Risk management practices
Risk Management (RM) coordinates organization-wide activities designed to help EY people meet global and local compliance responsibilities and support client-facing teams in providing quality and exceptional client service. Responsibility for high-quality service and ownership of the risks associated with quality is placed with the EY member firms and their service lines.
Among other responsibilities, the Global RM Leader helps monitor how these risks are identified and mitigated. They also monitor how other risks across the organization are identified as part of the broader enterprise risk management (ERM) framework. ERM priorities are communicated to EY member firms.
The Global RM Leader is responsible for establishing a consistent risk management framework around the globe and coordinating risk management across the global EY organization.
EY member firm professionals are appointed to lead risk management initiatives, supported by other staff and professionals. Their role includes coordinating with service lines on these matters.
When events that present risks occur, Global Risk Management works with other global functions to actively seek input from EY member firms on lessons learned from both crisis management and business continuity perspectives. This after-action assessment process helps EY refine its planning for crisis response and managing crises at both the member firm and global levels. These reviews make the organization more proactive, especially in identifying emerging risks before they cause significant impact and in prioritizing risks for each member firm. For example, this process allows the EY Global Security team and Region Security Manager Network to work directly with their member firm crisis management teams to prepare for the most likely threats by incorporating training and advanced readiness into crisis management networks.
Additionally, Global Risk Management continues to prioritize business resiliency in its business continuity planning. A key part of this approach is recognizing that most crises do not just “happen”; they often show early warning signs as they develop. This allows member firms to start mitigating risks while maintaining normal operations at the very early stages of a potential impact. To support this, “escalation matrices” have been created for several ongoing and high-probability geopolitical events, allowing member firm and regional crisis management teams to respond faster and more effectively as situations escalate. These matrices, along with action item checklists, go beyond traditional workforce life and safety concerns to address factors that could affect a member firm’s ability to continue business effectively.
These changes allow EY member firms to navigate significant crises more effectively through a prepared, holistic approach.
Cybersecurity
Managing the risk of major and complex cyberattacks is part of doing business for every organization. While no system is completely immune, we remain vigilant in protecting the EY organization and EY client data through strong security measures.
EY takes a proactive approach to cybersecurity, implementing technologies and processes to manage and reduce risks worldwide. Our information security and data protection programs, consistent with industry practices and legal requirements, are designed to protect and defend against unauthorized access to systems and data. A dedicated team of cybersecurity specialists continuously monitors EY systems and responds to cyberattacks globally.
Beyond technical and process controls, all EY people must annually confirm in writing their understanding of the EY Global Code of Conduct and their commitment to follow it. Security awareness training is also required. Policies such as the Global Information Security Policy and the Global Acceptable Use of Technology Policy outline the care that must be taken with technology and data. EY cybersecurity policies and processes also emphasize the importance of timely communication.
EY people receive regular communications reminding them of their responsibilities under these policies and reinforcing general security awareness practices.
Addressing fraud risks in the audit
As organizations grow more complex and increasingly dependent on digital systems, there is a need to evolve the auditor’s efforts to identify and respond to risks of material misstatement due to fraud, as well as respond to any identified or suspected fraud.
EY leverages data to identify and respond to the risk of fraudulent financial reporting. For example, auditors can leverage the advanced data analytics capabilities of EY Helix to identify unusual transactions and patterns that may indicate a heightened risk of fraud.
In addition to access to Forensic professionals, EY provides tools and processes to help teams identify and respond to specific fraud risks. These tools include:
- The Document Authenticity Tool, which uses a range of techniques to check for alterations in selected electronic documents. It helps identify when a document provided as audit evidence may have been altered, tampered with, or modified.
- The Journal Entry Fraud Risk Analyzer (JEFRA), which reviews each selected journal entry for characteristics associated with a higher risk of management override and flags entries for incremental consideration.
- The Short seller report alert process, which monitors short seller report activity and distributes reports to audit teams and leadership across the globe.