Office of Operations
2009 Fall Conference
Navigating Uncertain Times
October 21-22, 2009
Risk Assessment and Internal Controls
Anna Tomassacci, Beth Ferracane, Brendan McClune
Office of Operations 2009 Fall Conference
Objectives
Complete a basic risk assessment.
Set up a system of internal controls to mitigate the risks identified during the assessment.
Apply internal controls to potentially deter negative events (e.g., fraud, inappropriate procurements, improper payments, etc.).
Agenda
Internal Controls Overview
Risk Assessment – Program Areas
Group Exercises:
• Global Risk Assessment for Procurement and Accounts Payable departments
• Identify objectives and risks
• Design control activities
• Rank risks by impact and likelihood assuming there are no controls
• Rank risks by impact and likelihood given existing controls
• Attack and Defend Exercises
Internal Controls History
NYS Governmental Accountability, Audit & Internal Control Act of 1987
Budget Bulletin 350
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Internal Control
The integration of the activities, plans, attitudes, policies, and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission.
Basic Components
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
Internal Controls Pyramid
[Figure: a pyramid with Control Environment as the base, Risk Assessment and Control Activities as the middle layers, and Monitoring at the top; Information & Communication runs along both sides of the pyramid.]
Control Environment
Influences all of the decisions and activities of an organization, and the control consciousness of its people.
The Tone at the Top
The foundation for all the other components
Risk Assessment
Risk: The possibility that an event will occur and adversely affect the achievement of objectives.
Assess: To evaluate; to examine carefully; to determine or set the value of something.
Control Activities
The tools – both manual and automated – that help prevent or reduce the risks that can stop an organization from meeting its objectives and goals.
Information & Communication
The exchange of information between and among people and organizations.
Monitoring
The ongoing review of the organization's daily activities and transactions to determine whether controls are effective in ensuring that operations work as intended.
Risk Assessment
Process
1. What are the objectives?
2. What could go wrong (the Risk)?
3. What’s the likelihood of it occurring?
4. What’s the impact if it happens?
5. Prioritize and respond accordingly.
Risk Assessment
Assess each risk in terms of:
The likelihood of the negative event.
The significance or impact of the event.
Risk Assessment
Likelihood: The probability that an unfavorable event would occur if there were:
• No internal controls.
• Existing internal controls.
Impact: A measure of the magnitude of the effect on an organization if the unfavorable event were to occur.
Ask the questions …
What obstacles could stand in the way of achieving your objective?
What can go wrong?
What is the worst thing that could happen?
What is the worst thing that has happened?
Ask the questions …
Are there new processes? Changed ones?
New goals or legislation?
Staffing changes?
What keeps you awake at night?
Evaluating Risk
Judgment Required
[Figure: likelihood/impact matrix. IMPACT runs LOW to HIGH across the top; LIKELIHOOD runs LOW to HIGH down the side.]

                    IMPACT: LOW              IMPACT: HIGH
LIKELIHOOD: LOW     Area I – Least Concern   Area II – Minimal Concern
LIKELIHOOD: HIGH    Area III – Moderate Concern   Area IV – Most Concern
Helpful Hints
Change is the one constant.
A risk assessment is never “done.”
Communication and education can make all the difference.
The greatest risk is turning a blind eye to the possibility of risk.
Knowledge is power!
Managing Risk
Three options:
• Avoid the risk
• Accept it
• Prevent it
Managing Risk
Avoid the risk:
Whatever the risky activity is…
Don’t do it!
No additional controls are required
Managing Risk
Accept the risk:
Continue the way you’re going
Maintain the Status Quo
No changes, no new controls
Managing Risk
Prevent or reduce the risk:
Actively work to control the risk
Change how you operate!
Establish whatever controls are necessary to manage the risk
Control Activities
Controls can be…
Directive: guide an organization toward a desired outcome.
Preventive: deter the occurrence of an undesirable event.
Detective: identify undesirable events and alert management.
Commonly Used Control Activities
Documentation
Approval and Authorization
Verification
Supervision
Separation of Duties
Safeguarding Assets
Risk & Controls
Judgment Required
[Figure: the same likelihood/impact matrix as on the Evaluating Risk slide (Area I Least Concern, Area II Minimal Concern, Area III Moderate Concern, Area IV Most Concern), used here to re-rank each risk given existing controls.]
Control Activities
Cost v. Benefit
The cost of the controls shouldn’t be greater than the cost of the potential loss. Weigh the cost of a control against the likelihood-weighted loss it prevents, not only against the worst case.
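The following is an added worked example, not material from the conference slides, that carries the five-step Process through in code for a constructed procurement and accounts payable register: each risk is rated with no controls and given existing controls (the two likelihood cases on the Risk Assessment slide), placed in Areas I-IV of the Evaluating Risk matrix, ranked, and its controls checked against the Cost v. Benefit rule. The 1-5 rating scale, the threshold for "HIGH", the probability behind each rating, the dollar figures, the control names and the register entries are all assumptions made for the example.

```python
"""Worked example of the five-step risk assessment on the slides, applied to a
constructed procurement / accounts payable risk register. Each risk is rated
with no controls (inherent) and given existing controls (residual), placed in
Areas I-IV of the likelihood/impact matrix, ranked, and its controls checked
against the cost v. benefit rule. Ratings, probabilities, dollar figures and
the register itself are assumptions made for this example."""
from dataclasses import dataclass, field

SCALE_MAX = 5   # assumption: likelihood and impact rated 1 (low) .. 5 (high)
HIGH_FROM = 3   # assumption: a rating of 3 or more is "HIGH" on the matrix axes

# Assumption: rough annual probability behind each likelihood rating; only used
# to turn a rating into an expected loss for the cost v. benefit check.
PROBABILITY = {1: 0.05, 2: 0.15, 3: 0.30, 4: 0.60, 5: 0.90}

# Quadrants of the "Evaluating Risk" matrix, keyed by (likelihood high?, impact high?).
AREAS = {
    (False, False): ("Area I", "Least Concern"),
    (False, True): ("Area II", "Minimal Concern"),
    (True, False): ("Area III", "Moderate Concern"),
    (True, True): ("Area IV", "Most Concern"),
}


@dataclass
class Control:
    name: str
    kind: str                # directive, preventive or detective
    annual_cost: float
    likelihood_cut: int = 0  # rating points the control removes from likelihood
    impact_cut: int = 0      # rating points it removes from impact


@dataclass
class Risk:
    objective: str           # step 1: what are we trying to achieve?
    event: str               # step 2: what could go wrong?
    likelihood: int          # step 3: rating assuming no controls
    impact: int              # step 4: rating assuming no controls
    loss_if_occurs: float    # assumed dollar loss from one occurrence
    controls: list = field(default_factory=list)

    def inherent(self):
        return self.likelihood, self.impact

    def residual(self):
        """Ratings given existing controls, clamped to the 1..SCALE_MAX scale."""
        lik = self.likelihood - sum(c.likelihood_cut for c in self.controls)
        imp = self.impact - sum(c.impact_cut for c in self.controls)
        return max(1, min(SCALE_MAX, lik)), max(1, min(SCALE_MAX, imp))

    def expected_loss(self, likelihood, impact):
        """Expected annual loss at the given ratings; impact cuts scale the loss down."""
        return PROBABILITY[likelihood] * self.loss_if_occurs * impact / self.impact

    def controls_pay_for_themselves(self):
        """Cost v. benefit: the controls should not cost more than the loss they avoid."""
        avoided = self.expected_loss(*self.inherent()) - self.expected_loss(*self.residual())
        return sum(c.annual_cost for c in self.controls) <= avoided


def area(likelihood, impact):
    """Place a (likelihood, impact) pair in Areas I-IV of the matrix."""
    return AREAS[(likelihood >= HIGH_FROM, impact >= HIGH_FROM)]


def rank(register, with_controls):
    """Step 5: (event, area, likelihood x impact) rows, highest score first."""
    rows = []
    for r in register:
        lik, imp = r.residual() if with_controls else r.inherent()
        rows.append((r.event, area(lik, imp)[0], lik * imp))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; the controls are drawn from the "Commonly Used
# Control Activities" slide, but none of these figures come from the conference.
SEP_DUTIES = Control("Separation of duties: vendor setup vs. payment release", "preventive", 4_000, likelihood_cut=2)
APPROVAL = Control("Supervisor approval of purchases over the threshold", "preventive", 2_500, likelihood_cut=1, impact_cut=1)
THREE_WAY = Control("Verification: three-way match of PO, receipt and invoice", "detective", 6_000, likelihood_cut=2, impact_cut=1)

REGISTER = [
    Risk("Pay only legitimate vendors", "Fictitious vendor created and paid", 3, 5, 80_000, [SEP_DUTIES, APPROVAL]),
    Risk("Pay each invoice once", "Duplicate payment of an invoice", 4, 2, 4_000, [THREE_WAY]),
    Risk("Follow procurement thresholds", "Purchase split to stay under the approval limit", 4, 4, 25_000, [APPROVAL]),
    Risk("Pay within the prompt-payment window", "Interest owed on a late payment", 2, 1, 500),
]

if __name__ == "__main__":
    for label, with_controls in (("No controls", False), ("Existing controls", True)):
        print(label)
        for event, quadrant, score in rank(REGISTER, with_controls):
            print(f"  {score:2d}  {quadrant:9s} {event}")
    for r in REGISTER:
        verdict = "worth it" if r.controls_pay_for_themselves() else "over-controlled"
        print(f"{r.event}: controls {verdict}")
```

Running it shows the two rankings the agenda asks for: the purchase-splitting and fictitious-vendor risks sit in Area IV with no controls, and separation of duties plus approval moves the fictitious-vendor risk down to Area II. The duplicate-payment risk illustrates the cost v. benefit rule failing: the three-way match moves it into Area I, but at the assumed figures it costs more per year than the expected loss it removes, so the judgment is whether to keep it, cheapen it, or accept the residual risk.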