1 / 56

Internal Control Requirements for the American Recovery and Reinvestment Act (ARRA)

Internal Control Requirements for the American Recovery and Reinvestment Act (ARRA). Texas State Agency Internal Audit Forum July 27, 2009. Background.

erin-osborn
Download Presentation

Internal Control Requirements for the American Recovery and Reinvestment Act (ARRA)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Internal Control Requirements for the American Recovery and Reinvestment Act (ARRA) Texas State Agency Internal Audit Forum July 27, 2009

  2. Background This presentation is designed for executives and employees of Texas state agencies and institutions of higher education. The purpose is to provide information to help meet auditing, accountability, and transparency requirements of Americans Recovery and Reinvestment Act (ARRA).

  3. Internal Control Internal control is an important part of an organization’s management plan that provides reasonable assurance of the accomplishment of goals and objectives, efficiency of operations, reliability of information, and legal compliance. * Internal control is management’s responsibility.

  4. Table of Contents • Internal Controls • Who is Auditing ARRA Funds? • Single Audits • Subrecipients and Vendors • Internal Controls and COSO Model • Compliance Requirements • Monitoring Subrecipients • ARRA Section 1512 and Texas Reporting Requirements

  5. Table of Contents - continued • Specific Controls from Compliance Supplement • Two Examples of Specific Controls with ARRA examples appear in RED TEXT • Reporting • Subrecipient Monitoring • Auditor Judgment • What do Managers Need to Know? • Resources

  6. Internal Controls for ARRA All federal grant recipients are required to comply with federal internal control standards. *ARRA is no different. ARRA specifically requires non-federal entities receiving federal awards to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements.

  7. Who is Auditing the ARRA Funds? The answer is nearly everyone! Each federal and state agency is required to have a process to investigate allegations of fraud, waste, or abuse. Government Accountability Office (GAO) will be auditing at the federal, state, and local level and reporting to the U.S. Congress every two months.

  8. Federal Agencies Federal agencies will continue performing financial and program monitoring, and their Offices of Inspector General (OIG) will increase their involvement. They will audit and monitor on the state, pass-through agency, and local level.

  9. Texas State Agencies The Texas State Auditor’s Office (SAO) and its contractor KPMG will audit Texas state agencies, including their subrecipient monitoring processes. Texas state agencies and other pass-through entities will continue to perform financial and program monitoring.

  10. Single Audits * Recipients that expend $500,000 or more in federal funding are required to have a “Single Audit,” which includes an audit of compliance with OMB Circular A-133 as well as a financial audit. With the increased amount of funding available under ARRA, many subrecipients may need to obtain a Single Audit for the first time.

  11. Subrecipient A subrecipient is a non-federal entity that expends federal awards received from another entity to carry out a federal program but does not include an individual who is a beneficiary of such a program.

  12. Subrecipient vs. Vendor How do we know if it is a subrecipient or a vendor? Subrecipients carry out the mission of the agency. They determine eligibility and how to deliver the services. Vendors are paid to provide goods or services and do not determine eligibility.

  13. History of Internal Controls In the mid-1970s, the Foreign Corrupt Practices Act required companies to implement internal control programs. In 1985, the Treadway Commission was formed to study the factors that cause fraudulent financial reporting, make recommendations to reduce the occurrence of fraudulent financial reports, and develop integrated guidance on internal control. The Treadway Commission consisted of several independent private sector organizations that became known as the Committee of Sponsoring Organizations, or COSO.

  14. Internal Controls for ARRA OMB Circular A-133 Compliance Supplement (May 2009) Part 6 requires auditors to gain an understanding of the internal controls over federally funded programs. The format the auditors will use is based on the COSO Internal Control – Integrated Framework.

  15. Internal Controls for ARRA New subrecipients may not have formal, established, and documented internal controls. They may not be familiar with the terminology that the federal GAO and Inspectors General, or the State Auditors and Texas state agency monitors use. * Agencies may want to provide additional information to subrecipients to assist them in complying with these requirements.

  16. COSO Internal Control – Integrated Framework The COSO Internal Control – Integrated Framework is made up of five interrelated parts that work together to create a system of internal controls to assist management in achieving the internal controls objectives. The five elements of internal control include: • Control Environment • Risk Assessment • Control Activities • Information and Communications • Monitoring If one of the elements is missing or weak, the risk increases that the organization will not meet its objectives or that fraud, waste, or abuse will occur and not be detected.

  17. COSO Internal Control Framework

  18. 1. Control Environment Control environment is the organizational structure and culture created by management and employees. Control environment includes: • “tone at the top” • objective setting • clearly defined areas of authority and responsibility • human resource policies.

  19. 2. Risk Assessment Risk assessment is the process used by organizations to identify internal and external risks or obstacles to achieving their objectives. Each risk identified is evaluated based on: • Impact – How bad would it be if the risk occurred? • Likelihood – How probable is it the risk will occur?

  20. 3. Control Activities Control activities are the policies, procedures, and other mechanisms put in place to ensure that objectives are met. Control activities include: • segregation of duties • physical controls over assets • authorization and documentation • access to documentation.

  21. 3. IT Control Activities IT control is a process that provides assurance for information and information services, and helps mitigate risks associated with use of technology. * Auditing standards require auditors to assess the adequacy of information technology controls. Examples of Information Technology (IT) control activities include: • business continuity • disaster recovery • backup of data • general and application controls over information systems, including mainframe, network, and end-user environments.

  22. Importance of IT Controls An IT controls assessment includes a review of system security and an application control review. Auditors must ensure that the data in a computer system is reliable before they can rely on the data. If your agency relies on internally developed systems, a self-assessment or an internal audit may reduce audit findings.

  23. 4. Information and Communication Pertinent information must be identified, captured, and communicated in a form and timeframe that allows people to carry out their responsibilities. Information should be relevant, reliable, and timely. Examples • Meetings • Memos • Emails • Reports • Webinars • Web sites

  24. 5. Monitoring • Monitoring is the process that ensures internal controls continue to operate effectively by conducting ongoing and/or separate evaluations which enable management to determine whether the other components of internal controls continue to function over time. • Examples include: • Reconciliations • Comparisons of data • Tests of transactions • Tests of programmatic measures

  25. 5. Monitoring In addition to ongoing monitoring, separate evaluation processes should occur. Monitoring the effectiveness of internal control and the results of operations should occur during the normal course of operations. ---DRAFT FOR COMMENTS---

  26. 5. Monitoring Any deficiencies in internal controls should be reported to the appropriate level of management. When deficiencies are identified through internal or external reviews, they should be evaluated and corrected. A systematic process should exist for addressing deficiencies.

  27. 5. Monitoring When deficiencies are not corrected in a timely manner, the issue should be escalated to a higher level of management to ensure that appropriate resources and corrective actions are applied to resolve the issue.

  28. 5. Monitoring Each program should establish and calculate performance measures. Performance measures should be meaningful and reported to the appropriate level of management.

  29. Compliance Requirements The federal audit guidance in OMB Circular A-133 Part 6 lists 14 types of compliance requirements. A compliance audit supplement that contains special tests and provisions may be available for federal programs. These tests and provisions are designed to audit the compliance requirements specific to the federal program.

  30. Types of Compliance Requirements • Activities Allowed or Unallowed • Allowable Costs/Cost Principles • Cash Management • Davis-Bacon Act • Eligibility • Equipment and Real Property Management • Matching, Level of Effort, Earmarking • Period of Availability of Federal Funds • Procurement and Suspension and Debarment • Program Income • Real Property Acquisition Relocation Assistance • Reporting • Subrecipient Monitoring • Special Tests and Provisions (unique to each program)

  31. ARRA Section 1512 Reporting ARRA Section 1512 has specialized reporting requirements for all ARRA funds. Quarterly, cumulative reports are required to be submitted for funds paid to recipients and vendors. Jobs created and retained with ARRA funds must also be reported. More information is available in OMB Webinars located at www.whitehouse.gov/recovery/webinartrainingmaterials

  32. Monitoring Subrecipients The OMB webinars held July 20-23, 2009 emphasized that*prime recipients are responsible for the accuracy, completeness and timely reporting of their own data as well as their subrecipients. Prime recipients MUST have processes in place to perform data quality reviews during the condensed Section 1512 reporting timelines. www.whitehouse.gov/recovery/webinartrainingmaterials

  33. Texas Reporting Requirements for ARRA Article 12 of the Texas Budget and the Texas Comptroller of Public Accounts also have specific reporting requirements to the Comptroller, LBB and Governor’s Office. Please review the Comptroller’s Reporting website and sign up for the special ARRA email alerts. https://fmx.cpa.state.tx.us/fmx/recovery/index.php

  34. Specific Controls Circular A-133 Compliance Supplement, Part 6 lists specific characteristics of internal control to audit for each compliance requirement. Part 6 also includes descriptions of the components of internal control and examples of characteristics common to the 14 types of compliance requirements.

  35. Examples To illustrate this process, the following slides show excerpts from OMB Circular A-133 Part 6 for reporting and subrecipient monitoring. ARRA examples are listed in red text. Each of the 14 compliance tests has a specific Control Objective, then specific characteristics that auditors will look for to document the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.

  36. Example: Reporting ARRA Reporting Objective - * ARRA requires that stimulus funds must be tracked and reported separately from other federal funds. Control Objective – To provide reasonable assurance that reports of Federal awards submitted to the Federal awarding agency or pass-through entity include all activity for the reporting period, are supported by underlying accounting or performance records, and are fairly presented in accordance with program requirements. Control Environment – Persons preparing, reviewing, and approving reports possess the required knowledge, skills, and abilities.

