1 / 32

INTERNAL AUDIT SERVICES Internal Controls as they Relate to OMB Circular A-123

INTERNAL AUDIT SERVICES Internal Controls as they Relate to OMB Circular A-123. December 2006 Audit Project No. 2509. OMB Circular A-123 Background. Management’s Responsibility for Internal Control

elvis-kirby
Download Presentation

INTERNAL AUDIT SERVICES Internal Controls as they Relate to OMB Circular A-123

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INTERNAL AUDIT SERVICESInternal Controls as they Relate to OMB Circular A-123 December 2006 Audit Project No. 2509

  2. OMB Circular A-123 Background Management’s Responsibility for Internal Control In December 2004, The United States Office of Management and Budget (OMB) released a revised Circular A-123, which stipulates that federal agencies must provide assurance about the adequacy of internal controls and the reliability of financial reporting. The Circular was issued under the authority of the Federal Managers’ Financial Integrity Act of 1982 (FMFIA) and became effective fiscal year 2006. DOE delegated responsibility for implementation of OMB Circular A-123 to its contractors.

  3. OMB Guidance Federal agencies must test, evaluate, and report on the effectiveness of their internal controls over financial reporting, which is similar to what is required of publicly traded companies under Sarbanes-Oxley section 404. Key difference between Sarbanes-Oxley and OMB A-123 is that Federal agencies are not required to have an external audit opinion on their internal controls.

  4. Definition of Internal Control Internal control is a process, put in place by management and other personnel, designed to provide reasonable assurance that we will achieve the following objectives: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations

  5. FY07 OMB A-123 Team Members • Jeffrey Fernandez, OCFO – Attester • Minh Huebner, OCFO – Implementer • Grace Huang, OCFO – Project Lead • Kim Martens, IAS – Testing Lead • John Chernowski, OIA - Project Team Member • Ira Nishibayashi, OIA - Project Team Member • Michele Mock, OCFO – Project Team Member • Rose Katsus, OCFO – Project Team Member • Lauretta Corsair, OCFO – Project Team Member • Rosalyn Height, OCFO – Project Team Member • Rich Nosek, IT – Project Team Member

  6. OMB A-123 Steering Committee • Jeffrey Fernandez, Chief Financial Officer • David McGraw, Chief Operations Officer • James Krupnick, Institutional Assurance Director • Sandy Merola, Deputy Chief Operations Officer • James Siegrist, Associate Laboratory Director • Graham Fleming, Deputy Laboratory Director • Glenn Woods, Laboratory Counsel • Terrence Hamilton, Internal Audit Director

  7. COSO Framework of Internal Control Control Environment – Sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Risk Assessment - Internal control should provide for an assessment of the risks the Lab faces from both external and internal sources in order to determine how risks should be managed. Control Activities -Internal control activities help ensure that management's directives are carried out. The control activities should be effective and efficient in accomplishing control objectives. Includes policies and procedures. Monitor Performance - Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved. Information and Communication - Information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.

  8. Five Control Components All 5 of the internal control components work together to establish a strong internal control structure.

  9. Control Environment Control Environment

  10. Risk Assessment Perform Risk Assessment Control Environment

  11. Control Activities Perform Risk Assessment Control Environment Implement Control Activities

  12. Two Types of Control Activities Control Activities Preventive controls are designed to provide reasonable assurance that only valid transactions are recognized, approved and submitted for processing. They are applied before the processing activity occurs. This type of control is generally more effective in a strong control environment than detective controls. Detective controls are designed to provide reasonable assurance that errors and irregularities are discovered and corrected on a timely basis. Detective Controls normally are performed after processing has been completed. They are particularly important in an environment that has relatively weak preventive techniques.

  13. Monitor Performance Perform Risk Assessment Control Environment Monitor Performance Implement Control Activities

  14. Information and Communication Information Perform Risk Assessment Control Environment and and Monitor Performance Implement Control Activities Communication

  15. Limitations of an Internal Control Structure • Errors may arise frommisunderstandingsof instructions,mistakesof judgment,fatigue, etc. • Controls that depend on the segregation of duties may be circumvented bycollusion. • Managementmay overridethe structure • Compliance maydeteriorate over time

  16. Internal Control Myths and Facts MYTHS: Internal control starts with a strong set of policies and procedures. Internal control: That’s why we have internal auditors! Internal control is a finance thing. Internal controls are essentially negative, like a list of “thou-shalt-nots.” Internal controls take time away from our core activities of research, operations, and customer service. FACTS: Internal control starts with a strong control environment. While internal auditors play a key role in the system of control, management is the primary owner of internal control. Internal control is integral to every aspect of business. Internal control makes the right things happen the first time. Internal controls should be built “into,” not “onto” business processes. Source: Institute of Internal Auditors, 2003

