Risk Assessment (IT & Non-IT)

Risk Assessment (IT & Non-IT). MIS5205 2/21/2014. Risk Assessment Overview.

Presentation Transcript


  1. Risk Assessment (IT & Non-IT) MIS5205 2/21/2014

  2. Risk Assessment Overview
  Control Environment (COSO framework):
  • The control environment sets the tone of an organization and influences the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
  • Control environment factors: the integrity, ethical values and competence of the people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and policies and procedures for the prevention and detection of fraud, etc.

  3. Risk Definitions
  Typical Enterprise Risk Categories:
  • Policies and Procedures
  • Personnel
  • Management and Supervision
  • Training
  • Organization Structure
  • Fraud Prevention and Detection

  4. Risk Definitions and Events
  Policies and Procedures – Definition:
  • Inadequately developed, documented and/or communicated business-specific policies and procedures.
  • Non-compliance with existing company and business-specific policies.

  5. Risk Definitions and Events
  Policies and Procedures – Sample Risk Events:
  • Ineffective process to report unethical matters related to financial reporting (hotlines, whistleblower program)
  • Mechanisms for reporting unethical matters have not been properly communicated to all employees (training)
  • Conflict of interest surveys with affirmative responses have not been reviewed and properly escalated by the Ethics Officers for resolution (tone from the top)
  • Lack of an inventory of corporate policies and procedures and business line/function-specific policies applicable to the business activity (review and updating)

  6. Risk Definitions and Events
  Policies and Procedures – Sample Risk Events:
  • Policies and procedures training and communication across the company
  • Inadequate monitoring of changes or updates to corporate policies and procedures
  • Lack of active, written policies for all critical aspects of the business and corporate functions

  7. Risk Definitions and Events
  Policies and Procedures – Sample Risk Events:
  • Out-of-date policies and procedures: policies no longer reflect day-to-day activities because of changes in the business/corporate function, impracticality of implementation, etc.
  • Company-wide system and information security policies and standards are not regularly reviewed and updated, or do not exist
  • Roles and responsibilities for information security and other system functions are not well defined and formalized, or do not enforce a proper segregation of duties
  • Policy statements for new products, subsidiaries, or other strategic initiatives have not been created

  8. Risk Definitions and Events
  Policies and Procedures – Sample Risk Events:
  • Management does not have a formal process to re-evaluate and revise procedures
  • Prior versions or copies of Standard Operating Procedures are not retained to support previous decision-making
  • Procedures are not reviewed/signed off by Management, appropriate subject matter experts, or control groups (Law, Compliance, etc.)
  • Lack of an appropriate, consistent approach to the evaluation of exceptions to policy

  9. Risk Definitions
  Personnel – Definition:
  • Insufficient number of employees, and insufficient retention of competent or experienced personnel, to accomplish the business's goals and objectives.
  • Insufficient number of people with the required skill levels relative to the size of the business and the nature and complexity of its activities and systems.

  10. Risk Definitions and Events
  Personnel – Sample Risk Events:
  • Employees do not meet licensing requirements specified for their job position (industry specific, e.g. CISA, CFA, CPA, etc.)
  • Records of hiring decisions are not retained to support decisions to hire or reject candidates
  • Employees are not provided with, or do not have access to, the tools and utilities necessary to complete their job responsibilities
  • Lack of (or non-adherence to) standards and criteria for hiring, training, promoting and compensating employees
  • Business line does not maintain job descriptions or other means of defining specific job responsibilities

  11. Risk Definitions and Events
  Personnel – Risk Events:
  • Management does not analyze the knowledge and skills needed to perform jobs adequately
  • Employees are not made aware of the responsibilities and duties expected of them, through formal written performance evaluations at least annually or through other informal processes
  • High level of turnover of experienced staff or high proportion of junior staff (e.g., can lead to work backlogs)
  • No succession plan in place
  • Lack of depth of resources within the business unit
  • Lack of cross-training (resulting in unrealistic reliance on a few key personnel)

  12. Risk Definitions
  Management and Supervision – Definition:
  • Inappropriate span of control, assignment of responsibility and delegation of authority to deal with organizational goals and objectives.
  • Inadequate availability of MIS to monitor business activity.
  • Inappropriate 'tone at the top': management behaviors and incentives set by management for subordinates that may have a negative impact on the control environment.

  13. Risk Definitions
  Management and Supervision – Sample Risk Events:
  • Inappropriate "tone at the top" established by business line management (e.g., tolerance level for control breaks or other policy violations discourages adherence to policies)
  • Management does not take disciplinary actions to clearly communicate the consequences of inappropriate actions or of failure to address known and/or emerging issues
  • Management structure and/or span of control is not appropriate relative to business objectives
  • Lack of comprehensive risk analysis mechanisms, including control functions, to ensure that business line risks are identified, analyzed, monitored and controlled
  • Business line management does not reinforce corporate policy regarding acceptable business practices, conflicts of interest and expected standards of ethical and moral behavior

  14. Risk Definitions
  Management and Supervision – Risk Events:
  • Management does not place a high emphasis on ethical behavior in dealings with employees, customers, regulators, control functions, etc.
  • Management does not have controls in place to mitigate pressure to meet unrealistic performance targets (particularly for short-term results) or to reduce temptations arising from performance-based compensation
  • Management does not have comprehensive MIS in place to monitor the business
  • Management behavior and/or structure does not foster communication (up, down and across)

  15. Risk Definitions
  Management and Supervision – Sample Risk Events:
  • There is no proactive policy on known or emerging control breaches, policy or legal/regulatory violations, and related corrective actions, to ensure actions are taken promptly and decisively and, if warranted, appropriate disciplinary actions are taken
  • New businesses or products are not initiated in a controlled manner
  • Supervisory duties are not carried out in accordance with licensing or regulatory requirements
  • Goals set by management may be unrealistic or incent inappropriate behavior

  16. Risk Definitions
  Management and Supervision – Sample Risk Events:
  • Employee satisfaction or morale
  • Employee concerns are not heard or addressed by management
  • Management is not able to effectively gauge or review employee performance

  17. Risk Definitions
  Training – Definition:
  • Inadequate training of personnel to meet position requirements or to fulfill the company’s professional and ethical standards.

  18. Risk Definitions
  Training – Sample Risk Events:
  • Lack of formal training programs for new hires and existing employees
  • Employees are not encouraged to attend job-related training programs
  • Management does not have mechanisms in place to ensure that employees attend appropriate training programs
  • Failure to properly monitor compliance with training requirements
  • Inadequate function/product-specific or control-related skills training
  • Inadequate training to perform supervisory responsibilities
  • Training programs are not frequently updated

  19. Risk Definitions
  Training – Sample Risk Events:
  • Lack of cross-training for periods where employees are absent, re-assigned, and/or unavailable
  • Failure to communicate lessons learnt from historical or recent experiences to mitigate the risk of recurrence
  • Training programs are not delivered in a timely manner (e.g., prior to a systems implementation/major release)
  • Training programs do not support continuing education requirements for licensed representatives

  20. Risk Definitions
  Training – Sample Risk Events:
  • Qualifications of training providers
  • Lack of practice to collect and analyze training feedback
  • Out-of-date training courses: training is not kept current with changes to products, systems, benefits, etc.
  • Lack of training budget

  21. Risk Definitions
  Organizational Structure – Definition:
  • Inadequate organizational structure to provide the necessary information flow to manage the business’s activities, assign responsibilities and ensure an adequate segregation of duties.

  22. Risk Definitions
  Organizational Structure – Sample Risk Events:
  • Inappropriate organizational structure and an inability to provide the necessary information flow to manage its activities
  • Inadequate definition of key managers' responsibilities and of their understanding of these responsibilities (i.e., avoidance of ambiguity)
  • Inadequate knowledge and experience of key managers in light of their responsibilities

  23. Risk Definitions
  Organizational Structure – Sample Risk Events:
  • Management has not assigned responsibility and delegated authority to deal with organizational goals and objectives, operating functions and regulatory requirements, and to ensure that appropriate segregation of duties is maintained
  • Inappropriate level of interaction between business line personnel, operations management and other control functions, particularly when geographically removed
  • Inappropriate segregation of duties (e.g. between Sales, Operational and Finance functions)

  24. Risk Definitions
  Fraud Prevention and Detection (Industry Specific, e.g. FIs) – Definition:
  • Inadequate and/or infrequently performed activities designed to prevent and/or detect fraud.

  25. Risk Definitions
  Fraud Prevention and Detection (Industry Specific) – Sample Risk Events:
  • Administrative systems do not have 'red flags' or reports to alert management to potentially fraudulent transactions (e.g., address change and disbursement transactions processed within a short period of one another)
  • Documentation to support transactions being processed can be deleted, altered, or lost
  • Signature verification process does not exist for high-dollar disbursement transactions
  • Special payee/address procedures are not in place for routine and non-routine payments
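The first risk event on slide 25 names one concrete 'red flag': an address change followed shortly by a disbursement on the same account. The script below is an added illustration of how such a report can be produced from a transaction extract; it is not code from the presentation. The record layout (timestamp, account, transaction type, amount), the transaction type names, the sample records and the 7-day window are all constructed assumptions for the example.

```python
"""Red-flag report: disbursement shortly after an address change.

Added illustration of the 'red flag' report described on slide 25; not
code from the presentation. Record format, field names and the 7-day
window are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of administrative-system transaction records:
# timestamp, account id, transaction type, amount (0 for non-monetary).
SAMPLE_RECORDS = """\
2014-02-03T09:12:00,ACC-1001,ADDRESS_CHANGE,0
2014-02-05T14:30:00,ACC-1001,DISBURSEMENT,12500.00
2014-02-10T10:05:00,ACC-2002,DISBURSEMENT,300.00
2014-01-15T11:45:00,ACC-3003,ADDRESS_CHANGE,0
2014-02-14T16:20:00,ACC-3003,DISBURSEMENT,980.00
2014-02-18T08:00:00,ACC-4004,ADDRESS_CHANGE,0
2014-02-18T08:07:00,ACC-4004,DISBURSEMENT,45000.00
"""

WINDOW = timedelta(days=7)  # assumed look-back window for the red flag


def parse_records(text):
    """Parse one record per line into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, amount = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "type": kind,
            "amount": float(amount),
        })
    return records


def flag_disbursement_after_address_change(records, window=WINDOW):
    """Return (account, change_ts, disbursement_ts, amount) tuples for every
    disbursement that follows an address change on the same account within
    `window`. Records are grouped per account and sorted by time, so the
    result does not depend on the order of the input extract."""
    by_account = defaultdict(list)
    for rec in records:
        by_account[rec["account"]].append(rec)

    flags = []
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r["ts"])
        last_change = None
        for rec in recs:
            if rec["type"] == "ADDRESS_CHANGE":
                last_change = rec["ts"]
            elif rec["type"] == "DISBURSEMENT" and last_change is not None:
                if rec["ts"] - last_change <= window:
                    flags.append((account, last_change, rec["ts"], rec["amount"]))
    return flags


def red_flag_report(text=SAMPLE_RECORDS, window=WINDOW):
    """Parse an extract and return the flagged disbursements."""
    return flag_disbursement_after_address_change(parse_records(text), window)


if __name__ == "__main__":
    for account, changed, paid, amount in red_flag_report():
        print(f"{account}: address changed {changed:%Y-%m-%d %H:%M}, "
              f"disbursed {amount:,.2f} at {paid:%Y-%m-%d %H:%M}")
```

On the constructed sample, ACC-1001 (two days apart) and ACC-4004 (seven minutes apart) are flagged, while ACC-3003, whose disbursement comes a month after the address change, falls outside the window. In practice the window and any amount threshold are tuned to the business; the point is that the correlation is computed per account across transaction types, which a per-transaction review would not surface.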

  26. Risk Definitions
  Fraud Prevention and Detection (Industry Specific) – Sample Risk Events:
  • Management has not evaluated administrative systems user access for certain dangerous combinations
  • Role-based security does not align with segregation of duties and is not inclusive of both IT and non-IT based capabilities
  • Management has not been proactive in enhancing the staff's fraud awareness
  • Training is incomplete and/or outdated and does not address current fraud schemes
  • Call Center authentication procedures are not adequate and do not provide an escalation process or suspicious caller guidance
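The first two items on slide 26 concern evaluating user access for dangerous combinations and aligning role-based security with segregation of duties across both IT and non-IT capabilities. The script below is an added illustration of that review; it is not code from the presentation. The roles, the capabilities each role grants, the conflict pairs and the user assignments are all constructed for the example. It resolves each user's roles to effective capabilities before checking, so a conflict split across two roles (a business approval right plus an IT maintenance right) is caught, and it also reports which role pairs can never be co-assigned, which is the preventive view of the same rule set.

```python
"""Segregation-of-duties check over role assignments.

Added illustration for the 'dangerous combinations' and 'role-based
security does not align with segregation of duties' items on slide 26;
not code from the presentation. Roles, capabilities, conflict pairs and
users are constructed for the example.
"""
from itertools import combinations

# Constructed role -> capability mapping. Capabilities deliberately mix
# business actions (initiate/approve payments) with IT actions (maintain the
# payee master file, administer user access) so the check covers both.
ROLE_CAPABILITIES = {
    "payments_clerk": {"initiate_disbursement"},
    "payments_supervisor": {"approve_disbursement"},
    "customer_service": {"change_customer_address"},
    "vendor_master_admin": {"maintain_payee_master"},
    "app_security_admin": {"administer_user_access"},
    "reconciliation": {"reconcile_disbursements"},
}

# Constructed conflict pairs: no single person should hold both capabilities.
DANGEROUS_COMBINATIONS = {
    frozenset({"initiate_disbursement", "approve_disbursement"}),
    frozenset({"change_customer_address", "initiate_disbursement"}),
    frozenset({"maintain_payee_master", "approve_disbursement"}),
    frozenset({"administer_user_access", "approve_disbursement"}),
    frozenset({"initiate_disbursement", "reconcile_disbursements"}),
}

# Constructed user -> assigned roles (as exported from an access review).
USER_ROLES = {
    "alice": {"payments_clerk"},
    "bob": {"payments_clerk", "payments_supervisor"},
    "carol": {"customer_service", "payments_clerk"},
    "dave": {"app_security_admin", "payments_supervisor"},
    "erin": {"reconciliation"},
}


def effective_capabilities(roles, role_caps=ROLE_CAPABILITIES):
    """Union of the capabilities granted by a set of roles."""
    caps = set()
    for role in roles:
        caps |= role_caps.get(role, set())
    return caps


def sod_violations(user_roles=USER_ROLES, role_caps=ROLE_CAPABILITIES,
                   dangerous=DANGEROUS_COMBINATIONS):
    """Return {user: [sorted conflicting pair, ...]} for every user whose
    effective capabilities contain a dangerous combination. Checking
    capabilities rather than role names catches conflicts spread over
    several roles."""
    findings = {}
    for user, roles in user_roles.items():
        caps = effective_capabilities(roles, role_caps)
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(caps), 2)
                if frozenset(pair) in dangerous]
        if hits:
            findings[user] = sorted(hits)
    return findings


def role_pairs_in_conflict(role_caps=ROLE_CAPABILITIES,
                           dangerous=DANGEROUS_COMBINATIONS):
    """Preventive view: pairs of roles that must never be assigned together,
    derived from the role model alone before any user is provisioned."""
    conflicting = []
    for r1, r2 in combinations(sorted(role_caps), 2):
        caps = role_caps[r1] | role_caps[r2]
        if any(pair <= caps for pair in dangerous):
            conflicting.append((r1, r2))
    return conflicting


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for a, b in hits:
            print(f"{user}: holds both '{a}' and '{b}'")
    print("Role pairs that must not be co-assigned:", role_pairs_in_conflict())
```

On the constructed data, bob (initiates and approves), carol (changes addresses and initiates payments, the same pattern slide 25's red flag looks for after the fact) and dave (administers access and approves payments) are reported; alice and erin are clean. Running the same rule set against the role model, rather than against users, lists the role pairs a provisioning workflow should refuse to grant together.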

  27. Risk Definitions
  Fraud Prevention and Detection (Industry Specific) – Sample Risk Events:
  • No quality review or second check exists over transactions where fraud could be perpetrated
  • No sampling of transactions occurs over transactions where fraud could be perpetrated
  • Journal entries or 'top side' entries impacting quarterly results are posted without a second review and proper approvals
  • Bonus/incentive compensation for individuals responsible for posting financial data is tied to company performance in a manner outside the existing performance management process
  • Non-Designated and Covered individuals can view non-public financial data before results become public
  • Officers and Senior Executives are granted stock options that, when exercised, will inappropriately benefit them (i.e. backdating)

  28. Risk Definitions
  Fraud Prevention and Detection (Industry Specific) – Sample Risk Events:
  • Vendor due diligence is not conducted on firms who have the ability to commit fraud
  • Vendor relationships are not disclosed or monitored for conflict of interest or collusion
  • Vendor invoices/charges are not reviewed against support or are not thoroughly examined
  • Miscellaneous loss accounts are not monitored

  29. Risk Definitions
  Fraud Prevention and Detection (Industry Specific) – Sample Risk Events:
  • Agents and investment advisors are granted too much access to process transactions on behalf of customers
  • Underwriters and agents/brokers develop friendly relationships that may lead to preferential treatment (i.e. more favorable underwriting decisions)
  • Original, unaltered documentation is not available to support transactions
  • Management is incented to meet certain business-related targets (such as number of complaints, sales targets, and/or quality assurance processing results)