MINNESOTA MANAGEMENT & BUDGET
GUIDE TO RISK ASSESSMENT AND CONTROL ACTIVITIES
Internal Control & Accountability Unit (http://www.mmb.state.mn.us/fin/ic)
Revised March 2014

TABLE OF CONTENTS

INTRODUCTION ... 2
RISK ASSESSMENT PLAN ... 4
CONDUCTING A RISK ASSESSMENT ... 6
  1. Coordinate the project ... 6
  2. Document the business process ... 7
     Grant Programs ... 8
     Functional Areas ... 8
  3. Identify risks ... 9
  4. Prioritize risks ... 12
     Risk Ranking ... 12
     Risk Responses ... 13
  5. Identify and evaluate control activities ... 14
     Facts about Control Activities ... 14
     Control Activity Design ... 15
     Control Activity Classifications ... 16
     Control Activity Categories ... 16
     Control Activity Gaps and Redundancies ... 20
     Prioritizing Control Activities ... 21
     Validating Key Controls ... 21
  6. Create action plans to address control gaps and redundancies ... 23
  7. Communicate results to management ... 23
SUSTAINABLE RISK ASSESSMENTS ... 24
APPENDIX A ... i
APPENDIX B ... v
APPENDIX C ... viii
APPENDIX D ... xi
BIBLIOGRAPHY ... xii

Note: Shaded text boxes in the guide contain useful examples and best practices. Refer to the boxes to gain more insight into the concepts discussed in that particular section.

INTRODUCTION

To many people, risk assessments are a mystery. This is not because we do not understand risk—we think about risk every day—but rather because we rarely write down or perform these risk assessments in a structured manner. There are many reasons why organizations perform risk assessments, including:
- Avoiding surprises by proactively recognizing major risks and ensuring these risks are being effectively managed
- Identifying and mitigating risks of fraud, waste and abuse
- Identifying control weaknesses and formulating action plans to plug control gaps, strengthen existing controls, or remove control redundancies where appropriate
- Providing documentation, including business process narratives, flowcharts, and risk/control matrices, to identify key control activities
- Ensuring key control activities are not overlooked during periods of change, such as employee turnover, new programs, new regulations, or realignment of job duties

For Minnesota state agencies, another reason to perform risk assessments is Minn. Stat. Section 16A.57 Sub. 8, which makes the head of each executive branch agency responsible for designing, implementing, and maintaining an effective internal control system within the agency. Because risk assessments are essential to an effective internal control system, completing them helps agencies comply with Minn. Stat. Section 16A.57.
The COSO Framework[1] defines risk assessment as “…the identification and analysis of relevant risks to achievement of the [entity’s] objectives, forming a basis for the determination of how the risks should be managed.” The key elements of this definition are: 1) identifying and analyzing risks, and 2) managing these risks.

Risks are anything—big or small—that could prevent the achievement of a goal or objective. In government, the level and types of risk vary among agencies, as well as within agency divisions. Regardless of the agency’s mission, each agency faces risks. These risks must be managed to protect the state’s employees, resources, citizens and reputation.

Risks are managed through the implementation of control activities. Control activities (the third component of the COSO framework[2]) are actions taken to reduce risk or to minimize obstacles to achieving goals and objectives. Examples of control activities include authorization and approval, reconciliations, access security and separation of duties.

[1] In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a report titled Internal Control—Integrated Framework, often referred to as the “COSO Framework”. The COSO Framework consists of five interrelated internal control components: control environment, risk assessment, control activities, monitoring, and information/communication. The State of Minnesota has adopted the COSO Framework as its internal control standard. (NOTE: The COSO framework was revised effective May 14, 2013, with a transition period of May 14, 2013 – December 15, 2014.)
[2] The revised COSO framework contains underlying principles for each component of the framework. See Appendix D for a list of the principles.

Proper risk management requires a balance between risks and control activities. As it relates to financial and compliance goals, being out of balance can cause the following problems:

Excessive Risks (Control Gaps):
- Loss of assets, donors or grants
- Poor business decisions
- Noncompliance
- Regulatory sanctions
- Public scandals

Excessive Controls (Redundancies):
- Increased bureaucracy
- Reduced productivity
- Increased complexity
- Increased cycle time
- Increase of no-value activities

The information in this guide is provided to help state agency personnel conduct their own risk assessments. The appendices to the guide contain information and examples that can be used right now, starting today, to complete a risk assessment. Agencies are free to customize the information and examples or adopt other risk assessment methodologies best suited to their business. In addition, the guide and appendices do not address every potential risk or control activity that may exist in an agency.[3] Instead, these materials are living documents that will be added to and modified in the months and years ahead. In fact, agencies are encouraged to adapt the tools to fit their specific circumstances.

A word of caution: questionnaires and checklists
Many internal control questionnaires and checklists are available on the internet, and these documents list common risks and control activities for various business processes. However, because these checklists were prepared by people who lack knowledge of your specific organization’s operations, standard checklists are unlikely to be sufficient for documenting your organization’s specific risks or processes. Nevertheless, these questionnaires and checklists may be useful in validating the completeness of a risk assessment once it has been prepared, and they provide users with common control activities.

[3] MN.IT Services (formerly OET) provides all information technology (IT) services for the executive branch, having consolidated all IT under the State CIO (Chief Information Officer) as prescribed by 2011 law. Therefore, risks and controls related to the IT environment (e.g., updates, implementation, system security, change management and maintenance) are not discussed in the guide. See the Enterprise Security Control Policies on the MN.IT website (http://mn.gov/oet/policies-andstandards/information-security/).

Page 3 of 24

RISK ASSESSMENT PLAN

Prior to performing a risk assessment, a risk assessment plan[4] and timeline should be developed. A plan prioritizes business processes to ensure risk assessments are performed on processes critical to achieving agency goals and objectives. A timeline provides a means for senior management to monitor plan progress.

Plan steps (sidebar diagram): 1 Identify processes; 2 Prioritize processes; 3 Create plan; Monitor plan; Update plan.

The first step in developing a plan is to identify the business processes operating within the organization. Appendix A provides a description and some examples of business processes.

The second step is to prioritize the business processes. Agencies can have a multitude of business processes, but it is not cost beneficial to conduct risk assessments on all of them. Therefore, agency management can use both qualitative and quantitative factors to determine the high-profile business processes most significant to achieving the agency’s goals and objectives. Special consideration should be given to the following business processes:
- Processes audited as material to the financial information presented in the Comprehensive Annual Financial Report (CAFR)
- Federal programs identified as major in the Financial and Compliance Report on Federally Assisted Programs
- Processes relating to the organization’s primary sources of funding and major expenditures
- Other processes critical to achieving the organization’s primary mission and objectives

Appendix B provides factors to consider when determining the business processes to include in the plan.

The third step is to create a risk assessment plan. Plans can take on many different forms, depending on the organizational structure and business practices of the organization. At a minimum, the plan must include the following information:
- Criteria used to identify significant business processes, including why some processes/sub-processes were included in the plan and why other processes/sub-processes were not
- Name and brief description of each business process
- Breakdown of a more complex or large process into manageable sub-processes
- Tentative timeline for performing each identified risk assessment
- Name of employee(s) responsible and accountable for ensuring risk assessments are completed

[4] Most agencies are required to prepare risk assessment plans (see the Minnesota Management & Budget Statewide Procedure: Risk Assessment, No. 0102-01.2).

As a final point, senior management is responsible for monitoring the agency’s progress in completing the risk assessment plan. At least annually, management must also revisit and revise the plan, reflecting on any significant changes within the organization or external to it, such as regulatory changes, new program or service offerings, staff turnover, and reorganizations. Such changes may require revising or updating the plan accordingly.

Best Practice: Financial Reporting and Federal/State Program/Grant Compliance

Make sure that significant business processes associated with internal and external financial reporting are included in a risk assessment plan. Citizens, investors, regulators, legislators, boards and agency management make decisions based on financial report information, expecting accuracy and reliability. Examples of financial reporting are:
1. Information provided to MMB for inclusion in the state’s Comprehensive Annual Financial Report (CAFR) and Financial and Compliance Report on Federally Assisted Programs (Single Audit Report)
2. Agency financial statements and reports prepared for public distribution
3. Financial information prepared for use by senior management, boards or legislative oversight committees

A standard best practice for identifying these processes is referred to as a “top-down” approach, where management identifies significant financial processes by making three determinations:
1. Which financial reports are significant
2. Which line items (e.g., cash, accounts receivable) contain large dollar amounts in the reports
3. What significant processes support these line items (e.g., processes supporting cash may include cash receipts, procurement, payroll, and recipient/grant payments; processes supporting accounts receivable may include cash receipts, revenues, and estimates for expected receipts such as sales tax payments)

Qualitative factors (see Appendix B) are also considered in the above approach.

Equally important are the processes supporting federal/state programs/grants, since many agencies receive considerable funding to manage these programs. To identify significant programs/grants, agency management should consider the following elements:
1. Size – Which programs/grants are material to the agency
2. Complexity – Whether administration of the program/grant is routine or complex (e.g., are staff experienced/knowledgeable? Have any significant regulatory or compliance requirements arisen?)
3. Susceptibility – Whether there have been audit findings related to the program; whether there has been any fraudulent activity impacting the program; and/or whether there is a probability that fraud would impact the program

Not all processes supporting the program need to be included in the risk assessment plan. Identify the processes supporting the program/grant compliance requirements (e.g., allowable costs, eligibility, sub-recipient monitoring). Then, assess the complexity and susceptibility (steps 2 & 3 above) to determine which processes to include in the plan.
CONDUCTING A RISK ASSESSMENT

Risk assessment projects need to be completed for each business process included in the risk assessment plan. A risk assessment project can be broken down into seven phases:
1. Coordinate the project
2. Document the business process
3. Identify risks
4. Prioritize risks
5. Identify and evaluate control activities
6. Create action plans to address control gaps and redundancies
7. Communicate results to management

1. Coordinate the project

The fundamental elements that need to be in place prior to starting a risk assessment project are senior leadership sponsorship, assignment of the risk assessment team, team training and availability, and a clear project scope.

Ultimately, for a risk assessment project to succeed, senior leadership needs to be supportive. Employees take their cues from senior management. If risk assessments appear unimportant to their leaders, employees will also perceive risk assessments as unnecessary. Senior management can show their support through written communications, staff meeting discussions, attendance at the initial risk assessment kickoff meeting and involvement in meetings where the project’s results are discussed.

Just as important as senior leadership sponsorship is the assignment of the risk assessment team. Team members ought to represent a cross-section of subject matter experts familiar with the business process being assessed. For example, grant managers and administrators would be involved in the risk assessment for grants, as would the accountants who make payments to grantees. Similarly, the payroll risk assessment may be conducted by a team consisting of human resources, payroll, and accounting staff.

In addition, the risk assessment team ought to be trained to enable them to participate effectively in risk assessment projects. Training can occur through seminars or completion of pilot risk assessments on small, discrete processes, providing staff with valuable hands-on experience. Likewise, management needs to allocate time to the project to allow sufficient team member availability to complete thorough risk assessments.

Finally, a clear project scope (i.e., clear determination of process beginning and end points) is necessary to ensure projects are completed on time and to avoid scope creep. Typically, the manager or supervisor responsible for the process is in the best position to decide where the beginning and end points are positioned for each risk assessment project.

2. Document the business process

The purpose of business process documentation is to provide the risk assessment team with a common understanding of the process. Existing documentation, such as step-by-step procedures, provides the team with a basic understanding of the process. In some cases, procedures sufficiently describe the process and eliminate the need to create additional process documentation. If the existing documentation is insufficient or non-existent, narratives or flowcharts are common tools for documenting processes. See examples of narratives and flowcharts on the MMB Internal Control and Accountability website (http://www.beta.mmb.state.mn.us/risk-examples).

There are many ways to document business processes. The documentation style will depend on the size of the agency, resources available, and the complexity of the agency’s processes. In short, documentation is dependent upon agency preferences. Business process documentation should be thorough but not so detailed as to overwhelm a reader. To make efficient use of resources, documentation should focus on high-level activities, rather than on every activity within the process. In addition, the document format should allow for easy review and updating.

The following should be considered when reviewing existing or developing new process documentation:
- What are the activities and tasks within the process?
- What are the key inputs (beginning) and outputs (ending) of the process?
- What are the decision points and alternative paths? It is important for the assessment team to identify all decision points within a process or compliance requirement, as there may be alternative paths that work items can take. If not all the alternative paths are identified, it may not be possible to identify all of the key risks and controls.
- What are the transfer points, or hand-offs, with other areas[5] outside the department or agency? Because risks are present at hand-offs with other areas, it is important to understand where these transfer points are. If required, identify contacts for additional information.
- What key IT systems support the process? The supporting IT systems may determine how transactions are processed and recorded, as well as the types of risks and controls included.
- Who are the responsible personnel within a process? Identify positions or job titles rather than names, because personnel may change over time.
- What is the time frame of the process or compliance requirement? It is important to understand both the actual and elapsed time for tasks in the process.
- What is the impact on the financial statements? What general ledger accounts are affected?
- What are the key performance measures, monitoring controls and reporting controls?

[5] Examples of hand-offs outside an agency: while state agencies are typically responsible for their own staff recruitment, the central payroll services unit is responsible for ensuring employees receive wage and salary payment. Consequently, some risks, such as staff hiring and training, reside with the agency while other risks, such as accurate calculation of wages and deduction of appropriate taxes and union dues, reside with the central payroll unit. Other examples of hand-offs between agencies and centralized state agency providers include information technology, vendor contract management, and financial reporting.

Grant Programs

Process documentation for grant programs will depend on what is significant for these programs. The federal Office of Management and Budget (OMB) has identified recommended controls within 13 risk areas common to most federal grant programs. A discussion of these risk areas can be found in OMB Circular A-133 Compliance Supplement, Part 6.[6] Although this guidance is aimed at federal grant programs, it can be applied to any grant program.

While Part 6 of the OMB Compliance Supplement has a helpful list of objectives and risks to be considered for all grants, this list is very generic. Relying solely on Part 6 of the Compliance Supplement can result in an incomplete list of objectives and risks. On the other hand, not every area addressed by Part 6 of the Compliance Supplement is applicable to every grant program. A comprehensive list of objectives and risks for a grant is best developed independently, with Part 6 forming a backstop to the risk identification process.

The Minnesota Department of Administration’s Office of Grants Management has developed policies and procedures[7] that are applicable to all grant programs, federal and state. There is considerable overlap between the objectives and risks noted in OMB Circular A-133 Compliance Supplement, Part 6 and the state statutes, policies, and procedures listed by the Office of Grants Management. Both aim to improve the administration of grant programs by suggesting or requiring best practices in grant administration. As with the suggested control objectives in OMB Circular A-133 Compliance Supplement, Part 6, when using the Department of Administration policies, grant risk assessments should describe how the required objectives are being achieved.
Functional Areas

Unlike federal and state grant programs, where objectives and risks are dictated, for the most part, by the federal or state governments, processes within functional areas can vary from one agency to the next. Unfortunately, no guidance exists that identifies every possible process one might find in a functional area along with a list of potential objectives and risks. The best resources for identifying the objectives for these processes are the functional area manager and subject matter experts within these areas. Other published and internet resources can provide a starting point for documenting generic processes that one would expect to find in any organization, such as procurement, payroll or financial processes. The risk assessment team should pay close attention when using these materials to ensure the final documentation is an actual representation of the agency’s process.

[6] See OMB Circular A-133 Compliance Supplement, Part 6 (http://www.whitehouse.gov/omb/circulars/a133_compliance_supplement_2013)
[7] See Minnesota Office of Grants Management Policies and Statutes (http://mn.gov/admin/government/grants/policies-statutes-forms/)

3. Identify risks

The risk assessment team uses the process documentation to brainstorm risks within the business process. The team will identify countless risks given time and a little imagination. The number of risks may seem unmanageable at this point but will be reduced by prioritizing risks later in the risk assessment process. Make sure the list includes risks relating to compliance, reporting, operations, safeguarding of assets and intangible risks (e.g., reputation, loss of public trust).

The risk being assessed is the inherent risk—the chance of something going wrong BEFORE steps (i.e., control activities) are in place to reduce the chance of the risk occurring. Activities with high inherent risk have a greater potential for loss from fraud, waste, unauthorized use, or misappropriation due to the nature of the activity or asset. Cash, for example, has a much higher inherent risk for theft than a stapler does. Control activities used to reduce these risks are identified and evaluated later on in the process.

For each step indicated in the process documentation, ask these questions:
- What can go wrong? How could we fail?
- What must go right for us to succeed?
- Where are we vulnerable?
- How could someone steal from the department?
- How could someone disrupt our operations?
- How do we know whether we are achieving our objectives?
- On what information do we most rely?
- What would happen if key employees or subject matter experts were suddenly unavailable?
- Is the input or support for this process dependent on other entities or processes? What would happen if those entities or other processes failed to deliver?
- What decisions require the most judgment?
- What activities are most complex?
- What activities are regulated? How complex are the regulatory requirements?
- What is our greatest legal exposure?
- What could tarnish the organization’s reputation, cause loss of public confidence or impact employee morale?
- Does past experience highlight any areas of concern (e.g., audit findings, media attention, fraud)?

Do not overlook fraud risks, which can cause not only financial loss but also loss of public trust in the agency. Fraud is intentional misconduct carried out so as to evade detection of the wrongdoing. Both state employees and persons outside the agency can perpetrate fraud (e.g., a vendor or benefit recipient).

The following three conditions are generally present when fraud occurs:
1. Pressure: the motive or incentive, which provides a reason to commit the fraud. This could include lifestyle issues, such as debts from gambling or drugs. Other reasons to commit fraud may be family pressures like unemployment, medical costs, or other crises, including business pressures such as unrealistic deadlines.
2. Rationalization: the ability to justify the person’s actions in his or her own mind. Examples of rationalization may include:
   - “I don’t get paid what I am worth!”
   - “I intend to pay it back later.”
   - “Nobody will miss the money.”
   - “There is no other way to manage my problems.”
   - “If they don’t know I’m doing it, they deserve to lose the money.”
3. Opportunity: the circumstance within the organization that allows the fraud to occur and not be detected. Opportunity most likely results from a lack of control activities or ineffective control activities, especially a lack of segregation of duties. It also can result from seemingly well-designed control activities that are not enforced or monitored.

Agency management has little influence over the first two conditions but can limit opportunity by implementing control activities to reduce fraud risks. Questions that help identify fraud risks are:
- How might a fraudster exploit weaknesses in the system?
- How could a fraudster override or circumvent procedures or activities?
- What could a fraudster do to conceal the fraud?

Examples: Fraud Risks
- Manipulating financial information (e.g., recording transactions in an incorrect reporting period to cover up budget overruns)
- Falsifying or inflating expense claims
- Misappropriating assets (e.g., cash, checks, inventory, laptops)
- Committing identity theft (e.g., from paper documentation or IT systems)
- Accepting bribes, kickbacks or gratuities (e.g., accepting a bribe in return for approving a vendor contract)
- Paying fictitious employees
- Submitting/approving fraudulent employee time sheets (e.g., unrecorded vacation or sick leave, inflated regular or overtime hours)
- Paying inflated or fictitious invoices submitted by an insider or third-party vendor
- Submitting fraudulent eligibility applications
- Submitting fraudulent claims (by an insider, sub-recipient, grantee or third-party provider)
- Processing fictitious transactions to hide an unplanned variance
- Covering up mistakes to avoid confrontation or disciplinary action

4. Prioritize risks

When prioritizing risks, the team should evaluate the inherent risk, without consideration of any existing control activities intended to reduce the likelihood or impact of the risk. The identity and effectiveness of existing control activities at addressing inherent risks are evaluated later on in the risk assessment process.

Risk Ranking

It is impossible and unwise to attempt to address all risks. Actions taken to minimize risk (referred to as control activities) can be expensive and labor intensive. Efforts should be focused on the most critical risks, which, if they materialize, could potentially disrupt or derail achievement of an agency’s goals and objectives. Risk ranking should take into consideration two criteria:
1. Likelihood - What is the possibility of the risk happening? How often does it occur, or how often is it likely to occur?
2. Impact - What is the effect on the achievement of objectives? What is the materiality or magnitude of the consequences if it happens?

As an example, the risk of loss from theft of cash easily meets the likelihood criterion—the cash can be stolen. In addition, in the absence of control activities, the probability of theft is high. The impact criterion requires more analysis and is dependent on the amount of the loss and the related consequences. The risk grows with the size of the potential loss. In addition, small repeated losses could become material if unchecked.

There are many ways to rank risk; no one way is right or wrong. Whatever method is selected, it should include the following:
a. A ranking scale such as high, medium, low, or 1, 2, 3, etc. The ranking scale should be simple enough to allow the quick communication of the severity of the risk associated with an activity.
b. A brief explanation for choosing the risk ranking. Documenting the reasons for the rankings preserves the information for future reference.

Best Practice: Risk Rankings

Agency management may choose to go an additional step in ranking risks by developing standard ranking categories. The table below depicts some examples of basic ranking categories; agency management can customize the categories further by establishing quantifiable values, such as number of occurrences (e.g., high: more than 5, medium: 2-4, and low: less than 2).

Risk   | Likelihood ranking | Likelihood comments           | Impact ranking | Impact comments                                          | Ave. ranking
Risk A | 3                  | Happens frequently (high)     | 1              | Inefficient work, some or limited rework (low)           | 2
Risk B | 2                  | Sometimes occurs (medium)     | 2              | Extra work, re-work (medium)                             | 2
Risk C | 3                  | Predictable (high)            | 3              | Showstopper - loss of program (high)                     | 3
Risk D | 1                  | Has not happened (low)        | 3              | Loss of life/death, significant injuries/illness (high)  | 2
Risk E | 2                  | Sometimes occurs (medium)     | 2              | Minor injury/illness (medium)                            | 2
Risk F | 2                  | Not very predictable (medium) | 1              | Minor loss of assets or funds (low)                      | 1.5

The overall risk ranking exercise is judgmental even when standard ranking criteria have been established by the entity. After applying the ranking criteria, the risk assessment team may decide to adjust the ranking of one or more risks based on additional information specific to that risk. Justification or rationale for any manual adjustments (e.g., low to high risk or vice versa) should be documented.

Risk Responses

In theory, there are at least four potential responses to risk:
1. Transfer the risk by having someone else assume it. However, the entity transferring the risk often remains ultimately responsible for the final outcome. Typical examples are outsourcing or obtaining insurance. In these situations, the transferring entity is still ultimately responsible for monitoring the outsourced activity and ensuring insurance coverage is sufficient.
2. Avoid the risk by choosing not to engage in the activity or program. However, in government it is impossible to avoid a mandate from the legislature.
3. Accept the risk when it has a low probability of occurrence and low impact on the organization. In this scenario, management weighs the cost of the risk occurring against the cost of implementing mitigating controls (i.e., a cost-benefit analysis). It is important to document the rationale for accepting the risk.
4. Reduce the risk by implementing control activities to reduce or mitigate the risk.
Because of the difficulty in anticipating every possible outcome or circumstance, it is usually difficult and very expensive to eliminate risk completely. Generally, risk is reduced to a point where the residual (i.e., remaining) risk is acceptable to the decision maker, thus providing reasonable assurance of meeting the agency's goals and objectives. Ultimately, senior management decides whether to accept residual risk. These decisions and their rationale should be documented.

Examples: Risk Responses

Most grant programs have an eligibility risk—the chance that funds will be paid to an ineligible person or organization. A program can transfer the eligibility risk by outsourcing the eligibility determination to a third party provider. However, this will have a limited effect because the program remains ultimately responsible for ensuring grants are made to eligible grantees. The program may attempt to avoid that risk by not engaging in any grant activity—a course of action that may not be acceptable to the legislature or the public. If management is confident of the control measures in place and decides that the cost of additional measures outweighs any potential benefits, it may accept the remaining risk of paying an ineligible grantee. Management may take certain actions to reduce the eligibility risk, for example, instituting a review process for all applications and requiring supervisory review of payments before they are made.

5. Identify and evaluate control activities

The next step in the risk assessment process is to identify and evaluate methods currently in place to minimize high priority risks. These methods are collectively referred to as control activities, the third component of the COSO Framework.8 Control activities are the actions and tasks embedded in a process to help achieve expected results. Control activities occur at all levels and functions.
They include a wide range of diverse activities such as training, procedures, approvals, authorizations, verifications, reconciliations, performance reviews, security measures, and the creation and maintenance of appropriate documentation.

Facts about Control Activities

No "one size fits all" set of control activities provides the ultimate solution to manage risk effectively. In some situations, a combination of control activities should be used, and in others, one control activity may be sufficient to reduce one or more risks. Some risks may be similar across all agencies, but the form and formality of mitigation strategies (i.e., control activities) will vary.

Smaller agencies may rely on management oversight rather than other types of control activities. For example, management's retention of authority for approving significant purchases can provide strong control over this activity, lessening the need for additional control activities. Setting up an appropriate segregation of duties can also be challenging in a smaller agency. However, even agencies with only a few employees can assign responsibilities to achieve appropriate segregation, or use management oversight of the incompatible activities to achieve a strong control system.

Control activities benefit, rather than hinder, the agency by helping to achieve organizational goals. They are not intended to limit or interfere with an agency's duly granted authority related to legislation, rule-making or other discretionary policy-making. Instead, control activities can actually help ensure the agency is acting within its authority and complying with legislative requirements.

8 Committee of Sponsoring Organizations (COSO): Internal Control-Integrated Framework

Risks and controls need to be in balance.
The cost of implementing and sustaining a control activity should not exceed the benefits derived from that control activity, especially since most agencies struggle with limited resources, such as staffing, funding, and time. Attempting to eliminate a risk completely is generally not achievable, would be prohibitively expensive, could create unnecessary obstacles and delays in providing agency services and would most likely slow down productivity. For example, purchasing an expensive locked cabinet to limit access to basic office supplies may not be cost effective. Alternatively, using a locked cabinet to secure highly negotiable assets such as daily cash receipts would be cost effective.

[Figure: a balance weighing the impact from risks against the cost of controls]

Control Activity Design

An effective control activity has three features: a carefully thought-out design, effective operation, and routine re-evaluation. A good understanding of the underlying process, obtained by performing a risk assessment, and the participation of staff directly involved in the process, are critical to the creation of a well-designed control activity that addresses the risk in question. Control activities, especially those dependent on human actions, are effective only if they are addressed in written policies and procedures, and are performed consistently. Finally, periodically updating risk assessments keeps related control activities current and relevant. Positive results, including fewer errors and less rework, allow management and staff to focus resources on the agency's primary goals and objectives.

In summary, a control activity has the following characteristics:

1. It addresses the risk in question
2. It is mandatory (i.e., addressed in policies and procedures)
3. It is currently in operation (e.g., has occurred within the last 12 months)

Ineffective control activities often disrupt the underlying process and cause operational bottlenecks.
A poorly designed control activity is particularly dangerous because it can lull management and staff into a false sense of security.

Example: Control Design Flaws

In 2003, the U.S. Government Accountability Office (GAO) issued a report titled Travel Cards, Internal Control Weaknesses at DOD Led to Improper Use of First and Business Class Travel. The report indicated breakdowns in key controls, which resulted in improper premium class travel and millions of dollars of unnecessary costs incurred annually by the Department of Defense (DOD). For fiscal years 2001 and 2002, DOD spent almost $124 million on about 68,000 premium class airline tickets that included at least one leg of premium class service, primarily business class. To put the $124 million into perspective, it exceeded the total travel expenses—including airfare, lodging, and meals—spent by each of 12 major federal agencies. In addition, GAO estimated that 72 percent of DOD's fiscal years 2001 and 2002 premium class travel was not properly authorized, and that 73 percent was not properly justified. GAO estimated that senior civilian and military employees accounted for almost 50 percent of premium class travel. Further, analysis showed that 27 of the 28 most frequent premium class travelers were senior DOD officials.

Control Activity Classifications

Control activities can be classified as preventive or detective. Preventive control activities (also known as front-end control activities) are designed to avoid errors or improprieties before a transaction is processed. Examples of preventive control activities are delegation of authority assignments, security access restrictions, system edit checks and requiring supervisor approval prior to processing.
Detective control activities (also known as back-end control activities) are designed to identify errors or irregularities that have already occurred and enable management to take prompt corrective action. Examples of detective controls are reconciliations and exception report reviews.

Control activities can also be manual, automated, or IT-dependent manual. It is not unusual for a process to include a combination of these three classes of control activities. Manual control activities are performed by individuals, such as preparing a bank deposit or performing a reconciliation. Automated controls are incorporated into application systems. Automated control activities are considered more reliable, due to their ability to prevent errors from being entered into the system (e.g., inaccurate vendor number) and by detecting errors within the system (e.g., edit checks). Additionally, automated control activities occur consistently with every transaction, whereas manual control activities are more susceptible to human error. IT-dependent manual control activities are manually performed but require input based on the results of computer-produced information. Examples of IT-dependent manual control activities include management's review and follow up of a monthly variance report. Management relies on the information system to identify variances and produce the variance report for follow-up.

Control activities can also be considered soft or hard. Soft control activities are those that provide notice of a requirement but do not by themselves immediately terminate a transaction for failing to meet that requirement. Examples of soft control activities include statutes, rules, policies and procedures, all of which tell people what should and should not be done. Soft control activities are less effective if not paired up with hard control activities to enforce them. Hard control activities are those that terminate a transaction for failing to meet a requirement.
Examples of hard control activities include passwords and authorization codes. Hard control activities can be preventive, such as passwords, or detective, such as audits.

Control Activity Categories

The following are categories of commonly used control activities. This is by no means an exhaustive list.

Authorization and Approval

Authorization is the power granted to an employee to perform a task. It is a delegation of duties. Management defines the terms of the authorization and ensures that these terms are documented and clearly communicated. Approval is the confirmation or sanction of employee decisions, events or transactions, based on an independent review. It signifies that the approver has reviewed the supporting documentation and is satisfied that the transaction is accurate and complies with applicable laws and regulations. Management's responsibility is to ensure significant transactions are approved and executed only by persons acting within the scope of their authority.

Verification/Reconciliation

Verification (or reconciliation) typically involves the comparison of an internally prepared document (e.g., purchase order) to an independent source (e.g., vendor invoice) to determine the completeness, accuracy, authenticity and/or validity of transactions, events or information. It is a control activity that enables management to ensure that other control activities are being performed in accordance with directives. Management determines what needs to be verified or reconciled, based on the inherent risk of the underlying process. Management also clearly communicates and documents these decisions in procedures. Employees responsible for conducting the verifications/reconciliations should be required to document that these activities did indeed occur.
Examples: Verification/Reconciliation

- Reviewing vendor invoices for accuracy by comparing them to purchase orders and contracts
- Reviewing grantee documentation prior to making grant payments
- Comparing cash receipt transactions to cash receipt logs and bank deposit records
- Reviewing and verifying a participant's eligibility for state program services
- Reconciling a department's cash records to bank statements

Documentation

Documentation is perhaps the most critical control activity because it preserves evidence to substantiate a decision, event, transaction, or system. All documentation should be complete, accurate, and recorded in a timely manner. Documentation should have a clear purpose and be in a usable format that will add to the efficiency and effectiveness of the agency.

Examples: Documentation

Critical decisions and significant events generally involve senior management. These decisions and events usually result in the use, commitment, exchange or transfer of resources, such as in strategic plans, budgets and executive policies. By recording the information related to such events, management creates an agency-wide history that can serve as justification for subsequent actions and decisions and will be of value during self-evaluations, leadership transitions and audits.

Transactions should be traceable from inception through completion to demonstrate how agency resources were utilized and control activities were applied to ensure compliance with agency objectives. This means the entire life cycle of a transaction should be documented, including: (1) identifying the initiator and authorizer; (2) tracking progress and hand-offs through all stages of processing; and (3) pinpointing where documentation is maintained and for how long.

Policies and procedures are critical to the daily operations of a department.
These documents set forth the fundamental framework and the underlying methods and processes all employees rely on to do their jobs, including key control activities (see discussion of key control activities on page 20). Policies and procedures provide specific direction and help form the basis for decisions made every day by employees. Without this framework of understanding by employees, conflicts or inconsistencies can occur, poor decisions can be made and serious harm can be done to the department's reputation. Further, the efficiency and effectiveness of operations can be adversely affected.

Position descriptions communicate control activity expectations and responsibilities to staff. At a minimum, position descriptions should include the key control activity critical to the success of the agency's goals and objectives. Annual employee performance evaluations provide the perfect opportunity for supervisors and staff to discuss the importance of the control activities and hold staff accountable for performance of these control activities.

Supervision

Supervision is the ongoing oversight, management and guidance of an activity by designated employees to help ensure the results of the activity achieve the established objectives.
Those with the responsibility for supervision should:

- Assign tasks and hold staff accountable for key control activities
- Establish written procedures for completing assignments
- Systematically review and evaluate each staff member's work
- Approve work at critical points to ensure quality and accuracy
- Provide guidance and training when necessary
- Document supervisory reviews (for example, initialing examined work)

Separation of Duties

Separation of duties is the division or segregation of key duties and responsibilities among different people to reduce the opportunities for any individual to be in a position to commit and conceal errors (intentional or unintentional), or perpetrate fraud in the normal course of their duties. The fundamental premise of segregated duties is to prevent any one individual from controlling and performing all key functions of a transaction or event: authorization/approval, recording/accounting, reconciliation and custody. A combination of two or more of these functions performed by the same employee is called incompatible duties.9

[Figure: Separation of Duties Triangle, with Authorization/Approval, Recording/Accounting, Reconciliation and Custody of Assets at its corners]

In cases where duties cannot be effectively separated, management can substitute increased review or supervision as an alternative control activity (i.e., a compensating control) to help reduce the risks. In an environment with a very limited number of employees, management needs to be involved in reviewing and approving transactions, reports, and reconciliations. Compensating controls are less desirable as they generally require more resources and typically occur after the fact.
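The incompatible-duties rule above (two or more of the four key functions held by one employee) and the compensating-control fallback can be checked mechanically against an access listing. The script below is an added example, not part of this guide or of any statewide system; the duty catalog, employee names, assignments and reviewer designations are constructed for illustration.

```python
"""Separation-of-duties check over the four key functions named in the guide.

Added example. The duty-to-function catalog, employees and assignments are
constructed; a real check would load them from the agency's access listings.
"""
from itertools import combinations

# The four key functions of a transaction or event (from the guide).
AUTHORIZATION = "authorization/approval"
RECORDING = "recording/accounting"
RECONCILIATION = "reconciliation"
CUSTODY = "custody"

# Constructed catalog mapping a system duty to its key function, following the
# guide's own examples of incompatible duties (assumed mapping, not a standard).
DUTY_FUNCTION = {
    "approve_invoice": AUTHORIZATION,
    "enter_invoice": RECORDING,
    "receive_goods": CUSTODY,
    "receive_cash": CUSTODY,
    "record_deposit": RECORDING,
    "authorize_deposit": AUTHORIZATION,
    "reconcile_bank": RECONCILIATION,
    "count_inventory": RECONCILIATION,
    "maintain_inventory_records": RECORDING,
}


def functions_for(duties):
    """Return the set of key functions covered by a set of duties; an unknown duty is an error."""
    funcs = set()
    for duty in duties:
        if duty not in DUTY_FUNCTION:
            raise KeyError(f"duty not in catalog: {duty}")
        funcs.add(DUTY_FUNCTION[duty])
    return funcs


def find_conflicts(assignments):
    """Map each employee holding two or more key functions to the sorted pairs of
    functions they combine (the guide's definition of incompatible duties)."""
    conflicts = {}
    for employee, duties in assignments.items():
        funcs = sorted(functions_for(duties))
        if len(funcs) >= 2:
            conflicts[employee] = list(combinations(funcs, 2))
    return conflicts


def uncovered_conflicts(assignments, reviewer_of):
    """Employees with incompatible duties and no independent reviewer.

    The guide allows increased review as a compensating control; here a reviewer
    is treated as independent only if they share none of the employee's duties.
    """
    uncovered = []
    for employee in find_conflicts(assignments):
        reviewer = reviewer_of.get(employee)
        shared = assignments.get(reviewer, set()) & assignments[employee]
        if reviewer is None or shared:
            uncovered.append(employee)
    return sorted(uncovered)


# Constructed sample access listing.
SAMPLE_ASSIGNMENTS = {
    "alice": {"enter_invoice", "approve_invoice"},  # recording + authorization
    "bob": {"receive_cash", "reconcile_bank"},      # custody + reconciliation
    "carol": {"receive_goods"},                     # custody only
    "dave": {"count_inventory"},                    # reconciliation only
    "frank": {"receive_cash"},                      # custody only
}
# Constructed reviewer designations: erin holds no duties; frank shares one with bob.
SAMPLE_REVIEWERS = {"alice": "erin", "bob": "frank"}


if __name__ == "__main__":
    for employee, pairs in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        for first, second in pairs:
            print(f"{employee}: incompatible duties ({first} and {second})")
    for employee in uncovered_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_REVIEWERS):
        print(f"{employee}: no independent review in place; document a compensating control")
```

On the sample listing, alice and bob are flagged; only bob lacks an independent reviewer, because frank also receives cash.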
Examples: Incompatible Duties Requiring Separation of Duties

- Individuals responsible for data entry of invoices should not be responsible for approving these documents (recording/accounting and authorization/approval)
- Individuals responsible for acknowledging the receipt of goods or services should not also be responsible for purchasing or payment activities (custody and recording/accounting)
- Individuals doing personnel onboarding (i.e., direct deposit, update/correct and personal data/job data updates) should not have access to mass time entry, business expenses or payroll adjustments (authorization/approval and recording/accounting)
- Managers should review and approve payroll expenses and time sheets before data entry, but should not be involved in preparing payroll transactions (authorization/approval and recording/accounting)
- Individuals performing physical inventory counts should not be involved in maintaining inventory records nor authorize withdrawals of items maintained in inventory (reconciliation, custody, and recording/accounting)
- Individuals receiving cash into the office should not be involved in authorizing and recording bank deposits in the accounting records (recording/accounting, authorization/approval and custody)
- Individuals receiving revenue or making deposits should not be involved in reconciling the bank accounts (custody, recording/accounting and reconciliation)

9 Lists of incompatible duties related to statewide systems are available on-line (http://www.beta.mmb.state.mn.us/security) (SWIFT: Conflict Matrix and Instructions for SWIFT Statewide Systems Access Form; SEMA4: Incompatible Access)

Access Security

Securing access to resources and information reduces the risk of unauthorized use or loss. Management should protect the department's equipment, information, cash receipts, documents and other resources that could be wrongfully used, damaged or stolen.
Management can protect these resources by limiting access to authorized individuals only. Management decides which resources should be safeguarded and to what extent. Management makes this decision based on the vulnerability of the items being secured and the likelihood of loss.

Examples: Access Security to Safeguard Physical Assets

- Securing mobile items within locked facilities
- Locking up cash receipts
- Utilizing key cards to limit access to agency facilities
- Performing periodic physical inventories of assets for verification of values, location, and appropriate utilization

Access controls restrict access and safeguard data files and information maintained in information systems. Access controls are set based on the employee's need to access data files and information necessary to perform his or her specific job duties while maintaining acceptable separation of duties. Periodic management reviews of system access must ensure employee access is appropriate based on any new or changed job duties.

Examples: Access Security to Safeguard Electronic Assets

- Use of multilevel security
- User identification along with regularly changed passwords
- Callbacks and dial-up systems
- Firewalls
- Limited access to not public data
- Encryption of confidential information

Reporting

Reporting is a means of conveying information. Effective and accurate reporting control activities provide information on issues such as timely achievement of goals, accurate financial position and payroll irregularities. Reporting also helps promote accountability for actions and decisions.
Examples: Effective and Accurate Reporting

- Project status reports to alert management to potential cost or time overruns
- Payroll Register reports to confirm accuracy of current and prior pay period adjustments, salary increase adjustments, special payments, earnings codes, hours, pay rates, salary amounts, and amounts of any lump-sum payments
- The state's Comprehensive Annual Financial Report (CAFR), audited and issued for the public's review of Minnesota's financial performance and position

Control Activity Gaps and Redundancies

Once all the control activities within a business process are identified, it may become apparent that control gaps and redundancies exist. A control gap occurs when there are either insufficient or no actions (i.e., control activities) taken to avoid or mitigate a significant risk. For example, in a process that involves the collection of large amounts of cash, there is a control gap if no effort is made to secure the cash before depositing it. A redundancy occurs when multiple control activities address the same risk. Control redundancies often occur by design to provide additional assurance in high-risk circumstances.

Control gaps should be clearly documented in the risk assessment in a manner that draws them to the attention of management. Each control gap should be reviewed to confirm that there is a control gap and to evaluate potential steps to sufficiently mitigate the risk. Where possible, a plan should be formulated to address the gap, assign responsibility and establish a target resolution date. Risk assessments with control gaps should be reviewed more frequently so that management can ensure corrective action is being taken where necessary. On the other hand, redundant controls should only be removed after careful consideration, and where written documentation substantiates that eliminating the control activity would not jeopardize the process.
Redundancy should not be the only factor leading to elimination of the control activity. Seemingly redundant controls may address other risks or add another level of protection against occurrence of a significantly high risk.

Prioritizing Control Activities

The initial exercise of identifying control activities within a particular business process may result in an extensive list of control activities. Even though it may be beneficial, in certain situations, to have backup controls in case a main control activity fails, managing a large number of redundant control activities can reduce process effectiveness and efficiency. Control activities are only as important as the risks they address, and management cannot devote the same amount of resources to all control activities. At this point, the judgment of management and subject matter experts is needed to determine which individual controls are key10 to addressing one or more significant risks in the event that all other controls fail.

Once key control activities have been identified by the team, documentation is essential to showing that key control activities actually exist and are effectively designed. The documentation also provides management with a clear picture of critical points requiring special attention when proposing modifications to the existing process.
Documented details about each key control include:

- Who is performing the control
- When the control occurs and at what frequency
- How the control is performed
- What evidence exists proving the control was performed
- Which reports, if any, are used in the operation of the control activity

Best Practices: Documenting Key Controls

- Draw attention to each key control activity in the business process narrative or flowchart (e.g., bold font or shaded flowchart box, making the key control activity more visible)
- Include key control activities in policies and procedures
- Include key control activities in position descriptions of employees responsible for carrying them out and discuss the responsibilities during formal performance reviews

Validating Key Controls

To ensure a key control activity operates as intended, a three-step validation is performed: (1) determining whether the control activity is properly designed, (2) confirming whether the control activity is operating as intended, and (3) confirming that it is effectively mitigating the applicable risks.

To determine whether a key control activity is properly designed, a tester11, independent of the business process, validates the design of the control by answering the following questions:

- Does the control activity occur at the right point in the process?
- Does the control activity occur at the right frequency?
- Would the control activity prevent or detect the intended error or nonconforming circumstance (e.g., ineligible recipient, inaccurate amount, etc.)?
- Is the control activity the most cost effective way to address the risk?

10 A key control activity is (1) one that addresses one or more significant risks to an organization or process, or (2) one that addresses multiple risks that cumulatively are significant. However, even though the control activity meets one or both of these criteria, whether it is a key control activity is a management decision.
11 A tester can be an employee in the division, department or unit as long as that person is not directly involved in performing the actions or steps in the business process.

To ensure a key control activity is operating as intended, the tester performs a walkthrough of the process to ensure the employee or application performing the key control activities is in fact doing the tasks described in the narrative or flowchart. A walkthrough is normally performed by following a transaction or work item through the process, focusing on the key control activities. To begin the walkthrough, the tester selects at least one transaction or work item (e.g., recipient eligibility documentation) and follows the item through the process. To corroborate the process documentation that was used for the risk assessment, the tester:

- Asks employees to demonstrate how the control activity is performed and documented
- Asks how exceptions to the prescribed processing procedures and controls are identified, as well as any differences, and verifies the exception procedures were followed
- Documents differences between what the narrative or flowchart indicates and what is actually done

Examples: Walkthrough Steps for Selected Control Activities (to be completed by the tester)

Approval: Ask an employee what he/she is looking for prior to approval, such as reviewing supporting documentation to ensure a transaction is accurate and posted to the appropriate account. Inquire as to how the approval is documented (e.g., initials and date), and what the approver does if an error or discrepancy is found. The tester examines documents to confirm approval (i.e., evidence of supporting documentation and approver initials) and ensure error resolution procedures were performed as discussed.

Reconciliation: Ask the employee to explain or demonstrate how a reconciliation is performed.
Obtain a completed reconciliation and perform the following steps:

  o Review one or more of the reconciliations to determine whether all the relevant data are accurately and promptly included
  o Note the explanation and disposition of any unusual items
  o Inquire about actions taken when actual or potential errors are indicated on the reconciliation
  o Inquire how the errors occurred
  o When practical, obtain evidence of the error corrections noted during the reconciliation process
  o Ensure timely completion of the reconciliation and clearing of reconciling items

In addition to walking through the physical flow of documents and forms, the flow of data and information through IT systems is equally important. These steps may include inquiry of independent and knowledgeable personnel, review of user manuals, observation of a user processing transactions at a terminal in the case of an online application, and review of documentation such as output reports.

The following outcomes are possible upon completion of a walkthrough:

1. The process outlined in the narrative/flowchart matches the actual process, and the key control activities are documented and operating as intended.

2. The process outlined in the narrative/flowchart does not match the actual process, indicating some key control activities are not operating as intended. Action steps should be developed to revise the narrative/flowchart and improve compliance with these control activities.

3. The process outlined in the narrative/flowchart matches the actual process and the key control activities are operating, but one or more of the key control activities is not mitigating the risk as intended. Action steps should be developed to evaluate the situation and implement corrections, such as revising the existing control activity or developing and implementing a new control activity. At a later point in time, any revised or new control activities should be re-evaluated to ensure they are operating effectively.
Walkthroughs of business processes and related control activities should be documented (i.e., brief memos) describing the procedures performed. This documentation provides proof that management determined whether the key control activities were effectively operating to mitigate risks.

6. Create action plans to address control gaps and redundancies

Over the course of the risk assessment project, it is likely the assessment team and/or tester will identify situations where the existing internal control structure contains deficiencies, thereby requiring further action, such as:

- Modification or enhancement to strengthen a weak or ineffective control activity
- Development and implementation of a control activity to mitigate an uncontrolled or under-controlled risk
- Automation of manual controls to improve both efficiency and compliance within the business process
- Removal of redundant control activities or other procedures that do not add value to controlling a risk

To address the above deficiencies, management, or employees assigned the responsibility, develop and monitor any action plans to ensure issues are followed up and resolved in a timely manner. Action plans typically include the following:

- Business process name
- Description of control activity
- Issue (control gap or redundancy)
- Risk or implication of the control issue
- Actions planned for improvement
- Person(s) responsible for resolving the issue
- Target completion date for resolving the issue

7. Communicate results to management

At the completion of a risk assessment project, the project leader or team communicates the results, both positive and negative, to senior management. The method of communication can take on various forms, such as a written report or oral presentation.
Depending on management's experience and perspective, the assessment team might decide to provide some general background on internal controls and an overview of the risk assessment process. The risk assessment results should include a discussion of the team's views on the effectiveness of the control system and opportunities for improvement (e.g., action plans). Senior management can use this information to track risk assessment plan progress. The agency head can use the information to support the annual certification of the agency's internal control system.

SUSTAINABLE RISK ASSESSMENTS

Internal and external influences (e.g., new management, regulatory changes) can trigger agency business processes to evolve and change over time. These changes often affect the internal control structure by introducing new risks and/or making existing control activities ineffective or obsolete. Therefore, it is important and necessary for agencies to reassess completed risk assessments affected by change and revise the risk assessment documentation accordingly. Examples of documentation revisions may include:

- Updating business process documentation
- Identifying and prioritizing any new risks
- Assessing the effectiveness of existing control activities at addressing new risks
- Developing and implementing action plans to address any control gaps or weaknesses

Appendix C, Ongoing Change Indicators for Completed Risk Assessment Questionnaire, provides guidance in detecting changes requiring updates to completed risk assessment documentation. Risk assessments requiring updating should be communicated to management and added to the risk assessment plan.

Also, agencies may encounter instances where certain business processes appear to be static and not affected by changes. However, subtle changes may have occurred over time, such as control activities becoming ineffective or no longer being performed.
Completed risk assessments for these processes should be reviewed periodically to ensure that the documentation remains accurate, that key control activities continue to operate as intended and as described in the documentation, and that key control activities are effectively mitigating the applicable risks. The review may be accomplished by performing a walkthrough of the process, testing a sample of applicable transactions, or a combination of both. (Refer to the "Validating Key Controls" section of this guide.)

APPENDIX A
BUSINESS PROCESS DEFINITION
(Back to RISK ASSESSMENT PLAN)

Management can easily become overwhelmed by the volume and complexity of activities performed within an organization, such as grant management, payroll, procurement, cash receipts, etc. To simplify this task, we suggest grouping activities into business processes or sub-processes. A business process can be defined as a group of interrelated activities or tasks initiated in response to an event that achieves a specific result for the customer of the process.
Adding more specific detail to that general definition:

• group of interrelated:
  o the process steps relate to each other
  o the interrelationship is through sequence and flow (e.g., the completion of one step leads to, or flows into, the beginning of the next step)
  o steps are related by dealing with the same goal or objective
  o steps are related by being traceable back to the same initial event
• activities or tasks:
  o a collection of actions or steps making up a process
• initiated in response to an event:
  o a clear starting point exists
  o the process must be initiated in response to a specific occurrence (e.g., a request for benefits, an employee completing time entry)
  o having an event AND a result allows the sequence of tasks that turns the event into the result to be traced
• achieves a specific result:
  o delivery of a specific goal or objective (e.g., determination of recipient eligibility, employee gets paid)
  o a clear endpoint exists
• customer of the process:
  o the customer can be a person or an organization, either internal (an employee, other state agencies) or external to the organization (a recipient of a grant or service)
  o a customer receives the result or is the beneficiary of it (e.g., the recipient becomes eligible for benefits, the employee gets paid)

Below are some examples of processes one might find operating within an agency:

• Human Resources/Payroll
  o New hire on-boarding
  o Bi-weekly payroll processing
  o Employee separations
• Competitive Grants
  o Grant awarding
  o Grant payments
  o Grant closeout
• Cash Receipts/Accounts Receivable
  o Billing and accounts receivable
  o Cash collections

Breaking down complex or large business processes into sub-processes might become necessary to manage risk assessments effectively. Sub-processes create efficiencies, such as a smaller group of actions or steps that can be more easily understood and evaluated for risks and control activities.
In addition, sub-process risk assessment projects typically take less time to complete and involve fewer subject matter experts or team members. Below are some examples of possible sub-processes within the Bi-Weekly Payroll Processing business process:

• SEMA4 Self Service
• Central payroll processing through SEMA4
• Payroll and deduction distributions

[Diagram not reproduced in this text: the event, activities/tasks and result for the SEMA4 Self Service sub-process.]

There are two interconnected approaches for identifying business processes within an agency: by functional area and by program/service (see the matrix below). Identifying processes by functional area is appropriate when the activities and tasks performed are consistent regardless of the program or service (e.g., cash management). This approach is also efficient, in that the process is examined once for all programs rather than duplicated on a program-by-program basis. Conversely, identifying processes within a program/service is appropriate where processes are unique to a particularly large or complex program/service. A combination of both approaches should be considered to ensure that process identification is efficient and includes all significant processes within the entity.

Matrix of functional areas against programs/services*

Programs/services (columns): Competitive Grants; Licensing; Recipient Benefits; Administrative Expenditures; Capital Construction.

Functional areas (rows): Disbursements/Purchasing/Accounts Payable; Receipts/Accounts Receivable; Payroll; Recipient Eligibility; Sub-Recipient Monitoring; Cash Management; Financial/Program Reporting; Budgeting; Capital Assets.

Each cell is marked with an X where the functional area applies to the program/service. In the original matrix, Disbursements/Purchasing/Accounts Payable, Financial/Program Reporting and Budgeting are marked for all five programs/services; each of the other functional areas is marked for two programs/services, but those individual marks did not survive in this text.

* The above functional areas and programs/services are for illustrative purposes only and are not intended to be all-inclusive.
APPENDIX B
BUSINESS PROCESS PRIORITIZING FACTORS
(Back to RISK ASSESSMENT PLAN)

Below is a list of factors agency management might consider when evaluating business processes for inclusion in the agency's risk assessment plan (i.e., those processes/programs that inherently pose the greatest risks and threats to achieving the agency's mission and objectives). The list is provided as a starting point. It is not meant to be all-inclusive, and each factor may not be relevant to every agency. Agency management is encouraged to add, delete or revise the factors as it deems appropriate to better align them with the agency's mission and responsibilities.

• Size and composition (materiality) – the significance of total dollars flowing through the process or program/grant compared to the agency's overall budget. Special consideration should be given to the following processes/programs:
  o Processes audited as material to the financial information presented in the Comprehensive Annual Financial Report (CAFR)
  o Federal programs identified as major in the Financial and Compliance Report on Federally Assisted Programs (Single Audit)
  o Processes relating to the organization's primary sources of funding and major expenditures
  o Other processes critical to achieving the organization's primary mission and objectives
• Volume or frequency of transactions – the number of transactions funneled through the process or program/grant, and/or how often transactions occur
• Complexity of transactions – whether transactions are routine or require calculations, estimates or adherence to complex accounting or program requirements
• Operating changes – the significance of process changes, regulatory changes, new personnel, new products/services, new programs, rapid growth or rapid downsizing
• Policies and procedures – whether policies and procedures exist, are kept current and reflect operating changes as those changes occur
• External environment – outside influences that may impact the organization and cause volatility/uncertainty in the way the organization currently operates (e.g., economic, regulatory, technological, legal and physical conditions)
• IT – whether activities are automated or manual, whether new technologies have recently been implemented or significant changes have been made to existing technology, and/or whether the business process relies on a legacy or unsupported system
• Staffing – tenure and expertise of employees, staffing levels, succession planning, training and development plans, cross-training
• Legal – complexity of existing legal and regulatory requirements, pending litigation/legislation, previous legal proceedings
• Audit issues – significance of internal/external audit findings (e.g., material weaknesses or significant deficiencies), repeat audit findings
• Reputation – susceptibility to media exposure/scrutiny; probability of negative publicity associated with perceived or actual breaches in an organization's business practices, such as security breaches, fraud, lawsuits, mismanagement, customer complaints and public concerns
• Not public data – whether data that is not public is collected, and how that data is managed (i.e., business purpose, storage, security, access, retention and disposal practices)
• Fraud – consideration of the types of fraud or misconduct that could occur, such as:
  o Reporting: intentional misstatements, omissions, misrepresentations or intentional misapplication of accounting principles
  o Assets: misappropriation of physical assets and information, including theft of property, embezzlement of receipts, fraudulent payments and identity theft
  o Fiduciary cash or property: theft or mismanagement of cash or property held in a fiduciary capacity for the benefit of another person or organization
  o Corruption: bribery and other illegal acts
  o Waste: the act of using or expending agency resources carelessly, extravagantly or to no purpose
  o Abuse: improper behavior, including misuse of authority/position for personal gain

Best Practice: Business Process Prioritization

Agency management may choose to develop standard criteria for prioritizing business processes, as demonstrated in the table below. Each factor is rated High (3 points), Medium (2 points) or Low (1 point), and the five factor scores are added to produce the total score.

Factor: Size and composition – impact of the process on the account balance or total program expenditures
  High (3 points): the process impacts the account balance or program expenditures by more than 30%
  Medium (2 points): by less than 30% but more than 10%
  Low (1 point): by less than 10%

Factor: Probability of error or fraud impacting the process
  High (3 points): recent or recurring audit findings and/or material adjustments; recent fraudulent activity
  Medium (2 points): history of past audit findings or immaterial adjustments; past fraudulent activity
  Low (1 point): no history of audit findings or fraud in the previous 5 years

Factor: Complexity – degree of judgment or subjectivity involved, such as estimating a transaction amount/account balance or determining recipient eligibility
  High (3 points): highly complex
  Medium (2 points): moderately complex
  Low (1 point): not complex

Factor: Operations – length of time the business process has been operating without significant changes
  High (3 points): less than one year; staff is relatively inexperienced
  Medium (2 points): 5 years or less; no significant changes to the process within the last 12 months; no turnover of key employees within the last 12 months
  Low (1 point): the process has been in operation for over 5 years; no significant changes to the process; no turnover of key employees

Factor: IT dependency
  High (3 points): highly manual and complex; IT infrastructure is older with many manual interfaces
  Medium (2 points): moderately automated
  Low (1 point): highly automated

Total score
  High: > 15
  Medium: < 15 but > 10
  Low: < 10

Note on the total score bands: with five factors scored from 1 to 3 points, the total ranges from 5 to 15, so a total above 15 cannot occur, and totals of exactly 10 or 15 (like size percentages of exactly 10% or 30%) fall outside every band as written. Agencies adopting this template should restate the bands as contiguous, inclusive ranges (for example, 13 to 15 high, 10 to 12 medium, 5 to 9 low) and fix the percentage boundaries the same way, so that every process receives exactly one rating.

APPENDIX C
Ongoing Change Indicators for Completed Risk Assessments Questionnaire

Agency: ___________________________________
Certification Year: ___________________________________
Risk Assessment: ___________________________________
Person(s) Responsible: ___________________________________

To be completed annually for all risk assessments included in the plan. Answer Yes or No to each question.

1. Has there been any significant change in the operating environment since the risk assessment was last completed/updated?
2. Has there been any significant change in leadership or personnel since the risk assessment was last completed/updated?
3. Has there been any change in information technology equipment or information systems (e.g., software, operating systems, etc.) since the risk assessment was last completed/updated?
4. Has there been any expansion or reduction in personnel or funding of the business process area since the risk assessment was last completed/updated?
5. Has there been any change in service delivery models, legislation, program requirements, products or activities since the risk assessment was last completed/updated?
6. Have there been any audit findings (internal, OLA, federal, external, etc.) associated with the business process area since the risk assessment was last completed/updated?
7. Has there been any indication of failure in control activities since the risk assessment was last completed/updated (e.g., media reports, legal issues, litigation, fraud, customer or public complaints, etc.)?
8. Have any other issues developed or relevant incidents occurred since the risk assessment was last completed/updated that should be considered or evaluated?

Total (add up the number of "Yes" and "No" responses in each column): Yes ______  No ______

A. Based on the responses to the questions above, does this risk assessment area need to be reviewed and updated? (Note: three or more "Yes" responses is a strong indication that review and updating are needed.)
______________________________________________________________________________
______________________________________________________________________________

B. If you answered "Yes" to question A above, what is your plan and timing for updating this risk assessment and the supporting documentation?
______________________________________________________________________________
______________________________________________________________________________

C. Comments
______________________________________________________________________________
______________________________________________________________________________

APPENDIX D
COSO FRAMEWORK - PRINCIPLES

The revised COSO Framework, effective May 2013, added a set of underlying principles for each internal control component, including the risk assessment and control activities components. To have an effective internal control system, the COSO Framework emphasizes the need for each component and relevant principle to be present and functioning. The principles are considered suitable for any organization; however, some organizations may determine that one or more principles are not relevant based on their specific business model. In these instances, management should document the rationale for excluding a principle. The underlying principles for the risk assessment component and the control activities component were incorporated into the guide unless otherwise noted.

Risk Assessment
1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities
1. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
2. The organization selects and develops general control activities over technology to support the achievement of objectives. (Not addressed in this guide. General control activities relating to the IT environment are managed by MN.IT Services.)
3. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

BIBLIOGRAPHY

1. American Institute of Certified Public Accountants. Statement on Auditing Standards No. 106, Audit Evidence (AU Section 326, paragraphs .14 and .15).
2. Committee of Sponsoring Organizations of the Treadway Commission (COSO). (1994). Internal Control – Integrated Framework. American Institute of Certified Public Accountants.
3. Gauthier, S. J. (1994). An Elected Official's Guide to Internal Controls and Fraud Prevention. Government Finance Officers Association.
4. Institute of Internal Auditors. (January 2008). Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners. Retrieved July 2011 from www.theiia.org/download.cfm?file=31866
5. Mattie, A. J., Hanley, P. F., & Cassidy, D. L. (2005). Internal Controls: The Key to Accountability. PricewaterhouseCoopers. Retrieved August 2010 from www.pwc.com/education
6. Minnesota Department of Administration, Office of Grants Management. Minnesota Grants Management – Policies and Statutes.
7. Minnesota Statutes, section 16A.057, Internal Controls and Internal Auditing.
8. National Association of State Auditors, Controllers and Treasurers (NASACT). (July 2008). The Internal Control Guidebook. Retrieved March 15, 2010 from http://www.nasact.org/nasc/committees/multistate/downloads/Internal_Control_Guidebook.pdf
9. North Carolina State University, Poole College of Management, Enterprise Risk Management Initiative. Retrieved March 2013 from http://poole.ncsu.edu/erm/
10. Raftery, W. J. (Revised April 2005). State of Wisconsin: Instructions for the Preparation of an Agency Internal Control Plan. Retrieved June 2010 from http://www.nasact.org/nasc/committees/multistate/index.cfm
11. Sponsoring organizations (AICPA, IIA and ACFE). Managing the Business Risk of Fraud: A Practical Guide. Retrieved May 2013 from http://www.aicpa.org
12. State of Maine, Office of the State Comptroller, Internal Audit. Internal Control Guide for Managers. Retrieved March 2013 from http://www.maine.gov/osc/internalaudit/guideformgrs.shtml
13. State of Mississippi Department of Finance and Administration. (June 30, 2008). Internal Control. Retrieved June 2011 from http://www.dfa.state.ms.us/Offices/OFM/BFR%20Files/MAAPP%20files/30%20Internal%20Control%201.pdf
14. State of Montana Department of Administration, State Accounting Division. Retrieved April 2013 from http://accounting.mt.gov/forms/chapters/default.mcpx
15. State of New York, Office of the State Comptroller. (October 2007). Standards for Internal Control in New York State Government. Retrieved July 2011 from http://www.osc.state.ny.us/agencies/ictf/docs/intcontrol_stds.pdf
16. State of North Carolina, Office of the State Controller. EAGLE Program Guidance Manual. Retrieved June 2011 from http://www.osc.nc.gov/eagle
17. State of Vermont Department of Finance and Management. Internal Control Standards: A Guide for Managers. Retrieved June 2011 from http://finance.vermont.gov/sites/finance/files/pdf/IC/IC_Standards_Guide_Managers.pdf
18. State of Washington, Office of Financial Management. (September 2008). Risk Management Basics. Retrieved April 2013 from http://www.docstoc.com/docs/25241340/Risk-Management-BasicsManual
19. United States General Accounting Office. (November 1999). Standards for Internal Control in the Federal Government.
20. United States Office of Management and Budget. (June 2010). Circular A-133, Audits of States, Local Governments and Non-Profit Organizations, Compliance Supplement, Part 6 – Internal Controls.
21. United States Office of Management and Budget. (July 2005). Circular A-123, Management's Responsibility for Internal Control, Appendix A – Implementation Guide.
22. University of California. Understanding Internal Controls. Retrieved April 2013 from http://www.ucop.edu/ucophome/businit/boi/docs/03-understanding_internal_control.pdf
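The following Python is an added example for the Appendix B business process prioritization rubric; it is not code from the guide or from Minnesota Management & Budget. It scores processes with the guide's five factors and 3/2/1 point values, checks whether a set of total-score bands assigns exactly one rating to every reachable total (showing that the bands printed in the table leave totals of 10 and 15 unassigned), and ranks a set of constructed sample processes. The factor keys, the sample ratings and the inclusive replacement bands (13 to 15 high, 10 to 12 medium, 5 to 9 low) are assumptions made for the example.

```python
"""Scoring helper for the Appendix B business process prioritization rubric.

Added example, not part of the MMB guide. The five factors and the High/Medium/Low
point values (3/2/1) come from the guide's table. PROPOSED_BANDS is an assumption:
inclusive, contiguous bands chosen so that every reachable total maps to exactly
one rating, which the bands printed in the table (> 15, < 15 but > 10, < 10) do not.
"""

# Factor keys are assumed names for the five rows of the guide's table.
FACTORS = ("size", "error_or_fraud", "complexity", "operations", "it_dependency")
POINTS = {"high": 3, "medium": 2, "low": 1}

# Total-score bands exactly as printed in the guide's table.
GUIDE_BANDS = {
    "high": lambda t: t > 15,
    "medium": lambda t: 10 < t < 15,
    "low": lambda t: t < 10,
}

# Assumed replacement bands: contiguous, inclusive, covering every reachable total.
PROPOSED_BANDS = {
    "high": lambda t: 13 <= t <= 15,
    "medium": lambda t: 10 <= t <= 12,
    "low": lambda t: 5 <= t <= 9,
}


def reachable_totals():
    """All totals a process can score: five factors, each worth 1 to 3 points."""
    n = len(FACTORS)
    return range(n * min(POINTS.values()), n * max(POINTS.values()) + 1)


def band_for(total, bands):
    """Name of the single band containing `total`, or None if zero or several match."""
    hits = [name for name, pred in bands.items() if pred(total)]
    return hits[0] if len(hits) == 1 else None


def band_gaps(bands):
    """Reachable totals that no band (or more than one band) claims; empty when sound."""
    return [t for t in reachable_totals() if band_for(t, bands) is None]


def score_process(name, ratings, bands=PROPOSED_BANDS):
    """ratings maps each factor to 'high', 'medium' or 'low'. Returns (name, total, band)."""
    missing = set(FACTORS) - set(ratings)
    unknown = set(ratings) - set(FACTORS)
    if missing or unknown:
        raise ValueError(f"{name}: missing {sorted(missing)}, unknown {sorted(unknown)}")
    total = sum(POINTS[ratings[f]] for f in FACTORS)
    return name, total, band_for(total, bands)


def rank_processes(processes, bands=PROPOSED_BANDS):
    """Highest total first; ties go to the higher error/fraud rating, then to name."""
    scored = [score_process(n, r, bands) for n, r in processes.items()]
    return sorted(
        scored,
        key=lambda s: (-s[1], -POINTS[processes[s[0]]["error_or_fraud"]], s[0]),
    )


# Constructed sample ratings (not from the guide) for three illustrative processes.
SAMPLE_PROCESSES = {
    "Bi-weekly payroll processing": {
        "size": "high", "error_or_fraud": "medium", "complexity": "medium",
        "operations": "low", "it_dependency": "low",
    },
    "Competitive grant payments": {
        "size": "high", "error_or_fraud": "high", "complexity": "high",
        "operations": "medium", "it_dependency": "medium",
    },
    "Licensing cash collections": {
        "size": "medium", "error_or_fraud": "low", "complexity": "low",
        "operations": "high", "it_dependency": "high",
    },
}

if __name__ == "__main__":
    print("Totals the printed bands leave unassigned:", band_gaps(GUIDE_BANDS))
    print("Totals the proposed bands leave unassigned:", band_gaps(PROPOSED_BANDS))
    for name, total, band in rank_processes(SAMPLE_PROCESSES):
        print(f"{total:2d} {band:6s} {name}")
```

Running the script lists the two totals (10 and 15) that the printed bands never assign, confirms the proposed bands assign all eleven reachable totals, and ranks the sample processes as grant payments (13, high), licensing cash collections (10, medium) and payroll (9, low). An agency that changes the number of factors or the point scale only needs to edit FACTORS, POINTS and the bands; band_gaps then re-checks the rubric for holes.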