Risk Assessment (IT & Non-IT)
Risk Assessment (IT & Non-IT)
MIS52052/21/2014
Control Environment (COSO framework): - The control environment sets the tone of an organization. It influences the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
Control environment factors: the integrity, ethical values and competence of the people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the policies and procedures for the prevention and detection of fraud, etc.
Risk Assessment Overview
Typical Enterprise Risk Categories:
Policies and Procedures
Personnel
Management and Supervision
Training
Organizational Structure
Fraud Prevention and Detection
Risk Definitions
Policies and Procedures – Definition:
Inadequately developed, documented and/or communicated business-specific policies and procedures.
Non-compliance with existing company and business-specific policies.
Risk Definitions and Events
Policies and Procedures – Sample Risk Events:
Ineffective process to report unethical matters related to financial reporting (hotlines, whistleblower program)
Mechanisms for reporting unethical matters have not been properly communicated to all employees (training)
Conflicts of interest surveys with affirmative responses have not been reviewed and properly escalated by the Ethics Officers for resolution (tone from the top)
Lack of inventory of corporate policies and procedures and business line/function specific policies applicable to the business activity (review and updating)
Risk Definitions and Events
Policies and Procedures – Sample Risk Events:
Inadequate policies and procedures training and communication across the company
Inadequate monitoring of changes or updates to corporate policies and procedures
Lack of active, written policies for all critical aspects of the business and corporate functions
Risk Definitions and Events
Policies and Procedures – Sample Risk Events:
Out-of-Date Policies and Procedures: Policies no longer reflect day-to-day activities either because of changes in the business/corporate function, impracticality of implementation, etc.
Company-wide system and information security policies and standards are not regularly reviewed and updated, or do not exist
Roles and responsibilities for information security and other system functions are not well defined and formalized, or do not enforce a proper segregation of duties
Policy statements for new products, subsidiaries, or other strategic initiatives have not been created
Risk Definitions and Events
Policies and Procedures – Sample Risk Events:
Management does not have a formal process to re-evaluate and revise procedures
Prior versions or copies of Standard Operating Procedures are not retained to support previous decision-making
Procedures are not reviewed/signed-off by Management, appropriate subject matter experts, or control groups (Law, Compliance, etc.)
Lack of appropriate, consistent approach to evaluation of exceptions to policy
Risk Definitions and Events
Personnel – Definition:
Insufficient number and retention of sufficiently competent or experienced personnel to accomplish the business's goals and objectives.
Insufficient number of people with required skill levels relative to the size of the business and nature and complexity of activities and systems.
Risk Definitions
Personnel – Sample Risk Events:
Employees do not meet the licensing requirements specified for their job position (industry specific, e.g. CISA, CFA, CPA, etc.)
Hiring decision records are not retained to support decisions to hire or reject candidates
Employees are not provided with, or do not have access to, the tools and utilities necessary to complete their job responsibilities
Lack of (or non-adherence to) standards and criteria for hiring, training, promoting and compensating employees
Business line does not maintain job descriptions or other means of defining specific job responsibilities
Risk Definitions and Events
Personnel – Sample Risk Events:
Management does not analyze the knowledge and skills needed to perform jobs adequately
Employees are not made aware of the responsibilities and duties expected of them, through formal written performance evaluations at least annually or through other informal processes
High level of turnover of experienced staff or high proportion of junior staff (e.g., can lead to work backlogs)
No succession plan in place
Lack of depth of resources within the business unit
Lack of cross training (resulting in unrealistic reliance on a few key personnel)
Risk Definitions and Events
Management and Supervision – Definition:
Inappropriate span of control, assignment of responsibility and delegation of authority to deal with organizational goals and objectives.
Inadequate availability of MIS to monitor business activity.
Inappropriate 'tone at the top', management behaviors and incentives set by management for subordinates that may have a negative impact on the control environment.
Risk Definitions
Management and Supervision – Sample Risk Events:
Inappropriate "tone at the top" established by business line management (e.g., tolerance level for control breaks or other policy violations discourages adherence to policies)
Management does not take disciplinary action to clearly communicate the consequences of inappropriate actions or of failure to address known and/or emerging issues
Management structure and/or span of control is not appropriate relative to business objectives
Lack of comprehensive risk analysis mechanisms, including control functions, to ensure that business line risks are identified, analyzed, monitored and controlled
Business line management does not reinforce corporate policy regarding acceptable business practices, conflicts of interest and expected standards of ethical and moral behavior
Risk Definitions
Management and Supervision – Sample Risk Events:
Management does not place a high emphasis on ethical behavior in dealings with employees, customers, regulators, control functions, etc.
Management does not have controls in place to mitigate pressure to meet unrealistic performance targets (particularly for short-term results) or reduce temptations arising from performance based compensation
Management does not have in place comprehensive MIS to monitor the business
Management behavior and/or structure does not foster communication (up, down and across)
Risk Definitions
Management and Supervision – Sample Risk Events
There is no proactive policy on known or emerging control breaches, policy or legal regulatory violations, and related corrective actions, to ensure actions are taken promptly and decisively, and if warranted, appropriate disciplinary actions are taken
New businesses or products are not initiated in a controlled manner
Supervisory duties are not carried out in accordance with licensing or regulatory requirements
Goals set by management may be unrealistic or incent inappropriate behavior
Risk Definitions
Management and Supervision – Sample Risk Events
Low employee satisfaction or morale
Employee concerns are not heard or addressed by management
Management is not able to effectively gauge or review employee performance
Risk Definitions
Training – Definition:
Inadequate training of personnel to meet position requirements or to fulfill company’s professional and ethical standards.
Risk Definitions
Training – Sample Risk Events:
Lack of formal training programs for new hires and existing employees
Employees are not encouraged to attend job-related training programs
Management does not have mechanisms in place to ensure that employees attend appropriate training programs
Failure to properly monitor compliance with tracking requirements
Inadequate function/product-specific or control-related skills training
Inadequate training to perform supervisory responsibilities
Training programs are not frequently updated
Risk Definitions
Training – Sample Risk Events:
Lack of cross training for periods where employees are absent, re-assigned, and/or unavailable
Failure to communicate lessons learnt from historical or recent experiences to mitigate the risk of recurrence.
Training programs are not delivered in a timely manner (e.g., prior to a systems implementation/major release).
Training programs do not support continuing education requirements for licensed representatives.
Risk Definitions
Training – Sample Risk Events:
Inadequate qualifications of training providers
Lack of practice to collect and analyze training feedback
Out-of-date training courses: training is not kept current with changes to products, systems, benefits, etc.
Lack of training budget
Risk Definitions
Organizational Structure – Definition:
Inadequate organizational structure to provide the necessary information flow to manage the business’ activities, assign responsibilities and ensure an adequate segregation of duties.
Risk Definitions
Organizational Structure – Sample Risk Events:
Inappropriate organizational structure and an inability to provide the necessary information flow to manage its activities
Inadequate definition of key managers' responsibilities and their understanding of these responsibilities (i.e., avoidance of ambiguity)
Inadequate knowledge and experience of key managers in light of responsibilities
Risk Definitions
Organizational Structure – Sample Risk Events:
Management has not assigned responsibility and delegated authority to deal with organizational goals and objectives, operating functions and regulatory requirements, and to ensure that appropriate segregation of duties is maintained
Inappropriate level of interaction between business line personnel, operations management and other control functions, particularly when geographically removed
Inappropriate segregation of duties (e.g. between Sales, Operational and Finance functions)
Risk Definitions
Fraud Prevention and Detection (Industry Specific, e.g. FIs) – Definition:
Inadequate and/or infrequently performed activities designed to prevent and/or detect fraud.
Risk Definitions
Fraud Prevention and Detection (Industry Specific) – Sample Risk Events
Administrative systems do not have 'red flags’ or reports to alert management to potentially fraudulent transactions (address change and disbursement transactions processed within a short period of one another)
Documentation to support transactions being processed can be deleted, altered, or lost
Signature verification process does not exist for high-dollar disbursement transactions
Special payee/address procedures are not in place for routine and non-routine payments
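The first risk event on this slide describes a specific detection rule: an address change and a disbursement on the same account processed within a short period of one another. The following is an added example of that "red flag" report, not code from the slide deck or from any administrative system it describes. The record layout, the field names, the 72-hour window and the sample transactions are assumptions made for the illustration; it also goes one step beyond the slide by marking pairs where the same operator processed both transactions, which is a segregation-of-duties break on top of the timing red flag.

```python
"""Added example (not from the slide deck): pair each disbursement with any
address change on the same account that preceded it within a short window.
Record layout, field names, the 72-hour window and the sample data below are
all assumptions made for this illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    account: str
    kind: str               # assumed vocabulary: "ADDRESS_CHANGE" or "DISBURSEMENT"
    when: datetime
    amount: float = 0.0
    operator: str = ""      # assumed: user id of the employee who processed it


def red_flags(txns, window=timedelta(hours=72)):
    """Return (address_change, disbursement) pairs where a disbursement follows an
    address change on the same account within `window`.

    Transactions are processed in time order, so each disbursement is compared
    only against address changes that happened before it; a change made after
    the money has gone is a different question and is deliberately not flagged."""
    flags = []
    changes_seen = {}  # account -> address-change txns already processed
    for t in sorted(txns, key=lambda x: x.when):
        if t.kind == "ADDRESS_CHANGE":
            changes_seen.setdefault(t.account, []).append(t)
        elif t.kind == "DISBURSEMENT":
            for change in changes_seen.get(t.account, []):
                if timedelta(0) <= t.when - change.when <= window:
                    flags.append((change, t))
    return flags


def same_operator(pair):
    """True when one employee both changed the address and released the funds."""
    change, disb = pair
    return bool(change.operator) and change.operator == disb.operator


# Constructed sample data (not real transactions).
SAMPLE = [
    Txn("ACC-1001", "ADDRESS_CHANGE", datetime(2014, 2, 10, 9, 5), operator="u17"),
    Txn("ACC-1001", "DISBURSEMENT", datetime(2014, 2, 11, 14, 30), 25000.0, "u17"),
    Txn("ACC-2002", "ADDRESS_CHANGE", datetime(2014, 2, 3, 8, 0), operator="u04"),
    Txn("ACC-2002", "DISBURSEMENT", datetime(2014, 2, 20, 10, 0), 1200.0, "u09"),
    Txn("ACC-3003", "DISBURSEMENT", datetime(2014, 2, 12, 11, 0), 900.0, "u09"),
    Txn("ACC-3003", "ADDRESS_CHANGE", datetime(2014, 2, 12, 12, 0), operator="u09"),
]


def report(txns=SAMPLE, window=timedelta(hours=72)):
    """One line per flagged pair, in the shape of a daily exception report."""
    lines = []
    for change, disb in red_flags(txns, window):
        line = (f"{change.account}: address change {change.when:%Y-%m-%d %H:%M} -> "
                f"disbursement {disb.when:%Y-%m-%d %H:%M} amount={disb.amount:.2f}")
        if same_operator((change, disb)):
            line += " SAME OPERATOR"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

With the sample data only ACC-1001 is flagged (the change and the 25,000 disbursement are 29 hours apart and were processed by the same operator); ACC-2002's disbursement is 17 days after its address change, and ACC-3003's address change comes after the money left. Widening the window is a one-argument change, which is the knob a control owner would tune against the false-positive rate.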
Risk Definitions
Fraud Prevention and Detection (Industry Specific) – Sample Risk Events
Management has not evaluated administrative systems user access for certain dangerous combinations
Role-based security does not align with segregation of duties and is not inclusive of both IT and non-IT based capabilities
Management has not been proactive in enhancing the staff's fraud awareness
Training is incomplete and/or outdated and does not address current fraud schemes.
Call Center authentication procedures are not adequate and do not provide an escalation process or suspicious caller guidance
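The first two risk events on this slide (user access not evaluated for dangerous combinations; role-based security not aligned with segregation of duties across IT and non-IT capabilities) are what an entitlement review automates. The following is an added example of such a check, not code from the slide deck or from any real administrative system. The role names, capability names, conflict pairs and user assignments are assumptions constructed for the illustration; a real review would load them from the access-control system and from a conflict matrix agreed with the control functions.

```python
"""Added example (not from the slide deck): evaluate user entitlements against a
segregation-of-duties conflict matrix. Roles, capabilities, conflict pairs and
the sample assignments are assumptions constructed for this illustration."""
from itertools import combinations

# Role -> capabilities it grants. Mixes IT capabilities (direct_db_write) with
# business ones (approve_claim), since a conflict can span both (assumed data).
ROLE_CAPS = {
    "claims_intake":   {"create_claim", "update_payee_address"},
    "claims_approver": {"approve_claim"},
    "disbursement":    {"release_payment"},
    "vendor_admin":    {"create_vendor", "edit_vendor_bank"},
    "ap_clerk":        {"enter_invoice"},
    "db_admin":        {"direct_db_write"},
    "gl_poster":       {"post_journal"},
    "gl_reviewer":     {"approve_journal"},
}

# Pairs of capabilities no single person should hold (assumed conflict matrix).
CONFLICTS = {
    frozenset({"create_claim", "approve_claim"}),
    frozenset({"update_payee_address", "release_payment"}),
    frozenset({"create_vendor", "enter_invoice"}),
    frozenset({"edit_vendor_bank", "release_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"direct_db_write", "release_payment"}),
}


def effective_caps(roles):
    """Union of capabilities across all roles; unknown roles grant nothing."""
    return set().union(*(ROLE_CAPS.get(r, set()) for r in roles))


def user_conflicts(roles):
    """Conflict pairs fully contained in the user's effective capabilities."""
    caps = effective_caps(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= caps)


def toxic_roles():
    """Design-time check: roles that are conflicting on their own."""
    return sorted(r for r in ROLE_CAPS if user_conflicts([r]))


def toxic_role_pairs():
    """Design-time check: role pairs that must never be assigned together.
    Catching these in the role model is cheaper than catching them per user."""
    return sorted((a, b) for a, b in combinations(sorted(ROLE_CAPS), 2)
                  if user_conflicts([a, b]))


def review(assignments):
    """assignments: user -> list of roles. Returns only users with conflicts."""
    return {u: c for u, r in assignments.items() if (c := user_conflicts(r))}


# Constructed sample assignments (not real users).
SAMPLE_ASSIGNMENTS = {
    "alice": ["claims_intake", "disbursement"],
    "bob":   ["ap_clerk", "gl_poster"],
    "carol": ["db_admin", "disbursement", "gl_reviewer"],
    "dave":  ["gl_poster", "gl_reviewer"],
}

if __name__ == "__main__":
    for user, conflicts in review(SAMPLE_ASSIGNMENTS).items():
        print(user, conflicts)
    print("role pairs that can never coexist:", toxic_role_pairs())
```

Two results are worth noting for the review itself. Per-user findings (alice can change a payee address and release payment; carol combines direct database write access with payment release) are what the slide's "dangerous combinations" review produces; the role-pair check is the design-time counterpart that tells the access administrators which role requests to refuse outright before a user ever accumulates the conflict.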
Risk Definitions
Fraud Prevention and Detection (Industry Specific) – Sample Risk Events
No quality review or second check exists over transactions where fraud could be perpetrated
No sampling occurs over transactions where fraud could be perpetrated
Journal entries or 'top side' entries impacting quarterly results are posted without a second review and proper approvals
Bonus/incentive compensation for individuals responsible for posting financial data is tied to company performance in a manner outside the existing performance management process
Non-designated and covered individuals can view non-public financial data before results become public.
Officers and Senior Executives are granted stock options that, when exercised, will inappropriately benefit them (e.g. backdating)
Risk Definitions
Fraud Prevention and Detection (Industry Specific) – Sample Risk Events
Vendor due diligence is not conducted on firms who have the ability to commit fraud
Vendor relationships are not disclosed or monitored for conflict of interest or collusion
Vendor invoices/charges are not reviewed against support or are not thoroughly examined
Miscellaneous loss accounts are not monitored
Risk Definitions
Fraud Prevention and Detection (Industry Specific) – Sample Risk Events
Agents and investment advisors are granted too much access to process transactions on behalf of customers
Underwriters and agents/brokers develop friendly relationships that may lead to preferential treatment (e.g. more favorable underwriting decisions)
Original, unaltered documentation is not available to support transactions.
Management is incented to meet certain business-related targets (such as number of complaints, sales targets, and/or quality assurance processing results).
Risk Definitions