KnowledgeLeader provides best practice articles, tools, guides and other resources on enterprise risk management (ERM). This page contains some examples of the many resources and tools on ERM that are available for download. The tools are provided in downloadable versions, so they can be customized for use in your organization.
2014 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations
In this report, we will detail the results of the 2014 Internal Audit Capabilities and Needs Survey to present a portrait of a healthcare internal audit function that is intent on delivering assurance across multiple risk realms while simultaneously enhancing the efficiency and quality of heavy workloads.
2015 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations
The 2015 healthcare provider organization results from AHIA and Protiviti shed light on the ways in which CAEs and internal audit professionals are performing strategic juggling acts while providing assurance across an ever-increasing number of risk areas.
2015 IT Audit Benchmarking Survey: Key Takeaways
A closer look at some of the notable takeaways from Protiviti and ISACA's 5th Annual IT Audit Benchmarking Survey.
2015 IT Security and Privacy Survey
From the boardroom and C-suite to IT, legal, finance and more, every corner and function of the business appears intent on addressing cybersecurity issues aggressively. But are these intentions translating into effective policies and actions to secure the"crown jewels" of organizations?
2016 Finance Priorities: Forward, With Caution
Despite the signs of economic growth in 2015—including the Federal Reserve’s recent decision to raise interest rates for the first time in almost a decade—U.S.-based companies are laying up stores against the potential of hard times, cutting costs and favoring healthy profit margins over increased market share.
2016 IT Audit Benchmarking Survey
ISACA and Protiviti partnered to conduct the 5th Annual IT Audit Benchmarking Survey in the third quarter of 2015 to determine where IT audit functions stand in their capabilities to address key challenges. What may be most notable in this year’s results is the lack of significant change over the findings in the prior years of our study. The results are not changing, the question is,"Why?" In this report, we explore this and highlight valuable IT audit insights from this year’s Annual IT Audit Benchmarking Survey study.
A Barista, A Shot and Better Security
When reviewing security failure’s root cause, a frequent contributing factor is the organization’s inability to move at the speed of the wild. Looking to the future, the wrong security methods will increasingly struggle as attackers learn more lessons in deception from the history of armed conflict, sports or the natural wild. To meet the threat, methods must be able to move at the speed of the wild. Designed to move at the speed of the wild is the 5+2 Step Cycle for managing risk. The 5+2 Step Cycle achieves this because it was designed to be simple, save time and money, and enable both technical and cultural change at the same time. In addition to the 5+2 Step Cycle, security professionals can improve their success with two other actions.
A Business-Centric Approach to Auditing: Applying the New IPPF Principles
In order to raise findings beyond "tick-the-box" exercises and written reports that never get management and the board’s attention, auditors need to do more than checklist auditing.
A Value-Based Approach to Risk Oversight
Every Chief Executive officer (CEO) pursues opportunities and takes risks in the pursuit of building enterprise value; it’s what the CEO’s board expects. At the same time, those risks must be well managed. For risk management and internal control to function when crucial decision-making moments or changing circumstances arise, directors and executive management must be committed to making them work. Can the risk management process itself contribute value? In this issue of Board Perspectives: Risk Oversight, we examine two perspectives on a value-based approach to the board’s risk oversight: strategic and proprietary.
A Risk-Based Approach to Implementing COSO
This presentation links the Protiviti Risk Model to the COSO framework, and can be used by companies implementing COSO concepts.
Active Directory Work Program: User Management/Administration, Powerful User Rights
This active directory audit work program focuses on the powerful user rights aspect of user management/administration. It includes questions on key controls, the goal state for production, and the status of designed controls.
Advancing the Practice of Risk Management
A risk management program is a long-term investment into making the organization’s governance practices more effective. This article provides several guidelines to help advance an enterprise risk management program and ensure that it gains in effectiveness.
Agile Risk Management: Re-Engineering Risk Solutions to Enable Business Strategies
This white paper introduces a new agile risk management philosophy that will enable proactive organizations to take the lead in adopting an agile approach to risk management to better meet the challenges of today’s operating environment.
Aligning Strategy Setting and Performance Management With Risk
Risk management is flawed when risks are evaluated after the strategy is formulated. The end result could be strategic objectives that are unrealistic and risk management that is simply an appendage to performance management. A disciplined approach to understanding the potential downside of executing the strategy, and the extent to which worst-case scenarios might hurt, will help the company know what to watch over time. In this issue of Board Perspectives: Risk Oversight, we discuss the importance of integrating risk management with strategy setting and performance management, and the board of director's role in this process.
Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry
In this report, we detail the key findings of our study. In addition to beefed up security, the financial services industry IT leaders we surveyed cited an increased and competing number of IT priorities they are juggling, including regulatory and compliance issues, big data planning, and standards and framework governance. Our survey also includes special sections addressing IT transformation as well as IT knowledge within the financial services industry. More than 1,000 respondents in our survey, primarily CIOs and IT directors, share this outlook and are consequently dedicating more IT hours, resources and mindshare to defending against cyber predator attacks this year.
An Effective Way to Conduct a Risk Assessment Guide
There are many ways to conduct a risk assessment. For example, companies may conduct interviews or surveys of key personnel, review key documents, conduct facilitated workshops, perform targeted reviews, or utilize any combination of these options. This guide describes various options to conduct an effective risk assessment.
An Integrated Approach to Managing Identity and Privileged Access Risk
This article outlines the Protiviti IAM Capability Model, which can be used to provide an understanding of an organization’s current IAM strengths and weaknesses.
Applying Best Practices Across the Organization Key Performance Indicators (KPIs)
This benchmarking tool outlines key performance indicators (KPIs) for applying best practices across the organization.
Applying the Five Lines of Defense in Managing Risk
Many lessons were learned from the financial crisis. For example, if a chief executive ignores the warning signs posed by risk management, resists contrarian information suggesting the corporate strategy is either not working or losing relevance, or fails to consider critical risks when evaluating whether to enter a new market or consummate a complex acquisition, the stakeholders can end up paying a high price. Essential to effective risk management, the lines-of-defense model is implicit in COSO’s recently issued internal control framework. An effectively designed and implemented"lines-of-defense" framework can provide strong safeguards. In this issue of The Bulletin, we explore five essential lines of defense for managing risk.
Are You Protecting Your Digital Assets?
Safeguarding assets has been an important objective of all organizations for centuries. In today’s digital age, however, what does safeguarding your assets really mean? Who is responsible for it? And how is"protection" actually achieved?
Assessing Process Maturity for Internal Control over Financial Reporting Compliance – Capability Maturity Model
The following five capability levels represent states of maturity by which the project team can rate the upstream business processes where the company’s internal controls are embedded. Organizations can use this model to assess the impact of process maturity on internal control over financial reporting for Section 404(b) compliance.
Assessing SharePoint Security: Are You Due for a Check-Up?
Microsoft’s SharePoint enterprise content management platform is everywhere, but only about one-third of companies have a SharePoint security plan in place. This article explains how a secure SharePoint environment is certainly possible and not too difficult to achieve.
Assessing Risk: A Strategic Perspective
Strategic risks are risks that the business model is not effectively aligned with the strategy, or risks where one or more strategic assumptions lag behind industry realities and the strategy does not reflect the new conditions. Arising from internal process issues and disruptive change in the external business environment, these risks can be lethal because they may not be known to management and the board of directors. Because these risks are not susceptible to precise measurement as operational risks are, the analytical framework applied to them must be more qualitative in nature. This issue of Board Perspectives: Risk Oversight describes how strategic risk analysis can assist senior management with understanding the critical assumptions underlying the strategy and using contrarian analysis to challenge those assumptions.
Assessing Risks and Internal Controls Guide
This presentation was developed to help with training process owners to assess risks and take responsibility for managing internal controls.
Audit Committee Annual Planning Schedule
This sample schedule provides an annual planner for audit committee activities and demonstrates how to schedule and track audit committee activities throughout the year.
Audit Committee Charter: Sample 3
This sample charter outlines the purpose, structure and operations, responsibilities and duties, and meeting procedures of the audit committee.
Audit Committee Responsibilities Questionnaire
The role of the audit committee has significantly expanded in recent years. This is a sample self-assessment questionnaire for audit committees to use when evaluating the scope of their responsibilities. Topics include: risk management and internal controls, finance and accounting, audit resources and processes, and audit committee performance and operating practices.
Auditing a Compliance and Ethics Program
Improving governance results is critical to every organization, and auditing an organization’s compliance and ethics program is a key means for internal audit to support good governance. This article outlines leading practices regarding compliance and ethics programs.
Auditing to Spot Fraud, From Start to End
Fraud-risk management is here to stay. Has your organization implemented an effective strategy for fraud prevention, detection and response? Are you part of the problem or part of the solution?
Basel III Overview
Developed by the Basel Committee on Banking Supervision, Basel III is a comprehensive set of reform measures intended to strengthen the regulation, supervision and risk management of the banking sector. This guide provides a detailed overview of the standard.
Board of Directors Authorization Charter
This sample charter determines the objective, authority, communications/reporting and responsibilities of the board of directors.
Board Oversight of Reputation Risk
This issue of Board Perspectives outlines 10 keys to the board’s oversight of reputation risk management and classifies them in five critical areas.
Board Oversight of Talent Strategy
This issue of Board Perspectives: Risk Oversight discusses current challenges and effective practices in the board’s oversight of talent strategy, drawing from experience.
Board Perspectives: Risk Oversight Newsletters
Board Perspectives: Risk Oversight is a periodic newsletter that offers ongoing commentary about the risk management oversight process for boards of directors. The goal is to provide board members with concise discussions of practical ideas that will help them improve their boards' risk oversight.
Booz Allen Hamilton Internal Audit: Value-Adding Partners from the Beginning
Booz Allen Hamilton is a leading provider of management and technology consulting services to the US government in defense, intelligence and civil markets, and to major corporations, institutions, and not-for-profits. The internal audit function has evolved over the past several years and trends important to it include those that broaden the concept of control beyond being strictly the purview of the internal audit function – such as the codification and publication of guidelines related to ERM and governance, risk and compliance. In this profile, Sandra Masino, Director of Internal Audit, discusses how internal audit’s focus has recently expanded beyond Sarbanes-Oxley to now touch on the core values of the company, such as ethics and compliance. The group is now seen as the experts in process and controls.
Building a More Secure Structure, Brick by Brick, at Under Armour
Under Armour, Inc. is a United States based sports clothing, accessories and footwear company. Its internal audit function operates within the risk management function and is staffed by six full-time auditors. The team seeks to add value to the company by completing the global internal audit plan, helping management comply with Sarbanes-Oxley (SOX), and acting as a business partner on key initiatives. In this profile, Jonathan Schwartz, Senior Director of Risk Management, and Elysa Lipsky, Senior Manager of Internal Audit, discuss the need to profoundly learn the business as sheer growth led Under Armour to leverage internal audit as a primary strategic resource. As the business pulled internal audit into more significant projects, it was given the chance to really showcase its skill sets. This led to more demand on the team’s time and resources, and has raised its visibility in the organization.
Building Upon Section 404 Compliance: Moving Beyond Year One
In this issue of The Bulletin, we outline imperative steps for certifying officers to take to demonstrate care in reinforcing the responsibility and accountability of process owners, and in supporting these owners in their respective roles. Certifying officers should waste no time in giving these steps their strongest consideration and in discussing their conclusions with the audit committee and board of directors.
Business Continuity Process Ownership Policy
This sample establishes policies and procedures for business continuity process ownership.
Business Continuity Management Audit Work Program
This audit work program focuses on the appropriateness of enterprise-wide business continuity planning, oversight and support, business impact analysis, and risk management.
Business Continuity Management Methodology
Business continuity management (BCM) is best addressed by using a proven methodology. The methodology should be based upon the risks related to an organization’s key business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise. This seven-phased BCM methodology adheres to industry best practices and can be tailored to companies of all sizes.
Business Continuity Management Policy
This sample outlines a set of policies and procedures for formalizing a business continuity program, and provides guidelines for developing, maintaining and exercising business continuity plans (BCPs). Such plans will ensure independence of crisis location, crisis duration and availability of any specific person or group of people.
