The objectives are represented by the columns.
The components are represented by the rows.
The entity structure is represented by the third dimension of the cube.
Represent what is required to achieve objectives.
Principles: 1. Demonstrates Commitment to Integrity and Ethical Values; 2. Exercises Oversight Responsibility; 3. Establishes structure, authority and responsibility; 4. Demonstrates Commitment to Competence; 5. Enforces Accountability
Principles: 6. Specify Suitable Objectives; 7. Identify and Analyze Risks; 8. Assess Fraud Risk; 9. Identify and Analyze Significant Change
Principles: 10. Selects and Develops Control Activities; 11. Selects and Develops General Controls over Technology; 12. Deploys through Policies and Procedures
Principles: 13. Uses Relevant, Quality Information; 14. Communicates Internally; 15. Communicates Externally
Principles: 16. Selects, develops and performs evaluations to determine if components of IC are present and functioning; 17. Evaluates and communicates IC deficiencies
Are what an entity desires to achieve.
“Internal control is a process effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.”
Represent the operating units, legal entities and other structures.
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Is a process: Enterprise risk management is not one event or circumstance, but a series of actions that permeate an entity's activities.
Is effected by people: Enterprise risk management is effected by a board of directors, management and other personnel. It is accomplished by the people of an organization, by what they do and say.
Is applied in strategy setting: An entity sets out its mission or vision and establishes strategic objectives, which are the high-level goals that align with and support its vision or mission.
Is applied across the enterprise: To successfully apply enterprise risk management, an entity must consider its entire scope of activities. Enterprise risk management considers activities at all levels of the organization, from enterprise-level activities such as strategic planning and resource allocation, to business unit activities such as marketing and human resources, to business processes such as production and new customer credit review.
Is designed to identify events potentially affecting the entity and manage risk within its risk appetite: Risk appetite is directly related to an entity’s strategy. It is considered in strategy setting, where the desired return from a strategy should be aligned with the entity’s risk appetite. Different strategies will expose the entity to different risks. Enterprise risk management, applied in strategy setting, helps management select a strategy consistent with the entity’s risk appetite.
Provides reasonable assurance: Well-designed and operated enterprise risk management can provide management and the board of directors reasonable assurance regarding achievement of an entity's objectives. They understand the extent to which the entity’s strategic objectives are being achieved. They understand the extent to which the entity's operations objectives are being achieved. The entity’s reporting is reliable. Applicable laws and regulations are being complied with.
Is geared to the achievement of objectives: Effective enterprise risk management can be expected to provide reasonable assurance of achieving objectives relating to the reliability of reporting and to compliance with laws and regulations. Achievement of those categories of objectives is within the entity’s control and depends on how well the entity’s related activities are performed.
Risk appetite is the amount of risk an entity is willing to accept in pursuit of value. Entities often consider risk appetite qualitatively, with such categories as high, moderate or low, or they may take a quantitative approach, reflecting and balancing goals for growth, return and risk.
Risk appetite is directly related to an entity’s strategy. It is considered in strategy setting, where the desired return from a strategy should be aligned with the entity’s risk appetite.
Risk culture is the set of shared attitudes, values and practices that characterize how an entity considers risk in its day-to-day activities. For many companies, the risk culture flows from the entity’s risk philosophy and risk appetite. For those entities that do not explicitly define their risk philosophy, the risk culture may form haphazardly, resulting in significantly different risk cultures within an enterprise or even within a particular business unit, function or department.
Individual business units, functions and departments will have slightly different risk cultures. Managers of some are prepared to take more risk, while others are more conservative, and these different cultures sometimes work at cross-purposes.