COSO and Risk/Control Self-Assessments - PowerPoint PPT Presentation

Slides: 45
Provided by: davidbc

Transcript and Presenter's Notes



1
COSO and Risk/Control Self-Assessments
  • Charles G. Chaffin, CPA, CIA
  • Director of Audits
  • and
  • David B. Crawford, CPA, CIA
  • Audit Manager
  • The University of Texas System

2
Objective
  • To provide a detailed explanation of how
  • The University of Texas (UT) System adopted COSO
    and the techniques used to implement it.
  • The Risk/Control Self-Assessment Process at UT
    System
  • Self-Assessment Uses and Critical Success Factors

3
INTRODUCTION
  • 13 Billion
  • 5 Billion
  • 1.6 Billion
  • 2.1 Million
  • 170,000
  • 75,000
  • 15

4
U.T. System
  • Academic
  • UT Austin
  • UT San Antonio
  • UT Dallas
  • UT El Paso
  • UT Brownsville
  • UT Pan American
  • UT Tyler
  • UT Permian Basin
  • UT Arlington
  • Medical
  • UT Medical Branch at Galveston
  • UT HSC Houston
  • UT HSC San Antonio
  • UT HSC Tyler
  • UT Southwestern
  • UT M. D. Anderson Cancer Center

5
It Could Be You
  • The Lynn Deer Case
  • U.T. Austin, 1994

6
1994 Action Plan
  • Awareness
  • Statements of Philosophy/Responsibility
  • Internal Control Training/Handbook
  • Accountability
  • Job Descriptions/Performance Evaluations
  • Disciplinary Action
  • Audit Committees
  • Membership/Frequency of Meetings

7
Statement of Philosophy
  • Employees of The University of Texas ___________
    owe a responsibility to the people of Texas in
    the performance of their duties. High personal
    and professional standards are critical in
    fulfilling this responsibility. Employees will
    be held accountable for their action (or failure
    to act) and such accountability cannot be
    delegated to others. All employees of The
    University of Texas ___________ agree to abide by
    a Code of Ethics which provides reasonable
    assurance that the employee will not personally
    benefit or accept or give favors as a result of
    his/her position as an employee of The University
    of Texas ___________. (The Code of Ethics is
    published in the Rules and Regulations of the
    Board of Regents, Part One, Section 4.0).

8
EFFECTIVELY CONTROLLING RISKS
A Balancing Act

9
Internal Control
is a process, effected by an entity's board of
directors, management and other personnel,
designed to provide reasonable assurance
regarding the achievement of the objectives in
the following categories:
  • Effectiveness and efficiencies of operations,
  • Reliability of financial reporting, and
  • Compliance with applicable laws and regulations.

10
Risk Control Self-Assessment Guideline
The Process
11
Internal Control Training
  • Over 4,000 U. T. employees trained in 1995.
  • Central message to Chairs and Directors: "You
    are responsible for internal controls."
  • Complete Risk Assessment and Implementation Plan
    for Financial and Administrative Activities.
  • Copy to applicable Vice President
  • Copy to Internal Audit

12
1996 Action Plan
  • 1. Annual Statement of Philosophy
  • 2. Annual Statement of Responsibility and
    Accountability
  • 3. Disciplinary Action
  • 4. Require membership in Internal Audit Committee
    (IAC)
  • 5. Require Quarterly IAC meetings.

13
1996 Action Plan (cont.)
  • 6. Regular Internal Control Training (Video
    Internet Program)
  • 7. Update Management Responsibilities Handbook
  • 8. Amend Job Descriptions
  • 9. Amend Performance Evaluations
  • 10. Offer Reconciliation Training

14
1996 Action Plan (cont.)
  • 11. Newsletters to Highlight Internal Controls
  • 12. Complete Risk Assessment and Implementation
    Plans
  • 13. Statement of Responsibility for Researchers
  • 14. Internal Audits of all Departments (3 to 5
    years)
  • 15. Internal Audits of all Key Financial
    Information

15
1996 Action Plan (cont.)
  • 16. Offer Control Self-Assessment Workshops
  • 17. Develop Model CSA Workshop Manuals
  • 18. All Departments Perform a Control
    Self-Assessment
  • 19. Report on Internal Control

16
Control Self-Assessment
  • Any activity where the people responsible for a
    business area, task, or objective, using some
    demonstrable approach, analyze the status of
    control and risk to provide additional assurance
    related to the achievement of one or more
    business objectives.

