1. INTERNAL CONTROLS AND THE DPS ASSURANCE CONTINUUM Presented at the IIA San Antonio Chapter December 12, 2012 A review of the theory, components, factors, and relationships needed to provide continued accountability and assurance in your organization.

2. The Plan  Topics to be covered  Background on the theory of the assurance continuum.  Overview of teaching control types, terms, and the effects of culture  What Internal Controls and levels to focus on  The applicable Assurance Continuum Model  The purpose of establishing Internal Controls and an Assurance Continuum model in your organization  How to coordinate and establish an Assurance Continuum  Best Practices to achieve optimization of assurance

3. Background  What does it mean to provide Assurance in your organization?

4. Background  What can assurance do for your shop and your organization?

5. Background  What is the auditor’s role in reviewing internal controls and providing assurance?  Experts in identification of risks and reviewing of control structures.  Provide management with an independent review of the risk and control situation of their area.  Provide recommendations to improve the control structure to align with Department goals, mission, and strategy.

6. Risks  Assist your clients with explaining audit terminology of risks and identifying their risks.  First Step: Risks must be properly identified and accepted by the client  Focus on the impact and likelihood of risks.  Coordinate with ERM when possible

7. Controls  Explain the basics of controls  Relate to their business  Obtain understanding since most are already doing this but not considering it in the same way.  Focus on the minimizing of risks  Encourage process mapping.

8. Controls Focus customer attention on:  Control Environment  The attitude and actions of the board and management regarding the significance of control within the organization. Provides the discipline and structure for the achievement of the primary objectives of the system of internal control.  Control Design  The control structure developed that takes into consideration the control environment and the established appropriate control objectives to accomplish the organizations goals and activities as a whole.  Control Objectives  The events identified and established to meet the achievement of the activities or directives to accomplish the mission and goals of the organization.

9. Controls  Organizational Culture  How does culture effect controls and assurance?  How is the culture at your organization?

10. Controls Where are these in your organization:  Control Categories  Active - task that prevents or detects a deviation.  Passive - operates without human intervention.  Types of Controls  Preventive - proactive controls that deter undesirable events from occurring.  Detective - identify undesirable events that have occurred.  Directive - proactive controls that cause or encourage a desirable event to occur.  Mitigating or Compensating - compensate for the lack of an expected control.

11. Controls  Hard vs. Soft Controls  Hard Controls Procedures  Soft Controls Human 90/10 Rule: 90% of the time the Procedure works and 10% of the time the Human fails. - John Hall, CPA

12. Assurance Cycle MissionObjectivesKey Activities Control Objectives Control Activities Control Objectives for each Activity Activity Controls in which Performance is Measured Measure Performance for each Activity How does this relate to your organization?

13. Controls  Obtain customer understanding on these elements:  Fraud  Temptation and opportunity  Most people don’t go out looking to commit fraud.  How do controls help prevent fraud?  Override of Controls  What effect does this have on your control framework? Environment?  What about RUSH Orders?  What about during emergency’s  Tire Store Example

14. Levels of Internal Controls  Explain what internal controls are?  IIA Definition: A fundamental part of any system to standardize and guide operations which are designed to improve performance in order to accomplish an organization's goal and objectives.  Why they are important to organizations and why auditors love them  Establish and build on your foundation

17. Levels of Controls  Operating Controls  Focusing on:  Policies and Procedures  Segregation of Duties  Etc.  Monitoring Controls  Focus on:  Reviews and reconciliations  Verifications of existence  Etc.

18. Levels of Control  Oversight Controls  Focus on:  Budget v. actual comparisons  Evaluations of operating and monitoring controls  High level QA  Trend and variance analysis  Internal Audit  Focus on:  Not being management or having a role in control implementation  Assistance available in advisory role  Traditional audits  Process/structure reviews

19. Assurance Continuum  What is an Assurance Continuum?  A theory that incorporates a framework/model representing a system of internal controls for organizational application, which illustrates the relationships between controls and risks.  Use to evaluate:  Effectiveness and efficiency of goal achievement  Reliability of information and decision making processes  Accountability for assets, personnel and financial report  Compliance with applicable rules, standards, policies, best practices, and laws.