  37. Example: Reporting Risk Management – Identification of any potentially unreliable underlying source data or analysis for performance or special reporting activities. Control Activities – Written policy establishes responsibility and provides procedures for periodic monitoring, verification, and reporting of program progress and accomplishments. * Procedures are in place for preparing complete, accurate, and timely ARRA reports.

  38. Example: Reporting Information and Communication – An accounting or information system provides for the reliable processing of financial and performance data. *Ensure ARRA receipts are identified and tracked separately. * Ensure ARRA expenditures are properly coded. * Maintain source documentation.

  39. Example: Reporting Monitoring – Communication from external parties corroborates information included in the reports for federal awards. * Documentation is sufficient. * Documentation contains evidence of quality control review of data. * Documentation provides evidence that review and required approvals occurred prior to payment.

  40. Example: Subrecipient Monitoring ARRA Subrecipient Monitoring Objective - *To provide assurance that subrecipients are adhering to ARRA reporting and compliance requirements Control Objective – To provide reasonable assurance that federal award information and compliance requirements are identified to subrecipients, subrecipient activities are monitored, subrecipient audit findings are resolved, and the impact of any subrecipient non-compliance on the prime recipient is evaluated. Also, prime recipients should perform procedures to provide reasonable assurance that the subrecipient obtained required audits and has taken appropriate corrective action on audit findings.

  41. Example: Subrecipient Monitoring Control Environment - A “tone at the top” has been established that demonstrates management’s commitment to monitoring subrecipients. Management communicates intolerance of overrides of established procedures for monitoring subrecipients. * Sufficient resources are dedicated to ARRA subrecipient monitoring. Individuals performing subrecipient monitoring possess the required knowledge, skills, and abilities.

  42. Example: Subrecipient Monitoring Risk Assessment - Key managers’ understanding of the subrecipient’s environment, systems, and controls are sufficient to identify the level and methods of monitoring required. Mechanisms exist to identify risks arising from external sources affecting subrecipients. Mechanisms exist to identify and react to changes in subrecipients, such as financial problems that could lead to diversion of grant funds, loss of essential personnel, rapid growth, or new activities. * Risk Assessment uses criteria such as first time grant recipient to select subrecipients for monitoring.

  43. Example: Subrecipient Monitoring Control Activities - Inform subrecipients of the federal award information (e.g. CFDA number) and applicable compliance requirements. Include the compliance requirements of OMB Circular A-133 inagreements and contracts. Monitor subrecipients’ compliance with audit requirements. Document current policies and procedures. * Include ARRA compliance requirements such as separate recordkeeping.

  44. Example: Subrecipient Monitoring Information and Communication - Standard award documents used by grantor pass-through agencies contain: • List of federal requirements that must be followed • Description and program number for each program • Statement signed by subrecipient official stating that the subrecipient was informed of, understands, and agrees to comply with applicable requirements. A recordkeeping system is in place to ensure documentation is retained for the time period required by the prime recipient. Procedures are in place for subrecipients to communicate concerns to the pass-through agency.

  45. Example: Subrecipient Monitoring Monitoring - Establish a tracking system to ensure timely submission of required reporting, such as financial reports, performance reports, audit reports, on-site monitoring reviews of subrecipients, and timely resolution of audit findings. Perform supervisory reviews to determine the adequacy of subrecipient monitoring. * Controls are in place to ensure accurate, complete and timely reporting of ARRA payments. * Data analysis of ARRA subrecipient data is performed to prevent material omissions and significant reporting errors to detect them timely.

  46. Auditor Judgment While OMB Circular A-133 , Part 6 is not a checklist of internal control characteristics, it does provide guidance to non-Federal entities (grantees and subrecipients) on implementing effective internal controls. Part 6 indicates that non-Federal entities and their auditors will need to exercise judgment in determining the most appropriate and cost-effective internal controls.

  47. What do Managers Need to Know? Executive management should ensure that the agency has up-to-date documentation of its internal control processes especially over reporting and subrecipient monitoring. Executive management should coordinate with the Internal Auditor in evaluating the need for audits of internal controls for high-risk programs. Program managers should maintain up-to-date documentation of their internal controls. Subrecipients should maintain up-to-date documentation of their internal controls.

  48. Summary The examples provided are a roadmap that Texas state agencies, institutions of higher education, and subrecipients can use to perform self-assessments of their internal controls prior to audits or monitoring visits. The GAO has developed a monitoring tool, and COSO published a guide for monitoring internal controls in February 2009. Information on obtaining these tools is in the Resources section that follows.

  49. Resources GAO’s Follow the Money http://www.gao.gov/recovery/ Recovery http://www.recovery.gov/

  50. Resources Texas Comptroller of Public Accounts Fiscal Management for ARRA reporting https://fmx.cpa.state.tx.us/fmx/recovery/index.php Texas Recovery website http://www.cpa.state.tx.us/recovery/

More Related