#127 – Risk Management Basics
Deborah Frazer, CPA CISA CISSP, Senior Director, Internal Audit, PalmSource, Inc.

Slide 1: #127 – Risk Management Basics
Deborah Frazer, CPA CISA CISSP, Senior Director, Internal Audit, PalmSource, Inc.

Slide 2: Overview
- Internal Control and Risk Management
- COSO and ERM – What, Who, Why
- Relevance to the Organization
- Risk Management Segments
- Risk Identification
- Prioritizing the Risks

Slide 3: What and Who is COSO?
COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is a private sector initiative established in 1985 by five financial professional associations:
  – The Institute of Internal Auditors
  – American Institute of Certified Public Accountants
  – American Accounting Association
  – Institute of Management Accountants
  – Financial Executives Institute

Slide 4: Why was COSO established?
COSO's goal is to improve the quality of financial reporting through a focus on corporate governance, ethical practices and internal control.
- Savings and Loan Crisis of the 1980s
- Report of the National Commission on Fraudulent Financial Reporting – October 1987

Slide 5: Internal Control – Integrated Framework
- The familiar cube
- Three objective categories
- Five components
- Entity and organizational units

Slide 6: Definition of Internal Control
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

Slide 7: Objective Categories
- Effectiveness and efficiency of operations
  – Performance and profitability goals
  – Safeguarding resources
- Reliability of financial reporting
  – Preparation of reliable published financial statements
- Compliance with applicable laws and regulations
  – To which the entity is subject

Slide 8: Five Interrelated Components
1. Control Environment
  – Sets the tone and influences control consciousness
  – Foundation for all other components
  – Provides discipline and structure
  – Factors include:
    » Integrity and ethical values; competence
    » Management's philosophy and operating style
    » Assignment of authority and responsibility
    » Organizational structure and development of staff
    » Attention and direction provided by the Board

Slide 9: Five Interrelated Components
2. Risk Assessment
  – Identification and analysis of relevant risks
  – Aids in the achievement of objectives
  – Forms a basis for managing the risks
  – Special risks associated with change:
    » Economic
    » Industry
    » Regulatory
    » Operating conditions

Slide 10: Five Interrelated Components
3. Control Activities
  – Policies and procedures that help ensure management objectives are carried out
  – Necessary actions are taken to address risk and achieve objectives
  – Occur at all levels and include:
    » Approvals
    » Authorizations
    » Verifications
    » Reconciliations
    » Security of assets
    » Segregation of duties

Slide 11: Five Interrelated Components
4. Information and Communication
  – Identification, capture and communication of information
  – Information systems
    » Internally generated data
    » External events
    » Reporting
  – Communication streams

Slide 12: Five Interrelated Components
5. Monitoring
  – Assesses the performance quality of a system of internal control over time
  – Ongoing monitoring activities
    » Regular management and supervisory activities
  – Separate evaluations
    » Scope and frequency depend on risk assessment and on the effectiveness of ongoing monitoring
  – Deficiencies should be reported upstream

Slide 13: Enterprise Risk Management
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Slide 14: Fundamental Concepts
- Process
  – A means to an end
  – Not an end in itself
- Effected by people
  – Not merely policies, surveys and forms
  – Involves people at every level of the organization
  – Applied in strategy setting

Slide 15: Fundamental Concepts
- Applied across the enterprise
  – Every level and unit
  – Entity-level portfolio view of risks
- Manages risks
  – Within the entity's risk appetite
  – Identifies events and their potential effect

Slide 16: Fundamental Concepts
- Provides reasonable assurance
  – To the Board
  – To management
  – To other stakeholders
- Focuses on achievement of objectives
  – Separate categories
  – Overlapping

Slide 17: ERM Integrated Framework
- Expands the original cube
- Four objective categories
- Eight components
- Entity and organizational units

Slide 18: Objective Categories
- Within the entity's control:
  – Reliability of financial reporting
  – Compliance with applicable laws and regulations
  Achievement depends on how well the entity's related activities are performed.
- Not always within the entity's control:
  – Strategic objectives
  – Operational objectives
  Reasonable assurance is based on timely notification.

Slide 19: Eight Interrelated Components
1. Internal Environment
  – Foundation for all other components
  – Influences:
    » Strategy and objectives
    » Risk identification and assessment
    » Design and function of control activities
    » Information and communication systems
    » Monitoring activities

Slide 20: Eight Interrelated Components
2. Objective Setting
  – Must exist before events can be identified
  – Must be aligned with and linked to strategy
  – Must be consistent with the entity's risk appetite
  – Four categories: Strategic, Operations, Reporting, Compliance

Slide 21: Eight Interrelated Components
3. Event Identification
  – External factors that affect event occurrence:
    » Economic and business
    » Natural environment
    » Political and social
    » Technological
  – Internal factors:
    » Reflect management's choices
    » Infrastructure, personnel, process, technology

Slide 22: Eight Interrelated Components
4. Risk Assessment
  – Considers how events might affect achievement of objectives
  – Two perspectives: likelihood and impact
  – Applied to inherent risk
    » Risk to the entity in the absence of any actions to alter likelihood or impact
  – Residual risk is the remainder after risk response activities

Slide 23: Eight Interrelated Components
5. Risk Response
  – Responses fall into four categories: Avoidance, Reduction, Sharing, Acceptance
  – Residual risk will always exist
    » Scarce resources
    » Inherent future uncertainty and limitations

Slide 24: Eight Interrelated Components
6. Control Activities
  – Policies and procedures that help ensure risk responses are properly executed
  – Increased focus on information systems
    » General controls: IT management, infrastructure, security, software acquisition, development and maintenance
    » Application controls: completeness, accuracy, authorization and validity of data capture and transaction processing

Slide 25: Eight Interrelated Components
7. Information and Communication
  – Information is needed at all levels of the organization
    » To identify, assess and respond to risks
    » To run the organization and meet objectives
  – The entity captures and uses historical and current data
    » Information is the basis for communication
    » Must meet the expectations of various groups
  – Enables the flow of risk-based information across:
    » Business units
    » Processes
    » Functional silos
    » Externally

Slide 26: Eight Interrelated Components
8. Monitoring
  – Assesses the performance quality of a system of internal control over time
    » Ongoing monitoring activities: regular management and supervisory activities
    » Separate evaluations: scope and frequency depend on risk assessment and on the effectiveness of ongoing monitoring
    » Deficiencies should be reported upstream, including to the Board
  – Additional focus on an appropriate level of documentation

Slide 27: Integrated Frameworks: Internal Control vs ERM
- ERM does not replace Internal Control
- Enables companies to expand on what they have already put in place
- ERM links:
  – Value
  – Risk strategy
  – Objective setting
  – Performance measurement
  – Risk response
  – Control processes

Slide 28: Determining and Prioritizing Risk Management Segments
- Combined view of business units and financial statement line items
- Apply ERM
  – Internal environment
  – Materiality
  – Events and identified risks
  – Risk assessment

Slide 29: Internal Environment
- Organizational structure
  – Functional units vs geographic units
  – Foreign and domestic
  – Financial processes at different locations
- Assignment of authority and responsibility
  – Centralized vs decentralized
- Human resources policies and practices

Slide 30: Materiality
- Impact
- Prioritization
- Scope
- Timing and nature of planned audits

Slide 31: Events and Identified Risks
- Company history
  – Private/public
  – Mergers and acquisitions
  – Organic growth
  – Legal issues
- Current state and beyond
  – Strategy and competition
  – Regulatory changes

Slide 32: Risk Assessment
- Initial risk assessment
  – High level
  – Gather information via inquiry and examination
  – Benchmarking
- Should be quick
  – Size of entities
  – Culture
- Risk appetite
- Agile vs slow

Slide 33: Using the ERM Framework
- Risk assessment
  – Apply the ERM components
  – Determine the risk drivers in each area
  – Use a weighted score to quantify
- Audit approach
  – Highest risk is given highest priority
  – Scope and nature of testing are based on risk

Slide 34: Risk Drivers – Internal Environment
- Risk management philosophy: value; communicated in words and actions
- Risk appetite: value; qualitative; quantitative; linked to strategy
- Risk culture: independent; active; involved
- Board of Directors: independent; active; involved
- Integrity and ethical values: standards of behavior; prerequisite; CEO example; incentives

Slide 35: Risk Drivers – Internal Environment
- Human resource policies and practices: qualified; training; compensation; incentives and discipline
- Differences in environment: management preferences; value judgments; management styles
- Management philosophy and operating style: formal vs informal; conservative vs aggressive; aligned
- Organizational structure: reporting lines; centralized/decentralized; matrix/function/geography
- Assignment of authority and responsibility: empowerment; accountability

Slide 36: Risk Drivers – Objective Setting
- Strategic objectives: high-level goals; support mission/vision; strategic choices
- Related objectives: operations; reporting; compliance; safeguarding of assets
- Selected objectives: align and support; management decision
- Risk appetite: growth, risk and return; resource allocation; people, process and infrastructure
- Risk tolerance: acceptable variance; unit of measure of the objective

Slide 37: Risk Drivers – Event Identification
- Events: incident; positive and/or negative impacts
- Factors influencing strategy and objectives: internal; external
- Methodology and techniques: ongoing; periodic; past and future; supporting
- Event interdependencies: triggering events; interrelate
- Event categories: common groupings
- Risks and opportunities: negative impact is a risk; positive impact is an opportunity and offsets risks

Slide 38: Risk Drivers – Risk Assessment
- Inherent and residual risk: before management actions; after management actions; expected and unexpected
- Likelihood and impact: expected, worst-case, distribution; time horizons; unit of measure; observable data
- Qualitative and quantitative methodologies and techniques: qualitative; quantitative; inherent and residual basis
- Correlation: sequence of events; categories; stress testing; scenarios

Slide 39: Risk Drivers – Risk Response
- Identify risk responses: avoid; reduce; share; accept
- Evaluate possible risk responses: impact; likelihood; cost versus benefit; innovative responses
- Select response: management decision
- Portfolio view: entity level; business unit level; inherent and residual basis
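As an added example that is not part of the presentation, the small risk register below puts slides 22, 33 and 39 together in code: it scores each risk as likelihood times impact, applies one of the four responses to obtain residual risk, weights driver ratings across the eight ERM components into the "weighted score" of slide 33, and ranks the result for audit priority against a risk appetite. The 1..5 scales, component weights, response multipliers and the sample register are constructed assumptions, not values from COSO or the speaker.

```python
from dataclasses import dataclass
# Eight ERM components (slides 19-26) as scoring areas; the weights are assumed.
COMPONENT_WEIGHTS = {
    "internal_environment": 2.0, "objective_setting": 1.0,
    "event_identification": 1.5, "risk_assessment": 1.5, "risk_response": 1.0,
    "control_activities": 2.0, "information_communication": 1.0, "monitoring": 1.0,
}
# Assumed (likelihood, impact) multipliers for the four responses (slide 23):
# avoid removes the likelihood, share transfers most impact, accept changes nothing.
RESPONSE_EFFECT = {"avoid": (0.0, 1.0), "reduce": (0.5, 0.7),
                   "share": (1.0, 0.4), "accept": (1.0, 1.0)}
@dataclass
class Risk:
    name: str
    segment: str     # business unit or financial statement line item (slide 28)
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (material)
    response: str    # avoid | reduce | share | accept
    drivers: dict    # component -> 1..5 rating of its risk drivers

def inherent_score(r: Risk) -> float:
    """Risk before any management action: likelihood x impact (slide 22)."""
    return float(r.likelihood * r.impact)

def residual_score(r: Risk) -> float:
    """Risk remaining once the chosen response has been applied."""
    lf, imf = RESPONSE_EFFECT[r.response]
    return r.likelihood * lf * r.impact * imf

def driver_score(r: Risk) -> float:
    """Weighted mean (1..5) of driver ratings; an unrated component counts as 3."""
    total = sum(COMPONENT_WEIGHTS.values())
    return sum(w * r.drivers.get(c, 3) for c, w in COMPONENT_WEIGHTS.items()) / total

def prioritize(risks, appetite: float):
    """Rank by residual x driver score (highest first); flag residual above appetite."""
    ranked = [(r.name, round(residual_score(r) * driver_score(r), 2),
               residual_score(r) > appetite) for r in risks]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

# Constructed sample risk register for a fictional entity.
SAMPLE_RISKS = [
    Risk("Foreign-sub revenue recognition", "Revenue", 4, 5, "reduce",
         {"internal_environment": 4, "control_activities": 4, "monitoring": 2}),
    Risk("Data center physical security", "IT general controls", 2, 4, "share",
         {"internal_environment": 2, "control_activities": 2}),
    Risk("Legacy product line exit", "Operations", 3, 3, "avoid", {}),
    Risk("Stock option expense estimate", "Compensation", 3, 5, "accept",
         {"risk_assessment": 5, "monitoring": 4}),
]
```

Calling `prioritize(SAMPLE_RISKS, appetite=6)` returns the accepted and the reduced risks at the top, both flagged as still above appetite, which is the audit-priority view slide 33 describes.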

Slide 40: Risk Drivers – Control Activities
- Integration with risk responses: built directly into management processes; interrelate
- Types of control activities: policies; procedures; preventative; detective; manual; automatic
- Entity-specific: entity-specific strategies and objectives; operating environment; complexity of the entity
- General controls: IT management; IT infrastructure; security management; software development and maintenance
- Application controls: completeness; accuracy; authorization; validity

Slide 41: Risk Drivers – Information and Communication
- Information: internal; external; manual; computerized; formal; informal; information systems architecture
- Strategic and integrated systems: strategic; operational; past and current; level of detail; timeliness; quality
- Communication: internal; external; entity-wide; expectations and responsibilities; framing; means of transmission

Slide 42: Risk Drivers – Monitoring
- Ongoing: real-time; built-in; day-to-day operations
- Separate evaluations: scope; frequency; self-assessments/internal auditors; extent of documentation
- Reporting deficiencies: ongoing; external parties; protocols; alternative channels

Slide 43: Open Discussion and Examples

Slide 44: Questions?

Slide 45: For More Information
Deborah Frazer, CPA, CISA, CISSP
Senior Director, Internal Audit, PalmSource, Inc.
deborah.frazer@Palmsource.com

Slide 46: Thank you!