Business Continuity/Disaster Recovery Program Assessment Report
This audit report sample focuses on whether an appropriate enterprise-wide governance structure is in place to manage the ongoing development, enhancement and maintenance of a business continuity and disaster recovery program.
Capability Maturity Model – Legal Spend Management
The capability maturity model (CMM) is a framework that describes an improvement path from an ad hoc, immature process to a mature, disciplined process focused on continuous improvement. This CMM defines the attributes of each element of infrastructure within the capability maturity continuum for legal spend management.
Capability Maturity Model (CMM)
The Capability Maturity Model (CMM) is a framework that describes an improvement path from an ad-hoc, immature process to a mature, disciplined process focused on continuous improvement. The CMM defines the state of a process using a common language which is based on the Carnegie Mellon Software Engineering Institute Capability Maturity Model. The CMM consists of a continuum of five process maturity levels, enabling process owners to rate the state, or maturity, of a given process as Initial, Repeatable, Defined, Managed or Optimizing.
Channel Effectiveness Risk Key Performance Indicators
Channel effectiveness risk is the risk that poorly performing or positioned supply chain and/or distribution channels may threaten a firm’s capacity to effectively and efficiently interact with suppliers, and to access current and potential customers and end users. This document outlines business risks, recommended practices for channel effectiveness, and questions to consider.
Chief Information Officer Job Description
This job description provides an overview of the responsibilities and qualifications for the chief information officer (CIO) position.
Chief Risk Officer Job Description
This job description provides an overview, job duties and specifications for the chief risk officer role.
Chief Risk Officer Job Description: Sample 2
This job description outlines responsibilities and requirements for the chief risk officer position.
Collaboration, Sharing Compromise and Trust at Dassault Systèmes
Dassault Systèmes,"the 3DEXPERIENCE Company", is a global company based in France that provides businesses and people with virtual universes to imagine sustainable innovations. Its 3D design software, 3D digital mock-up, and product life cycle management solutions facilitate product design, production and support. The company’s internal audit function is focused on becoming a trusted business partner – not only for finance teams, but for other operations within the company as well. In this profile, Etienne Grobon, Corporate Audit Director for Dassault Systèmes, oversees a group of four auditors at the company’s headquarters. This relatively small team is strengthened and supported by a collaborative approach with other business functions throughout Dassault Systèmes. There is not a single person or department responsible for risk management - it is a shared exercise.
Communicating Critical Enterprise Risks to the Board
Directors need to consider several categories of risk, particularly the normal ongoing business management risks, emerging risks and critical enterprise risks. Certain risks require directors to have sufficient information in advance to prepare them for discussions with management about the risks and how they are managed. These risks are the ones that threaten the company’s strategy and the viability of its business model. In this issue of Board Perspectives: Risk Oversight, we focus on what we define as the top risks that can threaten a company’s strategy, business model or ongoing viability. These risks should be a significant focal point of the board of director’s risk oversight agenda.
Compliance Issue Resolution: Responsible Business Conduct in Financial Services
This article discusses four expectations for"responsible business conduct" in a 2013 bulletin published by the Consumer Financial Protection Bureau (CFPB).
Computing Operations and Support: Service-Levels Policy
This sample policy ensures that there are defined and documented IT services, service times, and user-agreed metrics for objective evaluation of services provided.
Conducting Enterprise Risk Assessments That Make a Difference
An enterprise risk assessment (ERA) identifies and prioritizes the organization’s risks and provides quality inputs for purposes of formulating effective risk responses, including information about the current state of capabilities around managing the priority risks. Boards of directors and management need an effective ERA process to effectively discharge their responsibilities, especially in today’s rapidly changing environment. The strategy-setting process which is fueled by an annual risk assessment will mitigate the potential disconnects in the operating environment and is"best practice" in today’s world. In this issue of The Bulletin, we focus on the vital steps in executing an effective ERA and why integrating these assessments with strategy setting is important. We also explain what ERA is, outline how it is conducted and suggest how it must be integrated with the strategic choices affecting enterprise value.
Control Objectives and Activities Guide
This guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities within a business enterprise.
Controls Monitoring Work Program
This sample work program provides steps to perform a quarterly assessment of management’s monitoring of company-level controls.
Core Competency: The Case for FSI IT Modernization
FSI respondents to Protiviti’s 2015 IT Priorities Survey identified some important catalysts driving them to replace core systems. In this article, we discuss the three main drivers: risk mitigation; cost savings; revenue generation.
COSO 2013 and the Implications to IT Controls
As organizations transition to COSO 2013 from the earlier 1992 version, adopters will find themselves taking a hard look at the updated framework’s 17 principles as well as their impact on IT controls.
COSO Element: Risk Assessment
This 42-page presentation thoroughly examines risk assessment as it relates to the COSO Internal Control Framework, from objective setting to risk identification, risk analysis, and risk assessment evaluation.
COSO ERM Diagnostic Questionnaire
This tool can be used to assess the effectiveness of a company’s ERM process, specifically senior management’s effectiveness in performing the key elements of the eight components of the COSO ERM Framework.
COSO ERM: What It Means to the Board
This issue of Board Perspectives summarizes five significant takeaways from the new COSO ERM framework.
Creating Transparency Into Your Largest Risk Exposures
This issue of The Bulletin offers approaches for improving transparency into an entity’s most significant risk exposures, with the objective of minimizing the risk of unwanted surprises.
Credit Rating Analysis of Enterprise Risk Management at Nonfinancial Companies: Are You Ready?
Enterprise risk management (ERM) initiatives have gained strong support from a new source: credit rating analysts. In November 2007, Standard & Poor’s (S&P) issued its Request for Comment: Enterprise Risk Management Analysis for Credit Ratings of Nonfinancial Companies (RFC), reflecting the rating service’s intention to assign scores of ERM quality to all companies it reviews and incorporate an ERM segment into its ratings reports. Standard & Poor (S&P) continues its initiative to assess ERM quality of all companies it reviews. S&P plans to eventually score companies to benchmark its opinions on ERM quality as one proxy for its assessment of management. This issue of The Bulletin explores how consideration of ERM quality can impact the ratings process and what nonfinancial companies can do to prepare for this added dimension to the process.
Criteria for Rating Strategic and Process Risks
This 28-page, comprehensive guide covers the risk response framework, highlighting process risk criteria and characteristics for each maturity level as well as strategic planning risk criteria (leveraging the Six Elements of Infrastructure).
Currency Risk Key Performance Indicators (KPIs)
This tool describes risks associated to currency, identifies their root causes, and provides risk measurement information, management practices, and questions to consider.
Cybersecurity Looms Large at Debate on Geopolitical Risk
This article outlines the geopolitical environment the West faces is highly dynamic as economic uncertainty continues, tensions rise in the East China Sea and the Middle East, Russia flexes its muscles, and cyber threats expand unabated.
Cybersecurity: What Are the Boardroom Implications?
What does safeguarding your assets really mean? Who is responsible for it? This article answers those questions and helps you determine how to protect your digital assets, ensure cybersecurity is appropriately considered, and decide what actions to take.
Data Governance Questionnaire
Data governance is a wide set of management and technical disciplines designed to ensure than an institution has the right data available at the right time and that the data is accurate and in the correct format required to satisfy specific business needs. Putting data into the context of an institution's business needs requires understanding of the business definition of specific data elements, the way those elements are used within specific business processes across the enterprise, the individual systems or databases that house the elements, and any business roles or transformations that occur on the data. This requires complete knowledge of both business and technical metadata to provide a full view of the lineage and proper use of key data elements. An effective data governance program should provide the answers to each of these questions, and many more.
Dismissing an Individual with System Privileges: Actions Checklist
This checklist lists the steps to be taken to ensure the security of critical systems and data after an individual with system privileges has been dismissed.
Does Your Organization Face Change With Confidence?
In this issue of Board Perspectives: Risk Oversight, we discuss how facing change with confidence is crucial in a rapidly shifting business environment for any enterprise, whether public, private or nonprofit.
Driving Risk Appetite: A Pragmatic Approach to Implementing a Broad Effective Framework
While driving may connote a top-down approach, here we use it to communicate a successful implementation, or realization, of risk appetite—a combination of a top-down and a bottom-up approach, the goal being an iterative process that combines push and pull.
Effective Use of Executive Sessions When Overseeing Risk
Executive sessions may be held by independent directors for a number of reasons; depending on the organization’s culture and circumstances, certain issues require more candid, confidential conversations and consequently, a more limited audience. Used appropriately, executive sessions can be an important part of a board’s risk oversight process. Our focus in this issue of Board Perspectives: Risk Oversight, is on how to use executive sessions as part of the board of director’s risk oversight process. These meetings present an opportunity for directors to obtain unfiltered input from selected executives, who otherwise might be influenced to couch or hold back on their responses to questions in the presence of senior executives.
Emerging Risks: Looking Around the Corner
This article summarizes practical principles for recognizing emerging risks.
Enhanced Telecom Operations Model (eTOM) Process Classification Scheme
This conceptual view of an example Enhanced Telecom Operation Model (eTOM) process classification scheme (PCS) addresses the major business process areas of strategy, infrastructure & product, operations and enterprise management, and just as importantly, the supporting functional process areas. Read this document to learn more about the fundamental knowledge of telecommunication customer needs and all functionalities necessary for the acquisition, enhancement and retention of a relationship with a customer.
Ensuring Risk Management Success
Given that there is no one-size-fits-all solution for risk and the risk management function, how risk is governed varies across industries and organizations. A fundamental role of the board of directors in discharging its risk oversight responsibilities is to ensure the success of the independent risk management function. Has the board articulated its risk oversight objectives and evaluated the effectiveness of its processes in achieving those objectives? There are five interrelated principles that underlie effective risk management within all organizations, in both good times and bad. In this issue of Board Perspectives: Risk Oversight, we discuss these five fundamental principles to attaining risk management success.
Enterprise Accounting System Post-Implementation Review Memo
This review focuses on the configurable application controls, application security, and segregation of duties for the accounts payable and general ledger modules.
Enterprise Information Security Policy
This policy establishes information security policies setting baseline criteria for access to, through, or from an organization’s communication networks. It is intended to set the information security criteria, means, methods and measures to protect the confidentiality, integrity and availability of information assets and communication networks.
Enterprise Risk Assessment Methodology for Internal Audit Plan Development Guide
This guide presents a detailed approach to enterprise risk assessment methodology for internal audit plan development.
Enterprise Risk Management - Mortgage Companies
This guide discusses the benchmarks, importance and benefits of enterprise risk management in mortgage companies.
Enterprise Risk Management Education and Awareness Presentation - Guide
The presentation focuses on enterprise risk management (ERM) and how to begin educating an organization on this concept.
Enterprise Risk Management in Practice
Enterprise Risk Management (ERM) establishes the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment. ERM continues to mature as a process, and organizations are finding many ways to implement practical ideas to continuously improve their risk management capabilities. In this booklet, we profile 11 companies that are operating in different industries and countries to provide ERM ideas in that can be customized to your own organization. In producing the various profiles for this publication, several common themes emerged that demonstrate why and how companies across multiple industries are improving their risk management capabilities.
Enterprise Risk Management Key Performance Indicators
This tool discusses the key components of an enterprise risk management framework, provides questions to help analyze an organization’s risk management processes, and shares leading practices.
Enterprise Risk Management Project Plan
This document is a sample project plan for use during the planning phase of implementing ERM across an organization. It supports a phased implementation approach, detailing tasks, deliverables, and a project timeline.
Enterprise Risk Management Questionnaire
This questionnaire can be used when analyzing an organization’s enterprise risk management strategy, focusing on the internal environment, objective setting, risk identification, risk assessment, risk response, control activities, information and communication, role of the board of directors, role of management, common risk failures, and trading activity.
