SARBOX ALERT
May 2005, Volume 1, Issue 5

In this issue...

Focus: The COSO-ERM Risk Framework

Articles
• Industry News - page 1
• Using COSO-ERM in Your Sarbox Program - page 1
• Understanding Your Company's Appetite for Sarbox-Related Risk - page 1

Sarbox Project Templates
• Reference: The 8 Components of COSO-ERM - page 4
• Visual Aid: Comparing COSO and COBIT - page 4
• Checklist: Are You Ready for COSO? - page 5
• Roles and Responsibilities Chart: Enterprise Risk Management - page 5
• Questionnaire: Is this too Risky? - page 5
• Crossword Puzzle: COSO-ERM - page 7

Feature Articles

Using COSO-ERM in Your Sarbox Program

The Sarbanes-Oxley Act of 2002 requires CEOs and CFOs to employ an industry-recognized framework when assessing the adequacy of controls on financial reporting. Neither the Act nor the Securities and Exchange Commission (SEC), which has oversight responsibilities for the Act, has specified the framework to use. So what are the most popular frameworks? Why was the COSO-ERM framework designed, and is it right for your company?

Financial disciplines favor the original COSO framework, which was designed as a tool for evaluating internal control systems and to provide a common basis for management teams, directors, regulators, and others to better understand and effectively communicate enterprise risk management. Designed with an emphasis on fiduciary controls, it was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

(continued next page — see COSO-ERM)

Understanding Your Company's Appetite for Sarbox-Related Risk

No company can avoid risk. Likewise, no company can afford to take every measure necessary to avoid every risk. Sometimes, management must simply choose to accept the possibility that something bad will happen.

Do you know what potential problems your Board of Directors and executive management team have chosen to ignore? Do you know which ones they are managing by putting in place controls to either prevent the problem or to reduce its impact should it occur? Do you know what risks they expect you to address yourself, should they arise?

In the best of all worlds, you should know. Senior leadership in your company will have identified potential issues and will have communicated their attitude toward risk. They will have shared their risk management plans and will have outlined unambiguous roles and responsibilities for identifying problems, choosing risk management strategies, designing controls, and implementing control activities. You will know what you are empowered to address.

What if you don't live in that best of all possible worlds? How do you go about understanding your company's appetite for assuming Sarbox-related risk?

• Your first step is to understand the terms your executives might use in describing risk.

(continued page 4 — see Understanding)

Industry News

Limit C-level Management in Sarbanes-Oxley Reviews, Says AberdeenGroup

A new benchmark report by AberdeenGroup, "Automating SOX Compliance Benchmark Report", concludes that companies that involve much of the organization in their SOX review process are experiencing lower costs and increased profits. By contrast, companies that limit SOX reviews to a small group of senior management have the worst performance records.

PCAOB Proposes Internal Control Standard

What is a company to do when it identifies a material weakness and then eliminates it? Section 404 of the Sarbanes-Oxley Act of 2002 requires public companies to include an assessment of the company's internal control over financial reporting in its financial reports. The company's independent auditor must attest to, and report on, management's assessment.

Sometimes management's assessment of the company's internal control reveals that the company has one or more material weaknesses, which are serious defects in the company's internal control over financial reporting.

Currently, if the company eliminates a material weakness, it is required only to disclose that information. Investors and companies, however, have sometimes sought assurance from the company's independent auditor that it supports management's assertions about those internal control improvements. The PCAOB, therefore, has proposed a standard providing a new option for corporations and auditors to report on corrections to "material weaknesses."

(continued on page 6 — see Industry News)

© Copyright 2005 RiskCenter, LLC. Published bi-weekly. Federal copyright law prohibits duplication or reproduction in any form, including electronic, without express permission by the publisher.
Page 3

Using COSO-ERM – continued from previous page

The COSO framework is designed to help companies meet three objectives: economy and efficiency of operations (this includes achieving performance goals and safeguarding assets against loss); reliable financial and operational data and reports; and compliance with laws and regulations. The framework contains five control components needed to help assure sound business objectives:

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring.

The first problem with COSO is that it doesn't meet the needs of IT. It simply doesn't contain enough technical categories of areas to control – much less the guidance for how to control them – to serve as a framework for Data Management and Information Technology Departments. The COBIT framework fills this need.

