CH 5

Chapter 5 discusses control activities and accounting information systems, emphasizing the importance of internal controls to safeguard data integrity and manage risks. It compares the COBIT, COSO, and ERM frameworks for implementing controls, detailing the components and objectives of the COSO framework. The chapter outlines the functions, limitations, and common types of control activities necessary for effective risk management in organizations.

Chapter 5

Control activities and accounting information systems

This chapter discusses control activities, the types of controls, and some models and frameworks for applying controls in the organization. The chapter is organized around the following objectives:
• Explaining the control concepts and why computer control and security are important.
• Comparing and contrasting the COBIT, COSO, and ERM control frameworks.
• Discussing the COSO Framework.
• Explaining COSO's Enterprise Risk Management Framework.
• Discussing the COBIT framework.
• Explaining the Enterprise Risk Management (ERM) model.

Introduction:
An accounting information system is an integral computing component in many organizations and the business processes that drive them. Accounting is a component of every business process, and the AIS is an important aspect of business process integration. Because of the nature of the transactional and master data in AIS databases, it is important to establish controls and preventive measures to ensure the security and integrity of the data they contain. The overview of AIS summarized in the previous literature review makes it apparent that there are numerous risks surrounding the AIS as well as numerous controls that can be implemented to manage AIS risk. So in this chapter we discuss the control system and fraud threats to the AIS throughout the organization.

1/5 – Explaining the control concepts and why computer controls are important.

What are control activities?

Control activities are the policies, procedures, techniques, and mechanisms that help ensure that management's response to reduce risks identified during the risk assessment process is carried out. In other words, control activities are actions taken to minimize risk. The need for a control activity is established in the risk assessment process. When the assessment identifies a significant risk to the achievement of an organization's objective, a corresponding control activity or activities is determined and implemented.

In an organizational setting, control consists of the regulations or guidelines that govern the individuals within an organization and the actions of the organization itself.

Internal control activities can be incorporated into the following:

• Policies
• Procedures
• Sequences or combinations of procedures
• Assignments of duties, responsibilities, and authorities
• Physical arrangements or processes
• Combinations of the above

Internal controls are the processes implemented to provide reasonable assurance that the following control objectives are achieved:
● Safeguard assets—prevent or detect their unauthorized acquisition, use, or disposition.
● Maintain records in sufficient detail to report the organization's assets accurately and fairly.
● Provide accurate and reliable information.
● Prepare financial reports in accordance with established criteria.
● Promote and improve operational efficiency.
● Encourage adherence to prescribed managerial policies.
● Comply with applicable laws and regulations.

Internal control is a process because it permeates an organization's operating activities and is an integral part of management activities. Internal control provides reasonable, not absolute, assurance: complete assurance is difficult to achieve and prohibitively expensive.

Developing an internal control system requires a thorough understanding of information technology (IT) capabilities and risks, as well as how to use IT to achieve an organization's control objectives.
Accountants and systems developers help management achieve its control objectives by (1) designing effective control systems that take a proactive approach to eliminating system threats and that detect, correct, and recover from threats when they occur; and (2) building controls into a system at the initial design stage, which is easier than adding them after the fact.

Internal controls perform three important functions:

1- Preventive activities are designed to deter the occurrence of an undesirable event. The development of these controls involves predicting potential problems before they occur and implementing procedures to avoid them. Examples include hiring qualified personnel, segregating employee duties, and controlling physical access to assets and information.
2- Detective activities are designed to identify undesirable events that do occur and alert management about what has happened. This enables management to take corrective action promptly. Examples include duplicate checking of calculations and preparing bank reconciliations and monthly trial balances.
3- Corrective controls identify and correct problems as well as correct and recover from the resulting errors. Examples include maintaining backup copies of files, correcting data entry errors, and resubmitting transactions for subsequent processing.

Internal controls are often segregated into two categories:
1. General controls make sure an organization‘s control environment is
stable and well managed. Examples include security; IT infrastructure; and
software acquisition, development, and maintenance controls.
2. Application controls prevent, detect, and correct transaction errors and
fraud in application programs. They are concerned with the accuracy,
completeness, validity, and authorization of the data captured, entered,
processed, stored, transmitted to other systems, and reported.

How should control activities be incorporated into an organization's internal control plan?
Control activities occur at all levels and functions of the organization. Management should establish control activities that are effective and efficient. When designing and implementing control activities, management should aim to get the maximum benefit at the lowest possible cost. Consideration should be given to the following:
1- The cost of the control activity should not exceed the cost that would be incurred by the organization if the undesirable event occurred.
2- Management should build control activities into business processes and systems as the processes and systems are being designed.
3- Adding control activities after the development of a process or system is generally more costly.
4- The allocation of resources among control activities should be based on the likelihood and impact of the risk.
5- For any given risk, there may be multiple appropriate control activities that can be put into place, either individually or in combination with other control activities.
6- Excessive use of controls could impede productivity.
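As an added illustration of points 1, 4, 5 and 6 above (example code written for this page, not taken from the chapter), the following Python script ranks candidate control activities by comparing each control's annual cost with the expected loss it avoids, where expected loss is likelihood multiplied by impact. The risks, probabilities, loss figures, control names and costs are constructed sample values, and the selection rule (most valuable control first, with a second control on the same risk credited only against the loss the first one leaves behind) is an assumption of the example rather than a procedure the chapter prescribes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # probability that the undesirable event occurs within a year (0..1)
    impact: float      # loss the organization would incur if it did occur

    @property
    def expected_loss(self) -> float:
        # Point 4: allocation follows likelihood and impact, combined here as expected loss.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    risk: str          # name of the Risk this control activity addresses
    annual_cost: float
    reduction: float   # share of the remaining expected loss the control removes (0..1)


# Constructed sample data (not figures from the chapter).
SAMPLE_RISKS = [
    Risk("Unauthorized vendor payment", likelihood=0.20, impact=50_000),
    Risk("Keying error on invoices", likelihood=0.90, impact=2_000),
    Risk("Flooding of the server room", likelihood=0.01, impact=300_000),
]

SAMPLE_CONTROLS = [
    Control("Dual approval of vendor payments", "Unauthorized vendor payment", 4_000, 0.80),
    Control("Daily bank reconciliation", "Unauthorized vendor payment", 3_000, 0.50),
    Control("Automated invoice field validation", "Keying error on invoices", 500, 0.70),
    Control("Second clerk re-keys every invoice", "Keying error on invoices", 6_000, 0.90),
    Control("Water sensors under the raised floor", "Flooding of the server room", 2_500, 0.90),
]


def plan_controls(risks: List[Risk], controls: List[Control],
                  budget: Optional[float] = None) -> List[Tuple[str, float, float]]:
    """Return (control name, avoided loss, annual cost) for the controls worth funding.

    Controls addressing one risk are judged in turn against the *residual* expected
    loss, so a second control on the same risk is credited only for what the first
    one leaves behind (points 5 and 6: combinations are allowed, but piling
    controls on is not automatically justified).
    """
    decisions: List[Tuple[str, float, float]] = []
    for risk in risks:
        residual = risk.expected_loss
        candidates = [c for c in controls if c.risk == risk.name]
        # Consider the control with the largest stand-alone net benefit first.
        candidates.sort(key=lambda c: c.reduction * risk.expected_loss - c.annual_cost,
                        reverse=True)
        for c in candidates:
            avoided = c.reduction * residual
            if avoided > c.annual_cost:   # point 1: cost must not exceed the loss avoided
                decisions.append((c.name, round(avoided, 2), c.annual_cost))
                residual -= avoided
    # Rank by net benefit so a limited budget funds the most valuable controls first.
    decisions.sort(key=lambda d: d[1] - d[2], reverse=True)
    if budget is not None:
        funded, spent = [], 0.0
        for d in decisions:
            if spent + d[2] <= budget:
                funded.append(d)
                spent += d[2]
        decisions = funded
    return decisions


if __name__ == "__main__":
    for name, avoided, cost in plan_controls(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{name:40s} avoids {avoided:>9,.2f} at cost {cost:>8,.2f}")
```

With the sample data, dual approval is funded (it avoids 8,000 of a 10,000 expected loss for 4,000), but the daily reconciliation on the same risk is not, because only 2,000 of expected loss remains and halving that is worth less than its 3,000 cost; the re-keying control is rejected outright as its cost exceeds the whole expected loss it addresses.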

- Commonly used control activities:
The following are descriptions of some commonly used control activities. This is not an exhaustive listing of the alternatives available to management.
Authorization – Control activities in this category are designed to provide reasonable assurance that all transactions are within the limits set by policy or that exceptions to policy have been granted by the appropriate officials.
Review and approval – Control activities in this category are designed to provide reasonable assurance that transactions have been reviewed for accuracy and completeness by appropriate personnel.
Verification – Control activities in this category include a variety of computer and manual controls designed to provide reasonable assurance that all accounting information has been correctly captured.
Reconciliation – Control activities in this category are designed to provide reasonable assurance of the accuracy of financial records through the periodic comparison of source documents to data recorded in accounting information systems.
Physical security over assets – Control activities in this category are designed to provide reasonable assurance that assets are safeguarded and protected from loss or damage due to accident, natural disaster, negligence or intentional acts of fraud, theft or abuse.
Segregation of duties – Control activities in this category reduce the risk of error and fraud by requiring that more than one person be involved in completing a particular fiscal process.
Education, training and coaching – Control activities in this category reduce the risk of error and inefficiency in operations by ensuring that personnel have the proper education and training to perform their duties effectively. Education and training programs should be periodically reviewed and updated to conform to any changes in the organization's environment or fiscal processing procedures.
Performance planning and evaluation – Control activities in this category establish key performance indicators for the organization that may be used to identify unexpected results or unusual trends in data which could indicate situations that require further investigation and/or corrective actions. Evaluations may be done at multiple levels within the organization.
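To make the authorization, review and approval, segregation of duties and reconciliation categories above concrete, and to show the preventive and detective functions described earlier in the chapter, here is added example code (not part of the chapter) that runs those checks over a constructed batch of payment vouchers in a toy AIS. The officer names, role approval limits, document ids and amounts are constructed sample values; the policy that a preparer may never approve their own voucher and that each role carries a fixed approval limit is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy: who holds which role and how much each role may approve.
ROLES = {"alice": "clerk", "bob": "supervisor", "carol": "controller"}
APPROVAL_LIMITS = {"clerk": 0.0, "supervisor": 5_000.0, "controller": 50_000.0}


@dataclass(frozen=True)
class Voucher:
    doc_id: str
    amount: float
    prepared_by: str
    approved_by: Optional[str]  # None means nobody has reviewed and approved it yet


def authorize(v: Voucher) -> Tuple[bool, str]:
    """Preventive controls: authorization, review and approval, segregation of duties.

    Returns (accepted, reason) so the caller can either post the voucher or log the
    exception for follow-up.
    """
    if v.approved_by is None:
        return False, "no review and approval recorded"
    if v.approved_by == v.prepared_by:
        return False, "segregation of duties: preparer may not approve their own voucher"
    # Unknown approvers fall back to a zero limit, so they can authorize nothing.
    limit = APPROVAL_LIMITS.get(ROLES.get(v.approved_by, ""), 0.0)
    if v.amount > limit:
        return False, f"amount {v.amount:,.2f} exceeds approval limit {limit:,.2f} of {v.approved_by}"
    return True, "authorized"


def post_vouchers(vouchers: List[Voucher]) -> Tuple[Dict[str, float], List[Tuple[str, str]]]:
    """Post accepted vouchers to a ledger; return the ledger and the rejected exceptions."""
    ledger: Dict[str, float] = {}
    exceptions: List[Tuple[str, str]] = []
    for v in vouchers:
        ok, reason = authorize(v)
        if ok:
            ledger[v.doc_id] = v.amount
        else:
            exceptions.append((v.doc_id, reason))
    return ledger, exceptions


def reconcile(source_docs: Dict[str, float], ledger: Dict[str, float]) -> Dict[str, List[str]]:
    """Detective control: periodic comparison of source documents to recorded data.

    Flags documents that were never recorded, ledger entries with no supporting
    document, and entries whose recorded amount differs from the document.
    """
    common = set(source_docs) & set(ledger)
    return {
        "unrecorded": sorted(set(source_docs) - set(ledger)),
        "unsupported": sorted(set(ledger) - set(source_docs)),
        "amount_mismatch": sorted(d for d in common
                                  if abs(source_docs[d] - ledger[d]) >= 0.01),
    }


# Constructed sample vouchers, one per control outcome.
SAMPLE_VOUCHERS = [
    Voucher("PV-1001", 1_200.00, "alice", "bob"),     # within supervisor limit
    Voucher("PV-1002", 9_500.00, "alice", "bob"),     # exceeds supervisor limit
    Voucher("PV-1003", 400.00, "bob", "bob"),         # preparer approving own voucher
    Voucher("PV-1004", 20_000.00, "alice", "carol"),  # within controller limit
    Voucher("PV-1005", 75.00, "alice", None),         # never approved
]

# Constructed month-end data: vendor invoices on file versus what the AIS recorded
# (PV-1004 was keyed with a dropped zero, PV-1007 has no invoice behind it).
SOURCE_INVOICES = {"PV-1001": 1_200.00, "PV-1004": 20_000.00, "PV-1006": 310.00}
RECORDED_LEDGER = {"PV-1001": 1_200.00, "PV-1004": 2_000.00, "PV-1007": 999.00}


if __name__ == "__main__":
    ledger, exceptions = post_vouchers(SAMPLE_VOUCHERS)
    print("posted:", ledger)
    for doc_id, reason in exceptions:
        print(f"rejected {doc_id}: {reason}")
    print("reconciliation findings:", reconcile(SOURCE_INVOICES, RECORDED_LEDGER))
```

The preventive checks stop three of the five vouchers before posting; the reconciliation then surfaces what those checks cannot see, namely an invoice that was never entered, a ledger entry with no supporting document, and a keying error, which is why the chapter treats detective controls as a complement to, not a substitute for, preventive ones.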

What are some limitations of control activities?

Control activities can provide only reasonable assurance regarding the achievement of objectives. The likelihood of achievement is affected by limitations inherent in all control systems. These limitations include the following:
Judgment – The effectiveness of controls is limited by the fact that decisions must be made with human judgment in the time available, based on the information at hand and under the pressures of conducting business.
Breakdowns – Even if control activities are well designed, they can break down. Personnel may misunderstand instructions or simply make mistakes. Errors may also stem from new technology and the complexity of computerized information systems.
Management override – Even in an effectively controlled organization, high-level personnel may be able to override prescribed policies or procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies or procedures for legitimate purposes.
Collusion – Collusion between two or more individuals can result in control failures. Individuals acting collectively often can alter financial data or other management information in a manner that cannot be identified by the control system.
Costs versus benefit – In determining whether a particular control activity should be established, the cost of establishing the control must be considered along with the risk of failure and the potential impact. Excessive control is costly and counterproductive. Too little control presents undue risk. Organizations should make a conscious effort to strike an appropriate balance.
Resource limitations – Every organization must prioritize control activities because resources are not available to put every control activity into practice.
We will discuss three frameworks that are used to develop internal control systems when applying an AIS.

Compare and contrast the COBIT, COSO, and ERM control frameworks.

2/5- COSO Framework

In May 2013, COSO released a revised "Internal Control – Integrated Framework," which replaced the original version developed in 1992. The original framework formally defined internal control and contained relevant and helpful guidance. In 2002, the Sarbanes-Oxley Act (SOX) was enacted; it mandates that U.S. listed companies report on the effectiveness of their internal control over financial reporting (ICFR) using a suitable framework and in some cases also requires a separate audit of ICFR. Furthermore, many organizations around the world have voluntarily used the framework to help them create, develop, mature, and continuously improve their systems of internal control beyond just financial reporting.

The COSO Framework was designed to help businesses establish, assess and enhance their internal control. The importance of internal control in the operations and financial reporting of an entity cannot be over-emphasized, as the existence or absence of the process determines the quality of output produced in the financial statements.

A present and functioning internal control process provides users with "reasonable assurance" that the amounts presented in the financial statements are accurate and can be relied upon for informed decision making.

The COSO Internal Control 2013 Framework:

COSO defines internal control as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance."

COSO provides further characterization of the objectives, which allows organizations to focus on different aspects of internal control: "Operational objectives pertain to effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss. Reporting objectives pertain to internal and external financial and nonfinancial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity's policies. Compliance objectives pertain to adherence to laws and regulations to which the entity is subject."

Internal control over financial reporting therefore consists of the controls specifically designed to address the risks of intentional or unintentional misstatements in the financial statements.

The COSO framework divides internal control objectives into three categories: operations, reporting and compliance.

Operations objectives, such as performance goals and securing the organization's assets against fraud, focus on the effectiveness and efficiency of your business operations.

Reporting objectives, including both internal and external financial reporting as well as non-financial reporting, relate to the transparency, timeliness and reliability of the organization's reporting habits.

Compliance objectives are internal control goals based around adhering to laws and regulations that the organization must comply with.

The 2013 Framework focuses on five integrated components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities (see Figure 1).

The updated 2013 Framework:

• Clarifies the application of the 2013 Framework in today's environment with the various business models, technology, and related risks
• Codifies criteria that can be used in developing and evaluating the effectiveness of systems of internal control – making explicit 17 principles, each with points of focus (see Figure 1)
• Expands reporting objectives to support internal, financial and nonfinancial reporting, and operational and compliance objectives
• Emphasizes the need for judgment in evaluating whether a company achieves effective internal control
• Focuses on accountability for internal control throughout the organization, starting at the board level and senior management
• Explicitly considers IT controls and identifies the need for fraud risk consideration not limited to financial statements but also within compliance and operations

- The COSO Integrated Framework's components:

The COSO Integrated Framework for Internal Control has five (5) components, which include:

1. Control Environment: The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

According to the Institute of Internal Auditors (IIA), a control environment is the foundation on which an effective system of internal control is built and operated in an organization that strives to 1- achieve its strategic objectives, 2- provide reliable financial reporting to internal and external stakeholders, 3- operate its business efficiently and effectively, 4- comply with all applicable.

2. Risk Assessment: Every entity faces a variety of risks from external and internal sources.

Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives.

Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Thus, risk assessment forms the basis for determining how risks will be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives.

Management also considers the suitability of the objectives for the entity. Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

3. Control Activities: Control activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment.

Control activities may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews.

Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

4. Information and communication:

Information is obtained or generated by management from both internal and external sources in order to support internal control components. Communication based on internal and external sources is used to disseminate important information throughout and outside of the organization, as needed to respond to and support meeting requirements and expectations.
The internal communication of information throughout an organization also allows senior management to demonstrate to employees that control activities should be taken seriously.

5. Monitoring:

Monitoring activities are periodic or ongoing evaluations to verify that each of the five components of internal control, including the controls that affect the principles within each component, is present and functioning.

At a minimum, monitoring is performed by an internal auditor who makes sure that employees are adhering to established internal controls. However, in the case of public companies, it is relatively common for an outside auditor to evaluate the organization's regulatory compliance. In either case, the audit results are usually reported to the board of directors.

The image of the cube shows the relationship between all the parts of an effective internal control system.

The columns are the three objective categories (operations, reporting and compliance). The rows consist of the five components. Your organizational structure fits into the third dimension of the cube.

Figure (1) The COSO Cube

The framework also lists 17 principles you should apply to meet your organization's internal control objectives, divided by component.

The 2013 Framework is a flexible, reliable, and cost-effective approach to the design and evaluation of internal control systems for organizations looking to achieve operational, compliance, and reporting objectives. The 2013 Framework can be applied regardless of organization size or type: public organizations, private organizations, not-for-profit organizations, and governmental organizations.

Table (1) 5 components and 17 principles of internal control

Control environment
  1. Demonstrates commitment to integrity and ethical values
  2. Exercises oversight responsibility
  3. Establishes structure, authority, and responsibility
  4. Demonstrates commitment to competence
  5. Enforces accountability

Risk assessment
  6. Specifies suitable objectives
  7. Identifies and analyzes risk
  8. Assesses fraud risk
  9. Identifies and analyzes significant change

Control activities
  10. Selects and develops control activities
  11. Selects and develops general controls over technology
  12. Deploys control activities through policies and procedures

Information and communication
  13. Uses relevant information
  14. Communicates internally
  15. Communicates externally

Monitoring activities
  16. Conducts ongoing and/or separate evaluations
  17. Evaluates and communicates deficiencies

- Key observations for a successful implementation of the COSO framework:
1. The accomplishment of significant goals and objectives is affected by
bringing attention to managing operational, financial, compliance, and IT
processes.
2. Strong internal control functions can help mitigate many of the risks
associated with current and future complex legislative, regulatory, and
market pressures.
3. Consideration should be given to the following steps for the applicable
areas: planning and scoping; assessment and documentation; remediation
design and implementation; testing of design, execution, and reporting;
continuous monitoring; and optimization of effectiveness of internal
controls.

3/5- COSO's Enterprise Risk Management Framework

To improve the risk management process, COSO developed a second control framework called Enterprise Risk Management—Integrated Framework (ERM). ERM is the process the board of directors and management use to set strategy, identify events that may affect the organization, assess and manage risk, and provide reasonable assurance that the organization achieves its objectives and goals. The basic principles behind ERM are as follows:
● Organizations are formed to create value for their owners.
● Management must decide how much uncertainty it will accept as it creates value.
● Uncertainty results in risk, which is the possibility that something negatively affects the organization's ability to create or preserve value.
● Uncertainty results in opportunity, which is the possibility that something positively affects the organization's ability to create or preserve value.
● The ERM framework can manage uncertainty as well as create and preserve value.

COSO developed the ERM model shown in Figure (2) to illustrate the elements of ERM.
The four columns at the top represent the objectives that management must meet to achieve company goals. The columns on the right represent the organization's units. The horizontal rows are the eight interrelated risk and control components of ERM. The ERM model is three dimensional. Each of the eight risk and control elements applies to each of the four objectives and to the organization and/or one of its subunits.

What Are the 8 Components of ERM?

The COSO framework for ERM identifies eight components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information & communication, and monitoring. These eight core components drive a company's ERM practices.

Figure (2) The COSO's ERM framework Cube

4/5- COBIT framework

What is COBIT?

COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by ISACA (the Information Systems Audit and Control Association). It was designed to be a supportive tool for managers, and it allows bridging the crucial gap between technical issues, business risks, and control requirements.

COBIT is a widely recognized guideline that can be applied to any organization in any industry. Overall, COBIT ensures quality, control, and reliability of information systems in an organization, which is also the most important aspect of every modern business.

The COBIT model has governance and management objectives, grouped into 5 domains. It is the basis for designing and implementing the governance system. The COBIT model is customized to the organization's requirements. These objectives help organizations to focus on their governance system.

The domains express the key purpose and areas of activity, as follows:

• Evaluate, Direct and Monitor (EDM)
• Align, Plan and Organize (APO)
• Build, Acquire and Implement (BAI)
• Deliver, Service and Support (DSS)
• Monitor, Evaluate and Assess (MEA)

The EDM domain has governance objectives. In this domain, the governing body evaluates strategic options, directs senior management on the chosen strategic options and monitors achievement of the strategy, as mentioned previously in the 3 essential tasks.

Management objectives are grouped in four domains, as follows:

• APO—Addresses the overall organization, strategy and supporting activities for the organization's IT
• BAI—Treats the definition, acquisition and implementation of IT solutions and their integration into the organization's processes
• DSS—Addresses operational delivery and support of IT services, including security
• MEA—Addresses performance monitoring and conformity of IT to internal performance targets, internal control objectives and external requirements

Why Use COBIT 5?

Managers face new challenges every day in their organizations. New user demands, risk scenarios, and industry-specific regulations appear every day to challenge the stability of an organization.

With the development of technology, enhancing the value of intellectual property, managing risk and security, and assuring compliance via effective IT management and governance have reached a whole new level. It has become very important as well as challenging to take care of all these factors. Here, you will find COBIT the best guide to reach perfection.

There is no other framework based on the organization's IT available now that offers the same benefits as COBIT. It helps organizations of all sizes to maintain their stability and focus on their growth. That might help you in getting the answers about why you must use COBIT for your organization.

• It maintains high-quality information for supporting organizational decisions.
• It helps in achieving strategic goals via the innovative and effective use of IT.
• It helps in achieving operational excellence via reliable, efficient application of technology.
• It maintains IT-related risk at an acceptable level.
• It helps in optimizing the cost of IT services.
• It supports compliance with contractual policies and agreements, relevant regulations, and laws.

Who Uses COBIT 5?

COBIT 5, the latest version offered by ISACA, is compatible with every kind and size of organization. COBIT 5 is useful and generic for organizations of every size. COBIT 5 is used by those who have primary responsibility for business processes and technology.

Moreover, it is used by persons who depend on technology for reliable and relevant information. Individuals who are focused on providing quality, reliability, and control of information as well as related technology also use COBIT 5 to enhance their performance. Most COBIT 5 users include consultants and enterprise executives in the following sectors:

1. Audit and Assurance
2. Compliance
3. IT Operations
4. Governance
5. Risk and Security Management

What is the COBIT Framework?

COBIT allows management to control all the IT operations of the organization so that management can minimize risk and enhance productivity in a disciplined manner. COBIT allows all managers to fill the gap between technical issues, control requirements, and business risks.

Moreover, it enables clear policy development, as well as good practice for IT control throughout your organization. The main difference between COBIT and other frameworks is that it offers attention to risk management, security, and information governance. The overall COBIT framework is designed to provide the organization an enhanced and flexible experience of customizing an IT governance strategy. The main focus of COBIT remains on the following domains:

• Planning and Organizing
• Delivery and Support
• Acquiring and Implementation
• Monitoring and Evaluating

Apart from this, if we talk about the key points of the COBIT framework's working, it is entirely aimed at the following points:

• Strategic Alignment
• Value Delivery
• Performance Management
• Risk Management

The Advantages of COBIT 5:

COBIT 5 not only prepares professionals for challenges to the organization's IT process but also delivers a substantial amount of expert information on:
1. IT management issues and how they can affect organizations
2. Principles of IT governance and organizational IT, while establishing the differences between management and governance
3. Assessing the ways in which COBIT 5 processes can help the establishment of the five basic principles
4. Discussing COBIT 5 with respect to its process reference model and goals

Figure (3) The COBIT framework

What are the goals of the COBIT Framework?

There are four primary goals of the COBIT framework:

1. To help organizations achieve their objectives for the governance and management of enterprise IT.
2. To provide a comprehensive set of best practices for organizational IT governance and management.
3. To promote alignment between organizational IT and the business goals of the organization.
4. To provide a common language for organizational IT governance and management.

What are the COBIT Framework Basics?
COBIT is more than a set of technical standards for IT managers. This framework supports the requirements of the organization via combined IT applications, related processes and sources. It provides the following two main parameters:

• Control: IT management practices, policies, procedures, and structures, providing an acceptable assurance level that the organization's goal will be met.
• IT control objective: States the acceptable results level that must be attained on implementing control procedures for a particular IT operation.

What are the COBIT 5 principles?

COBIT 5 is based on five principles that are essential for the effective
management and governance of organization IT:

• Principle 1: Meeting stakeholder needs
• Principle 2: Covering the organization end to end
• Principle 3: Applying a single integrated framework
• Principle 4: Enabling a holistic approach
• Principle 5: Separating governance from management

These five principles enable an organization to build a holistic framework
for the governance and management of IT that is built on seven 'enablers':

1. People, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behavior
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

What Do You Need to Know Before Using COBIT?

• Objectives: The latest version has 37 governance and business
management objectives. IT professionals can prioritize or ignore the
objectives based on the stakeholders' needs.
• Design factors: Include strategic, contextual, and tactical factors that
help define an organization's requirements and how they must be
addressed in a framework. They drive implementation choices for
technology, methods, and outsourcing.
• Domains: The objectives are categorized into specific domains that map
to various business processes such as planning, creating, and monitoring.
• Goals cascade: It defines the connection between business goals and
requirements.
• Components: These are elements such as infrastructure, skills, process
descriptions and structures influencing IT.
COBIT 5

• It has five governance principles.
• The term "manage" is for management processes.
• The term "ensure" is for governance processes.
• 37 processes
• Governance framework principles are absent
• Enablers are included
• Design factors are not available
• A 0-5 scale based on ISO/IEC 33000 is used to measure performance.

Table (2) The COBIT 5 components

- The Various COBIT Components:

• Framework
It helps in organizing the objectives of IT governance and bringing in
the best practices in IT processes and domains while linking them to
business requirements.
• Process Descriptions
It is a reference model and also acts as a common language for every
individual in the organization. The process descriptions include
planning, building, running, and monitoring of all IT processes.
• Control Objectives
This provides a complete list of requirements that have been
considered by management for effective IT business control.
• Maturity Models
Assesses the maturity and the capability of every process while
addressing the gaps.
• Management Guidelines
Helps in better assigning responsibilities, measuring performance,
agreeing on common objectives, and illustrating better interrelationships
with every other process.

COBIT is used by all organizations whose primary responsibilities
happen to be business processes and related technologies, that is, all
organizations and businesses that depend on technology for reliable and
relevant information. COBIT is used by both government and private sector
organizations because it helps in increasing the sensibility of IT processes.

5/5-Explaining the Enterprise Risk Management (ERM) model.

ERM model

The more comprehensive ERM framework takes a risk-based rather than a
controls-based approach. ERM adds three additional elements to COSO's
IC framework: setting objectives, identifying events that may affect the
company, and developing a response to assessed risk. As a result, controls
are flexible and relevant because they are linked to current organizational
objectives. The ERM model also recognizes that risk, in addition to being
controlled, can be accepted, avoided, diversified, shared, or transferred.
What is Enterprise Risk Management (ERM)?

Enterprise Risk Management (ERM) is a term used in business to
describe risk management methods that firms use to identify and mitigate
risks that can pose problems for the organization. The simple question that
ERM practitioners attempt to answer is: "What are the major risks that
could stop us from achieving the mission?"

What Types of Risks Does Enterprise Risk Management Address?

ERM can help devise plans for almost any type of business risk. Business
risk threatens an organization's ability to survive, and these risks may be
further classified into the different risks discussed below. In general, ERM
most commonly addresses the following types of risk:

• Compliance risk threatens an organization due to a violation of an
external law or requirement. An example of compliance risk is an
organization's inability to produce timely financial statements in
accordance with applicable accounting rules such as GAAP.
• Legal risk threatens an organization should the organization face a
lawsuit or penalty for contractual, dispute, or regulatory issues. An
example of legal risk is a billing dispute with a major customer.
• Strategic risk threatens an organization's long-term plan. For
example, new market participants in the future may supplant the
organization as the lowest-cost provider of a good.
• Operational risk threatens the day-to-day activities required for the
organization to operate. An example of operational risk is a natural
disaster that damages an organization's warehouse where inventory is
stored.
• Security risk threatens the organization's assets if physical or digital
assets are misappropriated. An example of security risk is
insufficient controls overseeing sensitive client information stored on
network servers.
• Financial risk threatens the debt or financial standing of an
organization. An example of financial risk is translation losses from
holding foreign currency.

- Risk Response Strategies for Enterprise Risk Management:

Management selects one of the five risk response strategies below to deal
with the risks it has identified:

1. Risk avoidance: The elimination of risks or activities that can
negatively impact the organization's assets. For example, the
cancellation or halt of a proposed production or product line.
2. Risk reduction: The mitigation or limitation of the severity of
losses. For example, management can plan frequent visits to their
major suppliers to identify potential problems early.
3. Alternative actions: The consideration of other possible ways to
reduce risks.
4. Share or insure: The actions of transferring risks to third parties,
like insurance agencies. For example, buying an insurance policy
that could cover any unexpected loss for the business.
5. Risk acceptance: The acknowledgment of the identified risks and
the willingness to accept their consequences. Typically, any loss
from a risk not covered or avoided is an example of risk acceptance.

- Risk response falls into four categories of its own:
Avoidance
As the name clearly suggests, this type of risk response involves simply
"walking away" from the risk.
For example, a company might decide to relocate based on risks
resulting from certain geo-political tension, or completely abandon a
product or service that is proving to be particularly risky.
Often it will be too late to avoid risks, because the damage has been
done and the costs incurred.
That is why preventative measures and adequate analysis of potential
risks are so important: they keep the avoidance response on the table.
Reduction
Often, risks can be reduced in a number of different ways.
Diversifying a product line may reduce the risk that changing trends or
seasonal buying poses; employing multiple stop-gaps for fault tolerance,
like offline backups and multiple operations centers, will reduce the risk
posed by natural disasters; automating certain tasks in a process will
reduce the risk of human error; and so on.
Simple tweaks to standard operating procedures, even seemingly
mundane changes like making sure employees are properly informed on
company policies, can sometimes result in a significant reduction of risk.
Sharing
Risk "sharing" is the principle of purchasing insurance to hedge or
offset risks.
To use a financial example, the concepts of short calls and long puts
allow investors to hedge their bets on price movements.
Joint venture agreements can also mean businesses share potential risks
and rewards.
Basically, risk sharing is the idea of having a portion of the risk
offloaded onto another party with the understanding that you are
substituting the perceived "value" of that risk for a more tangible
monetary cost.
Acceptance
To accept a risk is to take no action.
Rather than buying an insurance policy, a business may decide to
"self-insure". This might take the form of putting aside resources to deal
with certain risks, should they manifest.

Risk monitoring
Identifying risks is not something that is done once; like continuous
improvement, it is an ongoing process.
The context in which certain risks are identified is constantly changing,
and as such risks need to be monitored to continually determine the
significance they represent.
Sometimes, changing circumstances may lead to the risk becoming
even greater. A clear example of this is geopolitical unrest.
Organizations need proper systems in place to monitor and respond to
changes in circumstances and adequately determine if identified risks
still pose a threat.

- Elements of an Enterprise Risk Management Process

ERM follows a very distinct and ongoing process, where it actively
identifies and reassesses the various strategic and major risks to ensure
financial security for the organization. The process includes five specific
elements:

1. Strategy/Objective setting: Understand the strategies and associated
risks of the organization.
2. Risk identification: Provide a clear profile of major risks that can
negatively impact the organization's overall financials.
3. Risk assessment: Identified risks are strictly analyzed to determine
both their likelihood and potential impact.
4. Risk response: Consider various risk response strategies and select
appropriate actionable paths to align identified risks with
management's risk tolerances.
5. Communication and monitoring: Relevant information and data
need to be constantly monitored and communicated across all
departmental levels.

- Advantages and Disadvantages of Enterprise Risk Management

Advantages of ERM
ERM sets the organization-wide expectations around the organization's
culture. This includes communicating more openly about the risks the
organization faces and how to mitigate them. This leads to fewer unexpected
risks and more guided direction on how to respond to certain events.

In addition, this may lead to greater employee satisfaction, knowing plans
are in place to protect the organization's resources, as well as better
customer service, knowing how to respond to customers should certain risks
actually occur.

ERM practices are often synthesized in a standardized risk report delivered
to upper management. This report succinctly summarizes the risks the
organization faces, the actions being taken, and information needed for
decision-making. As a result, the organization may be more efficient with
its time, especially considering what is delivered to upper management.

ERM may also have a positive impact on the resourcefulness of the
business. ERM may eliminate redundant processes, ensure efficient use of
staff, reduce theft, or increase profitability by better understanding what
markets to enter.

Disadvantages of ERM
As the organization builds out its ERM practices, it will likely consider
familiar risks it has been exposed to in the past. Therefore, ERM is limited
in identifying future risks that the organization is unaware of and that may
have more detrimental impacts. In this sense, some may consider ERM
reactive: organizations can only forecast risk based on what they have prior
experience of.

ERM also relies very heavily on management estimates and inputs. These
may be nearly impossible to predict accurately.

ERM practices are time-intensive and therefore require resources of the
organization to be successful. Though the organization will benefit from
protecting its assets, it must divert its staff's time and may have to make
capital investments to implement ERM strategies. In addition, the
organization may find it difficult to quantify the success of ERM, as
financial risks that do not occur can only be projected.
- Risk management process:
1. Establish context: the internal and external scope of the
organization, and the scope of the ERM system
2. Identify risks: as they relate to the organization's objectives;
these should be well documented and include the corresponding
potential for gaining competitive advantage as a result of process
improvement
3. Analyze risk severity: for each of the risks identified, assess
its severity
4. Integrate risks: based on the results of the previous risk analysis,
aggregate all risk distributions and align the analysis with the
determined impact on KPIs
5. Prioritize risks: determine a ranked order of prioritization for
each of the risks identified
6. Risk management strategies: this involves strategies for
resolving and exploiting the risks identified
7. Monitoring and reviewing results: the continuous
improvement of the risk management process by way of
monitoring and assessment of the risk environment; basically
what works and what doesn't, and figuring out how to improve
the process.
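As an added example that is not part of the chapter, the following Python risk register walks the process above on a few constructed risks: it scores each risk as likelihood × impact, aggregates exposure per KPI, ranks the risks, and maps each one to one of the five response strategies described earlier (avoid, reduce, alternative actions, share/insure, accept). The 1-5 scales, the risk appetite threshold of 8 and the decision rule used to pick a response are assumptions made for this example, not rules from the chapter.

```python
"""Toy ERM risk register: identify, analyze severity, integrate, prioritize, respond."""
from dataclasses import dataclass

# Assumption for this example: scores above the appetite need a response
# other than plain acceptance.
RISK_APPETITE = 8


@dataclass
class Risk:
    name: str
    category: str      # compliance, legal, strategic, operational, security, financial
    likelihood: int    # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int        # 1 (negligible) .. 5 (severe), assumed scale
    kpi: str           # the KPI this risk threatens
    insurable: bool = False   # can it be transferred to a third party?
    avoidable: bool = False   # can the activity simply be dropped?

    def score(self) -> int:
        """Severity as likelihood x impact (step 3)."""
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject register entries outside the assumed 1-5 scales."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")


def prioritize(risks):
    """Step 5: ranked order, highest score first, ties broken by impact."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)


def integrate_by_kpi(risks):
    """Step 4: aggregate exposure per KPI as the sum of risk scores."""
    totals = {}
    for r in risks:
        totals[r.kpi] = totals.get(r.kpi, 0) + r.score()
    return totals


def select_response(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Step 6: map a risk to one of the five response strategies.
    The decision rule is an assumption for this example."""
    if risk.score() <= appetite:
        return "accept"            # within tolerance: acknowledge and carry it
    if risk.avoidable and risk.impact >= 4:
        return "avoid"             # drop the activity entirely
    if risk.insurable:
        return "share/insure"      # transfer to a third party
    if risk.likelihood >= 3:
        return "reduce"            # frequent enough to justify mitigation
    return "alternative actions"   # rare but severe, and no standard lever fits


def build_register(risks, appetite: int = RISK_APPETITE):
    """Prioritized register rows: (name, score, response)."""
    return [(r.name, r.score(), select_response(r, appetite)) for r in prioritize(risks)]


# Constructed sample register, illustrative values only.
SAMPLE_RISKS = [
    Risk("Late GAAP financial statements", "compliance", 2, 4, "reporting timeliness"),
    Risk("Warehouse flood", "operational", 2, 5, "order fulfilment", insurable=True),
    Risk("Client data on unprotected server", "security", 4, 5, "client trust"),
    Risk("New low-cost competitor", "strategic", 3, 3, "market share"),
    Risk("FX translation loss", "financial", 3, 2, "net income", insurable=True),
    Risk("Risky new product line", "strategic", 4, 4, "net income", avoidable=True),
]

if __name__ == "__main__":
    for name, score, response in build_register(SAMPLE_RISKS):
        print(f"{score:>2}  {name:<35} -> {response}")
    print(integrate_by_kpi(SAMPLE_RISKS))
```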

- Enterprise Risk Management: Integrating with Strategy and
Performance.

1. Governance and culture: Enterprise risk management cannot
succeed unless the organization seeks to fully integrate it within
the culture of its workplace. This pertains to the ethics behind worker
responsibilities, codes of conduct, and the proper comprehension of
risks, as well as all associated management programs and solutions.

2. Strategy and objective-setting: A fundamental part of ERM is
making sure the risk management strategies align with core objectives
and broader business strategies. Business objectives are the basis for
planning and implementing strategies, while simultaneously serving as
a launch-pad for identifying, assessing, and responding to risks.

3. Performance: Assessing how certain risks will impact the
performance of key processes is important for risk prioritization. In this
context, risks are prioritized in order of their severity.

Following this, risk responses are selected based on an assessment of
the potential for risk that has been identified. Results of this part of the
process are typically reported to key stakeholders.

4. Review and revision: By reviewing the performance of risk
management processes, organizations can determine how well the ERM
program is working, including whether or not changes are needed.

5. Information, communication, and reporting: ERM is not a
single checklist or a fixed set of steps; it is an ongoing process of
collecting and assessing information from internal and external sources,
across all parts of an organization. The five components above are
supported by an additional set of principles. These principles are wide-
ranging, covering everything from corporate leadership of the ERM
program to risk monitoring methods.

Each of the principles is short and succinct; here they are, as they
appear in Enterprise Risk Management: Integrating with Strategy and
Performance.

Organizations can use these principles as a clear reference point for
contextualizing and evidencing their efforts to understand and strive for
an enterprise risk management program that is firmly aligned with its
strategy and business objectives.

Figure ( 4 ) The ERM Integrating with Strategy and Performance.

- How to Implement Enterprise Risk Management Practices

ERM practices will vary based on a company's size, risk preferences, and
business objectives. Below are best practices most companies can use to
implement ERM strategies.

• Define risk philosophy. Before implementing any practices, a
company must identify how it feels about risk and what its strategy
around risk will be. This should involve strategic discussions
among management and an analysis of the organization's entire risk
profile.
• Create action plans. With a company's risk philosophy in hand, it is
time to create an action plan. This defines the steps a company must
take to protect its assets and its plans to protect the future of the
organization after a risk assessment has been performed.
• Be creative. When considering risks, ERM entails thinking broadly
about the problems a company may face. Even if far-fetched, it is in
a company's best interest to think of as many challenges as it may face
and how it will respond (or decide not to respond) should the
event happen.
• Communicate priorities. A company may determine that several
high-importance risks are critical to mitigate for the continuation of the
company. These priorities should be communicated and broadly
understood as the risks that should not be incurred under any
circumstance. Alternatively, a company may wish to communicate
the plans if the event were to occur.
• Assign responsibilities. When an action plan has been devised,
specific employees should be identified to carry out specific parts of
the plan. This may include delegating tasks to specific positions
should employees leave the company. This not only allows for all
action items to be worked on but also holds members responsible for
their area(s) of risk.
• Maintain flexibility. As companies and risks evolve, a company
must design ERM practices to be adaptable. The risks a company
faces one day may be different the next; the company must be able to
carry out its current plan while still making plans for new, future risks.
• Leverage technology. ERM digital platforms may host, summarize,
and track many of the risks of a company. Technology can also be
used to implement internal controls or gather data on how
performance is tracking against ERM practices.
• Continually monitor. Once ERM practices are in place, a company
must ensure the practices are adhered to. This means tracking
progress towards goals, ensuring certain risks are being mitigated,
and ensuring employees are performing tasks as expected.
• Use metrics. As part of monitoring ERM practices, a company
should develop a series of metrics to quantifiably gauge whether it is
meeting targets. Often referred to as SMART goals, these metrics
keep a company accountable for whether it met its objectives or not.

As the organization implements ERM practices, it is widely advised to
continually gather feedback from all employees. Everyone will have a
different perspective on what might not be working or what could be done
better.

Chapter Quiz
Choose the correct answer:

1- A control procedure designed so that the employee that records cash
received from customers does not also have access to the cash itself is an
example of a(n)
A) preventive control.
B) detective control.
C) corrective control.
D) authorization control

2- Duplicate checking of calculations and preparing bank reconciliations
and monthly trial balances are examples of what type of control?
A) Preventive control
B) Detective control
C) Corrective control
D) Authorization control

3- Internal control is often referred to as a(n) ________, because it
permeates an organization's operating activities and is an integral part of
management activities.
A) event
B) activity
C) process
D) system

4- Which of the following is not a component of the COSO Enterprise Risk
Management Integrated Framework (ERM)?
A) Monitoring.
B) Ethical culture.
C) Risk assessment.
D) Control environment.

5- The purpose of the COSO Enterprise Risk Management framework is
A) to improve the organization's risk management process.
B) to improve the organization's financial reporting process.
C) to improve the organization's manufacturing process.
D) to improve the organization's internal audit process.
