COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes, 2nd edition, by Robert Moeller (ISBN 1118954874, 9781118954874)

Product details:
ISBN 10: 1118954874
ISBN 13: 9781118954874
Author: Robert Moeller
Using the COSO ERM (Committee of Sponsoring Organizations Enterprise Risk Management) framework model, this book discusses the importance of understanding the various risks facing the many aspects of business operations. It will help professionals develop and follow an effective risk culture. In addition, it shows why compliance with well-recognized and mandated standards is important for every organization, and how a corporation can demonstrate that it is following best practices and is in conformity with regulatory rules. New topics discussed include: (a) the PCAOB's (Public Company Accounting Oversight Board's) release of AS5, which calls for enterprises to perform top-down risk analyses of their own internal controls as a major step toward SOx compliance; (b) ISACA's (Information Systems Audit and Control Association's) recently revised CobiT (Control Objectives for Information and Related Technology), with a major emphasis on understanding risk when evaluating and assessing IT and enterprise internal controls, and the importance of understanding risks when using CobiT; (c) the recently released Institute of Internal Auditors (IIA) Standards, which specify that internal auditors must assess risks when performing their internal audits; (d) ISO 31000, a standard on risk management; and (e) the AICPA's recently released Risk Assessment Standards for private companies.
COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes, 2nd edition. Table of contents:
CHAPTER 1 Introduction: Enterprise Risk Management Today
The COSO Internal Controls Framework: How Did We Get Here?
The COSO Internal Controls Framework
EXHIBIT 1.1 COSO Internal Controls Framework
COSO Internal Control Elements: The Control Environment
EXHIBIT 1.2 Code of Conduct Topics Example
COSO Internal Control Elements: Risk Assessment
Other COSO Internal Control Components and Activities
COSO Internal Controls: The Principal Recognized Internal Controls Standard
An Introduction to COSO ERM
Governance, Risk, and Compliance
Global Computer Products: Our Example Company
EXHIBIT 1.3 Example Company Background: Global Computer Products
EXHIBIT 1.4 Global Computer Products Corporate Risks Summary
NOTES
CHAPTER 2 Importance of Governance, Risk, and Compliance Principles
Road to Effective GRC Principles
EXHIBIT 2.1 GRC Concepts
Importance of GRC Governance
EXHIBIT 2.2 GRC Governance Concepts
Risk Management Component of GRC
EXHIBIT 2.3 GRC Risk Management Processes
GRC and Enterprise Compliance
EXHIBIT 2.4 Scope of Compliance Architectures Considerations
Importance of Effective GRC Practices and Principles
CHAPTER 3 Risk Management Fundamentals
Fundamentals: Risk Management Phases
Risk Identification
EXHIBIT 3.1 Sample Types of Enterprise Business Risks
EXHIBIT 3.2 Risk Identification Brainstorming Approaches
Key Risk Assessments
EXHIBIT 3.3 Risk Assessment Analysis Chart
Probability and Uncertainty
Period of Analysis
Risk Interdependencies
EXHIBIT 3.4 Risk Interdependency Hierarchy
Risk Ranking
EXHIBIT 3.5 Risk-Ranking Chart Example
Quantitative Risk Analysis: Expected Values and Response Planning
EXHIBIT 3.6 Risk-Ranking Response-Planning Example
Other Risk Assessment Techniques
The Delphi Method
Monte Carlo Simulation
EXHIBIT 3.7 Monte Carlo Risk Simulation Process Chart
Decision Tree Analysis
EXHIBIT 3.8 Decision Tree Analysis Example
NOTE
CHAPTER 4 COSO ERM Framework
ERM Definitions and Objectives: A Portfolio View of Risk
COSO ERM Framework Model
EXHIBIT 4.1 COSO ERM Framework
