COSO Enterprise Risk Management (eBook)
John Wiley & Sons (Publisher)
9781118102527 (ISBN)
A fully updated, step-by-step guide to implementing COSO's Enterprise Risk Management framework. COSO Enterprise Risk Management, Second Edition enables organizations of all types and sizes to understand and better manage their risk environments, and to make better decisions, through use of the COSO ERM framework. The Second Edition discusses the latest trends and pronouncements that have affected COSO ERM and explores new topics, including the PCAOB's release of Auditing Standard No. 5 (AS5), ISACA's revised CobiT, and the recently released IIA Standards.
- Offers you expert advice on how to carry out internal control responsibilities more efficiently
- Updates you on the ins and outs of the COSO Report and its emergence as the new platform for understanding all aspects of risk in today's organization
- Shows you how an effective risk management program, following COSO ERM, can help your organization to better comply with the Sarbanes-Oxley Act
- Knowledgeably explains how to implement an effective ERM program
Helping professionals develop and follow an effective risk culture, COSO Enterprise Risk Management, Second Edition is a fully revised working resource that shows you how to identify risks, avoid pitfalls within your corporation, and keep it moving ahead of the competition.
ROBERT R. MOELLER, CPA, CISA, CISSP, is an internal audit specialist and project manager with a strong understanding of business risk management, information systems, corporate governance, and security. He has over twenty-five years of experience in internal auditing, ranging from launching new internal audit functions in several companies to serving as audit director for a Fortune 50 corporation. Formerly national director of computer auditing at Grant Thornton and internal audit director at Sears Roebuck, he is the author of six books published by Wiley. He is the former president of the Institute of Internal Auditors' Chicago chapter and the former chair of the AICPA's Computer Audit Subcommittee.
COSO Enterprise Risk Management 3
Contents 9
Preface 13
NOTES 19
Chapter 1: Introduction: Enterprise Risk Management Today 21
The COSO Internal Controls Framework: How Did We Get Here? 22
The COSO Internal Controls Framework 23
COSO Internal Control Elements: The Control Environment 25
COSO Internal Control Elements: Risk Assessment 33
Other COSO Internal Control Components and Activities 33
COSO Internal Controls: The Principal Recognized Internal Controls Standard 34
An Introduction to COSO ERM 34
Governance, Risk, and Compliance 35
Global Computer Products: Our Example Company 36
NOTES 39
Chapter 2: Importance of Governance, Risk, and Compliance Principles 41
Road to Effective GRC Principles 42
Importance of GRC Governance 43
Risk Management Component of GRC 45
GRC and Enterprise Compliance 46
Importance of Effective GRC Practices and Principles 48
Chapter 3: Risk Management Fundamentals 51
Fundamentals: Risk Management Phases 52
Risk Identification 53
Key Risk Assessments 57
Quantitative Risk Analysis: Expected Values and Response Planning 63
Other Risk Assessment Techniques 65
The Delphi Method 65
Monte Carlo Simulation 67
Decision Tree Analysis 69
NOTE 70
Chapter 4: COSO ERM Framework 71
ERM Definitions and Objectives: A Portfolio View of Risk 71
COSO ERM Framework Model 75
COSO ERM Components: Internal Environment 76
COSO ERM Components: Objective Setting 82
COSO ERM Components: Event Identification 86
COSO ERM Components: Risk Assessment 91
COSO ERM Components: Risk Response 94
COSO ERM Components: Control Activities 98
COSO ERM Components: Information and Communication 101
COSO ERM Components: Monitoring 104
Other Dimensions of the ERM Framework 106
NOTES 107
Chapter 5: Implementing ERM in the Enterprise 109
Roles and Responsibilities of an Enterprise Risk Management Function 110
CRO Responsibilities 111
Risk Management Enterprise Governance and Oversight 114
ERM Activity Scope and Review Planning 116
