Table of Contents
Title Page
Copyright Page
About the Contributors
Acknowledgements
Preface
SECTION I - Organizational Risk Management
Organizational Risk Management
The Risk Assessment Process
Risk Management at the Board Level
The Importance of Proper Risk Management
Preview of Section I
Notes
CHAPTER 1 - An Introduction to Risk
Definition of Risk
The Risk Management Strategy
The Scope of a Risk Management Engagement
Influences in Risk Assessments
Summary
CHAPTER 2 - Key Tenets of Enterprise Risk Management
Organizational Culture and Risk Management
Emphasizing Accountability
Planning for Black Swans
Benefits of a Risk Management-Focused Culture
Issues in Managing Risk
Summary
Notes
CHAPTER 3 - Mitigating Operational Risks Through Strategic Thinking
Strategic Behavior
An Analogy to Sports
Risk Mitigation Through Strategic Behavioral Analysis
Competitive Analysis
Scorecard for Competitive Analysis of Future Market Players
Scorecard for Analysis of Current Market Players
Benefits of Unpredictability
Quantification of Strategic Risks
Estimation Procedures
Summary
Notes
CHAPTER 4 - Mitigating Risks in Internal Investigations and Insurance Coverage
Scenario
Courses of Action
Assess the Risks
Develop a Plan
Carry Out the Investigation and Analyze the Results
Develop a Plan to Correct Deficiencies and Remediate Harm
Conclusion
SECTION II - Quantitative Risk Management
Why Is a Quantitative Approach Important?
Summary
CHAPTER 5 - Recognized Control Frameworks
Control Frameworks and Professional Standards
Managing Risk and Internal Control
Holistic Risk Assessments and ERM
Organizational Risks
The COSO-ERM Framework
Summary
Notes
CHAPTER 6 - Other Control Frameworks
Professional Standards for CPAs
Other Control Principles and Frameworks
Insurance Model Audit Law
Summary
Notes
CHAPTER 7 - Qualitative Control Concepts
What Is Control?
What Can Go Wrong: Causes of Exposures
Effects of Computers and Automation on Problems
The System of Internal Control
Control Assessment
Understand the System
List the Potential Problems
Estimate the Inherent Risk of Each Problem
Segregate Controls and Fundamental Activities
Classify the Controls
Functions of Controls
Assess the Effectiveness of Controls
Assess the Adequacy of Control Over Each Problem
Appraise Adverse Resulting Consequences
The Control Evaluation Matrix
How Much Control Is Enough or Too Much?
Summary
Notes
CHAPTER 8 - Quantitative Control Relationships
Moving from Qualitative to Quantitative
Systems Control Functions
Preliminary Risk and Potential Incidents
Anyone Can Build A Model ...
Precision of Results
Sensitivity of Results
Summary
Note
CHAPTER 9 - Excel Applications
The Environment
Applications of Excel Worksheets
What Can Go Wrong with Excel Applications?
Excel Controls
An Excel Model
Summary
Note
CHAPTER 10 - Interdependent Systems
Interdependencies
Hierarchy of Systems
Summary
CHAPTER 11 - Documentation
Documentation Objectives
Elements of Control Documentation
Common Documentation Formats
Documentation Tools
Summary
Notes
CHAPTER 12 - The Process for Assessing Internal Control
How Does This Fit into COSO?
System Assessment Steps
Summary
Note
CHAPTER 13 - Monitoring Internal Controls
COSO Monitoring Guidance
The Control Environment
Potential Monitoring Problems
Controls Over Controls to Assure Effective Monitoring
Assessing the Monitoring Function Under COSO
Summary
Note
CHAPTER 14 - Accounting Policies and Procedures
The Accounting Environment
Conversion from GAAP to IFRS
What Can Go Wrong with Accounting Policies and Procedures?
Reliance on Application Systems
Controls Over Accounting Policy Selection and Application
Notes
CHAPTER 15 - Business Process Applications
Application Components, Structure, and Architecture
What Can Go Wrong with Applications?
Typical Application Controls
An Application Assessment Model
Summary
CHAPTER 16 - General and Infrastructure Systems
The Environment
CobiT for Control of IT
What Can Go Wrong with General Systems?
Controls over General Systems
Infrastructure Model
Summary
CHAPTER 17 - Trusted System Providers
The Environment
How Much to Trust Trusted Systems?
Provider Problems
Internal Controls Over Trusted Systems
A Trusted Provider Assessment Model
Summary
CHAPTER 18 - Reporting on Internal Control
The Environment
Results of Modeling
Perception of Risk
Summary
Notes
CHAPTER 19 - Review and Acceptance of Assessments
Summary Description of the Assessment Model
Basic Modeling Concept
Questions for an Assessment Review
Summary
Glossary
Appendix - Internal Control Sections of the Sarbanes-Oxley Act
Index
Copyright © 2009 by John Wiley & Sons, Inc.
