CONDUCTING RISK ASSESSMENT FOR INTERNAL CONTROLS


CONDUCT RISK ASSESSMENT


The achievement of objectives and goals depends on how the organization's management assesses and monitors the risks against those objectives and goals. The organization faces risks from both internal and external factors. The following are among the considerations in assessing and monitoring risks:


Choose Appropriate Risk Assessment Method


Risk assessment can be done using two main methods, i.e. a survey questionnaire or a workshop. In the survey approach, a team is formed to collect inputs from the different departments/units of the organization. However, the major limitation of the survey approach is its inherently slow pace and its dependency on people to complete the form.










The most convenient method of risk assessment is the use of workshops. In this approach a team (e.g. activity/process owners, key staff, control experts and other important stakeholders) works in a brainstorming session to identify the risks to achieving the process control objectives and to suggest/select the most feasible control activities to mitigate the identified risks. This exercise should result in comprehensive documentation of:

·    The process flow of activities.


·    The risks against the process (including respective ratings).


·    Selected control activities.







Specify Objectives


Risks operate against objectives. It is important therefore to specify objectives with sufficient clarity to enable the identification and assessment of risks relating to these objectives.

As can be recalled, there are four types of objectives that should be the focus of the internal control framework:

i.    Operations objectives: Operations objectives are the management's choices about the structure and the desired level of performance.

In the public sector setting, the organization will be more concerned with the economy, effectiveness and efficiency of operations (i.e. value for money), which later become the basis for performance measurement.

ii.  Reporting objectives: Reporting objectives relate to the preparation and submission of reports that are reliable, transparent and timely and which align with the terms set by regulators, standard-setting bodies and internal policies.

Reporting objectives should be viewed in the following areas:

a.   Internal reporting objectives: Internal reports are those determined by the organization's strategic direction and the reporting needs of management. Internal reports include financial reports and operational/performance reports, which are given at different intervals, e.g. monthly, quarterly or annual reports.

b.   External reporting objectives: External reports are those required by laws, rules and regulations, standard-setting bodies and accounting bodies (i.e. external governance requirements).

External reports can be financial or non-financial and have the following objectives:

· External financial reporting objectives: The objective of external financial reports is to comply with accounting standards (e.g. IPSAS or IFRS) and to meet external reporting obligations.

· External non-financial reporting objectives: Apart from financial reports, organizations have to report to external bodies on other performance issues which are non-financial.

iii. Compliance objectives: Compliance should be assessed at two levels: compliance with laws and regulations, and compliance with the organization's internal policies and procedures.

In this aspect, the organization's objective is to comply with each of the applicable laws and regulations by conducting its activities in accordance with those laws and regulations.

The first step in specifying compliance objectives is for management to understand which laws and regulations apply across the organisation.

iv. Safeguarding of assets and resources: Safeguarding public resources is among the key objectives of public sector organizations. It is not listed as a separate category of objective in other internal control frameworks such as COSO (2013), which treats safeguarding of assets as part of the operations objectives.






Identify the Risks


After the specification of objectives, the risks to the achievement of those objectives should be identified. This is the basis for designing control procedures/activities to mitigate those risks. Risks should be identified at two main levels, namely the Institutional/Entity level and the Activity/Transaction level.

i.      Institutional/Entity level: Top management should set the entity's risk perspective regarding the risks that affect the overall organization, arising from both internal and external factors.

At this level the main emphasis is on the events/situations that affect the organization's ability to achieve its strategic objectives.

ii.      Process/Activity level: Line management (i.e. process owners/managers, e.g. the heads of human resources, procurement, revenue, payroll, expenditure etc.) should consider events that may impact the achievement of the control objectives in their domain of activity/process (i.e. the operating, reporting/accountability, compliance and safeguarding objectives).

Table : Levels and Sources of Risks in Public Sector Organizations

Level of risk: Institutional/Entity level
Source of risks:
External factors:
i.   Economic changes (e.g. changes in pricing)
ii.  Natural environment (e.g. floods and droughts)
iii. Regulatory/compliance (e.g. change in government policy)
iv.  Social changes (e.g. change in stakeholders' expectations)
v.   Technology (e.g. new ways of information sharing, security)
Internal factors:
i.   Infrastructure and facilities (e.g. breakage or obsolescence)
ii.  Management (e.g. change in management/structure)
iii. Personnel (e.g. unavailability of some skills, high turnover)
iv.  Assets/resources (e.g. misappropriation)
v.   Technology (e.g. service disruption, unauthorized access)

Level of risk: Process/Activity level
Source of risks:
i.   Process/activity-level risks arise within directorates, departments, units and functions and affect processes such as:
     o procurement process,
     o payment process,
     o revenue collection process,
     o financial reporting process,
     o service-delivery process,
     o etc.
ii.  At each transaction cycle, the focus should be on the risks that affect the transaction achieving the "control objectives", namely:
     o economy, efficiency and effectiveness,
     o compliance with applicable laws and regulations,
     o reliable and timely reports, and
     o resources/records/assets are safeguarded.




Consider the Possibility of Fraud


Fraud is yet another type of risk that has the potential to affect the organization's ability to meet its objectives. Among the factors that lead individuals to commit fraud is the opportunity created by weak internal control.

In assessing the risk of fraud the management should take the following steps:


i.    Consider all types of fraud and the various ways it can occur: Take into account the various types of fraud that may affect financial reports and assets, including corruption.

The following could be considered when identifying the various ways in which fraud can occur:

·    Fraud schemes and scenarios which are common to the sector in which the organization operates.

·    Incentives that may motivate fraudulent behaviour (see ii below).

·    The nature of automation and the IT systems in use.

·    Unusual or complex transactions subject to management influence.

·    Last-minute transactions.

·    The possibility of management override of established procedures.

ii.  Assess the factors leading to fraud: An individual will commit fraud when three factors coincide, namely attitude/rationalization, pressure and the opportunity to commit fraud (the "fraud triangle"). Management should assess the state of each of these factors:

a.   Attitude/rationalization and pressure: This is largely an assessment of how management and other personnel might engage in fraud or justify inappropriate actions.

b.   Assess possible opportunities: The assessment of the risk of fraud considers opportunities for unauthorized acquisition, use or disposal of assets, alteration of the entity's reporting records, or the commission of other inappropriate acts.




Consider Changes


Change also creates risk. Every significant change an organization undergoes or anticipates needs to be assessed and monitored in terms of the potential risks it exposes the organization to. The following types of change require particular attention:

i.   Changes in the operating environment (e.g. intense media scrutiny or political debate).

ii.  Changes in laws and regulations or government policy (e.g. amendments to laws such as the Public Procurement Act and the Public Finance Act).

iii. Changes in personnel (e.g. the need to train new personnel, or the unavailability of a replacement).

iv.  Changes in information systems and technology (e.g. disruption of services during the installation and stabilization of new software, and security threats).

v.   Rapid growth (e.g. new demands for services increase the pressure on personnel and management, leading to staff "cutting corners" in an attempt to avoid complaints).

vi.  New programs and services (e.g. staff inexperience with the new program and the applicable laws and regulations).




Assess the Likelihood and Impact of Risks


A risk assessment needs to be performed in order to determine the likelihood and impact of each risk to a given objective (either at the entity-level or process-level).

The analysis helps to determine the potential importance of each risk.


i.    Estimate the impact of the risk: The degree of harm that could result if the risk materializes and is not successfully avoided.

ii.  Estimate the likelihood of the risk: The probability that the risk will actually materialize.

iii. Consider the inherent nature of risks: The impact and likelihood of risks should be established assuming no controls are in place. This is referred to as the inherent risk (or the exposure risk rating).

iv. Rate the risks: A specific risk rating approach should be adopted in rating the impact and likelihood of each risk.

Ratings are usually done using a risk matrix in which impact and likelihood are plotted on a 5-band scale.




Table : A 5-band risk rating scale for impact and likelihood

Number   Impact         Likelihood
5        Catastrophic   Almost certain
4        Major          Likely
3        Moderate       Possible
2        Minor          Unlikely
1        Low            Rare

The significance of a given risk is measured by multiplying its impact by its likelihood; the product is then compared with the region of the risk matrix it falls in. As given in the table above, the maximum risk product for a 5-band rating is 25 (i.e. impact 5 x likelihood 5), whereas the lowest is 1 (i.e. impact 1 x likelihood 1).

The table below gives the risk status thresholds and descriptions used in the risk matrix.


Table : Risk Status, Description and Color Expression in the Risk Matrix

Risk Status (Impact x Likelihood)   Description   Expression in Color
15-25                                Extreme       Red
10-14                                High          Light brown
5-9                                  Moderate      Yellow
1-4                                  Low           Green



The figure below presents a risk matrix showing the risk status regions with their appropriate responses.

Figure : Risk Matrix for Plotting Risk Status to Determine Responses
[Figure: a 5 x 5 grid. Vertical axis: Likelihood, from Rare (1) at the bottom to Almost Certain (5) at the top. Horizontal axis: Impact, from Low (1) at the left to Catastrophic (5) at the right. The cells are shaded into the four status regions Low, Moderate (labelled "Medium" in the figure), High and Extreme according to the thresholds in the table above.]





Develop Risk Responses



Risk responses should be developed to match the risk status in the risk matrix. The responses can be divided into four categories, namely: avoid, share, mitigate (control), and accept.




Table : Risk status and their Appropriate Responses

Risk Status (Impact x Likelihood)   Description   Expression in Color   Meaning and Response
15-25                                Extreme       Red                   Very serious concern; highest priority. Take immediate action and review regularly.
10-14                                High          Light brown           Serious concern; higher priority. Take immediate action and review at least three times a year.
5-9                                  Moderate      Yellow                Moderate concern; steady improvement needed. Possibly review biannually.
1-4                                  Low           Green                 Low concern; occasional monitoring. Tolerate/accept. Continue with existing measures and review annually.


In choosing and designing controls (i.e. whether to avoid, share, mitigate or accept a risk), it is important that the control activity established is proportionate to the risk.
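The following is an added worked example, not part of the original text, that puts the rating scale, the status thresholds and the response table above into working code and applies them to a small risk register. The register entries, the objective labels on them and the function names are constructed for illustration and are not taken from the page. It also shows one limitation of a purely multiplicative matrix that a practitioner should keep in mind: a rare but catastrophic risk (impact 5 x likelihood 1) and a near-certain but low-impact one (1 x 5) both score 5 and land in the same Moderate band, so the prioritisation below breaks such ties in favour of the higher impact.

```python
"""Added worked example (not from the original page): the 5-band risk matrix,
status thresholds and responses from the tables above, applied to a constructed
sample risk register."""
from __future__ import annotations

from dataclasses import dataclass

IMPACT = {1: "Low", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}

# Status bands from the response table: (lower bound of the product, status, colour, response).
# Ordered from most to least severe so that the first matching band wins.
STATUS_BANDS = [
    (15, "Extreme", "Red", "Take immediate action and review regularly"),
    (10, "High", "Light brown", "Take immediate action and review at least three times a year"),
    (5, "Moderate", "Yellow", "Steady improvement needed; review biannually"),
    (1, "Low", "Green", "Tolerate/accept; continue existing measures and review annually"),
]


def score(impact: int, likelihood: int) -> int:
    """Inherent risk product (1..25), i.e. rated with no controls assumed in place."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError("impact and likelihood must be integers in 1..5")
    return impact * likelihood


def status(product: int) -> tuple[str, str, str]:
    """Map a product to (status, colour, response) using the table thresholds."""
    for lower, name, colour, response in STATUS_BANDS:
        if product >= lower:
            return name, colour, response
    raise ValueError(f"product {product} is below the lowest band")


@dataclass
class Risk:
    objective: str       # the control objective the risk acts against (hypothetical labels)
    description: str
    impact: int
    likelihood: int

    @property
    def product(self) -> int:
        return score(self.impact, self.likelihood)

    @property
    def status_name(self) -> str:
        return status(self.product)[0]


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest product first. Ties are broken by impact, so a rare-but-catastrophic
    risk (5 x 1) is listed before a near-certain low-impact one (1 x 5) even though
    the plain product, and hence the status band, is the same for both."""
    return sorted(register, key=lambda r: (-r.product, -r.impact))


def band_counts() -> dict[str, int]:
    """How many of the 25 matrix cells fall into each status band."""
    counts: dict[str, int] = {}
    for imp in IMPACT:
        for lik in LIKELIHOOD:
            name = status(score(imp, lik))[0]
            counts[name] = counts.get(name, 0) + 1
    return counts


def render_matrix() -> str:
    """Plain-text version of the figure: rows are likelihood 5..1 (top to bottom),
    columns are impact 1..5; each cell shows the product and the status initial."""
    lines = []
    for lik in sorted(LIKELIHOOD, reverse=True):
        cells = [f"{score(imp, lik):2d}{status(score(imp, lik))[0][0]}" for imp in IMPACT]
        lines.append(f"{LIKELIHOOD[lik]:>14} ({lik}) | " + "  ".join(cells))
    lines.append(" " * 21 + "  ".join(f"({imp})" for imp in IMPACT) + "  <- Impact")
    return "\n".join(lines)


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("Safeguarding of assets", "Payments approved and released by the same officer", 4, 4),
    Risk("Compliance", "Procurement above threshold awarded without competitive tender", 5, 2),
    Risk("Reliable and timely reports", "Month-end close depends on unreviewed spreadsheets", 3, 3),
    Risk("Operations", "Fixed-asset register not updated after disposals", 2, 2),
]

if __name__ == "__main__":
    print(render_matrix())
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.product:2d} {r.status_name:<8} {r.objective}: {r.description}")
```

Running the block prints the 5 x 5 grid with the status initial in each cell (6 cells Extreme, 4 High, 7 Moderate, 8 Low under these thresholds) and lists the sample register in priority order, which is the order in which the responses from the table above would be assigned and their review cadence scheduled.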
