HOW TO IDENTIFY RISKS THAT COULD ADVERSELY AFFECT YOUR OPERATIONS · SCCE Higher Education Compliance Conference


SCCE Higher Education Compliance Conference


HOW TO IDENTIFY RISKS THAT COULD ADVERSELY AFFECT YOUR OPERATIONS

SCCE Higher Education Compliance Conference

May 31, 2015

3:00 p.m. – 5:00 p.m.

Len Ohnstad, MBA, CPA, CIA, Associate Director of Internal Audit


Len Ohnstad, MBA, CPA, CIA

• Associate Director, Kennesaw State University, 7 years.

• Senior Internal Auditor for the Board of Regents of the University System of Georgia, 1 year.

• Senior Internal Auditor at AGL Resources, Inc., 5 years.

• Senior Internal Auditor at Rollins, Inc., 5 years.

• BBA, University of Minnesota

• BAc, University of Minnesota

• MBA, Kennesaw State University


What is a Risk?


A risk is the possibility of an event or action having an adverse effect on your department’s activities and operations.

A risk is a process or event that could prevent your department from accomplishing its objectives.

“How SURPRISED do you really want to be?”

Examples of Risks

• Unauthorized expenditures

• Accidents/injuries

• Theft

• Unauthorized access to confidential records

• Unauthorized use of the organization’s property

• Inaccurate financial records

• Damage to reputation

• Goals and objectives not being accomplished

• Expenditures are not for official business (e.g., travel)


How Do We Reduce Our Department’s/Organization’s Risks?


1. Determine our risks.

2. Determine what internal controls should be in place to reduce these risks.

What are Internal Controls?

INTERNAL CONTROLS – Processes and activities designed to prevent risks from materializing.

EXAMPLES of INTERNAL CONTROLS:

• Written policies and procedures

• Authorization of transactions

• Segregation of duties

• Reconciliations

• Inventory counts/perpetual inventory system

• Cash counts

• Access security

• Safeguarding of assets

• Retention of records


Benefits of Identifying Risks and Implementing Internal Controls

• Helps you prepare for an audit. Auditors determine if your department has adequate internal controls in place to mitigate your risks. You will have an audit finding if there are weak internal controls.

• Enables managers to focus on their core business activities without having to spend their time “putting out fires.”

• Protects the organization’s reputation and assets.

• Enhances effectiveness, efficiency, and productivity.

• Protects management. If an adverse event occurs, management will be better able to defend themselves if there are internal controls in place.

How Do We Determine Our Risks?

1. Come to the realization that unaddressed risks are a serious issue and could severely affect your operations.

Develop a sense of urgency.

Develop a mindset that identifying and addressing your risks is going to help you to avoid negative consequences.

Imagine what would happen if an adverse event occurred:

• Employee terminations

• Lawsuits

• Media coverage

• Financial losses

• Not accomplishing goals and objectives


How Do We Determine Our Risks?

2. Generate a listing of your department’s key processes.

This is best accomplished through a group effort, including a departmental manager and the department’s key employees.

Examples:

• Hiring and Promotion

• Training

• Travel

• Recording of Transactions

• Purchasing

• Confidential Information

• Inventory

• Administrative Duties

• Processes that are unique to your department (e.g., for a university – admissions, curriculum, student advising, etc.)

How Do We Identify Our Risks?

3. For each process, determine what could go wrong.

Examples:

Hiring and Promotion – An unqualified individual is hired for a position; a promotion results in resentment from other employees.

Training – Employees are not properly trained to perform their responsibilities; there is a policy manual but nobody has ever been trained on these policies.

Travel – Not necessary for official business; overlaps with personal travel.

Recording of Transactions – transactions are not accurate or are falsified.

Purchasing – Unauthorized purchases; personal purchases.

Confidential Information – Release of information to unauthorized individuals resulting in someone being adversely affected, damage to someone’s reputation, identity theft, lawsuits, etc.

Administrative Duties – Appointments not scheduled properly; lack of courtesy and politeness; transactions not properly accounted for.


Eight Types of Risks


1. Departmental

2. Compliance

3. Management

4. Operational

5. Inventory

6. Reputational

7. Strategic

8. Financial

1. Departmental Risks

Risks that apply to the activities and processes of your specific department. For example, some of the major categories of your departmental risks could include:

• Curriculum is not properly prepared, reviewed, and approved.

