Internal Audit Memorandum

To:
From: R Dharmarajan
Date: February 10, 2010
Re: Risk Assessment Heat Map and Planning Format

I RISK ASSESSMENT APPROACH

1. Conduct a risk assessment of the Company's operations.
   A. Determine mission, goals, objectives, and size
   B. Research literature to identify potential management risks
   C. Brainstorm initial risks and the expected management controls
   D. Interview third-party officials to identify other potential risks:
      - Legislature fiscal staff
      - Executive department staff
      - Other auditors
      - Interest groups
      - Regulatory agencies
   E. Brainstorm further risks and refine the original risks

2. Develop an Audit Scope Analysis that includes:
   A. Audit
   B. Background
   C. Audit Scope – what topics the audit would review
   D. Contribution – what the audit would accomplish
   E. Resource Requirements – preliminary time and cost estimates

3. Management Meeting to Select and Prioritize Audits
   A. Evaluation of potential audit topics
   B. Consider audit user needs and expectations
   C. Establish audit priorities and cyclical audit requirements
   D. Decide which audit topics are to proceed to the detailed planning phase

RISK ASSESSMENT MATRIX

SUBJECT: (Department)

Matrix columns:
  Risk | Control Techniques (Expected) | Effects of Inadequate Controls or Controls Not Applied | Control Methods Cited by Management | Risk Level (Hi, Med, Low) | Testing Methods/Steps

Steps to complete the matrix:

Obtain more information on Company operations:
  - Detailed Company budget
  - Policies and procedures
  - Organization charts
  - Performance measures

Interview Company management:
  - Focus questions on the identified risks and management controls
  - Use a standardized questionnaire

If management indicates controls:
  Are not in place:
    * Review the list of expected controls with management to confirm they do not exist
  Are in place:
    * Review relevant documents
    * Conduct tours
    * Review a small number of records or transactions

Finalize the matrix:
  - Assign High, Medium, or Low risk
  - Determine auditability
  - Record testing methods/audit steps for each High risk area

Test potential audit steps to determine:
  - Whether the testing methodologies are sound
  - Whether the information is available
  - The estimated time needed to complete the audit steps

II PLANNING FORMAT

The following questionnaire should be useful to assess the degree of internal control exercised by management in the Company.

A. Control Environment

The control environment sets the tone of the Company and the way it operates. Some basic concerns are:

The Control Environment                                                  Yes  No  W/P
(1) Does the Company have a written mission statement (a concise written statement of the purpose, goals, and objectives of the Company)?
(2) Is there an organization chart for the Company?
(3) Are there written management plans for the Company (work plans, program plans, policies and procedures, other)?
(4) Is there a written delegation of authority in the Company to identify the chain of command and reporting responsibilities?
(5) Are employees aware of their responsibilities under the work plans? (Do employees have common-sense knowledge of the Company's mission?)
(6) Do job descriptions reflect what the employees actually do, and do the employees have the competencies to perform their required tasks?
(7) Are performance evaluations on file and up to date?
(8) Are department supervisors held accountable for staff performance?
(9) What is the size of the staff?
(10) How does the Company recruit qualified people?
(11) Does the Company do background and resume checks?
(12) How does the Company foster integrity among its employees?
(13) Does the Company provide adequate employee training (compute the average training per staff person)?
(14) Is there adequate separation of duties (no employee should have sole responsibility for a significant activity from beginning to end)?
(15) Are the objectives for internal controls documented?
(16) Do the departments hold regular staff meetings?
(17) Are reports distributed in a timely manner?

B. Risk Assessment

Risk assessment is the process of determining how management deals with the risks that threaten the accomplishment of its objectives. The process identifies each risk and analyzes its likelihood of occurrence and its impact. This allows management to decide how much risk it is willing to accept and to set priorities accordingly.

(1) The objectives of the Company and a statement of what the objectives are trying to achieve.
    - Describe each department being assessed.
    - List all people and organizations (internal and external) associated with this function and how they are associated.
    - Outline the Company's activities and briefly describe the procedures involved in performing each activity.
    - Describe what would happen if the procedures above were not performed or were done poorly. What is the risk associated with each activity?
    - Describe the existing controls and potential problems.
(2) The Company's methods for evaluating the adequacy of internal controls and program accomplishments.
    - Techniques used, such as observation, discussion, evaluation, or testing of controls.
    - Are there any inadequate procedures in place?
    - Are improvements suggested?
(3) Identify the risk factors the Company evaluated. These should be simple, clear, meaningful, definable, and answerable. For example:
    - The extent of regulation of the Company and the risk of non-compliance, the negative effects of adverse publicity, and the effects of a lack of public awareness.
    - The liquidity of its assets.
    - The extent of computer data processing.
    - The extent of government to meet objectives.
    - The size of the Company.
    - Etc.
(4) What is the likelihood of the risk occurring? If the Company has good internal controls, the likelihood of occurrence will be low. If adequate controls are not in place, the likelihood of occurrence will be high.
(5) What is the impact on the Company if an adverse event happens? What are the impacts of:
    - An erroneous decision made from the use of incorrect or unreliable data.
    - Erroneous record-keeping, inappropriate accounting, fraudulent reporting, loss, and exposure.
    - Failure to adequately safeguard assets.

C. Control Activities

Control activities are the policies and procedures in place to ensure that management's directives are carried out. These activities include a system of approvals, authorizations, verifications, reconciliations, reviews of operating performance, security, and segregation of duties. We should ask the following questions:

Control Activities                                                       Yes  No  W/P
(1) Are procedures kept in a manual that is current and readily available?
(2) Are policies and procedures consistent with statutory and Company authority?
(3) Are policies and procedures easy to understand?
(4) Do the policies and procedures in place address approvals, authorizations, verifications, reconciliations, asset security, and the separation of duties?
(5) Is the budget system incorporated in the Company's planning process? (E.g., is performance compared to budget and forecasts?)
(6) Are there approved spending and operating plans in use?
(7) Do performance reports show a comparison with planned performance and past performance?
(8) Are program achievement reports used as a management tool?
(9) Are problem areas identified and corrective action plans prepared?
(10) Are financial and program achievement reports scrutinized by third parties or higher-level management?
(11) Are audit findings corrected promptly?
(12) Has the scope of prior reviews been very limited?

D. Information Network and Communications System

Each department should have an effective system in place to capture and store relevant information in a timely and accurate manner.

Information System                                                       Yes  No  W/P
(1) Is the Company highly dependent on EDP (electronic data processing) systems?
(2) Is data safeguarded to prevent unauthorized access, changes, or loss?
(3) Is there a process to document application development and the application life cycle?
(4) Are EDP applications reviewed and updated periodically?
(5) Is input promptly reviewed for authorization, completeness, accuracy, and timeliness?
(6) Is output promptly reviewed for usefulness, completeness, accuracy, and timeliness?
(7) Does the information system provide reports on the Company's goals and objectives?
(8) Are there clear and open channels of communication within the Company and with its customers?

E. Monitoring

To ensure that internal control systems are performing as intended, the Company should monitor operations. This can be done by reviewing ongoing operations and by having separate evaluations by management, often with the assistance of the internal or external auditors. The greater the degree of ongoing monitoring, the less the need for separate evaluations. When problems are identified they should be promptly reported to upper management and appropriate remedial action taken.

Monitoring                                                               Yes  No  W/P
(1) When was the last internal control review?
(2) When was the last external review?
(3) Does the Company have a system for tracking corrective actions?
(4) Is there a corrective action plan (steps to be taken to eliminate identified weaknesses)?
(5) Does this plan assign responsibility?
(6) Does this plan establish time frames?
(7) Is this corrective action plan responsive to the audit recommendations?
(8) Is this corrective action plan workable and cost-beneficial? (Was a cost-benefit evaluation done?)
(9) Is there an ongoing monitoring plan in effect? (This would include worker performance review.)
(10) Does this plan assign responsibility to one employee for overall accomplishment?

F. Compliance Concerns

Compliance concerns are any laws, rules, or regulations that specifically pertain to the Company. List all laws and rules that apply and briefly describe the compliance concerns.

Compliance Issue | Law, Rule or Regulation | W/P Reference
1.
2.
3.
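The risk assessment matrix in Part I and questions B(4) and B(5) in Part II describe the heat map mechanically: likelihood follows from whether management's controls are in place, impact is rated separately, the two combine into a High/Medium/Low level, auditability is determined, and testing steps are recorded only for High risk areas. The following Python is an added example, not part of the memorandum, that carries those rules through on a set of matrix rows. The 1-to-3 ordinal scales, the product cut-offs (6 or more is High, 3 to 5 is Medium, below 3 is Low) and the sample departments are assumptions introduced here for illustration; the memo fixes none of them.

```python
"""Risk assessment heat map built from the memo's matrix rules.

Assumptions (not from the memo): likelihood and impact use a 1..3 ordinal
scale, the product (1..9) is bucketed with cut-offs 6 (High) and 3 (Medium),
and the sample rows below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = {"low": 1, "medium": 2, "high": 3}  # assumed ordinal scale

# Verification steps from the matrix's "If management indicates controls" branch.
STEPS_NOT_IN_PLACE = [
    "Review the list of expected controls with management to confirm they do not exist",
]
STEPS_IN_PLACE = [
    "Review relevant documents",
    "Conduct tours",
    "Review a small number of records or transactions",
]


@dataclass
class RiskItem:
    subject: str                  # department or activity being assessed
    risk: str                     # risk named in the matrix row
    expected_controls: List[str]  # control techniques (expected)
    controls_in_place: bool       # what management indicates
    impact: str                   # low / medium / high on the assumed scale
    auditable: bool = True        # result of "Determine auditability"


def likelihood(item: RiskItem) -> str:
    """Memo B(4): adequate controls give low likelihood, otherwise high."""
    return "low" if item.controls_in_place else "high"


def score(item: RiskItem) -> int:
    """Likelihood times impact on the assumed 1..3 scales, giving 1..9."""
    return SCALE[likelihood(item)] * SCALE[item.impact]


def risk_level(item: RiskItem) -> str:
    """Assumed cut-offs: 6 or more High, 3 to 5 Medium, below 3 Low."""
    s = score(item)
    if s >= 6:
        return "High"
    if s >= 3:
        return "Medium"
    return "Low"


def verification_steps(item: RiskItem) -> List[str]:
    """Steps the auditor takes to check what management said about controls."""
    return STEPS_IN_PLACE if item.controls_in_place else STEPS_NOT_IN_PLACE


def finalize_matrix(items: List[RiskItem]) -> List[Dict]:
    """One finished matrix row per item, highest score first.

    Testing steps are recorded only for auditable High risk areas, as the
    memo's "Finalize matrix" step directs.
    """
    rows = []
    for it in items:
        level = risk_level(it)
        record_steps = level == "High" and it.auditable
        rows.append({
            "subject": it.subject,
            "risk": it.risk,
            "likelihood": likelihood(it),
            "impact": it.impact,
            "score": score(it),
            "level": level,
            "auditable": it.auditable,
            "testing_steps": verification_steps(it) if record_steps else [],
        })
    rows.sort(key=lambda r: r["score"], reverse=True)  # stable: ties keep input order
    return rows


def heat_map(items: List[RiskItem]) -> Dict[Tuple[str, str], List[str]]:
    """Heat map cells keyed by (likelihood, impact), each listing its risks."""
    cells: Dict[Tuple[str, str], List[str]] = {}
    for it in items:
        cells.setdefault((likelihood(it), it.impact), []).append(f"{it.subject}: {it.risk}")
    return cells


def render_heat_map(items: List[RiskItem]) -> str:
    """Text grid of cell counts: rows are likelihood (high on top), columns impact."""
    cells = heat_map(items)
    impacts = ("low", "medium", "high")
    out = ["likelihood / impact | " + " | ".join(f"{c:<6}" for c in impacts)]
    for lk in ("high", "low"):
        counts = [str(len(cells.get((lk, im), []))) for im in impacts]
        out.append(f"{lk:<19} | " + " | ".join(f"{c:<6}" for c in counts))
    return "\n".join(out)


# Constructed sample rows (hypothetical departments, not from the memo).
SAMPLE = [
    RiskItem("Accounts Payable", "Duplicate or fraudulent vendor payments",
             ["Three-way match", "Dual approval above threshold"], False, "high"),
    RiskItem("Payroll", "Ghost employees", ["HR to payroll reconciliation"], True, "high"),
    RiskItem("IT", "Unauthorized changes to production data",
             ["Change approval", "Periodic access review"], False, "medium"),
    RiskItem("Facilities", "Late supply orders", ["Reorder points"], True, "low"),
    RiskItem("Grants", "Non-compliance with grant terms", ["Compliance checklist"],
             False, "high", auditable=False),
]

if __name__ == "__main__":
    for r in finalize_matrix(SAMPLE):
        print(r["level"], r["score"], r["subject"], r["testing_steps"])
    print(render_heat_map(SAMPLE))
```

Running the block prints the prioritized matrix followed by the count grid. The point of the `auditable` flag is the memo's "Determine auditability" step: a High risk area that cannot be audited stays High on the heat map so management still sees it, but no testing steps are planned for it.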