
Report Date: (Insert Date)

Distribution:
• Person H, Chief Risk Officer
• Person I, Executive Director of Enterprise Risk Management

Distribution CC:
• Person J
• Person K
• Person L
• Person M
• Person N
• Person O
• Person P
• Person Q
• Person R
• Person S
• Person T
• Person U – Company C

Audited By:
• Person A, Senior Consultant
• Person B, Manager
• Person C, Director
• Person D, Director

Reviewed By:
• Person E, Manager
• Person F, Director
• Person G, Internal Audit Director

Source: www.knowledgeleader.com
INTRODUCTION AND OVERVIEW

The enterprise risk management (ERM) process is in place to establish the oversight, control and discipline to
drive continuous improvement of the entity’s risk management capabilities in a changing operating environment.
The objective of implementing ERM is to provide reasonable assurance to an entity’s management and board that
the entity’s business objectives are achieved while operating within the board’s risk appetite. ERM is tasked with
identifying, measuring, monitoring and reporting risks which significantly challenge management’s ability to
achieve its objectives. The implementation of a successful ERM process at Company A relies heavily on the
acceptance and support of Company A’s executive management.

Management is building an ERM program consistent with the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) ERM framework. The COSO ERM framework encompasses:
• Aligning risk and strategy
• Defining risk response decisions
• Identifying potential events that, if they occur, will affect the entity, and managing risk within its appetite
• Identifying and managing multiple and cross-enterprise risks
• Seizing opportunities
• Improving deployment of capital

During 20XY, Company A management significantly restructured the ERM program’s methodology and direction.
An ERM policy has been adopted; however, the full ERM implementation is not projected to be completed for at
least two to three years across all subsidiaries. Company A's ERM process is divided into four legal entities:
• Bank A
• Lending A
• Corporation A
• Company A Securities Holdings

The four legal entities are in various stages of ERM maturity with Bank A being the most mature as of Sept. 30,
20XY. A Company A executive risk committee is in place that includes all the subsidiary CEOs and key members
of executive management. In addition, Company A management established subsidiary level risk committees to
guide and facilitate the implementation of the ERM program throughout the organization. Each committee is
governed by a charter, chaired by a senior ERM representative, and meets from four to 12 times annually. A risk
assessment program is in place to identify and document key business objectives, rate critical risks challenging
those objectives and evaluate controls mitigating those risks. In addition, a Key Risk Threshold (“KRT”) program is
in place to actively monitor quantitative risk indicators. Both the risk assessment and KRT programs are being
implemented in phases across the four subsidiaries, which are expected to take two to three years for full
maturity.

AUDIT OBJECTIVES AND SCOPE

The audit scope included a review of key policies and procedures and the evaluation of design effectiveness of
key controls for the following ERM scope from Oct. 1, 20XZ to Sept. 30, 20XY. Specific process and control areas
reviewed in this audit included:

Area 1 – Business Strategies and Risk Appetite


• Frameworks & Guidelines
• Risk Tolerances, Limits and Thresholds
• Risk Incorporation into Strategic Planning Process and Strategy Documentation

Area 2 – Policies & Practices
• Material Risk Policies and Procedures

Area 3 – Governance and Oversight


• Risk Management Organizational Model (Three Lines of Defense)
• Resource Allocation Plan
• Risk Management Committee Structures
• Charters/Mandates, Membership, Accountabilities, Self-Assessments and Risk Ownership
• Board and Management Oversight
• Roles and Responsibilities

Area 4 – Risk Management & Monitoring


• Risk Identification
• Risk Measurement
• Risk Reporting
• Risk Management Actions

Area 5 – Risk Culture


• Risk Training and Communication Plans
• Compensation and Performance Reviews/Goal Setting

EXECUTIVE SUMMARY

The internal controls and operations are unsatisfactory for the heightened expectations for a bank holding
company with over $10 billion in assets. Although there is a plan and timeline to improve ERM controls, the
existing ERM controls evaluated during this audit were not adequate, appropriate or effective to provide
reasonable assurance that risks are being managed within acceptable tolerances and objectives are being met.
Overall, this is due to the relative immaturity of the ERM program in its current state, which has resulted in many
controls being in an implementation phase instead of fully functional. While management appears to have a vision
of an adequately established ERM program, significant resources and support are required to complete
implementation.

AUDIT RESULTS

The risks and controls included below are consistent with those noted in the COSO ERM Framework. Risk
mitigation should be accomplished through design and implementation of the noted controls via an effective ERM
program.

