Title: The Crawford Risk Assessment Methodology
1The Crawford Risk Assessment Methodology
- Presented by
- Mark Paganelli, Executive Director
- Judy Burns, Assistant Director
- Audit Consulting Services
- The University of Tennessee
for AGA Nashville Chapter Winter Seminar January
8-9, 2008
2Session objectives
- Provide an understanding of the risk assessment
process - Demonstrate one University's application of this
process - Equip you with resources for conducting your own
assessment
3Source
- David B. Crawford
- Audit Manager Emeritus
- The University of Texas System
- The Assurance Continuum An Enterprise Risk
Management Model
4What is risk assessment?
- A process that defines how an organization
- Identifies risks to the achievement of its
mission, goals, objectives - Measures the significance of each identified risk
- Determines the most appropriate business response
to each risk - Monitors how well the responses are carried out
5Why do it?
- External requirement
- State of TN
- Audit Committee Act
- Directive from State Comptroller and Director of
State Audit - Anticipates SOX
- Good business practice
6Benefits
- Focus efforts and resources on most critical
issues - Enhance understanding of risks and controls
- Clarify accountability and improve communication
- Demonstrate due diligence to stakeholders
7Who is responsible?
- Management
- vs.
- Internal audit
8Three phases
- Risk Assessment
- Risk Footprint
- Control Documentation
- Control Footprints
- Control Evaluation and Monitoring
- Monitoring Plans
9Phase 1 Risk Footprint
10What is a risk?
- A potential negative event that would affect the
organizations ability to meet its mission,
goals, and objectives.
11Phase 1 Risk assessment steps
- ID mission, goals, objectives
- ID all activities
- Consolidate into major processes prioritize
- ID risks for each process
- Rank risks by impact and probability of occurrence
121. ID mission, goals, objectives
- Mission The mission of the procurement card
program is to reduce the cost of paying vendors
and provide departments flexibility in making
purchases. - Â
- Goals
- Obtain the best rebate amount for purchases.
- Make as many purchases with p-cards as
possible. - Ensure that purchases comply with policies.
- Maintain adequate records to support
purchases. - Protect the university from fraudulent card
use.
13How to ID mission, goals, objectives
- Owners review and revise existing or develop
new - Other stakeholders review and comment
- Reach consensus
142. ID all activities
15How to ID all activities
- Individuals with knowledge of the area
- Brainstorming
- Univ of TX Excel workbook with macros or any
spreadsheet
163. Consolidate activities into major processes
and prioritize
17How to consolidate and prioritize
- Same individuals who brainstormed activities
- Cluster activities with related purposes name
the process - Prioritize processes
- Univ of TX Excel workbook or any spreadsheet
184. ID risks for each process
19How to ID risks
- Involve employees working in the area being
assessed - Brainstorming
- Univ of TX Excel workbook or any spreadsheet
205. Rank risks by impact and probability
21Risk ranking characteristics
- IMPACT Effect on achievement of mission, goals,
objectives - High - showstopper
- Medium - inefficient and extra work
- Low - no effect
- PROBABILITY Likelihood of the risk happening
- High - will happen frequently
- Medium - will happen infrequently
- Low - will seldom happen
22How to determine impact
- Develop a list of consequences if a risk were to
become a reality - Value the effect each consequence would have on
the organization (high, medium, or low) - The impact value of the risk is the value of its
highest potential consequence.
23Sample consequences
24How to determine probability
- Determine how often a risk is likely to occur.
- Assume only Level 1 controls are in place.
25Assurance Continuum Levels of Control in COSO
Collaborative Assurance (Governance and
Management Control Processes)
Periodic Assurance
I----------I
I----------I
(Governance Control Processes)
I------------ On-going Assurance
------------I (Management Control Processes)
Level 1 Controls (Execution )
Level 3 Controls (Oversight)
Level 2 Controls (Supervisory)
Level 4 Controls (Internal Audit)
Level 4 Controls ( Internal Audit)
Pre-operations design review of on-going assurance
During execution of event or transaction
Immediately after execution of event or
transaction
Soon after execution of event or transaction
Post-operations audit of execution of on-going
assurance
26Level 1 controls (execution controls)
- Embedded in day-to-day operations
- Policies and procedures
- Segregation of duties
- Reconciliations/comparisons
- Performed on every event/transaction
- Performed by the generators of the
event/transaction - Performed in real time, as the event/
transaction is executed
27Level 2 controls (supervisory controls)
- Re-application of operating controls
- Supervisory review quality assurance
- Performed very soon after the generation of the
event/transaction - Performed by line management or staff positions
who do not originate the event/ transaction - Performed on a sample of the total number of
events/transactions
28Level 3 controls (oversight controls)
- Exception reports, status reports, analytical
reviews, variance analysis - Performed by representatives of executive
management - Performed on information provided by supervisory
management - Performed within a short period (weeks/months)
after the event/transaction is originated
29Level 4 controls (internal audit controls)
- Audit of the design of controls not the operation
of controls - Performed either before the event/ transaction is
originated or long after - Performed by staff with no involvement in the
operations - Performed on individual events/transactions for
discovery only
30How to determine final ranking
- Combination of Impact Value and Probability Value
- Impact Value is always first.
- Order risks from HH to LL.
31Completed risk rankings
32How to create the risk footprint
- Generate automatically with U TX software.
- Create own spreadsheet with risks in columns and
processes in rows. - Order processes from the one with the highest
number of critical risks.
33Completed risk footprint
34Phase 2 Control footprint
35Phase 2 Control documentation steps
- ID controls (policies and procedures) for each
process - Map controls to risks
361. ID controls for each process
371. ID controls for each process
38How to ID controls
- Review all related policies and procedures
- Include staff who work in the area
- Brainstorm
- Document
392. Map controls to risks
40How to map controls
- Read through list of controls one at a time
- Ask which controls address which risks
- Place an X in the appropriate cell
41How to create the control footprint
- Create spreadsheet with risks in column headings
and processes in row headings. - Map each control to the risks by placing an X
in the cell under the risk. - One footprint per process.
42Completed control footprint
43Phase 3 Monitoring plans
44Phase 3 Control evaluation monitoring steps
- ID over- and under-controlled risks/critical and
marginal controls - Create a monitoring plan for the critical risks
45ID over- and under-controlled risks/ critical and
marginal controls
46How to evaluate controls
- Ask if there are any undercontrolled risks,
particularly any red risks. - Ask if there are any overcontrolled risks,
particularly green or gray risks. - Ask which controls appear to be key for
mitigating the risks. - Ask which controls are of little value.
472. Create a monitoring plan for critical risks
48How to create a monitoring plan
- Include all controls that address the critical
(RED) risks - Categorize each control by level (Level 1, Level
2, or Level 3) - Ensure each level is covered
- Indicate the documented evidence for each control
- Assign who is responsible for monitoring
49(No Transcript)
50(No Transcript)
51(No Transcript)
52Final thoughts
- Risk environment for your institution is unique
- Risk environment continuously changes
- Risk ranking changes with the environment
- Risk assessment is ONGOING, not periodic
53Final thoughts, cont.
- Annual Assessment
- Update risk footprint
- Determine external assurance
- Assign Internal Audit to remaining critical risks
- Cover remaining risks with management assurance
strategies
54Questions?
- Additional information can be found at University
of TX website - www.utsystem.edu/compliance
- David Crawford can be contacted via email
- Crawfordjd_at_earthlink.net
55Questions?
- Mark Paganelli, Executive Director
- mpaganel_at_utk.edu
- Judy Burns, Assistant Director
- jaburns_at_utk.edu