1 / 44

COSO and Risk/Control Self-Assessments

COSO and Risk/Control Self-Assessments Charles G. Chaffin, CPA, CIA Director of Audits and David B. Crawford, CPA, CIA Audit Manager The University of Texas System Objective To provide a detailed explanation of how:

andrew
Download Presentation

COSO and Risk/Control Self-Assessments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COSO and Risk/Control Self-Assessments Charles G. Chaffin, CPA, CIA Director of Audits and David B. Crawford, CPA, CIA Audit Manager The University of Texas System

  2. Objective To provide a detailed explanation of how: • The University of Texas (UT) System adopted COSO and the techniques used to implement it. • The Risk/Control Self-Assessment Process at UT System • Self-Assessment Uses and Critical Success Factors

  3. INTRODUCTION • 13 Billion • 5 Billion • 1.6 Billion • 2.1 Million • 170,000 • 75,000 • 15

  4. Academic UT Austin UT San Antonio UT Dallas UT El Paso UT Brownsville UT Pan American UT Tyler UT Permian Basin UT Arlington Medical UT Medical Branch at Galveston UT HSC Houston UT HSC San Antonio UT HSC Tyler UT Southwestern UT M. D. Anderson Cancer Center U.T. System

  5. It Could Be You The Lynn Deer Case U.T. Austin, 1994 10

  6. 1994 Action Plan • Awareness • Statements of Philosophy/Responsibility • Internal Control Training/Handbook • Accountability • Job Descriptions/Performance Evaluations • Disciplinary Action • Audit Committees • Membership/Frequency of Meetings

  7. Statement of Philosophy Employees of The University of Texas ___________ owe a responsibility to the people of Texas in the performance of their duties. High personal and professional standards are critical in fulfilling this responsibility. Employees will be held accountable for their action (or failure to act) and such accountability cannot be delegated to others. All employees of The University of Texas ___________ agree to abide by a Code of Ethics which provides reasonable assurance that the employee will not personally benefit or accept or give favors as a result of his/her position as an employee of The University of Texas ___________. (The “Code of Ethics” is published in the Rules and Regulations of the Board of Regents, Part One, Section 4.0).

  8. E FFECTIVELY C ONTROLLING R ISKS A Balancing Act

  9. Internal Control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives in the following categories: • Effectiveness and efficiencies of operations, • Reliability of financial reporting, and • Compliance with applicable laws and regulations.

  10. Risk & ControlSelf-Assessment Guideline The Process

  11. Internal Control Training • Over 4,000 U. T. employees trained in 1995. • Central message to Chairs and Directors: “You are responsible for internal controls.” • Complete Risk Assessment and Implementation Plan for Financial and Administrative Activities. • Copy to applicable Vice President • Copy to Internal Audit

  12. 1996 Action Plan 1. Annual Statement of Philosophy 2. Annual Statement of Responsibility and Accountability 3. Disciplinary Action 4. Require membership in Internal Audit Committee (IAC) 5. Require Quarterly IAC meetings.

  13. 1996 Action Plan (cont.) 6. Regular Internal Control Training (Video & Internet Program) 7. Update Management Responsibilities Handbook 8. Amend Job Descriptions 9. Amend Performance Evaluations 10. Offer Reconciliation Training

  14. 1996 Action Plan (cont.) 11. Newsletters to Highlight Internal Controls 12. Complete Risk Assessment and Implementation Plans 13. Statement of Responsibility for Researchers 14. Internal Audits of all Departments (3 to 5 years) 15. Internal Audits of all Key Financial Information

  15. 1996 Action Plan (cont.) 16.** Offer Control Self-Assessment Workshops 17.** Develop Model CSA Workshop Manuals 18. All Departments Perform a Control Self-Assessment 19. Report on Internal Control

  16. Control Self-Assessment Any activity where the people responsible for a business area, task, or objective using some demonstrable approach analyze the status of control and risk to provide additional assurance related to the achievement of one or more business objectives

  17. Control Self-AssessmentWorkshop Process • Meet with Chair/Director before session #1. • 2 auditors/facilitators. • Sessions #1, 2 hours - control process. • Regularly communicate with department after Session #1 about control activities. • Session #2, Prioritize activities/processes if too many. • Homework after session #2 - Risk/Control worksheets.

