Definition IPPF Audit Standard 2120 – Risk Management A method by which both management and staff collectively identify and evaluate risks and associated controls in sessions facilitated by an Internal Audit (IA) team member. A process to identify potential events or circumstances that may affect the business unit’s ability to meet its objectives and to create a plan to handle those negative potential events.

RCSA versus Audit RCSA differs from an audit in that the scope of an RCSA is determined by management; the scope of an internal audit is determined by Internal Audit. An audit includes testing of transactions to determine whether internal controls are operating as expected. RCSA typically does not include testing within its scope of work. Any recommendations resulting from an audit are formally followed up on by IA. Follow up for action items resulting from an RCSA project are the responsibility of management.

Benefits Offers a proactive, structured framework for assessing and controlling risks potentially before consequences occur. Provides reasonable assurance to stakeholders regarding the achievement of the unit's objectives. Increases knowledge and understanding of risk and control concepts. Integrates risk management practices into the organization’s culture. Creates a relationship-building opportunity.

Steps in RCSA Obtain an understanding of the process selected. Hold facilitated session in which participants will: Identify selected process objective. Identify significant risks to achieving objective. Identify and evaluate control activities to mitigate those risks. Discuss gaps in control design, and Develop an action plan to fill control gaps and mitigate identified risks. Reporting

Fleet Management - Tire Repair and Replacement Objective: To ensure the tires on our fleet and equipment are repaired and or replaced at a frequency that is cost effective and ensures the safety of our operators. Participants: 4 levels of management from HQ and every service center as well as operational support staff.

EXAMPLE

EXAMPLE

Fleet Management - Tire Repair and Replacement Project Highlights: Operational support staff were able to communicate difficulties with our software used to create requisitions. Purchasing immediately developed a temporary workaround to relieve frustration, increase efficiency of requisition entry and greatly reduce the need for the use of a MISC line item. Provided assurance that proper approvals were being obtained before the vendor started work.

Fleet Management - Tire Repair and Replacement Project Highlights: Proposed the development of an on-call log to better track the repairs or replacements performed after hours. Identified key replacement vs. repair decisions so that management could formalize expectations in the procedure. Identified which key data points should be captured in work orders for tire repairs and replacements to allow Fleet management to analyze process performance. Obtained a cost savings of roughly $290k

Other Processes Reviewed Computer Hardware Inventory Management Employment Eligibility Verification Contract Solicitations Supply

Reminders… There will be different outcomes based on the level of participation. There is more than one way to perform or report on RCSAs. The process should and will constantly evolve as management’s understanding of risks and controls evolve.

Questions