COSO ERM Components: Internal Environment
EXHIBIT 4.2 Energex Compliance and Risk Management Statement
EXHIBIT 4.3 Risk Appetite Map
COSO ERM Components: Objective Setting
EXHIBIT 4.4 Corporate Mission Statement Examples
EXHIBIT 4.5 Global Computer Products Corporate Risks Summary
EXHIBIT 4.6 Example Mission Statement: Global Computer Products
EXHIBIT 4.7 COSO ERM Risk Objective Setting Components
EXHIBIT 4.8 Risk Monitoring Dashboard Display Example
COSO ERM Components: Event Identification
EXHIBIT 4.9 Risk Likelihood and Impact Mapping Example
COSO ERM Components: Risk Assessment
EXHIBIT 4.10 Risk Response Planning Worksheet
COSO ERM Components: Risk Response
EXHIBIT 4.11 Portfolio View of Risk Summary
COSO ERM Components: Control Activities
EXHIBIT 4.12 Information and Communication Flows Across ERM Components
COSO ERM Components: Information and Communication
EXHIBIT 4.13 Information and Communication Flows
COSO ERM Components: Monitoring
Other Dimensions of the ERM Framework
NOTES
CHAPTER 5 Implementing ERM in the Enterprise
Roles and Responsibilities of an Enterprise Risk Management Function
EXHIBIT 5.1 Enterprise Risk Organization Responsibilities
CRO Responsibilities
EXHIBIT 5.2 Chief Risk Officer (CRO) Position Description
Risk Management Enterprise Governance and Oversight
ERM Activity Scope and Review Planning
EXHIBIT 5.3 Risk Activity Scope: Global Computer Products
EXHIBIT 5.4 Annual Risk Action Plan Example
Risk Management Policies, Standards, and Strategies
EXHIBIT 5.5 Content Management Risk Awareness Guidelines
EXHIBIT 5.6 Global Computer Products Risk Management Organization
EXHIBIT 5.7 Risk Assessment Sign-Off Acknowledgment Form
Business, IT, and Risk Transfer Processes
Risk Management Reviews and Corrective Action Practices
EXHIBIT 5.8 Risk Assessment Review and Internal Audit Report Comparison
EXHIBIT 5.9 RAR Sample Review Guidance
EXHIBIT 5.10 Sample RAR Report: San Jose Receiving and Inventory
ERM Communications Approaches
EXHIBIT 5.11 Risk Awareness Newsletter Example
CRO and an Effective Enterprise Risk Management Function
NOTES
CHAPTER 6 Importance of Strong Enterprise Governance Practices
History and Background of Enterprise Governance: A U.S. Perspective
EXHIBIT 6.1 Principal Agent Model
Enterprise Integrity and Ethical Behavior
First Steps: Developing a Mission Statement
Codes of Conduct
Communications to Stakeholders and Assuring Compliance
Disclosure and Transparency
Rights and Equitable Treatment of Shareholders and Key Stakeholders
EXHIBIT 6.2 Enterprise Governance Disclosure Policies
Governance Role and Responsibilities of the Board
Governance as a Key Element of GRC
EXHIBIT 6.3 Roles and Responsibilities of the Board of Directors
CHAPTER 7 Enterprise Compliance Issues Today
Compliance Issues Today
Establish a Compliance Assessment Team
EXHIBIT 7.1 Corporate Compliance Statement: Bayer Group
Compliance Risk Assessments and Compliance Program Reviews
EXHIBIT 7.2 Enterprise Rules versus Compliance Options
Work Unit–Level Compliance Tracking and Review Processes
Internal Audit Compliance Reviews
EXHIBIT 7.3 Major U.S. Department of Labor Compliance-Related Laws
Compliance Self-Audits
Compliance-Related Procedures and Staff Education Programs
EXHIBIT 7.4 Process Flowchart Example: Management Review
Enterprise Hotline Compliance and Whistleblower Support
EXHIBIT 7.5 Process Flowchart Hierarchy: Performing an Internal Audit
EXHIBIT 7.6 Guidelines for Setting Up a Compliance Call Center
Assessing the Overall Enterprise Compliance Program
NOTES
CHAPTER 8 Integrating ERM with COSO Internal Controls
COSO Internal Controls Background and Earlier Legislation
Foreign Corrupt Practices Act of 1977
FCPA Aftermath: What Happened?
