COSO and ERM framework Flashcards Preview


Flashcards in COSO and ERM framework Deck (58):

3 areas SOX addresses

1. C-orporate responsibility
2. E-nhanced Financial Disclosures
3. F-raud


What are the primary roles of the audit committee?

1. Report: the external auditor reports directly to the audit committee (not to management)
2. Resolving disputes between management and the auditor


Assertions made by the CEO and CFO when signing (certifying) the F/S

1. R-eviewed the report
2. U-ntrue statements: none
3. O-missions: none (no material fact omitted)
4. S-tatements: the F/S fairly present the financial condition of the company
5. R-esponsibility assumed for internal controls
6. D-isclosures to the auditors and the audit committee (control deficiencies, fraud)
7. C-hanges (significant) in internal control disclosed


Enhanced Financial Disclosures

1. R-eports(Periodic)-disclosures
2. C-onflict of interest provisions-Disclosures
3. T-ransactions involving management and principal stockholders: disclosures
4. I-nternal Control assessment by management
5. I-nvestment Companies are exempt
6. C-ode of Ethics for Senior Officers disclosure
7. A-udit Committee Financial Expert disclosure
8. S-EC enhanced review of periodic disclosures by issuer


Code of ethics standards promote?

1. Honest and Ethical conduct
2. Full, fair, accurate, and timely disclosures (periodic F/S)
3. Compliance with laws, rules, and regulations


Knowledge of the Financial Expert should include

1. U-nderstanding of audit committee functions
2. P-reparation or auditing experience with the F/S of comparable issuers
3. U-nderstanding of GAAP
4. G-AAP application (experience applying GAAP to estimates, accruals and reserves)
5. E-xperience with internal controls


What is COSO?

COSO (Committee of Sponsoring Organizations of the Treadway Commission): an independent private-sector initiative, initially established in the mid-1980s to study the factors that lead to fraudulent financial reporting. The private "sponsoring organizations" are the five major US accounting and finance associations (AAA, AICPA, FEI, IIA and IMA).


What is the COSO Framework?

Widely regarded as an appropriate and comprehensive basis for documenting management's assessment of internal control (IC) over financial reporting.


What is the definition of IC?

A process, effected by those charged with governance, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the entity's objectives. Objectives represent what an entity strives to achieve.


3 categories of an entity's objectives

1. R-eliability of financial reporting
2. E-ffectiveness and efficiency of operations
3. C-ompliance with applicable laws and regulations


5 Components of COSO

1. C-ontrol environment
2. R-isk Assessment
3. I-nformation and Communication Systems
4. M-onitoring
5. E-xisting Control Activities


Control Environment definition

The overall tone of the organization


Risk Assessment definition

Management's identification of risk


Information and Communication Systems definition

A means of recording transactions and communicating responsibilities


Monitoring Definition

Assessment of internal control performance over time


Existing Control Activities definition

Control policies and procedures


Control Environment 7 principles

1. P-hilosophy and operating style of management
2. H-uman Resources
3. R-eporting competencies (financial)
4. A-uthority and Responsibility
5. S-tructure of the organization
6. E-thical values and integrity
7. D-irectors(Board)


Philosophy and operating style of management definition

The shared beliefs and attitudes of management that affect the entire organization; they are defined by the risk management philosophy.


Human resources attributes

The commitment to hiring the most qualified people influences the internal environment. Minimum educational and experience requirements, background checks, and the like demonstrate that commitment and promote individual and corporate accountability.


Reporting competencies attributes (risk appetite)

The amount of risk an organization will accept in the pursuit of value is defined by its risk appetite. Risk appetite factors heavily into balancing strategy with return.


A-uthority and Responsibility attributes

The degree to which individuals are given appropriate authority to handle their responsibilities, and the degree to which they are held accountable for them, influences the internal environment.


Structure of the organization

The organizational structure should support the entity's enterprise risk management system


Directors(Board) attributes

The degree of involvement and appropriate oversight provided by the board of directors establishes an organization-wide tone that recognizes authority and accountability


Risk assessment attributes

1. GAAP accordance
2. Financial Reporting Objectives
3. F/S reporting risks
4. Fraud Risk


Information and Communication attributes

Definition: Identify, capture, process, and distribute information supporting the accomplishment of financial reporting objectives.

1. Financial Reporting:Current, accurate, timely
2. IC Information: IC designed to capture compliance data and trigger responses where appropriate
3. Internal Communication: communication with personnel and outside the normal chain of command
4. External Communication: Open communication with everyone involved with the organization


Monitoring Attributes

Definition: Provides an assessment of the performance of the system of IC over time.

1. Ongoing and separate evaluations and reporting of the results (the scope and frequency of evaluations varies with the significance of the risk being controlled)
2. Metrics, self-assessments, computer network testing, internal auditing
3. Reporting of IC deficiencies to the appropriate level of leadership in a timely manner


Existing Control Activities attributes

Definition: Generally represent the policies and procedures used to implement IC

1. Designed to mitigate risk
2. Selection and development
3. policies and procedures
4. IT


ERM Definition

Enterprise Risk Management assists organizations in developing a comprehensive response to risk. The intent of ERM is to allow management to deal effectively with uncertainty, evaluate risk acceptance, and build value. Value is maximized when strategy balances risk and return, as well as efficiency and effectiveness, in accomplishing objectives.


ERM has the following themes

1. Aligning Risk Appetite and Strategy
2. Enhancing Risk Response Decisions
3. Reducing Operational Surprises and Losses
4. Identifying and Managing Multiple and Cross-Enterprise risks
5. Seizing Opportunities
6. Improving Deployment of Capital


ERM defines enterprise objectives in 4 categories (S-etting objectives in ERM)

1. S-trategic
2. O-perations
3. R-eporting
4. C-ompliance


ERM Components in order

1. I-nternal environment
2. S-etting objectives

3. E-vent identification
4. A-ssessment of risk
5. R-isk response

6. A-ctivities(Control)
7. I-nformation and Communication
8. M-onitoring


ERM- Internal Environment elements

1. P-hilosophy of risk management
2. H-uman resources standards
3. R-isk appetite and response
4. A-uthority and responsibility
5. S-tructure(organizational)
6. E-thical values(Integrity)
7. D-irectors

8. C-ommitment to competence


E-thical values and integrity definition

The adoption and demonstration of high ethical values by leadership shape the internal environment.


C-ommitment to competence

Management's specification of required competency levels for each job function establishes the organization-wide expectation of individual and thus corporate competence.


S-trategic objectives defined

The broad, mission-driven objectives of an organization are its strategic objectives. They remain the same year after year, while the related objectives, and the strategies selected to pursue them, are more dynamic.


O-perations objectives defined

Includes efficiency, effectiveness, and profitability objectives that are subject to management discretion or style.


R-eporting Objectives Defined

External and internal objectives associated with the timeliness and accuracy of both financial and non-financial data.


C-ompliance objectives defined

Includes adherence to the laws, rules, and regulations associated with operations, including tax and financial reporting compliance, workplace safety, environment regulations, and other laws.


E-vent Identification defined

Events, both negative (risks) and positive (opportunities), should be identified. An event is an internal or external occurrence that affects strategy or the achievement of objectives. Categories include SWOT (strengths, weaknesses, opportunities, threats). Techniques include:

1. Event Inventories
2. Internal Analysis
3. Escalation or Threshold triggers


A-ssessment of Risk

Risks are analyzed in terms of their likelihood and their impact (severity), including the risk that is expected to remain even after management has taken action. Supported by inherent and residual risk, likelihood and impact, data sources, and event relationships.


Inherent risks

The risk to an organization that exists if management takes NO action to change the likelihood or impact of an adverse event.


Residual Risks

The risk to an organization that exists AFTER management takes action to mitigate the adverse impact of the event.


Data Sources

1. Internal: generally drawn from past experience with similar events.
2. External: use of common data from organizations with similar characteristics.


Probabilistic Models

Use of a range of events and impacts WITH likelihood estimated using assumptions.


Non-probabilistic Models

Use of subjective assumptions to estimate event impact WITHOUT estimating likelihood.


R-isk Response

Management's response to risk must align with the organization's overall risk appetite. Supported by the following key elements: risk avoidance, risk reduction, risk sharing, and risk acceptance.


Risk Avoidance

Management may elect to avoid or terminate risk.


Risk Reduction

Management may elect to reduce or mitigate risk.


Risk Sharing

Management may reduce risk by transferring part of it (for example, insurance or outsourcing).


Risk Acceptance

The company may take no action; the inherent risk is retained as residual risk.
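The Assessment of Risk card (inherent vs. residual risk, likelihood and impact) and the four Risk Response cards above are usually applied together in a risk register. The following is an added worked example, not content from the deck or from COSO: it assumes a 1-5 ordinal scale for likelihood and impact, a score equal to likelihood times impact, and a single numeric risk appetite threshold, none of which the framework prescribes. The register entries and the `RISK_APPETITE` value are constructed sample data.

```python
"""Risk register: inherent vs. residual scoring and a risk-appetite check.

Added illustration of the COSO ERM concepts; not from the source deck.
Assumptions (not in the source): 1-5 scales, score = likelihood x impact,
and one numeric appetite threshold for the whole register.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Response(Enum):
    AVOID = "avoid"      # terminate the activity that creates the risk
    REDUCE = "reduce"    # mitigate likelihood and/or impact with controls
    SHARE = "share"      # transfer part of the impact (insurance, outsourcing)
    ACCEPT = "accept"    # take no action; inherent risk becomes residual risk


@dataclass
class Risk:
    name: str
    likelihood: int                            # 1 (rare) .. 5 (almost certain)
    impact: int                                # 1 (negligible) .. 5 (severe)
    response: Response
    residual_likelihood: Optional[int] = None  # required for REDUCE / SHARE
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: scale values must be 1..5")


def inherent_score(r: Risk) -> int:
    """Risk that exists if management takes NO action."""
    return r.likelihood * r.impact


def residual_score(r: Risk) -> int:
    """Risk that remains AFTER the chosen response is applied."""
    if r.response is Response.AVOID:
        return 0                          # activity terminated, no exposure
    if r.response is Response.ACCEPT:
        return inherent_score(r)          # nothing changes
    # REDUCE and SHARE need an explicit post-response estimate
    if r.residual_likelihood is None or r.residual_impact is None:
        raise ValueError(f"{r.name}: '{r.response.value}' needs residual estimates")
    residual = r.residual_likelihood * r.residual_impact
    if residual > inherent_score(r):
        # a "mitigation" that raises the score is a data-entry error, not a response
        raise ValueError(f"{r.name}: residual risk exceeds inherent risk")
    return residual


def evaluate(register: list, appetite: int) -> list:
    """Score every risk and compare its residual score with the appetite."""
    rows = []
    for r in register:
        residual = residual_score(r)
        rows.append({
            "name": r.name,
            "response": r.response.value,
            "inherent": inherent_score(r),
            "residual": residual,
            "within_appetite": residual <= appetite,
        })
    return rows


def exceptions(register: list, appetite: int) -> list:
    """Names of risks whose residual score still exceeds appetite (escalate)."""
    return [row["name"] for row in evaluate(register, appetite)
            if not row["within_appetite"]]


# Constructed sample register; values are illustrative, not from any real entity.
SAMPLE_REGISTER = [
    Risk("Unauthorized change to production ledger app", 4, 5, Response.REDUCE, 1, 5),
    Risk("Ransomware on file servers", 3, 5, Response.SHARE, 3, 2),
    Risk("Legacy product line litigation", 2, 4, Response.AVOID),
    Risk("Minor expense report errors", 4, 1, Response.ACCEPT),
    Risk("Key-person dependency in FP&A", 3, 4, Response.ACCEPT),
]
RISK_APPETITE = 6   # assumed threshold: residual scores above this need escalation

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER, RISK_APPETITE):
        print(row)
    print("Exceptions:", exceptions(SAMPLE_REGISTER, RISK_APPETITE))
```

Two checks matter in practice and are easy to forget on a spreadsheet: a REDUCE or SHARE response without a residual estimate is rejected rather than silently scored as zero, and an ACCEPT response is allowed to exceed appetite only so that it shows up in the exception list, which is the escalation point the Risk Response card describes.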


A-ctivities control(E in CRIME)

The policies and procedures used to effect management's response to risk.


I-nformation and Communication(I in CRIME)

Includes the identification, capture, and communication of information throughout the organization in an effective manner.


M-onitoring(M in CRIME)

Ongoing and separate evaluations used to verify that the ERM components are present and functioning over time.


Ongoing Monitoring activities

Operating or functional support managers provide ongoing monitoring activity to verify the effective operation of controls.


Separate evaluations

A fresh look at the effectiveness of IC can be highly valuable. Internal audit staff or an ad hoc team can conduct the evaluation.


Change Control Process

Consider the manner in which management monitors and authorizes changes to a variety of IT matters, including application programs, system software, database administration, networks and security, and job scheduling.


Total Production Ratio (TPR)

The value of all output relative to the value of all input.