KnowledgeLeader provides best practice articles, tools, guides and other resources on the audit committee and board of directors. This page contains some examples of the many resources and tools on the audit committee and board of directors that are available for download. The tools are provided in downloadable versions, so they can be customized for use in your organization.
2016 Audit Committee Agenda Webinar Q&A (Part 1)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience, and many interesting and relevant questions were asked. In this first article of a four-part series, Jim DeLoach and David Brand take turns answering some of the questions that couldn't be addressed live due to time.
2016 Audit Committee Agenda Webinar Q&A (Part 2)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience, and many interesting and relevant questions were asked. In this second article of a four-part series, Jim DeLoach and David Brand take turns answering some of the questions that couldn't be addressed live due to time.
2016 Audit Committee Agenda Webinar Q&A (Part 3)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience, and many interesting and relevant questions were asked. In this third article of a four-part series, Jim DeLoach and David Brand take turns answering some of the questions that couldn't be addressed live due to time.
2016 Audit Committee Agenda Webinar Q&A (Part 4)
Protiviti’s January 7 webinar, The 2016 Audit Committee Agenda, drew a large and diverse audience, and many interesting and relevant questions were asked. In this final article of a four-part series, Jim DeLoach answers some of the questions that couldn't be addressed live due to time.
A Value-Based Approach to Risk Oversight
Every chief executive officer (CEO) pursues opportunities and takes risks in the pursuit of building enterprise value; it’s what the CEO’s board expects. At the same time, those risks must be well managed. For risk management and internal control to function when crucial decision-making moments or changing circumstances arise, directors and executive management must be committed to making them work. Can the risk management process itself contribute value? In this issue of Board Perspectives: Risk Oversight, we examine two perspectives on a value-based approach to the board’s risk oversight: strategic and proprietary.
Accounting for Revenue Recognition: A New Era
A new revenue recognition standard has been issued by the Financial Accounting Standards Board (FASB). Developed in collaboration with the International Accounting Standards Board (IASB), the standard’s overall objective is to achieve one comprehensive, principles-based revenue recognition model that replaces the myriad existing industry-specific guidance. The joint effort of the FASB and the IASB aligns U.S. generally accepted accounting principles (GAAP) with international accounting standards. The transition process for implementing the new revenue recognition standard requires careful attention by management and stakeholders. In this issue of The Bulletin, we discuss several important topics relating to the FASB’s new revenue recognition standard, including the latest implementation timetable, potential accounting and reporting changes, industry implications, an approach for getting started, and a transition road map.
Accounts Receivable/Credit & Collections Audit Work Program
This work program explains the audit steps that should be followed while evaluating a company’s compliance with corporate policies, procedures and known best practices in relation to accounts receivable and credit and collections.
Integrating Section 404 and Section 302 Compliance Questionnaire
For most companies, the administrative burden encountered during the first year of Section 404 compliance warranted a fresh look at the overall compliance process. This questionnaire focuses on strategies for integrating compliance activities around Sections 404 and 302 of the Sarbanes-Oxley Act of 2002 with the objective of achieving a sustainable internal control structure.
Applying the Five Lines of Defense in Managing Risk
Many lessons were learned from the financial crisis. For example, if a chief executive ignores the warning signs posed by risk management, resists contrarian information suggesting the corporate strategy is either not working or losing relevance, or fails to consider critical risks when evaluating whether to enter a new market or consummate a complex acquisition, the stakeholders can end up paying a high price. Essential to effective risk management, the lines-of-defense model is implicit in COSO’s recently issued internal control framework. An effectively designed and implemented “lines-of-defense” framework can provide strong safeguards. In this issue of The Bulletin, we explore five essential lines of defense for managing risk.
2016 Internal Audit Capabilities and Needs Survey
In the 10th year of the Internal Audit Capabilities and Needs Survey, Protiviti believes that internal audit has arrived at a tipping point.
Assessing New Rules Regarding the Personal Obligation of Senior Accounting Officers of Large Companies
In this booklet, we answer common questions regarding Schedule 46 and suggest a roadmap to compliance.
Assessing Risk: A Strategic Perspective
Strategic risks are risks that the business model is not effectively aligned with the strategy, or risks where one or more strategic assumptions lag behind industry realities and the strategy does not reflect the new conditions. Arising from internal process issues and disruptive change in the external business environment, these risks can be lethal because they may not be known to management and the board of directors. Because these risks are not susceptible to precise measurement as operational risks are, the analytical framework applied to them must be more qualitative in nature. This issue of Board Perspectives: Risk Oversight describes how strategic risk analysis can assist senior management with understanding the critical assumptions underlying the strategy and using contrarian analysis to challenge those assumptions.
Asset and Liability Management Policy Review Audit Work Program
This audit work program reviews the policies governing the asset and liability management process. While performing this review, an auditor can determine whether these policies are reviewed on a regular basis and assess the board of directors’ and asset and liability management committee’s oversight of this function within the organization.
Audit Committee Annual Planning Schedule
This sample schedule provides an annual planner for audit committee activities and demonstrates how to schedule and track audit committee activities throughout the year.
Audit Committee Charter Review Checklist
This checklist addresses a variety of topics and acts that often fall within the Audit Committee’s responsibilities. It provides a broad framework and a set of activities that can be undertaken by the Audit Committee to achieve appropriate oversight. This document is intended to only be used as a sample guide to understanding and reviewing the current charter.
Audit Committee Charter: Pre-Approval of Audit and Non-Audit Services
This charter outlines audit committee roles and responsibilities, particularly focusing on the pre-approval of services.
Audit Committee Charter: Sample 1
This sample charter outlines the purpose, composition, meeting procedures, responsibilities and duties, and annual performance evaluation requirements of the audit committee.
Audit Committee Charter: Sample 2
This sample charter outlines the purpose, authorities and responsibilities of the audit committee.
Audit Committee Charter: Sample 3
This sample charter outlines the purpose, structure and operations, responsibilities and duties, and meeting procedures of the audit committee.
Audit Committee Charter: Sample 4
Audit committees assist the board in monitoring the integrity of the financial statements, external auditor qualifications, the performance of the internal audit function and external auditors, and the company’s compliance with regulatory requirements. This charter provides one example.
Audit Committee Charter: Sample 5
Audit committees assist the board in monitoring the integrity of the financial statements, external auditor qualifications, the performance of the internal audit function and external auditors, and the company’s compliance with regulatory requirements. This charter provides another example.
Audit Committee Charter: Sample 6
This sample charter outlines the role, membership procedures, operations, communications/reporting, education requirements, authorities and responsibilities of the audit committee.
Audit Committee Charter: Sample 7
This sample charter outlines the purpose and authority, membership and meeting procedures, and duties and responsibilities of the audit committee.
Audit Committee Charter: Sample 8
This sample charter outlines the purpose, procedures, and oversight responsibilities of the Audit Committee of the Board of Directors.
Audit Committee Questionnaire – Auditor Effectiveness
This questionnaire helps solicit internal audit performance feedback from members of the audit committee. The audit department can use this feedback to continually improve its service to the audit committee and the entire organization.
Audit Committee Report – Sarbanes-Oxley Update
This audit report discusses Sarbanes-Oxley project updates including status of the documentation process, testing results, and opportunities for process improvements.
Audit Committee Report: Annual Audit Plan
This sample audit report outlines the procedures for preparing and reporting an audit plan to the audit committee.
Audit Committee Responsibilities and Key Performance Indicators (KPIs)
The ten areas listed in this document offer an overview of what the most common audit committee responsibilities typically encompass.
Audit Committee Responsibilities Questionnaire
The role of the audit committee has significantly expanded in recent years. This is a sample self-assessment questionnaire for audit committees to use when evaluating the scope of their responsibilities. Topics include: risk management and internal controls, finance and accounting, audit resources and processes, and audit committee performance and operating practices.
Audit Committee Risk Assessment Survey Questionnaire
This questionnaire solicits inputs during an integrated audit risk assessment to direct the current year's audit plan.
Audit Committee Self-Assessment Checklist
This is a sample self-assessment checklist for audit committees to use when evaluating their current involvement in a company’s control environment.
Audit Plan Presentation
This example presentation shows some of the documents that can be included in the presentation of the audit plan to management and the audit committee.
Bank Audit Plan Report
This audit report relays the results of a risk-based audit plan. Internal audit identified auditable areas, performed a risk assessment for each, and assigned a risk rating of high, medium or low.
Board of Directors Authorization Charter
This sample charter determines the objective, authority, communications/reporting and responsibilities of the board of directors.
Board Perspectives: Risk Oversight Newsletters
Board Perspectives: Risk Oversight is a periodic newsletter that offers ongoing commentary about the risk management oversight process for boards of directors. The goal is to provide board members with concise discussions of practical ideas that will help them improve their boards' risk oversight.
Briefing the Board on IT Matters
In today’s environment, many businesses are actually technology businesses because their business models cannot function without technology. We often receive feedback from board members, stating they do not have a sufficient understanding of the IT risks facing their organizations. When directors are briefed on IT matters, do they fully understand the message? In this issue of Board Perspectives: Risk Oversight, we outline three contexts for conducting IT briefings with the board of directors. Each context provides directional insights for the chief information officer and the chief information security officer in organizing delivery of the briefing.
Business Continuity Plan Exercise and Testing Policy
This policy outlines business continuity plan testing guidelines.
Code of Conduct Questionnaire
If there is one constant for success in a rapidly changing global marketplace, it is the immutable bedrock of an unwavering commitment to ethical and responsible business behavior. This document discusses important questions for boards and management to consider when designing and implementing an effective code of ethics.
Communicating Critical Enterprise Risks to the Board
Directors need to consider several categories of risk, particularly the normal ongoing business management risks, emerging risks and critical enterprise risks. Certain risks require directors to have sufficient information in advance to prepare them for discussions with management about the risks and how they are managed. These risks are the ones that threaten the company’s strategy and the viability of its business model. In this issue of Board Perspectives: Risk Oversight, we focus on what we define as the top risks that can threaten a company’s strategy, business model or ongoing viability. These risks should be a significant focal point of the board of directors’ risk oversight agenda.
Compensation Committee Charter: Sample 2
This charter outlines the purpose, authority and responsibilities of a compensation committee, which establishes policies related to the compensation of a company’s officers.
Conducting Enterprise Risk Assessments That Make a Difference
An enterprise risk assessment (ERA) identifies and prioritizes the organization’s risks and provides quality inputs for purposes of formulating effective risk responses, including information about the current state of capabilities around managing the priority risks. Boards of directors and management need an effective ERA process to discharge their responsibilities, especially in today’s rapidly changing environment. A strategy-setting process fueled by an annual risk assessment mitigates potential disconnects in the operating environment and is “best practice” in today’s world. In this issue of The Bulletin, we focus on the vital steps in executing an effective ERA and why integrating these assessments with strategy setting is important. We also explain what an ERA is, outline how it is conducted and suggest how it must be integrated with the strategic choices affecting enterprise value.
This policy outlines the steps a company and its employees should take to maintain a level of confidentiality over all appropriate business information and personnel information. This document also contains an appendix: “10 Principles for the Protection of Personal Information.”
