SORT - Service Page 1 of 3

Thursday 19 July 2018 Help | Add to Favorites

Service Offering Reference Tool (Americas - LAN Edition)

Home Change Area Issues Advisory Assurance Tax TAS Guidance Search

G Risk Convergence Provide Feedback Export to Word Print Preview

Sub-Service Line Advisory - Risk Transformation

Solution Set Risk Transformation

EY Anchor(s) Risk Advisory

GFIS Code Global: 293

Local: 293RC

Description Advisory Delivery approaches

Services described below (either standalone or combined with other services in Advisory or other service lines) provide the following types of assistance (individually or
in combination) to clients via hours-based and/or asset-based delivery models:

κ Advice
κ Implementation (process and/or technology) [Refer to Advisory technology scope of services for details of Advisory technology scope of service and IT
Oversight Committee (ITOC) approval requirements]
κ Managed services/Outsourcing (can be IT-enabled or not) [All engagements involving managed services/outsourcing must be approved by the Area Advisory
Managed Services Oversight Committee (MSOC). “IT outsourcing” is a prohibited service as listed in the Appendix to the Scope of Services Global policy

Risk Convergence services involve assessing risk management functions and making recommendations for improvement, including helping clients with benchmarking
against baseline requirements for meeting regulatory challenges or against leading practices.

This service may involve performing an assessment of the client’s risk management competencies across the organization by:

κ Evaluation of the core risk management functions

κ Evaluation of risk coverage by risk management functions
κ Assessment of risk coverage against leading practices
κ Alignment with current and future state stakeholder expectations
κ Identification of targeted areas for improvement
κ Assistance with implementing identified opportunities for improvement

Value Proposition We help our clients determine whether their risk functions (e.g., lines of defense) are aligned to execute the organization’s risk strategy. We assist our clients with
identifying and implementing opportunities to align and coordinate their risk functions based on leading practices. This helps clients to execute and sustain their risk
strategy based on the risks that impact the organization.

Target Market / Buyer CFOs, COOs, CROs, CAEs or Business Unit Leaders of G360ss and Advisory Focus Accounts.

Client Need We offer Risk Transformation services to assist clients with the following issues:

κ Risk Strategy: (1) overall alignment of risk with corporate goals, major initiatives and emerging market trends, (2) e “risk”, and determine management and the
Board’s risk appetite and overall tolerance levels, (3) Communicate overall risk strategy to key stakeholders, (4) Clarify risk oversight at the Board and executive
management levels, (5) Deliver transparency and accountability at all levels in the organization.
κ Embed Risk Management: (1) Define the key “risks to own,” (2) Invest in the strategic “risks that matter” to the business, (3) Link risk management to business
planning and performance management, (4) Align key risk indicators (KRIs) with KPIs and key control indicators (KCIs).
κ Controls & Processes: (1) Manage cost of controls spend, (2) Leverage automated controls vs. manual controls, (3) Implement prevent vs. detect controls, (4)
Evaluate controls around key business and IT processes, (5) Monitor critical controls and KPIs continuously to manage decision-making and performance
results.
κ Risk Management Functions: (1) Manage the effectiveness and efficiency of individual risk management functions, (2) Assess and manage redundancies and
overlap in risk coverage, (3) Coordinate risk activities and align skills to leverage existing infrastructure and resources.
κ Enable Risk Management: Harness technology to manage and enable risk management, controls and processes
κ Communicate Risk coverage: embed transparency and stakeholder communications.
Risk Convergence services are focused on risk management functions (4).

Risk Management / Quality Guidance Permissibility of Services

In the table below, each service is indicated as either Allowed, Allowed subject to certain considerations, Prohibited or Not Applicable. Please review the table in
conjunction with the considerations set out below.

