Risk Management And Internal Control Guidelines

About This Presentation

Title:

Risk Management And Internal Control Guidelines

Description:

Risk Management And Internal Control Guidelines. Tennessee Department of Finance ... are necessary in situations where business activity does not lend to quant. ... – PowerPoint PPT presentation

Number of Views:517

Avg rating:3.0/5.0

Slides: 121

Provided by: fin127

Category:

more less

Transcript and Presenter's Notes

Title: Risk Management And Internal Control Guidelines

1
Risk Management And Internal Control Guidelines
Tennessee Department of Finance and
Administration Tennessee Comptroller of the
Treasury August 2007
2
INTRODUCTION

MANAGEMENTS GUIDE TO RISK MANAGEMENT AND
INTERNAL CONTROL

3
INTRODUCTION (CONTD)

Enterprise Risk Management
Changing Political And Regulatory Environment
Sarbanes-Oxley Act
General Accounting Office
AICPA Auditing Standards

4
INTRODUCTION (CONTD)

Internal Control and Governance Problems
Results of Texas State Comptrollers ERM
Implementation
Texas State Auditor Considers Increased
Accountability a Priority

5
INTRODUCTION (CONTD)

Committee Of Sponsoring Organizations Of The
Treadway Commission
Second report Enterprise Risk ManagementIntegrate
d Framework
First report Internal ControlIntegrated Framework

6
INTRODUCTION (CONTD)

Guidance--Education and Tools
Agency Heads Responsibility

7
OVERVIEW
8
Overview

Relationship of COSO I and II
COSO Cube (three-dimensional matrix)
Objectives
Components
Entity Unit
Effectiveness
Roles and responsibilities

9
Relationship of COSO I to COSO II

Internal ControlIntegrated Framework (COSO I)
Still important for entities looking at internal
control by itself
Enterprise Risk ManagementIntegrated Framework
(COSO II)
Broader than internal control
Expands and elaborates on internal control
Focuses more fully on risk
Introduces the concepts of risk appetite, risk
tolerance, and portfolio view

10
COSO Cube

Direct relationship between objectives and
enterprise risk components
Focus on the entirety of an entitys ERM, or by
objectives categories, component, entity unit, or
any subset thereof

11
Objectives Categories

Strategic
Effectiveness and efficiency of operations
Integrity and reliability of reporting
Compliance with applicable laws, regulations,
contracts, and grant agreements
Stewardship of assets

12
Components

Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring

13
Effectiveness

Are the 8 components present and functioning
effectively?
The components are criteria for effective ERM
Present and functioning properly no significant
deficiencies and material weaknesses
Test operating effectiveness of controls
different from obtaining evidence of
implementation
How controls were applied during the period
Consistency with which controls were applied
By whom and by what means they were applied

14
Roles and Responsibilities

Audit committee, board of directors, or other
oversight body
Commissioner/director/department head
Senior management
Internal audit
Other entity personnel

15
SECTION IINTERNAL ENVIRONMENT
16
SECTION IINTERNAL ENVIRONMENTWhat is it?

Risk Management Philosophy
Set of shared beliefs and attitudes
Reflects the entitys values, influencing its
culture and operating style
Affects how risks are identified, kinds of risks
accepted, and how they are managed

17
Internal Environment(contd)

Risk Appetite
Amount of risk management is willing to accept
Influences the entitys culture and operating
style
Oversight by Audit Committee
Oversight by another group
May significantly influence elements of Internal
Environment

18
Internal Environment(contd)

Integrity and Ethical Values
Managements values
Code of conduct
Commitment to Competence
Knowledge and skills of staff
How well tasks need to be accomplish

19
Internal Environment(contd)

Organizational Structure
Framework to plan, execute, control, and monitor
activities
Assignment of Authority and Responsibility
Extent of authority and responsibility
Human Resource Standards
Staff development, training, and evaluation

20
SECTION II OBJECTIVE SETTING
21
Objective Setting

EVERY AGENCY FACES A VARIETY OF RISKS FROM
EXTERNAL AND INTERNAL SOURCES, AND A PRECONDITION
TO EFFECTIVE EVENT IDENTIFICATION, RISK
ASSESSMENT, AND RISK RESPONSE IS ESTABLISHMENT OF
OBJECTIVES

