Published by Norah Lawrence. Modified over 9 years ago.
1
PUBLIC SECTOR Internal Controls Over Financial Reporting (ICOFR) Management’s Assertions Central PA Chapter of the AGA February 9, 2011 ADVISORY
2
Contents
• Background
• Federal Managers’ Financial Integrity Act (FMFIA) of 1982
• Office of Management and Budget (OMB) Circular No. A-123
  - Significant Revisions
  - Management Responsibilities
• Government Accountability Office’s (GAO’s) Green Book
• Integrate Compliance into the Internal Control Framework
• Annual Assurance Statement
• Appendix A, Internal Control Over Financial Reporting (ICOFR)
• Sample Assurance Statement on ICOFR
• Additional Resources
3
Internal Controls Over Financial Reporting (ICOFR)
“Government should lead by example. We should be as good or better than those we are regulating.” David Walker, Comptroller General to Congress CFO Magazine, June 2003
4
BACKGROUND - Overview
• In 2002, Congress passed the Sarbanes-Oxley Act (SOX) in response to improper financial reporting issues by a number of publicly traded companies in the United States (Enron/WorldCom).
• Among other things, the Act requires publicly traded companies to receive an opinion from independent auditors on their internal controls as they relate to financial reporting.
• Although SOX requirements DID NOT apply to the federal government, the Office of Management and Budget (OMB) revised OMB Circular A-123 in 2004, adding Appendix A, which required the implementation of ICOFR.
• Appendix A requires the 24 agencies covered by the Chief Financial Officers Act of 1990 to conduct internal control reviews over their financial reporting processes:
  - New internal control review process stipulated
  - New Statement of Assurance
5
Internal Controls: An Evolution
[Timeline figure. Entries: FDICIA 1991; Sarbanes-Oxley 2002; Budget and Accounting Procedures Act of 1950; IG Act 1978; FMFIA 1982; CFO Act 1990; FFMIA 1996; FISMA 2002; OMB A-123 1981; OMB Q&A 1984; OMB A-123 1995; OMB A-123 2004; GAO Green Book 1983; GAO Green Book 1999. Legend: Federal Acts; Guidance; Standards; Non Federal; Superseded]

• Federal Managers Financial Integrity Act (FMFIA) is the statutory requirement. Replaced the Budget & Accounting Act.
• OMB to issue guidelines for implementing the requirements of FMFIA. OMB Circular A-123 originally issued in 1981, revised in 1995 and 2004.

Background and lessons learned - GAO cited the following areas for improvement in agencies’ efforts:
• Inadequate training and guidance. (1984 report)
• The importance of a positive attitude and a mind-set to hold managers accountable for results. (1984 report)
• The need for more internal control testing. (1984 report)
• The need to reduce the paperwork associated with agency assessment efforts. Agencies had devoted considerable resources to the assessment, but management did not feel this effort provided much reliable and useful information. (1985 report)
• Planned corrective actions had not been implemented as envisioned, or were not effective. (1987 report)
• Corrective measures had not completely corrected the identified weakness. (1987 report)
• Actions to resolve weaknesses had been delayed, in some cases for years. (1987 report)

Why was A-123 modified?
By reflecting on FMFIA lessons learned and leveraging Sarbanes-Oxley practices, OMB A-123 was modified to strengthen internal control / accountability by:
• Adding rigor to the existing process for conducting management’s assessments of internal control over financial reporting (ICOFR)
• Emphasizing the need for agencies to integrate and coordinate their internal control assessments with other related assessment activities

GAO directed to establish the standards for internal control
• In 1983, GAO issued “Standards of Internal Control in the Federal Government” (also known as the “Green Book”)
• In 1999, revised these standards to reflect new internal control (model consistent with COSO)

