Enterprise Risk Management: Integrated Framework A COSO-Based Approach - PowerPoint PPT Presentation

1 / 25
About This Presentation
Title:

Enterprise Risk Management: Integrated Framework A COSO-Based Approach

Description:

A COSO-Based Approach ... and includes ISO, TQM, process improvement, Balanced ... formal objective quantitatively measurable the map Soft controls ... – PowerPoint PPT presentation

Number of Views:238
Avg rating:3.0/5.0
Slides: 26
Provided by: LDH1
Category:

less

Transcript and Presenter's Notes

Title: Enterprise Risk Management: Integrated Framework A COSO-Based Approach


1
Enterprise Risk ManagementIntegrated
FrameworkA COSO-Based Approach
  • presented by Larry Hubbard
  • 14th Annual NYS Leadership Accountability
    Conference

2
  • Controls are OK
  • John C. Egan
  • May 4, 2005

3
Topics/Agenda
  • What is COSO
  • Overview of I/C and ERM
  • Hard and Soft Controls
  • Some of the Evaluation Tools
  • Wrap-up

4
Internal Control and ERM
  • Management owns I/C and ERM
  • Internal auditors, and others, provide
    information
  • Internal Control is broadly defined, and
    includes ISO, TQM, process improvement, Balanced
    Scorecards, Six Sigma, etc.
  • Enterprise Risk Management is broader than, and
    encompasses, I/C
  • One definition

5
One Definition of IC and ERM
  • COSO stands for the Committee Of Sponsoring
    Organizations of the Treadway Commission. The
    sponsoring organizations are
  • Institute of Internal Auditors (IIA)
  • American Institute of Certified Public
    Accountants (AICPA)
  • American Accounting Association (AAA)
  • Institute of Management Accountants (IMA)
  • Financial Executives Institute (FEI)
  • Later, also endorsed by GAO, Federal agencies and
    SEC

6
COSO Background
  • 1992 - Internal Control (I/C) Integrated
    Framework
  • Framework volume
  • Evaluation Tools volume
  • 2004 - Enterprise Risk Management (ERM)
    Integrated Framework
  • Framework volume
  • Example techniques

7
ERM Definition
  • Enterprise risk management is a process, effected
    by an entitys board of directors, management and
    other personnel, applied in strategy setting and
    across the enterprise, designed to identify
    potential events that may affect the entity, and
    manage risk to be within its risk appetite, to
    provide reasonable assurance regarding the
    achievement of entity objectives.
  • Objective categories
  • Strategic high-level goals, aligned with and
    supporting its mission
  • Operations effective and efficient use of its
    resources
  • Reporting reliability of reporting
  • Compliance compliance with applicable laws and
    regulations

8
Definition of Internal Control
  • Internal control is a process, effected by an
    entitys board of directors, management and other
    personnel, designed to provide reasonable
    assurance regarding the achievement of objectives
    in the following categories
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting (SOX Focus)
  • Compliance with applicable laws and
    regulations

9
Components of Internal Control
  • Control Environment The core of any business is
    its people their individual attributes,
    including integrity, ethical values and
    competence and the environment in which they
    operate. They are the engine that drives the
    entity and the foundation on which everything
    rests.
  • Risk Assessment The entity must be aware of and
    deal with the risks it faces. It must set
    objectives, integrated with the sales,
    production, marketing, financial and other
    activities so that the organization is operating
    in concert. It also must establish mechanisms to
    identify, analyze and manage the related risks.
  • Control Activities Control policies and
    procedures must be established and executed to
    help ensure that the actions identified by
    management as necessary to address risks to
    achievement of the entity's objectives are
    effectively carried out.
  • Information and Communication Surrounding these
    activities are information and communication
    systems. These enable the entity's people to
    capture and exchange the information needed to
    conduct, manage and control its operations.
  • Monitoring The entire process must be
    monitored, and modifications made as necessary.
    In this way, the system can react dynamically,
    changing as conditions warrant.

