Sie sind auf Seite 1von 17


Risk Services



In Development

7. Develop
control test
WORK STEP: 1. Identify the in-scope processes
2. Document each process
3. Identify objectives and risks,
4. Identify
and assess
the controls
the risks&
5. perform
a controls
which ofgap
6. analysis
are "significant"
for the significant controls
and carry out

Listing of in- 7. Monitoring

scope processes Process Risk Assessment Risk–Control Listing of Control plan, Test of
DELIVERABLE(S): and sub- narratives and Matrix (RAM) Matrix (RCM) significant templates Control (TOC)
processes maps controls scripts,
completed TOCs

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Dashboard


Using the Toolkit

This toolkit provides the overall process, work steps, work templates, and
examples to help you (a) identify the risks inherent in a process or project, (b)
assess those risks and rank them by severity, (c) identify the controls that mitigate
Toolkit Overview: the risks, and (d) determine if the controls are adequately mitigating the risks.

Depending on your project and where you are with it, this tool can help you to
carry out all or just some of these activities.

The main page for the toolkit is the dashboard, which provides an overview of
the process, and contains hyperlinks to worksheets for each of the seven work
steps that make up the process.

By clicking on a dashboard work step, the user is taken to a worksheet for that
Toolkit Functionality:
step. All the worksheets are organized in the same way, containing the same
resources for carrying out that step.

The resources for each work step include statements describing the purpose of
the work step and its outcomes, a listing of the specific tasks that must be carried
out to complete the work step, tips, templates that can be downloaded and filled
out, and examples of completed templates.

You may need to zoom in or out in your version of Excel to optimize the view of
each worksheet.

You may need to scroll p or down to see all the content available for that page.
Navigation Tips:
Advanced Excel users: Although the formula bar, headings, and gridlines are not
shown, and each sheet is "locked," there is no password to unlock each sheet; so
if you feel you need to adjust a setting to improve your interaction with the
toolkit, you are able to do so.

To report any functionality issues with the toolkit, please contact:

Hans Gude—Director, Enterprise Risk Services
Office of Ethics, Risk, and Compliance Services 510.643.3812
Vr. 12.21.12

Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Dashboard
Work Step:
1. Identify the In-Scope Processes
Purpose: To categorize and group the activities the organization carries out, and
to clarify and articulate which processes will be assessed.

Output / Deliverable(s): A listing of in-scope processes and sub-processes.

1a. Identify the major process(es) to be assessed.

Principal Tasks: 1b. Identify the sub-processes to be assessed.
1c. Document the processes identified.
enterprisewide to a small department.
Tips! >Do some research, as appropriate, to see if your organization has
already defined its major processes.
Document Link
Template(s): <None--See examples> <None>

Document Link
Sample process categories and sub-categories Link
Guidance & Example(s):
Sample business process listing--financial reporting
focus Link

Word or Concept Definition

Definition(s): Business process Wikipedia link

Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Work Step 1


Examples of Process Categories Examples of Process Sub-Categories
Buy to Pay

Financial Reporting Financial Close

Payroll Processing

Hire to Retire

Human Resources Rewards and Recognition

Employee Development

End-User Device Support

Information Technology Device Procurement and Provisioning

Physical and Logical Security

Proposal Development and Submittal

Research Administration Award Setup

Award Closeout

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Dashboard


Work Step:
2. Document Each Process

To understand the principal steps / activities involved in a process, and

Purpose: to document them in order to have a baseline for identifying the
processes' control activities.

Output / Deliverable(s): Process narratives and maps

2a. Obtain all available information about how each process is carried
out; follow up with interviews as necessary. If the process is
transactional, then one technique is to take a single transaction and
"walk it through" (perform a walk-through of) each step, documenting
the step as you go.

Principal Tasks: 2b. Write up the process in narrative (paragraph) form. Provide the
draft to knowledgeable people for review and comment. Finalize

2c. Develop the process map(s)--a.k.a., work-flow diagrams. Provide the

draft to knowledgeable people for review and comment. Finalize
process map(s).