• Potential personnel issues are not adequately planned for, monitored, and addressed.

• Potential issues with students are not adequately planned for, monitored, and addressed.

• Department does not meet accreditation standards.

• Day-to-day management and administrative duties are not adequately performed.

2. Compliance Risks

Risk that activities will not comply with KSU, Board of Regents, State, and Federal policies and procedures.

• Managers and employees do not ensure that P-Card, Travel, General Expenditure, Cash Handling, and Petty Cash transactions are in compliance with applicable policies and procedures.

• Management and employees are not aware of the current policies and procedures.

• Employees are not provided adequate training on current policies and procedures.

3. Management Risks

Risks that affect the effectiveness of your internal control structure.

• Management does not convey the importance of strong internal controls to employees (tone at the top).

• The department does not assess its risks on an ongoing basis.

• The department does not have adequate internal control activities (e.g., policies and procedures, segregation of duties, approval of transactions, etc.).

• The department does not have an effective information and communication system.

• Management does not continuously monitor the effectiveness of its internal controls.

4. Operational Risks

Risks associated with the goals, objectives, policies, procedures, employee turnover, and job responsibilities of your department.

• Goals and objectives are not developed, documented, communicated, reviewed, and they are not SMART (i.e., Specific, Measurable, Assignable, Realistic, Timely).

• Policies and procedures are not written, readily available, reviewed, and communicated to employees through periodic training.

• Employee turnover is not monitored (where, who, when, why, and how) by management.

• Job responsibilities are not assigned to specific employees, communicated to all employees, and monitored by management.

5. Inventory Risks

Risk that individual purchases over a nominal value will be lost, stolen, damaged, converted to cash, or used for personal reasons.

• There are no written departmental policies and procedures for the safeguarding of inventory.

• Purchases are not tracked using a perpetual inventory system.

• Periodic physical inventory counts are not taken.

• Physical inventory is not reconciled to a perpetual inventory system.

• Unauthorized individuals are using the department’s equipment.

• Equipment is not signed in and out when taken off the campus.

• Guidance and training are not provided to all employees.

• Routine maintenance is not performed.

6. Reputational Risks

Risk that individuals (e.g., internal and external customers, the public, staff, students, faculty, and top management) will have a negative perception of the department as a result of certain activities and/or behaviors.

• Management does not ensure employees produce high-quality work.

• Employees are not ethical and positive in their behavior.

• Management does not stress the importance of being friendly and courteous to internal and external customers.

• Management and employees do not understand that departmental activities could be publicized and negatively affect the department, KSU, or the Board of Regents.

• Management does not ensure policies and procedures are followed.

• Customer complaints are not taken seriously, investigated, and resolved.

• Employees are not provided training on proper customer service techniques.

7. Strategic Risks

Risk that management will not achieve the department’s long-term goals and objectives.

• Department does not have a written mission statement (i.e., a written declaration of the department’s core purpose that remains unchanged over time).

• Department does not have a written vision statement (i.e., an aspirational description of what the department would like to accomplish in the mid-term or long-term future).

• Management does not meet with staff as a participative work team at least once annually to develop and document long-term goals and objectives for the department.

• Management does not continuously monitor the progress of long-term goals and objectives.

8. Financial Risks

Risk that financial data is not monitored by management.

• Management does not ensure all financial transactions are properly reviewed and approved.

• Management does not review budget and expense reports at least monthly to ensure expenditures are appropriate and the department is operating within budget.

• Key financial and operating reports are not routinely reviewed and shared with relevant personnel.

• Key financial reconciliations and trend analyses are not prepared by staff members and reviewed by management.

• Management does not perform spot-check reviews on financial transactions that are unusual and inconsistent.

How Can Risks Be Reduced?

INTERNAL CONTROLS

What are Internal Controls?

Internal controls are departmental processes and activities designed to:

1. Reduce risk or prevent risk from materializing.

2. Provide reasonable assurance regarding the achievement of the department’s objectives.

3. Improve effectiveness and efficiency of operations, compliance with policies and procedures, and reliability of financial transactions and reports.

Examples of Personal Internal Controls

When you came to work today, did you lock the doors to your house and car?

Do you keep the PIN number for your ATM card in a safe place?

Do you reconcile your bank statements each month?