10
Key Concepts
  • an ongoing process that flows throughout the
    organization
  • effected by people. Its not just policy
    manuals and forms, but people at every level of
    an organization
  • ... applied in strategy setting and across the
    organization
  • can be expected to provide reasonable
    assurance, not absolute assurance, to an entitys
    management and board
  • is geared to the achievement of objectives in
    one or more separate but overlapping categories

11
Focus on Soft Controls
  • Hard controls tend to be
  • formal
  • objective
  • quantitatively measurable
  • the map
  • Soft controls tend to be
  • informal
  • subjective
  • intangible
  • the real terrain

12
COSO Internal Control
Hard Controls Activities Reviews Inspections Pol
icies Reconciliations Structure Limits of
Authority Userids and Password Physical Counts
Soft Controls People Openness Shared
Values Clarity Commitment to Competence Honesty Hi
gh Expectations Communications
13
The COSO Cubes I/C and ERM
14
Effective I/C, or ERM, Means
  • That Management has a flow of reliable
    information about each component of control for
    all the objectives, from all areas of the
    organization.
  • COSO does not specify who should provide what
    information, just that management should be
    receiving and acting on the information.
  • Many different sources, or flows, of information
    exist in an organization.
  • Soft controls relate to the people doing the
    work to meet the objectives of the organization
    hard controls relate the processes and
    activities those people do.

15
Effective Enterprise Risk Management Means
16
Limitations
  • Reasonable, not absolute, assurance
  • Different levels of assurance for different
    objectives
  • The future is uncertain
  • Other limiting factors
  • Judgment, breakdowns
  • Collusion, management override
  • Cost versus benefits
  • Not part of IC or ERM
  • The objectives selected to be achieved
  • The responses taken to the risks

17
Other Thoughts on I/C and ERM
  • Controls for reliability of financial reporting
    are mainly in finance areas (Financial)
  • Controls over effective and efficient operations
    (Operational) and compliance with laws and
    regulations (Compliance) are mainly in
    operational areas
  • Discussing objectives, risks and responses is the
    most valuable part of ERM
  • Anyone can put together a list of risks and
    controls, but true ERM can only be done by those
    directly responsible for achieving the objectives
  • The same soft controls in the COSO I/C
    framework also apply to the ERM framework. I/C is
    fully incorporated into ERM.
  • ERM does not replace good management practices,
    does not replace setting the right objectives,
    and does not replace the business experience
    needed to have the right vision of where an
    organization should be heading.

18
SOX Section 404
  • 404 requires that annual reports contain
  • A statement that management is responsible for
    maintaining an adequate internal control
    structure and procedures for financial reporting
  • An assessment, as of the end of the most recent
    fiscal year, of the effectiveness of the internal
    control structure and procedures for financial
    reporting
  • Attestation of this assessment by the external
    audit firm
  • All based on a nationally accepted framework
    COSO is the one being used

19
OMB Circular A-123
  • Managements Responsibility for Internal Control
  • Annual assessment of internal control over
    financial reporting in Federal agencies,
    effective for FY 2006
  • Based on COSO

20
SOX - COSO Objectives
S T R A T E G I C
S O X
21
Evaluation Tools - Entity Level
  • Soft Control Questionnaires
  • CSA/RSA Workshops
  • CSA/RSA Questionnaires
  • Structured Interviews

22
Sample Questions (Rate each 1 to 5)
  • Management demonstrates a commitment to integrity
    and ethical behavior by example in their
    day-to-day activities.
  • Employees in your function feel they are adding
    value within the Companys overall strategy.
  • Management addresses and resolves violations of
    behavioral and ethical standards consistently,
    timely, and equitably in accordance with the
    provisions of the Companys Code of Conduct.
  • The process used to analyze risks in your
    function is clearly understood and includes
    estimating the significance of risks, assessing
    the likelihood of their occurring, and
    determining steps to mitigate them.
  • The current organizational structure facilitates
    the flow of information both up and down within
    your function and across to other functions.
  • Control activities described in policy and
    procedure manuals are actually applied the way
    they are intended to be applied and relate
    clearly to identified risks.
  • Control deficiencies are identified by on-going
    monitoring activities of the Company, including
    managerial activities and everyday supervision of
    employees.
  • Taking into consideration my evaluation of the
    components of internal control in previous
    sections of this survey, the internal control
    objective of reliability of financial reporting
    has been met.

23
Evaluation Tools - Activity Level
  • Risk and Control Matrix
  • CSA/RSA Workshops
  • CSA/RSA Questionnaires
  • Structured Interviews

24
Final Thoughts on I/C and ERM
  • Anyone can put together a list of risks and
    controls, but true ERM can only be done by those
    directly responsible for achieving the objectives
  • The same soft controls in the COSO I/C
    framework also apply to the ERM framework. I/C is
    fully incorporated into ERM.
  • ERM does not replace good management practices,
    does not replace setting the right objectives,
    and does not replace the business experience
    needed to have the right vision of where an
    organization should be heading.
  • The discussions about the risks are the
    controls its all about readiness for the
    unknown

25
More Information?
  • Larry Hubbard
  • Larry_at_LHubbard.com
  • (301) 529-8118
  • www.LHubbard.com
Write a Comment
User Comments (0)
About PowerShow.com