A Risk-Based Audit Strategy November 2006 Internal Audit Department



Similar documents
Matthew E. Breecher Breecher & Company PC November 12, 2008

Enterprise Risk Management

ENTERPRISE RISK MANAGEMENT POLICY

Developing an Effective Enterprise Risk Management Program

Analyzing Risks in Healthcare. February 12, 2014

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT HUMAN RESOURCE AUDIT PROGRAM

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

MISSION VALUES. The guide has been printed by:

Guide to Internal Control Over Financial Reporting

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

Supervisory Guidance on Operational Risk Advanced Measurement Approaches for Regulatory Capital

IFAD Policy on Enterprise Risk Management

Transmittal Letter Objectives and Scope Approach Financial System Permitting Application... 9

Operational Risk Management Program Version 1.0 October 2013

Policy : Enterprise Risk Management Policy

Risk Assessment & Enterprise Risk Management

On the Setting of the Standards and Practice Standards for. Management Assessment and Audit concerning Internal

Enterprise Risk Management Framework. Executive Summary. Exposure Draft for Public Comment

SARBANES-OXLEY SECTION 404: A Guide for Management by Internal Controls Practitioners

INTERNAL AUDIT CHARTER AND TERMS OF REFERENCE

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

Internal Auditing Guidelines

Internal Audit Manual

INTERNAL CONTROL AND ENTERPRISE RISK MANAGEMENT NO. П4-01 П-01 REVISION1.00

How To Save Money At The University Of California

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

Integrated Risk Management:

Control Environment Questionnaire

[300] Accounting and internal control systems and audit risk assessments

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

A Primer for Investment Trustees (a summary)

Audit of the Test of Design of Entity-Level Controls

Internal Control Questionnaire and Assessment

Montgomery County, Unique Aspects of the Medicaid Control System

Implementing an Integrated City-wide Risk Management Framework

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Internal Control - Integrated Framework

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

and Risk Tolerance in an Effective ERM Program

City of Mt. Angel. Comprehensive Financial Management Policies

Special Purpose Reports on the Effectiveness of Control Procedures

Standards for the Professional Practice of Internal Auditing

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting

Internal Control Guide for Managers

Enterprise Risk Management

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

Export Development Canada

Fraud Prevention and Deterrence

ASAE s Job Task Analysis Strategic Level Competencies

Enterprise risk management: A pragmatic, four-phase implementation plan

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

COSO Internal Control Integrated Framework (2013)

SOL PLAATJE MUNICIPALITY ENTERPRISE RISK MANAGEMENT FRAMEWORK AND POLICY

Role 1 Leader The Exceptional Nurse Leader in Long Term Care:

NATIONAL BANK OF ETHIOPIA MICROFINANCE INSTITUIONS SUPERVISION DIRECTORATE. RISK MANAGEMENT GUIDLEIES for MICROFINANCE INSTITITTIONS (FINAL)

BOARD OF EDUCATION OF BALTIMORE COUNTY OFFICE OF INTERNAL AUDIT - OPERATIONS MANUAL INTERNAL AUDIT OPERATIONS MANUAL

Course Author: Dr. Monica Belcourt, School of Human Resource Management, York University; Ron Alexandrowich and Mark Podolsky

Solution Overview Better manage environmental, occupational safety, and community health hazards by turning risk into opportunity

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS.

QUALITY MANAGEMENT SYSTEM MANUAL

Debt Policy. I. Purpose of the Debt Policy

IV. CREDIT CARD PROGRAM DEVELOPMENT

Strategic Plan. Valid as of January 1, 2015

How To Audit A Financial Statement

Audit of the Policy on Internal Control Implementation

Sample Enterprise Risk Management Work Plan Fiscal Years 20XX and 20YY Revised June Internal Environment / Objectives Setting

11/12/2013. Role of the Board. Risk Appetite. Strategy, Planning and Performance. Risk Governance Framework. Assembling an effective team

GAO DEFENSE CONTRACT AUDITS. Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports

Developing Effective Internal Controls Using the COSO Model

Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC)

