
Risk Assessment & Control Activities

Risk Assessment is the second of five components in the Green Book's internal control framework, and it is a critical element of an effective internal control system. Having established an effective control environment, management assesses the risks facing the entity as it seeks to achieve its objectives. This assessment provides the basis for developing appropriate risk responses. Management assesses the risks the entity faces from both external and internal sources.

The Green Book lists four principles that must be implemented and effectively working together to achieve the risk assessment internal control standard. These principles are:

  1. Management should define objectives clearly to enable the identification of risks and define risk tolerances.
  2. Management should identify, analyze, and respond to risks related to achieving the defined objectives.
  3. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
  4. Management should identify, analyze, and respond to significant changes that could impact the internal control system.

Pursuant to Minnesota Statute Section 16A.057, Subdivision 8, risk assessments must be performed on all high-profile, key business processes in order to support the agency head's annual certification of internal control structure.

Control Activities is the third of five components in the Green Book's internal control framework, and it is also a critical element of an effective internal control system. Control activities are the actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the entity's information system. An entity is in a position to thoroughly assess its control activities only after performing a risk assessment.

The Green Book lists three principles that must be implemented and effectively working together to achieve the control activities internal control standard. These principles are:

  1. Management should design control activities to achieve objectives and respond to risks.
  2. Management should design the entity's information system and related control activities to achieve objectives and respond to risks.
  3. Management should implement control activities and respond to risks.

The following links provide information and guidance to help agencies with their risk assessment efforts, control activities management, and internal control structure certification compliance responsibilities:
