
May 2005 Volume 1, Issue 5

Feature Articles

Using COSO-ERM in Your Sarbox Program

The Sarbanes-Oxley Act of 2002 requires CEOs and CFOs to employ an industry-recognized framework when assessing the adequacy of controls over financial reporting. Neither the Act nor the Securities and Exchange Commission (SEC), which has oversight responsibility for the Act, has specified which framework to use. So what are the most popular frameworks? Why was the COSO-ERM framework designed, and is it right for your company?

Financial disciplines favor the original COSO framework, which was designed as a tool for evaluating internal control systems and to give management teams, directors, regulators, and others a common basis for understanding and communicating about internal control. Designed with an emphasis on fiduciary controls, it was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

(continued on page 4 — see COSO-ERM)

Understanding Your Company's Appetite for Sarbox-Related Risk

No company can avoid risk. Likewise, no company can afford to take every measure necessary to avoid every risk. Sometimes, management must simply choose to accept the possibility that something bad will happen.

Do you know what potential problems your Board of Directors and executive management team have chosen to ignore? Do you know which ones they are managing by putting in place controls to either prevent the problem or to reduce its impact should it occur? Do you know what risks they expect you to address yourself, should they arise?

In the best of all worlds, you should know. Senior leadership in your company will have identified potential issues and will have communicated their attitude toward risk. They will have shared their risk management plans and will have outlined unambiguous roles and responsibilities for identifying problems, choosing risk management strategies, designing controls, and implementing control activities. You will know what you are empowered to address.

What if you don't live in that best of all possible worlds? How do you go about understanding your company's appetite for assuming Sarbox-related risk?

• Your first step is to understand the terms your executives might use in describing risk.

Industry News

Limit C-level Management in Sarbanes-Oxley Reviews, Says AberdeenGroup

A new benchmark report by AberdeenGroup, "Automating SOX Compliance Benchmark Report", concludes that companies that involve much of the organization in their SOX review process are experiencing lower costs and increased profits. By contrast, companies that limit SOX reviews to a small group of senior management have the worst performance records.

PCAOB Proposes Internal Control Standard

What is a company to do when it identifies a material weakness and then eliminates it? Section 404 of the Sarbanes-Oxley Act of 2002 requires public companies to include an assessment of the company's internal control over financial reporting in its financial reports. The company's independent auditor must attest to, and report on, management's assessment.

Sometimes management's assessment of the company's internal control reveals that the company has one or more material weaknesses, which are serious defects in the company's internal control over financial reporting.

Currently, if the company eliminates a material weakness, it is required only to disclose that information. Investors and companies, however, have sometimes sought assurance from the company's independent auditor that it supports management's assertions about those internal control improvements. The PCAOB, therefore, has proposed a standard providing a new option for corporations and auditors to report on corrections to "material weaknesses."

(continued on page 9 — see Industry News)

(continued on page 6 — see Understanding)

In this issue... Focus: The COSO-ERM Risk Framework

Articles

Industry News - page 1

Using COSO-ERM in Your Sarbox Program - page 1

Understanding Your Company's Appetite for Sarbox-Related Risk - page 1

Sarbox Project Templates

Reference: The 8 Components of COSO-ERM

Checklist: Are You Ready for COSO?

Roles and Responsibilities Chart: Enterprise Risk Management

Visual Aid: Comparing COSO and COBIT

Questionnaire: Is this too Risky?

Crossword Puzzle: COSO-ERM - page 10

© Copyright 2005 RiskCenter, LLC. Published bi-weekly. Federal copyright law prohibits duplication or reproduction in any form, including electronic, without express permission by the publisher.

S A R B O X A L E R T Volume I, Number 5 page 4

Using COSO-ERM – continued from page 1

The COSO framework is designed to help companies meet three objectives: effectiveness and efficiency of operations (this includes achieving performance goals and safeguarding assets against loss); reliable financial and operational data and reports; and compliance with laws and regulations. The framework contains five control components needed to help assure that those objectives are met:

• Control Environment

• Risk Assessment

• Control Activities

• Information and Communication

• Monitoring

The first problem with COSO is that it doesn't meet the needs of IT. It simply doesn't define enough technical control areas, much less guidance on how to control them, to serve as a framework for Data Management and Information Technology departments. The COBIT framework fills this need.

COBIT (Control Objectives for Information and Related Technologies) is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. COBIT addresses information quality and security requirements in seven overlapping categories: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information.

These categories form the foundation of COBIT's 34 high-level control objectives. Companies employing COBIT approach IT control by considering the information needed to support business requirements, then applying controls to the IT resources and processes used to deliver, manage, and monitor that information. These companies find that COBIT – especially if supplemented with specialized security standards such as ISO 17799 – is adequate to organize Information Technology efforts for Sarbox compliance.

So if Finance Departments like COSO and IT groups like COBIT, and COSO and COBIT work well together, what's missing?

For some companies, it's the executive viewpoint. In its presentation, "Applying COSO’s Enterprise Risk Management — Integrated Framework," the Institute of Internal Auditors explains why a focus on Enterprise Risk Management is important to corporate leaders.

Single year subscription: $495.
Group subscription inquiries: 212.825.1525 or [email protected]
Contact Igor Lamser at 212.825.1525
Publisher: Igor Lamser
Editor-In-Chief: Gwen Thomas
Editorial Office: 82 Wall Street, Suite 707, New York, NY 10005
phone: 212.825.1525 fax: 212.825.1530 www.riskcenter.com

Every entity, whether for-profit or not, exists to realize value for its stakeholders. Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

ERM supports value creation by enabling management to:

Deal effectively with potential future events that create uncertainty.

Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

How your corporate management chooses to go about the business of realizing value for its stakeholders is the key to whether COSO-ERM is right for your organization. Some management teams are comfortable taking a very structured approach to identifying and evaluating their opportunities and risks. They enjoy defining what they have to work with, what they're trying to accomplish, what threatens their vision, and what risks they must face along the way. For executive teams that prefer an ultra-structured approach, some aspects of risk management can resemble a really complicated mathematical problem – one that is complex, but solvable, given the right information and formulas. For such teams, COSO-ERM can be an excellent tool.

For other management teams with different management styles and preferences, taking a structured approach to Enterprise Risk Management may seem like… well, a really complicated mathematical problem, and an unnecessary headache.

Every manager at every level of the business manages risk. That's a given. And learning about COSO-ERM should add to every manager's risk management toolset. But employing a formal Enterprise Risk Management approach to Sarbox compliance requires a top-down, executive-driven push. So… in math class, did your execs show their work? Did they work the geometry theorems carefully, showing each step? Or did they provide an answer and argue with the teacher that how they got it was their own business?

If you find that COSO-ERM is right for your company, you're probably going to really like it. It's a post-Sarbox framework built on the original COSO framework.

S A R B O X A L E R T Volume I, Number 5 page 5

COSO-ERM expands and elaborates on the elements of internal control set out in the original COSO control framework. It adds a new component, objective setting, as a prerequisite for internal control, and it expands other areas. The new COSO-ERM framework consists of eight components:

• Internal control environment (from original COSO)

• Objective setting (new component)

• Event identification (new component)

• Risk assessment (from original COSO)

• Risk response (new component)

• Control activities (from original COSO)

• Information and communication (from original COSO)

• Monitoring (from original COSO)

S A R B O X A L E R T Volume I, Number 5 page 6

Using COSO-ERM – continued from previous page

Taken together, these eight components form a framework for managing internal controls and control activities while taking a risk management approach to running your business and managing your financial data.

For more information about COSO, see the Sarbox Project Template "Reference: The Eight Components of COSO-ERM" and "Visual Aid: Comparing COSO and COBIT." Both are stand-alone Microsoft Word documents.

- -

Understanding – continued from page 1

• Risk appetite is the amount of risk — on a broad level — that your company is willing to accept in pursuit of value.

• Risk tolerance, a related concept, means the acceptable level of variation around objectives. That is, if an executive's stated objective is to "make sure an issue won't occur," what does that really mean? How sure is sure enough?

• Residual risk is the risk that is left over after you've put controls in place to reduce the risk.

• Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Your second step is to try to understand the general risk appetite of your executives and board. They may make it easy for you by employing quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk) in corporate communications to discuss their risk appetites. Or, you may have to reach your own conclusions about their risk appetites. Try asking the following questions.

• What risks do you know the organization will not accept? (For example, will they tolerate causing an environmental spill or delivering spoiled products?)

• What risks has the organization demonstrated it is willing to take during new initiatives? (For example, how tolerant is it of failures when testing a new product line? Does it make assumptions about customer wishes? Would it merge with another company without fully understanding that company's internal practices?)

• What risks will the organization accept in reaching compromises for competing objectives? (For example, gross profit vs. market share?)

Your third step to understanding your company's appetite for Sarbox-related risk is to understand the types of Sarbox-related risk. Your company may have a different tolerance for each type of risk.

