Enterprise Risk Management Audit Report Final - Sample 2
Person N
Person O
Person T
Person U – Company C
Source: www.knowledgeleader.com
INTRODUCTION AND OVERVIEW
The enterprise risk management (ERM) process is in place to establish the oversight, control and discipline to
drive continuous improvement of the entity’s risk management capabilities in a changing operating environment.
The objective of implementing ERM is to provide reasonable assurance to an entity’s management and board that
the entity’s business objectives are achieved while operating within the board’s risk appetite. ERM is tasked with
identifying, measuring, monitoring and reporting risks which significantly challenge management’s ability to
achieve its objectives. The implementation of a successful ERM process at Company A relies heavily on the
acceptance and support of Company A’s executive management.
Management is building an ERM program consistent with the Committee of Sponsoring Organizations (COSO)
ERM framework. The COSO ERM framework encompasses:
• Aligning risk and strategy
• Defining risk response decisions
• Identifying potential events that, if they occur, will affect the entity, and managing risk within its appetite
• Identifying and managing multiple and cross enterprise risks
• Seizing opportunities
• Improving deployment of capital
During 20XY, Company A management significantly restructured the ERM program’s methodology and direction.
An ERM policy has been adopted; however, the full ERM implementation is not projected to be completed for at
least two to three years across all subsidiaries. Company A’s ERM process is divided into four legal entities:
• Bank A
• Lending A
• Corporation A
• Company A Securities Holdings
The four legal entities are in various stages of ERM maturity with Bank A being the most mature as of Sept. 30,
20XY. A Company A executive risk committee is in place that includes all the subsidiary CEOs and key members
of executive management. In addition, Company A management established subsidiary level risk committees to
guide and facilitate the implementation of the ERM program throughout the organization. Each committee is
governed by a charter, chaired by a senior ERM representative, and meets from four to 12 times annually. A risk
assessment program is in place to identify and document key business objectives, rate critical risks challenging
those objectives and evaluate controls mitigating those risks. In addition, a Key Risk Threshold (“KRT”) program is
in place to actively monitor quantitative risk indicators. Both the risk assessment and KRT programs are being
implemented in phases across the four subsidiaries, which are expected to take two to three years for full
maturity.
The audit scope included a review of key policies and procedures and the evaluation of design effectiveness of
key controls for the following ERM scope from Oct. 1, 20XZ to Sept. 30, 20XY. Specific process and control areas
reviewed in this audit included:
Area 2 – Policies & Practices
• Material Risk Policies and Procedures
EXECUTIVE SUMMARY
The internal controls and operations are unsatisfactory relative to the heightened expectations for a bank holding
company with over $10 billion in assets. Although there is a plan and timeline to improve ERM controls, the
existing ERM controls evaluated during this audit were not adequate, appropriate or effective to provide
reasonable assurance that risks are being managed within acceptable tolerances and that objectives are being met.
Overall, this is due to the relative immaturity of the ERM program in its current state, which has resulted in many
controls being in an implementation phase instead of fully functional. While management appears to have a vision
of an adequately established ERM program, significant resources and support are required to complete
implementation.
AUDIT RESULTS
The risks and controls included below are consistent with those noted in the COSO ERM Framework. Risk
mitigation should be accomplished through design and implementation of the noted controls via an effective ERM
program.
Risk and Control Matrix
Each entry below gives the management assessed inherent risk, its inherent risk level, the management control procedures (with control implementation in process, where noted) and the IA control evaluation/test results.

Management Assessed Inherent Risk: … processes are not appropriate or are inadequate, resulting in a lack of communication and ineffective risk management.
Management Control Procedures:
(C-ERM-01) Risk management has established ERM policies which are reviewed/approved annually by the risk committees to help ensure the strategic vision of the ERM department (CRO) aligns with the risk committee. Control is evidenced by ERM policy approved annually.
(C-ERM-04) As needed, risk management has established ERM procedures which are reviewed/approved annually by the CRO to help ensure the strategic vision of the ERM department (CRO) aligns with the risk committee. Control is evidenced by ERM procedures approved annually.
IA Control Evaluation/Test Results: See Finding 1

Management Assessed Inherent Risk: (R-ERM-04) As new products and services are introduced, management fails to update risk definitions and risk tolerances, resulting in ineffective risk management and adverse overall performance.
Risk Level: Medium
Management Control Procedures:
(C-ERM-03) As needed, the Company A risk committee reviews and approves subsidiary risk committee charters to help ensure the charters are adequate to monitor and assess risks and respond as needed to changes to the risk profile of the company, and that an effective governance structure is in place to clarify risk management roles and responsibilities. Control is evidenced by Company A risk committee meeting minutes.
IA Control Evaluation/Test Results: Ineffective – See Finding 1

Management Assessed Inherent Risk: (R-ERM-05) The risk committees do not have defined roles, responsibilities and authority to govern risks, resulting in adverse overall performance.
Risk Level: Medium
Management Control Procedures:
(C-ERM-03) As needed, the Company A risk committee reviews and approves subsidiary risk committee charters to help ensure the charters are adequate to monitor and assess risks and respond as needed to changes to the risk profile of the company, and that an effective governance structure is in place to clarify risk management roles and responsibilities. Control is evidenced by Company A risk committee meeting minutes.
(C-ERM-01) Risk management has established ERM policies which are reviewed/approved annually by the risk committees to help ensure the strategic vision of the ERM department (CRO) aligns with the risk committee. Control is evidenced by ERM policy approved annually.
IA Control Evaluation/Test Results: Partially Effective – See Finding 1

Management Assessed Inherent Risk: (R-ERM-08) Inaccurate, incomplete or untimely progress reporting of the established risk metrics, which could result in adverse overall performance and losses to the company.
Risk Level: High
Management Control Procedures:
(C-ERM-06) Quarterly, the subsidiary risk committees review the level one and level two key risk threshold dashboard report to help ensure the risk metrics are accurate, complete and reported timely. Control is evidenced in the risk committee minutes.
IA Control Evaluation/Test Results: Ineffective – See Finding 1

Management Assessed Inherent Risk: (R-ERM-10) ERM training is inadequate and does not reflect current regulations and best practices, resulting in ineffective risk management and non-compliance with laws and regulations.
Risk Level: Medium
Management Control Procedures:
(C-ERM-08) Recommended Control: Annually, the CRO reviews the training needs assessment to help ensure ERM training aligns with company objectives and regulations. Control is evidenced by review and approval evidence from the CRO.
IA Control Evaluation/Test Results: Ineffective – See Finding 4

Management Assessed Inherent Risk: (R-ERM-11) New or updated regulatory and legal requirements (state or federal) affecting ERM are not identified and addressed timely, resulting in noncompliance and increased regulatory criticism.
Risk Level: Medium
Management Control Procedures:
(C-ERM-01) Risk management has established ERM policies which are reviewed/approved annually by the risk committees to help ensure the strategic vision of the ERM department (CRO) aligns with the risk committee. Control is evidenced by ERM policy approved annually.
IA Control Evaluation/Test Results: Effective

Management Assessed Inherent Risk: (R-ERM-13) Inappropriate, untimely or incomplete treatment of key risk threshold breaches, resulting in adverse overall performance and potential losses to the company.
Risk Level: Medium
Management Control Procedures:
(C-ERM-10) Company A has established policies and procedures which are reviewed annually to help ensure that, if a risk category exists outside its threshold, management will enforce a treatment plan documenting why it is above the threshold and a strategy for why it is accepted, as well as an explanation of mitigating factors. Control is evidenced by subsidiary risk committee meeting minutes.
(C-ERM-11) As needed, the subsidiary risk committees review updates to key risk thresholds to help ensure the key risk thresholds are appropriate. Control is evidenced by subsidiary risk committee meeting minutes.
IA Control Evaluation/Test Results: Ineffective – See Finding 1 and Finding 5
See below for the details of all issues identified during the audit and management’s corrective action plans.
Finding 1: Written procedures have not been established to adequately support the periodic and ad hoc
reporting to the board and management. (High Priority)
Risk Category: Operational – Execution, Delivery and Process Management – Monitoring and Reporting
Formal ERM reporting procedures do not exist to support the timely and complete reporting to the board and
management of a) risk escalation of key risk indicators/thresholds, and b) operational loss monitoring results.
Lack of documented ERM reporting procedures may result in failure to consistently and timely notify the board
and management of trends in key risk events, which could result in increased negative impacts to the operations
and regulatory compliance of the enterprise.
While the board and management have established a policy for governing ERM at the Company A Holdings
enterprise level and a documented ERM framework and methodology, internal audit noted written procedures
have not been established to adequately support the periodic and ad hoc reporting to the board and management
of:
• The results of the enterprise risk assessment
• New and emerging risks identified throughout the year
• Significant risk management deficiencies
• The level and trends of key risk indicators/thresholds, including operational loss monitoring results
• The escalation of breaches of key risk indicators/thresholds
Recommendation
The ERM management team should establish formal written procedures to ensure the timely and complete periodic
and ad hoc reporting to the board and management of:
• The results of the enterprise risk assessment
• New and emerging risks identified throughout the year
• Significant risk management deficiencies
• The level and trends of key risk indicators/thresholds, including operational loss monitoring results
• The risk escalation of breaches of key risk indicators/thresholds
Management Response
Management agrees with the recommendations and will be supplementing newly developed ERM policies and
processes with formal procedures as the function matures. Written procedures will be developed and approved
(EDERM/CRO) by June 30, 20XX. Formalizing written procedures is an ongoing effort, and we will continue to
update procedures as needed.
Finding 2: The Company A risk committee, as delegated by the board, has not formally approved a risk
appetite statement. (High Priority)
Risk Category: Operational – Execution, Delivery and Process Management – Monitoring and Reporting
Management did not have a risk appetite statement formally approved by the Company A board risk committee;
however, preliminary risk appetite statements have been developed for all of the subsidiaries and for the roll-up.
Lack of a formal and clearly articulated risk appetite statement can result in management not having clear
direction on the appropriate level of risk to accept and avoid in its daily and strategic activities. This could
negatively impact the operations and regulatory compliance of the enterprise.
Recommendation
The risk committee should establish a formal risk appetite statement that can be measured against the strategic
risks and objectives of the enterprise. An effective risk appetite statement should:
• Have strong linkages to corporate goals and strategic business objectives
• Clearly establish the type and amount of risk the enterprise is prepared to accept in pursuit of its corporate
goals and strategic business objectives
• Express the maximum level of risk the organization is willing to operate within under normal and stressed conditions
• Include qualitative and quantitative statements that articulate the motivations for taking on or avoiding certain
types of risk, and include a reasonable number of appropriately selected risk metrics
• Be supported by appropriate levels of controls and stress tests
• Allow the organization to view its desired risk profile under a variety of future state scenarios
Management Response
We agree with the recommendations. To date, we have finalized risk appetite statements for all Company A
subsidiaries and have formalized a consolidated statement for the parent. All draft statements will be presented,
reviewed and approved by the Company A risk committee at the next committee meeting (February 20XX). We
will ensure that other elements of the ERM function, such as stress testing, support risk ratings and the strategic
planning process.
Finding 3: While management did have an implementation plan to monitor the development of the ERM
risk & control matrices, there was not an implementation plan to track the progress of ERM
implementation within the department and to monitor specific action item dates and milestones related to
the:
• Development of key risk thresholds
• Roll-out of the eGRC tool BWise
• Other relevant project tasks and milestones
(High Priority)
Risk Category: Operational – Execution, Delivery and Process Management – Monitoring and Reporting
Lack of a complete and adequate ERM implementation plan addressing key aspects of the ERM function may
result in the ERM implementation date being pushed out without any clear accountability to missed project
deadlines. The Federal Reserve expects implementation of key aspects of the ERM function at Company A by the
end of 20XX; therefore, an implementation plan for those key aspects should be defined and management
should be held accountable to the plan.
Recommendation
Management should enhance its existing ERM implementation plan to monitor specific action item dates and
milestones related to the:
• Development of key risk thresholds
• Roll-out of the eGRC tool BWise
• Other relevant project tasks and milestones deemed important by the risk committee
Reports tracking progress against the implementation plan should be provided to the risk committee periodically.
Management Response
ERM leadership (CRO/EDERM) will review current initiatives to determine which are critical enough to require
detailed planning efforts. Once identified, these initiatives will require timelines, action dates and metrics where
applicable to measure progress going forward. A formal plan to complete critical initiatives will be developed and
approved by the (CRO/EDERM) by the end of 20XX.
Finding 4: The company did not have formalized roles and responsibilities clearly defined within the ERM
department. In addition, the company has not conducted an assessment of resource capabilities versus
what is needed to meet its department objectives and timelines for ERM implementation or established
professional development (training) standards to support the achievement of ERM implementation and
ongoing department objectives. (Medium Priority)
Risk Category: Operational – Execution, Delivery and Process Management – Transaction Capture, Execution
and Maintenance
Through inquiry and review of evidence obtained from ERM personnel, we noted:
• There are no formal job descriptions for key personnel within the ERM department
• The ERM department does not have a formal and periodic gap assessment of current skills and capabilities of
ERM personnel or a corresponding training plan to close those gaps
Knowledgeable and capable risk professionals are a key component to an ERM function. A mature ERM function
should have clearly defined roles and responsibilities of the individuals within its department to ensure the
people’s skills and capabilities are sufficient to meet the goals of the ERM function. Lack of formal job descriptions
and ongoing skills assessment and training may lead to ineffective execution of Company A’s ERM program.
Recommendation
• Management should create formal job descriptions for all key personnel within the ERM department
• Management should assess current skills and capabilities and offer risk management-related training to close
any gaps within the ERM department personnel, to ensure the department is kept well informed of the latest
risk management industry trends/standards and applicable laws and regulations
Developing and assessing the items above will allow management to adequately align job responsibilities with the
objectives of the department and ensure ERM personnel develop the necessary skills and capabilities to
implement and execute an effective ERM function.
Management Response
We concur with the recommendation and are finalizing an ERM organizational chart that will encompass all risk
functions including ERM, model risk management and stress testing. Once finalized, formal job descriptions, titles
and responsibilities will be drafted and incorporated into the Company A HR system. As part of this effort, a skill
set gap analysis will be completed along with an assessment of personnel needs. We anticipate completing this
effort by the end of 20XX.
Finding 5: While ERM management (“Second line of Defense”) did have an approved listing of key risk
thresholds (“KRTs”) to actively monitor risks, it lacked an independent understanding of the metrics and
a monitoring function of how the “First line of Defense” computed the KRT analytics. Therefore, ERM
management was unable to independently verify the completeness and accuracy of KRT analytics, prior
to reporting to the board and management. (Low Priority)
Risk Category: Operational – Execution, Delivery and Process Management – Monitoring and Reporting
Through inquiry and review of evidence obtained from ERM personnel, we noted there was a lack of independent
understanding and monitoring of how the “First line of Defense” computed the KRT analytics. Therefore, ERM
management was unable to independently verify the completeness and accuracy of KRT analytics prior to
reporting them to the board and management. Lack of independent understanding and monitoring of how the
“First line of Defense” computes KRTs makes the ERM function dependent on the “First line of Defense” and the
KRTs they provide to ERM. This impedes the independent monitoring capabilities of the ERM function and may
result in incorrect and incomplete reporting of significant risk events to the board and management, as well as
potential non-compliance with laws and regulations.
Recommendation
We recommend that the ERM department become more knowledgeable of the KRT computation methodology
used by the “First line of Defense” to allow the ERM department to independently verify the completeness and
accuracy of KRTs on their own and to better serve as an independent monitor of front line management.
Management Response
By the end of 20XX, ERM will establish a maturity plan for its KRT program which will include working with the
business to understand each metric’s calculation and, to the extent possible, monitor critical drivers of each metric.
Where applicable, ACL will allow ERM to extract leading indicator information, which supports the underlying
KRT, from subsidiary systems, and calculate various ratios and metrics independently from the business.
APPENDIX A
Internal Audit: Issue and Audit Ratings
Audit Ratings
Satisfactory – Controls evaluated are generally adequate, appropriate and effective to provide reasonable
assurance that risks are being managed within acceptable tolerances and objectives are being met. Some
enhancements may have been recommended and any control weaknesses noted are minor or limited in scope.
Needs Improvement – Numerous specific control weaknesses were noted. Controls evaluated are unlikely to
provide reasonable assurance that risks are being managed within acceptable tolerances and objectives are
being met.
Unsatisfactory – Controls evaluated are not adequate, appropriate or effective to provide reasonable assurance
that risks are being managed within acceptable tolerances and objectives are being met.
Issue Ratings
High Priority – Immediate management attention is required. This is a serious internal control or risk
management issue that, if not mitigated, may, with a high degree of certainty, lead to:
• Substantial losses, possibly in conjunction with other weaknesses in the control framework or the
organizational entity or process being audited
• Serious violation of corporate strategies, policies or values
• Serious reputation damage, such as negative publicity in national or international media
• Significant adverse regulatory impact, such as loss of operating licenses or material fines
Medium Priority – Timely management attention is warranted. This is an internal control or risk management
issue that could lead to:
• Moderate financial losses
• Loss of controls within the organizational entity or process being audited
• Reputation damage, such as negative publicity in local or regional media
• Adverse regulatory impact, such as public sanctions or immaterial fines
Low Priority – Routine management attention is warranted. This is an internal control or risk management issue,
the solution to which may lead to improvement in the quality and/or efficiency of the organizational entity or
process being audited. Risks are limited.