Slide 1: Enterprise Risk Management: Integrated Framework, A COSO-Based Approach
presented by Larry Hubbard
14th Annual NYS Leadership & Accountability Conference
Slide 2: Controls are OK
John C. Egan
May 4, 2005
Slide 3: Topics/Agenda
What is COSO
Overview of I/C and ERM
Hard and Soft Controls
Some of the Evaluation Tools
Wrap-up
Slide 4: Internal Control and ERM
Management owns I/C and ERM
Internal auditors, and others, provide information
Internal Control is broadly defined, and includes ISO, TQM, process improvement, Balanced Scorecards, Six Sigma, etc.
Enterprise Risk Management is broader than, and encompasses, I/C
One definition
Slide 5: One Definition of IC and ERM
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. The sponsoring organizations are:
Institute of Internal Auditors (IIA)
American Institute of Certified Public Accountants (AICPA)
American Accounting Association (AAA)
Institute of Management Accountants (IMA)
Financial Executives Institute (FEI)
Later, also endorsed by GAO, Federal agencies and SEC
Slide 6: COSO Background
1992 - Internal Control (I/C) Integrated Framework
Framework volume
Evaluation Tools volume
2004 - Enterprise Risk Management (ERM) Integrated Framework
Framework volume
Example techniques
Slide 7: ERM Definition
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Objective categories:
Strategic: high-level goals, aligned with and supporting its mission
Operations: effective and efficient use of its resources
Reporting: reliability of reporting
Compliance: compliance with applicable laws and regulations
Slide 8: Definition of Internal Control
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting (SOX Focus)
Compliance with applicable laws and regulations
Slide 9: Components of Internal Control
Control Environment: The core of any business is its people: their individual attributes, including integrity, ethical values and competence, and the environment in which they operate. They are the engine that drives the entity and the foundation on which everything rests.
Risk Assessment: The entity must be aware of and deal with the risks it faces. It must set objectives, integrated with the sales, production, marketing, financial and other activities, so that the organization is operating in concert. It also must establish mechanisms to identify, analyze and manage the related risks.
Control Activities: Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks to achievement of the entity's objectives are effectively carried out.
Information and Communication: Surrounding these activities are information and communication systems. These enable the entity's people to capture and exchange the information needed to conduct, manage and control its operations.
Monitoring: The entire process must be monitored, and modifications made as necessary. In this way, the system can react dynamically, changing as conditions warrant.
Slide 10: Key Concepts
ERM (and internal control):
... is an ongoing process that flows throughout the organization
... is effected by people. It's not just policy manuals and forms, but people at every level of an organization
... is applied in strategy setting and across the organization
... can be expected to provide reasonable assurance, not absolute assurance, to an entity's management and board
... is geared to the achievement of objectives in one or more separate but overlapping categories
Slide 11: Focus on Soft Controls
Hard controls tend to be:
formal
objective
quantitatively measurable
the map
Soft controls tend to be:
informal
subjective
intangible
the real terrain
Slide 12: COSO Internal Control (diagram; no text extracted)
Slide 13: (diagram; no text extracted)
Slide 14: Effective I/C, or ERM, Means:
That management has a flow of reliable information about each component of control for all the objectives, from all areas of the organization.
COSO does not specify who should provide what information, just that management should be receiving and acting on the information.
Many different sources, or flows, of information exist in an organization.
Soft controls relate to the people doing the work to meet the objectives of the organization; hard controls relate to the processes and activities those people do.
Slide 15: Effective Enterprise Risk Management Means: (diagram; no text extracted)
Slide 16: Limitations
Reasonable, not absolute, assurance
Different levels of assurance for different objectives
The future is uncertain
Other limiting factors:
Judgment, breakdowns
Collusion, management override
Cost versus benefits
Not part of IC or ERM:
The objectives selected to be achieved
The responses taken to the risks
Slide 17: Other Thoughts on I/C and ERM
Controls for reliability of financial reporting are mainly in finance areas (Financial)
Controls over effective and efficient operations (Operational) and compliance with laws and regulations (Compliance) are mainly in operational areas
Discussing objectives, risks and responses is the most valuable part of ERM
Anyone can put together a list of risks and controls, but true ERM can only be done by those directly responsible for achieving the objectives
The same soft controls in the COSO I/C framework also apply to the ERM framework. I/C is fully incorporated into ERM.
ERM does not replace good management practices, does not replace setting the right objectives, and does not replace the business experience needed to have the right vision of where an organization should be heading.
Slide 18: SOX Section 404
Section 404 requires that annual reports contain:
A statement that management is responsible for maintaining an adequate internal control structure and procedures for financial reporting
An assessment, as of the end of the most recent fiscal year, of the effectiveness of the internal control structure and procedures for financial reporting
Attestation of this assessment by the external audit firm
All based on a nationally accepted framework; COSO is the one being used
Slide 19: OMB Circular A-123, Management's Responsibility for Internal Control
Annual assessment of internal control over financial reporting in Federal agencies, effective for FY 2006
Based on COSO
Slide 20: (diagram; no text extracted)
Slide 21: Evaluation Tools - Entity Level
Soft Control Questionnaires
CSA/RSA Workshops
CSA/RSA Questionnaires
Structured Interviews
Slide 22: Sample Questions (Rate each 1 to 5)
Management demonstrates a commitment to integrity and ethical behavior by example in their day-to-day activities.
Employees in your function feel they are adding value within the Company's overall strategy.
Management addresses and resolves violations of behavioral and ethical standards consistently, timely, and equitably in accordance with the provisions of the Company's Code of Conduct.
The process used to analyze risks in your function is clearly understood and includes estimating the significance of risks, assessing the likelihood of their occurring, and determining steps to mitigate them.
The current organizational structure facilitates the flow of information both up and down within your function and across to other functions.
Control activities described in policy and procedure manuals are actually applied the way they are intended to be applied and relate clearly to identified risks.
Control deficiencies are identified by ongoing monitoring activities of the Company, including managerial activities and everyday supervision of employees.
Taking into consideration my evaluation of the components of internal control in previous sections of this survey, the internal control objective of reliability of financial reporting has been met.
Slide 23: Evaluation Tools - Activity Level
Risk and Control Matrix
CSA/RSA Workshops
CSA/RSA Questionnaires
Structured Interviews
Slide 24: Final Thoughts on I/C and ERM
Anyone can put together a list of risks and controls, but true ERM can only be done by those directly responsible for achieving the objectives
The same soft controls in the COSO I/C framework also apply to the ERM framework. I/C is fully incorporated into ERM.
ERM does not replace good management practices, does not replace setting the right objectives, and does not replace the business experience needed to have the right vision of where an organization should be heading.
The discussions about the risks are the controls; it's all about readiness for the unknown
Slide 25: More Information?
Larry Hubbard
Larry@LHubbard.com
(301) 529-8118
www.LHubbard.com