COSO and Risk/Control Self-Assessments Charles G. Chaffin, CPA, CIA Director of Audits and David B. Crawford, CPA, CIA Audit Manager The University of Texas System
Objective To provide a detailed explanation of how: • The University of Texas (UT) System adopted COSO and the techniques used to implement it. • The Risk/Control Self-Assessment Process at UT System • Self-Assessment Uses and Critical Success Factors
INTRODUCTION • 13 Billion • 5 Billion • 1.6 Billion • 2.1 Million • 170,000 • 75,000 • 15
Academic UT Austin UT San Antonio UT Dallas UT El Paso UT Brownsville UT Pan American UT Tyler UT Permian Basin UT Arlington Medical UT Medical Branch at Galveston UT HSC Houston UT HSC San Antonio UT HSC Tyler UT Southwestern UT M. D. Anderson Cancer Center U.T. System
It Could Be You The Lynn Deer Case U.T. Austin, 1994 10
1994 Action Plan • Awareness • Statements of Philosophy/Responsibility • Internal Control Training/Handbook • Accountability • Job Descriptions/Performance Evaluations • Disciplinary Action • Audit Committees • Membership/Frequency of Meetings
Statement of Philosophy Employees of The University of Texas ___________ owe a responsibility to the people of Texas in the performance of their duties. High personal and professional standards are critical in fulfilling this responsibility. Employees will be held accountable for their action (or failure to act) and such accountability cannot be delegated to others. All employees of The University of Texas ___________ agree to abide by a Code of Ethics which provides reasonable assurance that the employee will not personally benefit or accept or give favors as a result of his/her position as an employee of The University of Texas ___________. (The “Code of Ethics” is published in the Rules and Regulations of the Board of Regents, Part One, Section 4.0).
E FFECTIVELY C ONTROLLING R ISKS A Balancing Act
Internal Control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives in the following categories: • Effectiveness and efficiencies of operations, • Reliability of financial reporting, and • Compliance with applicable laws and regulations.
Risk & ControlSelf-Assessment Guideline The Process
Internal Control Training • Over 4,000 U. T. employees trained in 1995. • Central message to Chairs and Directors: “You are responsible for internal controls.” • Complete Risk Assessment and Implementation Plan for Financial and Administrative Activities. • Copy to applicable Vice President • Copy to Internal Audit
1996 Action Plan 1. Annual Statement of Philosophy 2. Annual Statement of Responsibility and Accountability 3. Disciplinary Action 4. Require membership in Internal Audit Committee (IAC) 5. Require Quarterly IAC meetings.
1996 Action Plan (cont.) 6. Regular Internal Control Training (Video & Internet Program) 7. Update Management Responsibilities Handbook 8. Amend Job Descriptions 9. Amend Performance Evaluations 10. Offer Reconciliation Training
1996 Action Plan (cont.) 11. Newsletters to Highlight Internal Controls 12. Complete Risk Assessment and Implementation Plans 13. Statement of Responsibility for Researchers 14. Internal Audits of all Departments (3 to 5 years) 15. Internal Audits of all Key Financial Information
1996 Action Plan (cont.) 16.** Offer Control Self-Assessment Workshops 17.** Develop Model CSA Workshop Manuals 18. All Departments Perform a Control Self-Assessment 19. Report on Internal Control
Control Self-Assessment Any activity where the people responsible for a business area, task, or objective using some demonstrable approach analyze the status of control and risk to provide additional assurance related to the achievement of one or more business objectives
Control Self-AssessmentWorkshop Process • Meet with Chair/Director before session #1. • 2 auditors/facilitators. • Sessions #1, 2 hours - control process. • Regularly communicate with department after Session #1 about control activities. • Session #2, Prioritize activities/processes if too many. • Homework after session #2 - Risk/Control worksheets.
Risk/Control Worksheet Department: Prepared by: Activity: Date prepared:
Final Product • Self-Assessment Report on Internal Control to Senior Management. • Internal Auditors’ Review Report. • Departmental Audit Report (optional). • Significant findings go into tracking system.
Model Participant’s Manual and Presentation Slides • Guides the facilitator through the workshop. • Designed to answer participant questions.
U.T. System Program • Types of Departments that have had CSA workshops. • Real Estate Office • University Lands Accounting Office • West Texas Operations • Office of Facilities Planning and Construction • Office of Information Resources • Office of Finance • Employee Group Insurance Program
U.T. System Program • Academic Departments • Physical Plant • Student Financial Aid • Performing Arts Center • Libraries • Research • Volunteer Services • Financial Services • Student Affairs
Impact on Performance • Better working relationship between audit and operations. • Better understanding of the business by all. • Better operational findings. • Better buy-in to planned corrective action. • More efficient audit process.
Implementation Strategy • Walk before you run. • Develop a strategy based on management’s commitment to enhancing internal controls. • Work CSA workshops into existing audit plan; sell it as a way to improve audit results. • Pilot departments that work well with audit. • Constantly adapt and revise. • Take what you get and move on.
Uses of Self Assessment • Focus/Align • Evaluate • Document • Train • Monitor • Report Status • Measure Soft Control
Self Assessment Tools • Survey • Questionnaire • Control Guide • Interviews • Workshops
Types of Self Assessments • Control • Risk • Process • Objective • Problem • Perception
Control-Based • Identify control structure • Compare to a model • Identify gaps
Risk-Based • Assess Risks • Choose Mitigation Strategy for each risk • Choose controls for each controlled risk
Process-Based • Map process • Justify process steps • Identify additional steps • Identify steps to be eliminated
Objective-Based • Identify linkage • Inventory activities for each objective • Inventory risks for each activity
Problem-Based • Identify problem • Apply group knowledge to problem • Define group solution
Perception-Based • Identify attitudes and beliefs • Provide a baseline • Soft controls
Validating Self-Assessment Products • Benchmarking • Management Attestation • Auditor Involvement • Follow-up Audit • Traditional Audit
REPLACE TRADITIONAL • Preliminary Survey • Evaluation of Control Structure • Operational Audits • Low Risk Areas of Operation
SUPPLEMENT TO TRADITIONAL AUDITING • Control Environment • Risk Assessment • Evaluation of Control Activity Efficiency • Communication and Information • Monitoring
POINT TO POTENTIAL TRADITIONAL AUDITS • Highlights high risk areas • Identifies problems or potential problem areas • Links traditional audits to operational needs
Critical Success Factors • Proper Beginnings • Spitting Image • Working Together • Absorbed in Daily Routine • Reinforce/Reward • Discipline through Doing • Learn by Falling
How Do You Insure Self Assessment Success? • Identify a Champion • Successful First Contact • Match to Corporate Culture • Align with Business Objectives • Institutionalize It • Reward the Participants • Use the Products • Be a Chameleon
Contact Information • Web site: www.utsystem.edu/aud/resources • E-mail: email@example.com • Phone: 512-499-4767 • Fax: 512-499-4550 • Address: 201 W. 7th ASH5, Austin, Texas 78701