ENTERPRISE RISK MANAGEMENT



1 ENTERPRISE RISK MANAGEMENT

2 Risk Assessment
- Technology Company? Short product life cycle
- Medical Provider? Accurate treatment and diagnosis
- Government? High sensitivity to fraud, waste, or abuse of public funds

3 Risks in Government “We have felt such a serious impact from the fraudulent transactions identified and realize that these matters extend beyond the individual perpetrating the fraud into the public trust with our entire system.” -- Commission response to audit

4 Changing Risks
- Modified Documents
- Electronic Fund Transfers
- Spear Phishing and Other Scams

5 Spear Phishing
A targeted email scam thrives on:
- Familiarity, using information publicly available on an entity’s website, such as names, titles, or other references. Familiarity often makes the recipient less vigilant in verifying the request.
- Urgency, indicating that the payment must be made immediately.

6 Why Risk Assessment?
Asked our executive and senior management teams:
- What has worked well and what would you do differently?
- Frequency of risk assessments?
- Employee evaluation concerns: giving too much credibility to matters reported.
- “What are we talking about and why do we do this?”
Takeaway: we need to help management understand why risk assessment is done.

7 What Is Risk Management?
- Management is responsible for risk management
- The goal of risk assessment is not to eliminate all risks
- List Management vs. Risk Management: consider strategy and performance

8 Why Risk Assessment?
- Comply with Utah Code 63I-5-401: “The agency internal audit director shall: … develop audit plans … based on the findings of periodic risk assessments.”
- Comply with Uniform Guidance 2 CFR §: Establish and maintain effective internal control…
- Comply with Internal Audit Standards, 2010 – Planning and 2120 – Risk Management.
- First sentence of report: “We have assisted the senior management team in completing a department-wide enterprise risk assessment …”

9 Why Risk Assessment? Uniform Guidance 2 CFR §200.303
The nonfederal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the nonfederal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

10 Information and Communication (the five COSO internal control components)
Control Environment
- Commitment to integrity and ethical values
- Structure of authority and responsibility
- Commitment to competence
- Enforces accountability
Risk Assessment
- Specifies suitable objectives
- Identifies and analyzes risk
- Assesses fraud risk
- Identifies and analyzes significant change
Control Activities
- Selects and develops control activities such as reviews, approvals, reconciliations, etc.
- Selects and develops general controls over technology
- Deploys through policies and procedures
Information and Communication
- Relevant information is generated to assist those who conduct control activities
- Information is internally and externally communicated
Monitoring
- Conducts ongoing evaluations to ascertain whether internal controls are present and functioning
- Evaluates and communicates deficiencies

11 Why Risk Assessment
Comply with internal audit standards:
2010 – Planning: The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.
Interpretation: To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

12 Why Risk Assessment
2120 – Risk Management: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the:
- Achievement of the organization’s strategic objectives.
- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations and programs.
- Safeguarding of assets.
- Compliance with laws, regulations, policies, procedures, and contracts.

13 Why Risk Assessment
2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
2120.C1 – During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.
2120.C2 – Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

14 Not Intended to Eliminate Risk

15 COSO – Enterprise Risk Management
Recent guidance includes risks to strategy and performance

16 Top Down
Met with senior leadership teams:
- One director said (partially kidding): “I’m not saying a word because anything I say ends up as an audit and I don’t have any more time to pull information and respond to recommendations.”
- Brainstorming with open-ended questions
- Some divisions more engaged than others
- Risks were summarized and returned to division directors for them to review, modify and rate the potential impact and likelihood of each risk.

17 Risk Assessment Process
Identify → Assess → Respond

18

19 SIGNIFICANT RISKS IDENTIFIED BY DIVISION DIRECTORS
- Compliance with complex or changing federal program requirements
- Customer fraud
- Physical security of data
- Inappropriate access or release of information by employees
- Hiring, training, and retaining employees

20 SIGNIFICANT RISKS IDENTIFIED BY DIVISION DIRECTORS
- Leave and time abuse
- Accurate IT inventory: ensuring equipment is properly safeguarded and that the department is being charged only for equipment being used
- Software licenses: software may be on machines for which we do not have a license
- Possible harm to ESD employees while conducting home visits
- Hostile or threatening customer behavior

21 Bottom Up
Random survey of 20% of department employees:
- Effectiveness of hotline reporting system
- Identify potential risks
- Evaluate “soft controls” such as:
  - Culture: posters and charts in elevators and breakrooms communicate organizational vision, strategy, and values, but does employee behavior align with department values?
  - Employee knowledge, expertise, assignment of authority and responsibility.

