Plan Pub

Shared by: Mariah
Posted: 4/4/2009
Risk Assessment and Control Activities Worksheet
Agency: Arkansas Department of Labor
Department: Administrative Services
Activity: Planning and Publication
Prepared By: Jeanette Donahue
Date Prepared: May 31, 2007

Objective Type (1) O Objectives (2) Design and development of agency printed materials such as the annual report, posters, code books, safety brochures and award certificates in an accurate and timely manner. Risks (3) Risk Assessment Significance / Impact (4) Moderate Actions to Manage Risks/ Likelihood (5) Medium Control Activities (6) Division supervisor proofreads, gives verbal or email approval to publishing personnel. Sample of printed material sent to Legal and General Business Manager for approval; approval and/or required corrections are noted on "Printing Approval" form attached to sample. If corrections are needed, Management Project Analyst signs to confirm that all required corrections were made. Identical program software loaded on both PCs used in publishing process. Program software can be reloaded by IT personnel from backups stored on network drives or from CD-ROM. Publishing software updated or upgraded by IT personnel when new releases are available and after testing. Triple redundancy of agency data backup, with master data maintained on multiple media sets in a separate building in a fire resistant cabinet with restricted access. Management Project Analyst enforces non-flexible deadlines with occasional assistance from General Business Manager. For flexible deadlines, Management Project Analyst sends frequent reminder emails until necessary information is received. Management Project Analyst records publication due dates on Outlook and task bars as well as on the calendar included in the publishing software. Publishing software also tracks project status, enabling Management Project Analyst to determine if all information has been received, keyed, approved, and printed. 
Schedule regular in-house & vendor-performed equipment maintenance to reduce breakdowns. Management Project Analyst logs last maintenance performed and requests either IT or vendor maintenance when necessary, or when regular maintenance is due. (IT also keeps maintenance logs, and has backup PCs in inventory.) Mgmt Conclusion (7) Corrective Action Plan New or Additional Control Activity (8) S Inaccurate data in printed materials. Publishing software is damaged or obsolete. Moderate Medium S Loss of data and computerized designs O Printing agency publications (The Safety News and Labor News quarterly newsletters) and brochures, code books, safety training materials, award certificates, in-house forms, etc., with accuracy and timely delivery. Publication deadlines missed Moderate Medium S Small Medium NS Management enforces deadlines and documents noncompliance which will affect employee's performance evaluation. Implementation Date: July 1, 2007 Equipment Failure - includes computers, printers, copiers, etc. Large Medium S Supply Shortage Large Medium Keep inventory of supplies needed for production of at least two quarterly publications on hand at all times. Management Project Analyst checks supplies immediately after publication of each of the two newsletters, each quarter. Any needed supplies are noted on the supply requisition form and are reordered immediately since some supplies have two-month delivery time. Postal Standards publication for bulk mail requirements is available to staff. Mailing labels are printed by zip code order to reduce bundling errors. S O, F Distribution and mailing newsletters and other printed materials in the most cost effective manner. Postal Standards not met: errors in bundling for cheapest bulk rates Moderate Medium S O Maintain agency website, keeping the federal and state regulatory information and other labor information up-to-date and accurate. 
Inaccurate information on website Moderate High Division supervisor supplies information via email to Management Project Analyst. Website pages are printed and sent to Legal and General Business Manager for approval; approval and/or required corrections are noted on the accompanying "Printing Approval" form. If corrections are needed, Management Project Analyst signs to confirm that all required corrections were made. S O Publish monthly employee calendar, the Laborgram, for improved communications within the agency. Equipment Failure - includes computers, printers, copiers, etc. Small Low O Publish monthly employee calendar, the Laborgram, for improved communications within the agency. (continued) Accurately process division timesheets and leave requests. Inaccurate data in printed materials. Small Low O, F Inaccurate time reporting Small Medium Management Project Analyst (division supervisor) approves AASIS timesheets, Management Project Analyst's timesheet is approved by Director or General Business Manager. S Leave time tracked inaccurately Small Medium Manual records compared to AASIS by Management Project Analyst after every payroll cycle. Administrative Assistant's AASIS timesheet files are used to resolve any discrepancies. Purchase requisitions approved by General Business Manager or Director. S O, F, Fr Procure supplies necessary for division's efficient operations. Employee purchases items for non-business use. Moderate Low S Management's Conclusion: ( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). ( X ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s), except for the control activities listed as not sufficient in column #7. 
The new or additional control activities needed to mitigate the identified risk to an acceptable level are included as the corrective action plan in column #8. The corrective action will be sufficient to mitigate the risk when implemented. ( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). Management has not identified any control activities that would be cost efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that the stated objective(s) may not be achieved.

Risk Assessment and Control Activities Worksheet
Agency: Arkansas Department of Labor
Department: Administrative Services
Activity: Legal
Prepared By: Denise Oxley
Date Prepared: May 31, 2007

Objective Type (1) C, O Objectives (2) Timely and professionally litigate wage cases and other cases for the agency Risks (3) Risk Assessment Significance / Impact (4) Large Actions to Manage Risks/ Likelihood (5) Low Control Activities (6) Legal staff is licensed and regulated by the Arkansas Supreme Court. At a minimum, staff attended the required Continuing Legal Education (CLE) to maintain their licenses. CLE documentation is maintained in the employee's personnel file. Job-related CLE is required to obtain a rating above satisfactory on the employee's performance evaluation. Legal staff must abide by their Professional Code of Ethics. Attorney Supervisor reviews entire case file documentation before file is closed. Mgmt Conclusion (7) Corrective Action Plan New or Additional Control Activity (8) Professional negligence and/or errors in legal work. S Statute of limitations expires before attorney can begin proceedings. Large Low Legal Assistant enters the date the file is referred/received in the case file database and on a manual calendar. 
The assigned attorney must perform an initial review within 30 days of receipt in the Legal Division and determine the statute of limitations. Notations are placed in front of the case file and in the case file database. Each file is reviewed by an attorney every 30 days or more frequently as needed. NS Run Case Status report, showing statute of limitations, on quarterly basis. Reviewed by Chief Legal Counsel, who documents review. Implementation Date: July 1, 2007 Attorney schedules could be double-booked or an imposed deadline could be missed. Large Low Each attorney keeps his/her own Outlook calendar and/or manual calendar. Legal Assistant enters court dates in the case file database and on the manual master calendar. Legal Assistant maintains the master calendar with court dates and deadlines. No court or statutorily imposed deadline may be missed, or the employee responsible will receive an unsatisfactory performance evaluation. S S Employees on extended leave Large Medium Attorneys within the division would assume the additional case load. If necessary, the Labor Standards Administrator, who is an attorney, will be utilized. Personnel from the Labor Standards Division would be used to fill in for Legal Assistant. The job description for Legal Assistant includes a list of major tasks. Desk procedures exist for receipting and disbursing collections. There is a segregation of duties between collection and depositing. Legal Assistant records receipts in the case file database. Legal Assistant prepares internal deposit form with: all check information, case file name and ID, AASIS account codes, and written description of deposit type. Deposit form and checks/cash taken to Agency Fiscal Manager for transport to the State Treasurer's Office. Agency Fiscal Manager verifies deposit total and AASIS account numbers against accompanying documents and keys deposit into AASIS. 