PRACTICE GUIDE. Formulating and Expressing Internal Audit Opinions

Five-Year Strategic Plan

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

RISK MANAGEMENT IN A FOR-

WFP ENTERPRISE RISK MANAGEMENT POLICY

The IIA Global Internal Audit Competency Framework

State University of New York Charter Renewal Benchmarks Version 5.0, May 2012

Revenue Administration: Performance Measurement in Tax Administration

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

Organizational Capacity Assessment for Community-Based Organizations. New Partners Initiative Technical Assistance (NuPITA) Project

Internal Audit. Audit of HRIS: A Human Resources Management Enabler

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies

Principles for An. Effective Risk Appetite Framework

LOCAL GOVERNMENT MANAGEMENT ASSESSMENT OVERVIEW AND QUESTIONNAIRE

Enterprise Risk Management Integrated Framework. Executive Summary

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM))

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

Status Report of the Auditor General of Canada to the House of Commons

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

Sample Financial institution Risk Management Policy 2011

FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund

Transcription:

Mental Health Mental Retardation Authority of Harris County ENTERPRISE RISK MANAGEMENT A Framework For Assessing, Evaluating And Measuring Our Agency s Risk A Risk-Based Audit Strategy November 2006 Internal Audit Department

The Internal Audit Department MHMRA of Harris County ERM is a continuous process that involves managing risk across all parts of the enterprise. Enterprise Risk Management: Optimizing Controls While Supporting The Agency s Mission, Goals And Objectives Prepared by Henry Webb Internal Auditor Every organization has a mission, and all business involves risk. One of the roles of management is to assess the impact of potential risks to the business and to set in place management controls that will minimize the impact of the identified risk. An effective risk management process is an important component of the Agency in its quest to perform its mission and reach stated objectives as well as the Strategic Plan. When these risks are successfully recognized, managed and mitigated through a well-orchestrated Enterprise Risk Management (ERM) approach, they become key elements in a strategic plan and offer forward-thinking organizations a tool for achieving business success. WHAT IS ENTERPRISE RISK MANAGEMENT? ERM, as defined in the Risk Management Handbook for Health Care Organizations (4 th ed.), is a structured analytical process that focuses on identifying and eliminating the financial impact and volatility of a portfolio of risks rather than on risk avoidance alone. Essential to this approach is an understanding that risk can be managed to gain competitive advantage. ERM utilizes a process or framework for assessing, evaluating and measuring all of an organization s risk. In essence, it is integrated risk management. ERM quantifies risks to determine significance, groups them into components or domains looking for either inter-relatedness or inter-dependency, and devises strategies to manage each. RISK DOMAINS The risks facing the Agency today can be classified into domains as detailed in the Risk Management Handbook for Health Care Organizations that ERM recognizes: Operational: Derived from the organization s core business, including its systems and practices. Examples include clinical services and patient care. Financial: Risks related to the organization s ability to earn, raise or access capital as well as costs associated with its transfer of risk. Examples might include insurance premiums and bonds. I

Human: Relates to the risk related to recruiting, retaining and managing its workforce. Examples include worker s compensation, employee turnover and absenteeism, and discrimination. Strategic: Risks related to the ability of the organization to grow and expand. Examples include joint ventures, mergers, profitability, customer satisfaction and financial performance. Legal/Regulatory: Risks related to health care statutory and regulatory compliance, licensure and accreditation. Examples include HIPPA compliance, OSHA regulations, Medicare/Medicaid-deemed status. Technological: Risk associated with equipment, devices and telemedicine. Examples include clinical/financial information systems and communications. The Commission of Sponsoring Organizations (COSO) ERM Framework Is a process Is effected by people Is applied in strategy setting Is applied across the enterprise Is designed to identify potential events Manages risks to be within risk tolerance Provides reasonable assurance Supports achievement of key objectives Commission of Sponsoring Organizations of the Treadway Commission (COSO). The Commission of Sponsoring Organizations of the Treadway Commission (COSO) developed a model ERM program that is utilized and adapted to the unique needs of the health care organization. This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. Entity objectives can be viewed in the context of four categories: Strategic Operations Reporting Compliance II

ERM considers activities at all levels of the organization: Enterprise-level Division or subsidiary Business unit processes The eight components of the framework are interrelated: Internal Environment: a) Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. b) Establishes the entity s risk culture. c) Considers all other aspects of how the Agency s actions may affect its risk culture. Objective Setting: a) Is applied when management considers risks strategy in the setting of objectives. b) Forms the risk appetite of the entity a high-level view of how much risk management and the board are willing to accept. c) Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite. Event Identification: a) Differentiates risk and opportunities. b) Events that may have a negative impact represent risks. c) Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting. d) Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. e) Addresses how internal and external factors combine and interact to influence the risk profile. Risk Assessment: a) Allows an entity to understand the extent to which potential events might impact objectives. b) Assess risk from two perspectives: 1. Likelihood 2. Impact c) Is used to assess risks and is normally also used to measure the related objectives. d) Employs a combination of both qualitative and quantitative risk assessment methodologies. e) Relates time horizons to objective horizons. f) Assesses risk on both an inherent and a residual basis. Risk Response: a) Identifies and evaluates possible responses to risk. b) Evaluates options in relation to entity s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. c) Selects and executes response based on evaluation of the portfolio of risks and responses. Control Activities: a) Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. b) Occurs throughout the Agency, at all levels and in all functions. c) Includes application and general information technology controls. III

Information & Communication: a) Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. b) Communication occurs in a broader sense, flowing down, across, and up the organization. Monitoring: Effectiveness of the other ERM components is monitored through: - Ongoing monitoring activities. - Separate evaluations. - A combination of the two. Internal Control A strong system of internal control is essential to effective enterprise risk management. Relationship to Internal Control: Expands and elaborates on elements of internal control as set out in COSO s control framework. Includes objective setting as a separate component. Objectives are a prerequisite for internal control. Expands the control framework s Financial Reporting and Risk Assessment. Standards: 2010.A1 The internal audit activity s plan of engagements should be based on a risk assessment, undertaken at least annually. 2120.A1 Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization s governance, operations, and information systems. 2210.A1 When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment. Risk Analysis Risk Assessment Risk Management Risk Monitoring Identification Control It Process Level Measurement Share or Transfer It Activity Level Prioritization Diversify or Avoid It Entity Level IV

RISK OR OPPORTUNITY A risk is an observable event with potential for a negative impact on the goals and objectives of the Agency. An opportunity is an event that may have a positive impact on the Agency. V

The Risk Management Process 1. Identify risks 6. Revise policies 2. Develop strategies and procedures to prioritize risks 5. Test effectiveness and monitor results 3. Design policies to mitigate risks 4. Implement policies and assign responsibility Internal Audit believes the following are the Keys to Effective Risk Management : Stated mission and core values Motivated and confident people Conducive environment Sound methodology Accountability and transparency Security Performance and efficiency Reliable management information systems Clarity of Mission and Values The key to shaping strategic success is clarity of mission. To be successful, MHMRA recognizes the importance of having organizational values and is committed to a process of developing those values. Staff need to understand what business the Agency is in and how its values drive that business. Without such understanding employees will not develop much commitment or loyalty to the organization and its success. The mission statement provides a sense of purpose and incorporates a vision of future accomplishment. Equally important for the Agency to develop is to communicate a statement of core values or guiding principles that complements the mission statement. When both the mission and core values are understood, managing risk becomes more attainable. The Limitations of Internal Controls No matter how well internal controls are designed, they can only provide reasonable assurance that objectives will be achieved. Some limitations are inherent in all internal control systems. VI

