310 likes | 516 Views
Department of Homeland Security Federal Emergency Management Agency Association of Government Accountants Improving Controls Can Improve Program Performance Audio Conference on Internal Controls June 8, 2011. Agenda. FEMA’s History FEMA’s Audit Remediation/Internal Control Efforts:
E N D
Department of Homeland Security Federal Emergency Management Agency Association of Government Accountants Improving Controls Can Improve Program Performance Audio Conference on Internal Controls June 8, 2011
Agenda • FEMA’s History • FEMA’s Audit Remediation/Internal Control Efforts: • Mission Action Plan (MAP) Process • Internal Control Board • Internal Control Program • A-123/IPIA Program • Accomplishments and Impact • Risk Assessment • Moving Forward
Financial Statement Audit History • In FY06, FEMA had a total of six material weaknesses (MWs) and contributed to the Department’s disclaimer conditions
A-123/IPIA History • FEMA began A-123 compliance activities in FY06 and performed TOD/TOE assessments of several business processes • FEMA focused on remediating internal control weaknesses in FY08 and resumed its A-123 assessments in FY09 • FEMA began IPIA compliance activities in FY06 and tested one Program • FEMA was non-compliant with IPIA requirements until FY08
FEMA Audit Progress • FEMA has made significant progress over the past 5 years to strengthen its internal controls and reduce control weaknesses
Mission Action Plan (MAP) • Definition: An overall plan that FEMA’s management creates to correct specific deficiencies. These plans contain items such as a Root Cause Analysis and milestones with specific completion dates and remedial actions. • Process:
Root Cause Analysis Definition:The specific underlying cause(s) of events that lead to control deficiencies. They fall under one or more of the following areas: • Human Capital – Insufficient training, need for more people, or wrong people in positions • Process – Break in the process flow, need for updated or additional processes • Policy – Insufficient or no policies or procedures in place • Systems – System failures or inadequate systems Benefits of an Effective RCA: • Critical to preventing similar recurrences • Over time, the root causes identified across the population of control deficiencies can be used to target major opportunities for improvement
Case Study – Financial Reporting Issues • Lack of sufficient resources with the required financial management skill set within the OCFO to ensure segregation of duties and oversight over the financial reporting process • Inadequate processes and controls to ensure that all adjustments are fully researched, substantiated, documented, and/or appropriately reviewed prior to preparation and submission of financial data to the Department • Insufficient level of review and approval of supporting documentation for significant JVs recorded in the general ledger/Treasury Information Executive Repository (TIER) • Lack of policy and procedures and clearly documented roles and responsibilities over the financial reporting process • Systematic errors related to incorrect attributes and poor data quality Corrective Actions • Filled strategic OCFO vacancies to aid in implementing corrective actions to correct control weaknesses • Developed and implemented improved control procedures over the TIER process (including TIER to GL reconciliation procedures) • Developed and published budget/finance blueprint to improve accuracy of budget entries • Updated, published, and implemented OCFO’s Journal Voucher (JV) Process standard operating procedures • Improved JV documentation and the review/approval of JVs • Performed data clean-up
Internal Control Board (ICB) • Objectives • Support FEMA’s internal control structure through improved control awareness, communication, and coordination • Set the tone of the organization’s control environment • Prioritize, direct, and monitor internal control activities • Improve internal control environment and achieve objectives • Address enterprise-wide/cross-cutting internal control issues requiring collaboration at FEMA’s most senior levels of leadership • Structure • Chaired by the FEMA Deputy Administrator • Championed by the FEMA Administrator • Comprised of a cross-functional team of senior FEMA officials/representatives
Value of the ICB • Demonstrates commitment of senior leadership (“tone at the top”) • Provides the governance structure needed to improve internal controls and achieve program goals and business objectives • Establishes accountability throughout the agency • Increases awareness as to the importance of maintaining effective internal control through continuous monitoring • Improves integration and coordination of internal control-related activities • Positions agency to better address multiple requirements • Strengthens annual assurance statement process