• IG Act -
• CFO Act – Act to require financial statement audits
• FFMIA – Act to require compliance with the SGL, accounting FASAB, system requirements (including info security – OMB A-130)
• FISMA – Act to require annual security reviews (management and IG)
6
FMFIA of 1982
Internal accounting and administrative controls of each executive agency shall be established in accordance with standards prescribed by the Comptroller General, and shall provide reasonable assurances that:
• Obligations and costs are in compliance with applicable law;
• Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and
• Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets.
Annually, an agency head must evaluate and report on the control and financial systems that protect the integrity of federal programs.
7
OMB Circular No. A-123
Defines management’s responsibility for internal controls for federal agencies and government corporations.
Appendix A revision was influenced by the Sarbanes-Oxley Act of 2002 and was based on recommendations by a joint committee:
• Required for the 24 Chief Financial Officer (CFO) Act of 1990 agencies;
• Strengthen the requirements for conducting management’s assessments of ICOFR; and
• Emphasize the need for agencies to integrate and coordinate their internal control assessments with other related assessment activities.
Effective October 1, 2005, for federal fiscal year 2006.
8
OMB A-123: Revised Requirements (continued)
Additional Key Management Requirements (Appendix A):
• Management must provide a conclusion on the operating effectiveness of internal control over financial reporting using the framework provided by OMB Circular No. A-123 as of June 30 of each fiscal year
• Suggests establishing a senior management council and a senior assessment team, or body of similar construct
• Determine those financial reports that will be included in the agency’s assessment
• Identify significant accounts, classes of transactions, and business processes that support the agency’s financial reporting processes
• Assess the agency’s control environment, risk assessment, control activities, information and communication, and monitoring processes, as related to financial reporting
• Document the agency’s understanding of its financial reporting business processes
• Test a sample of controls to determine if the agency’s internal control over financial reporting is in place and operating effectively
• Maintain a corrective action plan to remediate control deficiencies
• Monitor the agency’s internal control over financial reporting through periodic testing of controls throughout the year

Notes to Instructors:
• Appendix A limited to the 24 CFO Agencies
• There is no audit requirement for most agencies at this time.
• While a SAT, per slide, is not required, it - or a body of similar construct - is strongly encouraged. Therefore, it should be recognized that subsequent references to responsibilities of the SAT could be applied to a body of similar construct.
• It is not clear whether the conclusion on ICOFR is a standalone statement or should be included as part of the overall annual assurance statement. Further discussion in the Reporting module.

Separately assess and document ICOFR consistent with Appendix A
• Scope – defines the boundaries of the assessment
• Assess – sets accountability and evaluates controls at the entity, process, transaction, or application level
• Document – defines the extent of documentation
• Report – defines the scope and timing of statement of assurance
• Correct – defines the expectations for correcting material weaknesses
9
Significant Revisions
• Mandates FMFIA annual assurance statement to be included within an agency’s Performance Accountability Report (PAR).
• Updates internal control standards and changes certain terminology.
• Integrates related statutes into an agency’s internal control framework.
• Establishes a Senior Management Council and Senior Assessment Team.
• Defines the type of ICOFR deficiencies.
• Requires management to document its assessment process and test of controls.
• Appendix A describes a high-level process to assess, document, and report.
• Does not require an audit opinion for internal controls.
10
Information and Communication
GAO’s Green Book
• Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed at both the entity and the activity level.
• Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people.
• Control Activities: These policies and procedures help ensure management directives are carried out.
• Information and Communication: Pertinent information must be identified, captured, and communicated in a form and time frame that supports all other control components.
• Monitoring: Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time.
11
Reduce Compliance Cost via Integration
The cost of compliance with controls initiatives (e.g., A-123, FISMA, etc.) is high. The commercial sector’s experience with Sarbanes-Oxley provides some perspective.
[Figure labels: FISMA, FFMIA, GPRA, IPIA, FMFIA, Single Audit Act, IG Act, Clinger Cohen, CFO Act; Average $ spent, Average time taken, Average FTE’s utilized; Planned $ to be spent, Planned time to execute, Planned resources]
Management can integrate multiple compliance initiatives into a single process, thereby fulfilling numerous regulatory requirements cost effectively.
Source: KPMG LLP (U.S.), 2005
12
Management’s Steps to Compliance
Documentation Deliverables

Plan and Scope the Evaluation:
• Scoping Document
• Assessment Process Documentation

Identify and Correct Deficiencies:
• Categorization of Deficiencies
• Corrective Action Plans
• Remediated Controls

Report on Internal Control:
• Assurance Letters
• Conclusion of Effectiveness
• FMFIA Annual Assurance Statement

Document Controls:
• Entity-level Framework
• Process-level Flowcharts and/or Narratives
• Internal Control Matrix: Objectives, Risks & Controls