Enterprise Risk Management: Practical Implementation Advice
Many executives do not know the value proposition of Enterprise Risk Management (ERM). Some may even consider ERM a fad or"flavor of the month," and are just humoring the dialogue, wishing it would go away. What leaves many cold on the subject of ERM is the inability to quickly grasp what it is. This issue of The Bulletin addresses this and other relevant questions.
Entity Level Controls - Control Environment Questionnaire
The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It is the foundation for all other components of internal control, providing discipline and structure. This excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Entity Level Controls - Risk Assessment Questionnaire
Risk assessment is the component of the entity’s internal control that involves identifying and analyzing risks internally and externally. Risk assessment is relevant to achieving business objectives as well as objectives related to the preparation of reliable financial statements. This excel-based template provides a number of COSO elements and the related control objectives for entity level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management’s action plan for deficiencies. The Entity-Wide Objectives and Manage Change sections have been updated in this questionnaire.
Entity Level Internal Audit Methodology
The entity level business process audit methodology focuses on understanding and analyzing the business. This understanding is primarily used to identify the target processes and risks during the audit planning process. Tools are provided to help with each phase is the process.
ERM Concepts, Process and Objectives – Guide
This presentation defines risk management (what it is, and what it is not). It also outlines a five-part risk management framework: Establish the Context, Identify Risks, Analyze Risks, Evaluate Risks, Treat Risks.
ERM Summary Approach – Guide
Identifying, understanding and evaluating the organization’s most significant risk areas will set the foundation for a robust ERM program. This guide outlines an approach to building ERM capabilities that includes the following components: planning, facilitated risk discussion, risk analysis, external verification, management review and gap assessment.
Establishing and Nurturing an Effective Risk Culture
This white paper focuses on risk culture because it is a topic in which regulators have a keen interest. Organizational learning is supportive of an effective risk culture that in turn is supportive of effective risk management. Supported by empirical research, this whitepaper explores such topics as the attributes of successful learning organizations, the importance of risk culture in financial services, challenges in making risk culture actionable, success factors for an effective risk culture, physical and behavioral characteristics of risk culture, a process for strengthening risk culture, and how the CRO can facilitate the development of an effective risk culture.
Executive Perspectives on Top Risks for 2014
In this report, we review the top risks on the minds of global boards of directors and executives for 2014 from the findings of Protiviti and North Carolina State University’s Enterprise Risk management (ERM) Initiative.
Executive Perspectives on Top Risks for 2015
This report focuses on the top risks on the minds of global boards of directors and executives in 2015.
Executive Perspectives on Top Risks for 2016 Podcast
In this podcast, North Carolina State University’s Mark Beasley and Protiviti’s Jim DeLoach discuss key findings from the Executive Perspectives on Top Risks for 2016 study.
Executive Perspectives on Top Risks for 2016
This report from Protiviti and North Carolina State University’s ERM Initiative contains results from our fourth annual risk survey of directors and executives to obtain their views on the extent to which a broad collection of risks are likely to affect their organizations over the next year.
External Complaints Management and Dispute Resolution Policy
This policy is based on the ISO Standards for handling complaints, with some sections on negotiation, mediation and arbitration resolution techniques that are used before litigation. The author of this policy asserts that complaints management is an integral part of Enterprise Risk Management.
Facilitating SOA Compliance Using Committees
Following the release of Sarbanes-Oxley and new SEC regulations, many organizations have created a "Disclosure Committee" and a"Section 404 Committee." This guide discusses the duties, composition, structure and interrelationships of these committees and suggests some general rules to follow.
Facing Change With Confidence
Facing change with confidence is the name of the game in a rapidly changing business environment for any enterprise, whether public, private or nonprofit. Change is inevitable and necessary because if organizations fail to improve their products, services, processes and capabilities continuously, they will ultimately encounter serious performance gaps relative to more adaptive competitors. Change provides both opportunities to enhance and threats to impair enterprise value. Facing change with confidence means accelerating the decision-making process regarding actions to address recognized performance issues, market opportunities and emerging risks. This issue discusses the what, why, when and how underlying"facing change with confidence."
Financial Close Optimization: Five Steps for Identifying and Resolving Systems and Process Inefficiencies
A recent survey by the Institute of Management Accountants found that financial closing is one of the key challenges accounting and finance organizations face. More than half of the survey's respondents said that streamlining the financial close process could help improve their team’s productivity, but making improvements to the financial close isn’t easy. This white paper outlines five steps to improve the financial close process.
Financial Ratio Analysis Guide
This guide describes several types of ratios and calculations that can be used in conjunction with Ratio Analytical Techniques.
Finding the Right Chief Risk Officer
In this issue of Board Perspectives: Risk Oversight, we argue what qualifications a company should look for when evaluating CRO candidates.
Five Risk Categories for Focusing Risk Oversight
As the board of directors organizes itself for risk oversight, the question arises as to whether it should adopt its own risk language to ensure it is covering all bases. While each board must decide for itself whether a risk language is useful given the nature of the enterprise’s operations, in this issue of Board Perspectives: Risk Oversight we explore five risk categories that directors may want to consider during the risk oversight process. The broad categories recommended by The National Association of Corporate Directors apply to every company, regardless of its industry and strategy.
Five Risk Oversight Questions Directors Should Ask
As the business environment changes, risk profiles change and business models are exposed to disruption. Corporate strategies and risk management capabilities must keep pace in response to these changes. There are many questions directors can ask risk management about an organization’s risks as they discharge their risk oversight responsibilities. To keep up in this dynamic environment, we offer five questions for boards to consider as they take a fresh look at their risk oversight agenda for 2014 in this issue of Board Perspectives: Risk Oversight.
Focus on the"Tone of the Organization"
“Tone at the top" is a term often used to describe how an organization’s leadership creates an environment that fosters ethical and responsible business behavior. While leaders communicate the company’s vision, mission, core values and commitment to ethical behavior, what really drives the culture and resonates with employees is what they see and hear every day from their supervisors. While tone at the top is important and a vital foundation, is it enough? This issue of Board Perspectives: Risk Oversight explains why it is essential that the tone at the top be translated into an effective "tone in the middle" before it can reach the rest of the organization.
Focusing the Board’s Risk Oversight on What Matters
Many companies have adopted a risk language or taxonomy to facilitate an ongoing dialogue regarding their risks. With respect to board risk oversight, the question arises as to whether directors should adopt their own risk language to ensure they are covering the bases and focusing the oversight process. If the board of directors is mired in the minutiae of risk management, the oversight process lacks the necessary focus to be effective. While each board must decide for itself whether such a language is useful given the nature of the enterprise’s operations, we explore five risk categories directors may want to consider in this issue of Board Perspectives: Risk Oversight.
Formulating an Initial Risk Appetite Statement
A risk appetite statement establishes a common understanding between executive management and the board of directors, regarding desirable risks underlying the execution of the enterprise’s strategy. Every company has an appetite for risk, whether it chooses to acknowledge it explicitly or not. When defining risk appetite, we suggest companies begin with understanding their historical risk-taking characteristics and then frame their risk appetite in the context of their strategies and business models. In this issue of Board Perspectives: Risk Oversight, we advise what to include when formulating assertions to include in a risk appetite statement.
Four Foundational Elements of Risk Management
When discussing how to improve the value contributed by risk management, we often are asked,"Where do we start?" At the heart of this question is the desire for a simple and practical point of view that makes sense in practice. While there is no one size that fits all solution, there are four foundational elements of risk management to consider. These elements are intended to be flexible in application, which is essential because risk profiles vary in complexity across industries. In this issue of Board Perspectives: Risk Oversight, we examine the four elements that define what executives should assess when evaluating the role and effectiveness of risk management.
Four Things to Know Before Your IPO
The IPO appeal is immense, but what companies don’t know about the process can drive an offering off the rails in a hurry. These tips could help companies avoid common missteps.
From Pandemics to Drones to Planning for Resource Scarcity
Protiviti evaluates emerging risks from macro-level trends according to the five global risk categories established by the World Economic Forum.
Gaining Traction With Enterprise Risk Management
Issue 49 of Board Perspectives: Risk Oversight
provides seven design principles that will help overcome ERM implementation challenges.
Global Compliance Questionnaire
This questionnaire will act as the starting point for assessing the level of compliance in areas such as: corporate governance; quality systems; anti-fraud programs; business ethics; business continuity; and health, safety and environmental management.
Global Cross Governance Council at General Mills Facilitates Collaboration and Supports a Shared Mission
General Mills’ products, which include Gold Medal flour, Pillsbury, Green Giant and Betty Crocker, have been household names for decades. The Global Internal Audit (GIA) team at General Mills’ primary purpose is to provide assurance to senior management and the board of directors that the company’s internal control over financial reporting, IT and business operations are operating efficiently. In this profile, Cathy Harris, VP of GIA, outlines the benefits to collaborating across the organization. GIA strives to add value through selective risk advisory projects, typically focused on emerging operational or strategic risks. GIA has a collaborative relationship with the company’s director of internal controls, who reports to the corporate controller and assumes a coordinating role for the company’s enterprise risk management steering committee. Harris is a member of that steering committee, which provides assurance that risks are effectively managed.
Global Instability, Cybersecurity on the Minds of Manufacturing and Distribution Industry Executives
In this article, Sharon Lindstrom, Protiviti managing director, outlines top concerns for manufacturing and distribution industry executives.
Going Beyond Assurance
This article looks beyond the traditional role of assurance to explore ways internal audit departments can effectively serve as strategic advisers to the board of directors.
Governance, Risk and Compliance Platform Considerations
In this article, we will provide background and an overview of GRC technology.
GRC Platforms: Harmonization or Hegemony?
This article addresses an important question—should companies be investing in a single platform to develop a more aggregated picture, or are there more significant benefits to using multiple custom point solutions to support GRC efforts?
Guide to Business Continuity Management FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Business Continuity Management FAQ.
Guide to Business Continuity Management
Business Continuity Management (BCM) is a management process that provides protection or alternative modes of operation for those activities or business processes which might bring about a significant loss to the enterprise if they were interrupted. Many companies never fully consider potential threats to their business until the damage has been done - during such times, business can come to a standstill. Many of the aforementioned risks are evolving and present growing business continuity and disaster recovery challenges for businesses, particularly with regard to maintaining critical IT systems and processes. In this booklet, our intention is to help companies evaluate and manage these risks through a comprehensive set of recovery and operational plans.
Guide to Mergers and Acquisitions FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Mergers and Acquisitions, which provides a starting point for answering the core questions identified in mergers and acquisitions – from due diligence to the integration of people, processes and technology, supported by key project and change management enablers.
Guide to Mergers and Acquisitions
As global competition continues to intensify, investors and boards of directors are demanding more top-line growth as a way to increase shareholder value. Many are pursuing this growth in revenues and earnings through mergers and acquisitions (M&A), which are some of the more challenging endeavors a company can undertake. M&A transactions are like assembling a complex puzzle with thousands of unique pieces. In this booklet, we provide a starting point for answering the core questions identified in M&A deals – from due diligence to the integration of people, processes and technology, supported by key project and change management enablers. It’s designed to serve as a resource that executives and managers can consult to utilize the lessons learned and improve the odds of achieving the targeted values of proposed transactions.
Guide to Public Company Transformation
The objective of this Guide to Public Company Transformation is to help organizations focus on what they should have in place from a governance, technology and business transformation perspective to prepare successfully for an IPO. This guidance is designed to serve as a convenient and user-friendly resource that executives and managers at pre-public and post-IPO companies can consult to help achieve readiness.
Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404
This booklet is designed to help answer questions about the sections of SOX pertaining to public reporting; this information will assist Section 404 project sponsors, leaders and team members. We have provided responses and points of view based on our experience that we hope will assist companies as they document, evaluate and improve their internal control over financial reporting, and as they continue to enhance their executive certification process. We have also held discussions from time-to-time with both the SEC and PCAOB staff to understand their views on key points and confirm our interpretations in certain areas.
Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404, which considers the SEC’s interpretive guidance to management and incorporates the PCAOB’s major revisions to Auditing Standard No. 2.
Guide to Enterprise Risk Management FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Enterprise Risk Management FAQ
, which addresses some of the most commonly asked questions with respect to ERM and offers ideas, suggestions and insights to executives responsible for ERM implementation.
