Introduction
-
Threat: any potential adverse occurrence or unwanted event, to be injurious to either AIS or organization
-
Exposure / impact of the threat: potential dollar loss if a particular threat comes true
-
Likelihood: probability to happen
-
Internal control: the process by the board of directors / management / those under their direction, to provide reasonable assurance of a number of goals
-
Preventive controls: deter before problems
-
Detective controls: discover as soon as problems
-
Corrective controls: remedy after problems discovered
-
Levers of control: to reconcile the conflict between creativity and controls
- Belief system: communicates company core values to employees, and inspire them to live by them
- Boundary system: helps employees act ethically by setting forbidding rules
- Diagnostic system: measures company process by comparing actual to planned
- Interactive control system: helps top managers with high level activities, that demand frequent and regular attention
ERM (Enterprise risk management - integrated framework)
- Objectives:
- Provide reasonable assurance to achieve goals and minimize problems
- Achieve financial & performance targets
- Assess risks continuously, and identify instructions and resources against risks
- Avoid adverse publicity and disreputes
- Basic principles:
- Companies are formed to create value for owners
- Company management must decide how much uncertainty can be acepted
- Uncertainty results in risk or opportunity
- ERM framework is to help management manage uncertainty, and risk & opportunity, to build or preserve value
- Components
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information & communication
- Monitoring
The Internal Environment (most important part of ERM)
- Management's philosophy, operating style, and risk appetite
- The board of directors
- Oversee management & scrutinize its plans, performance, andactivities
- Approve company stretegy
- Review financial results
- Annually review security policy
-
Interact with internal & external auditors
- Audit committee: non-employee independent directors
- Commitment to integrity, ethical values, and competence
- To create an organization culture that stresses integrity and commitment of ethical values and competence
- To endorse integrity as a basic operating principle, teach & require
- To reward and encourage honesty, give verbal label to honest and dishonest behavior
- To develop clear policies explicitly describe honest and dishonest behavior
- To require employees to report dishonest, illegal, or unethical acts, discipline who not
- To make a commitment to competence by competent employees
- Organizational structure
- Lines of authority, responsibility, and reporting
- Overall framework for planning, directing, executing, controlling & monitoring operations
- Methods of assigning authority and responsibility
- To make sure employees understand entity's objectives, assign authority & responsibility for business objectives to specific departments and individuals, encourage them to use initiative to solve problem, then hold them accountable for achieving objectives
- Human resource standards
- Employees can be both the greatest control strength and weakness
- External influences
Objective Setting
- Precedes the later six
- Cooperate vision / mission: why the company exists and that it hopes to achieve
- Strategic objectives: supporting mission, intended to create shareholder value
- Operator objectives: a product of management preferences, judgments, and style, varying among entities
- Compliance & reporting objectives: many imposed by external entities
Event Identification
- Event: incident or occurrence emanating from internal or external sources to affect strategy or objectives
Risk Assessment & Response
- Inherent / residual risk: unable / able to avoid before
- Estimate likelihood and impact (with softwares)
- Identify controls (to protect from each event)
- Estimate costs & benefits & determine cost/benefit effectiveness
- Implement control or avoid, share, or accept the risk
Control Activities
- Policies, procedures & rules to provide reasonable assurance for objectives and anti-risk
- Must also ensure compliance & enforcement
- Segregation of duties: no single employee given too much responsibility
- Segregation of accounting duties: authorization, recording, custody
- Project development & acquisition controls: to have a formal, appropriate & proven methodology to govern
- Change management: making sure changes do not harm reliability, security, confidentiality, integrity & availability
Information & Communication
Monitoring
- Perform ERM evaluations
- Implement effective supervision
- Use responsibility accounting
- Monitor system activities
网友评论