The risk of failing the audit. What does your company believe will be the worst thing that would happen to them if they receive an adverse opinion from their outside auditors? Some companies have been treating this scenario as completely unacceptable. As a result, they have gone to great effort to understand their auditor's expectations and to meet them. Other companies, on the other hand, either didn't believe they were much at risk or weren't worried about the consequences. They've done the minimum effort, in their minds, to comply with Sarbanes-Oxley. Dips in stock price as a result of a potential failure, they might have reasoned, would be easier to deal with than the pain of a full-out compliance effort.


S A R B O X A L E R T Volume I, Number 5 page 7

The risk of being delisted. It's hard to imagine a publicly-traded company being willing to risk losing the privilege of having its stock traded on a major exchange, especially when the way to avoid this risk is simply to comply with easy provisions such as implementing a confidential whistleblower hotline. You can probably expect that your company has zero tolerance for this risk.


The risk that your CEO or CFO will go to jail. Your gut reaction may be that no executive is willing to risk prison time when that risk could be avoided. You'd probably be right for the overwhelming majority of executives. They're going to certify the company financial statements as required, and they're going to put the company through enough exercises that the execs will have a good defense that they believed they were telling the truth when they certified those statements. They will have asked corporate counsel for an opinion of the meaning of the word "willfully" in the section of the act that significantly increases the penalties should the exec willfully misrepresent financial statements.

It would be foolish to assume, however, that no executive is going to risk going to jail under the Sarbanes-Oxley provisions. After all, most executives are risk takers – that's how they've risen so far up the corporate ladder. They may have decided that plausible deniability would work for them, should a problem arise. They may be betting that, barring actual fraud, prosecutors wouldn't bother prosecuting execs who were merely mistaken when they signed Sarbox attestations. Or, they may have made provisions you wouldn't be aware of to reduce their chances of being convicted, should they be charged with a violation.

Question: What's the first step every CFO should take as part of the company's Sarbox preparation program? Answer: Apply for a passport.

Your Board of Directors has also probably assessed the risk that your CEO and/or CFO are crooks who would gladly risk jail time in return for bilking the company of enough money and/or perks. If your executives are still in place, you can assume that: a) the Board decided to accept the risk, or b) the Board has decided its internal control system is strong enough that larcenous executives couldn't succeed, or c) the Board is VERY trusting.

The risk of overspending to avoid a failed audit. In retrospect, many companies are now confessing that they feel they might have over-prepared for Sarbanes-Oxley. Are your execs making this sort of statement? If so, what are they saying they'll do differently this next year? Will they do less? Do the same but spend less doing it? Will increases or decreases in their allocation of Sarbox resources be uniformly applied, or can you still expect deep dives in certain areas?

The risk of spending attention on Sarbox that needs to go elsewhere. Many companies felt they had no choice last year but to give Sarbox as much attention as it needed. They may be planning to change this approach going forward.

The risk of being sucked into a painful program. If your company is resisting employing a formal Enterprise Risk Management program, even if it looks like a good fit for the company, this may be why. COSO-ERM requires execs to deal with a portfolio of risks rather than individual standalone issues. Someone must assess exposure levels, business impacts, cost requirements, and resolution priority and importance.

In taking these steps, differences of opinion will surface about the importance of individual risks and how to manage them. Viewpoints will no doubt differ dramatically based on individuals' agendas, backgrounds, roles, and where they are placed in the organization. Your execs may simply feel they need a year off from such drama.

Is COSO-ERM right for your organization? See the Sarbox Project Template "Checklist: Are You Ready for COSO?," a stand-alone Microsoft Word document. Want some questions to use as a starting point for discussing risk within your organization? Check out "Questionnaire: Is this too Risky?" Want to know who should do what if you do implement COSO-ERM at your organization? It's spelled out in "Roles and Responsibilities Chart: Enterprise Risk Management".

- -


S A R B O X A L E R T Volume I, Number 5 page 8

To advertise in SARBOX ALERT, or for group subscriptions, contact Igor Lamser at 212.825.1525 or [email protected].

Sarbox Project Templates

Sarbox Project Templates to complement the topics covered in this issue's features are available as stand-alone Microsoft Word documents.

• Reference: The Eight Components of COSO-ERM

• Checklist: Are You Ready for COSO?

• Roles and Responsibilities Chart: Enterprise Risk Management

• Visual Aid: Comparing COSO and COBIT

• Questionnaire: Is this too Risky?