Guide to Enterprise Risk Management
In today’s challenging global economy, business opportunities and risks are constantly changing. There is a need for identifying, assessing, managing and monitoring an organization’s business opportunities and risks. The concept of enterprise risk management (ERM) helps to redefine the value proposition of risk management by elevating its focus from the tactical to strategic level. ERM is about designing and implementing capabilities for managing the risks that matter. Many are asking questions about the value proposition of ERM and practical steps on how to implement it. This booklet addresses over 160 questions relating to some of the most commonly asked questions with respect to ERM. It offers ideas, suggestions and insights to executives responsible for ERM implementation.
Helping Organizations Face Future Uncertainty Confidently
This issue of Board Perspectives explores the attributes of confidence that executives and directors can use to assess and advance their organization’s ability to apply a set of behaviors that enable sustainable competitive advantage.
Hot Topics in Cybersecurity: An IT Audit Perspective
In this article, we review the hot topics in cybersecurity. All organizations—regardless of size—should review and discuss the following points.
How COSO Frameworks Improve Organizational Performance and Governance
Since their inception, COSO’s Enterprise Risk Management — Integrated Framework and Internal Control — Integrated Framework (the COSO frameworks) were intended to provide guidance for management on how to implement and evaluate effective enterprise risk management (ERM) and internal control processes, leading to the improvement of management and governance processes. When applied effectively, the frameworks’ concepts contribute to the end result of improving organizational performance and governance in significant ways. The COSO frameworks use a common language for risk-focused communications, enabling directors, executive management, and internal and external stakeholders to communicate more effectively regarding risk, risk management and internal control. This booklet illustrates how the enterprise risk management (ERM) framework and the new internal control framework can enhance organizational performance, governance, strategy setting and management processes.
How Mature Are Our Risk Management Capabilities?
You have likely been asked or heard the question,"How mature is our risk management?" We hear it often as well. The presumption is that the more mature a process, the more effective it is. But what does that really mean? How does the concept of maturity apply to risk management? Effective enterprise risk management enables timely responses to the risks that matter most. This issue of Board Perspectives: Risk Oversight, outlines the five levels of a capability maturity framework (CMF): the initial state, the repeatable state, the defined state, the managed state, and the optimizing state.
How Risk Appetite Should Impact Behavior
A risk appetite statement is a reminder to management and the board of directors about the core risk strategy rising from the strategy-setting process. A winning strategy emphasizes the areas in which the company excels in comparison to its competitors. There are three elements that make up a risk appetite statement: risks that are acceptable or on-strategy, risks that are undesirable or off-strategy, and important strategic, financial and operational risk parameters. Together, these elements frame the organization’s risk appetite. In this issue of Board Perspectives: Risk Oversight, we address how a risk appetite statement should be used.
Identifying Emerging Risks
Emerging risks are newly developing risks that cannot yet be fully assessed, but that could affect the viability of an organization’s strategy in the future. Effective risk management requires identifying emerging risks. Too often, risk assessments shuffle"known knowns" around on a risk or heat map, leaving executives and directors asking,"Can you tell me something I don’t know?" In this issue of Board Perspectives: Risk Oversight, we discuss how to identify emerging risks which may affect the long-term viability of an organization’s strategy.
Identifying Emerging Risks: A Long-Term Perspective
The business environment continues to change – and with it, the landscape of opportunities and risks that companies face. Part of the challenge when assessing this landscape is looking far enough into the future. Companies and their boards of directors should be thinking about the implications of longer-term trends that reach beyond the planning horizons considered by management during the strategy-setting and risk assessment processes. Is your organization thinking sufficiently long term? This issue of Board Perspectives: Risk Oversight, discusses the World Economic Forum’s (WEF) annual update on global risks, and considers whether risk assessment processes use a time or planning horizon that looks out far enough into the future.
Identity and Access Management and the Extended Enterprise
Organizations must enter the current brave new world with care. As identity access management decisions and controls are extended further from the core of the enterprise, organizations must implement a rigorous governance regimen to mitigate security and privacy risks.
Improving Utilities’ Operational Efficiency with SAP HANA Advanced Analytics
SAP’s recent technological innovation, Enterprise HANA, offers exciting new opportunities for utility companies who are under substantial margin pressure due to growing capital expenditures, borrowing costs and regulatory controls on pricing for electric and gas services.
Improving Working Capital Management Processes
There are three fundamental building blocks of effective cash management that must be tightly linked to maximize cash flow benefits: working capital optimization, cash flow forecasting and liquidity management. In this issue of The Bulletin, we focus on elements of working capital optimization, the first building block.
Information Asset Classification Guide
The purpose of the information asset classification process is to ensure assets are identified, properly classified and protected throughout their lifecycles. The five phased approach to classification involves: management education, implementation strategy, employee education, implementation and maintenance.
Information Technology Security and Assurance (Sample Syllabus)
This graduate course covers information security, control, and assurance procedures related to business processes and information technology (IT).
Information Technology Risk Management, Security & Audit (Sample Syllabus)
This course is designed to examine the critical business issues, technological infrastructure, and contemporary foundations of information technology risk management, security and assurance, including the principles on which managerial strategy can be formulated and technical solutions can be selected.
Integrating Risk With Business Planning
In a business plan, it is critical to define the inherent soft spots, loss drivers and incongruities that could dramatically affect performance and execution. The budgeting and forecasting processes supporting the business plan also must be effective in managing risks. Two important risks to consider are ensuring the plan itself can be delivered according to expectations, and ensuring the company won’t run out of money as it delivers the plan. While strategy-setting defines an enterprise’s overall strategic direction, differentiating capabilities and required infrastructure, the business plan lays out how the company intends to execute the strategy during an annual period or the operating cycle. This issue of Board Perspectives: Risk Oversight illustrates how risk should be integrated into the annual business planning process.
Intellectual Property Risk Key Performance Indicators
This document outlines core risks and key performance indicators related to intellectual property, including creative works that have economic value and are protected by law.
Internal Audit and IT's Role in Mergers and Acquisitions
This guide illustrates how the internal audit function can improve the quality of risk management throughout the M&A process by conducting due diligence and providing expertise in business process integration, and how IT departments play an increasingly larger role in the long-term success or failure of the global M&A activity.
Internal Audit and Risk Management: The Basics
This page contains a list of links to KnowledgeLeader publications and tools that will assist a new professional in understanding and getting started in a career in internal audit and risk management.
Internal Audit Embraces Role of Change Agent in National University of Singapore’s Vision to be a World-Class Teaching and Research University
The National University of Singapore (NUS) is the oldest and largest higher-learning institution in Singapore. NUS brought in a new internal audit team as part of its process to transform from a government agency into a corporatized nonprofit organization. In this profile, Audrey Han, Chief Audit Officer, discusses how the audit team has played the role of a change agent to help build up the university’s governance and control environment. To prepare for this new role, extensive research into the education industry was carried out to gather knowledge so the team could conduct audits effectively, and add value and offer best practice recommendations as NUS transitions into a research-intensive university with an international student population.
Internal Audit Priorities for 2014
Internal audit efforts must be risk-based and contribute to the long-term assurance needs of the organization and its board. A formal audit risk assessment should be completed at least annually and the results of that assessment should direct internal audit priorities. Fall is an excellent time to refocus one’s sights on the long-term horizon. Certainly, each organization will have different goals, objectives, issues and challenges; no single"standard" long-term internal audit plan will work. In this article, we outline 12 top priorities for internal audit departments to consider when evaluating their organizations’ internal audit efforts.
Internal Audit Strategic Focus Questionnaire
This questionnaire explores internal audit’s strategic contributions and what management and boards should expect from audit going forward.
Internal Audit Risk Assessment Questionnaire: Sample 2
This internal audit risk assessment questionnaire seeks management's input regarding the actual, inherent and perceived risks for the organization.
Internal Audit’s Performance – Raising the Bar
The internal audit function’s position within a company is unique; internal audit’s continuous improvement to its own practices is implicit in executing high-profile duties.
This summary presents an overview of the role of the Internal Audit department to the Board of Directors. It informs the Board about the definition of internal audit and internal control, and briefly describes what auditors do and who is involved in the work. This example also includes a brief overview of the projects on which the audit department intends to focus.
Internal Auditing Around the World: Volume 10
In this booklet, we share accounts from some of the world’s leading organizations’ internal audit executives that show the evolution of their function during the past decade, in addition to weighing in on what the future may hold for the internal audit profession.
Internal Auditing Around the World: Volume 11
This volume of Internal Auditing Around the World uncovers how internal audit departments, along with their organizations, are in the midst of significant change and transformation—a period of reinvention. They must rise to the call to become more of a strategic partner to the business—a role many internal audit teams have been actively working to achieve for years—while not compromising their independence and objectivity.
Internal Auditing Around the World: Volume 7
Enterprise risk management (ERM) guidance is more critical than ever for business success today. Amid perceived risk management failures in the wake of the recent global financial crisis and its lingering consequences, increasing regulatory scrutiny, and growing technology risks, boards are mandating that ERM be a high priority in their organizations. One major benefit of effective ERM is being able to reassure both internal and external stakeholders that critical risk management concerns are being addressed. In this booklet, we profile companies that are taking steps to integrate ERM into processes for formulating and executing audit plans. These companies are truly international in the scope and size of their operations to reveal common practices that these organizations employ to make ERM a strategic imperative.
Internal Control Over Financial Reporting -- An Update on Section 404 of Sarbanes-Oxley
The SEC released its final rules in June 2003 regarding Section 404, making time an asset rather than a liability. This issue of The Bulletin addresses these final rules and what they mean.
Internal Controls Over Financial Reporting: Understanding Section 404 of Sarbanes-Oxley
In this issue of The Bulletin, we address in detail Section 404, a provision of SOX that is certain to garner the attention of public company executives.
Internal Controls Sustainability Training Guide
This training presentation focuses on building a sustainable internal control process. This type of process focuses on developing and executing a communication plan, monitoring the business and rule changes, and analyzing for continuous improvement opportunities.
Internet Usage Policy
This sample policy defines the conditions under which an employee, contractor, vendor or other person may access and use the internet via a company’s private network.
Is the Collaborative Economy Reshaping Business?
In a"collaborative economy," people obtain essential goods and services from each other rather than from established brands and businesses. Just as social media enabled peer-to-peer (P2P) sharing of content, the technologies and peer communities underlying the collaborative economy enable P2P sharing of goods, services, transportation, space and money at a speed and scale unimaginable a decade ago. There are well-funded established companies and startups that facilitate the sharing that makes the collaborative economy possible. Like the early days of the Internet and social media, the collaborative economy has its champions and skeptics. In this issue of The Bulletin, we explore why it is a strategic imperative to watch developments with the collaborative economy closely to ascertain whether established business models will be at risk or have an opportunity to enhance the customer experience.
Is Your Company Exposed to the Right Risks?
A company’s strategic direction and its ability to execute on that direction are both fundamental elements of risk-taking. Issue 47 of Board Perspectives: Risk Oversight discusses how companies can determine which risks are good bets to take.
Is Your Competitive Intelligence Providing Early Warning?
Competitive intelligence comprises the actions of defining, gathering, analyzing and distributing intelligence about innovation, customers, competitors, government actions, and any other aspects of the marketplace to enable more effective decision-making. In its truest form, it’s an ethical and essential function that involves collecting and analyzing often public but little-noticed information with an objective of"connecting the dots" to uncover insights that may provide a source of competitive advantage. Effectively aligned with strategy-setting, competitive intelligence can help companies decipher the early signs of opportunity or trouble before they become obvious to everyone else. In this issue of Board Perspectives: Risk Oversight, we look at why companies should use competitive intelligence as an enterprise value protection tool.
Is Your Finance Function World-Class?
The finance function is a strategic one because it helps drive organizations to higher levels of performance by delivering information that enables key strategic decisions to be made. A good finance function is about much more than accurate financial reporting. A good audit of the finance function is about much more than that, too.
