have enough competent people understanding the new revenue recognition that's a risk for the auditor. Changes in key personnel. Okay, no one may not be familiar or they may not know what they are doing. If people kept leaving your company and more additional and new people are coming in, what's gonna happen is you're gonna lose those experienced people. And the new people, they might have to learn the system. It may need to take some time. A learning curve and that's not good. That's a risk for you as a company because they are not as familiar as with the people before them. When you implement or modify the information system, you have a new accounting information system or a new computer system, there's a risk because that system may not be producing the latest or the reports that we want. If you introduce a new line of business, product or processes, again, that will increase the risk which in turn might flow into the financial reporting risks. So all of these are factors that could increase the risk of financial reporting. Now, in this session, as I mentioned, we looked at the risk as a factor. In the prior session, we looked at the control environment. In the next session, we would look at control activity. So what we're doing is we are building this internal control, fourth internal control risk. And now we're gonna look at the control activities in the next session. Understanding internal control from A to Z, there are five components, control environment, risk assessment, control activities, information communication and monitoring is important because as an auditor, we have to understand the internal control of the company. So we have to understand what is internal control? Therefore, we are going to do our own assessment. So this is the risk assessment that the company makes. We're gonna make our own risk assessment about the internal control. And we'll do that in the next few sessions. For now, what should you do? Go to Farhat Lectures, look at additional MCQs, true false questions that's gonna help you understand this concept. Good luck, study hard, and of course, stay safe.