Risk Management And Internal Control Guidelines

Tennessee Department of Finance and Administration

Tennessee Comptroller of the Treasury

August 2007


INTRODUCTION

MANAGEMENT’S GUIDE TO RISK MANAGEMENT AND INTERNAL CONTROL

INTRODUCTION (CONT’D)
  • Enterprise Risk Management
  • Changing Political And Regulatory Environment
    • Sarbanes-Oxley Act
    • General Accounting Office
    • AICPA Auditing Standards
INTRODUCTION (CONT’D)
  • Internal Control and Governance Problems
  • Results of Texas State Comptroller’s ERM Implementation
  • Texas State Auditor Considers Increased Accountability a Priority
INTRODUCTION (CONT’D)
  • Committee Of Sponsoring Organizations Of The Treadway Commission
    • Second report Enterprise Risk Management—Integrated Framework
    • First report Internal Control—Integrated Framework
INTRODUCTION (CONT’D)
  • Guidance--Education and Tools
  • Agency Heads Responsibility
Overview
  • Relationship of COSO I and II
  • COSO Cube (three-dimensional matrix)
    • Objectives
    • Components
    • Entity Unit
  • Effectiveness
  • Roles and responsibilities
Relationship of COSO I to COSO II
  • Internal Control—Integrated Framework (COSO I)
    • Still important for entities looking at internal control by itself
  • Enterprise Risk Management—Integrated Framework (COSO II)
    • Broader than internal control
    • Expands and elaborates on internal control
    • Focuses more fully on risk
    • Introduces the concepts of risk appetite, risk tolerance, and portfolio view
COSO Cube
  • Direct relationship between objectives and enterprise risk components
  • Focus on the entirety of an entity’s ERM, or by objectives categories, component, entity unit, or any subset thereof
Objectives Categories
  • Strategic
  • Effectiveness and efficiency of operations
  • Integrity and reliability of reporting
  • Compliance with applicable laws, regulations, contracts, and grant agreements
  • Stewardship of assets
Components
  • Internal environment
  • Objective setting
  • Event identification
  • Risk assessment
  • Risk response
  • Control activities
  • Information and communication
  • Monitoring
Effectiveness
  • Are the 8 components present and functioning effectively?
  • The components are criteria for effective ERM
  • Present and functioning properly = no significant deficiencies and material weaknesses
  • Test operating effectiveness of controls different from obtaining evidence of implementation
    • How controls were applied during the period
    • Consistency with which controls were applied
    • By whom and by what means they were applied
Roles and Responsibilities
  • Audit committee, board of directors, or other oversight body
  • Commissioner/director/department head
  • Senior management
  • Internal audit
  • Other entity personnel
SECTION I – INTERNAL ENVIRONMENT – What is it?
  • Risk Management Philosophy
    • Set of shared beliefs and attitudes
    • Reflects the entity’s values, influencing its culture and operating style
    • Affects how risks are identified, kinds of risks accepted, and how they are managed
Internal Environment (cont’d)
  • Risk Appetite
    • Amount of risk management is willing to accept
    • Influences the entity’s culture and operating style
  • Oversight by Audit Committee
    • Oversight by another group
    • May significantly influence elements of Internal Environment
Internal Environment (cont’d)
  • Integrity and Ethical Values
    • Management’s values
    • Code of conduct
  • Commitment to Competence
    • Knowledge and skills of staff
    • How well tasks need to be accomplished
Internal Environment (cont’d)
  • Organizational Structure
    • Framework to plan, execute, control, and monitor activities
  • Assignment of Authority and Responsibility
    • Extent of authority and responsibility
  • Human Resource Standards
    • Staff development, training, and evaluation
Objective Setting
  • EVERY AGENCY FACES A VARIETY OF RISKS FROM EXTERNAL AND INTERNAL SOURCES, AND A PRECONDITION TO EFFECTIVE EVENT IDENTIFICATION, RISK ASSESSMENT, AND RISK RESPONSE IS ESTABLISHMENT OF OBJECTIVES
Objective Setting
  • OBJECTIVES MUST EXIST BEFORE MANAGEMENT CAN IDENTIFY POTENTIAL EVENTS AFFECTING THEIR ACHIEVEMENT
  • ENTERPRISE RISK MANAGEMENT (ERM) ENSURES THAT MANAGEMENT HAS IN PLACE A PROCESS TO SET OBJECTIVES AND THAT THE CHOSEN OBJECTIVES SUPPORT AND ALIGN WITH THE AGENCY’S MISSION AND ARE CONSISTENT WITH ITS RISK APPETITE
Objective Setting
  • WHILE AN AGENCY’S MISSION AND STRATEGIC OBJECTIVES ARE GENERALLY STABLE, ITS STRATEGY AND MANY RELATED OBJECTIVES ARE MORE DYNAMIC AND ADJUSTED FOR CHANGING INTERNAL AND EXTERNAL CONDITIONS
  • AS CONDITIONS CHANGE, STRATEGY AND RELATED OBJECTIVES ARE REALIGNED WITH STRATEGIC OBJECTIVES
Objective Setting
  • IN CONSIDERING WAYS TO ACHIEVE ITS STRATEGIC OBJECTIVES, MANAGEMENT IDENTIFIES RISKS ASSOCIATED WITH A RANGE OF STRATEGY CHOICES AND CONSIDERS THEIR IMPLICATIONS
  • VARIOUS EVENT IDENTIFICATION AND RISK ASSESSMENT TECHNIQUES ARE USED IN THE STRATEGY-SETTING PROCESS
Objective Setting
  • BY FOCUSING FIRST ON STRATEGIC OBJECTIVES AND STRATEGY, AN AGENCY IS IN A POSITION TO DEVELOP RELATED OBJECTIVES
  • AGENCY WIDE OBJECTIVES ARE THEN LINKED TO AND INTEGRATED WITH MORE SPECIFIC OBJECTIVES THAT CASCADE THROUGH THE ORGANIZATION TO SUB-OBJECTIVES ESTABLISHED FOR VARIOUS ACTIVITIES
Objective Setting
  • OBJECTIVES NEED TO BE READILY UNDERSTOOD AND MEASURABLE
  • ERM REQUIRES THAT PERSONNEL AT ALL LEVELS HAVE AN UNDERSTANDING OF THE AGENCY’S OBJECTIVES AS THEY RELATE TO THAT INDIVIDUAL’S SPHERE OF INFLUENCE
  • ALL EMPLOYEES MUST HAVE A MUTUAL UNDERSTANDING OF WHAT IS TO BE ACCOMPLISHED AND A MEANS OF MEASURING WHAT IS BEING ACCOMPLISHED
Objective Setting
  • THREE BROAD CATEGORIES OF OBJECTIVES
    • OPERATIONS
    • REPORTING
    • COMPLIANCE
SMART OBJECTIVES
  • Specific: use specific terms rather than vague, abstract ones
  • Measurable: include some method for objectively measuring their achievement
  • Achievable: are challenging but realistic
  • Relevant: follow the business strategy of the organization
  • Timely: specify a time period
Objective Setting
  • EFFECTIVE ERM PROVIDES REASONABLE ASSURANCE THAT AN AGENCY’S REPORTING AND COMPLIANCE OBJECTIVES ARE BEING ACHIEVED
  • BECAUSE, HOWEVER, ACHIEVEMENT OF OPERATIONS OBJECTIVES IS NOT SOLELY WITHIN AN AGENCY’S CONTROL (i.e. IT IS SUBJECT TO EXTERNAL EVENTS), ERM PROVIDES REASONABLE ASSURANCE THAT MANAGEMENT IS MADE AWARE, ON A TIMELY BASIS, OF THE EXTENT TO WHICH AN AGENCY IS MOVING TOWARD THE ACHIEVEMENT OF THESE OBJECTIVES
Objective Setting
  • STRATEGIES OF THE BUSINESS
  • KEY BUSINESS OBJECTIVES
  • RELATED OBJECTIVES THAT CASCADE DOWN THE ORGANIZATION FROM KEY BUSINESS OBJECTIVES
  • ASSIGNMENT OF RESPONSIBILITIES TO ORGANIZATIONAL ELEMENTS AND LEADERS (LINKAGE)
Objective Setting
  • EFFECTIVE ERM DOES NOT DICTATE WHICH OBJECTIVES MANAGEMENT SHOULD CHOOSE, BUT THAT MANAGEMENT HAS A PROCESS THAT ALIGNS STRATEGIC OBJECTIVES WITH AN AGENCY’S MISSION AND ENSURES THAT THE ENTITY’S CHOSEN STRATEGIC AND RELATED OBJECTIVES ARE CONSISTENT WITH THE AGENCY’S RISK APPETITE
Objective Setting – Risk appetite
  • RISK APPETITE IS A GUIDEPOST IN STRATEGY SETTING
  • THERE IS A RELATIONSHIP BETWEEN AN AGENCY’S RISK APPETITE AND ITS STRATEGY
  • DIFFERENT STRATEGIES CAN BE USED TO ACHIEVE DESIRED RETURN, EACH HAVING DIFFERENT RISK
Objective Setting – Risk appetite
  • RISK APPETITE IS THE AMOUNT OF RISK, ON A BROAD LEVEL, AN AGENCY IS WILLING TO ACCEPT IN PURSUIT OF ITS MISSION, VISION, BUSINESS OBJECTIVES AND VALUE GOALS
  • DIRECTLY RELATED TO AN AGENCY’S CULTURE, CAPABILITY, RISK CAPACITY AND STRATEGY
  • SHOULD CONSIDER RISK APPETITE BOTH QUALITATIVELY AND QUANTITATIVELY - IT IS MANY TIMES EXPRESSED IN ACCEPTABLE/UNACCEPTABLE OUTCOMES OR LEVEL OF RISK
Objective Setting – Risk appetite
  • SOME POSSIBLE QUESTIONS
    • WHAT RISKS WILL THE AGENCY NOT ACCEPT? (For example, environmental or quality compromises)
    • ARE THERE SPECIFIC RISKS THAT THE AGENCY IS NOT PREPARED TO ACCEPT? (For example, risks that could result in non-compliance with federal regulations)
    • IS THE AGENCY PREPARED TO ENTER INTO PROGRAMS WITH LOWER LIKELIHOOD OF SUCCESS BUT LARGER POTENTIAL RETURNS?
Objective Setting – Risk appetite
  • USE OF A LIKELIHOOD-IMPACT ASSESSMENT (MATRIX) IS A GOOD TOOL IN DOCUMENTING RISK APPETITE
  • FOR EACH RISK FREQUENCY OF OCCURRENCE (PROBABILITY) AND WORST OUTCOME (IMPACT) ARE ASSESSED AND CAPTURED IN A MATRIX
  • THE MATRIX IS THEN COMPARED WITH A CHARTED RISK APPETITE MAP THAT OUTLINES THE MAXIMUM ADVERSE RISK AN AGENCY IS WILLING TO ACCEPT
Impact vs. Probability

(Chart: IMPACT on the vertical axis from Low to High, PROBABILITY on the horizontal axis from Low to High. The region toward high impact and high probability is labeled “Exceeds Risk Appetite”; the region toward low impact and low probability is labeled “Within Risk Appetite”.)

Objective Setting – Risk tolerance
  • RISK TOLERANCE, THE ACCEPTABLE LEVEL OF VARIATION AROUND OBJECTIVES, MUST BE ALIGNED WITH RISK APPETITE
  • REQUIRES THE ARTICULATION OF ACCEPTABLE VARIABILITY FROM THE SPECIFIED RISK APPETITE FOR ALL POSSIBLE OUTCOMES
  • OPERATIONALIZES THE RISK APPETITE
  • GENERALLY EXPRESSED IN TERMS OF RISK MEASURES OR OUTCOMES
Objective Setting – Risk tolerance
  • SHOULD BE SET SUCH THAT THE AGGREGATION OF RISK TOLERANCES ENSURES THE ORGANIZATION OPERATES WITHIN THE RISK APPETITE
EVENT IDENTIFICATION
  • INTERNAL AND EXTERNAL EVENTS AFFECTING ACHIEVEMENT OF AN AGENCY’S OBJECTIVES MUST BE IDENTIFIED, DISTINGUISHING BETWEEN RISKS AND OPPORTUNITIES
  • MANAGEMENT IDENTIFIES POTENTIAL EVENTS THAT, IF THEY OCCUR, WILL AFFECT THE AGENCY, AND IN WHAT MANNER
Event identification
  • EVENTS WITH A POSITIVE IMPACT REPRESENT OPPORTUNITIES THAT SHOULD BE CHANNELED BACK INTO MANAGEMENT’S STRATEGY OR OBJECTIVE-SETTING PROCESSES
  • EVENTS WITH A NEGATIVE IMPACT REPRESENT RISKS, WHICH REQUIRE MANAGEMENT’S ASSESSMENT AND RESPONSE
Event identification
  • AN EVENT IS AN INCIDENT OR OCCURRENCE ARISING FROM INTERNAL OR EXTERNAL SOURCES THAT AFFECTS IMPLEMENTATION OF STRATEGY OR ACHIEVEMENT OF OBJECTIVES
  • A NUMBER OF EXTERNAL AND INTERNAL FACTORS DRIVE EVENTS
Event identification

CONTRIBUTING EXTERNAL FACTORS
  • ECONOMIC
  • NATURAL ENVIRONMENT
  • POLITICAL
  • SOCIAL

CONTRIBUTING INTERNAL FACTORS
  • INFRASTRUCTURE
  • PERSONNEL
  • PROCESS
  • TECHNOLOGY
SOME TYPICAL GOVERNMENT RISKS
  • Economic changes such as lower economic growth reduce tax revenue and opportunities to provide a wider range of services, or limit the availability or quality of existing services
  • Failure to innovate, leading to sub-standard services
  • Loss or misappropriation of funds through fraud or impropriety
  • Environmental damage caused by failure of regulations or the government inspection regime
  • Inconsistent policy objectives resulting in unwanted outcomes

Achieving Service Delivery
  • Failure to measure performance adequately
  • Project delays, cost overruns and inadequate quality standards
  • Failure to monitor implementation
  • Inadequate service plans to maintain continuity of service delivery
  • Inadequate skills or resources to deliver services as required
  • Failure of contractors, partners or other government agencies to provide services as required
  • Failure to properly evaluate pilot projects before a new service is introduced may result in problems when the service becomes fully operational
  • Technical risk: failure to keep pace with technical developments, or investment in inappropriate or mismatched technology

Event identification
  • AN AGENCY’S EVENT IDENTIFICATION METHODOLOGY MAY BE COMPRISED OF A COMBINATION OF TECHNIQUES, TOGETHER WITH SUPPORTING TOOLS
  • TECHNIQUES VARY WIDELY IN LEVEL OF SOPHISTICATION
EXAMPLES OF TECHNIQUES FOR IDENTIFYING EVENTS:
  • EVENT INVENTORIES (LISTING COMMON POTENTIAL EVENTS)
  • INTERNAL ANALYSIS (COMPLETED AS PART OF A ROUTINE PLANNING CYCLE PROCESS, TYPICALLY THROUGH STAFF MEETINGS)
  • ESCALATION OR THRESHOLD TRIGGERS (COMPARE CURRENT TRANSACTIONS OR EVENTS WITH PREDEFINED CRITERIA)
  • FACILITATED WORKSHOPS AND INTERVIEWS (DRAW ON ACCUMULATED KNOWLEDGE AND EXPERIENCE OF MANAGEMENT, STAFF AND STAKEHOLDERS THROUGH STRUCTURED DISCUSSIONS)
Event identification
  • POTENTIAL EVENTS ARE ALSO IDENTIFIED ON AN ONGOING BASIS IN CONNECTION WITH ROUTINE BUSINESS ACTIVITIES, SUCH AS
    • INDUSTRY/TECHNICAL CONFERENCES
    • PEER WEBSITES
    • BENCHMARKING REPORTS
    • TRADE & PROFESSIONAL JOURNALS
    • MEDIA REPORTS
    • MONTHLY MANAGEMENT REPORTS
Event identification
  • ANOTHER USEFUL TOOL IS TO INTRODUCE AN INTERMEDIATE STEP - IDENTIFYING WHAT YOU DEPEND UPON TO ACHIEVE YOUR OBJECTIVES
  • THIS IS SOMETIMES MUCH EASIER THAN TRYING TO THINK ABOUT ALL THE EVENTS THAT COULD PREVENT SUCCESS
Event identification
  • EVENTS DO NOT OCCUR IN ISOLATION – ONE EVENT CAN TRIGGER ANOTHER AND EVENTS CAN OCCUR CONCURRENTLY
  • MANAGEMENT SHOULD UNDERSTAND HOW EVENTS RELATE TO ONE ANOTHER
Event identification
  • IT MAY BE USEFUL TO GROUP EVENTS INTO CATEGORIES (i.e. GROUPS OF SIMILAR POTENTIAL EVENTS)
  • SIMILAR EVENTS SHOULD BE COMBINED TO DEVELOP AN INITIAL RISK UNIVERSE AND DETERMINE HOW TO TRACK AND UPDATE THE LISTING OF POTENTIAL EVENTS AND RISKS
Event identification
  • FINANCIAL FOLKS NEED TO REMEMBER THAT:

EVENT IDENTIFICATION NEEDS TO INVOLVE A COMPLETE CROSS-SECTION OF MANAGEMENT, AS POSSIBLE EVENTS INCLUDE BUSINESS SCENARIOS OF WHICH FINANCIAL MANAGEMENT MAY NOT BE AWARE

INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED

1. THE ORGANIZATION DEFINES GOALS AND OBJECTIVES FOR THE ENTERPRISE AS A WHOLE

2. AN EFFECTIVE STRATEGIC PLANNING PROCESS IS IN PLACE TO FORMULATE STRATEGIES THAT WILL ENABLE THE ORGANIZATION TO ACHIEVE ITS BUSINESS OBJECTIVE

INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED (CONT’D)

3. BUSINESS STRATEGIES ARE CLEARLY ARTICULATED WITH OBJECTIVES LINKED TO EACH

4. THE RISK IDENTIFICATION PROCESS IS DESIGNED TO MAKE A CLEAR LINK BETWEEN THE ORGANIZATION’S OBJECTIVES AND THE ASSOCIATED RISKS

INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED (CONT’D)

5. RISK TO THE ACHIEVEMENT OF OBJECTIVES IS EVALUATED TO ENSURE IT DOES NOT EXCEED THE LEVELS OF RISK DETERMINED BY MANAGEMENT AS ACCEPTABLE

6. ACCEPTABLE TOLERANCE LIMITS ON THE RISK TO THE ACHIEVEMENT OF KEY OBJECTIVES HAVE BEEN DETERMINED.

7. MANAGEMENT USES MEANINGFUL PERFORMANCE MEASURES IN MONITORING RESULTS AGAINST OTHER SET TOLERANCES

INDICATORS THAT THE ERM EVENT IDENTIFICATION PRINCIPLES ARE IMPLEMENTED

1. DATA ON THE BUSINESS OPERATING ENVIRONMENT – POLITICAL, ECONOMIC, ETC., EVENTS IS CAPTURED AND REGULARLY EVALUATED IN TERMS OF THEIR POTENTIAL IMPACT UPON THE ORGANIZATION’S BUSINESS OBJECTIVES

2. A PORTFOLIO OF EVENTS THAT COULD AFFECT THE ACHIEVEMENT OF OBJECTIVES – INTERNAL AND EXTERNAL – HAS BEEN PREPARED

3. EVENTS ARE LINKED TO AND RISK EVALUATED BY INDIVIDUAL OBJECTIVE

INDICATORS THAT THE ERM EVENT IDENTIFICATION PRINCIPLES ARE IMPLEMENTED (CONT’D)

4. GOALS AND OBJECTIVES FOR IDENTIFYING EVENTS AND THE RELATED RISKS EXIST AND ARE COMMUNICATED TO ALL SEGMENTS OF THE ORGANIZATION

5. RESPONSIBILITIES AND ACCOUNTABILITIES FOR RISK IDENTIFICATION ARE CLEARLY DEFINED AND UNDERSTOOD

6. RISK IS CONSIDERED IN TERMS OF NOT JUST ISOLATED EVENTS BUT ALSO INTER-RELATED EVENTS

7. EVENTS ARE CATEGORIZED INTO USEFUL GROUPS TO FACILITATE THE AGGREGATION OF INFORMATION FOR PURPOSES OF ASSESSING RISKS

8. THE ORGANIZATION EVALUATES EVENTS IN THE CONTEXT OF THE POTENTIAL UPSIDES (OPPORTUNITIES) AS WELL AS THE DOWNSIDE (RISKS)

Event identification
  • THE NEXT TOPIC, OR THE RISK ASSESSMENT COMPONENT, ALLOWS AN AGENCY TO CONSIDER THE EXTENT TO WHICH POTENTIAL EVENTS MIGHT HAVE AN IMPACT ON ACHIEVEMENT OF OBJECTIVES
Risk Assessment
  • Risk is “the possibility that an event will occur and adversely affect the achievement of objectives.”
  • Such an event thereby decreases value for the entity’s stakeholders.
Risk Assessment
  • Risks are analyzed and assessed as to their likelihood and impact
  • Management considers the mix of future events, both expected and unexpected
  • Useful first step: often a “brainstorming” session
  • What is the “worst that could happen,” or the “worst that happened?”

Consider the “Risk Appetite”
  • Broadly defined as amount of risk an entity is willing to accept in pursuing its objectives.
  • For most government entities: risk appetite is fairly low!
  • Related is risk tolerance: “tolerable level of variation associated w/ a particular objective.”
Consider Both Inherent & Residual Risk
  • Inherent: risk without any management activity, or before controls are in place.
    • Example: the inherent risk that is mitigated by payment card policies and procedures.
  • Residual: the level of risk that remains after management has a plan in place to deal with the risk.
    • Example: the residual risk that remains after payment card policies are in place.
Consider both Likelihood and Impact
  • Likelihood: possibility that an event will occur, measured as “low, medium, high,” as a percentage, or as some frequency of occurrence.
  • Impact: effect on the agency or on others.
Risk Assessment Uses Qualitative and Quantitative Methods
  • Quantitative methods more precise
  • Qualitative methods are necessary in situations where the business activity does not lend itself to quantitative evaluation, or where quantitative evaluation is not cost-effective.
  • Choice should reflect needs of the business unit and its employees.
Consider Risk in Objective Setting
  • The framework of objectives: strategic, operational, reporting, compliance, (see COSO cube).
  • Typically considerable overlap.
  • Several examples follow.
Example: Operational
  • Risk that subrecipients in the HIV/AIDS program are being reimbursed for unsupported expenditures.
  • Assessment: the extent and frequency of reimbursement is analyzed. Note that paying subrecipient invoices for which no documentation exists subjects the agency to possible fraud.
Example: Reporting
  • Risk that management does not notify the Comptroller’s Office of overpayments, and fails to recover the funds.
  • Assess why there was a breakdown in both state policy and actual recoupment.
  • Lack of notification negates the possibility of a thorough investigation.
V – Risk Response
  • “Having assessed relevant risks, management determines how it will respond, reviewing likelihood and impact, evaluating costs and benefits, and selecting options that bring residual (remaining risk) within the entity’s risk tolerances.”
The Four Categories of Risk Response:
  • Avoidance: not participating in events that give rise to risk.
  • Reduction: specific actions taken to reduce likelihood or impact, or both.
  • Sharing: reducing likelihood or impact by sharing a portion of the risk (e.g., insurance).
  • Acceptance: no action taken; management “learns to live with the risk” and monitors it.
Additional Factors in Risk Response
  • For many risks, responses are obvious and well accepted.
  • A response to one risk may affect other factors, or affect likelihood and impact differently.
  • Cost/benefit: the cost side is often easier to analyze; the benefit side may be more subjective.
  • A risk response may lead to improvements in service areas or additional value.
  • Consider both inherent and residual risk.
A Portfolio Perspective
  • ERM approach requires that risk be considered from a “portfolio” or entity-wide perspective.
  • Management first determines risk in each division or business unit.
  • Develops a composite assessment of risk reflecting unit’s residual risk profile relative to its objectives & risk tolerances.
A Portfolio View of Risk:
  • Can be depicted in several ways – focusing on major risk or event categories across divisions, program units, etc.
  • While the risk in each program unit may be within its risk tolerance, taken together the units’ risks may exceed the risk appetite of the entity.
  • Or have common elements that raise concerns.
Back to our previous examples:

1. Subrecipients in HIV/AIDS programs are routinely reimbursed for unsupported expenditures.

1. After further analysis, a corrective action plan is identified that remedies failures in the reimbursement process and provides a cost-effective methodology to monitor expenditures.
And our other example…

2. Management did not notify the Comptroller of the Treasury of overpayments and failed to recoup overpaid funds.

2. The corrective action plan requires compliance with Policy 11 and reviews recoupment procedures.
Integration with Risk Responses
  • Control activities generally are established to ensure risk responses are carried out. However, control activities themselves are risk responses.
Integration with Risk Responses
  • Risk responses
    • Share risk
      • Agency participates in state’s collateral pool or risk management fund.
    • Reduce risk
      • Reduces likelihood and impact, e.g. Disaster recovery plan in place to reduce the impact of a natural disaster.
    • Risk Avoidance
      • Policies that forbid certain “risky business” e.g., agency not authorized to invest in certain risky investment instruments.
    • Risk Acceptance
      • Monitoring of certain activities that are deemed high risk e.g., high risk investments.
CONTROL ACTIVITIES
  • A single control activity can address multiple risk responses or
  • Multiple control activities may be needed for one risk response.
Types of Control Activities
  • Preventive
  • Detective
  • Manual (People Based)
  • Automated (System Based)
Types of Control Activities
  • Preventive Controls are more reliable
    • Prevent errors before they occur
    • Proactive approach – frees up people resources
Types of Control Activities
  • Reconciliations (Detective)
    • Personnel approving or executing transactions should not perform reconciliations.
  • Reviews (Detective)
    • Budget to Actual
    • Current to prior period comparisons
    • Performance measurements
Types of Control Activities
  • Approval/Authorizations (Preventive)
    • Policies and procedures
    • Limits to authority
    • Supporting documentation
    • Question unusual items
Types of Controls of Control Activities
  • Assets Security (Preventive and Detective)
    • Physical safeguards
    • Record retention
    • Periodic counts/Inventories
Types of Controls of Control Activities
  • Segregation of Duties (Preventive and Detective)
    • The following functions should be segregated
      • Approval
      • Accounting/Reconciling
      • Asset Custody
Levels of Control Activities
  • Entity Level Controls
    • Controls management implements to establish the appropriate tone at the top (strategic objectives)
      • E.g., Employees sign a code of conduct
  • Process Level Controls
    • Mitigate risks involved in initiating, recording, processing or reporting transactions.
  • IT and Application Controls
    • Further mitigate process level risks
Levels of Control Activities
  • Pervasive Level
    • Adequate training of personnel
    • Access restrictions
    • Authorization
    • Segregation of duties
  • Specific Level
    • Validation
    • Reconciliation
CONTROL ACTIVITIES
  • The Writing on The Wall
    • Applying too narrow a focus to the identification of risks can lead to overlooking potential risks and issues.
    • Think about risks without considering the existing processes and controls in place.
Effectiveness and Efficiency
  • Control activities must be tested to ensure there are no material weaknesses or significant deficiencies.
  • Management should also ensure that control activities are carried out in a timely manner.
    • Internal auditors may support management by providing assurance on the effectiveness and efficiency of control activities.
Control Activities Worksheet
  • The worksheet provided in Section VI can be used as a template for documenting risks and related controls
  • It is divided into three parts
    • Part I: Strategic, Operations, and Reporting Objectives
    • Part II: Compliance Objectives
    • Part III: Fraud
Control Activities Worksheet
  • Worksheet is NOT all inclusive.
  • N/A responses need to be addressed.
  • Remember the writing on the wall.
  • Any policy or procedure used as a risk response in Part I or III should be addressed in Part II, Compliance.
  • Template may be modified.
Control Activities Worksheet Part I Strategic, Operations, and Reporting Objectives
  • Categorized by business processes.
    • Budget Process
    • Cash Disbursement/Expenditures
    • Cash Receipts/Revenues
    • Cash Management
    • Liabilities
    • Capital Assets/Inventory/Equipment
    • Information Systems/Data Processing
    • Personnel/Employee Compensation
    • Financial Reporting
    • Accounts Receivable
    • Investments
Control Activities Worksheet Part III Fraud
  • Categorized by the Association of Certified Fraud Examiners’ categories of fraud.
    • Misappropriation of assets
    • Corruption
    • Fraudulent Reporting
Control Activities Worksheet Part III Fraud
  • Categories should be applied to each business process.
  • Fraud control risk management should be integrated into the agency's philosophy, practices and business plans rather than be seen or practiced as a separate program. When it is integrated, risk management becomes the business of everyone in the organization.
Control Activities Worksheet Part III Fraud
  • Core areas to focus on
      • Information systems;
      • Contracts;
      • Grants and other payments or benefits programs;
      • Purchasing;
      • Services provided to the community;
      • Revenue collection;
      • Use of government credit cards;
      • Travel allowance and other common allowances;
      • Salaries; and
      • Property and other physical assets including physical security.
Other Considerations
  • Risks with large or moderate impact and probable (high) or reasonably possible (medium) likelihood of occurrence are your significant risks. These are the risks you need to address with control activities.
    • No risk response is needed for insignificant risks but BE CAUTIOUS AND OBJECTIVE.
    • Insignificant risks still need to be documented on the worksheet. Explanation of insignificant nature should be documented.
Other Considerations

  • Inherent Risks - Control Activities = Residual Risks
  • Ensure you evaluate all insignificant risks not addressed with control activities on an aggregate basis, to ensure your residual risk is within your risk tolerance.
  • All risks (regardless of significance) should still be included.
Other Considerations
  • If any of the risks already included in the worksheet are deemed as having a low impact or remote likelihood of occurrence, treat it as a risk that is not applicable to your agency and document the explanation on the worksheet.
  • Don’t forget about abuse.
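The likelihood-impact matrix, the significance rule on the slides above (large or moderate impact with probable or reasonably possible likelihood) and the aggregate check on insignificant residual risks can be mechanized for a small risk register. The following is an added example, not part of the Tennessee presentation; it assumes three ordered levels per dimension, that each control activity lowers one dimension of the inherent rating by one level, a score equal to likelihood rank times impact rank, and a risk appetite expressed as a single maximum score, with the sample risks and controls constructed for illustration.

```python
"""Risk register evaluation modeled on the likelihood/impact matrix and the
'Other Considerations' slides. Added example, not from the presentation.

Assumptions not stated on the slides: three ordered levels per dimension,
each control activity lowers one dimension of the inherent rating by one
level, score = likelihood rank x impact rank, and the risk appetite map is
a single maximum score. Sample risks and controls are constructed.
"""
from dataclasses import dataclass, field

LIKELIHOOD = ("remote", "reasonably possible", "probable")  # rank 1..3
IMPACT = ("low", "moderate", "large")                        # rank 1..3


@dataclass
class Control:
    name: str
    kind: str        # "preventive" or "detective", as on the slides
    reduces: str     # dimension it lowers: "likelihood" or "impact"


@dataclass
class Risk:
    name: str
    objective: str   # strategic / operations / reporting / compliance
    likelihood: str  # inherent rating, before any controls
    impact: str
    controls: list = field(default_factory=list)


def _rank(scale, level):
    if level not in scale:
        raise ValueError(f"unknown level {level!r}; expected one of {scale}")
    return scale.index(level) + 1


def residual_rating(risk):
    """Inherent risk minus control activities = residual risk.
    Each control steps one dimension down a level, never below the lowest."""
    lik = _rank(LIKELIHOOD, risk.likelihood)
    imp = _rank(IMPACT, risk.impact)
    for c in risk.controls:
        if c.reduces == "likelihood":
            lik = max(1, lik - 1)
        elif c.reduces == "impact":
            imp = max(1, imp - 1)
        else:
            raise ValueError(f"control {c.name!r} must reduce likelihood or impact")
    return LIKELIHOOD[lik - 1], IMPACT[imp - 1]


def is_significant(likelihood, impact):
    """Slide rule: large or moderate impact AND probable or reasonably
    possible likelihood. Anything else is insignificant (still documented)."""
    return _rank(IMPACT, impact) >= 2 and _rank(LIKELIHOOD, likelihood) >= 2


def score(likelihood, impact):
    return _rank(LIKELIHOOD, likelihood) * _rank(IMPACT, impact)


def evaluate_register(risks, appetite_max_score=4, aggregate_tolerance=4):
    """Classify each risk on its residual rating, flag any that exceed the
    appetite map, and check the insignificant ones on an aggregate basis."""
    report = {"significant": [], "insignificant": [], "exceeds_appetite": []}
    aggregate = 0
    for r in risks:
        lik, imp = residual_rating(r)
        s = score(lik, imp)
        entry = (r.name, r.objective, lik, imp, s)
        if is_significant(lik, imp):
            report["significant"].append(entry)
        else:
            report["insignificant"].append(entry)
            aggregate += s
        if s > appetite_max_score:
            report["exceeds_appetite"].append(entry)
    report["insignificant_aggregate"] = aggregate
    report["aggregate_within_tolerance"] = aggregate <= aggregate_tolerance
    return report


# Constructed sample register built around the two examples on the slides.
SAMPLE_RISKS = [
    Risk("Subrecipients reimbursed for unsupported expenditures", "operations",
         "probable", "large",
         [Control("Invoices matched to supporting documentation before payment",
                  "preventive", "likelihood")]),
    Risk("Overpayments not reported to the Comptroller or recouped", "reporting",
         "reasonably possible", "moderate",
         [Control("Monthly review of the recoupment log against Policy 11",
                  "detective", "impact")]),
    Risk("Minor office supply shrinkage", "operations", "remote", "low"),
]

if __name__ == "__main__":
    rep = evaluate_register(SAMPLE_RISKS)
    for key in ("significant", "insignificant", "exceeds_appetite"):
        print(key, [e[0] for e in rep[key]])
    print("insignificant aggregate score:", rep["insignificant_aggregate"])
```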
Information
  • Needed at all levels of an organization
    • to identify, assess, and respond to risks
    • to run the entity
    • to achieve its objectives
  • Internal and external sources
  • Financial and nonfinancial
Strategic and Integrated Systems
  • Data processing and data management become a shared responsibility
  • IS architecture needs to be flexible and agile to effectively integrate with affiliated external parties
  • Has management’s risk management techniques contemplated organizational goals in making technology selection and implementation decisions?
Integration with Operations
  • Applications facilitate access to information previously trapped in functional or departmental silos
    • Information becomes available for widespread use
  • Transactions are recorded and tracked in real time
    • Managers have immediate access to financial and operating information, enabling them to control agency activities more effectively
Depth and Timeliness of Information
  • Information infrastructure sources and captures data in a timeframe and at a depth consistent with an entity’s need to
    • identify,
    • assess, and
    • respond to risks, and
    • remain within risk tolerances
  • Timeliness needs to be consistent with the rate of change in the entity’s internal and external environments
Information Quality
  • Data reliability is a critical attribute of information systems and data-driven automated decision systems
  • Inaccurate data results in unidentified risks or poor assessments and bad management decisions
  • Quality of information includes ascertaining whether informational content is
    • Appropriate
    • Accurate
    • Timely
    • Accessible
    • Current
Communication
  • Inherent in information systems
  • Must provide information to appropriate personnel to carry out strategic, operating, reporting, compliance, and stewardship responsibilities
  • Must deal with
    • Expectations
    • Responsibilities of individuals and groups
    • Other important matters
Internal Communication
  • Behavioral expectations and responsibilities of personnel
    • Clear statement of entity’s risk management philosophy and approach
    • Clear delegation of authority
  • Should effectively convey
    • The importance and relevance of effective ERM
    • The entity’s objectives, risk appetite, risk tolerances
    • A common risk language
    • Roles and responsibilities of personnel in effecting and supporting the components of ERM
External Communication
  • Open external communication channels
    • Constituents provide highly significant input on design and quality of products and services
    • Enables an entity to address evolving customer demands or preferences
  • Recognize such implications
    • Investigate
    • Take necessary corrective actions
    • Focus on impact on financial reporting and compliance as well as operating objectives
Means of Communicating
  • Actions speak louder than words
  • Actions influenced by the entity’s history and culture
    • Operating with integrity
    • Culture is well understood throughout the organization
  • Embed communications on ERM into an entity’s broad-based, ongoing communications programs and into the fabric of the organization
Monitoring
  • Assessing the presence and functioning of components over time
  • Accomplished through
    • Ongoing monitoring activities
    • Separate evaluations
    • Combination of the two
  • ERM changes over time
    • Once-effective risk responses become irrelevant
    • Control activities become less effective or no longer are performed
    • Entity objectives might change
Ongoing Monitoring Activities
  • Occur through regular management activities
    • Variance analysis
    • Comparisons of information with disparate sources
    • Dealing with unexpected occurrences
Scope and Frequency
  • Evaluations of ERM depend on
    • significance of risks
    • importance of risk responses and
    • related controls in managing the risks
  • Address application in strategy setting with respect to significant activities
  • Scope depends on which objectives categories are addressed
Who Evaluates
  • Self assessments
    • Person responsible for particular unit or function determines effectiveness of ERM for their activities
    • Division/function head
    • Line managers
    • Controller
    • Senior management
    • Internal auditors (management cannot delegate its responsibility)
    • External auditors (caution!)
The Evaluation Process
  • Evaluating ERM is a process in itself
  • Approaches and techniques vary
  • Consistent and disciplined approach should be brought to the process
    • Understand entity activities and components of ERM being addressed
    • Determine whether the ERM system actually works
    • Discuss with personnel who actually perform or are affected by ERM
    • Analyze ERM process design and results of tests performed
    • Determine if process provides reasonable assurance with respect to the stated objectives
Methodology
  • A variety of evaluation methodologies and techniques are available
    • Checklists
    • Questionnaires
    • Flowcharting techniques
    • Comparing or benchmarking to best in class entity
  • Planning steps
  • Performance steps
Documentation
  • Varies based on the entity’s size, complexity, and similar factors
  • Evaluations more effective and efficient with appropriate level of documentation
  • Document and retain
    • Evaluation process itself
    • Descriptions of tests and analyses
    • Support for statement to external parties regarding ERM effectiveness
    • Retention policy
Reporting Deficiencies
  • Deficiencies noted from
    • Ongoing monitoring procedures
    • Separate evaluations
    • External parties
  • Reported to the persons directly responsible for achieving the business objectives affected by the deficiency
  • Report specific types of deficiencies to senior management and/or oversight body
  • Corrective actions taken or to be taken should be reported back to relevant personnel
What Is Reported
  • All identified ERM deficiencies that affect an entity’s ability
    • to develop and implement its strategy and
    • to set and achieve its objectives
  • Must report significant deficiencies and material weaknesses
    • Use qualitative and quantitative materiality
  • Report identified opportunities to increase the likelihood entity objectives will be achieved
To Whom to Report
  • Determining right party is critical
  • Immediate superiors through normal channels
  • They in turn communicate upstream or laterally so the information ends up with someone who has the authority to act
    • e.g., senior management, department head, audit committee, other oversight body
  • Consider alternative channels for reporting sensitive information
    • Fraud and illegal or improper acts