Enterprise Risk Management, Internal Controls, & Business Processes (17-27%) Flashcards
(35 cards)
What is ERM (Enterprise Risk Management)?
A process effected by an entity’s board of directors, management and other personnel, applied in strategy setting & across enterprise, designed to identify potential events that may affect entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding achievement of entity objectives
What is the purpose of ERM (Enterprise Risk Management)?
To provide an all-encompassing framework for managing risk throughout all activities of entity
What is COSO?
COSO = Committee of Sponsoring Organizations
A joint initiative to combat fraud; it provides a framework for designing, implementing, and evaluating internal control for organizations, as well as enterprise risk management
What are the 5 components of COSO ERM Model?
GRIPS
1 - Governance & culture
2 - Strategy & objective-setting
3 - Performance
4 - Review & revision
5 - Information, communication, & reporting
What are the 4 main objectives of COSO ERM Model?
ORCS
1 - STRATEGIC - high-level goals that align with and support the mission of entity
2 - OPERATIONS - effective and efficient use of entity’s resources
3 - REPORTING - reliable reporting
4 - COMPLIANCE - compliance with applicable laws and regulations
What are the limitations of the COSO ERM Model?
SIMILAR to that of the INHERENT LIMITATIONS of an INTERNAL CONTROL system
- human judgement and human error
- cost vs. benefits
- simple errors can lead to big mistakes
- circumvention of controls or processes due to collusion
- management override
What are the 5 Core Principles within the Governance & Culture Component in the COSO ERM Model? (G in GRIPS)
1 - EXERCISES BOARD RISK OVERSIGHT - of strategy and carries out governance responsibilities to support management in achieving strategy and business objectives
2 - ESTABLISHES OPERATING PROCEDURES - establishes operating structures in pursuit of strategy and business objectives
3 - DEFINES DESIRED CULTURE - defines the desired behaviors that characterize entity’s desired culture
4 - DEMONSTRATES COMMITMENT TO CORE VALUES - at all levels demonstrates a commitment to core values
5 - ATTRACTS, DEVELOPS and RETAINS CAPABLE INDIVIDUALS - committed to building human capital in alignment with strategy and business objectives
What are the 4 Core Principles within the Strategy & Objective-Setting Component in the COSO ERM Model? (S in GRIPS)
1 - ANALYZES BUSINESS CONTEXT - considers potential effects of business context on risk profile
2 - DEFINES RISK APPETITE - in the context of creating, preserving, and realizing value
3 - EVALUATES ALTERNATIVE STRATEGIES - and potential impact on risk profile
4 - FORMULATES BUSINESS OBJECTIVES - considers risk while establishing business objectives at various levels that align and support strategy
What are the 5 Core Principles within the Performance Component in the COSO ERM Model? (P in GRIPS)
1 - IDENTIFIES RISK - that impacts performance of strategy and business objectives
2 - ASSESSES SEVERITY OF RISK
3 - PRIORITIZES RISKS - for a basis for selecting responses to risk
4 - IMPLEMENTS RISK RESPONSES - identifies and selects
5 - DEVELOPS PORTFOLIO VIEW - develops and evaluates portfolio view of risk
What are the 3 Core Principles within the Review & Revision Component in the COSO ERM Model? (R in GRIPS)
1 - ASSESSES SUBSTANTIAL CHANGES - that may substantially affect strategy and business objectives
2 - REVIEWS RISK and PERFORMANCE
3 - PURSUES IMPROVEMENT IN ENTERPRISE RISK MANAGEMENT
What are the 3 Core Principles within the Information, Communication, and Reporting Component in the COSO ERM Model? (I in GRIPS)
1 - LEVERAGES INFORMATION SYSTEMS and TECHNOLOGY
2 - COMMUNICATES RISK INFORMATION - through channels to support
3 - REPORTS ON RISK, CULTURE and PERFORMANCE - at multiple levels and across the entity
What is Expected Value for ERM (Enterprise Risk Management)?
Calculates the likelihood of losses and the amount of losses (most helpful metric)
What is COSO’s definition of Internal Control?
A PROCESS that is effected by all members of an organization and is designed to provide REASONABLE ASSURANCE regarding the achievement of OBJECTIVES related to OPERATIONS, REPORTING and COMPLIANCE
What are the 5 Components of Internal Control System?
CRIME
C - Control Activities (policies & procedures)
R - Risk Assessment
I - Information & Communication
M - Monitoring
E - Control Environment (tone at top)
What are the 3 main objectives of COSO?