  17. Your Role as Process Owner • Acknowledge your responsibility for the control structure within your business processes • Identify, prioritize and review risks and controls • Remove obstacles for compliance; remedy control deficiencies • Perform self-assessments and document test work • Educate your personnel about OMB requirements • Reinforce internal focus on controls within your area • Surface any risks, concerns or issues promptly to allow adequate attention for correction (don’t wait for an audit!) • Fix control gaps as soon as possible

  18. Entity + Process Controls = Assurance Entity Controls • Entity Controls relate to the organization as a whole and are not specific to processes. • Ensure the integrity and effectiveness of the organization and its leadership. • Entity Controls focus on 5 Standard Entity Areas (COSO). Process Controls • Process Controls ensure the integrity and accuracy of the business transactions as they impact the financial statements. • In some cases, Process Controls supplement Entity Controls to mitigate risk. Adapted from DOE A-123 All Hands Training

  19. OMB Entity Control Areas and Sub-Categories Source: A-123 All Hands Training

  20. Process Cycles and Processes

  21. Example: Procure to Pay Process Cycle and Processes/Sub-Processes

  22. Inherent Risk • DOE’s approach to A-123 is based on evaluating controls to offset inherent risk. • Inherent Risk is the chance that a material misstatement will occur because there are no related internal controls in place. • Risks should be identified to cover the end to end process and should consider financial statement assertions (PERCV).

  23. PERCV – Financial Reporting Assertions

  24. Example of Process Risk Statement Process: Payable Management Sub-Process: Disbursing Risk Statement: Invalid or duplicate Payment may be made in excess of approved contract amount, resulting in loss to DOE (if not detected) and an increase in improper payments reported to DOE (if later detected). Relation to PERCV: • Existence and occurrence: Liabilities/Payables recorded do not exist. • Rights and Obligations: Liabilities/Payables do not reflect valid obligations of the entity. • Valuation or allocation: Expenses/Payments are inappropriately recorded/valued in financial statements. Adapted from A-123 All Hands Training

  25. Example of Process Cycle Controls Process: Payable Management Sub-Process: Disbursing Risk Statement: Invalid or duplicate Payment may be made in excess of approved contract amount, resulting in loss to DOE (if not detected) and an increase in improper payments reported to DOE (if later detected). Controls: • System automatically closes contracts when receipts and invoices have been posted and paid equal to the amount of the contract. • Invoices in excess of contract are automatically rejected with the reason code indicating that the contract is complete. • Rejected invoices are sent back to appropriate departments for follow-up. Adapted from A-123 All Hands Training

  26. Example of Entity Controls Adapted from A-123 All Hands Training Adapted from A-123 All Hands Training

  27. Inherent Risk Rating/Assessment

  28. Dual-Purpose Testing A-123 employs a two step dual purpose testing approach. 1. Determining whether a control failure occurred (control operation); and 2. Determining whether the risk actually occurred (impact) as a result of the control failure, where reasonable and appropriate.

  29. Types of Tests Inquiry – ask a question – Interview staff to validate knowledge of a policy or requirement – Conduct a survey to obtain or validate information Inspection – did it happen – Review sample of source documents for evidence of control execution – Review exception reports and related documentation to identify preventive control failures and validate follow-up for risk occurrence – Reconcile process/system documentation to actual operation Observation – watch it happen – Monitor personnel to validate execution of manual controls – Observe occurrence of automated controls (e.g. popup warnings) Re-performing – make it happen Enter a valid transaction to test control operation

  30. OMB Test Ratings Test Ratings: Effective in FY 2007, test results will be scored on a scale of 3 to 7.

  31. Communicating Internal Control Weaknesses Reportable

  32. Sample Assurance Statement Internal Control Certification: Revised OMB A-123: Sample Assurance Statement Fiscal Year 2XXX Annual Assurance Statement on Internal Control over Financial Reporting The [Agency’s] management is responsible for establishing and maintaining effective internal control over financial reporting, which includes safeguarding of assets and compliance with applicable laws and regulations. The [Agency]conducted its assessment of the effectiveness of the [Agency’s] internal control over financial reporting in accordance with OMB Circular A-123, Management’s Responsibility for Internal Control. Based on the results of this evaluation, the [Agency] can provide reasonable assurance that the internal control over financial reporting as of June 30, 2XXX was operating effectively and no material weaknesses were found in the design or operation of the internal controls over financial reporting. _____________________________ Head of Agency Adapted from A-123 All Hands Training

More Related