NSAA/NASC JOINT MIDDLE MANAGEMENT CONFERENCE April 10-12, 2006 Presented by: David R. Hancox, CIA,...

NSAA/NASC JOINT MIDDLE MANAGEMENT CONFERENCE

April 10-12, 2006

Presented by: David R. Hancox, CIA, CGFM

Co-Author: Government Performance Audit in Action

Faculty: Siena College and USDA Graduate School, Washington DC

Director of Audits: NYS Comptroller’s Office

Management's Responsibility for Internal Controls

Does anyone get it?



Scrap Your Thinking About Control

• Controls over people aggravate them

• The more you control someone – the more they rebel

• Strong Controls – But the Wrong Controls


Five Components

• Control Environment

• Risk Assessment

• Control Activities

• Information & Communication

• Monitoring


The glue that holds it all together

• Information & Communication

– Communication channels in many organizations flow top down.

• What does the top know?


Control Environment

• Characteristic of people who have the skill, knowledge, ability and tools to perform a task

– Management must ensure that staff possess the knowledge, skills, and ability necessary to do their jobs

– Management must ensure that staff have what they need – such as equipment, software and policy and procedure manuals

Competence


Control Environment

• Management should reflect a commitment to:

– Establishing levels of knowledge and skill required for every position

– Verifying the qualifications of job candidates

– Hiring and promoting only those with the required knowledge and skills

– Establishing training programs that help employees increase their knowledge and skills

Competence


Control Environment

The attitude people have about their work, as exhibited by their confidence, their discipline, enthusiasm and their willingness to perform tasks

Morale


Control Environment

• Management is responsible to maintain good morale

– Staff should have a sense that:

• Their opinions and contributions are welcomed, valued and recognized

• The organization is willing to help improve their level of competency

• There is opportunity for continuous improvement

• They have a stake in the mission, goals and objectives of the organization

• The lines of communication are open

Morale


Control Environment

• Executive management should set a tone that emphasizes the importance of internal controls, including:

– Ongoing education to ensure everyone understands the internal control system and their role in it

– An openness to control self evaluations and internal and external audits of controls

– Responsiveness to issues raised as the result of the evaluations and audits

– Minimal and guarded use of control overrides

Supportive Attitude


Components of Internal Controls

• Risks are events that threaten the accomplishment of objectives

• There are both internal and external risks

• Examples of risks include:

– Human error

– Fraud

– System breakdowns

– Natural disasters

Assessing and Managing Risk


Assessing and Managing Risk

• Identify each risk in terms of:

– Likelihood

– Significance or impact

– Cause

• You don’t know what you don’t know!

Risk Assessment Process


Risk Assessment Process

The probability that an unfavorable event would occur if there were no internal controls or limited internal controls

Likelihood


Risk Assessment Process

• A measure of the magnitude of the effect on an organization if the unfavorable event were to occur

– Inherent Risk

• Innate to the program, function or activity

• Evaluated by the ultimate harm that may be done or the opportunity that may be lost

Significance or Impact


Risk Assessment Process

The reason why an unfavorable event may occur

Cause


[Figure: risk matrix with Likelihood (Low to High) on one axis and Impact (Low to High) on the other; label: "Judgment Required"]


Risk Assessment Process

• How to manage risk

• How to prevent or reduce risk

• How to schedule the frequency of internal control system evaluations

• How to manage risk during change

Risk Assessment Considerations


Risk Assessment Process

• Accept the risk: Do not establish control activities

• Prevent or reduce the risk: Establish control activities

• Avoid the risk: Do not carry out the function

Managing Risk


Risk Assessment Process

• What is the cause of the risk?

• What is the cost of control vs. the cost of the unfavorable event?

• What is the priority of this risk?

Preventing or Reducing Risk


Risk Assessment Process

• New processes

• New systems

• Changes in job responsibilities

• Reorganizations

• Changes in personnel

Managing Risk During Change


Control Activities

• The cost of the control activity should not exceed the cost incurred if the undesirable event occurred

• Build control activities into business processes and systems as the processes and systems are being designed

• The distribution of resources among the control activities should be based on the significance and likelihood of the risk it is preventing or reducing

Control Activity Considerations


Control Activities

• Preventive

– Approvals, authorizations

• Detective

– Reconciliations, audits

Categories


Obsolete Control Activities

• Documentation

• Approval and Authorization

• Separation of Duties – in many cases

Commonly Used Control Activities


Important Control Activities

• Verification

• Supervision

• Safeguarding Assets

• Reporting