JEFFREY COHEN
PROFESSOR
BOSTON COLLEGE
GANESH KRISHNAMOORTHY
PROFESSOR
NORTHEASTERN UNIVERSITY
ARNOLD WRIGHT
PROFESSOR
NORTHEASTERN UNIVERSITY
May 2014
An earlier version of this paper was presented at the 2013 International Symposium on Audit Research, 2013
American Accounting Association Annual Meeting, and at Bentley University. We would like to acknowledge
helpful comments from Mark Beasley, Jean Bedard, Yves Gendron, Dana Hermanson, Rani Hoitash, Lori Holder-
Webb, Bill Messier, Steve Salterio, Steve Sutton, Ken Trotman, Kim Westermann, Yves Gendron and a special
thanks to Dan Archabal who helped obtain the participants for the study.
ABSTRACT: The financial crisis has brought to the forefront the need for companies to
effectively manage their risks. One approach that has gained prominence is enterprise risk
management (ERM), but little is known about the link between ERM and the financial reporting
process. This link is important, because it is imperative that the financial reporting process
adequately depict the performance and associated risks of a company. Additionally, ERM affects
the risks of misstatement and potential lack of adequate risk disclosures, which impact audit
planning. Accordingly, the objective of this study is to examine how audit partners, CFOs, and
audit committee (AC) members (the governance triad) view ERM as it relates to the roles of
governance parties, financial reporting quality, internal controls, and external auditing. To
address these issues, we conduct semi-structured interviews of experienced individuals from 11
public companies that form 11 governance triads. Results suggest that across all three types of
participants, respondents emphasize risk assessment/identification and operational
efficiency/effectiveness when defining ERM. However, there is substantial variation in responses
which suggests that there is still a lack of consensus among key players on what constitutes ERM.
Interestingly, only a minority of auditors mention strategy or strategic risks in their definition of
ERM. To the extent this is reflective of auditors not fully leveraging the strategic elements of
ERM, auditors may be underutilizing ERM in the audit process. This concern is further
corroborated in a number of comments made by CFOs and AC. Moreover, participants perceive
that the audit committee and the CFO play a large role with ERM and auditors are perceived to
play a lesser role. Additional analysis of the responses indicates that while participants view
ERM and its effect upon the financial reporting process from both an agency and resource
dependence perspective, there is a greater focus on the agency framework. In all, resource
dependence may be under-emphasized by all members, but especially by CFOs and auditors.
Implications for practice and research are discussed.
Introduction
There have been a number of dramatic corporate failures in recent years that raise
concerns of serious lapses in the risk management processes in many firms, most notably those
in the financial services industry such as Lehman Brothers, Bear Stearns, and AIG. In response,
there has been considerable interest in strengthening the enterprise risk management (ERM)
practices of firms and in the development of ERM frameworks (e.g., COSO 2004, 2009).1
Although prior research has examined ERM practices, little is known about the link between
ERM and the financial reporting process. This link is important, because it is imperative that
financial reports adequately portray a company's performance along with its risks. For example,
when a client's ERM system is ineffective, important business risks may not be identified and
disclosed. Also, this deficiency is important to an auditor when assessing whether to issue a
going concern opinion or when evaluating the viability of management's plans to address going
concern issues. Further, ERM affects the monitoring and controls of risks, which impact auditor
The overarching objective of this study is to investigate how ERM affects the financial
reporting process, based on the experiences of three key parties: CFOs, audit committee
members, and audit partners (referred to as the governance triad). Given the governance triad's
1
COSO (2004) defines ERM as follows:
roles and responsibilities with respect to the financial reporting process, and the imperative that
financial reports adequately reflect the risks that a company has assumed, it is, thus, important to
examine the linkage between ERM and the financial reporting process from the vantage point of
the governance triad. To our knowledge, the current study is the first to fill this gap in the
literature.
One advantage ERM has over traditional risk management activities, which evaluate risks
within a particular department or function, is that ERM looks at the risks of the firm as a whole
and cross-functionally. Thus, ERM adopts a more holistic approach to risk management
compared with a silo approach (Mikes 2009, 2011), where the focus on risks may be myopic
and hence could result in an under- or overestimation of risks to the entity as a whole. There is
also increasing regulatory emphasis on ensuring that there is sufficient governance oversight of
the ERM process in publicly traded companies. For instance, the SEC (2009) requires companies
to discuss in the proxy statements the board's role in the oversight of risk and a recent study
found that 92% of the companies have a separate section in their Proxy Statement for risk
oversight (Akin Gump Strauss Hauer & Feld LLP 2010). Further, the New York Stock Exchange
Additionally, with the trend towards integrative reporting, which encompasses both
financial and nonfinancial disclosures, there is an impetus for reporting and disclosure on ERM
to increase in the future (Adams et al. 2011). For example, in integrative reporting there is a need
to assess metrics that are strategically important and could incorporate past performance and
prospective events. Thus, ERM is likely to play a large role in a more holistic approach to
While some prior studies (Baxter et al. 2013; Hoyt and Liebenberg 2011) have focused
on the effect of ERM on firm performance and value, they have not explicitly addressed the
relationship between ERM and the quality of the financial reporting process. A strong financial
reporting process includes diligence by preparers and monitoring parties such as the audit
committee and auditors in providing accurate and transparent financial reports and associated
disclosures.
The audit process and audit quality have a significant impact on the quality of financial
reports (Knechel et al. 2013). A few prior studies (e.g., Kochetova-Kozloski and Messier 2011;
O'Donnell and Schultz 2005) have examined the effect of strategic analysis and strategic risk
(components of ERM) on auditor judgments, but these studies have not considered the effect of
ERM on the audit process and audit judgments from a broader, more holistic perspective. The
strength of ERM impacts the company's monitoring of controls over major business risks, which
is important for auditors to consider in audit planning (Bell et al. 2002). Further, although audit
committees and CFOs are increasingly required to play a critical role with respect to ERM
(KPMG 2013; Clyburn 2012), there has been no research that examines how either audit
committees or CFOs view the role of ERM in ensuring a high quality financial reporting process.
the relationship between ERM and the financial reporting process, and provide evidence on how
2014; Trompeter and Wright 2010; Beasley et al. 2009; Cohen et al. 2002, 2010; Hirst and
companies2 that form 11 governance triads (CFO, audit committee member/chair, and audit
partner). Using the COSO ERM framework3, our findings indicate that across all three types of
operational efficiency/effectiveness when defining ERM. However there was variation in the
responses with respect to their definition of ERM which suggests that there is need for greater
guidance and direction by companies and standard setters regarding what constitutes ERM.
Interestingly, although both CFOs and audit committee members highlighted the strategic
elements when defining ERM, auditors placed minimal emphasis on strategy related factors.
Moreover, participants perceive that the audit committee and the CFO play a large role with
ERM and auditors are perceived to play a lesser role. There were also concerns expressed by the
CFOs and AC participants that auditors were not leveraging ERM to a sufficient level in the
Additional analysis of responses to all questions indicates that members of the triad
viewed ERM from both an agency and resource dependence perspective. However, all
participants, and especially CFOs and auditors, were more focused on the agency framework and
strategic risks when defining ERM, the finding that they under-emphasized the resource
company's strategic risks could allow CFOs to appropriately determine financial reporting risks
and the adequacy of disclosures. Further, an adequate consideration of the resource dependence
perspective could aid auditors in arriving at more accurate control and inherent risk assessments
2
As explained in more detail in the Method section, one audit partner declined our request to participate in the
study, resulting in a sample size of 32 participants.
3
We recognize that risk management can take many forms (Gendron et al. 2014) and could be managed through a
combination of a quantitative or qualitative basis (Mikes 2011). In this paper, we focus on the risk management
principles outlined in COSO (2004) since this framework is the most widely used in practice and its principles can
be more directly linked to the quality of the financial reporting process, the focus of this study.
and to appropriately determine the nature and extent of audit testing (Asare et al. 2013;
strategic perspective may potentially allow CFOs and auditors to more effectively assess the
The remainder of this paper is divided into four sections. The next section provides a
review of relevant corporate governance and ERM literatures leading to our research questions.
The two sections that follow contain a description of the method and presentation of the results.
The final section is devoted to a discussion of the major findings and their implications for future
Evidence from the capital markets suggests that the combination of ineffective ERM and
breakdowns in the financial reporting process can lead to catastrophic consequences as was the
case with Lehman Brothers. In fact, the Report of the Examiner in the Chapter 11 Proceedings of
Lehman Brothers indicated that the Repo 105 program exposed Lehman to significant
reputational and headline risks4 (Valukas 2010 884) that are critically important to an
effective ERM program. The Report further cites accounting manipulations in the form of Repo
(Collings 2013). The Report of the Examiner indicates that Lehman had taken undue risks with
respect to Repo 105 transactions, and further, such risks were not adequately disclosed by
Lehman and considered by the auditors, Ernst & Young (Collings 2013). Hence, an effective
4
According to the former Global Financial Controller of Lehman Brothers, headline risk meant that if there was
more transparency to people outside the firm around the transactions, it would present a dim picture of Lehman
(Valukas 2010 886).
ERM at Lehman potentially could have prevented management's use of dubious practices and
the consequent alleged financial reporting and business failure of Lehman Brothers.
