CHAPTER THREE

The Risk Assessment Component

AMONG THE FIVE components in the COSO Framework, the one most often discussed first is the control environment (CE) component. This is because, from a controls performance perspective, if this component is ineffective, most of the other components could be negatively affected. For example, if the entity operates in an environment devoid of ethical values and honesty, and management has a tendency to override controls, it is unlikely that specific controls over transactions can be considered effective. An ineffective control environment effectively trumps the lower-level controls. However, we explore the CE component in the next chapter.

A reason to discuss the risk assessment (RA) component first is that the task of scoping the assessment project and the RA component have so much in common. Indeed, from a planning and project perspective, the other components, including the CE, are driven by the identification and assessment of risks. From a project-process perspective, rather than a hierarchical-controls perspective, the RA tasks need to precede much of the other controls assessment and testing, since the object is to do three things:

  1. Identify risks to achieving organizational (and financial reporting) objectives.
  2. Assess the design of controls that mitigate these risks.
  3. Assess whether the controls are effective.

While these three objectives are all important to the entity, the second and third points rely on the effective identification and assessment ...
