Risk Management Internal Control Guidelines
INTRODUCTION
MANAGEMENT'S GUIDE TO RISK MANAGEMENT AND INTERNAL CONTROL
INTRODUCTION (CONT'D)
Sarbanes-Oxley Act
General Accounting Office
AICPA Auditing Standards
OVERVIEW
Objectives
Components
Entity Unit
Effectiveness
Roles and responsibilities
COSO Cube
Direct relationship between objectives and enterprise risk components
Focus on the entirety of an entity's ERM, or by objectives categories, component, entity unit, or any subset thereof
Objectives Categories
Strategic
Effectiveness and efficiency of operations
Integrity and reliability of reporting
Compliance with applicable laws, regulations, contracts, and grant agreements
Stewardship of assets
Components
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
Effectiveness
SECTION I
INTERNAL ENVIRONMENT
What is it?
Risk Management Philosophy
Internal Environment (cont'd)
Risk Appetite
Internal Environment (cont'd)
Management's values
Code of conduct
Commitment to Competence
Internal Environment (cont'd)
Organizational Structure
SECTION II
OBJECTIVE SETTING
OPERATIONS
REPORTING
COMPLIANCE
SMART OBJECTIVES
Specific
Measurable
Achievable
Relevant
Timely
ASSIGNMENT OF RESPONSIBILITIES TO ORGANIZATIONAL ELEMENTS AND LEADERS (LINKAGE)
[Chart: probability axis, High]
SECTION III
EVENT IDENTIFICATION
AN EVENT IS AN INCIDENT OR OCCURRENCE ARISING FROM INTERNAL OR EXTERNAL SOURCES THAT AFFECTS IMPLEMENTATION OF STRATEGY OR ACHIEVEMENT OF OBJECTIVES
A NUMBER OF EXTERNAL AND INTERNAL FACTORS DRIVE EVENTS
CONTRIBUTING EXTERNAL FACTORS
ECONOMIC
NATURAL
ENVIRONMENT
POLITICAL
SOCIAL
CONTRIBUTING INTERNAL FACTORS
INFRASTRUCTURE
PERSONNEL
PROCESS
TECHNOLOGY
Failure to innovate leading to substandard services
Loss or misappropriation of funds through fraud or impropriety
Environmental damage caused by failure of regulations or government inspection regime
Inconsistent policy objectives resulting in unwanted outcomes
Achieving Service Delivery
Failure to monitor implementation
Inadequate service plans to maintain continuity of service delivery
Inadequate skills or resources to deliver services as required
Failure to measure performance adequately
Failure of contractors, partners or other government agencies to provide services as required
INDUSTRY/TECHNICAL CONFERENCES
PEER WEBSITES
BENCHMARKING REPORTS
TRADE & PROFESSIONAL JOURNALS
MEDIA REPORTS
MONTHLY MANAGEMENT REPORTS
SECTION IV
RISK ASSESSMENT
- Risks are analyzed and assessed as to their likelihood and impact
- Management considers the mix of future events, both expected and unexpected
- A useful first step is often a brainstorming session
- What is the worst that could happen, or the worst that has happened?
Inherent Risk: risk without any management activity or before controls are in place.
Example: inherent risk mitigated by payment card policies and procedures.
Example: Operational Assessment. The extent and frequency of reimbursement is analyzed. Note that paying subrecipient invoices for which no documentation exists subjects the agency to possible fraud.
Example: Reporting. Assess why a breakdown in both state policy and actual recoupment. Lack of notification negates the possibility of a thorough investigation.
SECTION V
RISK RESPONSE
A Portfolio Perspective
1. Subrecipients in HIV/AIDS programs are routinely reimbursed for unsupported expenditures.
2. Corrective action plan requires compliance with Policy 11; reviews recoupment procedures.
SECTION VI
CONTROL ACTIVITIES
Risk responses
Share risk
Reduce risk
Risk Avoidance
Policies that forbid certain risky business, e.g., an agency not authorized to invest in certain risky investment instruments.
Risk Acceptance
Monitoring of certain activities that are deemed high risk, e.g., high-risk investments.
CONTROL ACTIVITIES
Preventive
Detective
Manual (People Based)
Automated (System Based)
Prevents errors
Proactive approach frees up people resources
[Reliability spectrum: LESS RELIABLE, people based (detective, preventive); MORE RELIABLE, automated (detective, preventive)]
Reconciliations (Detective)
Reviews (Detective)
Budget to Actual
Current to prior period comparisons
Performance measurements
Approval/Authorizations (Preventive)
Physical safeguards
Record retention
Periodic counts/Inventories
Approval
Accounting/Reconciling
Asset Custody
Pervasive Level
Specific Level
Validation
Reconciliation
CONTROL ACTIVITIES
Budget Process
Cash Disbursement/Expenditures
Cash Receipts/Revenues
Cash Management
Liabilities
Capital Assets/Inventory/Equipment
Information Systems/Data Processing
Personnel/Employee Compensation
Financial Reporting
Accounts Receivable
Investments
Misappropriation of assets
Corruption
Fraudulent Reporting
Information systems;
Contracts;
Grants and other payments or benefits programs;
Purchasing;
Services provided to the community;
Revenue collection;
Use of government credit cards;
Travel allowance and other common allowances;
Salaries; and
Property and other physical assets including physical security.
Other Considerations
Inherent Risks - Control Activities = Residual Risks
Ensure you evaluate all insignificant risks not addressed with control activities on an aggregate basis, to ensure your residual risk is within your risk tolerance.
SECTION VII
INFORMATION AND COMMUNICATION
Information
identify, assess, and respond to risks, and remain within risk tolerances
Information Quality
Appropriate
Accurate
Timely
Accessible
Current
Communication
expectations, responsibilities of individuals and groups
Other important matters
Internal Communication
External Communication
Investigate
Take necessary corrective actions
Focus on impact on financial reporting and compliance as well as operating objectives
Means of Communicating
SECTION VIII
MONITORING
Monitoring
Variance analysis
Comparisons of information with disparate sources
Dealing with unexpected occurrences
significance of risks
importance of risk responses and related controls in managing the risks
Who Evaluates
Self assessments
Methodology
Checklists
Questionnaires
Flowcharting techniques
Comparing or benchmarking to best in class entity
Planning steps
Performance steps
Documentation
Reporting Deficiencies
What Is Reported
To Whom to Report