Particularly to support an understanding of both COSO and SOx internal controls, internal
auditors need to have a good understanding of risk management on an enterprise level and how it
impacts their skills for building and developing effective internal control processes. Management
and external auditors should consider relative risks when implementing and assessing internal
controls to achieve compliance with the SOx Section 404 internal control rules.
COSO released their Enterprise Risk Management Integrated Framework (COSO ERM). This
is an approach to allow an enterprise and internal audit to consider and assess its risks at all
levels, whether it be in an individual area such as an information technology (IT) development
project, or global risks regarding an international expansion. While released by the same COSO
guidance‐setting function that has developed and maintains the COSO internal controls
framework, COSO ERM sometimes looks like its internal controls brother, but it has a much
different feel and approach.
- Risk Identification
Management should endeavor to identify all possible risks that may impact the success of the
enterprise, ranging from the larger or more significant risks to the overall business down to the
less major risks associated with individual projects or smaller business units. The risk
identification process requires a studied, deliberate approach to looking at potential risks in each
area of operations and then identifying the more significant risk areas that may impact each
operation in a reasonable time period.
A good way to start the risk identification process is to begin with a high‐level enterprise
chart that lists corporate‐level as well as operating units. Each of those units may have facilities
in multiple global locations and also may consist of multiple and different types of operations.
- Risk Interdependencies
We have discussed risks at an individual organizational unit level, but risk interdependencies
must always be considered and evaluated throughout the organizational structure. Any entity
should be concerned about risks at all levels of the organization but only really has control over
the risks within its own sphere.
- Risk Ranking
The risk significance and probability of occurrence are often called the risk drivers or the
primary risks for a set of identified risks. An enterprise should then focus its attention going
forward on these primary risks. Such risk‐ranked schedules can be organized on a
unit‐by‐unit basis and adjusted to accommodate related risks in units parallel to, above, or
below the entity being ranked or evaluated.
The COSO ERM framework starts by defining enterprise risk management as follows:
Enterprise risk management is a process, effected by an entity’s board of directors, management
and other personnel, applied in a strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be within its risk appetite, to
provide reasonable assurance regarding the achievement of entity objectives.
Professionals should consider these key points and concepts supporting the COSO ERM
framework definition, including
1. ERM is a process.
2. The ERM process is implemented by people in the enterprise.
3. ERM is applied through the setting of strategies across the overall enterprise.
4. An enterprise’s risk appetite must be considered.
5. ERM provides only reasonable, not positive, assurance on objective achievements.
6. An ERM is designed to help attain the achievement of objectives.
ENTITY‐LEVEL RISKS
The COSO ERM framework shows four divisions or slices in this framework dimension: entity‐
level, division, business unit, and subsidiary risks. This is not a prescribed company‐type
division, and ERM suggests that risks should closely follow the given enterprise’s official
organization chart. COSO ERM risks should be identified and managed within each significant
organizational unit, including risks on an entity‐wide basis through individual business units. An
enterprise with four major operating divisions and with multiple business units or subsidiary
units under each would have an ERM framework that reflected all of these units. While these
risks are important on an overall organizational level, there should be a level of consideration on
a unit‐by‐unit basis to as low a level as necessary to allow the enterprise to understand and
manage its risks.
Because the two framework models look quite similar on first observation, it is very easy to
miss thinking about the unique characteristics of COSO ERM. Risk management, and COSO
ERM in particular, are standards that should be part of every internal auditor’s CBOK. Internal
auditors should use risk management principles when deciding which areas to select for their
reviews, risk‐based audit planning, and then to use risk principles when assessing audit evidence.
Perhaps even more important, COSO ERM will grow in importance and recognition as more
enterprises understand and adopt the ERM framework. Internal auditors should understand
COSO ERM both in order to audit compliance with these processes and to consult with
management to ensure more effective implementations.