Agency Fiscal Manager verifies monthly deposits in AASIS against Total Monthly Deposits Report from the case file database. Legal Assistant prepares notice to any claimant or employee of collection and requests current address and SSN. The assigned attorney reviews the case file and signs the notice. Attorney Supervisor reviews entire case file documentation before file is closed. S C, O, F, Fr Accurately collect and record back wages, fines and penalties, fees, and other miscellaneous funds Employee Theft, Inaccuracies Moderate Medium S Employee Theft, Inaccuracies (continued) Moderate Medium Legal Assistant prepares a receipt from the case file database printed for all funds collected. A copy of the receipt and the check is kept in the case file. When a check received is payable to a claimant, rather than the DOL, check information is recorded in the case file database and in a pre-numbered receipt book. S C, O, F, Fr Accurately collect and record back wages, fines and penalties, fees, and other miscellaneous funds (continued) Errors in distribution, e.g., amount, payee Large Medium Memo for disbursements, prepared by Legal Assistant, is reconciled by Agency Fiscal Manager to the deposit information before a check request is prepared in AASIS. This reconciliation includes agreement of amounts and names. In back wage cases, Legal Assistant gives payment letter and warrant to attorney for review and signature. The letter and warrant are mailed to the claimant. S S Distributions are not made timely Moderate Medium When collections are deposited, the Legal Assistant documents on master calendar approximate date funds can be available for distribution. The Legal Assistant refers to the master calendar daily and submits the appropriate warrant requests to the Fiscal Manager. Code of Ethics must be signed at hire date and during annual evaluation. Legal staff is licensed and must maintain required continuing professional education in ethics. 
All finance, legal staff and assistants are bonded. Legal Assistant gives payment letter and warrant to attorney for review. Attorney signs letter, and letter and warrant are mailed to claimant. Warrant requests for Settlement are approved by Attorney, parked by Buyer and posted by either Agency Fiscal Manager or General Business Manager. S Employee Theft Moderate Low S S S Distribution could be miscoded in AASIS Small Medium Legal Assistant prepares memo requesting disbursements of collections; memo includes case file name and ID, full name and address of claimant, date collected, amount collected and check number, and the amount of the payment and AASIS account coding. Agency Fiscal Manager verifies all information from deposit backup, documents with initials and date. Attorney Supervisor reviews entire case file documentation before file is closed. Legal staff is licensed and regulated by the Arkansas Supreme Court. At a minimum, staff attended the required Continuing Legal Education (CLE) to maintain their licenses. CLE documentation is maintained in the employee's personnel file. Job-related CLE is required to obtain a rating above satisfactory on the employee's performance evaluation. Legal staff must abide by their Professional Code of Ethics. Staff consults the USDL Dallas Regional Office and federal counterparts as necessary. Chief Legal Counsel reviews all documents before issuance. Legal staff is licensed and regulated by the Arkansas Supreme Court. At a minimum, staff attended the required Continuing Legal Education (CLE) to maintain their licenses. CLE documentation is maintained in the employee's personnel file. Job-related CLE is required to obtain a rating above satisfactory on the employee's performance evaluation. Staff will document sources, keep current on state laws, and consult with other federal and state authorities as necessary. Agency may request Attorney General opinion if necessary. 
Legal staff is licensed and regulated by the Arkansas Supreme Court. At a minimum, staff attended the required Continuing Legal Education (CLE) to maintain their licenses. CLE documentation is maintained in the employee's personnel file. Job-related CLE is required to obtain a rating above satisfactory on the employee's performance evaluation. Established procedures are contained in collective bargaining agreement and state grievance policy. S C, O Accurately advise each division of the ADOL on interpretation and application of state and federal law Loss of federal grant funds due to incorrect legal advice on substantive issues. Large Low S Enforcement actions challenged, resulting in litigation costs. Moderate Medium S Increased HR litigation due to bad advice. Moderate Medium S C, O Draft effective administrative rules and regulations; contracts; policies and procedures; and other documents Increased litigation due to poorly drafted documents/regulations Moderate Low A review check sheet is utilized in the rule-making process. The rule-making process includes several reviews by both the executive and legislative branches, as well as public hearings or public comment periods. All reviews and filings are documented. Legal staff is licensed and regulated by the Arkansas Supreme Court. At a minimum, staff attended the required Continuing Legal Education (CLE) to maintain their licenses. CLE documentation is maintained in the employee's personnel file. Job-related CLE is required to obtain a rating above satisfactory on the employee's performance evaluation. Chief Legal Counsel reviews all rule-making documents and compares to check sheet showing date of each step, signed and initialed by attorney. S C, O Draft effective administrative rules and regulations; contracts; policies and procedures; and other documents (continued) Failure to comply with Administrative Procedures Act. Large Low S C, O Accurately advise the public of Arkansas's labor laws. 
Incorrect information released Moderate Medium An attorney reviews informational publications before approving for publication. Approval is documented on "Printing Approval" form. Legal staff is licensed and regulated by the Arkansas Supreme Court. At a minimum, staff attended the required Continuing Legal Education (CLE) to maintain their licenses. CLE documentation is maintained in the employee's personnel file. Job-related CLE is required to obtain a rating above satisfactory on the employee's performance evaluation. S C, O Accurately prepare annual unclaimed property report Retaining funds that should be sent to state. Small High Annual reconciliation of Wage and Hour trust cash account which is reviewed for old, outstanding items. Legal Assistant works with Agency Fiscal Manager until any discrepancies are identified and investigated. Agency Fiscal Manager reviews and reconciles to AASIS at fiscal year-end. Chief Legal Counsel (Attorney Supervisor) compares case files to report, signs and dates. Chief Legal Counsel compares monthly closed claims report to actual case files and uses a checkmark to denote file was in order. If file is not complete, it is returned to Legal Assistant for appropriate action. Legal staff uses a form to document time spent on billable services to other divisions which is approved by the Chief Legal Counsel. Forms are processed by Agency Fiscal Manager. All employees fill out internal time-sheets, Director approves Chief Legal Counsel. Chief Legal Counsel approves all others in division. Chief Legal Counsel compares internal time sheets to AASIS before approval. Chief Legal Counsel tracks leave requests on manual calendar. Chief Legal Counsel approves leave for employees in division. Director approves Chief Legal Counsel's leave slips. 
Legal staff initiates a purchase request which requires the Chief Legal Counsel's approval; Chief Legal Counsel initiates a purchase request which requires approval of the Director or General Business Manager. Legal Assistant generates request for destruction. Chief Legal Counsel approves destruction. Planning & Publications Division approves request after contacting History Commission & State Library to determine they do not want the records. Final approval is obtained from the Director. Legal Assistant certifies that the records are destroyed and the date. Permanent documentation maintained by General Business Manager. S C, O, F Accurately prepare the monthly activity report Inaccurate Small Medium S C, O, F Accurately and thoroughly assess cost chargeback for legal services for special revenue divisions. Accurately process timesheets and leave requests for the division Done inaccurately or incompletely. Small High NS Management has not identified any control activities that would be cost efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that the stated objective(s) may not be achieved. F Inaccuracies in time reporting Large Medium S Employee leave slips not completed Small Medium S F Procurement for Legal division's efficient operation Unauthorized purchase request Moderate Low S C, O, F Follow agency record retention guidelines. File destroyed early. Large Medium S Management's Conclusion: ( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). ( X ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s), except for the control activities listed as not sufficient in column #7. 
The new or additional control activities needed to mitigate the identified risk to an acceptable level are included as the corrective action plan in column #8. The corrective action will be sufficient to mitigate the risk when implemented. ( X ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). Management has not identified any control activities that would be cost efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that the stated objective(s) may not be achieved.

Risk Assessment and Control Activities Worksheet
Agency: ARKANSAS DEPARTMENT OF LABOR
Department: ADMIN / INFORMATION TECHNOLOGY
Activity: Agency Network Operations
Prepared By: Doris Anderson
Date Prepared: May 31, 2007

Objective Type (1) O, C, Fr Objectives (2) Provide employees with technology resources and a local area network with access to the Internet. Risks (3) Risk Assessment Significance / Impact (4) Large Actions to Manage Risks/ Likelihood (5) Medium Control Activities (6) Supervisors communicate responsibilities and agency policies clearly to employees at hire date and repeat at employee evaluation dates. Require agency employees to sign acknowledgement of understanding. Standardize PC configurations set by IT staff. Use group policies (user/network/server security settings) to restrict user(s) access to data only to areas authorized. Deploy security solutions and comply with security standards and best practices as established by the Office of Information Technology (OIT) and technology industry. Conduct classes for required employee training on appropriate uses of technology and on Information Security Awareness. Employees are given certificates at completion of training, and their training is notated in their personnel files. Written policies, signed by employee, prohibiting this and other security violations. 
Signed statement kept in employee's personnel file. Supervisor can initiate disciplinary actions up to and including termination. General Business Manager determines in discussion with employee's supervisor what roles IT assigns to a new employee in any division. Division supervisor completes "Computer Security Checklist for New Employee" form which specifies activation date, access to selected network folders, printers and programs. Copy is retained in employee file. Mgmt Conclusion (7) Corrective Action Plan New or Additional Control Activity (8) Information system misuse, in general. S O, C, F, Fr Ensure agency remains in compliance with state security standards Employees are not aware of their responsibilities. Moderate Medium S Employees share passwords. Moderate Medium S Employees are given access to files or programs that are not necessary for the performance of their job duties. Moderate Low S Employees have access to sensitive data and use it inappropriately. Large Medium Code of Ethics must be signed by all employees at date of hire and re-signed yearly during performance evaluation. Criminal background checks are performed for certain positions. Event logs are reviewed by IT personnel upon request, and on a random spot-check basis. Supervisor can initiate disciplinary actions up to / including termination. S Employees take confidential data off-site where it is lost or stolen. Large Medium Encryption required for sensitive data; sensitive data off-site is minimized where possible. Field employees are encouraged to back up laptops on USB portable storage devices in case of loss. At least two layers of passwords are necessary to access PC. S Employee leaves PC logged on and unattended. Large Medium Auto cutoff in 15 minutes, then employee must log back on. Employees are reminded when necessary to lock their computers when leaving their desks to avoid unwanted access. 
S O, C, Fr Provide adequate IT resources to employees Theft of fixed assets inventory Moderate Low Inventory Database generates listing of assets assigned to employees which employee signs and re-signs when there are any changes or additions to the assets assigned to him/her. S Inventory Database generates listing of assets by location. Divisions are responsible for yearly physical count which Division head signs and returns to Buyer. Discrepancies are investigated by Buyer. Division heads held accountable by the Director for any unresolved discrepancies. Employee's equipment is damaged. Moderate Low All portable devices are covered for accidental damage by insurance and/or extended warranties at the time of purchase. S S O, C, Fr Provide adequate IT resources to employees (continued) Inadequate staff to handle agency's requirements. Inadequate inventory of repair parts & new equipment Large Medium Cross training, IT liaisons in each agency division to perform updates & keep security up to date. Maintain a minimum of 10% of surplus equipment in inventory. Inventory is inspected quarterly. ALL agency software is kept in a locked area with restricted access. S Moderate Low S O, C, Fr Ensure that agency servers, PCs and software are protected from physical and technological risks and remain available to service agency programs. Theft of software Moderate Low S Technological risks: Software viruses, spyware, hackers or security breach. Large Medium Anti-virus program runs automatically each time PC is turned on. Anti-virus program automatically updates itself from vendor website daily. Monitoring is through Symantec 10.0 anti-virus server which will notify IT staff of any PC or server that didn't auto update. Any suspicious email or other incoming data is quarantined; firewall log will expose hackers. Logs are checked daily by IT personnel. Back-up copies of master software kept in a secure off-site location. 
Use software vendors that will replace damaged or stolen programs if necessary. Servers are kept in a temperature controlled room with restricted access. Fire extinguishers are located nearby; extinguishers are checked quarterly and documented via inspection tag hanging on extinguisher. Prior testing on single computer before IT installs on others is documented on "Software Installation Sheet." Administrative rights are limited so that only IT personnel can install software of any kind. Installer initials and dates documentation. S Master program software damaged. Moderate Low S Physical risks to agency servers. Moderate Medium S Online or CD-ROM updates or upgrades fail, conflict with other software, or do not perform as expected. Power failures and/or electrical surges. Moderate Medium S Large High Uninterruptible power source (UPS) on every PC. Provides at least 15 minutes of power so that PC can be safely shut down. UPS sounds a continuous alarm until the PC is shut down. Employees are instructed to call IT immediately if a UPS alarm begins sounding. S Inadequate electrical supply; circuits overloaded. Moderate Paper or electrical fires. Large Medium Testing of circuits before new PCs or other hardware plugged into an area. S Medium Emergency operations plan which includes posted emergency exits, fire extinguishers checked quarterly and documented via inspection tag hanging on extinguisher. Self-inspections to clear out hazardous areas. Fire extinguishers available for both paper and electrical fires are located in the area. S Inadequate inventory of toner and supplies, causing out-of-service delays. Natural disasters: tornadoes, etc. which cause extensive damage. Small Low Large Low Hot site (location where backup tapes can be restored to dedicated equipment, usually within 24-72 hours), multiple vendor contracts for repair or service on site or at emergency backup location. All computers pre-configured, prior testing before assigned to users. 
Users do not have administration rights and cannot install ANY software without access. Prior testing performed before installation. Documentation in IT Service Log of any incidents so that duplicate problems can be avoided. S Newly installed software conflicts with other software. Moderate Low S Newly installed software doesn't run properly with older hardware such as printers. Moderate O, C, F Protect the agency from catastrophic data loss which will impair its ability to serve the public. Loss of agency data. Moderate Low S Medium Triple redundancy of agency data backup, with one dataset stored in a separate building in a fire resistant cabinet with restricted access. One dataset is stored in locked, fire resistant cabinet in the IT area, and a third less frequent backup is maintained at another off-site location. S O, C, F Protect the agency from catastrophic data loss which will impair its ability to serve the public. (continued) Restore procedures fail. Moderate Medium Employees are properly trained by IT Manager on restore procedures and at least quarterly attempt an actual restore to a backup server to verify the integrity of the hardware and software. Results of tests are documented in "Restore Log." Backups self-verify with an event log that discloses any backup errors or open files that were skipped during the backup process. The event log is checked each morning by IT. Establish telephone contact with backup hardware / software vendors to trouble-shoot if IT staff are unable to accomplish restoration of files. Maintenance contracts exist on all hardware and software that provide guaranteed call-back times of two hours or less. S S O, C Ensure that IT staff maintains and improves skills through required continuing education. Technology Skill sets: staff does not have adequate training to meet agency requirements. 
Moderate Low To meet long-range skills requirements, minimum of 40 hours of training provided by hardware and software vendors required each year. Training is documented and placed in employee file for performance evaluation consideration. General Business Manager and IT Supervisor will screen IT candidates for a minimum skill set. When new equipment is acquired or new wiring installed, network data and documentation is updated and placed in the fire resistant cabinet. Highly trained, professional IT staff cross-checks each other's work on a daily basis. Serious errors or omissions are documented in employee file. When notified by software vendors that upgrades or updates are available, IT staff will study accompanying documentation and test on a single PC before installing. "Software Installation Checklist" is updated when equipment software is upgraded. Installer initials and dates documentation. "Software Installation Log" is updated for all software purchased; updated when employee leaves or machine is retired. Log shows maximum number of licenses available for use, and licenses actually in use. Spreadsheet of all hardware warranties is inspected quarterly by IT Supervisor. If extended warranty is not available, IT plans for immediate replacement of hardware. Connectivity hardware, laptops, and PC are carried in equipment inventory, which enable quick replacement of malfunctioning equipment. Inventory is inspected at least quarterly by the IT supervisor and a minimum of 10% of surplus equipment is constantly maintained. S O, C Maintain complete and accurate network documentation in a secure location. Out-dated network documentation Large Medium S Incomplete network documentation Large Medium S O, C Support currently installed hardware and software technology through upgrades, extended warranties and training. Application lifecycle - software not upgraded or updated as new releases become available. 
Large Medium S Software and/or site licenses insufficient or expired. Large Medium S Hardware or software no longer supported by vendor. O, C Maintain effective connections to state and INA networks so that employees may access agency services and information. Large Medium S Employees are unable to connect to State network or INA network due to equipment failure. Large Low S Phone lines / DSL connections out of service due to theft of copper wires in building. O, C Ensure compliance with Arkansas Records Retention Schedule by safely and efficiently maintaining electronic files for the required period of time. Inadequate hard drive storage space for scanned data. Large Medium All employees are reminded to keep main doors locked after hours, and to keep doors to various suites locked after 5 pm. S Moderate Low Hard drive file space remaining monitored constantly. Hard drives are added when free space capacity falls below 25%. S Employees unable to retrieve data scanned & saved to CD. Insufficient personnel to perform scanning function. Small Low Large Medium Cross training, added features to software to drag & drop documents with no scanning required. Drag and drop allows employee to move documents from PC to network drives dedicated to storage. Backup equipment already prepared. S Equipment failure Management's Conclusion: ( X ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). ( ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s), except for the control activities listed as not sufficient in column #7. The new or additional control activities needed to mitigate the identified risk to an acceptable level are included as the corrective action plan in column #8. The corrective action will be sufficient to mitigate the risk when implemented. 
Large Low S ( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). Management has not identified any control activities that would be cost efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that the stated objective(s) may not be achieved. Risk Assessment and Control Activities Worksheet Agency Department: Activity: Arkansas Department of Labor Administrative Services Procurement Prepared By: Date Prepared: Vicki Campo May 31, 2007 Objective Type (1) O, F, FR Objectives (2) Accurately record, maintain and safeguard fixed assets. Risks (3) Loss/Theft of fixed assets. Risk Assessment Significance / Impact (4) Moderate Actions to Manage Risks/ Likelihood (5) Low Control Activities (6) Buyer creates asset shell, for low value assets ($500 - $2,499) and fixed assets ($2,500+) in AASIS subsidiary ledger when an asset is requested then a PO is created in AASIS, notating "A" in the account assignment field. When asset arrives Buyer attaches a DOL inventory tag, which is sequential, the item is entered into the Inventory Database in Access by DOL inventory tag number. All fixed assets are entered in the Inventory Database, even items less than $500. Items that are issued to employees are also tracked in the Inventory Database. The location used is the employee's name. The Buyer generates listing of assets assigned to employees which employee signs. Mgmt Conclusion Corrective Action Plan New or Additional Control Activity (8) (7) S S A complete inventory of all assets is conducted annually. Inventory Database generates listing of assets by location. Departments are responsible for yearly physical count which Department head signs and returns to Buyer. Inventory count includes items issued to individual employees; listing is signed by employee and Department head. Discrepancies are investigated by Buyer. 
Department heads held accountable by the Director for any unresolved discrepancies. There is insurance on "mobile" equipment such as laptops and OSHA testing equipment. The coverage is for replacement cost. Inventory not updated for purchases and releases. Moderate Medium Buyer and General Business Manager attended fixed assets class provided by AASIS training staff and OSP classes as available. Buyer participates in at least 12 hours of continuing education yearly which is part of the performance evaluation. Buyer reviews purchase request which includes description of purchase provided by division and approval by General Business Manager. Buyer determines asset classification based on dollar value and description. General Business Manager reviews purchase request and approves in AASIS. Annually the Buyer runs the Directory of Unposted Assets report, S_ALR_87012056, in AASIS subsidiary ledger. This report indicates any asset shells which have been created but have not been purchased. The Buyer investigates and resolves any errors. Division head notifies Buyer by email or by inventory change form when equipment needs disposal. Buyer initiates with Marketing & Redistribution for disposal. Buyer retires asset from AASIS sub ledger and references Surplus Disposal Form (SDF) number. Buyer updates Inventory Database by changing location to the SDF number. A complete inventory of all assets is conducted annually. Inventory Database generates listing of assets by location. Departments are responsible for yearly physical count which Department head signs and returns to Buyer. Inventory count includes items issued to individual employees; listing is signed by employee and Department head. Discrepancies are investigated by Buyer. Department heads held accountable by the Director for any unresolved discrepancies. Legislative Audit reviews purchases and releases during the annual audit. S S S S S S O, F, FR Accurately record, maintain and safeguard fixed assets. 
(continued) Inventory not updated for purchases and releases. (continued) Assets recorded in wrong accounting period. Moderate Medium S Moderate Medium Cut-off date for purchasing prior to end of fiscal year is May 10, or six weeks prior to fiscal year end. S Annually the Buyer runs the Directory of Unposted Assets report, S_ALR_87012056, in AASIS subsidiary ledger. This report indicates any asset shells which have been created but have not been purchased. The Buyer investigates and resolves any errors. Excess Inventory Fixed assets improperly classed as expenses. Small Moderate Low Medium Buyer attended fixed assets class provided by AASIS training staff and OSP classes as available. Buyer participates in at least 12 hours of continuing education yearly which is part of the performance evaluation. General Business Manager was also trained in Fixed Assets by AASIS staff. General Business Manager approves purchase order. S S Agency Fiscal Manager runs cost center reports monthly and looks for large or unusual amounts in expense accounts. O, F, FR Accurately and timely process purchase requisitions. Employee theft of supplies. Moderate Low Items are placed in locking supply cabinets in Buyer's area or if IT supplies in locked areas within division. Purchase requisition must be approved by division supervisor or department head AND General Business Manager or Director. Purchase requisition requires justification statement. General Business Manager or Director reviews purchase order in AASIS and compares to purchase requisition before posting. Contracts are not awarded in accordance with Arkansas Procurement laws. Moderate Medium Buyer has attended training offered by Office of State Procurement. Buyer has extensive experience working in procurement for DOL. Buyer participates in at least 12 hours of continuing education yearly which is part of the performance evaluation. For infrequent purchases, Buyer refers to OSP website and checks for state contract. 
General Business Manager or Director must give final approval. Goods received do not agree with specifications on purchase order. Moderate Medium Assistant Personnel Manager MIGO's item in AASIS based on packing slip. AASIS will not allow payment processing until MIGO is complete. Buyer will work with vendor to resolve any discrepancies. General Business Manager must approve any goods received that deviate from purchase order or goods will be returned by Buyer. S S Inappropriate or unauthorized purchases Moderate Low S S S S S The individual receiving the goods will compare the actual goods received to the enclosed packing slip noting items that were received and any discrepancies between packing slip and actual goods. The individual will sign and date the packing slip as indication that the step was performed. Implementation Date: July 1, 2007 NS Purchases in excess of budget. Large Low AASIS will not allow purchase orders to be posted that exceed budgeted amounts. Buyer can park but cannot post invoices that might have bypassed PO system. Either Agency Fiscal Manager or General Business Manager must post, therefore purchase order will either be voided or budgeted can be modified within the same commitment item. S Large purchase broken into several Large smaller ones to avoid state bidding regulations. Large Low General Business Manager approves purchase orders; because of the size of the office and the small number of transactions processed the General Business Manager would be aware of repetitive payments to vendors. Buyer must report P-card purchases to OSP monthly. OSP will notify Buyer's supervisor if purchasing laws have been violated. S Low NS General Business Manager analyzes monthly Buyer's report before it is submitted to OSP, looking for repetitive purchases to same vendors. Implementation Date: July 1, 2007 Purchase order documentation missing or misfiled. Insufficient inventory of necessary supplies, or supplies ordered that are no longer used. 
Untrained Staff Small Low Small Low Moderate Low Buyer has been with DOL and working as the procurement agent for several years. Buyer is required to attend at least 12 hours continuing education through OSP or AASIS training staff. Continuing education is part of merit pay and performance evaluation. S O, F, FR Accurately and timely processing of accounts payable. Disbursements made before goods received or for incorrect items. Moderate Medium Assistant Personnel Manager receipts goods in AASIS using the MIGO function. Buyer can only then MIRO and park invoice for payment. NS The individual receiving the goods will compare the actual goods received to the enclosed packing slip noting items that were received and any discrepancies between packing slip and actual goods. The individual will sign and date the packing slip as indication that the step was performed. Implementation Date: July 1, 2007 Duplicate payments. Moderate Low Pay from original invoice documents only. Buyer keys invoice number into AASIS which checks the field for duplicate numbers. Buyer reviews AASIS vendor listing. All new vendors must go through OSP vendor set-up process. This process runs the FEIN against the IRS database and will kick out fictitious vendors. S Payment made to fictitious vendor. Moderate Low S Invoice hard copy missing or misfiled after entry into AASIS. Vendor complaints: nonpayment, slow payment, etc. Small Low Moderate Low Any errors in invoices are corrected upon receipt by Buyer. Department guidelines specify payment according to vendor terms, with invoices processed and paid weekly. OSP presets vendor terms. Certification letter for each prior-year invoice prepared by Buyer and signed by Agency Fiscal Manager. Buyer runs open items list from AASIS and investigates discrepancies. After any corrections, Buyer will rerun listing and check for accuracy. S Liabilities may be recorded in wrong Moderate accounting period. 
Low S S Inaccurate-extensions & footings on Moderate invoice may not be correct. Low Invoice is checked by Buyer before entry into AASIS. If invoice does not match PO, Buyer will investigate and document resolution on the invoice. Invoice and purchase order documents are given to Assistant Personnel Manager to be cross-checked and goods receipted before posting in AASIS. Buyer has a file with all open payables, when an invoice is received Buyer reviews open payable file and plus appropriate PO. At year end or as needed, Buyer reviews open item report and verifies accuracy of the report. Appropriate adjustments are made and Buyer runs report again. Final report is kept in year end file. S Payment may be processed as a Moderate direct payment when goods were ordered through the purchase order system. Expense duplicated. Low S Payment may be processed as a direct payment rather than using a purchase order, and goods were not received. Moderate Low Department policy is to use PO system for all but recurring monthly invoices which have had reservation of funds in AASIS. Procurement card is used (like VISA), but approved invoices/receipts must be attached to monthly report log, which Agency Fiscal Manager reviews and approves monthly. (Purchases approved by General Business Manager or Director). OSP does random audits. S Discounts may be missed. O, F Provide accurate monthly procurement reports and reports required by CAFR. Inaccurate reporting. Small Moderate Low Low Agency Fiscal Manager and General Business Manager reviews cost center reports monthly. Follow state assigned deadlines for various fiscal-year-end tasks as published by CAFR. Both Agency Fiscal Manager and General Business Manager monitor timelines in Outlook and in manual calendars. S CAFR deadlines missed. Moderate Low S Management's Conclusion: ( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). 
( X ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s), except for the control activities listed as not sufficient in column #7. The new or additional control activities needed to mitigate the identified risk to an acceptable level are included as the corrective action plan in column #8. The corrective action will be sufficient to mitigate the risk when implemented. ( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). Management has not identified any control activities that would be cost efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that the stated objective(s) may not be achieved. Risk Assessment and Control Activities Worksheet Agency Department: Activity: Arkansas Department of Labor Administrative Services Finance Prepared By: Date Prepared: Sandra Welchman May 31, 2007 Objective Type (1) O, F Objectives (2) Efficient management of Agency funds. Risks (3) Lack of Appropriation Risk Assessment Significance / Impact (4) Large Actions to Manage Risks/ Likelihood (5) Low Control Activities (6) Agency Fiscal Manager reviews Available Budget report in AASIS weekly. Agency Fiscal Manager requests transfer of appropriation as needed and parks transaction in AASIS, Budget Analyst reviews, transaction is posted by DFA-Office of Accounting. Agency Fiscal Manager reviews AASIS trial balance report daily and requests transfer of funds to appropriate level. Either General Business Manager or Office of Accounting reviews and posts. Monthly revenue report letters prepared by each division and reviewed by department heads are reconciled back to cash receipts fund in AASIS by Agency Fiscal Manager. Reports are maintained by Agency Fiscal Manager. Experienced personnel are aware of payroll transfers deadlines every other Thursday. 
DFA funds management personnel will notify DOL if funds transfers are missing or insufficient. OPM notifies timekeepers by email if any payroll will be running out of sequence. Mgmt Conclusion Corrective Action Plan New or Additional Control Activity (8) (7) S Lack of Funds Large Medium S Incorrect or missing entries to record funds transfers. Large High S Untimely transfers of payroll funds. Large Low S Insufficient staff, or staff absent for lengthy period. Large Medium Cross training. Ability to work from home for Attorney, Agency Fiscal Manager, General Business Manager and Assistant Personnel Manager only. IT restricts access from off-site locations to only those above. AASIS controls will prevent PO's in excess of budget from being entered. Approval for all purchase requisitions given by General Business Manager or Director prior to purchase order data entry. Budget may be modified within the same commitment item by General Business Manager with Director's approval if funds are available. Agency Fiscal Manager and General Business Manager run budget to actual reports monthly. General Business Manager will take steps to curb expenditures up to and including enforcing the State Reduction in Force policy, if necessary. Each department head submits budget request forms with justification to General Business Manager and Director. Changes from prior year's budget are reviewed by Agency Fiscal Manager for reasonableness. General Business Manager and Director review the budget request with analyzed information and make appropriate adjustments, as needed, before approving. Department heads submit budget request forms with justifications for changes to previous year's budget to General Business Manager and Director. Changes from prior year's budget are reviewed by Agency Fiscal Manager for reasonableness. S Expenditures in excess of budget. Moderate Medium S Budget crisis - budgeted amounts are insufficient to cover needed expenditures. 
O, F, Fr Development of an accurate budget document. Budget is inaccurately developed and is not comprehensive Large Low S Large Low S Accuracy - estimates not supported by historical expenditures and realistic projections. Moderate Low S Keying error when entering approved budgets Moderate Medium Agency Fiscal Manager accesses Planning Budgeting Administrative System (PBAS), enters changes to previous year's budget from approved budget request forms and parks. General Business Manager reviews and posts. S O, F, Fr Develop an accurate budget document. (continued) Unauthorized expenditures inserted into budget. Moderate Low Department heads submit budget request form with justification for changes from previous year's amounts. Agency Fiscal Manager analyzes all significant changes for reasonableness. General Business Manager and Director review the budget request with analyzed information and make appropriate adjustments, as needed, before approving. Agency Fiscal Manager inputs information into PBAS and parks, General Business Manager reviews and posts in AASIS. Agency Fiscal Manager maintains spreadsheet of monthly projections vs. actual revenues and expenditures from AASIS records. Agency Fiscal Manager and General Business Manager meet with department heads quarterly. Experienced program managers are knowledgeable about grant requirements and administering grant funds. Agency Fiscal Manager analyzes cost center report for each grant monthly, investigates unusual variances from budget. Each quarter, Agency Fiscal Manager and General Business Manager meet with Program Managers to review grant reports. Cut-off date for purchasing is May 10, or six weeks prior to fiscal year end. S O, F, C Appropriate administration of grant funds Lack of Funds Large Medium S Grant revenues and expenditures may not be recorded in the fiscal year. 
Large Medium S Failure to follow Federal Guidelines Large Low Agency Fiscal Manager and General Business Manager attend regional and national training in grant programs. Agency Fiscal Manager, General Business Manager and Buyer participate in online training offered by OSHA. Program managers have been trained on federal guidelines and have many years' experience in administering the grants. S Preparation of grant applications incorrect or not timely. Large High Outlook tasks, Outlook calendars and emailed reminders from federal agencies to all Finance personnel help ensure deadlines are met. Meeting deadlines is part of the employee's performance evaluations. Project managers prepare program section of grant and Agency Fiscal Manager prepares financial data. Reviewed by General Business Manager and Director who also sign grant application. Agency Fiscal Manager maintains a calendar of due dates and federal government sends notifications when the system is available for filing. All grant data maintained in WBS elements; GD13 reports by cost center are sorted by WBS elements and reconciled to AASIS trial balance. Agency Fiscal Manager prepares FSRs from GD 13 report which are reviewed by General Business Manager. The Director signs the Financial Status Report. S Financial status reports not filed timely or are inaccurate. Large Low S AASIS not used as primary federal award accounting system. Moderate Medium Grant expenditures are tracked by WBS elements, cost center reports are reviewed by Agency Fiscal Manager monthly for reasonableness. Agency Fiscal Manager, General Business Manager and Program Manager(s) will review grant report quarterly and confirm data with AASIS. Buyer verifies division's internal deposit form to cash and checks and issues a receipt to the division. Agency Fiscal Manager prepares deposit from division's internal deposit form and parks entry in AASIS. General Business Manager compares internal deposit slips to AASIS and posts entry. 