The link between ERM and financial reporting quality can also be illustrated by dramatic
losses that emanated from firms engaging in exotic financial transactions. For example, Phillips
(2013) states that a key to understanding the London Whale trading losses at JP Morgan Chase
is whether such losses resulted from hedging or proprietary trading transactions. Hedging
transactions, by their very nature, are designed to offset and balance an identifiable risk and their
fundamental objective is risk avoidance. Proprietary trading, on the other hand, often involves
accounting standards for hedging and proprietary trading activities vary significantly (IAS 39),
and an erroneous or willful misclassification of the gains and losses from the activities can result
in misstated financial statements. Hence, CFOs, audit committees, and auditors of companies
engaged in the trading of derivative instruments (which includes industries well beyond financial
services, such as airlines hedging fuel costs or industrial companies engaging in transactions with
interest rate swaps) need to understand the ramifications of how critical enterprise-wide risks
facing the organization, including their ERM practices, impact financial reports, disclosures of
(2013) reports that an internal investigation of a trading loss in excess of $6 billion stated that the
bank's CFO should bear part of the blame for the massive loss resulting from a failure in risk
management processes and controls. Despite the presence of a Chief Risk Officer at the bank, the
internal report states that the CFO bears responsibility since a sufficient distribution of daily
trading activity reports could have helped detect the problems on a timely basis (Ryan 2013). An
internal JP Morgan Management Task Force Report states that although primary responsibility
for managing risk lies with the business head and risk organization, the CFO "missed a number
of opportunities during the first quarter to meaningfully challenge the trading strategy" (JP
Morgan Chase & Co., 2013). The significant financial loss incurred by the shareholders of J.P.
Morgan Chase is a clear indication of the notion that the financial reporting function (both
business organizations.
As stated earlier, ERM refers to a more holistic view of enterprise-wide risks, of which
component, it is an open question as to how other components of ERM (e.g., strategic risk,
reputational risk) impact or should impact the quality of the financial reporting process and the
audit process. Critics have argued that weak ERM, poor governance, and in some instances audit
failures have collectively led to poor financial reporting that served to hide the financial
difficulties facing failing firms (e.g., off Balance Sheet debt) and, thus, significantly exacerbated
the financial crisis (Baxter et al. 2012; Valukas 2010). For instance, Ernst & Young, the
erstwhile auditor of Lehman, was strongly criticized for failing to challenge and question
Lehman's management on some of their excessively risky positions (The Economist 2010).
While there are several frameworks for ERM, there is no universally accepted definition
or framework that provides a definitive guide with respect to the roles played by various parties
within the ERM structure of a firm. A survey by Beasley et al. (2011) documents that ERM
practices vary widely among companies. For example, there is divergence in practice on which
party has the primary responsibility for ERM (the board of directors, the audit committee, a risk
committee, others). Further, Mikes and Kaplan (2012) identified a number of ways that ERM has
been implemented and suggested that a contingency approach be used that allows research to
view the success of ERM within the company's particular context. For example, a firm that is
confronting an environment that is in a state of flux and faces many uncertain external risks may
engage in war games in which the company plans their potential course of action for a variety
important information to auditors in assessing inherent and control risks, financial viability, and
Messier 2011). Despite this, the COSO ERM framework (2004) does not discuss how auditors
might consider ERM in the audit or internal control evaluation process. The current study
examines the auditors' knowledge and involvement in ERM, an issue not fully addressed both in
Practitioners and academics have asserted (Viscelli 2013; Beasley et al. 2011) that a key
to effective financial reporting and ERM is achieving a synergistic relationship among the audit
committee, Chief Financial Officer (CFO), and external auditor (the governance triad).
Further, there is also limited understanding of how the governance triad interacts among
themselves and with others to develop ERM practices that impact the quality of the financial
reporting process. Accordingly, we study the governance triad since CFOs are often involved in
implementing ERM, audit committees are often charged with monitoring ERM and financial
reporting, and auditor engagement and planning risks are impacted by questionable accounting
(COSO 2004). The discussion above leads to our first research question.
RQ 1: What impact does ERM have on the financial reporting process, including the
strength of internal controls over financial reporting and the role of external auditing?
ERM Roles of the Governance Triad and Its Effect on the Financial Reporting Process
There is limited evidence regarding the roles of different parties involved in ERM
practices. For instance, Beasley et al. (2011) survey 450 companies and find that only about one
third of the respondents indicate ERM oversight is a formal responsibility assigned to a board
committee. However, this proportion varies considerably by company size and ownership status
with 74.2% of the largest organizations (over $1 billion in revenues) and 62.7% of public
companies formally assigning such responsibilities. In those cases where it is assigned, the audit
committee is most frequently given this responsibility. However, given the numerous demands
placed on the audit committee (Beasley et al. 2009), it is unclear if the audit committee has the
expertise and the resources to provide effective monitoring and oversight of the ERM system.
Beasley et al. (2011) find that ERM practices vary significantly, with only 14.9% of the
companies indicating that they had a complete formal ERM process in place, 32.3% for the
largest companies, 23.5% for public companies, and 22.7% for financial services companies.
High-level management normally plays a very significant role in creating and then
overseeing ERM practices (Beasley et al. 2011). Twenty-five percent of the companies surveyed
(half of the largest companies, public companies, and financial services) report the creation of a
chief risk officer (CRO) position whereby the CRO reports to the CEO and/or board regarding
key enterprise risks (Beasley et al. 2011). Alternatively, about an equal percentage (25%) of
companies charge a risk committee with this responsibility, with the CFO serving on this
As noted, several prior financial failures in recent years (e.g., Lehman Brothers) have
been accompanied by what many view as poor financial reporting to obscure the weak financial
health of the company. Beasley et al. (2011) find that companies recognize the importance of
disclosing risk information to external parties with 59% of the companies surveyed indicating
pressure to provide such information (84% of the largest companies, 82% of public companies,
and 87% of financial services companies). The past financial failures inevitably lead to the
questions of why external auditors in these cases continued to issue unqualified audit reports,
thus providing assurance to users regarding the fair presentation of the financial statements.
business risks and take measures to contain or control such risks. To the extent that these risks
impact financial reporting or potentially can significantly negatively affect the well-being of a
company, these risks should be reflected in financial statement estimates and disclosures.
Further, auditors who are aware of significant risks are required by auditing standards to plan the
nature and extent of audit tests to address business and inherent risks (AICPA 2007; IFAC 2006).
There is little evidence on the emphasis or relative importance placed on various ERM
components within organizations and the role that the governance triad takes in addressing ERM
objectives. Accordingly, we examine the link between ERM practices and the quality of the
financial reporting process including the role of auditing, as reflected in our second research
question.
RQ 2: What roles does the governance triad play with respect to ERM and what is the
effect of these roles on the financial reporting process?
Method
To address our research questions we use the widely accepted COSO ERM framework
established in 2004 (Beasley et al. 2010; COSO 2004). As will be discussed more fully, the
framework identifies eight components of ERM: internal environment; objective setting; event
identification; risk assessment; risk response; control activities; information and communication;
and monitoring. Further, four overriding objectives are proposed: strategic objectives
(establishing high-level goals); operational objectives (effective and efficient use of resources);
reporting objectives (high reliability in reporting); and compliance objectives (compliance with
(Westermann et al. 2014; Hermanson et al. 2012; Trompeter and Wright 2010; Cohen et al.
2010; Beasley et al. 2009), we employ a semi-structured interview approach to address our
research questions. An interview approach allows us to gain insights into the black box of the
ERM process and the interactions among members of the governance triad for each of the 11
We use contacts from alumni and colleagues in a large Northeastern city in the U.S. to
solicit the voluntary participation of the audit partner, an audit committee member, and the CFO
from the same company to document their experiences in working with ERM at that firm. As
Table 1, Panel A provides demographic data about our sample, and Panel B
presents selected company information. The audit partners have a mean (standard deviation) of
5
As noted earlier, one audit partner declined our request to participate in the study. Further, one individual served as
the audit committee chair of two companies and hence this individual's responses are included in the triads of these
two companies, and counted as two participants. This resulted in a total count of 32 participants. Finally, the CEO of
one of the companies volunteered to participate in the study, in addition to the governance triad from this company.
However, in the interest of maintaining consistency across all triads and the different roles a CEO may play in this
position, we exclude the CEO's responses from the results reported in the tables. In the interests of full disclosure,
including the responses from the CEO, however, does not qualitatively change the results reported in the study.
7.00 (5.95) years of experience with ERM, 19.4 (6.8) years of industry specialization and an
average of 5.11 (5.37) years with the client in question. In addition, the audit partners have an
average of 68 percent of their recent experience with public company clients. The data suggest
that the audit partners have the relevant expertise to take part in the study.
The audit committee members are also an experienced group. Their mean (standard
deviation) experience as a director is 11.23 (8.62) years, as a member of the audit committee for
the company is 7.85 (7.07) years, and with ERM is 9.55 (11.20) years. Eight of the 11 audit
committee respondents note that they are chairs of the committee and have served in that
capacity for 4.94 (4.33) years. Other demographic data (untabulated) about audit committee
participants indicate the following: CPAs (64%); current or former CEOs (45%); current or
Finally, the CFOs have a mean (standard deviation) of 24.44 (7.81) years of finance or
reporting experience and 8.0 (8.09) years of experience with ERM. Further, they have been the
CFO for 4.7 (4.06) years. Collectively, across all three types of participants, the demographics
suggest that our sample is a group of highly experienced individuals who are appropriate for the
Panel B indicates that the mean number of audit committee members in the companies
from which the triads were drawn was approximately four, with an average of 2.27 having
accounting or financial expertise. In five of the companies, the CEO is also the chair of the
board. Finally, six of the 11 companies are listed on the New York Stock Exchange, three on
OTC, one on NASDAQ, and one was a mutual insurance company. The participant firms are
from a wide range of industries as indicated by their SIC 4-digit industry classification.
participants), manufacturing (6), software and retail (4 each), medical devices and life sciences
(3 each), and services, healthcare, and consumer products (2 each), with some participants
having experience in more than one industry. The mean (median) company sales revenue is
$1,964 million ($267 million), and the mean (median) total assets are $985 million ($824
million). However, as indicated by the standard deviations of $3,429 million and $1,031 million
for sales revenue and total assets respectively, there is significant variation, thus providing a
Insert Table 1
The interviews are structured around eight questions, with most having subparts. The
interview questions are reported in Appendix A.6 When constructing the questionnaire, we
carefully reviewed the following sources to identify significant issues for interview questions:
the COSO framework on ERM (COSO 2004); the literature on the implementation of ERM in
practice (e.g., Beasley et al. 2010); academic accounting research (Beasley et al. 2011; Beasley
et al. 2008; Beasley et al. 2005); and discussions with two recently retired senior audit partners
who had been involved in ERM issues. In order to ensure external and internal validity of the
questions, four practicing audit partners and several academic researchers (not associated with
this study) independently evaluated the questions for clarity, completeness, and relevance.
