COSO Enterprise Risk Management
eBook - ePub

COSO Enterprise Risk Management

Establishing Effective Governance, Risk, and Compliance Processes

Robert R. Moeller

  1. English
  2. ePUB (mobile friendly)
  3. Available on iOS and Android

Book details
Book preview
Table of contents

About this book

A fully updated, step-by-step guide for implementing COSO's Enterprise Risk Management

COSO Enterprise Risk Management, Second Edition clearly enables organizations of all types and sizes to understand and better manage their risk environments and make better decisions through use of the COSO ERM framework. The Second Edition discusses the latest trends and pronouncements that have affected COSO ERM and explores new topics, including the PCAOB's release of AS5; ISACA's recently revised CobiT; and the recently released IIA Standards.

  • Offers you expert advice on how to carry out internal control responsibilities more efficiently
  • Updates you on the ins and outs of the COSO Report and its emergence as the new platform for understanding all aspects of risk in today's organization
  • Shows you how an effective risk management program, following COSO ERM, can help your organization to better comply with the Sarbanes-Oxley Act
  • Knowledgeably explains how to implement an effective ERM program

Preparing professionals to develop and follow an effective risk culture, COSO Enterprise Risk Management, Second Edition is the fully revised, invaluable working resource that will show you how to identify risks, avoid pitfalls within your corporation, and keep it moving ahead of the competition.

Frequently asked questions

How do I cancel my subscription?
Simply go to the account section in settings and click on "Cancel subscription". It's that simple! Once you cancel, your subscription will stay active for the rest of the period you have paid for. Learn more here.
Can I / how do I download books?
At the moment, all our mobile-friendly ePub books can be downloaded via the app. Most of our PDFs are also available to download, and the rest will be downloadable very soon. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlego's features. The only differences are the price and the subscription period: with the annual plan you save around 30% compared to 12 months of monthly subscription.
What is Perlego?
We are an online academic book subscription service, where you can access an entire library for less than the price of a single book per month. With over one million books on more than 1,000 topics, we have what you need! Learn more here.
Do you support text-to-speech?
Look for the Listen symbol on your next book to see whether you can listen to it. The Listen tool reads the text aloud for you, highlighting the passage being read. You can pause it, speed it up or slow it down. Learn more here.
Is COSO Enterprise Risk Management an online PDF/ePUB?
Yes, you can access COSO Enterprise Risk Management by Robert R. Moeller in PDF and/or ePUB format, as well as other popular books in Business and Auditing. We have over one million books to discover in our catalogue.


Chapter 1
Introduction: Enterprise Risk Management Today
Well-recognized or mandated standards are important for effective enterprise governance and management. Compliance with these standards allows the enterprise to demonstrate they are following best practices and complying with regulatory rules. For example, the enterprise's financial statements are audited by an external audit firm to determine whether they are consistent with generally accepted accounting principles (GAAP) in the United States or are fairly stated following international financial reporting standards (IFRS). This financial audit process applies to virtually all enterprises worldwide, no matter their size or enterprise structure. Investors and lenders want an external party—an independent auditor—to examine financial records and attest whether they are fairly stated. In order to attest to these financial statements, that same auditor has to determine that there are good supporting internal controls surrounding all significant financial transactions.
Internal controls cover many areas in enterprise operations. An example here is a separation of duties control where a person who prepares a check for issue to an outside party should not be the same person who approves that check for payment. Two independent people should be involved with the release of checks that take cash from the enterprise. This is a common and well-recognized internal control, and many others relate to similar situations where one person or process should always be in a position to independently check the work of another party. Good internal control processes are essential for effective risk management systems in an enterprise.
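The separation-of-duties control described above (one person prepares a check, a different person approves it, and cash leaves only after both steps) is easy to state but is often enforced only by policy rather than by the system. The following is an added illustration, not code from the book or from any COSO publication, of how a payment-release workflow can enforce that control in code: it checks that each actor holds the entitlement for the step they perform, rejects an approval by the same user who prepared the payment, and refuses to release cash unless two distinct people completed the two steps. The users, roles and payments are constructed sample data, and the function names are hypothetical.

```python
"""Separation-of-duties enforcement for a check/payment release workflow.

Added illustration, not code from the book. USER_ROLES, the payment records
and the function names are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample directory: user -> set of entitlements.
# carol is deliberately over-entitled; the SoD check must still hold for her.
USER_ROLES = {
    "alice": {"prepare_payment"},
    "bob": {"approve_payment"},
    "carol": {"prepare_payment", "approve_payment"},
}


class ControlViolation(Exception):
    """Raised when an entitlement or separation-of-duties control fails."""


@dataclass
class Payment:
    payment_id: str
    payee: str
    amount: float
    prepared_by: Optional[str] = None
    approved_by: Optional[str] = None
    released: bool = False
    # Who did what, in order; the audit trail is the evidence a reviewer checks.
    audit_trail: List[Tuple[str, str]] = field(default_factory=list)

    def log(self, user: str, action: str) -> None:
        self.audit_trail.append((user, action))


def require_role(user: str, role: str) -> None:
    """Entitlement check: the actor must hold the role for this step."""
    if role not in USER_ROLES.get(user, set()):
        raise ControlViolation(f"{user} lacks entitlement {role}")


def prepare(payment: Payment, user: str) -> Payment:
    require_role(user, "prepare_payment")
    if payment.prepared_by is not None:
        raise ControlViolation("payment already prepared")
    payment.prepared_by = user
    payment.log(user, "prepare")
    return payment


def approve(payment: Payment, user: str) -> Payment:
    require_role(user, "approve_payment")
    if payment.prepared_by is None:
        raise ControlViolation("cannot approve an unprepared payment")
    if user == payment.prepared_by:
        # The separation-of-duties control itself: even a user who holds both
        # entitlements may not approve the payment they prepared.
        raise ControlViolation(f"{user} cannot approve a payment they prepared")
    payment.approved_by = user
    payment.log(user, "approve")
    return payment


def release(payment: Payment) -> Payment:
    """Release cash only when two distinct, entitled people completed both steps."""
    if not (payment.prepared_by and payment.approved_by):
        raise ControlViolation("payment not fully authorised")
    if payment.prepared_by == payment.approved_by:
        raise ControlViolation("preparer and approver must differ")
    payment.released = True
    payment.log("system", "release")
    return payment


def run_demo() -> Tuple[bool, bool]:
    """Returns (compliant payment released?, self-approval blocked?)."""
    good = Payment("P-1001", "Vendor A", 2500.00)
    prepare(good, "alice")
    approve(good, "bob")
    release(good)

    bad = Payment("P-1002", "Vendor B", 9900.00)
    prepare(bad, "carol")
    try:
        approve(bad, "carol")
        sod_blocked = False
    except ControlViolation:
        sod_blocked = True
    return good.released, sod_blocked


if __name__ == "__main__":
    print(run_demo())  # (True, True)
```

The point of keeping the check in `release` as well as in `approve` is that the control should not depend on the approval path being the only way a record reaches the release step; the audit trail records who performed each step so the control can be reviewed after the fact.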
This introductory chapter briefly looks at an important guidance standard for defining internal control, the Committee of Sponsoring Organizations' (COSO) internal control framework. This COSO guidance has become the worldwide accepted standard for defining internal control in enterprises today. From this internal controls framework the chapter then introduces the similar-looking but very different COSO enterprise risk management (ERM) framework, the major topic of many of the chapters in this book.
The chapter will also introduce us to an example company, Global Computer Products, which will be referenced in many examples throughout other chapters. The Global Computer Products hypothetical enterprise is a U.S.-headquartered computer hardware and software products manufacturer with worldwide development and distribution facilities. Although no example can be comprehensive or complete, we will try to use this Global Computer Products example as a vehicle to better understand and implement COSO ERM and governance, risk and compliance (GRC) issues in an enterprise today as well as to use them for implementing effective enterprise practices.
The COSO Internal Controls Framework: How Did We Get Here?
Similar to the many acronyms for products and techniques common in information technology (IT), product and process names are quickly turned into acronyms in the worlds of auditing, accounting, and corporate management. In the IT world, we quickly forget the names, words, or even the concepts that created the acronym and just use the several-letter acronyms. For example, International Business Machines Corporation (IBM) launched a custom software product for just one customer called the Customer Information Control System (CICS), back in the old mainframe or legacy computer system days of the early 1970s when IBM needed to develop software to access files on an online basis. Other computer manufacturing competitors at that time had online, real-time software, but IBM did not. IBM's CICS product was enhanced and generalized over the years. It is still around today for legacy systems, and today's users call it “Kicks” as their pronunciation of CICS. The definition or meaning of this acronym has been essentially forgotten and CICS has now become an IT “word.”
The internal control guidance-setting organization, COSO, is a similar example with an abbreviated name standing for the Committee of Sponsoring Organizations of the Treadway Commission. Of course, an explanation of that COSO name does not offer much help—who is this committee, what are they sponsoring, and what is the Treadway Commission? To understand how this internal control standard came about, it is necessary to go back to the late 1970s and early 1980s, a period when there were many major enterprise financial failures in the United States due to conditions including very high inflation, the resultant high interest rates, and some aggressive enterprise accounting approaches. The scope of these failures seems minor today when contrasted with the financial meltdowns of 2009 and 2010 or the financial frauds at the beginning of this century that led to the Sarbanes-Oxley Act (SOx). Financial crises will always be with us, and a concern back in the 1970s was that several major corporations suffered a financial collapse even though their recently published audited financial reports, signed by their external auditors, showed both adequate earnings and good financial health. Some of these failures were caused by fraudulent financial reporting, but most turned out to be victims of the high inflation and resultant high interest rates during that period. It was not uncommon for many companies that failed to have issued fairly positive annual reports despite the bad news about to come. This also was another period of high regulatory activity in the United States and some members of Congress drafted legislation to “correct” these business or audit failures. Congressional hearings were held, but no legislation was ever passed. Rather, a private professional group, called the National Commission on Fraudulent Financial Reporting, was formed to study the issue. Five U.S. professional financial organizations sponsored this National Commission: the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), the Financial Executives Institute (FEI), the American Accounting Association (AAA), and the Institute of Management Accountants (IMA). Named after its chair, SEC Commissioner James C. Treadway, the authority adopted as its official name The Committee of Sponsoring Organizations of the Treadway Commission. Today, that group has become known by its acronym name, COSO.
The original focus of COSO was not on enterprise risk management but on the reasons behind the internal control problems that had contributed to those financial reporting failures of many years ago. COSO's first report, released in 1987,[1] called for management to report on the effectiveness of their internal control systems. Called the Treadway Commission Report, it emphasized the key elements of an effective system of internal controls, including a strong control environment, a code of conduct, a competent and involved audit committee, and a strong management function. Enterprise risk management was not a key topic at that time. The Treadway report emphasized the need for a consistent definition of internal control and subsequently published what is now known as the COSO definition of internal control, now the generally recognized worldwide internal accounting control guidance or framework.
That COSO report on internal controls was released in 1992 with the official title Internal Control–Integrated Framework.[2] Throughout this book, it is referred to as the COSO Internal Controls report or framework to differentiate it from the COSO Enterprise Risk Management or the COSO ERM framework, our main topic. The COSO Internal Controls report proposed a common framework for the definition of internal control, as well as procedures to evaluate those controls.[3] For virtually all persons involved in modern business today, an understanding of that COSO definition of internal controls is essential.
The COSO Internal Controls Framework
The term internal control had been part of the vocabulary of business for many years, but it historically never had had a precise, consistent definition. COSO developed a now almost universally accepted definition or description of internal control, as follows:
Internal control is a process, affected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
The COSO definition of internal control uses a three-dimensional model to describe an internal control system in an enterprise. The model, as shown in Exhibit 1.1, consists of five horizontal levels or layers, three vertical components, and multiple sectors spanning its third dimension. This model, as shown in the exhibit, might be viewed in terms of its 5 × 3 × 3 or 45 individual cells or components. However, these are not individual and separate components but are all interconnected with internal controls in each depending on the others. While each level and component of the COSO internal control framework is important for understanding internal controls in an enterprise, we will focus here on two horizontal levels: the control environment foundation level and the risk environment level. These are particularly important components for understanding how the COSO internal control framework relates to the COSO ERM model introduced later in Chapter 4 and illustrated in Exhibit 4.1.
Exhibit 1.1 COSO Internal Controls Framework
COSO Internal Control Elements: The Control Environment
Just as any building needs a strong foundation, the COSO internal control framework has its foundation in what COSO calls the internal control environment, the starting basis for all internal controls in an entity. An enterprise's control environment influences how business activities are structured and risks assessed in an enterprise. It serves as a foundation for all other components of internal control and has an influence on each of the three internal control objectives and all activities. The control environment reflects the overall attitude, awareness, and actions by the board of directors, management, and others regarding the importance of internal controls in the enterprise.
An enterprise's history and culture plays a major role in forming its control environment. For example, when an enterprise and its management places a strong emphasis on producing error-free products, when senior management continues to emphasize the importance of error-free products, and if this message has been communicated to all levels, this becomes an important control environment factor for the enterprise. The words of the chief executive officer (CEO) and other members of senior management communicate a strong message to employees, customers, and other stakeholders. This very important set of these messages is known as the tone at the top. However, if senior management has had a reputation of “looking the other way” at policy violations and oth...

Table of contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Dedication
  5. Preface
  6. Chapter 1: Introduction: Enterprise Risk Management Today
  7. Chapter 2: Importance of Governance, Risk, and Compliance Principles
  8. Chapter 3: Risk Management Fundamentals
  9. Chapter 4: COSO ERM Framework
  10. Chapter 5: Implementing ERM in the Enterprise
  11. Chapter 6: Importance of Strong Enterprise Governance Practices
  12. Chapter 7: Enterprise Compliance Issues Today
  13. Chapter 8: Integrating ERM with COSO Internal Controls
  14. Chapter 9: Sarbanes-Oxley and Enterprise Risk Management Concerns
  15. Chapter 10: Corporate Culture and Risk Portfolio Management
  16. Chapter 11: OCEG Capability Model GRC Standards
  17. Chapter 12: Importance of GRC Principles in the Board Room
  18. Chapter 13: Role of Internal Audit in Enterprise Risk Management
  19. Chapter 14: Understanding Project Management Risks
  20. Chapter 15: Information Technology and Enterprise Risk Management
  21. Chapter 16: Establishing an Effective GRC Culture throughout the Enterprise
  22. Chapter 17: ISO 31000 and 38500 Risk Management Worldwide Standards
  23. Chapter 18: ERM and GRC Principles Going Forward
  24. About the Author
  25. Index