Ask for several references and articles about internal control risk analysis.
This paper analyzes the present situation of enterprise risk assessment at home and abroad. According to the characteristics and development trend of enterprises, it points out the practical significance of internal control risk assessment and examines how to establish an internal control risk assessment system for Chinese enterprises from the aspects of comprehensive risk management objectives, collection of initial risk management information, risk identification, risk analysis, risk assessment and risk management strategies.

Keywords: internal control; risk assessment; management strategy

In order to strengthen and standardize enterprise internal control and to improve enterprise management level and risk prevention ability, the Ministry of Finance, together with the CSRC, the Audit Commission, the China Banking Regulatory Commission and the China Insurance Regulatory Commission, formulated the Basic Standards for Enterprise Internal Control in accordance with relevant national laws and regulations. This standard has been implemented in listed companies since July 1, 2009, and large and medium-sized unlisted enterprises are encouraged to implement it. The Basic Standards state that the basic elements of internal control in China are internal environment, risk assessment, control activities, information and communication, and internal supervision, and a separate chapter of the Basic Standards stipulates the relevant contents of risk assessment. This shows that the state and enterprises have realized the important role of risk assessment in enterprise internal control. So from what aspects should enterprises strengthen the identification of enterprise risks, establish a risk assessment system and further improve internal control?

I. Overview of the research on enterprise risk assessment systems at home and abroad

The research on internal control abroad has a long history.
In 1988, the American Institute of Certified Public Accountants issued Announcement No. 55 on auditing standards and put forward three elements of the internal control structure: control environment, accounting system and control procedures. In the 1990s, COSO put forward the report Internal Control - Overall Framework, which divided internal control into five parts: control environment, risk assessment, control activities, information and communication, and supervision. This was a leap from three elements to five, and since then risk assessment has been part of the internal control system. The latest research results on internal control show that internal control and risk management tend to be consistent, and some of their contents overlap greatly. COSO also began its risk management research in 2001. From the initial incorporation of risk assessment as an element of the overall internal control framework to the present risk management research, we can see the convergence of internal control and risk management and the increasingly important role and position of risk as an element of internal control.

In recent years, the theoretical and practical circles in China have paid more and more attention to the research and application of internal control, and scholars have done a lot of work in introducing and studying theoretical concepts. The first Basic Standard for Internal Control of Enterprises, jointly issued by the Ministry of Finance, China Securities Regulatory Commission and other five ministries and commissions, is a good proof of this.

II. The practical significance of internal control risk assessment

Historian Toynbee once said: "The decline of a country and even a nation begins from the inside, and external force is only the last blow before its death." The same is true for the survival of enterprises.
Since the decline of enterprises also starts from the inside, it is necessary to start from the inside in order to seek the way of survival and development of enterprises. Based on this, internal control has attracted the attention of theoretical and practical circles all over the world. At the same time, the market economy is a kind of risk economy from the microscopic point of view. As the basic unit of the market, enterprises are always exposed to risks. The more open and developed the market economy, the greater the risks and uncertainties involved. With the maturity of market economy and the improvement of market openness, risk has become the focus of enterprise attention and management. As the core of enterprise internal management, internal control must be constantly enriched and developed to keep up with the pace of market development. It is on this basis that the concept of risk has gradually entered the category of internal control. Reducing or avoiding risks is the goal of internal control activities, and various risk factors are the objects of internal control. Therefore, if an enterprise wants to implement effective internal control, it must identify and measure the risks it faces and its risk factors, which is the basis and prerequisite for taking effective control activities. Identifying and measuring risks here is risk assessment. At present, the overall framework of COSO and China's "Basic Standards for Enterprise Internal Control" both incorporate risk assessment as a basic element into the internal control framework, which is the inevitable result of the theory adapting to objective and practical development. 
It is of great practical significance to study internal control and risk assessment: the lack and imperfection of internal control is one of the fundamental reasons for the proliferation of accounting fraud; the extreme lack of internal control systems and the neglect of risks are the fundamental reasons for the short life cycle of enterprises in China; the success of state-owned enterprise reform is inseparable from a sound internal control system and from risk management and control; and risk assessment is the basis on which an internal control system designs control activities and plays its due role.