Evaluate Design and Operating Effectiveness:
• Test approach and test plans
• Test Results
• Internal Control Matrix: Assessment of Design and Operating Effectiveness
• List of Design or Operating Deficiencies
13
Annual Statement of Assurance
FMFIA Annual Assurance Statement previously included:
• Section 2, Internal Controls Achieved Objectives; and
• Section 4, Conformance with System Requirements.
OMB Circular No. A-123 consolidates these statements of assurance:
• Overall adequacy and effectiveness of internal controls: financial, operational, and compliance;
• Each annual statement prepared pursuant to Section 4 shall include a separate report on whether the agency's accounting system conforms to the principles, standards, and related requirements prescribed by the Comptroller General; and
• Under the revised A-123, includes a Statement of Assurance on the ICOFR.
14
Appendix A - ICOFR Applies to all three internal control objectives:
• Operational;
• Financial (including the assessment of ICOFR); and
• Compliance.
OMB Circular No. A-123, Appendix A provides a methodology for agency management to assess, document, and report on their ICOFR.
15
Appendix A – ICOFR – Management’s Steps
1. Plan & Scope the Evaluation: Defines the boundaries of the assessment. Establish assessment process. Identify significant financial reports. Define materiality. Identify significant accounts, relevant financial report assertions, and major transaction cycles. Link the accounts and cycles.
2. Document Controls: Document and obtain an understanding of controls for all significant accounts, groups of accounts, and transactions.
3. Evaluate Design & Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting at the entity, process, transaction, or application level and document results of evaluation.
4. Identify & Correct Deficiencies: Identify, accumulate and evaluate design and operating control deficiencies; communicate findings and correct deficiencies.
5. Report on Internal Control: Prepare management’s written assurance on the effectiveness of internal control over financial reporting.
6. Independent Audit of Internal Control: If required, prepare for independent auditor to conduct the internal control audit and attestation on management’s assertion. Under the Circular, this step is optional.

Provide a high level overview of each phase and the expected outputs. Process is not sequential.
16
Appendix A – ICOFR - Scope
Objectives of ICOFR
Should provide reasonable assurance to enable management to make the following assertions:
• Existence and occurrence;
• Completeness;
• Rights and obligations;
• Valuation;
• Presentation and disclosure;
• Compliance;
• Assets are safeguarded against fraud and abuse; and
• Documentation for internal control, all transactions, and other significant events is readily available for examination.

Definition of Financial Reporting
An agency needs to determine the scope of financial.
17
Current Chatter: Loud and Confusing
[Diagram labels: Growing (Unfunded) Costs; Software Provider Claims; Media; Additional Legislation; A-123 Requirements; Marketplace Perplexity; GAO and Congressional Concerns; Forums and Professional Associations; Consulting Firm Promises; More Accountability]

Market noise regarding A-123 is on the rise:
• Lack of “clear” guidance from regulators has increased the noise in the system, as agencies struggle to keep up with changing interpretations.
• requirements are on the horizon.
• GAO is encouraging the need for opinions on internal controls and claims the additional effort to do so would be minimal, thus contradicting the firms’ position on the level of effort needed to perform an opinion.
• President, Congress, taxpayers want more accountability, but at what cost?
• The media and government community has drawn significant attention.
• Software firms claim “silver bullets”.
• Costs are on the rise with new requirements that are unfunded. Program managers are expected to do more with less with little visibility to longer-term investment implications. In fact, cost concerns are a primary driver of current planning efforts.
18
Challenges Today, agency managers face three major challenges:
• Compliance with laws and requirements
• Minimize the cost of compliance by integrating related internal controls
• Reduce the overall cost of controls and transform operations to improve mission effectiveness
These challenges also present opportunities to:
19
Risk and Internal Controls
Objectives Risk Measuring Risk Risk and Internal Control Self Assessment
20
Internal Controls Lessons Learned
• Expensive and chaotic to change controls or systems
• Realization that requirements are permanent
• Surprising degree to which information technology contributes to all operations and financial processes
• Better understanding and analysis of monitoring controls and what controls can do for you
• Need to embed internal controls within programs and operations
• Re-implementation of basic controls
• “Over-identified” key controls

