Sort.ey

SORT - Service

Page 1 of 3

Thursday 19 July 2018

Help | Add to Favorites

Service Offering Reference Tool (Americas - LAN Edition)

Home

Change Area

Issues

Advisory

Assurance

Tax

TAS

Search

Guidance

G Risk Convergence

Provide Feedback

Sub-Service Line

Advisory - Risk Transformation

Solution Set

Risk Transformation

EY Anchor(s)

Risk Advisory

GFIS Code

Global: 293

Export to Word

Print Preview

Local: 293RC Description

Advisory Delivery approaches Services described below (either standalone or combined with other services in Advisory or other service lines) provide the following types of assistance (individually or in combination) to clients via hours-based and/or asset-based delivery models: κ κ

Advice Implementation (process and/or technology) [Refer to Advisory technology scope of services for details of Advisory technology scope of service and IT

Oversight Committee (ITOC) approval requirements]

κ

Managed services/Outsourcing (can be IT-enabled or not) [All engagements involving managed services/outsourcing must be approved by the Area Advisory Managed Services Oversight Committee (MSOC). “IT outsourcing” is a prohibited service as listed in the Appendix to the Scope of Services Global policy

Risk Convergence services involve assessing risk management functions and making recommendations for improvement, including helping clients with benchmarking against baseline requirements for meeting regulatory challenges or against leading practices. This service may involve performing an assessment of the client’s risk management competencies across the organization by: κ κ κ κ κ κ

Evaluation of the core risk management functions Evaluation of risk coverage by risk management functions Assessment of risk coverage against leading practices Alignment with current and future state stakeholder expectations Identification of targeted areas for improvement Assistance with implementing identified opportunities for improvement

Value Proposition

We help our clients determine whether their risk functions (e.g., lines of defense) are aligned to execute the organization’s risk strategy. We assist our clients with identifying and implementing opportunities to align and coordinate their risk functions based on leading practices. This helps clients to execute and sustain their risk strategy based on the risks that impact the organization.

Target Market / Buyer

CFOs, COOs, CROs, CAEs or Business Unit Leaders of G360ss and Advisory Focus Accounts.

Client Need

We offer Risk Transformation services to assist clients with the following issues: κ

κ κ

κ κ κ

Risk Strategy: (1) overall alignment of risk with corporate goals, major initiatives and emerging market trends, (2) e “risk”, and determine management and the Board’s risk appetite and overall tolerance levels, (3) Communicate overall risk strategy to key stakeholders, (4) Clarify risk oversight at the Board and executive management levels, (5) Deliver transparency and accountability at all levels in the organization. Embed Risk Management: (1) Define the key “risks to own,” (2) Invest in the strategic “risks that matter” to the business, (3) Link risk management to business planning and performance management, (4) Align key risk indicators (KRIs) with KPIs and key control indicators (KCIs). Controls & Processes: (1) Manage cost of controls spend, (2) Leverage automated controls vs. manual controls, (3) Implement prevent vs. detect controls, (4) Evaluate controls around key business and IT processes, (5) Monitor critical controls and KPIs continuously to manage decision-making and performance results. Risk Management Functions: (1) Manage the effectiveness and efficiency of individual risk management functions, (2) Assess and manage redundancies and overlap in risk coverage, (3) Coordinate risk activities and align skills to leverage existing infrastructure and resources. Enable Risk Management: Harness technology to manage and enable risk management, controls and processes Communicate Risk coverage: embed transparency and stakeholder communications. Risk Convergence services are focused on risk management functions (4).

