FFY2010

About This Presentation

Title:

FFY2010

Description:

FFY2010 EAP Annual Training Section 2.0 Risk Management Includes Risk Assessment, Risk Mitigation (Dup Check), Data Practices, Debtor Exemption Claim Notice and Security – PowerPoint PPT presentation

Number of Views:207

Avg rating:3.0/5.0

Slides: 80

Provided by: cra145

Category:

more less

Transcript and Presenter's Notes

Title: FFY2010

1
FFY2010
EAP Annual Training
Section 2.0 Risk Management
Includes Risk Assessment, Risk Mitigation (Dup
Check), Data Practices, Debtor Exemption Claim
Notice and Security

August 12 13, 2009
St. Cloud Minnesota
Holiday Inn

2
2. Risk Management
Risk Management

Involves Identifying priority activities within
the organization for risk assessment by
considering area that materially impact the
financial position and results of operations
(e.g., assets, liabilities, revenues, expenses or
expenditures account balances that are material
in dollar amount)

3
Risk Management Introduction
Risk Management

Major part of ICF
Local, regional and natural disaster and
technical failure planning are only a part of
risk management
Focus is on managing the risk of improper use of
public funds
This year the concept was introduced into the
Local Plans
Looking for a single, not a homerun this year
Build on this each year

4
What is Risk Management?
Risk Management

Lessening adverse impact if a risk event occurs
is the heart of good risk management
Assuring events do not result in disaster
It is geared towards potential events that may
occur when things are different from planned,
sometimes called omissions and errors
Above Beyond Program Design
Core EAP design addresses risk with controls
policies, technical support (eHEAT), segregation
of duties monitoring services and financial
activities. EAP has controls to reduce the
possibility of the actions of an individual
creating incident, error or fraud.
Service Providers create detailed plans for their
activities to assure, among other things,
segregation of duty back up plans if loss of
staff.

5
Risk Management
Risk Management

Risk management involves
Determining
Assessing
Planning
Monitoring
Mitigating

6
Risk Management
EAP Role In Risk Management

General Expectations
Acknowledge your responsibility to design,
implement maintain the control structure
Contribute direction to identify, prioritize and
review risks and controls
Remove obstacles for compliance remedy control
deficiencies
Conduct self-assessment testing to monitor the
controls within your processes
Routinely (Quarterly)
confirm key controls are implemented and
effective
maintain documentation to support this assessment
Immediate Action Items
Educate your personnel about this effort
Reinforce internal focus on controls within your
area
Surface any risks, concerns or issues promptly to
allow adequate attention for correction
Fix control gaps as soon as possible

7
Risk Management
Risk Considerations

Evaluate the nature types of errors omissions
that could occur, i.e., what can go wrong
Consider significant risks (errors and omissions)
common in the industry or have been experienced
in prior years (ex. Mich, Penn)
Information Technology risks (i.e. - access,
backups, security, data integrity,
non-segregation of duties)
Areas where segregation of duties would reduce
risk
Volume, size, complexity and homogeneity of the
individual transactions processed through a given
account or group of accounts (revenue,
receivables)
Susceptibility to error or omission as well as
manipulation or loss
Robustness versus subjectiveness of the processes
for determining significant estimates
Extent of change in the business and its expected
effect
Other risks extending beyond potential material
errors or omissions in the financial statements

8
Risk Management
Risk Considerations

Consider a railroad crossing and developing
appropriate controls

A rural road with little traffic slow train, a
sign

A busier road train is faster, add lights
crossing sign at tracks

9
Risk Management
Risk Management Mechanics

The risk assessment tool reduces risk when used
to identify, assess, plan for maintain routine
monitoring of risk areas

