Office of Operations 2009 Fall Conference Navigating Uncertain Times October 21-22, 2009 Risk Assessment and Internal Controls Internal Controls Anna Tomassacci.

1 Office of Operations 2009 Fall Conference Navigating Uncertain Times October 21-22, 2009 Risk Assessment and Internal Controls Internal Controls Anna Tomassacci Beth Ferracane Brendan McClune

2 Objectives
Complete a basic risk assessment.
Set up a system of internal controls to mitigate the risks identified during the assessment.
Apply internal controls to potentially deter negative events (e.g., fraud, inappropriate procurements, improper payments, etc.).

3 Agenda
Internal Controls Overview
Group Exercises:
Global Risk Assessment for Procurement and Accounts Payable departments
Identify objectives and risks
Design control activities
Risk Assessment – Program Areas
Rank risks by impact and likelihood assuming there are no controls
Rank risks by impact and likelihood given existing controls
Attack and Defend Exercises

4 Internal Controls History
NYS Governmental Accountability, Audit & Internal Control Act of 1987
Budget Bulletin 350
Committee of Sponsoring Organizations of the Treadway Commission (COSO)

5 Internal Control
The integration of the activities, plans, attitudes, policies, and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission.

6 Basic Components
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring

7 Internal Controls Pyramid
[Figure: pyramid labeled Control Environment, Risk Assessment, Control Activities, Monitoring, Information & Communication]

8 Control Environment
Influences all of the decisions and activities of an organization, and on the control consciousness of its people
The Tone at the Top
The foundation for all the other components

9 Risk Assessment
Risk: The possibility that an event will occur and adversely affect the achievement of objectives.
Assessment: To evaluate; to examine carefully; to determine or set the value of something.

10 Control Activities
The tools – both manual and automated – that help prevent or reduce the risks that can stop an organization from meeting its objectives and goals.

11 Information & Communication
The exchange of information between and among people and organizations.

12 Monitoring
The ongoing review of the organization's daily activities and transactions to determine whether controls are effective in ensuring that operations work as intended.

13 Risk Assessment
Risk: The possibility that an event will occur and adversely affect the achievement of objectives.
Assessment: To evaluate; to examine carefully; to determine or set the value of something.

14 Process
What are the objectives?
What could go wrong (the Risk)?
What’s the likelihood of it occurring?
What’s the impact if it happens?
Prioritize and respond accordingly.

15 Risk Assessment
Assess each risk in terms of:
The likelihood of the negative event.
The significance or impact of the event.

16 Risk Assessment
Likelihood: The probability that an unfavorable event would occur if there were:
No internal controls.
Existing internal controls.
Impact: A measure of the magnitude of the effect on an organization if the unfavorable event were to occur.

17 Ask the questions …
What obstacles could stand in the way of achieving your objective?
What can go wrong?
What is the worst thing that could happen?
What is the worst thing that has happened?

18 Ask the questions …
Are there new processes? Changed ones?
New goals or legislation?
Staffing changes?
What keeps you awake at night?

19 Evaluating Risk: Judgment Required
[Figure: grid with axes Impact (low to high) and Likelihood (low to high); Area I Least Concern, Area II Minimal Concern, Area III Moderate Concern, Area IV Most Concern]

20 Helpful Hints
Change is the one constant.
A risk assessment is never “done.”
Communication and education can make all the difference.
The greatest risk is turning a blind eye to the possibility of risk.
Knowledge is power!

21 Managing Risk
Three options:
Avoid the risk
Accept it
Prevent it

22 Managing Risk
Avoid the risk:
Whatever the risky activity is… Don’t do it!
No additional controls are required

23 Managing Risk
Accept the risk:
Continue the way you’re going
Maintain the Status Quo
No changes, no new controls

24 Managing Risk
Prevent or reduce the risk:
Actively work to control the risk
Change how you operate!
Establish whatever controls are necessary to manage the risk

25 Control Activities
The tools – both manual and automated – that help prevent or reduce the risks that can stop an organization from meeting its objectives and goals.

26 Control Activities
Controls can be…
Directive: guide an organization toward desired outcome.
Preventive: deter the occurrence of an undesirable event.
Detective: identify undesirable events and alert management.

27 Commonly Used Control Activities
Documentation
Approval and Authorization
Verification
Supervision
Separation of Duties
Safeguarding Assets

28 Risk & Controls: Judgment Required
[Figure: grid with axes Impact (low to high) and Likelihood (low to high); Area I Least Concern, Area II Minimal Concern, Area III Moderate Concern, Area IV Most Concern]

29 Control Activities: Cost v. Benefit
The cost of the controls shouldn’t be greater than the cost of the potential loss.

30 Questions