Risk Management / Quality Guidance Permissibility of Services In the table below, each service is indicated as either Allowed, Allowed subject to certain considerations, Prohibited or Not Applicable. Please review the table in conjunction with the considerations set out below. EU PIE CONSIDERATIONS ARE REFERENCED BELOW SEC Ch1 Clients Allowed 1 X Allowed subject to certain considerations 2

Other Ch1 PIEs Allowed 1 X Allowed subject to certain considerations 2

Other Ch1 Clients Allowed 1 X Allowed subject to certain considerations 2

Ch2 Clients X Allowed 1

Allowed subject to certain considerations 2

Prohibited 3

Prohibited 3

Prohibited 3

Prohibited 3

N/A 4

N/A 4

N/A 4

N/A 4

1

Allowed: The service is generally allowed. There are no specific prohibited activities identified for this service. As indicated below, teams should remain general policies and procedures governing service delivery.

2

Allowed subject to certain considerations: The provision of the service or activities within the service may require further analysis by the engagement team may be subject to certain considerations or restrictions as noted below.

3

Prohibited: The service is prohibited due to specific service activities which are not suitable for the particular type of client. If the provision of a component of service identified is being contemplated, consultation with Independence resources is required.

4

N/A: The service is not relevant to and therefore not offered to the type of client indicated. For example, audit support services are not applicable to a Channel client, for whom, by definition, we do not provide audit services.

Conflict Check not required unless the service provided will have an impact on, or involve, or be used by a specific known third party or counterparty. Reference should be made to the Conflicts guidance where detailed below. Overarching Considerations Prior to providing any service, an analysis of the suitability of providing the service as contemplated to a particular client must be evaluated. The following Independence Prologue addresses the factors that should be required as part of such an assessment. κ

Independence Prologue

EU PIE Considerations

The European Union Audit Reform (EUAR) legislation, effective from June 17, 2016 introduces important new requirements with respect to the audits of PIEs in the European Union (EU) and their affiliates. These new requirements generally apply from the start of the first reporting period commencing after June 17, 2016. independence rules include wide ranging non-audit service prohibitions that are stricter than the IESBA Code of Ethics for Professional Accountants.

https://sort.ey.net/ServiceOffering.aspx?SOID=2902&SubAreaID=5

19/07/2018

SORT - Service

Page 2 of 3

Individual EU Country assessments may be more restrictive than Global SORT independence assessments. The Global SORT assessments for EU PIEs (available at the link below) are based on current interpretation of Article 5 of EU Regulation 537/2014. Individual EU Country assessments are based on EU Member State implementation of the Regulation and may therefore reflect additional country restrictions that have been enacted into local Member State law. PLEASE REFER TO YOUR REGIONAL SORT FOR COUNTRY CONSIDERATIONS BEFORE CONCLUDING ON THE PERMISSIBILITY OF A SERVICE. Listing of all Global SORT Independence assessments for EU PIEs Other Considerations Additional considerations relevant to this service offering should also be contemplated when evaluating the suitability of providing the service to a particular client. Where references are made to a particular policy, other sections of the policy may also be applicable depending on specific client circumstances and the scope of engagement. To address the Allowed Subject to Certain Considerations restrictions, you must consider the independence restrictions in the EYG Independence Policy (including Supplementary Guidance) and applicable local policies, specifically the sections noted below. Local Considerations κ

κ

κ

Regarding the requirements of Section 309 of the EYG Independence Policy, the Mexican Rules for Public and Regulated audit clients prohibit internal audit services regarding financial statements and accounting controls of the Issuer or Regulated Company, regardless of significance, materiality or if the activities are related to non significant part of internal controls over financial reporting. This is only applicable to the Mexican Listed or Regulated company, not applicable to its subsidiaries or affiliates. Regarding the requirements of Section 310 of the EYG Independence Policy, the Mexican Rules for Public and Regulated audit clients prohibit information technology systems services that involve the operation, supervision, design or implementation of IT systems (hardware and software) of the Listed or Company, that concentrate data supporting the Financial Statements, regardless of significance or materiality, and also prohibit operation, supervision, design or implementation of IT systems generating information that is significant for the preparation of the Financial Statements. Since IT services provide underlying data to the financial statements, this service is prohibited for the Mexican listed or regulated companies and for their subsidiaries or affiliates in Mexico and abroad. There is no "not subject to audit exception". Regarding the requirements of Section 314 of the EYG Independence Policy, the Mexican Rules for Public and Regulated audit clients prohibit recruitment and selection of General Directors and the two levels below General Director, for the Listed or Regulated Companies, regardless of the activities to be performed. This is applicable to Mexican listed or regulated companies, no to their subsidiaries or affiliates.

