Dan's Internal Audit Corner
Auditing Risk Management is strongly recommended
Each month Dan Swanson, a senior security and internal audit professional will provide his list of recommended resources for AuditNet readers. If you have questions about this page or the links, you can reach Dan at www.securitybenchmark.com and dswanson_2005@yahoo.com.
Some questions to consider:
- Are the organization's risk management efforts appropriate to its needs?
- Has a risk management program been developed and implemented?
- How effective are the risk management efforts?
- Do we need to increase the understanding of our key risks?
- Has accountability been established (for risk management)?
- What else needs to be done? i.e. Have we done everything necessary?
Some resources to assist your risk management efforts are provided here.
Have another great month.
Best regards.
Dan Swanson
The drill-down resource page is provided below.
My Risk Management resource "summary".
After you review just some of the numerous sites and documents listed below, it will become very apparent that there are a huge number of resources out there that your organization should consider. This summary was NOT developed to advocate one organization's approach or guidance over another, but to spur the understanding and learning of what is available and to encourage serious debate on what will work for your specific environment and meet your "needs".
Finally (and this is also important), there are numerous web sites which point to numerous other links and documents, most notably the IIA web site; but there are several others too. For example, Felix Kloman's web site is a perfect example of the extensive access to knowledge that is possible when "drilling down" within the various leading web sites that are cited below.
Good luck in your research and, as important, in your efforts to implement a robust risk management program within your organization, where the "rubber meets the road"; AND always remember, it's the actual "EXECUTION" that drives the "IMPACT" on an organization's RESULTS.
Enjoy.
Dan Swanson
My personal favorites:
1. The Standards Australia web site
2. The IIA's risk management resource repository:
3. Felix Kloman's web site - Truly "The Place To Start" (your risk "journey").
Useful links
Useful information
4. ERM publications and tools on KnowledgeLeader.com
KnowledgeLeader provides policies, tools, articles, and other resources to help you understand enterprise risk management, develop risk management and risk assessment checklists, policies, and procedures; and discover best practices to mitigate risk.
5. OCEG (The Open Compliance and Ethics Group).
6. ISACA and the IT Governance Institute (ITGI)
Ask the Auditor: Business Risk vs. Audit Risk
Business risk relates mainly to an organization's goals and objectives. It is essentially the potential cost incurred if the business does not achieve its strategic plans. In many organizations, the assessment and management of business risk has evolved into formalized enterprise risk management (ERM). By contrast, audit risk relates mainly to the internal and external audit functions' ability to achieve their objectives; that is, to provide effective, timely, and efficient assurance and consulting support to management and the board. Traditionally, audit risk has been seen strictly as the risk of incorrect audit conclusions. Contemporary views, however, include big-picture audit risks; specifically, that the internal audit function is not doing the right things or is not working in the best ways.
Checklist for Risk Management
Are you prepared for your next risk management audit? Know what to expect. The IT Audit Checklist for Risk Management offers:
- 80 specific checklist items to help assess your audit-readiness
- Clarification on what auditors want to see
- Tips on how to effectively communicate with an auditor
- Pointers on audit preparation, testing, and reporting
One of my other personal favorites: an excellent summary of leading resources from various organizations, created over the past four years of research.
NACD's Blue Ribbon Commission report on "Risk Oversight" is one of the very best papers on this important subject.
The NACD BRC (Blue Ribbon Commission) on Risk Oversight
The CICA 20 Questions Directors Should Ask papers (this excellent series includes risk management).
The COSO Related Resources
Internal Control over Financial Reporting - Guidance for Smaller Public Companies
This small-business guidance takes the concepts of the 1992 Internal Control - Integrated Framework and demonstrates their applicability for achieving the financial reporting objectives of smaller publicly traded companies. Executive Summary (PDF, 249KB)
For more information, visit the COSO site.
Compliance Week article on COSO Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting (PDF, 70KB)
Expressing an Opinion on Internal Control
Access the COSO Enterprise Risk Management Integrated Framework
Download the free COSO ERM Executive Summary (PDF). Also available in other translations.
