utsouthwestern风险与内部控制.ppt

An Educational Computer Based Training Program C B T Effectively Controlling Risk UT Southwestern General Compliance Training Effectively Controlling Risk In order to achieve the goals of providing the highest levels of medical education, biomedical research and patient care, UT Southwestern must have effective internal controls. There needs to be an appropriate balance between controls and risks is necessary to provide reasonable assurance that the medical centers operations will be effective,efficient and in compliance with laws and regulations. Effectively Controlling Risk uWhat is the purpose of this training? uWhy is it necessary? uWhat is internal control? uWhat are the components of internal control? uWhere can I learn more? Effectively Controlling Risk What is the purpose of this training? uProvide employees with the training and tools to evaluate internal control at the activity, process and department levels. Two tools available to achieve this goal are the: -Risk and Control Self-Assessment Guideline -Risk Assessment and Control Activities Worksheet Effectively Controlling Risk Why is it necessary? uHighly publicized frauds at other public institutions have caused concerns among UT System and component administrators. uWhat was determined to be the problem? WEAK INTERNAL CONTROLS Effectively Controlling Risk What is internal control? : Internal control is a process, effected by UT Southwesterns governing board, administration, faculty, and staff, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations, Reliability of financial reporting, and Compliance with applicable laws and regulations. Effectively Controlling Risk Internal Control Process 5 Components Establish Control Environment Perform Risk Assessment Implement Control Activities Communicate Information Monitor Performance Internal Control Process Establish Control Environment uThe control environment is the control consciousness of an organization. uThe control environment includes the integrity and ethical values of its people, their competence, and the way they do business. Internal Control Process Elements of the Control Environment uStandards of Conduct Guide uRegents Rules, Business Procedures Memorandums, etc. uDepartment standards of conduct uHuman resources policies and procedures uDepartment policies and procedures uConflicts of interest-disclosure forms uEthics Guide uHonesty uZero tolerance Internal Control Process Perform Risk Assessment uRisk assessment is the identification and analysis of risks associated with achieving your objectives. uRisk assessment helps to form a basis for determining how to manage identified risks. Internal Control Process What is our risk? With internal controls, RISK is . . . uThe possibility that the organization will NOT: Achieve its goals Operate effectively and efficiently Protect itself from loss Provide reliable financial data (reports) Comply with applicable laws, regulations, policies, and procedures Internal Control Process Perform Risk Assessment uComponents and Departments must define their goals and objectives in relation to their: Mission, Operations, Financial reporting, Compliance, and Significant activities or processes. uThen, they must identify and analyze potential risks by asking certain questions: What could go wrong? What must go right? What is the significance of our risks? What is the likelihood of occurrence? Internal Control Process Perform Risk Assessment Questions employees should consider: uWhat business are you in? uWho are your customers? uWhat do they need and want? uWhat does that say about what you are trying to accomplish? uHow will you know you have been successful? Internal Control Process Perform Risk Assessment uA risk is ANYTHING that could jeopardize the achievement of a goal or objective. uFor each goal or objective, identify your risks. uBe comprehensive, by considering external and internal factors. Internal Control Process Perform Risk Assessment uFor each identified risk, estimate the potential significance (cost, safety, institutional image) and likelihood of occurrence. uFocus on the major risks, and determine how those risks should be managed and minimized to acceptable levels. Internal Control Process Implement Control Activities uControl activities are the policies and procedures that help ensure that actions identified as necessary to manage risks are carried out properly and in a timely manner. uControl activities should be proactive, value-added, and cost effective. Internal Control Process Implement Control Activities Risks Controls Properly balancing risks and controls makes good business sense! Internal Control Process Implement Control Activities Examples of Control Activities at UT Southwestern: uApprovals, authorizations, and verifications Having written policies and procedures and limits to authority uReconciliations Explanations of the difference between two sets of data AND taking corrective action Internal Control Process Implement Control Activities Examples of Control Activities at UT Southwestern, continued. . . u Reviews of performance For components, departments, and individual employees u Security of Assets Limiting access, keeping records, and making periodic counts to compare to our records Internal Control Process Implement Control Activities Examples of Control Activities at UT Southwestern, continued . . . uSegregation of Duties Make sure no one person can initiate, approve, record and reconcile transactions uControls over Information Systems General controls over access and development, as well as specific controls within applications Internal Control Process Communicate Information uReliable and relevant information, from both internal and external sources, must be identified and communicated to employees. uInformation should be processed and communicated in a timely manner and in a form that is usable. Internal Control Process Communicate Information What information is relevant and reliable? uJob responsibilities uGoals and objectives uInformation to assess risks uPolicies and procedures uLaws and regulations uPerformance indicators uCustomer feedback uPerformance evaluations Internal Control Process Communicate Information How should we communicate? uMethods include one-on-one, staff meetings, telephone calls, e-mail, memos, and reports uONLY communicate information to those who need it Communicate up, down, and across the organization Internal Control Process Monitor Performance uMonitoring involves evaluating internal control performance over time to determine whether controls are: adequately designed, properly executed, and effective. uHow do we know? Internal Control Process Monitor Performance uInternal controls are adequately designed and properly executed if all five internal control components are present and functioning as designed: Control environment Risk assessment Control activities Information and communication Monitoring Internal Control Process Monitor Performance uInternal controls are effective if administrators believe: -They understand the extent to which the objectives of their operations are being achieved, -Financial statements are reliable, and -Laws and regulations are complied with. Internal Control Process Monitor Performance Monitoring Activities Include: uManagerial and supervisory monitoring uSelf-assessments uInternal audits Effectively Controlling Risk Self-Assessment What is a self-assessment? uA self-assessment is a “self- audit” of a departments internal control components performed on a periodic basis. Effectively Controlling Risk Performing a Self-Assessment Steps in performing a self-assessment include: Evaluating your strengths and deficiencies Testing the strengths Documenting tests Disclosing weaknesses Developing an action plan to correct problems Summarizing and documenting results Effectively Controlling Risk Performing a Self-Assessment What is a weakness? uA material weakness is an internal control shortcoming which increases the risk of irregularities, illegal acts, errors, waste, ineffectiveness, or conflicts of interest above a REASONABLE level. Effectively Controlling Risk Summary What does all this have to do with me? uInternal control effectiveness is primarily determined by the knowledge and commitment of ALL UT Southwestern employees. uBy knowing the internal control policies and procedures and complying with all laws and regulations, YOU can help the medical center achieve its goals. uThis training is an internal control activity! Effectively Controlling Risk Where can I learn more? uUT Southwestern Internal Audit Department. uAsk your supervisor or a UT Southwestern Institutional Compliance Committee member. Test Your Knowledge Following are several questions to test your knowledge of the information presented. Answer all questions correctly to receive credit for the training. Question #1 The major problem which caused recent frauds at other Texas institutions was weak internal controls? TRUETRUEFALSEFALSE Sorry, the correct answer is . uHighly publicized frauds at other public institutions have caused concerns among UT System and component administrators. uWhat was determined to be the problem? WEAK INTERNAL CONTROLS Question #1 The major problem which caused recent frauds at other Texas institutions was weak internal controls? TRUETRUEFALSEFALSE Question #2 Which of the following are components of the internal control process? ESTABLISHING A CONTROLESTABLISHING A CONTROL ENVIRONMENTENVIRONMENT PERFORMING A RISKPERFORMING A RISK ASSESSMENTASSESSMENT BOTH OF THE ABOVEBOTH OF THE ABOVE Sorry, the correct answer is . 5 Components Establish Control Environment Perform Risk Assessment Implement Control Activities Communicate Information Monitor Performance Question #2 Which of the following are components of the internal control process? ESTABLISHING A CONTROLESTABLISHING A CONTROL ENVIRONMENTENVIRONMENT PERFORMING A RISKPERFORMING A RISK ASSESSMENTASSESSMENT BOTH OF THE ABOVEBOTH OF THE ABOVE Question #3 With internal controls, RISK includes the possibility that our organization will NOT achieve its goals and protect itself from loss? TRUETRUEFALSEFALSE Sorry, the correct answer is . With internal controls, RISK is . . . uThe possibility that the organization will NOT: Achieve its goals Operate effectively and efficiently Protect itself from loss Provide reliable financial data (reports) Comply with applicable laws, regulations, policies, and procedures Question #3 With internal controls, RISK includes the possibility that our organization will NOT achieve its goals and protect itself from loss? TRUETRUEFALSEFALSE Question #4 Control Activities should be . . . RESTRICTIONS ON ANRESTRICTIONS ON AN EMPLOYEES AUTHORITYEMPLOYEES AUTHORITY PROACTIVE, VALUE-ADDED,PROACTIVE, VALUE-ADDED, AND COST-EFFECTIVEAND COST-EFFECTIVE BOTH OF THE ABOVEBOTH OF THE ABOVE uControl activities are the policies and procedures that help ensure that actions identified as necessary to manage risks are carried out properly and in a timely manner. uControl activities should be proactive, value-added, and cost effective. Sorry, the correct answer is Question #4 Control Activities should be . . . RESTRICTIONS ON ANRESTRICTIONS ON AN EMPLOYEES AUTHORITYEMPLOYEES AUTHORITY PROACTIVE, VALUE-ADDED,PROACTIVE, VALUE-ADDED, AND COST-EFFECTIVEAND COST-EFFECTIVE BOTH OF THE ABOVEBOTH OF THE ABOVE Question #5 Some examples of control activities at UT Southwestern include reconciliations and having written policies and procedures? TRUETRUEFALSEFALSE The correct answer is . Examples of Control Activities at UT Southwestern: uApprovals, authorizations, and verifications Having written policies and procedures and limits to authority uReconciliations Explanations of the difference between two sets of data AND taking corrective action Question #5 Some examples of control activities at UT Southwestern include reconciliations and having written policies and procedures? TRUETRUEFALSEFALSE Question #6 Which of the following is relevant information for UT Southwestern employees? JOB RESPONSIBILITIESJOB RESPONSIBILITIES POLICIES AND PROCEDURESPOLICIES AND PROCEDURES CUSTOMER FEEDBACKCUSTOMER FEEDBACK ALL OF THE ABOVEALL OF THE ABOVE Sorry, the correct answer is . What information is relevant and reliable? uJob responsibilities uGoals and objectives uInformation to assess risks uPolicies and procedures uLaws and regulations uPerformance indicators uCustomer feedback uPerformance evaluations Question #6 Which of the following is relevant information for UT Southwestern employees? JOB RESPONSIBILITIESJOB RESPONSIBILITIES POLIC