Risk Assessment and Control Activities Worksheet
Agency Arkansas Department of Labor
Department: Administrative Services Prepared By: Jeanette Donahue
Activity: Planning and Publication Date Prepared: May 31, 2007
Column groups: Risk Assessment | Actions to Manage Risks / Control Activities | Mgmt Conclusion | Corrective Action Plan
(1) Objective Type | (2) Objectives | (3) Risks | (4) Significance / Impact | (5) Likelihood | (6) Control Activities | (7) Mgmt Conclusion | (8) New or Additional Control Activity
O Design and development of agency printed Inaccurate data in printed Moderate Medium Division supervisor proofreads, gives verbal or email approval to publishing personnel. S
materials such as the annual report, posters, code materials. Sample of printed material sent to Legal and General Business Manager for approval;
books, safety brochures and award certificates in approval and/or required corrections are noted on "Printing Approval" form attached to
an accurate and timely manner. sample. If corrections are needed, Management Project Analyst signs to confirm that all
required corrections were made.
Publishing software is damaged Moderate Medium Identical program software loaded on both PC's used in publishing process. Program S
or obsolete. software can be reloaded by IT personnel from backups stored on network drives or from CD-
Rom. Publishing software updated or upgraded by IT personnel when new releases are
available and after testing.
Loss of data and computerized Moderate Medium Triple redundancy of agency data backup, with master data maintained on multiple media S
designs sets in a separate building in a fire resistant cabinet with restricted access.
Objective Type: O
Objective: Printing agency publications (The Safety News and Labor News quarterly newsletters) and brochures, code books, safety training materials, award certificates, in-house forms, etc., with accuracy and timely delivery.
Risk: Publication deadlines missed
Significance / Impact: Small
Likelihood: Medium
Control Activities: Management Project Analyst enforces non-flexible deadlines with occasional assistance from General Business Manager. For flexible deadlines, Management Project Analyst sends frequent reminder emails until necessary information is received. Management Project Analyst records publication due dates on Outlook and task bars as well as on the calendar included in the publishing software. Publishing software also tracks project status, enabling Management Project Analyst to determine if all information has been received, keyed, approved, and printed.
Mgmt Conclusion: NS
New or Additional Control Activity: Management enforces deadlines and documents noncompliance which will affect employee's performance evaluation. Implementation Date: July 1, 2007
Equipment Failure - includes Large Medium Schedule regular in-house & vendor-performed equipment maintenance to reduce S
computers, printers, copiers, etc. breakdowns. Management Project Analyst logs last maintenance performed and requests
either IT or vendor maintenance when necessary, or when regular maintenance is due. (IT
also keeps maintenance logs, and has backup PC's in inventory.)
Supply Shortage Large Medium Keep inventory of supplies needed for production of at least two quarterly publications on S
hand at all times. Management Project Analyst checks supplies immediately after publication
of each of the two newsletters, each quarter. Any needed supplies are noted on the supply
requisition form and are reordered immediately since some supplies have two-month delivery
time.
O, F Distribution and mailing newsletters and other Postal Standards not met: errors Moderate Medium Postal Standards publication for bulk mail requirements is available to staff. Mailing labels S
printed materials in the most cost effective manner. in bundling for cheapest bulk rates are printed by zip code order to reduce bundling errors.
O Maintain agency website, keeping the federal and Inaccurate information on website Moderate High Division supervisor supplies information via email to Management Project Analyst. Website S
state regulatory information and other labor pages are printed and sent to Legal and General Business Manager for approval; approval
information up-to-date and accurate. and/or required corrections are noted on the accompanying "Printing Approval" form. If
corrections are needed, Management Project Analyst signs to confirm that all required
corrections were made.
O Publish monthly employee calendar, the Equipment Failure - includes Small Low
Laborgram, for improved communications within computers, printers, copiers, etc.
the agency.
O Publish monthly employee calendar, the Inaccurate data in printed Small Low
Laborgram, for improved communications within materials.
the agency. (continued)
O, F Accurately process division timesheets and leave Inaccurate time reporting Small Medium Management Project Analyst (division supervisor) approves AASIS timesheets, Management S
requests. Project Analyst's timesheet is approved by Director or General Business Manager.
Leave time tracked inaccurately Small Medium Manual records compared to AASIS by Management Project Analyst after every payroll S
cycle. Administrative Assistant's AASIS timesheet files are used to resolve any
discrepancies.
O, F, Fr Procure supplies necessary for division's efficient Employee purchases items for Moderate Low Purchase requisitions approved by General Business Manager or Director. S
operations. non-business use.
Management's Conclusion:
( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s).
( X ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable
basis for achieving the stated objective(s), except for the control activities listed as not sufficient in
column #7. The new or additional control activities needed to mitigate the identified risk to an acceptable
level are included as the corrective action plan in column #8. The corrective action will be sufficient to
mitigate the risk when implemented.
( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s). Management has not identified any control activities that would be cost
efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that
the stated objective(s) may not be achieved.
Risk Assessment and Control Activities Worksheet
Agency Arkansas Department of Labor
Department: Administrative Services Prepared By: Denise Oxley
Activity: Legal Date Prepared: May 31, 2007
Column groups: Risk Assessment | Actions to Manage Risks / Control Activities | Mgmt Conclusion | Corrective Action Plan
(1) Objective Type | (2) Objectives | (3) Risks | (4) Significance / Impact | (5) Likelihood | (6) Control Activities | (7) Mgmt Conclusion | (8) New or Additional Control Activity
C, O Timely and professionally litigate wage cases Professional negligence and/or Large Low Legal staff is licensed and regulated by the Arkansas Supreme Court. At a minimum,
and other cases for the agency errors in legal work. staff attended the required Continuing Legal Education (CLE) to maintain their
licenses. CLE documentation is maintained in the employee's personnel file. Job-
related CLE is required to obtain a rating above satisfactory on the employee's S
performance evaluation. Legal staff must abide by their Professional Code of Ethics.
Attorney Supervisor reviews entire case file documentation before file is closed.
Risk: Statute of limitations expires before attorney can begin proceedings.
Significance / Impact: Large
Likelihood: Low
Control Activities: Legal Assistant enters the date the file is referred/received in the case file database and on a manual calendar. The assigned attorney must perform an initial review within 30 days of receipt in the Legal Division and determine the statute of limitations. Notations are placed in front of the case file and in the case file database. Each file is reviewed by an attorney every 30 days or more frequently as needed.
Mgmt Conclusion: NS
New or Additional Control Activity: Run Case Status report, showing statute of limitations, on quarterly basis. Reviewed by Chief Legal Counsel, who documents review. Implementation Date: July 1, 2007
Attorney schedules could be Large Low Each attorney keeps his/her own Outlook calendar and/or manual calendar. Legal
double-booked or an imposed Assistant enters court dates in the case file database and on the manual master S
deadline could be missed. calendar.
Legal Assistant maintains the master calendar with court dates and deadlines. No
court or statutorily imposed deadline may be missed, or the employee responsible will S
receive an unsatisfactory performance evaluation.
Employees on extended leave Large Medium Attorneys within the division would assume the additional case load. If necessary, the
Labor Standards Administrator, who is an attorney, will be utilized. Personnel from
the Labor Standards Division would be used to fill in for Legal Assistant. The job S
description for Legal Assistant includes a list of major tasks. Desk procedures exist
for receipting and disbursing collections.
