Our team comprises well-qualified professionals holding qualifications including CPA, CISA, CRISC, CFE, COSOERM, AWSSA.
Prior to simply performing an audit, it is critical to first identify and categorize risk. A properly performed risk assessment is a critical component in understanding the complexities and requirements of the risk assessment process, prior to identifying and testing controls to mitigate the related risks. A risk assessment should comprise an information-gathering process to identify the threats and vulnerabilities the organization is facing, a determination of the probability and impact of those threats, identification of existing mitigating controls, and the design of audit procedures to test the effectiveness of those mitigating controls.
Throughout this process, a combination of collaborative discussion and reviews will occur with the business functions and supporting services being audited. What makes Schneider Downs stand out among our competitors is our ability to consider and understand the multiple layers of technology that help support business functions, while developing a personal focus on your business and the people supporting it. We believe in collaborating with multiple layers of your organization (staff, management, and C-level executives) to ensure that risks are appropriately identified.
The Framework defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management. Engaged by COSO to lead the study, PricewaterhouseCoopers was assisted by an advisory council composed of representatives from the five COSO organizations.
Within the COSO ERM framework, risk assessment follows event identification and precedes risk response. Its purpose is to assess how big the risks are, both individually and collectively, in order to focus management’s attention on the most important threats and opportunities, and to lay the groundwork for risk response. Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being overcontrolled or forgoing desirable opportunities.
Events that may trigger risk assessment include the initial establishment of an ERM program, a periodic refresh, the start of a new project, a merger, acquisition, or divestiture, or a major restructuring. Some risks are dynamic and require continual monitoring and assessment, such as certain market and production risks. Other risks are more static and require reassessment on a periodic basis, with ongoing monitoring triggering an alert to reassess sooner should circumstances change.