10
Risk Management
Risk Management Mechanics
Uncertainty Item Result of Occurrence Probability of Occurrence Severity of Impact Response Indicators
What Geared towards events that may occur when things are different from planned sometimes called omissions and errors. Drive around gates Narrative of the outcomes if the event occurs Calculate damage School bus is very sad bad publicity Designate likelihood of event and, if helpful, a description of why the probability was selected People in this county go around Designate a level of impact if the event occurred. If applicable, a description of why the probability was selected. Slow train, low impact injury Describes what to do when you find out On rural road the injuries might be measured by EMT response time. Maybe different Preparedness for different users. (Bus tanker rules) Describes how the event becomes known
How Brainstorm with staff Reduce list Assess using this matrix. This is iterative, so change or eliminate as you learn Review periodically Describe what happens. Be as complete as possible. This helps to determine severity, response and indicator Can use rating of High, Medium and Low with narrative prose. Can use rating of High, Medium and Low with narrative prose. Key response off Result, Probability Impact. Depending on combinations, responses include 1. Prevent 2. Check Routinely 3. Response Plan ID ways event is discovered develop ways to monitor for if weaknesses are discovered. Enact these measures
11
Item Example
Uncertainty Item
Matrix Cell Direct Payments to household. Direct payments remove a check point from normal EAP controls by removing vendor registration and vendor cross checks. Could include an application processor fabricating households. If combined with falsifying households for application, multiple direct payments could be generated
Consider-ations Programmatic Controls places limits, but risk still exists. Risk manage- ment looks the Items beyond the limits EAP excepts limited risks, but this assures due diligence is done for the omissions. Program Controls EAP pays energy vendor. DOF, DOC eHEAT registration. Vendors and households gets notification. Policy Households may receive direct payments when payment to vendors is difficult. Self cut wood receive amount remaining after benefit is distributed Households with electric and heat included in the rent. Households with heat included in rent, and only exceeds their electric costs Households whose vendors refused to sign the vendor agreement. Households unable to secure a vendor.
12
Item Example
Result of Occurrence
Matrix Cell Household receives one or more cash benefit Benefit is used for non intended purposes or misused by household Very bad publicity for program affects services to others in need, when 5 Eye Witness News reports people cashing it at local bar Multiple direct payments by one person would result in services not available for other households in need
Consider-ations Thinking of results is also constrained by the program rules
13
Item Example
Probability of Occurrence
Matrix Cell Low to Medium For a single household Medium For conspiracy with an Application processor Low
Consider-ations Conspiracy reduces the probability, but this must be considered with the ease, the payback and the penalty A higher payback makes it more worth the risk Conspiracy makes it complicated to keep secret In this example For the household The penalty is low The payback is medium considering penalty For the Application processor - Penalties are high (Job) Payback is higher
14
Item Example
Severity of Impact
Matrix Cell Low to Medium For a single household Low For conspiracy with an Application processor high
Consider-ations Low because of limits on benefit amounts unless multiple
15
Item Example
Response
Matrix Cell Require accounts whenever possible Recover funds when it occurs File Incident Report Investigate incident and escalate appropriately (Error and Fraud) Terminate staff if involved
Consider-ations Plan for the response and educate people
16
Item Example
Indicators
Matrix Cell Report from concerned citizen Pattern of direct payments to a similar addresses, name etc. (Data analysis) An inordinate amount of direct payments for an SP without socio economic reason (eHEAT data) Inordinate number of direct payments form a particular Application Processor (Files and eHEAT)
Consider-ations The first bullet is a common way to hear about this but developing ways to monitor is the maturation of risk management
17
Risk Management
Risk Management Example
Uncertainty Item Result of Occurrence Probability of Occurrence Severity of Impact Response Indicators
Direct Payments to household. Direct payments remove a check point from normal EAP controls by taking vendor registration and vendor cross checks. Could include an application processor fabricating households. If combined with falsifying households for application, multiple direct payments could be generated. Household receives one or more cash benefit Benefit is used for non intended purposes or misused by household Very bad publicity for program affects services to others in need, when 5 Eye Witness News reports people cashing it at local bar Multiple direct payments by one person would result in services not available for other households in need Low to Medium For a single household Medium For conspiracy with an Application processor high but conspiracy requires more risk of secrecy and penalty Low to medium For a single household Low For conspiracy with an Application processor high especially with if multiple households Limit occurrences of direct payments by having system distribute to next available vendor. For risk areas Require accounts whenever possible Recover funds when it occurs File Incident Report Investigate incident and escalate appropriately (Error and Fraud) Terminate staff if involved Report from concerned citizen Pattern of direct payments to a similar addresses, name etc. (Data analysis) An inordinate amount of direct payments for an SP without socio economic reason (eHEAT data) Inordinate number of direct payments form a particular Application Processor (Files and eHEAT)
18
Risk Management
Risk Management and EAP

The Local Plan requires risk assessment.
The State has started to conduct formal risk
assessment
State Service Providers identify risk and use
program specific knowledge to do diligent
planning, monitoring and actions for these risks.
The State will continue to develop risk
management requirements and practices. Examples
include
Duplication Checks and other queries
The FFY2010 Local Plan is a first step of
formalizing the SP process
SP should design practices to improve it
DOC will support the development of competency in
this area
DOC will conduct risk management activities

19
Risk Management
Dup Check

Dup Check is not a Russian hockey player
Dup Check is not a quality control effort
Dup check is a risk mitigation activity
EAP must do due diligence on risk areas to assure
responsible management of public funds

20
Risk Management
Why Dup Check on Vendor Accounts?

Payments to vendors accounts is the main way
money money flows
Using it as a key, there cross checks with other
data

HH_NBR FIRST_NM LAST_NM SSN DOB CUST_ACCT_NM VNDR_NM HOUSE_NBR STREET APT_NBR CUST_ACCT_NBR
111111 CAROL NUMBERSWITCH 717449103 16-Feb-51 CAROL NUMBERSWITCH CPE 3828 LIAR AVE S ltnullgt 1111111
888888 CAROL NUMBERSWITCH 414779103 16-Feb-51 CAROL NUMBERSWITCH S CPE 3828 LIAR AVE ltnullgt 1111111
222222 SPACEY EL ROY 472111111 03-Jul-58 SPACEY ELROY CPE 1410 GERRYRIG AVE 2 2222222
999999 TOUHY SHAM ELROY 475222222 06-Dec-82 SPACEY EL ROY CPE 1410 GERRYRIG AVE 1 2222222
333333 WANDA TRICKYBERGER 472111111 24-Oct-68 ERNEST TRICKYBURGER CPE 4208 12TH AV S ltnullgt 3333333
666666 WANDA TRICKYBERGER 475222222 24-Oct-68 WANDA TRICKYBERGER CPE 4208 12TH AVE S ltnullgt 3333333
21
Risk Management
Dup Check Procedure for FFY2010

Overview
DOC will periodically produce a matching account
numbers list (Early often to keep effort
sizable).
SP will receive a secure email with their list.
SP investigates by performing the following
processes
Analyze validate reason match is correct
Escalate as needed (Detail in the following
slides)
Take appropriate corrective action
Document results and report

22
Risk Management
Dup Check Procedure for FFY2010

Step 1 Validate the Reason for Match Is Correct
If you know a valid reason for duplication enter
the reason for the duplicate vendor account
number on the spreadsheet
Look at paper application and file. Determine
probable reason and escalate appropriately.
Ask household(s) to explain if appropriate
occurrences and record finding in list
Examples One household moved out and now rents
the house to a relative who applied for EAP.
Building has multiple units with one landlord
account.

23
Risk Management
Dup Check Procedure for FFY2010

Step 2 Duplicate Application Error
Take corrective action including recalling funds
Close duplicate applications
Record an explanation of your determination on
the spreadsheet

24
Risk Management
Dup Check Procedure for FFY2010

Step 3. Duplicate Application Fraud Suspected
Review previous years and review all the
information provided
Take corrective action including recalling funds
Submit an incident report
Close duplicate applications
Record an explanation on the spreadsheet
Investigate fraud, report to officials and
follow EAP Policy Manual Chapter 17

25
Risk Management
Dup Check Procedure for FFY2010

Step 4 Return list with validation or actions to
DOC
The completed list (Excel spreadsheet) with
explanations is due at eap.mail_at_state.mn.us
A deadline will be prescribed. DOC tracks
compliance.
Delete the households private data (name, SSN,
address, vendor account name) before returning
the spreadsheet. Contact your EAP field
representative if you have any questions.

26
Risk Management
Dup Check Procedure for FFY2010

Best Other Practice
Applications with the same vendor for Heat
Electric should list the vendor once, choose heat
and electric as vendor type. Less likely to get
false positives for risk and best for application
processing.
Need to report issues and non issues. As a
program we need to assure we have done due
diligence to protect the integrity of the program
Late report will result if you dont respond to
request

27
Data Practices in the EAP Manual
Risk Management

Chapter 19. DATA PRACTICES AND RECORDS p. 120

28
Chapter 19. DATA PRACTICES AND RECORDS
Risk Management

Data Practices Policies and Procedures, Private
Data
Who has access
Who does not
Must be released to the individual or to a 3rd
party with consent
Social Security Number for EAP Applications
Optional

29
Chapter 19. DATA PRACTICES AND RECORDS
Risk Management

Application Documentation, p. 122
Where and how to save application documentation
Security Of Records, p. 123
List of requirements to secure records
Records Accessibility, p.124
What it means to have access to records
Reasons for maintaining access to records
Record Retention Requirements, p.124
Records to retain

30
Informed Consent For Release Of Information
Risk Management

Informed consent is needed when the information
will be given or sent to a third party.
Example Garnishment information requests often
go to an attorney
Informed consent are key words that need to be
taken at face value
The statute is very specific about what must be
included in an informed request

31
Data Practices Focus
Risk Management

Develop a good working relationship with the data
practices contact in your agency, if there is one
Plan Have a written policy
Who will have authority to see private data
Who will have authority to release private data
How your agency will maintain data security in
all situations
How you will request private data and document
the request
How you will maintain documentation of requests
for private data
How you will train staff on data privacy
requirements
Use centralized authority in the agency, if any
Centralize authority in EAP, if possible

32
Plan - Local Procedures Needed
Risk Management

To request information allowed by the application
consent so the request is done in a consistent
manner and so each request is documented
Best practice is for the local procedures to use
a form for requesting information by letter or
e-mail and a format for documenting a request by
telephone

33
Minnesota Department of Administration
Information Policy Analysis Division IPAD
Risk Management

The State authority on Data Practices
If you have questions about information policy
laws, including Minnesotas Data Practices Act
and the Open Meeting Law, youre at the right
place. Look over the resources on this website or
give us a call. (Copied from IPAD website)
http//www.ipad.state.mn.us

34
New Technology New Data Practices
Risk Management

Laptop Security
Imaging Equipment
Data access
Data storage
Data retrieval and back-up
Best Practice Before destroying paper documents
Make sure it all works
Every imaged document is accessible and as
readable
No problems exist regarding record retention

35
Electronic Records Management Guidelines
Risk Management

Recommended by IPAD
Minnesota Historical Society
http//www.mnhs.org/index.htm - home page
http//www.mnhs.org/preserve/records/electronicrec
ords/erintro.html
Imaging/scanning and storage of household files
Which Minnesota laws apply to electronic records?
How do we use electronic records to help ensure
public accountability while ensuring that
not-public records are protected?
Who is responsible for developing our electronic
records management strategy?
How do we dispose of electronic records?
Should we manage our electronic records
differently from our paper records?
How do we know what information is an electronic
record?
Is an electronic copy of a record an acceptable
substitute for the original?
Does an electronic record have the same legal
significance as a paper record?

36
eHEAT Security and Agreements
Risk Management

Levels of authority
State Data Base Administrator
Local (or vendor) eHEAT Administrators
Administrative Change Process, Chapter 3, p. 16
Local (or vendor) users
AgreementsAnnual
See EAP Tools on website www.energy.mn.gov

37
Summary of Data Practices
Risk Management

Staff should know
What private data is and how it relates to EAP
What data they can reveal and what they need to
do to assure they arent violating data privacy
How to document information they have revealed
Staff with authority to release private data
should know
All of the above
The SP-approved processes for following up on
data requests
Agency management should
Support the data practices activities with
knowledge and practical resources

38
Debtors Exemption Claims
39
Debtors Exemption Claims (Issue)

Collection Firms are asking for information
beyond what the manual states that we have to
tell them
They are saying that unless we tell them when
payments were made, they will not honor the
garnishment exemption (sometimes people lie)
We need a universal form that gives only the
information that they need

40
Debtors Exemptions Claims (Solution)

You dont need to be experts in the law but you
do need to know and understand it
There were changes made to the law for 2009
Garnishment firms need to be told EAP rules and
timelines by you
You are the EAP expert!