Risk Management Policies, Standards, and Strategies 120
Business, IT, and Risk Transfer Processes 125
Risk Management Reviews and Corrective Action Practices 128
ERM Communications Approaches 132
CRO and an Effective Enterprise Risk Management Function 133
NOTES 134
Chapter 6: Importance of Strong Enterprise Governance Practices 135
History and Background of Enterprise Governance: A U.S. Perspective 136
Enterprise Integrity and Ethical Behavior 139
First Steps: Developing a Mission Statement 140
Codes of Conduct 142
Communications to Stakeholders and Assuring Compliance 144
Disclosure and Transparency 145
Rights and Equitable Treatment of Shareholders and Key Stakeholders 146
Governance Role and Responsibilities of the Board 148
Governance as a Key Element of GRC 148
Chapter 7: Enterprise Compliance Issues Today 151
Compliance Issues Today 152
Establish a Compliance Assessment Team 153
Compliance Risk Assessments and Compliance Program Reviews 156
Work Unit–Level Compliance Tracking and Review Processes 158
Internal Audit Compliance Reviews 159
Compliance Self-Audits 161
Compliance-Related Procedures and Staff Education Programs 161
Enterprise Hotline Compliance and Whistleblower Support 162
Assessing the Overall Enterprise Compliance Program 164
NOTES 165
Chapter 8: Integrating ERM with COSO Internal Controls 167
COSO Internal Controls Background and Earlier Legislation 167
Foreign Corrupt Practices Act of 1977 169
FCPA Aftermath: What Happened? 171
Efforts Leading to the Treadway Commission 171
AICPA and CICA Commissions on Auditor Responsibilities 172
SEC 1979 Internal Control Reporting Proposal 173
Minahan Committee and Financial Executives Research Foundation 174
Earlier AICPA Auditing Standards: SAS No. 55 174
Treadway Committee Report 175
COSO Internal Controls Framework 176
COSO Internal Controls Framework Model 177
COSO Internal Controls and COSO ERM: Compared 194
NOTES 194
Chapter 9: Sarbanes-Oxley and Enterprise Risk Management Concerns 197
Sarbanes-Oxley Act Background 197
SOx Legislation Overview 199
Public Company Accounting Oversight Board and AS5 200
Section 404: Management’s Assessment of Internal Controls 202
Enterprise Risk Management and SOx Section 404 Reviews 213
Section 302: Corporate Responsibility for Financial Reports 214
Financial Officer Codes of Ethics or Conduct 217
Internal Controls Reporting and Materiality 218
PCAOB Risk-Based Auditing Standards 219
Sarbanes-Oxley: The Other Sections 220
SOx and COSO ERM 221
NOTES 222
Chapter 10: Corporate Culture and Risk Portfolio Management 223
Whistleblower and Hotline Functions 224
U.S. Federal Whistleblower Rules 225
Launching the Enterprise Help or Hotline Function 227
Risk Portfolio Management 228
Managing Risks by Portfolios 229
Modern Portfolio Theory 230
Integrated Enterprise-Wide Risk Management 231
NOTES 234
Chapter 11: OCEG Capability Model GRC Standards 235
GRC Capability Model “Red Book” 235
OCEG’s Principled Performance Concept 237
GRC Capability Context and Culture Elements 238
GRC Capability Organize and Oversee Elements 238
GRC Capability Assess and Align Elements 239
GRC Capability Prevent and Promote Elements 240
GRC Capability Detect and Discern Elements 240
GRC Capability Response and Resolve Elements 241
GRC Capability Monitor and Measure Elements 241
GRC Capability Inform and Integrate Elements 242
Other OCEG Materials: The “Burgundy Book” 243
Level and Scope of the OCEG Standards-Setting Authority 244
Chapter 12: Importance of GRC Principles in the Board Room 245
Board Decisions and Risk Management 246
Board Organization and Governance Rules 250
Corporate Charters and the Board Committee Structure 251
Audit Committees and Managing Risks 255
Establishing a Board-Level Risk Committee 258
Requirements for a Risk Committee Board Member 262
Audit and Risk Committee Coordination 264
COSO ERM and Corporate Governance 265
NOTES 266
Chapter 13: Role of Internal Audit in Enterprise Risk Management 267
Internal Audit Standards for Evaluating Risk 268
COSO ERM for More Effective Internal Audit Planning 271