C, O, F, Fr Accurately collect and record back wages, Employee Theft, Inaccuracies Moderate Medium There is a segregation of duties between collection and depositing. Legal Assistant
fines and penalties, fees, and other records receipts in the case file database. Legal Assistant prepares internal deposit
miscellaneous funds form with: all check information, case file name and ID, AASIS account codes, and
written description of deposit type. Deposit form and checks/cash taken to Agency
Fiscal Manager for transport to the State Treasurer's Office. Agency Fiscal Manager
verifies deposit total and AASIS account numbers against accompanying documents
and keys deposit into AASIS. Agency Fiscal Manager verifies monthly deposits in S
AASIS against Total Monthly Deposits Report from the case file database. Legal
Assistant prepares notice to any claimant or employee of collection and requests
current address and SSN. The assigned attorney reviews the case file and signs the
notice. Attorney Supervisor reviews entire casefile documentation before file is closed.
Employee Theft, Inaccuracies Moderate Medium Legal Assistant prepares a receipt from the case file database printed for all funds
(continued) collected. A copy of the receipt and the check is kept in the case file. When a
check received is payable to a claimant, rather than the DOL, check information is S
recorded in the case file database and in a pre-numbered receipt book.
C, O, F, Fr Accurately collect and record back wages, Errors in distribution, e.g., Large Medium Memo for disbursements, prepared by Legal Assistant, is reconciled by Agency Fiscal
fines and penalties, fees, and other amount, payee Manager to the deposit information before a check request is prepared in AASIS. S
miscellaneous funds (continued) This reconciliation includes agreement of amounts and names.
In back wage cases, Legal Assistant gives payment letter and warrant to attorney for
review and signature. The letter and warrant are mailed to the claimant. S
Distributions are not made timely Moderate Medium When collections are deposited, the Legal Assistant documents on master calendar
approximate date funds can be available for distribution. The Legal Assistant refers
S
to the master calendar daily and submits the appropriate warrant requests to the
Fiscal Manager.
Employee Theft Moderate Low Code of Ethics must be signed at hire date and during annual evaluation. Legal staff
is licensed and must maintain required continuing professional education in ethics. S
All finance, legal staff and assistants are bonded.
Legal Assistant gives payment letter and warrant to attorney for review. Attorney
S
signs letter and letter and warrant are mailed to claimant.
Warrant requests for Settlement are approved by Attorney, parked by Buyer and
S
posted by either Agency Fiscal Manager or General Business Manager.
Distribution could be miscoded in Small Medium Legal Assistant prepares memo requesting disbursements of collections; memo
AASIS includes case file name and ID, full name and address of claimant, date collected,
amount collected and check number, and the amount of the payment and AASIS
S
account coding. Agency Fiscal Manager verifies all information from deposit backup,
documents with initials and date. Attorney Supervisor reviews entire case file
documentation before file is closed.
C, O Accurately advise each division of the ADOL Loss of federal grant funds due to Large Low Legal staff is licensed and regulated by the Arkansas Supreme Court. At a minimum,
on interpretation and application of state and incorrect legal advice on staff attended the required Continuing Legal Education (CLE) to maintain their
federal law substantive issues. licenses. CLE documentation is maintained in the employee's personnel file. Job-
related CLE is required to obtain a rating above satisfactory on the employee's S
performance evaluation. Legal staff must abide by their Professional Code of Ethics.
Staff consults the USDL Dallas Regional Office and federal counterparts as
necessary.
Enforcement actions challenged, Moderate Medium Chief Legal Counsel reviews all documents before issuance. Legal staff is licensed
resulting in litigation costs. and regulated by the Arkansas Supreme Court. At a minimum, staff attended the
required Continuing Legal Education (CLE) to maintain their licenses. CLE
documentation is maintained in the employee's personnel file. Job-related CLE is
S
required to obtain a rating above satisfactory on the employee's performance
evaluation. Staff will document sources, keep current on state laws, and consult with
other federal and state authorities as necessary. Agency may request Attorney
General opinion if necessary.
Increased HR litigation due to bad Moderate Medium Legal staff is licensed and regulated by the Arkansas Supreme Court. At a minimum,
advice. staff attended the required Continuing Legal Education (CLE) to maintain their
licenses. CLE documentation is maintained in the employee's personnel file. Job-
S
related CLE is required to obtain a rating above satisfactory on the employee's
performance evaluation. Established procedures are contained in collective
bargaining agreement and state grievance policy.
C, O Draft effective administrative rules and Increased litigation due to poorly Moderate Low A review check sheet is utilized in the rule-making process. The rule-making process
regulations; contracts; policies and drafted documents/regulations includes several reviews by both the executive and legislative branches, as well as
procedures; and other documents public hearings or public comment periods. All reviews and filings are documented.
Legal staff is licensed and regulated by the Arkansas Supreme Court. At a minimum,
S
staff attended the required Continuing Legal Education (CLE) to maintain their
licenses. CLE documentation is maintained in the employee's personnel file. Job-
related CLE is required to obtain a rating above satisfactory on the employee's
performance evaluation.
C, O Draft effective administrative rules and Failure to comply with Large Low Chief Legal Counsel reviews all rule-making documents and compares to check sheet
regulations; contracts; policies and Administrative Procedures Act. showing date of each step, signed and initialed by attorney.
S
procedures; and other documents (continued)
C, O Accurately advise the public of Arkansas's Incorrect information released Moderate Medium An attorney reviews informational publications before approving for publication.
labor laws. Approval is documented on "Printing Approval" form. Legal staff is licensed and
regulated by the Arkansas Supreme Court. At a minimum, staff attended the required
Continuing Legal Education (CLE) to maintain their licenses. CLE documentation is S
maintained in the employee's personnel file. Job-related CLE is required to obtain a
rating above satisfactory on the employee's performance evaluation.
C, O Accurately prepare annual unclaimed Retaining funds that should be Small High Annual reconciliation of Wage and Hour trust cash account which is reviewed for old,
property report sent to state. outstanding items. Legal Assistant works with Agency Fiscal Manager until any
discrepancies are identified and investigated. Agency Fiscal Manager reviews and S
reconciles to AASIS at fiscal year-end. Chief Legal Counsel (Attorney Supervisor)
compares case files to report, signs and dates.
C, O, F Accurately prepare the monthly activity report Inaccurate Small Medium Chief Legal Counsel compares monthly closed claims report to actual case files and
uses a checkmark to denote file was in order. If file is not complete, it is returned to S
Legal Assistant for appropriate action.
Objective Type: C, O, F
Objective: Accurately and thoroughly assess cost chargeback for legal services for special revenue divisions.
Risk: Done inaccurately or incompletely.
Significance / Impact: Small
Likelihood: High
Control Activities: Legal staff uses a form to document time spent on billable services to other divisions which is approved by the Chief Legal Counsel. Forms are processed by Agency Fiscal Manager.
Mgmt Conclusion: NS
New or Additional Control Activity: Management has not identified any control activities that would be cost efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that the stated objective(s) may not be achieved.
F Accurately process timesheets and leave Inaccuracies in time reporting Large Medium All employees fill out internal time-sheets, Director approves Chief Legal Counsel.
requests for the division Chief Legal Counsel approves all others in division. Chief Legal Counsel compares S
internal time sheets to AASIS before approval.
Employee leave slips not Small Medium Chief Legal Counsel tracks leave requests on manual calendar. Chief Legal Counsel
completed approves leave for employees in division. Director approves Chief Legal Counsel's S
leave slips.
F Procurement for Legal division's efficient Unauthorized purchase request Moderate Low Legal staff initiates a purchase request which requires the Chief Legal Counsel's
operation approval; Chief Legal Counsel initiates a purchase request which requires approval of S
the Director or General Business Manager.
C, O, F Follow agency record retention guidelines. File destroyed early. Large Medium Legal Assistant generates request for destruction. Chief Legal Counsel approves
destruction. Planning & Publications Division approves request after contacting
History Commission & State Library to determine they do not want the records. Final
S
approval is obtained from the Director. Legal Assistant certifies that the records are
destroyed and the date. Permanent documentation maintained by General Business
Manager.
Management's Conclusion:
( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s).
( X ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable
basis for achieving the stated objective(s), except for the control activities listed as not sufficient in
column #7. The new or additional control activities needed to mitigate the identified risk to an
acceptable level are included as the corrective action plan in column #8. The corrective action will be
sufficient to mitigate the risk when implemented.
( X ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable
basis for achieving the stated objective(s). Management has not identified any control activities that
would be cost efficient to implement in order to mitigate the risk to an acceptable level; therefore, we
accept the risk that the stated objective(s) may not be achieved.
Risk Assessment and Control Activities Worksheet
Agency ARKANSAS DEPARTMENT OF LABOR
Department: ADMIN / INFORMATION TECHNOLOGY Prepared By: Doris Anderson
Activity: Agency Network Operations Date Prepared: May 31, 2007
Column groups: Risk Assessment | Actions to Manage Risks / Control Activities | Mgmt Conclusion | Corrective Action Plan
(1) Objective Type | (2) Objectives | (3) Risks | (4) Significance / Impact | (5) Likelihood | (6) Control Activities | (7) Mgmt Conclusion | (8) New or Additional Control Activity
O, C, Fr Provide employees with technology resources and Information system misuse, in Large Medium Supervisors communicate responsibilities and agency policies clearly to employees at hire
a local area network with access to the Internet. general. date and repeat at employee evaluation dates. Require agency employees to sign
acknowledgement of understanding. Standardize PC configurations set by IT staff. Use S
group policies (user/network/server security settings) to restrict user(s) access to data only to
areas authorized.
O, C, F, Fr Ensure agency remains in compliance with state Employees are not aware of their Moderate Medium Deploy security solutions and comply with security standards and best practices as
security standards responsibilities. established by the Office of Information Technology (OIT) and technology industry. Conduct
classes for required employee training on appropriate uses of technology and on Information S
Security Awareness. Employees are given certificates at completion of training, and their
training is notated in their personnel files.
Employees share passwords. Moderate Medium Written policies, signed by employee, prohibiting this and other security violations. Signed
statement kept in employee's personnel file. Supervisor can initiate disciplinary actions up to S
and including termination.
Employees are given access to files Moderate Low General Business Manager determines in discussion with employee's supervisor what roles
or programs that are not necessary IT assigns to a new employee in any division. Division supervisor completes "Computer
for the performance of their job Security Checklist for New Employee" form which specifies activation date, access to S
duties. selected network folders, printers and programs. Copy is retained in employee file.
Employees have access to sensitive Large Medium Code of Ethics must be signed by all employees at date of hire and re-signed yearly during
data and use it inappropriately. performance evaluation. Criminal background checks are performed for certain positions.
Event logs are reviewed by IT personnel upon request, and on a random spot-check basis. S
Supervisor can initiate disciplinary actions up to / including termination.
Employees take confidential data off- Large Medium Encryption required for sensitive data; sensitive data off-site is minimized where possible.
site where it is lost or stolen. Field employees are encouraged to backup laptops on USB portable storage devices in case
S
of loss. At least two layers of passwords are necessary to access PC.
Employee leaves PC logged on and Large Medium Auto cutoff in 15 minutes, then employee must log back on. Employees are reminded when
unattended. necessary to lock their computers when leaving their desks to avoid unwanted access. S
O, C, Fr Provide adequate IT resources to employees Theft of fixed assets inventory Moderate Low Inventory Database generates listing of assets assigned to employees which employee signs
and re-signs when there are any changes or additions to the assets assigned to him/her. S
Inventory Database generates listing of assets by location. Divisions are responsible for
yearly physical count which Division head signs and returns to Buyer. Discrepancies are
S
investigated by Buyer. Division heads held accountable by the Director for any unresolved
discrepancies.
Employee's equipment is damaged. Moderate Low All portable devices are covered for accidental damage by insurance and/or extended
S
warranties at the time of purchase.
O, C, Fr Provide adequate IT resources to employees Inadequate staff to handle agency's Large Medium Cross training, IT liaisons in each agency division to perform updates & keep security up to
S
(continued) requirements. date.
Inadequate inventory of repair parts Moderate Low Maintain a minimum of 10% of surplus equipment in inventory. Inventory is inspected
S
& new equipment quarterly.
O, C, Fr Ensure that agency servers, PC's and software Theft of software Moderate Low ALL agency software is kept in a locked area with restricted access.
are protected from physical and technological
S
risks and remain available to service agency
programs.
Technological risks: Software Large Medium Anti-virus program runs automatically each time PC is turned on. Anti-virus program
viruses, spyware, hackers or automatically updates itself from vendor website daily. Monitoring is through Symantec 10.0
security breach. anti-virus server which will notify IT staff of any PC or server that didn't auto update. Any S
suspicious email or other incoming data is quarantined; firewall log will expose hackers. Logs
are checked daily by IT personnel.
Master program software damaged. Moderate Low Back-up copies of master software kept in a secure off-site location. Use software vendors
S
that will replace damaged or stolen programs if necessary.
Physical risks to agency servers. Moderate Medium Servers are kept in a temperature controlled room with restricted access. Fire extinguishers
are located nearby; extinguishers are checked quarterly and documented via inspection tag S
hanging on extinguisher.
Online or CD-ROM updates or Moderate Medium Prior testing on single computer before IT installs on others is documented on "Software
upgrades fail, conflict with other Installation Sheet." Administrative rights are limited so that only IT personnel can install
S
software, or do not perform as software of any kind. Installer initials and dates documentation.
expected.
Power failures and/or electrical Large High Uninterruptible power source (UPS) on every PC. Provides at least 15 minutes of power so
surges. that PC can be safely shut down. UPS sounds a continuous alarm until the PC is shut down.
S
Employees are instructed to call IT immediately if a UPS alarm begins sounding.
Inadequate electrical supply; circuits Moderate Medium Testing of circuits before new PC's or other hardware plugged into an area.
S
overloaded.
Paper or electrical fires. Large Medium Emergency operations plan which includes posted emergency exits, fire extinguishers
checked quarterly and documented via inspection tag hanging on extinguisher. Self-
S
inspections to clear out hazardous areas. Fire extinguishers available for both paper and
electrical fires are located in the area.
Inadequate inventory of toner and Small Low
supplies, causing out-of-service
delays.
Natural disasters: tornadoes, etc. Large Low Hot site (location where backup tapes can be restored to dedicated equipment, usually within
which cause extensive damage. 24-72 hours), multiple vendor contracts for repair or service on site or at emergency backup S
location.
Newly installed software conflicts Moderate Low All computers pre-configured, prior testing before assigned to users. Users do not have
S
with other software. administration rights and cannot install ANY software without access.
Newly installed software doesn't run Moderate Low Prior testing performed before installation. Documentation in IT Service Log of any
properly with older hardware such incidences so that duplicate problems can be avoided. S
as printers.
O, C, F Protect the agency from catastrophic data loss Loss of agency data. Moderate Medium Triple redundancy of agency data backup, with one dataset stored in a separate building in a
which will impair its ability to serve the public. fire resistant cabinet with restricted access. One dataset is stored in locked, fire resistant
S
cabinet in the IT area, and a third less frequent backup is maintained at another off-site
location.
O, C, F Protect the agency from catastrophic data loss Restore procedures fail. Moderate Medium Employees are properly trained by IT Manager on restore procedures and at least quarterly
which will impair its ability to serve the public. attempt an actual restore to a backup server to verify the integrity of the hardware and
(continued) software. Results of tests are documented in "Restore Log." Backups self-verify with an S
event log that discloses any backup errors or open files that were skipped during the backup
process. The event log is checked each morning by IT.
Establish telephone contact with backup hardware / software vendors to trouble-shoot if IT
staff are unable to accomplish restoration of files. Maintenance contracts exist on all S
hardware and software that provide guaranteed call-back times of two hours or less.
O, C Ensure that IT staff maintains and improves skills Technology Skill sets: staff does Moderate Low To meet long-range skills requirements, minimum of 40 hours of training provided by
through required continuing education. not have adequate training to meet hardware and software vendors required each year. Training is documented and placed in
S
agency requirements. employee file for performance evaluation consideration. General Business Manager and IT
Supervisor will screen IT candidates for a minimum skill set.
O, C Maintain complete and accurate network Out-dated network documentation Large Medium When new equipment is acquired or new wiring installed, network data and documentation is
S
documentation in a secure location. updated and placed in the fire resistant cabinet.
Incomplete network documentation Large Medium Highly trained, professional IT staff cross-checks each other's work on a daily basis. Serious
S
errors or omissions are documented in employee file.
O, C Support currently installed hardware and software Application lifecycle - software not Large Medium When notified by software vendors that upgrades or updates are available, IT staff will study
technology through upgrades, extended upgraded or updated as new accompanying documentation and test on a single PC before installing. "Software
S
warranties and training. releases become available. Installation Checklist" is updated when equipment software is upgraded. Installer initials and
dates documentation.
Software and/or site licenses Large Medium "Software Installation Log" is updated for all software purchased; updated when employee
insufficient or expired. leaves or machine is retired. Log shows maximum number of licenses available for use, and S
licenses actually in use.
Hardware or software no longer Large Medium Spreadsheet of all hardware warranties is inspected quarterly by IT Supervisor. If extended
S
supported by vendor. warranty is not available, IT plans for immediate replacement of hardware.
O, C Maintain effective connections to state and INA Employees are unable to connect to Large Low Connectivity hardware, laptops, and PC are carried in equipment inventory, which enable
networks so that employees may access agency State network or INA network due to quick replacement of malfunctioning equipment. Inventory is inspected at least quarterly by
S
services and information. equipment failure. the IT supervisor and a minimum of 10% of surplus equipment is constantly maintained.
Phone lines / DSL connections out Large Medium All employees are reminded to keep main doors locked after hours, and to keep doors to
of service due to theft of copper various suites locked after 5 pm. S
wires in building.
O, C Ensure compliance with Arkansas Records Inadequate hard drive storage Moderate Low Hard drive file space remaining monitored constantly. Hard drives are added when free
Retention Schedule by safely and efficiently space for scanned data. space capacity falls below 25%.
S
maintaining electronic files for the required period
of time.
Employees unable to retrieve data Small Low
scanned & saved to CD.
Insufficient personnel to perform Large Medium Cross training, added features to software to drag & drop documents with no scanning
scanning function. required. Drag and drop allows employee to move documents from PC to network drives S
dedicated to storage.
Equipment failure Large Low Backup equipment already prepared. S
Management's Conclusion:
( X ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s).
( ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable basis
for achieving the stated objective(s), except for the control activities listed as not sufficient in column #7.
The new or additional control activities needed to mitigate the identified risk to an acceptable level are
included as the corrective action plan in column #8. The corrective action will be sufficient to mitigate the
risk when implemented.
( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s). Management has not identified any control activities that would be cost
efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that
the stated objective(s) may not be achieved.
Risk Assessment and Control Activities Worksheet
Agency Arkansas Department of Labor
Department: Administrative Services Prepared By: Vicki Campo
Activity: Procurement Date Prepared: May 31, 2007
Columns: (1) Objective Type | (2) Objectives | Risk Assessment: (3) Risks, (4) Significance / Impact, (5) Likelihood | (6) Actions to Manage Risks / Control Activities | (7) Mgmt Conclusion | (8) Corrective Action Plan: New or Additional Control Activity
Objective (Type O, F, FR): Accurately record, maintain and safeguard fixed assets.
  Risk: Loss/Theft of fixed assets. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Buyer creates asset shell, for low value assets ($500 - $2,499) and fixed assets ($2,500+) in AASIS subsidiary ledger when an asset is requested then a PO is created in AASIS, notating "A" in the account assignment field. When asset arrives Buyer attaches a DOL inventory tag, which is sequential, the item is entered into the Inventory Database in Access by DOL inventory tag number. All fixed assets are entered in the Inventory Database, even items less than $500.
    Mgmt Conclusion: S
    Control Activities: Items that are issued to employees are also tracked in the Inventory Database. The location used is the employee's name. The Buyer generates listing of assets assigned to employees which employee signs.
    Mgmt Conclusion: S
    Control Activities: A complete inventory of all assets is conducted annually. Inventory Database generates listing of assets by location. Departments are responsible for yearly physical count which Department head signs and returns to Buyer. Inventory count includes items issued to individual employees; listing is signed by employee and Department head. Discrepancies are investigated by Buyer. Department heads held accountable by the Director for any unresolved discrepancies.
    Mgmt Conclusion: S
    Control Activities: There is insurance on "mobile" equipment such as laptops and OSHA testing equipment. The coverage is for replacement cost.
    Mgmt Conclusion: S
  Risk: Inventory not updated for purchases and releases. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Buyer and General Business Manager attended fixed assets class provided by AASIS training staff and OSP classes as available. Buyer participates in at least 12 hours of continuing education yearly which is part of the performance evaluation. Buyer reviews purchase request which includes description of purchase provided by division and approval by General Business Manager. Buyer determines asset classification based on dollar value and description. General Business Manager reviews purchase request and approves in AASIS.
    Mgmt Conclusion: S
    Control Activities: Annually the Buyer runs the Directory of Unposted Assets report, S_ALR_87012056, in AASIS subsidiary ledger. This report indicates any asset shells which have been created but have not been purchased. The Buyer investigates and resolves any errors.
    Mgmt Conclusion: S
    Control Activities: Division head notifies Buyer by email or by inventory change form when equipment needs disposal. Buyer initiates with Marketing & Redistribution for disposal. Buyer retires asset from AASIS sub ledger and references Surplus Disposal Form (SDF) number. Buyer updates Inventory Database by changing location to the SDF number.
    Mgmt Conclusion: S
    Control Activities: A complete inventory of all assets is conducted annually. Inventory Database generates listing of assets by location. Departments are responsible for yearly physical count which Department head signs and returns to Buyer. Inventory count includes items issued to individual employees; listing is signed by employee and Department head. Discrepancies are investigated by Buyer. Department heads held accountable by the Director for any unresolved discrepancies.
    Mgmt Conclusion: S
Objective (Type O, F, FR): Accurately record, maintain and safeguard fixed assets. (continued)
  Risk: Inventory not updated for purchases and releases. (continued) (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Legislative Audit reviews purchases and releases during the annual audit.
    Mgmt Conclusion: S
  Risk: Assets recorded in wrong accounting period. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Cut-off date for purchasing prior to end of fiscal year is May 10, or six weeks prior to fiscal year end.
    Mgmt Conclusion: S
    Control Activities: Annually the Buyer runs the Directory of Unposted Assets report, S_ALR_87012056, in AASIS subsidiary ledger. This report indicates any asset shells which have been created but have not been purchased. The Buyer investigates and resolves any errors.
    Mgmt Conclusion: S
  Risk: Excess Inventory (Significance/Impact: Small; Likelihood: Low)
  Risk: Fixed assets improperly classed as expenses. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Buyer attended fixed assets class provided by AASIS training staff and OSP classes as available. Buyer participates in at least 12 hours of continuing education yearly which is part of the performance evaluation. General Business Manager was also trained in Fixed Assets by AASIS staff. General Business Manager approves purchase order.
    Mgmt Conclusion: S
    Control Activities: Agency Fiscal Manager runs cost center reports monthly and looks for large or unusual amounts in expense accounts.
    Mgmt Conclusion: S
Objective (Type O, F, FR): Accurately and timely process purchase requisitions.
  Risk: Employee theft of supplies. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Items are placed in locking supply cabinets in Buyer's area or if IT supplies in locked areas within division.
    Mgmt Conclusion: S
  Risk: Inappropriate or unauthorized purchases (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Purchase requisition must be approved by division supervisor or department head AND General Business Manager or Director. Purchase requisition requires justification statement.
    Mgmt Conclusion: S
    Control Activities: General Business Manager or Director reviews purchase order in AASIS and compares to purchase requisition before posting.
    Mgmt Conclusion: S
  Risk: Contracts are not awarded in accordance with Arkansas Procurement laws. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Buyer has attended training offered by Office of State Procurement. Buyer has extensive experience working in procurement for DOL. Buyer participates in at least 12 hours of continuing education yearly which is part of the performance evaluation.
    Mgmt Conclusion: S
    Control Activities: For infrequent purchases, Buyer refers to OSP website and checks for state contract.
    Mgmt Conclusion: S
    Control Activities: General Business Manager or Director must give final approval.
    Mgmt Conclusion: S
  Risk: Goods received do not agree with specifications on purchase order. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Assistant Personnel Manager MIGO's item in AASIS based on packing slip. AASIS will not allow payment processing until MIGO is complete. Buyer will work with vendor to resolve any discrepancies. General Business Manager must approve any goods received that deviate from purchase order or goods will be returned by Buyer.
    Mgmt Conclusion: NS
    New or Additional Control Activity: The individual receiving the goods will compare the actual goods received to the enclosed packing slip noting items that were received and any discrepancies between packing slip and actual goods. The individual will sign and date the packing slip as indication that the step was performed. Implementation Date: July 1, 2007
  Risk: Purchases in excess of budget. (Significance/Impact: Large; Likelihood: Low)
    Control Activities: AASIS will not allow purchase orders to be posted that exceed budgeted amounts. Buyer can park but cannot post invoices that might have bypassed PO system. Either Agency Fiscal Manager or General Business Manager must post, therefore purchase order will either be voided or budget can be modified within the same commitment item.
    Mgmt Conclusion: S
  Risk: Large purchase broken into several smaller ones to avoid state bidding regulations. (Significance/Impact: Large; Likelihood: Low)
    Control Activities: General Business Manager approves purchase orders; because of the size of the office and the small number of transactions processed the General Business Manager would be aware of repetitive payments to vendors.
    Mgmt Conclusion: S
    Control Activities: Buyer must report P-card purchases to OSP monthly. OSP will notify Buyer's supervisor if purchasing laws have been violated.
    Mgmt Conclusion: NS
    New or Additional Control Activity: General Business Manager analyzes monthly Buyer's report before it is submitted to OSP, looking for repetitive purchases to same vendors. Implementation Date: July 1, 2007
  Risk: Purchase order documentation missing or misfiled. (Significance/Impact: Small; Likelihood: Low)
  Risk: Insufficient inventory of necessary supplies, or supplies ordered that are no longer used. (Significance/Impact: Small; Likelihood: Low)
  Risk: Untrained Staff (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Buyer has been with DOL and working as the procurement agent for several years. Buyer is required to attend at least 12 hours continuing education through OSP or AASIS training staff. Continuing education is part of merit pay and performance evaluation.
    Mgmt Conclusion: S
Objective (Type O, F, FR): Accurately and timely processing of accounts payable.
  Risk: Disbursements made before goods received or for incorrect items. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Assistant Personnel Manager receipts goods in AASIS using the MIGO function. Buyer can only then MIRO and park invoice for payment.
    Mgmt Conclusion: NS
    New or Additional Control Activity: The individual receiving the goods will compare the actual goods received to the enclosed packing slip noting items that were received and any discrepancies between packing slip and actual goods. The individual will sign and date the packing slip as indication that the step was performed. Implementation Date: July 1, 2007
  Risk: Duplicate payments. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Pay from original invoice documents only. Buyer keys invoice number into AASIS which checks the field for duplicate numbers.
    Mgmt Conclusion: S
  Risk: Payment made to fictitious vendor. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Buyer reviews AASIS vendor listing. All new vendors must go through OSP vendor set-up process. This process runs the FEIN against the IRS database and will kick out fictitious vendors.
    Mgmt Conclusion: S
  Risk: Invoice hard copy missing or misfiled after entry into AASIS. (Significance/Impact: Small; Likelihood: Low)
  Risk: Vendor complaints: nonpayment, slow payment, etc. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Any errors in invoices are corrected upon receipt by Buyer. Department guidelines specify payment according to vendor terms, with invoices processed and paid weekly. OSP pre-sets vendor terms.
    Mgmt Conclusion: S
  Risk: Liabilities may be recorded in wrong accounting period. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Certification letter for each prior-year invoice prepared by Buyer and signed by Agency Fiscal Manager.
    Mgmt Conclusion: S
    Control Activities: Buyer runs open items list from AASIS and investigates discrepancies. After any corrections, Buyer will rerun listing and check for accuracy.
    Mgmt Conclusion: S
  Risk: Inaccurate-extensions & footings on invoice may not be correct. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Invoice is checked by Buyer before entry into AASIS. If invoice does not match PO, Buyer will investigate and document resolution on the invoice. Invoice and purchase order documents are given to Assistant Personnel Manager to be cross-checked and goods receipted before posting in AASIS.
    Mgmt Conclusion: S
  Risk: Payment may be processed as a direct payment when goods were ordered through the purchase order system. Expense duplicated. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Buyer has a file with all open payables, when an invoice is received Buyer reviews open payable file and plus appropriate PO. At year end or as needed, Buyer reviews open item report and verifies accuracy of the report. Appropriate adjustments are made and Buyer runs report again. Final report is kept in year end file.
    Mgmt Conclusion: S
  Risk: Payment may be processed as a direct payment rather than using a purchase order, and goods were not received. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Department policy is to use PO system for all but recurring monthly invoices which have had reservation of funds in AASIS. Procurement card is used (like VISA), but approved invoices/receipts must be attached to monthly report log, which Agency Fiscal Manager reviews and approves monthly. (Purchases approved by General Business Manager or Director). OSP does random audits.
    Mgmt Conclusion: S
  Risk: Discounts may be missed. (Significance/Impact: Small; Likelihood: Low)
Objective (Type O, F): Provide accurate monthly procurement reports and reports required by CAFR.
  Risk: Inaccurate reporting. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Agency Fiscal Manager and General Business Manager reviews cost center reports monthly.
    Mgmt Conclusion: S
  Risk: CAFR deadlines missed. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Follow state assigned deadlines for various fiscal-year-end tasks as published by CAFR. Both Agency Fiscal Manager and General Business Manager monitor timelines in Outlook and in manual calendars.
    Mgmt Conclusion: S
Management's Conclusion:
( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s).
( X ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable
basis for achieving the stated objective(s), except for the control activities listed as not sufficient in
column #7. The new or additional control activities needed to mitigate the identified risk to an acceptable
level are included as the corrective action plan in column #8. The corrective action will be sufficient to
mitigate the risk when implemented.
( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s). Management has not identified any control activities that would be cost
efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that
the stated objective(s) may not be achieved.
Risk Assessment and Control Activities Worksheet
Agency Arkansas Department of Labor
Department: Administrative Services Prepared By: Sandra Welchman
Activity: Finance Date Prepared: May 31, 2007
Columns: (1) Objective Type | (2) Objectives | Risk Assessment: (3) Risks, (4) Significance / Impact, (5) Likelihood | (6) Actions to Manage Risks / Control Activities | (7) Mgmt Conclusion | (8) Corrective Action Plan: New or Additional Control Activity
Objective (Type O, F): Efficient management of Agency funds.
  Risk: Lack of Appropriation (Significance/Impact: Large; Likelihood: Low)
    Control Activities: Agency Fiscal Manager reviews Available Budget report in AASIS weekly. Agency Fiscal Manager requests transfer of appropriation as needed and parks transaction in AASIS, Budget Analyst reviews, transaction is posted by DFA-Office of Accounting.
    Mgmt Conclusion: S
  Risk: Lack of Funds (Significance/Impact: Large; Likelihood: Medium)
    Control Activities: Agency Fiscal Manager reviews AASIS trial balance report daily and requests transfer of funds to appropriate level. Either General Business Manager or Office of Accounting reviews and posts.
    Mgmt Conclusion: S
  Risk: Incorrect or missing entries to record funds transfers. (Significance/Impact: Large; Likelihood: High)
    Control Activities: Monthly revenue report letters prepared by each division and reviewed by department heads are reconciled back to cash receipts fund in AASIS by Agency Fiscal Manager. Reports are maintained by Agency Fiscal Manager.
    Mgmt Conclusion: S
  Risk: Untimely transfers of payroll funds. (Significance/Impact: Large; Likelihood: Low)
    Control Activities: Experienced personnel are aware of payroll transfers deadlines every other Thursday. DFA funds management personnel will notify DOL if funds transfers are missing or insufficient. OPM notifies timekeepers by email if any payroll will be running out of sequence.
    Mgmt Conclusion: S
  Risk: Insufficient staff, or staff absent for lengthy period. (Significance/Impact: Large; Likelihood: Medium)
    Control Activities: Cross training. Ability to work from home for Attorney, Agency Fiscal Manager, General Business Manager and Assistant Personnel Manager only. IT restricts access from off-site locations to only those above.
    Mgmt Conclusion: S
  Risk: Expenditures in excess of budget. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: AASIS controls will prevent PO's in excess of budget from being entered. Approval for all purchase requisitions given by General Business Manager or Director prior to purchase order data entry. Budget may be modified within the same commitment item by General Business Manager with Director's approval if funds are available.
    Mgmt Conclusion: S
  Risk: Budget crisis - budgeted amounts are insufficient to cover needed expenditures. (Significance/Impact: Large; Likelihood: Low)
    Control Activities: Agency Fiscal Manager and General Business Manager run budget to actual reports monthly. General Business Manager will take steps to curb expenditures up to and including enforcing the State Reduction in Force policy, if necessary.
    Mgmt Conclusion: S
Objective (Type O, F, Fr): Development of an accurate budget document.
  Risk: Budget is inaccurately developed and is not comprehensive (Significance/Impact: Large; Likelihood: Low)
    Control Activities: Each department head submits budget request forms with justification to General Business Manager and Director. Changes from prior year's budget are reviewed by Agency Fiscal Manager for reasonableness. General Business Manager and Director review the budget request with analyzed information and make appropriate adjustments, as needed, before approving.
    Mgmt Conclusion: S
  Risk: Accuracy - estimates not supported by historical expenditures and realistic projections. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Department heads submit budget requests form with justifications for changes to previous year's budget to General Business Manager and Director. Changes from prior year's budget are reviewed by Agency Fiscal Manager for reasonableness.
    Mgmt Conclusion: S
  Risk: Keying error when entering approved budgets (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Agency Fiscal Manager accesses Planning Budgeting Administrative System (PBAS), enters changes to previous year's budget from approved budget request forms and parks. General Business Manager reviews and posts.
    Mgmt Conclusion: S
Objective (Type O, F, Fr): Develop an accurate budget document. (continued)
  Risk: Unauthorized expenditures inserted into budget. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Department heads submit budget request form with justification for changes from previous year's amounts. Agency Fiscal Manager analyzes all significant changes for reasonableness. General Business Manager and Director review the budget request with analyzed information and make appropriate adjustments, as needed, before approving. Agency Fiscal Manager inputs information into PBAS and parks, General Business Manager reviews and posts in AASIS.
    Mgmt Conclusion: S
Objective (Type O, F, C): Appropriate administration of grant funds
  Risk: Lack of Funds (Significance/Impact: Large; Likelihood: Medium)
    Control Activities: Agency Fiscal Manager maintains spreadsheet of monthly projections vs. actual revenues and expenditures from AASIS records. Agency Fiscal Manager and General Business Manager meet with department heads quarterly. Experienced program managers are knowledgeable about grant requirements and administering grant funds.
    Mgmt Conclusion: S
  Risk: Grant revenues and expenditures may not be recorded in the fiscal year. (Significance/Impact: Large; Likelihood: Medium)
    Control Activities: Agency Fiscal Manager analyzes cost center report for each grant monthly, investigates unusual variances from budget. Each quarter, Agency Fiscal Manager and General Business Manager meet with Program Managers to review grant reports.
    Mgmt Conclusion: S
    Control Activities: Cut-off date for purchasing is May 10, or six weeks prior to fiscal year end.
  Risk: Failure to follow Federal Guidelines (Significance/Impact: Large; Likelihood: Low)
    Control Activities: Agency Fiscal Manager and General Business Manager attend regional and national training in grant programs. Agency Fiscal Manager, General Business Manager and Buyer participate in online training offered by OSHA. Program managers have been trained on federal guidelines and have many years experience in administering the grants.
    Mgmt Conclusion: S
  Risk: Preparation of grant applications incorrect or not timely. (Significance/Impact: Large; Likelihood: High)
    Control Activities: Outlook tasks, Outlook calendars and emailed reminders from federal agencies to all Finance personnel help ensure deadlines are met. Meeting deadlines is part of the employee's performance evaluations. Project managers prepare program section of grant and Agency Fiscal Manager prepares financial data. Reviewed by General Business Manager and Director who also sign grant application.
    Mgmt Conclusion: S
  Risk: Financial status reports not filed timely or are inaccurate. (Significance/Impact: Large; Likelihood: Low)
    Control Activities: Agency Fiscal Manager maintains a calendar of due dates and federal government sends notifications when the system is available for filing. All grant data maintained in WBS elements; GD13 reports by cost center are sorted by WBS elements and reconciled to AASIS trial balance. Agency Fiscal Manager prepares FSRs from GD 13 report which are reviewed by General Business Manager. The Director signs the Financial Status Report.
    Mgmt Conclusion: S
  Risk: AASIS not used as primary federal award accounting system. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Grant expenditures are tracked by WBS elements, cost center reports are reviewed by Agency Fiscal Manager monthly for reasonableness. Agency Fiscal Manager, General Business Manager and Program Manager(s) will review grant report quarterly and confirm data with AASIS.
    Mgmt Conclusion: S
Objective (Type O, F, FR): Accurately record revenues and deposits
  Risk: Employee theft of cash. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Buyer verifies division's internal deposit form to cash and checks and issues a receipt to the division. Agency Fiscal Manager prepares deposit from division's internal deposit form and parks entry in AASIS. General Business Manager compares internal deposit slips to AASIS and posts entry. DOL policy is not to accept cash.
    Mgmt Conclusion: NS
    New or Additional Control Activity: The General Business Manager will receive a copy of all division's monthly revenue letter directly and will compare those to AASIS. Implementation date: August 1, 2007
  Risk: Deposits are not recorded in the general ledger. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Treasury will not deposit funds unless accompanied by the Arkansas Revenue Receipt of Deposit as proof of entry into AASIS. Cash in Treasury is reconciled monthly by DFA - OA - Fund Reconciliation.
    Mgmt Conclusion: S
  Risk: Department could accept a bad check. (Significance/Impact: Small; Likelihood: Low)
  Risk: Deposits not recorded in proper period. (Significance/Impact: Small; Likelihood: Medium)
    Control Activities: Deposits must be handed to accounting by 10 am. Treasury also publishes the required end of month deposit date if EOM falls on holiday or weekend.
    Mgmt Conclusion: S
    Control Activities: Monthly revenue report letter prepared by each division and reviewed by division head are reconciled back to cash receipts fund in AASIS and to Treasury by Agency Fiscal Manager. The Agency Fiscal Manager resolves discrepancies between the letters and incoming mail logs with the appropriate division administrative assistant.
    Mgmt Conclusion: S
    Control Activities: Quarterly calendars with critical dates and times are distributed to divisions.
    Mgmt Conclusion: S
Objective (Type O, F, FR): Accurately record revenues and deposits (continued)
  Risk: Deposits lost / stolen in transit to Treasury. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Deposits are in a bank bag placed inside a briefcase.
    Mgmt Conclusion: S
Objective (Type O, F, FR): Accurately record revenues and deposits
  Risk: Cash received for wage claims restitution is posted to the wrong fund or general ledger account, or for the incorrect amount. (Significance/Impact: Small; Likelihood: Medium)
    Control Activities: Each disbursement is reconciled with wage and hour division and/or legal showing how much cash received and how much paid out against specific claims. Deposit information included in check request. Wage and Hour supervisor issues warrant request, giving all necessary information to Agency Fiscal Manager, who compares to the deposit information for the employer's check.
    Mgmt Conclusion: S
    Control Activities: Agency Fiscal Manager reconciles quarterly with the wage and hour database with wage and hour cash fund. Both databases must agree with AASIS.
    Mgmt Conclusion: S
Objective (Type O, F, FR, C): Reporting - Financial
  Risk: Agency misses deadline (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Agency Fiscal Manager uses Outlook to record all deadlines.
    Mgmt Conclusion: S
  Risk: Inaccurate financial data reports published. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Various ACCESS database reports are prepared by Agency Fiscal Manager who reconciles data back to AASIS. General Business Manager and Director also review.
    Mgmt Conclusion: S
  Risk: End of fiscal year accruals not made, or journal entries are inaccurate. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: CAFR sends end-of-year checklist which is completed by Agency Fiscal Manager and returned to CAFR. General ledger entries prepared and parked by Agency Fiscal Manager. General Business Manager reviews entries and posts.
    Mgmt Conclusion: S
  Risk: Inaccuracies - Revenues and expenditures may not be recorded in the appropriate accounting year. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Schedules are prepared by Buyer, Assistant Personnel Manager and Agency Fiscal Manager and are filed with closing books in Agency Fiscal Manager's office. Reviewed by General Business Manager who also signs a certification letter to CAFR.
    Mgmt Conclusion: S
  Risk: Intentional misrepresentation. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: AASIS controls (park and post requires two different people), proofreading for integrity and accuracy by General Business Manager, Agency Fiscal Manager, and Director.
    Mgmt Conclusion: S
Management's Conclusion:
( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s).
( X ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable basis
for achieving the stated objective(s), except for the control activities listed as not sufficient in column #7.
The new or additional control activities needed to mitigate the identified risk to an acceptable level are
included as the corrective action plan in column #8. The corrective action will be sufficient to mitigate the
risk when implemented.
( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s). Management has not identified any control activities that would be cost
efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that
the stated objective(s) may not be achieved.
Risk Assessment and Control Activities Worksheet
Agency Arkansas Department of Labor
Department: Administrative Services Prepared By: Linda Whisnant
Activity: Payroll/Personnel Date Prepared: May 31, 2007
Columns: (1) Objective Type | (2) Objectives | Risk Assessment: (3) Risks, (4) Significance / Impact, (5) Likelihood | (6) Actions to Manage Risks / Control Activities | (7) Mgmt Conclusion | (8) Corrective Action Plan: New or Additional Control Activity
Objective (Type O, F, FR): Accurate and timely processing of payroll
  Risk: Employee paid for incorrect number of hours. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Assistant Personnel Manager runs simulations and verifies amounts keyed by each division against approved timesheets and leave requests.
    Mgmt Conclusion: S
  Risk: Terminated employee could be paid. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Time is entered by division timekeeper, division supervisor approves in AASIS while comparing to timesheet hard copies. Assistant Personnel Manager runs simulation and compares to all documents in pay period work file: termination checklists, master data changes, timesheets, leave requests, etc.
    Mgmt Conclusion: S
  Risk: Fictitious employee could be paid. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: General Business Manager is notified automatically by AASIS of any personnel changes made by Assistant Personnel Manager. Immediate Supervisor introduces new employees to Agency Fiscal Manager, Assistant Personnel Manager and General Business Manager. (Note: this is a small agency in which General Business Manager knows all employees.)
    Mgmt Conclusion: S
  Risk: Employee master data changed without authorization. (personal data, withholding, etc) (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Written authorization from employee, Director or General Business Manager is required before Assistant Personnel Manager makes changes in AASIS to the employee's master data. General Business Manager is notified automatically by AASIS of any master data changes made by Assistant Personnel Manager.
    Mgmt Conclusion: NS
    New or Additional Control Activity: When AASIS notification is received, the General Business Manager reviews the employee's master data to insure that changes were made accurately according to the request that was submitted. Implementation date: August 1, 2007
  Risk: Timeliness of payroll data entry. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Follow all established OPM and AASIS payroll schedules; schedule is posted in HR area on master calendar. Employees, timekeepers and supervisors are notified in advance by email if there is a deviation from the normal schedule.
    Mgmt Conclusion: S
  Risk: Employee does not complete leave form for time missed. (Significance/Impact: Small; Likelihood: Medium)
    Control Activities: Supervisor is responsible for collecting leave forms and submitting with approved timesheets to Assistant Personnel Manager. Please refer to each division's tab.
    Mgmt Conclusion: S
  Risk: Leave records incomplete or missing at audit. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Administrative Assistant in Administrative Services Department maintains both a manual record for each employee's leave balances and the request for leave is maintained with the employee's time sheet. After each payroll, the Administrative Assistant checks AASIS time entry with actual time sheets to insure accuracy. The manual record is reconciled back to AASIS after each payroll.
    Mgmt Conclusion: S
Objective (Type O, F, FR): On a timely basis, retrieve assets assigned to terminating employees and safeguard agency data.
  Risk: Terminated employee doesn't turn in keys, equipment or other state property. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Supervisor accounts for all property issued to terminated employee on inventory database listing and signs and dates listing. Supervisor sends listing and items to Buyer. Buyer verifies that all equipment is accounted for and notes on termination checklist and communicates by email to Assistant Personnel Manager that all property is returned.
    Mgmt Conclusion: S
  Risk: IT not notified to terminate employee computer access. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: General Business Manager and employee's supervisor notify IT of termination; IT immediately disables computer access. The direct supervisor or General Business Manager checks the appropriate box on the termination checklist, which is signed when the checklist is complete.
