Big4Guy

Once internal controls have been evaluated, management may find certain material weaknesses which make the controls ineffective. Remediating material weakness found is a major task. The first question which most management's ask is -

"How much is it going to cost us in remediating these material weaknesses / control deficiencies?"

Management need to make a decision on the costs to be incurred in reducing risk to an acceptable level. The best way of doing this is a cost benefit analysis. Eliminating risks involves a cost element, doing a cost benefit analysis helps in knowing whether the costs to eliminate risks are justifiable. Some factors to be considered while making a formal risk assessment are given below:

1. Make a list of possible alternatives (including controls) which can help in eliminating risks.
2. Identify cost behind each alternative identified above.
3. Quantify the costs and associated risks if possible.
4. Assign probabilities to alternatives identified, taking estimated loss and frequency of occurence into account.
5. Based on above calculate the benefits of reducing risks by installing controls. This can be achieved by multiplying estimated loss with probability.
6. Now, estimate the total savings in cost due to control installed / reduced risk. This estimate should be made keeping a reasonably long time frame in mind.
7. Finally, compare the benefits vs costs. If benefits are more, it is a clear cut case for installing more controls.

Related Posts..............

> SOX Nature of Tests of Controls
> Record Retention under SOX
> Direct Evidence for Evaluating Internal Controls
> Antifraud Action Plan for SOX Compliance