Conflict of Interest (Trust Company) Audit Work Program
This audit work program focuses on the conflict of interest between a trust company and its affiliates. It addresses factors such as employees' access to the company's code of ethics, authorization from the governing trust instrument, disclosure of terms, fees charged, fiduciary accounts, securities transaction agreements, monitoring of soft dollar arrangements, compliance with the safe harbor provision, service agreements, and investments.
Control Environment Audit Work Program
This audit work program focuses on the control environment component of the COSO Framework.
Control Self-Assessment Questionnaire
In complying with the Sarbanes-Oxley Act, it is management’s responsibility to design, adhere to and monitor the significant operating and financial controls of the organization. This short self-assessment questionnaire has been designed to obtain management’s input in order to establish a common understanding of the level of control of an organization or department.
Corporate Aircraft Policy
This policy sample details the administrative and accounting procedures related to corporate aircraft usage.
Corporate Governance Compliance Questionnaire
The objective of this questionnaire is to assist the board and management in assessing the organization’s current corporate governance environment.
Corporate Governance Policy: Relationship With Internal Auditors
This sample policy establishes reporting relationships for the internal auditors of a company.
Corporate Governance Policy: Board Committees
This sample policy sets standards for board committee structures and protocols.
Corporate Audit Department Charter
This sample charter outlines the mission statement, objectives, responsibilities and services of the corporate audit department of a company.
COSO 2013: What Have We Learned?
United States in their efforts to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). As background, the U.S. Securities and Exchange Commission (SEC) requires companies to use a “suitable framework” as a basis for evaluating the effectiveness of internal control over financial reporting (ICFR), as required by Section 404. The COSO Framework meets the SEC’s criteria for suitability. No doubt Section 404 compliance is important, as it relates to maintaining effective ICFR. However, as important as the lessons learned in this critical area are, there are other important lessons that should be of interest to boards as directors consider the relevance of internal control to their risk oversight endeavors.
COSO 2013: Why Should You Care?
The updated COSO Internal Control – Integrated Framework has been out for over a year. Many companies are now using the updated Framework to evaluate their internal control over financial reporting to comply with Section 404 of the Sarbanes-Oxley Act of 2002. The COSO Framework emphasizes the importance of the tone at the top and the board of directors’ responsibility for overseeing the development and performance of internal control. This issue of Board Perspectives: Risk Oversight explores six reasons why the board, or one or more of its committees, should care about the updated Framework and offers pertinent questions for boards to consider.
Credit Rating Analysis of Enterprise Risk Management at Nonfinancial Companies: Are You Ready?
Enterprise risk management (ERM) initiatives have gained strong support from a new source: credit rating analysts. In November 2007, Standard & Poor’s (S&P) issued its Request for Comment: Enterprise Risk Management Analysis for Credit Ratings of Nonfinancial Companies (RFC), reflecting the rating service’s intention to assign scores of ERM quality to all companies it reviews and incorporate an ERM segment into its ratings reports. S&P continues its initiative to assess the ERM quality of all companies it reviews, and plans to eventually score companies to benchmark its opinions on ERM quality as one proxy for its assessment of management. This issue of The Bulletin explores how consideration of ERM quality can impact the ratings process and what nonfinancial companies can do to prepare for this added dimension to the process.
Director of Internal Audit Job Description: Sample 2
This job description provides an overview of the director of internal audit position responsibilities, which include preparing and implementing a risk-based audit plan in order to assess, report on, and recommend improvements to the company’s key operational and finance activities and internal controls.
Disclosure Committee Questionnaire
The purpose of this questionnaire is to ensure that all necessary quarterly financial reporting disclosures are addressed, and any changes to these disclosures are explained by management.
Driving Risk Appetite: A Pragmatic Approach to Implementing a Broad Effective Framework
While driving may connote a top-down approach, here we use it to communicate a successful implementation, or realization, of risk appetite—a combination of a top-down and a bottom-up approach, the goal being an iterative process that combines push and pull.
Earnings-Per-Share (EPS) Policy
This sample establishes uniform policies for correct calculation of earnings-per-share as governed by U.S. Statements of Financial Accounting Standards (SFAS) 123R.
E-Business Risks: Internal Security – Questionnaire for Audit Committees
Internal security, as it relates to eBusiness, is the task associated with minimizing the risk of loss of information and system resources, corruption of data, disruption of access to the data, and unauthorized disclosure of information. This questionnaire can be used to help assess internal security risks in eBusiness.
E-Business Risks: Privacy and Data Protection – Questionnaire for Audit Committees
This questionnaire can be used to help assess privacy and data protection risks in eBusiness.
E-Business: Availability – Questionnaire for Audit Committees
Availability risk is the risk that the people, processes and technology that support critical business functions will not be available for business operations. This questionnaire can be used to help assess availability risk in eBusiness.
Effective Use of Executive Sessions When Overseeing Risk
Executive sessions may be held by independent directors for a number of reasons; depending on the organization’s culture and circumstances, certain issues require more candid, confidential conversations and consequently a more limited audience. Used appropriately, executive sessions can be an important part of a board’s risk oversight process. Our focus in this issue of Board Perspectives: Risk Oversight is on how to use executive sessions as part of the board of directors’ risk oversight process. These meetings present an opportunity for directors to obtain unfiltered input from selected executives, who otherwise might be influenced to couch or hold back their responses to questions in the presence of senior executives.
Electronic Discovery: An Academic Exercise or Your Next Crisis?
Electronic discovery (or e-discovery) refers to the process by which relevant electronically stored information (ESI) is produced when an organization faces legal or regulatory action. This process is important because parties in a lawsuit can now demand from each other word processing documents, e-mails, voice mail and instant messages, blogs, backup tapes and database files. Failure to comply with these electronic production obligations can lead to serious sanctions, sometimes to the tune of millions of dollars, and increased compliance costs. The harsh consequences of non-compliance are growing exponentially. This issue of The Bulletin provides ideas for companies to implement practical approaches in proportion to their litigation risk exposure and ongoing operations that will significantly reduce the cost, burden and time associated with records retention and e-discovery.
Emergency Executive Committee Charter
This charter establishes an EEC and outlines its objective, authority, reporting, and pre-event and post-event responsibilities.
Emerging Risks: Looking Around the Corner
This article summarizes practical principles for recognizing emerging risks.
Ensuring Internal Audit Is Doing What Really Matters
Internal audit has had a long-standing objective of adding value and improving an organization’s operations through a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes. Unfortunately, many internal audit functions fall short of this objective. Chief audit executives and their functions are striving to become more anticipatory, change-oriented and adaptive. This issue of Board Perspectives: Risk Oversight reflects on how the board of directors can maximize the value it receives from internal audit and considers 10 ways the future auditor can contribute value to the organization.
Ensuring Risk Management Success
Given that there is no one-size-fits-all solution for risk and the risk management function, how risk is governed varies across industries and organizations. A fundamental role of the board of directors in discharging its risk oversight responsibilities is to ensure the success of the independent risk management function. Has the board articulated its risk oversight objectives and evaluated the effectiveness of its processes in achieving those objectives? There are five interrelated principles that underlie effective risk management within all organizations, in both good times and bad. In this issue of Board Perspectives: Risk Oversight, we discuss these five fundamental principles to attaining risk management success.
Enterprise Risk Assessment Methodology for Internal Audit Plan Development Guide
This guide presents a detailed approach to enterprise risk assessment methodology for internal audit plan development.
Enterprise Risk Management in Practice
Enterprise Risk Management (ERM) establishes the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment. ERM continues to mature as a process, and organizations are finding many ways to implement practical ideas to continuously improve their risk management capabilities. In this booklet, we profile 11 companies operating in different industries and countries to provide ERM ideas that can be customized to your own organization. In producing the various profiles for this publication, several common themes emerged that demonstrate why and how companies across multiple industries are improving their risk management capabilities.
Enterprise Risk Management Project Plan Guide
This document is a sample project plan for use during the planning phase of implementing ERM across an organization. It supports a phased implementation approach, detailing tasks, deliverables, and a project timeline.
Enterprise Risk Management Questionnaire
This questionnaire can be used when analyzing an organization’s enterprise risk management strategy, focusing on the internal environment, objective setting, risk identification, risk assessment, risk response, control activities, information and communication, role of the board of directors, role of management, common risk failures, and trading activity.
Entity-Level Controls Environment Questionnaire
This questionnaire template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire, you can document whether the control exists, whether it was designed properly, related test procedures, and management's action plan for deficiencies.
Entity-Level Controls Monitoring Questionnaire
Monitoring is a process that assesses the quality of the entity's internal control performance over time. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists, whether it was designed properly, related test procedures, and management's action plan for deficiencies.
Entity-Level Controls Fraud Questionnaire
Fraud prevention is essential to set the right tone for an effective internal control framework. This Excel-based template links the COSO components to a number of control objectives for entity-level fraud controls. Within the questionnaire you can document items such as whether the control exists, whether it was designed properly, related test procedures, and management's action plan for deficiencies.
Entity-Level Controls Memo
This memo outlines a process for reviewing entity-level controls.
Entity-Level Controls Audit Work Program
This sample audit work program evaluates the entity-level controls in an organization, specifically focusing on the control environment, risk assessment, information and communication, control activities, and monitoring.
Entity-Level Fraud Risk Assessment Process Report
This sample report provides an overview of the process one company undertook to satisfy the requirements of evaluating fraud risks that pertain to internal control over financial reporting.
Request for Proposal: Establishing an Internal Audit Function
This sample request for proposal (RFP) is used to solicit services to establish an internal audit function. It discusses the standard information providers should include in their proposals.
Etihad Airways Quells Conflict, Quantifies Internal Audit Value by Tracking Revenue Enhancements and Cost Improvements
Etihad Airways (Etihad) is the national airline of the United Arab Emirates (UAE). During its first decade, it grew to more than US$6 billion in revenue and is now the second-largest carrier in the UAE. Etihad’s team of internal auditors is divided into five specialties: flagship airline, airline partners, compliance, IT assurance and risk assessment. In this profile, Harsh Mohan, SVP of Audit, Compliance and Risk, discusses how he resolved many of the differences between management and internal audit. Mohan implemented a collaborative approach, making sure auditors praised managers for their accomplishments, explained the significance of adverse findings and prioritized recommendations according to business value. This approach resulted in a significant increase in satisfaction with audit engagements across the business; conflict has been replaced with collaboration.
Evaluation of Internal Audit Performance – Audit Committee Questionnaire
This questionnaire allows members of the audit committee to review, critique, and evaluate the internal audit function on an annual/periodic basis.
Executive Perspectives on Top Risks for 2016
This report from Protiviti and North Carolina State University’s ERM Initiative contains results from our fourth annual risk survey of directors and executives to obtain their views on the extent to which a broad collection of risks are likely to affect their organizations over the next year.
Executive Report on Internal Controls: A Report From the CAE to the Audit Committee
This sample audit report provides specific guidance on how the general audit plan will be accomplished during the year.
Executive Report on Internal Controls: Sample 2
This audit report sample provides an opinion based on an annual assessment of the adequacy of a company’s systems of internal controls.
