MAKERERE
UNIVERSITY
COLLEGE OF BUSINESS AND MANAGEMENT SCIENCES
SCHOOL OF STATISTICS AND PLANNING
DEPARTMENT OF PLANNING AND APPLIED STATISTICS
BACHELOR’S DEGREE OF SCIENCE IN BUSINESS STATISTICS.
COURSE WORK ASSIGNMENT
FOR
RISK MANAGEMENT FOR BUSINESS (BBS 3206)
DETAILS OF MEMBERS
NAME                          REGISTRATION NUMBER   STUDENT NUMBER   SIGNATURE
NANTONGO LYDIA                20/U/0393             2000700393
NABWONSWO PHIONA ELIZABETH    20/U/12046/PS         2000712046
SSERWADDA FAHAD               20/U/11937/PS         2000711937
QUESTION ONE
Over a decade ago, the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) issued Internal Control – Integrated Framework to help businesses and other entities
assess and enhance their internal control systems. That framework has since been incorporated
into policy, rule, and regulation, and used by thousands of enterprises to better control their
activities in moving toward achievement of their established objectives. The Committee of
Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal
Control – Integrated Framework (2013 Framework).
(a) Define the term internal control as stipulated in the 2013 Framework.
(b) The 2013 Framework lists three categories of objectives, similar to the 1992 Framework. List
and explain them.
(c) The five components of internal control are the same in both the 1992 and 2013 Frameworks;
State and explain the five components as well as their respective principles as per the 2013
framework.
(d) What are the limitations of Internal Control as acknowledged by the 2013 Framework?
(e) The 2013 Framework further points out the importance of effective documentation of the
organization’s system of internal control. State the reasons why?
1a) Define the term internal control as stipulated in the 2013 Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in
1985 to provide thought leadership on three interrelated subjects: enterprise risk management,
internal control and fraud deterrence. In 1992 COSO published Internal Control – Integrated
Framework; it was revised and re-released in May 2013. The 2013 Framework retains the original
definition, the three categories of objectives and the five components, and formalises seventeen
principles that describe what each component must achieve.
The 2013 COSO Framework defines internal control as a process, effected by an entity's board of
directors, management, and other personnel, designed to provide reasonable assurance regarding
the achievement of objectives relating to operations, reporting, and compliance.
1b) The 2013 Framework lists three categories of objectives, similar to the 1992
Framework. List and explain them

Operations objectives
These relate to the effectiveness and efficiency of the entity's operations. Efficiency asks
whether operating procedures achieve their results with the least waste of resources;
effectiveness asks whether the operations actually deliver the intended outcome. Operations
objectives include operational and financial performance goals (are the targets realistic and
are they being met?) and the safeguarding of assets against loss, including loss through
theft, misuse or unauthorised disposal.

Reporting objectives
These relate to internal and external financial and non-financial reporting to stakeholders.
They concern whether the organization's reports are:
reliable, i.e. free from bias, error or misleading information;
timely, i.e. produced or delivered within the expected or required timeframe;
transparent, i.e. giving a clear view of the data, methods and assumptions used to produce
the reported findings;
or satisfy any other attribute set by regulators, standard setters or the entity's own policies.

Compliance objectives
These relate to adherence to the laws and regulations to which the entity is subject. Compliance
objectives keep the entity within the legal and regulatory requirements that apply to its
activities, whether or not its clients are directly concerned with them.
1c) The five components of internal control are the same in both the 1992 and 2013
Frameworks; State and explain the five components as well as their respective principles as
per the 2013 framework
Control Environment
The control environment is the set of standards, processes, and structures that provide the
basis for carrying out internal control across the organization. It is shaped by the integrity,
ethical values and competence of the entity's people and by the tone that the board and senior
management set.
The five principles of the control environment as per the 2013 framework are:
- The organization demonstrates a commitment to integrity and ethical values, with the board
and management setting the tone at the top and building a culture that promotes ethical
behavior.
- The board of directors demonstrates independence from management and exercises oversight
of the development and performance of internal control.
- Management establishes, with board oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop, and retain competent
individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities
in the pursuit of objectives and takes corrective action where necessary.
Risk assessment
Risk assessment is the identification and analysis of the risks relevant to the achievement of
objectives, forming a basis for determining how those risks should be managed. It is a dynamic
and iterative process that considers both internal and external factors and measures risks
against the entity's established risk tolerances, so that management gains reasonable assurance
that risks are being kept within acceptable levels.
The four principles of risk assessment as per the 2013 framework are:
- The organization specifies objectives with sufficient clarity, at the entity, division and
operating unit levels, to enable the identification and assessment of risks relating to those
objectives.
- The organization identifies risks to the achievement of its objectives across the entity and
analyzes them, considering both likelihood and impact, as a basis for determining how the
risks should be managed.
- The organization considers the potential for fraud (fraudulent reporting, loss of assets and
corruption) in assessing risks to the achievement of objectives; this is wider than the risk
of a material misstatement of the financial statements alone.
- The organization identifies and assesses changes that could significantly impact the system
of internal control, including changes in the external environment, in the business model,
and in leadership, personnel, systems and processes.
Control activities
Control activities are the actions established through policies and procedures that help
ensure management's directives to mitigate risks to the achievement of objectives are carried
out. They are performed at all levels of the entity, may be preventive or detective and manual
or automated, and include approvals, authorizations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation of duties.
The three principles relating to control activities as per the 2013 framework are:
- The organization selects and develops control activities that contribute to the mitigation
of risks to the achievement of objectives to acceptable levels.
- The organization selects and develops general control activities over technology to support
the achievement of objectives.
- The organization deploys control activities through policies that establish what is expected
and through procedures that put the policies into action.
Information and communication
Information is necessary for the entity to carry out its internal control responsibilities.
Management obtains or generates relevant, quality information from internal and external
sources to support the other components, for example to produce reports and to give management
feedback on progress toward the organization's objectives.
Communication is the continual process of providing, sharing and obtaining that information.
Internal communication flows down, across and up the organization so that personnel understand
their internal control responsibilities and their importance to the achievement of objectives;
external communication exchanges information with outside parties in both directions.
The three principles relating to information and communication as per the 2013 framework
are:
- The organization obtains or generates and uses relevant, quality information to support the
functioning of internal control.
- The organization internally communicates information, including objectives and
responsibilities for internal control, necessary to support the functioning of internal
control.
- The organization communicates with external parties about matters affecting the functioning
of internal control.
Monitoring Activities
Monitoring is the process that assesses the quality of the internal control system's
performance over time. It uses ongoing evaluations built into business processes, separate
evaluations, or a combination of the two, to ascertain whether each of the five components of
internal control is present and functioning. Its purpose is to identify weaknesses or failures
in internal control, to have them corrected, and to give management and the board feedback on
the effectiveness of internal control.
The two principles relating to monitoring activities as per the 2013 framework are:
- The organization selects, develops, and performs ongoing and/or separate evaluations to
ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner
to those parties responsible for taking corrective action, including senior management and
the board of directors, as appropriate.
1d) What are the limitations of Internal Control as acknowledged by the 2013 Framework?
Internal control is a vital part of any organization and is relied upon as a means of achieving
its objectives. The 2013 Framework is explicit, however, that internal control provides only
reasonable assurance, not absolute assurance, because of limitations that are inherent in any
system of internal control.
Below are the limitations of internal control as acknowledged by the 2013 Framework.
Management override: Managers may in some situations set aside established internal control
measures to achieve their own ends, for example by misappropriating assets for personal gain
or deliberately ignoring known control weaknesses. Because management designs and operates the
controls, this limitation cannot be removed by adding more controls of the same kind.
Cost: Implementing an internal control system is expensive, especially for small businesses.
Hiring external consultants, purchasing software and hardware and redesigning existing
processes all carry costs, and an organization that cannot meet them will run with weaker
controls than it would otherwise choose.
Limited scope: Internal control provides reasonable assurance that the organization's
objectives are achieved; it does not guarantee that they will be fully met. For instance, an
internal control system will not detect all fraudulent activity, and it cannot prevent financial
losses caused by economic factors beyond the organization's control.
Collusion: Two or more people may conspire to achieve a fraudulent or illegal objective. For
instance, a sales agent may team up with a customer to fabricate sales transactions. Controls
that rely on segregation of duties assume the people involved act independently, so collusion
can bypass them and lead to financial misstatement.
Human error and judgment: The people who design and operate internal control are prone to
error, and human judgment in decision making can be faulty or subject to bias. For example, an
accountant may post a transaction to the wrong account or enter wrong figures in the financial
statements, leading to a misstated view of the company's financial position.
External factors: Internal control systems operate within the boundaries of the organization,
but events outside it, such as changes in economic conditions, laws and regulations, can
prevent the organization from reaching its objectives and reduce the effectiveness of existing
controls. A change in the laws an organization must comply with, for example, can leave a
previously adequate compliance control out of date.
Size of the organization: Small businesses may not have the resources to implement and
maintain a robust internal control system. A sole proprietorship, for instance, may lack the
staff, technology or money to segregate duties or automate checks, so the owner relies on manual
processes that are prone to error.
Unforeseeable circumstances: Some events cannot be predicted and therefore cannot be fully
addressed by the controls an organization has set up. Natural disasters such as earthquakes can
disrupt operations even where well-designed controls are in place.
Inherent limitations: The 2013 Framework groups the points above under the heading of inherent
limitations, which it lists as: the suitability of the objectives established as a precondition
to internal control; the reality that human judgment can be faulty and subject to bias;
breakdowns caused by simple error or mistake; the ability of management to override internal
control; the ability of management, other personnel or third parties to circumvent controls
through collusion; and external events beyond the organization's control. These arise in every
system, however well its controls are designed.
In conclusion, internal control systems have limitations that organizations should be aware of
if the systems are to be effective in achieving their objectives. Organizations should
periodically assess their internal control systems to identify weaknesses and limitations and
make the necessary improvements.
1e) The 2013 Framework further points out the importance of effective documentation of
the organization's system of internal control. State the reasons why?
Effective documentation, in the sense of the 2013 Framework, is documentation that gives a
clear and current picture of the organization's system of internal control: which controls
exist, who performs them, and how they operate. The level of documentation needed varies with
the size and complexity of the entity and with any external requirement to demonstrate that
controls are effective. Below are the reasons why the 2013 Framework stresses effective
documentation of the organization's system of internal control.
Providing evidence of compliance: Documentation provides evidence that controls are present and
functioning and that the organization is complying with laws, regulations and industry
standards, by recording the controls that have been implemented and the processes used to
manage risks and achieve objectives. This evidence supports management's assertions to
external parties and is useful in audits or legal challenges.
Improving communication: Documentation gives employees a shared, written understanding of the
internal control system, which supports clearer communication among team members and reduces
errors caused by different people interpreting a control differently.
Facilitating training: Documentation serves as a training tool for new employees learning the
organization's internal control system and supports ongoing training of existing employees.
Supporting continuous improvement: Documented controls can be reviewed against what actually
happens, which lets the organization identify gaps and weaknesses in its internal control system
and the areas that need enhancement. Regular review of the documentation helps refine and
strengthen the system.
Enhancing accountability: With proper documentation, the individuals responsible for specific
control activities can be identified and held accountable should errors or fraud occur, which
establishes clear ownership of internal control in the organization.
Facilitating oversight: Documentation helps the board of directors, audit committee and
external auditors oversee internal control activities, since it gives them a clear view of the
processes, procedures and controls in place to mitigate risks. This oversight helps identify
weaknesses in the internal control system and to prevent fraud and error.
Increasing efficiency: Documenting internal control processes helps streamline operations,
remove redundant steps and improve efficiency, which saves cost and makes better use of
resources.
Enabling risk management: Documentation helps the organization understand the effectiveness of
its internal controls and the level of risk associated with its operations, so it can develop
risk mitigation strategies and prioritise control activities by their impact on the
organization.
Ensuring consistency: Documentation ensures that internal control activities are performed
consistently across all levels of the organization and do not depend on the memory of
individual staff. This consistency is important for maintaining the integrity of the internal
control system and achieving the organization's objectives.
Providing historical records: Documentation provides a historical record of internal control
activities, which is useful for tracking changes in the system over time, retaining
organizational knowledge when staff leave, and identifying trends that may require attention.
In summary, effective documentation of an organization's system of internal control is
essential for promoting compliance, communication, training, continuous improvement,
accountability, oversight, efficiency, risk management, consistency and historical
record-keeping.
QUESTION TWO
(a) Define the term Enterprise risk management as per COSO.
(b) What are the seven fundamental concepts reflected in the definition provided in (a)
above?