• Crossword Puzzle: COSO-ERM

Next Issue: Security Planning

Articles:

• Planning to Address Critical Sarbox Security Concerns

• Aligning Your Security and Sarbox Efforts

Sarbox Project Templates:

• Reference: The Seven Information Quality Criteria

• Flowchart: Assigning Governance and Controls to Security Risks

• Checklist: Assigning Accountability for Security Risks

• Checklist: Common Security Controls

• Roles and Responsibilities Chart: Aligning Security and Sarbox

S A R B O X A L E R T Volume I, Number 5 page 9

Industry News – Continued from Page 1

The proposed standard would establish a voluntary, stand-alone engagement, performed only at the request of the company.

The comment period for the proposed standard is 45 days. Any final standard adopted will be submitted to the Securities and Exchange Commission for approval.

SOX Accounting Expensive for Fortune 1000 Firms

According to two University of Nebraska at Omaha accounting faculty members, Sarbanes-Oxley compliance costs keep rising. Fortune 1000 companies' auditing costs have increased by $1.4 billion collectively so far, and much of this increase is in response to Sarbanes-Oxley. Accounting professors Susan Eldridge and Burch Kealey have helped develop an automatic text-mining and data extraction technique that they say makes hundreds of hours of data collection manageable. With the latest figures, reported as of April 27, 633 Fortune 1000 firms have reportedly paid more than $3.6 billion for their 2004 audits, compared to $2.2 billion in 2003.

Deloitte & Touche, SEC Settle

Deloitte & Touche LLP issued the following statement on April 26 regarding the settlement announced between Deloitte & Touche LLP and the United States Securities and Exchange Commission:

Deloitte & Touche LLP announced today it is pleased to have reached settlements related to the 2000 audit of Adelphia and the 1998 audit of Just For Feet. Each of these cases involves a consent decree, signed by Deloitte & Touche LLP, in which it neither admits nor denies wrongdoing. These two settlements are the first enforcement cases for Deloitte & Touche LLP since Deloitte & Touche was formed by combination in 1989. Deloitte & Touche LLP believes that the settlements are in the best interest of its people, clients and the organization.

As a condition of the Adelphia settlement, Deloitte & Touche LLP will pay a $25 million penalty, plus a $25 million contribution to a fund to compensate Adelphia shareholders and debt holders. Deloitte & Touche LLP also has agreed on steps for enhancing audit quality for its clients. As part of the settlement on Just For Feet, there will be a payment of $375,000 to the U.S. Treasury. Neither of the settlements restricts Deloitte & Touche LLP’s ability to provide services to new or existing clients.

In both the Adelphia and Just For Feet cases, the primary basis of the SEC’s claim is that the wrongdoing by the client and certain members of its management should have been uncovered, despite their collusion in some instances with others specifically to deceive the external auditors. The client and certain of its senior executives and others deliberately misled Deloitte & Touche LLP through the financial information they provided. In the case of Adelphia, certain executives were found guilty of fraud, while in the case of Just For Feet, certain executives and third party vendor employees agreed to plead guilty to fraud charges.

- -


S A R B O X A L E R T Volume I, Number 5 page 10

Sarbox Project Template

Crossword Puzzle: The COSO-ERM Framework

[Crossword grid with numbered squares 1 through 8; the grid layout is not recoverable from the extracted text.]

Created with EclipseCrossword — www.eclipsecrossword.com

Across

1. A place your CEO doesn't want to go

4. Public Company Accounting Oversight Board

5. Type of controls emphasized in the COSO framework

6. ___ ___: A new component in COSO-ERM that helps define goals.

8. Risk ___: the acceptable level of variation around objectives

Down

2. Risk ___: Has nothing to do with food.

3. The E in COSO-ERM

7. The C in COBIT

[Second crossword grid (clue numbers 1 through 9 and scattered answer letters); the grid is not recoverable from the extracted text.]


S A R B O X A L E R T Volume I, Number 5 page 11

Yes! Please send me one year of SARBOX ALERT at the SPECIAL RATE of $495.

Name Title Organization

Address City State Zip Code

Phone Fax E-mail (required)

Payment enclosed Charge my:

Mastercard Visa American Express Discover

Account Number Expiration Date Signature

Make all checks payable to RiskCenter, LLC. Client agrees to pay any and all applicable sales tax.

Suggestions for additional coverage are always welcome. In fact, we encourage it! This is one of the reasons RiskCenter stays on top of market trends.

If you have an idea or two on new issues, trends, interview subjects - anything really - in this new market, feel free to jot down your thoughts in the space below.

We will likely take your suggestions to heart. Use the space below or send us an email at [email protected]. Thank you in advance for your comments. - The Editor

SARBOX ALERT – published by RiskCenter, LLC
82 Wall Street, Suite 707, New York, NY 10005
phone: 212.825.1525 fax: 212.825.1530
www.riskcenter.com


Comments: