Risk and Controls 101



Similar documents
KANSAS CITY, MISSOURI RESPONSES TO THE FISCAL YEAR 2013 AUDIT MANAGEMENT LETTER

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

Understanding ERP Architectures, Security and Risk Brandon Sprankle PwC Partner March 2015

Segregation of Duties

Risk Management in Role-based Applications Segregation of Duties in Oracle

Fraud and Role of Information Technology. September 2008

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Monthly Closing & Reconciliations. Presented by Bronwyn Duprey

Communicating Internal Control Related Matters Identified in an Audit

Proposal for Accounting Services (Sample)

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS:

Chapter 15 Auditing the Expenditure Cycle

Electronic Audit Evidence (EAE) and Application Controls. Tulsa ISACA Chapter December 11, 2014

Submitted by: Christopher Mead, Director, Department of Information Technology

DEPARTMENT REVIEW FINANCE

Application controls testing in an integrated audit

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act*

FRAUD RISK ASSESSMENT

Leverage T echnology: Move Your Business Forward

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement


7/9/2015 SCRIPTPRO 340B SOLUTIONS SHAFI SHILAD, VP BUSINESS DEVELOPMENT A Comprehensive/ Seamless Approach

Automated Accounts Payable and Commercial Card Management from AOC Solutions

ACS 1803 Accounting SUPPLEMENTARY NOTES prepared by E. Kaluzniacky & K. Augustine. Computerized Accounting - The General Ledger System

Wave 2 User Acceptance Testing (UAT) Scenario Workshop Cash Management (CM)

Continuous Monitoring: Match Your Business Needs with the Right Technique

Case Study Top-Down, Risk-Based Approach Purchase to Pay Process

Internal Control Systems

How to set up a people based. accounting system that makes your. small business work for you. Thomas G. Post. Certified Public Accountant

MEMORANDUM INTERNAL CONTROL REQUIREMENTS FOR NON-PROFITS

Internal Controls, Fraud Detection and ERP

Antifraud program and controls assessment grid*

Navy s Contract/Vendor Pay Process Was Not Auditable

Information Technology General Controls (ITGCs) 101

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

Agency Insight: EE1 Business Processes, Assets, and Projects October 9, 2014

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

The Importance of IT Controls to Sarbanes-Oxley Compliance

SUBSIDIARY LEDGER MANAGEMENT AND INTERNAL CONTROLS

For illustrative purposes only, we will look at the logical flow of the Data Pro Job Cost package as a general contractor might use it.

B Resource Guide: Implementing Financial Controls

Reference Document Month-End Closing

Internal Control Evaluations

Section 7 Internal Control Framework

Interim Audit Report. Borough of Broxbourne Audit 2010/11

CORP RISK MANAGEMENT POLICY & METHODOLOGY

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 315

10-1. Auditing Business Process. Objectives Understand the Auditing of the Enteties Business. Process

Practice Note. 23Revised. October 2009 AUDITING COMPLEX FINANCIAL INSTRUMENTS INTERIM GUIDANCE

Internal Controls. A short presentation from Your Internal Audit Department

Eclipx Group Limited Risk Management Policy

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

Connecting the dots: IT to Business

MANAGEMENT LETTER. Nassau Health Care Corporation and Subsidiaries Year Ended December 31, Ernst & Young LLP

Report on. Office of the Superintendent of Financial Institutions. Corporate Services Sector Human Resources Payroll. April 2010

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Procure-to-Pay Best Practices

Significant Revisions to OMB Circular A-127. Section Revision to A-127 Purpose of Revision Section 1. Purpose

Enterprise Resource Planning (ERP) II Pre-System Implementation Interim Audit Report. Accounts Payable Module. December 5, Mayor.

Bank Account Reconciliation, Bank Account Access and Automated Clearing House (ACH) Transactions Review

Operational Risk Publication Date: May Operational Risk... 3

COSO Internal Control Integrated Framework (2013)

RISK ASSESSMENT CHECKLIST

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT PAYROLL AUDIT PROGRAM

[RELEASE NOS ; ; FR-77; File No. S ]

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Enterprise Risk Management

ACCOUNTING AND FINANCIAL REPORTING REGULATION MANUAL

MD AOC Project Introduction to PeopleSoft

General Ledger Auditing. Presented By: Jim Lee

Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC)

Standard Procedures and Controls for the Title Industry. Prepared by the ALTA Internal Auditing Committee ALTA

