Professional Documents
Culture Documents
C ertainly, it is an understate-
ment to say that today’s
audit committee members
have a lot on their plates. A quick
From a big-picture perspective,
there is nothing more important to
an organization’s success — or to
its very survival — than its ability
Are you fully aware of your organi-
zation’s overall risk strategy? Has it
clearly been articulated and have the
risks been made fully transparent to
glance at an audit committee meeting to manage risks. you? Can you affirm that the risk pro-
agenda will reveal far more issues cess is robust, independent, and fully
than can be adequately addressed It has been said that every risk aligned with your organization’s over-
during the few short hours reserved ultimately results in a financial all strategy? Is a risk management
for an audit committee session. It is risk. Surely, that has proven true culture instilled throughout the
likely that audit committee members in many business failures over the entire enterprise?
sometimes leave their meetings years. Failure to pay attention to
feeling less than perfectly satisfied day-to-day activities, changes in Clearly, knowing about and
with the comprehensiveness of the the economy, and the demands of understanding both internal and
information they have received, consumers and regulators have external risks that can potentially
or the thoroughness of their resulted in immeasurable financial impact the organization, and
discussions. losses. And unheeded risks ensuring that these risks are
to an organization’s reputation managed to an optimal level,
Given their broad range of oversight have brought many a company should be top priorities for board
responsibilities, what can audit to its knees. and audit committee members.
committee members do to determine This, in short, is enterprise risk
their agendas and priorities are In a KPMG/National Association of management, or ERM.
appropriate? How can they ensure Corporate Directors survey of public
that the most critical issues rise to company audit committees, 80
the top and subsequently get the percent felt that failure, resulting
attention they deserve? from poor risk management, couldn’t
happen to them. However, 50
percent thought it could happen
to other companies. Could these
statistics point to a blind spot?
1
A Holistic View of Risk
The Audit Committee:
Why ERM is Important
Effective ERM:
2
Trends Toward Integration
T he Conference Board —
the global research
organization best known for
its Consumer Confidence Index and
• Directors today believe
strategic risk, rather than
financial risk, is their key
concern.
Inherent in the ongoing ERM
process are a variety of activities
that help an organization achieve
its performance and profitability
Leading Economic Indicators — • Making ERM oversight targets. These include aligning risk
identified and documented, among improvements is critical to appetite and strategy, enhancing
others, the following trends. These effective governance. Less risk response decisions, reducing
trends support shifting a board’s than half of directors surveyed operational surprises and losses,
focus toward ERM and its integration have access to robust identifying and managing multiple
within the strategic oversight techniques for risk oversight, and cross-enterprise risks, seizing
responsibilities of the board: and the majority do not use a opportunities, and improving
• Evolving legal developments, ranking system as part of their deployment of capital.
such as listing standards and risk assessment process.
regulations, make it prudent for
directors to ensure they have a
ERM helps ensure effective
robust ERM oversight process
reporting and compliance with
in place.
laws and regulations and helps
• An increasing number of prevent losses — whether in the
directors acknowledge they form of revenues or reputation.
must oversee business risk An ERM approach to risk is
as part of their strategy- applicable to any organization,
setting role. regardless of its industry
or sector.
3
A Holistic View of Risk
The Audit Committee:
T he Committee of Sponsoring
Organizations of the Treadway
Commission (COSO) states that ERM
is a process, effected by an entity’s board of
directors, management, and other personnel,
applied in strategy setting and across the
enterprise, designed to identify potential
events that may affect the entity, and
manage risk to be within its risk appetite,
to provide reasonable assurance regarding
the achievement of entity objectives.
COSO
4
COSO’s Framework
CE
G
IC
TI
TI
I
R
AT
PL
RA
EP
PE
CO
ST
R
O
INTERNAL ENVIRONMENT
BUSINESS UNIT
SUBSIDIARY
OBJECTIVE SETTING
ENTITY LEVEL
DIVISION
EVENT IDENTIFICATION
RISK ASSESSMENT
RISK RESPONSE
CONTROL ACTIVITIES
MONITORING
5
A Holistic View of Risk
The Audit Committee:
Risk Inventory
COSO’s ERM Framework was designed for global application, and many organizations
in countries around the world have embraced it and use it as a basis for their risk
management efforts.
6
Who’s Responsible
7
A Holistic View of Risk
The Audit Committee:
Internal Auditing and the
Audit Committee
8
Internal Auditing’s Value to the ERM Process
����
�
���
���
������
������
���
����
�����������������
������
�����
����
���
��
���
���
���������������
�
����
����
��
���
�������
������
� ��
���
����
���
����
���
��
��
��
�� � �
���
���
����
���
����
��
������
��
���
�
����
�����
���
��
����
���
���
���
���
����������������
��
���
� ��
����
�
�
���
���
��
��
��
�� �
���
���
��
���
���
��
��
����
��
��� ��
��
���
��� ���
����
��
��
�� �
���
����
�� �
��
�� �
����
�� �
�
�
���
�
���
���
���
��� ���
� ��
� ��
��
���
����
���
��
��
���
���� ��� � �
��
� �
�����
��
����
�
��� ��� �
�
��� � ����
��
�� �
���� �� ����
�
������ ��� ���� ���
������ ���� ��� �������
������
������� � � � �����
�
������ ������
������ �����
�������
������ � � � �� �������
� ���
���������������� ����� ���������������
�
�����������������
�������������� ������������������
FREE SUBSCRIPTION
The IIA’s guidance staff is available to respond to your questions about ERM and other
governance issues. For more information, contact guidance@theiia.org at The IIA’s global
headquarters. Also visit the professional guidance section of The IIA’s Web site at
www.theiia.org for additional resources on risk, internal control, and governance.
10
T HE INSTITUTE OF INTERNAL
AUDITORS (IIA) is the acknowledged
leader, recognized authority and
chief educator for the profession worldwide.
The IIA presents leading-edge conferences
and seminars for professional development;
promotes quality assurance and improvement;
provides benchmarking; and creates growth and
Established in 1941, The IIA has 246 affiliates networking opportunities for specialty groups.
around the world and serves more than 130,000
members in internal auditing, risk management, The IIA Research Foundation produces forward-
governance, internal control, IT auditing, thinking educational products and works in
education, and security in 160 countries. partnership with experts from around the globe
conducting valuable research projects on the
The world’s leader in certification, education, top issues affecting the business world today.
research, and technical guidance for the The IIA also brings great value to its members
profession, The Institute sets the International through Internal Auditor, the award-winning
Standards for the Professional Practice professional magazine, and other outstanding
of Internal Auditing and provides leading-edge periodicals that address the profession’s most
guidance. Serving as internal auditing’s global pressing issues and challenges and present
professional association, The IIA certifies viable solutions and exemplary practices.
professionals through the stringent Certified
Internal Auditor® (CIA®) program and specialty As the global voice of the profession, The IIA
certification programs, such as the Certification promotes quality, professionalism, effective
in Control Self-Assessment (CCSA®), Certified governance, ethical business practices, and
Government Auditing Professional (CGAP®), world-class internal auditing. Dedicated to
and Certified Financial Services Auditor (CFSA®). providing extensive support and services to
help internal auditors add value across the
board, The Institute delivers best-practice
guidance and information to internal audit
practitioners, executive management, boards
of directors, and audit committees all around
the world.
06544 – MF/GD