Global Considerations Please refer to SORT Country restrictions for additional details on independence consideration at a country level General Independence/Regulatory Considerations when Delivering Advisory Services to clients with independence restrictions Certain limited aspects of the activities described above can be provided to clients with independence restrictions (ie, Channel 1 or Channel 2 with restrictions), on a limited scope basis, provided that such services are permitted under the EYG Independence Policy and the independence rules of the particular jurisdiction. In services for Channel 1 clients are limited to assessment services related to the above described topics and activities, for example: κ κ κ κ κ κ

Reviewing or evaluating client materials or documentation prepared by the client Interviewing or surveying the client Providing findings and recommendations Facilitating workshops, or participating in sessions as an advisor sharing observations and leading practices Identifying gaps in a process as compared to leading practices Sharing thought leadership

Depending on the delivery/contracting approach, there may be additional independence implications, for example: κ κ κ

Activities involving acting as management (or being perceived to act as management) (see supplementary guidance here) are prohibited for clients independence restrictions For clients with independence restrictions, prior written approval of independence is required for managed services/outsourcing for non-SEC CH 1. services/outsourcing is prohibited for SEC CH1. There are independence restrictions relating to providing temporary or loaned resources (also known as resource augmentation and secondment) to audit clients see the EYG Independence Policy, Section 311 for the restrictions] for non-SEC CH 1. Temporary or loaned resources are prohibited for SEC CH1.. Additional local legal and regulatory restrictions may also apply.

Refer to supplementary independence guidance below and in Supplementary Independence guidance G310S.1 regarding providing Advisory services to Channel 1 or other restricted clients. Independence policies applicable: EYG Independence Policy κ κ κ κ κ κ κ

Acting as Management Section 305 and Management Activities Section G305.1 for Other Channel 1 and US SEC clients Program/project management office (PMO) services for independence restricted entities Section G305S.1 for US SEC clients Internal audit Services Section 309 and Internal audit functions Section G309.1 for Other Channel 1 and US SEC clients Information Technology Systems Services Sections 310 and 310S.2 for Other Channel 1 and US SEC clients Temporary or Loaned Staff Assignments Section 311 and Temporary Staff Assignments Section G311.1 for Other Channel 1 and US SEC clients Recruitment of management Section 314 for Other Channel 1 and US SEC clients respectively Advisory services for channel 1 or other restricted clients Section G310S.1 for US SEC clients

Certain Other Channel 1 and US SEC Considerations: Prior to providing services to a US SEC audit client the following additional considerations must be evaluated: κ

Prologue Advisory Appendix A US SEC Considerations and Other Channel 1 (including Item 1b)

Certain US SEC Considerations: Prior to providing services to SEC Channel 1 clients (which includes any affiliates), consideration should be given to the prohibition against performing management and employee functions or monitoring activities as described in EYG supplementary guidance G305.1, which is referenced above. Further, consideration should be given to the prohibition against providing financial system design and implementation services to the entity subject to audit and any of its downstream affiliates, as referenced in US Independence Guidance G307 “Financial information systems design and implementation.” The Global SEC Independence Center is available to consult on such matters. κ κ

Independence Prologue Appendix A, Advisory - US SEC considerations (including Item 1b) EYG G310S.1 Advisory services for channel 1 or other restricted clients