22
Objective Setting

OBJECTIVES MUST EXIST BEFORE MANAGEMENT CAN
IDENTIFY POTENTIAL EVENTS AFFECTING THEIR
ACHEIVEMENT
ENTERPRISE RISK MANAGEMENT (ERM) ENSURES THAT
MANAGEMENT HAS IN PLACE A PROCESS TO SET
OBJECTIVES AND THAT THE CHOSEN OBJECTIVES SUPPORT
AND ALIGN WITH THE AGENCYS MISSION AND ARE
CONSISTENT WITH ITS RISK APPETITE

23
Objective Setting

WHILE AN AGENCYS MISSION AND STRATEGIC
OBJECTIVES ARE GENERALLY STABLE, ITS STRATEGY AND
MANY RELATED OBJECTIVES ARE MORE DYNAMIC AND
ADJUSTED FOR CHANGING INTERNAL AND EXTERNAL
CONDITIONS
AS CONDITIONS CHANGE, STRATEGY AND RELATED
OBJECTIVES ARE REALIGNED WITH STRATEGIC OBJECTIVES

24
Objective Setting

IN CONSIDERING WAYS TO ACHIEVE ITS STRATEGIC
OBJECTIVES, MANAGEMENT IDENTIFIES RISKS
ASSOCIATED WITH A RANGE OF STRATEGY CHOICES AND
CONSIDERS THEIR IMPLICATIONS
VARIOUS EVENT IDENTIFICATION AND RISK ASSESSMENT
TECHNIQUES ARE USED IN THE STRATEGY-SETTING
PROCESS

25
Objective Setting

BY FOCUSING FIRST ON STRATEGIC OBJECTIVES AND
STRATEGY, AN AGENCY IS IN A POSITION TO DEVELOP
RELATED OBJECTIVES
AGENCY WIDE OBJECTIVES ARE THEN LINKED TO AND
INTEGRATED WITH MORE SPECIFIC OBJECTIVES THAT
CASCADE THROUGH THE ORGANIZATION TO
SUB-OBJECTIVES ESTABLISHED FOR VARIOUS ACTIVITIES

26
Objective Setting

OBJECTIVES NEED TO BE READILY UNDERSTOOD AND
MEASURABLE
ERM REQUIRES THAT PERSONNEL AT ALL LEVELS HAVE AN
UNDERSTANDING OF THE AGENCYS OBJECTIVES AS THEY
RELATE TO THAT INDIVIDUALS SPHERE OF INFLUENCE
ALL EMPLOYEES MUST HAVE A MUTUAL UNDERSTANDING OF
WHAT IS TO BE ACCOMPLISHED AND A MEANS OF
MEASURING WHAT IS BEING ACCOMPLISHED

27
Objective Setting

THREE BROAD CATEGORIES OF OBJECTIVES
OPERATIONS
REPORTING
COMPLIANCE

28
SMART OBJECTIVES

Specific Use specific terms rather than
vague abstract ones
Measurable Include some method for
objectively measuring their achievement
Achievable Are challenging but realistic
Relevant Follow the business strategy of the
organization
Timely Specify a time period

29
Objective Setting

EFFECTIVE ERM PROVIDES REASONABLE ASSURANCE THAT
AN AGENCYS REPORTING AND COMPLIANCE OBJECTIVES
ARE BEING ACHIEVED
BECAUSE, HOWEVER, ACHEIVEMENT OF OPERATIONS
OBJECTIVES IS NOT SOLEY WITHIN AN AGENCYS
CONTROL (i.e. IT IS SUBJECT TO EXTERNAL EVENTS)
ERM PROVIDES REASONABLE ASSURANCE THAT MANAGEMENT
IS MADE AWARE OF THE EXTENT TO WHICH AN AGENCY IS
MOVING TOWARD THE ACHIEVEMENT OF THESE OBJECTIVES
ON A TIMELY BASIS

30
Objective Setting

STRATEGIES OF THE BUSINESS
KEY BUSINESS OBJECTIVES
RELATED OBJECTIVES THAT CASCADE DOWN THE
ORGANIZATION FROM KEY BUSINESS OBJECTIVES
ASSIGNMENT OF RESPONSIBILITIES TO ORGANIZATIONAL
ELEMENTS AND LEADERS (LINKAGE)

31
Objective Setting

EFFECTIVE ERM DOES NOT DICTATE WHICH OBJECTIVES
MANAGEMENT SHOULD CHOOSE, BUT THAT MANAGEMENT HAS
A PROCESS THAT ALIGNS STRATEGIC OBJECTIVES WITH
AN AGENCYS MISSION AND ENSURES THAT THE ENTITYS
CHOSEN STRATEGIC AND RELATED OBJECTIVES ARE
CONSISTENT WITH THE AGENCYS RISK APPETITE

32
Objective Setting Risk appetite

RISK APPETITE IS A GUIDEPOST IN STRATEGY SETTING
THERE IS A RELATIONSHIP BETWEEN AN AGENCYS RISK
APPETITE AND ITS STRATEGY
DIFFERENT STRATEGIES CAN BE USED TO ACHIEVE
DESIRED RETURN, EACH HAVING DIFFERENT RISK

33
Objective Setting Risk appetite

RISK APPETITE IS THE AMOUNT OF RISK, ON A BROAD
LEVEL, AN AGENCY IS WILLING TO ACCEPT IN PURSUIT
OF ITS MISSION, VISION, BUSINESS OBJECTIVES AND
VALUE GOALS
DIRECTLY RELATED TO AN AGENCYS CULTURE,
CAPABILITY, RISK CAPACITY AND STRATEGY
SHOULD CONSIDER RISK APPETITE BOTH QUALITATIVELY
AND QUANTITATIVELY - IT IS MANY TIMES EXPRESSED
IN ACCEPTABLE/UNACCEPTABLE OUTCOMES OR LEVEL OF
RISK

34
Objective Setting Risk appetite

SOME POSSIBLE QUESTIONS
WHAT RISKS WILL THE AGENCY NOT ACCEPT? (For
example, environmental or quality compromises)
ARE THERE SPECIFIC RISKS THAT THE AGENCY IS NOT
PREPARED TO ACCEPT? (For example, risks that
could result in non-compliance with federal
regulations)
IS THE AGENCY PREPARED TO ENTER INTO PROGRAMS
WITH LOWER LIKELIHOOD OF SUCCESS BUT LARGER
POTENTIAL RETURNS?

35
Objective Setting Risk appetite

USE OF A LIKELIHOOD-IMPACT ASSESSMENT (MATRIX) IS
A GOOD TOOL IN DOCUMENTING RISK APPETITE
FOR EACH RISK FREQUENCY OF OCCURRENCE
(PROBABILITY) AND WORST OUTCOME (IMPACT) ARE
ASSESSED AND CAPTURED IN A MATRIX
THE MATRIX IS THEN COMPARED WITH A CHARTED RISK
APPETITE MAP THAT OUTLINES THE MAXIMUM ADVERSE
RISK AN AGENCY IS WILLING TO ACCEPT

36
Impact vs. Probability
High
Exceeds Risk Appetite
I M P A C T
Within Risk Appetite
Low
High
PROBABILITY
37
Objective Setting Risk tolerance

RISK TOLERANCE, THE ACCEPTABLE LEVEL OF VARIATION
AROUND OBJECTIVES, MUST BE ALIGNED WITH RISK
APPETITE
REQUIRES THE ARTICULATION OF ACCEPTABLE
VARIABILITY FROM THE SPECIFIED RISK APPETITE FOR
ALL POSSIBLE OUTCOMES
OPERATIONALIZES THE RISK APPETITE
GENERALLY EXPRESSED IN TERMS OF RISK MEASURES OR
OUTCOMES

38
Objective Setting Risk tolerance

SHOULD BE SET SUCH THAT THE AGGREGATION OF RISK
TOLERANCES ENSURES THE ORGANIZATION OPERATES
WITHIN THE RISK APPETITE

39
SECTION IIIEVENT IDENTIFICATION
40
EVENT IDENTIFICATION

INTERNAL AND EXTERNAL EVENTS AFFECTING
ACHEIVEMENT OF AN AGENCYS OBJECTIVES MUST BE
IDENTIFIED, DISTINGUISHING BETWEEN RISKS AND
OPPORTUNITIES
MANAGEMENT IDENTIFIES POTENTIAL EVENTS THAT, IF
THEY OCCUR, WILL AFFECT THE AGENCY, AND IN WHAT
MANNER

41
Event identification

EVENTS WITH A POSITIVE IMPACT REPRESENT
OPPORTUNITIES THAT SHOULD BE CHANNELED BACK INTO
MANAGEMENTS STRATEGY OR OBJECTIVE-SETTING
PROCESSES
EVENTS WITH A NEGATIVE IMPACT REPRESENT RISKS,
WHICH REQUIRE MANAGEMENTS ASSESSMENT AND
RESPONSE

42
Event identification

AN EVENT IS AN INCIDENT OR OCCURRENCE ARISING
FROM INTERNAL OR EXTERNAL SOURCES THAT AFFECTS
IMPLEMENTATION OF STRATEGY OR ACHIEVEMENT OF
OBJECTIVES
A NUMBER OF EXTERNAL AND INTERNAL FACTORS DRIVE
EVENTS

43
Event identification

CONTRIBUTING EXTERNAL FACTORS
ECONOMIC
NATURAL ENVIRONMENT
POLITICAL
SOCIAL

CONTRIBUTING INTERNAL FACTORS
INFRASTRUCTURE
PERSONNEL
PROCESS
TECHNOLOGY

44
SOME TYPICAL GOVERNMENT RISKS
45
Event identification

AN AGENCYS EVENT IDENTIFICATION METHODOLOGY MAY
BE COMPRISED OF A COMBINATION OF TECHNIQUES,
TOGETHER WITH SUPPORTING TOOLS
TECHNIQUES VARY WIDELY IN LEVEL OF SOPHISTICATION

46
EXAMPLES OF TECHNIQUES FOR IDENTIFYING EVENTS

EVENT INVENTORIES (LISTING COMMON POTENTIAL
EVENTS)
INTERNAL ANALYSIS (COMPLETED AS PART OF A ROUTINE
PLANNING CYCLE PROCESS, TYPICALLY THROUGH STAFF
MEETINGS)
ESCALATION OR THRESHOLD TRIGGERS (COMPARE CURRENT
TRANSACTIONS OR EVENTS WITH PREDEFINED CRITERIA)
FACILITATED WORKSHOPS AND INTERVIEWS (DRAW ON
ACCUMULATED KNOWLEDGE AND EXPERIENCE OF
MANAGEMENT, STAFF AND STAKEHOLDERS THROUGH
STRUCTURED DISCUSSIONS)

47
Event identification

POTENTIAL EVENTS ARE ALSO IDENTIFIED ON AN
ONGOING BASIS IN CONNECTION WITH ROUTINE BUSINESS
ACTIVITIES, SUCH AS
INDUSTRY/TECHNICAL CONFERENCES
PEER WEBSITES
BENCHMARKING REPORTS
TRADE PROFESSIONAL JOURNALS
MEDIA REPORTS
MONTHLY MANAGEMENT REPORTS

48
Event identification

ANOTHER USEFUL TOOL IS TO INTRODUCE AN
INTERMEDIATE STEP - IDENTIFYING WHAT YOU DEPEND
UPON TO ACHIEVE YOUR OBJECTIVES
THIS IS SOMETIMES MUCH EASIER THAN TRYING TO
THINK ABOUT ALL THE EVENTS THAT COULD PREVENT
SUCCESS

49
Event identification

EVENTS DO NOT OCCUR IN ISOLATION ONE EVENT CAN
TRIGGER ANOTHER AND EVENTS CAN OCCUR CONCURRENTLY
MANAGEMENT SHOULD UNDERSTAND HOW EVENTS RELATE TO
ONE ANOTHER

50
Event identification

IT MAY BE USEFUL TO GROUP EVENTS INTO CATEGORIES
(i.e. GROUPS OF SIMILAR POTENTIAL EVENTS)
SIMILAR EVENTS SHOULD BE COMBINED TO DEVELOP AN
INITIAL RISK UNIVERSE AND DETERMINE HOW TO TRACK
AND UPDATE THE LISTING OF POTENTIAL EVENTS AND
RISKS

51
Event identification

FINANCIAL FOLKS NEED TO REMEMBER THAT
EVENT IDENTIFICATION NEEDS TO INVOLVE A COMPLETE
CROSS-SECTION OF MANAGEMENT, AS POSSIBLE EVENTS
INCLUDE BUSINESS SCENARIOS OF WHICH FINANCIAL
MANAGEMENT MAY NOT BE AWARE

52
INDICATORS THAT THE ERM OBJECTIVE SETTING
PRINCIPLES ARE IMPLEMENTED

1. THE ORGANIZATION DEFINES GOALS AND OBJECTIVES
FOR THE ENTERPRISE AS A WHOLE
2. AN EFFECTIVE STRATEGIC PLANNING PROCESS IS IN
PLACE TO FORMULATE STRATEGIES THAT WILL ENABLE
THE ORGANIZATION TO ACHIEVE ITS BUSINESS OBJECTIVE

53
INDICATORS THAT THE ERM OBJECTIVE SETTING
PRINCIPLES ARE IMPLEMENTED (CONTD)

3. BUSINESS STRATEGIES ARE CLEARLY ARTICULATED
WITH OBJECTIVES LINKED TO EACH
4. THE RISK IDENTIFICATION PROCESS IS DESIGNED TO
MAKE A CLEAR LINK BETWEEN THE ORGANIZATIONS
OBJECTIVES AND THE ASSOCIATED RISKS

54
INDICATORS THAT THE ERM OBJECTIVE SETTING
PRINCIPLES ARE IMPLEMENTED (CONTD)

5. RISK TO THE ACHIEVEMENT OF OBJECTIVES IS
EVALUATED TO ENSURE IT DOES NOT EXCEED THE LEVELS
OF RISK DETERMINED BY MANAGEMENT AS ACCEPTABLE
6. ACCEPTABLE TOLERANCE LIMITS ON THE RISK TO
THE ACHIEVEMENT OF KEY OBJECTIVES HAVE BEEN
DETERMINED.
7. MANAGEMENT USES MEANINGFUL PERFORMANCE
MEASURES IN MONITORING RESULTS AGAINST OTHER SET
TOLERANCES

55
INDICATORS THAT THE ERM EVENT IDENTIFICATION
PRINCIPLES ARE IMPLEMENTED

1. DATA ON THE BUSINESS OPERATING ENVIRONMENT
POLITICAL, ECONOMIC, ETC., EVENTS IS CAPTURED
AND REGULARLY EVALUATED IN TERMS OF THEIR
POTENTIAL IMPACT UPON THE ORGANIZATIONS BUSINESS
OBJECTIVES
2. A PORTFOLIO OF EVENTS THAT COULD AFFECT THE
ACHIEVEMENT OF OBJECTIVES INTERNAL AND EXTERNAL
HAS BEEN PREPARED
3. EVENTS ARE LINKED TO AND RISK EVALUATED BY
INDIVIDUAL OBJECTIVE

56
INDICATORS THAT THE ERM EVENT IDENTIFICATION
PRINCIPLES ARE IMPLEMENTED (CONTD)

4. GOALS AND OBJECTIVES FOR IDENTIFYING EVENTS
AND THE RELATED RISKS EXIST AND ARE COMMUNICATED
TO ALL SEGMENTS OF THE ORGANIZATION
5. RESPONSIBILITIES AND ACCOUNTABLES FOR RISK
IDENTIFICATION ARE CLEARLY DEFINED AND UNDERSTOOD
6. RISK IS CONSIDERED IN TERMS OF NOT JUST
ISOLATED EVENTS BUT ALSO INTER-RELATED EVENTS
7. EVENTS ARE CATEGORIZED INTO USEFUL GROUPS TO
FACILITATE THE AGGREGATION OF INFORMATION FOR
PURPOSES OF ASSESSING RISKS
8. THE ORGANIZATION EVALUATES EVENTS IN THE
CONTEXT OF THE POTENTIAL UPSIDES (OPPORTUNITIES)
AS WELL AS THE DOWNSIDE (RISKS)

57
Event identification

THE NEXT TOPIC, OR THE RISK ASSESSMENT COMPONENT,
ALLOWS AN AGENCY TO CONSIDER THE EXTENT TO WHICH
POTENTIAL EVENTS MIGHT HAVE AN IMPACT ON
ACHIEVEMENT OF OBJECTIVES

58
SECTION IVRISK ASSESSMENT
59
Risk Assessment

Risk is the possibility that an event will occur
and adversely affect the achievement of
objectives.
Thereby decreasing value for the entitys
stakeholders.

60
Risk Assessment

- Risks are analyzed and assessed as to their
likelihood and impact
- Management considers the mix of future
events, both expected unexpected
- Useful first step often a brainstorming
session
- What is the worst that could happen, or
the worst that happened?

61
Consider the Risk Appetite

Broadly defined as amount of risk an entity is
willing to accept in pursuing its objectives.
For most government entities risk appetite is
fairly low!
Related is risk tolerance tolerable level of
variation associated w/ a particular objective.

62
Consider Both Inherent Residual Risk

Inherent Risk without any management activity
or before controls are in place.
Example inherent risk mitigated by payment
cards policies and procedures.

Residual level of risk that remains after
management has a plan in place to deal with the
risk.
Example residual risk remains after payment card
policies are in place.

63
Consider both Likelihood and Impact

Likelihood possibility an event will occur,
measured in low, medium, high, percentage or
some frequency of occurrence.
Impact Effect on an agency on others.

64
Risk Assessment Uses Qualitative and Quantitative
Methods

Quantitative methods more precise
Qualitative methods are necessary in situations
where business activity does not lend to quant.
evaluation, or is not cost/effective.
Choice should reflect needs of the business unit
and its employees.

65
Consider Risk in Objective Setting

The framework of objectives strategic,
operational, reporting, compliance, (see COSO
cube).
Typically considerable overlap.
Several examples follow.

66
Example Operational

Risk that subrecipients in HIV/AIDS program are
being reimbursed for unsupported expenditures.

Assessment Extent of reimbursement and
frequency is analyzed. Note that paying
subrecipient invoices for which no documentation
exists subjects agency to possible fraud.

67
Example Reporting

Risk that management does not notify the
Comptrollers Office of overpayments and failure
to recover funds.

Assess why a breakdown in both state policy and
actual recoupment.
Lack of notification negates possibility of a
thorough investigation.

68
SECTION V RISK RESPONSE
69
V Risk Response

Having assessed relevant risks, management
determines how it will respond, reviewing
likelihood and impact, evaluating costs and
benefits, and selecting options that bring
residual (remaining risk) within the entitys
risk tolerances.

70
The Four Categories of Risk Response

Avoidance not participating in events that give
rise to risk.
Reduction Specific actions taken to reduce
likelihood or impact or both.
Sharing Reducing likelihood or impact by sharing
portion of the risk (insurance)
Acceptance No action taken. learns to live with
the risk, and monitor it...

71
Additional Factors in Risk Response

- For many risks, responses are obvious well
accepted.
- Response to risk may affect other factors, or
affect likelihood/impact differently.
- Cost/Benefit often cost side easier to
analyze benefit side may be more subjective.
- Risk response may lead to improvements in
service areas or additional value.
- Considers both inherent and residual risk.

72
A Portfolio Perspective

ERM approach requires that risk be considered
from a portfolio or entity-wide perspective.
Management first determines risk in each division
or business unit.
Develops a composite assessment of risk
reflecting units residual risk profile relative
to its objectives risk tolerances.

73
A Portfolio View of Risk

Can be depicted in several ways focusing on
major risk or event categories across divisions,
program units, etc.
While risk in a program unit may be within risk
tolerance taken together they may exceed the
risk appetite of entity.
Or have common elements that raise concerns.

74
Back to our previous examples

1. Subrecipients in HIV/AIDS programs are
routinely reimbursed for unsupported
expenditures.

1. After further analysis corrective action plan
identified and remedies failures in the
reimbursement process, a cost/effective
methodology to monitor expenditures.

75
And our other example

2. Management did not notify the Comptroller of
the Treasury of overpayments and failed to recoup
overpaid funds.

2. Corrective action plan requires compliance
with Policy 11 reviews recoupment procedures.

76
SECTION VICONTROL ACTIVITIES
77
Integration with Risk Responses

Control activities generally are established to
ensure risk responses are carried out. However,
control activities themselves are risk responses.

78
Integration with Risk Responses

Risk responses
Share risk
Agency participates in states collateral pool or
risk management fund.
Reduce risk
Reduces likelihood and impact, e.g. Disaster
recovery plan in place to reduce the impact of a
natural disaster.
Risk Avoidance
Policies that forbid certain risky business
e.g., agency not authorized to invest in certain
risky investment instruments.
Risk Acceptance
Monitoring of certain activities that are deemed
high risk e.g., high risk investments.

79
CONTROL ACTIVITIES

A single control activity can address multiple
risk responses or
Multiple control activities may be needed for one
risk response.

80
Types of Control Activities

Types of Control Activities
Preventive
Detective
Manual (People Based)
Automated (System Based)

81
Types of Control Activities

Preventive Controls are more reliable
Prevents errors
Proactive approach frees up people resources

82
Types of Control Activities
83
Types of Control Activities

Reconciliations (Detective)
Personnel approving or executing transactions
should not perform reconciliations.
Reviews (Detective)
Budget to Actual
Current to prior period comparisons
Performance measurements

84
Types of Control Activities

Approval/Authorizations (Preventive)
Policies and procedures
Limits to authority
Supporting documentation
Question unusual items

85
Types of Controls of Control Activities

Assets Security (Preventive and Detective)
Physical safeguards
Record retention
Periodic counts/Inventories

86
Types of Controls of Control Activities

Segregation of Duties (Preventive and Detective)
The following functions should be segregated
Approval
Accounting/Reconciling
Asset Custody

87
Levels of Control Activities

Entity Level Controls
Controls management implement to establish the
appropriate tone at the top. (Strategic
Objectives)
E.g., Employees sign a code of conduct
Process Level Controls
Mitigate risks involved in initiating, recording,
processing or reporting transactions.
IT and Application Controls
Further mitigates process level risks

88
Levels of Control Activities

Pervasive Level
Adequate training of personnel
Access restrictions
Authorization
Segregation of duties
Specific Level
Validation
Reconciliation

89
CONTROL ACTIVITIES

The Writing on The Wall
Applying too narrow a focus to the identification
of risks can lead to overlooking potential risks
and issues.
Think about risks without considering the
existing processes and controls in place.

90
Effectiveness and Efficiency

Control activities must be tested to ensure there
are no material weaknesses or significant
deficiencies.
Management should also ensure that control
activities are carried out in a timely manner.
Internal auditors may support management by
providing assurance on the effectiveness and
efficiency of control activates.

91
Control Activities Worksheet

Worksheet provided in Section VI can be used
as a template for documenting risks and related
controls
Divided into 3 parts
Part I Strategic, Operations, and Reporting
Objectives
Part II Compliance Objectives
Part III Fraud

92
Control Activities Worksheet

Worksheet is NOT all inclusive.
N/A responses need to be addressed.
Remember the writing on the wall.
Any policy or procedure used as a risk response
in Part I or III should be addressed in Part II,
Compliance.
Template may be modified.

93
Control Activities Worksheet Part I Strategic,
Operations, and Reporting Objectives

Categorized by business processes.
Budget Process
Cash Disbursement/Expenditures
Cash Receipts/Revenues
Cash Management
Liabilities
Capital Assets/Inventory/Equipment
Information Systems/Data Processing
Personnel/Employee Compensation
Financial Reporting
Accounts Receivable
Investments

94
Control Activities Worksheet Part III Fraud

Categorized by the Association of Certified Fraud
Examiners Categories of Fraud.
Misappropriation of assets
Corruption
Fraudulent Reporting

95
Control Activities Worksheet Part III Fraud

Categories should be applied to each business
process.
Fraud control risk management should be
integrated into the agency's philosophy,
practices and business plans rather than be seen
or practiced as a separate program. When it is
integrated, risk management becomes the business
of everyone in the organization.

96
Control Activities Worksheet Part III Fraud

Core areas to focus on
Information systems
Contracts
Grants and other payments or benefits programs
Purchasing
Services provided to the community
Revenue collection
Use of government credit cards
Travel allowance and other common allowances
Salaries And
Property and other physical assets including
physical security.

97
Other Considerations

Risks with large or moderate impact and probable
(high) or reasonably possible (medium) likelihood
of occurrence are your significant risks. These
are the risks you need to address with control
activities.
No risk response is needed for insignificant
risks but BE CAUTIOUS AND OBJECTIVE.
Insignificant risks still need to be documented
on the worksheet. Explanation of insignificant
nature should be documented.

98
Other Considerations

Inherent Risks - Control Activities Residual
Risks
Ensure you evaluate all insignificant risks not
addressed with control activities on an aggregate
basis to ensure your residual risk is within your
risk tolerance.
All risks (regardless of significance) should
still be included.

99
Other Considerations

If any of the risks already included in the
worksheet are deemed as having a low impact or
remote likelihood of occurrence, treat as as a
risk that is not applicable to your agency and
document explanation on worksheet.
Dont forget about abuse.

100
SECTION VIIINFORMATION ANDCOMMUNICATION
101
Information

Needed at all levels of an organization
to identify, assess, and respond to risks
to run the entity
to achieve its objectives
Internal and external sources
Financial and nonfinancial

102
Strategic and Integrated Systems

Data processing and data management become a
shared responsibility
IS architecture needs to be flexible and agile to
effectively integrate with affiliated external
parties
Has managements risk management techniques
contemplated organizational goals in making
technology selection and implementation decisions?

103
Integration with Operations

Applications facilitate access to information
previously trapped in functional or departmental
silos
Information becomes available for widespread use
Transactions are recorded and tracked in real
time
Managers have immediate access to financial and
operating information more effectively to control
agency activities

104
Depth and Timeliness of Information

Information infrastructure sources and captures
data in a timeframe and at a depth consistent
with an entitys need to
identify,
assess, and
respond to risks, and
remain within risk tolerances
Timeliness needs to be consistent with the rate
of change in the entitys internal and external
environments

105
Information Quality

Data reliability is a critical attribute of
information systems and data-driven automated
decision systems
Inaccurate data results in unidentified risks or
poor assessments and bad management decisions
Quality of information includes ascertaining
whether informational content is
Appropriate Accurate
Timely Accessible
Current

106
Communication

Inherent in information systems
Must provide information to appropriate personnel
to carry out strategic, operating, reporting,
compliance, and stewardship responsibilities
Must deal with
expectations,
responsibilities of individuals and groups
Other important matters

107
Internal Communication

Behavioral expectations and responsibilities of
personnel
Clear statement of entitys risk management
philosophy and approach
Clear delegation of authority
Should effectively convey
The importance and relevance of effective ERM
The entitys objectives, risk appetite, risk
tolerances
A common risk language
Roles and responsibilities of personnel in
effecting and supporting the components of ERM

108
External Communication

Open external communication channels
Constituents provide highly significant input on
design and quality of products and services
Enables an entity to address evolving customer
demands or preferences
Recognize such implications
Investigate
Take necessary corrective actions
Focus on impact on financial reporting and
compliance as well as operating objectives

109
Means of Communicating

Actions speak louder than words
Actions influenced by the entitys history and
culture
Operating with integrity
Culture is well understood throughout the
organization
Embed communications on ERM into an entitys
broad-based, ongoing communications programs and
into the fabric of the organization

110
SECTION VIIIMONITORING
111
Monitoring

Assessing the presence and functioning of
components over time
Accomplished through
Ongoing monitoring activities
Separate evaluations
Combination of the two
ERM changes over time
Once effective risk responses become irrelevant
Control activities become less effective or no
longer are performed
Entity objectives might change

112
Ongoing Monitoring Activities

Occur through regular management activities
Variance analysis
Comparisons of information with disparate sources
Dealing with unexpected occurrences

113
Scope and Frequency

Evaluations of ERM depend on
significance of risks
importance of risk responses and
related controls in managing the risks
Address application in strategy setting with
respect to significant activities
Scope depends on which objectives categories are
addressed

114
Who Evaluates

Self assessments
Person responsible for particular unit or
function determines effectiveness of ERM for
their activities
Division/function head
Line managers
Controller
Senior management
Internal auditors (management cannot delegate its
responsibility)
External auditors (caution!)

115
The Evaluation Process

Evaluating ERM is a process in itself
Approaches and techniques vary
Consistent and disciplined approach should be
brought to the process
Understand entity activities and components of
ERM being addressed
Determine ERM system actually works
Discuss with personnel who actually perform or
are affected by ERM
Analyze ERM process design and results of tests
performed
Determine if process provides reasonable
assurance with respect to the stated objectives

116
Methodology

A variety of evaluation methodologies and
techniques are available
Checklists
Questionnaires
Flowcharting techniques
Comparing or benchmarking to best in class entity
Planning steps
Performance steps

117
Documentation

Varies based on the entitys size, complexity,
and similar factors
Evaluations more effective and efficient with
appropriate level of documentation
Document and retain
Evaluation process itself
Descriptions of tests and analyses
Support for statement to external parties
regarding ERM effectiveness
Retention policy

118
Reporting Deficiencies

Deficiencies noted from
Ongoing monitoring procedures
Separate evaluations
External parties
Reported directly to persons directly responsible
for achieving business objectives affected by the
deficiency
Report specific types of deficiencies to senior
management and/or oversight body
Corrective actions taken or to be taken should be
reported back to relevant personnel

119
What Is Reported

All identified ERM deficiencies that affect an
entitys ability
to develop and implement its strategy and
to set and achieve its objectives
Must report significant deficiencies and material
weaknesses
Use qualitative and quantitative materiality
Report identified opportunities to increase the
likelihood entity objectives will be achieved

120
To Whom to Report

Determining right party is critical
Immediate superiors through normal channels
They in turn communicate upstream or laterally so
the information ends up with someone who has the
authority to act
e.g., senior management, department head, audit
committee, other oversight body
Consider alternative channels for reporting
sensitive information
Fraud and illegal or improper acts