The interviews were conducted by one member of the research team over the phone (30)
or in-person (two) with each interview taking approximately 45 minutes to one hour. With the
permission of the participant, interviews were audio-taped to allow greater accuracy in the
transcription process and to capture relevant quotes. Interview questions were emailed to the
participants in advance with an explicit instruction that participants refrain from discussing the
6
We also asked questions regarding the role of internal auditors in ERM, but do not report the findings on these
questions since this topic is outside of the primary focus of the current paper, i.e., the governance triad (auditors,
CFO, audit committee).
questions or their responses with colleagues. Participants were informed that the objective of the
study was to obtain their experiences with the particular company that was being studied, and not
about their general perceptions. Following the protocol of other qualitative studies, each
participant's anonymity was ensured. As the interviews were semi-structured (Westermann et al.
2014; Trompeter and Wright 2010; Cohen et al. 2010; Beasley et al. 2009), individual responses
were followed-up whenever appropriate to ensure that responses would be fully examined. The
interviews were audio-taped to ensure completeness and accuracy and they were then transcribed
by research assistants.7
whenever appropriate we employed the COSO ERM (2004) framework to guide the questions
and the coding. Thus, for instance, when we ask the participants for their definition of ERM, we
examined whether they mention operational, reporting, strategic, and compliance objectives. All
interviews were independently coded by two members of the research team with an average
initial inter-coder agreement of 82 percent, indicating a high level of coding reliability (Miles
and Huberman, 1994). We attempted to reconcile all disagreements, with all remaining
unresolved disagreements reconciled by a third member of the research team. The reported
Results
Tables 2, 3, and 4 provide results from the analysis of coded responses. Responses to
open-ended (OE) questions (e.g., What is your definition of enterprise risk management?) are
coded as 1 (0) if the response is (is not) consistent with our ex ante coding scheme based on the
7
Two participants did not provide their consent for the interview to be tape-recorded. For these interviews, the
interviewer took careful notes during the interview and later submitted them as transcriptions of the interview for
data analysis, similar to the ones employed for other participants.
COSO ERM framework. We also collect data on questions that required a discrete response (e.g.,
Yes/No) or responses that used a 10 point scale (e.g., Based on your experiences at the
company and your definition of ERM above, what role(s) do the following governance
players/managers play in ERM? The scales are anchored by (1) No Role to (10) Significant
Role.). We refer to questions that require a discrete response or a response on a 10-point scale
question is not asked or if the participant did not respond to the question. Responses coded as
NA were excluded from the computation of percentages. For each question we provided
Definition of ERM
data relating to their definition of ERM. Despite the increasing importance placed on ERM in
academia and in practice, there is no universally accepted definition. Hence, and not surprisingly,
the definition of ERM varied across respondents. This is an important issue because participants'
definitions reflect the focus and nature of ERM practices within the sample company. Consistent
with prior qualitative studies (Cohen et al. 2010, Trompeter and Wright 2010) we do not offer a
formal definition of ERM, but rather ask participants to provide us their definition.
Across all participant types, the emphasis with respect to ERM was on a holistic
approach to risk, rather than focusing only on financial reporting or controls risks. For example,
Management of any and all risks that could impact survival, reputation or the
success of the company. Expansive definition that includes financial reporting
risk, operational risk, reputational risk, and internal failure risk.
Consistent with a broader notion of ERM than merely looking at financial risks, one audit
I think it's managing risks in the broad scheme of things. It's not only financial risk, that
is risks that affect the income statement or balance sheet of the company, but it also
includes risk exposures that the company has with its customers, with its suppliers, with
its brands it's really a very broad definition.
Further, across all three types of respondents, the participants emphasize the risk
assessment/identification component of the ERM process8. For example, one CFO stated:
Overall, I think [ERM] is a very simple concept. It's all about understanding and
having the identification of your key risks and uncertainties for any corporation.
(NYSE CFO)
you [have] enterprise risk management as it relates to the financial side, what
are the concerns there, what are the controls the company has in place.
One component of ERM that is important in controlling acceptable risk is ensuring that
risk is aligned with a company's strategic direction. A majority of AC members and CFOs
identified strategic issues in their definition of ERM. For instance, an AC member stated:
So I would define it as the process to analyze the business environment, the strategy, to
assess systemic risk, and to control those risks
(NYSE audit committee chair)
8
When referring to risk assessment we refer to the risk assessment process in which risks are identified. When
discussing the results, risk assessment will include identification of risk and we will refer to it simply as risk
assessment.
Thus, the AC members and CFOs appear to articulate the importance of strategic risks when
defining ERM. In contrast, only a few audit partners mentioned this in their definition of ERM.
The fact that audit partners did not frequently mention strategic issues is surprising given the
discussion of such issues in auditing standards (i.e., the business risk assessment of SAS #109).
Further, the standards highlight that auditors have an opportunity to exploit knowledge of the
strategic aspects of ERM to plan and manage their audit to address these business risks.
One audit committee member also explicitly drew a connection between ERM and
Are they coherent (the numbers) that they get out end of every quarter and then asking
the question what is it that has both systematic risk or operational risk that we should be
focused on coming to the board.
(OTC audit committee chair)
As indicated by the following quotes, some participants emphasized the notion that ERM
is broad-based with respect to encompassing all phases and components of the risk management
process, including but not limited to risk assessment, response, and monitoring.
Probably that [ERM is] a framework or process for risk management in an organization.
Of identifying objectives in a company, assessing the various risks associated with that,
and then taking whatever action or controls that are associated with those risks.
(NASDAQ CFO)
In the last three columns of Table 2, we present data on the consensus of the triads within
the 11 companies regarding the definition of ERM. It is important to examine the level of
consensus of triads because a lack of consensus among participants within a particular company
signals misalignment among triad members with respect to the objectives and potential benefits
of ERM. We indicate the number of triads where all three parties mention a factor as well as the
number of triads where the majority (two out of three members) mentions it. The ERM factor
majority in over half of the triads and by all members of the triad in five out of the 11 triads. This
result appears intuitive since risk assessment/identification appears inherently to be the first stage
of an ERM system.
Strategy is mentioned by two triads unanimously and in over half of the triads it is noted
by the majority. Of note, these results are largely driven by the agreement of the AC member
and the CFO and not by agreement with the audit partner, despite the potential to increase the
effectiveness of an audit by examining the risks resulting from a client's business strategy (Bell
et al. 1997).
Four out of 11 triads have unanimous agreement that ERM deals with operational issues,
with the majority mentioning it in five triads. It is interesting that there are no triads that mention
either the internal environment or monitoring, which may perhaps be attributed to the difficulty in
measuring factors such as the tone at the top and then linking them to risk management.
Five triads (one unanimous; four majority) indicated control activities when defining ERM,
Finally, a total of seven triads (two unanimous; five majority) mention reporting issues in their
definition of ERM, highlighting that reporting (including financial reporting issues) is considered
a central aspect of the rubric of ERM. In all, there is relatively high consensus within the triads
for some ERM components, especially for risk assessment/identification, reporting risks, and
operational issues.
RQ 1: Impact of ERM on the Financial Reporting Process, including Internal Controls,
After establishing the participants' conceptualization of ERM, we ask them about the
impact of ERM on the quality of the financial reporting process, including internal controls and
the role of external auditing. We pose two questions asking the participant how important a
role ERM plays (should play) in achieving high quality financial reporting to the capital markets
on a 10-point scale (1 = no role; 10 = significant role). As we report in Table 3, participants felt ERM
plays a significant role (mean 6.6) and should play an even larger role (mean 7.4). Highlighting
the importance of considering ERM when evaluating the quality of financial reports, one audit
partner notes:
While some triad members articulate the importance of considering ERM in ensuring
high quality financial reporting, a small minority view is present. One AC member states:
I don't quite see the linkage. I mean the financial reporting is something that is coming
out of what we have done. In my mind, ERM is much more focused on where we're
going.
(OTC AC Member)
In terms of the role ERM should play in achieving high quality financial reporting, some
participants indicate that there is a need for greater appreciation of the integrated nature of ERM
everything is all wrapped together. I still think people view ERM as some other risk
assessment initiative as being separate from how they are managing the business and the
problem is they are not separate. The terminology and the fact there is an element of
compliance associated with [ERM] you know there is a gap that needs to be bridged there
and I just don't know if we are there yet.
(NYSE CFO)
Another question we ask is, what role does ERM play in achieving strong internal
controls over financial reporting? The overall mean response is 6.5, indicating a fairly significant
role, with CFOs indicating the highest response (7.3). Some participants indicate that weak
internal controls might be symptomatic of risks that may need to be considered for the enterprise
as a whole, thus highlighting the importance of the inter-relationship between strong internal
if the internal work essentially [has] material weaknesses or if we find out that there
are weaknesses in our control system and they rise to [the level of] material weakness or
even significant deficiencies that would be, if it continued to be, an enterprise risk.
Qualitative responses regarding the nature of the role of ERM on controls indicate the
So, I think [ERM] plays a very high role in the sense of if I see that the company
understands its risk, they manage [it] well, how do I set my scope (extent of
testing) and how does it make me sleep at night?