Is Your Organization an Early Mover? The Bulletin, Volume 4, Issue 7
An"early mover" is a firm that quickly recognizes a unique opportunity or risk and uses that knowledge to evaluate its options either before anyone else or along with other firms that also recognize the significance of what’s developing; they seize the initiative to either capitalize on the opportunity or reduce the risk. Early movers have the advantage of time, which brings with it more options for decision-making before market shifts invalidate critical assumptions underlying their strategy. Failing to attain"early-mover status," as we’ve defined it, can be fatal in today’s complex business environment.
ISO 9000 Certification Policy
The following sample provides an outline of the policies and procedures that an organization must undertake in order to achieve ISO 9000 certification.
IT Application Control Deficiency Decision Process Questionnaire
This questionnaire serves as a guide in determining the severity of control application deficiencies cited during the SOX control testing process. The results of this process are used to determine potential significant deficiencies/material weaknesses. Topics in this questionnaire assist management in assessing IT application controls.
IT Automated Controls Policy
This sample policy outlines the internal control testing processes and the testing frequency of automated controls at a company.
IT Process Questionnaire: Change Management
The purpose of this IT process questionnaire is to ensure that all changes to IT resources and infrastructure configurations are carried out in a planned and authorized manner. It involves distinct processes both for managing change requests and also for deploying those changes throughout the enterprise.
IT Security and Privacy Survey Webinar Highlights
One in three organizations falls victim to a cyberattack. If your organization is not keeping pace with the threats, then you are falling behind.
IT Selection and Integration Risk Questionnaire
IT integration is a process in which separately produced components or subsystems are combined and problems in their interactions are addressed. Proper selection and integration of hardware and software is essential to achieve the desired benefits and mitigate the associated risks. This questionnaire addresses strategies for managing IT selection and integration risks.
IT System Access and Re-Certification Policy
This sample This sample establishes the standards and procedures for maintaining proper system access security at a company.
IT Enterprise Change Management Policy
The enterprise change management process provides the structure to consistently manage IT assets. This policy focuses on effectively mitigating the risks to system availability, integrity of data, and the interoperability of the organization’s information resources.
IT Risk Assessment: The Big Picture
Most, if not all, business transactions executed today touch the information technology (IT) environment at some point in their lifecycle. As organizations plan for the next calendar year, it’s logical to regard the IT risk assessment as a critical component that should be reviewed through the internal audit function.
IT Risk Management in the Banking Sector
Key IT risks currently threatening the banking industry, including data theft, hacking, state-sponsored attacks, emerging technologies and phishing threats, are discussed in detail in this 19-page guide.
It’s That Time of Year: The 2016 Audit Committee Agenda
Jim DeLoach recaps Protiviti’s ten Mandates for Audit Committees in 2016.
Key Questions to Consider for the Risk Appetite Dialogue
Issue 48 of Board Perspectives: Risk Oversight considers three elements of a risk appetite statement: risks that are acceptable or on-strategy; risks that are undesirable or off-strategy; and strategic, financial and operational risk parameters.
Knowing What You Don’t Know
If the financial crisis has but a single lesson, it is this: what we don’t know can be more important than what we do know. This raises the ultimate rhetorical question,"Do we know what we don’t know?" The reality of today’s environment is that management and the board can never be certain that they know everything they need to know. Nonetheless, this issue of Board Perspectives: Risk Oversight suggests eight steps executives and directors can take to manage uncertainty.
Maintaining Margins While Staying Vigilant
Finance functions were historically busy last year. Whether or not these workloads are leveling off, finance functions cannot afford to back off. In the coming year, between maintaining margins, forecasting cash flow, complying with new regulations and combatting cyberthreats, finance functions will have much to monitor on their radars and need to be incredibly vigilant. The results of the 2016 Finance Priorities Survey from the Financial Executives Research Foundation and Protiviti indicate that CFOs and finance professionals remain alert to intensifying volatility while continuing to address a large and growing set of priorities.
Maintaining Margins While Staying Vigilant
Survey results indicate that CFOs and finance professionals remain alert to intensifying volatility on the radar while continuing to address a large and growing set of priorities.
Making the Value Case for Enterprise Risk Management
Few terms in the business lexicon are causing more confusion than enterprise risk management. As a result, only a small number of business leaders have a good understanding of ERM's value proposition. This article aims to help organizations reduce miscommunication around ERM and provides a five-step guideline for ERM implementation.
Making Your Risk Assessments Count: A Strategic Perspective
Every organization should ask the following question,"Do we devote enough attention to thinking about what we don’t know by focusing on our strategy and the external environment?" An indicator of the quality of the risk assessment process is the extent to which it fosters the sharing of new insights among the company’s executives and directors. Understanding risks and how they are managed used to be the threshold for most companies. Today risk management must also instill greater confidence in the board of directors that the corporate strategy can be executed successfully, and the business plan and performance goals achieved. In this issue of The Bulletin, we look at why traditional approaches to risk assessment aren’t meeting expectations, and what can be done differently to increase management’s confidence in the process going forward.
Making Your Risk Assessments Count: An Operational and a Compliance Perspective
Traditional assessment approaches often do not address the unique characteristics of the risks a company faces. While using a common analytical framework to evaluate risks with different characteristics may make the assessment process easier to execute, it also may not be as effective as approaches that could provide more insight into how to respond to assessed risks. An enterprise risk management process does not envision that all risks be subject to the same assessment methodology. In this issue of The Bulletin, we suggest that robust approaches applied to different risk categories according to the underlying characteristics of risks are needed to identify the top risks of those categories. We also suggest four reasons why companies find it challenging to move beyond a risk assessment to actionable steps that could be incorporated into a business plan.
Manage Service RCM
This document outlines risks and controls common to the "manage service" process in a risk and control matrix (RCM) format.
Managing Corruption Risk Involving Foreign Officials and Avoiding Its Impact on Reputation
Civil and criminal fines stemming from anti-corruption noncompliance can be costly. Firms that paid bribes to foreign officials have been subjected to criminal and civil enforcement actions, resulting in large fines, as well as suspension and debarment from federal procurement contracting. In addition, reputation damage due to negative media attention can devastate the bottom line and impair shareholder value. To avoid these consequences, many firms have implemented detailed compliance programs intended to prevent, deter and detect improper payments by employees and agents. It is critical for management to ensure that a robust anti-corruption compliance program, including anti-corruption controls, is in place. This issue of The Bulletin briefs on how to manage corruption risk and uses the FCPA as a framework for this discussion.
Managing Corruption Risk
Consequences of corruption violations include criminal and civil enforcement actions, profit disgorgements, mega fines, and suspensions from government contracting, jail terms for employees and reputation-damaging headlines. To avoid these consequences, firms should consider an anti-corruption program intended to prevent, deter and detect improper payments by employees and agents. Companies should establish risk-based policies and procedures that provide reasonable assurance the organization and its agents are adhering to the provisions of applicable anti-corruption laws, and implementing adequate systems of internal controls. This issue of Board Perspectives: Risk Oversight shares how a robust anti-corruption program can save companies from the expensive consequences of corruption violations.
Managing Country Risk
The primary objective of managing country risk is to protect company investments in foreign markets and sustain acceptable investment returns. This issue of Board Perspectives: Risk Oversight provides some points for multinational companies to consider when faced with high-risk situations.
Managing Cyber Threats With Confidence
The realities of risk management are that risks are impossible to eliminate, resources are finite, and risk profiles are ever-changing. Such is the case with cyber threats. Cybersecurity attacks continue to be the focus of front-page media coverage and remain a highly relevant topic in the boardroom. Cutting across strategy, risk management, change management and access control, information security is concerned with confidentiality, integrity and availability of information systems. This issue of Board Perspectives: Risk Oversight, articulates why it’s important to focus on protecting an organization’s most important information assets and systems, by understanding the changing threat landscape and preparing for the inevitable incidents.
Managing Outsourcing and Offshoring Risk – Questionnaire
As companies focus on managing their operations in a difficult economic environment, they seek to become leaner and more focused, efficient and effective. This document focuses on questions for board members and management to consider when managing risks related to outsourcing or offshoring business activities.
Managing Outsourcing and Offshoring Risk
Outsourcing is subcontracting a process to a third-party company. The decision to outsource is often made in the interest of reducing firm costs, redirecting focus on the competencies of a particular business, or making more efficient use of HR, IT and other resources. As companies focus on managing their operations in a difficult economic environment, they seek to become leaner and more focused, efficient and effective. Outsourcing and offshoring initiatives can help an organization fine-tune its business model to become more resilient and profitable. However when outsourced functions and processes have financial reporting implications, public reporting risks may arise. This issue of The Bulletin explores the advantages, disadvantages and risks associated with outsourcing and offshoring, and how the risks can be managed when decisions are made to outsource and/or offshore business activities.
Managing Reputation Risk
From a risk oversight standpoint, crisis management is an integral component of effective reputation management. Rapid and effective response to sudden, unexpected events can enhance reputation. Effective identification and management of risk can reveal major threats to reputation and ensure they are reduced to an acceptable level. While reputation is hard to define in terms of exactly what it is, everyone agrees it’s important and recognizes a reputation that has been damaged beyond repair. In this issue of Board Perspectives: Risk Oversight, we explain how a company’s reputation management is inextricably linked to its risk management and crisis management.
Managing Supply Chain Disruption Risk
Supply strategies are complex by nature; there are many instances where a single-source supply strategy is the right business decision even when alternative options exist. Management’s decisions to decrease inventory levels, rely on a single-source strategic supplier, and adopt just-in-time manufacturing and delivery techniques involve trade-offs in which quality, time and cost considerations often win out over business continuity considerations. Supply chain disruptions are a reminder that these trade-offs are not without risk. This issue of Board Perspectives: Risk Oversight provides key considerations regarding supply chain disruption risk and how to manage it.
Measure Organizational Performance Key Performance Indicators (KPIs)
This benchmarking tool focuses on the key performance indicators (KPIs) for measuring organizational performance.
Measuring the Success of Enterprise Risk Management
Often, we hear the question many consider to be the Holy Grail in risk management,"How do we measure the value of enterprise risk management (ERM)?" This is a deceptively simple question for which there is no simple answer. How do we measure the success of ERM, or risk management in general, when there are so many forces at work that shape the future and the organization’s ultimate success or failure over time? If management makes good decisions, how do we know whether the decision would have been different had the entity’s ERM process not been in place? In this issue of Board Perspectives: Risk Oversight, we study 10 measures of success directly related to risk management that companies can use. While they don’t necessarily answer the Holy Grail question directly, they do provide useful insights on the contribution of ERM to an organization’s success.
New ORSA Requirement Set to Raise Expectations of Risk Management
In this article, we outline the key areas to focus on when weaving the ORSA framework into the fabric of an organization’s current operations, infrastructure and governance structure.
Organizational Alignment Risk Key Performance Indicators (KPIs)
This tool explains the meaning of organizational alignment risk, outlines business risks and management practices related to organizational alignment, and provides questions to consider.
Organizing for Risk Oversight
“Risk oversight" describes the board of director’s role in the risk management process. Effective risk oversight determines that the company has in place a robust process for identifying, prioritizing, sourcing, managing and monitoring its critical risks, and that this process is improved continuously as the business environment changes. Risk oversight is a high priority for today’s boards of directors. This issue of Board Perspectives: Risk Oversight provides suggested questions that boards may consider, as appropriate to the entity's operations, as they seek to clarify their risk oversight responsibilities.
ORSA: Getting Ready for the 2015 Summary Report
The Own Risk Solvency Assessment (ORSA) Summary Report will bring significant changes to the way U.S. insurers conduct, report and govern risk management. Protiviti's latest white paper covers the ORSA process and its associated challenges in order to help you prepare for the first 2015 filing.
Outsourcing in Investment Banking
This guide provides a detailed overview of the outsourcing process for banks, focusing on what to outsource, what not to outsource, and considerations for selecting a vendor. It also discusses key drivers, such as cost reduction and increased flexibility.