17
Control Self-Assessment Workshop Process
  • Meet with Chair/Director before session 1.
  • 2 auditors/facilitators.
  • Sessions 1, 2 hours - control process.
  • Regularly communicate with department after
    Session 1 about control activities.
  • Session 2, Prioritize activities/processes if
    too many.
  • Homework after session 2 - Risk/Control
    worksheets.

18
Risk/Control Worksheet
  • Department
  • Prepared by
  • Activity
  • Date prepared

19
Final Product
  • Self-Assessment Report on Internal Control to
    Senior Management.
  • Internal Auditors Review Report.
  • Departmental Audit Report (optional).
  • Significant findings go into tracking system.

20
Model Participants Manual and Presentation Slides
  • Guides the facilitator through the workshop.
  • Designed to answer participant questions.

21
U.T. System Program
  • Types of Departments that have had CSA workshops.
  • Real Estate Office
  • University Lands Accounting Office
  • West Texas Operations
  • Office of Facilities Planning and Construction
  • Office of Information Resources
  • Office of Finance
  • Employee Group Insurance Program

22
U.T. System Program
  • Academic Departments
  • Physical Plant
  • Student Financial Aid
  • Performing Arts Center
  • Libraries
  • Research
  • Volunteer Services
  • Financial Services
  • Student Affairs

23
Impact on Performance
  • Better working relationship between audit and
    operations.
  • Better understanding of the business by all.
  • Better operational findings.
  • Better buy-in to planned corrective action.
  • More efficient audit process.

24
Implementation Strategy
  • Walk before you run.
  • Develop a strategy based on management's
    commitment to enhancing internal controls.
  • Work CSA workshops into existing audit plan; sell
    it as a way to improve audit results.
  • Pilot departments that work well with audit.
  • Constantly adapt and revise.
  • Take what you get and move on.

25
Questions
26
Self-Assessment Demographics
27
Uses of Self Assessment
  • Focus/Align
  • Evaluate
  • Document
  • Train
  • Monitor
  • Report Status
  • Measure Soft Control

28
Self Assessment Tools
  • Survey
  • Questionnaire
  • Control Guide
  • Interviews
  • Workshops

29
Types of Self Assessments
  • Control
  • Risk
  • Process
  • Objective
  • Problem
  • Perception

30
Control-Based
  • Identify control structure
  • Compare to a model
  • Identify gaps

31
Risk-Based
  • Assess Risks
  • Choose Mitigation Strategy for each risk
  • Choose controls for each controlled risk

32
Process-Based
  • Map process
  • Justify process steps
  • Identify additional steps
  • Identify steps to be eliminated

33
Objective-Based
  • Identify linkage
  • Inventory activities for each objective
  • Inventory risks for each activity

34
Problem-Based
  • Identify problem
  • Apply group knowledge to problem
  • Define group solution

35
Perception-Based
  • Identify attitudes and beliefs
  • Provide a baseline
  • Soft controls

36
Validating Self-Assessment Products
  • Benchmarking
  • Management Attestation
  • Auditor Involvement
  • Follow-up Audit
  • Traditional Audit

37
Internal Audit Uses of Self-Assessment
38
REPLACE TRADITIONAL
  • Preliminary Survey
  • Evaluation of Control Structure
  • Operational Audits
  • Low Risk Areas of Operation

39
SUPPLEMENT TO TRADITIONAL AUDITING
  • Control Environment
  • Risk Assessment
  • Evaluation of Control Activity Efficiency
  • Communication and Information
  • Monitoring

40
POINT TO POTENTIAL TRADITIONAL AUDITS
  • Highlights high risk areas
  • Identifies problems or potential problem areas
  • Links traditional audits to operational needs

41
Critical Success Factors
42
Critical Success Factors
  • Proper Beginnings
  • Spitting Image
  • Working Together
  • Absorbed in Daily Routine
  • Reinforce/Reward
  • Discipline through Doing
  • Learn by Falling

43
How Do You Ensure Self-Assessment Success?
  • Identify a Champion
  • Successful First Contact
  • Match to Corporate Culture
  • Align with Business Objectives
  • Institutionalize It
  • Reward the Participants
  • Use the Products
  • Be a Chameleon

44
Contact Information
  • Web site: www.utsystem.edu/aud/resources
  • E-mail: dcraw_at_utsystem.edu
  • Phone: 512-499-4767
  • Fax: 512-499-4550
  • Address: 201 W. 7th ASH5, Austin, Texas
    78701