COBIT (Control Objectives for Information and Related Technologies) is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. COBIT addresses information quality and security requirements in seven overlapping categories: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information.

These categories form the foundation of COBIT's 34 control objectives. Companies employing COBIT approach IT control by considering the information needed to support business requirements, then applying controls to the IT resources and processes used to deliver, manage, and monitor that information. These companies find that COBIT – especially if supplemented with specific security standards such as ISO 17799 – is adequate to organize Information Technology efforts for Sarbox compliance.

So if Finance Departments like COSO and IT groups like COBIT, and COSO and COBIT work well together, what's missing?

For some companies, it's the executive viewpoint. In its presentation, "Applying COSO's Enterprise Risk Management — Integrated Framework," the Institute of Internal Auditors explains why a focus on Enterprise Risk Management is important to corporate leaders:

    Every entity, whether for-profit or not, exists to realize value for its stakeholders. Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

    ERM supports value creation by enabling management to:
    • Deal effectively with potential future events that create uncertainty.
    • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

    This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

How your corporate management chooses to go about the business of realizing value for its stakeholders is the key to whether COSO-ERM is right for your organization. Some management teams are comfortable taking a very structured approach to identifying and evaluating their opportunities and risks. They enjoy defining what they have to work with, what they're trying to accomplish, what threatens their vision, and what risks they must face along the way. For executive teams that prefer an ultra-structured approach, some aspects of risk management can resemble a really complicated mathematical problem – one that is complex, but solvable, given the right information and formulas. For such teams, COSO-ERM can be an excellent tool.

For other management teams with different management styles and preferences, taking a structured approach to Enterprise Risk Management may seem like… well, a really complicated mathematical problem, and an unnecessary headache.

Every manager at every level of the business manages risk. That's a given. And learning about COSO-ERM should add to every manager's risk management toolset. But employing a formal Enterprise Risk Management approach to Sarbox compliance requires a top-down, executive-driven push. So… in math class, did your execs show their work? Did they work the geometry theorems carefully, showing each step? Or did they provide an answer and argue with the teacher that how they got it was their own business?

If you find that COSO-ERM is right for your company, you're probably going to really like it. It's a post-Sarbox framework built on the original COSO framework. COSO-ERM expands and elaborates on elements of internal control as set out in the original COSO control framework. It also provides a new component, objective setting, which is a prerequisite for internal control. It also expands other areas. The new COSO-ERM framework consists of eight components:

• Internal control environment (from original COSO)
• Objective setting (new component)
• Event identification (new component)

(continued next page — see COSO-ERM)

SARBOX ALERT
Single year subscription: $495.
Group subscription inquiries: 212.825.1525
Advertising: Contact Igor Lamser at 212.825.1525
Publisher: Igor Lamser
Editor-In-Chief: Gwen Thomas
Editorial Office: 82 Wall Street, Suite 707, New York, NY 10005
phone: 212.825.1525 fax: 212.825.1530
Page 4

Using COSO-ERM – continued from previous page

• Risk assessment (from original COSO)
• Risk response (new component)
• Control activities (from original COSO)
• Information and communication (from original COSO)
• Monitoring (from original COSO).

Taken together, these eight components form a framework for managing internal controls and control activities while taking a risk management approach to running your business and managing your financial data.

For more information about COSO, see the Sarbox Project Templates "Reference: The Eight Components of COSO-ERM" and "Visual Aid: Comparing COSO and COBIT." Both are stand-alone Microsoft Word documents.

Understanding – continued from page 1

• Risk appetite is the amount of risk — on a broad level — that your company is willing to accept in pursuit of value.
• Risk tolerance, a related concept, means the acceptable level of variation around objectives. That is, if an executive's stated objective is to "make sure an issue won't occur," what does that really mean? How sure is sure enough?
• Residual risk is the risk that is left over after you've put in place controls to reduce the risk.
• Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Your second step is to try to understand the general risk appetite of your executives and board. They may make it easy for you by employing quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk) in corporate communications to discuss their risk appetites. Or, you may have to reach your own conclusions about their risk appetites. Try asking the following questions.