    Mgmt Conclusion: S
Objective (Type O, F, FR): Accurate and timely information is distributed to employees about available benefits; Accurate processing of benefit withholdings
  Risk: Inaccuracy of master data, including payroll deductions for benefits. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Employee must sign form requesting any changes to master data. Assistant Personnel Manager parks entry in AASIS, and an automatic notification is sent to the General Business Manager. Employee can verify accuracy against remuneration statement or on employee self-serve in AASIS.
    Mgmt Conclusion: NS
    New or Additional Control Activity: When AASIS notification is received, the General Business Manager reviews the employee's master data to insure that changes were made accurately according to the request that was submitted. Implementation date: August 1, 2007
  Risk: Timeliness - benefit provider deadlines missed. (Significance/Impact: Large; Likelihood: Low)
    Control Activities: New employee is given checklist of required paperwork and deadlines during orientation. Assistant Personnel Manager prepares master list of employees and their benefits. Assistant Personnel Manager notifies each employee of enrollment deadlines via EBD, email or personal phone calls.
    Mgmt Conclusion: NS
    New or Additional Control Activity: New Employee signs and dates an acknowledgement of any benefit brochures, paperwork or other documents provided to them by the Assistant Personnel Manager during orientation. Assistant Personnel Manager will use e-mail tracking system to determine that all employees have received notification. Implementation date: August 1, 2007
  Risk: Available benefit information not communicated or communicated incorrectly to employees. (Significance/Impact: Large; Likelihood: Low)
    Control Activities: New hire package lists all benefits, and website addresses are given to new hires during orientation. Specific questions are answered by either of the two Assistant Personnel Managers who attend required training offered by the Employee Benefits Division. Training is documented and placed in employee file.
    Mgmt Conclusion: NS
    New or Additional Control Activity: New Employee signs and dates an acknowledgement of any benefit brochures, paperwork or other documents provided to them by the Assistant Personnel Manager during orientation. Assistant Personnel Manager will use e-mail tracking system to determine that all employees have received notification of changes to benefits. Implementation date: August 1, 2007
  Risk: Changes to existing benefits not communicated to employees in a timely manner. (Significance/Impact: Moderate; Likelihood: Low)
    Control Activities: Awareness of changes in benefit programs: Assistant Personnel Manager, Agency Fiscal Manager and General Business Manager keep benefits documentation and update / change notifications in HR files after General Business Manager publishes information to staff via email.
    Mgmt Conclusion: S
Objective (Type O, F, FR): Maintaining and protecting confidential Employee Records
  Risk: Lack of security. (Significance/Impact: Large; Likelihood: Medium)
    Control Activities: HIPAA training is offered by EBD; Assistant Personnel Manager and all supervisors are required to attend; documentation of attendance is placed in employee file.
    Mgmt Conclusion: S
    Control Activities: Sensitive materials are locked up in a secure area. Access to both secure area and files is limited to General Business Manager, Agency Fiscal Manager and Assistant Personnel Manager.
    Mgmt Conclusion: S
  Risk: Terminated employee files stored inappropriately. (Significance/Impact: Small; Likelihood: Low)
Objective (Type C, O): Recruiting of qualified personnel in a timely manner
  Risk: Hiring unqualified personnel. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: OPM regulates minimum qualifications; Assistant Personnel Manager or General Business Manager compares applicant's qualifications to most recent OPM standards. Notations are made on employment application and communicated to supervisor.
    Mgmt Conclusion: S
    Control Activities: State Police driving records checked via online service by Assistant Personnel Manager or Administrative Assistant. Any violations are brought to the attention of hiring supervisor before applicant is employed. State Police report is attached to employment application.
    Mgmt Conclusion: S
    Control Activities: Hiring supervisor verifies experience and written exam scores of boiler inspectors before hiring. (20-23-202) Requires copies of licenses or certifications placed in employee's permanent file.
    Mgmt Conclusion: S
  Risk: Positions remain vacant for long periods. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Assistant Personnel Manager may place advertising with specific organizations that divisions deal with; advertise on website and in newspapers. Director will sometimes authorize special labor rate for exceptionally well-qualified applicant.
    Mgmt Conclusion: S
Objective (Type O): Employees receive necessary training in timely manner
  Risk: Employees not aware of their responsibilities, or not trained to accomplish their duties. (Significance/Impact: Moderate; Likelihood: Medium)
    Control Activities: Employees required to have certain number of training hours each year thru Merit Pay program. DOL's Information Technology department also furnishes training in various areas. Each employee's training requirements mapped out each year during the performance evaluation and documentation of requirements placed in employee file.
    Mgmt Conclusion: S
Management's Conclusion:
( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis
for achieving the stated objective(s).
( X ) The control activities are sufficient to mitigate all of the identified risks and provide a
reasonable basis for achieving the stated objective(s), except for the control activities listed as
not sufficient in column #7. The new or additional control activities needed to mitigate the
identified risk to an acceptable level are included as the corrective action plan in column #8. The
corrective action will be sufficient to mitigate the risk when implemented.
( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable
basis for achieving the stated objective(s). Management has not identified any control activities
that would be cost efficient to implement in order to mitigate the risk to an acceptable level;
therefore, we accept the risk that the stated objective(s) may not be achieved.
Risk Assessment and Control Activities Worksheet
Agency: Arkansas Department of Labor
Department: Agency-wide
Prepared By: Becky Bryant and Linda Whisnant
Activity: Agency Culture
Date Prepared: May 31, 2007
Risk Assessment Actions to Manage Risks/ Corrective Action Plan
Objective Significance / Mgmt
Type Objectives Risks Impact Likelihood Control Activities Conclusion New or Additional Control Activity
(1) (2) (3) (4) (5) (6) (7) (8)
Objective Type: O, C, Fr
Objective: Establish a culture of honesty and ethical behavior within the Department of Labor.
Risk: Employee theft / fraud
Significance / Impact: Moderate
Likelihood: Medium
Control Activities: Employees must read and sign an acknowledgement of the Code of Ethics. Consequences of violation of the Code are explained to new employee at orientation. Code must be re-signed each year at employee performance evaluation.
Mgmt Conclusion: S

Risk: Employee dishonesty
Significance / Impact: Moderate
Likelihood: Medium
Control Activities: Employees must read and sign an acknowledgement of the Code of Ethics. Consequences of violation of the Code are explained to new employee at orientation. Code must be re-signed each year at employee performance evaluation.
Mgmt Conclusion: S

Risk: Abuse of leave time
Significance / Impact: Moderate
Likelihood: Small
Control Activities: Employees acknowledge receipt of the Department's Policies and Procedures manual. The manual includes the Leave Without Pay (LWOP) policy, which requires the Director's approval to allow an employee to be in a LWOP status. The Administrative Services' Administrative Assistant monitors leave balances bi-weekly when reconciling manual leave balance records to AASIS. The Administrative Assistant will notify any supervisor who has an employee that is in jeopardy of being in a LWOP status.
Mgmt Conclusion: S

Risk: Employees not aware of how to report fraud, waste and abuse.
Significance / Impact: Moderate
Likelihood: Small
Control Activities: Fraud Hotline poster is displayed in main break areas. General Business Manager has "open-door" policy. Employees sign Code of Ethics at hire date, then annually thereafter.
Mgmt Conclusion: S
Management's Conclusion:
( X ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s).
( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s), except for the control activities listed as insufficient in column #7. The
new or additional control activities needed to mitigate the identified risk to an acceptable level are included
as the corrective action plan in column #8. The corrective action will be sufficient to mitigate the risk when
implemented.
( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for
achieving the stated objective(s). Management has not identified any control activities that would be cost
efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that
the stated objective(s) may not be achieved.