Request for Proposal: External Quality Assessment Review
This sample request for proposal (RFP) document focuses on finding a service provider to perform an external quality assessment review of an internal audit department. It details the process and timeline for responding to the RFP.
External Auditor Interview Questionnaire
This questionnaire can be used to conduct interviews with the External Auditor to solicit their views and feedback on a company's Internal Audit function.
Facilitating SOA Compliance Using Committees
Following the release of Sarbanes-Oxley and new SEC regulations, many organizations have created a "Disclosure Committee" and a “Section 404 Committee.” This guide discusses the duties, composition, structure and interrelationships of these committees and suggests some general rules to follow.
Facing Change With Confidence
Facing change with confidence is the name of the game in a rapidly changing business environment for any enterprise, whether public, private or nonprofit. Change is inevitable and necessary because if organizations fail to improve their products, services, processes and capabilities continuously, they will ultimately encounter serious performance gaps relative to more adaptive competitors. Change provides both opportunities to enhance and threats to impair enterprise value. Facing change with confidence means accelerating the decision-making process regarding actions to address recognized performance issues, market opportunities and emerging risks. This issue discusses the what, why, when and how underlying “facing change with confidence.”
Finance Code of Conduct Policy
This sample policy serves as a code of conduct specific to senior financial officers of a company with the purpose of documenting a clear understanding of roles and responsibilities.
Finding Opportunities to Improve Efficiency and Enhance Processes Never Goes Out of Style at JCPenney
JCPenney operates more than 1,000 midrange department stores in the United States and Puerto Rico, selling everything from apparel and shoes for men, women and children, to furniture and luggage. When JCPenney made changes to the board and management teams to help lay the foundation for new beginnings, its internal audit function also changed. In this profile, Benita Casey, SVP of Internal Audit, discusses the importance of developing a new internal audit reporting structure for JCPenney. This structure assigns senior-level auditors to specific business functions, while junior staff are exposed cross-functionally to gain expertise across the business. Such an approach allows the internal audit team to develop new talent and allows subject matter experts to apply their expertise in specific areas of the business.
Five Risk Categories for Focusing Risk Oversight
As the board of directors organizes itself for risk oversight, the question arises as to whether it should adopt its own risk language to ensure it is covering all bases. While each board must decide for itself whether a risk language is useful given the nature of the enterprise’s operations, in this issue of Board Perspectives: Risk Oversight we explore five risk categories that directors may want to consider during the risk oversight process. The broad categories recommended by The National Association of Corporate Directors apply to every company, regardless of its industry and strategy.
Five Risk Oversight Questions Directors Should Ask
As the business environment changes, risk profiles change and business models are exposed to disruption. Corporate strategies and risk management capabilities must keep pace in response to these changes. There are many questions directors can ask risk management about an organization’s risks as they discharge their risk oversight responsibilities. To keep up in this dynamic environment, we offer five questions for boards to consider as they take a fresh look at their risk oversight agenda for 2014 in this issue of Board Perspectives: Risk Oversight.
Focusing the Board’s Risk Oversight on What Matters
Many companies have adopted a risk language or taxonomy to facilitate an ongoing dialogue regarding their risks. With respect to board risk oversight, the question arises as to whether directors should adopt their own risk language to ensure they are covering the bases and focusing the oversight process. If the board of directors is mired in the minutiae of risk management, the oversight process lacks the necessary focus to be effective. While each board must decide for itself whether such a language is useful given the nature of the enterprise’s operations, we explore five risk categories directors may want to consider in this issue of Board Perspectives: Risk Oversight.
Formulating an Initial Risk Appetite Statement
A risk appetite statement establishes a common understanding between executive management and the board of directors, regarding desirable risks underlying the execution of the enterprise’s strategy. Every company has an appetite for risk, whether it chooses to acknowledge it explicitly or not. When defining risk appetite, we suggest companies begin with understanding their historical risk-taking characteristics and then frame their risk appetite in the context of their strategies and business models. In this issue of Board Perspectives: Risk Oversight, we advise what to include when formulating assertions to include in a risk appetite statement.
Four Foundational Elements of Risk Management
When discussing how to improve the value contributed by risk management, we often are asked, “Where do we start?” At the heart of this question is the desire for a simple and practical point of view that makes sense in practice. While there is no one-size-fits-all solution, there are four foundational elements of risk management to consider. These elements are intended to be flexible in application, which is essential because risk profiles vary in complexity across industries. In this issue of Board Perspectives: Risk Oversight, we examine the four elements that define what executives should assess when evaluating the role and effectiveness of risk management.
This sample policy details the actions constituting fraud and non-fraud irregularities, investigation responsibilities, confidentiality statements, authorization for investigating suspected fraud, reporting procedures, and termination and administration procedures.
From Reasonable Assurance to Trusted Adviser, Euroclear’s Internal Audit Odyssey
Based in Belgium, Euroclear is one of the world’s largest providers of domestic and cross-border settlement and related services for bond, equity, exchange-traded fund and mutual fund transactions. Euroclear’s team of 42 internal auditors, generating 160 reports a year, is led by Chief Auditor Peter Sneyers. In this profile, Sneyers discusses how the internal audit function transformed based on feedback from stakeholders who wanted more insight and analysis. Although the function was technically proficient, there was a general feeling among stakeholders that there was too much reporting, with too little emphasis on root causes, business impacts and consequences. Based on an analysis of stakeholders’ needs, the department switched from a broad fixed audit rotation to a risk-based rotational audit plan, which allowed them to answer the question: ‘What are the business impacts, and how might they be addressed?’
Gaining Traction With Enterprise Risk Management
Issue 49 of Board Perspectives: Risk Oversight provides seven design principles that will help overcome ERM implementation challenges.
Governance in Not-For-Profit Organizations Policy
This sample policy provides guidance for not-for-profit organizations in the areas of mandate, roles of volunteer boards and executive directors, special board committees and their roles, and volunteer principles.
Guide to Enterprise Risk Management
In today’s challenging global economy, business opportunities and risks are constantly changing. There is a need for identifying, assessing, managing and monitoring an organization’s business opportunities and risks. The concept of enterprise risk management (ERM) helps to redefine the value proposition of risk management by elevating its focus from the tactical to strategic level. ERM is about designing and implementing capabilities for managing the risks that matter. Many are asking questions about the value proposition of ERM and practical steps on how to implement it. This booklet addresses over 160 questions relating to some of the most commonly asked questions with respect to ERM. It offers ideas, suggestions and insights to executives responsible for ERM implementation.
Guide to Internal Audit
The internal audit (IA) profession has undergone significant changes since the New York Stock Exchange (NYSE) issued its new listing standard requiring an IA function. Companies are far more likely to have in place highly developed IA functions that address not only the NYSE standards, but also the SEC’s interpretive guidance on Section 404 of the Sarbanes-Oxley (SOX) Act and PCAOB Auditing Standard No. 5 (AS5). These regulatory developments have had a significant impact on internal audit functions. This booklet is designed to be a resource that IA professionals can refer to regularly in their jobs. The publication offers detailed insights into everything from building an IA function to managing and improving the function as the organization evolves.
Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404
Since the third edition of Frequently Asked Questions Regarding Section 404 of Protiviti’s Guide to the Sarbanes-Oxley Act (SOX) series was released in August of 2004, much has happened. For example: The U.S. SEC has created a “large accelerated filer” category and has adopted different deadlines for initial Section 404 compliance for accelerated foreign private issuer filers and non-accelerated U.S. domestic issuer and foreign private issuer filers. This booklet is designed to help answer questions about the sections of SOX pertaining to public reporting; this information will assist Section 404 project sponsors, leaders and team members. We have provided responses and points of view based on our experience that we hope will assist companies as they document, evaluate and improve their internal control over financial reporting, and as they continue to enhance their executive certification process. We have also held discussions from time to time with both the SEC and PCAOB staff to understand their views on key points and confirm our interpretations in certain areas.
High-Tech Company Audit Plan
This report shows the results of a business self-assessment (BSA) session, which is a focused discussion of risks facing a corporation and an evaluation of the effectiveness of management controls designed to mitigate exposures.
How Mature Are Our Risk Management Capabilities?
You have likely been asked or heard the question, “How mature is our risk management?” We hear it often as well. The presumption is that the more mature a process, the more effective it is. But what does that really mean? How does the concept of maturity apply to risk management? Effective enterprise risk management enables timely responses to the risks that matter most. This issue of Board Perspectives: Risk Oversight outlines the five levels of a capability maturity framework (CMF): the initial state, the repeatable state, the defined state, the managed state, and the optimizing state.
How Risk Appetite Should Impact Behavior
A risk appetite statement is a reminder to management and the board of directors about the core risk strategy rising from the strategy-setting process. A winning strategy emphasizes the areas in which the company excels in comparison to its competitors. There are three elements that make up a risk appetite statement: risks that are acceptable or on-strategy, risks that are undesirable or off-strategy, and important strategic, financial and operational risk parameters. Together, these elements frame the organization’s risk appetite. In this issue of Board Perspectives: Risk Oversight, we address how a risk appetite statement should be used.
HR and Compensation Committee Charter
This charter outlines the purpose, membership and meeting procedures; retention and delegation authorities; and duties and responsibilities of the HR and compensation committee.
Identifying Emerging Risks
Emerging risks are newly developing risks that cannot yet be fully assessed, but that could affect the viability of an organization’s strategy in the future. Effective risk management requires identifying emerging risks. Too often, risk assessments shuffle “known knowns” around on a risk or heat map, leaving executives and directors asking, “Can you tell me something I don’t know?” In this issue of Board Perspectives: Risk Oversight, we discuss how to identify emerging risks which may affect the long-term viability of an organization’s strategy.
Information and Communication Audit Work Program
The purpose of this audit work program is to assess, at a high level, and validate key controls in place for the information and communication component of the COSO Framework. Inadequate or ineffective controls in this area may give rise to financial and operational risks.
Integrating Risk With Business Planning
In a business plan, it is critical to define the inherent soft spots, loss drivers and incongruities that could dramatically affect performance and execution. The budgeting and forecasting processes supporting the business plan also must be effective in managing risks. Two important risks to consider are ensuring the plan itself can be delivered according to expectations, and ensuring the company won’t run out of money as it delivers the plan. While strategy-setting defines an enterprise’s overall strategic direction, differentiating capabilities and required infrastructure, the business plan lays out how the company intends to execute the strategy during an annual period or the operating cycle. This issue of Board Perspectives: Risk Oversight illustrates how risk should be integrated into the annual business planning process.
Integrating Risk With Managing Operations
Operational risk is the risk that one or more future events will impair the effectiveness or viability of the business model in creating value for customers and achieving expected financial results. These risks relate to the various activities along the value chain within which the organization’s business model operates. What would happen to the organization’s business model if any critical component of the value chain were taken away or altered in a significant way through either a process failure or an unexpected catastrophic event? In this issue of Board Perspectives: Risk Oversight, we discuss key considerations when evaluating operational risks.