Efforts Leading to the Treadway Commission
AICPA and CICA Commissions on Auditor Responsibilities
SEC 1979 Internal Control Reporting Proposal
Minahan Committee and Financial Executives Research Foundation
Earlier AICPA Auditing Standards: SAS No. 55
Treadway Committee Report
COSO Internal Controls Framework
COSO Internal Controls Framework Model
EXHIBIT 8.1 COSO Internal Controls Framework
COSO Internal Control Elements: The Control Environment
COSO Internal Control Elements: Risk Assessment
COSO Internal Control Elements: Control Activities
COSO Internal Control Elements: Communications and Information
COSO Internal Control Elements: Monitoring
COSO Internal Controls and COSO ERM: Compared
NOTES
CHAPTER 9 Sarbanes-Oxley and Enterprise Risk Management Concerns
Sarbanes-Oxley Act Background
SOx Legislation Overview
Public Company Accounting Oversight Board and AS5
EXHIBIT 9.1 Sarbanes-Oxley Act Key Provisions Summary
Section 404: Management’s Assessment of Internal Controls
Identifying Key Processes to Launch a Section 404 Compliance Review
Launching and Organizing a Section 404 Internal Controls Review
EXHIBIT 9.2 Section 404 Compliance Review Work Breakdown Structure
EXHIBIT 9.3 Process Review Selection Guidelines
EXHIBIT 9.4 Payroll Distribution Process Flowchart Example
EXHIBIT 9.5 Accounts Payable Process Review Procedures
Enterprise Risk Management and SOx Section 404 Reviews
Section 302: Corporate Responsibility for Financial Reports
EXHIBIT 9.6 SOx Section 302 Sample Officer Disclosure Sign-Off
Financial Officer Codes of Ethics or Conduct
Internal Controls Reporting and Materiality
PCAOB Risk-Based Auditing Standards
EXHIBIT 9.7 PCAOB Risk Standards Summary: AS8 through AS15
Sarbanes-Oxley: The Other Sections
SOx and COSO ERM
NOTES
CHAPTER 10 Corporate Culture and Risk Portfolio Management
Whistleblower and Hotline Functions
U.S. Federal Whistleblower Rules
Launching the Enterprise Help or Hotline Function
Risk Portfolio Management
Managing Risks by Portfolios
EXHIBIT 10.1 Types of Risks Facing an Enterprise
Modern Portfolio Theory
Integrated Enterprise-Wide Risk Management
EXHIBIT 10.2 NIST ERM Approach
NOTES
CHAPTER 11 OCEG Capability Model GRC Standards
GRC Capability Model “Red Book”
EXHIBIT 11.1 OCEG GRC Capability Model
OCEG’s Principled Performance Concept
GRC Capability Context and Culture Elements
GRC Capability Organize and Oversee Elements
GRC Capability Assess and Align Elements
EXHIBIT 11.2 GRC Subpractices Example: O2.4 Define and Enable GRC Rules
GRC Capability Prevent and Promote Elements
GRC Capability Detect and Discern Elements
GRC Capability Response and Resolve Elements
GRC Capability Monitor and Measure Elements
GRC Capability Inform and Integrate Elements
Other OCEG Materials: The “Burgundy Book”
Level and Scope of the OCEG Standards-Setting Authority
CHAPTER 12 Importance of GRC Principles in the Board Room
Board Decisions and Risk Management
Board Organization and Governance Rules
Corporate Charters and the Board Committee Structure
Audit Committees and Managing Risks
EXHIBIT 12.1 Waste Technology Corporation 2009 Audit Committee Charter
Establishing a Board-Level Risk Committee
EXHIBIT 12.2 Example Board Risk Committee Charter: Global Computer Products
Requirements for a Risk Committee Board Member
EXHIBIT 12.3 Board Member Risk Committee Knowledge Requirements
Audit and Risk Committee Coordination
EXHIBIT 12.4 Audit Committee and Risk Committee Coordination
COSO ERM and Corporate Governance
NOTES
CHAPTER 13 Role of Internal Audit in Enterprise Risk Management
Internal Audit Standards for Evaluating Risk
COSO ERM for More Effective Internal Audit Planning
Using COSO ERM to Build an Annual Audit Plan
Risk Tolerance and Building Internal Audit Plans
Example Risk-Based Audit Plan: Global Computer Products
Identify Auditable Entities within Internal Audit’s Scope and Capabilities
