Risk Management


Presentation Transcript


  1. Risk Management Internal Audit Internal Controls Management Oversight Ethics Conflicts of Interest FERPA/HIPAA

  2. Internal Audit Who We Are What We Do How We Can Help

  3. Charter Our mission is to assist the University in the accomplishment of its goals. We do this by providing a systematic, disciplined, approach to evaluating, advising, and improving the processes of resource application, risk management, control and governance throughout the University.

  4. Organization & Reporting • The ISU Internal Audit Office consists of three employees: director, senior auditor, and staff auditor. It also utilizes two student auditors when funding is available. • The Director reports functionally to the State Board of Education Audit Committee and administratively to the University President. • Staff are ISU employees. • Internal Audit reports are submitted to the President and in summary form to the Audit Committee.

  5. Objectives • Appraise the economy and efficiency of operations • Identify and evaluate significant risk exposures • Verify the existence of and control over University assets • Ascertain compliance with policies, regulations, and laws • Provide guidance for new policies, procedures, processes, and systems • Investigate fiscal misconduct, fraud, conflicts of interest, waste, and abuse • Act as a liaison with external audit organizations

  6. Services We Provide • Risk-based operational audits • Compliance audits • Special request reviews • Investigations • Purchase card audits • Verification of assets • Consultative services • Assistance to external auditors

  7. How We Help • We are a constructive link between policy-making and operational levels of the University • Early warning system to identify financial or other risks • Identify opportunities for fiscal and operational improvement • An independent, internal entity for employees and students to address concerns or present ideas for improvement

  8. Where is Internal Audit? We are located in the Continuing Education Building - 1001 N. 7th Ave, Suite 202 ISU Stop 8093 282-3182

  9. Internal Controls What They Are & Why I Should Care

  10. What are Internal Controls? Internal controls are processes designed to provide reasonable assurance regarding the achievement of an organization’s objectives related to: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws, regulations and policies

  11. What is Risk? Risk can be defined simply as anything that could prevent an organization from accomplishing its goals and objectives.

  12. Internal Controls are Designed to Minimize Risk by: • Protecting assets. • Ensuring records are accurate. • Promoting operational efficiency. • Encouraging adherence to policies, rules, regulations, and laws. • Reducing the opportunity for fraudulent activity.

  13. Components of Internal Control – COSO Model • Control Environment • Control Activities • Risk Assessment • Information and Communication • Monitoring

  14. Control Environment • Sets the tone for an organization – “Tone at the Top”. Establishes the organizational culture. • Provides discipline and structure. • Is the foundation of the organization’s control system. • Key factors include: • Integrity and ethical values. • Competence of institutional personnel. • Leadership philosophy and management style. • How management assigns authority & responsibility and organizes and develops its people.

  15. Control Activities • Policies and procedures established to ensure management directives are carried out. • Actions taken to address risk. • Include a range of activities: • Authorizations • Verifications (e.g. physical inventory) • Reconciliations • Physical security of assets • Access limitations • Segregation of duties

  16. Risk Assessment • Identification and analysis of relevant risks (e.g. operational, financial, and compliance). • After risks have been identified they must be evaluated using a formal or informal process which includes: • Estimating the significance of a risk. • Assessing the likelihood (or frequency) of the risk occurring. • Assessing the actions that could be taken to manage the risk and their associated costs. • Risk assessment is an on-going process.

  17. Information and Communication • Information systems produce reports containing operational, financial and compliance-related information. • Information must flow down, across and up within the organization. • The effectiveness of information systems depends on many factors: • Information systems must be based on a strategic plan. • Adequate resources must be allocated to the system. • Information must reach the right people. • Information must be in sufficient detail and be timely. • Reports must be accurate and provide necessary information.

  18. Information and Communication • The effectiveness of communication systems also depends on many factors: • Employees’ duties and control responsibilities must be effectively communicated. • Channels of communication must exist for employees to report suspected improprieties. • Management should be receptive to employee suggestions for improvement. • Communication must be effective across departmental lines. • Communication must be timely and sufficient for individuals to effectively discharge their responsibilities. • Outside parties should be made aware of the institution’s standards. • There must be timely and appropriate follow-up on information feedback.

  19. Monitoring • Monitoring is a process that assesses the quality of the internal control system through on-going monitoring activities and separate evaluations. • On-going monitoring activities include: • Review of operating and financial reports to identify significant inaccuracies or exceptions. • Investigation of information received from external parties. • Organizational structure and supervisory activities. • Comparison of data recorded in the information system to physical assets. • Periodic confirmations by personnel that they understand and are complying with the institution’s code of conduct. • Separate evaluations can be conducted by management or by internal and external auditors.

  20. Internal Control Objectives A good system of internal controls will accomplish the following objectives: • Authorization: All transactions are approved by responsible personnel. • Completeness: All valid transactions are included in the accounting records. • Accuracy: All valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner. • Validity: All recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management’s general authorization.

  21. Internal Control Objectives • Physical Safeguards and Security: Access to physical assets and information systems is controlled and properly restricted to authorized personnel. • Error Handling: Errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management. • Segregation of Duties: Duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing a transaction.