Results table columns: Risk | Management Assessed Inherent Risk Level | Management Control Procedures (controls
marked "Recommended Control" are still in the implementation process) | IA Control Evaluation/Test Results

(R-ERM-01) Oversight and reporting lines over the ERM processes are not appropriate or are inadequate, resulting
in a lack of communication and ineffective risk management.
Inherent Risk Level: Medium
Management Control Procedures:
• (C-ERM-01) Risk management has established ERM policies which are reviewed/approved annually by the risk
committees to help ensure the strategic vision of the ERM department (CRO) aligns with the risk committee.
Control is evidenced by ERM policy approved annually.
• (C-ERM-04) As needed, risk management has established ERM procedures which are reviewed/approved annually
by the CRO to help ensure the strategic vision of the ERM department (CRO) aligns with the risk committee.
Control is evidenced by ERM procedures approved annually.
IA Evaluation/Test Results: Partially Effective (see Finding 1)

(R-ERM-02) Lack of communication between executive stakeholders and the CRO causes the risk appetite statements
to misalign with the strategic plan and business objectives, resulting in the inability of the risk function to
properly execute on its objectives.
Inherent Risk Level: Medium
Management Control Procedures:
• (C-ERM-02) Annually, the Company A risk committee reviews and approves the risk appetite statements for each
subsidiary and the consolidated risk appetite to help ensure that they are aligned with the strategic goals of
the organization. Control is evidenced by Company A risk committee meeting minutes.
• (C-ERM-07) Annually, the CRO reviews the strategic plan and the risk appetite statement for the consolidated
organization to help ensure that the risk appetite aligns with the strategic plan. Control is evidenced by risk
committee materials and meeting minutes of the CRO presentation to the risk committee.
IA Evaluation/Test Results: Ineffective (see Finding 2)

(R-ERM-03) The risk appetite statements are not accurate or complete, or do not include the appropriate
information in line with regulatory guidance, which could result in mismatched objectives and potential losses to
the company.
Inherent Risk Level: High
Management Control Procedures:
• (C-ERM-02) Annual risk committee review and approval of the subsidiary and consolidated risk appetite
statements, as described under R-ERM-02.
• (C-ERM-07) Annual CRO review of the strategic plan against the consolidated risk appetite statement, as
described under R-ERM-02.
IA Evaluation/Test Results: Ineffective (see Finding 2)

(R-ERM-04) As new products and services are introduced, management fails to update risk definitions and risk
tolerances, resulting in ineffective risk management and adverse overall performance.
Inherent Risk Level: Medium
Management Control Procedures:
• (C-ERM-03) As needed, the Company A risk committee reviews and approves subsidiary risk committee charters to
help ensure the charters are adequate to monitor and assess risks and respond as needed to changes to the risk
profile of the company, and that an effective governance structure is in place to clarify risk management roles
and responsibilities. Control is evidenced by Company A risk committee meeting minutes.
IA Evaluation/Test Results: Ineffective (see Finding 1)

(R-ERM-05) The risk committees do not have defined roles, responsibilities and authority to govern risks,
resulting in adverse overall performance.
Inherent Risk Level: Medium
Management Control Procedures:
• (C-ERM-03) Risk committee review and approval of subsidiary risk committee charters, as described under
R-ERM-04.
• (C-ERM-01) Annual review/approval of ERM policies by the risk committees, as described under R-ERM-01.
IA Evaluation/Test Results: Partially Effective (see Finding 1)

(R-ERM-06) The risk committee charters do not align with the company's risk profile and strategic objectives,
which could result in adverse overall performance.
Inherent Risk Level: Medium
Management Control Procedures:
• (C-ERM-03) Risk committee review and approval of subsidiary risk committee charters, as described under
R-ERM-04.
IA Evaluation/Test Results: Ineffective (see Finding 1)

(R-ERM-07) Untimely or inadequate ERM program implementation, resulting in inefficiencies with resource
management and noncompliance with laws and regulations.
Inherent Risk Level: High
Management Control Procedures:
• (C-ERM-05) Annually, the Company A risk committee reviews the ERM implementation status project document to
help ensure ERM implementation is being monitored and tracked periodically and implementation is completed over
management's intended time frame. Control is evidenced by Company A risk committee meeting minutes.
IA Evaluation/Test Results: Ineffective (see Finding 3)