Project Tracking 2015

INFORMATION TECHNOLOGY CONTROLS

How to improve account reconciliation activities*

How To Audit A Company

Table of Contents. Agencies are required to provide two reports on financial management and one on grants management:

Top 10 System Implementation Audit Considerations

UNIVERSITY OF MISSISSIPPI MEDICAL CENTER. Internal Control Plan

Assessing Credit Risk

Executive - Salary Guide

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

NASA Financial Management

Reduced Total Cost of Ownership (TCO) and Increased Scalability with a New Accounting Solution

Montgomery County, Maryland Office of the County Executive Office of Internal Audit

ORACLE CASH MANAGEMENT. Release 12 Features

Transcription:

Risk and Controls 101

Agenda What is a Risk and Control? Controls 101 What is Risk and Control? Control Types Control Execution Control Categories A-123 Process here at LBNL Wrap-up Process Risk Map Control Summary 2

What is Risk? A risk is a possibility of suffering harm or loss, or what can go wrong Example: The Airline Industry Risks: Terrorism, Bankruptcy 3

What is a control? A control is an activity that prevents or detects errors to mitigate risks Example: The Airline Industry Controls: Security measures 4

Two Basic Types of Controls Control Types Description Examples Preventive Controls Prevent undesirable events from occurring Facilitate desirable events System controls preventing unauthorized access Restrictions of user overrides Segregation of duties Detective Controls Example: The Airline Industry Preventive? Detective? Identify/Detect undesirable events Dual entry of sensitive managerial transactions Exception reports, management review and action taken on the exceptions 5

Two Ways Controls are Executed Manual (performed by people) Examples: Authorizations, Management reviews Automatic (embedded in application code) Examples: Exception reports, Interface controls, System access Example: The Airline Industry Manual controls? Automatic controls? 6

Control Categories Control Category Legend Description Example Authorization Approval of transactions executed and access to assets and records only in accordance with management's general or specific policies and procedures. Authorization limits. Configuration/ Account Mapping "Switches" to secure data against inappropriate processing. Screen layouts with required fields. Exception/ Edit Reports Reports are generated to monitor something and exceptions are followed up to resolution. (Exception - a violation of a set standard, Edit - a change to a master file). Reports of transactions exceeding limits. Interface/ Conversion Controls Controls over moving data between computer systems. Process used to migrate data from a legacy system. Interface between AP system and GL system. Key Performance Indicators Financial and non-financial quantitative measurements that are collected by the entity and used to evaluate progress toward meeting objectives. A/R over 90 days. Management Review A person different from the preparer analyzing evidence and performing oversight of the activities performed. Manager review of reconciliations. Reconciliation Check whether two items (account balances, computer systems) are consistent. Items must be from different systems or records. Reconciliation of A/R to G/L. Segregation of Duties Separation of duties and responsibilities for authorizing transactions, recording transactions and maintaining custody. Staff who bill accounts receivable do not post cash collections. System Access Capabilities that individual users or groups of users have within a computer information system as determined by access rights are configured in the system. Password protection linked to level of access. 7

LBNL Process Risk Assessment Perform a risk assessment using the financial statements Document Controls Identify controls in processes Test Controls Test controls for their effectiveness by pulling a sample of transactions Remediate Identify control deficiencies and create a corrective action plan (CAP) Report to DOE Report in FMA Tool and Annual Assurance letter 8

Risk Ranking 1. General Ledger Management 2. Funds Management 3. Cost Management 4. Property Management 5. Environmental Liabilities 6. Payroll 7. Acquisition Management 8. Payables Management 9. Project Cost Management 10. Receivables Management 11. Benefits Administration 12. Revenue Recognition 13. Travel Impact 5 3 4 8 A-123 Risk MAP FY12 1 2 3 7 6 5 1 2 1 3 1 1 1 0 9 1 3 5 Likelihood Inherent Risk Key: High Medium Low 9

Key Control Summary-FY12 Process Manual Automated Total Funds 0 0 0 Cost 3 0 3 GL 5 1 6 Property 5 0 5 8 3 11 AP/Improper Payments Project Cost Management 20 3 25 Acquisitions 19 6 25 Payroll 10 9 19 Environmental Liabilities 16 3 19 IT* 5 7 12 Totals 91 32 123 * Internal Audit to Test 10

Wrap-Up Questions? Contact jwick@lbl.gov 11