  22. Who is responsible for internal control? Management: • The President provides leadership and direction to senior administrators. • Vice presidents provide direction to senior administrators responsible for major functional areas. • Deans and department heads have line responsibility for designing and implementing control systems at detailed levels.

  23. Who else is responsible? All employees should: • Read and understand the policies and procedures which affect their jobs. • Evaluate the propriety of transactions (legal and ethical?) • Safeguard assets. • Evaluate the economy and efficiency of operations. • Follow the established internal controls. • Notify management when internal controls are not effective or are being circumvented.

  24. Limitations of Internal Control Internal controls, no matter how well designed and executed, can only provide reasonable assurance regarding the achievement of objectives. Limitations include: • Judgment – Decisions must be made constrained by available time and the information at hand, and under the pressures of getting a job done. • Breakdowns – Employees may misunderstand instructions. Errors may occur from new technology or due to complex systems. • Management override – High level personnel may be able to overrule controls for personal gain or advantage. • Collusion – Two or more individuals may work together to bypass controls. No internal control system is immune from collusion!

  25. Is cost of control a consideration? Yes! In determining whether a particular control should be established, the risk of failure and its potential effect must be considered along with the cost of establishing the control. Excessive control is costly and counterproductive. Too little control presents undue risk. There should be a conscious effort made to strike an appropriate balance.

  26. Management Oversight The Key to Control & Risk Management

  27. Management – The buck stops here! As a manager, you are responsible for: • Establishing the “tone at the top” and promoting an ethical business environment by providing structure, feedback, and discipline. • Assessing risks specific to your operations and developing a control system to address risks that could prevent achieving established goals (see handouts). • Establishing and maintaining control activities such as reconciliations, approvals, and review of operating activities. • Ensuring appropriate access to and use of University information and systems. • Monitoring the control system and its activities to identify and correct breakdowns in a timely manner.

  28. Management – Best Practices • Read all requests to spend University funds before approving them. • Develop written procedures for critical operations. • Develop measurable departmental goals based on strategic plans. Create an action plan that is communicated to all employees. • Ensure every transaction involves at least two people. • Review departmental transactions monthly and investigate concerns. • Deposit funds daily (properly secure cash, check and credit card information). • Review processes on a continuous basis (is there a better way?). • Ensure all expenditures have a clear business purpose. • Maintain good supporting documentation for all expenditures. • Make sure time sheets are reviewed and approved by a supervisor who is familiar with the employee’s work hours.

  29. Propriety of University Expenditures University expenditures will be considered proper if they meet all of the following seven tests: • They are in the best interest of the University and for official business only. • They comply with all applicable federal and state laws, and University regulations, policies and procedures. • They do not appear to, or actually, provide a personal benefit to employees. • They are within approved budgets. • They are necessary to accomplish University business. • They are reasonable: quality and quantity are sufficient to meet but not exceed the identified need. • They are approved by the appropriate level of management.

  30. Ethics The Foundation

  31. What Does Ethics Mean to You? Sociologist Raymond Baumhart asked some business people this question. Replies included: • "Ethics has to do with what my feelings tell me is right or wrong.” • "Ethics has to do with my religious beliefs.” • "Being ethical is doing what the law requires.” • "Ethics consists of the standards of behavior our society accepts.” • "I don't know what the word means."

  32. What is Ethics? Simply stated, ethics refers to the standards of behavior that tell us how human beings ought to act in many situations in which they find themselves as friends, parents, children, citizens, employees, teachers, professionals, etc.

  33. What Ethics is Not Ethics is not: • The same as feelings • Religion • Just following the law • Following culturally accepted social norms • Science

  34. Why is Identifying Ethical Standards Difficult? Two fundamental problems: • On what do we base our ethical standards? • How do those standards get applied to specific situations?

  35. Framework for Ethical Decision Making • Recognize an Ethical Issue • Get the Facts • Evaluate Alternative Actions • Make a Decision and Test It • Act and Reflect on the Outcome

  36. Recognize an Ethical Issue • Could this decision or situation be damaging to someone or to some group? • Does this decision involve a choice between a good and a bad alternative; between two “goods”; or between two “bads”? • Is this issue about more than what is legal or what is most efficient? If so, how?

  37. Get the Facts • What are the relevant facts of the situation? • What facts are not known? • Do I have enough information to make a decision? • What individuals and groups have an important stake in the outcome? • Are some concerns more important? Why? • What are the options for acting? • Have I identified creative options?

  38. Evaluate Alternative Actions Ask yourself the following questions: • Which option will produce the most good and do the least harm (Utilitarian Approach)? • Which option best respects the right of all who have a stake (Rights Approach)? • Which option treats people equally (Justice Approach)? • Which option best serves the community as a whole (Common Good Approach)? • Which option leads me to act as the sort of person I want to be (Virtue Approach)?