Copyright to the formulas and related algorithms © 2009 William C. Mair. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Fair Use of This Intellectual Property
The modeling formulae and related algorithms presented in this book are the intellectual property of William C. Mair, and all Copyrights are reserved, including derivative works, except as granted below. William C. Mair hereby grants fair use to Qualifying Purchasers of this book to utilize these formulae and related algorithms in their assessments of internal control and risks within the organization that purchased the book. “Qualifying Purchaser” is defined broadly to include corporations, their consolidated subsidiaries, limited liability companies, partnerships, proprietorships, governmental entities, and universities, but does not include independent public accountants, consultants, or professional firms for their use on clients. Any other distribution of the modeling formulae and related algorithms, or any derivative work incorporating these formula or related algorithms, is absolutely prohibited unless agreed to in writing by the intellectual property owner in accordance with copyright laws and treaties.
The modeling formulae and related algorithms are provided in “open” format with the intention that users must modify and adapt them for their applicable use. Any use or derivation of these modeling formulae and related algorithms are without warranty of fitness for use and are provided “as is” to users. The user is solely and entirely responsible for the validation and reliability of any model he or she develops. Notwithstanding the title of this book, none of the original materials in this book have been reviewed or endorsed by the Committee of Sponsoring Organizations of the Treadway Commission (a.k.a. COSO), and the authors do not intend that anyone should presume that this text has any official standing in the eyes of the SEC, PCAOB, AICPA, or COSO.
For support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Cendrowski, Harry.
Enterprise risk management and COSO : a guide for directors, executives, and practitioners / Harry Cendrowski, William C. Mair. p. cm.
Includes bibliographical references and index.
eISBN : 978-0-470-55381-7
1. Risk management. 2. Corporate governance. I. Mair, William C. II. Title.
HD61.C443 2010
658.15 5—dc22
2009020135
About the Contributors
Harry Cendrowski, CPA, ABV, CFF, CFE, CVA, CFD, CFFA, is a founding member of Cendrowski Corporate Advisors, Cendrowski Selecky PC, and The Prosperitas Group. Harry has served as an expert witness in numerous economic damages analyses, contract disputes, lost profit analyses, business valuations, and partnership disputes. He has served as court-appointed receiver in several multimillion-dollar estates, and as the accountant to the trustee in high-profile bankruptcy cases.
Harry is the co-author of The Handbook of Fraud Deterrence and Private Equity: History, Governance, and Operations, published by John Wiley & Sons, Inc., and has authored articles in several professional publications. These publications include a chapter in Computer Fraud Casebook: The Bytes that Bite, a textbook centered on fraud examination.
Along with Jim Martin of CCA, Harry is a co-author of the Certified Fraud Deterrence Analyst (CFD) training materials for the International Association of Consultants, Valuators and Analysts (IACVA). He serves as IACVA’s Director of Fraud and Forensic Services. He is also a co-author of the training materials used by the National Association of Certified Valuation Analysts (NACVA) in certifying Certified Forensic Financial Analysts (CFFA).
William C. (Bill) Mair is a director with Cendrowski Corporate Advisors. Bill is the originator of some of the key concepts applied in the structure of the early risk management and control assessment materials. A mathematician and accountant by education, during various phases of his career Bill’s roles have included being a military commander, EDP auditor, educator, author, technology consultant, CPA firm partner, professional standards consultant, expert witness, bank internal audit director, insurance company financial executive, corporate director, public investment company trustee, webmaster, and a number of other functions.
The Information Systems Audit and Control Association voted Bill the fourth most influential person among the pioneers of information systems auditing in a study published by The EDP Auditor Journal, while his 1972 book, Computer Control & Audit, was voted the second most influential book. Bill is the creator of many systems control concepts and audit techniques now so established as to be viewed as “traditional.”
In recent years, Bill has focused on bridging quantitative risk analysis with effective communication to the board level.
Adam A. Wadecki is a manager with Cendrowski Corporate Advisors. Adam specializes in operational analyses, business valuations, and quantitative risk management modeling. He has academic and professional experience in lean manufacturing tenets and the Six Sigma methodology. Adam has helped numerous Fortune 500 companies assess, improve, and monitor the operations of their production facilities. Additionally, in conjunction with the CCA team, he has provided business valuations of publicly traded and private firms that have served as the basis of legal cases, and assisted private equity general partners with their financial due diligence.