(R-ERM-08) Inaccurate, incomplete or untimely progress reporting of the established risk metrics, which could
result in adverse overall performance and losses to the company.
Inherent Risk Level: High
Management Control Procedures:
• (C-ERM-06) Quarterly, the subsidiary risk committees review the level one and level two key risk threshold
dashboard report to help ensure the risk metrics are accurate, complete and reported timely. Control is
evidenced in the risk committee minutes.
IA Evaluation/Test Results: Ineffective (see Finding 1)

(R-ERM-09) Insufficient resources and staffing of the ERM department, resulting in the inability to efficiently
accomplish stated objectives.
Inherent Risk Level: High
Management Control Procedures:
• (C-ERM-05) Annual risk committee review of the ERM implementation status project document, as described under
R-ERM-07.
IA Evaluation/Test Results: Ineffective (see Finding 3)

(R-ERM-10) ERM training is inadequate and does not reflect current regulations and best practices, resulting in
ineffective risk management and non-compliance with laws and regulations.
Inherent Risk Level: Medium
Management Control Procedures:
• (C-ERM-08) Recommended Control: Annually, the CRO reviews the training needs assessment to help ensure ERM
training aligns with company objectives and regulations. Control is evidenced by review and approval evidence
from the CRO.
IA Evaluation/Test Results: Ineffective (see Finding 4)

(R-ERM-11) New or updated regulatory and legal requirements (state or federal) affecting ERM are not identified
and addressed timely, resulting in noncompliance and increased regulatory criticism.
Inherent Risk Level: Medium
Management Control Procedures:
• (C-ERM-01) Annual review/approval of ERM policies by the risk committees, as described under R-ERM-01.
IA Evaluation/Test Results: Effective

(R-ERM-12) Unacceptable levels of risk continue to exist without being addressed across the lines of business,
resulting in adverse overall performance and potential losses to the company.
Inherent Risk Level: High
Management Control Procedures:
• (C-ERM-10) Company A has established policies and procedures which are reviewed annually to help ensure that if
a risk category exists outside its threshold, management will enforce a treatment plan documenting why it is
above the threshold and a strategy for why it is accepted, as well as an explanation of mitigating factors.
Control is evidenced by subsidiary risk committee meeting minutes.
IA Evaluation/Test Results: Ineffective (see Finding 1)

(R-ERM-13) Inappropriate, untimely or incomplete treatment of key risk threshold breaches, resulting in adverse
overall performance and potential losses to the company.
Inherent Risk Level: Medium
Management Control Procedures:
• (C-ERM-10) Policies and procedures requiring a documented treatment plan for any risk category outside its
threshold, as described under R-ERM-12.
• (C-ERM-11) As needed, the subsidiary risk committees review updates to key risk thresholds to help ensure the
key risk thresholds are appropriate. Control is evidenced by subsidiary risk committee meeting minutes.
IA Evaluation/Test Results: Ineffective (see Finding 1 and Finding 5)

(R-ERM-14) Current business practices result in risks that exceed the acceptable risk defined in the risk
appetite statement, which could result in poor business decision making and the business not aligning with the
strategic plan.
Inherent Risk Level: Medium
Management Control Procedures:
• (C-ERM-06) Quarterly subsidiary risk committee review of the level one and level two key risk threshold
dashboard report, as described under R-ERM-08.
IA Evaluation/Test Results: Ineffective (see Finding 1)

AUDIT ISSUES AND MANAGEMENT ACTION PLANS

See below for the details for all issues identified during the audit and management’s corrective action plans.

Finding 1: Written procedures have not been established to adequately support the periodic and ad hoc
reporting to the board and management. (High Priority)

Risk Category: Operational – Execution, Delivery and Process Management – Monitoring and Reporting

Formal ERM reporting procedures do not exist to support timely and complete reporting to the board and
management of a) escalation of key risk indicator/threshold breaches, and b) operational loss monitoring results.
Lack of documented ERM reporting procedures may result in failure to consistently and promptly notify the board
and management of trends in key risk events, which could increase the negative impact on the operations and
regulatory compliance of the enterprise.