Using COSO ERM to Build an Annual Audit Plan 273
Risk Tolerance and Building Internal Audit Plans 277
Example Risk-Based Audit Plan: Global Computer Products 279
Risk-Based Internal Audit Findings and Recommendations 284
COSO ERM and Internal Audit 285
NOTES 285
Chapter 14: Understanding Project Management Risks 287
Project Management Process 288
PMBOK® Guide: A Guide to the Project Management Body of Knowledge 289
PMBOK® Guide’s Project Manager Risk Management Approach 292
Risk Management Planning 293
Risk Identification 296
Qualitative Risk Analysis 298
Quantitative Risk Analysis 299
Risk Response Planning 299
Risk Monitoring and Control 302
Project-Related Risks: What Can Go Wrong 302
Implementing ERM for Project Managers 305
Embracing Project Management Standards 307
Establishing a Program Management Office 309
NOTES 310
Chapter 15: Information Technology and Enterprise Risk Management 311
IT and the COSO ERM Framework 312
IT Application Systems Risks 314
Application Development and Acquisition Risks 315
Software and Application Systems Testing 320
Internal Controls and System Balancing Procedures 320
Effective IT Continuity Planning 322
Worms, Viruses, and System Network Risks 327
IT and Effective ERM Processes 329
NOTES 329
Chapter 16: Establishing an Effective GRC Culture throughout the Enterprise 331
First Steps to Establishing a GRC Culture: An Example 332
Promoting the Concept of Enterprise Risk 334
Defining the Risk Management Philosophy 335
Translating a Risk Philosophy into a Culture 337
Establishing of Enterprise-Wide Governance Awareness 339
Understanding the GRC Environment 340
Summarizing Ethics Survey Results: Do We Have a Problem? 343
Enterprise Codes of Conduct 343
The Contents: What Should Be the Code’s Message? 344
Communications to Stakeholders and Assuring Compliance 345
Building a GRC Culture: Risk, Governance, and Compliance Education Programs 346
Keeping the GRC Culture Current 347
NOTES 349
Chapter 17: ISO 31000 and 38500 Risk Management Worldwide Standards 351
ISO Standards-Setting Process 352
Understanding ISO 31000 354
Role of ISO 31000 Enterprise Risk Management 354
ISO 31000 Risk Management Definitions 356
ISO 38500: The Corporate Governance of IT 357
Implementing an ISO Standard 360
NOTES 361
Chapter 18: ERM and GRC Principles Going Forward 363
ERM and GRC for the Internal Controls Professional 364
FEI Guidance for GRC and COSO ERM Issues 364
The IIA and GRC 365
ISACA, ITGI, and GRC 365
AICPA: GRC and COSO ERM 366
COSO’s Ongoing Support Role 367
COSO ERM and GRC Future Prospects 368
NOTES 368
About the Author 371
Index 373
EULA 387
| Publication date (per publisher) | 26.7.2011 |
|---|---|
| Series | Wiley Corporate F&A |
| Language | English |
| Subject area | Natural sciences |
| | Business ► Business administration / Management ► General / Reference works |
| | Business ► Business administration / Management ► Finance |
| Keywords | Accounting • Auditing / Internal • Internal audit • Audit (business) • Robert Moeller, COSO enterprise risk management, effective governance, risk and compliance processes, COSO-ERM, essentials of risk management, value at risk, Michael Crouhy, Robert Mark, Philippe Jorion, John Hampton, IIA standards, CobiT, PCAOB, ISACA |
| ISBN-13 | 9781118102527 |
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to prevent misuse of the eBook. At download time the eBook is authorized against your personal Adobe ID; you can then read it only on devices that are also registered to that Adobe ID.
Details on Adobe DRM
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables, and figures. A PDF can be displayed on almost any device, but is only of limited use on small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You will need a
eReader: This eBook can be read on (almost) all eBook readers. It is not, however, compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You will need a
Buying eBooks from abroad
For tax reasons we can only sell eBooks within Germany and Switzerland. Unfortunately, we cannot fulfil eBook orders from other countries.