• What risks do you know the organization will not accept? (For example, will they tolerate causing an environmental spill or delivering spoiled products?)
• What risks has the organization demonstrated it is willing to take during new initiatives? (For example, how tolerant are they of failures when testing a new product line? Do they make assumptions about customer wishes? Would they merge with another company without fully understanding its internal practices?)
• What risks will the organization accept in reaching compromises for competing objectives? (For example, gross profit vs. market share?)

Your third step to understanding your company's appetite for Sarbox-related risk is to understand the types of Sarbox-related risk. Your company may have a different tolerance for each type of risk.

The risk of failing the audit. What does your company believe will be the worst thing that would happen to it if it receives an adverse opinion from its outside auditors? Some companies have been treating this scenario as completely unacceptable. As a result, they have gone to great effort to understand their auditor's expectations and to meet them. Other companies, on the other hand, either didn't believe they were much at risk or weren't worried about the consequences. They've done the minimum effort, in their minds, to comply with Sarbanes-Oxley. Dips in stock price as a result of a potential failure, they might have reasoned, would be easier to deal with than the pain of a full-out compliance effort.

The risk of being delisted. It's hard to imagine a publicly-traded company being willing to risk losing the privilege of having its stock traded on a major exchange, especially if the way to avoid this risk is simply to comply with easy provisions such as implementing a confidential whistleblower's hotline. You can probably expect that your company has zero tolerance for this risk.

(continued next page — see Understanding)
Page 5

Understanding – continued from previous page

The risk that your CEO or CFO will go to jail. Your gut reaction may be that no executive is willing to risk prison time when that risk could be avoided. You'd probably be right for the overwhelming majority of executives. They're going to certify the company financial statements as required, and they're going to put the company through enough exercises that the execs will have a good defense that they believed they were telling the truth when they certified those statements. They will have asked corporate counsel for an opinion on the meaning of the word "willfully" in the section of the Act that significantly increases the penalties should the exec willfully misrepresent financial statements.

It would be foolish to assume, however, that no executive is going to risk going to jail under the Sarbanes-Oxley provisions. After all, most executives are risk takers – that's how they've risen so far up the corporate ladder. They may have decided that plausible deniability would work for them, should a problem arise. They may be betting that, barring actual fraud, prosecutors wouldn't bother with prosecuting execs who were mistaken when they signed Sarbox attestations. Or, they may have taken provisions you wouldn't be aware of to reduce their chances of being convicted, should they be charged with a violation.

Question: What's the first step every CFO should take as part of the company's Sarbox preparation program?
Answer: Apply for a passport.

Your Board of Directors has also probably assessed the risk that your CEO and/or CFO are crooks who would gladly risk jail time in return for bilking the company of enough money and/or perks. If your executives are still in place, you can assume that: a) the Board decided to accept the risk, or b) the Board has decided its internal control system is strong enough that larcenous executives couldn't succeed, or c) the Board is VERY trusting.

The risk of overspending to avoid a failed audit. In retrospect, many companies are now confessing that they feel they might have over-prepared for Sarbanes-Oxley. Are your execs making this sort of statement? If so, what are they saying they'll do differently this next year? Will they do less? Do the same but spend less doing it? Will increases or decreases in their allocation of Sarbox resources be uniformly applied, or can you still expect deep dives in certain areas?

The risk of spending attention on Sarbox that needs to go elsewhere. Many companies felt they had no choice last year but to give Sarbox as much attention as it needed. They may be planning to change this approach going forward.

The risk of being sucked into a painful program. If your company is resisting employing a formal Enterprise Risk Management program, even if it looks like a good fit for the company, this may be why. COSO-ERM requires execs to deal with a portfolio of risks rather than individual standalone issues. Someone must assess exposure levels, business impacts, cost requirements, and resolution priority and importance. In taking these steps, differences of opinion will surface about the importance of individual risks and how to manage them. Viewpoints will no doubt differ dramatically based on individuals' agendas, backgrounds, roles, and where they are placed in the organization. Your execs may simply feel they need a year off from such drama.