Our next two questions examine the role of ERM on the quality of audit services and the
extent to which ERM affects (should affect) the external auditor's risk assessment and audit
scope decisions. Responses to the first question indicate ERM plays only a moderate role (5.7)
on the quality of audit services with, notably, the lowest mean response expressed by audit
committee members (4.9). However, respondents indicate overall that ERM plays a fairly
significant role in auditors' risk assessment and scope decisions (6.0) and should play an even
I am focused with risks related to the financial statements but understanding the
pervasive risks of the organization, the specific ones that are financially related are most
critical.
(NYSE audit partner)
Again, audit committee members assess the lowest impact of ERM on auditors'
judgments among members of the governance triad with the mean of 4.9 as to the actual role and
5.8 as the role ERM should play. In explaining his response, an audit committee member stated:
I think (in a) world of best practices you need more formalized risk assessments
by auditors. - I do not think [formalized risk assessments are] done because the
fees would probably double, it would take too many hours.
One CFO expresses his dissatisfaction in his experiences with external auditors as follows:
(NYSE CFO)
Qualitative responses are equally divided between the role that ERM plays on risk assessments
(50%) and scope decisions (53%) with the same pattern for the role ERM should play on these
Collectively, responses indicate that participants view ERM as playing a significant role
in ensuring the quality of financial reporting with the prevailing view that ERM helps monitor
the risks that emanate from the financial reporting process. Further, ERM is linked to the quality
of internal controls. Finally, there are disparate views on the extent to which ERM influences the
audit process with some respondents' experiences indicating a lower impact than desired.
[9] The only area where the triads demonstrated consensus was on the role ERM plays in audit risk assessments,
where five triads had a majority indicating that ERM played a role in the audit risk assessment.
RQ 2: Roles Played by the Governance Triad with Respect to ERM and its Effect on the
We followed the initial question with a series of questions regarding the role that each
participant in the governance triad plays in ERM within his/her company. The questions were
anchored by (1) No role, (5) Moderate role and (10) Significant role, and quantitative
responses are followed by an opportunity for respondents to add their thoughts and experiences.
The findings on participants' roles with respect to ERM are presented in Table 4.
Some academics and practitioners view the audit committee as a logical committee to
oversee ERM (Beasley et al. 2011), since the audit committee may be effective in managing
enterprise-wide risks, especially if such risks impact the financial reporting process (Krishnan
2005). Consistent with this view, the mean rating across all participants for the role played by
the audit committee with respect to ERM was 7.8 (on a 10-point scale). As expected,
approximately half of the respondents in each group mentioned reporting objectives as a key
aspect of the oversight function of the audit committee. For example, one CFO stated that the
in that the [Audit Committee] is very much on top of the control environment
inclusive of entity level controls and how those controls mitigate enterprise risk.
(NYSE CFO)
Further, audit committees were also seen by some respondents as having an influence
over the ERM focus on operational and compliance objectives. For example, one AC member
said that:
Risk is really our thing in the audit committee, and we're focused highly on not
just (that), I think as an audit committee we care not only about our financial
obligations with regards to X company, but also, it's a healthcare company, so
we've got many compliance issues.
Respondents also perceive that the CFO plays a major role in ERM (mean=8.2) with, not
surprisingly, the CFO respondents providing the highest rating (mean=9.4). The CFOs'
responses were varied in that they viewed their role as being important in a number of areas in
relation to ERM. For example, a CFO who described a number of functions of the CFO stated:
we viewed our role as being very active in not only setting the tone from the top
as to how the company would be run in terms of integrity and ethics, [but also
have] the ability to have mechanisms and reporting in place to identify what we
view as key critical risks, and then doing our best in terms of building a system of
checks and balances and internal control mechanisms that managed and
prioritized the risks in the corporate environment.
(NYSE CFO)
The AC members rated the CFO's role as high (mean=8.0), with no area standing out.
Interestingly, although the audit partners rate the CFO role as high (mean=7.2), auditors were
concerned that the CFO's role may be overstepping its boundaries. This is exemplified by the
following quote:
on a lot of my current experiences you just see ERM kind of running through the
finance organization and [the finance group is] off trying to pull it together on
behalf of the organization when it probably needs to be driven by more of the
operational team than just the finance team.
Consistent with the role of the external audit, respondents view the external auditor as
being only moderately important with respect to their role in ERM (overall mean = 5.3). Further,
all groups rate reporting objectives as the most important for the external auditor (70% for
So obviously that's kind of our audit approach is to first assess the overall risk
environment which includes the business risk you know the things I mentioned
(like) financial reporting risk and then we go down to inherent risk versus control
risk and the like so that's the front end part of our focus
One partner also commented that auditors have to understand the strategic objectives of ERM:
In the context of the role of the audit, I think we do look at the strategic objectives
because those identify where the risks potentially are and they also drive us to
focus on what types of controls there are in place to monitor those risks
However, even the external auditors note that they may not be focusing enough on ERM. As one
partner put it, "They (auditors) need to expand their knowledge base" (NYSE audit partner). This
[Auditors] are almost 100% focused on making sure that the financial statements
are fair and not misstated and so to the extent that they are considered a major
enterprise risk they are not doing anything else in way of adding value from
an operational standpoint.
contributing in a major way with respect to ERM objectives (beyond reporting objectives) may
be beyond the scope and expertise of the external auditor. This is reflected in the following
It is not their area of expertise. There is none of those people who can tell us
what the risk is in our operations better than our people can and unfortunately
[auditors] don't always understand that.
Taken together, these comments suggest that our participants view external auditors currently as
neither having the expertise nor sufficient focus on ERM. However, as will be described more
fully in the conclusions, there appear to be opportunities for auditors to leverage knowledge of
the ERM system to make the audit more effective and efficient and improve the overall quality
We then ask each respondent what they perceive their own particular role to be for each of
the four objectives of COSO's (2004) ERM framework: strategic, operational, reporting and
compliance. As before, each question was anchored by (1) No role, (5) Moderate role and
(10) Significant role, and this was followed up by an opportunity for respondents to add their
thoughts. External auditors note only reporting objectives as being above the midpoint of the
scale (mean = 7.3). In contrast to the external auditors, both the audit committee members and
CFOs rate their role as between 7.3 and 9.1 on the different objectives, with CFOs rating their
role on each of the objectives higher than the rating by audit committee members. For example, a
So I think that it's very important that a company understand, and, as they are
going through their strategic objectives, they understand the risk. And I know in
here, one of the other questions you ask is, What other types of risks are
surrounding the risk management philosophy, the risk appetite, ethical values? I
think all those have to be on the table when you make your strategic plan. You
can't ignore those.
(NYSE CFO)
This is echoed by the following two audit committee members who stated:
We consider the two major ones to be: making sure we have the right leader and
making sure we have the right strategy,
My role as a director is very high on helping to challenge and assess the strategic
objectives that management brings to us and the plan they bring to us. That has
not always been the case. I would say that over the past 4 or 5 years we've
evolved a lot to be a much more strategic board in terms of the discussions that
we have than what I observed earlier with a lot of tactical discussions.
objectives indicate that the audit committee members and the CFO report that they play a
significant role with respect to all ERM objectives (strategic, operational, reporting, and
compliance) while external auditors indicate a weak role with respect to all objectives
(strategic, operational, and compliance) with the exception of reporting objectives. The
company represents a significant lost opportunity since audit quality can be enhanced by
consideration of the strategic risks that the client faces (Knechel et al. 2013). This
as the financial services where there is the potential for large scale losses and upheaval if
As further analysis, we explored whether respondents perceive ERM from the lens of
Agency Theory (AG) and/or Resource Dependence (RD) Theory. Under Agency Theory,
managers are presumed to act in their own self-interest even if detrimental to the shareholders;
thus, various contractual mechanisms, such as corporate boards and audit committees, are
formed to align the interests of the management with those of the stockholders (Shleifer and
Vishny 1997; Fama and Jensen 1983). By employing an ERM system in which the board and the
audit committee focus on monitoring the CEO and other high level executives, a firm can in
theory reduce excessive risk taking by management. For example, evidence of an agency
viewpoint is a focus on whether there is monitoring by the audit committee that management is
not taking risks beyond the risk appetite of the stockholders. Thus, ERM can be a mechanism
that allows for a more formal and transparent perspective on risk, which in turn can reduce the
information asymmetry between management and other corporate stakeholders that exists over
In contrast, RD Theory (Pfeffer and Salancik 1978; Boyd 1990) posits that governance
should be focused on helping companies successfully cope with strategy and environmental
uncertainty, and have access to external capital and knowledge networks. RD Theory suggests
several roles that governance parties may play in ERM including identification of risks, risk
responses, and setting the proper balance between corporate strategies, opportunities, and
business risks. If an RD perspective is adopted, then the governance parties would focus on
determining that management's risk activities are aligned with the strategic objectives the firm is
with evaluating strategic risks this would be indicative of a resource dependence view. It is
important to state that the AG and RD perspectives are not necessarily mutually exclusive in the
sense that they can co-exist,[10] nor are these perspectives collectively exhaustive.[11]
[10] We explore agency theory and resource dependence both separately and in combination, when there is evidence of
both perspectives at play. Our views are consistent with those expressed in Cohen, Krishnamoorthy and Wright
(2008, 183) where they state that these perspectives are not necessarily mutually exclusive and that a board may
be structured so as to be strong in both the agency and the resource dependence perspectives.
[11] Another theory that is potentially relevant to ERM is institutional theory which posits that the use of ERM may
merely be symbolic in nature due to mimetic isomorphism (Powell 1991). This theory would imply that ERM
practices are adopted merely to demonstrate to outsiders that the company is doing something tangible about ERM
without perhaps doing anything of substance. Further, Gendron et al. (2014) find that champions of risk
management on boards and consultants involved in risk management often engage in a discourse of legitimacy to
justify the risk management activities irrespective of how effectively they are working. However, our interviews
with the triads do not reveal anything related to the ritualistic nature of ERM and hence do not provide evidence
consistent with the institutional theory approach to ERM. Nevertheless, there is the potential that in industries such
as financial services, where risk management is required (Baxter et al. 2013), ERM practices may be more form
than substance (Cohen et al. 2008).