Judgment The effectiveness of controls will be limited by decisions made with human judgment under pressures to conduct business based on information at hand. Breakdowns Even well designed internal controls can break down. Employees sometimes misunderstand instructions or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems. Controls may become obsolete with new systems and operations. Management Override High-level personnel may be able to override prescribed policies or procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes. Collusion Control systems can be circumvented by employee collusion. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified by control systems. Costs It may be too costly to install certain controls based on the anticipated benefits of installing that control. Human Error People can make mistakes, can be misdirected, irresponsible, can show poor judgment, or have high workloads. They might not know what to do, how to do it or where. General Responsibilities of Internal Audit Internal Audit Executive Director and Staff Audit Committee Develops a comprehensive annual work plan for board approval, including time schedule and budgets Develops audit work programs that provide audit coverage of Agency operations and adhere, to audit standards Designs work papers that clearly document the evidence of audit work performed and conclusions drawn Maintains and develops a professional audit staff, requiring highly qualified individuals Participates in field work as appropriate to ensure quality of staff work and procedures Reports findings to the Audit Committee on a regular basis and assists them in fulfilling their responsibilities relating to audits Follows up on previous findings to ensure that corrective action has been taken Manages the audit function independent of management but maintains appropriate communication with the Executive Director and staff Establishes and maintains professional ties with related professional groups Establishes policies and procedures within the Agency Establishes an environment that says controls are important to the Agency Facilitates access of the auditor to all areas of the Agency Provides necessary resources Receives copies of audit reports Enforces response provision by affected departments and staff Oversees correction and implementation of recommendations Oversees internal audit function Monitors risk Ensures that an appropriate system of controls is in place Oversees job description preparation and internal audit hiring process Finalizes selection of Internal Auditor Must be a functioning audit committee Ensures that the internal auditor reports to the Audit Committee Ensures that reporting requirements are established and followed Appraises the performance of the internal auditor Mediates issues between management and the auditor Reviews internal audit report and directs management to make needed corrections Approves annual Internal Audit work plan and summary VII

In summary, managing risk requires a continuous cycle of controls that are preventive, detective and corrective. The Risk Management Process Corrective 1. Identify risks 6. Revise policies 5. Test effectiveness and monitor results 2. Develop strategies and procedures to prioritize risks 3. Design policies to mitigate risks P R E V E N T I V E 4. Implement policies and assign responsibility Detective Internal Audit provides the Executive Director and the Audit Committee with an annual audit plan. The audit plan serves as a working document that incorporates the assessments documented in the comprehensive Agency-wide business risk assessment, Executive Staff s, and department management s input and results from previous audits. As such, this plan will serve as the primary work plan to carry out the audit responsibilities in an efficient manner consistent with the priorities established by the Internal Auditor. Due to the continual request for audit services, unknown extent of findings, and the required testing for the planned audits, the plan will be monitored and revised as necessary throughout the year. Background The Internal Audit Department is an independent, objective assurance and consulting activity that issues its findings and recommendations to the Executive Director, Agency Management, and Audit Committee Members. The mission of the Internal Audit Department is to provide the Executive Director, Agency Management, and Audit Committee Members with independent analyses, assurances, and VIII

recommendations concerning the adequacy and effectiveness of the Agency s internal control structure, effective safeguarding and utilization of Agency resources, and management s performance in carrying out assigned responsibilities. The scope of activities carried out by the Audit Department may relate to any phase of Agency activities including: * Evaluating and enhancing the Agency s accounting policies and procedures that constitute its internal control structure. * Assessing compliance with appropriate policies, laws, and regulations. * Evaluating the accuracy of reported data utilized by departmental and Agency management in making operational decisions. * Appraising the economy, efficiency, and effectiveness of the Agency s organizations, programs, functions, and activities. * Assessing the efficiency of operations and developing recommendations for cost savings. * Ascertaining that all Agency revenue is maximized, safeguarded and controlled. * Ascertaining that all operational data is safeguarded and accurately maintained. * Ascertaining the extent to which Agency assets are accounted for and safeguarded from loss. * Investigating allegations of financial fraud, waste, and theft through various sources. Risk Assessment Risk assessment is the identification and analysis of relevant risk to the achievement of an organization s objectives for the purpose of determining how those risks should be managed. Risk assessment implies an initial determination of operating objectives then a systematic identification of those things that could prevent each objective from being attained. In other words, it s an analysis of what could go wrong. Not all risks are equal. Some are more likely than others to occur, and as such, will have a greater impact than others if they occur. So, once risks are identified, their probability and significance must be assessed. Finally, having identified and assessed risk, management must decide how to deal with it. In some cases, the decision may be to control it; in others it may be to accept it. The risk management process is an ongoing one. Internal and external factors constantly develop, presenting new hazards to the Agency. Change itself is a risk, and management must continually adapt its policies and procedures to manage its changing risks to a comfortable level. Each unit at the Agency faces its own challenges and must assess how it will manage them to meet its objectives. A good internal control system can mitigate those risks, and Internal Audit can advise how to develop good internal controls. The Internal Audit Department assesses business risks throughout the Agency. We seek input from Executive Staff, management, and our external auditors for possible risks IX