41
Debtors Exemption Claims

Many of you may have already seen these requests
A household is being pursued to pay a debt by a
third party collection agent that may or may not
be an attorney
The collection agents use tools like garnishment
of wages and levies aka Freezing of the bank
accounts
The law provides certain protections of some or
all of their money in certain situations, for
certain people
The form used to claim these protections is
called an Exemption Notice

42
Debtors Exemption Claims

Some or all of their money is protected if
The source of the money is Government benefits
such as Social Security benefits Unemployment
benefits Workers' compensation or Veterans
benefits
They currently receive other assistance based on
need
They have received government benefits in the
last six months
They were in jail or prison in the last six
months
Some or all of their earnings (wages) are
protected if
They get government benefits (see list of
government benefits)
They currently receive other assistance based on
need
They have received government benefits in the
last six months
They were in jail or prison in the last six
months

43
Debtors Exemptions Claims Law

The legislation, which will become effective on
Aug. 1, 2009, updates the exemption process and
makes technical changes to the current law
The legislation modifies legal requirements
regarding levies and garnishments and expedites
the process for both the creditor and debtor and
makes the following revisions to the current
garnishment law
Modifies the process
Updates forms
Creates a new notice of intent to garnish
Alters the exemption form and creditors
exemption form and
Adjusts timing requirements.
It does not change the intent of existing law or
impact current or future case law (quote from the
new law)

44
Debtors Exemption Claim Laws

Website MN office of the Revisor of Statues
Index of the laws relating to Fuel Assistance in
MN
https//www.revisor.leg.state.mn.us/statutes/?topi
c202092
Address of the website with the new law
https//www.revisor.leg.state.mn.us/laws/?id31do
ctypechapteryear2009type0

45
Debtors Exemption Claim Form

Section 1. Minnesota Statutes 2008, section
550.143, is amended to read 550.143 LEVY ON
FUNDS AT A FINANCIAL INSTITUTION.
Form of notice. The notice required by
subdivision 3 must be provided as a separate form
and must be substantially in the following form
EXEMPTION FORM
HOW MUCH MONEY IS PROTECTED.....
I claim ALL of the money being frozen by the bank
is protected......
I claim SOME of the money is protected. The
amount I claim is protected is .......

46
Debtors Exemption Claim Form

WHY THE MONEY IS PROTECTED
My money is protected because I get it from one
or more of the following places (Check all that
apply).....
Government benefits include, but are not limited
to, the following
MFIP - Minnesota family investment program, MFIP
Diversionary Work Program, Work participation
cash benefit, GA - general assistance, EA -
emergency assistance, MA - medical assistance,
GAMC - general assistance medical care, EGA -
emergency general assistance, MSA - Minnesota
supplemental aid, MSA-EA - MSA emergency
assistance, Food Support, SSI - Supplemental
Security Income, Minnesota Care, Medicare part B
premium payments, Medicare part D extra help,
Energy or fuel assistance.

47
Debtors Exemption Claim Form

Government benefits also include..... Social
Security benefits..... Unemployment benefits.....
Workers' compensation..... Veterans benefits
If you receive any of these government benefits,
include copies of any documents you have that
show you receive Social Security, unemployment,
workers' compensation, or veterans benefits......
Other assistance based on need You may have
assistance based on need from another source that
is not on the list. If you do, check this box,
and fill in the source of your money on the line
below
Case Number..... County ... Source .....
Include copies of any documents you have that
show the source of this money.
Some of your earnings (wages) are protected

48
Debtors Exemption Claim Form

OTHER EXEMPT FUNDS
The money from the following are also completely
protected......
An accident, disability, or retirement pension or
annuity.....
Payments to you from a life insurance policy.....
Earnings of your child who is under 18 years of
age.....
Child support
Money paid to you from a claim for damage or
destruction of property
Property includes household goods, farm tools or
machinery, tools for your job, business
equipment, a mobile home, a car, a musical
instrument, a pew or burial lot, clothes,
furniture, or appliances......
Death benefits paid to you

49
Debtors Exemption Claim Form

I give permission to any agency that has given me
cash benefits to give information about my
benefits to the above-named creditor, or its
attorney.
The information will ONLY concern whether I get
benefits or not, or whether I have gotten them in
the past six months
If I was an inmate in the last six months, I give
my permission to the correctional institution to
tell the above-named creditor that I was an
inmate there.
There are additional instructions and timelines
in the new law that I did not include here, but
would encourage you all to take a look at so
youre familiar