IIA Resources
- The IIA's Position Statement: The Role of Internal Audit in Enterprise-wide Risk Management (PDF). Available in Spanish (PDF). View accompanying news release.
- Frequently Asked Questions on COSO's Enterprise Risk Management - Integrated Framework
- COSO Fast Facts Flier (PDF)
- COSO Control Framework (PPT)
- CAE Bulletin article: "COSO Releases New ERM Framework"
- CAE Bulletin article: "The IIA Takes a Stand on ERM"
The first tier of information (leading resources, studies, papers, articles, etc.)
A Risk Management Reading List (from Risk Management Reports, December 2006) (provided with permission).
Periodically throughout the years of Risk Management Reports, Felix Kloman has suggested a selection of those books that, he believes, belong in the library of any student of the discipline of risk management. He felt at the conclusion of the 33rd year of his monthly newsletter that it was an appropriate time to re-issue his favorites list. It is thoroughly personal, based on his own reading and interests, and he is sure that others can and will take issue with some selections as well as add others. Please do so, (he says) as he would like to find a new jewel! This list, which started out as his ten best originally, has inevitably expanded to a top fifteen, because of the need to cover history and philosophy as well as the significant offerings in finance, public policy and other risk specialties. One was written in 1921 and the latest came out this year.
Website: www.riskreports.com
Risk Management Handbook for Health Care Organizations (5th edition)
Your job is bigger, and so is your Handbook. The new edition of the Risk Management Handbook for Health Care Organizations presents the most authoritative enterprise-wide techniques and practices of today's health care risk management professionals, all expanded into a user-friendly, three-volume format. Volume 1: The Essentials covers basic concepts, Volume 2: Clinical Risk focuses on patient care issues, and Volume 3: Business Risk looks at legal, regulatory and technical issues. The three-volume set includes a bonus CD-ROM with exhibits, figures, tables and appendices. The collected expertise of 82 risk management professionals and four editors makes the 5th edition one of the most important health care resources available today and for some time to come. Catalog # 178162. Available as a set of three volumes plus CD for $299 through Jan. 31, 2007; thereafter $350 for ASHRM members, $375 for non-members.
Organizational risk reporting for internal and external decision making
Management and audit reports on internal control don't provide any assurance on the viability of a business or its ability to achieve financial goals. Consequently, the needs of many internal and external reporting audiences aren't met; they need more information on the risks organizations face and how they intend to manage them. Until now, there hasn't been an integrated framework for such reporting.
The Reporting of Organizational Risks for Internal and External Decision Making
External shareholders and other stakeholders are demanding increased reporting of organizational risks to better evaluate corporate performance. This guideline helps financial professionals gain a clear understanding of organizational risks and of methods by which to provide fair disclosure to both internal and external decision makers. The guideline is a companion piece to the management accounting guideline entitled "Identifying, Measuring, and Managing Organizational Risk for Improved Performance", which presents a model and measures for improving the identification and measurement of risks to improve management decisions.
Identifying, Measuring, and Managing Organizational Risk for Improved Performance (published in 2005)
Risk is an inescapable element of competing in a market economy. Organizations must be able to evaluate many types of risk (political, social, environmental, technological, economic, competitive and financial) and incorporate the results into decisions regarding investments and operations, as well as into the systems used to monitor and evaluate the effectiveness of the actions taken. This guideline provides a Risk Management Payoff Model that includes a selection of performance measures to properly identify, measure, manage and report risks.
Guide to Enterprise Risk Management: Frequently Asked Questions
Many are asking questions about the value proposition of ERM and the practical steps for implementing it. The purpose of this publication is to address some of the most commonly asked questions with respect to ERM. It offers ideas, suggestions and insights to executives responsible for ERM implementation.
Enterprise Risk Management: Practical Implementation Advice
Many executives do not know the value proposition of Enterprise Risk Management (ERM). Some may even consider ERM a fad or "flavor of the month", and are just humoring the dialogue, wishing it would go away. What leaves many cold on the subject of ERM is the inability to quickly grasp what it is. This issue of The Bulletin addresses this and other relevant questions.
