High-level guidance for implementing enterprise risk management in any organization
A Practical Guide to Risk Management shows organizations how to implement an effective ERM solution, starting with senior management and risk and compliance professionals working together to categorize and assess risks throughout the enterprise. Detailed guidance is provided on the key risk categories, including financial, operational, reputational, and strategic areas, along with practical tips on how to handle risks that overlap across categories.
Walking readers through the creation of ERM architecture and setting up ongoing monitoring and assessment processes, this is an essential book for every CFO, controller and IT manager.
Page count: 241
Year of publication: 2011
Contents
Cover
Endorsement
Title Page
Copyright
Dedication
Preface
CHAPTER ONE: Overview of Enterprise Risk Management
ERM INTRODUCTION
GUIDANCE: HISTORY AND RELATIONSHIP
ORGANIZATION VIEW
ERM TODAY
INCREASED PRESSURE TO MANAGE RISK
ADDITIONAL EVIDENCE
PERCEIVED BARRIERS TO RISK MANAGEMENT
BUILDING THE BUSINESS CASE FOR ERM: VALUE AND BENEFITS
KEYS TO SUCCESS
SUMMARY
NOTES
CHAPTER TWO: Corporate Governance and Roles and Responsibilities
BOARD BEHAVIOR
CORPORATE CULTURE
ROLES AND RESPONSIBILITIES
SUMMARY
CHAPTER THREE: ERM Defined
DEFINITIONS AND CONCEPTS
RISK CATEGORIES
INTERNAL ENVIRONMENT
SUMMARY
NOTE
CHAPTER FOUR: The ERM Process: Step by Step
STEP 1: STRATEGY AND OBJECTIVE DEFINITION
STEP 2: EVENT IDENTIFICATION
STEP 3: RISK ASSESSMENT
STEP 4: RISK RESPONSE
STEP 5: COMMUNICATION
STEP 6: MONITORING
OVERSIGHT
SUMMARY
NOTES
CHAPTER FIVE: COSO Framework and Financial Controls
FOCUS ON FINANCIAL CONTROLS
CONTROL ENVIRONMENT
INTEGRITY AND ETHICAL VALUES
BOARD OF DIRECTORS
MANAGEMENT'S PHILOSOPHY AND OPERATING STYLE
ORGANIZATIONAL STRUCTURE
FINANCIAL REPORTING COMPETENCIES
AUTHORITY AND RESPONSIBILITY
HUMAN RESOURCES
SUMMARY
NOTES
APPENDIX FIVE A: Excerpt from a Code of Ethics Policy
OUR GUIDING PRINCIPLES AND VALUES
CONFLICTS OF INTEREST
CONFIDENTIAL INFORMATION; INTELLECTUAL PROPERTY
APPENDIX FIVE B: Whistleblower Program
REPORTS REGARDING ACCOUNTING MATTERS
INVESTIGATION OF SUSPECTED VIOLATIONS
DISCIPLINE FOR VIOLATIONS
APPENDIX FIVE C: Approval Policy and Procedures
POLICY
PURPOSE
SCOPE
APPROVALS/DOCUMENTATION
CHAPTER SIX: Financial Controls and Risk Assessment
RISK ASSESSMENT
FINANCIAL REPORTING OBJECTIVES
FINANCIAL REPORTING RISKS
FRAUD RISK
ENTITY-LEVEL CONTROLS
EXAMPLE: RISK ASSESSMENT AND FINANCIAL CONTROLS
EVALUATING DEFICIENCIES
SUMMARY
NOTES
APPENDIX SIX A: Entity-Level Control Assessment
CONTROL ASSESSMENT OVERVIEW
CONTROL ENVIRONMENT
OVERALL EVALUATION OF CONTROL ENVIRONMENT
RISK ASSESSMENT
OVERALL EVALUATION OF RISK ASSESSMENT
CONTROL ACTIVITIES
OVERALL EVALUATION OF CONTROL ACTIVITIES
INFORMATION AND COMMUNICATION
OVERALL EVALUATION OF INFORMATION AND COMMUNICATION
MONITORING
OVERALL EVALUATION OF MONITORING
SUMMARY ASSESSMENT
OVERALL ASSESSMENT OF INTERNAL CONTROLS
APPENDIX SIX B: Accounts Payable: Preliminary Controls Assessment Questionnaire
PURCHASING CONTROLS QUESTIONNAIRE
INTERNAL CONTROL ASSESSMENT
APPENDIX SIX C: Fraud Risk Factors: AU Section 316
RISK FACTORS RELATING TO MISSTATEMENTS ARISING FROM FRAUDULENT FINANCIAL REPORTING
CHAPTER SEVEN: Ongoing Compliance Overview
ORIGIN OF THE SARBANES-OXLEY ACT
GENERATING VALUE FROM COMPLIANCE
MOVING BEYOND INITIAL COMPLIANCE
REEVALUATING THE COMPLIANCE PROGRAM
SUMMARY
CHAPTER EIGHT: Ongoing Compliance Challenges
FUTURE STATE OPPORTUNITY: COMPLIANCE OPTIMIZATION
ISSUES TO CONSIDER WHEN OPTIMIZING COMPLIANCE
ONGOING COMPLIANCE PLAN
ROLE OF INTERNAL AUDIT: BALANCING THE COMPLIANCE AND AUDIT FUNCTIONS
EVOLVING ROLE OF THE AUDIT COMMITTEE
SUMMARY
CHAPTER NINE: Addressing Compliance and Risk Management Challenges through Automation
SOFTWARE CAN ADD VALUE BEYOND COMPLIANCE
MONITORING SOFTWARE
UTILIZATION OF CONTINUOUS MONITORING: CONTROL TESTING AND CONTROL AUTOMATION
BENEFITS OF CONTINUOUS MONITORING
CONTINUOUS MONITORING TOOL CONSIDERATIONS