In examining participants' responses over all of the questions, we find quotes that are
evidence of the AG and RD perspectives, as it relates to the issues and research questions
Definition of ERM
you [have] enterprise risk management as it relates to the financial side, what
are the concerns there, what are the controls the company has in place.
(NYSE CFO)
stated:
I think you have to start with [a company's] system for evaluating business and other
financial oriented risks that the company has employed and not just evaluating what they
are but dealing with managing the risk obviously, mediating any risk issues that need to
be mediated. Generally it is system for looking at business and accounting financial risks
throughout the company.
(NASDAQ AC Member)
I have a pretty broad definition of ERM and it includes basically your traditional financial
and internal control types of areas. Economics and market risk, data and information
integrity risk, regulatory risk, execution risk as well as reputation risk.
(OTC AC Member).
Overall, the variation in the responses from participants with respect to their AG/RD
perspectives is consistent with the lack of a universally accepted definition of ERM and suggests
that there is need for gaining a common understanding of what constitutes ERM.
Impact of ERM on the Financial Reporting Process, including Internal Controls, and
External Auditing
As we previously note, we have a number of questions that examine the role of ERM and
the financial reporting process. Responses to these questions indicate a number of themes from
both an AG and an RD perspective. When asked about the role of ERM in achieving high quality
financial reporting, there are a number of quotes that emphasize a monitoring orientation that is
We are kind of a very control oriented company and we do an awful lot of making sure
that we are very controlled and how we do our reporting. Certainly legal becomes very
important in that process of making sure that whatever is being required by the SEC
nowadays that we are complying with.
(NYSE CFO)
I think it plays a high role, because clearly part of the culture around risk management is
that this particular company is very keenly focused on Where are our business risks?
What are the enterprises? Where are we going to challenge them? And therefore, that
drives a lot of their judgments about conservative accounting practices, if they do get into
a situation, it's your point about estimates and judgments used and reserves, they tend to
air more towards the conservative side. And I think that adds to a higher quality so
they're not caught by surprises.
The RD perspective was highlighted by comments that discussed other risks besides a
direct link to the financial reports but would ultimately be part of the reporting package. This
I will tell you a number of other risks that would not show up in your financial statements
that potentially could drive your shareholder value up or down.
Interestingly, there were also sentiments that reflected both an AG and RD perspective as
respondents perceived that the risk associated with monitoring covered both financial and
Because obviously any risk or any material or critical risk has and can have a significant
consequence on financial reporting. And so it was my job and the team's job to make
sure that we had sufficient systems and controls and a knowledge base in place such that
those risks were well understood and well managed, otherwise the quality of the financial
reporting would be impacted, inversely impacted, so I think [what is important is] the
combination of having a confident management, a strong financial team and a solid
understanding of the business and the key risks
(NYSE CFO)
When looking at ERM's role in achieving strong controls, the respondents emphasize
primarily the monitoring perspective of ERM which suggests an AG perspective. This is not
surprising since controls are primarily intended to serve as a monitoring mechanism (COSO
2004).
There is a tendency for the ERM side to be built around and evolve around more of the
financial and compliance risk.
(NYSE CFO)
So [in] some environments you go in people do what they have to do because Sarbanes
Oxley is dictating it or because they get a directive from the board that they are going to
do certain types of things and it's a check the box exercise. You have a checklist whereas
other places you go there is a real emphasis [on] an environment that identifies
problems or prevents problems, detects problems early on. You are actually going to
use and not just give it lip service.
(NYSE CFO)
My rationale there would be very limited value that the external auditors deliver. The
exercise for them is theoretical and they again lack operating experience and
judgment ... Identify the key risks that brought the company down. How could you
possibly have understood their business? let's say if you got a significant contract, with
customer revenue recognition nuances to it. Before you start talking about revenue
recognition you need to understand the essence of the contract and the economics behind
it ... and businesses run based on the economics; it's not based on the revenue
recognition accounting so what happens is you are always technically focused on oh you
have got revenue recognition issue with the contract. Not Jeez, I want to understand the
contract and the economics of it and by the way we also need to talk about revenue.
(OTC AC Member)
One CFO stated that the lack of using an RD perspective negatively affects the external
A more generic approach can be made to a finance or compliance focus, you can get
away with that, but that does not hold true from a strategic and operational perspective.
You must have a deeper and broader understanding of what's going on both within the
company's business as well as outside the company's business whether it be trends or
technologies or competition, and that's always been a knock on outside auditors, their
abilities to balance the two: the financial audit versus the more strategic operational
perspective, and I didn't really see anything in my experience which led me to
conclude the external audit group was getting much better at strategic operations risk
assessment.
(NYSE CFO)
Perhaps the lack of recognition by the auditors of the importance that ERM can play in
managing strategic risk is the result of auditors viewing ERM from a "check the box" mentality
(Tremblay and Gendron 2011). That is, these quotes suggest that some auditors focus on the
presence or absence of ERM as a monitoring mechanism in evaluating internal controls but fail
to fully consider ERM processes to explicitly recognize strategic risks, such as the feasibility of
promoting a product, that are of consequence with respect to the financial reporting process (e.g.,
When examining the perceived roles various parties play in ERM processes, there are
quotes that reflect AG, RD and a combination of the two perspectives. The following quote
What I am coming from is I think boards of directors have two basic responsibilities the
first is to make sure you have a competent CEO, who is able to put together a business plan and
operating and the second is to evaluate and foresee the overall strategic direction of the company
and its ability to operate successfully within that and obviously understanding the nature of risks
as well as rewards it is you know the board's first job and there is a need to do that with
management obviously.
(NYSE AC member)
This sentiment of having the board monitor the risk of the strategic direction is also
There are some governance things that certainly you want to have in place to help
manage enterprise risks around the company. But then in terms of oversight the biggest
responsibility from oversight standpoint is to understand what the company's strategic direction
is and what would the company do to go in that direction. Understand it, validate it have a
consensus that it's the thing to do at any point in time and then understand how [the strategy] is
being executed. So if you say those are the two things that boards do, in case of our company,
we spend a lot of time dealing with strategic issues with the company. I see it as a certainly a
huge starting point or end point in some cases for ERM programs.
(NASDAQ AC Member)
committee and the external auditors. As one CFO states about the audit committee:
[There is] far less on the more strategic or more operational side of ERM. I think clearly
and likely so the [audit committee's] focus was mostly on the financial and compliance
types risks, but even there most of the Board relied heavily on management and outside
auditors and the like to provide the necessary information to truly help assess and help
interpret any types of risks that were identified or discussed in the committee capacity.
(NYSE CFO)
The external auditors are often also characterized as merely focusing on compliance
You know, in a perfect world, you'd say It should be a 10. External auditors should be
reporting on ERM. The reality is that's not done with what we're chartered with right
now. Doesn't mean that it shouldn't be, but until the way of the world changes, that
includes Sarbanes Oxley, where people step back and say Hey, the external auditors
should be reporting on that more often than not
In addition, some AC members criticized the external auditors as being too compliance-
I actually find in the current environment auditors have become very compliance oriented
and their relevance for the business is insignificant.
I don't think that they really focus on Enterprise Risk they're focused on their job of the
historical audit and the completion of 404 ... they really don't participate with us in the
discussions of enterprise risk.
In contrast, other functions were also brought up as being useful for aiding in risk
The corporate development function I would say is an area where you might say is a fair
degree of ERM kind of activities going on in the way of you know identifying strategic
objectives, strategic initiatives whether they are M&A initiatives, partnering initiatives
just trying to understand the strategy in the market so that you can figure out what those
initiatives and objectives should be.
Finally, another function that was mentioned to assist ERM is the legal counsel which
Their legal counsel is heavily involved in the compliance aspect to ensure what
compliance laws are regulations and as they have strategic changes in the company and
as they go into new markets and new products there is a lot of focus on that by [legal
counsel] which is a relatively small group.
that members of the triad generally view ERM more through an AG lens than through an RD
lens. While as expected, the focus on AG versus RD varied significantly based on the specific
question to which triad members were responding, it is clear that overall, the emphasis appears to
be more on AG than on RD.[12] To some extent, the greater emphasis on AG may be an outcome
of the notions of monitoring and control that are inherent in accounting and financial reporting
aspects that all members of the triad are predominately focused on. However, this also raises the
broader issue of whether overall, RD is underemphasized by members of the triad, thus not fully
utilizing the potential benefits of ERM to help improve financial reporting quality. While the
limited RD emphasis by external auditors is somewhat expected given their role, the lack of
emphasis by CFOs (and to a lesser extent by AC members) may provide opportunities for
significant improvement in how preparers and monitors of financial reporting could benefit from
taking a broader, more strategic perspective to ERM. Future research should explore this issue in
greater detail.
[12] It is important to note that we employed a broader and a more comprehensive framework of AG and RD when
evaluating responses for the additional analysis and interpretation section than we did for the results section which
was guided by the COSO (2004) framework.
Conclusions
Given recent corporate failures, such as in the real estate and financial services industries,
there has been a growing emphasis on strengthening ERM practices to identify and control
business risks and ensure they are consistent with corporate strategies and risk appetite. Further,
many critics argue that significant company strategies and risks should be more explicitly and
transparently disclosed to investors (Adams et al. 2011) and considered by auditors in risk
assessment and program planning (Kochetova-Kozloski and Messier 2011). However, prior
research has not examined the link between ERM and the quality of the financial reporting
process. The current study addresses this gap in the literature by conducting semi-structured
interviews to capture the experiences relating to ERM practices of three key players (CFOs, audit
committee members, and auditors, which we refer to as the governance triad) within 11
theory as the driver for ERM practices, and we evaluate the roles played by the governance triad
in accomplishing the objectives laid out in the COSO ERM framework (2004).
