Title: Extreme Makeover: Taking Control of Your Stale Internal Control Program
1. Extreme Makeover: Taking Control of Your Stale Internal Control Program
October 27, 2009
Matt Downey
2. Extreme Makeover: Moving from Unit Assessments to Functional Group Assessments
3. Extreme Makeover
- Commitment from Agency Leadership
- Tone at the Top
- Buy-in from Management
4. Extreme Makeover
- Identify the Function and Key Players
- Make Sure That Appropriate Decision Makers are Included
- Group has Ownership of the Function
5. Risk Management
- A systematic process used to identify risks and promote Internal Control activities that result in mitigation of risk.
6. The Risk Assessment Process
- Document the process
- Uncover deficiencies and highlight opportunities for improvement
- Clarify roles and responsibilities
- Provide reasonable assurance that what is supposed to happen actually does
7. The Four Step Risk Management Thought Process
- Step 1: Understand the Business Objective and the Major Steps in the Process
- Step 2: Identify and Assess the Risks
- Step 3: Identify, Document, Evaluate and Test the Controls
- Step 4: Recommend Corrective Action and Follow-up
8. Step 1: Understand the Business Objective and the Major Steps in the Process
What is the process or program under review trying to accomplish?
- Ensure the objective is
  - Specific
  - Measurable
  - Achievable
  - Relevant
  - Time framed
9. Objectives
- Operational: What needs to be done.
- Financial: Revenues to be raised, dollars to be saved, accurate recording and reporting of financial data.
- Compliance: Applicable regulations and policies will be upheld.
10. Example of Objectives
- To ensure new call center representatives receive the necessary training within six months of hire date and demonstrate proficiency with subject matter and public voice.
- To answer 90% of Call Center calls within 60 seconds or less and have the average speed of answering Call Center calls be less than 25 seconds.
12. Step 2: Identify and Assess the Risks
- Identify the internal and external factors that threaten the achievement of HESC's objectives.
- Prioritize by
- Impact
- Likelihood
13. Questions to Consider During Risk Identification
- What could go wrong?
- Why or how could it occur?
- How bad could it be?
- How likely is it to occur?
14. Prioritizing Risks
- High Risk: A most serious problem or threat to achieving the business objective. It must be addressed immediately. Failure to comply with applicable laws is high risk.
- Medium Risk: A problem which would make it hard to achieve the business objective and would take a lot of time and effort to fix if it happened.
- Low Risk: A problem from which HESC could recover rather easily and still achieve the business objective.
- Do not consider the effect of controls that are in place.
15. [Figure: risk prioritization grid, both axes scaled 1 to 9]
16. Tips for Describing Risks
- Write a description of the negative event.
- Include a description of why or how the risk could occur.
- Differentiate risk impacts from risk causes.
- The risk description should be clear and detailed.
17. Example of Risks
- Customer Service Risk: Call Center representatives provide inaccurate information to HESC customers.
- Customer Service Risk: Calls go unanswered due to system issues, low number of staff, untrained staff.
19. Step 3: Identify, Document, Evaluate and Test the Controls
- Identify the controls in place to reduce or eliminate risks.
- Evaluate the adequacy of those controls.
- Verify controls are working as intended.
20. Controls
- Provide reasonable assurance that what is supposed to happen actually does. Controls also minimize the likelihood of negative surprises.
21. Types of Controls
- Documentation
- Approval/Authorization
- Verification
- Supervision
- Segregation of Duties
- Safeguarding Assets
- Reporting
- Reconciliation
22. Questions to Consider During Control Documentation
- Who performs the control?
- When is the control performed?
- Why is it performed?
- What happens to exceptions?
- Where is the control performed?
- How is it performed?
23. What to Consider When Evaluating Controls
- The nature of the operation
- The program objective
- The risk priority
- The need for cost-efficiency and time-effectiveness
- The need for mandated controls
24. Managing Risks
- Control Environment Elements: Sets the tone of the Agency. Includes ethical values, integrity, employee experience, training programs.
- Control Activities: Policies and procedures established to ensure directives are carried out. Includes passwords, authorization requests, physical control over assets, documentation.
- Monitors: Assess the effectiveness of the internal control system. Includes customer satisfaction surveys, reviews, data comparisons, reconciliations.
25. Example of Controls
- Supervisor tracks calls and runs, constantly providing real-time reporting on each supervisor's computer screen. At the end of the day supervisors run historical reports which are reviewed and distributed to all of their staff.
- Emergency Skills Announcement is used if IVR is up but the Call Center is closed (i.e., a fire drill).
26. Testing
- Provide proof that controls are operating as intended to manage the risks and achieve the related control objectives.
27. Walkthrough Methods
- Document Analysis: Review records, forms, or other documents.
- Observation: Watch the control being performed in practice.
- Interview: Elicit information from those performing the control.
29. Step 4: Recommend Corrective Action and Follow-up
- Based on the results of the control evaluation and testing, management may need to develop an appropriate action plan to correct situations in which the controls are either non-existent, not functioning as intended, or inefficient.
30. Take Corrective Action
Risk Response: when weaknesses are found, decide to
- Institute new controls.
- Improve existing controls.
- Accept the risk.
31. Example of Corrective Action
- Call Center will implement a system/process to monitor complaints using a spreadsheet with details of complaint and resolution.
- Create a log of compliments received.
32. Titanic Disaster
- The Titanic received seven different iceberg warnings on the day of her sinking, six of which were disregarded by Captain E. J. Smith. The seventh warning never made it to the bridge.
33. Space Shuttle Disaster
- Disintegration of the entire vehicle began after an O-ring seal in its right Solid Rocket Booster (SRB) failed at liftoff. NASA managers had known since 1977 that contractor Morton Thiokol's design of the SRBs contained a potentially catastrophic flaw in the O-rings, but they failed to address it properly. They also disregarded warnings from engineers about the dangers of launching on such a cold day and had failed to adequately report these technical concerns to their superiors.
34. Next Steps
- Choose a function
- Decide the scope
- Select personnel
- Attend meetings
- Complete walkthrough
- Risk Management Report to executives
35. Conclusion
- Lessons learned
  - It is better to disclose risks and weaknesses before something happens
  - You can influence the process by offering solutions
36. Extreme Makeover: A Special Thank You to Maryann Kresge for helping to prepare this presentation