CONTINUOUS MONITORING PROCESS
RISK MANAGEMENT SOFTWARE
UNIFYING FINANCIAL STATEMENTS, CLOSE TASKS, AND SOX CONTROLS
DETERMINING THE RIGHT SOLUTION
SUMMARY
NOTE
CHAPTER TEN: Ongoing Compliance and IFRS
INTERNATIONAL FINANCIAL REPORTING STANDARDS
COMMUNICATING THE IMPACT
PREPARING FOR IFRS
COMPREHENSIVE IFRS TRANSITION APPROACH
KEY ELEMENTS OF AN EFFECTIVE IFRS IMPLEMENTATION
SUMMARY
About the Author
Index
FOUNDED IN 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.
The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management.
Copyright © 2012 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data
Marchetti, Anne M.
Enterprise risk management best practices : from assessment to ongoing compliance / Anne M. Marchetti.
p. cm. (Wiley corporate F&A)
Includes index.
ISBN 978-0-470-91740-4 (hardback); ISBN 978-1-118-14951-5 (ebk); ISBN 978-1-118-14952-2 (ebk); ISBN 978-1-118-14953-9 (ebk)
1. Risk management. I. Title.
HD61.M2669 2012
658.15′5—dc23
2011023737
To my parents, Jim and Barbara Marchetti, to whom I owe all my love and gratitude.
Preface
MANY ORGANIZATIONS STRUGGLE with the development and implementation of an enterprise risk management (ERM) program. Most are overwhelmed by the task. They believe they do not possess the expertise, resources, time, and/or dollars required to design and build an effective risk management program. In addition, there is minimal perceived value in this activity.
My objective for this book is to demystify ERM and the risk management process in order to eliminate implementation apprehension. The goal is to simplify the explanation of related concepts and provide guidance that demonstrates a practical, cost-effective process that can be utilized by any organization.
The material addresses the development of programs in two major areas: ERM and ongoing compliance. Chapters 1 through 3 provide an introduction and overview of ERM including important components of the process as well as a corporate governance/organizational framework and definitions of roles and responsibilities.
Chapter 4 provides a detailed description of the ERM process and includes suggestions regarding implementation. Chapters 5 and 6 present an in-depth review of financial controls, including an example of the application of the risk assessment process relative to this risk category.
Chapters 7 through 10 address ongoing compliance challenges and provide insight into cost minimization and control optimization including the effective use of technology as well as future International Financial Reporting Standards considerations and implications.
It is my hope that this consolidation of information will be a useful guide through the risk management process. In addition, it is my intention to provide explanations and the basis for a solid understanding of critical components of an effective ERM program that will assist with strategy execution and achievement of overall entity objectives.
CHAPTER ONE
Overview of Enterprise Risk Management
ERM INTRODUCTION
Enterprise risk management (ERM) includes the methods and processes used by organizations to minimize surprises and seize opportunities related to the achievement of their objectives.
ERM is an approach to aligning strategy, process, and knowledge in order to curtail surprises and losses as well as to capitalize on business opportunities. Many individuals associate risk with negative outcomes. However, there is a potential value component to risk assessment and management. Risk management is about balancing risk and reward. A well-designed risk management program encourages and allows an organization to take intelligent risks. It involves assessing quantitative factors and information as well as considering management experience and judgment. An effective risk management program entails balancing people and processes. Ultimately, an entity’s risk profile is affected by the actions and decisions of its board of directors, management, and employees.
Continue reading in the full edition!
