A risk assessment can be performed by a certified risk assessor in one of three ways: a compilation, review or audit. All three forms of a risk assessment are performed by collecting qualitative data on a nonpublic company. The amount and type of qualitative data collected varies by the type of risk assessment performed.
All risk assessments require the risk assessor to (1) collect data on over 65 risk factors, (2) assess the risk associated with each factor in accordance with MyRiskControl’s system of measurement, (3) prepare a statement that summarizes the severity of the overall company risk, and (4) submit the risk data to MyRiskControl for a risk analysis.
In turn, MyRiskControl prepares a report indicating the results of the analysis in the form of a score and rating, along with recommendations to address the areas of high risk.
Each assessment requires compliance with MyRiskControl’s Statement of Standards for Risk Assessment Services, which provides data collection guidelines for making substantive inquiries and collecting supporting evidence.
- Interview: Performing inquiries of management but expressing no assurance that the data collected to perform an assessment is accurate.
- Observation: Performing inquiries of management and making observations of business practices to express limited assurance that the data collected to perform an assessment is accurate, but only to the extent of the observations made.
- Examination: Performing inquiries of management and examining documents to verify all observations and express assurance that the data collected to perform an assessment is accurate without reservation.
The standards for assessment have very specific requirements for the collection and verification of the qualitative data for the purpose of performing the risk assessment, varying by the type of risk assessment performed. Please refer to the following outline for a summary of the differences between the types of assessment as found in the Statement of Standards for Risk Assessment Services:
Summary of Differences between Interview, Observation and Examination

| Task | Interview | Observation | Examination |
|---|---|---|---|
| Obtain knowledge of the typical business conditions and practices of the entity's industry. | X | X | X |
| Establish an understanding with the entity regarding the nature and limitations of the services to be performed. | X | X | X |
| Communicate with entity’s management in advance of the site visit to obtain access to personnel, documents and information. | X | X | X |
| Obtain an understanding of the entity’s organizational structure. | X | X | X |
| Conduct inquiries of top management. | X | X | X |
| Study strategic decision making of top management to identify predictable patterns. | X | X | X |
| Make inquiries of top management about planned changes that would have a material effect on a future risk assessment. | X | X | X |
| Make observations of the current business practices in place for the entity. | | X | X |
| Collect detailed evidence to support observations made of business practices in place for the entity. | | | X |
| Verify all data collected from verbal representations. | | | X |
| Make an assessment of the qualitative data collected to determine level of risk. | X | X | X |
| Obtain a management representation letter. | | | X |
| Modify the assessment if a change in conditions or practices was not adequately disclosed that materially impacts the assessment. | X | X | X |
| Maintain independence with respect to the entity. | X | X | X |