Risk Assessment and Control Activities Worksheet
Revised 3/03/2014State of Michigan
Evaluation of the Internal Control
Risks, Control Activities, and Monitoring Components (RCAM)
As of October 1, ______
Description of Department Activity ______
Column 1 / Column 2 / Col 3 / Col 4 / Column 5 / Column 6 / Column 7Objective / Risks / Severity / Frequency / Control Activities / Actual Monitoring / Conclusion
What is the program or unit trying to achieve?
/ What events could prevent us from achieving our objectives (cause)?
AND/OR
What negative outputs or outcomes would result if we don’t meet our objectives (effect)? / What would the impact be and how often could the event occur ifno controls existed to stop it?
HI MED LO
SeverityFreq. / What we do(policies and procedures) to prevent the risks in column #2 from happening, to help achieve the objectives in column #1? / What we did to ensure that the control activities in column /#5 are working effectively? / Do the monitoring results indicate that the control activities in place are sufficient to mitigate the risks so that we feel confident that the objective will be met? If not, what changes are necessary?
1. / Risks should be numbered to correspond with the objective they relate to. For example:
1.1:
1.2:
1.3: / Number control activities to correspond with the risk(s) they relate to. For example:
1.1:
1.1:
1.2:
1.3: / Number actual monitoring activities to correspond with the control activities, risks, and objectives they relate to. For example:
1.1:
1.1:
1.1:
1.2:
1.3:
2. / 2.1 / 2.1 / 2.1
3. / 3.1 / 3.1 / 3.1
4. / 4.1 / 4.1 / 4.1
5. / 5.1 / 5.1 / 5.1
6. / 6.1 / 6.1 / 6.1
ACTIVITY LEVEL OBJECTIVES - Overall Conclusion/Control System Weaknesses
ICE Material Weakness Summary Information:
ICE Material Weakness(es): / Indicate if from a prior ICE evaluation or the current. If from prior, also enter the date. / Control and monitoring activities that address the weakness. Indicate which row number(s) from above document the corrective actions taken to mitigate the weakness. If corrective action plan has not been implemented, indicate “Corrective Action Not taken”, identify the row number the weakness relates to, and the anticipated date of corrective action.Weaknesses from OAG, OIAS, and Other Audits:
OAG, OIAS, and Other Audit Findings. Identify the audit entity, report title, and finding title. / Identify date of audit report. / Control and monitoring activities that address the weakness. Indicate which row number(s) from above document the corrective actions taken to mitigate the weakness. If corrective action plan has not been implemented, indicate “Corrective Action Not taken”, identify the row number the weakness relates to, and the anticipated date of corrective action.Third-Party Service Organization (TPSO) Information (Part VII, Chapter 1, Section 1000 of FMG): (control activities, monitoring, and conclusions identified are incorporated above and/or on a separate form):
TPSOs materially impacting this accessible unit’s operating, reporting, or compliance objectives.I certify that this evaluation of the Risks, Control Activities, and the Monitoringcomponent as of October 1, ____has been conducted in accordance with guidance established by the State Budget Office, Office of Internal Audit Services, and I concur with the conclusions documented above as a result of this evaluation.
______
PreparerDate
ICO’s Initials______Date______
I certify that I have reviewed this worksheet and agree with the conclusions OR I disagree with the conclusions for the followingreasons:______
______
Page 1 of 3