Who is Responsible for Internal Controls?

All employees are responsible for ensuring internal controls are operating effectively.

All employees are responsible for compliance with KSU, BOR, State, and Federal policies and procedures.

Management is responsible for providing leadership and setting the “Tone at the Top” to ensure that internal controls are:

1. Established

2. Documented

3. Implemented

4. Monitored

Internal Controls Myths and Facts

MYTHS

• Internal controls start with a strong set of policies and procedures.

• Internal controls: That’s why we have auditors!

• Internal controls are only concerned with financial transactions.

• Internal controls take time away from your core business activities.

FACTS

• Internal controls start with a strong tone at the top.

• While internal auditors play a role in assessing internal controls, management is primarily responsible for implementing and/or increasing internal controls.

• Internal controls reduce eight types of risks, including financial risks.

• Internal controls enable you to focus more time on your core business activities.


Examples of Department Risks and Internal Controls

RISKS

• Employees are not properly trained to perform their job responsibilities.

• Travel is not for official business.

• Unauthorized purchases.

• Confidential information is released to unauthorized individuals.

INTERNAL CONTROLS

• Formal, periodic training.

• A travel request is reviewed by a supervisor who is above the traveler before any expenses are incurred.

• Purchase requests are reviewed and approved by management before purchases are made.

• Restricted access to confidential information.

Advantages of Setting Up an Effective System of Internal Controls

Reduces careless mistakes and risky transactions.

Increases management and staff effectiveness and efficiency.

Enhances responsibility and accountability.

Provides reasonable assurance regarding the achievement of your department’s objectives.


Biggest Threats to the Effectiveness of Internal Controls


• Management Override – A well-designed internal control system, if overridden at management’s discretion, can be equivalent to no internal controls in terms of risk.

• Access to Inventory – The best way to safeguard inventory is to control access to it.

• Conflicts of Interest – When an employee’s loyalties are divided, there is a risk that the employee will choose a course of action detrimental to the department.

• Collusion – Two or more employees may agree to circumvent internal controls.

Preventive vs. Detective Controls

Preventive Controls

Internal controls that are built into the process or system to deter or PREVENT undesirable events BEFORE they occur.

Examples:

• Pre-approval of transactions

• Physical controls over inventory

• Password-protected access to computer systems

• Pre-numbered and sequential document numbers (i.e., receipts)

• Computer backups

• Segregation of duties

• Job descriptions

• Written policies and procedures

• Perpetual inventories


Preventive vs. Detective Controls

Detective Controls

Internal controls that help to DETECT undesirable events AFTER they occur.

They provide evidence that an adverse event has occurred, but do not prevent the event from occurring.

Examples:

• Reconciliations

• Supervisory review of budgets, expenses, reports, and payroll

• Physical inventories

• Surprise cash counts

• Comparison of budgets to actual results

• Evaluation of job performance

Can There Be Too Many Controls?

YES!

There needs to be a balance between too little and too many internal controls.

Internal controls should be:

• Proactive

• Value added

• Cost effective

• Designed to reduce risks

Results of excessive controls:

• Increased bureaucracy

• Reduced productivity

• Increased complexity

• Excessive cost – cost vs. benefit


Document Your Department’s Process, Risks and Internal Controls


PROCESS: Training

RISKS:

1. Employees are not properly trained to perform their job responsibilities

2. Another risk

3. Another risk

INTERNAL CONTROLS:

1. Formal, periodic training

2. Another control

3. Another control

PROCESS: Purchasing

RISKS:

1. Unauthorized purchases

2. Another risk

3. Another risk

INTERNAL CONTROLS:

1. Require management review and approval before purchases are made

2. Another control

3. Another control

PROCESS: Confidential Information

RISKS:

1. Released to unauthorized individuals

2. Another risk

3. Another risk

INTERNAL CONTROLS:

1. Restrict access to confidential information

2. Another control

3. Another control

Ongoing Risk Identification

• Ongoing Participative Work Team Meetings. Management and staff working together through participative discussions to identify risks to the department.

• Periodic Risk Assessments with Internal Audit.

• Open Communication Between Management and Staff Regarding Potential and Actual Risks.

• Evaluation of Feedback from Internal and External Sources.

• Continuous Review of Policies and Procedures.

• Continuous Monitoring of Departmental Operations.


Questions and Comments?