Sarbanes-Oxley Act (SOx)
• The Private-Sector counterpart to A-123
• Publicly-traded companies must evaluate and disclose the effectiveness of their ICOFR
• Certification of financial reports by CEOs and CFOs
• 2004 was first year of implementation

Experiences with SOx compliance
• Realization that SOx requirements are permanent [2]
  - Hard lesson: cannot see SOx as only a one-time effort
  - Need for ongoing SOx compliance planning, resource allocation
  - Corporations now taking SOx seriously, seeking ways to benefit
• Need for compliance “steering committee” [1]
  - Multidisciplinary effort for quick resolution of issues
  - Creates accountability for compliance
• Creation of a “Chief Internal Control Officer” [2]
  - Done by some companies; delegation of SOX compliance duties
  - Permits chief audit executives to focus on primary responsibilities
• Surprising degree to which information technology contributes to financial processes [1]
  - Understanding of risks associated with general computer controls [2]
  - Need to improve control and audit procedures to mitigate risks
• Better understanding and analysis of monitoring controls [2]
  - Monitoring is integral part of the ICOFR processes
• Re-implementation of basic controls [2]
  - Segregation of duties
  - Periodic account reconciliation
  - Basic authorization and access processes
• Companies “over-identified” key controls [3]
  - Need to better identify actual vs. perceived key controls [3]
  - Able to reduce the ICOFRs that require testing
21
Just Check the Box? Compliance
• Federal agencies are usually more willing to embrace new initiatives that address program improvement.
• However, new regulatory compliance initiatives are generally seen as “necessary evils” that distract an agency from its mission.
• Compliance with new regulations often degenerates into “check the box” exercises.
• Agencies miss out by just “checking the box”.
Compliance is an opportunity to transform and improve.
22
Driving Value From Compliance
The results of the analyses (top-down and bottom-up) will help agencies identify opportunities to:
• Improve the quality of controls and better manage risks
• Improve mission performance
• Reduce the ongoing cost of compliance over time
• Develop better operations insights
Applying the agency’s prioritization framework to those opportunities helps to identify priority initiatives for both immediate and future change – and make the business case for change.

Speaker’s Notes
The results of these analyses may help organizations identify opportunities to better manage risk and improve business performance – as well as reduce the cost of compliance over time. As a result of this effort to build on what the organization learned during initial compliance, the organization should be better able to create an implementation plan to address both short- and long-term priorities.
23
Deriving Value from Compliance
Agencies can build on the foundation of compliance to improve both controls and business processes. Over time, agencies can achieve both risk management and program improvement by transforming compliance initiatives into efficient and sustainable efforts that enable them to identify cost-saving opportunities and improve operations.

[Diagram labels: Comply; Integrate Compliance; Transform Operations; Realize Opportunities; Risk Management; Program Improvement]

• Managers need to recognize opportunities to manage risk and improve processes.
• Managers also need to consider the controls in light of mission evolution. Otherwise, existing controls may become irrelevant and their associated cost unnecessary, and new risks may arise that are not addressed by appropriate controls.
• Costs are likely to remain high at the outset of compliance activities, due to the creation of an overarching compliance function and the additional people, infrastructure and technology it would typically require.
• Costs are expected to drop as the process of sustaining compliance becomes more effective and efficiencies are realized over time.
24
Deriving Value from Compliance – Understanding the Controls Portfolio
A portfolio view helps managers understand the scope, magnitude, and impact of controls across their agency. Documenting and managing the controls portfolio enables managers to assess the quantity and quality of controls. The portfolio is mapped by attribute (automated or manual, detective or preventive) and analyzed to assess which controls need to evolve to support changes in agency programs.

[Diagram: Control Portfolio, with labels Automated, Manual, Preventive, Detective, Increased Risk and Cost, Lower Risk and Cost]

Manual controls
• Depend on adequate human resources and human performance – carrying a greater risk of failure
• Tend to drive the cost of control upward

Automated controls
• Can help reduce costs, better manage risk, and provide more predictive insights into program performance.
• Often embedded in software programs to prevent or detect data anomalies and enforce control objectives.
• Examples: balancing control activities, predefined data listings, data reasonableness tests, logic tests

The overarching goal is to implement controls at appropriate places in a process to generate relevant information that can enable appropriate action, thereby preventing rather than detecting a control failure. Achieving this goal requires an understanding of the process, control objectives, enabling technology and the financial and performance information that flows through the process.

