PHASE III: MONITORING (In Development)

WORK STEPS:
1. Identify the in-scope processes
2. Document each process
3. Identify objectives and risks, and assess the risks
4. Identify the controls
5. Determine which controls are "significant" & perform a gap analysis of the controls
6. Develop written procedures for the significant controls
7. Develop control test scripts; design and carry out routine monitoring.

OUTPUT / DELIVERABLE(S):
1. Listing of in-scope processes and sub-processes
2. Process narratives and maps
3. Risk Assessment Matrix (RAM)
4. Risk Control Matrix (RCM)
5. Listing of significant controls
6. Control templates
7. Monitoring plan, Test of Control (TOC) scripts, completed TOCs
Toolkit Overview:
This toolkit provides the overall process, work steps, work templates, and examples
to help you (a) identify the risks inherent in a process or project, (b) assess those
risks and rank them by severity, (c) identify the controls that mitigate the risks, and
(d) determine if the controls are adequately mitigating the risks.
Depending on your project and where you are with it, this tool can help you to carry
out all or just some of these activities.
The main page for the toolkit is the dashboard, which provides an overview of the
process, and contains hyperlinks to worksheets for each of the seven work steps
that make up the process.
Toolkit Functionality:
By clicking on a dashboard work step, the user is taken to a worksheet for that
step. All the worksheets are organized in the same way, containing the same
resources for carrying out that step.
The resources for each work step include statements describing the purpose of the
work step and its outcomes, a listing of the specific tasks that must be carried out
to complete the work step, tips, templates that can be downloaded and filled out,
and examples of completed templates.
You may need to zoom in or out in your version of Excel to optimize the view of
each worksheet.
You may need to scroll up or down to see all the content available for that page.
Navigation Tips:
Advanced Excel users: Although the formula bar, headings, and gridlines are not
shown, and each sheet is "locked," there is no password to unlock each sheet; so if
you feel you need to adjust a setting to improve your interaction with the toolkit,
you are able to do so.
Each work step worksheet contains the same sections: Work Step, Purpose, Output / Deliverable(s), Principal Tasks, Tips!, Template(s), and Definition(s).
Work Step 1: Identify the in-scope processes

Template(s): <None--See examples>
Examples:
>Sample process categories and sub-categories
>Sample business process listing--financial reporting focus
Definition(s):
Business process: see Wikipedia link.
Sample processes: Financial Close; Payroll Processing; Hire to Retire; Human Resources; Award Setup; Award Closeout
Work Step 2: Document each process

Principal Tasks:
2b. Write up the process in narrative (paragraph) form. Provide the draft
to knowledgeable people for review and comment. Finalize narrative.
2c. Develop the process map(s)--a.k.a., work-flow diagrams. Provide the
draft to knowledgeable people for review and comment. Finalize process
map(s).
Tips!
>The two documents (narrative and process maps) support each other's
development. So it may be more efficient to develop one, then use it as a
basis to develop the other.
>Before beginning interviews, search websites for descriptions of what
the entity does.
>Ask for existing documents that describe the entity's activities.
>Obtain the entity's organization chart, which is often a good indication of
how the entity defines the various activities it carries out.
>Determine if there have been internal audit reports related to the entity;
these can be a good source of background information.
>With regard to existing process descriptions, be aware that what is
documented may not be what is actually done. Validate this during
interviews.
Template(s):
>Process narrative (MS Word)
>Process map: see examples
Examples:
>Process narrative, student fin. aid
>Process narrative, treasury
>Process map, CSS IT
>Process map, AREC
Work Step 3: Identify objectives and risks, and assess the risks

Principal Tasks:
3b(1). <Optional> For each risk, identify its consequences.
Consequences can be the same for two or more risks.
3c. Assess the likelihood and impact of each risk, or group of risks (you
may choose to assess risks as a group (by objective), or separate out each
risk; this choice depends on whether the risks vary broadly in their
severity).
3d. Multiply the likelihood and impact scores to achieve the risk severity
score.
Identifying objectives:
>Department or initiative websites often contain objectives in the form of
mission, vision, and values statements.
>Also look for strategic and operations plans as a source of objectives.
>Service-level agreements (SLAs) are good sources of operational
objectives.
Risk consequences:
>For each risk, if you asked the question, "So what?", the answer gets you
to the consequences of that risk.
>You will find that consequences can often be repeated for (be common
to) a number of your risk statements.
>There will often be more than one consequence per risk.
>Having a concrete list of consequences helps to clarify the potential
impact (severity) of the risk once you move on to the risk assessment
task.
Definitions:
Objective:
An entity's objectives are defined under four categories:
>Strategic: high-level goals, aligned with and supporting its mission.
Risk:
The possibility that an event will occur that will adversely affect the
achievement of objectives.
Risk severity:
>The combination of a risk's likelihood of occurring and its impact if it
does occur.
>Usually severity is the product (multiplication) of the risk's numerical
likelihood and impact scores.
>When using a 1-5 scale, the severity range of a risk is 1 (lowest risk,
1x1) to 25 (highest risk, 5x5).
SAMPLE OBJECTIVES
All categories of compensation that should be reported are reported
All compensation reported is accurate
All employees who should be included in the AREC report are
included, and only those who should be included are included
All expenses charged to the UCB ghost card are valid and authorized
All travel vouchers are input and processed accurately and timely
Campus security and privacy requirements are met
Centers must meet the operational needs of users and be
accountable to users
Conform with the allowability of costs provisions of A-21, or limitations
in the program agreement, program regulations, or program statute
Costs are given consistent accounting treatment within and between
accounting periods
Costs are reasonable and necessary for the performance and
administration of federal awards
Employee compensation and benefits are accurate
Information in the SLIS accurately reflects the UC Berkeley covered
population
Information in the SLIS is up to date
Information submitted to UCOP is properly authorized
IT investments are aligned with the campus's IT standards
Personnel records are accurate and complete
Quality of service to the user must be equal to, if not better than,
services available now
Shared Service Centers must be large enough to achieve economies
of scale
Significant financial savings for the campus must result
Staff are hired possessing the skills appropriate to the position
Technology support services are delivered timely and effectively
Travel vouchers are properly approved
Sample Consequences
Prevent environmental
contamination.
Injury/death.
Bad public relations.
Damage to reputation.
Lawsuits.
Loss of revenue.
Litigation
Complaints
Possible corrective action
APPROACHES TO IDENTIFYING RISKS
Approach comparison (table columns: Summary, How Done, Downside):
>Objectives-Oriented Approach <<RECOMMENDED>>
>Risk-Oriented Approach
>Metric-Oriented Approach
>Opportunity-Oriented Approach
Work Step 4: Identify the controls

Principal Tasks:
4a. Identify and describe the entity's controls (see "Tips" and
"Definitions" below for guidance on how to spot controls).
>If a process narrative was developed, read through the narrative and
highlight (bold) any control statements.
>Similarly, if process maps were developed, identify points along the work
flow where controls occur.
>Synch up controls on narratives and process maps.
>Process narratives and maps reflect each other, so it may be most
efficient to identify controls on one, then transfer those to the other. It
may be appropriate that there is not a complete match of controls to both
documents, given potentially different levels of information
communicated.
>Give each control a unique number (the numbering method is not
important at this stage).
b(2). Once the RCM is completed, for each risk at the top of the RCM, look
down its column and review the controls coverage for that risk. Based on
the number and type of controls, make a determination as to whether the
risk is adequately mitigated. (Key presumption: the controls are designed
and operating effectively.)
b(3). For each control, look across the row at how many risks it helps to
mitigate, and assess whether it may be unnecessary (a control that does
not mitigate any of the risks may be unnecessary).
b(4). Make a final determination as to whether there are any control gaps
or control redundancies. If there are gaps, determine the response: add a
new control, accept the risk, etc.
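As an added worked example (not part of the toolkit), the severity scoring of step 3d and the column-and-row review of steps 4b(2)-4b(4) carried out in Python over a small constructed RCM modelled on the AREC reporting controls quoted further down. The risk and control identifiers, statements and scores, and the thresholds for "high severity" and "enough controls", are all assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    rid: str
    statement: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    @property
    def severity(self) -> int:
        # Step 3d: severity = likelihood x impact; on a 1-5 scale the range is 1..25.
        if not all(1 <= s <= 5 for s in (self.likelihood, self.impact)):
            raise ValueError(f"{self.rid}: likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact

@dataclass(frozen=True)
class Control:
    cid: str
    statement: str
    mitigates: frozenset  # risk ids marked with an X in this control's RCM row

def review_rcm(risks, controls, high_severity=15, min_controls_for_high=2):
    """Steps 4b(2)-4b(4): read each risk column, then each control row, of the RCM."""
    # Thresholds are assumed for this example, not toolkit values (>= 15 needs >= 2 controls).
    coverage = {r.rid: [c.cid for c in controls if r.rid in c.mitigates] for r in risks}
    gaps = []
    for r in sorted(risks, key=lambda r: r.severity, reverse=True):  # worst risks first
        n = len(coverage[r.rid])
        if n == 0:
            gaps.append((r.rid, r.severity, "no mitigating control"))
        elif r.severity >= high_severity and n < min_controls_for_high:
            gaps.append((r.rid, r.severity, f"only {n} control(s) for a high-severity risk"))
    # 4b(3): a control whose row mitigates none of the listed risks may be unnecessary.
    unnecessary = [c.cid for c in controls if not (c.mitigates & {r.rid for r in risks})]
    return {"coverage": coverage, "gaps": gaps, "possibly_unnecessary": unnecessary}

# Constructed sample RCM (not the toolkit's data), modelled on the AREC reporting controls above.
RISKS = [
    Risk("R1", "A reportable employee is omitted from the AREC report", 4, 4),
    Risk("R2", "Reported compensation amounts are inaccurate", 3, 4),
    Risk("R3", "Report is sent to UCOP without proper authorization", 2, 5),
    Risk("R4", "Report is submitted after the deadline", 2, 2),
]
CONTROLS = [
    Control("C1", "SMG coordinator notifies Payroll of new AREC-reportable hires", frozenset({"R1"})),
    Control("C2", "Athletics reconciles the SLIS list to its tracking spreadsheet", frozenset({"R1", "R2"})),
    Control("C3", "Chancellor reviews and certifies the report before it goes to UCOP", frozenset({"R3"})),
    Control("C4", "Deficit fund balances are swept monthly to department funds", frozenset()),
]
```

Running review_rcm(RISKS, CONTROLS) flags R4 as uncovered and C4 as possibly unnecessary; lowering high_severity to 12 additionally flags R2 as a high-severity risk resting on a single control.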
Tips!
IDENTIFYING CONTROLS
>For guidance in thinking about what are the controls in your process,
remember that based on the COSO definition of internal control (see
below), a control is a "process," so it is not necessarily a single activity but
a series of activities, or process steps. (However, limit your control
statements to a few sentences; avoid highlighting an entire paragraph and
calling it the control; it may need to be separated into several controls.)
>Also, before identifying controls, review the links below to "COSO control
components" and "control categories." These will help you spot controls.
>Finally, because controls are those activities that help you to achieve
your objectives (or mitigate the risks to achieving your objectives), when
reviewing your written process narratives to spot and call out control
activities, think about whether the sub-section of your process narrative
helps to achieve one or more objectives; if yes, then it may be a control
activity.
WHEN TO SEPARATE OUT CONTROLS VS. CALL IT ALL ONE CONTROL
>Bear in mind that when a control is tested as part of routine monitoring
to determine if it is working as designed, if one part of the control design
fails in the test, then the whole control fails. As a result, when identifying
control statements, you may not want to pack too much into a single
control, but rather break it out into two or more separate controls.
Template(s):
>Controls inventory
Examples:
>Mapping controls to a process map (example 1)
Definition(s):
>Control categories

Sample control statements:
The SMG coordinator notifies Payroll via email that a new AREC-reportable employee has
been hired.
Athletics reconciles the list of names provided by the SMG coordinator from the SLIS to
the tracking spreadsheet that Athletics has been updating throughout the calendar year.
Differences are followed up on, and updates are provided as appropriate to Payroll and
the SMG coordinator for corrections to SLIS.
After all certifications are received and the SLIS is up to date, the SMG coordinator prints
out from SLIS the campus's report, reviews it, and signs it. The chancellor reviews the
UC Berkeley data and certifies with his signature that the population contained in the
report is accurate and complete before it is sent to UCOP.
Reconciliations between the Student Aid Management System (SAMS), Campus Accounts
Receivable System (CARS), and the general ledger are performed monthly by the
Financial Aid Office's (FASO's) Fiscal Management Unit. These reconciliations are
prepared by the assistant director of fiscal management and reviewed by the associate
director.
All checks and EFTs greater than or equal to $100,000 require an additional manual
signature.
The invoicing and receivable system is reconciled to related accounts receivable
accounts. Reconciliations are prepared by an accounts receivable analyst and reviewed
by the director.
All vouchers (except credits) are approved online in BFS by the department approver
before payments are issued to the vendor.
The PI reviews and approves subrecipient invoices to ensure the items requested for
payment relate to an activity that is allowed per the grant agreement (and that the
requested payments are proper given the status of technical deliverables).
The RA reviews the detailed payroll expenses each month for general propriety and to
validate the accuracy of the charges, including the accuracy of employee names and pay
rates, and for possible other key entry errors.
Deficit fund balances (where actual expenses exceed budget) are swept monthly to
discretionary department funds.
IT management meets periodically to conduct strategic planning, address issues, and
monitor controls.
IT roles and responsibilities are defined, reviewed on a periodic basis, and communicated
to staff.
Management understands and provides oversight to ensure that separation of duties is in
place between critical functions.
IST maintains policies and procedures that address program development, changes,
security, and operations. These policies and procedures are guided by the governance
and oversight of the UC Office of the President.
Management understands and provides oversight to ensure that program maintenance
and program development activities are controlled.
IT management tracks, responds to, and ensures appropriate resolution to incidents that
reflect possible control issues, such as significant security breaches or data corruption
problems.
Work Step 5: Determine which controls are "significant" & perform a gap analysis of the controls

Template(s):
>Controls Inventory
Definition(s):
Significant control
A control that, if other controls fail, provides reasonable assurance that
objectives will still be achieved in the following categories:

Work Step 6: Develop written procedures for the significant controls

Output / Deliverable(s): Control Template

Tips!
>When documenting the control, be clear and precise: err on the side of
giving more information rather than less.
>The description of each control step should begin with a verb: "Review,"
"Compare," "Send," "Monitor," etc.
>Exercise good version control.
>Update control templates whenever there is a change in the control
procedure; review them at least annually.
>Archive the control templates in such a way that they are accessible to
the control performers, and so that there is no confusion about which
version is current.
Template(s):
>Control template (MS Word)