NSAA/NASC JOINT MIDDLE MANAGEMENT CONFERENCE April 10-12, 2006 Presented by: David R. Hancox, CIA,...
-
Upload
kevin-stafford -
Category
Documents
-
view
213 -
download
0
Transcript of NSAA/NASC JOINT MIDDLE MANAGEMENT CONFERENCE April 10-12, 2006 Presented by: David R. Hancox, CIA,...
NSAA/NASC JOINT MIDDLE MANAGEMENT
CONFERENCE
April 10-12, 2006
Presented by: David R. Hancox, CIA, CGFMCo-Author: Government Performance Audit in ActionFaculty: Siena College and USDA Graduate School, Washington DCDirector of Audits: NYS Comptroller’s Office
Management's Responsibility for Internal Controls Does anyone get it?
David R. Hancox CIA CGFM 2
Scrap Your Thinking About Control
• Controls over people aggravate them
• The more you control someone – the more they rebel
• Strong Controls – But the Wrong Controls
David R. Hancox CIA CGFM 3
Five Components
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring
David R. Hancox CIA CGFM 4
The glue that holds it all together
• Information & Communication
– Communication channels in many
organizations flow top down.
• What’s the top know?
David R. Hancox CIA CGFM 5
Control Environment
• Characteristic of people who have the skill, knowledge, ability and tools to perform a task– Management must ensure that staff possess the
knowledge, skills, and ability necessary to do their jobs
– Management must ensure that staff have what they need – such as equipment, software and policy and procedure manuals
Competence
David R. Hancox CIA CGFM 6
Control Environment
• Management should reflect a commitment to:– Establishing levels of knowledge and skill required for
every position– Verifying the qualifications of job candidates– Hiring and promoting only those with the required
knowledge and skills– Establishing training programs that help employees
increase their knowledge and skills
Competence
David R. Hancox CIA CGFM 7
Control Environment
The attitude people have about their work, as exhibited by their confidence, their
discipline, enthusiasm and their willingness to perform tasks
Morale
David R. Hancox CIA CGFM 8
Control Environment
• Management is responsible to maintain good Morale– Staff should have a sense that:
• Their opinions and contributions are welcomed, valued and recognized
• The organization is willing to help improve their level of competency
• There is opportunity for continuous improvement• They have a stake in the mission, goals and objective of the
organization• The lines of communication are open
Morale
David R. Hancox CIA CGFM 9
Control Environment
• Executive management should set a tone that emphasizes the importance of internal controls, including:– Ongoing education to ensure everyone understands
the internal control system and their role in it– An openness to control self evaluations and internal
and external audits of controls– Responsiveness to issues raised as the result of the
evaluations and audits– Minimal and guarded use of control overrides
Supportive Attitude
David R. Hancox CIA CGFM 10
Components of Internal Controls
• Risks are events that threaten the accomplishment of objectives
• There are both internal and external risks• Examples of risks include:
– Human error– Fraud– System breakdowns– Natural disasters
Assessing and Managing Risk
David R. Hancox CIA CGFM 11
Assessing and Managing Risk
• Identify each risk in terms of:– Likelihood– Significance or impact– Cause
• You don’t know, what you don’t know!
Risk Assessment Process
David R. Hancox CIA CGFM 12
Risk Assessment Process
The probability that an unfavorable event would occur if there were no internal controls or limited internal controls
Likelihood
David R. Hancox CIA CGFM 13
Risk Assessment Process
• A measure of the magnitude of the effect on an organization if the unfavorable event were to occur– Inherent Risk
• Innate to the program, function or activity • Evaluated by the ultimate harm that may be
done or the opportunity that may be lost
Significance or Impact
David R. Hancox CIA CGFM 14
Risk Assessment Process
The Reason why an unfavorable event may occur
Cause
David R. Hancox CIA CGFM 15
LIKELIHOOD
High
Low
Low HighImpact
Judgment
Required
David R. Hancox CIA CGFM 16
Risk Assessment Process
• How to manage risk
• How to prevent or reduce risk
• How to schedule the frequency of internal control system evaluations
• How to manage risk during change
Risk Assessment Considerations
David R. Hancox CIA CGFM 17
Risk Assessment Process
• Accept the risk: Do not establish control activities
• Prevent or reduce the risk: Establish control activities
• Avoid the risk: Do not carry out the function
Managing Risk
David R. Hancox CIA CGFM 18
Risk Assessment Process
• What is the cause of the risk?
• What is the cost of control vs. the cost of the unfavorable event?
• What is the priority of this risk?
Preventing or Reducing Risk
David R. Hancox CIA CGFM 19
Risk Assessment Process
• New processes
• New systems
• Changes in job responsibilities
• Reorganizations
• Changes in personnel
Managing Risk During Change
David R. Hancox CIA CGFM 20
Control Activities
• The cost of the control activity should not exceed the cost incurred if the undesirable event occurred
• Build control activities into business processes and systems as the processes and systems are being designed
• The distribution of resources among the control activities should be based on the significance and likelihood of the risk it is preventing or reducing
Control Activity Considerations
David R. Hancox CIA CGFM 21
Control Activities
• Preventive– Approvals, authorizations
• Detective– Reconciliation’s, audits
Categories
David R. Hancox CIA CGFM 22
Obsolete Control Activities
• Documentation
• Approval and Authorization
• Separation of Duties – in many cases
Commonly Used Control Activities
David R. Hancox CIA CGFM 23
Important Control Activities
• Verification
• Supervision
• Safeguarding Assets
• Reporting