Enterprise Risk Management: Practical Implementation Ideas
It has become clear that traditional risk management approaches do not adequately identify, evaluate, and manage risk. Protiviti's Jim DeLoach discusses how ERM transforms risk management into a proactive, continuous, and process-driven activity. Additionally, he offers practical ideas on how to implement ERM within an organization. These include articulating a risk management vision, using the capability maturity model, evaluating the existing risk management structure, and selecting the enterprise's priority risks.
Other ERM publications and tools can be found on KnowledgeLeader.com (see item 4 in my personal favorites above). Free 30-day trials are available.
RIMS Launches Risk Maturity Model for Enterprise Risk Management (An Overview).
Risk Management Magazine is the premier source of analysis, insight and news for corporate risk managers. RM strives to explore existing and emerging techniques and concepts that address the needs of those who are tasked with protecting the physical, financial, human and intellectual assets of their companies. As the business world and the world at large change with increasing speed, RM keeps its readers informed about new challenges and solutions. RM is delivered monthly to 17,000 readers. It is published by the Risk and Insurance Management Society, Inc. and is reviewed by an Editorial Advisory Council.
The new RIMS ERM Center of Excellence is an excellent source for news, tools and peer-to-peer networking on all topics connected to enterprise risk management. Whether you are initiating an ERM program within your organization, in the implementation phase, or streamlining processes, here you will gain access to information and touch base with risk management colleagues who will help you gain perspective on your ERM program. Stay updated on ERM content.
Enterprise Risk Management: Complacency Is No Longer an Option, But a Practical Start Is
In an environment in which risks are proliferating, shareholders are demanding growth, and first-movers are expanding rapidly into new markets, many leaders recognize that implementing an enterprise risk management (ERM) program is becoming an urgent business priority. KPMG's Advisory practice has produced a new white paper entitled "Enterprise Risk Management: Complacency Is No Longer an Option, But a Practical Start Is", which explains that with a clear and practical vision and a few key steps, leaders can build on existing risk assessments to get an ERM effort under way.
The 2nd tier of information (NOT second class; just a 2nd accumulation of good resources).
Risk Management for Small Business is a new workbook from the Public Entity Risk Institute in Fairfax, Virginia, written by Claire Reiss, deputy executive director & general counsel. It is brief, clearly written, and eminently practical. Its first chapter "Why Risk Management is Important for Small Business" is a succinct one-page synopsis of the risk management discipline. The author then moves into a description of the "never-ending process" of risk management, followed by some 70 pages of sample worksheets and checklists.
Various other publications are available from the Public Entity Risk Institute.
Tougher Boards for Tougher Times: Corporate Governance in the Post-Enron Era (John Wiley & Sons Canada, 2006).
The OCEG Internal Audit Guide (IAG) Evaluating Your Compliance and Ethics Program: This 88 page guide provides a roadmap for internal auditors to audit a compliance and ethics program. It is also useful for all people charged with governance responsibilities.
The Role of Information Technology in Sustained Regulatory Compliance (2006).
Why Sustainability Counts for Professional Accountants in Business This information paper provides an overview of enterprise sustainability and sets out the business/financial case for addressing sustainable development at the enterprise level. It also seeks to identify the main sustainability- related roles that professional accountants in business might occupy today or at some time in the future.
Purpose: The Starting Point of Great Companies
The latest strategy & business (s&b) newsletter is out, and this issue is about "Purpose and Innovation". Consider checking out their web site too (it's amazing).
Professional Accountants in Business - At the Heart of Sustainability? This paper features interviews conducted with eleven senior professionals in various enterprises around the world on the role of professional accountants in business and the challenges they face in promoting and implementing sustainable development strategies.
Managing Risk to Enhance Shareholder Value This booklet was developed by the PAIB Committee to focus on the theme of risk management from both the traditional review of the financial risks of a company and the more recent application of risk management techniques in the areas of strategy, reputation and people.
