Risk Assessment and Internal Controls Anna Tomassacci Beth Ferracane Brendan McClune - PowerPoint PPT Presentation

Presentation Transcript

  1. Risk Assessment and Internal Controls Anna Tomassacci Beth Ferracane Brendan McClune

  2. Objectives • Complete a basic risk assessment. • Set up a system of internal controls to mitigate the risks identified during the assessment. • Apply internal controls to potentially deter negative events (e.g., fraud, inappropriate procurements, improper payments, etc.). Office of Operations 2009 Fall Conference

  3. Agenda • Internal Controls Overview • Group Exercises: • Global Risk Assessment for Procurement and Accounts Payable departments • Identify objectives and risks • Design control activities • Risk Assessment – Program Areas • Rank risks by impact and likelihood assuming there are no controls • Rank risks by impact and likelihood given existing controls • Attack and Defend Exercises

  4. Internal Controls History • NYS Governmental Accountability, Audit & Internal Control Act of 1987 • Budget Bulletin 350 • Committee of Sponsoring Organizations of the Treadway Commission (COSO)

  5. Internal Control The integration of the activities, plans, attitudes, policies, and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission.

  6. Basic Components • Control Environment • Risk Assessment • Control Activities • Information & Communication • Monitoring

  7. Internal Controls Pyramid [figure; labels: Monitoring, Control Activities, Risk Assessment, Information & Communication, Control Environment]

  8. Control Environment • Influences all of the decisions and activities of an organization, and the control consciousness of its people • The Tone at the Top • The foundation for all the other components

  9. Risk Assessment • The possibility that an event will occur and adversely affect the achievement of objectives. • To evaluate; to examine carefully; to determine or set the value of something.

  10. Control Activities The tools – both manual and automated – that help prevent or reduce the risks that can stop an organization from meeting its objectives and goals.

  11. Information & Communication The exchange of information between and among people and organizations.

  12. Monitoring The ongoing review of the organization's daily activities and transactions to determine whether controls are effective in ensuring that operations work as intended.

  13. Risk Assessment • The possibility that an event will occur and adversely affect the achievement of objectives. • To evaluate; to examine carefully; to determine or set the value of something.

  14. Process • What are the objectives? • What could go wrong (the Risk)? • What’s the likelihood of it occurring? • What’s the impact if it happens? • Prioritize and respond accordingly.

  15. Risk Assessment Assess each risk in terms of: • The likelihood of the negative event. • The significance or impact of the event.

  16. Risk Assessment • Likelihood: The probability that an unfavorable event would occur if there were: no internal controls; existing internal controls. • Impact: A measure of the magnitude of the effect on an organization if the unfavorable event were to occur.

  17. Ask the questions … • What obstacles could stand in the way of achieving your objective? • What can go wrong? • What is the worst thing that could happen? • What is the worst thing that has happened?

  18. Ask the questions … • Are there new processes? Changed ones? • New goals or legislation? • Staffing changes? • What keeps you awake at night?

  19. Evaluating Risk [figure: matrix of likelihood (low to high) against impact (low to high); quadrant labels: Area I Least Concern, Area II Minimal Concern, Area III Moderate Concern, Area IV Most Concern; annotation: Judgment Required]

  20. Helpful Hints • Change is the one constant. • A risk assessment is never “done.” • Communication and education can make all the difference. • The greatest risk is turning a blind eye to the possibility of risk. • Knowledge is power!

  21. Managing Risk Three options: • Avoid the risk • Accept it • Prevent it

  22. Managing Risk Avoid the risk: Whatever the risky activity is… Don’t do it! No additional controls are required

  23. Managing Risk Accept the risk: Continue the way you’re going Maintain the Status Quo No changes, no new controls

  24. Managing Risk Prevent or reduce the risk: Actively work to control the risk Change how you operate! Establish whatever controls are necessary to manage the risk

  25. Control Activities The tools – both manual and automated – that help prevent or reduce the risks that can stop an organization from meeting its objectives and goals.

  26. Control Activities Controls can be… • Directive: guide an organization toward desired outcome. • Preventive: deter the occurrence of an undesirable event. • Detective: identify undesirable events and alert management.

  27. Commonly Used Control Activities • Documentation • Approval and Authorization • Verification • Supervision • Separation of Duties • Safeguarding Assets

  28. Risk & Controls [figure: matrix of likelihood (low to high) against impact (low to high); quadrant labels: Area I Least Concern, Area II Minimal Concern, Area III Moderate Concern, Area IV Most Concern; annotation: Judgment Required]

  29. Control Activities Cost v. Benefit The cost of the controls shouldn’t be greater than the cost of the potential loss.

  30. Questions