WARNING: simply automating controls is no cure-all
1. Business processes must be understood,
2. controls must exist at the proper places,
3. total costs of controls must be understood
25
Deriving Value from Compliance – Understanding the Cost of Controls
[Diagram labels: Performance; Ongoing Assessment and Monitoring; Total Cost; Largely “Hidden”; Increasingly Visible]

Assessing and monitoring controls may require an investment. This cost is in addition to the performance cost of controls. Of the potentially thousands of controls throughout an agency, much of their cost is related to their actual performance. Although the performance cost of control tends to be larger than the cost related to control assessment, the more visible costs are those associated with self assessments and independent reviews.
26
Integrating and Sustaining Compliance
Deriving Value from Compliance – Transformation and Program Improvement
Implement an efficient, sustainable process that integrates and evaluates its internal control environment on a periodic basis
• Consider employing documentation standards, planning, and documentation templates, questionnaires, and work plans, and automated tools
• Monitor change – capture relevant trigger events that could affect compliance
• Analyze and plan action – analyze triggers of change for action and needed resources
• Update controls portfolio – update control/process documentation and implement new controls. Consider opportunities related to control demographics and attributes.
• Perform tests – create and execute test plans to determine operating effectiveness of ICOFR
• Report and archive – analyze, communicate, and certify compliance efforts; archive results for future reference
By transforming separate, distinct, and unstructured compliance initiatives into a well-defined, sustainable, and efficient compliance program, an agency can begin to realize compliance-based cost efficiencies while sustaining compliance.
27
Integrating and Balancing Risk with Program Improvement
Deriving Value from Compliance – Transformation and Program Improvement
• In addition to people, process and technology, risk and controls must be equally considered in managing change.
• Program initiatives need to be executed with a balance of the four dimensions above.
• Then agency managers can perform quantitative analyses of the portfolio (controls and processes) to determine how many controls they have and their attributes, number of supporting processes, enabling systems, and the total cost of control.
28
Opportunities: Desired Control Portfolio; Improved Business Practices; Better Understanding of Costs
Linking Controls to Performance, cont.

[Diagram: Desired Control Portfolio, with labels Automated, Manual, Detective, Preventive, Existing Control, Previous Control, Future (new) Control]

Desired Control Portfolio
• Mostly automated controls that prevent anomalies from occurring or taking effect
• Anomalies’ effects (wasted money, time, effort) are never felt
• Reduce control costs by introducing cost-savings
• Help agencies better manage their risks of doing business
29
Move to Sustainability
Today
• Project oriented
• Viewed in isolation
• Managed disparately
• Separated from the flow of business
• Owned by compliance
• Manual and detective

What happens when?
• People leave
• Processes are improved
• New systems are implemented
• Businesses are sold/acquired
• Processes are outsourced

Tomorrow
• “The way we do business”
• Dynamic and action-oriented
• Integrated into processes
• Process and data centric
• Owned by the “business”
• Automated and preventive

The question: “How do we comply with A-123?”
Becomes… “How can we use controls as a new lens to support the integrity and value of information in an ever-changing business?”
30
Summary
• Implementing an approach to ongoing compliance with a focus on efforts to best use scarce resources can reduce compliance risk and cost over time.
• High-level and detailed analyses of the controls portfolio can help identify areas to enhance risk management, reduce compliance costs, reprogram funds for mission needs, and improve performance.
• Transforming compliance will likely take many months or years.
• During each step of transformation, seek to balance controls improvements with improved business performance.
• Alignment of people, processes, systems, risk and controls, along with the appropriate tone at the top, can help shape ongoing compliance issues as opportunities rather than problems.
31
Contact Information Terry L. Carnahan, CGFM, CPA Managing Director, KPMG LLP McLean, VA Office Phone: (703) Mr. Carnahan is a Managing Director in KPMG’s Federal Internal Audit Services practice. He is responsible for, and involved in, internal control assessments of Federal, State and local government entities. Prior to joining KPMG, Mr. Carnahan worked for the District of Columbia Government, as well as for the U.S. Government Accountability Office for over 20 years, where he directed and managed risk-based audits of government programs and operations on various levels. All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.