Overcoming Bias in Risk Management
With respect to risk management, bias has always existed and always will. It is not unusual to find evidence of groupthink, dominant personalities, overreliance on numbers, disregard of contrary information, disproportionate weighting of recent events, and tendencies toward risk avoidance or risk-taking in any organization. Suppressing dissenting viewpoints, ignoring creative thinking and isolating the organization from outside influences are sure ways for executive management to lose touch with business realities. In this issue of Board Perspectives: Risk Oversight, we examine how to overcome bias in risk management; it’s all about improving risk/reward decision-making processes continuously so that alternative views are expressed and considered.
Positioning Compliance for Effectiveness
We often receive questions regarding the proper positioning of compliance in an organization. The debate frequently centers on addressing to whom compliance reports. Unfortunately, this line of inquiry does not focus on the fundamental issue of roles and responsibilities. An understanding of these roles provides a powerful context for evaluating how to position the compliance function within the organization. Positioning the compliance function for effectiveness is a matter of first defining the roles executive management and the board of directors want the function to play. In this issue of Board Perspectives: Risk Oversight, we explore the different views regarding the responsibilities expected of the compliance function and their implications to positioning compliance.
Positioning the CRO for Success
When it is appropriate for a chief risk officer (CRO) or an equivalent senior risk executive to be in place, the board of directors, management, and the company’s shareholders all have a stake in that executive’s success. This is the time for the organization to consider a fundamental question,"Is that executive, as well as risk management in general, positioned to be successful within the organization?" Like all C-suite executives, the CRO has a difficult job. To be effective, he or she must have a prominent and meaningful voice in the C-level dialogue. Poor positioning of the CRO leads to a risk management failure. This issue of Board Perspectives: Risk Oversight reviews the elements that enable the CRO to be successful.
Preparing for a Black Swan
In a business context, a"black swan" is a high-impact, hard-to-predict and rare event that is beyond the realm of normal expectations in history, science, finance and technology. The nature of a black swan is that it represents an event or combination of events that impact the business in a significant manner. Since we can’t can predict the future, how do we gain an understanding of what we don’t know? In this issue of Board Perspectives: Risk Oversight, we discuss an approach which uses the most critical assumptions underlying the strategy as a context for understanding, preparing for and managing risks related to a black swan.
PreView: Protiviti's View on Emerging Risks, March 2016
Emerging risks may be difficult to identify. Hence, comprehensive risk management options to assess, quantify, monitor and develop response plans are challenging for organizations to design and implement. As more organizations continue to evolve risk governance practices, focused and relevant information about emerging risks is at a premium. In this issue of the PreView, we take a second look at topics we discussed previously, to help organizations understand how these issues have progressed and anticipate their potential ramifications. We revisit the ongoing troubles caused by municipal financial instability, the possibilities created by the unstoppable growth of Big Data, the opportunities that mobile banking offers to previously marginalized consumers, and the evolvement of, and key risks connected with, social media lending.
PreView: Protiviti's View on Emerging Risks, July 2016
In this PreView newsletter, we focus on emerging risk topics such as viral outbreaks, drone technology, natural resources, blockchain technology and autonomous vehicles.
Price Administration Policy
This sample outlines a set of policies and procedures for establishing guidelines related to price administration, including price set-up, price maintenance and review, and the timely update of prices.
Principles for Improving Board Risk Reporting
This issue of Board Perspectives discusses six principles for delivering the focused risk reporting the board needs.
Privacy: Our Next Organizational Challenge?
Even as information privacy and protection objectives grow more critical and complex, they are also increasingly subject to scrutiny by both internal and external auditors. This article explains how management and internal/external audit can get more involved in the process of protecting sensitive and personal data.
Process Alignment Risk Key Performance Indicators
This tool discusses the meaning of process alignment risk, the process alignment in value chains, business risks related to process alignment, management best practices and performance measures, and shares questions to consider.
Process Classification Scheme (PCS)
The Process Classification Scheme (PCS) is a framework used by Protiviti that can be utilized to organize information about a company according to relevant business and/or industry processes.
Process Level Internal Audit Methodology
Once a process has been identified for an audit or review, this methodology provides guidance and tools for the phases to be performed during the review process. Process level reviews should focus on business risks and on improving process performance. This tool addresses The IIA Standards, information technology, and fraud.
Procurement and Accounts Payable: Segregation of Duties Questionnaire
This is a segregation of duties overview, matrix, and questionnaire for the procurement and accounts payable process. It will assist internal auditors in identifying individuals who may be performing incompatible duties that could lead to a circumvention of internal controls.
Procurement Power-Up: Building an Internal"Brand"
This article explores best practices in procurement brand building.
Product Development Audit Work Program
This sample product development audit program includes risk analysis, special and operational considerations, and evaluation components for an audit review.
Program Management Office Transformation: Selecting the Right Enterprise-Level Tools to Unlock Strategic Value
Establishing an effective enterprise PMO is a collaborative process combining people, processes and technology to advance carefully considered goals and objectives.
Project Management Office Guide
A project management office (PMO) can help organizations create effective control and oversight of projects and integrate them into overall business outcomes. This guide provides detailed information on the key elements, benefits, best practices, and steps for building an efficient PMO.
Project Management Risk Key Performance Indicators
Project management is a decision-making and strategic risk. It is defined as the application of knowledge, skills, tools, and techniques to project activities in order to meet or exceed stakeholder needs and expectations from a project. This document includes questions to consider and performance measurements related to project management risk.
Protecting Enterprise Value Through Your Anti-Fraud Program – Questionnaire
A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting tangible and intangible enterprise value and preserving the reliability of public reporting. This document focuses on key questions for board members and management when evaluating the anti-fraud program.
Protecting Enterprise Value Through Your Anti-Fraud Program
Simply stated, an anti-fraud program is a group of policies and procedures, backed by senior management, which fosters ethical and responsible business behavior. A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting enterprise value and preserving the reliability of public reporting. With the audit committee providing oversight, management is tasked with establishing, validating and monitoring effective internal controls to quickly prevent, deter and detect fraud. What is an anti-fraud program? Why is it important? How should companies evaluate their anti-fraud program? In this issue of The Bulletin, we will answer these and other questions. We will also provide observations and recommendations for management and audit committees to consider when evaluating their anti-fraud program.
Protiviti's Sarbanes-Oxley Section 404 Compliance Initiatives Methodology
Protiviti has developed a phased approach to the execution of Sarbanes-Oxley Section 404 compliance. The approach is facilitated by project management, knowledge sharing, communication and continuous improvement. It applies the COSO Internal Control – Integrated Framework by taking both an entity-level and a process-level view of the business. This document provides a high level overview of Protiviti’s approach.
Recognizing Emerging Risks
Effective risk management requires understanding more about what we don’t know than what we do know. In particular, effective risk management must recognize when new risks are emerging. Too often, risk assessments plot the usual"known knowns" on yet another risk map, leaving executives and directors underwhelmed because the process doesn’t really tell new information and leaves little insight about what to do next. It’s essential for boards to be able to discuss the"unthinkables". In this issue of Board Perspectives: Risk Oversight, we introduce effective techniques for identifying emerging risks and how management can apply those techniques to update the board of director’s risk oversight process.
Recommendations from Protiviti’s Board Risk Oversight Survey
In the prior issue, we provided insights into the areas where the risk oversight process could be improved. These insights were based on the results of a comprehensive survey we conducted of more than 200 directors regarding the current state of board risk oversight. Sponsored by the Committee of Sponsoring Organizations (COSO), this survey provides a basis for boards to examine how they can improve their risk oversight process. Boards may want to consider the recommendations in view of the nature and complexity of their organizations’ operations and risks, as well as the current state of their risk oversight processes. In this issue of Board Perspectives: Risk Oversight, we take the additional step of listing some recommendations based on the insights from the survey.
Reducing the Risk of Rogue Trading
“Tone at the top" is vital to managing the use of financial derivatives, as dysfunctional behavior can undermine established policies and controls, creating organizational"blind spots" that can lead to inappropriate risk-taking. Effective internal control design, including segregation of authorization, execution and settlement activities, is the first line of defense against unauthorized trading or speculation. Significant losses are an excellent example of what can happen when the trading of financial derivatives goes awry. This issue of Board Perspectives: Risk Oversight focuses on tone at the top, effective internal controls, and provides seven important questions for boards and senior executives to consider about organization’s use of financial instruments.
Research and Development Expense Policy
Research and development expense includes the conceptual formulation, design and testing of product alternatives, construction of prototypes and operation of pilot plants. This policy addresses how to account for these costs.
Retail Industry Risks Guide
This guide describes the risks associated with the retail industry, including finance and operational, IT, and safety risks.
Risk Appetite: Is Your Entire Organization Engaged?
For companies that have grasped the concept of an evolving risk appetite statement, driving the risk appetite statement through the organization by translating it into clear, understandable guidelines and metrics for business units and operations personnel is turning out to be a formidable challenge.
Risk Assessment Audit Work Program
This sample audit work program assesses and validates key controls in place for the risk assessment component of the COSO framework.
Risk Assessment Facilitated Session Results Matrix - Sample
This template will help capture the results of a risk assessment facilitated session. It allows leaders of these sessions to document their final results in an organized format.
Risk Assessment Map and Guide
This risk assessment sample helps to identify and document critical business processes.
Risk Assessment Process - Facilitation Tips
This guide provides tips and tricks to be used when facilitating a risk assessment workshop. These tips are organized to guide you through the high-level phases of a risk assessment discussion and provide insight into the facilitator’s role for this process.
Risk Assessment Survey Template - Sample
The goal of Enterprise Risk Management is to identify, evaluate and manage key risks impacting an organization’s ability to achieve its objectives and strategies. This document provides a template to inventory and assess critical risk areas (business functions) and the associated risks embedded within each area. The results can be used to help develop an Internal Audit Plan. The results may also be included in the Risk Assessment Report provided to the Audit Committee.
Risk Assessment Workshop Presentation - Sample
The purpose of this presentation is to facilitate a risk assessment workshop. It explains to workshop participants the objectives and ground rules, how to identify key risks, and how to plot significance and likelihood on a risk map.
Risk Culture Assessment Questionnaire
This tool focuses on topics that can help shape and support an effective risk culture.
Risk Management Oversight Committee Charter
The purpose of the risk management oversight committee is to monitor the organization’s risk environment and provide direction for the activities to mitigate, to an acceptable level, the risks that may adversely affect the company’s ability to achieve its goals. This charter serves as an example document outlining this committee’s various responsibilities, including: identifying and prioritizing business risks, evaluating the effectiveness of risk mitigation activities, ensuring that gaps in effectiveness are addressed for high-priority risks, and improving ERM infrastructure.
Risk Management Policy
This sample outlines a set of policies and procedures for a common and systematic approach for managing risk across a company.
Risk Management Policy: Sample 2
This policy outlines a structured process to evaluate, manage and mitigate business expansion risk.
Risk Management: A Look Back and a Look Forward
On January 28, 1986, the space shuttle Challenger broke apart 73 seconds into its flight, leading to the tragic deaths of its crew members. Since then, the paradigm of risk management shifted from reactive to proactive. Taxonomies, frameworks, methodologies and tools have evolved over time to meet this need to manage risk proactively. While we are more confident today, we still face the realization that we are not truly able to answer an imperative proactive question,"Will we be riskier tomorrow than we are today?" In this issue of The Bulletin, we will look back 25 years on how risk management has evolved and some of the lessons we can draw from the past. We also take a look forward 25 years and envision how risk management is likely to shape itself in the future.
Risk Oversight and Risk Management Questionnaire
Risk oversight and risk management are high priorities on the agenda of most organizations. The purpose of this questionnaire is to help boards and management think about how they can develop a deeper knowledge of the risk oversight and risk management processes, understanding both the current state and desired future state.
Risk Oversight: A Board Imperative
Included in the inaugural edition of Board Perspectives: Risk Oversight
are questions board members should ask of executive management regarding the organization’s risk management processes. In this newsletter as well as future editions, we intend to explore the right questions without suggesting standard"cookie cutter" answers. Sample questions in this edition include: Is there a robust process in place for identifying, prioritizing, sourcing, managing and monitoring the enterprise’s critical risks in a changing operating environment? Do we understand the risks inherent in the corporate strategy? Is there a sufficient understanding of the significant assumptions underlying the strategy and is a process in place to monitor for changes in the environment that could alter those assumptions?