>The two documents (narrative and process maps) support each other's
development. So it may be more efficient to develop one, then use it as
a basis to develop the other.
>Before beginning interviews, search websites for descriptions of what
the entity does.
>Ask for existing documents that describe the entity's activities.
Tips! >Obtain the entity's organization chart, which is often a good indication
of how the entity defines the various activities it carries out.
>Determine if there have been internal audit reports related to the
entity; these can be a good source of background information.
>With regard to existing process descriptions, be aware that what is
documented may not be what is actually done. Validate this during

Document Link
Template(s): Process narrative (MS Word) Link
<<Process map: See examples>> <None>

Document Link
Process narrative, student fin. aid Link
Guidance & Example(s): Process narrative, treasury Link
Process map, CSS IT Link
Process map, AREC Link

Word or Concept Definition

Definitions: <None>
Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Dashboard


Work Step: 3. Identify Objectives and Risks, and Assess the

To understand why the process is carried out (its objectives), the risks to
Purpose: achieving the objectives, and the controls currently in place that
mitigate the risks.

Output / Deliverable(s): Risk Assessment Matrix (RAM)

3a. Identify the entity's objectives. As appropriate, organize them into

strategic, operations, financial, and compliance objectives. These
categories overlap, so that a particular objective might fall into more
than one category.

3a(1). <Optional> For each objective, list several activities the

entity carries out that help it to achieve the objectives.

3b. Identify the risks to achieving the objectives.

Principal Tasks:
3b(1). <Optional> For each risk, identify its consequences.
Consequences can be the same for two or more risks.

3c. Assess the likelihood and impact of each risk, or group of risks (you
may choose to assess risks as a group (by objective), or separate out
each risk; this choice depends on whether the risks vary broadly in their

3d. Multiply the likelihood and impact scores to achieve the risk severity

Identifying objectives:
>Department or initiative websites often contain objectives in the form
of mission, vision, and values statements.
>Also look for strategic and operations plans as a source of objectives.
>Service-level agreements (SLAs) are good sources of operational

Identifying risks:Click here for different techniques used to identify risks.


Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

How to write a risk statement:

Tips! >Risks are events that MIGHT occur; as a result, risk statements should
contain one of the following words: could, might, may.
>Remember, risks are the events that could hinder your ability to
achieve your objectives.
>Risk statements should be complete sentences that enable readers to
understand exactly what the risk is.
>Avoid single words or phrases that simply allude to a risk or that
require special knowledge or group membership to understand.

How to identify and assess the risks:

1. Assemble a group of cross-functional or multi-level individuals to
draw on the group's collective knowledge.
2. As an alternate first step, work with one or two people with deep
understanding of the entity to take a first cut, then share the results
with the larger group to validate results.

Document Link
Risk assessment matrix (MS Word) Link
Risk assessment scale--5 levels by category (Excel) Link

Risk assessment scale--4 levels simplified (jpg) Link

Document Link
Guidance & Example(s): Sample objective statements Link
Sample risk and consequences statements Link

Risk consequences:
>For each risk, if you asked the question, "So what?", the answer gets
you to the consequences of that risk.

>You will find that consequences can often be repeated for (be common
to) a number of your risk statements.
>There will often be more than one consequence per risk.
>Having a concrete list of consequences helps to clarify the potential
impact (severity) of the risk once you move on to the risk assessment

An entity’s objectives are defined under four categories:

Strategic–high-level goals, aligned with and supporting its mission.

Definitions: Operations–effective and efficient use of its resources.

Financial reporting–reliability of financial reporting.

Compliance–compliance with applicable laws and regulations.

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

The possibility that an event will occur that will adversely affect the
achievement of objectives.

Risk severity:
>The combination of a risk's likelihood of occurring and its impact if it
does occur.
>Usually severity is the product (multiplication) of the risk's numerical
likelihood and impact scores.

>When using a 1–5 scale, the severity range of a risk is 1 (lowest risk,
1x1) to 25 (highest risk, 5x5).

Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Work Step 3

All categories of compensation that should be reported are reported
All compensation reported is accurate
All employees who should be included in the AREC report are
included, and only those who should be included are included
All expenses charged to the UCB ghost card are valid and authorized
All travel vouchers are input and processed accurately and timely
Campus security and privacy requirements are met
Centers must meet the operational needs of users and be
accountable to users
Conform with the allowability of costs provisions of A-21, or
limitations in the program agreement, program regulations, or
program statute
Costs are given consistent accounting treatment within and
between accounting periods
Costs are reasonable and necessary for the performance and
administration of federal awards
Employee compensation and benefits are accurate
Information in the SLIS accurately reflects the UC Berkeley covered
Information in the SLIS is up to date
Information submitted to UCOP is properly authorized
IT investments are aligned with the campus’s IT standards
Personnel records are accurate and complete
Quality of service to the user must be equal to, if not better than,
services available now
Shared Service Centers must be large enough to achieve economies
of scale
Significant financial savings for the campus must result
Staff are hired possessing the skills appropriate to the position
Technology support services are delivered timely and effectively
Travel vouchers are properly approved

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Work Step 3


Sample Objective Sample Risk Statements Sample Consequences

• Public health impacts (acute and chronic).

Pollutants (chemical, radiological, biological) could • Agency fines.
Prevent environmental contamination. be released to the atmosphere.
• Bad public relations.

• Injury/death.
One or more persons could become ill through • Bad public relations.
Prevent food-borne illness. • Damage to reputation.
consumption of contaminated food. • Lawsuits.
• Loss of revenue.

• Staff, faculty, student injury/death.

• Loss of research funding
All or part of the body could be exposed to • State fines.
Prevent laboratory injuries. chemical(s). • Bad public relations.
• Damage to campus facility.
• Temporary loss of campus space.

• Change in accreditation status

Maintain industry / UCB standards for Protected information may be inappropriately • Subject to review by external agencies
system and network security. accessed and released. • 3rd party actions
• State and federal fines for privacy violations

Ensure that gifts are processed

accurately and timely and confirm that Funds may be improperly used due to fund terms • Need to refund money.
fund terms have been accurately being inaccurate or incomplete. • Loss of trust.
recorded in the Berkeley Financial • Loss of future donations.

Address disability needs of staff who Requested accommodation may be inappropriately

request accommodations. addressed. • Litigation
• Complaints
• Possible corrective action

• Recovery of damages (back pay,

Ensure program services, data capture reinstatement of position, etc)
activities and reporting activities Medical treatment and benefits may not be • Loss of self-insurance status
comply with UC policy and federal / appropriately provided to employees.
state disability laws. • Fines (specific to unlimited, e.g. under ADA)
• 3rd party actions

Provide entertainment expense Employees could submit expense reimbursement Customers could violate a policy, resulting in
reimbursement policy guidance and
interpretation. requests for unallowable expenses. payment to them of ineligible expenses.

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Work Step 3


Source: ERM for Dummies, Vance and Makomaski, Wiley Publishing, 2007
Approach Summary How Done Downside

>Could overlook risks not uncovered

through an objective, like external
“What risks or events could cause
Objectives-Oriented Approach Starts from the perspective of the events not normally thought of as
the organization to not meet its
organization’s objectives. tied to objectives.
<<RECOMMENDED>> goals and objectives?” >Have you got the right objectives?
>Have you got ANY objectives?

Focus on the risks themselves. You

want people to speculate about “What are the most important risks What risks didn’t the group think of,
Risk-Oriented Approach what events or uncertainties might you believe your organization perhaps because not all the “right”
cause the organization unacceptable faces?” people were in the room?
levels of disruption.

Focus on risks that have a bearing Numbers driven. Appropriate for Could miss big natural or
Metric-Oriented Approach on organization’s key metrics (KPIs / organizations focused on financial operational risks.
SLAs) performance metrics.

Departs from the “negatives”

approach to risk identification. Start
thinking about what life like in a “If we could eliminate any risks we Be cautious not to lose sight of
risk-free universe.
Opportunity-Oriented wanted to, what opportunities could organizational priorities and
Approach we take that would make us even
This approach is a good way to objectives.
more successful?”
identify areas where risk
management can help remove
barriers to value creation.

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Dashboard


Work Step: 4. Identify the Controls & Perform a Controls Gap

To identify the current set of controls, and to determine if the current

set of controls is adequate to mitigate the identified risks (whether
Purpose: there are any "gaps" in control coverage). Also, to determine if any of
the existing controls might be unnecessary.

Output / Deliverable(s): Risk–Control Matrix (RCM)

4a. Identify and describe the entity's controls (see "Tips" and
"Definitions" below for guidance on to how to spot controls).
>If a process narrative was developed, read through the narrative and
highlight (bold) any control statements.
>Similarly, if process maps were developed, identify points along the
work flow where controls occur.
>Synch up controls on narratives and process maps.
>Process narratives and maps reflect each other, so it may be most
efficient to identify controls on one, then transfer those to the other. It
may be appropriate that there is not a complete match of controls to
both documents, given potentially different levels of information
>Give each control a unique number (the numbering method is not
important at this stage).

4b. Develop the risk–control matrix (RCM) and Do a Gap Analysis.

>Down the left-hand column place the controls you have identified (as
best as you can, place them in chronological order).
>Complete all attributes for each control, including where it is
performed, whether it is automated or manual, and whether it is
preventive or detective.
Principal Tasks: >Across the top of the RCM, place the risks you have identified. For
each risk, indicate its risk severity from the earlier risk assessment.

4b(1). For each intersection of a risk and a control, determine if the

control contributes to mitigatigating the risk, even just a little. If it does,
put an X in the cell; if not, leave the cell blank.

b(2). Once the RCM is completed, for each risk at the top of the RCM,
look down its column and review the controls coverage for that risk.
Based on the number and type of controls, make a determination as to
whether the risk is adequately mitigated. (Key presumption: the
controls are designed and operating effectively.)

b(3). For each control, look across the row at how many risks it helps to
mitigate, and assess whether it may be unnecessary (a control that does
not mitigate any of the risks may be unnecessary).

b(4). Make a final determination as to whether there are any control

gaps or control redundancies. If there are gaps, determine the
response: add a new control, accept the risk, etc.

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

>For guidance in thinking about what are the controls in your process,
remember that based on the COSO definition of internal control (see
below), a control is a "process," so it is not necessarily a single activity
but a series of activities, or process steps. (However, limit your control
statements to a few sentences; avoid highlighting an entire paragraph
and calling it the control; it may need to be separated into several
>Also, before identifying controls, review the links below to "COSO
control components" and "control categories." These will help you spot
>Finally, because controls are those activities that help you to achieve
Tips! your objectives (or mitigate the risks to achieving your objectives), when
reviewing your written process narratives to spot and call out control
activities, think about whether the sub-section of your process narrative
helps to achieve one or more objectives; if yes, then it may be a control
>Bear in mind that when a control is tested as part of routine
monitoring to determine if it is working as designed, if one part of the
control design fails in the test, then the whole control fails. As a result,
when identifying control statements, you may not want to pack too
much into a single control, but rather break it out into two or more
separate controls.


>The determination of how adequate the control coverage is against a
specific risk cannot typically be quantified, but must rather be
Tips! determined through discussion and judgement.
>The determination about control adequacy should take into
consideration the severity of the risk and whether the risk is mitigated
by an appropriate combination of preventive and detective controls and
manual and automated controls.

Document Link
Template(s): Risk–control matrix (Excel) Link
Controls inventory Link

Document Link
Mapping controls to a process map (example 1) Link
Mapping controls to a process map (example 2) Link
COSO control components Link
Guidance & Example(s): Control categories Link
Sample control statements Link
RCM--objectives driven (ITGCCs) Link
RCM--objectives driven (AREC) Link
RCM--simplified risk driven (travel) Link

Internal control (controls):

Official COSO definition: "A process, effected by an entity's board of
directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the
Definition(s): following categories:

>"Effectiveness and efficiency of operations,

>"Reliability of financial reporting, and
>"Compliance with applicable laws and regulations."

Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Work Step 4

Note: These examples are
for illustration purposes only, The SMG coordinator notifies Payroll via email that a new AREC-reportable employee
intended to show the has been hired.
composition of a control
statement, and are not
intended to reflect actual Athletics reconciles the list of names provided by the SMG coordinator from the SLIS to
control activities. the tracking spreadsheet that Athletics has been updating throughout the calendar
year. Differences are followed up on, and updates are provided as appropriate to
Comments: Control Payroll and the SMG coordinator for corrections to SLIS.
"statements" are a summary
of the control, usually from
one sentence to a short
paragraph in length, and are
intended for use in After all certifications are received and the SLIS is up to date, the SMG coordinator
conducting the contols gap prints out from SLIS the campus’s report, reviews it, and signs it. The chancellor
analysis. The control reviews the UC Berkeley data and certifies with his signature that the population
template will contain all the contained in the report is accurate and complete before it is sent to UCOP.
information about the

The control statement should Reconciliations between the Student Aid Management System (SAMS), Campus
indicate who performs the Accounts Receivable System (CARS), and the general ledger are performed monthly by
control. the Financial Aid Office’s (FASO’s) Fiscal Management Unit. These reconciliations are
prepared by the assistant director of fiscal management and reviewed by the associate
Control frequency does not director.
need to be indicated in the
control statement; that will
be identified in the risk- All checks and EFTs greater than or equal to $100,000 require an additional manual
control matrix and control signature.

The invoicing and receivable system is reconciled to related accounts receivable

accounts. Reconciliations are prepared by an accounts receivable analyst and
reviewed by the director.

All vouchers (except credits) are approved online in BFS by the department approver
before payments are issued to the vendor.

The PI reviews and approves subrecipient invoices to ensure the items requested for
payment relate to an activity that is allowed per the grant agreement (and that the
requested payments are proper given the status of technical deliverables).

The RA reviews the detailed payroll expenses each month for general propriety and to
validate the accuracy of the charges, including the accuracy of employee names and
pay rates, and for possible other key entry errors.

Deficit fund balances (where actual expenses exceed budget) are swept monthly to
discretionary department funds.

IT management meets periodically to conduct strategic planning, address issues, and

monitor controls.

IT roles and responsibilities are defined, reviewed on a periodic basis, and

communicated to staff.

Management understands and provides oversight to ensure that separation of duties

is in place between critical functions.

IST maintains policies and procedures that address program development, changes,
security, and operations. These policies and procedures are guided by the governance
and oversight of the UC Office of the President.

Management understands and provides oversight to ensure that program

maintenance and program development activities are controlled.

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

IT management tracks, responds to, and ensures appropriate resolution to incidents

that reflect possible control issues, such as significant security breaches or data
corruption problems.

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Dashboard


Work Step: 5. Determine Which of the Controls are
"Significant" Controls

To identify the significant controls that are relied upon to achieve the
Purpose: control objectives, and that (because they are significant) are the ones
that will be documented and routinely tested to ensure they are
operating effectively.

Output / Deliverable(s): A listing of the significant controls for each process.

5a. Identify the significant controls.

Principal Tasks:
5b. Document the significant controls identified.

If you completed a risk-control matrix in work step 4, controls that

Tips! mitigate a lot of the risks (support a lot of the objectives) may be

Document Link
Template(s): Controls Inventory Link

Document Link

Guidance & Example(s): List of significant controls (1) Link

List of significant controls (2) Link

Word or Concept Definition

Significant control
A control that, if other controls fail, provides reasonable assurance that
objectives will still be achieved in the following categories:

>Effectiveness and efficiency of operations,

Definition(s): >Reliability of financial reporting, and
>Compliance with applicable laws and regulations.

Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley
Risk Services

Return to Dashboard


Work Step: 6. Develop Detailed Procedures for the Significant

To document the design of each control so it is clear how the control is

to be performed--who does it, how often, and using what reports. The
Purpose: control template acts as a procedure document, and also serves as a
guide for how to test the control during the monitoring phase.

Output / Deliverable(s): Control Template

6a. Based on any existing control descriptions and (as needed) on

interviews with the people carrying out the control, fill out the control
template. Modify the template as appropriate to add pertinent
Principal Tasks:
6b. Distribute the draft control template for review and comment.

6c. Finalize the control template, and obtain sign-off from the
appropriate manager(s).

>When documenting the control, be clear and precise: err on the side
of giving more information rather than less.
>The description of each control step should begin with a verb:
"Review," "Compare," "Send," "Monitor," etc.
>Exercise good version control.
Tips! >Update control templates whenever there is a change in the control
procedure; review them at least annually.
>Archive the control templates in such a way that they are accessible to
the control performers, and so that there is no confusion about which
version is current.

Document Link
Control template (MS Word) Link

Document Link
Control template, asset reconciliation Link
Guidance & Example(s):
Control template, revenue–gifts Link
Control template, IT general computer controls Link

Word or Concept Definition

Definitions: <None>
Return to Dashboard

Office of Ethics, Risk, and Compliance Services

UC Berkeley