GRC 360, the Summer 2006 issue
Inside this issue:
- Be Part of the OCEG IT Forum: Thought Leaders Convene
- The Power of Positive Technology: Better Information Produces Better Results
Treasury Board of Canada's Integrated Risk Management Framework web site
Auditor Answers: What Should Your Business Continuity Efforts Focus On?
Ask the Auditor: Who is Responsible for Information Security?
The FEI 404 blog
Australia has Corporate Governance Standards, the AS 8000 series. The series has five main parts:
I. Good governance principles
II. Fraud and corruption control
III. Organizational codes of conduct
IV. Corporate social responsibility
V. Whistleblower protection programs for entities
Section A is from AICPA and the Big 4.
Section B is efforts by The IIA and COSO.
Section C is about assisting revenue reporting.
Section A
1. AICPA's audit committee effectiveness center.
2. The Big 4's informational site (good content).
3. An AC tool - working through "adverse" opinions.
4. The Big 4's view of internal control representations.
Section B
1. Expressing Opinions on Internal Control (THE key entry page).
2. Putting COSO's theory into practice. An issue of Tone at the Top focuses on COSO's new guidance for using the Internal Control - Integrated Framework to ensure the effectiveness of internal control over financial reporting. Although the Guidance for Smaller Public Companies Reporting on Internal Control over Financial Reporting was developed for smaller organizations, it is appropriate for companies of all sizes.
3. Other COSO related resources
4. Enterprise-wide Risk Management.
5. Other resources from the IIA
6. The IIA's efforts in technology
SECTION C - Revenue reporting resource
1. Revenue recognition OK? (check out the CFO site).
2. Internal control over financial reporting
3. Are your opinions in order?
4. Disclosures working well? CICA has finalized some great guidance: Understanding Disclosure Controls & Procedures: Helping CEOs and CFOs Respond to the Need for Better Disclosure (December 2005), by Peter W. Roberts, FCA, CPA (Illinois) and Gordon Beal, CA.
5. Improving your Finance function? (I always study the resources available at FEI and CMA Canada, although there are many others, such as IFAC, AICPA, NACD, and more.)
a) FEI
b) CMA-Canada
c) IFAC
d) AICPA
e) NACD (National Association of Corporate Directors)
f) OCEG (Open Compliance and Ethics Group).
The Role of Auditing in Public Sector Governance.
Government Auditors' Resource repository.
Government Auditors: Meeting New Challenges.
Organizational Governance: Guidance for Internal Auditors.
ACI/KPMG resources on Risk Management:
ACI's publication "Oversight of Risk Management: Considering the Audit Committee's Role and Responsibilities" will soon be added to this link.
The Role of U.S. Corporate Boards in Enterprise Risk Management
Boards of Directors in the United States, having focused heavily on Sarbanes-Oxley requirements and more rigorous governance and compliance standards, are now beginning to assess their evolving role in providing oversight in the area of enterprise risk management (ERM). In view of the rapidly developing state of ERM in U.S. corporations, boards face a particularly challenging set of issues in responding to the need for improved oversight of risk management. The Conference Board, with McKinsey & Company and KPMG's Audit Committee Institute, conducted research on the role of U.S. corporate boards in Enterprise Risk Management between October 2005 and February 2006.
Topics covered:
- Executive Summary
- Key Research Findings
- Recommendations to Corporate Boards
- What Is Enterprise Risk Management?
- Key Steps in Implementing an ERM System
- Evolving Legal Developments Make It Prudent for Directors to Ensure They Have a Robust ERM Oversight Process in Place
- Directors Should Consider Making Improvements in Their ERM Oversight Processes
- Sound ERM Oversight Practices Are Now Recognizable in a Number of Leading Companies
- Companies Are Looking at Best-in-Class Peers for Emerging Practices in ERM Oversight
THE END OF THIS RISK MANAGEMENT RESOURCE SUMMARY
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®.