While the board and management have established a policy for governing ERM at the Company A Holdings
enterprise level and a documented ERM framework and methodology, internal audit noted written procedures
have not been established to adequately support the periodic and ad hoc reporting to the board and management
of:
• The results of the enterprise risk assessment
• New and emerging risks identified throughout the year
• Significant risk management deficiencies
• The level and trends of key risk indicators/thresholds, including operational loss monitoring results
• The escalation of breaches of key risk indicators/thresholds

Recommendation
The ERM management team should establish formal written procedures to support the timely and complete periodic
and ad hoc reporting to the board and management of:
• The results of the enterprise risk assessment
• New and emerging risks identified throughout the year
• Significant risk management deficiencies
• The level and trends of key risk indicators/thresholds, including operational loss monitoring results
• The escalation of breaches of key risk indicators/thresholds

Management Response
Management agrees with the recommendations and will be supplementing newly developed ERM policies and
processes with formal procedures as the function matures. Written procedures will be developed and approved
(EDERM/CRO) by June 30, 20XX. Formalizing written procedures is an ongoing effort, and we will continue to
update procedures as needed.

Finding 2: The Company A risk committee, as delegated by the board, has not formally approved a risk
appetite statement. (High Priority)

Risk Category: Operational – Execution, Delivery and Process Management – Monitoring and Reporting

Management did not have a risk appetite statement formally approved by the Company A risk committee (as delegated
by the board); however, preliminary risk appetite statements have been developed for all of the subsidiaries and
for the consolidated roll-up. Lack of a formal and clearly articulated risk appetite statement can result in
management not having clear direction on the appropriate level of risk to accept and avoid in its daily and
strategic activities. This could negatively impact the operations and regulatory compliance of the enterprise.

Recommendation
The risk committee should approve a formal risk appetite statement that can be measured against the strategic
risks and objectives of the enterprise. An effective risk appetite statement should:
• Have strong linkages to corporate goals and strategic business objectives
• Clearly establish the type and amount of risk the enterprise is prepared to accept in pursuit of its corporate
goals and strategic business objectives
• Express the maximum level of risk the organization is willing to operate within under normal and stressed
conditions
• Include qualitative and quantitative statements that articulate the motivations for taking on or avoiding certain
types of risk, and include a reasonable number of appropriately selected risk metrics
• Be supported by appropriate levels of controls and stress tests
• Allow the organization to view its desired risk profile under a variety of future-state scenarios

Management Response
We agree with the recommendations. To date, we have finalized risk appetite statements for all Company A
subsidiaries and have formalized a consolidated statement for the parent. All draft statements will be presented,
reviewed and approved by the Company A risk committee at the next committee meeting (February 20XX). We
will ensure that other elements of the ERM function, such as stress testing, support risk ratings and the strategic
planning process.

Finding 3: While management did have an implementation plan to monitor the development of the ERM
risk & control matrices, there was not an implementation plan to track the progress of ERM
implementation within the department and to monitor specific action item dates and milestones related to
the:
• Development of key risk thresholds
• Roll-out of the eGRC tool BWise
• Other relevant project tasks and milestones

(High Priority)

Risk Category: Operational – Execution, Delivery and Process Management – Monitoring and Reporting

Lack of a complete and adequate ERM implementation plan addressing key aspects of the ERM function may
result in the ERM implementation date being pushed out without any clear accountability to missed project
deadlines. The Federal Reserve expects implementation of key aspects of the ERM function at Company A by the
end of 20XX; therefore, a defined implementation plan for those key aspects should be defined and management
should be accountable to the plan.

Recommendation

Management should enhance its existing ERM implementation plan to monitor specific action item dates and
milestones related to the:
• Development of key risk thresholds
• Roll-out of the eGRC tool BWise
• Other relevant project tasks and milestones deemed important by the risk committee

Reports tracking progress against the implementation plan should be provided to the risk committee periodically.

Management Response
ERM leadership (CRO/EDERM) will review current initiatives to determine which are critical enough to require
detailed planning efforts. Once identified, these initiatives will require timelines, action dates and metrics where
applicable to measure progress going forward. A formal plan to complete critical initiatives will be developed and
approved by the (CRO/EDERM) by the end of 20XX.

Finding 4: The company did not have formalized roles and responsibilities clearly defined within the ERM
department. In addition, the company has not conducted an assessment of resource capabilities versus
what is needed to meet its department objectives and timelines for ERM implementation or established
professional development (training) standards to support the achievement of ERM implementation and
ongoing department objectives. (Medium Priority)

Risk Category: Operational – Execution, Delivery and Process Management – Transaction Capture, Execution
and Maintenance

Through inquiry and review of evidence obtained from ERM personnel, we noted:
• There are no formal job descriptions for key personnel within the ERM department
• The ERM department does not have a formal and periodic gap assessment of current skills and capabilities of
ERM personnel or a corresponding training plan to close those gaps

Knowledgeable and capable risk professionals are a key component of an ERM function. A mature ERM function
should have clearly defined roles and responsibilities for the individuals within its department to ensure their
skills and capabilities are sufficient to meet the goals of the ERM function. Lack of formal job descriptions
and ongoing skills assessment and training may lead to ineffective execution of Company A's ERM program.

