Flashcards in COSO and ERM framework Deck (58):
3 areas SOX addresses
1. C-orporate responsibility
2. E-nhanced Financial Disclosures
What are the primary roles of the audit committee?
1. Report: the auditor reports directly to the audit committee
2. Resolving disputes
Assertions made by the CEO and CFO when signing the F/S
4. R-esponsibility assumed for controls
6. C-hanges significant
7. R-eviewed Report
3. O-missions: none
2. U-ntrue statements: none
5. D-isclosures to auditors and audit committee
3. S-tanding: F/S fairly represent the financials of the company
Enhanced Financial Disclosures
2. C-onflict of interest provisions: disclosures
3. T-ransactions involving management and principal stockholders: disclosures
4. I-nternal Control assessment by management
5. I-nvestment Companies are exempt
6. C-ode of Ethics for Senior Officers disclosure
7. A-udit Committee Financial Expert disclosure
8. S-EC enhanced review of periodic disclosures by issuer
Code of ethics standards promote?
1. Honest and Ethical conduct
2. Full, fair, accurate, and timely disclosures (periodic F/S)
3. Compliance with laws, rules, and regulations
Knowledge of the Financial Expert should include
1. UNDERSTANDING of audit committee functions
2. P-reparation experience or auditing of F/S for comparable issuers
3. U-nderstanding of GAAP
4. G-AAP application
5. E-xperience with Internal Controls
What is COSO?
COSO (Treadway Commission): an independent private-sector initiative, initially established in the mid-1980s to study the factors that lead to fraudulent financial reporting. The private "sponsoring organizations" are the 5 major financial associations in the US.
What is the COSO Framework?
Widely regarded as an appropriate and comprehensive basis to document the assessment of IC over financial reporting.
What is the definition of IC?
A process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance about the achievement of the entity's objectives. Objectives represent what an entity strives to achieve.
3 categories of an entity's objectives
1. R-eliability of financial reporting
2. E-ffectiveness and efficiency of operations
3. C-ompliance with applicable laws and regulations
5 Components of COSO
1. C-ontrol environment
2. R-isk Assessment
3. I-nformation and Communication Systems
5. E-xisting Control Activities
Control Environment definition
The overall tone of the organization
Risk Assessment definition
Management's identification of risk
Information and Communication Systems definition
A means of recording transactions and communicating responsibilities
Assessment of internal control performance over time
Existing Control Activities definition
Control policies and procedures
Control Environment 7 principles
1. P-hilosophy and operating style of management
2. H-uman Resources
3. R-eporting Competencies (Financial)
4. A-uthority and Responsibility
5. S-tructure of the organization
6. E-thical values and integrity
Philosophy and operating style of management definition
The shared beliefs and attitudes of management that impact the entire organization are defined by the risk management philosophy.
Human resources attributes
The commitment to hiring the most qualified people will influence the internal environment. Minimum educational and experience requirements, background checks, and the like demonstrate the commitment and promote individual and corporate accountability.
Reporting Competencies attributes (Risk Appetite)
The amount of risk an organization will accept in the pursuit of value is defined by its risk appetite. It factors heavily into balancing strategy with return.
A-uthority and Responsibility attributes
The degree to which individuals are given appropriate authority to handle their responsibilities, and the degree to which they are held accountable, influences the internal environment.
Structure of the organization
The organizational structure should support the entity's enterprise risk management system
The degree of involvement and appropriate oversight provided by the board of directors establishes an organization-wide tone that recognizes authority and accountability
Risk assessment attributes
1. GAAP accordance
2. Financial Reporting Objectives
3. F/S reporting risks
4. Fraud Risk
Information and Communication attributes
Definition: Identify, capture, process, and distribute information supporting the accomplishment of financial reporting objectives.
1. Financial Reporting: current, accurate, timely
2. IC Information: IC designed to capture compliance data and trigger responses where appropriate
3. Internal Communication: communication with personnel and outside the normal chain of command
4. External Communication: Open communication with everyone involved with the organization
Definition: Provides an assessment of the performance of the system of IC over time.