Table 5 provides a summary of our results. We find that participants primarily define
ERM in terms of risk assessment/identification practices of the company with a much lesser
focus on setting strategy. All members of the triad see agency theory and, to a lesser degree,
resource dependence driving ERM practices. The variation in the responses in defining ERM
suggests the need for developing a common understanding which has the potential to enhance
ERM effectiveness in the future. The importance of the CFO in playing an integral role in ERM
is stressed by participants as the liaison between the CEO, audit committee, the board of
Of concern, auditors are rated by all members of the governance triad as having relatively
low involvement with ERM, especially with little focus on strategic risks. Further, although audit
committee members and CFOs perceive they play a significant role with respect to all ERM
objectives (strategic, operational, reporting, and compliance), external auditors indicate a weak
role with respect to strategic, operational, and compliance objectives. One explanation for this
finding may be that the auditors perceive their primary responsibilities revolve around financial
reporting and do not involve a significant role with respect to other aspects of ERM such as
corporate strategies. Another explanation for this finding may be that auditors are not sufficiently
sensitive to the effect of strategic risk on financial reporting quality because of lack of
understanding or focus on the link between strategic risks and the financial reporting process.
For example, an understanding of the strategic risks could allow auditors to assess the viability of
their clients more effectively in terms of a going concern opinion or whether the audit firm
should continue to be associated with a particular client. However, the lack of auditor
involvement with understanding the risks of the corporate strategy of their client may be because
of the perceived need to maintain auditor independence and objectivity, an issue for future
research. The experiences of many of the CFOs and audit committee participants indicate that
auditors have a relatively low and narrow consideration of ERM practices and strategic risks,
which suggests auditors may not have sufficient understanding of these matters. Assessing
business and strategic risks is important in establishing an appropriate audit strategy (Bell et al.
1997) and in ensuring that financial reporting risks are adequately disclosed. Further, auditors
can use this assessment of the client's risks in helping determine fair market value or other
subjective judgments inherent in estimates that are prevalent in financial reporting (Bratten et al.
2013). An important area for future research and auditing standard setting is the appropriate level
of knowledge and role of auditors in considering the various components and objectives of ERM.
the quality of the financial reporting process and the strength of internal controls. However, their
experiences indicate ERM has little impact on the quality of audit services. Some participants,
particularly audit committee members, argue for greater auditor knowledge and consideration of
ERM.
In all, the findings highlight the importance of ERM in impacting the quality of the
financial reporting process, internal controls, and external auditing. ERM appears to primarily
play a monitoring (agency theory) role within the sampled companies; however, the potential for
ERM to balance corporate strategy and business risks (resource dependence theory) is
recognized and, at times, achieved. One limitation though is that our sample was primarily in the
midrange of companies in terms of size. Perhaps a future study could explore how ERM is being
implemented in large companies, which are especially prone to reputation and other strategic
risks. A second limitation is that given the companies in our study may be at various stages with
respect to their experience and maturity related to ERM, the potential exists for respondents to
understate or overstate the role and importance of ERM in their organizations. Finally, there is
some evidence in prior research that some parties involved in the risk management area such as
consultants or champions on the board often try to legitimize risk management activities even in
the presence of perhaps contradictory evidence (Gendron et al. 2014). This situation was not
evident in the current study perhaps because we used the widely adopted COSO framework
(Beasley et al. 2011) which allowed us to focus more directly on the link between ERM and the
This study provides insights that also have implications in an integrated reporting
context. Adams et al. (2011, 2) argue that the major differences between integrated reporting and
traditional reporting are incorporating a variety of financial and non-financial metrics and their
strategy. Thus, given the initiatives on integrated reporting that propose enhanced discussion of
risk in non-financial disclosures (Adams et al. 2011; Cohen et al. 2012), an understanding of the
ERM process will provide guidance on the components of risk that should be reported upon in an
Our responses can also be evaluated within the framework for ERM proposed by Mikes
and Kaplan (2012). They propose that risk management practices can be viewed within three
categories that they denote as preventable risks, strategy execution risks and external risks. It
appears that the majority of our respondents viewed ERM within the preventable risk category in
terms of attempting to identify risks that were operational or compliance oriented. The second
category of strategy execution risks deals with managing the risks associated with a firm's
strategy. Although there was some evidence of using an RD perspective with respect to ERM,
overall it appears that the triad approaches ERM largely from an agency perspective. Mikes and
Kaplan (2012) suggest that the third category, external risks, can be managed with the use of
contingency plans. None of our respondents mentioned items within this category. However,
Mikes and Kaplan argue that even within the same organization different parties may be
emphasizing different risk categories that may not be captured by our examination of those
parties most responsible for the risks associated with the financial reporting process.
The focus of the current study was on the experiences of the CFO, audit committee, and
audit partners regarding ERM practices with respect to the COSO (2004) ERM framework,
which is the most widely used ERM approach (Beasley et al. 2011). However, other parties such
as the board and a risk committee, if established, can also play significant roles with respect to
ERM. For example, Viscelli (2013) found that although very few firms had departments
dedicated to ERM, a number of key players were involved in ERM including at times the
general counsel. Future research may focus on the experiences of these parties to get a more
complete picture of their roles and focus in ERM to provide additional insights on the very
important unresolved issue today of which party(ies) appear to be optimal as the primary one(s)
responsible to oversee ERM practices and how that affects the financial reporting process.
References
Adams, A., S. Fries and R. Simnett. 2011. The journey towards integrative reporting.
Accountants Digest (May): Issue 558.
Akin Gump Strauss Hauer & Feld LLP. 2010. Corporate Alert: The Board's Role in Risk
Oversight: A Survey of Recent Proxy Statement Disclosures. April 6:
http://cdn.akingump.com/images/content/6/5/v4/6507/100406-The-Boards-Role-in-Risk-Oversight.pdf.
American Institute of Certified Public Accountants (AICPA). 2007. SAS No. 109.
Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement. AICPA.
Asare, S. and A. Wright. 2004. The impact of risk checklists and a standard audit program on the
planning of fraud detection procedures. Contemporary Accounting Research (Summer):
325-352.
Baxter, R., J. C. Bedard, R. Hoitash and A. Yezegel. 2013. Enterprise risk management program
quality: Determinants, value relevance and the financial crisis. Contemporary Accounting
Research (Winter): 1264-1295.
Beasley, M., B. Branson, and B. Hancock. 2011. Report on the current state of enterprise risk
oversight: 3rd edition. AICPA.
Beasley, M.J., J. Carcello, D. Hermanson and T. Neal. 2009. The audit committee oversight
process. Contemporary Accounting Research 26 (1):65-122.
Beasley, M., D. Pagach, and R. Warr. 2008. Information conveyed in hiring announcements of
senior executives overseeing enterprise-wide risk management processes. Journal of
Accounting, Auditing & Finance 23 (3): 311-332.
Bell, T., Marrs, F., Solomon, I., and Thomas, H. 1997. Auditing Organizations Through a
Strategic-Systems Lens. KPMG Peat Marwick LLP, New York.
Boyd, B. 1990. Corporate linkages and organizational environment: A test of the resource
dependence model. Strategic Management Journal 11: 419-430.
Bratten, B., L. M. Gaynor, L. McDaniel, N. R. Montague and G. E. Sierra. 2013. The audit of
fair values and other estimates: The effects of underlying environmental, task and auditor
specific factors. Auditing: A Journal of Practice and Theory (Supplement): 7-44.
Clyburn, G. 2012. The CFO's Relationship with the Audit Committee for Effective Risk
Management. Enterprise Risk Management Initiative, North Carolina State University,
Raleigh, NC. http://www.poole.ncsu.edu/erm/index.php/articles/entry/CFO-audit-committee/
Cohen, J., C. Hayes, G. Krishnamoorthy, G. Monroe and A. Wright. 2013. The effectiveness of
SOX regulation: An interview study of directors. Behavioral Research in Accounting
(Spring): 61-89.
Cohen, J., L. Holder-Webb, L. Nath, and D. Wood. 2012. Discretionary corporate reporting of
non-financial performance metrics. Accounting Horizons (March): 65-90.
Cohen, J., G. Krishnamoorthy, and A. Wright. 2010. Corporate governance in the post
Sarbanes-Oxley era: Auditors' experiences. Contemporary Accounting Research (Autumn): 751-786.
Cohen, J., G. Krishnamoorthy, and A. Wright. 2008. Form versus substance: The implications
for auditing practice and research of alternative perspectives on corporate governance.
Auditing: A Journal of Practice & Theory (November): 181-198.
Cohen, J., G. Krishnamoorthy, and A. Wright. 2002. Corporate governance and the audit
process. Contemporary Accounting Research (Winter): 573-594.
Dalton, D.R. and C.M. Daily. 1999. What's wrong with having friends on the board? Across the
Board 36 (March): 28-32.
Fama, E. and M. Jensen. 1983. Separation of ownership and control. Journal of Law and
Economics 26: 301-325.
Gendron, Y., J. Bédard and M. Gosselin. 2004. Getting inside the blackbox: A field study of
practices in effective audit committees. Auditing: A Journal of Practice and Theory
(March): 153-171.
Gendron, Y., M. Brivot and H. Guénin-Paracini. 2014. The construction of risk management
legitimacy in corporate boardrooms. European Accounting Review (Forthcoming).
Hermanson, D. R., J. G. Tompkins, R. Veliyath, and Z. Ye. 2012. The compensation committee
process. Contemporary Accounting Research 29: 666-709.
Hirst, D.E. and L. Koonce. 1996. Audit analytical procedures: A field investigation.
Contemporary Accounting Research 13 (2): 457-486.
Hoyt, R. E. and A. P. Liebenberg. 2011. The value of enterprise risk management. Journal of
Risk and Insurance 78 (4): 795-822.
International Federation of Accountants (IFAC) 2006. Identifying and Assessing the Risks of
Material Misstatement Through Understanding the Entity. International Standards on
Auditing No. 315. New York, NY: IFAC.
