Chapter 12: The Risk Intelligent Enterprise, Enterprise Risk Management
ACCOUNTING INFORMATION SYSTEMS: The Crossroads of Accounting & IT
© Copyright 2012 Pearson Education. All Rights Reserved.


Page 2

When You Need Advice About Enterprise Risk Management, Whom Do You Call?

Meet the CFO.

Page 3

83% of chief financial officers advise on risk mitigation.

Page 4

72% of chief financial officers advise regarding IT.

Page 5

The SEC acknowledged that the root cause of the recent economic downturn was lack of risk management competency in corporate America.

Page 6

Enterprise Risk Management

Enterprise risk management (ERM) goes beyond security and controls.

It is not possible to develop security and controls to address every threat that an enterprise might face.

Identifying, assessing, and mitigating risks has been shown to produce better business performance.


Page 10

Risk Intelligence

The risk intelligent enterprise moves beyond security and controls to managing risk and then to using risk to create value.

Risk intelligence can be categorized into:

1. Unrewarded risks: no positive payoff; only a downside or negative result is associated with the risk. Example: the risk of unauthorized access and theft of confidential customer credit card information.

2. Rewarded risks: possibility of a positive payoff. Example: risks associated with a business acquisition or merger.

Page 11

ERM

Three rings:

IT controls

Internal controls

Enterprise risk management

Page 12

ERM

IT controls can be viewed as three zones:

Entity-level controls for top management

Application controls for business processes

IT general controls for IT services

Page 13

COSO defines ERM as: "Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives" (COSO, 2004).

Page 14

ERM Cube

Three dimensions to the ERM cube:

ERM units

ERM objectives

ERM components

The COSO ERM framework encompasses the COSO internal control framework.

Page 15

ERM Units

Enterprise units may consist of:

Entity-level units

Divisions

Business units and/or

Subsidiaries

Page 16

ERM Objectives

The ERM framework specifies four categories of an enterprise's objectives:

Strategic objectives relate to goals that support the entity's mission.

Operational objectives relate to the effective and efficient use of the entity's resources.

Reporting objectives relate to the reliability of the enterprise's reporting, both internal and external.

Compliance objectives relate to the entity's compliance with all applicable laws and regulations.

Page 17

ERM Components

The COSO enterprise risk management framework consists of eight interrelated components:

Internal environment

Objective setting

Event identification

Risk assessment

Risk response

Control activities

Information and communication

Monitoring

Page 18

Internal Environment

The internal environment relates to the culture of the organization and its risk consciousness.

Influenced by the tone set by top management, the internal environment is also reflected in policies and procedures as well as the organizational structure.

An entity's risk management philosophy affects its risk appetite, the amount of risk it is willing to accept in pursuit of value.

Page 19

Objective Setting

Four types of objectives:

Strategic objectives

Operations objectives

Reporting objectives

Compliance objectives

Risk tolerance is the acceptable level of variation in attaining objectives. For an IT support desk, the objective might be to resolve 100% of client issues during the client's first call. An acceptable variation might be to resolve 85% of client issues on the first call.

Page 20

Event Identification

Event identification involves identifying potential events that might affect the entity.

Events can be either:

External events, such as higher interest rates

Internal events, such as fraud enacted by an employee

Events can be classified as producing:

Negative impacts (risk)

Positive impacts (opportunities)

Page 21

Risk Assessment

A risk is the possibility that an event will occur and negatively impact the entity's ability to achieve its stated objectives.

Risk assessment is the process of assessing the extent to which events would impact an entity's ability to achieve its objectives.

Two aspects to risk assessment:

Impact: the effect that an event will have on the entity's ability to achieve its objectives if the event occurs.

Likelihood: the possibility or probability that a potential event will occur.

Page 22

Risk Assessment

In assessing risk impact, pertinent questions are:

1. What is the asset's value? What is the value of customer payment card data stored in the enterprise database? What is the cost to the enterprise if a hacker steals the payment card information?

2. How much is the asset, such as information, worth to the competition? These assets might include intellectual property, such as the engineering designs for the latest computer chip. What is the value of that intellectual property to the competition?

3. What is the estimated potential loss per threat?

Page 23

Risk Assessment

In assessing risk likelihood, pertinent questions are:

1. What is the possibility or probability of the event (threat) occurring?

2. What is the estimated frequency of the threat occurring?

Possibility may refer to assessing likelihood using qualitative measures, such as high, medium, or low.

Probability may refer to assessing likelihood using a quantitative measure, such as percentages.

Page 24

Risk Assessment

Annual loss potential is estimated by combining the impact and the frequency of the threat.

Example: A salami attack has low impact but high frequency.

Page 25

Risk Response

Four categories of risk response:

Avoidance: avoid or exit the activities that give rise to the risk.

Reduction: actions taken to reduce risk likelihood, risk impact, or both.

Sharing: reduce risk likelihood or risk impact by sharing the risk with another entity, such as car insurance.

Acceptance: no action is taken to affect risk likelihood or risk impact.

Page 26

Control Activities

After an entity has identified risk responses, the next step is to identify the appropriate control activities to ensure that risk responses are implemented as planned.

Examples of control activities include:

performance reviews

physical controls

segregation of duties

Page 27

Information and Communication

Information and communication means identifying, capturing, and communicating information accurately, completely, and in a timely manner to enable employees to carry out their responsibilities, including risk management responsibilities.

An integrated enterprise system can provide management with additional data and information for use in making enterprise risk management assessments and decisions.

Business intelligence capabilities offer management the ability to gain further insights into enterprise risk management.

Page 28

Monitoring

Monitoring is the process of monitoring an entity's enterprise risk management.

Approaches to monitoring include:

Ongoing monitoring of activities that occurs on an ongoing basis, such as weekly reviews.

Separate evaluations, such as an internal audit.

A combination of both ongoing monitoring and separate evaluations.

Page 29

What is Spreadsheet Risk Management?

A significant risk for many enterprises is the widespread use of spreadsheets with limited controls.

A spreadsheet risk management program includes using access and change controls with spreadsheets in order to be SOX compliant.


Page 33

Top Ten Tips For Spreadsheet Risk Management

Tip 1: Inventory all spreadsheets using a global spreadsheet identification system.

Each spreadsheet is assigned a unique spreadsheet ID number (SSID).

Spreadsheets are inventoried in a global SSID log for tracking.

[Figure: Global Spreadsheet Identification (SSID) Log]

Page 34

Top Ten Tips For Spreadsheet Risk Management

Tip 2: Assign risk for each inventoried spreadsheet by assessing:

Impact of a financial statement error resulting from the spreadsheet's use, and

The likelihood of a financial statement error.

[Figure: Spreadsheet Risk Assessment]

Page 35

Top Ten Tips For Spreadsheet Risk Management

Tip 3: Store all spreadsheets on a network server to accomplish control objectives:

Access security codes. Assign access logins and password protection.

Identification. A global spreadsheet ID can be assigned when the spreadsheet is stored on the server, facilitating use of a spreadsheet inventory and tracking log.

Firewall protection. Network firewalls can provide extra layers of protection that a spreadsheet on a mobile laptop does not afford.

Virtual private network. Users accessing the spreadsheet from offsite use a VPN (virtual private network), which provides a higher security level than storing spreadsheets on mobile IT assets, such as laptops.

Spreadsheet changes. Storing the spreadsheet on the server facilitates changes made by multiple users.

Page 36

Top Ten Tips For Spreadsheet Risk Management

Tip 4: Implement spreadsheet change controls using two logs:

User log: tracks users accessing the specific spreadsheet.

Change log: documents changes made to spreadsheet design, such as changes to formulas.

[Figure: Spreadsheet User Log]

[Figure: Spreadsheet Change Log]

Page 37

Top Ten Tips For Spreadsheet Risk Management

Tip 5: Add a contents tab to the spreadsheet to create a spreadsheet table of contents.

Accidental sheet deletions or unauthorized sheet additions can be tracked by comparing to the contents sheet.

[Figure: Spreadsheet Contents]
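Tips 1, 2, 4 and 5 as a small working model, added here as an example that is not code from the textbook or from any spreadsheet product: a global SSID log, a risk rating from impact and likelihood, a change log, and the contents-tab comparison that flags deleted or unexpected sheets. The workbook is a plain Python object; the spreadsheet name, sheet names, users and the score cut-offs are constructed assumptions.

```python
"""Spreadsheet risk management controls (added example, not code from the
textbook). Models Tip 1 (global SSID log), Tip 2 (risk rating from impact and
likelihood), Tip 4 (change log) and Tip 5 (contents-tab comparison)."""
from dataclasses import dataclass, field

RATING = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Spreadsheet:
    name: str
    owner: str
    impact: str          # impact of a financial statement error: high/medium/low
    likelihood: str      # likelihood of such an error: high/medium/low
    contents_tab: list   # sheet names recorded on the contents tab
    sheets: list         # sheet names actually present in the workbook
    change_log: list = field(default_factory=list)


def risk_score(ss: Spreadsheet) -> int:
    """Impact x likelihood, each on a 1..3 scale, so the score runs 1..9."""
    return RATING[ss.impact] * RATING[ss.likelihood]


def risk_level(ss: Spreadsheet) -> str:
    """Bands for the score; the cut-offs are an assumed policy."""
    score = risk_score(ss)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


class SSIDLog:
    """Global spreadsheet identification log (Tip 1)."""

    def __init__(self):
        self.entries = {}

    def register(self, ss: Spreadsheet) -> str:
        ssid = f"SSID-{len(self.entries) + 1:04d}"
        self.entries[ssid] = ss
        return ssid

    def by_level(self, level: str) -> list:
        return [s for s, ss in self.entries.items() if risk_level(ss) == level]


def record_change(ss: Spreadsheet, user: str, when: str, description: str):
    """Change log entry (Tip 4): design changes such as edited formulas."""
    ss.change_log.append({"date": when, "user": user, "change": description})


def contents_check(ss: Spreadsheet) -> dict:
    """Tip 5: sheets listed on the contents tab but absent were deleted;
    sheets present but not listed were added."""
    recorded, actual = set(ss.contents_tab), set(ss.sheets)
    return {"deleted": sorted(recorded - actual), "added": sorted(actual - recorded)}


# Constructed sample workbook: the Revenue sheet is gone and an unlisted
# Scratch sheet has appeared, so the contents check should flag both.
SAMPLE = Spreadsheet(
    name="Q3 revenue rollup", owner="controller",
    impact="high", likelihood="medium",
    contents_tab=["Contents", "Documentation", "Inputs", "Revenue", "Summary"],
    sheets=["Contents", "Documentation", "Inputs", "Summary", "Scratch"],
)
```

Running `contents_check(SAMPLE)` reports the missing Revenue sheet and the unlisted Scratch sheet, which is the comparison Tip 5 describes.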

Page 38

Top Ten Tips For Spreadsheet Risk Management

Tip 6: Add a documentation tab to record proper documentation for the spreadsheet. Include:

The purpose of the spreadsheet.

Authorized users.

User instructions to reduce the likelihood of user error.

Developer notes such as formula specifications, formula links, and any macros and algorithms used.

Page 39

Top Ten Tips For Spreadsheet Risk Management

Tip 7: Use data validation controls in spreadsheets to reduce data entry errors.

Data validation can be used for input controls, such as drop-down lists.

Reduce hard-keying data entry to reduce the likelihood of typing and formatting errors in entering data.

Page 40

Top Ten Tips For Spreadsheet Risk Management

Tip 8: Use the spreadsheet protection feature for an access security control.

Password protect the spreadsheet and/or specific cells to prevent unauthorized use or accidental data deletion.

Page 41

Top Ten Tips For Spreadsheet Risk Management

Tip 9: Test the spreadsheet to assure that it is functioning properly.

Use the spreadsheet auditing tool to track errors and verify formula links.

Enlist other users to test the spreadsheet to verify that it is functioning as planned.

Test spreadsheet calculations.

Test to see if spreadsheet logic is sound.

Page 42

Top Ten Tips For Spreadsheet Risk Management

Tip 10: Remember the 80/20 rule for accounting design.

Accounting Insight No. 10 also applies to spreadsheet design. Invest 80 percent of your time in the design of the spreadsheet and only 20 percent of your time maintaining it.

Use a proper system development life cycle (SDLC) methodology to design and build your spreadsheets.

Design spreadsheets so that you never hard-key data into formulas.