COSO ERM: Enterprise Risk Management (transcript)
CHAPTER 6 RISK MANAGEMENT: COSO ERM
Risk Management Fundamentals
(a) Risk Identification
(b) Key Risk Assessments
(c) Quantitative Risk Analysis
SOX - AUDITING STANDARD 5
• Under Section 404, an enterprise is made responsible for reviewing, documenting, and testing its own internal accounting controls, with those review results passed on to the enterprise’s external auditors, who are then charged with reviewing and attesting to that work as part of their audit of the reported financial statements.
Elements
1. A formal management statement acknowledging the enterprise’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting
2. An assessment, as of the end of the most recent fiscal year, of the effectiveness of the enterprise’s internal control structure and procedures for financial reporting
COMMITTEE OF SPONSORING ORGANIZATIONS ENTERPRISE RISK MANAGEMENT—INTEGRATED FRAMEWORK (COSO ERM)
• This is an approach that allows an enterprise and internal audit to consider and assess risks at all levels, whether in an individual area, such as an information technology (IT) development project, or in global risks such as an international expansion.
RISK MANAGEMENT FUNDAMENTALS
STEPS:
1. Risk Identification
2. Quantitative or Qualitative Assessment of Documented Risk
3. Risk Prioritization and Response Planning
4. Risk Monitoring
A.) RISK IDENTIFICATION
• Management should identify all possible risks that may affect the success of the enterprise, ranging from the larger or more significant overall business risks down to the less important risks associated with individual projects or smaller business units, within a reasonable time period.
• A better approach is to identify people at all levels of the enterprise to serve as key assessors. Within each significant operating unit, key people should be identified from operations, finance/accounting, IT, and unit management. Their goal would be to identify and then help assess risks in their units, built around a risk identification model framework. This effort is led by the CEO and an enterprise risk management group.
QUESTION TO ASK:
• Is the risk common across the overall enterprise or unique to one business group?
• Will the enterprise face this risk because of internal or external events?
• Are the risks related, such that one risk may cause another to occur?
B.) KEY RISK ASSESSMENTS
• Assess each identified risk’s likelihood and relative significance.
• Questionnaire approach: What is the likelihood of this risk occurring over the next one-year period?
Using a score of 1 to 9, assign a best-estimate score as follows: score 1 if you see almost no chance of that risk happening during the period; score 9 if you feel the event will almost certainly happen during the period; score 2 through 8 depending on how you feel the likelihood falls between these two extremes.
What is the significance of the risk in terms of cost to the overall enterprise? Again using a 1 to 9 scale, scoring ranges should be set depending on the financial significance of the risk.
RISK ASSESSMENT ANALYSIS MAP
LIKELIHOOD
1. Probability and uncertainty
Management estimates the likelihood of each individual risk occurring as a probability ranging from 0.01 to 0.99.
PR(Event1) x PR(Event2) = PR(both Events)
2. Risk interdependence
must always be considered and evaluated throughout the organization
3. Risk ranking
QUANTITATIVE RISK ANALYSIS
1. Expected Values and Response Planning
Estimate the cost impact of incurring some identified risk and then apply a risk factor probability to it to derive the expected value or cost of the risk.
Questions to be considered by the front-line people:
1. What is the best-case cost estimate of incurring the risk?
2. What would a sample of knowledgeable people estimate for the cost?
3. What is the expected value or cost of incurring the risk?
4. What is the worst-case cost of incurring the risk?
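As an added worked example (not part of the original slides), the 1-to-9 questionnaire scoring, the likelihood/significance map, the PR(Event1) x PR(Event2) rule and the expected-value calculation from the two sections above, put into Python. The linear mapping from score to the 0.01-0.99 range, the map threshold of 5, the ranking rule and the sample risk register are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    likelihood: int     # questionnaire score, 1 (almost no chance) .. 9 (almost certain)
    significance: int   # questionnaire score, 1 (negligible cost) .. 9 (severe cost)
    cost_impact: float  # estimated cost of incurring the risk (constructed units)


def score_to_probability(score: int) -> float:
    """Map a 1-9 likelihood score onto the 0.01-0.99 probability range.

    The linear mapping is an assumption; the slides only give the range.
    """
    if not 1 <= score <= 9:
        raise ValueError("score must be between 1 and 9")
    return round(0.01 + (score - 1) * (0.98 / 8), 4)


def expected_value(risk: Risk) -> float:
    """Expected cost of a risk: probability of occurrence times cost impact."""
    return round(score_to_probability(risk.likelihood) * risk.cost_impact, 2)


def joint_probability(*risks: Risk) -> float:
    """PR(Event1) x PR(Event2) = PR(both events).

    Valid only when the events are independent; interdependent risks need a
    conditional estimate instead (the slides flag interdependence separately).
    """
    p = 1.0
    for r in risks:
        p *= score_to_probability(r.likelihood)
    return round(p, 4)


def map_quadrant(risk: Risk, threshold: int = 5) -> str:
    """Place a risk on the likelihood/significance map (threshold is assumed)."""
    lik = "high" if risk.likelihood >= threshold else "low"
    sig = "high" if risk.significance >= threshold else "low"
    return f"{lik}-likelihood/{sig}-significance"


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Rank by likelihood x significance score, ties broken on expected value (assumed rule)."""
    return sorted(risks, key=lambda r: (r.likelihood * r.significance, expected_value(r)), reverse=True)


# Constructed sample register for one business unit.
SAMPLE_RISKS = [
    Risk("Key supplier fails", likelihood=7, significance=8, cost_impact=500_000),
    Risk("Data centre outage", likelihood=3, significance=9, cost_impact=2_000_000),
    Risk("Minor reporting delay", likelihood=8, significance=2, cost_impact=10_000),
    Risk("Regulatory change", likelihood=5, significance=5, cost_impact=100_000),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.name:<22} p={score_to_probability(r.likelihood):.3f} "
              f"EV={expected_value(r):>10,.0f} {map_quadrant(r)}")
    print("P(supplier and outage) =", joint_probability(SAMPLE_RISKS[0], SAMPLE_RISKS[1]))
```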
2. Risk Monitoring
COSO ERM: Enterprise Risk Management
• COSO Enterprise Risk Management is a framework to help enterprises to have a consistent definition of their risks.
• Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
• ERM is a process.
• The ERM process is implemented by people in the enterprise.
• ERM is applied through the setting of strategies across the overall enterprise.
• The concept of risk appetite must be considered.
• ERM provides reasonable but not positive assurance on objective achievements.
• ERM is designed to help achieve objectives.
COSO ERM Framework
COSO ERM Framework is a three-dimensional cube with the components of:
- Four vertical columns representing the strategic objectives of enterprise risk.
- Eight horizontal rows or risk components.
- Multiple levels to describe any enterprise.
Internal Environment Component
• Defines the basis for all other components in an enterprise’s ERM model, influencing how strategies and objectives should be established, how risk-related business activities are structured, and how risks are identified and acted on.
Elements of Internal Environment Component
• Risk management philosophy
• Risk appetite
• Board of Directors attitudes
• Integrity and ethical values
• Commitment to competence
• Organizational structure
• Assignments of authority and responsibility
• Human resource standards
Objective Setting
• An enterprise must establish a series of strategic objectives, aligned with its mission and covering operations, reporting, and compliance activities.
Risk Appetite Map
COSO ERM Objective-setting components
CONTROL ACTIVITIES, INFORMATION AND COMMUNICATION, MONITORING
Control Activities
These are the policies and procedures necessary to ensure action on identified risk responses.
Having selected appropriate risk responses, an enterprise should select control activities necessary to ensure that the risk responses are executed in a timely and efficient manner.
Many control activities under COSO internal controls are fairly easy to identify and test due to their accounting nature. These control activities generally include these internal control areas:
Separation of duties. Essentially, the person who initiates a transaction should not be the same person who authorizes that transaction.
Audit trails. Processes should be organized such that final results can be easily traced back to the transactions that created those results.
Security and integrity. Control processes should have appropriate control procedures such that only authorized persons can review or modify them.
Documentation. Processes should be appropriately documented.
An enterprise often faces a more difficult task in identifying control activities to support its ERM framework. Although there is no accepted or standard set of ERM control activities at this time, the COSO ERM documentation suggests several areas:
Top-level reviews. Senior managers should be very aware of the identified risk events within their organizational units and perform regular top-level reviews on the status of identified risks.
Direct functional or activity management. This is particularly important where control activities take place within separate operating units, with the need for communications and risk resolution across enterprise channels.
Information processing. Appropriate control procedures should be established with an emphasis on enterprise IT processes and risks.
Performance indicators. The typical enterprise today employs a wide range of financial and operational reporting tools that also can support risk-event-related performance reporting. Where necessary, performance tools should be modified to support this important ERM control activity component.
Segregation of duties. The person who initiates certain actions should not be the same person who approves them.
Information & Communication
Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting.
Effective communication also must occur in a broader sense, flowing down, across and up the organization.
There is a need for a common risk language throughout the enterprise regarding their risk management roles and responsibilities. COSO ERM will be of little value to an enterprise unless its importance is communicated to all stakeholders in a common and consistent manner.
Monitoring
ERM monitoring is necessary to determine that all installed ERM components work effectively. People in the enterprise change, as do supporting processes and both internal and external conditions, but the monitoring component helps ensure that ERM is working effectively on a continuous basis.
The COSO ERM Application Framework document suggests that monitoring could include these types of activities:
Implementation of ongoing management reporting mechanisms such as for cash positions, unit sales, and key financial data. An enterprise should not have to wait until fiscal month-end for these types of status reports, and quick-response flash reports should be initiated.
Periodic risk-related alert reporting processes should monitor key aspects of established risk criteria, including acceptable error rates or items held in suspense. Such reporting should emphasize statistical trends and comparisons both with prior periods and with other industry sectors.
Current and periodic status reporting of risk-related findings and recommendations from internal and external audit reports, including the status of ERM-related SOx identified gaps.
Updated risk-related information from sources such as government-revised rules, industry trends, and general economic news. Again, this type of economic and operational reporting should be available for managers at all levels.
Separate or individual evaluation monitoring refers to detailed reviews of individual risk processes by a qualified reviewer, such as internal audit.
Entity-Level Risks
• The third dimension of the COSO ERM framework.
• Risks should be identified and managed within each significant organizational unit.
• Risks should be considered on a unit-by-unit basis, down to as low a level as necessary.
• An enterprise with four major operating divisions and with multiple business units under each would have an ERM framework that reflects all of these units.
a) Risk Encompassing the Entire Organization
• Individual unit risks should be reviewed and consolidated first to identify any key risks that may impact the overall organization.
• An enterprise has to think of all risks as potentially significant.
b) Business Unit-Level Risks
• Risk issues here can cause embarrassment to the overall enterprise
• Risk must be considered in each significant organizational unit
Push-down process – where corporate-level management formally outlines major risk-related concerns and asks responsible management at each major division.
• COSO ERM is designed to:
- identify potential events that may affect the entity
- manage risks to be within its risk appetite
- provide reasonable assurance regarding the achievement of entity objectives
- provide clear direction on how to manage risks
Auditing Risk and COSO ERM Processes
• Internal auditors will encounter risk and risk management issues in many areas of the audit universe where they are performing reviews.
• That is why auditors should have a CBOK level of knowledge of basic risk management.
• Internal audit reviewers of controls need to develop a strong understanding of COSO ERM controls and processes.
Tools to review enterprise-wide ERM processes
• Process flowcharting
- can be useful in describing how risk management operates in an enterprise.
• Reviews of risk and control materials
- the ERM process often results in a large volume of guidance materials, documented procedures, report formats, and the like.
• Benchmarking
- the process of looking at functions in another environment to assess their operations and to develop improved approaches based on the best practices of others.
• Questionnaires
- can be sent out to designated stakeholders with requests for specific information.
Audit Procedure
1. Meet with appropriate managers to gain an understanding of the enterprise’s ERM implementation strategy, its planned scope, and current implementation status
2. Develop a strategy for reviewing ERM processes
3. Develop internal audit plans for the components selected for reviews and publish engagement letters announcing the planned audits
4. Review enterprise-wide ERM guidance materials in place.
5. Risk Management philosophy and appetite.
5.1 Meet with appropriate members of management
5.2 Through surveys or interviews
6. Risk management integrity and ethical values.
6.1 Review published codes of conduct and other materials to determine if risk-related ethical values are being communicated
6.2 Review a sample of enterprise communications and assess whether attention is given to ERM philosophies
7. Risk management organization structure.
7.1 Meet with human resource management.
7.2 Review code of conduct records
7.3 Based on a review of organization charts and other documentation.
8. Select one subsidiary or enterprise unit
8.1 Assess compliance with ERM internal objectives for the selected business units.
8.2 Assess compliance with ERM objectives setting processes for the selected business units
8.3 Assess compliance with ERM event notification processes for the selected business unit.
8.4 Assess compliance with ERM risk assessment for the selected business unit.
8.5 Assess compliance with ERM risk response processes for the selected business units.
8.6 Assess compliance with ERM control activity processes for the selected business unit.
8.7 Assess compliance with ERM information and communication processes for the selected business unit.
8.8 Assess compliance with ERM risk monitoring processes for the selected business unit.
Risk Management and COSO ERM in Perspective
• Risk management
- the identification, assessment, and prioritization of risks. It is an insurance-related concept where an individual or enterprise uses insurance mechanisms to provide protection from those risks.
• COSO ERM
- is a framework to help enterprises to have a consistent definition of their risks.
- the three-dimensional ERM framework helps to place risk and internal control issues in a better perspective in evaluating SOx compliance.
EVENT IDENTIFICATION
External or internal incidents or occurrences in an enterprise that affect the implementation of an ERM strategy and the achievement of its objectives.
Events
External economic events
Natural environmental events
Political events
Social factors
Internal infrastructure events
Internal process-related events
External and internal technological events
Monitoring processes include:
Event inventories
Facilitated workshops
Interviews, questionnaires, and surveys
Process flow analysis
Leading events and escalation triggers
Loss event data tracking
RISK ASSESSMENT
Risk identification approaches: the framework’s core
2 perspectives:
Likelihood - the probability or possibility that a risk will occur
Impact - how a risk event affects enterprise objectives
RISK RESPONSE
4 basic ways of handling risk responses:
Avoidance
Reduction
Sharing
Acceptance
Monitoring
Monitoring has been the role of internal auditors, who perform reviews to assess compliance with established procedures; however, COSO now takes a broader view of monitoring.
ONGOING MONITORING ACTIVITIES
1. Operating management normal functions
2. Communications from external parties
3. Enterprise structure and supervisory activities
4. Physical inventories and asset reconciliation
SEPARATE INTERNAL CONTROL EVALUATION
COSO suggests that “ it may be useful to take a fresh look from time to time” at the effectiveness of internal controls through separate evaluations.
COSO emphasizes that these evaluations may be performed by direct line management through self-assessment reviews.
INTERNAL CONTROL EVALUATION PROCESS
1. Develop an understanding of the system design
2. Test key controls
3. Develop conclusions based on the test results
REPORTING INTERNAL CONTROL DEFICIENCIES
Determine what should be reported, given the large number of details that may be encountered, and to whom the reports should be directed.
A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.
A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
COSO internal control states that “internal control deficiencies that can affect the entity’s attaining its objectives should be reported to those who can take necessary action.”
COSO internal control suggests that all of these should be identified and reported and that even the most minor of errors should be investigated to understand if they were caused by any overall control deficiencies.
Findings on internal control deficiencies usually should be reported not only to the individual responsible for the function or activity involved, who is in the position to take corrective action, but also to at least one level of management above the directly involved person.
Other Dimensions of COSO ERM: Enterprise Risk Objectives
Three-Dimensional Space of Enterprise Risk Objectives
Operations Risk Management Objectives
Reporting Risk Management Objectives
Legal and Regulatory Compliance Risk Management Objectives
Operations Risk Management Objectives
Calls for the identification of risks for each enterprise unit.
Internal audit reviews or surveys of persons directly impacted by these risks can help to gather more detailed background information on potential operations risks.
Internal auditors should act as eyes and ears and report all observed operations risks.
ORM Terms
Hazard - A condition with the potential to cause personal injury or death, property damage, or mission degradation.
Risk - An expression of possible loss in terms of severity and probability.
Probability - The likelihood that a hazard will result in a mishap or loss.
ORM Process
1. Identify Hazards
2. Assess Hazards
3. Make Risk Decisions
4. Implement Controls
5. Supervise
Reporting Risk Management Objectives
This risk objective covers the reliability of an enterprise’s reports of internal and external financial and nonfinancial data.
Inaccurate reporting can cause problems in the future.
ERM is concerned about the risk of authorizing and releasing inaccurate reports.
Legal and Regulatory Compliance Risk Management Objectives
Any type of enterprise must comply with a wide range of laws and with government-imposed or industry-standard regulations.
The nature of compliance risks needs to be communicated and understood through all levels of an enterprise.