FFIRS 07/02/2011 10:22:33 Page2

COSO Enterprise Risk Management

COSO Enterprise Risk Management
Establishing Effective Governance, Risk, and Compliance Processes

Second Edition

ROBERT R. MOELLER

John Wiley & Sons, Inc.

Copyright © 2007, 2011 by John Wiley & Sons, Inc. All rights reserved.
First edition 2007
Second edition 2011

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

"PMI" and "PMBOK" are registered marks for the Project Management Institute, Inc.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Moeller, Robert R.
  COSO enterprise risk management: establishing effective governance, risk, and compliance processes / Robert R. Moeller. — 2nd ed.
    p. cm. — (Wiley corporate F&A; 560)
  Includes index.
  ISBN 978-0-470-91288-1 (hardback); ISBN 978-1-118-10252-7 (ebk); ISBN 978-1-118-10253-4 (ebk); ISBN 978-1-118-10254-1 (ebk)
  1. Risk management. I. Title.
  HD61.M568 2011
  658.1505—dc22
  2011012021

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

To my wife and very best friend, Lois Moeller

FTOC 06/07/2011 11:36:42 Page7

Contents

Preface  xi

Chapter 1: Introduction: Enterprise Risk Management Today  1
  The COSO Internal Controls Framework: How Did We Get Here?  2
  The COSO Internal Controls Framework  3
  COSO Internal Controls: The Principal Recognized Internal Controls Standard  14
  An Introduction to COSO ERM  14
  Governance, Risk, and Compliance  15
  Global Computer Products: Our Example Company  16

Chapter 2: Importance of Governance, Risk, and Compliance Principles  21
  Road to Effective GRC Principles  22
  Importance of GRC Governance  23
  Risk Management Component of GRC  25
  GRC and Enterprise Compliance  26
  Importance of Effective GRC Practices and Principles  28

Chapter 3: Risk Management Fundamentals  31
  Fundamentals: Risk Management Phases  32
  Other Risk Assessment Techniques  45

Chapter 4: COSO ERM Framework  51
  ERM Definitions and Objectives: A Portfolio View of Risk  51
  COSO ERM Framework Model  55
  Other Dimensions of the ERM Framework  86

Chapter 5: Implementing ERM in the Enterprise  89
  Roles and Responsibilities of an Enterprise Risk Management Function  90
  Risk Management Policies, Standards, and Strategies  100
  Business, IT, and Risk Transfer Processes  105
  Risk Management Reviews and Corrective Action Practices  108
  ERM Communications Approaches  112
  CRO and an Effective Enterprise Risk Management Function  113

Chapter 6: Importance of Strong Enterprise Governance Practices  115
  History and Background of Enterprise Governance: A U.S. Perspective  116
  Enterprise Integrity and Ethical Behavior  119
  Disclosure and Transparency  125
  Rights and Equitable Treatment of Shareholders and Key Stakeholders  126
  Governance Role and Responsibilities of the Board  128
  Governance as a Key Element of GRC  128

Chapter 7: Enterprise Compliance Issues Today  131
  Compliance Issues Today  132
  Establish a Compliance Assessment Team  133
  Compliance Risk Assessments and Compliance Program Reviews  136
  Work Unit–Level Compliance Tracking and Review Processes  138
  Compliance-Related Procedures and Staff Education Programs  141
  Enterprise Hotline Compliance and Whistleblower Support  142
  Assessing the Overall Enterprise Compliance Program  144

Chapter 8: Integrating ERM with COSO Internal Controls  147
  COSO Internal Controls Background and Earlier Legislation  147
  Efforts Leading to the Treadway Commission  151
  COSO Internal Controls Framework  156
  COSO Internal Controls and COSO ERM: Compared  174

Chapter 9: Sarbanes-Oxley and Enterprise Risk Management Concerns  177
  Sarbanes-Oxley Act Background  177
  SOx Legislation Overview  179
  Enterprise Risk Management and SOx Section 404 Reviews  193
  Internal Controls Reporting and Materiality  198
  PCAOB Risk-Based Auditing Standards  199
  Sarbanes-Oxley: The Other Sections  200
  SOx and COSO ERM  201

Chapter 10: Corporate Culture and Risk Portfolio Management  203
  Whistleblower and Hotline Functions  204
  Risk Portfolio Management  208
  Integrated Enterprise-Wide Risk Management  211

Chapter 11: OCEG Capability Model GRC Standards  215
  GRC Capability Model "Red Book"  215
  Other OCEG Materials: The "Burgundy Book"  223
  Level and Scope of the OCEG Standards-Setting Authority  224