Audits & Assessments: What are the Differences
and How Do We Learn from the Results?
Brown Bag
March 12, 2009
Sal Rubano – Director, Office of the Vice President and General Counsel, Enterprise Risk
Management [email protected] 432-54949
Tammy Raccio – Associate Director, Audit Department
[email protected] 432-7830
Julia Janowick – Deputy University Research Compliance Officer, Office of Research
Administration, [email protected] 432-6977
Agenda
• Terminology and principles
• Common objectives
• Enterprise risk management
• Audits
• Assessments
• Q&A
Terminology and principles
Risk: the potential for a scenario in which an individual or situation fails to adhere to a regulation, policy or procedure that applies to the activity in which they are engaged, and/or the failure of an internal control to prevent or detect such non-adherence
• Risk is generally measured by likelihood and impact:
– How likely is it that the risk will occur?
– What is the impact if the risk does occur?
• How do we handle risks once identified and measured?
– Accept
– Manage
– Transfer
– Eliminate
Internal Controls: policies and procedures for preventing and detecting the failure of adherence to a regulation, policy or procedure
Common objectives of audits, enterprise risk management & assessments
• Protect the University and University community from liability and risk
• Enable management to act proactively and avoid “unwanted surprises”
• Identify and correct non-compliance
• Identify gaps in process and understanding in order to determine:
– What policies and procedures need to be clarified and/or created?
– Where there are opportunities for increased training and education?
Enterprise Risk Management (ERM)
What is ERM?
• Process of planning, organizing, leading, and controlling the activities of the University in order to minimize the effects of risk to its operations.
• Expands risk management beyond the traditional concept of insurable risks associated with accidental losses to include reputation, health & safety, operational, compliance, financial and other risks.
• Views University’s operations as a portfolio of activities with attendant risks.
• Focuses on identifying and managing University risks in a proactive and anticipatory manner
Enterprise risk management goals
• Foster a risk-aware culture
• Anticipate institutional risks
• Escalate major institutional risks
• Develop information and provide recommendations to Officers in prioritizing risk areas for special attention and resources
• Report status of institutional risks to Trustees
Enterprise risk management focus
[Slide diagram: institutional risk areas shown moving from Inherent Risk to Residual Risk]
Risk areas: Research, Information Technology, OEH&S, Finance, Student Life, International, Medicine, External Relations, Academic Affairs, Human Resources
Ongoing Monitoring by Risk Process Owner
Independent evaluation by University Audit
Risk Mitigation Strategies
1. Policies/Procedures
2. Training/Awareness
3. Automated Controls
4. Process/Workflow
5. Monitoring
Enterprise risk management outcomes
• Most important risk exposures to the University are identified and addressed proactively
• Risk awareness is embedded into day-to-day business decisions
Internal Audit Department’s Risk Based Auditing
• Analyzes financial data to identify high risk areas or high risk transaction types
– Identify specific period of review
– Identify greatest areas of exposure
– Determine areas deserving a specific risk review
Internal Audit Department’s Risk Based Auditing
• Assess the internal controls utilized to reduce risks to an acceptable level or eliminate risks altogether
• Document internal controls employed to obtain reasonable assurance that goals and objectives can be met for areas identified as high risk
– Through various methods (inquiry, observation, review) document the processes in place to achieve an effective control environment
– Sample transactions to verify documented internal controls are working properly
Internal Audit Department’s Risk Based Auditing
Auditors Evaluate Internal Controls related to high risk areas
Examples of Internal Controls include (proactive and detective controls):
• Creation of an Environment of Control Awareness
• Separation of Duties
• Authorizations/Approval
• Reviews
• Reconciliations
• Monitoring
• Asset Security
• Information and Communication
Internal Auditing Department’s Risk Based Auditing
Not designed to:
• Detect fraud or collusion
• Find transactions not in compliance with policies and procedures
• Increase technical competence
• Assess staffing
Any one of these may happen in our audits; however, our audits are not designed to find or test for these.
We are not the transaction police but are governance partners with management!
Research compliance assessments
What is a research compliance assessment?
• A review of a particular process or work area to determine conformance with federal regulations and University policies and procedures related to research
– What are the applicable requirements?
• What should we be doing?
– What is our practice?
• What are we actually doing?
– Where are there gaps between requirements and practice?
• Is there a disconnect between what we should be doing and what we are doing?
– Where are there opportunities for improvement?
• What strategies can we develop to close any gaps between requirements and practice and ensure compliance?
Research assessment goals
• Identification and measurement of risks
– Take a proactive approach to identifying and managing research compliance risks
– Identify, classify, quantify and prioritize risks
• Elimination or management of risks
– Identify and correct non-compliance
– Make recommendations for process improvements which will minimize liability and risk
– Partner with the research community in innovative and effective ways to minimize and manage risks
– Better identify and target the most useful and effective training and education
Research assessment focus
Sponsored projects administration
Protection of human subjects
Conflict of interest
Export Controls
Use and care of animals
Intellectual property
Operating environment
Environmental health and safety
Stem cell research
Research Misconduct
Clinical trial billing
HIPAA
Research assessment process
• Discussions and interviews with process owners
• Process reviews
• Information and data review
Research assessment outcomes
• Identification, prioritization and elimination or management of real and potential research compliance risks
– Enhance and clarify existing policies, procedures and guidance and/or create new policies, procedures and guidance to address non-compliance, operational deficiencies and/or gaps in knowledge and understanding
– Recommendations for process improvements
– Identify and target necessary training and education
– Correct non-compliance
– Develop self-assessment tools for process owners to regularly assess their own activities
Recap: commonalities and differences in our general processes
(Which of ERM, Audits and Assessments use each element of the process)
• Identification of risks and risk management strategies: ERM, Audits, Assessments
• Discussions with process owners: ERM, Audits, Assessments
• Escalation of key risk issues: ERM, Audits, Assessments
• Process reviews: Audits, Assessments
• Information and data review: Audits, Assessments
• Transaction sampling: Audits
• Fiscal focus: Audits
• Research compliance focus: Assessments
Conclusion: we are all in this together!
Our offices work together, complementing each other’s methods to mitigate risks to the University
– We meet regularly to:
• Share ideas and information
• Avoid duplication of effort
• Cover more ground
You too can help with identification of risks: “if you see something, say something!”
Questions?