Is COSO-ERM right for your organization? See the Sarbox Project Template "Checklist: Are You Ready for COSO?," a stand-alone Microsoft Word document. Want some questions to use as a starting point for discussing risk within your organization? Check out "Questionnaire: Is this too Risky?" Want to know who should do what if you do implement COSO-ERM at your organization? It's spelled out in "Roles and Responsibilities Chart: Enterprise Risk Management".
Page 6

Industry News – continued from page 1

The proposed standard would establish a voluntary, stand-alone engagement, performed only at the request of the company. The comment period for the proposed standard is 45 days. Any final standard adopted will be submitted to the Securities and Exchange Commission for approval.

SOX Accounting Expensive for Fortune 1000 Firms

According to two University of Nebraska at Omaha accounting faculty, Sarbanes-Oxley compliance costs keep rising. Fortune 1000 companies' auditing costs have increased by $1.4 billion collectively so far, and much of this increase is in response to Sarbanes-Oxley. Accounting professors Susan Eldridge and Burch Kealey have helped develop an automatic text-mining and data extraction technique that they say makes hundreds of hours of data collection manageable. With the latest figures reported, as of April 27, 633 Fortune 1000 firms have reportedly paid more than $3.6 billion for their 2004 audits, compared to $2.2 billion in 2003.

Deloitte & Touche, SEC Settle

Deloitte & Touche LLP issued the following statement on April 26 regarding the settlement announced between Deloitte & Touche LLP and the United States Securities and Exchange Commission:

    Deloitte & Touche LLP announced today it is pleased to have reached settlements related to the 2000 audit of Adelphia and the 1998 audit of Just For Feet. Each of these cases involves a consent decree, signed by Deloitte & Touche LLP, in which it neither admits nor denies wrongdoing. These two settlements are the first enforcement cases for Deloitte & Touche LLP since Deloitte & Touche was formed by combination in 1989. Deloitte & Touche LLP believes that the settlements are in the best interest of its people, clients and the organization.

    As a condition of the Adelphia settlement, Deloitte & Touche LLP will pay a $25 million penalty, plus a $25 million contribution to a fund to compensate Adelphia shareholders and debt holders. Deloitte & Touche LLP also has agreed on steps for enhancing audit quality for its clients. As part of the settlement on Just For Feet, there will be a payment of $375,000 to the U.S. Treasury. Neither of the settlements restricts Deloitte & Touche LLP's ability to provide services to new or existing clients.

    In both the Adelphia and Just For Feet cases, the primary basis of the SEC's claim is that the wrongdoing by the client and certain members of its management should have been uncovered, despite their collusion in some instances with others specifically to deceive the external auditors. The client and certain of its senior executives and others deliberately misled Deloitte & Touche LLP through the financial information they provided. In the case of Adelphia, certain executives were found guilty of fraud, while in the case of Just For Feet, certain executives and third party vendor employees agreed to plead guilty to fraud charges.

Next Issue: Security Planning

Articles:
• Planning to Address Critical Sarbox Security Concerns
• Aligning Your Security and Sarbox Efforts

Sarbox Project Templates:
• Reference: The Seven Information Quality Criteria
• Flowchart: Assigning Governance and Controls to Security Risks
• Checklist: Assigning Accountability for Security Risks
• Checklist: Common Security Controls
• Roles and Responsibilities Chart: Aligning Security and Sarbox

Sarbox Project Templates

Sarbox Project Templates to complement the topics covered in this issue's features are available as stand-alone Microsoft Word documents.
• Reference: The Eight Components of COSO-ERM
• Checklist: Are You Ready for COSO?
• Roles and Responsibilities Chart: Enterprise Risk Management
• Visual Aid: Comparing COSO and COBIT
• Questionnaire: Is this too Risky?
• Crossword Puzzle: COSO-ERM
Page 7

Sarbox Project Template
Crossword Puzzle: The COSO-ERM Framework

[The puzzle grid is an image and is not reproduced here; only the clues survive.]

Across
1. A place your CEO doesn't want to go
4. Public Company Accounting Oversight Board
5. Type of controls emphasized in the COSO framework
6. ___ ___: A new component in COSO-ERM that helps define goals.
8. Risk ___: the acceptable level of variation around objectives

Down
2. Risk ___: Has nothing to do with food.
3. The E in COSO-ERM
7. The C in COBIT

Created with EclipseCrossword (www.eclipsecrossword.com)