Recommendation
• Management should create formal job descriptions for all key personnel within the ERM department
• Management should assess current skills and capabilities and offer risk management-related training to close
any gaps among ERM department personnel, so that the department is kept well informed of the latest risk
management industry trends/standards and applicable laws and regulations

Developing and assessing the items above will allow management to adequately align job responsibilities with the
objectives of the department and ensure ERM personnel develop the necessary skills and capabilities to
implement and execute an effective ERM function.

Management Response
We concur with the recommendation and are finalizing an ERM organizational chart that will encompass all risk
functions including ERM, model risk management and stress testing. Once finalized, formal job descriptions, titles
and responsibilities will be drafted and incorporated into the Company A HR system. As part of this effort, a skill
set gap analysis will be completed along with an assessment of personnel needs. We anticipate completing this
effort by the end of 20XX.

Finding 5: While ERM management (“Second line of Defense”) did have an approved listing of key risk
thresholds (“KRTs”) to actively monitor risks, it lacked an independent understanding of the metrics and
a monitoring function of how the “First line of Defense” computed the KRT analytics. Therefore, ERM
management was unable to independently verify the completeness and accuracy of KRT analytics, prior
to reporting to the board and management. (Low Priority)

Risk Category: Operational – Execution, Delivery and Process Management – Monitoring and Reporting

Through inquiry and review of evidence obtained from ERM personnel, we noted a lack of independent understanding
and monitoring of how the "First line of Defense" computes the KRT analytics. As a result, ERM management was
unable to independently verify the completeness and accuracy of KRT analytics prior to reporting them to the
board and management, and the ERM function is dependent on the "First line of Defense" for the KRTs it receives.
This impedes the independent monitoring capability of the ERM function and may result in incorrect or incomplete
reporting of significant risk events to the board and management, as well as potential non-compliance with laws
and regulations.

Recommendation
We recommend that the ERM department become more knowledgeable of the KRT computation methodology
used by the “First line of Defense” to allow the ERM department to independently verify the completeness and
accuracy of KRTs on their own and to better serve as an independent monitor of front line management.

Management Response
By the end of 20XX ERM will establish a maturity plan for its KRT program which will include working with the
business to understand the metric’s calculation, and to the extent possible monitor critical drivers of each metric.
Where applicable, ACL will allow ERM to extract leading indicator information, which supports the underlying
KRT, from subsidiary systems, and calculate various ratios and metrics independently from the business.

APPENDIX A
Internal Audit: Issue and Audit Ratings

Audit Rating Scale

Audit Rating | Description

Satisfactory: Controls evaluated are generally adequate, appropriate and effective to provide reasonable
assurance that risks are being managed within acceptable tolerances and objectives are being met. Some
enhancements may have been recommended and any control weaknesses noted are minor or limited in scope.

Needs Improvement: Numerous specific control weaknesses were noted. Controls evaluated are unlikely to provide
reasonable assurance that risks are being managed within acceptable tolerances and objectives are being met.

Unsatisfactory: Controls evaluated are not adequate, appropriate or effective to provide reasonable assurance
that risks are being managed within acceptable tolerances and objectives are being met.

Issue Ratings

Audit Issue Rating | Description

High Priority: Immediate management attention is required. This is a serious internal control or risk
management issue that if not mitigated, may, with a high degree of certainty, lead to:
• Substantial losses, possibly in conjunction with other weaknesses in the control
framework or the organizational entity or process being audited
• Serious violation of corporate strategies, policies or values
• Serious reputation damage, such as negative publicity in national or international
media
• Significant adverse regulatory impact, such as loss of operating licenses or material
fines

Medium Priority: Timely management attention is warranted. This is an internal control or risk
management issue that could lead to:
• Moderate financial losses
• Loss of controls within the organizational entity or process being audited
• Reputation damage, such as negative publicity in local or regional media
• Adverse regulatory impact, such as public sanctions or immaterial fines

Low Priority: Routine management attention is warranted. This is an internal control or risk
management issue, the solution to which may lead to improvement in the quality and/or
efficiency of the organizational entity or process being audited. Risks are limited.

Improvement Opportunity: Recommendation to improve effectiveness or efficiency of the internal control
environment.