
Your organization has implemented a robust ERM program similar to the one outlin


Question

Your organization has implemented a robust ERM program similar to the one outlined in this chapter. The audit committee has asked you to assess the design adequacy and operating effectiveness of the program. Because the audit committee members are familiar with COSO ERM, they would like you to assess the veracity of the ERM program relative to the eight components of ERM. Based on this request, develop a list of steps you would follow to test each of the ERM components. Include at least two work steps for each component.

Explanation / Answer

| S.No | COSO Framework component | Tests to be conducted |
|---|---|---|
| 1 | Internal environment | 1) Has the internal environment been taken into account while designing the ERM, such as the resolution of the management for implementation of the ERM? 2) Whether the Audit Charter of the company has been obtained and whether it sets the expectations from the internal control environment etc. |
| 2 | Objective setting | 1) Whether the objective for setting up the ERM was defined before implementation; this is to be ascertained by obtaining the specifications given for implementation of the ERM. 2) Whether the same has been taken care of at various stages of implementation; this is to be ascertained by obtaining the design of the control systems in place. |
| 3 | Event identification | 1) Whether event identification, i.e., both risks and opportunities, was defined at the time of implementation; this is to be ascertained by testing the response system for risk as well as opportunity. 2) In case of risk, whether the concerned people are being informed about the same. 3) In case it is an opportunity, whether the same is being brought to the attention of the relevant persons for assessing of the same. |
| 4 | Risk assessment | 1) Ascertain whether a risk assessment matrix is defined, like what are considered high risk, medium risk and low risk etc., and whether the factors considered for defining the intensity or degree of risk are in line with the industry or sector the company is operating in or not. 2) Whether such risk assessment logic is implemented into the ERM or not. |
| 5 | Risk response | 1) Whether the organization has a well-defined risk response system in place that is approved by the top management. 2) Whether the same has been obtained while defining the control systems in the ERM. 3) Test the risk response system by identifying the transactions of the organization and assessing whether the responses to such events are in line with the response system defined for the concerned risk or not. |
| 6 | Control activities | 1) Verify whether the control systems and control activities are in place for all the identified risks. 2) Pick up transactions that occurred during the year and assess the control systems and the relevant control activities by observing the flow of the transactions into the system and the consequent actions and reactions to it by the ERM. |
| 7 | Information and communication | 1) Whether the information that is entering into the system is in line with the design of the ERM. 2) Whether any reports that are to be generated are being generated and communicated to relevant persons. 3) Whether the information is entering into the system at the correct time at which it has to enter, and whether the reports that are being generated also carry the timely data that help the decision makers. |
| 8 | Monitoring | 1) Whether the ERM is being monitored for its effectiveness by way of periodic tests of the system. 2) Whether any changes that are required are identified and addressed as per the organization's policy for modification of the ERM, whether a proper log and documentation of such changes is being made, and, in case of modification to the ERM, whether the ERM is being checked for completeness of the effective working of the ERM and not in isolation of the system as a whole. |