Office of Operations 2009 Fall Conference
Navigating Uncertain Times
October 21-22, 2009

Risk Assessment and Internal Controls
Anna Tomassacci
Beth Ferracane
Brendan McClune

Objectives

• Complete a basic risk assessment.
• Set up a system of internal controls to mitigate the risks identified during the assessment.
• Apply internal controls to potentially deter negative events (e.g., fraud, inappropriate procurements, improper payments, etc.).


Agenda

• Internal Controls Overview
• Group Exercises:
  – Global Risk Assessment for Procurement and Accounts Payable departments
    · Identify objectives and risks
    · Design control activities
  – Risk Assessment – Program Areas
    · Rank risks by impact and likelihood assuming there are no controls
    · Rank risks by impact and likelihood given existing controls
  – Attack and Defend Exercises


Internal Controls History

• NYS Governmental Accountability, Audit & Internal Control Act of 1987
• Budget Bulletin 350
• Committee of Sponsoring Organizations of the Treadway Commission (COSO)


Internal Control

The integration of the activities, plans, attitudes, policies, and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission.


Basic Components

• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring


Internal Controls Pyramid

[Figure: a pyramid with Control Environment as the base, Risk Assessment above it, then Control Activities and Monitoring toward the top, with Information & Communication running along both sides of the pyramid.]


Control Environment

• Influences all of the decisions and activities of an organization, and the control consciousness of its people.
• The "Tone at the Top."
• The foundation for all the other components.


Risk Assessment

Risk: The possibility that an event will occur and adversely affect the achievement of objectives.

Assessment: To evaluate; to examine carefully; to determine or set the value of something.


Control Activities

The tools – both manual and automated – that help prevent or reduce the risks that can stop an organization from meeting its objectives and goals.


Information & Communication

The exchange of information between and among people and organizations.


Monitoring

The ongoing review of the organization's daily activities and transactions to determine whether controls are effective in ensuring that operations work as intended.

Risk Assessment


Process

1. What are the objectives?
2. What could go wrong (the Risk)?
3. What's the likelihood of it occurring?
4. What's the impact if it happens?
5. Prioritize and respond accordingly.


Risk Assessment

Assess each risk in terms of:

• The likelihood of the negative event.
• The significance or impact of the event.


Risk Assessment

Likelihood: The probability that an unfavorable event would occur if there were:
• No internal controls.
• Existing internal controls.

Impact: A measure of the magnitude of the effect on an organization if the unfavorable event were to occur.


Ask the questions …

• What obstacles could stand in the way of achieving your objective?
• What can go wrong?
• What is the worst thing that could happen?
• What is the worst thing that has happened?


Ask the questions … (cont.)

• Are there new processes? Changed ones?
• New goals or legislation?
• Staffing changes?
• What keeps you awake at night?


Evaluating Risk

Judgment Required

Likelihood (rows) against Impact (columns):

                    IMPACT: LOW                IMPACT: HIGH
LIKELIHOOD: HIGH    Area II – Minimal Concern  Area IV – Most Concern
LIKELIHOOD: LOW     Area I – Least Concern     Area III – Moderate Concern


Helpful Hints

• Change is the one constant.
• A risk assessment is never "done."
• Communication and education can make all the difference.
• The greatest risk is turning a blind eye to the possibility of risk.
• Knowledge is power!


Managing Risk

Three options:

• Avoid the risk
• Accept it
• Prevent or reduce it


Managing Risk

Avoid the risk:

• Whatever the risky activity is… don't do it!
• No additional controls are required.


Managing Risk

Accept the risk:

• Continue the way you're going.
• Maintain the status quo.
• No changes, no new controls.


Managing Risk

Prevent or reduce the risk:

• Actively work to control the risk.
• Change how you operate!
• Establish whatever controls are necessary to manage the risk.


Control Activities

Controls can be…

• Directive: guide an organization toward a desired outcome.
• Preventive: deter the occurrence of an undesirable event.
• Detective: identify undesirable events and alert management.


Commonly Used Control Activities

• Documentation
• Approval and Authorization
• Verification
• Supervision
• Separation of Duties
• Safeguarding Assets


Risk & Controls

Judgment Required

The same Likelihood / Impact matrix, now applied with existing controls in place:

                    IMPACT: LOW                IMPACT: HIGH
LIKELIHOOD: HIGH    Area II – Minimal Concern  Area IV – Most Concern
LIKELIHOOD: LOW     Area I – Least Concern     Area III – Moderate Concern


Control Activities

Cost v. Benefit

The cost of the controls shouldn't be greater than the cost of the potential loss.
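The following is an added worked example, written for this page and not part of the conference deck, that carries the five-step process, the two rankings from the agenda (no controls vs. existing controls), the Likelihood / Impact matrix and the cost v. benefit rule through a small Procurement / Accounts Payable register. Everything not stated in the deck is an assumption: likelihood and impact are scored 1 to 5 with 3 or above counting as HIGH on the matrix; each existing or proposed control knocks a fixed number of points off likelihood; Area II is the likely / low-impact cell and Area III the unlikely / high-impact cell; and the cost v. benefit test compares a control's annual cost with the expected loss it removes (dollar loss times the change in annual probability, at 0.2 probability per likelihood point). The risks, controls, scores and dollar figures are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption (not from the deck): likelihood and impact are scored 1-5 and a
# score of 3 or more lands in the HIGH half of the matrix.
HIGH_THRESHOLD = 3

# The four areas of the deck's likelihood/impact matrix:
# key = (likelihood is HIGH, impact is HIGH).
AREAS = {
    (False, False): ("Area I", "Least Concern"),
    (True, False): ("Area II", "Minimal Concern"),    # likely, but cheap
    (False, True): ("Area III", "Moderate Concern"),  # unlikely, but costly
    (True, True): ("Area IV", "Most Concern"),
}


@dataclass
class Control:
    name: str
    kind: str                   # directive, preventive or detective
    annual_cost: float
    likelihood_reduction: int   # assumption: points it takes off likelihood


@dataclass
class Risk:
    objective: str              # step 1: what are we trying to achieve?
    event: str                  # step 2: what could go wrong?
    likelihood: int             # step 3: scored with NO controls in place
    impact: int                 # step 4
    loss_if_occurs: float       # dollar loss, used only for cost v. benefit
    existing: list[Control] = field(default_factory=list)

    def residual_likelihood(self) -> int:
        """Likelihood given the existing controls (never below 1)."""
        cut = sum(c.likelihood_reduction for c in self.existing)
        return max(1, self.likelihood - cut)

    def area(self, with_controls: bool) -> tuple[str, str]:
        """Place the risk in Area I-IV, with or without existing controls."""
        lk = self.residual_likelihood() if with_controls else self.likelihood
        return AREAS[(lk >= HIGH_THRESHOLD, self.impact >= HIGH_THRESHOLD)]

    def score(self, with_controls: bool) -> int:
        lk = self.residual_likelihood() if with_controls else self.likelihood
        return lk * self.impact


def rank(risks: list[Risk], with_controls: bool) -> list[Risk]:
    """Step 5: highest score first; on a tie the higher impact wins, so an
    unlikely-but-costly risk (Area III) outranks a likely-but-cheap one (Area II)."""
    return sorted(risks, key=lambda r: (r.score(with_controls), r.impact), reverse=True)


def control_pays_off(risk: Risk, proposed: Control, prob_per_point: float = 0.2) -> bool:
    """Cost v. Benefit: a control is worth adding only if its annual cost does
    not exceed the expected loss it removes.  Assumption: one likelihood point
    equals prob_per_point of annual probability (so 5 points == certain)."""
    before = risk.residual_likelihood()
    after = max(1, before - proposed.likelihood_reduction)
    avoided_loss = (before - after) * prob_per_point * risk.loss_if_occurs
    return proposed.annual_cost <= avoided_loss


def sample_register() -> list[Risk]:
    """Constructed Procurement / Accounts Payable register (illustrative only)."""
    sod = Control("Requisitioner may not approve own order", "preventive", 0.0, 2)
    match = Control("Three-way match of PO, receipt and invoice", "detective", 5_000.0, 1)
    return [
        Risk("Pay each valid invoice once", "Duplicate invoice paid twice",
             likelihood=4, impact=2, loss_if_occurs=20_000.0, existing=[match]),
        Risk("Buy only from legitimate vendors", "Fictitious vendor set up by staff",
             likelihood=3, impact=5, loss_if_occurs=250_000.0, existing=[sod]),
        Risk("Pay on time", "Early-payment discount lost",
             likelihood=2, impact=1, loss_if_occurs=2_000.0),
        Risk("Keep vendor bank details accurate", "Bank account changed via forged e-mail",
             likelihood=4, impact=5, loss_if_occurs=500_000.0),
    ]


def report(risks: list[Risk]) -> list[tuple[str, str, str]]:
    """(event, area with no controls, area with existing controls) per risk,
    ordered by the ranking that takes existing controls into account."""
    return [(r.event, r.area(False)[0], r.area(True)[0]) for r in rank(risks, True)]


if __name__ == "__main__":
    register = sample_register()
    for event, inherent, residual in report(register):
        print(f"{event:42s} no controls: {inherent:9s} existing: {residual}")
    callback = Control("Call back vendor to confirm bank changes", "preventive", 8_000.0, 2)
    print("Call-back control justified:", control_pays_off(register[3], callback))
```

Running it shows the point of ranking twice: the fictitious-vendor risk sits in Area IV with no controls but drops to Area III once separation of duties is counted, while the bank-detail change stays in Area IV because nothing controls it yet, so that is where the next control dollar goes, and the cost v. benefit check confirms an $8,000 call-back control is cheap against the expected loss it removes. The same check rejects a $3,000 control for the early-payment risk in Area I.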


Questions