20. Assurance Continuum  How is this different than the levels of Internal Controls?  Don’t think different, Think complimentary!  The framework is developed using the Levels of Internal Control model as a basis.  Customizable to each area of the organization  Allows management to determine if the controls are operating according to their design.  Overall, provides assurance to management in meeting the goals, strategies, and mission of the organization.

21. Assurance Continuum Model Texas Department of Public Safety Assurance Continuum Assurance LevelLeadSupportTime Involvement in Process by Lead CoverageReports go to: Operating Controls Supervisory Oversight Field – Sgt. Level / Team Lead / Managers Field Chain of Command / Division ContinuallyTotalEvery Transaction Field Chain of Command Monitoring Controls Line Quality Check / Inspection Regional Commander Designee Division / CAOQuarterlySome Sample of Transactions Regional Commander / Division AD / CAO Oversight Controls Assistant Director Quality Check / Inspection Assistant Director Designee CAO / FieldPeriodicallyLittle Subsample of Transactions Deputy Director / CAO Internal Audit Chief Auditor’s Office (CAO) Review CAODivision / FieldAnnuallyNone Isolated Items – Risk Based Objectives Director / CAO/ PSC

22. TxDPS Assurance Continuum* CAO Audit Projects Assurance LevelResponsibleSupportActivity Criteria / Guidelines TimeReports go to: Auditor TransactionsTeam Members Project Manager/ Audit Manager Transactions and Initial Sign-off CAO P & P and Audit Standards Real Time Project Manager/ Audit Manager Project Manager Review Project Manager Team Members/Audit Manager 1 st level review and approval CAO P & P and Audit Standards ContinualAudit Manager/CAE Quality Assurance Review/Manager Review Audit Manager Project Manager/CAE 2 nd level review and approval CAO P & P and Audit Standards Continual Project Manager/CAE CAE/Oversight Review Chief Audit Executive/ Designee Audit Manager/Project Manager Review for Standard Compliance CAO P & P and Audit Standards Quarterly PSC/CAE/ Audit Managers Peer Review Process External Peer Review Team CAE/Audit Managers/Audit Stakeholders External Audit Audit Standards Every 3 yearsDirector /CAE/ PSC

23. Assurance Continuum  Assurance Levels:  Level 1: Operating Controls  Level 2: Monitoring Controls  Level 3: Program Oversight Controls  Level 4: Internal Agency Oversight Controls  Bonus-Level 5: External Agency Oversight Controls

24. Assurance Continuum  Level1: Operating Controls  Processes and activities executed at the base, line, or production areas where the service or product is provided or carried out.  Level 2: Monitoring Controls  Processes and activities used in the supervision of the base, line, or service provision areas with feedback and guidance provided to the operation.  Level 3: Program Oversight Controls  Processes and activities used by management in supporting or carrying out specific strategies while assuring adherence to operating and monitoring controls.

25. Assurance Continuum  Level 4: Internal Agency Oversight Controls  Guidance and advisory activities used in assuring agency fulfillment of the Department mission and compliance with statutory requirements.  Level 5: External Agency Oversight Controls (Bonus)  Guidance and advisory activities used by external entities in assuring fulfillment of the Department mission and compliance with statutory requirements. Each of these control levels is dependent on the one before it. Without each level, a solid foundation for providing assurance cannot be acquired.