EU PIE CONSIDERATIONS ARE REFERENCED BELOW

SEC Ch1 Clients Other Ch1 PIEs Other Ch1 Clients Ch2 Clients
Allowed 1 Allowed 1 Allowed 1 X Allowed 1
X Allowed subject to certain X Allowed subject to certain X Allowed subject to certain Allowed subject to certain
considerations 2 considerations 2 considerations 2 considerations 2
Prohibited 3 Prohibited 3 Prohibited 3 Prohibited 3
N/A 4 N/A 4 N/A 4 N/A 4

1 Allowed: The service is generally allowed. There are no specific prohibited activities identified for this service. As indicated below, teams should remain
general policies and procedures governing service delivery.
2 Allowed subject to certain considerations: The provision of the service or activities within the service may require further analysis by the engagement team
may be subject to certain considerations or restrictions as noted below.
3 Prohibited: The service is prohibited due to specific service activities which are not suitable for the particular type of client. If the provision of a component of
service identified is being contemplated, consultation with Independence resources is required.
4 N/A: The service is not relevant to and therefore not offered to the type of client indicated. For example, audit support services are not applicable to a Channel
client, for whom, by definition, we do not provide audit services.

Conflict Check not required unless the service provided will have an impact on, or involve, or be used by a specific known third party or counterparty.
Reference should be made to the Conflicts guidance where detailed below.

Overarching Considerations

Prior to providing any service, an analysis of the suitability of providing the service as contemplated to a particular client must be evaluated. The following
Independence Prologue addresses the factors that should be required as part of such an assessment.
κ Independence Prologue
EU PIE Considerations

The European Union Audit Reform (EUAR) legislation, effective from June 17, 2016 introduces important new requirements with respect to the audits of PIEs in the
European Union (EU) and their affiliates. These new requirements generally apply from the start of the first reporting period commencing after June 17, 2016.
independence rules include wide ranging non-audit service prohibitions that are stricter than the IESBA Code of Ethics for Professional Accountants.

https://sort.ey.net/ServiceOffering.aspx?SOID=2902&SubAreaID=5 19/07/2018
SORT - Service Page 2 of 3

Individual EU Country assessments may be more restrictive than Global SORT independence assessments. The Global SORT assessments for EU PIEs
(available at the link below) are based on current interpretation of Article 5 of EU Regulation 537/2014. Individual EU Country assessments are based on
EU Member State implementation of the Regulation and may therefore reflect additional country restrictions that have been enacted into local Member
State law.

PLEASE REFER TO YOUR REGIONAL SORT FOR COUNTRY CONSIDERATIONS BEFORE CONCLUDING ON THE PERMISSIBILITY OF A SERVICE.

Listing of all Global SORT Independence assessments for EU PIEs

Other Considerations

Additional considerations relevant to this service offering should also be contemplated when evaluating the suitability of providing the service to a particular client.
Where references are made to a particular policy, other sections of the policy may also be applicable depending on specific client circumstances and the scope of
engagement.

To address the Allowed Subject to Certain Considerations restrictions, you must consider the independence restrictions in the EYG Independence Policy
(including Supplementary Guidance) and applicable local policies, specifically the sections noted below.

Local Considerations

κ Regarding the requirements of Section 309 of the EYG Independence Policy, the Mexican Rules for Public and Regulated audit clients prohibit internal audit
services regarding financial statements and accounting controls of the Issuer or Regulated Company, regardless of significance, materiality or if the activities
are related to non significant part of internal controls over financial reporting. This is only applicable to the Mexican Listed or Regulated company, not applicable
to its subsidiaries or affiliates.
κ Regarding the requirements of Section 310 of the EYG Independence Policy, the Mexican Rules for Public and Regulated audit clients prohibit information
technology systems services that involve the operation, supervision, design or implementation of IT systems (hardware and software) of the Listed or
Company, that concentrate data supporting the Financial Statements, regardless of significance or materiality, and also prohibit operation, supervision, design
or implementation of IT systems generating information that is significant for the preparation of the Financial Statements. Since IT services provide underlying
data to the financial statements, this service is prohibited for the Mexican listed or regulated companies and for their subsidiaries or affiliates in Mexico and
abroad. There is no "not subject to audit exception".
κ Regarding the requirements of Section 314 of the EYG Independence Policy, the Mexican Rules for Public and Regulated audit clients prohibit recruitment and
selection of General Directors and the two levels below General Director, for the Listed or Regulated Companies, regardless of the activities to be performed.
This is applicable to Mexican listed or regulated companies, no to their subsidiaries or affiliates.