1. Ongoing/separate evaluations and reporting evaluations (scope and frequency of evaluations varies based on the significance of the risk being controlled)
2. Metrics, self-assessments, computer network testing, internal auditing
3. Reporting deficiencies: report IC deficiencies to appropriate leadership in a timely manner
Existing Control Activities attributes
Definition: Generally represent the policies and procedures used to implement IC
1. Designed to mitigate risk
2. Selection and development
3. policies and procedures
Enterprise Risk Management assists organizations in developing a comprehensive response to risk management. The intent of ERM is to allow management to effectively deal with uncertainty, evaluate risk acceptance, and build value. Value is maximized when strategy balances risks and returns as well as efficiency and effectiveness in accomplishing objectives.
ERM has the following themes
1. Aligning Risk Appetite and Strategy
2. Enhancing Risk Response Decisions
3. Reducing Operational Surprises and Losses
4. Identifying and Managing Multiple and Cross-Enterprise risks
5. Seizing Opportunities
6. Improving Deployment of Capital
ERM defines enterprise objectives in 4 categories (S-etting Objectives in ERM)
ERM Components in order
1. I-nternal environment
2. S-etting objectives
3. E-vent identification
4. A-ssessment of risk
5. R-isk response
7. I-nformation and Communication
8. M-onitoring
ERM- Internal Environment elements
1. P-hilosophy of risk management
2. H-uman resources standards
3. R-isk appetite and response
4. A-uthority and responsibility
6. E-thical values(Integrity)
8. C-ommitment to competence
E-thical values and integrity definition
Adoption and demonstration of high ethical values by leadership will shape the internal environment
C-ommitment to Competence
Management's specification of required competency levels for each job function establishes the organization-wide expectation of individual and thus corporate competence.
S-trategic objectives defined
The broad, mission-driven objectives of an organization are its strategic objectives. They remain the same year after year, while the related objectives and the selected objectives are more dynamic.
O-perations objectives defined
Includes efficiency, effectiveness, and profitability objectives that are subject to management discretion or style.
R-eporting Objectives Defined
External and Internal objectives associated with timeliness and accuracy are associated with both financial and non-financial data
C-ompliance objectives defined
Includes adherence to the laws, rules, and regulations associated with operations, including tax and financial reporting compliance, workplace safety, environment regulations, and other laws.
E-vent Identification defined
Events, both negative (risks) and positive (opportunities), should be identified. An event is an internal or external occurrence that impacts strategy or the achievement of objectives. Categories include SWOT.
1. Event Inventories
2. Internal Analysis
3. Escalation or Threshold triggers
A-ssessment of Risk
Risks are analyzed in relation to their likelihood and their severity, and to the anticipated risks that continue even after management has taken action. Supported by inherent and residual risks, likelihood of impact, data sources, and event relationships.
The risk to an organization that exists if management takes NO action to change the likelihood or impact of an adverse event.
The risk to an organization that exists AFTER management takes action to mitigate the adverse impact of the event.
Generally drawn from past experiences with similar events.
Use of common data from organizations with similar characteristics.
Use of a range of events and impacts WITH likelihood estimated using assumptions.
Use of subjective assumptions to estimate event impact WITHOUT estimating
Management's response to risk must align with the organization's overall risk appetite. Supported by the following key elements: risk avoidance, risk reduction, risk sharing, and risk acceptance.
Management may elect to avoid or terminate risk.
Management may elect to reduce or mitigate risk.
Management may reduce risk by transferring (sharing) risk.
The company may take no action (accept the risk).
A-ctivities control (E in CRIME)
The policies and procedures used to effect management's response to risk.
I-nformation and Communication (I in CRIME)
Includes the identification, capture, and communication of information throughout the organization in an effective manner.
M-onitoring (M in CRIME)
Used to manage risk
Ongoing Monitoring activities
Operating or functional support managers provide ongoing monitoring activity to verify the effective operation of controls.
A fresh look at the effectiveness of IC can be highly valuable. Internal audit staff or an ad hoc team can conduct the evaluation.
Change Control Process
Consider the manner in which management monitors and authorizes changes to a variety of IT matters including software application programs, system software, database administration, networks and security, and job scheduling.