DOL policy is not to accept cash. Treasury will not deposit funds unless accompanied by the Arkansas Revenue Receipt of Deposit as proof of entry into AASIS. Cash in Treasury is reconciled monthly by DFA - OA Fund Reconciliation. S O, F, FR Accurately record revenues and deposits Employee theft of cash. Moderate Low NS The General Business Manager will receive a copy of all division's monthly revenue letter directly and will compare those to AASIS. Implementation date: August 1, 2007 Deposits are not recorded in the general ledger. Moderate Medium S Department could accept a bad check. Deposits not recorded in proper period. Small Low Small Medium Deposits must be handed to accounting by 10 am. Treasury also publishes the required end of month deposit date if EOM falls on holiday or weekend. Monthly revenue report letter prepared by each division and reviewed by division head are reconciled back to cash receipts fund in AASIS and to Treasury by Agency Fiscal Manager. The Agency Fiscal Manager resolves discrepancies between the letters and incoming mail logs with the appropriate division administrative assistant. Quarterly calendars with critical dates and times are distributed to divisions. S S S O, F, FR Accurately record revenues and deposits (continued) Accurately record revenues and deposits Deposits lost / stolen in transit to Treasury. Cash received for wage claims restitution is posted to the wrong fund or general ledger account, or for the incorrect amount. Moderate Low Deposits are in a bank bag placed inside a briefcase S O, F, FR Small Medium Each disbursement is reconciled with wage and hour division and/or legal showing how much cash received and how much paid out against specific claims. Deposit information included in check request. Wage and Hour supervisor issues warrant request, giving all necessary information to Agency Fiscal Manager, who compares to the deposit information for the employers check. 
Agency Fiscal Manager reconciles quarterly with the wage and hour database with wage and hour cash fund. Both databases must agree with AASIS. S S S S O, F, FR, C Reporting - Financial Agency misses deadline Inaccurate financial data reports published. End of fiscal year accruals not made, or journal entries are inaccurate. Inaccuracies - Revenues and expenditures may not be recorded in the appropriate accounting year. Moderate Moderate Low Low Agency Fiscal Manager uses Outlook to record all deadlines. Various ACCESS database reports are prepared by Agency Fiscal Manager who reconciles data back to AASIS. General Business Manager and Director also review. CAFR sends end-of-year checklist which is completed by Agency Fiscal Manager and returned to CAFR. General ledger entries prepared and parked by Agency Fiscal Manager. General Business Manager reviews entries and posts. Schedules are prepared by Buyer, Assistant Personnel Manager and Agency Fiscal Manager and are filed with closing books in Agency Fiscal Manager's office. Reviewed by General Business Manager who also signs a certification letter to CAFR. Moderate Medium S Moderate Low S Intentional misrepresentation. Moderate Low AASIS controls (park and post requires two different people), proofreading for integrity and accuracy by General Business Manager, Agency Fiscal Manager, and Director. S Management's Conclusion: ( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). ( X ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s), except for the control activities listed as not sufficient in column #7. The new or additional control activities needed to mitigate the identified risk to an acceptable level are included as the corrective action plan in column #8. 
The corrective action will be sufficient to mitigate the risk when implemented. ( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). Management has not identified any control activities that would be cost efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that the stated objective(s) may not be achieved. Risk Assessment and Control Activities Worksheet Agency Department: Activity: Arkansas Department of Labor Administrative Services Payroll/Personnel Prepared By: Date Prepared: Linda Whisnant May 31, 2007 Objective Type (1) O, F, FR Objectives (2) Accurate and timely processing of payroll Risks Risk Assessment Significance / Impact Actions to Manage Risks/ Likelihood (5) Medium Control Activities (6) Assistant Personnel Manager runs simulations and verifies amounts keyed by each division against approved timesheets and leave requests. Time is entered by division timekeeper, division supervisor approves in AASIS while comparing to timesheet hard copies. Assistant Personnel Manager runs simulation and compares to all documents in pay period work file: termination checklists, master data changes, timesheets, leave requests, etc. General Business Manager is notified automatically by AASIS of any personnel changes made by Assistant Personnel Manager. Immediate Supervisor introduces new employees to Agency Fiscal Manager, Assistant Personnel Manager and General Business Manager. (Note: this is a small agency in which General Business Manager knows all employees.) Mgmt Conclusion Corrective Action Plan New or Additional Control Activity (8) (4) (3) Employee paid for incorrect number Moderate of hours. Terminated employee could be paid. Moderate (7) S Medium S Fictitious employee could be paid. Moderate Medium S Employee master data changed without authorization. 
(personal data, withholding, etc.) Moderate Medium Written authorization from employee, Director or General Business Manager is required before Assistant Personnel Manager makes changes in AASIS to the employee's master data. General Business Manager is notified automatically by AASIS of any master data changes made by Assistant Personnel Manager. NS When AASIS notification is received, the General Business Manager reviews the employee's master data to ensure that changes were made accurately according to the request that was submitted. Implementation date: August 1, 2007 Timeliness of payroll data entry. Moderate Low Follow all established OPM and AASIS payroll schedules; schedule is posted in HR area on master calendar. Employees, timekeepers and supervisors are notified in advance by email if there is a deviation from the normal schedule. Supervisor is responsible for collecting leave forms and submitting with approved timesheets to Assistant Personnel Manager. Please refer to each division's tab. Administrative Assistant in Administrative Services Department maintains both a manual record for each employee's leave balances and the request for leave is maintained with the employee's time sheet. After each payroll, the Administrative Assistant checks AASIS time entry with actual time sheets to ensure accuracy. The manual record is reconciled back to AASIS after each payroll. Supervisor accounts for all property issued to terminated employee on inventory database listing and signs and dates listing. Supervisor sends listing and items to Buyer. Buyer verifies that all equipment is accounted for and notes on termination checklist and communicates by email to Assistant Personnel Manager that all property is returned. General Business Manager and employee's supervisor notify IT of termination; IT immediately disables computer access. 
