deficiencies to those responsible for corrective action, including senior management and
the board of directors, where appropriate.
To improve the risk management process, COSO developed a second control framework called:
3. COSO’s Risk Management—Integrated Framework (ERM).
ERM is the process the
board of directors and management use to set strategy, identify events that may affect the
entity, assess and manage risk, and provide reasonable assurance that the company
achieves its objectives and goals. The basic principles behind ERM are as follows:
o Companies are formed to create value for their owners.
o Management must decide how much uncertainty it will accept as it creates value.
o Uncertainty results in risk, which is the possibility that something negatively affects the company’s ability to create or preserve value.
o Uncertainty results in opportunity, which is the possibility that something positively affects the company’s ability to create or preserve value.
o The ERM framework can manage uncertainty as well as create and preserve value.
COSO’s ENTERPRISE RISK MANAGEMENT FRAMEWORK VERSUS THE INTERNAL CONTROL FRAMEWORK
The IC framework has been widely adopted as the way to evaluate internal controls, as
required by SOX. The more comprehensive ERM framework takes a risk-based rather than a
controls-based approach. ERM adds three additional elements to COSO’s IC framework:
setting objectives, identifying events that may affect the company, and developing a
response to assessed risk. As a result, controls are flexible and relevant because they are
linked to current organizational objectives. The ERM model also recognizes that risk, in
addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.
Because it is more comprehensive, the text uses the ERM model to explain internal controls.
If one understands the ERM model, it is easy to understand the IC model, as it is 5 of the 8 components of the ERM model. It is harder to go from understanding the IC model to understanding the ERM model, as the user may not be familiar with the three additional components. The eight ERM components are shown below:

Describe the components of an internal environment.

The internal environment: the company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.

An internal environment consists of the following:
1. Management’s philosophy, operating style, and risk appetite
2. Commitment to integrity, ethical values, and competence
3. Internal control oversight by the board of directors
4. Organizational structure
5. Methods of assigning authority and responsibility
6. Human resource standards that attract, develop, and retain competent individuals
7. External influences.

Describe approaches to assessing and managing risk within an organization.