  39. Make a Decision and Test It • Considering all these approaches, which option best addresses the situation? • Would I make the same decision if I knew it would be public—in a newspaper article or on a TV news report (newspaper test)? • Would mom approve? • Could I rationally and honestly defend my decision? • If a colleague made the same decision, would I support him or her? • Are there laws, policies, rules or directives governing or restricting my decision?

  40. Act and Reflect on the Outcome • How can my decision be implemented with the greatest care and attention to the concerns of all stakeholders? • Reflect on how the decision turned out and what you learned from the situation. • Be willing to reassess your decision if more facts become available.

  41. Obstacles to Ethical Decision Making Rationalizations: • If it’s necessary, it’s ethical • If it’s legal and permissible, it’s proper • It’s just part of the job • It’s all for a good cause • I was just doing it for you • I’m fighting fire with fire • It doesn’t hurt anyone • Everyone’s doing it • It’s okay if I don’t gain personally • I’ve got it coming • It’s just politics

  42. Ethical Rules Pertaining to ISU • ISU currently does not have a comprehensive code of conduct or ethics policy. It has individual policies that need to be updated. • State Board of Education Conflict of Interest and Ethical Conduct policy (Section II, Subsection Q). • Idaho Statutes: • Bribery and Corrupt Practices Act (Title 18, Chapter 13) • Prohibitions Against Contracts with Officers (Title 59, Chapter 2) • Ethics in Government Act (Title 59, Chapter 7) • State Board of Education Compliance Program policy (not finalized yet). Institutions must establish: • A code of ethics that applies to all employees. • A published list of all major compliance areas categorized by risk. • A mechanism for coordinating compliance oversight, monitoring, and enforcement. • A means of assuring institutional policies are regularly reviewed for compliance with federal and state laws and regulations and Board policies.

  43. SBoE – Ethical Conduct All employees of the institutions and agencies shall: • Not hold financial interests that are in conflict with the conscientious performance of their official duties and responsibilities; • Not engage in any financial transaction in order to further any private interest; • Put forth honest effort in the performance of their duties; • Make no unauthorized commitments or promises of any kind purporting to bind the Board or any Board-governed entity; • Not use their public offices for private gain; • Act impartially and not give preferential treatment to any private or public organization or individual; • Protect and conserve public property and not use it for other than authorized activities; • Not engage in outside employment or activities, including seeking or negotiating for employment, that conflict with official duties and responsibilities; • Promptly disclose to their chief executive officer waste, fraud, abuse, or corruption; • Endeavor to avoid any actions that would create the appearance that they are violating the law or the ethical standards of the Board or the relevant Board-governed entity; • Disclose and avoid conflicts of interest, potential conflicts of interest, and circumstances giving rise to the appearance of a conflict of interest.

  44. Current ISU Policies • Academic Freedom/Faculty Ethics • Employment of Relatives/Nepotism • Faculty/Student Relationships • Outside Employment • Private Consulting Outside the University • Sexual Harassment • Misconduct in Research and Scholarship • Research Conflict of Interest • Financial Interest Disclosure Form

  45. How do you create an ethical work environment? • Establish an enforceable code of conduct • Ensure executive modeling – tone at the top • Provide initial and on-going training • Encourage regular communication • Maintain an anonymous hotline • Take action – hold individuals accountable • Reward employees that maintain an ethical work environment • Implement equitable policies that are communicated • Provide fair compensation and reasonable working conditions.

  46. Code of Ethical Conduct Driven by the University’s mission of teaching, research and public service: • Sets expectation of highest standards of ethical conduct. • Commits to upholding the reputation of the University. • Encourages compliance with applicable laws, regulations, and University policies. • Does not condone retaliation for any good faith report of improper activity. • Be honest, ethical, truthful. • Obey the law. • Follow University policies and procedures.

  47. What is Fraud? A dishonest and deliberate course of action that results in the obtaining of money, property or an advantage to which the person committing the action would not normally be entitled. Intentional misleading or deceitful conduct that deprives another of his/her resources or rights. Fraud always involves intent and some violation of trust.

  48. What is Waste? Waste occurs when someone makes careless or extravagant expenditures, incurs unnecessary expenses, or grossly mismanages resources. This activity results in unnecessary costs. It may or may not provide the person with personal gain. Waste is almost always the result of poor management decisions and practices or poor accounting controls.

  49. What is Abuse? Abuse most often involves an employee exploiting “loopholes” in policies and procedures for personal benefit. Abuse is very close to fraud, but often is not prosecutable as such. Abuse includes, but is not limited to the misuse or destruction of resources, using the powers of an official position inappropriately, or any other seriously improper practice that cannot be prosecuted as a fraud or other illegal act.

  50. Examples of Fraud, Waste and Abuse • An employee purchases a meal for a meeting which has a valid business purpose. The meal meets University policy, all receipts are provided and the proper form is completed. (Acceptable) • The employee has a meeting with a valid business purpose. A meal is purchased, receipts are provided and required forms are completed. However, the meeting could have taken place without a meal. (Waste) • The employee purchases a meal over a casual meeting with colleagues. The business purpose and necessity of the meeting are questionable. (Abuse) • The employee purchases lunch for himself/herself and friends using University funds. (Fraud)