  18. Risk/Control Worksheet Department: Prepared by: Activity: Date prepared:

  19. Final Product • Self-Assessment Report on Internal Control to Senior Management. • Internal Auditors’ Review Report. • Departmental Audit Report (optional). • Significant findings go into tracking system.

  20. Model Participant’s Manual and Presentation Slides • Guides the facilitator through the workshop. • Designed to answer participant questions.

  21. U.T. System Program • Types of Departments that have had CSA workshops. • Real Estate Office • University Lands Accounting Office • West Texas Operations • Office of Facilities Planning and Construction • Office of Information Resources • Office of Finance • Employee Group Insurance Program

  22. U.T. System Program • Academic Departments • Physical Plant • Student Financial Aid • Performing Arts Center • Libraries • Research • Volunteer Services • Financial Services • Student Affairs

  23. Impact on Performance • Better working relationship between audit and operations. • Better understanding of the business by all. • Better operational findings. • Better buy-in to planned corrective action. • More efficient audit process.

  24. Implementation Strategy • Walk before you run. • Develop a strategy based on management’s commitment to enhancing internal controls. • Work CSA workshops into existing audit plan; sell it as a way to improve audit results. • Pilot departments that work well with audit. • Constantly adapt and revise. • Take what you get and move on.

  25. Questions

  26. Self-Assessment Demographics

  27. Uses of Self Assessment • Focus/Align • Evaluate • Document • Train • Monitor • Report Status • Measure Soft Control

  28. Self Assessment Tools • Survey • Questionnaire • Control Guide • Interviews • Workshops

  29. Types of Self Assessments • Control • Risk • Process • Objective • Problem • Perception

  30. Control-Based • Identify control structure • Compare to a model • Identify gaps

  31. Risk-Based • Assess Risks • Choose Mitigation Strategy for each risk • Choose controls for each controlled risk

  32. Process-Based • Map process • Justify process steps • Identify additional steps • Identify steps to be eliminated

  33. Objective-Based • Identify linkage • Inventory activities for each objective • Inventory risks for each activity

  34. Problem-Based • Identify problem • Apply group knowledge to problem • Define group solution

  35. Perception-Based • Identify attitudes and beliefs • Provide a baseline • Soft controls

  36. Validating Self-Assessment Products • Benchmarking • Management Attestation • Auditor Involvement • Follow-up Audit • Traditional Audit

  37. Internal Audit Uses of Self-Assessment

  38. REPLACE TRADITIONAL • Preliminary Survey • Evaluation of Control Structure • Operational Audits • Low Risk Areas of Operation

  39. SUPPLEMENT TO TRADITIONAL AUDITING • Control Environment • Risk Assessment • Evaluation of Control Activity Efficiency • Communication and Information • Monitoring

  40. POINT TO POTENTIAL TRADITIONAL AUDITS • Highlights high risk areas • Identifies problems or potential problem areas • Links traditional audits to operational needs

  41. Critical Success Factors

  42. Critical Success Factors • Proper Beginnings • Spitting Image • Working Together • Absorbed in Daily Routine • Reinforce/Reward • Discipline through Doing • Learn by Falling

  43. How Do You Insure Self Assessment Success? • Identify a Champion • Successful First Contact • Match to Corporate Culture • Align with Business Objectives • Institutionalize It • Reward the Participants • Use the Products • Be a Chameleon

  44. Contact Information • Web site: www.utsystem.edu/aud/resources • E-mail: dcraw@utsystem.edu • Phone: 512-499-4767 • Fax: 512-499-4550 • Address: 201 W. 7th ASH5, Austin, Texas 78701

More Related