Adam is also active in academia. He has authored articles on supply chain management, operational assessments, quantitative risk management, and fraud deterrence, in addition to co-authoring Private Equity: History, Governance, and Operations. He has served as a graduate student instructor at the University of Michigan for courses in venture capital finance, private equity, business valuation, and process assessment and improvement.
Adam holds a Master’s degree in Operations Research, and graduated magna cum laude with Bachelor’s of Science degrees in Mechanical and Industrial and Operations Engineering, all from the University of Michigan.
Carolyn H. Rosenberg, Esq. is a partner in Reed Smith LLP’s Chicago office. She is a member of the firm’s Executive Committee as well as the firm’s Audit Committee, and heads the firm’s Talent Committee. She frequently advises corporations, directors and officers, risk managers, insurance brokers, lawyers, and other professionals on insurance coverage, corporate indemnification, and litigation matters nationwide and internationally. Carolyn also assists clients in evaluating insurance coverage and other protections when negotiating transactions and represents them in resolving coverage disputes.
Carolyn was selected by Corporate Board Member magazine as one of the country’s 12 Legal Superstars and the top D&O liability insurance lawyer in August 2001 and she was confirmed as the nation’s top D&O liability insurance lawyer by Corporate Board Member magazine in a feature on superstar corporate attorneys in July 2004. In addition, Carolyn has been recognized as one of the top lawyers in her field by Chambers USA 2008-2009: America’s Leading Lawyers for Business.
Efrem M. Grail, Esq. defends entities and individuals in “white-collar” criminal investigations, prosecutions, and administrative enforcement actions involving allegations of securities, health-care, and business fraud; government contracting, false claims, foreign corrupt practices, and domestic political corruption; and tax and environmental violations. Efrem also litigates complex business disputes, handles injunctions and civil trials in federal and state court, and advises on compliance matters.
A former prosecutor, Efrem has represented clients in confidential matters before federal grand juries and in criminal prosecutions nationwide. He has also represented clients before numerous federal government agencies in administrative enforcement actions.
The Allegheny County Bar Association’s Public Service Committee and the Allegheny County Bar Foundation’s Pro Bono Center selected Efrem to receive their 2007 Pro Bono Award for Outstanding Individual Attorney and their 2005 Law Firm Pro Bono Award as director of Reed Smith’s Pittsburgh pro bono effort. In 2008 and 2009, Efrem was selected for inclusion in The Best Lawyers in America in the area of White Collar Criminal Defense. In addition, Efrem has been named a “Pennsylvania Super Lawyer” in the area of White Collar Criminal Defense in 2005, 2006, and 2009.
Acknowledgments
We are sincerely grateful to several individuals for their unique contributions to this book. Adam Wadecki was instrumental in helping us develop ideas throughout the manuscript authoring process. He also assisted us in editing and authoring the manuscript. Adam’s contributions helped shape the book that now rests in your hands.
We would also like to acknowledge Carolyn Rosenberg, Esq. and Efrem Grail, Esq. of Reed Smith LLP for contributing a chapter to this book. Their insight into how boards and Chief Risk Officers can quickly identify and contain risks is invaluable to directors whose firms participate in our ever-changing, global environment.
Preface
Recent financial crises have proven that risk management practices are essential for organizations large and small. Publicly traded companies, privately-held firms, and nonprofit organizations were all wounded by the events of 2008 and 2009. Scars from these largely unanticipated or “black swan” events continue to manifest themselves in the growing national unemployment rates, low levels of consumer confidence, and the contracting U.S. gross domestic product (GDP). However traumatic these events have been for our economy, they also provide business leaders and risk practitioners with insights into how we can heal these wounds and prevent them from recurring in the future.
We believe the process of risk management fits within the broader context of organizational management. Risk itself is a driving force in strategic, operational, reporting, and governance decisions. It is a critical cog in the organizational machine—one that can operate with little fanfare, or one that can cause a critical failure. In today’s highly competitive world, it is imperative that board members, executives, managers, and employees are involved in the risk management process. The knowledge possessed by each of these individuals allows unique perspectives to be married into a single assessment designed for safeguarding the organization against the many forms of risk.
Until recently, risk management was not generally seen as a component central to the operation of many firms. While detailed risk management activities took place in areas of many organizations, holistic risk management has only recently come into vogue. Many professional organizations such as the National Association for Corporate Directors (NACD) are pushing for significant changes in the way board members and executives evaluate risks. These changes are being made largely in response to recent crises that began in the financial services sector. Indeed, the banking sector is also advocating change in risk management policies with the recent finalization of the Basel Committee’s second capital accord (Basel II). While the document was not finalized until 2006, the initial capital accord touched off a discussion on the importance of risk management that began nearly 10 years ago. It is our hope that this text continues this discussion of risk management, highlighting its importance to directors and executives while also providing insightful information for practitioners.