Internal Disclosure Certification Process Policy: Sample 2
This policy outlines procedures to ensure the fair presentation and disclosure of financial results, and is designed to ensure comfort to executives responsible for signing the external disclosure certification submitted to the SEC in accordance with SEC rules and regulations required by the Sarbanes-Oxley Act of 2002. For each section within Management’s Discussion and Analysis, the notes, and all parts preceding and following these sections, the preparer should prepare a checklist of procedures designed to ensure the accuracy of the disclosure. The preparer should sign the checklist stating that to the best of his/her knowledge the disclosure is materially complete and accurate, nothing has been knowingly omitted, and all controversial matters have been discussed and resolved with management.
Internal Audit – Board of Directors Orientation Report
This document provides a board level overview of internal audit and internal controls. It can be used as an orientation guide for board members to a company’s internal audit department.
Internal Audit and Corporate Governance Structure Guide
This guide outlines sample organization structures for internal audit and corporate governance services.
Internal Audit at Bayer AG
Bayer AG is a German multinational chemical and pharmaceutical company with core competencies in healthcare, agriculture and high-tech polymer materials. Bayer AG operates as a strategic management holding company that defines the values, goals and strategies of the entire corporation, including its three primary businesses: Bayer HealthCare, Bayer CropScience and Bayer MaterialScience. In this profile, Dr. Rainer Schwarz, Head of Corporate Auditing, discusses his mission of becoming able to identify and fix problems before they materialize. Schwarz believes that in order to be positioned to know what might go wrong in the organization before it actually happens, the internal audit function needs to strengthen partnerships throughout the organization. The objective for the internal audit team is to become trusted advisers the business calls upon before making major, potentially high risk, decisions.
Internal Audit at Eni S.p.A. Enters “New Frontier” as Business Consultant, but Keeps Focus on Maintaining Independence
Eni S.p.A. (Eni) is an Italian multinational oil and gas company headquartered in Rome. Eni operates across the entire energy chain and focuses on health, safety, the environment, and is committed to preventing and mitigating operational risks. In this profile, Marco Petracchini, Senior Executive Vice President and Director of Internal Audit, discusses how a recent reorganization of the internal audit function enabled auditors to be closer to the business and acquire a deeper knowledge of activities and risks. During the reorganization, Petracchini created units in charge of audit on specific processes in different business areas. This structure allows Eni’s internal audit function to liaise with management to identify potential future risk areas and determine how internal controls should be implemented to mitigate those risks.
Internal Audit Charter
This sample charter sets out the nature, role, responsibility, status and authority of the internal audit function at a company.
Internal Audit Charter: Sample 2
This sample charter outlines the mission, scope of work, accountability, independence, responsibility and authority of a company’s internal audit department.
Internal Audit Plan and Report to the Audit Committee
This sample audit report presents an anticipated two-year internal audit plan, including details of each audit area.
Internal Audit Plan Status – Report to the Audit Committee
This sample internal audit report to the audit committee presents a logical, easy-to-follow summary of completed, in-progress and scheduled audit projects.
Internal Audit Policy
The policy focuses on the establishment of an internal audit department and its purpose, responsibilities and reporting structure within the organization.
Internal Audit Qualitative Diagnostic Presentation - Sample
This example presentation displays the results of an internal audit department evaluation to the audit committee, particularly following the quality assessment review process.
Internal Audit Report to the Audit Committee
This presentation provides attractive examples of content that can be included within an internal audit report to the audit committee. It includes examples of audit planning calendars, dashboard summaries of audit activities and findings, budget and benchmarking material, and ways to present the audit organization and qualifications to the committee.
Internal Audit Risk Assessment Audit Committee Report
This sample audit report summarizes internal audit risk assessment results to the audit committee. Report topics include: risk assessment approach, risk model, risk map update, top risks, proposed internal audits, audit universe coverage, distribution of internal audit efforts, and internal audit and Sarbanes-Oxley budgets.
Internal Audit Risk Assessment and Proposed Internal Audit Plan
This sample audit report identifies perceived areas of risk and potential internal audit projects for a company after an internal audit risk assessment.
Internal Audit Risk Assessment Report: Sample 3
This report outlines an internal audit risk assessment approach that facilitates the audit planning process.
Internal Audit Strategic Focus Questionnaire
This questionnaire explores internal audit’s strategic contributions and what management and boards should expect from audit going forward.
Internal Audit’s Focus on Reinvention Helps Australian Taxation Office Strengthen Its Risk Management
The Australian Taxation Office (ATO) is the principal revenue collection agency for Australia’s government. The ATO’s responsibilities include collecting income, goods and services, and other federal taxes for the Australian government. The organization, including internal audit, has been on a path of reinvention to transform the client experience, while continuing to deliver quality customer service. In this profile, the ATO’s Chief Internal Auditor, Greg Hollyman, discusses how the internal audit function made it easier for stakeholders to see the big picture of the organization’s risk and assurance. Internal auditors at the ATO participate in a rotational program where they work temporary assignments within the organization. This program has shaped the internal auditors into business-minded strategic thinkers who can assess risk in any part of the organization.
Internal Auditing Around the World: Volume 10
Almost a decade ago, we published a book consisting of 13 Performer Profiles that highlighted the internal audit and risk management practices of leading international organizations. The magnitude of change that has taken place within these internal audit functions during the past decade may be staggering, but it is not entirely surprising given the nature of economic upheaval, regulatory change (the finalization of the Sarbanes-Oxley Act [SOX], as well as Dodd-Frank and the Basel Accords, to name only the largest), and technology-fueled transformation (social media, big data and the emergence of powerful analytics tools). As these leading internal audit executives look ahead, it is clear that these forces will enact more frequent and intense changes to their enterprises and, in response, to the nature of internal auditing itself. Although the profile subjects once again this year represent a diverse slate of industries and confront unique strategic risks, their approaches to fostering internal audit functions that contribute to their organizations’ overall success remain remarkably similar. What’s even more striking, however, is the extent to which this year’s profiles describe and build upon themes identified in the previous nine Internal Auditing Around the World installments in regard to how their functions have progressed in the past 10 years. Among other concepts and practices, these themes include adding value as a business partner, becoming more collaborative, investing in technology-enabled auditing, and embracing a risk-based auditing approach. The future auditor will conduct even greater levels of collaboration, employ more powerful technology, and assume a sharper risk focus, while taking on a greater leadership role. 
In this booklet, we share accounts from some of the world’s leading organizations’ internal audit executives that show the evolution of their function during the past decade, in addition to weighing in on what the future may hold for the internal audit profession.
Internal Auditing Around the World: Volume 11
This volume of Internal Auditing Around the World uncovers how internal audit departments, along with their organizations, are in the midst of significant change and transformation—a period of reinvention. They must rise to the call to become more of a strategic partner to the business—a role many internal audit teams have been actively working to achieve for years—while not compromising their independence and objectivity.
Internal Auditing Around the World: Volume 2
Globally, organizations face escalating financial, operational, strategic and physical risks that have been increasing steadily in terms of impact, likelihood and complexity. Corporate governance regulations and guidelines, financial reporting requirements, operational efficiencies, customer satisfaction levels – all these factors drive the internal audit (IA) functions of multinational companies to add value beyond any standard that has been set in the past. In this booklet, we detail the IA best practices, processes and strategies being employed at 14 successful companies. The companies represent different regions, industries and markets. They are highly successful organizations competing in a dynamic global landscape. Excellence is the benchmark for these organizations – their internal audit functions have been shaped and, in some cases, reinvented by this level of achievement.
Internal Auditing Around the World: Volume 3
Given the value added by having strong internal audit (IA) teams, it is not surprising that people play the most essential role in every IA function represented in this book. Demand for highly qualified, talented internal auditors continues to grow throughout the world, as the number of professionals meeting this description shrinks. What drives top-performing IA functions today? In this booklet, we profile 16 successful IA functions from companies across the globe and examine common denominators that separate these leaders from their peers. While there certainly are differences among the companies profiled, they share a number of important similarities in terms of philosophies, approaches, performance measurements and lessons learned – and perhaps most notably, the core concept driving IA activities within these organizations is adding value.
Internal Auditing Around the World: Volume 4
Today’s internal audit (IA) functions are achieving their objectives and improving operations by being resourceful and flexible, engaging in dialogue with management about IA activities and their alignment with company goals, stressing the importance of internal controls throughout the organization, and relying on technology to help manage routine auditing tasks and focus on risk assessment. This booklet examines the challenges and successes of 19 top-performing IA teams. One of the key takeaways from the IA functions profiled in this publication is that today’s internal auditors are actively striving to be highly visible to the entire operation. To achieve this, many auditors must travel to far-flung destinations to learn firsthand about their company’s activities and industry and build strong relationships with personnel throughout the organization, and with external auditors and other outside resources.
Internal Auditing Around the World: Volume 5
Without question, the risk landscape has changed dramatically since 2005, when we published the first volume of Internal Auditing Around the World. Four years ago, many organizations were investing more in their internal audit (IA) functions as they sought to comply with the internal control requirements of the Sarbanes-Oxley (SOX) Act. Not surprisingly, internal auditors today find themselves in a very different place and facing challenges difficult to imagine just a short time ago. How are IA functions helping their organizations adapt and even succeed in these unprecedented times? This booklet profiles 11 successful international companies undergoing significant changes, such as restructuring, mergers and acquisitions, and industry transformation, and details the internal audit best practices, processes and strategies being employed. These organizations have not only adapted successfully, but have also uncovered many untapped opportunities.
Internal Auditing Around the World: Volume 7
Enterprise risk management (ERM) guidance is more critical than ever for business success today. Amid perceived risk management failures in the wake of the recent global financial crisis and its lingering consequences, increasing regulatory scrutiny, and growing technology risks, boards are mandating that ERM be a high priority in their organizations. One major benefit of effective ERM is being able to reassure both internal and external stakeholders that critical risk management concerns are being addressed. In this booklet, we profile companies that are taking steps to integrate ERM into processes for formulating and executing audit plans. These companies are truly international in the scope and size of their operations, and their profiles reveal common practices that these organizations employ to make ERM a strategic imperative.
Internal Auditing Around the World: Volume 9
A fundamental shift toward collaborative working is under way at many businesses around the globe. However, becoming more collaborative has not been an easy transition for many internal audit functions. This is not only because they aren’t used to taking center stage, but also because others in the organization must adapt to interacting with internal auditors more frequently, proactively and strategically. The benefits of enhanced collaboration for the business make working through the challenges worthwhile. In this booklet, we profile eight organizations – leaders in industries as diverse as mining, computer software, consumer foods, financial services, electronics, global payments and telecommunications – and discuss the trend towards greater collaboration extending to internal audit.
Introduction to the Internal Audit Profession (KLplus CPE Course)
Internal auditing is an important and pragmatic process which can be of significant value to all commercial enterprises. This course serves as a roadmap to the understanding and efficient operation of the internal audit profession.
Introduction to the Internal Audit Profession (KLplus FREE Course)
This basic-level course explains the general purpose, role, and skills required of an internal auditor. The course explains the steps in an internal audit and the role of information technology in the audit process, as well as the roles of the audit committee and the benefits of internal audit functions to the audit committee.
Introduction to the Sarbanes-Oxley Act of 2002 (KLplus FREE Course)
This basic-level course provides a summary of the Sarbanes-Oxley Act and provides an overview of key sections. The course explains the role of the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) that was created by the Act to oversee auditors.
Investments in Securities, Derivative Instruments and Hedging Activities Audit Work Program
The objective of this audit program is to review the controls related to a company’s investment procedures. This audit program reviews whether investment transactions are initiated in accordance with management’s established policies, the accuracy of investment information, and the results reported in the financial statements. One of the key steps in this work program includes reviewing board of directors meeting minutes (or its finance, asset/liability, investment or other committee) for evidence that reports of securities transactions have been reviewed and for evidence that changes in securities policies have been approved.
Is the Collaborative Economy Reshaping Business?
In a “collaborative economy,” people obtain essential goods and services from each other rather than from established brands and businesses. Just as social media enabled peer-to-peer (P2P) sharing of content, the technologies and peer communities underlying the collaborative economy enable P2P sharing of goods, services, transportation, space and money at a speed and scale unimaginable a decade ago. There are well-funded established companies and startups that facilitate the sharing that makes the collaborative economy possible. Like the early days of the Internet and social media, the collaborative economy has its champions and skeptics. In this issue of The Bulletin, we explore why it is a strategic imperative to watch developments with the collaborative economy closely to ascertain whether established business models will be at risk or have an opportunity to enhance the customer experience.
Is Your Company Exposed to the Right Risks?
A company’s strategic direction and its ability to execute on that direction are both fundamental elements of risk-taking. Issue 47 of Board Perspectives: Risk Oversight discusses how companies can determine which risks are good bets to take.
Is Your Compliance Management Making a Difference? Board Perspectives: Risk Oversight, Issue 35
Compliance management consists of an organization’s processes for adhering to laws, regulations and internal policies. To be effective, it requires metrics, measures and monitoring that provide assurance to management and the board of directors that established policies and procedures for fostering compliance are performing as intended. Without effective management of the compliance risks that really matter, the organization is reactive at best and noncompliant at worst. Companies should ensure that established policies and procedures provide reasonable assurance that the organization is adhering to the requirements of applicable laws and regulations and internal policies. This issue of Board Perspectives: Risk Oversight describes several key elements of an effective compliance program for boards to consider.
Is Your Compliance Management Making a Difference? The Bulletin, Volume 4, Issue 10
Compliance management consists of the organization’s policies and processes for adhering to applicable laws and regulations. It requires metrics, measures and monitoring that provide assurance to management and the board that established policies and procedures for fostering compliance and responsible business behavior are performing as intended. Without effective management of the compliance risks that really matter, the organization is reactive, at best, and non-compliant, at worst. Companies should ensure that they are implementing a holistic, top-down and proactive approach to managing compliance. This issue of The Bulletin focuses on the issues that surround compliance, its current state, true cost and value proposition, as well as its organizational structure and offers suggestions on ways it can be improved.
Is Your Organization an Early Mover? Board Perspectives: Risk Oversight, Issue 22
An “early mover” is a firm that quickly recognizes a unique opportunity or risk and uses that knowledge to evaluate its options either before or along with other firms that also seize the initiative. Early movers have the advantage of time, which brings more decision-making options before market shifts invalidate critical assumptions underlying the strategy. Failing to attain “early mover status” can be fatal in today’s complex and rapidly changing business environment. In this issue of Board Perspectives: Risk Oversight, we offer insights on why organizations should be early movers when it comes to identifying and acting on opportunities and risks.
Is Your Organization an Early Mover? The Bulletin, Volume 4, Issue 7
An “early mover” is a firm that quickly recognizes a unique opportunity or risk and uses that knowledge to evaluate its options either before anyone else or along with other firms that also recognize the significance of what’s developing; they seize the initiative to either capitalize on the opportunity or reduce the risk. Early movers have the advantage of time, which brings with it more options for decision-making before market shifts invalidate critical assumptions underlying their strategy. Failing to attain “early-mover status,” as we’ve defined it, can be fatal in today’s complex business environment.
IT Change Advisory Board Charter
In accordance with the company’s IT change management policy, the IT change advisory board reviews and approves technology changes scheduled for upcoming release dates. This charter establishes the IT change advisory board and outlines its scope, key roles and responsibilities, activity sequence, and meeting objectives. The IT change advisory board provides a structured framework for achieving the objectives of ensuring appropriate awareness of changes and change impacts (e.g., cost impact and schedule); assessing changes for potential conflicts, issues and resource management; and negotiating, authorizing, approving and informing the business of risks associated with the request for change. The IT change advisory board is responsible for review and approval of all requests for change from the company’s personnel, contractors and third-party vendors.
IT Risk Assessment Questionnaire
This tool includes risk assessment questions for both IT management and executive IT management.
IT Audit Benchmarking Webinar: David Brand and Robert Kress Answer Your Questions
Protiviti’s David Brand and Accenture’s Bob Kress answer questions received during the 2016 IT Audit Benchmarking Survey webinar.
It’s That Time of Year: The 2016 Audit Committee Agenda
Jim DeLoach recaps Protiviti’s ten Mandates for Audit Committees in 2016.
Key Questions to Consider for the Risk Appetite Dialogue
Issue 48 of Board Perspectives: Risk Oversight considers three elements of a risk appetite statement: risks that are acceptable or on-strategy; risks that are undesirable or off-strategy; and strategic, financial and operational risk parameters.
Knowing What You Don’t Know
If the financial crisis has but a single lesson, it is this: what we don’t know can be more important than what we do know. This raises the ultimate rhetorical question, “Do we know what we don’t know?” The reality of today’s environment is that management and the board can never be certain that they know everything they need to know. Nonetheless, this issue of Board Perspectives: Risk Oversight suggests eight steps executives and directors can take to manage uncertainty.
Making Internal Audit a Value-Adding Contributor to Economic Recovery
The severity of the current global economic downturn has left organizations around the world searching for ways to contain costs, improve efficiencies, maintain customer satisfaction levels and protect their balance sheets. This unprecedented economic crisis has been nothing short of an urgent call to action for more robust risk management practices in organizations. Not only is it essential for internal audit to ensure that its activities are fully aligned with the expectations of the organization’s leadership, it is vital for the organization’s leaders to look to the internal audit function for the support they need. This issue of The Bulletin explores how internal audit can contribute to the organization as it recovers from crisis, and what management and boards of directors should expect of internal audit going forward.
Making Your Risk Assessments Count: A Strategic Perspective
Every organization should ask the following question, “Do we devote enough attention to thinking about what we don’t know by focusing on our strategy and the external environment?” An indicator of the quality of the risk assessment process is the extent to which it fosters the sharing of new insights among the company’s executives and directors. Understanding risks and how they are managed used to be the threshold for most companies. Today risk management must also instill greater confidence in the board of directors that the corporate strategy can be executed successfully, and the business plan and performance goals achieved. In this issue of The Bulletin, we look at why traditional approaches to risk assessment aren’t meeting expectations, and what can be done differently to increase management’s confidence in the process going forward.
Making Your Risk Assessments Count: An Operational and a Compliance Perspective
Traditional assessment approaches often do not address the unique characteristics of the risks a company faces. While using a common analytical framework to evaluate risks with different characteristics may make the assessment process easier to execute, it also may not be as effective as approaches that could provide more insight into how to respond to assessed risks. An enterprise risk management process does not envision that all risks be subject to the same assessment methodology. In this issue of The Bulletin, we suggest that robust approaches applied to different risk categories according to the underlying characteristics of risks are needed to identify the top risks of those categories. We also suggest four reasons why companies find it challenging to move beyond a risk assessment to actionable steps that could be incorporated into a business plan.
Manage Relations With the Board of Directors—Key Performance Indicators (KPIs)
This tool describes cost-based, quality-based and time-based performance measures and lists measures that can be used as a starting point for discussions about managing relations with the board of directors.
Management Development and Compensation Committee Charter
The purpose of the management development and compensation committee is to carry out the board of directors’ overall responsibility relating to executive compensation. This charter provides an example of its structure, authority and responsibilities.
Management Response to Internal Audit Reports Memo
This memo outlines specifics to consider when drafting management responses to audit observations.
Managing Corruption Risk
Consequences of corruption violations include criminal and civil enforcement actions, profit disgorgements, mega fines, suspensions from government contracting, jail terms for employees and reputation-damaging headlines. To avoid these consequences, firms should consider an anti-corruption program intended to prevent, deter and detect improper payments by employees and agents. Companies should establish risk-based policies and procedures that provide reasonable assurance that the organization and its agents are adhering to the provisions of applicable anti-corruption laws and implementing adequate systems of internal controls. This issue of Board Perspectives: Risk Oversight shares how a robust anti-corruption program can save companies from the expensive consequences of corruption violations.
Managing Cyber Threats With Confidence
The realities of risk management are that risks are impossible to eliminate, resources are finite, and risk profiles are ever-changing. Such is the case with cyber threats. Cybersecurity attacks continue to be the focus of front-page media coverage and remain a highly relevant topic in the boardroom. Cutting across strategy, risk management, change management and access control, information security is concerned with the confidentiality, integrity and availability of information systems. This issue of Board Perspectives: Risk Oversight articulates why it’s important to focus on protecting an organization’s most important information assets and systems by understanding the changing threat landscape and preparing for the inevitable incidents.
Managing Cybersecurity Risk
In this issue of Board Perspectives: Risk Oversight, we present four considerations for managing cybersecurity risk.
Managing Reputation Risk
From a risk oversight standpoint, crisis management is an integral component of effective reputation management. Rapid and effective response to sudden, unexpected events can enhance reputation. Effective identification and management of risk can reveal major threats to reputation and ensure they are reduced to an acceptable level. While reputation is hard to define in terms of exactly what it is, everyone agrees it’s important and recognizes a reputation that has been damaged beyond repair. In this issue of Board Perspectives: Risk Oversight, we explain how a company’s reputation management is inextricably linked to its risk management and crisis management.
Measuring the Success of Enterprise Risk Management
Often, we hear the question many consider to be the Holy Grail in risk management, “How do we measure the value of enterprise risk management (ERM)?” This is a deceptively simple question for which there is no simple answer. How do we measure the success of ERM, or risk management in general, when there are so many forces at work that shape the future and the organization’s ultimate success or failure over time? If management makes good decisions, how do we know whether the decision would have been different had the entity’s ERM process not been in place? In this issue of Board Perspectives: Risk Oversight, we study 10 measures of success directly related to risk management that companies can use. While they don’t necessarily answer the Holy Grail question directly, they do provide useful insights on the contribution of ERM to an organization’s success.
Monitoring Controls (Entity-Level) Audit Work Program
The purpose of this audit work program is to evaluate the operating effectiveness of the monitoring component of COSO, as it relates to the attributes of ongoing monitoring, separate evaluations and reporting deficiencies. Each section of this work program focuses on a specific attribute and the documentation that evidences the operating effectiveness of entity-level controls. After each attribute, the work program details the steps for evaluating each entity-level control.
Nominating and Governance Committee Charter
This charter outlines the purpose, membership procedures, meeting procedures, and roles and responsibilities of the nominating and governance committee.
Nominating and Governance Committee Charter: Sample 2
This charter outlines the structure, purpose and responsibilities of the nominating and corporate governance committee, which assists in nominating board members and in developing a company’s corporate governance guidelines.
Nominating and Governance Committee Charter: Sample 3
This sample charter outlines the purpose, membership procedures, authorities and responsibilities of the nominating and governance committee.
Nominating and Governance Committee Charter: Sample 4
This charter outlines the purpose, authority and responsibilities of the nominating and governance committee and describes its membership and administrative procedures.
Organizational Alignment Risk Key Performance Indicators (KPIs)
This tool explains the meaning of organizational alignment risk, outlines business risks and management practices related to organizational alignment, and provides questions to consider.
Organizing for Risk Oversight
“Risk oversight” describes the board of directors’ role in the risk management process. Effective risk oversight determines that the company has in place a robust process for identifying, prioritizing, sourcing, managing and monitoring its critical risks, and that this process is improved continuously as the business environment changes. Risk oversight is a high priority for today’s boards of directors. This issue of Board Perspectives: Risk Oversight provides suggested questions that boards may consider, as appropriate to the entity’s operations, as they seek to clarify their risk oversight responsibilities.
Overcoming Bias in Risk Management
With respect to risk management, bias has always existed and always will. It is not unusual to find evidence of groupthink, dominant personalities, overreliance on numbers, disregard of contrary information, disproportionate weighting of recent events, and tendencies toward risk avoidance or risk-taking in any organization. Suppressing dissenting viewpoints, ignoring creative thinking and isolating the organization from outside influences are sure ways for executive management to lose touch with business realities. In this issue of Board Perspectives: Risk Oversight, we examine how to overcome bias in risk management; it’s all about improving risk/reward decision-making processes continuously so that alternative views are expressed and considered.
Physician Contract Compliance Review Audit Report
This report focuses on the effectiveness of a healthcare organization’s physician contracting and payment processes.
Positioning Compliance for Effectiveness
We often receive questions regarding the proper positioning of compliance in an organization. The debate frequently centers on to whom compliance reports. Unfortunately, this line of inquiry does not focus on the fundamental issue of roles and responsibilities. An understanding of these roles provides a powerful context for evaluating how to position the compliance function within the organization. Positioning the compliance function for effectiveness is a matter of first defining the roles executive management and the board of directors want the function to play. In this issue of Board Perspectives: Risk Oversight, we explore the different views regarding the responsibilities expected of the compliance function and their implications for positioning compliance.
Positioning the CRO for Success
When it is appropriate for a chief risk officer (CRO) or an equivalent senior risk executive to be in place, the board of directors, management, and the company’s shareholders all have a stake in that executive’s success. This is the time for the organization to consider a fundamental question, “Is that executive, as well as risk management in general, positioned to be successful within the organization?” Like all C-suite executives, the CRO has a difficult job. To be effective, he or she must have a prominent and meaningful voice in the C-level dialogue. Poor positioning of the CRO leads to a risk management failure. This issue of Board Perspectives: Risk Oversight reviews the elements that enable the CRO to be successful.
Preparing for a Black Swan
In a business context, a “black swan” is a high-impact, hard-to-predict and rare event that is beyond the realm of normal expectations in history, science, finance and technology. The nature of a black swan is that it represents an event or combination of events that impact the business in a significant manner. Since we can’t predict the future, how do we gain an understanding of what we don’t know? In this issue of Board Perspectives: Risk Oversight, we discuss an approach that uses the most critical assumptions underlying the strategy as a context for understanding, preparing for and managing risks related to a black swan.
Principles for Improving Board Risk Reporting
This issue of Board Perspectives discusses six principles for delivering the focused risk reporting the board needs.
Protecting Enterprise Value Through Your Anti-Fraud Program – Questionnaire
A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting tangible and intangible enterprise value and preserving the reliability of public reporting. This document focuses on key questions for board members and management when evaluating the anti-fraud program.
Protiviti Risk Model
The Protiviti Risk Model is a comprehensive organizing framework for defining and understanding potential business risks and creating and managing the organization’s dynamic risk universe.
Public Company Readiness Questionnaire
When preparing for an initial public offering (IPO), it is vital to pay close attention to the underlying business and IT processes, policies, and internal controls. This questionnaire focuses on certain aspects of the IPO preparation process and specific areas management should address, including common financial reporting challenges, the close process, Sarbanes-Oxley compliance and IT infrastructure.
Public Company Readiness: Getting Ready for Prime Time Before the Market Does
The recent economic environment has been a tough one for the capital markets, making all sources of capital increasingly difficult for companies to access. While there has been a recent uptick in the IPO market in the United States following one of the worst IPO droughts in decades, bank lending has declined and venture capital remains hard to secure. Companies with IPO aspirations are advised to run as if they were already public in order to be ready to strike when the market begins to recover. In this issue of The Bulletin, we focus on certain aspects of the IPO preparation process, including the need for a readiness assessment along with specific areas management should address – common financial reporting challenges, the close process, Sarbanes-Oxley compliance and the IT infrastructure.
Purchase-to-Payment Process Assessment: Sample 2
This audit report focuses on the purchase-to-payment process, assessing spend data for a specified period of time.
Quality Assurance Function Charter
The quality assurance function helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, internal control and corporate governance processes in the organization. Example responsibilities include ensuring that risks are appropriately identified and managed, that interaction with the various governance groups occurs as needed, and that significant financial, managerial and operating information is accurate, reliable and timely. This charter describes the purpose, responsibilities and authority of a distinct quality assurance function that reports directly to the audit committee.
Quality Assurance Review Plan Report
This audit report outlines the approach followed to establish a quality assurance function, which includes evaluating the organization’s risks.
Quarterly Compliance Assessment – Audit Report
The purpose of this report is to document internal audit’s quarterly assessment of compliance policies and procedures and the validation of the operational effectiveness of key activities and controls within those policies and procedures.
Recognizing Emerging Risks
Effective risk management requires understanding more about what we don’t know than what we do know. In particular, effective risk management must recognize when new risks are emerging. Too often, risk assessments plot the usual “known knowns” on yet another risk map, leaving executives and directors underwhelmed because the process doesn’t really provide new information and offers little insight about what to do next. It’s essential for boards to be able to discuss the “unthinkables.” In this issue of Board Perspectives: Risk Oversight, we introduce effective techniques for identifying emerging risks and explain how management can apply those techniques to update the board of directors’ risk oversight process.
Recommendations from Protiviti’s Board Risk Oversight Survey
In the prior issue, we provided insights into the areas where the risk oversight process could be improved. These insights were based on the results of a comprehensive survey we conducted of more than 200 directors regarding the current state of board risk oversight. Sponsored by the Committee of Sponsoring Organizations (COSO), this survey provides a basis for boards to examine how they can improve their risk oversight process. Boards may want to consider the recommendations in view of the nature and complexity of their organizations’ operations and risks, as well as the current state of their risk oversight processes. In this issue of Board Perspectives: Risk Oversight, we take the additional step of listing some recommendations based on the insights from the survey.
Reducing the Risk of Rogue Trading
“Tone at the top” is vital to managing the use of financial derivatives, as dysfunctional behavior can undermine established policies and controls, creating organizational “blind spots” that can lead to inappropriate risk-taking. Effective internal control design, including segregation of authorization, execution and settlement activities, is the first line of defense against unauthorized trading or speculation. Significant losses are an excellent example of what can happen when the trading of financial derivatives goes awry. This issue of Board Perspectives: Risk Oversight focuses on tone at the top and effective internal controls, and provides seven important questions for boards and senior executives to consider about the organization’s use of financial instruments.
Refocusing the Internal Audit Agenda: Capitalizing on Changing Expectations
Years ago, the Institute of Internal Auditors (IIA) published a definition of internal auditing that was focused on a broad range of evaluation and improvement activities, namely, “risk management, control and governance processes.” This definition has been viewed by some as ahead of its time, since many internal audit functions still lack the knowledge and skills required to expand the focus of the audit plan to address all of these activities fully. Our view is that this definition continues to provide a pathway for refocusing the internal audit agenda in an environment of ever-changing expectations. In this issue of The Bulletin, we explore some of the factors that are driving higher expectations for internal audit and outline how Chief Audit Executives (CAEs), with support from management and the audit committee, can respond to the challenge.
Relationship with External Auditors Policy
This policy outlines the relationship between a company and its external auditors. This document also discusses the importance of providing external auditors adequate information and other related company responsibilities.
Request for Proposal: Internal Audit – Energy Industry
This sample request for proposal (RFP) document focuses on finding an internal audit service provider to support an organization in the energy industry.
Request for Proposal: Internal Audit Services and Sarbanes-Oxley Regulatory Compliance
This is a sample request for proposal (RFP) and vendor questionnaire from a company seeking a service provider to establish an internal audit function with an emphasis on compliance with the Sarbanes-Oxley Act.
Request for Proposal: Internal Audit Department Quality Assessment Review
This sample request for proposal (RFP) includes a vendor questionnaire and is designed for an internal audit department seeking a service provider to conduct a quality assessment review of its performance and coverage of its entities.
Revenue Process Control Questionnaire
Revenue process controls are important to financial reporting because this process measures the accomplishments of the operating activities of a company. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists, whether it was designed properly, related test procedures, and the management action plan for deficiencies.
Risk Assessment Results Audit Committee Report
This sample report to the audit committee primarily focuses on the audit risk assessment process and its results and the internal audit planning process.
Risk Assessment Audit Work Program
This sample audit work program assesses and validates key controls in place for the risk assessment component of the COSO framework.
Risk Management Oversight Committee Charter
The purpose of the risk management oversight committee is to monitor the organization’s risk environment and provide direction for the activities to mitigate, to an acceptable level, the risks that may adversely affect the company’s ability to achieve its goals. This charter serves as an example document outlining this committee’s various responsibilities, including: identifying and prioritizing business risks, evaluating the effectiveness of risk mitigation activities, ensuring that gaps in effectiveness are addressed for high-priority risks, and improving ERM infrastructure.
Risk Management Policy
This sample outlines a set of policies and procedures for a common and systematic approach for managing risk across a company.
Risk Oversight and Risk Management Questionnaire
Risk oversight and risk management are high priorities on the agenda of most organizations. The purpose of this questionnaire is to help boards and management think about how they can develop a deeper knowledge of the risk oversight and risk management processes, understanding both the current state and desired future state.
Risk Oversight: A Board Imperative
Included in the inaugural edition of Board Perspectives: Risk Oversight are questions board members should ask of executive management regarding the organization’s risk management processes. In this newsletter as well as future editions, we intend to explore the right questions without suggesting standard “cookie cutter” answers. Sample questions in this edition include: Is there a robust process in place for identifying, prioritizing, sourcing, managing and monitoring the enterprise’s critical risks in a changing operating environment? Do we understand the risks inherent in the corporate strategy? Is there a sufficient understanding of the significant assumptions underlying the strategy and is a process in place to monitor for changes in the environment that could alter those assumptions?
Sarbanes-Oxley Section 404 Management Testing Plan Policy
This sample policy helps to summarize management’s approach to plan, organize, execute, document and support its assessment of the effectiveness of a company and its subsidiaries’ internal control over financial reporting.
Sarbanes-Oxley Section 404 Process Prioritization Report
This document outlines the steps used by management in assessing the criticality of business processes, which is important in setting the scope for the internal control over financial reporting assessments. This includes prioritizing financial reporting elements, defining processes, linking processes to financial elements, and prioritizing processes.
Sarbanes-Oxley Section 404 Program Executive Scorecard - Sample
This document serves as an executive report template focused on the progress of the Sarbanes-Oxley Section 404 program.
Sarbanes-Oxley Section 404 Audit Committee Questionnaire
There is no question that complying with Sarbanes-Oxley Section 404 requires much effort. This seven-page questionnaire includes important questions audit committees should ask throughout the inception of a project and the first year of compliance.
Sarbanes-Oxley Section 404 Committees
This guide describes the composition, function and operating style of a Sarbanes-Oxley Section 404 compliance steering committee, and the interrelationship between a steering committee and a disclosure committee.
Sarbanes-Oxley Sustainable Compliance Questionnaire
This questionnaire addresses how organizations can make Sarbanes-Oxley compliance sustainable while improving business processes that impact financial reporting.
Self-Assessment Process Questionnaire: Process Owner Accountability
Self-assessment is a recognized best practice and has been applied to risks and controls for many years. This questionnaire provides a format to evaluate current self-assessment practices and identify areas for improvement.
Senior Vice President of Internal Audit Job Description: Sample 2
This job description provides an overview of specific responsibilities and qualifications for the senior vice president of internal audit position.
Senior Vice President, Chief Risk Officer Job Description
This job description outlines the responsibilities and qualifications for the senior vice president, chief risk officer. The role provides oversight and direction for the management of all risks across an organization’s business segments.
Setting the 2006 Audit Committee Agenda
Much has happened since 2003 when the SEC adopted rules mandated by The Sarbanes-Oxley Act of 2002 (SOX) that, among other things, expanded and formalized the responsibilities of audit committees. Rather than focus on history, this issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider during the coming year.
Setting the 2008 Audit Committee Agenda
Audit committees have another crowded agenda over the next year. Many aspects of the audit committee charter continue to require ongoing attention, including the myriad of committee activities around the rules issued by the U.S. Securities and Exchange Commission (SEC) and the listing standards promulgated by the exchange to which the company is subject. Obviously, audit committees must continue to address these important requirements, as they provide the minimum standards by which they operate. This issue of The Bulletin provides observations and ideas for boards of directors and their audit committees regarding matters they should consider during the coming year. The agenda items we have listed are significant matters warranting audit committee attention and we believe that the committee can play an important oversight role in addressing these items.
Setting the 2009 Audit Committee Agenda
Since we published Setting the 2008 Audit Committee Agenda a year ago, the world has dramatically changed. 2009 promises to be a challenging year for audit committees. Without a doubt, the financial crisis has increased uncertainty and created changes to strategic plans, operating budgets and organizations. Uncertainty and change increase the need to identify, understand and manage risk effectively. This issue of The Bulletin provides observations, ideas and matters to consider for boards of directors and their audit committees to get through the trying times in the upcoming year. The agenda items we have listed are significant matters warranting audit committee attention, and we believe that the committee can play an important oversight role in addressing them.
Setting the 2010 Audit Committee Agenda
Given that the importance of periodically evaluating the business model, managing profitability, controlling costs and managing risk is not only a sign of the times but also essential to sustaining longer-term performance, audit committees should evaluate their composition and current charter to ensure they are up to the challenge. In this issue of The Bulletin, we provide concepts for consideration by boards of directors and their audit committees as 2010 unfolds, and describe 10 major challenges businesses face as they set the 2010 audit committee agenda. These 10 mandates are based on our interactions with client audit committees, roundtables we have conducted, and discussions with directors at conferences and other forums.
Setting the 2011 Audit Committee Agenda
This issue of The Bulletin provides observations for consideration by boards of directors and their audit committees as 2011 unfolds.
Setting the 2012 Audit Committee Agenda for Non-Financial Services Companies
Over the past year, the economic environment has shown signs of stabilizing, but recent events suggest the seas are likely to remain choppy for some time to come. There are many factors contributing to the uncertainty businesses face as they look to the future. Committee members should exercise an attitude of healthy skepticism when working with management on new and emerging issues. In this issue of The Bulletin, we explore these issues and provide observations for boards of directors and their audit committees to consider while setting the 2012 audit committee agenda. There are 10 major challenges non-financial services businesses will likely face over the next 12 months and the 2012 agenda items we suggest are significant matters warranting audit committee oversight.
Setting the 2013 Audit Committee Agenda
The complexity and velocity of change in an increasingly interdependent world are altering the dynamics of doing business. As the business environment continues to change, so does the risk landscape that companies and their audit committees face. Given the dynamic economic, business, regulatory and political environment, committee members should be mindful of developments over the course of a year that may drive emerging issues requiring the committee’s attention. This issue of The Bulletin provides observations and ideas for consideration by boards of directors and their audit committees when setting the 2013 agenda. We present 10 major challenges many companies will likely face over the course of a year and summarize an audit committee agenda that is broken down into two categories – enterprise, process and technology risk issues and financial reporting issues.
Setting the 2014 Audit Committee Agenda
The profile of macroeconomic, strategic and operational risks continues to evolve in terms of significance and complexity for many organizations. The risks companies face in today’s global business environment create uncertainty for executive management and the board of directors. Given the uncertainties of the environment, this issue of The Bulletin offers observations and ideas for consideration by boards of directors and their audit committees when setting the 2014 agenda. We present 10 major challenges many companies will face over the next 12 months and summarize an agenda that is broken down into enterprise, process and technology risk issues and financial reporting issues.
Setting the 2015 Audit Committee Agenda
Audit committees continue to face crowded agendas and increasing complexity as we look forward into 2015. Many audit committees retain responsibility for making inquiries regarding the company’s risk assessment process and risk management capabilities. The risk assessment process should consider a variety of existing risks and address the adequacy of risk management capabilities. Based on our interactions with client audit committees, roundtables we’ve conducted, and discussions with directors at conferences and other forums, we have developed an agenda with 10 items for audit committees to consider for the coming year. In this issue of The Bulletin, we detail the 10 items in our proposed agenda relating to enterprise, process, technology, and financial reporting issues.
Setting the 2016 Audit Committee Agenda
Interesting challenges are in store for audit committees in the coming year, and in this issue of The Bulletin, we deliver the top risk issues warranting consideration by audit committees for inclusion on the 2016 agenda.
Setting the Audit Committee Agenda Questionnaire
Good business leaders are aware that the world is changing – dramatically. This questionnaire is for executive management, boards of directors and their audit committees to help ensure their organizations are ready to address change. It also addresses management’s perspective on the audit committee’s agenda and lists challenges and business-facing mandates for audit committees to assess.
Shaping the 2013 Risk Oversight Agenda
Changing markets and circumstances spawn new risks, alter risk profiles and reduce the effectiveness of established risk management capabilities. The risk oversight agenda should take such changes into account. This issue of Board Perspectives: Risk Oversight poses 10 questions for boards to consider as reminders as they evaluate their risk oversight agenda for 2013.
Shareholders’ Equity – Investor Relations Policy
This policy focuses on maintaining a continuous dialogue with present and potential investors, informing them of the company’s progress, goals and other pertinent information as required by law, and maintaining good business relations.
Should the Board Have a Separate Risk Committee?
Given that there is no one-size-fits-all solution for risk and the risk management function, how risk is governed varies across industries and organizations. A fundamental role of the board of directors in discharging its risk oversight responsibilities is to ensure the success of the independent risk management function. Has the board articulated its risk oversight objectives and evaluated the effectiveness of its processes in achieving those objectives? There are five interrelated principles that underlie effective risk management within all organizations, in both good times and bad. In this issue of Board Perspectives: Risk Oversight, we discuss these five fundamental principles to attaining risk management success.
Should the Board Have a Separate Risk Committee?
The full board should retain overall responsibility for risk oversight, mirroring its overall responsibility for strategy. Except where there are statutory requirements, the board of directors has the flexibility to organize itself in a manner that makes sense considering its company’s size, structure, complexity, culture and risk profile, as well as the board’s size, composition and structure. To enhance effectiveness and efficiency, and to address specific regulatory requirements, risk oversight responsibilities can be allocated to various standing committees in keeping with the specific risks appropriate to each committee’s responsibilities. In this issue of Board Perspectives: Risk Oversight, we weigh the pros and cons of establishing a separate board risk committee and discuss appropriate roles for the potential risk committee of the board.
SOX Coordinator Job Description
This job description provides an overview of the responsibilities for the Sarbanes-Oxley coordinator (internal controls) position.
Staying Engaged in the Risk Oversight Process
Most observers would agree that risk oversight entails more than just looking at a risk assessment once a year. Depending on the nature of the business and its risks, the board of directors should regularly self-evaluate its risk oversight process. How does the board remain engaged with its risk oversight responsibilities over time? In this issue of Board Perspectives: Risk Oversight, we illustrate how the board can remain engaged with the risk oversight process beyond reviewing the results of an annual risk assessment.
Strategic Internal Audit Plan
This template is to be used by internal audit when developing an annual audit plan. It provides areas to document the planning approach, major projects and associated timelines, and project sponsors.
Strengthening Your Risk Culture
Risk culture is the glue that binds all elements of risk management infrastructure together. It reflects the shared values, goals, practices and reinforcement mechanisms that embed risk into an organization’s decision-making processes and risk management into its operations. However, risk culture is an enigma in many organizations. We agree it is important when someone asserts its significance – even though we may not be sure exactly what it is or what to do about it if it requires improvement. This issue of Board Perspectives: Risk Oversight looks at how the use of self-assessment techniques, internal surveys, focus groups and other methods can help an organization understand its current risk culture state.
Supply Chain Risk Questionnaire
The appropriate risk assessment approach applied to operational risks suggests the need for an end-to-end, extended enterprise view of the value chain, looking upstream to supplier relationships as well as downstream to channels. This document offers several questions to consider when evaluating supply chain risk.
Survey Results Provide Baseline for Board Risk Oversight
In 2010, Protiviti conducted a survey of more than 200 directors regarding the current state of board risk oversight. Sponsored by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), this survey provides insight as to how the risk oversight process could be improved. In assessing the overall results of the survey, we found there are mixed signals about the effectiveness of board risk oversight across organizations. While some directors believe their boards are performing risk oversight responsibilities diligently and achieving a high level of effectiveness, a strong majority indicate that their boards are not formally executing mature and robust risk oversight processes. This issue of Board Perspectives: Risk Oversight summarizes the results of this comprehensive survey.
Team Member Resources Audit Report
This audit report discusses the resources allocated to an organization by level of team member, including components such as timekeeping, team member files, hiring process, and action items to improve each component reviewed.
Ten Common Risk Management Failures and How to Avoid Them
In this issue of The Bulletin, we explore 10 common risk management mistakes and how they can be avoided.
Ten Lessons in Integrating Risk Management with Strategy
In recent years, much has been learned about the importance of integrating risk into strategy-setting. This integration theme is vital because if it is ignored, risk becomes an afterthought to strategy and an appendage to performance management. Aligning governance, risk management and internal control processes toward striking the appropriate balance is crucial. In this issue of The Bulletin, we share 10 lessons for executives and directors to keep in mind when integrating risk into the process of formulating and executing strategy. Every organization and industry is different, so there is no one-size-fits-all approach in terms of applying these lessons for integrating risk with strategy. However, they provide insights to executive management responsible for an organization’s strategic thinking and execution processes and to directors when providing strategic and risk oversight.
Ten Principles for Risk Oversight Revisited
While risk oversight has always been an important part of the board’s agenda, the disruptive financial crisis taught everyone a lesson about just how important it is. The risk oversight playbook has evolved over recent years. This issue of Board Perspectives: Risk Oversight revisits 10 timeless principles that boards can use to evaluate their risk oversight process as it stands today. Directors should use these 10 principles to assess their board’s risk oversight process to ascertain whether the process needs redirection.
Ten Questions the Board Should Ask
Rising shareholder activism is driving increased expectations for governance oversight, including risk oversight. The speed and complexity of business continue to increase, and technological advances continue to accelerate. Regulatory demands continue to expand, and workforce dynamics continue to evolve. All of these trends drive new risks, alter risk profiles and expose business models to disruptive change. Given the dynamic environment, each board should take a fresh look at its risk oversight agenda. In this issue of Board Perspectives: Risk Oversight, we review 10 key questions for boards to consider as they plan their 2012 risk oversight agendas.
Ten Risk Oversight Principles
This issue of Board Perspectives: Risk Oversight provides an overview of 10 key principles that will assist boards in strengthening their risk oversight.
Ten Ways Risk Oversight Can Fail
Risk oversight is a top-of-mind issue for boards today because of the dramatic failures associated with the financial crisis, and the unanswered questions around what directors might have done to thwart it. Many believe directors in the financial services industry, for example, must do more to avoid another crisis. Has the board of directors articulated its risk oversight objectives and evaluated the effectiveness of its risk oversight processes in achieving these objectives? This issue of Board Perspectives: Risk Oversight reviews 10 causes that can contribute to failure of the board’s risk oversight process.
The Changing Corporate Governance Landscape and Its Implications – Questionnaire
Corporate governance requirements established by The Sarbanes-Oxley Act have permanently mandated executive certification of public reports for all registrants. In this environment, companies are feeling greater pressures to take further actions. This questionnaire focuses on what boards and management should do as they work to improve corporate governance.
The Current State of Board Risk Oversight
To develop deeper knowledge of the risk oversight process, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned Protiviti to conduct a survey regarding the risk oversight responsibilities of the board of directors and how those responsibilities are being performed. This issue of The Bulletin highlights the findings and recommendations of that survey.
Enterprise Risk Assessment Process Questionnaire
This questionnaire addresses key issues that boards and management should consider as they evaluate their confidence in the organization’s enterprise risk assessment process.
The Enterprise Risk Assessment Process
An enterprise risk assessment (ERA) is a systematic and forward-looking analysis of the impact and likelihood of potential future events on the achievement of an organization’s business objectives within a stated time horizon. An effective enterprise risk assessment process lays the foundation for management to respond with confidence to the question, “What are our most critical risks?” It also instills confidence in the board of directors that management has a basis for answering the question. In this issue of Board Perspectives: Risk Oversight, we take a deep dive into the key considerations to take when engaging in the enterprise risk assessment process.
The Evolving Risk Landscape
The business environment continues to change and with it the risk landscape that companies face. In early 2011, the World Economic Forum (WEF) published its update on Global Risks. The report’s objective is to improve public and private sector efforts to map, monitor and manage global risks, all of which cross national boundaries. WEF organizes some 50 risks in five categories: economic, environmental, geopolitical, societal and technological. Presented as five separate landscapes mapping risks based on severity of impact and likelihood of occurrence over the next 10 years, the report examined in this issue of Board Perspectives: Risk Oversight provides a useful longer-term view.
The Expanded Responsibilities of the Audit Committee: A New Mandate
This issue of The Bulletin explores the new requirements of audit committees and their implications, and suggests six keys to an effectively functioning audit committee.
The Financial Reporting Risk Profile: Getting Ahead of the Curve
In this issue of The Bulletin, we address the process of understanding and continuously evaluating an organization’s financial reporting risk profile (FRRP), and why this process is important to senior management and the board of directors.
The Five Lines of Defense: A Shareholder’s Perspective
It goes without saying that organizations exist to create enterprise value. As the board of directors focuses its attention on risk oversight, there are many questions to consider, including how the organization safeguards against breakdowns in risk management and compliance management. When executive management ignores warning signs posted by the risk management function, fails to address critical compliance requirements when considering a new product or service, or resists contrarian information suggesting the corporate strategy is not working, the board must step up. In this issue of Board Perspectives: Risk Oversight, we look at how an effectively designed and implemented lines-of-defense framework can provide strong safeguards against these breakdowns.
The Future Auditor: The Chief Audit Executive’s Endgame
According to The Institute of Internal Auditors (IIA), “internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” This definition of internal auditing captures a vision concerning the endgame to which a chief audit executive (CAE) should aspire. The term "future auditor" describes a CAE who takes definitive steps toward making this vision a reality within the organization he or she serves. It’s up to progressive chief audit executives to take the lead and show the way to reach the profession’s full potential as a discipline. This issue of The Bulletin provides observations regarding our view of the future auditor and its implications for internal audit’s value proposition. We also suggest 12 ways the future auditor can contribute value to his or her organization.
The Importance of Tone at the Top to Risk Management
This issue of Board Perspectives: Risk Oversight reviews 10 key indicators that collectively provide red flags that potential issues may exist within an organization.
The Most Important Risks for 2014
Changing markets and circumstances are spawning new risks, altering risk profiles and reducing the effectiveness of established risk management capabilities. The profile of macroeconomic, strategic and operational risks continues to evolve in terms of significance and complexity for many organizations. As companies compete in the global business environment, these risks create uncertainty for their executive management and boards of directors. This issue of Board Perspectives: Risk Oversight summarizes the major business challenges identified by nearly 400 C-level executive respondents in a Protiviti and North Carolina State University ERM Initiative survey, and provides a context for many of the top-of-mind risks and uncertainties companies are facing as they move forward into 2014.
The Most Important Risks for 2015
Protiviti partnered with North Carolina State University’s Enterprise Risk Management (ERM) Initiative to conduct our third annual Executive Perspectives on Top Risks Survey of C-level executives regarding the macroeconomic, strategic and operational risks their organizations face. In this issue of Board Perspectives: Risk Oversight, we outline the top 10 risks for 2015, which reflect some marked differences compared to 2014. We also provide insight as to what’s on the minds of senior executives and directors. The board of directors may want to consider these risks in evaluating its risk oversight focus for the year.
The Most Important Risks for 2016
This issue of Board Perspectives summarizes the top risks for 2016 as identified by North Carolina State University’s ERM Initiative and Protiviti’s latest survey of C-level executives and directors regarding the macroeconomic, strategic and operational risks their organizations face.
The Risk Appetite Dialogue
Risk appetite is the mutual understanding between management and the board of directors regarding the drivers of, and parameters around, opportunity-seeking behavior. It is a high-level view of how much performance variability the entity is willing to accept. Risk oversight begins with understanding the risk appetite; successful organizations must take risk to create value. The question is, how much risk should they take? This issue of Board Perspectives: Risk Oversight defines risk appetite and reviews ways in which the board and management should discuss it on an ongoing basis.
The Role of Personal Accountability in the New Environment
This issue of The Bulletin outlines seven key principles that provide a framework for establishing and reinforcing the personal accountability of management and the board of directors. Application of these principles will create a healthy tension within the organization and facilitate communication between management and the board.
The Self-Assessment Process: Management’s Tool for Reinforcing Process Owner Accountability
In this issue of The Bulletin, we discuss the self-assessment process and how one can be implemented to reinforce process owner accountability, or if one is already in place, how to improve it.
The Board’s Role in Overseeing Acquisitions
As companies spend more than $2 trillion every year on acquisitions, many studies peg the rate of failure of these transactions in fulfilling expectations somewhere between 70 and 90 percent. Such performance is unacceptable in just about any endeavor. However, over time, old lessons in mergers and acquisitions (M&A) failures continue to be relearned by many companies. The question arises as to the board of directors’ risk oversight role in overseeing the process of screening, selecting and pursuing M&A candidates, closing M&A transactions, and integrating merged and acquired entities, with emphasis on reducing risk in M&A activity. This issue of Board Perspectives: Risk Oversight analyzes the board's risk oversight role from an acquiring company's perspective.
To Manage Disruption, Understand Strategic Assumptions
When it comes to managing the risk of disruption to the business model, what executive management and the board of directors don’t know can harm the organization. A recent study determined that strategic risks showed the largest year-over-year increase for 2014, compared to macroeconomic and operational risks. Risks are strategic when they could potentially affect the validity of an organization’s plans to pursue growth opportunities. In this issue of Board Perspectives: Risk Oversight, we discuss why management should identify and consider the key assumptions underlying the drivers that shape the organization’s strategy. Similarly, the board should review and constructively challenge those assumptions when evaluating the strategy.
Top Priorities for Internal Audit in a Changing Environment
In response to new challenges, changes and expectations within the business environment, internal audit (IA) has emerged as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Effective IA functions help organizations accomplish their business objectives by bringing a disciplined approach to evaluating and improving the effectiveness of governance, risk management and control processes. In this booklet, drawing from The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing and experience with leading internal audit functions, Protiviti recommends 10 strategic priorities for every public and private organization to employ in its IA function.
Vice President, Chief Compliance Officer (CCO) Job Description
This job description outlines the specific duties and responsibilities of the chief compliance officer.
Vice President, Corporate Audit Job Description
This position is responsible for developing the internal audit department with involvement in the financial, operational and IT areas of all of a company’s operating divisions.
Vice President, Internal Audit Job Description
This job description outlines the role and responsibilities of the vice president of internal audit.
Vice President, Internal Audit/Chief Audit Executive Job Description
This job description outlines the responsibilities, qualifications and experience for the vice president, internal audit/chief audit executive position.
When Insolvency Issues Arise
Independent directors are charged with protecting the interests of the organization and its shareholders by providing appropriate oversight and making objective decisions. When the organization is in financial distress, a whole new set of issues arises; experienced independent directors can provide a fresh, unbiased perspective on corporate issues. In circumstances involving matters of insolvency or potential insolvency, independent directors should be mindful of the issues involved. In this issue of Board Perspectives: Risk Oversight, we focus on personal liability risks and responsibilities for independent directors in times of financial distress.
Whistleblower Policy and Procedures
This policy establishes standards and procedures to ensure that the accounting and audit-related complaint handling process complies with management’s and the audit committee’s objectives.