(c) The enterprise risk management framework is geared to achieving an entity's objectives, set
forth in four categories. State and briefly explain them.
(d) Enterprise risk management consists of eight interrelated components. State and briefly
explain them.
2a) Define the term Enterprise risk management as per COSO.
Enterprise risk management is a process, effected by an entity’s board of directors, management
and other personnel, applied in strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be within its risk appetite, to
provide reasonable assurance regarding the achievement of entity objectives.
2b) What are the seven fundamental concepts reflected in the definition provided in (a)
above?
Below are the seven fundamental concepts reflected in the definition in (a) above. Enterprise
risk management is:
A process: It is ongoing and flows through the entity. It is a series of interconnected
activities performed continuously over time, not a one-off exercise.
Effected by people at every level of an organization: The board of directors, management and
other personnel all take part. It is these people, through what they do and say, that make
enterprise risk management happen.
Applied in strategy setting: Risk management considerations are integrated into the
development and implementation of the organization's overall strategic plan, so that strategy
is chosen with its risks in view.
Applied across the enterprise: Enterprise risk management is applied at every level and unit
of the organization, from strategic planning to daily operations, and takes an entity-level
portfolio view of risk rather than treating each unit's risks in isolation.
Designed to identify potential events that, if they occur, will affect the entity, and to
manage risk within its risk appetite: By identifying potential events in advance, the
organization can develop responses that keep the associated risks within the amount of risk it
is willing to accept in pursuit of value.
Able to provide reasonable assurance to an entity's management and board of directors: It
gives the organization confidence that it is likely to achieve its objectives, while
recognising that absolute assurance is not possible.
Geared to achievement of objectives in one or more separate but overlapping categories: It
helps the organization achieve objectives across several areas (strategic, operations,
reporting and compliance) that are distinct but interconnected.
2c) The enterprise risk management framework is geared to achieving an entity's
objectives, set forth in four categories. State and briefly explain them
Strategic: These are the organization's high-level goals, aligned with and supporting its
mission and vision. They guide the organization's overall direction and decision-making over
the long term.
Operations: These relate to the effective and efficient use of the organization's resources.
Efficient use of resources means minimising waste and maximising output; effective use means
deploying resources in a way that contributes to the achievement of the organization's
objectives.
Reporting: These relate to the reliability of the organization's financial and non-financial
reporting, that is, the accuracy, completeness and trustworthiness of its reports.
Compliance: These relate to adherence to the laws and regulations applicable to the
organization. Compliance objectives keep the organization within legal and ethical boundaries
and ensure it meets its obligations to stakeholders, mitigating the risks that arise from
non-compliance.
2d) Enterprise risk management consists of eight interrelated components. State and
briefly explain them?
Enterprise risk management is a structured, continuous process that organizations use to
identify, assess and manage potential events that may affect their operations, objectives and
reputation. Its eight interrelated components, which derive from the way management runs the
enterprise, are:
Internal environment: The organization's culture, values, ethics and tone at the top, including
its risk management philosophy and risk appetite. It sets the foundation for how risk is viewed
and addressed by everyone in the organization.
Objective setting: Objectives must exist before management can identify events that could
affect their achievement. Enterprise risk management ensures that management has a process to
set objectives and that the chosen objectives support the organization's mission and are
consistent with its risk appetite.
Event identification: Internal and external events that could affect the achievement of
objectives are identified, distinguishing between risks and opportunities. Identifying events
in advance lets the organization manage risk proactively rather than reactively.
Risk assessment: The identified risks are analysed, considering their likelihood and impact, as
a basis for deciding how they should be managed. This allows the organization to prioritise
risks and allocate resources accordingly.
Risk response: Management selects a response to each risk, choosing to avoid, reduce, share (for
example, transfer through insurance) or accept it, and develops actions that align the risk with
the organization's risk tolerances and risk appetite.
Control activities: Policies and procedures are established and implemented to ensure that the
chosen risk responses are effectively carried out.
Information and communication: Relevant information about risks and their management is
identified, captured and communicated in a form and timeframe that enable people to carry out
their responsibilities, so that everyone understands the risks and their own role in managing
them.
Monitoring: The whole of enterprise risk management is monitored, through ongoing management
activities, separate evaluations or both, and modified as necessary so that the organization
keeps improving its risk management practices.