More Perspectives on Audit Committees and ERM

BY ARNOLD H. SCHANFIELD AND DAN HELMING

We are offering additional commentary on the article titled “Rising Expectations: Audit Committee Oversight of Enterprise Risk Management ” (April 08, page 44). I am an internal audit director and part-time NYU faculty member running an ERM consulting business in New Jersey, together with another practitioner and colleague in New York.

On the topic of risk silos, two related concepts are available to help ensure that the risk silos can be eliminated, because without elimination as a goal, the company will never have an effective ERM model. The first concept is control self-assessment (CSA). CSA is well-known but perhaps not so widely practiced. CSA is a recognized rigorous method of identifying business risks in a group, like using a facilitator, voting technology, etc. Second, we believe quite strongly that each manager’s performance management plan needs to include criteria for specific ERM metric goals. With ERM metrics established as goals upon which their performance, compensation and incentive will be measured, this will provide the incentive to “stay the course regarding ERM.”

On page 48, the discussion of probability and impact: once the risks are ranked, but prior to a risk response, the company needs to compare these rankings to the stated risk tolerance, which should have been previously established at the executive management level of the company. It is important to initially measure how much risk exists and then compare this measurement to what the board is willing to live with. It is not appropriate to embark on a risk treatment plan until this important step has been taken, since each risk treatment decision has costs vs. benefits associated with it.

Though the article focuses mostly on the COSO ERM Framework, the authors do refer briefly to the Australian/New Zealand Standard 4360. We do not want to diminish the importance of the landmark COSO ERM document. We just believe that the Australian framework is far easier to implement.

On page 51, Exhibit 5 provides an example of defining risk probability and impact assessments. We would add that after the risks have been identified, it is time to assess/evaluate them. Part of this assessment/evaluation comprises quantifying the risks, which can be done qualitatively, semi-quantitatively or quantitatively. Qualitative “quantification” is an easier-to-use method and is better known by the terms “nominal” and “ordinal” measurement. What the authors have presented in Exhibit 5 is a form of ordinal measurement, where narrative terms are used to describe the likelihood and the severity. These ratings will be used to evaluate each risk. It is the simplest form of risk quantification. Many organizations are moving towards more sophisticated methods if their business justifies it.

Arnold H. Schanfield, CPA,
and Dan Helming, CPA
Fort Lee, N.J.

Give Us Your Feedback

The JofA encourages readers to write letters commenting on the magazine’s content. Letters should be no longer than 500 words and may be edited for length and clarity. Please include your telephone number, city and state of residence and e-mail address.

E-mail: joaed@aicpa.org • Fax: 919-419-5241

Mail: Letters to the Editor, Journal of Accountancy, AICPA
220 Leigh Farm Road, Durham, NC 27707-8110.
