Auditing and Advisory Services

Risk Management

Risk Management and Internal Control questions:

What is Risk?

Risk is anything that could jeopardize the achievement of an objective.  Risk can pertain to internal or external factors.  External factors can include, but are not limited to, economic changes, new or revised laws and regulations, technological developments, and social changes.  Internal factors can include changes in personnel, new information systems, and reorganizations.

Can risk be prevented?

Good internal controls can effectively minimize, and often even prevent, risks.  Generally speaking, a control is any action taken to enhance the likelihood that established objectives and goals will be achieved.

What are controls?

There are two types of controls:

  • Preventative Controls - are designed to discourage errors or irregularities from occurring.  Example: Processing vouchers only after signatures have been obtained from appropriate personnel.
  • Detective Controls - are designed to find errors or irregularities after they have occurred. Example: Reviewing departmental phone bills for personal calls.

In the UTHealth environment, internal controls serve the same purpose:

  • Protect the University's assets
  • Ensure that records are accurate
  • Promote operational efficiency
  • Encourage adherence to laws, policies, and regulations

Who is responsible for internal controls?

Ultimately, it is UTHealth management's responsibility to ensure that appropriate controls are in place. That responsibility is delegated to each area of operation. Every employee has some responsibility for making this internal control system function. Therefore, all UTHealth employees need to be aware of the concept and purpose of internal controls.  Control, then, is the result of proper planning, organizing, and directing by management.

How can management determine what controls are necessary?

Management should identify and analyze the risks for each key accountability area and then consider what steps are needed to mitigate or limit high risks.  This process is called risk assessment.  When assessing risk in their area of operation, management can refer to the A&AS-prepared example risk assessment matrix for UTHealth's key accountability areas and the related good business practice criteria.  However, this matrix should not be considered all-encompassing or exhaustive, either in relation to the accountability areas or the criteria.  Management should always take into consideration the situations or risks particular to their specific areas of operation, e.g., compliance with an applicable federal or state law or internal policy.

Because the business environment continuously changes, management should perform an ongoing assessment of risks and their impact on existing internal controls.

What is internal audit's function in relation to internal controls?

Internal auditing is an independent appraisal function established within an organization to examine and evaluate the adequacy and effectiveness of the organization's internal control system and its overall quality of performance. Internal auditing furnishes top management with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed.