19 March 2008 Assessment workshop 1 Assessment methodology


Assessment methodology


Characteristics

Focus on:

• Integrity, not corruption

• Prevention, not repression

• Organisations, not legislation

• Processes, not people


Assessment methodology

• Object definition

– organisation

– processes

• Assessment vulnerabilities

• Assessment Maturity level Integrity Control System

• Gap analysis

• Recommendations for strengthening controls


Outcome

• Depending on the objective, thoroughness, scope and results of these steps, the result could be:

–In-depth Risk Analysis

–Action agenda

–Audit proposal

–Audit report


Assessment of vulnerabilities

Assess the vulnerability profile:

• What are the inherent vulnerabilities?

• Are there circumstances that may increase the vulnerability of the organisation?

• Result:

– Vulnerability profile

– List of vulnerable processes


High vulnerability areas

Areas dealing with the public or with the private sector:

– Collecting: Assessments, taxes, import duties, excise duties, fees, charges

– Contracting: Tenders, orders, assignments, awards

– Payment: Subsidies, benefits, allowances, grants, sponsoring

– Granting/issuance: Permits, passports, driving licenses, identity cards, authorisations, inspections

– Public services: Health care, education, garbage collection, water supply etc.

– Regulating: Design and implementation of new regulations

– Supervising/enforcement: Supervision, control, inspection, prosecution, detection, justice, punishment

Areas dealing with government property:

– Information: National security, confidential information, documents, dossiers, copyright

– Money: treasury, financial instruments, portfolio management, cash/bank via budgets, premiums, expenses, bonuses, allowances, etc.

– Goods: Buying/selling (auction), management and consumption

– Real estate: Buying/selling (buildings / land)


Vulnerability Enhancement Profile

Factors:

• Complexity

• Change/dynamics

• Management

• Personnel

• Problem history


Assessment maturity level integrity control system

Assess the maturity level of the integrity control system

• What is the maturity of the integrity control system?

– Existence of controls

– Operation of controls

– Performance of controls

• Result:

– Maturity profile of integrity control system


Maturity levels

Level: Criteria

Level 0:

– This measure does not exist

Level 1:

– This measure exists

– Its implementation / observance is unclear

Level 2:

– This measure exists

– It is implemented / observed

– Its effectiveness is unclear

Level 3:

– This measure exists

– It is implemented / observed

– It is effective


Integrity Control System

Hard controls:

– 1 Legislation and regulation

– 2 Responsibilities

– 3 Administrative organisation / internal control

– 4 Security

General controls:

– 9 Recruitment & selection

– 10 Response to integrity violations

– 11 Policy framework

– 12 Vulnerability/risk analysis

– 13 Accountability

– 14 Audit & monitoring

Soft controls:

– 5 Values and standards

– 6 Integrity awareness

– 7 Management attitude

– 8 Organisational culture


Gap analysis

Match maturity level of integrity control system with established risks

– What are the organisation's most important integrity risks?

– Does the integrity control system protect the organisation against these integrity risks?

– What are the remaining risks?


Gap analysis: Vulnerabilities

• Resilience is determined by the maturity level of integrity controls

• Balance may be achieved by reducing vulnerability or enhancing controls

[Diagram: Vulnerabilities, Resilience, Remaining Vulnerability]


Gap analysis: Risks

• Mitigation of risks is possible by introducing specific controls

• Remaining imbalance = Remaining risks

[Diagram: Vulnerabilities, Resilience, Risks, Mitigation, Remaining risks]


Assessment methodology

Mini workshop


Assessment vulnerabilities

Assess the vulnerability profile:

• Check and name high vulnerability areas for this organisation

• Check and name vulnerability increasing circumstances

• Award score of increased vulnerability in profile


Assessment maturity level of integrity control system

Assess the integrity control system / resilience

– Assess the maturity level of the integrity controls

– Analyse the strengths and weaknesses of the integrity control system


Gap analysis

Match resilience (maturity level of integrity control system) with established vulnerabilities

[Diagram: Vulnerabilities, Resilience, Remaining Vulnerability]