Knechel, W. R., G. Krishnan, M. Pevzner, L. Shefchik and U. Velury. 2013. Audit quality:
Insights from the academic literature. Auditing: A Journal of Practice and Theory
(Supplement): 45-97.
Kochetova-Kozloski, N., and W. F. Messier, Jr. 2011. Strategic analysis and auditor risk
judgments. Auditing: A Journal of Practice and Theory, Vol. 30 (4): 149-171.
KPMG. 2011. Enhancing business performance through governance, risk and compliance.
http://www.kpmg.com/SG/en/IssuesAndInsights/CFOPublications/Documents/EnhancingBusinessPerformancethroughGovernanceRiskandCompliance_Governance.pdf.
KPMG. 2013. Global Audit Committee Survey. Audit Committee Institute (January).
Krishnan, J. 2005. Audit committee quality and internal control: An empirical analysis. The
Accounting Review 80 (2): 649-678.
Liebenberg, A. P., and R. E. Hoyt. 2003. The determinants of enterprise risk management:
Evidence from the appointment of chief risk officers. Risk Management and Insurance
Review 6 (1): 37-52.
Miles, M. and M. Huberman. 1994. Qualitative data analysis (2nd ed.). Thousand Oaks, CA:
Sage.
Mikes, A. 2009. Risk management and calculative cultures. Management Accounting Research
20 (1): 18-40.
Mikes, A. 2011. From counting risks to making risk count: Boundary work in risk management.
Accounting, Organizations and Society 36 (4-5): 226-245.
Mikes, A. and R. Kaplan. 2012. Managing risks: Towards a contingency theory of enterprise risk
management. Working paper, Harvard Business School.
Moeckel, C. 1990. The effect of experience on auditors' memory errors. Journal of Accounting
Research. Vol. 28, No. 2: 368-387.
O'Donnell, E., and J. J. Schultz, Jr. 2005. The halo effect in business risk audits: Can strategic
assessment bias auditor judgment about accounting details? The Accounting Review 80
(3): 921-939.
Paape, L., and R. F. Speklé. 2012. The adoption and design of enterprise risk management
practices: An empirical study. European Accounting Review 21 (3): 533-564.
Pagach, D. and R. Warr. 2010. The effects of enterprise risk management on firm performance.
Working paper, North Carolina State University.
Proxy Disclosure Enhancements, 17 CFR Parts 229, 239, 240, 249 and 274 C.F.R. (2009).
Ryan, V. 2013. JPMorgan CFOs Slammed for Risk-Management Failures. CFO.com.
http://www3.cfo.com/article/2013/1/capital-markets_jp-morgan-whale-trading-loss-risk-management-synthetic-credit-cio-braunstein-dimon
Shleifer and Vishny. 1997. A survey of corporate governance. Journal of Finance (June): 737-83.
Tremblay, M-S and Y. Gendron. 2011. Governance prescriptions under trial: On the interplay
between the logics of resistance and compliance in audit committees. Critical
Perspectives on Accounting 22 (3): 259-272.
Trompeter, G. and A. Wright. 2010. The world has changed - have analytical procedure
practices? Contemporary Accounting Research 27 (2): 669-700.
Valukas, A.R. 2010. Lehman Brothers Holdings Inc. Chapter 11 Proceedings Examiner
Report. http://jenner.com/lehman/.
Viscelli, T. 2013. The ERM process. Evidence from interviews of ERM champions. Unpublished
dissertation. Kennesaw State University.
Warther, V. A. 1998. Board effectiveness and board dissent: A model of the board's relationship
to management and shareholders. Journal of Corporate Finance 4: 53-70.
Westermann, K., J. Bedard, and C. Earley. 2014. Learning the craft of auditing: A dynamic
view of auditors' on-the-job learning. Contemporary Accounting Research
(Forthcoming).
Appendix A: List of Interview Questions
2. Based on your experiences at XYZ Company and your definition of ERM above, what
role(s) do the following governance players/managers play in ERM?
Board of Directors:
1--------------------------------------------5---------------------------------------10
Audit Committee:
1--------------------------------------------5---------------------------------------10
CEO:
1--------------------------------------------5---------------------------------------10
CFO:
1--------------------------------------------5---------------------------------------10
No Role Moderate Role Significant Role
1--------------------------------------------5---------------------------------------10
External Auditors:
1--------------------------------------------5---------------------------------------10
Others, if any that play an important role: (Please identify the party(ies) and explain
the nature and extent of their role(s) in ERM)
3. Based on your experiences with XYZ Company, please indicate your role with respect
to the following ERM objectives of XYZ.
Strategic Objectives - defined as high-level goals, aligned with and supporting the
company's mission.
1--------------------------------------------5---------------------------------------10
1--------------------------------------------5---------------------------------------10
1--------------------------------------------5---------------------------------------10
Please explain your answer.
1--------------------------------------------5---------------------------------------10
4. A. Based on your experiences with XYZ Company, what role does ERM play in
achieving high quality financial reporting that is provided to capital markets?
1--------------------------------------------5---------------------------------------10
B. Based on your experiences with XYZ Company, what role should ERM play in
achieving high quality financial reporting that is provided to capital markets?
1--------------------------------------------5---------------------------------------10
5. Based on your experiences with XYZ Company, what role does ERM play, if any, in
achieving strong internal controls with respect to financial reporting within the
organization?
1--------------------------------------------5---------------------------------------10
6. Based on your experiences with XYZ Company, what role does ERM play, if any, in the
quality of audit services provided by the external auditor?
1--------------------------------------------5---------------------------------------10
Please explain your answer.
7. A. Based on your experiences, what role does ERM play in the external auditor's risk
assessment and audit scope decisions with respect to XYZ Company?
1--------------------------------------------5---------------------------------------10
B. Based on your experiences, what role should ERM play in the external auditor's risk
assessment and audit scope decisions with respect to XYZ Company?
1--------------------------------------------5---------------------------------------10
1--------------------------------------------5---------------------------------------10
Risk Assessment - Risks are analyzed, considering likelihood and impact, as a basis
for determining how they should be managed. Risks are assessed on an inherent and a
residual basis.
1--------------------------------------------5---------------------------------------10
Risk Response - Management selects risk responses (avoiding, accepting, reducing,
or sharing risk), developing a set of actions to align risks with the entity's risk
tolerances and risk appetite.
1--------------------------------------------5---------------------------------------10
Control Activities - Policies and procedures are established and implemented to help
ensure the risk responses are effectively carried out.
1--------------------------------------------5---------------------------------------10
1--------------------------------------------5---------------------------------------10
Please explain your answer.
Conclusion
Are there issues related to ERM and financial reporting that you believe are important but have
not been covered in this questionnaire? If yes, please explain.
Table 1: Participant & Company Information

| Audit Partner | | Mean | Median | Standard Deviation | Min | Max |
|---|---|---|---|---|---|---|
| Experience with ERM | Years | 7 | 5 | 5.95 | 0 | 20 |
| Recent experience with public clients | % | 68% | 75% | 25% | 25% | 100% |
| Years industry specialization | Years | 19.40 | 20.00 | 6.80 | 10 | 30 |
| Number of years associated with client | Years | 5.11 | 3.00 | 5.37 | 1 | 18 |

Panel B: Company Demographic Data

| | | Mean | Median | Standard Deviation | Min | Max |
|---|---|---|---|---|---|---|
| Members on Audit Committee at company | # | 3.90 | 4.00 | 0.88 | 3.00 | 6.00 |
| Members with accounting or financial expertise | # | 2.27 | 2.00 | 1.42 | 0.00 | 4.00 |
| Members with non-accounting financial expertise | # | 2.10 | 2.00 | 1.20 | 0.00 | 4.00 |

| | | n |
|---|---|---|
| Chair of Board also CEO | 1=Yes, 0=No | 5 |

| Stock Exchange: | n |
|---|---|
| NYSE | 6 |
| NASDAQ | 1 |
| OTC | 3 |
| OTHER (Mutual Insurance) | 1 |
| TOTAL | 11 |
Table 2: Definition of ERM
Total Number of Participants = 32 (AC Members = 11; CFOs = 11; Partners = 10)

| | Definition of ERM | AC Mem (11) Coding | AC Mem (11) % Coding | CFO (11) Coding | CFO (11) % Coding | Partner (10) Coding | Partner (10) % Coding | Total (32) Coding | Total (32) % Coding | Triad Consensus: Number of Triads - All Mentioned | Triad Consensus: Number of Triads - Majority Mentioned | Triad Consensus: All + Majority Total |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| OE | Reporting | 6 | 54.5% | 6 | 54.5% | 4 | 40.0% | 16 | 50.0% | 2 | 5 | 7 |
| OE | Operational | 9 | 81.8% | 6 | 54.5% | 7 | 70.0% | 22 | 68.8% | 4 | 5 | 9 |
| OE | Strategic | 8 | 72.7% | 9 | 81.8% | 3 | 30.0% | 20 | 62.5% | 2 | 6 | 8 |
| OE | Compliance/legal | 2 | 18.2% | 3 | 27.3% | 2 | 20.0% | 7 | 21.9% | 1 | 1 | 2 |
| OE | Other(s)--list below | 4 | 36.4% | 0 | 0.0% | 0 | 0.0% | 4 | 12.5% | 0 | 0 | 0 |
| OE | Internal Environment | 0 | 0.0% | 1 | 9.1% | 1 | 10.0% | 2 | 6.3% | 0 | 0 | 0 |
| OE | Risk Assessment/Identification | 9 | 81.8% | 9 | 81.8% | 8 | 80.0% | 26 | 81.3% | 5 | 6 | 11 |
| OE | Risk Response | 5 | 45.5% | 5 | 45.5% | 5 | 50.0% | 15 | 46.9% | 1 | 4 | 5 |
| OE | Control Activities | 3 | 27.3% | 6 | 54.5% | 3 | 30.0% | 12 | 37.5% | 1 | 4 | 5 |
| OE | Monitoring | 0 | 0.0% | 2 | 18.2% | 1 | 10.0% | 3 | 9.4% | 0 | 0 | 0 |

Note 1: Responses to open-ended (OE) questions (e.g., What is your definition of ERM?) are coded as 1 (0) if the indicated response was (was
not) identified by the respondent. The percentage reflects the total number of participants indicating the response out of a total of 32 participants.
