Risk Assessment (IT & Non-IT) MIS5205 2/21/2014

Date post: 23-Dec-2015
Upload: hollie-wheeler

Transcript
Page 1

Risk Assessment (IT & Non-IT)
MIS5205
2/21/2014

Page 2

Control Environment (COSO framework):
- The control environment sets the tone of an organization. It influences the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
- Control environment factors: the integrity, ethical values and competence of the people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and policies and procedures for the prevention and detection of fraud, etc.

Risk Assessment Overview

Page 3

Typical Enterprise Risk Categories:
- Policies and Procedures
- Personnel
- Management and Supervision
- Training
- Organizational Structure
- Fraud Prevention and Detection

Risk Definitions

Page 4

Policies and Procedures – Definition:
- Inadequately developed, documented and/or communicated business-specific policies and procedures.
- Non-compliance with existing company and business-specific policies.

Risk Definitions and Events

Page 5

Policies and Procedures – Sample Risk Events:
- Ineffective process to report unethical matters related to financial reporting (hotlines, whistleblower program)
- Mechanisms for reporting unethical matters have not been properly communicated to all employees (training)
- Conflict-of-interest surveys with affirmative responses have not been reviewed and properly escalated by the Ethics Officers for resolution (tone from the top)
- Lack of an inventory of corporate policies and procedures and of business line/function-specific policies applicable to the business activity (review and updating)

Risk Definitions and Events

Page 6

Policies and Procedures – Sample Risk Events:
- Policies and procedures training and communication across the company
- Inadequate monitoring of changes or updates to corporate policies and procedures
- Lack of active, written policies for all critical aspects of the business and corporate functions

Risk Definitions and Events

Page 7

Policies and Procedures – Sample Risk Events:
- Out-of-date policies and procedures: policies no longer reflect day-to-day activities, either because of changes in the business/corporate function, impracticality of implementation, etc.
- Company-wide system and information security policies and standards are not regularly reviewed and updated, or do not exist
- Roles and responsibilities for information security and other system functions are not well defined and formalized, or do not enforce a proper segregation of duties
- Policy statements for new products, subsidiaries, or other strategic initiatives have not been created

Risk Definitions and Events

Page 8

Policies and Procedures – Sample Risk Events:
- Management does not have a formal process to re-evaluate and revise procedures
- Prior versions or copies of Standard Operating Procedures are not retained to support previous decision-making
- Procedures are not reviewed/signed off by Management, appropriate subject matter experts, or control groups (Law, Compliance, etc.)
- Lack of an appropriate, consistent approach to the evaluation of exceptions to policy

Risk Definitions and Events

Page 9

Personnel – Definition:
- Insufficient number of employees, and insufficient retention of competent or experienced personnel, to accomplish business goals and objectives.
- Insufficient number of people with the required skill levels relative to the size of the business and the nature and complexity of its activities and systems.

Risk Definitions

Page 10

Personnel – Sample Risk Events:
- Employees do not meet the licensing requirements specified for their job position (industry specific, e.g., CISA, CFA, CPA, etc.)
- Hiring decisions are not retained to support decisions to hire or reject candidates
- Employees are not provided with, or do not have access to, the tools and utilities necessary to complete their job responsibilities
- Lack of (or non-adherence to) standards and criteria for hiring, training, promoting and compensating employees
- The business line does not maintain job descriptions or other means of defining specific job responsibilities

Risk Definitions and Events

Page 11

Personnel – Risk Events:
- Management does not analyze the knowledge and skills needed to perform jobs adequately
- Employees are not made aware of their responsibilities and the duties expected of them, through formal written performance evaluations at least annually or through other informal processes
- High level of turnover of experienced staff or high proportion of junior staff (e.g., can lead to work backlogs)
- No succession plan in place
- Lack of depth of resources within the business unit
- Lack of cross-training (resulting in unrealistic reliance on a few key personnel)

Risk Definitions and Events

Page 12

Management and Supervision – Definition:
- Inappropriate span of control, assignment of responsibility and delegation of authority to deal with organizational goals and objectives.
- Inadequate availability of MIS (management information systems) to monitor business activity.
- Inappropriate 'tone at the top': management behaviors and incentives set by management for subordinates that may have a negative impact on the control environment.

Risk Definitions

Page 13

Management and Supervision – Sample Risk Events:
- Inappropriate "tone at the top" established by business line management (e.g., tolerance level for control breaks or other policy violations discourages adherence to policies)
- Management does not take disciplinary actions to clearly communicate the consequences of inappropriate actions or of failure to address known and/or emerging issues
- Management structure and/or span of control is not appropriate relative to business objectives
- Lack of comprehensive risk analysis mechanisms, including control functions, to ensure that business line risks are identified, analyzed, monitored and controlled
- Business line management does not reinforce corporate policy regarding acceptable business practices, conflicts of interest and expected standards of ethical and moral behavior

Risk Definitions

Page 14

Management and Supervision – Risk Events:
- Management does not place a high emphasis on ethical behavior in dealings with employees, customers, regulators, control functions, etc.
- Management does not have controls in place to mitigate pressure to meet unrealistic performance targets (particularly for short-term results) or to reduce temptations arising from performance-based compensation
- Management does not have comprehensive MIS in place to monitor the business
- Management behavior and/or structure does not foster communication (up, down and across)

Risk Definitions

Page 15

Management and Supervision – Sample Risk Events:
- There is no proactive policy on known or emerging control breaches, policy or legal/regulatory violations, and related corrective actions, to ensure actions are taken promptly and decisively and, if warranted, appropriate disciplinary actions are taken
- New businesses or products are not initiated in a controlled manner
- Supervisory duties are not carried out in accordance with licensing or regulatory requirements
- Goals set by management may be unrealistic or may incent inappropriate behavior

Risk Definitions

Page 16

Management and Supervision – Sample Risk Events:
- Employee satisfaction or morale
- Employee concerns are not heard or addressed by management
- Management is not able to effectively gauge or review employee performance

Risk Definitions

Page 17

Training – Definition:
- Inadequate training of personnel to meet position requirements or to fulfill the company's professional and ethical standards.

Risk Definitions

Page 18

Training – Sample Risk Events:
- Lack of formal training programs for new hires and existing employees
- Employees are not encouraged to attend job-related training programs
- Management does not have mechanisms in place to ensure that employees attend appropriate training programs
- Failure to properly monitor compliance with tracking requirements
- Inadequate function/product-specific or control-related skills training
- Inadequate training to perform supervisory responsibilities
- Training programs are not frequently updated

Risk Definitions

Page 19

Training – Sample Risk Events:
- Lack of cross-training for periods where employees are absent, re-assigned, and/or unavailable
- Failure to communicate lessons learnt from historical or recent experiences to mitigate the risk of recurrence
- Training programs are not delivered in a timely manner (e.g., prior to a systems implementation/major release)
- Training programs do not support continuing education requirements for licensed representatives

Risk Definitions

Page 20

Training – Sample Risk Events:
- Qualifications of training providers
- Lack of practice to collect and analyze training feedback
- Out-of-date training courses: training is not kept current with changes to products, systems, benefits, etc.
- Lack of training budget

Risk Definitions

Page 21

Organizational Structure – Definition:
- Inadequate organizational structure to provide the necessary information flow to manage the business' activities, assign responsibilities and ensure an adequate segregation of duties.

Risk Definitions

Page 22

Organizational Structure – Sample Risk Events:
- Inappropriate organizational structure and an inability to provide the necessary information flow to manage its activities
- Inadequate definition of key managers' responsibilities and of their understanding of these responsibilities (i.e., avoidance of ambiguity)
- Inadequate knowledge and experience of key managers in light of their responsibilities

Risk Definitions

Page 23

Organizational Structure – Sample Risk Events:
- Management has not assigned responsibility and delegated authority to deal with organizational goals and objectives, operating functions and regulatory requirements, and to ensure that appropriate segregation of duties is maintained
- Inappropriate level of interaction between business line personnel, operations management and other control functions, particularly when geographically removed
- Inappropriate segregation of duties (e.g., between Sales, Operational and Finance functions)

Risk Definitions

Page 24

Fraud Prevention and Detection (Industry Specific, e.g., FIs) – Definition:
- Inadequate and/or infrequently performed activities designed to prevent and/or detect fraud.

Risk Definitions

Page 25

Fraud Prevention and Detection (Industry Specific) – Sample Risk Events:
- Administrative systems do not have 'red flags' or reports to alert management to potentially fraudulent transactions (e.g., address change and disbursement transactions processed within a short period of one another)
- Documentation to support transactions being processed can be deleted, altered, or lost
- Signature verification process does not exist for high-dollar disbursement transactions
- Special payee/address procedures are not in place for routine and non-routine payments
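The first and third events on this slide describe detection rules rather than policies, so here is an added example (mine, not part of the course slides) of a red-flag report that implements both over a constructed transaction log: a disbursement processed within a short window after an address change on the same account, and a high-dollar disbursement with no recorded signature verification. The pipe-delimited record layout, the 14-day window, the $10,000 threshold and the sample records are all assumptions chosen for the illustration.

```python
"""Red-flag report over a constructed administrative-system transaction log.

Added example, not from the slides. Field layout, thresholds and sample
records are assumptions; an organization would tune them to its own data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed thresholds.
WINDOW_DAYS = 14           # address change -> disbursement window
HIGH_DOLLAR = 10_000.00    # disbursements at or above this need signature verification


@dataclass
class Txn:
    account: str
    when: datetime
    kind: str                # "ADDRESS_CHANGE" or "DISBURSEMENT"
    amount: float = 0.0
    sig_verified: bool = False


def parse_log(lines: List[str]) -> List[Txn]:
    """Parse constructed records of the form
    account|ISO timestamp|kind|amount|sig_verified(y/n); '#' lines are comments."""
    txns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        acct, ts, kind, amount, sig = line.split("|")
        txns.append(Txn(acct, datetime.fromisoformat(ts), kind,
                        float(amount), sig.lower() == "y"))
    return txns


def flag_address_change_then_disbursement(txns: List[Txn],
                                          window_days: int = WINDOW_DAYS) -> List[Dict]:
    """Flag each disbursement that falls within `window_days` after an address
    change on the same account (a disbursement before the change is not flagged)."""
    by_acct: Dict[str, List[Txn]] = {}
    for t in sorted(txns, key=lambda x: x.when):
        by_acct.setdefault(t.account, []).append(t)
    window = timedelta(days=window_days)
    flags = []
    for acct, events in by_acct.items():
        changes = [e for e in events if e.kind == "ADDRESS_CHANGE"]
        for d in (e for e in events if e.kind == "DISBURSEMENT"):
            for c in changes:
                if c.when <= d.when <= c.when + window:
                    flags.append({"rule": "ADDR_CHANGE_THEN_DISBURSE", "account": acct,
                                  "address_change": c.when.isoformat(),
                                  "disbursement": d.when.isoformat(),
                                  "amount": d.amount})
                    break  # one flag per disbursement is enough for the report
    return flags


def flag_unverified_high_dollar(txns: List[Txn], threshold: float = HIGH_DOLLAR) -> List[Dict]:
    """Flag high-dollar disbursements that carry no signature-verification mark."""
    return [{"rule": "HIGH_DOLLAR_NO_SIG", "account": t.account,
             "disbursement": t.when.isoformat(), "amount": t.amount}
            for t in txns
            if t.kind == "DISBURSEMENT" and t.amount >= threshold and not t.sig_verified]


def red_flag_report(lines: List[str]) -> List[Dict]:
    txns = parse_log(lines)
    return flag_address_change_then_disbursement(txns) + flag_unverified_high_dollar(txns)


# Constructed sample log (not real data).
SAMPLE_LOG = """
# account|timestamp|kind|amount|sig_verified
A-1001|2024-03-01T09:15:00|ADDRESS_CHANGE|0|n
A-1001|2024-03-04T14:02:00|DISBURSEMENT|2500.00|y
A-1002|2024-01-10T10:00:00|ADDRESS_CHANGE|0|n
A-1002|2024-03-20T11:30:00|DISBURSEMENT|800.00|y
A-1003|2024-03-05T16:45:00|DISBURSEMENT|25000.00|n
A-1004|2024-03-06T08:00:00|DISBURSEMENT|15000.00|y
""".splitlines()

if __name__ == "__main__":
    for flag in red_flag_report(SAMPLE_LOG):
        print(flag)
```

On the sample data only A-1001 (disbursement three days after an address change) and A-1003 (high-dollar, unverified) are reported; A-1002's disbursement is 70 days after its address change and A-1004's is verified. The window is a parameter because the right value depends on the payment cycle; widening it to 90 days would also pull in A-1002.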

Risk Definitions

Page 26

Fraud Prevention and Detection (Industry Specific) – Sample Risk Events:
- Management has not evaluated administrative system user access for certain dangerous combinations
- Role-based security does not align with segregation of duties and is not inclusive of both IT and non-IT based capabilities
- Management has not been proactive in enhancing the staff's fraud awareness
- Training is incomplete and/or outdated and does not address current fraud schemes
- Call Center authentication procedures are not adequate and do not provide an escalation process or suspicious-caller guidance
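The first two events on this slide (dangerous access combinations, and role-based security that ignores IT-side capabilities) are what a segregation-of-duties review checks. Here is an added example (mine, not from the slides) that resolves each user's effective capabilities across all assigned roles, IT and non-IT alike, and reports any user holding a conflicting pair. The role names, capability names, conflict list and user assignments are assumptions for the illustration; a real review would take them from the organization's SoD matrix.

```python
"""Segregation-of-duties check over role assignments.

Added example, not from the slides. Roles, capabilities, the conflict list
and the user assignments are constructed for the illustration.
"""
from typing import Dict, List, Set, Tuple

# Role -> capabilities. An IT role (db_admin) is included so the check covers
# both IT and non-IT capabilities, as the slide requires.
ROLE_CAPS: Dict[str, Set[str]] = {
    "sales_rep":        {"create_customer", "enter_order"},
    "ops_clerk":        {"change_payee_address", "enter_disbursement"},
    "finance_approver": {"approve_disbursement", "post_journal_entry"},
    "finance_reviewer": {"review_journal_entry"},
    "db_admin":         {"direct_db_write"},
}

# Conflicting capability pairs: holding both lets one person complete a
# fraud-prone transaction end to end without a second party.
CONFLICTS: List[Tuple[str, str]] = [
    ("change_payee_address", "approve_disbursement"),
    ("enter_disbursement", "approve_disbursement"),
    ("post_journal_entry", "review_journal_entry"),
    ("enter_order", "approve_disbursement"),
    ("direct_db_write", "approve_disbursement"),   # IT capability vs. business approval
]


def effective_caps(roles: List[str]) -> Set[str]:
    """Union of capabilities granted by every role the user holds.
    Unknown roles grant nothing (and would be a finding of their own)."""
    caps: Set[str] = set()
    for r in roles:
        caps |= ROLE_CAPS.get(r, set())
    return caps


def find_conflicts(user_roles: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {user: [conflicting (cap_a, cap_b) pairs]} for every user whose
    combined roles give them both halves of a listed conflict."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in user_roles.items():
        caps = effective_caps(roles)
        hits = [pair for pair in CONFLICTS if set(pair) <= caps]
        if hits:
            findings[user] = hits
    return findings


# Constructed assignments (not real users).
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["sales_rep"],
    "bob":   ["ops_clerk", "finance_approver"],      # can change payee and approve payment
    "carol": ["finance_approver", "finance_reviewer"],  # posts and reviews own journal entries
    "dave":  ["db_admin", "finance_approver"],       # IT write access plus business approval
    "erin":  ["ops_clerk"],
}

if __name__ == "__main__":
    for user, pairs in find_conflicts(USER_ROLES).items():
        print(user, "->", pairs)
```

The check works on capabilities rather than role names because a conflict is usually created by two individually harmless roles; bob's case shows that, and dave's shows why an IT role such as database administrator belongs in the same matrix as the business approvals it could bypass.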

Risk Definitions

Page 27

Fraud Prevention and Detection (Industry Specific) – Sample Risk Events:
- No quality review or second check exists over transactions where fraud could be perpetrated
- No sampling of transactions occurs over transactions where fraud could be perpetrated
- Journal entries or 'top side' entries impacting quarterly results are posted without a second review and proper approvals
- Bonus/incentive compensation for individuals responsible for posting financial data is tied to company performance in a manner outside the existing performance management process
- Non-designated and covered individuals can view non-public financial data before results become public
- Officers and Senior Executives are granted stock options that, when exercised, will inappropriately benefit them (i.e., backdating)

Risk Definitions

Page 28

Fraud Prevention and Detection (Industry Specific) – Sample Risk Events:
- Vendor due diligence is not conducted on firms who have the ability to commit fraud
- Vendor relationships are not disclosed or monitored for conflict of interest or collusion
- Vendor invoices/charges are not reviewed against support or are not thoroughly examined
- Miscellaneous loss accounts are not monitored

Risk Definitions

Page 29

Fraud Prevention and Detection (Industry Specific) – Sample Risk Events:
- Agents and investment advisors are granted too much access to process transactions on behalf of customers
- Underwriters and agents/brokers develop friendly relationships that may lead to preferential treatment (i.e., more favorable underwriting decisions)
- Original, unaltered documentation is not available to support transactions
- Management is incented to meet certain business-related targets (such as number of complaints, sales targets, and/or quality assurance processing results)

Risk Definitions