The direct supervisor or General Business Manager checks the appropriate box on the termination checklist, which is signed when the checklist is complete. S Employee does not complete leave form for time missed. Leave records incomplete or missing at audit. Small Medium S Moderate Medium S O, F, FR On a timely basis, retrieve assets assigned to terminating employees and safeguard agency data. Terminated employee doesn't turn in keys, equipment or other state property. Moderate Medium S IT not notified to terminate employee computer access. Moderate Medium S O, F, FR Accurate and timely information is distributed to employees about available benefits; Accurate processing of benefit withholdings Inaccuracy of master data, including payroll deductions for benefits. Moderate Medium Employee must sign form requesting any changes to master data. Assistant Personnel Manager parks entry in AASIS, and an automatic notification is sent to the General Business Manager. Employee can verify accuracy against remuneration statement or on employee self-serve in AASIS. New employee is given checklist of required paperwork and deadlines during orientation. Assistant Personnel Manager prepares master list of employees and their benefits. Assistant Personnel Manager notifies each employee of enrollment deadlines via EBD, email or personal phone calls. NS When AASIS notification is received, the General Business Manager reviews the employee's master data to ensure that changes were made accurately according to the request that was submitted. Implementation date: August 1, 2007 New Employee signs and dates an acknowledgement of any benefit brochures, paperwork or other documents provided to them by the Assistant Personnel Manager during orientation. Assistant Personnel Manager will use e-mail tracking system to determine that all employees have received notification. 
Implementation date: August 1, 2007 New Employee signs and dates an acknowledgement of any benefit brochures, paperwork or other documents provided to them by the Assistant Personnel Manager during orientation. Assistant Personnel Manager will use e-mail tracking system to determine that all employees have received notification of changes to benefits. Implementation date: August 1, 2007 Timeliness - benefit provider deadlines missed. Large Low NS Available benefit information not communicated or communicated incorrectly to employees. Large Low New hire package lists all benefits, and website addresses are given to new hires during orientation. Specific questions are answered by either of the two Assistant Personnel Managers who attend required training offered by the Employee Benefits Division. Training is documented and placed in employee file. NS Changes to existing benefits not communicated to employees in a timely manner. Moderate Low Awareness of changes in benefit programs: Assistant Personnel Manager, Agency Fiscal Manager and General Business Manager keep benefits documentation and update / change notifications in HR files after General Business Manager publishes information to staff via email. HIPAA training is offered by EBD; Assistant Personnel Manager and all supervisors are required to attend; documentation of attendance is placed in employee file. Sensitive materials are locked up in a secure area. Access to both secure area and files is limited to General Business Manager, Agency Fiscal Manager and Assistant Personnel Manager. S O, F, FR Maintaining and protecting confidential Employee Records Lack of security. Large Medium S S Terminated employee files stored inappropriately. C, O Recruiting of qualified personnel in a timely manner Hiring unqualified personnel. Small Low Moderate Medium OPM regulates minimum qualifications; Assistant Personnel Manager or General Business Manager compares applicant's qualifications to most recent OPM standards. 
Notations are made on employment application and communicated to supervisor. State Police driving records checked via online service by Assistant Personnel Manager or Administrative Assistant. Any violations are brought to the attention of hiring supervisor before applicant is employed. State Police report is attached to employment application. Hiring supervisor verifies experience and written exam scores of boiler inspectors before hiring. (20-23-202) Requires copies of licenses or certifications placed in employee's permanent file. S S S Positions remain vacant for long periods. Moderate Medium Assistant Personnel Manager may place advertising with specific organizations that divisions deal with; advertise on website and in newspapers. Director will sometimes authorize special labor rate for exceptionally well-qualified applicant. Employees required to have certain number of training hours each year thru Merit Pay program. DOL's Information Technology department also furnishes training in various areas. Each employee's training requirements mapped out each year during the performance evaluation and documentation of requirements placed in employee file. S O Employee receive necessary training in timely manner Employees not aware of their responsibilities, or not trained to accomplish their duties. Moderate Medium S Management's Conclusion: ( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). ( X ) The control activities are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s), except for the control activities listed as not sufficient in column #7. The new or additional control activities needed to mitigate the identified risk to an acceptable level are included as the corrective action plan in column #8. The corrective action will be sufficient to mitigate the risk when implemented. 
( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). Management has not identified any control activities that would be cost efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that the stated objective(s) may not be achieved.

Risk Assessment and Control Activities Worksheet Agency Department: Activity: Arkansas Department of Labor Agency-wide Agency Culture Prepared By: Date Prepared: Becky Bryant and Linda Whisnant May 31, 2007 Risk Assessment Objective Type (1) O, C, Fr Significance / Impact (4) Moderate Actions to Manage Risks/ Mgmt Conclusion Corrective Action Plan Objectives (2) Establish a culture of honesty and ethical behavior within the Department of Labor. Risks (3) Employee theft / fraud Likelihood (5) Medium Control Activities (6) Employees must read and sign an acknowledgement of the Code of Ethics. Consequences of violation of the Code are explained to new employee at orientation. Code must be re-signed each year at employee performance evaluation. Employees must read and sign an acknowledgement of the Code of Ethics. Consequences of violation of the Code are explained to new employee at orientation. Code must be re-signed each year at employee performance evaluation. Employees acknowledge receipt of the Department's Policies and Procedures manual. The manual includes the Leave Without Pay (LWOP) policy, which requires the Director's approval to allow an employee to be in a LWOP status. The Administrative Services Administrative Assistant monitors leave balances bi-weekly when reconciling manual leave balance records to AASIS. The Administrative Assistant will notify any supervisor who has an employee that is in jeopardy of being in a LWOP status. 
New or Additional Control Activity (8) (7) S Employee dishonesty Moderate Medium S Abuse of leave time Moderate Small S Employees not aware of how to report fraud, waste and abuse. Moderate Small Fraud Hotline poster is displayed in main break areas. General Business Manager has "open-door" policy. Employees sign Code of Ethics at hire date, then annually thereafter. S

Management's Conclusion: ( X ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). ( ) The controls are sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s), except for the control activities listed as insufficient in column #7. The new or additional control activities needed to mitigate the identified risk to an acceptable level are included as the corrective action plan in column #8. The corrective action will be sufficient to mitigate the risk when implemented. ( ) The controls are not sufficient to mitigate all of the identified risks and provide a reasonable basis for achieving the stated objective(s). Management has not identified any control activities that would be cost efficient to implement in order to mitigate the risk to an acceptable level; therefore, we accept the risk that the stated objective(s) may not be achieved.
