The Risk Intelligent Enterprise


The Risk Intelligent Enterprise. Accounting Information Systems: The Crossroads of Accounting & IT, Chapter 12, The Risk Intelligent Enterprise (Enterprise Risk Management). © Copyright 2012 Pearson Education. All Rights Reserved.

When You Need Advice About Enterprise Risk Management, Whom Do You Call? Meet the CFO. CFOs are not only overseeing IT functions more often, they are also increasingly overseeing enterprise risk management. ERM may be housed in legal, in a separate risk management department, or in the finance function headed by the CFO.

83% of chief financial officers advise on risk mitigation. Given the high percentage of CFOs who are asked for advice about ERM, it is an important topic for accounting professionals to understand.

72% of chief financial officers advise regarding IT. Again, given the high percentage of CFOs who are expected to provide advice and recommendations regarding IT, a sound understanding of IT issues has become even more important for accounting professionals.

The SEC acknowledged that the root cause of the recent economic downturn was a lack of risk management competency in corporate America. Firms that had sound ERM practices in place were found to have weathered the downturn better than those that did not.

Enterprise Risk Management. Enterprise risk management (ERM) goes beyond security and controls. It is not possible to build security and controls that address every threat an enterprise might face, so risks must be identified, assessed, and prioritized before controls are chosen. Identifying, assessing, and mitigating risks has been shown to produce better business performance.

Understanding risk is a prerequisite for understanding controls: a control exists to respond to a specific risk.

ISO 31000 is gaining in popularity as an ERM standard. It is published by the same organization (the International Organization for Standardization) that issues the ISO 9000 quality management standards used globally.

Risk Intelligence. The risk intelligent enterprise moves beyond security and controls to managing risk, and then to using risk to create value. Risks can be categorized as:
- Unrewarded risks: no positive payoff; only a downside or negative result is associated with the risk. Example: the risk of unauthorized access to, and theft of, confidential customer credit card information.
- Rewarded risks: the possibility of a positive payoff. Example: the risks associated with a business acquisition or merger.
Although some view risk as entirely negative, there are rewarded risks. Some risks are undertaken with the possibility of a positive payoff: an acquisition of a new company carries risk, but also the possibility of a higher return.

ERM: Three Rings. How do IT controls, internal controls, and ERM fit together? Think of three nested rings: internal controls encompass IT controls, and ERM encompasses both internal controls and IT controls.

ERM: IT Control Zones. IT controls can be viewed as three zones:
1) Entity-level IT controls, set by top management and affecting the entire organization (for example, IT governance and security policy).
2) Application controls for business processes, such as the input, processing, and output controls in accounting software.
3) IT general controls for IT services, such as controls over networks, databases, operating systems, and hardware.

COSO defines ERM as: "Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives" (COSO, 2004). (COSO later issued a revised framework in 2017, Enterprise Risk Management: Integrating with Strategy and Performance; the 2004 framework is the one this chapter describes.)

ERM Cube. The ERM cube has three dimensions: ERM units, ERM objectives, and ERM components. The COSO ERM framework encompasses the COSO internal control framework: COSO expanded the internal control cube to create the ERM cube, so portions of the ERM cube are the same as the COSO internal control cube.

ERM Units. Enterprise units may consist of:
- entity-level units
- divisions
- business units and/or subsidiaries

ERM Objectives. The ERM framework specifies four categories of enterprise objectives:
- Strategic objectives relate to high-level goals that support the entity's mission.
- Operational objectives relate to the effective and efficient use of the entity's resources.
- Reporting objectives relate to the reliability of the enterprise's reporting, both internal and external.
- Compliance objectives relate to the entity's compliance with applicable laws and regulations.

ERM Components. The COSO enterprise risk management framework consists of eight interrelated components:
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring

Internal Environment. The internal environment is the culture of the organization and its risk consciousness. Influenced by the tone set by top management, it is also reflected in policies and procedures and in the organizational structure. An entity's risk management philosophy shapes its risk appetite: the amount of risk it is willing to accept in pursuit of value. Class discussion: What is the students' risk appetite? How many have a high risk appetite? A low one? What are some examples of actions that would exceed their risk appetite?

Objective Setting. Four types of objectives: strategic, operations, reporting, and compliance. Risk tolerance is the acceptable level of variation in attaining an objective. For an IT support desk the objective might be to resolve 100% of client issues on the first call; an acceptable variation might be resolving 85% of issues on the first call. If the objective cannot always be achieved, what variation from it is tolerable? How much variance is acceptable? For a nuclear power facility, what would the acceptable variance be?

Event Identification. Event identification involves identifying potential events that might affect the entity. Events can be:
- external, such as higher interest rates, or
- internal, such as fraud committed by an employee.
Events can be classified as producing negative impacts (risks) or positive impacts (opportunities). Class discussion: What potential events might affect the students? Are those events internal or external?

Risk Assessment. A risk is the possibility that an event will occur and negatively affect the entity's ability to achieve its stated objectives. Risk assessment is the process of estimating the extent to which potential events would affect the entity's ability to achieve its objectives. It has two aspects:
- Impact: the effect the event would have on the entity's ability to achieve its objectives if it occurs.
- Likelihood: the possibility or probability that the potential event will occur.
Class discussion: for the potential events the students identified, what would be (1) the impact and (2) the likelihood?

Risk Assessment: Impact. In assessing risk impact, pertinent questions are:
- What is the asset's value? For example, what is the value of the customer payment card data stored in the enterprise database, and what would it cost the enterprise if an attacker stole it?
- How much is the asset, such as information, worth to a competitor? Such assets include intellectual property, for example the engineering designs for the latest computer chip. What is that intellectual property worth to the competition?
- What is the estimated potential loss per threat occurrence?
A high-value asset has a greater impact than an asset of lesser value.

Risk Assessment: Likelihood. In assessing risk likelihood, pertinent questions are:
1. What is the possibility or probability of the event (threat) occurring?
2. What is the estimated frequency of the threat occurring?
"Possibility" usually refers to assessing likelihood with qualitative measures, such as high, medium, or low. "Probability" refers to assessing likelihood with a quantitative measure, such as a percentage or an expected number of occurrences per year.

Risk Assessment: Annual Loss Potential. Annual loss potential is estimated by combining impact and frequency: the expected loss from a single occurrence multiplied by the expected number of occurrences per year (often called the annualized loss expectancy). Two very different events can produce similar annual loss potential:
- Low frequency but high impact, such as a one-time breach of the customer database.
- High frequency but low impact, such as a salami attack that skims a tiny amount from each of many transactions.

Risk Response. Four categories of risk response:
- Avoidance: avoid or exit the activities that give rise to the risk.
- Reduction: actions taken to reduce risk likelihood, risk impact, or both.
- Sharing: transfer a portion of the risk, usually its impact, to another party, for example through insurance (as with car insurance), hedging, or outsourcing.
- Acceptance: no action is taken to affect risk likelihood or risk impact; the risk is within the entity's appetite.
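The assessment and response steps above can be carried through on a small risk register. The following is an added example, not code from the textbook or from COSO: the register rows, the 1/3/5 ordinal scales, the dollar figures, and the appetite thresholds are all constructed assumptions chosen to illustrate the chapter's two cases (low frequency/high impact versus high frequency/low impact) and the four response categories.

```python
"""Risk register scoring: impact x likelihood, annual loss potential, and a
COSO-style risk-response recommendation.

Added example. The scales, thresholds and register rows below are
assumptions for illustration, not figures from the chapter.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: qualitative ratings map onto a 1/3/5 ordinal scale so that a
# heat-map score (impact x likelihood) ranges from 1 to 25.
LEVELS = {"low": 1, "medium": 3, "high": 5}


@dataclass
class RiskEvent:
    name: str
    impact: str                          # qualitative: low / medium / high
    likelihood: str                      # qualitative: low / medium / high
    single_loss: Optional[float] = None  # dollar impact per occurrence, if estimated
    annual_frequency: Optional[float] = None  # expected occurrences per year

    def score(self) -> int:
        """Heat-map score: impact level times likelihood level (1..25)."""
        return LEVELS[self.impact] * LEVELS[self.likelihood]

    def annual_loss_potential(self) -> Optional[float]:
        """Annualized loss expectancy: single-loss impact x annual frequency.
        None when only a qualitative assessment exists."""
        if self.single_loss is None or self.annual_frequency is None:
            return None
        return self.single_loss * self.annual_frequency


def recommend_response(event: RiskEvent, appetite_score: int = 9,
                       appetite_annual_loss: float = 25_000.0,
                       insurable: bool = False) -> str:
    """Map a scored risk onto COSO's four responses.

    Assumed decision rule: a risk is accepted only if BOTH its heat-map
    score and (when known) its annual loss potential sit within appetite;
    otherwise the very highest scores are avoided, insurable risks are
    shared, and everything else is reduced with controls.
    """
    ale = event.annual_loss_potential()
    within_appetite = event.score() <= appetite_score and (
        ale is None or ale <= appetite_annual_loss)
    if within_appetite:
        return "accept"
    if event.score() >= 20:
        return "avoid"
    if insurable:
        return "share"
    return "reduce"


def rank_register(events: List[RiskEvent]) -> List[RiskEvent]:
    """Rank by annual loss potential where quantified, then by heat-map
    score. Qualitative-only risks therefore sort below any quantified one,
    which is a reason to quantify the risks that matter."""
    return sorted(events,
                  key=lambda e: (e.annual_loss_potential() or 0.0, e.score()),
                  reverse=True)


# Constructed sample register (assumed values).
REGISTER = [
    # Low frequency, high impact: ALE = 2,000,000 x 0.05 = 100,000 per year.
    RiskEvent("Theft of customer payment-card data", "high", "low",
              single_loss=2_000_000.0, annual_frequency=0.05),
    # High frequency, low impact (salami attack): ALE = 0.50 x 100,000 = 50,000.
    RiskEvent("Salami attack skimming cents from payment batches", "low", "high",
              single_loss=0.50, annual_frequency=100_000),
    # Qualitative only.
    RiskEvent("Higher interest rates on variable-rate debt", "medium", "medium"),
    RiskEvent("Employee expense-report fraud", "medium", "high"),
    RiskEvent("Retaining full magnetic-stripe data after authorization", "high", "high"),
]

if __name__ == "__main__":
    for ev in rank_register(REGISTER):
        print(f"{ev.score():>2}  {ev.annual_loss_potential()!s:>10}  "
              f"{recommend_response(ev):<7} {ev.name}")
```

The breach and the salami attack both land well above the assumed monetary appetite even though the breach scores only 5 on the heat map; that is the point of combining frequency with impact rather than reading likelihood alone. Swap in the organization's own scales and appetite before using anything like this for real decisions.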

Control Activities. After an entity has selected its risk responses, the next step is to identify the control activities needed to ensure the responses are carried out as planned. Examples of control activities include:
- performance reviews
- physical controls
- segregation of duties

Information and Communication. Identifying, capturing, and communicating information accurately, completely, and in a timely manner so that employees can carry out their responsibilities, including risk management responsibilities. An integrated enterprise system can give management additional data and information for enterprise risk management assessments and decisions, and business intelligence capabilities offer further insight into enterprise risk.

Monitoring. The process of monitoring the entity's enterprise risk management. Approaches include:
- ongoing monitoring built into normal activities, such as weekly reviews;
- separate evaluations, such as an internal audit; or
- a combination of ongoing monitoring and separate evaluations.

What is Spreadsheet Risk Management? A significant risk for many enterprises is the widespread use of spreadsheets with limited controls. A spreadsheet risk management program applies access and change controls to spreadsheets, in part so that the organization can be SOX compliant. While organizations commonly have security and controls over their IT hardware and software, spreadsheets and other shadow data are often widespread and outside the controls used in the rest of the organization.

SOX Section 404 internal control over financial reporting requirements apply to spreadsheets that feed the financial statements.

How many in the class have ever made a cut-and-paste error? Imagine making a $24 million cut-and-paste error. What controls could have prevented an error of this magnitude?

Spreadsheets introduce significant risk into the financial reporting process for some organizations, which may have thousands of spreadsheets in shadow data. Although spreadsheet use is typically widespread, controls over spreadsheets tend to be limited.

Top Ten Tips for Spreadsheet Risk Management, Tip 1: Inventory all spreadsheets using a global spreadsheet identification system. Each spreadsheet is assigned a unique spreadsheet ID number (SSID), and all spreadsheets are recorded in a global SSID log for tracking. Some organizations have no record of how many spreadsheets are in use; taking an inventory and assigning a global SSID is the starting point. The SSIDs are tracked in a log like the Global Spreadsheet Identification (SSID) Log shown on the slide.

Tip 2: Assign a risk rating to each inventoried spreadsheet by assessing (a) the impact of a financial statement error resulting from the spreadsheet's use and (b) the likelihood of such an error. If the impact of an error would be high (such as $24 million), that must be weighed together with the likelihood of an error, which depends largely on the controls in place: Does anyone else audit or cross-check the spreadsheet's results? What controls verify the spreadsheet's accuracy? (Spreadsheet Risk Assessment log shown on the slide.)

Tip 3: Store all spreadsheets on a network server to accomplish these control objectives:
- Access security. Assign access logins and password protection.
- Identification. A global SSID can be assigned when the spreadsheet is stored on the server, feeding the spreadsheet inventory and tracking log.
- Firewall protection. Network firewalls provide layers of protection that a copy sitting on a mobile laptop does not have.
- Virtual private network. Users offsite reach the spreadsheet through a VPN instead of carrying copies on laptops or other mobile IT assets that can be lost or stolen.
- Spreadsheet changes. Storing the spreadsheet on the server lets multiple users make changes to a single copy, so that changes can be logged and reviewed.
Storing spreadsheets on a network server improves controls because access control, backup, and access logging can be applied centrally; storing them in the cloud is another option where cloud computing is used. Although security may be better on a server, this may be unpopular with accountants. Reasons accounting professionals give for not storing spreadsheets on a network server include confidentiality of the data, concern that the file may be inadvertently modified by someone else, accessibility of the file, and convenience.

Tip 4: Implement spreadsheet change controls using two logs:
- User log: tracks who accessed the specific spreadsheet, and when.
- Change log: documents changes made to the spreadsheet's design, such as changes to formulas.
Change controls are required to track all changes made to spreadsheets. (Spreadsheet User Log and Spreadsheet Change Log shown on the slide.)

Tip 5: Add a contents tab to the spreadsheet to create a table of contents. Accidental sheet deletions or unauthorized sheet additions can then be detected by comparing the workbook's actual sheets with the contents sheet. (Spreadsheet Contents shown on the slide.)
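Tips 1, 4 and 5 can be automated rather than kept by hand. The following is an added example, not code from the textbook: it assigns SSIDs, records a SHA-256 fingerprint and the sheet list for each workbook at registration, and on a later check reports whether the file changed and which sheets were added or removed. It uses only the Python standard library, relying on the fact that an .xlsx file is a zip archive whose sheet names appear in xl/workbook.xml. The SSID format, the log fields, and the make_xlsx helper (which builds a stripped-down workbook for the demonstration) are assumptions.

```python
"""Spreadsheet inventory (SSID log), change detection and contents check.

Added example, not from the chapter. SSID format, log layout and sample
workbooks are assumptions. Reads .xlsx files with the standard library:
an .xlsx is a zip archive and sheet names live in xl/workbook.xml.
"""
import hashlib
import io
import json
import re
import zipfile
from datetime import datetime, timezone

# Matches <sheet ... name="..."/> elements inside <sheets> in workbook.xml.
SHEET_RE = re.compile(r'<sheet\b[^>]*?\bname="([^"]*)"')


def sheet_names(xlsx_bytes: bytes) -> list:
    """Return worksheet names in workbook order."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        workbook_xml = z.read("xl/workbook.xml").decode("utf-8")
    return SHEET_RE.findall(workbook_xml)


def fingerprint(data: bytes) -> str:
    """SHA-256 of the whole file; any edit, formula change included, alters it."""
    return hashlib.sha256(data).hexdigest()


def register(log: dict, path: str, data: bytes, owner: str, risk: str) -> str:
    """Tip 1: assign the next SSID and record the baseline used by check()."""
    ssid = "SSID-%04d" % (len(log) + 1)          # assumed ID format
    log[ssid] = {
        "path": path,
        "owner": owner,
        "risk": risk,                            # Tip 2 rating: low/medium/high
        "sha256": fingerprint(data),
        "sheets": sheet_names(data),             # Tip 5 contents list
        "registered": datetime.now(timezone.utc).isoformat(),
    }
    return ssid


def check(log: dict, ssid: str, data: bytes) -> dict:
    """Tips 4 and 5: compare a workbook with its logged baseline.

    A True 'modified' flag means the change log must have a matching,
    approved entry; sheets_added / sheets_removed flag unauthorized
    additions and accidental deletions against the contents list.
    """
    entry = log[ssid]
    current = sheet_names(data)
    return {
        "modified": fingerprint(data) != entry["sha256"],
        "sheets_added": sorted(set(current) - set(entry["sheets"])),
        "sheets_removed": sorted(set(entry["sheets"]) - set(current)),
    }


def dump_log(log: dict) -> str:
    """Serialize the SSID log, e.g. to commit it to version control."""
    return json.dumps(log, indent=2, sort_keys=True)


def make_xlsx(sheets, payload: bytes = b"") -> bytes:
    """Constructed minimal workbook for the demonstration: only the members
    the functions above read. Real .xlsx files carry more parts, which
    sheet_names() ignores."""
    xml = '<?xml version="1.0" encoding="UTF-8"?><workbook><sheets>' + "".join(
        '<sheet name="%s" sheetId="%d"/>' % (n, i + 1) for i, n in enumerate(sheets)
    ) + "</sheets></workbook>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", xml)
        z.writestr("xl/worksheets/sheet1.xml", payload)   # stands in for cell data
    return buf.getvalue()


if __name__ == "__main__":
    log = {}
    baseline = make_xlsx(["Contents", "Summary", "Detail"], b"Q1 figures")
    ssid = register(log, "finance/revenue_q1.xlsx", baseline, "controller", "high")
    print(ssid, check(log, ssid, baseline))
    tampered = make_xlsx(["Contents", "Summary", "Scratch"], b"Q1 figures, edited")
    print(ssid, check(log, ssid, tampered))
    print(dump_log(log))
```

In production the baseline would be refreshed only after a change-log entry is approved, and the check run on a schedule against the server share from Tip 3; a file that changed without an entry is the finding to chase.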

Tip 6: Add a documentation tab that records proper documentation for the spreadsheet:
- the purpose of the spreadsheet;
- authorized users;
- user instructions, to reduce the likelihood of user error;
- developer notes, such as formula specifications, formula links, and any macros and algorithms used.

Tip 7: Use data validation controls in spreadsheets to reduce data entry errors. Data validation can serve as an input control, for example through drop-down lists that restrict a cell to valid values. Reduce hard-keyed data entry to lower the likelihood of typing and formatting errors. A drop-down list of state abbreviations, for instance, prevents a user from mistyping the state name.

Tip 8: Use the spreadsheet protection feature as an access control. Password protect the workbook and/or specific cells to prevent unauthorized use or accidental data deletion, or protect portions of the spreadsheet against accidental errors. One caveat: worksheet and cell protection guards against accidental edits, not against a determined user, because it can be removed with widely available tools. To keep a file confidential, rely on the file-open (encryption) password together with the server access controls from Tip 3.

Tip 9: Test the spreadsheet to assure that it functions properly. Use the spreadsheet's auditing tools to trace errors and verify formula links; enlist other users to test that it works as planned; test the calculations; and test whether the spreadsheet logic is sound. Testing during development helps identify flaws in the design or calculations before the spreadsheet is used for reporting.

Tip 10: Remember the 80/20 rule for accounting design. Accounting Insight No. 10 also applies to spreadsheet design: invest 80 percent of your time in designing the spreadsheet and only 20 percent maintaining it. Use a proper system development life cycle (SDLC) methodology to design and build spreadsheets, and design them so that data is never hard-keyed into formulas (keep inputs in their own cells that formulas reference). A well designed spreadsheet needs only 20% of the effort for maintenance; if the design is rushed and poorly planned, 80% of the time may instead be spent maintaining it.