50
Debtors Exemption Claims and EAP

A person's wages are exempt if they currently
receive need based aid, or have been a recipient
within the last 6 months
Households are now required to provide bank
statements with the exemption notices
The creditor is looking for some proof that the
debtor currently receives EAP or was a recipient
in the last 6 months
Will need additional help from us unless they
received a direct payment
A benefit statement from us will suffice
So, heres what you need to do
The new export will contain information on
payments and dates
Redact what is unnecessary (payment amounts)
If they demand more you can refer them to the
state

51
Debtors Exemption Claims and EAP

You are the EAP experts
You have the support of DOC and our timelines for
eligibility is clearly documented in our EAP
policy manual
Once determined eligible a household is eligible
until the end of the program year (September 30)
They are still protected for 6 months after they
last received assistance

52
Debtors Exemption Claim Notice

The Debtors Exemption Claim Notice is a type
of Informed Consent form (Appendix 19B) and will
be updated to reflect the new statues
New template letter for providing the information
that will meet the legal requirements and reflect
EAP policy guidelines

53
Data Security and You!
Risk Management

Richard Gooley Chief Information Security Officer
Minnesota Department of Commerce

54
Data Security and You!
Risk Management
55
Executive Summary
Risk Management

Be cyber smart Sec rity needs U!
Security is everyones responsibility
Security doesnt need to be intimidating
Security doesnt have to cost an arm and a leg

56
Agenda
Risk Management

7 Top Tips for Keeping Your Data Secure
Identify and guard sensitive information
Create bulletproof passwords
Use secure email
Protect your computer
Keep your computer patched
Properly dispose of information no longer needed
Be mindful of social engineering
Excellent Resources for Free Stuff!
Questions and Discussion

57
7 Top Tips for Keeping Your Data Secure
Risk Management

aka How to Keep Out of Current Events

58
7 Top Tips for Keeping Your Data Secure
Risk Management

Tip 1 Identify and guard sensitive information
Dumpster diving
What sensitive information do you work with?
Social Security Number
Addresses
Children
Household income
Private financial information

59
7 Top Tips for Keeping Your Data Secure
Risk Management

Tip 2 Create bulletproof passwords
Weak passwords are all too common
They are easy for users to remember.
They include personal information about the user.
They consist of known words found in many hacker
password dictionaries.

60
7 Top Tips for Keeping Your Data Secure
Risk Management

Examples of bulletproof passwords
eX_at_mp13s0f
Bu!1e7Pr0of
Do you know my address?
DUKma?45410akland

61
7 Top Tips for Keeping Your Data Secure
Risk Management

Tip 3 Use secure email
All email from The State containing private data
will be sent using secure email
Method for retrieving secure email
Use link in email to go to The States secure
site
Establish password
Retrieve email and attachments
Retain password for future use

62
Example of Secure email from The State
Risk Management
63
Establish/enter password
Risk Management
64
Retrieve email/attachment
Risk Management
65
Secure email
Risk Management

What is TLS encryption?
Transport Layer Security TLS is a standard
protocol that is used to provide secure Web
communications on the Internet or intranets. It
enables clients to authenticate servers or,
optionally, servers to authenticate clients. It
also provides a secure channel by encrypting
communications. TLS is the latest version of the
Secure Sockets Layer (SSL) protocol.

66
Secure email TLS encryption
Risk Management
67
7 Top Tips for Keeping Your Data Secure
Risk Management

Tip 4 Protect your computer (with your life!)
Wheres my laptop?

68
7 Top Tips for Keeping Your Data Secure
Risk Management

Tip 5 Properly dispose of information no longer
needed
Where's that usb drive?

69
7 Top Tips for Keeping Your Data Secure
Risk Management

Tip 6 Keep your computer patched

70
Patch Management
Risk Management

71
7 Top Tips for Keeping Your Data Secure
Risk Management

Tip 7 Be mindful of social engineering
Know thy neighbor

72
All I did was smile and they let me in the door

Risk Management
73
Excellent Resources for Free Stuff!
Risk Management
74
https//www.act-online.net/
Risk Management
75
Business Continuity Disaster Recovery
Risk Management
76
www.flu.gov
Risk Management
77
Excellent Resources for Free Stuff!
Risk Management