Post on 19-Dec-2015
Risk Management And Internal Control Guidelines
Tennessee Department of Finance and Administration
Tennessee Comptroller of the Treasury
August 2007
INTRODUCTION
MANAGEMENT’S GUIDE TO RISK MANAGEMENT AND INTERNAL CONTROL
INTRODUCTION (CONT’D)
Enterprise Risk Management
- Changing Political And Regulatory Environment
- Sarbanes-Oxley Act
- General Accounting Office
- AICPA Auditing Standards
INTRODUCTION (CONT’D)
- Internal Control and Governance Problems
- Results of Texas State Comptroller’s ERM Implementation
- Texas State Auditor Considers Increased Accountability a Priority
INTRODUCTION (CONT’D)
Committee Of Sponsoring Organizations Of The Treadway Commission
- First report: Internal Control—Integrated Framework
- Second report: Enterprise Risk Management—Integrated Framework
INTRODUCTION (CONT’D)
- Guidance: Education and Tools
- Agency Heads’ Responsibility
OVERVIEW
Overview
- Relationship of COSO I and II
- COSO Cube (three-dimensional matrix)
- Objectives
- Components
- Entity Unit
- Effectiveness
- Roles and responsibilities
Relationship of COSO I to COSO II
Internal Control—Integrated Framework (COSO I)
- Still important for entities looking at internal control by itself
Enterprise Risk Management—Integrated Framework (COSO II)
- Broader than internal control
- Expands and elaborates on internal control
- Focuses more fully on risk
- Introduces the concepts of risk appetite, risk tolerance, and portfolio view
COSO Cube
- Direct relationship between objectives and enterprise risk components
- Focus on the entirety of an entity’s ERM, or by objectives category, component, entity unit, or any subset thereof
Objectives Categories
- Strategic
- Effectiveness and efficiency of operations
- Integrity and reliability of reporting
- Compliance with applicable laws, regulations, contracts, and grant agreements
- Stewardship of assets
Components
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
Effectiveness
- Are the 8 components present and functioning effectively?
- The components are criteria for effective ERM
- Present and functioning properly = no significant deficiencies and material weaknesses
- Testing the operating effectiveness of controls is different from obtaining evidence of implementation; it considers:
  - How controls were applied during the period
  - Consistency with which controls were applied
  - By whom and by what means they were applied
Roles and Responsibilities
- Audit committee, board of directors, or other oversight body
- Commissioner/director/department head
- Senior management
- Internal audit
- Other entity personnel
SECTION I
INTERNAL ENVIRONMENT
SECTION I: INTERNAL ENVIRONMENT
What is it?
Risk Management Philosophy
- Set of shared beliefs and attitudes
- Reflects the entity’s values, influencing its culture and operating style
- Affects how risks are identified, kinds of risks accepted, and how they are managed
Internal Environment (cont’d)
Risk Appetite
- Amount of risk management is willing to accept
- Influences the entity’s culture and operating style
Oversight by Audit Committee (or by another group)
- May significantly influence elements of the Internal Environment
Internal Environment (cont’d)
Integrity and Ethical Values
- Management’s values
- Code of conduct
Commitment to Competence
- Knowledge and skills of staff
- How well tasks need to be accomplished
Internal Environment (cont’d)
Organizational Structure
- Framework to plan, execute, control, and monitor activities
Assignment of Authority and Responsibility
- Extent of authority and responsibility
Human Resource Standards
- Staff development, training, and evaluation
SECTION II
OBJECTIVE SETTING
Objective Setting
EVERY AGENCY FACES A VARIETY OF RISKS FROM EXTERNAL AND INTERNAL SOURCES, AND A PRECONDITION TO EFFECTIVE EVENT IDENTIFICATION, RISK ASSESSMENT, AND RISK RESPONSE IS ESTABLISHMENT OF OBJECTIVES
Objective Setting
OBJECTIVES MUST EXIST BEFORE MANAGEMENT CAN IDENTIFY POTENTIAL EVENTS AFFECTING THEIR ACHIEVEMENT
ENTERPRISE RISK MANAGEMENT (ERM) ENSURES THAT MANAGEMENT HAS IN PLACE A PROCESS TO SET OBJECTIVES AND THAT THE CHOSEN OBJECTIVES SUPPORT AND ALIGN WITH THE AGENCY’S MISSION AND ARE CONSISTENT WITH ITS RISK APPETITE
Objective Setting
WHILE AN AGENCY’S MISSION AND STRATEGIC OBJECTIVES ARE GENERALLY STABLE, ITS STRATEGY AND MANY RELATED OBJECTIVES ARE MORE DYNAMIC AND ADJUSTED FOR CHANGING INTERNAL AND EXTERNAL CONDITIONS
AS CONDITIONS CHANGE, STRATEGY AND RELATED OBJECTIVES ARE REALIGNED WITH STRATEGIC OBJECTIVES
Objective Setting
IN CONSIDERING WAYS TO ACHIEVE ITS STRATEGIC OBJECTIVES, MANAGEMENT IDENTIFIES RISKS ASSOCIATED WITH A RANGE OF STRATEGY CHOICES AND CONSIDERS THEIR IMPLICATIONS
VARIOUS EVENT IDENTIFICATION AND RISK ASSESSMENT TECHNIQUES ARE USED IN THE STRATEGY-SETTING PROCESS
Objective Setting
BY FOCUSING FIRST ON STRATEGIC OBJECTIVES AND STRATEGY, AN AGENCY IS IN A POSITION TO DEVELOP RELATED OBJECTIVES
AGENCY-WIDE OBJECTIVES ARE THEN LINKED TO AND INTEGRATED WITH MORE SPECIFIC OBJECTIVES THAT CASCADE THROUGH THE ORGANIZATION TO SUB-OBJECTIVES ESTABLISHED FOR VARIOUS ACTIVITIES
Objective Setting
OBJECTIVES NEED TO BE READILY UNDERSTOOD AND MEASURABLE
ERM REQUIRES THAT PERSONNEL AT ALL LEVELS HAVE AN UNDERSTANDING OF THE AGENCY’S OBJECTIVES AS THEY RELATE TO THAT INDIVIDUAL’S SPHERE OF INFLUENCE
ALL EMPLOYEES MUST HAVE A MUTUAL UNDERSTANDING OF WHAT IS TO BE ACCOMPLISHED AND A MEANS OF MEASURING WHAT IS BEING ACCOMPLISHED
Objective Setting
THREE BROAD CATEGORIES OF OBJECTIVES
- OPERATIONS
- REPORTING
- COMPLIANCE
SMART OBJECTIVES
- Specific: Use specific terms rather than vague, abstract ones
- Measurable: Include some method for objectively measuring their achievement
- Achievable: Are challenging but realistic
- Relevant: Follow the business strategy of the organization
- Timely: Specify a time period
Objective Setting
EFFECTIVE ERM PROVIDES REASONABLE ASSURANCE THAT AN AGENCY’S REPORTING AND COMPLIANCE OBJECTIVES ARE BEING ACHIEVED
HOWEVER, BECAUSE ACHIEVEMENT OF OPERATIONS OBJECTIVES IS NOT SOLELY WITHIN AN AGENCY’S CONTROL (i.e. IT IS SUBJECT TO EXTERNAL EVENTS), ERM PROVIDES REASONABLE ASSURANCE THAT MANAGEMENT IS MADE AWARE, ON A TIMELY BASIS, OF THE EXTENT TO WHICH THE AGENCY IS MOVING TOWARD THE ACHIEVEMENT OF THESE OBJECTIVES
Objective Setting
• STRATEGIES OF THE BUSINESS
• KEY BUSINESS OBJECTIVES
• RELATED OBJECTIVES THAT CASCADE DOWN THE ORGANIZATION FROM KEY BUSINESS OBJECTIVES
• ASSIGNMENT OF RESPONSIBILITIES TO ORGANIZATIONAL ELEMENTS AND LEADERS (LINKAGE)
Objective Setting
EFFECTIVE ERM DOES NOT DICTATE WHICH OBJECTIVES MANAGEMENT SHOULD CHOOSE, BUT THAT MANAGEMENT HAS A PROCESS THAT ALIGNS STRATEGIC OBJECTIVES WITH AN AGENCY’S MISSION AND ENSURES THAT THE ENTITY’S CHOSEN STRATEGIC AND RELATED OBJECTIVES ARE CONSISTENT WITH THE AGENCY’S RISK APPETITE
Objective Setting – Risk appetite
RISK APPETITE IS A GUIDEPOST IN STRATEGY SETTING
THERE IS A RELATIONSHIP BETWEEN AN AGENCY’S RISK APPETITE AND ITS STRATEGY
DIFFERENT STRATEGIES CAN BE USED TO ACHIEVE DESIRED RETURN, EACH HAVING DIFFERENT RISK
Objective Setting – Risk appetite
RISK APPETITE IS THE AMOUNT OF RISK, ON A BROAD LEVEL, AN AGENCY IS WILLING TO ACCEPT IN PURSUIT OF ITS MISSION, VISION, BUSINESS OBJECTIVES AND VALUE GOALS
DIRECTLY RELATED TO AN AGENCY’S CULTURE, CAPABILITY, RISK CAPACITY AND STRATEGY
SHOULD CONSIDER RISK APPETITE BOTH QUALITATIVELY AND QUANTITATIVELY - IT IS MANY TIMES EXPRESSED IN ACCEPTABLE/UNACCEPTABLE OUTCOMES OR LEVEL OF RISK
Objective Setting – Risk appetite
SOME POSSIBLE QUESTIONS
- WHAT RISKS WILL THE AGENCY NOT ACCEPT? (For example, environmental or quality compromises)
- ARE THERE SPECIFIC RISKS THAT THE AGENCY IS NOT PREPARED TO ACCEPT? (For example, risks that could result in non-compliance with federal regulations)
- IS THE AGENCY PREPARED TO ENTER INTO PROGRAMS WITH LOWER LIKELIHOOD OF SUCCESS BUT LARGER POTENTIAL RETURNS?
Objective Setting – Risk appetite
USE OF A LIKELIHOOD-IMPACT ASSESSMENT (MATRIX) IS A GOOD TOOL IN DOCUMENTING RISK APPETITE
FOR EACH RISK, FREQUENCY OF OCCURRENCE (PROBABILITY) AND WORST OUTCOME (IMPACT) ARE ASSESSED AND CAPTURED IN A MATRIX
THE MATRIX IS THEN COMPARED WITH A CHARTED RISK APPETITE MAP THAT OUTLINES THE MAXIMUM ADVERSE RISK AN AGENCY IS WILLING TO ACCEPT
Impact vs. Probability
[Chart: a likelihood-impact matrix with IMPACT on one axis and PROBABILITY on the other, each running from Low to High; the chart is divided into a region labelled “Within Risk Appetite” and a region labelled “Exceeds Risk Appetite”]
Objective Setting – Risk tolerance
RISK TOLERANCE, THE ACCEPTABLE LEVEL OF VARIATION AROUND OBJECTIVES, MUST BE ALIGNED WITH RISK APPETITE
REQUIRES THE ARTICULATION OF ACCEPTABLE VARIABILITY FROM THE SPECIFIED RISK APPETITE FOR ALL POSSIBLE OUTCOMES
OPERATIONALIZES THE RISK APPETITE; GENERALLY EXPRESSED IN TERMS OF RISK MEASURES OR OUTCOMES
Objective Setting – Risk tolerance
SHOULD BE SET SUCH THAT THE AGGREGATION OF RISK TOLERANCES ENSURES THE ORGANIZATION OPERATES WITHIN THE RISK APPETITE
SECTION III
EVENT IDENTIFICATION
EVENT IDENTIFICATION
INTERNAL AND EXTERNAL EVENTS AFFECTING ACHIEVEMENT OF AN AGENCY’S OBJECTIVES MUST BE IDENTIFIED, DISTINGUISHING BETWEEN RISKS AND OPPORTUNITIES
MANAGEMENT IDENTIFIES POTENTIAL EVENTS THAT, IF THEY OCCUR, WILL AFFECT THE AGENCY, AND IN WHAT MANNER
Event identification
EVENTS WITH A POSITIVE IMPACT REPRESENT OPPORTUNITIES THAT SHOULD BE CHANNELED BACK INTO MANAGEMENT’S STRATEGY OR OBJECTIVE-SETTING PROCESSES
EVENTS WITH A NEGATIVE IMPACT REPRESENT RISKS, WHICH REQUIRE MANAGEMENT’S ASSESSMENT AND RESPONSE
Event identification
AN EVENT IS AN INCIDENT OR OCCURRENCE ARISING FROM INTERNAL OR EXTERNAL SOURCES THAT AFFECTS IMPLEMENTATION OF STRATEGY OR ACHIEVEMENT OF OBJECTIVES
A NUMBER OF EXTERNAL AND INTERNAL FACTORS DRIVE EVENTS
Event identification
CONTRIBUTING EXTERNAL FACTORS
- ECONOMIC
- NATURAL ENVIRONMENT
- POLITICAL
- SOCIAL
CONTRIBUTING INTERNAL FACTORS
- INFRASTRUCTURE
- PERSONNEL
- PROCESS
- TECHNOLOGY
SOME TYPICAL GOVERNMENT RISKS (Achieving Service Delivery)
- Economic changes, such as lower economic growth, reduce tax revenue and opportunities to provide a wider range of services, or limit the availability or quality of existing services
- Failure to innovate, leading to sub-standard services
- Loss or misappropriation of funds through fraud or impropriety
- Environmental damage caused by failure of regulations or the government inspection regime
- Inconsistent policy objectives resulting in unwanted outcomes
- Project delays, cost overruns, and inadequate quality standards
- Inadequate skills or resources to deliver services as required
- Failure of contractors, partners, or other government agencies to provide services as required
- Failure to properly evaluate pilot projects before a new service is introduced may result in problems when the service becomes fully operational
- Failure to measure performance adequately
- Technical risk – failure to keep pace with technical developments, or investment in inappropriate or mismatched technology
- Inadequate service plans to maintain continuity of service delivery
- Failure to monitor implementation
Event identification
AN AGENCY’S EVENT IDENTIFICATION METHODOLOGY MAY BE COMPRISED OF A COMBINATION OF TECHNIQUES, TOGETHER WITH SUPPORTING TOOLS
TECHNIQUES VARY WIDELY IN LEVEL OF SOPHISTICATION
EXAMPLES OF TECHNIQUES FOR IDENTIFYING EVENTS:
• EVENT INVENTORIES (LISTING COMMON POTENTIAL EVENTS)
• INTERNAL ANALYSIS (COMPLETED AS PART OF A ROUTINE PLANNING CYCLE PROCESS, TYPICALLY THROUGH STAFF MEETINGS)
• ESCALATION OR THRESHOLD TRIGGERS (COMPARE CURRENT TRANSACTIONS OR EVENTS WITH PREDEFINED CRITERIA)
• FACILITATED WORKSHOPS AND INTERVIEWS (DRAW ON ACCUMULATED KNOWLEDGE AND EXPERIENCE OF MANAGEMENT, STAFF AND STAKEHOLDERS THROUGH STRUCTURED DISCUSSIONS)
Event identification
POTENTIAL EVENTS ARE ALSO IDENTIFIED ON AN ONGOING BASIS IN CONNECTION WITH ROUTINE BUSINESS ACTIVITIES, SUCH AS:
- INDUSTRY/TECHNICAL CONFERENCES
- PEER WEBSITES
- BENCHMARKING REPORTS
- TRADE & PROFESSIONAL JOURNALS
- MEDIA REPORTS
- MONTHLY MANAGEMENT REPORTS
Event identification
ANOTHER USEFUL TOOL IS TO INTRODUCE AN INTERMEDIATE STEP - IDENTIFYING WHAT YOU DEPEND UPON TO ACHIEVE YOUR OBJECTIVES
THIS IS SOMETIMES MUCH EASIER THAN TRYING TO THINK ABOUT ALL THE EVENTS THAT COULD PREVENT SUCCESS
Event identification
EVENTS DO NOT OCCUR IN ISOLATION – ONE EVENT CAN TRIGGER ANOTHER AND EVENTS CAN OCCUR CONCURRENTLY
MANAGEMENT SHOULD UNDERSTAND HOW EVENTS RELATE TO ONE ANOTHER
Event identification
IT MAY BE USEFUL TO GROUP EVENTS INTO CATEGORIES (i.e. GROUPS OF SIMILAR POTENTIAL EVENTS)
SIMILAR EVENTS SHOULD BE COMBINED TO DEVELOP AN INITIAL RISK UNIVERSE AND DETERMINE HOW TO TRACK AND UPDATE THE LISTING OF POTENTIAL EVENTS AND RISKS
Event identification
FINANCIAL FOLKS NEED TO REMEMBER THAT:
EVENT IDENTIFICATION NEEDS TO INVOLVE A COMPLETE CROSS-SECTION OF MANAGEMENT, AS POSSIBLE EVENTS INCLUDE BUSINESS SCENARIOS OF WHICH FINANCIAL MANAGEMENT MAY NOT BE AWARE
INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED
1. THE ORGANIZATION DEFINES GOALS AND OBJECTIVES FOR THE ENTERPRISE AS A WHOLE
2. AN EFFECTIVE STRATEGIC PLANNING PROCESS IS IN PLACE TO FORMULATE STRATEGIES THAT WILL ENABLE THE ORGANIZATION TO ACHIEVE ITS BUSINESS OBJECTIVES
INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED (CONT’D)
3. BUSINESS STRATEGIES ARE CLEARLY ARTICULATED, WITH OBJECTIVES LINKED TO EACH
4. THE RISK IDENTIFICATION PROCESS IS DESIGNED TO MAKE A CLEAR LINK BETWEEN THE ORGANIZATION’S OBJECTIVES AND THE ASSOCIATED RISKS
INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED (CONT’D)
5. RISK TO THE ACHIEVEMENT OF OBJECTIVES IS EVALUATED TO ENSURE IT DOES NOT EXCEED THE LEVELS OF RISK DETERMINED BY MANAGEMENT AS ACCEPTABLE
6. ACCEPTABLE TOLERANCE LIMITS ON THE RISK TO THE ACHIEVEMENT OF KEY OBJECTIVES HAVE BEEN DETERMINED
7. MANAGEMENT USES MEANINGFUL PERFORMANCE MEASURES IN MONITORING RESULTS AGAINST THE SET TOLERANCES
INDICATORS THAT THE ERM EVENT IDENTIFICATION PRINCIPLES ARE IMPLEMENTED
1. DATA ON THE BUSINESS OPERATING ENVIRONMENT (POLITICAL, ECONOMIC, ETC., EVENTS) IS CAPTURED AND REGULARLY EVALUATED IN TERMS OF ITS POTENTIAL IMPACT UPON THE ORGANIZATION’S BUSINESS OBJECTIVES
2. A PORTFOLIO OF EVENTS THAT COULD AFFECT THE ACHIEVEMENT OF OBJECTIVES (INTERNAL AND EXTERNAL) HAS BEEN PREPARED
3. EVENTS ARE LINKED TO, AND RISK IS EVALUATED BY, INDIVIDUAL OBJECTIVE
INDICATORS THAT THE ERM EVENT IDENTIFICATION PRINCIPLES ARE IMPLEMENTED (CONT’D)
4. GOALS AND OBJECTIVES FOR IDENTIFYING EVENTS AND THE RELATED RISKS EXIST AND ARE COMMUNICATED TO ALL SEGMENTS OF THE ORGANIZATION
5. RESPONSIBILITIES AND ACCOUNTABILITIES FOR RISK IDENTIFICATION ARE CLEARLY DEFINED AND UNDERSTOOD
6. RISK IS CONSIDERED IN TERMS OF NOT JUST ISOLATED EVENTS BUT ALSO INTER-RELATED EVENTS
7. EVENTS ARE CATEGORIZED INTO USEFUL GROUPS TO FACILITATE THE AGGREGATION OF INFORMATION FOR PURPOSES OF ASSESSING RISKS
8. THE ORGANIZATION EVALUATES EVENTS IN THE CONTEXT OF THE POTENTIAL UPSIDES (OPPORTUNITIES) AS WELL AS THE DOWNSIDE (RISKS)
Event identification
THE NEXT TOPIC, OR THE RISK ASSESSMENT COMPONENT, ALLOWS AN AGENCY TO CONSIDER THE EXTENT TO WHICH POTENTIAL EVENTS MIGHT HAVE AN IMPACT ON ACHIEVEMENT OF OBJECTIVES
SECTION IV
RISK ASSESSMENT
Risk Assessment
Risk is “the possibility that an event will occur and adversely affect the achievement of objectives,” thereby decreasing value for the entity’s stakeholders.
Risk Assessment
- Risks are analyzed and assessed as to their likelihood and impact
- Management considers the mix of future events, both expected & unexpected
- Useful first step – often a “brainstorming” session
- What is the “worst that could happen,” or the “worst that happened?”
Consider the “Risk Appetite”
Broadly defined as amount of risk an entity is willing to accept in pursuing its objectives.
For most government entities: risk appetite is fairly low!
Related is risk tolerance: “tolerable level of variation associated w/ a particular objective.”
Consider Both Inherent & Residual Risk
- Inherent – risk without any management activity, i.e., before controls are in place. Example: the inherent risk of payment card use, which payment card policies and procedures are meant to mitigate.
- Residual – the level of risk that remains after management has a plan in place to deal with the risk. Example: the residual risk that remains after payment card policies are in place.
Consider Both Likelihood and Impact
- Likelihood: the possibility that an event will occur, measured as “low, medium, high,” as a percentage, or as some frequency of occurrence.
- Impact: the effect on the agency or on others.
Risk Assessment Uses Qualitative and Quantitative Methods
- Quantitative methods are more precise.
- Qualitative methods are necessary in situations where the business activity does not lend itself to quantitative evaluation, or where quantitative evaluation is not cost-effective.
- The choice should reflect the needs of the business unit and its employees.
Consider Risk in Objective Setting
The framework of objectives: strategic, operational, reporting, and compliance (see the COSO cube).
There is typically considerable overlap among these categories. Several examples follow.
Example: Operational
Risk that subrecipients in HIV/AIDS program are being reimbursed for unsupported expenditures.
Assessment – Extent of reimbursement and frequency is analyzed. Note that paying subrecipient invoices for which no documentation exists subjects agency to possible fraud.
Example: Reporting
Risk that management does not notify the Comptroller’s Office of overpayments, and fails to recover the funds.
Assessment – Assess why there was a breakdown in both state policy and actual recoupment. Note that lack of notification negates the possibility of a thorough investigation.
SECTION V RISK RESPONSE
V – Risk Response
“Having assessed relevant risks, management determines how it will respond, reviewing likelihood and impact, evaluating costs and benefits, and selecting options that bring residual (remaining risk) within the entity’s risk tolerances.”
The Four Categories of Risk Response:
- Avoidance: not participating in events that give rise to risk.
- Reduction: specific actions taken to reduce likelihood or impact, or both.
- Sharing: reducing likelihood or impact by sharing a portion of the risk (e.g., insurance).
- Acceptance: no action is taken; the entity “learns to live with the risk” and monitors it.
Additional Factors in Risk Response
- For many risks, responses are obvious & well accepted.
- Response to risk may affect other factors, or affect likelihood/impact differently.
- Cost/Benefit – often cost side easier to analyze; benefit side may be more subjective.
- Risk response may lead to improvements in service areas or additional value.
- Considers both inherent and residual risk.
A Portfolio Perspective
The ERM approach requires that risk be considered from a “portfolio” or entity-wide perspective.
Management first determines risk in each division or business unit, then develops a composite assessment of risk reflecting the unit’s residual risk profile relative to its objectives and risk tolerances.
A Portfolio View of Risk:
Can be depicted in several ways – focusing on major risk or event categories across divisions, program units, etc.
While the risk in each program unit may be within its risk tolerance, taken together the risks may exceed the risk appetite of the entity, or have common elements that raise concerns.
Back to our previous examples:
1. Risk: Subrecipients in HIV/AIDS programs are routinely reimbursed for unsupported expenditures.
   Response: After further analysis, a corrective action plan identified and remedied failures in the reimbursement process, establishing a cost-effective methodology to monitor expenditures.
And our other example…
2. Risk: Management did not notify the Comptroller of the Treasury of overpayments and failed to recoup the overpaid funds.
   Response: The corrective action plan requires compliance with Policy 11 and reviews recoupment procedures.
SECTION VI CONTROL ACTIVITIES
Integration with Risk Responses
Control activities generally are established to ensure risk responses are carried out. However, control activities themselves are risk responses.
Integration with Risk Responses
Risk responses and the control activities that carry them out:
- Share risk: the agency participates in the state’s collateral pool or risk management fund.
- Reduce risk: reduces likelihood and impact, e.g., a disaster recovery plan in place to reduce the impact of a natural disaster.
- Risk avoidance: policies that forbid certain “risky business,” e.g., the agency is not authorized to invest in certain risky investment instruments.
- Risk acceptance: monitoring of certain activities that are deemed high risk, e.g., high-risk investments.
CONTROL ACTIVITIES
A single control activity can address multiple risk responses, or multiple control activities may be needed for one risk response.
Types of Control Activities
- Preventive
- Detective
- Manual (People Based)
- Automated (System Based)
Types of Control Activities
Preventive controls are more reliable:
1. They prevent errors.
2. Proactive approach – frees up people resources.
Types of Control Activities
Reliability continuum, from less reliable to more reliable:
LESS RELIABLE
- Detective, people based
- Preventive, people based
- Detective, automated
- Preventive, automated
MORE RELIABLE
Types of Control Activities
Reconciliations (Detective)
- Personnel approving or executing transactions should not perform reconciliations.
Reviews (Detective)
- Budget to actual
- Current to prior period comparisons
- Performance measurements
Types of Control Activities
Approval/Authorizations (Preventive)
- Policies and procedures
- Limits to authority
- Supporting documentation
- Question unusual items
Types of Control Activities
Asset Security (Preventive and Detective)
- Physical safeguards
- Record retention
- Periodic counts/inventories
Types of Control Activities
Segregation of Duties (Preventive and Detective)
The following functions should be segregated:
- Approval
- Accounting/Reconciling
- Asset Custody
Levels of Control Activities
- Entity Level Controls: controls management implements to establish the appropriate tone at the top (strategic objectives). E.g., employees sign a code of conduct.
- Process Level Controls: mitigate risks involved in initiating, recording, processing, or reporting transactions.
- IT and Application Controls: further mitigate process level risks.
Levels of Control Activities
- Pervasive level: adequate training of personnel, access restrictions, authorization, segregation of duties.
- Specific level: validation, reconciliation.
CONTROL ACTIVITIES
The Writing on the Wall
Applying too narrow a focus to the identification of risks can lead to overlooking potential risks and issues.
Think about risks without considering the existing processes and controls in place.
Effectiveness and Efficiency
Control activities must be tested to ensure there are no material weaknesses or significant deficiencies.
Management should also ensure that control activities are carried out in a timely manner. Internal auditors may support management by providing assurance on the effectiveness and efficiency of control activities.
Control Activities Worksheet
The worksheet provided in Section VI can be used as a template for documenting risks and related controls.
It is divided into 3 parts:
- Part I: Strategic, Operations, and Reporting Objectives
- Part II: Compliance Objectives
- Part III: Fraud
Control Activities Worksheet
- The worksheet is NOT all inclusive.
- N/A responses need to be addressed. Remember the writing on the wall.
- Any policy or procedure used as a risk response in Part I or III should be addressed in Part II, Compliance.
- The template may be modified.
Control Activities Worksheet Part I: Strategic, Operations, and Reporting Objectives
Categorized by business processes:
1. Budget Process
2. Cash Disbursement/Expenditures
3. Cash Receipts/Revenues
4. Cash Management
5. Liabilities
6. Capital Assets/Inventory/Equipment
7. Information Systems/Data Processing
8. Personnel/Employee Compensation
9. Financial Reporting
10. Accounts Receivable
11. Investments
Control Activities Worksheet Part III: Fraud
Categorized by the Association of Certified Fraud Examiners’ categories of fraud:
- Misappropriation of assets
- Corruption
- Fraudulent reporting
Control Activities Worksheet Part III Fraud
Categories should be applied to each business process.
Fraud control risk management should be integrated into the agency's philosophy, practices and business plans rather than be seen or practiced as a separate program. When it is integrated, risk management becomes the business of everyone in the organization.
Control Activities Worksheet Part III: Fraud
Core areas to focus on:
- Information systems
- Contracts
- Grants and other payments or benefits programs
- Purchasing
- Services provided to the community
- Revenue collection
- Use of government credit cards
- Travel allowance and other common allowances
- Salaries
- Property and other physical assets, including physical security
Other Considerations
Risks with large or moderate impact and probable (high) or reasonably possible (medium) likelihood of occurrence are your significant risks. These are the risks you need to address with control activities. No risk response is needed for insignificant risks, but BE CAUTIOUS AND OBJECTIVE. Insignificant risks still need to be documented on the worksheet, and the explanation of their insignificant nature should be documented.
Other Considerations
Inherent Risks − Control Activities = Residual Risks
Ensure you evaluate all insignificant risks not addressed with control activities on an aggregate basis, to ensure your residual risk is within your risk tolerance.
All risks (regardless of significance) should still be included.
Other Considerations
If any of the risks already included in the worksheet are deemed as having a low impact or remote likelihood of occurrence, treat them as risks that are not applicable to your agency and document the explanation on the worksheet.
Don’t forget about abuse.
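As an added example (not part of the guidelines or of the worksheet they describe), the following Python encodes the three rules from the Other Considerations slides: the significance test (large or moderate impact combined with probable or reasonably possible likelihood), the inherent-minus-control-activities view of residual risk, and the aggregate check of insignificant risks against a tolerance, including the requirement that insignificant risks carry a documented explanation. The numeric scales, the points each control removes, the tolerance values and the sample worksheet rows are constructed assumptions; the guidelines name only the qualitative levels.

```python
"""Risk worksheet helper (added example, not from the guidelines).

Rules implemented, as stated on the Other Considerations slides:
  - a risk is significant when its impact is large or moderate AND its
    likelihood is probable (high) or reasonably possible (medium);
  - inherent risk - control activities = residual risk;
  - insignificant risks need a documented explanation and are checked on an
    aggregate basis against the agency's risk tolerance.
The numeric scales, the point reduction per control and the sample risks
are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Ordinal scales (constructed); the guidelines name only the levels.
LIKELIHOOD = {"remote": 1, "reasonably possible": 2, "probable": 3}  # low / medium / high
IMPACT = {"small": 1, "moderate": 2, "large": 3}


@dataclass
class Risk:
    name: str
    process: str           # worksheet business process, e.g. "Cash Management"
    likelihood: str        # key of LIKELIHOOD
    impact: str            # key of IMPACT
    # Control activities applied: (description, points of inherent risk removed).
    controls: List[Tuple[str, int]] = field(default_factory=list)
    explanation: str = ""  # required when the risk is treated as insignificant

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        # Inherent risk minus control activities, floored at zero (constructed model).
        reduction = sum(points for _, points in self.controls)
        return max(self.inherent_score() - reduction, 0)


def is_significant(risk: Risk) -> bool:
    """Large/moderate impact AND probable/reasonably possible likelihood."""
    return (IMPACT[risk.impact] >= IMPACT["moderate"]
            and LIKELIHOOD[risk.likelihood] >= LIKELIHOOD["reasonably possible"])


def worksheet_issues(risks: List[Risk]) -> List[str]:
    """Gaps a reviewer would flag: significant risks with no control activity,
    insignificant risks without the explanation the worksheet requires."""
    issues = []
    for r in risks:
        if is_significant(r) and not r.controls:
            issues.append(f"{r.name}: significant risk with no control activity")
        if not is_significant(r) and not r.explanation:
            issues.append(f"{r.name}: insignificant risk without documented explanation")
    return issues


def aggregate_uncontrolled_residual(risks: List[Risk]) -> int:
    """Residual risk of insignificant items left without controls, summed so
    they are judged together rather than one at a time."""
    return sum(r.residual_score() for r in risks
               if not is_significant(r) and not r.controls)


def within_tolerance(risks: List[Risk], tolerance: int) -> bool:
    return aggregate_uncontrolled_residual(risks) <= tolerance


# Constructed sample worksheet rows, loosely modelled on the deck's two examples.
SAMPLE_RISKS = [
    Risk("Subrecipient reimbursements without supporting documentation",
         "Cash Disbursement/Expenditures", "probable", "large",
         controls=[("Invoice documentation review before payment", 4),
                   ("Periodic expenditure monitoring", 2)]),
    Risk("Overpayments not reported to the Comptroller", "Accounts Receivable",
         "reasonably possible", "moderate",
         controls=[("Policy 11 compliance review", 3)]),
    Risk("Petty cash fund misstatement", "Cash Management", "remote", "small",
         explanation="Fund capped at a small amount; counted monthly"),
    Risk("Minor inventory count variance", "Capital Assets/Inventory/Equipment",
         "remote", "moderate",
         explanation="Annual physical count; variances historically trivial"),
    Risk("Vendor forms received late", "Cash Disbursement/Expenditures",
         "reasonably possible", "small"),  # no explanation: will be flagged
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:<58} inherent={r.inherent_score()} "
              f"residual={r.residual_score()} significant={is_significant(r)}")
    for issue in worksheet_issues(SAMPLE_RISKS):
        print("ISSUE:", issue)
    print("aggregate residual of uncontrolled insignificant risks:",
          aggregate_uncontrolled_residual(SAMPLE_RISKS))
```

Running the script lists the two significant rows with their residual scores, flags the last row for lacking an explanation, and reports an aggregate of 5 for the three insignificant rows; whether that aggregate is acceptable depends on the tolerance the agency sets, which is the point of the slide: individually negligible items can still exceed the tolerance when summed.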
SECTION VII INFORMATION AND COMMUNICATION
Information
- Needed at all levels of an organization to identify, assess, and respond to risks and to run the entity to achieve its objectives
- Internal and external sources
- Financial and nonfinancial
Strategic and Integrated Systems
- Data processing and data management become a shared responsibility
- IS architecture needs to be flexible and agile to effectively integrate with affiliated external parties
- Have management’s risk management techniques contemplated organizational goals in making technology selection and implementation decisions?
Integration with Operations
- Applications facilitate access to information previously trapped in functional or departmental silos; information becomes available for widespread use
- Transactions are recorded and tracked in real time
- Managers have immediate access to financial and operating information, allowing them to control agency activities more effectively
Depth and Timeliness of Information
Information infrastructure sources and captures data in a timeframe and at a depth consistent with an entity’s need to identify, assess, and respond to risks, and remain within risk tolerances
Timeliness needs to be consistent with the rate of change in the entity’s internal and external environments
Information Quality
- Data reliability is a critical attribute of information systems and data-driven automated decision systems
- Inaccurate data results in unidentified risks or poor assessments and bad management decisions
- Quality of information includes ascertaining whether the informational content is appropriate, accurate, timely, accessible, and current
Communication
- Inherent in information systems
- Must provide information to appropriate personnel to carry out strategic, operating, reporting, compliance, and stewardship responsibilities
- Must deal with expectations, responsibilities of individuals and groups, and other important matters
Internal Communication
- Behavioral expectations and responsibilities of personnel
- Clear statement of the entity’s risk management philosophy and approach
- Clear delegation of authority
- Should effectively convey:
  - The importance and relevance of effective ERM
  - The entity’s objectives, risk appetite, and risk tolerances
  - A common risk language
  - Roles and responsibilities of personnel in effecting and supporting the components of ERM
External Communication
- Open external communication channels
- Constituents provide highly significant input on the design and quality of products and services
- Enables an entity to address evolving customer demands or preferences
- Recognize such implications, investigate, and take necessary corrective actions
- Focus on the impact on financial reporting and compliance as well as operating objectives
Means of Communicating
- Actions speak louder than words
- Actions are influenced by the entity’s history and culture
- Operating with integrity
- Culture is well understood throughout the organization
- Embed communications on ERM into an entity’s broad-based, ongoing communications programs and into the fabric of the organization
SECTION VIII MONITORING
Monitoring
- Assessing the presence and functioning of components over time
- Accomplished through:
  - Ongoing monitoring activities
  - Separate evaluations
  - A combination of the two
- ERM changes over time:
  - Once effective risk responses become irrelevant
  - Control activities become less effective or are no longer performed
  - Entity objectives might change
Ongoing Monitoring Activities
Occur through regular management activities:
- Variance analysis
- Comparisons of information with disparate sources
- Dealing with unexpected occurrences
Scope and Frequency
- Evaluations of ERM depend on the significance of risks and the importance of risk responses and related controls in managing the risks
- Address application in strategy setting with respect to significant activities
- Scope depends on which objectives categories are addressed
Who Evaluates
Self assessments: the person responsible for a particular unit or function determines the effectiveness of ERM for their activities
- Division/function head
- Line managers
- Controller
- Senior management
- Internal auditors (management cannot delegate its responsibility)
- External auditors (caution!)
The Evaluation Process
- Evaluating ERM is a process in itself
- Approaches and techniques vary
- A consistent and disciplined approach should be brought to the process:
  - Understand entity activities and the components of ERM being addressed
  - Determine whether the ERM system actually works
  - Discuss with personnel who actually perform or are affected by ERM
  - Analyze ERM process design and the results of tests performed
  - Determine if the process provides reasonable assurance with respect to the stated objectives
Methodology
A variety of evaluation methodologies and techniques are available:
- Checklists
- Questionnaires
- Flowcharting techniques
- Comparing or benchmarking to a best-in-class entity
- Planning steps
- Performance steps
Documentation
- Varies based on the entity’s size, complexity, and similar factors
- Evaluations are more effective and efficient with an appropriate level of documentation
- Document and retain:
  - The evaluation process itself
  - Descriptions of tests and analyses
  - Support for statements to external parties regarding ERM effectiveness
  - Retention policy
Reporting Deficiencies
- Deficiencies noted from:
  - Ongoing monitoring procedures
  - Separate evaluations
  - External parties
- Reported directly to persons directly responsible for achieving the business objectives affected by the deficiency
- Report specific types of deficiencies to senior management and/or the oversight body
- Corrective actions taken or to be taken should be reported back to relevant personnel
What Is Reported
- All identified ERM deficiencies that affect an entity’s ability to develop and implement its strategy and to set and achieve its objectives
- Must report significant deficiencies and material weaknesses; use qualitative and quantitative materiality
- Report identified opportunities to increase the likelihood that entity objectives will be achieved
To Whom to Report
- Determining the right party is critical
- Immediate superiors through normal channels; they in turn communicate upstream or laterally so the information ends up with someone who has the authority to act, e.g., senior management, department head, audit committee, other oversight body
- Consider alternative channels for reporting sensitive information, such as fraud and illegal or improper acts