Friday, March 31, 10:20 a.m.-12:00 noon
Concurrent session 2D - SOX and Assessing Risk (Auditing)
Title: CARVER + Shock: An Alternative ERM Risk Assessment Tool
George Peek
Western Illinois University
Lucia Peek
Western Illinois University
ABSTRACT: Successful organizations have always assessed and managed risks, but the process has become more formalized with the passage of the Sarbanes-Oxley Act of 2002 (SOX Act) and the 2004 release of the Committee of Sponsoring Organizations (COSO) Enterprise Risk Management – Integrated Framework. Section 404 of the SOX Act authorized the SEC to issue final rules requiring publicly traded corporations to include in their annual reports a report by management on the effectiveness of the company's internal control over financial reporting. The SEC's Final Rule on Section 404 (2003, 13) discussed the COSO Internal Control - Integrated Framework (1992) as an acceptable framework that corporations and external auditors can use for Section 404 reporting.
COSO Internal Control - Integrated Framework (COSO Framework) (1992) emphasizes that internal controls assist organizations in achieving their financial reporting, operational, and compliance objectives. Risk Assessment is one of the essential components of the COSO Framework, but COSO also saw a need to provide more guidance on the entire risk management process. COSO Enterprise Risk Management – Integrated Framework (COSO ERM Framework) (2004) provides managers with a framework to improve their identification, assessment, and management of risk.
This paper discusses the CARVER+Shock model, which was initially developed by the military to assess the quality of military targets. The CARVER+Shock model was adapted as a threat and vulnerability assessment tool by the food sector industries and government regulators after the increased risk of terrorist threats to the U.S. food supply following 9/11. Companies can effectively utilize the CARVER+Shock model as an application tool in implementing the Event Identification, Risk Assessment, and Risk Response components of the COSO ERM Framework (2004, 22). The model applies not only to external terrorist threats but also to assessing the risk of threats from other external and internal events, such as Hurricane Katrina or disgruntled employees.