Auditing the Enterprise Risk Management Process - OAR341


With the advent of corporate governance strategies that must embrace the entire organization, enterprise-wide risk assessment and management has taken on critical dimensions of importance. In addition, the SEC and PCAOB have concluded that the key to effective compliance is a “top-down, risk-based approach.” When properly defined and implemented, ERM provides the ideal baseline for this process.

In this intensive three-day seminar you will cover alternative methods, structures and tools that can be used for establishing an ERM. You will learn how to define which aspects need to be audited and how it should be done, gain an understanding of the key qualities that an ERM should possess, and discover why they are critical. You will explore the integration of controls and business risk and find out how an oversight tool can be created that can be owned by operations and that will yield real business returns.

The key historical aspects of what ERM is and where it has come from will be discussed. However, the COSO organization have redefined the ERM model as we know it from 2004 to make it a much more business centric focus. It has done away with the classic cube format and have introduced some very significant changes in what they view the future of what ERM is today and where it is going to go from here. You will leave this session thoroughly understanding what you should expect to see when you evaluate your ERM environment or what you need to know to build the ERM environment that your organization requires to be successful or to dominate your industry.

What you will learn

You will learn the characteristics and functionality of effective ERM programs, and how auditors can evaluate the risk management process.


Defining the Key Components of ERM and the History of Same

  • the original 2004 COSO model and its key features that differentiated it from the COSO model
  • the new COSO migration to the more business centric strategy and the ramifications of same
  • other pronouncements and models that have major implications for how ERM is implemented

Structuring an Effective ERM Organization and Framework

  • the risk organizational structure
  • makeup
  • reporting structure
  • process design
  • operating format
  • mapping the organization to determine the natural risk assessment framework
  • methods of developing risk inventories to be used as the baseline for ERM
  • searching for commonalities

A Top-Down Risk-Based Approach to Establishing an ERM Process – Key Components

  • identifying risk events
  • assessing risk, probability, and impact
  • risk responses
  • monitoring the ERM process on an ongoing basis
  • evaluating alternative ERM structures: subjective vs. objective
  • system-centric
  • data-centric
  • determining the data/information inventory that will be the primary indicators of risk in each part of the organization
  • establishing the logical data pathway of the risk data indicators that drive to the root cause of organizational failures
  • designing the responsibility spectrum for risk

Integrating Business Risk and Internal Control

  • the concept of business risk
  • determining the relationship of key business risks and internal controls
  • focusing the strategy on fundamental business process
  • understanding the key attributes of outcome and output and its impact on governance
  • using KRIs as the baseline for process-based oversight

Developing an ERM Audit Process:

  • gaining an understanding of the ERM environment
  • risk assessing the ERM environment
  • focusing the audit and establishing the audit scope
  • determining the audit approach/tools/techniques/strategy
  • defining an effective report format to bring about change

Auditing the ERM Process

  • auditing the risk organizational structure: who, what, where, how and why
  • auditing the risk infrastructure for completeness and coverage
  • auditing the information flow of the ERM environment
  • timeliness
  • accuracy
  • usefulness

Auditing the ERM Process

  • evaluation criteria of success for the ERM
  • evaluating the real-world organizational impact of the ERM process in precluding or minimizing risks
  • auditing areas of special concern in ERM, including outsourcing
  • auditing the maintenance and future strategic initiatives within ERM to keep it current and cutting-edge auditing the

Further information

ACI Learning
ACI Learning
3 Days
Amsterdam, Atlanta, Ga, Bandar Seri Begawan, Boston, Ma, Burlington, Ma, Cape Town, Charlotte, Nc, Chicago, Il, Dallas, Tx, Denver, Co, Dubai, Dublin, Dublin, Oh, Hong Kong, Houston, Tx, Las Vegas, Nv, London, Manila, New York, Ny, Oman, Orlando, Fl, Philadelphia, Pa, San Antonio, San Diego, Ca, San Francisco, Ca, Seattle, Wa, Singapore, Virtual Training Room Only, Washington, Dc

Contact Information

ACI Learning

6855 S. Havana St.
Suite 230
80112 USA