
Risk Management And

Internal Control Guidelines

Tennessee Department of Finance and Administration


Tennessee Comptroller of the Treasury
August 2007

INTRODUCTION
MANAGEMENT'S GUIDE TO RISK MANAGEMENT AND INTERNAL CONTROL

INTRODUCTION (CONT'D)

Enterprise Risk Management

Changing Political and Regulatory Environment

Sarbanes-Oxley Act
General Accounting Office
AICPA Auditing Standards

INTRODUCTION (CONT'D)

Internal Control and Governance Problems

Results of Texas State Comptroller's ERM Implementation
Texas State Auditor Considers Increased Accountability a Priority

INTRODUCTION (CONT'D)

Committee of Sponsoring Organizations of the Treadway Commission

First report: Internal Control - Integrated Framework
Second report: Enterprise Risk Management - Integrated Framework

INTRODUCTION (CONT'D)

Guidance: Education and Tools

Agency Head's Responsibility

OVERVIEW

Overview

Relationship of COSO I and II


COSO Cube (three-dimensional matrix)

Objectives
Components
Entity Unit

Effectiveness
Roles and responsibilities

Relationship of COSO I to COSO II

Internal Control - Integrated Framework (COSO I)

Still important for entities looking at internal control by itself

Enterprise Risk Management - Integrated Framework (COSO II)

Broader than internal control
Expands and elaborates on internal control
Focuses more fully on risk
Introduces the concepts of risk appetite, risk tolerance, and portfolio view

COSO Cube

Direct relationship between objectives and enterprise risk components
Focus on the entirety of an entity's ERM, or by objectives category, component, entity unit, or any subset thereof

Objectives Categories

Strategic
Effectiveness and efficiency of operations
Integrity and reliability of reporting
Compliance with applicable laws, regulations,
contracts, and grant agreements
Stewardship of assets

Components

Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring

Effectiveness

Are the 8 components present and functioning effectively?
The components are criteria for effective ERM
Present and functioning properly = no significant deficiencies or material weaknesses
Testing the operating effectiveness of controls is different from obtaining evidence of implementation; it considers:

How controls were applied during the period
Consistency with which controls were applied
By whom and by what means they were applied

Roles and Responsibilities

Audit committee, board of directors, or other oversight body
Commissioner/director/department head
Senior management
Internal audit
Other entity personnel

SECTION I
INTERNAL ENVIRONMENT

What is it?

Risk Management Philosophy

Set of shared beliefs and attitudes
Reflects the entity's values, influencing its culture and operating style
Affects how risks are identified, kinds of risks accepted, and how they are managed

Internal Environment (cont'd)

Risk Appetite

Amount of risk management is willing to accept
Influences the entity's culture and operating style

Oversight by Audit Committee or by another group

May significantly influence elements of the Internal Environment

Internal Environment (cont'd)

Integrity and Ethical Values

Management's values
Code of conduct

Commitment to Competence

Knowledge and skills of staff
How well tasks need to be accomplished

Internal Environment (cont'd)

Organizational Structure

Assignment of Authority and Responsibility

Framework to plan, execute, control, and monitor activities
Extent of authority and responsibility

Human Resource Standards

Staff development, training, and evaluation

SECTION II
OBJECTIVE SETTING

Objective Setting

EVERY AGENCY FACES A VARIETY OF RISKS FROM EXTERNAL AND INTERNAL SOURCES, AND A PRECONDITION TO EFFECTIVE EVENT IDENTIFICATION, RISK ASSESSMENT, AND RISK RESPONSE IS ESTABLISHMENT OF OBJECTIVES

Objective Setting

OBJECTIVES MUST EXIST BEFORE MANAGEMENT CAN IDENTIFY POTENTIAL EVENTS AFFECTING THEIR ACHIEVEMENT

ENTERPRISE RISK MANAGEMENT (ERM) ENSURES THAT MANAGEMENT HAS IN PLACE A PROCESS TO SET OBJECTIVES AND THAT THE CHOSEN OBJECTIVES SUPPORT AND ALIGN WITH THE AGENCY'S MISSION AND ARE CONSISTENT WITH ITS RISK APPETITE

Objective Setting

WHILE AN AGENCY'S MISSION AND STRATEGIC OBJECTIVES ARE GENERALLY STABLE, ITS STRATEGY AND MANY RELATED OBJECTIVES ARE MORE DYNAMIC AND ADJUSTED FOR CHANGING INTERNAL AND EXTERNAL CONDITIONS

AS CONDITIONS CHANGE, STRATEGY AND RELATED OBJECTIVES ARE REALIGNED WITH STRATEGIC OBJECTIVES

Objective Setting

IN CONSIDERING WAYS TO ACHIEVE ITS STRATEGIC OBJECTIVES, MANAGEMENT IDENTIFIES RISKS ASSOCIATED WITH A RANGE OF STRATEGY CHOICES AND CONSIDERS THEIR IMPLICATIONS

VARIOUS EVENT IDENTIFICATION AND RISK ASSESSMENT TECHNIQUES ARE USED IN THE STRATEGY-SETTING PROCESS

Objective Setting

BY FOCUSING FIRST ON STRATEGIC OBJECTIVES AND STRATEGY, AN AGENCY IS IN A POSITION TO DEVELOP RELATED OBJECTIVES
AGENCY-WIDE OBJECTIVES ARE THEN LINKED TO AND INTEGRATED WITH MORE SPECIFIC OBJECTIVES THAT CASCADE THROUGH THE ORGANIZATION TO SUB-OBJECTIVES ESTABLISHED FOR VARIOUS ACTIVITIES

Objective Setting

OBJECTIVES NEED TO BE READILY UNDERSTOOD AND MEASURABLE
ERM REQUIRES THAT PERSONNEL AT ALL LEVELS HAVE AN UNDERSTANDING OF THE AGENCY'S OBJECTIVES AS THEY RELATE TO THAT INDIVIDUAL'S SPHERE OF INFLUENCE
ALL EMPLOYEES MUST HAVE A MUTUAL UNDERSTANDING OF WHAT IS TO BE ACCOMPLISHED AND A MEANS OF MEASURING WHAT IS BEING ACCOMPLISHED

Objective Setting

THREE BROAD CATEGORIES OF OBJECTIVES

OPERATIONS
REPORTING
COMPLIANCE

SMART OBJECTIVES

Specific: use specific terms rather than vague, abstract ones
Measurable: include some method for objectively measuring their achievement
Achievable: are challenging but realistic
Relevant: follow the business strategy of the organization
Timely: specify a time period

Objective Setting

EFFECTIVE ERM PROVIDES REASONABLE ASSURANCE THAT AN AGENCY'S REPORTING AND COMPLIANCE OBJECTIVES ARE BEING ACHIEVED

HOWEVER, BECAUSE ACHIEVEMENT OF OPERATIONS OBJECTIVES IS NOT SOLELY WITHIN AN AGENCY'S CONTROL (i.e., IT IS SUBJECT TO EXTERNAL EVENTS), ERM PROVIDES REASONABLE ASSURANCE THAT MANAGEMENT IS MADE AWARE, ON A TIMELY BASIS, OF THE EXTENT TO WHICH AN AGENCY IS MOVING TOWARD THE ACHIEVEMENT OF THESE OBJECTIVES

Objective Setting

STRATEGIES OF THE BUSINESS

KEY BUSINESS OBJECTIVES

RELATED OBJECTIVES THAT CASCADE DOWN THE ORGANIZATION FROM KEY BUSINESS OBJECTIVES

ASSIGNMENT OF RESPONSIBILITIES TO ORGANIZATIONAL ELEMENTS AND LEADERS (LINKAGE)

Objective Setting

EFFECTIVE ERM DOES NOT DICTATE WHICH OBJECTIVES MANAGEMENT SHOULD CHOOSE, BUT THAT MANAGEMENT HAS A PROCESS THAT ALIGNS STRATEGIC OBJECTIVES WITH AN AGENCY'S MISSION AND ENSURES THAT THE ENTITY'S CHOSEN STRATEGIC AND RELATED OBJECTIVES ARE CONSISTENT WITH THE AGENCY'S RISK APPETITE

Objective Setting: Risk Appetite

RISK APPETITE IS A GUIDEPOST IN STRATEGY SETTING
THERE IS A RELATIONSHIP BETWEEN AN AGENCY'S RISK APPETITE AND ITS STRATEGY
DIFFERENT STRATEGIES CAN BE USED TO ACHIEVE THE DESIRED RETURN, EACH HAVING DIFFERENT RISK

Objective Setting: Risk Appetite

RISK APPETITE IS THE AMOUNT OF RISK, ON A BROAD LEVEL, AN AGENCY IS WILLING TO ACCEPT IN PURSUIT OF ITS MISSION, VISION, BUSINESS OBJECTIVES AND VALUE GOALS
DIRECTLY RELATED TO AN AGENCY'S CULTURE, CAPABILITY, RISK CAPACITY AND STRATEGY
SHOULD CONSIDER RISK APPETITE BOTH QUALITATIVELY AND QUANTITATIVELY; IT IS MANY TIMES EXPRESSED IN ACCEPTABLE/UNACCEPTABLE OUTCOMES OR LEVEL OF RISK

Objective Setting: Risk Appetite

SOME POSSIBLE QUESTIONS

WHAT RISKS WILL THE AGENCY NOT ACCEPT? (For example, environmental or quality compromises)
ARE THERE SPECIFIC RISKS THAT THE AGENCY IS NOT PREPARED TO ACCEPT? (For example, risks that could result in non-compliance with federal regulations)
IS THE AGENCY PREPARED TO ENTER INTO PROGRAMS WITH LOWER LIKELIHOOD OF SUCCESS BUT LARGER POTENTIAL RETURNS?

Objective Setting: Risk Appetite

USE OF A LIKELIHOOD-IMPACT ASSESSMENT (MATRIX) IS A GOOD TOOL IN DOCUMENTING RISK APPETITE
FOR EACH RISK, FREQUENCY OF OCCURRENCE (PROBABILITY) AND WORST OUTCOME (IMPACT) ARE ASSESSED AND CAPTURED IN A MATRIX
THE MATRIX IS THEN COMPARED WITH A CHARTED RISK APPETITE MAP THAT OUTLINES THE MAXIMUM ADVERSE RISK AN AGENCY IS WILLING TO ACCEPT

[Figure: Impact vs. Probability matrix. Vertical axis: Impact, from Low at the bottom to High at the top; horizontal axis: Probability, increasing to High at the right. The high-impact, high-probability region is labelled "Exceeds Risk Appetite"; the low-impact, low-probability region is labelled "Within Risk Appetite".]

Objective Setting: Risk Tolerance

RISK TOLERANCE, THE ACCEPTABLE LEVEL OF VARIATION AROUND OBJECTIVES, MUST BE ALIGNED WITH RISK APPETITE
REQUIRES THE ARTICULATION OF ACCEPTABLE VARIABILITY FROM THE SPECIFIED RISK APPETITE FOR ALL POSSIBLE OUTCOMES
OPERATIONALIZES THE RISK APPETITE
GENERALLY EXPRESSED IN TERMS OF RISK MEASURES OR OUTCOMES

Objective Setting: Risk Tolerance

SHOULD BE SET SUCH THAT THE AGGREGATION OF RISK TOLERANCES ENSURES THE ORGANIZATION OPERATES WITHIN THE RISK APPETITE

SECTION III
EVENT IDENTIFICATION

EVENT IDENTIFICATION

INTERNAL AND EXTERNAL EVENTS AFFECTING ACHIEVEMENT OF AN AGENCY'S OBJECTIVES MUST BE IDENTIFIED, DISTINGUISHING BETWEEN RISKS AND OPPORTUNITIES
MANAGEMENT IDENTIFIES POTENTIAL EVENTS THAT, IF THEY OCCUR, WILL AFFECT THE AGENCY, AND IN WHAT MANNER

Event identification

EVENTS WITH A POSITIVE IMPACT REPRESENT OPPORTUNITIES THAT SHOULD BE CHANNELED BACK INTO MANAGEMENT'S STRATEGY OR OBJECTIVE-SETTING PROCESSES
EVENTS WITH A NEGATIVE IMPACT REPRESENT RISKS, WHICH REQUIRE MANAGEMENT'S ASSESSMENT AND RESPONSE

Event identification

AN EVENT IS AN INCIDENT OR
OCCURRENCE ARISING FROM
INTERNAL OR EXTERNAL SOURCES
THAT AFFECTS IMPLEMENTATION OF
STRATEGY OR ACHIEVEMENT OF
OBJECTIVES
A NUMBER OF EXTERNAL AND
INTERNAL FACTORS DRIVE EVENTS

Event identification

CONTRIBUTING EXTERNAL FACTORS: ECONOMIC, NATURAL ENVIRONMENT, POLITICAL, SOCIAL

CONTRIBUTING INTERNAL FACTORS: INFRASTRUCTURE, PERSONNEL, PROCESS, TECHNOLOGY

SOME TYPICAL GOVERNMENT RISKS

Economic changes such as lower economic growth reduce tax revenue and opportunities to provide a wider range of services, or limit the availability or quality of existing services
Failure to innovate, leading to substandard services
Loss or misappropriation of funds through fraud or impropriety
Environmental damage caused by failure of regulations or the government inspection regime
Project delays, cost overruns and inadequate quality standards
Inconsistent policy objectives resulting in unwanted outcomes

Achieving Service Delivery

Failure to monitor implementation
Inadequate service plans to maintain continuity of service delivery
Inadequate skills or resources to deliver services as required
Failure to measure performance adequately
Failure of contractors, partners or other government agencies to provide services as required
Failure to properly evaluate pilot projects before a new service is introduced, which may result in problems when the service becomes fully operational
Technical risk: failure to keep pace with technical developments, or investment in inappropriate or mismatched technology

Event identification

AN AGENCY'S EVENT IDENTIFICATION METHODOLOGY MAY BE COMPRISED OF A COMBINATION OF TECHNIQUES, TOGETHER WITH SUPPORTING TOOLS

TECHNIQUES VARY WIDELY IN LEVEL OF SOPHISTICATION

EXAMPLES OF TECHNIQUES FOR IDENTIFYING EVENTS:

EVENT INVENTORIES (LISTING COMMON POTENTIAL EVENTS)
INTERNAL ANALYSIS (COMPLETED AS PART OF A ROUTINE PLANNING CYCLE PROCESS, TYPICALLY THROUGH STAFF MEETINGS)
ESCALATION OR THRESHOLD TRIGGERS (COMPARE CURRENT TRANSACTIONS OR EVENTS WITH PREDEFINED CRITERIA)
FACILITATED WORKSHOPS AND INTERVIEWS (DRAW ON ACCUMULATED KNOWLEDGE AND EXPERIENCE OF MANAGEMENT, STAFF AND STAKEHOLDERS THROUGH STRUCTURED DISCUSSIONS)

Event identification

POTENTIAL EVENTS ARE ALSO IDENTIFIED ON AN ONGOING BASIS IN CONNECTION WITH ROUTINE BUSINESS ACTIVITIES, SUCH AS

INDUSTRY/TECHNICAL CONFERENCES
PEER WEBSITES
BENCHMARKING REPORTS
TRADE & PROFESSIONAL JOURNALS
MEDIA REPORTS
MONTHLY MANAGEMENT REPORTS

Event identification

ANOTHER USEFUL TOOL IS TO INTRODUCE AN INTERMEDIATE STEP: IDENTIFYING WHAT YOU DEPEND UPON TO ACHIEVE YOUR OBJECTIVES

THIS IS SOMETIMES MUCH EASIER THAN TRYING TO THINK ABOUT ALL THE EVENTS THAT COULD PREVENT SUCCESS

Event identification

EVENTS DO NOT OCCUR IN ISOLATION
ONE EVENT CAN TRIGGER ANOTHER, AND EVENTS CAN OCCUR CONCURRENTLY
MANAGEMENT SHOULD UNDERSTAND HOW EVENTS RELATE TO ONE ANOTHER

Event identification

IT MAY BE USEFUL TO GROUP EVENTS INTO CATEGORIES (i.e., GROUPS OF SIMILAR POTENTIAL EVENTS)

SIMILAR EVENTS SHOULD BE COMBINED TO DEVELOP AN INITIAL RISK UNIVERSE AND TO DETERMINE HOW TO TRACK AND UPDATE THE LISTING OF POTENTIAL EVENTS AND RISKS

Event identification

FINANCIAL FOLKS NEED TO REMEMBER THAT:
EVENT IDENTIFICATION NEEDS TO INVOLVE A COMPLETE CROSS-SECTION OF MANAGEMENT, AS POSSIBLE EVENTS INCLUDE BUSINESS SCENARIOS OF WHICH FINANCIAL MANAGEMENT MAY NOT BE AWARE

INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED

1. THE ORGANIZATION DEFINES GOALS AND OBJECTIVES FOR THE ENTERPRISE AS A WHOLE
2. AN EFFECTIVE STRATEGIC PLANNING PROCESS IS IN PLACE TO FORMULATE STRATEGIES THAT WILL ENABLE THE ORGANIZATION TO ACHIEVE ITS BUSINESS OBJECTIVES

INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED (CONT'D)

3. BUSINESS STRATEGIES ARE CLEARLY ARTICULATED, WITH OBJECTIVES LINKED TO EACH
4. THE RISK IDENTIFICATION PROCESS IS DESIGNED TO MAKE A CLEAR LINK BETWEEN THE ORGANIZATION'S OBJECTIVES AND THE ASSOCIATED RISKS

INDICATORS THAT THE ERM OBJECTIVE SETTING PRINCIPLES ARE IMPLEMENTED (CONT'D)

5. RISK TO THE ACHIEVEMENT OF OBJECTIVES IS EVALUATED TO ENSURE IT DOES NOT EXCEED THE LEVELS OF RISK DETERMINED BY MANAGEMENT AS ACCEPTABLE
6. ACCEPTABLE TOLERANCE LIMITS ON THE RISK TO THE ACHIEVEMENT OF KEY OBJECTIVES HAVE BEEN DETERMINED
7. MANAGEMENT USES MEANINGFUL PERFORMANCE MEASURES IN MONITORING RESULTS AGAINST THE SET TOLERANCES

INDICATORS THAT THE ERM EVENT IDENTIFICATION PRINCIPLES ARE IMPLEMENTED

1. DATA ON THE BUSINESS OPERATING ENVIRONMENT (POLITICAL, ECONOMIC, ETC.) AND EVENTS IS CAPTURED AND REGULARLY EVALUATED IN TERMS OF THEIR POTENTIAL IMPACT UPON THE ORGANIZATION'S BUSINESS OBJECTIVES
2. A PORTFOLIO OF EVENTS, INTERNAL AND EXTERNAL, THAT COULD AFFECT THE ACHIEVEMENT OF OBJECTIVES HAS BEEN PREPARED
3. EVENTS ARE LINKED TO, AND RISK EVALUATED BY, INDIVIDUAL OBJECTIVE

INDICATORS THAT THE ERM EVENT IDENTIFICATION PRINCIPLES ARE IMPLEMENTED (CONT'D)

4. GOALS AND OBJECTIVES FOR IDENTIFYING EVENTS AND THE RELATED RISKS EXIST AND ARE COMMUNICATED TO ALL SEGMENTS OF THE ORGANIZATION
5. RESPONSIBILITIES AND ACCOUNTABILITIES FOR RISK IDENTIFICATION ARE CLEARLY DEFINED AND UNDERSTOOD
6. RISK IS CONSIDERED IN TERMS OF NOT JUST ISOLATED EVENTS BUT ALSO INTER-RELATED EVENTS
7. EVENTS ARE CATEGORIZED INTO USEFUL GROUPS TO FACILITATE THE AGGREGATION OF INFORMATION FOR PURPOSES OF ASSESSING RISKS
8. THE ORGANIZATION EVALUATES EVENTS IN THE CONTEXT OF THE POTENTIAL UPSIDES (OPPORTUNITIES) AS WELL AS THE DOWNSIDE (RISKS)

Event identification

THE NEXT TOPIC, THE RISK ASSESSMENT COMPONENT, ALLOWS AN AGENCY TO CONSIDER THE EXTENT TO WHICH POTENTIAL EVENTS MIGHT HAVE AN IMPACT ON ACHIEVEMENT OF OBJECTIVES

SECTION IV
RISK ASSESSMENT

Risk Assessment

Risk is the possibility that an event will occur and adversely affect the achievement of objectives, thereby decreasing value for the entity's stakeholders.

Risk Assessment
- Risks are analyzed and assessed as to their likelihood and impact
- Management considers the mix of future events, both expected and unexpected
- A useful first step is often a brainstorming session
- What is the worst that could happen, or the worst that has happened?

Consider the Risk Appetite

Broadly defined as the amount of risk an entity is willing to accept in pursuing its objectives.
For most government entities, risk appetite is fairly low!
Related is risk tolerance: the tolerable level of variation associated with a particular objective.

Consider Both Inherent and Residual Risk

Inherent risk: the risk without any management activity, or before controls are in place. Example: the inherent risk that is mitigated by payment card policies and procedures.

Residual risk: the level of risk that remains after management has a plan in place to deal with the risk. Example: the residual risk that remains after payment card policies are in place.

Consider Both Likelihood and Impact

Likelihood: the possibility an event will occur, measured as low, medium, high, a percentage, or some frequency of occurrence.
Impact: the effect on the agency or on others.

Risk Assessment Uses Qualitative and Quantitative Methods

Quantitative methods are more precise.
Qualitative methods are necessary in situations where the business activity does not lend itself to quantitative evaluation, or where it is not cost-effective.
The choice should reflect the needs of the business unit and its employees.

Consider Risk in Objective Setting

The framework of objectives: strategic, operational, reporting, compliance (see COSO cube).
Typically there is considerable overlap.
Several examples follow.

Example: Operational

Risk that subrecipients in the HIV/AIDS program are being reimbursed for unsupported expenditures.

Assessment: the extent and frequency of reimbursement is analyzed. Note that paying subrecipient invoices for which no documentation exists subjects the agency to possible fraud.

Example: Reporting

Risk that management does not notify the Comptroller's Office of overpayments, and fails to recover the funds.

Assessment: assess why there was a breakdown in both state policy and actual recoupment. Lack of notification negates the possibility of a thorough investigation.

SECTION V
RISK RESPONSE

Risk Response

Having assessed relevant risks, management determines how it will respond, reviewing likelihood and impact, evaluating costs and benefits, and selecting options that bring residual (remaining) risk within the entity's risk tolerances.

The Four Categories of Risk Response:

Avoidance: not participating in events that give rise to risk.
Reduction: specific actions taken to reduce likelihood or impact or both.
Sharing: reducing likelihood or impact by sharing a portion of the risk (e.g., insurance).
Acceptance: no action taken; the entity learns to live with the risk and monitors it.

Additional Factors in Risk Response

- For many risks, responses are obvious and well accepted.
- A response to one risk may affect other factors, or affect likelihood and impact differently.
- Cost/benefit: the cost side is often easier to analyze; the benefit side may be more subjective.
- A risk response may lead to improvements in service areas or additional value.
- Consider both inherent and residual risk.

A Portfolio Perspective

The ERM approach requires that risk be considered from a portfolio or entity-wide perspective.
Management first determines risk in each division or business unit.
It then develops a composite assessment of risk reflecting each unit's residual risk profile relative to its objectives and risk tolerances.

A Portfolio View of Risk:

Can be depicted in several ways, focusing on major risk or event categories across divisions, program units, etc.
While the risk in each program unit may be within its risk tolerance, taken together they may exceed the risk appetite of the entity, or have common elements that raise concerns.

Back to our previous examples:

1. Subrecipients in HIV/AIDS programs are routinely reimbursed for unsupported expenditures.

1. After further analysis, a corrective action plan is identified that remedies failures in the reimbursement process and provides a cost-effective methodology to monitor expenditures.

And our other example:

2. Management did not notify the Comptroller of the Treasury of overpayments and failed to recoup overpaid funds.

2. The corrective action plan requires compliance with Policy 11 and reviews recoupment procedures.

SECTION VI
CONTROL ACTIVITIES

Integration with Risk Responses

Control activities generally are established to ensure risk responses are carried out.
However, control activities themselves are risk responses.

Integration with Risk Responses

Risk responses and example control activities:

Share risk: the agency participates in the state's collateral pool or risk management fund.
Reduce risk: reduces likelihood and impact, e.g., a disaster recovery plan in place to reduce the impact of a natural disaster.
Risk avoidance: policies that forbid certain risky business, e.g., the agency is not authorized to invest in certain risky investment instruments.
Risk acceptance: monitoring of certain activities that are deemed high risk, e.g., high-risk investments.

CONTROL ACTIVITIES

A single control activity can address multiple risk responses, or multiple control activities may be needed for one risk response.

Types of Control Activities

o Preventive
o Detective
o Manual (People Based)
o Automated (System Based)

Types of Control Activities

Preventive controls are more reliable:
1. They prevent errors
2. The proactive approach frees up people resources

Types of Control Activities

LESS RELIABLE: people based (detective, then preventive)
MORE RELIABLE: automated (detective, then preventive)

Types of Control Activities

Reconciliations (Detective)

Personnel approving or executing transactions should not perform reconciliations.

Reviews (Detective)

Budget to actual
Current to prior period comparisons
Performance measurements

Types of Control Activities

Approvals/Authorizations (Preventive)

Policies and procedures
Limits to authority
Supporting documentation
Question unusual items

Types of Control Activities

Asset Security (Preventive and Detective)

Physical safeguards
Record retention
Periodic counts/inventories

Types of Control Activities

Segregation of Duties (Preventive and Detective)

The following functions should be segregated:

Approval
Accounting/Reconciling
Asset Custody
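As an added illustration (not part of the original guidelines), the Python below reviews a constructed user-to-role assignment for segregation-of-duties conflicts across the three functions above, and separately flags roles that by themselves bundle two of those functions. The role names, the role-to-function mapping and the sample users are assumptions made for the example; an agency would populate them from its own access listings.

```python
"""Segregation-of-duties (SoD) review of a user-to-role assignment.

Added example, not part of the Tennessee guidelines. The role names, the
role-to-function mapping and the sample users are constructed assumptions.
"""
from itertools import combinations

# The three functions the guidelines say must be segregated.
APPROVAL = "approval"
RECONCILING = "accounting/reconciling"
CUSTODY = "asset custody"
SEGREGATED = (APPROVAL, RECONCILING, CUSTODY)

# Hypothetical application roles and the function each one exercises.
ROLE_FUNCTIONS = {
    "po_approver": {APPROVAL},
    "ap_clerk": {RECONCILING},
    "bank_reconciler": {RECONCILING},
    "cashier": {CUSTODY},
    "warehouse": {CUSTODY},
    "report_viewer": set(),  # read-only; conflicts with nothing
}

# Any two distinct segregated functions held by one person is a conflict.
CONFLICTING_PAIRS = [frozenset(p) for p in combinations(SEGREGATED, 2)]


def functions_of(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions exercised by a set of roles.

    An unmapped role is an error rather than "harmless": a role nobody has
    classified is exactly where an unreviewed conflict hides.
    """
    funcs = set()
    for role in roles:
        if role not in role_functions:
            raise ValueError(f"role {role!r} has no function mapping")
        funcs |= role_functions[role]
    return funcs


def sod_conflicts(assignments, role_functions=ROLE_FUNCTIONS):
    """Map each user whose combined roles span two or more segregated
    functions to the sorted list of conflicting (function, function) pairs."""
    findings = {}
    for user, roles in assignments.items():
        funcs = functions_of(roles, role_functions)
        pairs = sorted(tuple(sorted(p)) for p in CONFLICTING_PAIRS if p <= funcs)
        if pairs:
            findings[user] = pairs
    return findings


def toxic_roles(role_functions=ROLE_FUNCTIONS):
    """Roles that on their own bundle two segregated functions: a design
    defect that no per-user review can fix, only a role split can."""
    return sorted(r for r, f in role_functions.items() if len(f) > 1)


# Constructed sample: who holds which roles.
SAMPLE_ASSIGNMENTS = {
    "alice": ["po_approver", "report_viewer"],
    "bob": ["po_approver", "bank_reconciler"],        # approves and reconciles
    "carol": ["cashier", "ap_clerk", "po_approver"],  # custody, records and approves
    "dave": ["warehouse"],
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(user, "->", "; ".join(" vs ".join(p) for p in pairs))
    print("toxic roles:", toxic_roles())
```

Run as a script it lists bob (approval plus reconciling) and carol (all three functions); alice and dave are clean. The unmapped-role error is deliberate: treating an unclassified role as harmless would let the check pass on exactly the access nobody has reviewed.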

Levels of Control Activities

Entity Level Controls

Controls management implements to establish the appropriate tone at the top (Strategic Objectives), e.g., employees sign a code of conduct

Process Level Controls

Mitigate risks involved in initiating, recording, processing or reporting transactions

IT and Application Controls

Further mitigate process level risks

Levels of Control Activities

Pervasive Level

Adequate training of personnel
Access restrictions
Authorization
Segregation of duties

Specific Level

Validation
Reconciliation

CONTROL ACTIVITIES

The Writing on the Wall

Applying too narrow a focus to the identification of risks can lead to overlooking potential risks and issues.
Think about risks without considering the existing processes and controls in place.

Effectiveness and Efficiency

Control activities must be tested to ensure there are no material weaknesses or significant deficiencies.
Management should also ensure that control activities are carried out in a timely manner.

Internal auditors may support management by providing assurance on the effectiveness and efficiency of control activities.

Control Activities Worksheet

The worksheet provided in Section VI can be used as a template for documenting risks and related controls.
It is divided into 3 parts:

Part I: Strategic, Operations, and Reporting Objectives
Part II: Compliance Objectives
Part III: Fraud

Control Activities Worksheet

The worksheet is NOT all inclusive.
N/A responses need to be addressed.
Remember the writing on the wall.
Any policy or procedure used as a risk response in Part I or III should be addressed in Part II, Compliance.
The template may be modified.

Control Activities Worksheet

Part I: Strategic, Operations, and Reporting Objectives

Categorized by business process:

1. Budget Process
2. Cash Disbursement/Expenditures
3. Cash Receipts/Revenues
4. Cash Management
5. Liabilities
6. Capital Assets/Inventory/Equipment
7. Information Systems/Data Processing
8. Personnel/Employee Compensation
9. Financial Reporting
10. Accounts Receivable
11. Investments

Control Activities Worksheet

Part III: Fraud

Categorized by the Association of Certified Fraud Examiners' categories of fraud:

Misappropriation of assets
Corruption
Fraudulent reporting

Control Activities Worksheet

Part III: Fraud

The categories should be applied to each business process.
Fraud control risk management should be integrated into the agency's philosophy, practices and business plans rather than be seen or practiced as a separate program. When it is integrated, risk management becomes the business of everyone in the organization.

Control Activities Worksheet

Part III: Fraud

Core areas to focus on:

Information systems;
Contracts;
Grants and other payments or benefits programs;
Purchasing;
Services provided to the community;
Revenue collection;
Use of government credit cards;
Travel allowance and other common allowances;
Salaries; and
Property and other physical assets, including physical security.

Other Considerations

Risks with a large or moderate impact and a probable (high) or reasonably possible (medium) likelihood of occurrence are your significant risks. These are the risks you need to address with control activities.

No risk response is needed for insignificant risks, but BE CAUTIOUS AND OBJECTIVE.
Insignificant risks still need to be documented on the worksheet, with an explanation of their insignificant nature.

Other Considerations

Inherent Risks - Control Activities = Residual Risks

Evaluate all insignificant risks not addressed with control activities on an aggregate basis, to ensure your residual risk is within your risk tolerance.

All risks (regardless of significance) should still be included.

Other Considerations

If any of the risks already included in the worksheet are deemed as having a low impact or a remote likelihood of occurrence, treat them as risks that are not applicable to your agency and document the explanation on the worksheet.

Don't forget about abuse.
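As an added example (not part of the original guidelines), the Python below scores a constructed risk register against the significance rule stated in these considerations (large or moderate impact together with probable or reasonably possible likelihood), computes residual risk as inherent risk less the rated effect of control activities, flags significant risks that have no control and insignificant risks that lack a documented explanation, and aggregates the residual of the insignificant risks against a tolerance. The numeric scales, the control-effect model and the sample risks are assumptions chosen for illustration; the likelihood-impact matrix slide in Section II uses the same two axes.

```python
"""Risk register review: significance, residual risk and aggregate tolerance.

Added example, not part of the Tennessee guidelines. The 1-3 scales, the
control-effect model and the sample risks are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal scales for the two axes of the likelihood-impact matrix (assumed).
LIKELIHOOD = {"remote": 1, "reasonably possible": 2, "probable": 3}
IMPACT = {"low": 1, "moderate": 2, "large": 3}


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    control_effectiveness: float = 0.0  # 0 = no control activity, 1 = fully mitigated
    explanation: str = ""               # required when the risk is judged insignificant

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.name}: unknown likelihood or impact rating")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be in [0, 1]")

    def inherent_score(self):
        """Likelihood x impact before any control activity."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self):
        """Inherent risk - control activities = residual risk (modelled as a fraction removed)."""
        return self.inherent_score() * (1.0 - self.control_effectiveness)

    def is_significant(self):
        """Guidelines' rule: moderate-or-large impact AND reasonably-possible-or-probable likelihood."""
        return IMPACT[self.impact] >= 2 and LIKELIHOOD[self.likelihood] >= 2


def review_register(risks, tolerance):
    """Return the findings a worksheet reviewer would raise, plus the aggregate check."""
    uncontrolled_significant = [
        r.name for r in risks if r.is_significant() and r.control_effectiveness == 0.0
    ]
    undocumented_insignificant = [
        r.name for r in risks if not r.is_significant() and not r.explanation
    ]
    # Insignificant risks get no individual response, so their residual is their inherent
    # score; the guidelines require the sum to stay within tolerance.
    aggregate = sum(r.residual_score() for r in risks if not r.is_significant())
    return {
        "uncontrolled_significant": uncontrolled_significant,
        "undocumented_insignificant": undocumented_insignificant,
        "aggregate_insignificant_residual": aggregate,
        "within_tolerance": aggregate <= tolerance,
    }


# Constructed sample register, echoing the deck's two worked examples plus minor items.
SAMPLE_RISKS = [
    Risk("Subrecipient reimbursed for unsupported expenditures", "probable", "large", 0.75),
    Risk("Overpayments not reported to the Comptroller", "reasonably possible", "moderate"),
    Risk("Petty cash miscount", "remote", "low",
         explanation="Fund is capped and counted monthly"),
    Risk("Stale vendor master record", "reasonably possible", "low"),
    Risk("Travel allowance rounding differences", "remote", "moderate",
         explanation="Immaterial amounts, reviewed quarterly"),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        tag = "SIGNIFICANT" if r.is_significant() else "insignificant"
        print(f"{r.name}: inherent={r.inherent_score()} residual={r.residual_score():.2f} {tag}")
    print(review_register(SAMPLE_RISKS, tolerance=4))
```

With a tolerance of 4 the review flags the unreported-overpayment risk as significant but uncontrolled, flags the vendor-master risk as insignificant but undocumented, and reports that the three insignificant risks together (residual 5.0) exceed tolerance even though each one alone would be accepted; raising the tolerance to 6 clears only that last finding.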

SECTION VII
INFORMATION AND
COMMUNICATION

Information

Needed at all levels of an organization

to identify, assess, and respond to risks
to run the entity
to achieve its objectives

Internal and external sources
Financial and nonfinancial

Strategic and Integrated Systems

Data processing and data management become a shared responsibility
The IS architecture needs to be flexible and agile to integrate effectively with affiliated external parties
Have management's risk management techniques taken organizational goals into account in making technology selection and implementation decisions?

Integration with Operations

Applications facilitate access to information previously trapped in functional or departmental silos
Information becomes available for widespread use
Transactions are recorded and tracked in real time
Managers have immediate access to financial and operating information, enabling them to control agency activities more effectively

Depth and Timeliness of Information

The information infrastructure sources and captures data in a timeframe and at a depth consistent with an entity's need to

identify,
assess, and
respond to risks, and
remain within risk tolerances

Timeliness needs to be consistent with the rate of change in the entity's internal and external environments

Information Quality

Data reliability is a critical attribute of information systems and data-driven automated decision systems
Inaccurate data results in unidentified risks or poor assessments and bad management decisions
Quality of information includes ascertaining whether informational content is

Appropriate
Accurate
Timely
Accessible
Current

Communication

Inherent in information systems
Must provide information to appropriate personnel to carry out strategic, operating, reporting, compliance, and stewardship responsibilities
Must deal with

expectations,
responsibilities of individuals and groups, and
other important matters

Internal Communication

Behavioral expectations and responsibilities of personnel
Clear statement of the entity's risk management philosophy and approach
Clear delegation of authority

Should effectively convey

The importance and relevance of effective ERM
The entity's objectives, risk appetite, risk tolerances
A common risk language
Roles and responsibilities of personnel in effecting and supporting the components of ERM

External Communication

Open external communication channels

Constituents provide highly significant input on the design and quality of products and services
Enables an entity to address evolving customer demands or preferences

Recognize such implications

Investigate
Take necessary corrective actions
Focus on impact on financial reporting and compliance as well as operating objectives

Means of Communicating

Actions speak louder than words
Actions are influenced by the entity's history and culture

Operating with integrity
Culture is well understood throughout the organization

Embed communications on ERM into an entity's broad-based, ongoing communications programs and into the fabric of the organization

SECTION VIII
MONITORING

Monitoring

Assessing the presence and functioning of components over time
Accomplished through

Ongoing monitoring activities
Separate evaluations
A combination of the two

ERM changes over time

Once-effective risk responses become irrelevant
Control activities become less effective or are no longer performed
Entity objectives might change

Ongoing Monitoring Activities

Occur through regular management activities

Variance analysis
Comparisons of information with disparate
sources
Dealing with unexpected occurrences

Scope and Frequency

Evaluations of ERM depend on

the significance of risks
the importance of risk responses and related controls in managing the risks

Address application in strategy setting with respect to significant activities
Scope depends on which objectives categories are addressed

Who Evaluates

Self assessments

The person responsible for a particular unit or function determines the effectiveness of ERM for their activities
Division/function head
Line managers
Controller
Senior management
Internal auditors (management cannot delegate its responsibility)
External auditors (caution!)

The Evaluation Process

Evaluating ERM is a process in itself
Approaches and techniques vary
A consistent and disciplined approach should be brought to the process

Understand the entity's activities and the components of ERM being addressed
Determine how the ERM system actually works
Discuss with personnel who actually perform or are affected by ERM
Analyze the ERM process design and the results of tests performed
Determine whether the process provides reasonable assurance with respect to the stated objectives

Methodology

A variety of evaluation methodologies and techniques are available

Checklists
Questionnaires
Flowcharting techniques
Comparing or benchmarking to a best-in-class entity

Planning steps
Performance steps

Documentation

Varies based on the entity's size, complexity, and similar factors
Evaluations are more effective and efficient with an appropriate level of documentation
Document and retain

The evaluation process itself
Descriptions of tests and analyses
Support for statements to external parties regarding ERM effectiveness
Retention policy

Reporting Deficiencies

Deficiencies noted from

Ongoing monitoring procedures
Separate evaluations
External parties

Reported directly to the persons directly responsible for achieving the business objectives affected by the deficiency
Report specific types of deficiencies to senior management and/or the oversight body
Corrective actions taken or to be taken should be reported back to relevant personnel

What Is Reported

All identified ERM deficiencies that affect an entity's ability to develop and implement its strategy and to set and achieve its objectives
Must report significant deficiencies and material weaknesses
Use qualitative and quantitative materiality
Report identified opportunities to increase the likelihood that entity objectives will be achieved

To Whom to Report

Determining the right party is critical
Immediate superiors through normal channels
They in turn communicate upstream or laterally so the information ends up with someone who has the authority to act

e.g., senior management, department head, audit committee, other oversight body

Consider alternative channels for reporting sensitive information

Fraud and illegal or improper acts