26. Line of Defence  Three main lines of defence  First Line of Defence: Management oversight Reliance on operating and monitoring controls  Second Line of Defence: Management of risk Reliance on oversight controls Think interoperability of processes within the organization  Third Line of Defence: Independent Assurance Reliance on all control levels to be established and working Can be internal and external

27. Assurance Continuum: Example of a Hypothetical Situation Chief Auditor’s Office: Obtains and Reviews quality assurance results to determine if significant risk areas would benefit from a performance audit that would focus on the high risk areas while obtaining a narrow scope. Will also provide, upon request, advisory services that would be beneficial to executive management. Executive Coordinator of Quality Assurance: Performed by coordinator that is selected by the Director to coordinate, review, and recommend areas for quality assurance. Assistant Director Level Quality Control Review: Performed by a selected coordinator for the AD Service is similar to staff inspection function previously conducted by CAO. Quality Control Function/Personnel: Performed in sections within each Division or Office by selected staff

28. Assurance Continuum  Primary Benefits to Management:  Identifies and provides assistance with risk assessment, control activities, and control outcomes.  Provide management with a model to review their control structures and evaluate the sufficiency.  Other Benefits?

29. Purpose for Establishment  Simple rule:  “To provide accountability and responsibility to the activities and products developed and relied upon by the various stakeholders of the organization”  What if we don’t establish these controls?  Benefits clearly outweigh their costs.

30. Implementation  Bring in the right people from each level  Review the control levels and determine where each part fits  Determine the following components:  The lead person accountable,  Who the lead is supporting or being accountable to,  The frequency of the control activities,  The involvement in the process by the lead,  The coverage of the control over the process, and  Who the lead reports to for assurance responsibility

31. Implementation  Communication of efforts and goals is necessary  Develop a plan that follows the model and establish leads for the prime responsibility centers/activities.  Set short and long term goals  Determine the end product or trigger  Focus on continual improvement and build in process changes into your model. “As our business changes, so will the framework”

32. Best Practices  Use benchmarks- think outside your organization  Consider the elementary items:  Detailed and established Policies and Procedures  Clear chain of command  Established accountability and responsibility  Process to continually review your changing risks and adjusting controls as necessary.  Continuing education and professional models  Consider a Control Self-Assessment  Implement a Risk and Control Self Assessment Program

33. Important Notes to Remember  Not everything discussed will be clearly known, identifiable, or able to be implemented.  The nature of our business will require special needs or more attention.  Bring in your in-house experts, without them the system will be flawed. “ Remember, Rome was not built in a day and neither is a solid foundation for providing assurance to the entire organization.”

34. Recap  Reviewed the basics of getting clients on the same page in regards to risks and controls.  Reviewed the theory and models of Internal Controls and the Assurance Continuum  Discussed implementation, best practices and points to consider.  Promoted the management’s and auditor’s role in providing this assurance.

35. Questions

36. Thank You If you have any questions, please contact: Steve Goodson, CIA, CISA, CCSA, CGAP, CLEA, CRMA Chief Audit Executive Texas Department of Public Safety, Chief Auditor’s Office 512-424-2158 Steve. Goodson@dps.texas.gov W. Brandon Tanous, CIA, CGAP, CRMA, CLEA Senior Internal Auditor Texas Department of Public Safety, Chief Auditor’s Office 512-424-2124 Brandon.Tanous@dps.texas.gov

37. Sources  Urton, Anderson and Salamasick, Mark. “Assurance Mapping-Meeting Stakeholder Expectations for Assurance: It Takes a Village”. UT Austin and UT Dallas. Presented at the IIA International Conference: Boston, MA. July 9, 2012.  International Professional Practices Framework. Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.  Crawford, David B. “Levels of Internal Controls”. UT System: Austin Office. Austin, TX. July, 28, 1999.  Hall, John CPA. Fraud and Internal Controls Seminar. http://www.hallconsulting.biz/. May 2011. You Tube Seminar: http://www.youtube.com/watch?v=lQI84RuiYas\ http://www.hallconsulting.biz/ http://www.youtube.com/watch?v=lQI84RuiYas\  The Institute of Internal Auditors. “The IIA CIA Learning System, Part 2”. Altamonte Springs, Florida. 2010.  The Institute of Internal Auditors, www.theiia.orgwww.theiia.org  PriceWaterhouseCoopers: Business School-Risk Assurance. “Preparation. Perseverance.Payoff: Implementing a combined assurance approach in the era of King III.” http://www.pwc.co.za/en/king3/index.jhtml. 2009.http://www.pwc.co.za/en/king3/index.jhtml