ORC (similar to 4 main objectives of COSO ERM Model - ORCS)
1 - OPERATIONS objectives - pertaining to effectiveness and efficiency, including operational and financial performance goals, and safeguarding assets against loss
2 - REPORTING objectives - pertaining to internal control and external financial and non-financial reporting which may encompass reliability, timeliness, transparency, or other terms set by regulators, standards, or entity’s policies
3 - COMPLIANCE objectives - pertaining to adherence to laws and regulations applicable to entity
What are the 6 limitations of Internal Control identified by COSO?
Similar to limitations of COSO ERM Model (Similar to INHERENT LIMITATIONS of an INTERNAL CONTROL SYSTEM)
1 - human judgement can be faulty & subject to bias
2 - breakdowns & failures occur as long as humans are involved, even from simple errors
3 - management override
4 - management or other personnel can get around controls through collusion
5 - external events simply beyond management’s control
6 - objectives for controls must be suitable as a precondition to internal controls - unrealistic or improbable objectives can be set that internal controls can't fully address
What are the 3 Core Principles within the Control Activities (C) Component of the Internal Control System?
1 - SELECTS & DEVELOPS - RISK - ACCEPTABLE LEVELS - selects & develops control activities that contribute to mitigation of risks to the achievement of objectives to acceptable levels
2 - SELECTS & DEVELOPS - TECHNOLOGY - OBJECTIVES - selects & develops general control activities over technology to support the achievement of objectives
3 - DEPLOYS - POLICIES - deploys control activities through policies that establish what is expected and procedures that put policies into action
What are the 4 Core Principles within the Risk Assessment (R) Component of the Internal Control System?
1 - SPECIFIES OBJECTIVES - ID & ASSESSMENT - specifies objectives with sufficient clarity to enable identification and assessment of risk relating to objectives
2 - IDENTIFIES RISKS - OBJECTIVES - ANALYZES - identifies risks to the achievement of its objectives across entity and analyzes risks as a basis for determining how risks should be managed
3 - CONSIDERS POTENTIAL FOR FRAUD - considers potential for fraud in assessing risks to the achievement of objectives
4 - IDENTIFIES & ASSESSES CHANGES - identifies and assesses changes that could significantly impact system of internal control
What are the 3 Core Principles within the Information & Communication (I) Component of the Internal Control System?
1 - OBTAINS, GENERATES, USES - QUALITY INFO - obtains or generates and uses relevant, quality information to support the functioning of internal control
2 - COMMUNICATES WITH INTERNAL PARTIES - internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
3 - COMMUNICATES WITH EXTERNAL PARTIES - communicates with external parties regarding matters affecting functioning of internal control
What are the 2 Core Principles within the Monitoring (M) Component of the Internal Control System?
1 - SELECTS, DEVELOPS, PERFORMS EVALUATIONS - selects, develops, and performs ongoing and/or separate evaluations to ascertain whether components of internal control are present and functioning
2 - EVALUATES & COMMUNICATES DEFICIENCIES - evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
What are the 5 Core Principles within the Control Environment (E) Component of the Internal Control System?
1 - COMMITMENT - INTEGRITY & ETHICAL VALUES - demonstrates commitment to integrity and ethical values
2 - BOD - INDEPENDENCE - board of directors demonstrates independence from management and exercises oversight of development and performance of internal control
3 - ESTABLISHES STRUCTURES FOR PURSUIT OF OBJECTIVES - establishes structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives
4 - RETAIN COMPETENT INDIVIDUALS - demonstrates commitment to attract, develop, and retain competent individuals in alignment with objectives
5 - HOLDS INDIVIDUALS ACCOUNTABLE - holds individuals accountable for their internal control responsibilities in pursuit of objectives
What is SOX? Why was SOX passed?
Sarbanes-Oxley Act of 2002 - Implements regulations, many regarding responsibilities of corporate management and external auditors
Passed because of large financial scandals
What are some of the main corporate governance provisions of SOX?
- public companies required to have audit committees
- must be a financial expert on audit committee
- at least 3 members on audit committee
- each member on audit committee must be independent member of BOD
- officer certifications (CEO/CFO) on all 10Q and 10K reports
- rules regarding auditors (which kinds of non-audit services (NAS) they can provide; tax services can be provided if approved by the audit committee)
- PCAOB - created as result of SOX
What is considered a Financial Expert for the Audit Committee requirement?
- understanding of GAAP and financial statements
- experience in preparing or auditing financial statements
- experience with internal auditing controls
- understanding of audit committee functions
if the company does not have a ‘financial expert’, the reason must be disclosed