Risk assessment is a basic part of the internal control system. For the control system to play its due role, an enterprise must be clear about the risks it faces, evaluate the risks of the whole enterprise qualitatively or quantitatively, and then take corresponding control activities according to the results of the risk assessment. In fact, internal control is itself a risk management and control activity. If there were no risk, there would be no need to spend a lot of manpower, financial resources and material resources on internal control. Because the existence of risk is the reason for control, risk assessment has become the basis and key of the whole internal control system.

Whether viewed from the international environment or from the specific situation of our country, the research and application of internal control is very important. However, risk assessment, as a basic condition for the effective implementation of internal control, has not been fully developed. People who study accounting and auditing have long been familiar with system-based auditing, but risk-based control is still a new concept, and a relatively complete system has not yet been established. Therefore, it is undoubtedly of great practical significance to study internal control and risk assessment.

III. Construction of a risk assessment system

In view of the application of risk assessment in China's internal control, the author believes that a risk assessment system can be established through the following steps.

(I) Determining the objectives of comprehensive risk management

Risk refers to all uncertainties that an enterprise will face in its future operations and that may affect the realization of its business objectives. Risk assessment refers to the timely identification and systematic analysis of risks related to the realization of internal control objectives in business activities, and the reasonable determination of risk response strategies. Comprehensive risk management refers to the process and method by which an enterprise formulates a risk management strategy around its overall goal, implements the basic process of risk management in all aspects of enterprise management and all links of the business process, implements risk financial management measures, cultivates a good risk management culture, and establishes and improves the organizational system, information system and internal control system of risk management.

The enterprise goal is the embodiment of the enterprise's purpose and the end point of all enterprise management activities. The primary task of enterprise risk management is to determine the objective. Only when the objective has been established can management determine the risks against it and take the necessary actions to manage them. To determine the overall risk management objectives, the enterprise should communicate with employees when determining the enterprise risk management objectives; keep enterprise plans and budgets consistent with the risk management objectives, strategic plans and the current situation; make the risk objectives of business activities specific; and have the leadership participate in formulating the enterprise risk objectives and take responsibility for them.

(II) Collecting the initial information of risk management and implementing comprehensive risk management
Enterprises should extensively and continuously collect internal and external initial information related to their own risks and risk management, including historical data and future forecasts. Responsibility for collecting initial information should be assigned to all relevant functional departments and business units.

1. In terms of financial risks, the enterprise should at least collect the following information:
(1) Liabilities, contingent liabilities, debt ratio and solvency.
(2) Cash flow, accounts receivable and their proportion in main business income, and capital turnover rate.
(3) Accounts payable and their proportion in the purchase amount.
(4) Cost and management expenses, financial expenses and operating expenses.
(5) Business processes or links in cost accounting, fund settlement and cash management where errors have occurred or are likely to occur.

2. In terms of market risk, enterprises should at least collect the following information:
(1) Product prices and changes in supply and demand.
(2) Adequacy, stability and price change of product supply.
(3) Credit status of major customers and suppliers.
(4) Potential competitors, competitors and their main products.

3. In terms of operational risks, enterprises should at least collect the following information:
(1) New market development and marketing strategies.
(2) Organizational efficiency, management status, corporate culture, and the knowledge structure and professional experience of middle and senior managers and of professionals in important business processes.
(3) Business processes or links in quality, safety, environmental protection and information security management where errors have occurred or are likely to occur.
(4) Losses suffered by the enterprise, or failures of the business control system, caused by the moral hazard of internal and external personnel.
(5) The present situation and ability of enterprise risk management.
Enterprises should screen, refine, compare, classify and combine the collected initial information for use in risk assessment.

(III) Risk identification

The identification of enterprise risks should be carried out in a systematic way to ensure that all major activities and risks of the company are included and effectively classified. Depending on the actual situation and technical level of the enterprise, qualitative identification is the main method of risk identification, suitably combined with quantitative identification. As the business develops and the management level improves, quantitative identification methods are gradually introduced and added. Enterprises should choose appropriate risk identification methods to ensure that risk identification is standardized and scientific. The specific measures are:

1. Establish a scientific system of risk identification methods to guide the enterprise and its functional departments in watching for the risks present in enterprise activities at all times.
2. Standardize and institutionalize risk identification methods to ensure that the enterprise and its functional departments use a unified system of identification methods to describe risk identification results.
3. Use historical events such as payment defaults and product price changes, and watch future events such as population changes, new market conditions and competitors' behavior, to analyze and track risks.
4. Establish a database of loss events; identify risks by means of event lists, event classification, internal analysis, facilitated discussions and talks, and process analysis; and determine the development trend and root causes of risk factors.