Global Considerations

Please refer to SORT Country restrictions for additional details on independence consideration at a country level

General Independence/Regulatory Considerations when Delivering Advisory Services to clients with independence restrictions

Certain limited aspects of the activities described above can be provided to clients with independence restrictions (ie, Channel 1 or Channel 2 with restrictions), on a
limited scope basis, provided that such services are permitted under the EYG Independence Policy and the independence rules of the particular jurisdiction. In
services for Channel 1 clients are limited to assessment services related to the above described topics and activities, for example:

κ Reviewing or evaluating client materials or documentation prepared by the client

κ Interviewing or surveying the client
κ Providing findings and recommendations
κ Facilitating workshops, or participating in sessions as an advisor sharing observations and leading practices
κ Identifying gaps in a process as compared to leading practices
κ Sharing thought leadership

Depending on the delivery/contracting approach, there may be additional independence implications, for example:

κ Activities involving acting as management (or being perceived to act as management) (see supplementary guidance here) are prohibited for clients
independence restrictions
κ For clients with independence restrictions, prior written approval of independence is required for managed services/outsourcing for non-SEC CH 1.
services/outsourcing is prohibited for SEC CH1.
κ There are independence restrictions relating to providing temporary or loaned resources (also known as resource augmentation and secondment) to audit
clients see the EYG Independence Policy, Section 311 for the restrictions] for non-SEC CH 1. Temporary or loaned resources are prohibited for SEC CH1..
Additional local legal and regulatory restrictions may also apply.

Refer to supplementary independence guidance below and in Supplementary Independence guidance G310S.1 regarding providing Advisory services to Channel 1 or
other restricted clients.

Independence policies applicable:

EYG Independence Policy

κ Acting as Management Section 305 and Management Activities Section G305.1 for Other Channel 1 and US SEC clients
κ Program/project management office (PMO) services for independence restricted entities Section G305S.1 for US SEC clients
κ Internal audit Services Section 309 and Internal audit functions Section G309.1 for Other Channel 1 and US SEC clients
κ Information Technology Systems Services Sections 310 and 310S.2 for Other Channel 1 and US SEC clients
κ Temporary or Loaned Staff Assignments Section 311 and Temporary Staff Assignments Section G311.1 for Other Channel 1 and US SEC clients
κ Recruitment of management Section 314 for Other Channel 1 and US SEC clients respectively
κ Advisory services for channel 1 or other restricted clients Section G310S.1 for US SEC clients

Certain Other Channel 1 and US SEC Considerations:

Prior to providing services to a US SEC audit client the following additional considerations must be evaluated:

κ Prologue Advisory Appendix A US SEC Considerations and Other Channel 1 (including Item 1b)

Certain US SEC Considerations:

Prior to providing services to SEC Channel 1 clients (which includes any affiliates), consideration should be given to the prohibition against performing management
and employee functions or monitoring activities as described in EYG supplementary guidance G305.1, which is referenced above. Further, consideration should be
given to the prohibition against providing financial system design and implementation services to the entity subject to audit and any of its downstream affiliates, as
referenced in US Independence Guidance G307 “Financial information systems design and implementation.” The Global SEC Independence Center is available to
consult on such matters.

κ Independence Prologue Appendix A, Advisory - US SEC considerations (including Item 1b)

κ EYG G310S.1 Advisory services for channel 1 or other restricted clients

Managed Service delivery mechanism is not permitted for SEC CH1 and implementation services are not permitted for SEC CH 1 (unless at a Not Subject To Audit
(NSTA) affiliate).

For SEC issuer audit clients, we are required to comply with PCAOB Rule 3525 prior to engaging in any non-audit services related to internal controls over financial
reporting. The PCAOB Rule 3525 requires a) the scope of service be submitted to the audit committee in writing prior to engagement, b) discussion of the scope of
service and independence effects with the audit committee and c) timely documentation of the substance of the aforementioned discussion.

Channel 2 situations involving a US SEC audit client vendor:

Review notes 4 and 5 of Prologue appendix A prior to providing services to Channel 2 clients, as some limitations may apply with respect to the delivery of this service
as a result of third parties who are US SEC audit clients. See EYG Independence Sections G207.1d, Mutuality of interests with a US SEC audit client, G207.2a
engagements and client facing activities, G310S.2, Audit client vendors and avoiding a "mutuality of interest", and G310S.3, Vendor selection services for further
considerations.

Advisory does not provide copies of internal EY training materials to targets or clients, except in limited circumstances only after consultation with relevant Advisory
Quality contacts.

Overarching considerations

https://sort.ey.net/ServiceOffering.aspx?SOID=2902&SubAreaID=5 19/07/2018
SORT - Service Page 3 of 3

Software resale: The resale of software is considered a business relationship and requires an approved BRET for both the software vendor and EY's
client.

SOFTWARE RESALE:

IESBA Restrictions:

The resale of software from a vendor that is an audit client (and not a US SEC audit client), including its affiliates under the appropriate definition (PIE
or non PIE), is a business relationship and only permitted if immaterial and insignificant (in fact and in appearance).

The resale of software to an audit client that is not a US SEC audit client, including its affiliates under the appropriate definition, requires an
assessment of the following independence concerns:

κ The resale activity: whether the associated fee structure with the software vendor constitutes a commission or referral requiring disclosure to
audit client;
κ The nature of the software and the associated EY services: whether such services involve assuming a management function and whether the
functionality creates a self-review threat under the applicable independence framework (PIE or non PIE);
κ Maintenance and other potential EY on-going responsibilities , such as warranty and liability (applicable to the software itself or the EY
associated services).

Additional independence restrictions may apply in the local jurisdiction. These arrangements require consultation with Region Independence Leader.

SEC restrictions: Because the resale of software is considered to be a business relationship, it is not permitted with an SEC restricted entity, including
the audit client, its affiliates or substantial stockholders. These restrictions apply to both the software vendor and EY's client.

APPROPRIATE STAFFING OF ENGAGEMENTS

In accordance with the Appropriate Staffing of Engagements Global Policy, Advisory services must only be delivered by Advisory
staff/partners with the appropriate technical skills and experience, accreditations, qualifications and maintained knowledge in the
matter. Approval and other requirements apply for non-Advisory staff/partners to deliver Advisory services – contact the Region Advisory
Quality team – see contact names below.

Contacts Service Line Contacts: Risk Management / Quality Contacts:

, Advisory Service Line leader , Regional Risk Management Leader
+524777177062 +525552831387
, Global Risk Transformation Leader , Regional Independence Leader
+14126440407 +50625751692
, Advisory Quality Leader
+525511018402

Countries This Service is offered in the following Countries within this Edition:
Bolivia, Colombia, Costa Rica, Dominican Republic, Ecuador, El Salvador, Guatemala, Honduras, Mexico, Nicaragua, Panama, Peru, Venezuela

Other Locations This Service is also offered in the following locations:

Americas: BBC, Canada, EYC, Israel, LAS, US
Asia Asia Pacific
Pacific:
EMEIA: Africa, CIS, CSE, GSA, India, Mediterranean, MENA, Nordics,
UK&I, WEM
Japan: Japan

Links to relevant Service Line EYG Independence Policy CHS

resources Independence Prologue Appendix A

Last updated on: Fri, 23 Feb 2018 12:45:11 GMT

Copyright © 2007~2018 EY. All Rights Reserved. The information provided on the SORT Web Site is proprietary, confidential and legally privileged to EY. For internal use only.

https://sort.ey.net/ServiceOffering.aspx?SOID=2902&SubAreaID=5 19/07/2018