RiskManagementInternalControlGuidelines.ppt
7/27/2019 http://slidepdf.com/reader/full/riskmanagementinternalcontrolguidelinesppt (120 pages)

Page 1

Risk Management And Internal Control Guidelines

Tennessee Department of Finance and Administration
Tennessee Comptroller of the Treasury

August 2007

Page 2

INTRODUCTION

MANAGEMENT’S GUIDE TO RISK MANAGEMENT AND INTERNAL CONTROL

Page 3

INTRODUCTION (CONT’D)

Enterprise Risk Management
Changing Political And Regulatory Environment
Sarbanes-Oxley Act
General Accounting Office
AICPA Auditing Standards

Page 4

INTRODUCTION (CONT’D)

Internal Control and Governance Problems
Results of Texas State Comptroller’s ERM Implementation
Texas State Auditor Considers Increased Accountability a Priority

Page 5

INTRODUCTION (CONT’D)

Committee Of Sponsoring Organizations Of The Treadway Commission
First report: Internal Control — Integrated Framework
Second report: Enterprise Risk Management — Integrated Framework

Page 6

INTRODUCTION (CONT’D)

Guidance: Education and Tools
Agency Heads’ Responsibility

Page 7

OVERVIEW

Page 8

Overview

Relationship of COSO I and II
COSO Cube (three-dimensional matrix)
Objectives
Components
Entity Unit
Effectiveness
Roles and responsibilities

Page 9

Relationship of COSO I to COSO II

Internal Control — Integrated Framework (COSO I)
Still important for entities looking at internal control by itself

Enterprise Risk Management — Integrated Framework (COSO II)
Broader than internal control
Expands and elaborates on internal control
Focuses more fully on risk
Introduces the concepts of risk appetite, risk tolerance, and portfolio view

Page 10

COSO Cube

Direct relationship between objectives and enterprise risk management (ERM) components
Focus on the entirety of an entity’s ERM, or by objectives categories, component, entity unit, or any subset thereof

Page 11

Objectives Categories

Strategic
Effectiveness and efficiency of operations
Integrity and reliability of reporting
Compliance with applicable laws, regulations, contracts, and grant agreements
Stewardship of assets

Page 12

Components

Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring

Page 13

Effectiveness

Are the 8 components present and functioning effectively?
The components are criteria for effective ERM
Present and functioning properly = no significant deficiencies and material weaknesses
Testing the operating effectiveness of controls is different from obtaining evidence of implementation; it looks at:
How controls were applied during the period
Consistency with which controls were applied
By whom and by what means they were applied

Page 14

Roles and Responsibilities

Audit committee, board of directors, or other oversight body
Commissioner/director/department head
Senior management
Internal audit
Other entity personnel

Page 15

SECTION I
INTERNAL ENVIRONMENT

Page 16

SECTION I: INTERNAL ENVIRONMENT

What is it?

Risk Management Philosophy
Set of shared beliefs and attitudes
Reflects the entity’s values, influencing its culture and operating style
Affects how risks are identified, kinds of risks accepted, and how they are managed

Page 17

Internal Environment (cont’d)

Risk Appetite
Amount of risk management is willing to accept
Influences the entity’s culture and operating style

Oversight by Audit Committee
Oversight by another group
May significantly influence elements of Internal Environment

Page 18

Internal Environment (cont’d)

Integrity and Ethical Values
Management’s values
Code of conduct

Commitment to Competence
Knowledge and skills of staff
How well tasks need to be accomplished

Page 19

Internal Environment (cont’d)

Organizational Structure
Framework to plan, execute, control, and monitor activities

Assignment of Authority and Responsibility
Extent of authority and responsibility

Human Resource Standards
Staff development, training, and evaluation

Page 20

SECTION II
OBJECTIVE SETTING

Page 21

Objective Setting

EVERY AGENCY FACES A VARIETY OF RISKS FROM EXTERNAL AND INTERNAL SOURCES, AND A PRECONDITION TO EFFECTIVE EVENT IDENTIFICATION, RISK ASSESSMENT, AND RISK RESPONSE IS ESTABLISHMENT OF OBJECTIVES

Page 22

Objective Setting

OBJECTIVES MUST EXIST BEFORE MANAGEMENT CAN IDENTIFY POTENTIAL EVENTS AFFECTING THEIR ACHIEVEMENT

ENTERPRISE RISK MANAGEMENT (ERM) ENSURES THAT MANAGEMENT HAS IN PLACE A PROCESS TO SET OBJECTIVES AND THAT THE CHOSEN OBJECTIVES SUPPORT AND ALIGN WITH THE AGENCY’S MISSION AND ARE CONSISTENT WITH ITS RISK APPETITE

Page 23

Objective Setting

WHILE AN AGENCY’S MISSION AND STRATEGIC OBJECTIVES ARE GENERALLY STABLE, ITS STRATEGY AND MANY RELATED OBJECTIVES ARE MORE DYNAMIC AND ADJUSTED FOR CHANGING INTERNAL AND EXTERNAL CONDITIONS

AS CONDITIONS CHANGE, STRATEGY AND RELATED OBJECTIVES ARE REALIGNED WITH STRATEGIC OBJECTIVES

Page 24

Objective Setting

IN CONSIDERING WAYS TO ACHIEVE ITS STRATEGIC OBJECTIVES, MANAGEMENT IDENTIFIES RISKS ASSOCIATED WITH A RANGE OF STRATEGY CHOICES AND CONSIDERS THEIR IMPLICATIONS

VARIOUS EVENT IDENTIFICATION AND RISK ASSESSMENT TECHNIQUES ARE USED IN THE STRATEGY-SETTING PROCESS

Page 25

Objective Setting

BY FOCUSING FIRST ON STRATEGIC OBJECTIVES AND STRATEGY, AN AGENCY IS IN A POSITION TO DEVELOP RELATED OBJECTIVES

AGENCY-WIDE OBJECTIVES ARE THEN LINKED TO AND INTEGRATED WITH MORE SPECIFIC OBJECTIVES THAT CASCADE THROUGH THE ORGANIZATION TO SUB-OBJECTIVES ESTABLISHED FOR VARIOUS ACTIVITIES

Page 26

Objective Setting

OBJECTIVES NEED TO BE READILY UNDERSTOOD AND MEASURABLE

ERM REQUIRES THAT PERSONNEL AT ALL LEVELS HAVE AN UNDERSTANDING OF THE AGENCY’S OBJECTIVES AS THEY RELATE TO THAT INDIVIDUAL’S SPHERE OF INFLUENCE

ALL EMPLOYEES MUST HAVE A MUTUAL UNDERSTANDING OF WHAT IS TO BE ACCOMPLISHED AND A MEANS OF MEASURING WHAT IS BEING ACCOMPLISHED

Page 27

Objective Setting

THREE BROAD CATEGORIES OF OBJECTIVES
OPERATIONS
REPORTING
COMPLIANCE

Page 28

SMART OBJECTIVES

Specific: Use specific terms rather than vague abstract ones
Measurable: Include some method for objectively measuring their achievement
Achievable: Are challenging but realistic
Relevant: Follow the business strategy of the organization
Timely: Specify a time period

Page 29

Objective Setting

EFFECTIVE ERM PROVIDES REASONABLE ASSURANCE THAT AN AGENCY’S REPORTING AND COMPLIANCE OBJECTIVES ARE BEING ACHIEVED

HOWEVER, BECAUSE ACHIEVEMENT OF OPERATIONS OBJECTIVES IS NOT SOLELY WITHIN AN AGENCY’S CONTROL (i.e. IT IS SUBJECT TO EXTERNAL EVENTS), ERM PROVIDES REASONABLE ASSURANCE THAT MANAGEMENT IS MADE AWARE, ON A TIMELY BASIS, OF THE EXTENT TO WHICH AN AGENCY IS MOVING TOWARD THE ACHIEVEMENT OF THESE OBJECTIVES

Page 30

Objective Setting

• STRATEGIES OF THE BUSINESS
• KEY BUSINESS OBJECTIVES
• RELATED OBJECTIVES THAT CASCADE DOWN THE ORGANIZATION FROM KEY BUSINESS OBJECTIVES
• ASSIGNMENT OF RESPONSIBILITIES TO ORGANIZATIONAL ELEMENTS AND LEADERS (LINKAGE)

Page 31

Objective Setting

EFFECTIVE ERM DOES NOT DICTATE WHICH OBJECTIVES MANAGEMENT SHOULD CHOOSE, BUT RATHER THAT MANAGEMENT HAS A PROCESS THAT ALIGNS STRATEGIC OBJECTIVES WITH AN AGENCY’S MISSION AND ENSURES THAT THE ENTITY’S CHOSEN STRATEGIC AND RELATED OBJECTIVES ARE CONSISTENT WITH THE AGENCY’S RISK APPETITE

Page 32

Objective Setting – Risk appetite

RISK APPETITE IS A GUIDEPOST IN STRATEGY SETTING
THERE IS A RELATIONSHIP BETWEEN AN AGENCY’S RISK APPETITE AND ITS STRATEGY
DIFFERENT STRATEGIES CAN BE USED TO ACHIEVE DESIRED RETURN, EACH HAVING DIFFERENT RISK

Page 33

Objective Setting – Risk appetite

RISK APPETITE IS THE AMOUNT OF RISK, ON A BROAD LEVEL, AN AGENCY IS WILLING TO ACCEPT IN PURSUIT OF ITS MISSION, VISION, BUSINESS OBJECTIVES AND VALUE GOALS
DIRECTLY RELATED TO AN AGENCY’S CULTURE, CAPABILITY, RISK CAPACITY AND STRATEGY
SHOULD CONSIDER RISK APPETITE BOTH QUALITATIVELY AND QUANTITATIVELY - IT IS MANY TIMES EXPRESSED IN ACCEPTABLE/UNACCEPTABLE OUTCOMES OR LEVEL OF RISK

Page 34

Objective Setting – Risk appetite

SOME POSSIBLE QUESTIONS
WHAT RISKS WILL THE AGENCY NOT ACCEPT? (For example, environmental or quality compromises)
ARE THERE SPECIFIC RISKS THAT THE AGENCY IS NOT PREPARED TO ACCEPT? (For example, risks that could result in non-compliance with federal regulations)
IS THE AGENCY PREPARED TO ENTER INTO PROGRAMS WITH LOWER LIKELIHOOD OF SUCCESS BUT LARGER POTENTIAL RETURNS?

Page 35

Objective Setting – Risk appetite

USE OF A LIKELIHOOD-IMPACT ASSESSMENT (MATRIX) IS A GOOD TOOL IN DOCUMENTING RISK APPETITE
FOR EACH RISK, FREQUENCY OF OCCURRENCE (PROBABILITY) AND WORST OUTCOME (IMPACT) ARE ASSESSED AND CAPTURED IN A MATRIX
THE MATRIX IS THEN COMPARED WITH A CHARTED RISK APPETITE MAP THAT OUTLINES THE MAXIMUM ADVERSE RISK AN AGENCY IS WILLING TO ACCEPT

Page 36

Impact vs. Probability

Chart: IMPACT on the vertical axis and PROBABILITY on the horizontal axis, each running from Low to High; the plotted area is divided into a region labeled Within Risk Appetite and a region labeled Exceeds Risk Appetite.

Page 37

Objective Setting – Risk tolerance

RISK TOLERANCE, THE ACCEPTABLE LEVEL OF VARIATION AROUND OBJECTIVES, MUST BE ALIGNED WITH RISK APPETITE
REQUIRES THE ARTICULATION OF ACCEPTABLE VARIABILITY FROM THE SPECIFIED RISK APPETITE FOR ALL POSSIBLE OUTCOMES
OPERATIONALIZES THE RISK APPETITE
GENERALLY EXPRESSED IN TERMS OF RISK MEASURES OR OUTCOMES

Page 38

Objective Setting – Risk tolerance

SHOULD BE SET SUCH THAT THE AGGREGATION OF RISK TOLERANCES ENSURES THE ORGANIZATION OPERATES WITHIN THE RISK APPETITE

Page 39

SECTION III
EVENT IDENTIFICATION

Page 40

EVENT IDENTIFICATION

INTERNAL AND EXTERNAL EVENTS AFFECTING ACHIEVEMENT OF AN AGENCY’S OBJECTIVES MUST BE IDENTIFIED, DISTINGUISHING BETWEEN RISKS AND OPPORTUNITIES

MANAGEMENT IDENTIFIES POTENTIAL EVENTS THAT, IF THEY OCCUR, WILL AFFECT THE AGENCY, AND IN WHAT MANNER

Page 41

Event identification

EVENTS WITH A POSITIVE IMPACT REPRESENT OPPORTUNITIES THAT SHOULD BE CHANNELED BACK INTO MANAGEMENT’S STRATEGY OR OBJECTIVE-SETTING PROCESSES

EVENTS WITH A NEGATIVE IMPACT REPRESENT RISKS, WHICH REQUIRE MANAGEMENT’S ASSESSMENT AND RESPONSE

Page 42

Event identification

AN EVENT IS AN INCIDENT OR OCCURRENCE ARISING FROM INTERNAL OR EXTERNAL SOURCES THAT AFFECTS IMPLEMENTATION OF STRATEGY OR ACHIEVEMENT OF OBJECTIVES

A NUMBER OF EXTERNAL AND INTERNAL FACTORS DRIVE EVENTS

Page 43

Event identification

CONTRIBUTING EXTERNAL FACTORS
ECONOMIC
NATURAL ENVIRONMENT
POLITICAL
SOCIAL

CONTRIBUTING INTERNAL FACTORS
INFRASTRUCTURE
PERSONNEL
PROCESS
TECHNOLOGY

SOME TYPICAL GOVERNMENT RISKS

Page 44

SOME TYPICAL GOVERNMENT RISKS

Diagram of risks surrounding the central goal "Achieving Service Delivery":

Economic changes such as lower economic growth reduce tax revenue and opportunities to provide a wider range of services, or limit the availability or quality of existing services
Failure to innovate, leading to sub-standard services
Loss or misappropriation of funds through fraud or impropriety
Environmental damage caused by failure of regulations or government inspection regime
Inconsistent policy objectives resulting in unwanted outcomes
Project delays, cost overruns and inadequate quality standards
Inadequate skills or resources to deliver services as required
Failure of contractors, partners or other government agencies to provide services as required
Failure to properly evaluate pilot projects before a new service is introduced may result in problems when the service becomes fully operational
Failure to measure performance adequately
Technical risk – failure to keep pace with technical developments, or investment in inappropriate or mismatched technology
Inadequate service plans to maintain continuity of service delivery
Failure to monitor implementation

Page 45

Event identification

AN AGENCY’S EVENT IDENTIFICATION METHODOLOGY MAY CONSIST OF A COMBINATION OF TECHNIQUES, TOGETHER WITH SUPPORTING TOOLS
TECHNIQUES VARY WIDELY IN LEVEL OF SOPHISTICATION

Page 46

EXAMPLES OF TECHNIQUES FOR IDENTIFYING EVENTS:
• EVENT INVENTORIES (LISTING COMMON POTENTIAL EVENTS)
• INTERNAL ANALYSIS (COMPLETED AS PART OF A ROUTINE PLANNING CYCLE PROCESS, TYPICALLY THROUGH STAFF MEETINGS)
• ESCALATION OR THRESHOLD TRIGGERS (COMPARE CURRENT TRANSACTIONS OR EVENTS WITH PREDEFINED CRITERIA)
• FACILITATED WORKSHOPS AND INTERVIEWS (DRAW ON ACCUMULATED KNOWLEDGE AND EXPERIENCE OF MANAGEMENT, STAFF AND STAKEHOLDERS THROUGH STRUCTURED DISCUSSIONS)

Page 47

Event identification

POTENTIAL EVENTS ARE ALSO IDENTIFIED ON AN ONGOING BASIS IN CONNECTION WITH ROUTINE BUSINESS ACTIVITIES, SUCH AS:
INDUSTRY/TECHNICAL CONFERENCES
PEER WEBSITES
BENCHMARKING REPORTS
TRADE & PROFESSIONAL JOURNALS
MEDIA REPORTS
MONTHLY MANAGEMENT REPORTS

Page 48

Event identification

ANOTHER USEFUL TOOL IS TO INTRODUCE AN INTERMEDIATE STEP - IDENTIFYING WHAT YOU DEPEND UPON TO ACHIEVE YOUR OBJECTIVES
THIS IS SOMETIMES MUCH EASIER THAN TRYING TO THINK ABOUT ALL THE EVENTS THAT COULD PREVENT SUCCESS

Page 49

Event identification

EVENTS DO NOT OCCUR IN ISOLATION – ONE EVENT CAN TRIGGER ANOTHER AND EVENTS CAN OCCUR CONCURRENTLY
MANAGEMENT SHOULD UNDERSTAND HOW EVENTS RELATE TO ONE ANOTHER

Page 50

Event identification

IT MAY BE USEFUL TO GROUP EVENTS INTO CATEGORIES (i.e. GROUPS OF SIMILAR POTENTIAL EVENTS)
SIMILAR EVENTS SHOULD BE COMBINED TO DEVELOP AN INITIAL RISK UNIVERSE AND DETERMINE HOW TO TRACK AND UPDATE THE LISTING OF POTENTIAL EVENTS AND RISKS

Page 51

Event identification

FINANCIAL FOLKS NEED TO REMEMBER THAT:
EVENT IDENTIFICATION NEEDS TO INVOLVE A COMPLETE CROSS-SECTION OF MANAGEMENT, AS POSSIBLE EVENTS INCLUDE BUSINESS SCENARIOS OF WHICH FINANCIAL MANAGEMENT MAY NOT BE AWARE

Page 52

INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED

1. THE ORGANIZATION DEFINES GOALS AND OBJECTIVES FOR THE ENTERPRISE AS A WHOLE
2. AN EFFECTIVE STRATEGIC PLANNING PROCESS IS IN PLACE TO FORMULATE STRATEGIES THAT WILL ENABLE THE ORGANIZATION TO ACHIEVE ITS BUSINESS OBJECTIVES

Page 53

INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED (CONT’D)

3. BUSINESS STRATEGIES ARE CLEARLY ARTICULATED WITH OBJECTIVES LINKED TO EACH
4. THE RISK IDENTIFICATION PROCESS IS DESIGNED TO MAKE A CLEAR LINK BETWEEN THE ORGANIZATION’S OBJECTIVES AND THE ASSOCIATED RISKS

Page 54

INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED (CONT’D)

5. RISK TO THE ACHIEVEMENT OF OBJECTIVES IS EVALUATED TO ENSURE IT DOES NOT EXCEED THE LEVELS OF RISK DETERMINED BY MANAGEMENT AS ACCEPTABLE
6. ACCEPTABLE TOLERANCE LIMITS ON THE RISK TO THE ACHIEVEMENT OF KEY OBJECTIVES HAVE BEEN DETERMINED
7. MANAGEMENT USES MEANINGFUL PERFORMANCE MEASURES IN MONITORING RESULTS AGAINST OTHER SET TOLERANCES

Page 55

INDICATORS THAT THE ERM EVENT IDENTIFICATION PRINCIPLES ARE IMPLEMENTED

1. DATA ON BUSINESS OPERATING ENVIRONMENT EVENTS – POLITICAL, ECONOMIC, ETC. – IS CAPTURED AND REGULARLY EVALUATED IN TERMS OF THEIR POTENTIAL IMPACT UPON THE ORGANIZATION’S BUSINESS OBJECTIVES
2. A PORTFOLIO OF EVENTS THAT COULD AFFECT THE ACHIEVEMENT OF OBJECTIVES – INTERNAL AND EXTERNAL – HAS BEEN PREPARED
3. EVENTS ARE LINKED TO AND RISK EVALUATED BY INDIVIDUAL OBJECTIVE

Page 56

INDICATORS THAT THE ERM EVENT IDENTIFICATION PRINCIPLES ARE IMPLEMENTED (CONT’D)

4. GOALS AND OBJECTIVES FOR IDENTIFYING EVENTS AND THE RELATED RISKS EXIST AND ARE COMMUNICATED TO ALL SEGMENTS OF THE ORGANIZATION
5. RESPONSIBILITIES AND ACCOUNTABILITIES FOR RISK IDENTIFICATION ARE CLEARLY DEFINED AND UNDERSTOOD
6. RISK IS CONSIDERED IN TERMS OF NOT JUST ISOLATED EVENTS BUT ALSO INTER-RELATED EVENTS
7. EVENTS ARE CATEGORIZED INTO USEFUL GROUPS TO FACILITATE THE AGGREGATION OF INFORMATION FOR PURPOSES OF ASSESSING RISKS
8. THE ORGANIZATION EVALUATES EVENTS IN THE CONTEXT OF THE POTENTIAL UPSIDES (OPPORTUNITIES) AS WELL AS THE DOWNSIDE (RISKS)

Page 57

Event identification

THE NEXT TOPIC, THE RISK ASSESSMENT COMPONENT, ALLOWS AN AGENCY TO CONSIDER THE EXTENT TO WHICH POTENTIAL EVENTS MIGHT HAVE AN IMPACT ON ACHIEVEMENT OF OBJECTIVES

Page 58

SECTION IV
RISK ASSESSMENT

Page 59

Risk Assessment

Risk is "the possibility that an event will occur and adversely affect the achievement of objectives," thereby decreasing value for the entity’s stakeholders.

Page 60

Risk Assessment

- Risks are analyzed and assessed as to their likelihood and impact
- Management considers the mix of future events, both expected & unexpected
- Useful first step – often a "brainstorming" session
- What is the "worst that could happen," or the "worst that happened?"

Page 61

Consider the "Risk Appetite"

Broadly defined as amount of risk an entity is willing to accept in pursuing its objectives.
For most government entities: risk appetite is fairly low!
Related is risk tolerance: "tolerable level of variation associated w/ a particular objective."

Page 62

Consider Both Inherent & Residual Risk

Inherent – Risk without any management activity or before controls are in place. Example: inherent risk mitigated by payment card’s policies and procedures.

Residual – level of risk that remains after management has a plan in place to deal with the risk. Example: residual risk remains after payment card policies are in place.

Page 63

Consider both Likelihood and Impact

Likelihood: possibility an event will occur, measured in "low, medium, high," percentage or some frequency of occurrence.
Impact: Effect on an agency or on others.

Page 64

Risk Assessment Uses Qualitative and Quantitative Methods

Quantitative methods are more precise.
Qualitative methods are necessary in situations where business activity does not lend itself to quantitative evaluation, or where such evaluation is not cost-effective.
Choice should reflect needs of the business unit and its employees.

Page 65

Consider Risk in Objective Setting

The framework of objectives: strategic, operational, reporting, compliance (see COSO cube).
Typically considerable overlap.
Several examples follow.

Page 66

Example: Operational

Risk that subrecipients in HIV/AIDS program are being reimbursed for unsupported expenditures.
Assessment – Extent of reimbursement and frequency is analyzed.
Note that paying subrecipient invoices for which no documentation exists subjects agency to possible fraud.

Page 67

Example: Reporting

Risk that management does not notify the Comptroller’s Office of overpayments, and failure to recover funds.
Assess why a breakdown occurred in both state policy and actual recoupment.
Lack of notification negates possibility of a thorough investigation.

Page 68

SECTION V
RISK RESPONSE

Page 69

V – Risk Response

“Having assessed relevant risks, management determines how it will respond, reviewing likelihood and impact, evaluating costs and benefits, and selecting options that bring residual (remaining) risk within the entity’s risk tolerances.”

Page 70

The Four Categories of Risk Response:

Avoidance – not participating in events that give rise to risk.
Reduction – Specific actions taken to reduce likelihood or impact or both.
Sharing – Reducing likelihood or impact by sharing a portion of the risk (insurance).
Acceptance – No action taken; management "learns to live with the risk," and monitors it.

Page 71: RiskManagementInternalControlGuidelines.ppt

7/27/2019 RiskManagementInternalControlGuidelines.ppt

http://slidepdf.com/reader/full/riskmanagementinternalcontrolguidelinesppt 71/120

Additional Factors in Risk Response

- For many risks, responses are obvious & well accepted.
- Response to risk may affect other factors, or affect likelihood/impact differently.
- Cost/Benefit – often the cost side is easier to analyze; the benefit side may be more subjective.
- Risk response may lead to improvements in service areas or additional value.
- Considers both inherent and residual risk.

Page 72: RiskManagementInternalControlGuidelines.ppt


Page 73: RiskManagementInternalControlGuidelines.ppt


A Portfolio View of Risk:

Can be depicted in several ways – focusing on major risk or event categories across divisions, program units, etc. While risk in a program unit may be within risk tolerance, taken together they may exceed the risk appetite of the entity, or have common elements that raise concerns.

Page 74: RiskManagementInternalControlGuidelines.ppt


Back to our previous examples:

1. Subrecipients in HIV/AIDS programs are routinely reimbursed for unsupported expenditures.

Response: After further analysis, a corrective action plan was identified that remedies failures in the reimbursement process: a cost-effective methodology to monitor expenditures.

Page 75: RiskManagementInternalControlGuidelines.ppt


Page 76: RiskManagementInternalControlGuidelines.ppt


SECTION VI

CONTROL ACTIVITIES

Page 77: RiskManagementInternalControlGuidelines.ppt


Integration with Risk Responses

Control activities generally are established to ensure risk responses are carried out. However, control activities themselves are risk responses.

Page 78: RiskManagementInternalControlGuidelines.ppt


Integration with Risk Responses

Risk responses and example control activities:

- Share risk – Agency participates in the state’s collateral pool or risk management fund.
- Reduce risk – Reduces likelihood and impact, e.g., disaster recovery plan in place to reduce the impact of a natural disaster.
- Risk avoidance – Policies that forbid certain “risky business,” e.g., agency not authorized to invest in certain risky investment instruments.
- Risk acceptance – Monitoring of certain activities that are deemed high risk, e.g., high-risk investments.

Page 79: RiskManagementInternalControlGuidelines.ppt


CONTROL ACTIVITIES

A single control activity can address multiple risk responses, or multiple control activities may be needed for one risk response.

Page 80: RiskManagementInternalControlGuidelines.ppt


Types of Control Activities

- Preventive
- Detective
- Manual (People Based)
- Automated (System Based)

Page 81: RiskManagementInternalControlGuidelines.ppt


Types of Control Activities

Preventive Controls are more reliable:

1. Prevent errors
2. Proactive approach – frees up people resources

Page 82: RiskManagementInternalControlGuidelines.ppt


Page 83: RiskManagementInternalControlGuidelines.ppt


Types of Control Activities

Reconciliations (Detective): Personnel approving or executing transactions should not perform reconciliations.

Reviews (Detective):
- Budget to Actual
- Current to prior period comparisons
- Performance measurements

Page 84: RiskManagementInternalControlGuidelines.ppt


Types of Control Activities

Approval/Authorizations (Preventive):
- Policies and procedures
- Limits to authority
- Supporting documentation
- Question unusual items

Page 85: RiskManagementInternalControlGuidelines.ppt


Types of Control Activities

Asset Security (Preventive and Detective):
- Physical safeguards
- Record retention
- Periodic counts/Inventories

Page 86: RiskManagementInternalControlGuidelines.ppt


Page 87: RiskManagementInternalControlGuidelines.ppt


Levels of Control Activities

Entity Level Controls: Controls management implements to establish the appropriate tone at the top. (Strategic Objectives) E.g., employees sign a code of conduct.

Process Level Controls: Mitigate risks involved in initiating, recording, processing or reporting transactions.

IT and Application Controls: Further mitigate process level risks.

Page 88: RiskManagementInternalControlGuidelines.ppt


Page 89: RiskManagementInternalControlGuidelines.ppt


CONTROL ACTIVITIES

The Writing on The Wall: Applying too narrow a focus to the identification of risks can lead to overlooking potential risks and issues. Think about risks without considering the existing processes and controls in place.

Page 90: RiskManagementInternalControlGuidelines.ppt


Effectiveness and Efficiency

Control activities must be tested to ensure there are no material weaknesses or significant deficiencies. Management should also ensure that control activities are carried out in a timely manner. Internal auditors may support management by providing assurance on the effectiveness and efficiency of control activities.

Page 91: RiskManagementInternalControlGuidelines.ppt


Control Activities Worksheet

The worksheet provided in Section VI can be used as a template for documenting risks and related controls.

Divided into 3 parts:
- Part I: Strategic, Operations, and Reporting Objectives
- Part II: Compliance Objectives
- Part III: Fraud

Page 92: RiskManagementInternalControlGuidelines.ppt


Control Activities Worksheet

- Worksheet is NOT all inclusive. N/A responses need to be addressed.
- Remember the writing on the wall.
- Any policy or procedure used as a risk response in Part I or III should be addressed in Part II, Compliance.
- Template may be modified.

Page 93: RiskManagementInternalControlGuidelines.ppt


Control Activities Worksheet – Part I: Strategic, Operations, and Reporting Objectives

Categorized by business processes:

1. Budget Process
2. Cash Disbursement/Expenditures
3. Cash Receipts/Revenues
4. Cash Management
5. Liabilities
6. Capital Assets/Inventory/Equipment
7. Information Systems/Data Processing
8. Personnel/Employee Compensation
9. Financial Reporting
10. Accounts Receivable
11. Investments

Page 94: RiskManagementInternalControlGuidelines.ppt


Control Activities Worksheet – Part III: Fraud

Categorized by the Association of Certified Fraud Examiners’ categories of fraud:
- Misappropriation of assets
- Corruption
- Fraudulent Reporting

Page 95: RiskManagementInternalControlGuidelines.ppt


Control Activities Worksheet – Part III: Fraud

Categories should be applied to each business process. Fraud control risk management should be integrated into the agency's philosophy, practices and business plans rather than be seen or practiced as a separate program. When it is integrated, risk management becomes the business of everyone in the organization.

Page 96: RiskManagementInternalControlGuidelines.ppt


Control Activities Worksheet – Part III: Fraud

Core areas to focus on:
- Information systems;
- Contracts;
- Grants and other payments or benefits programs;
- Purchasing;
- Services provided to the community;
- Revenue collection;
- Use of government credit cards;
- Travel allowance and other common allowances;
- Salaries; and
- Property and other physical assets, including physical security.

Page 97: RiskManagementInternalControlGuidelines.ppt


Other Considerations

Risks with large or moderate impact and probable (high) or reasonably possible (medium) likelihood of occurrence are your significant risks. These are the risks you need to address with control activities. No risk response is needed for insignificant risks, but BE CAUTIOUS AND OBJECTIVE. Insignificant risks still need to be documented on the worksheet. An explanation of their insignificant nature should be documented.

Page 98: RiskManagementInternalControlGuidelines.ppt


Other Considerations

Inherent Risks - Control Activities = Residual Risks

Ensure you evaluate all insignificant risks not addressed with control activities on an aggregate basis to ensure your residual risk is within your risk tolerance.

All risks (regardless of significance) should still be included.

Page 99: RiskManagementInternalControlGuidelines.ppt


Other Considerations

If any of the risks already included in the worksheet are deemed as having a low impact or remote likelihood of occurrence, treat it as a risk that is not applicable to your agency and document the explanation on the worksheet.

Don’t forget about abuse.
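As an added example that is not part of the original guidelines, the rules in the three "Other Considerations" slides (the significance rule on impact and likelihood, inherent risk less control activities giving residual risk, the aggregate check on uncontrolled insignificant risks, and the requirement to document an explanation for every insignificant or N/A risk) can be applied mechanically to a worksheet. The numeric weights, the tolerance value and the sample register are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Ordinal scales named on the slides. The numeric weights are an assumption
# for this example (used only for the aggregate residual check).
IMPACT = {"large": 3, "moderate": 2, "low": 1}
LIKELIHOOD = {"probable": 3, "reasonably possible": 2, "remote": 1}


@dataclass
class Risk:
    name: str
    impact: str
    likelihood: str
    controls: List[str] = field(default_factory=list)  # control activities on the worksheet
    explanation: Optional[str] = None                  # why the risk is insignificant / N/A


def is_significant(risk: Risk) -> bool:
    """Significant = large or moderate impact AND probable or reasonably possible likelihood."""
    return IMPACT[risk.impact] >= 2 and LIKELIHOOD[risk.likelihood] >= 2


def residual_score(risk: Risk) -> int:
    """Inherent risk (impact x likelihood) less one point per documented control
    activity (assumed weighting), never below 1."""
    inherent = IMPACT[risk.impact] * LIKELIHOOD[risk.likelihood]
    return max(1, inherent - len(risk.controls))


def worksheet_findings(risks: List[Risk], tolerance: int) -> List[str]:
    """Return the worksheet items that still need attention."""
    findings = []
    uncontrolled_residual = 0
    for r in risks:
        if is_significant(r):
            if not r.controls:
                findings.append(f"{r.name}: significant risk with no control activity")
        else:
            # Insignificant risks stay on the worksheet but need a documented explanation.
            if not r.explanation:
                findings.append(f"{r.name}: insignificant risk lacks documented explanation")
            if not r.controls:
                uncontrolled_residual += residual_score(r)
    # Insignificant risks left without controls are judged in aggregate against tolerance.
    if uncontrolled_residual > tolerance:
        findings.append(
            f"aggregate residual of uncontrolled insignificant risks "
            f"({uncontrolled_residual}) exceeds tolerance ({tolerance})"
        )
    return findings


# Constructed sample register: two entries echo the slides' own examples, the rest are hypothetical.
SAMPLE_REGISTER = [
    Risk("Subrecipient invoices paid without supporting documentation", "large", "probable",
         controls=["Documentation required before reimbursement", "Periodic expenditure monitoring"]),
    Risk("Overpayments not reported to the Comptroller's Office", "moderate", "reasonably possible"),
    Risk("Petty cash count variance", "low", "remote", explanation="Fund is immaterial; counted monthly"),
    Risk("Duplicate travel allowance claims", "moderate", "remote"),
    Risk("Retired equipment still carried in inventory", "low", "reasonably possible",
         explanation="Corrected at annual physical count"),
]


def sample_findings(tolerance: int = 4) -> List[str]:
    return worksheet_findings(SAMPLE_REGISTER, tolerance)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

With the assumed tolerance of 4 the sample register yields three findings: the unreported-overpayment risk has no control activity, the duplicate-claims risk lacks an explanation, and the three uncontrolled insignificant risks together exceed tolerance.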

Page 100: RiskManagementInternalControlGuidelines.ppt


SECTION VII

INFORMATION AND COMMUNICATION

Page 101: RiskManagementInternalControlGuidelines.ppt


Information

Needed at all levels of an organization to identify, assess, and respond to risks, to run the entity, and to achieve its objectives.

Internal and external sources

Financial and nonfinancial

Page 102: RiskManagementInternalControlGuidelines.ppt


Strategic and Integrated Systems

- Data processing and data management become a shared responsibility.
- IS architecture needs to be flexible and agile to effectively integrate with affiliated external parties.
- Have management’s risk management techniques contemplated organizational goals in making technology selection and implementation decisions?

Page 103: RiskManagementInternalControlGuidelines.ppt


Integration with Operations

- Applications facilitate access to information previously trapped in functional or departmental silos.
- Information becomes available for widespread use.
- Transactions are recorded and tracked in real time.
- Managers have immediate access to financial and operating information, allowing them to control agency activities more effectively.


Page 104: RiskManagementInternalControlGuidelines.ppt


Depth and Timeliness of Information

The information infrastructure sources and captures data in a timeframe and at a depth consistent with an entity’s need to:
- identify,
- assess, and
- respond to risks, and
- remain within risk tolerances.

Timeliness needs to be consistent with the rate of change in the entity’s internal and external environments.


Page 105: RiskManagementInternalControlGuidelines.ppt


Information Quality

- Data reliability is a critical attribute of information systems and data-driven automated decision systems.
- Inaccurate data results in unidentified risks or poor assessments and bad management decisions.
- Quality of information includes ascertaining whether informational content is:
  - Appropriate
  - Accurate
  - Timely
  - Accessible
  - Current

Page 106: RiskManagementInternalControlGuidelines.ppt


Communication

- Inherent in information systems.
- Must provide information to appropriate personnel to carry out strategic, operating, reporting, compliance, and stewardship responsibilities.
- Must deal with expectations, responsibilities of individuals and groups, and other important matters.


Page 107: RiskManagementInternalControlGuidelines.ppt


Internal Communication

- Behavioral expectations and responsibilities of personnel.
- Clear statement of the entity’s risk management philosophy and approach.
- Clear delegation of authority.
- Should effectively convey:
  - The importance and relevance of effective ERM
  - The entity’s objectives, risk appetite, risk tolerances
  - A common risk language
  - Roles and responsibilities of personnel in effecting and supporting the components of ERM


Page 108: RiskManagementInternalControlGuidelines.ppt


External Communication

- Open external communication channels.
- Constituents provide highly significant input on design and quality of products and services.
- Enables an entity to address evolving customer demands or preferences.
- Recognize such implications:
  - Investigate
  - Take necessary corrective actions
  - Focus on impact on financial reporting and compliance as well as operating objectives


Page 109: RiskManagementInternalControlGuidelines.ppt


Means of Communicating

- Actions speak louder than words.
- Actions are influenced by the entity’s history and culture.
- Operating with integrity.
- Culture is well understood throughout the organization.
- Embed communications on ERM into an entity’s broad-based, ongoing communications programs and into the fabric of the organization.

Page 110: RiskManagementInternalControlGuidelines.ppt


SECTION VIII

MONITORING

Page 111: RiskManagementInternalControlGuidelines.ppt


Monitoring

Assessing the presence and functioning of components over time. Accomplished through:
- Ongoing monitoring activities
- Separate evaluations
- Combination of the two

ERM changes over time:
- Once effective risk responses become irrelevant
- Control activities become less effective or no longer are performed
- Entity objectives might change

Page 112: RiskManagementInternalControlGuidelines.ppt


Ongoing Monitoring Activities

Occur through regular management activities:
- Variance analysis
- Comparisons of information with disparate sources
- Dealing with unexpected occurrences

Page 113: RiskManagementInternalControlGuidelines.ppt


Scope and Frequency

Evaluations of ERM depend on:
- significance of risks
- importance of risk responses and related controls in managing the risks

Address application in strategy setting with respect to significant activities. Scope depends on which objectives categories are addressed.

Page 114: RiskManagementInternalControlGuidelines.ppt


Page 115: RiskManagementInternalControlGuidelines.ppt


Page 116: RiskManagementInternalControlGuidelines.ppt


Methodology

A variety of evaluation methodologies and techniques are available:
- Checklists
- Questionnaires
- Flowcharting techniques
- Comparing or benchmarking to a best-in-class entity

Planning steps; performance steps.

Page 117: RiskManagementInternalControlGuidelines.ppt


Page 118: RiskManagementInternalControlGuidelines.ppt



Page 119: RiskManagementInternalControlGuidelines.ppt


What Is Reported

- All identified ERM deficiencies that affect an entity’s ability:
  - to develop and implement its strategy, and
  - to set and achieve its objectives.
- Must report significant deficiencies and material weaknesses.
- Use qualitative and quantitative materiality.
- Report identified opportunities to increase the likelihood entity objectives will be achieved.


Page 120: RiskManagementInternalControlGuidelines.ppt


To Whom to Report

- Determining the right party is critical.
- Immediate superiors through normal channels; they in turn communicate upstream or laterally so the information ends up with someone who has the authority to act, e.g., senior management, department head, audit committee, other oversight body.
- Consider alternative channels for reporting sensitive information.