Managed Service delivery mechanism is not permitted for SEC CH1 and implementation services are not permitted for SEC CH 1 (unless at a Not Subject To Audit (NSTA) affiliate). For SEC issuer audit clients, we are required to comply with PCAOB Rule 3525 prior to engaging in any non-audit services related to internal controls over financial reporting. The PCAOB Rule 3525 requires a) the scope of service be submitted to the audit committee in writing prior to engagement, b) discussion of the scope of service and independence effects with the audit committee and c) timely documentation of the substance of the aforementioned discussion. Channel 2 situations involving a US SEC audit client vendor: Review notes 4 and 5 of Prologue appendix A prior to providing services to Channel 2 clients, as some limitations may apply with respect to the delivery of this service as a result of third parties who are US SEC audit clients. See EYG Independence Sections G207.1d, Mutuality of interests with a US SEC audit client, G207.2a engagements and client facing activities, G310S.2, Audit client vendors and avoiding a "mutuality of interest", and G310S.3, Vendor selection services for further considerations. Advisory does not provide copies of internal EY training materials to targets or clients, except in limited circumstances only after consultation with relevant Advisory Quality contacts.

Overarching considerations

https://sort.ey.net/ServiceOffering.aspx?SOID=2902&SubAreaID=5

19/07/2018

SORT - Service

Page 3 of 3

Software resale: The resale of software is considered a business relationship and requires an approved BRET for both the software vendor and EY's client. SOFTWARE RESALE: IESBA Restrictions: The resale of software from a vendor that is an audit client (and not a US SEC audit client), including its affiliates under the appropriate definition (PIE or non PIE), is a business relationship and only permitted if immaterial and insignificant (in fact and in appearance). The resale of software to an audit client that is not a US SEC audit client, including its affiliates under the appropriate definition, requires an assessment of the following independence concerns: κ

The resale activity: whether the associated fee structure with the software vendor constitutes a commission or referral requiring disclosure to audit client;

κ

The nature of the software and the associated EY services: whether such services involve assuming a management function and whether the functionality creates a self-review threat under the applicable independence framework (PIE or non PIE);

κ

Maintenance and other potential EY on-going responsibilities , such as warranty and liability (applicable to the software itself or the EY associated services).

Additional independence restrictions may apply in the local jurisdiction. These arrangements require consultation with Region Independence Leader. SEC restrictions: Because the resale of software is considered to be a business relationship, it is not permitted with an SEC restricted entity, including the audit client, its affiliates or substantial stockholders. These restrictions apply to both the software vendor and EY's client.

APPROPRIATE STAFFING OF ENGAGEMENTS In accordance with the Appropriate Staffing of Engagements Global Policy, Advisory services must only be delivered by Advisory staff/partners with the appropriate technical skills and experience, accreditations, qualifications and maintained knowledge in the matter. Approval and other requirements apply for non-Advisory staff/partners to deliver Advisory services – contact the Region Advisory Quality team – see contact names below. Contacts

Service Line Contacts: , Advisory Service Line leader +524777177062 , Global Risk Transformation Leader +14126440407

Countries

This Service is offered in the following Countries within this Edition: Bolivia, Colombia, Costa Rica, Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Mexico, Nicaragua, Panama, Peru, Venezuela

Other Locations

This Service is also offered in the following locations: Americas: BBC, Canada, EYC, Israel, LAS, US Asia Asia Pacific Pacific: EMEIA: Africa, CIS, CSE, GSA, India, Mediterranean, MENA, Nordics, UK&I, WEM Japan: Japan

Links to relevant Service Line resources

EYG Independence Policy CHS Independence Prologue Appendix A

Last updated on:

Risk Management / Quality Contacts: , Regional Risk Management Leader +525552831387 , Regional Independence Leader +50625751692 , Advisory Quality Leader +525511018402

Fri, 23 Feb 2018 12:45:11 GMT Copyright © 2007~2018 EY. All Rights Reserved. The information provided on the SORT Web Site is proprietary, confidential and legally privileged to EY. For internal use only.

https://sort.ey.net/ServiceOffering.aspx?SOID=2902&SubAreaID=5

19/07/2018