The “Crawford” Risk Assessment Methodology

Presented by
Mark Paganelli, Executive Director
Judy Burns, Assistant Director
Audit & Consulting Services
The University of Tennessee

for
AGA Nashville Chapter
Winter Seminar
January 8-9, 2008
Session objectives

   • Provide an understanding of the risk
     assessment process
   • Demonstrate one University's
     application of this process
   • Equip you with resources for
     conducting your own assessment
Source

  •   David B. Crawford
  •   Audit Manager Emeritus
  •   The University of Texas System
  •   The Assurance Continuum: An
      Enterprise Risk Management Model
What is risk assessment?

   A process that defines how an
    organization:
  • Identifies risks to the achievement of its
    mission, goals, & objectives
  • Measures the significance of each
    identified risk
  • Determines the most appropriate
    business response to each risk
  • Monitors how well the responses are
    carried out
Why do it?

  • External requirement
     • State of TN:
        • “Audit Committee Act”
        • Directive from State Comptroller and Director
          of State Audit


  • Anticipates SOX

  • Good business practice
Benefits

   • Focus efforts and resources on most
     critical issues
   • Enhance understanding of risks and
     controls
   • Clarify accountability and improve
     communication
   • Demonstrate due diligence to
     stakeholders
Who is responsible?

  • Management
       vs.
  • Internal audit
Three phases

  • Risk Assessment
    • Risk Footprint

  • Control Documentation
    • Control Footprints

  • Control Evaluation and Monitoring
    • Monitoring Plans
Phase 1: Risk Footprint

      ACTIVITIES (rows) / RISKS (columns 1-7), each risk with its ranking and related activity ids:

      Program Administration
        1. HH Fraudulent purchases go undetected (2,3,4,14,17)
        2. HM Card numbers are stolen (2,10,14)
        3. MH Users are not adequately trained (4,14,17)
        4. MH Users disobey policies (2,4,12,14)
        5. MH Users do not understand policies (4,14,12,17)
        6. MH Users make fraudulent charges (2,4,14)
        7. MM Cards are stolen during distribution (2,14)

      Monitoring
        1. HH Charges that violate policies are not detected (2,3,4,12,14,17)
        2. HH Fraudulent charges are not discovered (2,3,4,14,17)
        3. MH Failure to communicate disputed charges (4,14)
        4. MH Failure to use card program to its full potential (4)
        5. MM Incorrect rebate amounts are received (2,4,14)
        6. MM Rebates are not received on time (4,14)
        7. n/a

      Using the Card
        1. HH User makes a fraudulent purchase (2,4,14,5,17)
        2. MH Department does not cancel card when cardholder terminates (4,14)
        3. MH User violates policies (2,4,14)
        4. MM User doesn’t secure card or card number (2,4,14)
        5. ML User not trained (14)
        6. n/a
        7. n/a

      Vendor Selection
        1. HM The best vendor is not selected (4,10)
        2. ML Selection process violates purchasing policy (2,6,12,14)
        3-7. n/a

      Accounting
        1. MH Disputed charges not removed from account (4,14)
        2. MH Expenses not posted to correct G/L account (4,12,14)
        3. MM User doesn't distribute charges to the correct fund (13,14)
        4. ML Incorrect amount posted to fund (14)
        5. ML Rebate posted to the wrong account (14)
        6. ML Transactions are not properly distributed to departments (14)
        7. n/a

      Enforcement
        1. HL No action is taken against users who steal with the card (2,3,4,5,12,14,17)
        2. MH No action is taken against a user who violates policies (4,14)
        3. ML No action is taken against a user when an audit detects policy violations (4,14)
        4-7. n/a
What is a risk?

   • A potential negative event that would
     affect the organization’s ability to meet
     its mission, goals, and objectives.
Phase 1: Risk assessment steps

  1. ID mission, goals, objectives
  2. ID all activities
  3. Consolidate into major processes &
     prioritize
  4. ID risks for each process
  5. Rank risks by impact and probability of
     occurrence
1. ID mission, goals, objectives

   Mission: The mission of the procurement card
     program is to reduce the cost of paying vendors
     and provide departments flexibility in making
     purchases.

   Goals:
   * Obtain the best rebate amount for purchases.
   * Make as many purchases with p-cards as possible.
   * Ensure that purchases comply with policies.
   * Maintain adequate records to support purchases.
   * Protect the university from fraudulent card use.
How to: ID mission, goals, objectives

   • “Owners” review and revise existing or
     develop new

   • Other stakeholders review and comment

   • Reach consensus
2. ID all activities

        1  Develop specs for RFP
        2  Solicit banks to provide p-card program
        3  Review bids for best deal
        4  Provide training to users
        5  Develop policies for p-card program
        6  Issue cards to end users
        7  Ensure users understand responsibilities with the card
        8  Distribute policies to users
        9  Develop a method of communicating policy changes
       10  Enter into contract with vendor for p-card program
       11  Ensure correct rebates are received
       12  Obtain transactions from bank
       13  Distribute charges to users
       14  Monitor transactions for fraud
       15  Pay bank for purchases
       16  Audit program for compliance with policies
       17  Discipline users who violate the rules
       18  Obtain rebate from bank
       19  Investigate misuse with cards
       20  Dispute improper charges
       21  Post transactions to accounting system
       22  Expense purchases to correct object code
       23  Post rebates to correct account
       24  Deposit rebate amounts
How to: ID all activities

   • Individuals with knowledge of the area

   • Brainstorming

   • Univ of TX Excel workbook with macros or any
     spreadsheet
3. Consolidate activities into major processes and prioritize

     ACTIVITIES FROM BRAINSTORMING (activities 1-12 as shown on the slide):
     • Develop specs for RFP
     • Solicit banks to provide P-card program
     • Review bids for best deal
     • Provide training to users
     • Develop policies for P-card program
     • Issue cards to end users
     • Ensure users understand responsibilities with the card
     • Distribute policies to users
     • Develop a method of communicating policy changes
     • Enter into contract with vendor for P-card program
     • Ensure correct rebates are received
     • Obtain transactions from banks

     CONSOLIDATED ACTIVITIES:
     • Vendor Selection (1,2,3,10)
     • Program Administration (4,5,6,8,9,14,30)
     • Monitoring (7,11,14,16)
     • Enforcement (17,19,30)
     • Accounting (20,21,22,23,24,12,13,15,18)
     • Using the card (25,26,27,28,29)

     PRIORITIZED CONSOLIDATED ACTIVITIES:
     1. Program Administration (4,5,6,8,9,14,30)
     2. Using the card (25,26,27,28,29)
     3. Monitoring (7,11,14,16)
     4. Accounting (20,21,22,23,24,12,13,15,18)
     5. Enforcement (17,19,30)
     6. Vendor Selection (1,2,3,10)
How to: consolidate and prioritize

   • Same individuals who brainstormed
     activities

   • Cluster activities with related purposes &
     name the process

   • Prioritize processes

   • Univ of TX Excel workbook or any
     spreadsheet
4. ID risks for each process

     Program Administration (4, 5, 6, 8, 9, 14, 30)
     Users are not adequately trained
     Card numbers are stolen
     Fraudulent purchases go undetected
     Policies do not address a material process
     Cards are stolen during distribution
     Users make fraudulent charges
     Policy changes are not communicated to users
     Users disobey policies
     Users do not understand policies
How to: ID risks

   • Involve employees working in the area
     being assessed

   • Brainstorming

   • Univ of TX Excel workbook or any
     spreadsheet
5. Rank risks by impact and probability


      Program Administration (4,5,6,8,9,14,30)                    IMPACT   PROB.   RANKING
      Users are not adequately trained (4,14,17)                    M        H       MH
      Card numbers are stolen (2,10,14)                             H        M       HM
      Fraudulent purchases go undetected (2,3,4,14,17)              H        H       HH
      Policies do not address a material process (2,4,12,14)        M        M       MM
      Cards are stolen during distribution (2,14)                   M        M       MM
      Users make fraudulent charges (2,4,14)                        M        H       MH
      Policy changes are not communicated to users (4,14,12,17)     M        M       MM
      Users disobey policies (2,4,12,14)                            M        H       MH
      Users do not understand policies (4,12,14,17)                 M        H       MH
Risk ranking characteristics

   IMPACT: Effect on achievement of mission,
     goals, objectives
        High -     “showstopper”
        Medium -   inefficient and extra work
        Low -      no effect

   PROBABILITY: Likelihood of the risk happening
        High -     will happen frequently
        Medium -   will happen infrequently
        Low -      will seldom happen
How to: determine impact

  • Develop a list of consequences if a risk
    were to become a reality

  • Value the effect each consequence would
    have on the organization (high, medium, or
    low)

  • The impact value of the risk is the value of
    its highest potential consequence.
Sample consequences

           CONSEQUENCES                                               Rating
      1    Appropriation reduced/Loss of funding or revenue stream      H
      2    Bad PR (short term)                                          M
      3    Loss of public trust (long term)                             H
      4    Loss of assets                                               M
      5    Discontinue operations                                       H
      6    Individual lawsuit                                           M
      7    Class action lawsuit                                         M
      8    Criminal fines & penalties                                   M
      9    Civil fines & penalties                                      M
      10   Significant interruption to business continuity              H
      11   Loss of accreditation                                        H
How to: determine probability

   • Determine how often a risk is likely to occur.

   • Assume only Level 1 controls are in place.
   Assurance Continuum: Levels of Control in COSO

   Collaborative Assurance (governance and management control processes) combines:
     • Periodic Assurance (governance control processes): Level 4 controls, before and
       after operations
     • On-going Assurance (management control processes): Level 1, 2 and 3 controls,
       during and soon after operations

   Level 4 controls (Internal Audit): pre-operations design review of on-going assurance
   Level 1 controls (Execution):      during execution of event or transaction
   Level 2 controls (Supervisory):    immediately after execution of event or transaction
   Level 3 controls (Oversight):      soon after execution of event or transaction
   Level 4 controls (Internal Audit): post-operations audit of execution of on-going assurance
Level 1 controls (execution controls)

   • Embedded in day-to-day operations
     • Policies and procedures
     • Segregation of duties
     • Reconciliations/comparisons
   • Performed on every event/transaction
   • Performed by the generators of the
     event/transaction
   • Performed in “real time,” as the event/
     transaction is executed
Level 2 controls (supervisory controls)

   • Re-application of operating controls
     • Supervisory review; quality assurance
   • Performed very soon after the generation of
     the event/transaction
   • Performed by line management or staff
     positions who do not originate the event/
     transaction
   • Performed on a sample of the total number
     of events/transactions
Level 3 controls (oversight controls)

   • Exception reports, status reports, analytical
     reviews, variance analysis
   • Performed by representatives of executive
     management
   • Performed on information provided by
     supervisory management
   • Performed within a short period
     (weeks/months) after the event/transaction
     is originated
Level 4 controls (internal audit controls)

   • Audit of the design of controls not the
     operation of controls
   • Performed either before the event/
     transaction is originated or long after
   • Performed by staff with no involvement in
     the operations
   • Performed on individual events/transactions
     for discovery only
How to: determine final ranking

   • Combination of Impact Value and
     Probability Value

   • Impact Value is always first.

   • Order risks from HH to LL.
Completed risk rankings


      Program Administration (4,5,6,8,9,14,30)                    IMPACT   PROB.   RANKING
      Fraudulent purchases go undetected (2,3,4,14,17)              H        H       HH
      Card numbers are stolen (2,10,14)                             H        M       HM
      Users are not adequately trained (4,14,17)                    M        H       MH
      Users disobey policies (2,4,12,14)                            M        H       MH
      Users do not understand policies (4,12,14,17)                 M        H       MH
      Users make fraudulent charges (2,4,14)                        M        H       MH
      Cards are stolen during distribution (2,14)                   M        M       MM
      Policies do not address a material process (2,4,12,14)        M        M       MM
      Policy changes are not communicated to users (4,14,12,17)     M        M       MM
How to: create the risk footprint

   • Generate automatically with U TX
     software.

   • Create own spreadsheet with risks in
     columns and processes in rows.

   • Order processes from the one with the
     highest number of critical risks.
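The ranking and footprint steps above in Python, as an added example that is not part of the presentation or the University of Texas workbook: the ranking string is the Impact value followed by the Probability value, risks sort from HH to LL, and processes are ordered by their number of critical risks. The slides do not define "critical", so the code assumes it means a High impact value; ties in rank are broken alphabetically by description, which reproduces the order on the Completed risk rankings slide.

```python
"""Risk ranking and risk footprint, following the method on the slides:
the ranking is the Impact value followed by the Probability value, risks
are ordered from HH down to LL, and footprint rows (processes) are ordered
from the one with the most critical risks.

Added example; the data are the Program Administration, Vendor Selection
and Enforcement risks taken from the slides (activity ids in parentheses).
"""

LEVELS = {"H": 0, "M": 1, "L": 2}  # sort order: H before M before L


def rank(impact, probability):
    """Impact value is always first: rank('H', 'M') -> 'HM'."""
    if impact not in LEVELS or probability not in LEVELS:
        raise ValueError("impact and probability must be H, M or L")
    return impact + probability


def rank_risks(risks):
    """risks: list of (description, impact, probability, activity_ids).
    Returns (ranking, description, activity_ids) tuples ordered HH .. LL.
    Ties are broken alphabetically by description, which reproduces the
    order shown on the 'Completed risk rankings' slide."""
    ranked = [(rank(imp, prob), desc, acts) for desc, imp, prob, acts in risks]
    return sorted(ranked, key=lambda r: (LEVELS[r[0][0]], LEVELS[r[0][1]], r[1]))


def critical_count(ranked, critical_impact="H"):
    """Number of critical risks in a ranked list. The slides do not define
    'critical'; the assumption here is a High impact value."""
    return sum(1 for rk, _, _ in ranked if rk[0] == critical_impact)


def risk_footprint(processes):
    """processes: {process_name: [risk tuples]}. Returns (process, ranked
    risks) rows: the ranked risks are the columns (HH first) and processes
    are ordered from the one with the highest number of critical risks."""
    rows = [(name, rank_risks(risks)) for name, risks in processes.items()]
    rows.sort(key=lambda row: -critical_count(row[1]))  # stable: ties keep input order
    return rows


def print_footprint(rows):
    """Plain-text footprint: one numbered cell per risk, 'n/a' for empty cells."""
    width = max(len(ranked) for _, ranked in rows)
    for name, ranked in rows:
        cells = [f"{rk} {desc} {acts}" for rk, desc, acts in ranked]
        cells += ["n/a"] * (width - len(cells))
        print(name)
        for i, cell in enumerate(cells, 1):
            print(f"  {i}. {cell}")


# Sample data taken from the slides (order as on the '5. Rank risks' slide).
PROGRAM_ADMINISTRATION = [
    ("Users are not adequately trained", "M", "H", (4, 14, 17)),
    ("Card numbers are stolen", "H", "M", (2, 10, 14)),
    ("Fraudulent purchases go undetected", "H", "H", (2, 3, 4, 14, 17)),
    ("Policies do not address a material process", "M", "M", (2, 4, 12, 14)),
    ("Cards are stolen during distribution", "M", "M", (2, 14)),
    ("Users make fraudulent charges", "M", "H", (2, 4, 14)),
    ("Policy changes are not communicated to users", "M", "M", (4, 14, 12, 17)),
    ("Users disobey policies", "M", "H", (2, 4, 12, 14)),
    ("Users do not understand policies", "M", "H", (4, 12, 14, 17)),
]
VENDOR_SELECTION = [
    ("The best vendor is not selected", "H", "M", (4, 10)),
    ("Selection process violates purchasing policy", "M", "L", (2, 6, 12, 14)),
]
ENFORCEMENT = [
    ("No action is taken against users who steal with the card", "H", "L",
     (2, 3, 4, 5, 12, 14, 17)),
    ("No action is taken against a user who violates policies", "M", "H", (4, 14)),
    ("No action is taken against a user when an audit detects policy violations",
     "M", "L", (4, 14)),
]
PROCESSES = {
    "Vendor Selection": VENDOR_SELECTION,
    "Enforcement": ENFORCEMENT,
    "Program Administration": PROGRAM_ADMINISTRATION,
}

if __name__ == "__main__":
    print_footprint(risk_footprint(PROCESSES))
```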
Completed risk footprint

     (The completed footprint is the table shown under Phase 1: Risk Footprint above.)
Phase 2: Control footprint

     Process: Using the card

     RISKS (columns):
       1. User makes a fraudulent purchase (2,4,14,5,17)
       2. Department does not cancel card when cardholder terminates (4,14)
       3. User violates policies (2,4,14)
       4. User doesn’t secure card or card number (2,4,14)
       5. User not trained (14)

     CONTROLS (rows), each followed by the risk column(s) marked with an X:
       Users take a test before obtaining card: 5
       Users sign an agreement listing rules before obtaining the card: 5
       Policy requires department to cancel card when employee terminates: 2
       Monthly review is done by audit of transactions: 1, 3
       Department head and verifier review transactions: 1, 3
       Audits are performed of departments: 1, 3
       Sleeve for card identifies key rules: 5
       Policy requires card to be kept in secure location: 4
Phase 2: Control documentation steps

  1. ID controls (policies and procedures)
     for each process
  2. Map controls to risks
1. ID controls for each process

     Process: Using the card

     RISKS (columns):
       1. User makes a fraudulent purchase (2,4,14,5,17)
       2. Department does not cancel card when cardholder terminates (4,14)
       3. User violates policies (2,4,14)
       4. User doesn’t secure card or card number (2,4,14)
       5. User not trained (14)

     CONTROLS (rows, not yet mapped):
       Users take a test before obtaining card
       Users sign an agreement listing rules before obtaining the card
       Policy requires department to cancel card when employee terminates
       Monthly review is done by audit of transactions
       Department head and verifier review transactions
       Audits are performed of departments
       Sleeve for card identifies key rules
       Policy requires card to be kept in secure location
How to: ID controls

   • Review all related policies and
     procedures

   • Include staff who work in the area

   • Brainstorm

   • Document
2. Map controls to risks

     (The mapped footprint for Using the card, with an X under each risk a control addresses,
     is the table shown under Phase 2: Control footprint above.)
How to: map controls

  • Read through list of controls one at a
    time
  • Ask which controls address which
    risks
  • Place an “X” in the appropriate cell
How to: create the control footprint

   • Create spreadsheet with risks in
     column headings and processes in
     row headings.

   • Map each control to the risks by
     placing an “X” in the cell under the
     risk.

   • One footprint per process.
Completed control footprint

     (Same footprint as shown under Phase 2: Control footprint above.)
Phase 3: Monitoring plans


   Activity: Board/Exec. Mgmt

   Columns on the slide: Specific Risks | Operating Control (Level 1) | Evidence of Operating
   Control | Supervisory Control (Level 2) | Evidence of Supervisory Control | Oversight Control
   (Level 3) | Evidence of Oversight Control

   Loss of Confidence
     Level 1: Adhere to P&P (L)            evidence: Checklist
     Level 2: Review bid & checklist       evidence: Signature
     Level 3: Mgmt. Review                 evidence: Mgmt. Sign.
   Loss of qualified staff
     Level 1: Staff dev./expertise         evidence: Training Log
     Level 2: Auth. To part.               evidence: Certi.
   Re-organization, downsizing, decentralization
     Level 1: QC#1 - Buyer review
     Level 2: QC#2 - 2nd Buyer review
     Level 3: QC#3 - Director review
   (risk cell blank on the slide)
     Level 1: Bd. Doc. Prep.               evidence: Bd. Doc.
     Level 2: Mgmt. Review                 evidence: Checklist signature
     Level 3: Sr. Mgmt. Review             evidence: Calendar sch.
   (risk cell blank on the slide)
     Level 1: Bd. Doc. Briefing            evidence: Calendar
     Level 2: Pre-briefing                 evidence: Agenda
     Level 3: Bus. Briefing                evidence: Agenda
   (risk cell blank on the slide)
     Level 1: Adhere to mission state.     evidence: Published statement
   (risk cell blank on the slide)
     Level 1: Key reports, i.e., workload & savings   evidence: Reports
     Level 2: Review of results            evidence: Summary of Results
Phase 3: Control evaluation & monitoring
         steps

   1. ID over- and under-controlled
      risks/critical and marginal controls
   2. Create a monitoring plan for the
      critical risks
1. ID over- and under-controlled risks/
   critical and marginal controls


   Activity: Board/Exec Mgmt

   RISKS (columns):
     1. Loss of confidence
     2. Loss of qualified staff
     3. Re-organization, downsizing, decentralization
     4. Outsourcing
     5. Reduction in budget
     6. Delay in contract awards
     7. Micro-management
     8. Penalties (reprimands, changed agendas)

   CONTROL STEPS (rows), each followed by the risk column(s) marked with an X:
     Adhere to P&P (L): 1, 3, 4, 6, 7, 8
     Staff dev/Expertise: 1, 2, 3, 7, 8
     QC 1 - Buyer Review: 6, 7, 8
     QC 2 - 2nd Buyer Review: 6, 7, 8
     QC 3 - Director Review: 6, 7, 8
     QC 4 - Board Doc. Prep.: 6, 7, 8
     Board Doc. Briefing: 6, 7, 8
     Adhere to Mission Statement: 1, 3, 4, 6, 7, 8
     Key Reports, i.e., workload & savings: 1, 2, 3, 4, 5
How to: evaluate controls

   • Ask if there are any under-controlled
     risks, particularly any "red" risks.
   • Ask if there are any over-controlled
     risks, particularly "green" or "gray"
     risks.
   • Ask which controls appear to be key
     for mitigating the risks.
   • Ask which controls are of little value.
2. Create a monitoring plan for critical risks


  Board/Exec. Mgmt Specific Risks | Operating Control, Level 1 | Evidence of Operating Control | Supervisory Control, Level 2 | Evidence of Supervisory Control | Oversight Control, Level 3 | Evidence of Oversight Control
  Loss of Confidence | Adhere to P&P (L) | Checklist | Review bid & checklist | Signature | Mgmt. Review | Mgmt. Sign.
  Loss of qualified staff | Staff dev./expertise | Training Log | Auth. to part. | Certi. | |
  Re-organization, downsizing, decentralization | QC#1 Buyer review | | QC#2 2nd Buyer review | | QC#3 Director review |
   | Bd. Doc. Prep. | Bd. Doc. | Mgmt. Review | Checklist signature | Sr. Mgmt. Review | Calendar sch.
   | Bd. Doc. Briefing | Calendar | Pre-briefing | Agenda | Bus. Briefing | Agenda
   | Adhere to mission statement | Published statement | | | |
   | Key reports, i.e., workload & savings | Reports | Review of results | Summary of Results | |
How to: create a monitoring plan

   • Include all controls that address the critical
     (RED) risks
   • Categorize each control by level (Level 1,
     Level 2, or Level 3)
   • Ensure each level is covered
   • Indicate the documented evidence for each
     control
   • Assign “who” is responsible for monitoring
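The two "How to" procedures above (evaluate the control footprint, then build the monitoring plan) can be run mechanically over the matrices on the slides. The following Python is an added worked example, not code from the presenters or from the Crawford model; it encodes the Board/Exec Mgmt control footprint exactly as marked on the slide, answers the four evaluation questions, and then checks a Level 1/2/3 plan for the critical risks. The colour rating of each risk, the "Reduction in budget" plan row and the monitor owners are constructed assumptions (the slides do not rate these risks); the thresholds in `undercontrolled` and `overcontrolled` are likewise illustrative.

```python
"""Control footprint evaluation and monitoring-plan check (added example).

Encodes the Board/Exec Mgmt control footprint from the slides as a
risk-by-control matrix, answers the four "How to: evaluate controls"
questions, then checks a Level 1/2/3 monitoring plan for the critical
(red) risks as "How to: create a monitoring plan" requires.

Constructed for this example (not on the slides): the colour rating of
each risk, the "Reduction in budget" plan row, and the monitor owners.
"""

RISKS = [
    "Loss of confidence",                           # 0
    "Loss of qualified staff",                      # 1
    "Re-organization/downsizing/decentralization",  # 2
    "Outsourcing",                                  # 3
    "Reduction in budget",                          # 4
    "Delay in contract awards",                     # 5
    "Micro-management",                             # 6
    "Penalties (reprimands, changed agendas)",      # 7
]

# Control footprint: index of every risk a control step has an X against.
FOOTPRINT = {
    "Adhere to P&P":                    {0, 2, 3, 5, 6, 7},
    "Staff dev/Expertise":              {0, 1, 2, 6, 7},
    "QC 1 - Buyer Review":              {5, 6, 7},
    "QC 2 - 2nd Buyer Review":          {5, 6, 7},
    "QC 3 - Director Review":           {5, 6, 7},
    "QC 4 - Board Doc. Prep.":          {5, 6, 7},
    "Board Doc. Briefing":              {5, 6, 7},
    "Adhere to Mission Statement":      {0, 2, 3, 5, 6, 7},
    "Key Reports (workload & savings)": {0, 1, 2, 3, 4},
}

# Hypothetical colour ratings carried over from the risk footprint.
RATING = ["red", "red", "yellow", "green", "red", "green", "gray", "green"]

# Monitoring plan for the red risks: level -> (control, evidence, owner).
# The first two rows follow the plan slide (which leaves Level 3 blank for
# qualified staff); the budget row and all owners are hypothetical.
PLAN = {
    "Loss of confidence": {
        1: ("Adhere to P&P", "Checklist", "Buyer"),
        2: ("Review bid & checklist", "Signature", "Director"),
        3: ("Mgmt. Review", "Mgmt. Sign.", "Sr. Mgmt."),
    },
    "Loss of qualified staff": {
        1: ("Staff dev./expertise", "Training Log", "Director"),
        2: ("Auth. to part.", "Certi.", "Director"),
    },
    "Reduction in budget": {
        1: ("Key reports, workload & savings", "Reports", "Buyer"),
        2: ("Review of results", "Summary of Results", "Director"),
    },
}


def controls_for(risk):
    """Control steps with an X against this risk, in slide order."""
    i = RISKS.index(risk)
    return [c for c, cov in FOOTPRINT.items() if i in cov]


def red_indexes():
    return {i for i, r in enumerate(RATING) if r == "red"}


def undercontrolled(max_controls=2):
    """Risks with at most max_controls controls; red first, thinnest first."""
    hits = [(r, len(controls_for(r))) for r in RISKS
            if len(controls_for(r)) <= max_controls]
    return sorted(hits, key=lambda h: (RATING[RISKS.index(h[0])] != "red", h[1]))


def overcontrolled(min_controls=5):
    """Green or gray risks carrying min_controls or more controls."""
    return [r for r in RISKS
            if RATING[RISKS.index(r)] in ("green", "gray")
            and len(controls_for(r)) >= min_controls]


def key_controls():
    """Controls that address the largest number of red risks."""
    reds = red_indexes()
    score = {c: len(cov & reds) for c, cov in FOOTPRINT.items()}
    best = max(score.values())
    return [c for c, s in score.items() if s == best]


def marginal_controls():
    """Controls that address no red risk at all."""
    reds = red_indexes()
    return [c for c, cov in FOOTPRINT.items() if not cov & reds]


def plan_gaps():
    """(risk, level, problem) for each red risk whose plan is missing a
    level, has no documented evidence, or has nobody assigned to monitor."""
    gaps = []
    for i in sorted(red_indexes()):
        risk, rows = RISKS[i], PLAN.get(RISKS[i], {})
        for level in (1, 2, 3):
            if level not in rows:
                gaps.append((risk, level, "no control"))
                continue
            _control, evidence, owner = rows[level]
            if not evidence:
                gaps.append((risk, level, "no evidence"))
            if not owner:
                gaps.append((risk, level, "no monitor"))
    return gaps


if __name__ == "__main__":
    print("Under-controlled:", undercontrolled())
    print("Over-controlled:", overcontrolled())
    print("Key controls:", key_controls())
    print("Marginal controls:", marginal_controls())
    print("Plan gaps:", plan_gaps())
```

Run against the slide's matrix, the evaluation flags "Reduction in budget" (one control) and "Loss of qualified staff" (two) as the thinly covered red risks, shows the five QC/briefing steps stacked on green and gray risks only, and identifies the key reports as the one control touching every red risk; the plan check then reports the two red risks whose Level 3 oversight row is empty. The thresholds are the part a reviewer would tune to their own footprint.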
Final thoughts

   • Risk environment for your institution
     is unique
   • Risk environment continuously
     changes
   • Risk ranking changes with the
     environment
   • Risk assessment is ONGOING, not
     periodic
Final thoughts, cont.

   • Annual Assessment:
     • Update risk footprint

     • Determine external assurance

     • Assign Internal Audit to remaining critical
       risks

     • Cover remaining risks with management
       assurance strategies
Questions?

  • Additional information can be found at
    University of TX website
    • www.utsystem.edu/compliance

  • David Crawford can be contacted via
    email
     • Crawfordjd@earthlink.net
Questions?

  • Mark Paganelli, Executive Director
    • mpaganel@utk.edu

  • Judy Burns, Assistant Director
     • jaburns@utk.edu

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:7
posted:2/16/2010
language:English
pages:55