The Crawford Risk Assessment Methodology - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
The Crawford Risk Assessment Methodology
  • Presented by
  • Mark Paganelli, Executive Director
  • Judy Burns, Assistant Director
  • Audit Consulting Services
  • The University of Tennessee

for the AGA Nashville Chapter Winter Seminar, January
8-9, 2008
2
Session objectives
  • Provide an understanding of the risk assessment
    process
  • Demonstrate one University's application of this
    process
  • Equip you with resources for conducting your own
    assessment

3
Source
  • David B. Crawford
  • Audit Manager Emeritus
  • The University of Texas System
  • The Assurance Continuum: An Enterprise Risk
    Management Model

4
What is risk assessment?
  • A process that defines how an organization
  • Identifies risks to the achievement of its
    mission, goals, objectives
  • Measures the significance of each identified risk
  • Determines the most appropriate business response
    to each risk
  • Monitors how well the responses are carried out

5
Why do it?
  • External requirement
  • State of TN
  • Audit Committee Act
  • Directive from State Comptroller and Director of
    State Audit
  • Anticipates SOX
  • Good business practice

6
Benefits
  • Focus efforts and resources on most critical
    issues
  • Enhance understanding of risks and controls
  • Clarify accountability and improve communication
  • Demonstrate due diligence to stakeholders

7
Who is responsible?
  • Management
    vs.
  • Internal audit

8
Three phases
  • Risk Assessment
    • Deliverable: Risk Footprint
  • Control Documentation
    • Deliverable: Control Footprints
  • Control Evaluation and Monitoring
    • Deliverable: Monitoring Plans

9
Phase 1: Risk Footprint
10
What is a risk?
  • A potential negative event that would affect the
    organization's ability to meet its mission,
    goals, and objectives.

11
Phase 1: Risk assessment steps
  • ID mission, goals, objectives
  • ID all activities
  • Consolidate into major processes and prioritize
  • ID risks for each process
  • Rank risks by impact and probability of occurrence

12
1. ID mission, goals, objectives
  • Mission: The mission of the procurement card
    program is to reduce the cost of paying vendors
    and provide departments flexibility in making
    purchases.
  • Goals:
  • Obtain the best rebate amount for purchases.
  • Make as many purchases with p-cards as
    possible.
  • Ensure that purchases comply with policies.
  • Maintain adequate records to support
    purchases.
  • Protect the university from fraudulent card
    use.

13
How to ID mission, goals, objectives
  • Owners review and revise existing or develop
    new
  • Other stakeholders review and comment
  • Reach consensus

14
2. ID all activities
15
How to ID all activities
  • Individuals with knowledge of the area
  • Brainstorming
  • Univ of TX Excel workbook with macros or any
    spreadsheet

16
3. Consolidate activities into major processes
and prioritize
17
How to consolidate and prioritize
  • Same individuals who brainstormed activities
  • Cluster activities with related purposes; name
    the process
  • Prioritize processes
  • Univ of TX Excel workbook or any spreadsheet

18
4. ID risks for each process
19
How to ID risks
  • Involve employees working in the area being
    assessed
  • Brainstorming
  • Univ of TX Excel workbook or any spreadsheet

20
5. Rank risks by impact and probability
21
Risk ranking characteristics
  • IMPACT: Effect on achievement of mission, goals,
    objectives
  • High - showstopper
  • Medium - inefficient and extra work
  • Low - no effect
  • PROBABILITY: Likelihood of the risk happening
  • High - will happen frequently
  • Medium - will happen infrequently
  • Low - will seldom happen

22
How to determine impact
  • Develop a list of consequences if a risk were to
    become a reality
  • Value the effect each consequence would have on
    the organization (high, medium, or low)
  • The impact value of the risk is the value of its
    highest potential consequence.

23
Sample consequences
24
How to determine probability
  • Determine how often a risk is likely to occur.
  • Assume only Level 1 controls are in place.

25
Assurance Continuum: Levels of Control in COSO
  • Collaborative Assurance (Governance and Management
    Control Processes)
  • Periodic Assurance (Governance Control Processes)
  • On-going Assurance (Management Control Processes)
  • Level 1 Controls (Execution): during execution of
    the event or transaction
  • Level 2 Controls (Supervisory): immediately after
    execution of the event or transaction
  • Level 3 Controls (Oversight): soon after execution
    of the event or transaction
  • Level 4 Controls (Internal Audit): pre-operations
    design review of on-going assurance, and
    post-operations audit of execution of on-going
    assurance
26
Level 1 controls (execution controls)
  • Embedded in day-to-day operations
  • Policies and procedures
  • Segregation of duties
  • Reconciliations/comparisons
  • Performed on every event/transaction
  • Performed by the generators of the
    event/transaction
  • Performed in real time, as the event/
    transaction is executed

27
Level 2 controls (supervisory controls)
  • Re-application of operating controls
  • Supervisory review / quality assurance
  • Performed very soon after the generation of the
    event/transaction
  • Performed by line management or staff positions
    who do not originate the event/ transaction
  • Performed on a sample of the total number of
    events/transactions

28
Level 3 controls (oversight controls)
  • Exception reports, status reports, analytical
    reviews, variance analysis
  • Performed by representatives of executive
    management
  • Performed on information provided by supervisory
    management
  • Performed within a short period (weeks/months)
    after the event/transaction is originated

29
Level 4 controls (internal audit controls)
  • Audit of the design of controls, not the operation
    of controls
  • Performed either before the event/ transaction is
    originated or long after
  • Performed by staff with no involvement in the
    operations
  • Performed on individual events/transactions for
    discovery only

30
How to determine final ranking
  • Combination of Impact Value and Probability Value
  • Impact Value is always first.
  • Order risks from HH to LL.

31
Completed risk rankings
32
How to create the risk footprint
  • Generate automatically with U TX software.
  • Create own spreadsheet with risks in columns and
    processes in rows.
  • Order processes from the one with the highest
    number of critical risks.

33
Completed risk footprint
34
Phase 2: Control footprint
35
Phase 2: Control documentation steps
  • ID controls (policies and procedures) for each
    process
  • Map controls to risks

36
1. ID controls for each process
37
1. ID controls for each process
38
How to ID controls
  • Review all related policies and procedures
  • Include staff who work in the area
  • Brainstorm
  • Document

39
2. Map controls to risks
40
How to map controls
  • Read through list of controls one at a time
  • Ask which controls address which risks
  • Place an X in the appropriate cell

41
How to create the control footprint
  • Create spreadsheet with risks in column headings
    and processes in row headings.
  • Map each control to the risks by placing an X
    in the cell under the risk.
  • One footprint per process.

42
Completed control footprint
43
Phase 3: Monitoring plans
44
Phase 3: Control evaluation and monitoring steps
  • ID over- and under-controlled risks / critical and
    marginal controls
  • Create a monitoring plan for the critical risks

45
ID over- and under-controlled risks / critical and
marginal controls
46
How to evaluate controls
  • Ask if there are any under-controlled risks,
    particularly any red risks.
  • Ask if there are any over-controlled risks,
    particularly green or gray risks.
  • Ask which controls appear to be key for
    mitigating the risks.
  • Ask which controls are of little value.

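As an added example (not from the presentation or the University of Texas workbook), the ranking rule of slide 30, the footprint layouts of slides 32 and 41, and the four evaluation questions above, in plain Python. The sample risks and controls are constructed around the p-card program of slide 12; treating the HH rankings as the RED (critical) risks and a Low-impact risk with more than one control as over-controlled are assumptions, since the slides do not state those thresholds.

```python
# Added example (not from the presentation): ranking, risk footprint and control footprint.
from collections import Counter
LEVEL = {"H": 0, "M": 1, "L": 2}  # sort order: High before Medium before Low

def rank_risks(risks):
    """Order (process, risk, impact, probability) tuples HH..LL, impact key first."""
    return sorted(risks, key=lambda r: (LEVEL[r[2]], LEVEL[r[3]]))

def is_critical(risk):
    return risk[2] == "H" and risk[3] == "H"  # assumption: the RED risks are the HH ones

def risk_footprint(risks):
    """One row per process, ordered by descending count of critical risks."""
    critical = Counter(r[0] for r in risks if is_critical(r))
    processes = sorted({r[0] for r in risks}, key=lambda p: (-critical[p], p))
    return [(p, critical[p], [r[1] for r in rank_risks(risks) if r[0] == p])
            for p in processes]

def control_footprint(process_risks, controls):
    """controls = {control: set of risk names}; returns {risk: [controls marked X]}."""
    return {r[1]: sorted(c for c, hits in controls.items() if r[1] in hits)
            for r in process_risks}

def evaluate_controls(process_risks, controls):
    """Slide 46 questions: under-/over-controlled risks, key and low-value controls."""
    fp = control_footprint(process_risks, controls)
    red = {r[1] for r in process_risks if is_critical(r)}
    return {
        "under": [r[1] for r in process_risks if not fp[r[1]]],
        # assumption: a Low-impact risk carrying more than one control is over-controlled
        "over": [r[1] for r in process_risks if r[2] == "L" and len(fp[r[1]]) > 1],
        "key": sorted(c for c, hits in controls.items() if hits & red),
        "little_value": sorted(c for c, hits in controls.items() if not hits & set(fp)),
    }
# Constructed sample data for the p-card program of slide 12: (process, risk, impact, probability)
RISKS = [
    ("Card issuance", "Card issued to ineligible employee", "H", "M"),
    ("Purchasing", "Fraudulent card use", "H", "H"),
    ("Purchasing", "Purchase violates policy", "M", "H"),
    ("Purchasing", "Card used after employee leaves", "H", "M"),
    ("Purchasing", "Vendor does not accept cards", "L", "M"),
    ("Reconciliation", "Missing receipts", "M", "M"),
]
PURCHASING_CONTROLS = {  # constructed; X in the footprint = risk name present in the set
    "Cardholder training": {"Purchase violates policy", "Vendor does not accept cards"},
    "Supervisor reviews monthly statement": {"Fraudulent card use", "Purchase violates policy", "Vendor does not accept cards"},
    "Bank fraud monitoring alerts": {"Fraudulent card use"},
    "Annual card inventory": set(),
}
```

Running `evaluate_controls` on the Purchasing risks flags "Card used after employee leaves" as under-controlled (a High-impact risk with no X in its column) and "Annual card inventory" as a control of little value, which is exactly the gap the monitoring plan of slide 48 is meant to surface.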
47
2. Create a monitoring plan for critical risks
48
How to create a monitoring plan
  • Include all controls that address the critical
    (RED) risks
  • Categorize each control by level (Level 1, Level
    2, or Level 3)
  • Ensure each level is covered
  • Indicate the documented evidence for each control
  • Assign who is responsible for monitoring

52
Final thoughts
  • Risk environment for your institution is unique
  • Risk environment continuously changes
  • Risk ranking changes with the environment
  • Risk assessment is ONGOING, not periodic

53
Final thoughts, cont.
  • Annual Assessment
  • Update risk footprint
  • Determine external assurance
  • Assign Internal Audit to remaining critical risks
  • Cover remaining risks with management assurance
    strategies

54
Questions?
  • Additional information can be found at University
    of TX website
  • www.utsystem.edu/compliance
  • David Crawford can be contacted via email
  • Crawfordjd_at_earthlink.net

55
Questions?
  • Mark Paganelli, Executive Director
  • mpaganel_at_utk.edu
  • Judy Burns, Assistant Director
  • jaburns_at_utk.edu