Redefine and Rank Risks
EXHIBIT 13.1 Global Computer Products San Jose Development Auditable Entities
Building a Risk-Based Internal Audit Plan
EXHIBIT 13.2 Global Computer Products Risk-Ranked Audit Entities
Execute Plan and Monitor Performance
Risk-Based Internal Audit Findings and Recommendations
COSO ERM and Internal Audit
NOTES
CHAPTER 14 Understanding Project Management Risks
Project Management Processes
PMBOK® Guide: A Guide to the Project Management Body of Knowledge
PMBOK® Guide’s Project Manager Risk Management Approach
EXHIBIT 14.1 PMBOK® Guide Project Risk Management Overview
Risk Management Planning
EXHIBIT 14.2 Project Plan Risk Breakdown Structure
Risk Identification
EXHIBIT 14.3 Project Planning Risk Register Control Report
Qualitative Risk Analysis
EXHIBIT 14.4 Risk Impact Matrix
Quantitative Risk Analysis
Risk Response Planning
EXHIBIT 14.5 Project Management Decision Tree Analysis
Risk Monitoring and Control
Project-Related Risks: What Can Go Wrong
EXHIBIT 14.6 Integrating Project Risk with Other Management Functions
EXHIBIT 14.7 Project Risk in a Project Life Cycle
Implementing ERM for Project Managers
EXHIBIT 14.8 Typical Project Risks
Embracing Project Management Standards
EXHIBIT 14.9 Steps to Build a Project Management Organization
Establishing a Program Management Office
NOTES
CHAPTER 15 Information Technology and Enterprise Risk Management
IT and the COSO ERM Framework
EXHIBIT 15.1 IT General and Application Controls Examples
IT Application Systems Risks
Application Development and Acquisition Risks
System Development Life Cycle Waterfall Development Processes
EXHIBIT 15.2 SDLC Waterfall Model
EXHIBIT 15.3 Minimizing SDLC Risks Checklist
Purchased Software Application Risks
In-House Developed Software Application Risks
EXHIBIT 15.4 Purchased Software Contract Guidelines to Reduce Risks
Software and Application Systems Testing
Internal Controls and System Balancing Procedures
Effective IT Continuity Planning
EXHIBIT 15.5 Business Continuity Plan Requirements
Worms, Viruses, and System Network Risks
IT and Effective ERM Processes
NOTES
CHAPTER 16 Establishing an Effective GRC Culture throughout the Enterprise
First Steps to Establishing a GRC Culture: An Example
Promoting the Concept of Enterprise Risk
Defining the Risk Management Philosophy
EXHIBIT 16.1 Management GRC Philosophy: Global Computer Products
Translating a Risk Philosophy into a Culture
EXHIBIT 16.2 Relative Risks versus Expected Returns
Establishing Enterprise-Wide Governance Awareness
Understanding the GRC Environment
Ethics-Related Findings from Past Reviews or Special Audits
Employee and Stakeholder Ethics Attitude Surveys
EXHIBIT 16.3 Ethics and GRC Attitude Survey Questions
Summarizing Ethics Survey Results: Do We Have a Problem?
Enterprise Codes of Conduct
The Contents: What Should Be the Code’s Message?
Communications to Stakeholders and Assuring Compliance
Building a GRC Culture: Risk, Governance, and Compliance Education Programs
EXHIBIT 16.4 Understanding Risk Management Course Outline
Keeping the GRC Culture Current
NOTES
CHAPTER 17 ISO 31000 and 38500 Risk Management Worldwide Standards
ISO Standards-Setting Process
Understanding ISO 31000
Role of ISO 31000 Enterprise Risk Management
EXHIBIT 17.1 ISO 31000 Framework for Managing Risks
ISO 31000 Risk Management Definitions
EXHIBIT 17.2 ISO 31000 Risk Management Processes
ISO 38500: The Corporate Governance of IT
EXHIBIT 17.3 ISO 31000 Risk Management Terminology
Implementing an ISO Standard
NOTES
CHAPTER 18 ERM and GRC Principles Going Forward
ERM and GRC for the Internal Controls Professional
FEI Guidance for GRC and COSO ERM Issues
The IIA and GRC
ISACA, ITGI, and GRC
AICPA: GRC and COSO ERM
COSO’s Ongoing Support Role
COSO ERM and GRC Future Prospects
NOTES
Back Matter
About the Author
Index