SAP HANA: Bringing Business Warehouse Home
SAP has released a new product called SAP HANA—a high-performance, in-memory data warehousing platform offered in addition to SAP BW. This new platform, combined with other upgraded HANA modeling capabilities, enables better integration and vastly improves performance.
Sarbanes-Oxley Section 404: Compliance Plan – Sample
This sample document establishes a framework and standard policy for compliance with Section 404 of the Sarbanes-Oxley Act.
Senior Vice President, Chief Risk Officer Job Description
This job description outlines the responsibilities and qualifications for the senior vice president, chief risk officer. The role provides oversight and direction for the management of all risks across an organization’s business segments.
Sensitive Data Handling Policy
The purpose of this policy is to ensure that all sensitively classified data is properly handled whether being transmitted within the organization or to a trusted third party.
Setting the 2006 Audit Committee Agenda
Much has happened since 2003 when the SEC adopted rules mandated by The Sarbanes-Oxley Act of 2002 (SOX) that, among other things, expanded and formalized the responsibilities of audit committees. Rather than focus on history, this issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider during the coming year.
Setting the 2008 Audit Committee Agenda
Audit committees have another crowded agenda over the next year. Many aspects of the audit committee charter continue to require ongoing attention, including the myriad of committee activities around the rules issued by the U.S. Securities and Exchange Commission (SEC) and the listing standards promulgated by the exchange to which the company is subject. Obviously, audit committees must continue to address these important requirements, as they provide the minimum standards by which they operate. This issue of The Bulletin provides observations and ideas for boards of directors and their audit committees regarding matters they should consider during the coming year. The agenda items we have listed are significant matters warranting audit committee attention and we believe that the committee can play an important oversight role in addressing these items.
Setting the 2011 Audit Committee Agenda
This issue of The Bulletin provides observations for consideration by boards of directors and their audit committees as 2011 unfolds.
Setting the 2014 Audit Committee Agenda
The profile of macroeconomic, strategic and operational risks continues to evolve in terms of significance and complexity for many organizations. The risks companies face in today’s global business environment create uncertainty for executive management and the board of directors. Given the uncertainties of the environment, this issue of The Bulletin offers observations and ideas for consideration by boards of directors and their audit committees when setting the 2014 agenda. We present 10 major challenges many companies will face over the next 12 months and summarize an agenda that is broken down into enterprise process and technology risk issues and financial reporting issues.
Setting the 2015 Audit Committee Agenda
Audit committees continue to face crowded agendas and increasing complexity as we look forward into 2015. Many audit committees retain responsibility for making inquiries regarding the company’s risk assessment process and risk management capabilities. The risk assessment process should consider a variety of existing risks and address the adequacy of risk management capabilities. Based on our interactions with client audit committees, roundtables we’ve conducted, and discussions with directors at conferences and other forums, we have developed an agenda with 10 items for audit committees to consider for the coming year. In this issue of The Bulletin, we detail the 10 items in our proposed agenda relating to enterprise, process, technology, and financial reporting issues.
Setting the 2016 Audit Committee Agenda
Interesting challenges are in store for audit committees in the coming year and in this issue of The Bulletin, we deliver the top risk issues warranting consideration by audit committees for inclusion on the 2016 agenda.
Shaping the 2013 Risk Oversight Agenda
Changing markets and circumstances spawn new risks, alter risk profiles and reduce the effectiveness of established risk management capabilities. The risk oversight agenda should take such changes into account. This issue of Board Perspectives: Risk Oversight poses 10 questions for boards to consider as reminders as they evaluate their risk oversight agenda for 2013.
Should the Board Have a Separate Risk Committee?
Given that there is no one-size-fits-all solution for risk and the risk management function, how risk is governed varies across industries and organizations. A fundamental role of the board of directors in discharging its risk oversight responsibilities is to ensure the success of the independent risk management function. Has the board articulated its risk oversight objectives and evaluated the effectiveness of its processes in achieving those objectives? There are five interrelated principles that underlie effective risk management within all organizations, in both good times and bad. In this issue of Board Perspectives: Risk Oversight, we discuss these five fundamental principles to attaining risk management success.
Should the Board Have a Separate Risk Committee?
The full board should retain overall responsibility for risk oversight; mirroring its overall responsibility for strategy. Except where there are statutory requirements, the board of directors has the flexibility to organize itself in a manner that makes sense considering its company’s size, structure, complexity, culture and risk profile, as well as the board’s size, composition and structure. To enhance effectiveness, efficiency and to address specific regulatory requirements, risk oversight responsibilities can be allocated to various standing committees in keeping with the specific risks appropriate to each committee’s responsibilities. In this issue of Board Perspectives: Risk Oversight, we weigh the pros and cons for establishing a separate board risk committee and discuss appropriate roles for the potential risk committee of the board.
Six Elements of Infrastructure for ERM
The Six Elements of Infrastructure is a useful tool for categorizing issues, understanding where problems are occurring within an organization, and drawing conclusions to form the basis for recommendations. This example of the Six Elements focuses on key aspects to build strong enterprise risk management infrastructure.
Software Acquisition, Implementation and Maintenance: Application Development and Implementation Policy
The purpose of this sample policy is to control application development and to ensure that application development is efficient, cost-effective, and aligned with the IT strategic plan.
Sooner or Later, Your Fundamentals Will Change
Disruptive change presents remarkable opportunities to take a business to another level. Conversely, it can be a sign of the beginning of the end if a timely reaction doesn’t follow. Whichever side of the change curve management and the board of directors find themselves, disruptive change itself cannot be taken lightly. In business environments exposed to disruptive change, adaptive processes are needed to alter underlying assumptions quickly to reflect the newly changed circumstances. This issue of Board Perspectives: Risk Oversight, looks at why the ability to recognize the vital signs of change and act on them decisively is essential to the business.
Staying Engaged in the Risk Oversight Process
Most bystanders would agree that risk oversight entails more than just looking at a risk assessment once a year. Depending on the nature of the business and its risks, the board of directors should regularly self-evaluate its risk oversight process. How does the board remain engaged with its risk oversight responsibilities over time? In this issue of Board Perspectives: Risk Oversight, we illustrate how the board can remain engaged with the risk oversight process beyond reviewing the results of an annual risk assessment.
Strengthening Governance Through Risk Management
Boards of directors and management know that the price of surprise is steep and should work together on an effective plan for managing risk. This issue of The Bulletin provides five comprehensive recommendations for strengthening governance through improved risk management.
Strengthening Your Risk Culture
Risk culture is the glue that binds all elements of risk management infrastructure together. It reflects the shared values, goals, practices and reinforcement mechanisms that embed risk into an organization’s decision-making processes and risk management into its operations. However, risk culture is an enigma in many organizations. We agree it is important when someone asserts its significance − even though we may not be sure exactly what it is or what to do about it if it requires improvement. This issue of Board Perspectives: Risk Oversight looks at how the use of self-assessment techniques, internal surveys, focus groups and other methods can help an organization understand its current risk culture state.
Supply Chain Risk Questionnaire
The appropriate risk assessment approach applied to operational risks suggests the need for an end-to-end, extended enterprise view of the value chain, looking upstream to supplier relationships as well as downstream to channels. This document offers several questions to consider when evaluating supply chain risk.
Survey Results Provide Baseline for Board Risk Oversight
In 2010, Protiviti conducted a survey of more than 200 directors regarding the current state of board risk oversight. Sponsored by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), this survey provides insight as to how the risk oversight process could be improved. In assessing the overall results of the survey, we found there are mixed signals about the effectiveness of board risk oversight across organizations. While some directors believe their boards are performing Risk Oversight responsibilities diligently and achieving a high level of effectiveness, a strong majority indicate that their boards are not formally executing mature and robust risk oversight processes. This issue of Board Perspectives: Risk Oversight summarizes the results of this comprehensive survey.
This questionnaire analyzes an organization's strengths, weakness opportunities and threats.
Taking the Best Route to Managing Fraud and Corruption Risks
Given the dynamic nature of white-collar crime and fraud, it isn’t surprising that the Yates Memo is only the latest in a series of catalysts that prompted Protiviti and the Economic Crime and Justice Studies Department at Utica College to conduct a comprehensive survey of white-collar crime and the fraud risk management frameworks used to combat them. In this report, we detail notable findings that emerged from our survey.
Technology Change Management Audit Report
This report discusses the results of a technology change management (TCM) process audit. The document offers insight into of the company’s TCM practices and strategies, and identifies strengths and improvement opportunities.
Technology Change Management Policy
This document provides the structure for ensuring that technological changes are consistently and properly recorded, assessed, authorized, tested, and released efficiently while effectively mitigating the risks to system availability, integrity of data, and the interoperability of the organization’s information resources.
Technology Leaders Worry That Their Companies May Be Too Resistant to Change
This article by Gordon Tucker, Protiviti Managing Director, looks at technology leaders’ concern that resistance to change in their companies could stand in the way of necessary adjustments to their business models.
Technology, Privacy and Cybersecurity Among Top Risks for Healthcare
This article by Susan Haseley, Protiviti managing director, outlines the responses of healthcare survey participants from the Executive Perspectives on Top Risks for 2016 survey.
Ten Common Risk Management Failures and How to Avoid Them
In this issue of The Bulletin, we explore 10 common risk management mistakes and how they can be avoided.
Ten Keys to Managing Reputation Risk
According to Warren Buffett, it takes 20 years to build a reputation and five minutes to ruin it. With today’s electronic media, the news cycle reporting on the downward spiral of a once-proud organization that has suffered severe reputation impairment is not a pleasant one to watch. Applied to a business, reputation represents an interpretation or perception of an organization’s trustworthiness or integrity. While the truth ultimately prevails long term, reputation can be based on false perceptions in the near term. In this issue of The Bulletin, we explore 10 essential keys for managing reputation risk. Through strategic and cultural alignment, a commitment to quality, a strong operational focus and increased resiliency, companies can lay the foundation for building and sustaining a strong reputation.
Ten Lessons in Integrating Risk Management with Strategy
In recent years, much has been learned about the importance of integrating risk into strategy-setting. This integration theme is vital because if it is ignored, risk becomes an afterthought to strategy and an appendage to performance management. Aligning governance, risk management and internal control processes toward striking the appropriate balance is curtail. In this issue of The Bulletin, we share 10 lessons for executives and directors to keep in mind when integrating risk into the process of formulating and executing strategy. Every organization and industry is different, so there is no one-size-fits-all approach in terms of applying these lessons for integrating risk with strategy. However, they provide insights to executive management responsible for an organization’s strategic thinking and execution processes and to directors when providing strategic and Risk Oversight.
Ten Principles for Risk Oversight Revisited
While risk oversight has always been an important part of the board’s agenda, the disruptive financial crisis taught everyone a lesson about just how important it is. The risk oversight playbook has evolved over recent years. This issue of Board Perspectives: Risk Oversight revisits 10 timeless principles that boards can use to evaluate their risk oversight process as it stands today. Directors should use these 10 principles to assess their board’s risk oversight process to ascertain whether the process needs redirection.
Ten Questions the Board Should Ask
Rising shareholder activism is driving increased expectations for governance oversight, including risk oversight. The speed and complexity of business continue to increase and technological advances continue to grow. Regulatory demands continue to expand, workforce dynamics continue to evolve. All of these trends drive new risks, alter risk profiles and expose business models to disruptive change. Given the dynamic environment, each board should take a fresh look at its risk oversight agenda. In this issue of Board Perspectives: Risk Oversight, we review 10 key questions for boards to consider as they plan their 2012 risk oversight agendas.
