deficiencies to those responsible for corrective action, including senior management and the board of directors, where appropriate.

To improve the risk management process, COSO developed a second control framework called:

3. COSO's Risk Management—Integrated Framework (ERM). ERM is the process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals. The basic principles behind ERM are as follows:

- Companies are formed to create value for their owners.
- Management must decide how much uncertainty it will accept as it creates value.
- Uncertainty results in risk, which is the possibility that something negatively affects the company's ability to create or preserve value.
- Uncertainty results in opportunity, which is the possibility that something positively affects the company's ability to create or preserve value.
- The ERM framework can manage uncertainty as well as create and preserve value.

COSO'S ENTERPRISE RISK MANAGEMENT FRAMEWORK VERSUS THE INTERNAL CONTROL FRAMEWORK

The IC framework has been widely adopted as the way to evaluate internal controls, as required by SOX. The more comprehensive ERM framework takes a risk-based rather than a controls-based approach. ERM adds three elements to COSO's IC framework: setting objectives, identifying events that may affect the company, and developing a response to assessed risk. As a result, controls are flexible and relevant because they are linked to current organizational objectives. The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.

Because it is more comprehensive, the text uses the ERM model to explain internal controls. If one understands the ERM model, it is easy to understand the IC model, since the IC model consists of 5 of the 8 components of the ERM model. It is harder to go from understanding the IC model to understanding the ERM model, as the user may not be familiar with the three additional components. The eight ERM components are shown below:

Describe the components of an internal environment.

The internal environment: the company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk. An internal environment consists of the following:

1. Management's philosophy, operating style, and risk appetite
2. Commitment to integrity, ethical values, and competence
3. Internal control oversight by the board of directors
4. Organizational structure
5. Methods of assigning authority and responsibility
6. Human resource standards that attract, develop, and retain competent individuals
7. External influences

Describe approaches to assessing and managing risk within an organization.