2. SOX - AUDITING STANDARD 5
• Under Section 404, an enterprise is responsible for reviewing, documenting, and testing its own internal accounting controls, with those review results passed on to the enterprise’s external auditors, who are charged with reviewing and attesting to that work as part of their audit of the reported financial statements.
Elements
1. A formal management statement acknowledging the enterprise’s
responsibility for establishing and maintaining an adequate internal control
structure and procedures for financial reporting
2. An assessment, as of the end of the most recent fiscal year, of the
effectiveness of the enterprise’s internal control structure and procedures
for financial reporting
3. COMMITTEE OF SPONSORING ORGANIZATIONS ENTERPRISE RISK MANAGEMENT - INTEGRATED FRAMEWORK (COSO ERM)
• This is an approach that allows an enterprise and internal audit to consider and assess risks at all levels, whether in an individual area, such as an information technology (IT) development project, or in global risks regarding an international expansion.
4. RISK MANAGEMENT FUNDAMENTALS
STEPS:
1. Risk Identification
2. Quantitative or Qualitative Assessment of Documented Risk
3. Risk Prioritization and Response Planning
4. Risk Monitoring
5. A.) RISK IDENTIFICATION
• Management should identify all possible risks that may impact the success of the enterprise, ranging from the larger or more significant overall business risks down to the less important risks associated with individual projects or smaller business units, within a reasonable time period.
• A better approach is to identify people at all levels of the enterprise to serve as key assessors. Within each significant operating unit, key people should be identified from operations, finance/accounting, IT, and unit management. Their goal is to identify and then help assess the risks in their units, built around a risk identification model framework. This effort is led by the CEO and an enterprise risk management group.
6. QUESTIONS TO ASK:
• Is the risk common across the overall enterprise or unique to one business group?
• Will the enterprise face this risk because of internal or external events?
• Are the risks related, such that one risk may cause another to occur?
7. B.) KEY RISK ASSESSMENTS
• Assess their likelihood and relative significance.
• Questionnaire approach:
What is the likelihood of this risk occurring over the next one-year period?
Using a score of 1 to 9, assign a best-estimate score as follows:
Score 1 if you see almost no chance of that risk happening during the period.
Score 9 if you feel the event will almost certainly happen during the period.
Score 2 through 8 depending on where you feel the likelihood falls between these two extremes.
What is the significance of the risk in terms of cost to the overall enterprise?
Again using a 1 to 9 scale, with scoring ranges set according to the financial significance of the risk.
9. LIKELIHOOD
1. Probability and uncertainty
Management estimates the likelihood of each individual risk as a probability of occurrence ranging from 0.01 to 0.99.
PR(Event1) x PR(Event2) = PR(both Events) holds only when the two events are independent; if one risk makes another more likely, the joint probability is PR(Event1) x PR(Event2 | Event1).
2. Risk interdependence
Must always be considered and evaluated throughout the organization.
3. Risk ranking
10. QUANTITATIVE RISK ANALYSIS
1. Expected Values and Response Planning
Estimate the cost impact of incurring an identified risk, then apply the risk’s probability factor to derive the expected value, or expected cost, of the risk.
Questions to be considered by the front-line people:
1. What is the best-case cost estimate of incurring the risk?
2. What would a sample of knowledgeable people estimate for the cost?
3. What is the expected value or cost of incurring the risk?
4. What is the worst-case cost of incurring the risk?
2. Risk Monitoring
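The scoring and expected-value arithmetic of slides 9 and 10 is easy to get wrong in a spreadsheet (scores mistaken for probabilities, cost estimates outside their own best/worst bounds, the independence assumption applied to related risks). The following Python is an added worked example and is not code from the original slides. It assumes a linear mapping of the 1-to-9 likelihood score onto the 0.01-0.99 probability range, takes the mean of the knowledgeable-people estimates as the central cost, and uses a constructed sample register; none of those choices come from the page.

```python
"""Risk register scoring: questionnaire scores to probabilities, expected cost, ranking.

Added example for the likelihood (slide 9) and quantitative risk analysis (slide 10)
material; not code from the original page. Assumptions (not stated on the page):
  - the 1..9 likelihood score is mapped linearly onto the 0.01..0.99 probability range;
  - the "expected" cost of a risk is the mean of the sample estimates, which must lie
    within the best-case and worst-case figures;
  - the register below is constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood_score: int    # questionnaire score, 1 (almost no chance) .. 9 (almost certain)
    best_case_cost: float    # best-case cost of incurring the risk
    sample_estimates: list   # cost estimates from a sample of knowledgeable people
    worst_case_cost: float   # worst-case cost of incurring the risk


def score_to_probability(score: int) -> float:
    """Map a 1..9 likelihood score onto 0.01..0.99 (the linear mapping is an assumption)."""
    if not 1 <= score <= 9:
        raise ValueError(f"likelihood score must be 1..9, got {score}")
    return round(0.01 + (score - 1) * (0.98 / 8), 4)


def central_cost(risk: Risk) -> float:
    """Central cost estimate, with a sanity check that the sample lies within the
    best-case/worst-case bounds (an answer outside them is a data-entry error)."""
    if not risk.sample_estimates:
        raise ValueError(f"{risk.name}: no sample cost estimates")
    lo, hi = min(risk.sample_estimates), max(risk.sample_estimates)
    if lo < risk.best_case_cost or hi > risk.worst_case_cost:
        raise ValueError(f"{risk.name}: sample estimates fall outside best/worst-case bounds")
    return mean(risk.sample_estimates)


def expected_cost(risk: Risk) -> float:
    """Expected value of the risk: probability x central cost estimate."""
    return score_to_probability(risk.likelihood_score) * central_cost(risk)


def joint_probability(p_a: float, p_b: float, p_b_given_a: Optional[float] = None) -> float:
    """PR(both) = PR(A) x PR(B) only if A and B are independent. When B depends on A
    (risk interdependence), pass PR(B | A) and the product becomes PR(A) x PR(B | A)."""
    for p in (p_a, p_b, p_b_given_a):
        if p is not None and not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return p_a * (p_b if p_b_given_a is None else p_b_given_a)


def rank_risks(register: list) -> list:
    """Rank risks by expected cost, highest first: the input to response planning."""
    rows = []
    for risk in register:
        rows.append({
            "name": risk.name,
            "probability": score_to_probability(risk.likelihood_score),
            "central_cost": central_cost(risk),
            "expected_cost": expected_cost(risk),
            "worst_case_cost": risk.worst_case_cost,
        })
    rows.sort(key=lambda row: row["expected_cost"], reverse=True)
    return rows


# Constructed sample register (illustrative figures, not from the page).
REGISTER = [
    Risk("Key supplier insolvency", 3, 50_000, [200_000, 250_000, 300_000], 900_000),
    Risk("ERP migration overrun", 7, 100_000, [400_000, 500_000, 600_000], 2_000_000),
    Risk("Data centre flood", 1, 1_000_000, [3_000_000, 4_000_000], 10_000_000),
]

if __name__ == "__main__":
    for row in rank_risks(REGISTER):
        print(f"{row['name']:<26} p={row['probability']:.3f} "
              f"expected={row['expected_cost']:>12,.0f} worst={row['worst_case_cost']:>12,.0f}")
    # Supplier insolvency (p=0.255) and ERP overrun (p=0.745): independent vs. dependent.
    print("independent:", joint_probability(0.255, 0.745))
    print("dependent, PR(B|A)=0.8:", joint_probability(0.255, 0.745, 0.8))
```

Note how the ranking differs from either score alone: the flood has the largest worst case but the lowest expected cost, while the ERP overrun leads on expected cost. The worst-case column is kept in the output because a response plan for a low-probability, catastrophic event should not be chosen on expected value alone.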
11. COSO ERM: Enterprise Risk Management
• COSO Enterprise Risk Management is a framework to help
enterprises to have a consistent definition of their risks.
• Enterprise risk management is a process, effected by an
entity’s board of directors, management and other personnel,
applied in a strategy setting and across the enterprise,
designed to identify potential events that may affect the entity,
and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity
objectives.
12. • ERM is a process
• ERM process is implemented by people in the enterprise.
• ERM is applied through the setting of strategies across the
overall enterprise.
• Concept of risk appetite must be considered.
• ERM provides reasonable, not absolute, assurance of objective achievement.
• ERM is designed to help achieve objectives.
13. COSO ERM Framework
COSO ERM Framework is a three-dimensional cube with the components of:
- Four vertical columns representing the categories of enterprise objectives (strategic, operations, reporting, and compliance).
- Eight horizontal rows, or risk components.
- Multiple levels describing the units of any enterprise (entity level, division, business unit, subsidiary).
14. Internal Environment Component
• Defines the basis for all other components in an enterprise’s
ERM model, influencing how strategies and objectives should
be established, how risk-related business activities are
structured, and how risks are identified and acted on.
15. Elements of Internal Environment Component
• Risk management philosophy
• Risk appetite
• Board of Directors attitudes
• Integrity and ethical values
• Commitment to competence
• Organizational structure
• Assignments of authority and responsibility
• Human resource standards
16. Objective Setting
• An enterprise must establish a series of strategic objectives,
aligned with its mission and covering operations, reporting,
and compliance activities.
20. Control Activities
These are the policies and procedures necessary to
ensure action on identified risk responses.
Having selected appropriate risk responses, an
enterprise should select control activities necessary
to ensure that the risk responses are executed in a
timely and efficient manner.
21. Many control activities under COSO internal controls are fairly easy to identify and test due to their accounting nature. These control activities generally include these internal control areas:
Separation of duties. Essentially, the person who initiates a transaction should not be the same person who authorizes that transaction.
Audit trails. Processes should be organized such that final results can be easily traced back to the transactions that created those results.
Security and integrity. Control processes should have appropriate control procedures such that only authorized persons can review or modify them.
Documentation. Processes should be appropriately documented.
22. An enterprise often faces a more difficult task in identifying control activities to support its ERM framework. Although there is no accepted or standard set of ERM control activities at this time, the COSO ERM documentation suggests several areas:
Top-level reviews. Senior managers should be very aware of the identified risk events within their organizational units and perform regular top-level reviews on the status of identified risks.
Direct functional or activity management. This is particularly important where control activities take place within separate operating units, with the need for communication and risk resolution across enterprise channels.
Information processing. Appropriate control procedures should be established with an emphasis on enterprise IT processes and risks.
23. Performance indicators. The typical enterprise today employs a wide range of financial and operational reporting tools that also can support risk-event-related performance reporting. Where necessary, performance tools should be modified to support this important ERM control activity component.
Segregation of duties. The person who initiates certain actions should not be the same person who approves them.
24. Information & Communication
Pertinent information must be identified, captured and
communicated in a form and timeframe that enable people
to carry out their responsibilities.
Information systems produce reports, containing
operational, financial and compliance-related information,
that make it possible to run and control the business. They
deal not only with internally generated data, but also
information about external events, activities and conditions
necessary to informed business decision-making and
external reporting.
Effective communication also must occur in a broader
25. There is a need for a common risk language
throughout the enterprise regarding their risk
management roles and responsibilities. COSO ERM
will be of little value to an enterprise unless its
importance is communicated to all stakeholders in a
common and consistent manner.
26. Monitoring
ERM monitoring is necessary to determine that
all installed ERM components work effectively.
People in the enterprise change, as do
supporting processes and both internal and
external conditions, but the monitoring
component helps ensure that ERM is working
effectively on a continuous basis.
27. The COSO ERM Application Framework document suggests that monitoring could include these types of activities:
Implementation of ongoing management reporting mechanisms, such as for cash positions, unit sales, and key financial data. An enterprise should not have to wait until fiscal month-end for these types of status reports, and quick-response flash reports should be initiated.
Periodic risk-related alert reporting processes should monitor key
aspects of established risk criteria, including acceptable error rates
or items held in suspense. Such reporting should emphasize
statistical trends and comparisons both with prior periods and with
other industry sectors.
28. Current and periodic status reporting of risk-related findings and
recommendations from internal and external audit reports, including
the status of ERM-related SOx identified gaps.
Updated risk-related information from sources such as government-revised rules, industry trends, and general economic news. Again, this type of economic and operational reporting should be available for managers at all levels.
Separate or individual evaluation monitoring refers to detailed
reviews of individual risk processes by a qualified reviewer, such as
internal audit.
30. Entity-Level Risks
• Risks should be identified and managed within each significant organizational
unit.
• Risks should be considered on a unit by unit basis to as low a level as
necessary.
• An enterprise with four major operating divisions and with multiple business
units under each would have ERM framework that reflects all of these units.
31. a.) Risks Encompassing the Entire Organization
• Individual unit risks should be reviewed and consolidated first to identify any
key risks that may impact the overall organization.
• An enterprise has to think of all risks as potentially significant.
32. b) Business Unit-Level Risks
• Risk issues here can cause embarrassment to the overall enterprise.
• Risks must be considered in each significant organizational unit.
• Push-down process: corporate-level management formally outlines its major risk-related concerns and asks the responsible management of each major division to address them.
33. • COSO ERM is designed to:
- identify potential events that may affect the entity
- manage risks to be within its risk appetite
- to provide reasonable assurance regarding the
achievement of entity objectives
- provides clear direction how to manage risks
34. Auditing Risk and COSO ERM Processes
• Internal auditors will encounter risk and risk management issues in many areas of the audit universe where they are performing reviews.
• That is why auditors should have a CBOK (common body of knowledge) level of knowledge of basic risk management.
• Internal audit reviewers of controls need to develop a strong understanding of COSO ERM controls and processes.
35. Tools to review enterprise-wide ERM processes
• Process flowcharting
- can be useful in describing how risk management operates in an
enterprise.
• Reviews of risk and control materials
- ERM process often results in a large volume of guidance materials,
documented procedures, report formats, and the like.
• Benchmarking
- the process of looking at functions in another environment to assess
their operations and to develop improved approaches based on the
best practices of others.
• Questionnaires
- can be sent out to designated stakeholders with requests for
specific information
36. Audit Procedure
1. Meet with appropriate managers to gain an understanding of the enterprise’s ERM implementation strategy, its
planned scope, and current implementation status
2. Develop a strategy for reviewing ERM processes
3. Develop internal audit plans for the components selected for reviews and publish engagement letters
announcing the planned audits
4. Review enterprise-wide ERM guidance materials in place.
5. Risk Management philosophy and appetite.
5.1 Meet with appropriate members of management
5.2 Through surveys or interviews
6. Risk management integrity and ethical values.
6.1 Review published codes of conduct and other materials to determine if risks-related
ethical values are being communicated
6.2 Review a sample of enterprise communication and assess whether attention
is given to ERM philosophies
37. 7. Risk management organization structure.
7.1 Meet with human resource management.
7.2 Review code of conduct records
7.3 Based on a review of organization charts and other
documentation.
8. Select one subsidiary or enterprise unit
8.1 Assess compliance with ERM internal objectives for the
selected business units.
8.2 Assess compliance with ERM objectives setting processes for the selected business
units
8.3 Assess compliance with ERM event notification processes for the selected business
unit.
38. 8.4 Assess compliance with ERM risk assessment for the selected business
unit.
8.5 Assess compliance with ERM risk response processes for the selected business
units.
8.6 Assess compliance with ERM control activity processes for the selected
business unit.
8.7 Assess compliance with ERM information and communication
processes for the selected business unit.
8.8 Assess compliance with ERM risk monitoring processes for the selected
business unit
39. Risk Management and COSO ERM in Perspective
• Risk management
- the identification, assessment, and prioritization of risks. It is
an insurance-related concept where an individual or
enterprise uses insurance mechanisms to provide protection
from those risks.
• COSO ERM
- is a framework to help enterprises to have a consistent
definition of their risks.
- the three dimensional ERM framework helps to place risk and
internal control issues in a better perspective in evaluating
Sox compliance.
41. External or internal incidents or occurrences in an enterprise
that affect the implementation of an ERM strategy and the
achievement of its objectives.
42. External economic events
Natural environmental events
Political events
Social factors
Internal infrastructure events
Internal process-related events
External and internal technological events
43. Event inventories
Facilitated workshops
Interviews, questionnaires, and surveys
Process flow analysis
Leading events and escalation triggers
Loss event data tracking
44. framework’s core
2 perspectives:
Likelihood- the probability or possibility that a risk will occur
Impact- how a risk event affects enterprise objectives
47. Monitoring has been the role of internal
auditors, who perform reviews to assess
compliance with established procedures;
however, COSO now takes a broader
view of monitoring.
49. SEPARATE INTERNAL CONTROL EVALUATION
COSO suggests that “it may be useful to take a fresh look from time to time” at the effectiveness of internal controls through separate evaluations. COSO emphasizes that these evaluations may be performed by direct line management through self-assessment reviews.
50. INTERNAL CONTROL EVALUATION PROCESS
1. Develop an understanding of the system design
2. Test key controls
3. Develop conclusions based on the test results
51. REPORTING INTERNAL CONTROL DEFICIENCIES
Determine what should be reported, given the large number of details that may be encountered, and to whom the reports should be directed.
52. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.
A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.
53. COSO internal control states that “ internal
control deficiencies that can affect the entity’s
attaining its objectives should be reported to
those who can take necessary action.”
54. COSO internal control suggests that all of these
should be identified and reported and that even
the most minor of errors should be investigated to
understand if they were caused by any overall
control deficiencies.
55. Findings on internal control deficiencies
usually should be reported not only to the
individual responsible for the function or
activity involved, who is in the position to
take corrective action, but also to at least
one level of management above the directly
involved person.
59. Calls for the identification of risks for each enterprise unit.
Internal audit reviews or surveys of persons directly
impacted by these risks can help to gather more detailed
background information on potential operations risks.
Internal auditors should act as eyes and ears and report
all observed operations risks.
60. Hazard, Risk, Probability
Hazard: a condition with the potential to cause personal injury or death, property damage, or mission degradation.
Risk: an expression of possible loss in terms of severity and probability.
Probability: the likelihood that a hazard will result in a mishap or loss.
62. This risk objective covers the reliability of an enterprise’s
reports of internal and external financial and nonfinancial
data.
Inaccurate reporting can cause problems in the future.
ERM is concerned about the risk of authorizing and
releasing inaccurate reports.
63. Any type of enterprise must comply with a wide range of
laws and government imposed or industry standards
regulations.
The nature of compliance risks needs to be
communicated and understood through all levels of an
enterprise.
Editor’s notes
COSO ERM can be an important internal audit tool to better
understand and evaluate the risks surrounding internal controls at all levels.
caused by a new and aggressive competitor or the damage
and even loss of life caused by a major weather disturbance
Most of us think of injury or damage when we think of hazards. But, remember the last part of this definition...anything which can cause mission degradation is a hazard. That includes enemy threats, security threats, inefficient use of assets, training degradation, something which could damage command image and credibility, etc.
The operational risk management process is a simple five-step process.
The concept of applying a standard, systematic approach to minimizing risk was originally developed to improve safety in the development of weapons, aircraft, space vehicles and nuclear power. It has been embraced by many civilian corporations and the Army, and is now being implemented in the Navy, MC, Air Force and Coast Guard.
Although a risk management process like this has been part of the NAVOSH program for years, it has traditionally been applied primarily to workplace hazards. However, this process is also effective when applied to planning, operations, training and procedures. Recently, in an effort to emphasize these other applications, the Navy/MC has encouraged the use of “operational risk management”.
The five steps are:
1 Identify potential causes of injury, damage or mission degradation.
2 For each hazard identified, determine the associated risk in terms of severity and probability.
3 Develop risk control options, then decide if benefit outweighs risk. Seek further controls or guidance from CoC, if necessary.
4 Once risk decision is made, implement selected controls.
5 Follow-up to ensure controls are working and watch for changes.
Strong internal controls should minimize the risk of errors, and an enterprise should always consider the risks associated with inaccurate reporting.