Ten Ways Risk Oversight Can Fail
Risk oversight is a top-of-mind issue for boards today because of the dramatic failures associated with the financial crisis, and the unanswered questions around what directors might have done to thwart it. Many believe directors in the financial services industry, for example, must do more to avoid another crisis. Has the board of directors articulated its risk oversight objectives and evaluated the effectiveness of its risk oversight processes in achieving these objectives? This issue of Board Perspectives: Risk Oversight reviews 10 causes that can contribute to failure of the board’s risk oversight process.
Ten Risk Oversight Principles
This issue of Board Perspectives: Risk Oversight provides an overview of 10 key principles that will assist boards in strengthening their risk oversight.
Termination of Benefits Liability Policy
This policy establishes guidelines for appropriate recognition of a liability relating to employee termination benefits and other related costs.
The Board’s Role in Overseeing Acquisitions
As companies spend more than $2 trillion every year on acquisitions, many studies peg the rate of failure of these transactions in fulfilling expectations somewhere between 70 and 90 percent. Such performance is unacceptable in just about any endeavor. However, over time old lessons in mergers and acquisitions (M&A) failures continue to be relearned by many companies. The question arises as to the board of director’s risk oversight role in overseeing the process of screening, selecting and pursuing M&A candidates, closing M&A transactions, and integrating merged and acquired entities, with emphasis on reducing risk in M&A activity. This issue of Board Perspectives: Risk Oversight analyzes the board's risk oversight role from an acquiring company's perspective.
The Bulletin Newsletters
The Bulletin is a periodic newsletter from Protiviti offering detailed insights on corporate governance and related risk management issues, including key processes impacted by the Sarbanes-Oxley Act.
The Changing Face of Internal Audit at Estée Lauder
Estée Lauder Companies, founded in 1946 in New York, is a global leader in makeup, skin care, fragrance and hair care products. Estée Lauder products are sold in more than 135 countries and territories around the world. Its internal control team focuses on risk assessment, operational and compliance reviews, Sarbanes-Oxley testing and compliance, and managing internal talent to ensure the function is at peak performance in the midst of ongoing change and evolution throughout the company. In this profile, Bob Tyler, Corporate VP and Chief Internal Control Officer, discusses the importance of internal audit taking initiative. Tyler believes internal audit has to proactively put many of its services in front of business owners for them to see the value add, and leverage internal audit. The challenge is motivating business units to ask for internal audit services rather than fixing things themselves and keeping internal audit in the dark.
The Current State of Board Risk Oversight
To develop deeper knowledge of the risk oversight process, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned Protiviti to conduct a survey regarding the risk oversight responsibilities of the board of directors and how those responsibilities are being performed. This issue of The Bulletin highlights the findings and recommendations of that survey.
The Death of the Tick Mark, Birth of the Rockstar Internal Auditor
This article explains why eradicating the tick mark and what it symbolizes is just the first step in making groundbreaking progress toward transformation for internal auditors.
The Dollars and Sense of Procurement’s Real Value
This white paper focuses on the savings and value calculations, documentation, and communications—along with six related, value-driving practices—that procurement departments should consider deploying to build a credible reputation and internal brand for driving value.
The Evolving Risk Landscape
The business environment continues to change and with it the risk landscape that companies face. In early 2011, the World Economic Forum (WEF) published its update on Global Risks. The report’s objective is to improve public and private sector efforts to map, monitor and manage global risks, all of which cross national boundaries. WEF organizes some 50 risks in five categories: economic, environmental, geopolitical, societal and technological. Presented as five separate landscapes mapping risks based on severity of impact and likelihood of occurrence over the next 10 years, the report examined in this issue of Board Perspectives: Risk Oversight provides a useful longer-term view.
The Five Lines of Defense: A Shareholder’s Perspective
It goes without saying that organizations exist to create enterprise value. As the board of directors focuses its attention on Risk Oversight, there are many questions to consider, including how the organization safeguards against breakdowns in risk management and compliance management. When executive management ignores warning signs posted by the risk management function, fails to address critical compliance requirements when considering a new product or service, or resists contrarian information suggesting the corporate strategy is not working, the board must step up. In this issue of Board Perspectives: Risk Oversight, we look at how an effectively designed and implemented lines-of-defense framework can provide strong safeguards against these breakdowns.
The Future Auditor Revisited
This issue of The Bulletin provides an update on the future auditor and its implications to internal audit’s value proposition.
The Importance of Tone at the Top to Risk Management
This issue of Board Perspectives: Risk Oversight reviews 10 key indicators that collectively provide red flags that potential issues may exist within an organization.
The Most Important Risks for 2014
Changing markets and circumstances are spawning new risks, altering risk profiles and reducing the effectiveness of established risk management capabilities. The profile of macroeconomic, strategic and operational risks continues to evolve in terms of significance and complexity for many organizations. As companies compete in the global business environment, these risks create uncertainty for their executive management and boards of directors. This issue of Board Perspectives: Risk Oversight summarizes the major business challenges identified by nearly 400 C-level executive respondents in a Protiviti and North Carolina State University ERM Initiative survey, and provides a context for many of the top-of-mind risks and uncertainties companies are facing as they move forward into 2014.
The Most Important Risks for 2015
Protiviti partnered with North Carolina State University’s Enterprise Risk Management (ERM) Initiative to conduct our third-annual Executive Perspectives on Top Risks Survey of C-level executives regarding the macroeconomic, strategic and operational risks their organizations face. In this issue of Board Perspectives: Risk Oversight, we outline the top 10 risks for 2015 which reflect some marked differences compared to 2014. We also provide insight as to what’s on the minds of senior executives and directors. The board of directors may want to consider these risks in evaluating its risk oversight focus for the year.
The Most Important Risks for 2016
This issue of Board Perspectives summarizes the top risks for 2016 as identified by North Carolina State University’s ERM Initiative and Protiviti’s latest survey of C-level executives and directors regarding the macroeconomic, strategic and operational risks their organizations face.
The Enterprise Risk Assessment Process Questionnaire
This questionnaire addresses key issues that boards and management should consider as they evaluate their confidence in the organization’s enterprise risk assessment process.
The Enterprise Risk Assessment Process
An enterprise risk assessment (ERA) is a systematic and forward-looking analysis of the impact and likelihood of potential future events on the achievement of an organization’s business objectives within a stated time horizon. An effective enterprise risk assessment process lays the foundation for management to respond with confidence to the question,"What are our most critical risks?" It also instills confidence in the board of directors that management has a basis for answering the question. In this issue of Board Perspectives: Risk Oversight, we take a deep dive into the key considerations to take when engaging in the enterprise risk assessment process.
The Risk Appetite Dialogue
Risk appetite is the mutual understanding between management and the board of directors regarding the drivers of, and parameters around, opportunity-seeking behavior. It is a high-level view of how much performance variability the entity is willing to accept. Risk oversight begins with understanding the risk appetite; successful organizations must take risk to create value. The question is, how much risk should they take? This issue of Board Perspectives: Risk Oversight defines risk appetite and reviews ways in which the board and management should discuss it on an ongoing basis.
To Manage Disruption, Understand Strategic Assumptions
When it comes to managing the risk of disruption to the business model, what executive management and the board of directors don’t know can harm the organization. A recent study determined that strategic risks showed the largest year-over-year increase for 2014, compared to macroeconomic and operational risks. Risks are strategic when they could potentially affect the validity of an organization’s plans to pursue growth opportunities. In this issue of Board Perspectives: Risk Oversight, we discuss why management should identify and consider the key assumptions underlying the drivers that shape the organization’s strategy. Similarly, the board should review and constructively challenge those assumptions when evaluating the strategy.
Top Priorities for Internal Audit in a Changing Environment
In response to new challenges, changes and expectations within the business environment, internal audit (IA) has emerged as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Effective IA functions help organizations accomplish their business objectives by bringing a disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes. Drawing from The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing and experience with leading internal audit functions, Protiviti recommends 10 strategic priorities for every public and private organization to employ in its IA function in this booklet.
Top Priorities for Internal Audit in Financial Services Organizations
This white paper focuses on the outlook of internal audit leaders within the financial services industry.
Top Risks 2016 Webinar Follow-Up: Jim DeLoach on Changes in Risk, Technology and Culture Challenges
This article addresses topics such as: operational risks are trending higher than strategic risks, concern over economic risk, and an uptick in the perceived global risk environment.
Top Risks in 2015: Are You Asking the Right Questions?
Companies need useful information to stay abreast, if not ahead, of critical issues looming on the horizon and to prepare for potential opportunities and adverse scenarios. Top issues? Regulatory scrutiny, economic uncertainty, and cyberthreats—not a great surprise.
Top Risks in 2015: Webinar Takeaways with Mark S. Beasley
This article analyzes the trends behind shifting priorities for executives with one particular trend calling for attention: creating an organizational culture capable of effectively responding to the escalating speed of change and risk is key.
Transaction Authority Risk Key Performance Indicators (KPIs)
This tool explains the meaning of transaction authority risk and transaction authenticity, outlines business risks related to transaction authority, and shares management practices and questions to consider.
Transformational Change at AMP Limited Requires Internal Audit to Focus on What Really Matters
AMP Limited (AMP) is a leading financial services company in Australia and New Zealand providing superannuation, investment, insurance, banking products and financial advice to customers across the globe. Since AMP merged with AXA Asia Pacific Holdings (AXA) in 2011, AMP has been focused on reshaping the organization to become more customer-centric, contemporary, agile and efficient. In this profile, David Barry, Director of Internal Audit, discusses how this period of transformational change has had an impact on the internal audit function. AMP’s internal audit team now assesses not only the control environment, but also management’s awareness of risk. This approach allows the internal audit function to assess whether there is a clear link between business performance and risk management.
Unlocking the Value of Enterprise Risk Management in the Public Sector
Enterprise risk management (ERM) has demonstrated its value in the private sector, producing successful organizations that follow an effective process to minimize risks and achieve desired outcomes. It should come as no surprise, then, that the federal government has taken a heightened interest in this proven practice, adapting it to public agencies in an effort to better manage risks that tend to hide in complex bureaucracies with limited interdepartmental communication.
Updated COSO ERM Framework: What's New?
This issue of The Bulletin discusses why the COSO ERM Framework needed to be updated and how the focus is now on what is really important in making enterprise risk management work within an organization.
Updated COSO Internal Control Framework: Frequently Asked Questions
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), an organization providing thought leadership and guidance on internal control, enterprise risk management and fraud deterrence, has released its long-awaited updated Internal Control – Integrated Framework (New Framework). The original version, released by COSO in 1992, has gained broad acceptance and continues to be recognized as a leading resource to provide guidance on the design and evaluation of internal control. The New Framework issued by COSO is an important development, as it enables organizations to develop systems of internal control effectively and efficiently. It In this issue of The Bulletin, we address various questions regarding the New Framework, including the reasons why it was updated, what has changed, the process for transitioning to its use, and steps companies should take now.
Virtual Reality Check: Managing the Internet of Things
The increased interconnection of mobile and sensory devices is expected to usher in a new era of automation, smart objects and data sources—the possibilities are almost limitless as the Internet of Things reshapes the Internet of tomorrow.
Virus Awareness Policy: Employee Responsibilities
This policy highlights an employee's responsibility with regard to keeping their workstation virus free. The document describes tasks that an employee should undertake on a routine basis to identify and remove infected files.
What It Means to Face Future Uncertainty Confidently
This issue of The Bulletin discusses the attributes of confidence that executives and directors can use to assess and advance their organizations’ ability to apply a set of behaviors that enables sustainable competitive advantage.
What Lens Do You Use to Evaluate Your Governance Efforts?
There has been much debate about principles-based versus rules-based governance. To improve governance practices, it is absolutely vital to consider the different perspectives of the various stakeholders in good governance.
Working Capital Management: A Tool for Optimizing Costs and Reducing Risk
In 2011, APQC and Protiviti released a report showcasing how organizations have developed effective strategies and processes to reduce working capital requirements and optimize cash used to fund operations. The report highlights the exceptional performance and approaches around working capital management of three companies, and provides specific examples of four broad categories of best practices in action. This issue of Board Perspectives: Risk Oversight focuses on aspects of the first building block on why companies should also use competitive intelligence as an enterprise value protection tool.