For example, 16 out of 32 participants identified Reporting in their response to the above question, resulting in a 50% score.
Note 2: Responses to closed-ended (CE) questions (e.g., Based on your experiences with XYZ Company, please indicate your role with respect to
the following ERM objectives of XYZ: Strategic Objectives - defined as high-level goals, aligned with and supporting the company's mission.
(1=No Role; 5=Moderate Role; 10=Significant Role)) are coded based on the number of participants responding. A response was coded as NA if
the question was not asked or if the participant did not respond to the question. Responses coded as NA were excluded from the computation of
percentages. For example, if 30 out of 32 participants provided an answer in response to a question, the mean, range, and standard deviation will
be based on 30 responses.
Table 3: ERM and the Financial Reporting Process
Total Number of Participants = 32
(AC Members = 11; CFOs = 11; Partners = 10)
CE Role ERM plays in quality of audit services - Mean 4.9 81.8% 6.3 63.6% 6.1 80.0% 5.7 75.0%
CE Role ERM plays in quality of audit services - Range 1-8.5 3-10 2-8.5 1-10
CE Role ERM plays in quality of audit services - Standard Deviation 2.5 2.3 2.1 2.3
See Notes 1 and 2 in Table 2 for an explanation of how OE and CE were coded.
Table 4: Triad Roles and its Effect on the Financial Reporting Process
Total Number of Participants = 32
(AC Members = 11; CFOs = 11; Partners = 10)

| | | AC Member Coding | AC Member % Coding | CFO Coding | CFO % Coding | Partner Coding | Partner % Coding | Total Coding | Total % Coding |
|---|---|---|---|---|---|---|---|---|---|
| | Roles Played by Governance Triad in ERM | | | | | | | | |
| CE | Audit Committee - Mean | 8.4 | 100.0% | 7.6 | 100.0% | 7.4 | 100.0% | 7.8 | 100.0% |
| CE | Audit Committee - Range | 5.5-10 | | 5-10 | | 5-9 | | 5-10 | |
| CE | Audit Committee - Standard Deviation | 1.4 | | 1.7 | | 1.2 | | 1.5 | |
| OE | Strategic Objectives | 2 | 18.2% | 0 | 0.0% | 2 | 20.0% | 4 | 12.5% |
| OE | Operational Objectives | 3 | 27.3% | 0 | 0.0% | 0 | 0.0% | 3 | 9.4% |
| OE | Reporting Objectives | 5 | 45.5% | 6 | 54.5% | 5 | 50.0% | 16 | 50.0% |
| OE | Compliance Objectives | 2 | 18.2% | 6 | 54.5% | 4 | 40.0% | 12 | 37.5% |
| OE | Internal Environment | 0 | 0.0% | 1 | 9.1% | 0 | 0.0% | 1 | 3.1% |
| OE | Risk Assessment | 5 | 45.5% | 1 | 9.1% | 4 | 40.0% | 10 | 31.3% |
| OE | Risk Response | 4 | 36.4% | 0 | 0.0% | 2 | 20.0% | 6 | 18.8% |
| OE | Control Activities | 1 | 9.1% | 2 | 18.2% | 2 | 20.0% | 5 | 15.6% |
| OE | Monitoring | 1 | 9.1% | 1 | 9.1% | 0 | 0.0% | 2 | 6.3% |
| CE | CFO - Mean | 8.0 | 90.9% | 9.4 | 100.0% | 7.2 | 100.0% | 8.2 | 96.9% |
| CE | CFO - Range | 4.5-10 | | 8-10 | | 3-10 | | 3-10 | |
| CE | CFO - Standard Deviation | 1.8 | | 0.9 | | 2.6 | | 2.0 | |
| OE | Strategic Objectives | 1 | 9.1% | 3 | 27.3% | 0 | 0.0% | 4 | 12.5% |
| OE | Operational Objectives | 1 | 9.1% | 4 | 36.4% | 2 | 20.0% | 7 | 21.9% |
| OE | Reporting Objectives | 1 | 9.1% | 3 | 27.3% | 3 | 30.0% | 7 | 21.9% |
| OE | Compliance Objectives | 0 | 0.0% | 2 | 18.2% | 1 | 10.0% | 3 | 9.4% |
| OE | Internal Environment | 0 | 0.0% | 2 | 18.2% | 0 | 0.0% | 2 | 6.3% |
| OE | Risk Assessment | 2 | 18.2% | 3 | 27.3% | 2 | 20.0% | 7 | 21.9% |
| OE | Risk Response | 2 | 18.2% | 2 | 18.2% | 2 | 20.0% | 6 | 18.8% |
| OE | Control Activities | 1 | 9.1% | 1 | 9.1% | 0 | 0.0% | 2 | 6.3% |
| OE | Monitoring | 1 | 9.1% | 1 | 9.1% | 0 | 0.0% | 2 | 6.3% |
| CE | External Audit - Mean | 4.8 | 72.7% | 5.6 | 90.9% | 5.4 | 90.0% | 5.3 | 84.4% |
| CE | External Audit - Range | 0-9 | | 0-10 | | 3-7.5 | | 0-10 | |
| CE | External Audit - Standard Deviation | 2.6 | | 3.2 | | 1.6 | | 2.5 | |
| OE | Strategic Objectives | 0 | 0.0% | 0 | 0.0% | 1 | 10.0% | 1 | 3.1% |
| OE | Operational Objectives | 1 | 9.1% | 0 | 0.0% | 0 | 0.0% | 1 | 3.1% |
| OE | Reporting Objectives | 4 | 36.4% | 6 | 54.5% | 7 | 70.0% | 17 | 53.1% |
| OE | Compliance Objectives | 3 | 27.3% | 4 | 36.4% | 0 | 0.0% | 7 | 21.9% |
| OE | Internal Environment | 1 | 9.1% | 1 | 9.1% | 0 | 0.0% | 2 | 6.3% |
| OE | Risk Assessment | 2 | 18.2% | 1 | 9.1% | 3 | 30.0% | 6 | 18.8% |
| OE | Risk Response | 0 | 0.0% | 0 | 0.0% | 1 | 10.0% | 1 | 3.1% |
| OE | Control Activities | 0 | 0.0% | 1 | 9.1% | 2 | 20.0% | 3 | 9.4% |
| OE | Monitoring | 0 | 0.0% | 0 | 0.0% | 1 | 10.0% | 1 | 3.1% |
| | Respondent's Role with respect to the following ERM objectives | | | | | | | | |
| CE | Strategic Objectives - Mean | 8.0 | 72.7% | 9.1 | 100.0% | 4.0 | 100.0% | 7.1 | 90.6% |
| CE | Strategic Objectives - Range | 4-10 | | 7-10 | | 1-7.5 | | 1-10 | |
| CE | Strategic Objectives - Standard Deviation | 2.3 | | 1.1 | | 2.5 | | 3 | |
| CE | Operational Objectives - Mean | 7.3 | 81.8% | 8.4 | 100.0% | 3.3 | 100.0% | 6.4 | 93.8% |
| CE | Operational Objectives - Range | 4-10 | | 5-10 | | 1-5 | | 1-10 | |
| CE | Operational Objectives - Standard Deviation | 1.9 | | 1.8 | | 1.7 | | 2.8 | |
| CE | Reporting Objectives - Mean | 8.2 | 100.0% | 9.1 | 100.0% | 7.3 | 90.0% | 8.3 | 96.9% |
| CE | Reporting Objectives - Range | 5-10 | | 5-10 | | 4-10 | | 4-10 | |
| CE | Reporting Objectives - Standard Deviation | 1.6 | | 1.6 | | 2.5 | | 2.0 | |
| CE | Compliance Objectives - Mean | 7.6 | 72.7% | 8.3 | 90.9% | 5.0 | 90.0% | 7.0 | 84.4% |
| CE | Compliance Objectives - Range | 0-10 | | 6-10 | | 1-10 | | 0-10 | |
| CE | Compliance Objectives - Standard Deviation | 3.4 | | 1.5 | | 2.9 | | 2.9 | |

See Notes 1 and 2 in Table 2 for an explanation of how OE and CE were coded.
TABLE 5: SUMMARY OF THE MAJOR FINDINGS
Definition of ERM:
RQ 1: What impact does ERM have on the financial reporting process, including the
strength of internal controls over financial reporting and external auditing?
• ERM plays a significant role in the quality of financial reporting (FRQ) and
should be even higher (estimates/compliance).
• ERM plays a significant role for identification of risks and controls.
• ERM has a low impact on quality of audit (lowest assessment by audit committee
members).
• Some impact on audit risk assessment and scope but should be higher especially
for strategic & operational risks.
RQ 2: What role(s) does the governance triad play with respect to ERM and what is
the effect of this role on the financial reporting process?
• All members of triad play a major role except auditors.
  o Focus on risk assessment/identification. CEO/BOD are the major parties
  in setting strategy.
  o Audit committee (AC) focus on reporting.
  o Auditors appear to be insufficiently using and considering ERM in the
  audit process.
  o Auditors do not perceive they have a major role in the strategic,
  operational, and compliance objectives of ERM.
  o Concerns by CFOs and AC members of whether auditors have sufficient
  knowledge of ERM.
Additional Analysis:
• Members of the triad generally view ERM more through an Agency lens than
through a Resource Dependence lens.
• The significance of resource dependence (strategic direction) may be
under-emphasized by all members, but especially by CFOs and auditors.