Enterprise Risk Management and COSO

A Guide for Directors, Executives and Practitioners

  1. English
  2. ePUB (mobile friendly)
  3. Available on iOS & Android
eBook - ePub

Enterprise Risk Management and COSO

A Guide for Directors, Executives and Practitioners

Book details
Book preview
Table of contents
Citations

About This Book

Praise for Enterprise Risk Management and COSO: A Guide for Directors, Executives, and Practitioners

"Enterprise Risk Management and COSO is a comprehensive reference book that presents core management of risk tools in a helpful and organized way. If you are an internal auditor who is interested in risk management, exploring this book is one of the best ways to gain an understanding of enterprise risk management issues."
— Naly de Carvalho, FSA Times

"This book represents a unique guide on how to manage many of the critical components that constitute an organization's corporate defense program."
— Sean Lyons, Corporate Defense Management (CDM) professional

"This book provides a comprehensive analysis of enterprise risk management and is invaluable to anyone working in the risk management arena. It provides excellent information regarding the COSO framework, control components, control environment, and quantitative risk assessment methodologies. It is a great piece of work."
— J. Richard Claywell, CPA, ABV, CVA, CM&AA, CFFA, CFD

"As digital information continues its exponential growth and more systems become interconnected, the demand and need for proper risk management will continue to increase. I found the book to be very informative, eye-opening, and very pragmatic with an approach to risk management that will not only add value to all boards who are maturing and growing this capability, but also will provide them with competitive advantage in this important area of focus."
— David Olivencia, President, Hispanic IT Executive Council

Optimally manage your company's risks, even in the worst of economic conditions.

There has never been a stronger need for sound risk management than now. Today's organizations are expected to manage a variety of risks that were unthinkable a decade ago. Insightful and compelling, Enterprise Risk Management and COSO reveals how to:

  • Successfully incorporate enterprise risk management into your organization's culture

  • Foster an environment that rewards open discussion of risks rather than concealment of them

  • Quantitatively model risks and effectiveness of internal controls

  • Best discern where risk management resources should be dedicated to minimize occurrence of risk-based events

  • Test predictive models through empirical data

Authors: Harry Cendrowski, William C. Mair

Information

Publisher: Wiley
Year: 2009
ISBN: 9780470553817
Edition: 1
Subtopic: Auditing

SECTION II
Quantitative Risk Management
In this section we examine quantitative, scalable risk assessment modeling procedures. The first chapters in this section discuss key components of our quantitative risk management methodology, while the remaining chapters discuss potential applications of our methodology.
Within this section we concern ourselves with developing an assessment framework that seeks to quantify risks to the organization and provides a methodology for checking the predictive power of our models. These risks might pertain to financial reporting, operations, compliance with laws and regulations, or the safeguarding of assets. Although state-of-the-art risk assessment tools used by professionals currently include quantitative risk assessment methods, these types of risk assessments often focus on micro-level risks. Technological advances have made it easier for organizations to quantify risks from force majeure events such as hurricanes and severe weather patterns, using models that break existing weather conditions into "cells" and simulate their interactions. They have also helped the construction industry better forecast decay in steel-reinforced concrete bridges using nonlinear regression models; the airline industry better comprehend the fracture toughness of aircraft materials using models of strain developed from stress testing; and the health-care industry model outbreaks of new flu strains using relational models of disease transmission. However, these types of risk modeling are not the subject of the second portion of this text. Rather, we focus on a quantitative approach to assessing risks at all levels of the organization according to their causes.
The methods in this section are intended to augment the COSO Internal Control (COSO-IC) and COSO Enterprise Risk Management (COSO-ERM) Frameworks by adding quantitative assessment and interdependent systems features. The additions are an expansion of the Control Activities component of COSO-IC, but the other COSO-IC components remain unchanged. Furthermore, the methods in this book do not conflict with most of the various frameworks espoused for security, financial information, or information technology. The correlations are explained in the forthcoming chapters.
COSO-IC is intended to be a high-level view of internal control and deliberately does not, for example, concern itself with the technology used to support information processing or control implementation. Most commonly, a methodology known as CobiT serves to fill this gap. We also address CobiT's framework within this section.
Because the Sarbanes-Oxley Act (SOX) applies only to public companies in the United States, so too do COSO's frameworks. The American Institute of Certified Public Accountants (AICPA) has issued auditing standards applicable to internal controls of private companies. Still other pronouncements exist that are more narrowly directed to security and information technology. These other pronouncements do not directly reference COSO's frameworks, but they are compatible with them.
Most readers who have experience in performing control and risk assessments should already be familiar with most of the concepts described in the first chapters in this section regarding control frameworks. However, we provide a brief refresher for readers who have not had the opportunity to study or apply the qualitative assessments specified by these frameworks and to give all readers a common starting point.
As previously stated, our quantitative assessments are designed to assist managers in understanding the specific and ultimate risks in the areas of financial reporting, operations, and governance. We extend existing qualitative frameworks (e.g., COSO-IC, COSO-ERM, and CobiT) to a quantitative methodology, allowing the reader to better understand the impact of risks to the organization.

Why Is a Quantitative Approach Important?

The use of a quantitative approach offers several advantages over a purely qualitative one:
  • Risks and controls can be modeled to predict specific levels of residual risk.
  • The model provides a communication structure by which several people can collaborate and pool their knowledge of systems, risks, and controls.
  • The model can be validated by comparing it to observed incidences.
  • The model can be used to identify and focus on only those controls necessary to achieve the objectives of external financial reporting or other selected objectives.
  • The model can be used to plan audits more effectively by quantitatively understanding the risks of material misstatements.
  • The model can be used for "what-if" scenarios to test sensitivity, optimize costs and benefits, and consider alternatives for improved design.
  • The logic behind the assessment is documented for review and discussion.
  • Quantitative measures can reduce the extent of debate arising from differing assessments.
  • Multiple instances of a system can be assessed and compared.
  • The exposures from multiple systems can be aggregated for the entire enterprise.
Some skeptics question the possibility that a quantitative model of such a complex problem can ever be reliable. However, at the same time, they accept the conclusions of professional judgment in qualitative assessments.
Research has suggested that to be considered experts, individuals should have 10 years of concentrated experience in the specific discipline of their expertise. Without this experience, an individual who makes a "professional judgment" might do so without the necessary background on which to base this judgment. It is essential that board members, managers, and risk management professionals keep this in mind when they are selecting risk management experts to perform assessments. Moreover, directors and managers should select a committee of risk practitioners to perform risk assessments, as individuals on their own may not be able to elaborate all relevant risks; a committee of risk practitioners will be more likely to capture all risks faced by the organization.
The authors have great admiration for the capabilities of the human brain. It can estimate, in an instant, the exact force, direction, and elevation to send a basketball swooshing through a net. It is not as accurate at performing similar estimates for a cannon to hit a distant target. For that, the human brain invented the first computer.
Professional judgment also has its limitations. The financial statements of a public company are usually the product of many systems, which often are quite complex by themselves as well as in their interrelationships. We do not believe that intuition, judgment, or any other solely qualitative assessment could be better than one that enlists the aid of quantitative relationships. This does not mean that we endorse blind acceptance of quantitative results, for they, too, can omit or distort essential issues. It does mean that quantitative measures will usually produce sounder answers than "guesstimating."

Predicting Residual Risk

Our business and personal lives are filled with desires to predict what is going to happen. We seek weather predictions to know what to wear and to plan activities. We predict the next month's and quarter's profits to inform top management and investors. Predicting risks is no different.
A quantitative approach affords us the possibility of predicting what we deem residual risks, or those risks that remain after internal control systems have had a chance to prevent, detect, and correct potential issues. Other qualitative approaches do not allow for such estimation techniques.

Collaborating with Subject-Matter Experts

The explicit listing of risks and controls in our quantitative model provides a structure for people from different disciplines and viewpoints to contribute and blend their knowledge. This is especially evident when accountants and information technology experts work together. A single person is rarely so broadly knowledgeable as to prepare a model alone. Usually someone skilled in modeling works together with several subject-matter experts to construct a model that is complete and realistic. Subject-matter experts contribute their experience and knowledge regarding potential problems, their risks, effectiveness of control design, reliability of control implementation, and likelihood of various consequences.

Validity of Modeling

With the tools built into Excel® and other computer software, one need not be a meteorologist or a mathematician to build a predictive model. Building a model that works with reasonable reliability, however, is still a tricky task. Every model should be validated or "proven" before it is relied on. This can be accomplished via two methods.
Some mathematical models are regression equations containing relatively few variables. Such models can be validated by making a series of observations and then comparing them to the model's predictions. The accuracy of the model can be measured by calculating the coefficient of correlation or by graphing the differences. In preparing such a plot, one can verify how predicted values deviate from actual values. Most control assessment models contain too many variables to permit the use of regression techniques. Instead, we apply the techniques of cross-validation in our quantitative model.
Cross-validation requires that a practitioner partition a dataset into subsets for future use. Analysis is performed on a subset of the total available data and then validated using data from a separate subset. For example, a practitioner may first acquire historical data regarding the actual occurrence of incidents. Then, using cross-validation techniques, he can exclude the most recent period and use the prior periods to predict values for the most recent period. If the actual data for the most recent period and the prediction are approximately equal, that presents evidence that the model is valid.
An alternative approach is to use recent data to predict the forthcoming period and then wait to see whether what happens is approximately equal to the prediction. This approach requires waiting, but it might be necessary if insufficient historical data is available to apply the first approach. This approach is also appropriate for ongoing monitoring of recurring predictions.
If the results from either of these validation methods are significantly different from reality, the model must be reconsidered and revised to improve it.
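As an added example (not code from the book), the hold-out validation described above in Python: the "model" is an assumed linear trend fitted to constructed quarterly incident counts, the most recent period is excluded and predicted from the prior periods, and the hold-out is also repeated across several periods so that the coefficient of correlation between predictions and observations can be computed; a final function covers the second approach of forecasting the forthcoming period for ongoing monitoring.

```python
"""Hold-out validation of an incident-frequency model, following the text's
procedure: fit on all periods but the most recent, predict it, compare; then
forecast the forthcoming period for ongoing monitoring.
Sample data below is constructed, not taken from the book."""
from math import sqrt
from statistics import mean

# Constructed: incidents observed per quarter in one control system, oldest first.
OBSERVED = [14, 12, 13, 11, 9, 10, 8, 7]


def fit_trend(history):
    """Least-squares line through (period index, incidents) -> (slope, intercept).
    An assumed stand-in for whatever model the practitioner actually builds."""
    n = len(history)
    x_mean, y_mean = (n - 1) / 2, mean(history)
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(history))
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def predict(model, period):
    slope, intercept = model
    return slope * period + intercept


def holdout_validate(series, tolerance=0.25):
    """Exclude the most recent period, fit on the rest, predict it; accept the
    model only if prediction and actual agree within `tolerance` (relative)."""
    train, actual = series[:-1], series[-1]
    predicted = predict(fit_trend(train), len(train))
    rel_error = abs(predicted - actual) / max(actual, 1)  # guard a zero-incident period
    return {"predicted": predicted, "actual": actual,
            "relative_error": rel_error, "accept": rel_error <= tolerance}


def rolling_validate(series, min_train=4):
    """Repeat the hold-out at every period from `min_train` on, giving several
    (predicted, actual) pairs so a coefficient of correlation can be computed."""
    pairs = [(predict(fit_trend(series[:k]), k), series[k]) for k in range(min_train, len(series))]
    pm, am = mean(p for p, _ in pairs), mean(a for _, a in pairs)
    cov = sum((p - pm) * (a - am) for p, a in pairs)
    var = sum((p - pm) ** 2 for p, _ in pairs) * sum((a - am) ** 2 for _, a in pairs)
    return {"pairs": pairs, "correlation": cov / sqrt(var) if var else 0.0}


def forecast_next(series):
    """Monitoring mode: fit on everything observed so far, predict the next period."""
    return predict(fit_trend(series), len(series))
```

A rejected hold-out (`accept` false) or a weak correlation is the signal the text describes for reconsidering and revising the model.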

Focusing on Objectives

Many financial information application systems serve operating and compliance objectives as well as financial reporting ones. The accuracy and integrity needed for the operating and compliance objectives often exceed the level needed for financial reporting within the boundaries of materiality. How can someone pick out just those controls necessary to financial reporting? Most of the time they will err in the direction of selecting more controls than necessary. Using quantitative methods, the selection of so-called key controls and the scope of testing can be substantially reduced from the numbers commonly selected.

Performing Sensitivity and "What-If" Analyses...

Table of contents

  1. Title Page
  2. Copyright Page
  3. About the Contributors
  4. Acknowledgements
  5. Preface
  6. SECTION I - Organizational Risk Management
  7. SECTION II - Quantitative Risk Management
  8. Glossary
  9. Appendix - Internal Control Sections of the Sarbanes-Oxley Act
  10. Index