(IV) Risk analysis

There are many methods to analyze and evaluate the risks of enterprises.
Using quantitative analysis methods, especially mathematical models, for risk analysis puts risk management on a scientific basis and provides a reliable basis for the final decision. Risk analysis and measurement require comprehensive data on the number of times an enterprise has suffered various risks and losses in past years. The longer the statistical period, the higher the accuracy of the risk assessment. Risk assessment should take into account not only the historical frequency of various risks but also whether the objective environment of the risks has changed. If it has changed, the trend analysis of the historical data must be corrected accordingly. In practice, it is difficult to quantify the likelihood of many risks, and at most they can only be characterized as "big", "medium" or "small" risks.

Enterprises can take the following measures when analyzing the possibility (or frequency, probability) and conditions of risk occurrence:

1. Enterprises analyze and evaluate the probability of risk occurrence according to the results of risk identification, and either express the potential likelihood in terms such as expected estimates or scenario evaluations, or use data or charts to describe and evaluate the probability of risk occurrence.
2. The enterprise establishes a risk analysis model, analyzes the conditional factors of risk occurrence and determines the specific conditions under which risks occur, using quantitative techniques such as key risk indicator management, stress testing and scenario analysis, and qualitative evaluation techniques such as talks and working group meetings.
3. Enterprises combine self-inspection with external inspection, and pre-inspection with post-inspection.
4. Enterprises introduce technical means, starting from daily business data and financial data, and issue early warnings according to the established model.
(V) Risk assessment

Enterprise risk assessment is the process of evaluating the possible impact of risks on the enterprise and determining the importance of risks on the basis of risk identification and risk analysis. It includes two aspects: analyzing the possible impact of risks and determining the importance of risks. Enterprise risk assessment is usually carried out at the same time as risk analysis, so its methods are the same as those of risk analysis. The control measures for enterprise risk assessment are:

1. Enterprises should determine, through quantitative analysis techniques, the size of the impact caused by the various possibilities, so as to provide a scientific basis for taking corresponding risk countermeasures.
2. The enterprise shall rank the risks according to their possible impact and distinguish important risks from general risks.
3. Enterprises should pay special attention to important risks and avoid the great losses that important risks may bring.

(VI) Risk management strategy

Generally speaking, for strategic, financial, operational and legal risks, methods such as taking risks, avoiding risks, transforming risks and controlling risks can be adopted.

1. The enterprise establishes procedures and methods to determine risk response measures for various risks, giving priority to risks with a high probability of occurrence and significant impact.
2. Establish a set of widely applicable risk decision criteria, that is, determine different decisions according to the severity of risks and the risk tolerance of the enterprise.
3. Enterprises should reasonably analyze the cost of reducing the risk level and assess the costs and benefits of risk response measures.
4. After the enterprise chooses its risk treatment measures, it shall revise its view of the risks according to the residual risks.
5. Enterprises should continuously obtain information on risk changes, effectively control and manage risks, and prevent the emergence of new risks.
6. Monitor important risks in real time.

IV. Conclusion

Enterprise risk assessment is a repetitive process; a single risk assessment cannot settle the matter once and for all. Enterprises should, in line with their stage of development and business expansion, continuously collect information related to risk changes, carry out risk identification and risk analysis, and adjust risk response strategies in time as the situation changes, so that the realization of internal goals is not affected because the initially selected risk response strategies have become invalid. Especially when the external environment of the enterprise changes, the enterprise must maintain due sensitivity and carry out a corresponding risk assessment for the changed external environment, so as to realize its goals in that environment. Only by establishing a relatively complete risk assessment system can Chinese enterprises truly improve their internal control and promote their further development.

References
[1] Li Yuhuan. Risk Assessment in Internal Control [J]. Friends of Accounting, 2008(10).
[2] Ma. Problems and Countermeasures of Enterprise Internal Control System [J]. Research on Finance and Accounting, 2007(4).
[3] issued the "basic norms of enterprise internal control".