22 Objective of Questions 1-4
To evaluate the effectiveness of the hotline reporting system by evaluating:
- Employee awareness
- Fear of retaliation
- Whether employees feel appropriate action will be taken

23 Question #1 I know what action to take if I become aware of potentially unethical or fraudulent activity; a communication channel exists to report the activity.

24 Question #2 Employees who report potentially unethical or fraudulent behavior are protected from retaliation.

25 Question #3 If potential wrongdoing is reported to my supervisor, I am confident that the matter will be adequately considered and any known wrongdoing will be addressed.

26 Question #4 Are you aware of any instances of potentially unethical or fraudulent activity?

27 Potential Unethical or Fraudulent Activity
- Matters previously reported and addressed by the department (5)
- Employee time abuse (4)
- Improperly influencing team performance metrics (4)
- Improperly accessing or sharing private information (3)
- Personal use of office supplies or equipment (2)
- Customer fraud (1)

28 Objective of Question #5
To identify potential risks; this supports the “Risk Assessment” component of the internal control framework.

29 Question #5 If unethical or fraudulent activity were to occur, how would it most likely occur?
150 employees responded; specific instances included:
- Inappropriate Access (69): Concerns included accessing family member cases, misuse of information, identity theft, information security, customer privacy, etc.
- Inappropriate Case Management (38): Concerns included issuing benefits inappropriately, not following policy and procedure, entering incorrect information intentionally, etc.
- Employee Misconduct (33): Concerns included time abuse, employee theft, creating a fraudulent case, etc.
- Conflict of Interest (18): Concerns included customer relationships, provider relationships, favoritism, etc.

30 Question #5 (continued)
- Management Concerns (13): Providing preference when hiring, promoting and making work assignments, influencing information to achieve performance metrics, not following policies and procedures, etc.
- Customer Fraud (9): Concerns included customers not reporting information accurately, EBT card misuse, household composition, etc.
- Mistakes / Errors (8): Concerns included lack of training or education.
- Other (9): Concerns included provider fraud, collusion, purchasing, billing, etc.
The number of responses in the bulleted list exceeds the total who responded because some employees identified more than one area where fraud could occur.

31 Objective of Questions #6-8
To identify potential risks related to employee knowledge and expertise; this supports the “Risk Assessment” and “Control Environment” components of the internal control framework.

32 Question #6 I have the knowledge, skills and experience to effectively perform my job.

33 Question #7 Training resources are available to help me effectively perform my job.

34 Question #8 Appropriate supervision is available to help me effectively perform my job.

35 Objective of Question #9
To identify whether policies effectively communicate employee authority and responsibility; this supports the “Control Environment”, “Control Activities” and “Information & Communication” components of the internal control framework.

36 Question #9 Written policies and procedures adequately define the authority and responsibility of my job.

37 Objective of Question #10
To identify whether policies effectively communicate employee authority and responsibility; this supports the “Control Environment”, “Control Activities” and “Information & Communication” components of the internal control framework.

38 Question #10 The importance of protecting confidential customer, employee, or department information has been adequately communicated to me.

39 Objective of Question #11
To identify potential risks; this supports the “Risk Assessment” component of the internal control framework.

40 Question #11 Please note any other matters or suggestions in the space provided.
51 employees responded; responses included:
- Positive Comments: keep up the good work, online training is helpful, managers and team are helpful.
- Management Support: providing more opportunities for advancement, supervisor accessibility, distributing workload, etc.
- Policies and Procedures: ensure policies are clear, succinct, well organized and regularly communicated to staff.
- Training: provide job-specific training, improve and simplify existing training, provide timely training related to changes to programs, etc.
- Operational: increasing the number of available shred bins and improving physical security.

41 Question #12 Does your job function involve managing or supervising staff?

42 Question #13 If you would like to be contacted by the Internal Audit Division to provide additional information or report a concern, please provide your name, phone number, and address. Six employees provided contact information. Four did not have concerns and provided contact information without knowing it was only if they would like to be contacted to report a concern. Two indicated that they may contact internal audit at a future date, but had no additional matters to communicate at this time.

43 Now What? Contact Information: Van Christensen –