and their likelihood or importance. the annual audit plan. The results of the assessment are used to prepare The risk assessment model measured many different risk factors for each process, with the following key risk criteria factors more heavily considered in the achievement of the Agency s strategic objectives: Nature of Operations: 1) Significant Changes 2) Pressure Meeting Objectives 3) Clearly Defined Objectives 4) Strategic Value 5) Inherent Risks Nature of Transactions: 1) Number of Transactions 2) Complexity of Transactions 3) Accuracy of Information Management: 1) Attention Given by Management 2) Monitoring Activities External Influences: 1) Compliance With Regulations 2) Market Stability Systems: 1) Integrity: Reliance on Information Systems 2) Relevance: Ability to Satisfy Business Objectives 3) Access: Unauthorized Access and Transactions 4) Availability: Level of Support 5) Complexity: Relative Number of Transactions, Files, and Devices Dollar Volume/Materiality: Materiality Changes in Procedures/Personnel: 1) Training/Experience 2) Adequacy of Staffing Levels 3) Segregation of Duties Results of Prior Audits/Management Interest: 1) Audit Findings 2) Follow-up X

Time Since Last Audit: Prior Audit Published Opportunities to Achieve Operating Benefits: 1) Opportunity Identification 2) Risk Assessment 3) Management Interest/Request Department processes or activities with high or moderate residual risk are noted in the Agency s current Business Risk Assessment Model. Audit Focus Areas The Business Risk Assessment serves as a planning tool to determine the best investment for audit efforts. Annually, the audit plan prioritizes the Audit Department s limited resources of people and budget dollars based on MHMRA s Business Risk Profile and management s need for vital information. This audit plan prioritizes audit focus on either Agency-wide processes or departments with processes or activities having high or moderate residual risk. As such, the Agency s audit function serves as a risk management tool through the development of improved control processes as a result of performance improvement and financial auditing, as well as a control with the performance of the revenue enhancement and compliance audits. Audit Programs Audit activities will vary as a result of the differences in the nature of operations, organizational structure, and management style and by the competence, employee capabilities, and concepts of operation control. Specific audit programs will be developed from each activity to the audited within the year ending August 31, 2007. Audit programs will be designed in regards to business services, compliance requirements, performance considerations, and specialized skills required for each project. All audit programs, workpapers and reports will be conducted in accordance with appropriate professional standards. The Internal Audit Department will also provide any assistance to the Agency s management when they request special assignments/projects. These special assignments/projects will normally be performed in addition to the normally scheduled audit work planned. XI

The Top Five Agency risks identified by Internal Audit are based on the Fiscal Year 2007 Risk Assessment worksheet (copy attached as Exhibit A.) The following represent these top five risks and associated mitigation efforts. RISK DOMAINS RISK (1) Operational - Lack of adherence to established policy and procedures - Management s ability to override internal controls (2) Financial - Accounts Receivable - Return of funds not expended - Accounts Payable - Payroll - Bad Debt (3) Human - High turn over of staff in key areas - Client care - Facility care - Professionalism, care and safeguard of assets (4) Strategic - Continue positive financial performance under ever changing environment and demands - Clinical software venture (5) Technological - Keeping pace with required technology and equipment for both clinical and financial needs MITIGATE RISK - Staff to be held accountable - Open communication with ED and Board - Establish benchmarks - Require continual monitoring and requirements - Continued training and maintain high benchmarks - Fully utilize payroll module - Establish benchmarks above standards - Determine root cause and corrective action - Maintain higher than required targets - Continue facility reviews and Project Management - Require strict code of Conduct and Ethics - Evaluate ALL financial commitments and prioritize based on funding and critical needs (objective) - Evaluate on an on-going philosophy with future State system in mind - All IT projects should be value driven and prioritized XII

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information