This book is organized in two sections. In accordance with the aforementioned emphasis on risk management at high levels of the organization, we have grouped material relevant to directors and executives in our first section, “Organizational Risk Management.” The second section, entitled “Quantitative Risk Management,” is written for risk management practitioners. We have authored both sections as stand-alone units: readers can elect to focus on either section, or read the book in its entirety.
The first section examines risk management at a macro level. In this section, we emphasize risk management practices most important to board members, C-suite executives (e.g., CEOs and CFOs), and high-level managers. We focus on risk management from a top-down perspective, emphasizing the manner in which executives and directors can cultivate the culture necessary for an organization to possess effective risk management policies. Many pages are spent discussing how these individuals can set an appropriate “tone at the top” that will foster a culture of risk awareness. We have purposefully emphasized understandability over mathematical modeling within this section, given our potential audience members’ diverse backgrounds.
The second section details a quantitative framework for analysis that can be used by risk practitioners who perform risk assessments of enterprises, divisions, systems, and processes. This section presents mathematical formulations as well as example assessments of various systems for the practitioner. While the models in this section are mathematical in nature, our goal has been to emphasize practicality over mathematical rigor. The tools illustrated in this section can be employed by practitioners looking for a framework that demonstrates how enterprise risk management policies, similar to those presented in the Committee of Sponsoring Organizations’ (COSO) Enterprise Risk Management framework, may be implemented.
Our hope is that this book provides a comprehensive resource not only for those in corporate America, but also for individuals in the public sector; risk management practices for governmental organizations are inarguably equal in importance to such practices in private industry.
Many governmental agencies are receiving funds through the American Recovery and Reinvestment Act of 2009 (ARRA). The Obama Administration has made transparency and accountability a primary goal of ARRA in hopes of mitigating risks associated with waste, fraud, and abuse. Decreasing the chance such risks occur will require considerable planning and oversight by administrators, from program inception through conclusion. We believe the quantitative models and framework for analysis contained within this book can help administrators of governmental bodies ensure program goals are achieved, and greater economic impact is realized.
Our risk management framework can also help directors and executives of private companies receiving stimulus funds to mitigate risks. Many private infrastructure companies are receiving major infusions of stimulus dollars for new, capital-intensive projects. Our quantitative models can also assist these firms with mitigating risks associated with cost and time-related overruns that sometimes plague such projects.
Finally, we wish to note that this book is not a comprehensive treatise on risk management techniques or models. Complicated probability models and distributions are not our central focus in this text. Rather, we endeavor to introduce models and risk assessment procedures to the reader that are easily understood and practical in nature. Our goal throughout the authoring process has been to present the reader with a text that is thought provoking, accessible and understandable.
We sincerely hope this book is able to assist the reader in assessing risks irrespective of his or her position or employing organization. We also hope that it will encourage readers to further their knowledge in this essential twenty-first-century discipline.
Harry Cendrowski
William C. Mair
Chicago, IL
September 2009
SECTION I
Organizational Risk Management
Risk management is a necessary part of our lives. Risk is present in any situation in which decisions must be made under uncertainty with imperfect information. Our minds constantly assess risks as we drive our cars and even pay our bills. In each of these instances, the mind enumerates the risks associated with the activity, quantifies the risk, and then compels us to make a decision based on this assessment.
When operating a vehicle, we are never sure that surrounding drivers will operate their cars in a rational manner. However, we enter such a situation with an a priori belief that other drivers are indeed rational. After all, they must pass a test to obtain a driver’s license. When we’re driving down the road, our minds are continually evaluating and updating this a priori belief with respect to every car that is within a personal “envelope of concern.”
Driving at a steady speed on the highway, we are not very concerned with the actions of those far behind us. While we can see other cars in the rearview mirror, the likelihood that such a driver’s actions impact our own decisions is low. If a far-behind driver loses control, it does not impact us, although it could impact a group of drivers behind us. However, we are very concerned with the actions of those in front of us—most particularly, those immediately ahead of our own vehicle—and those to our side. If these individuals make an error in judgment, the consequences to us could be severe. Our envelope of concern is thus concentrated to the front and sides of our vehicle rather than behind it.
With this simple example we have introduced two central notions of risk assessment: probability and magnitude. The probability that a random driver loses control is identical no matter where this driver is located with respect to us. However, the magnitude of the risk differs based on the location of the driver. Our minds evaluate both magnitude and probability when we are assessing risks. This assessment is then used to make decisions based on information we perceive. Whether or not we are conscious of it, our minds quantify these risks, and we make decisions based on this quantification.