Internal Controls Program (ICP) - Overview • Created in November 2008 and chartered in January 2009 • Key Functions: • Provides support to its divisions/offices to remain compliant with Federal internal control requirements: • Federal Manager’s Financial Integrity Act (FMFIA) • Office of Management and Budget (OMB) Circular A-123 • Oversees the assessment of internal control within each Mission Support Bureau (MSB) Office to ensure compliance with governing legislative, regulatory, and Departmental guidance • Summarizes and communicates results of the assessments to FEMA’s Deputy Associate Administrator • Assists the MSB Offices in creating their annual Assurance Statements
ICP Activities • In FY11, the ICP performs the following activities: • Conducting a self-assessment of each MSB Office’s Entity-Level Controls (ELCs) • Coordinating the design and implementation of more effective/efficient Business Processes • Performing a FEMA-Wide Risk Assessment to assist the Region and Program Offices create their Assurance Statements • Below is an example of the Tools & Templates used:
ICP Structure ICP Chair: FEMA Deputy Administrator ICP Sponsor: Director of RM&C ICP Lead: RM&C Staff ICP Core Team
Value of the ICP • Develops an internal control ethic in all employees • Identifies areas of weakness and vulnerability • Creates remediation plans to improve FEMA’s efficiency and effectiveness • Allows FEMA to stay ahead of auditors • Manages the Enterprise-Wide Internal Control Issues • Enhances focus on customer experience • Improves decision making • Increases accountability • Trains FEMA employees across FEMA programs • Moves control monitoring to the front end of the process
A-123 Progress *FEMA determined the need to perform an A-123 assessment ** DHS exempted FEMA from performing an A-123 assessment to focus on remediation efforts for FY2008
A-123 – Current Year Activities • Perform A-123 assessments over the Fund Balance with Treasury Process and the Purchase and Fleet Card Programs • Extend assessments to focus on internal controls over operations • Integrate A-123 into the Internal Control Program
IPIA Progress • FEMA began IPIA compliance activities in FY06 and tested one Program • For FY11, FEMA is testing nine Programs (including the Port Security Grant Program (PSGP)) • FEMA’s past and current IPIA activities include testing, risk assessments, pilot studies, and communications strategy development • Over time, FEMA Programs have taken on increasing levels of responsibility for and collaboration with IPIA testing and related activities
Accomplishments and Impact FEMA has performed activities to improve its internal controls and program performance including, but not limited to: • Implemented an audit remediation and internal controls strategy that has led to the successful downgrading/elimination of 5 out of 6 material weaknesses • Sustained progress to date through continued efforts to monitor and strengthen internal controls over financial reporting and operations • Improved communication with external auditor resulting in a more effective and efficient annual financial statement audit • Enhanced Management’s assessment of internal controls over financial reporting and operations • Improved awareness, communication and coordination at all levels of the agency • Integrated processes and assessments • Established the ICB to address enterprise-wide/cross-cutting issues
Risk Assessment Overview • FEMA faces a variety of risks that could detract from its mission to build, sustain, and improve the Nation's capability to prepare for, protect against, respond to, recover from, and mitigate all hazards • FEMA’s risk assessment methodology is flexible and scalable to allow for the development of a multi-year implementation plan that will improve financial reporting and operational processes and infrastructure • FEMA’s risk assessment methodology is intended to employ comprehensive risk management to enhance FEMA programs and operations
Risk Assessment Framework • Combines traditional “bottom-up” and “top-down” stakeholder value approach
Risk Assessment Methodology • FEMA’s risk assessment methodology involves a five step process: • Planning – Gather information and conduct interviews • Drafting the Risk Strategy Map – Populate tool to capture and analyze risk • Evaluating Risk – Complete Risk Register Template • Prioritizing Activities – Prioritize based on Inherent Risk and Control Environment • Preparing the Annual Plan – Identify processes to be remediated by corrective action or assessed through Self Inspection Plan (A-123)
Risk Assessment Outcomes • The intersection of the inherent risk rating and the control environment strength on the Risk Assessment Matrix details the proposed follow-up activity High Assessment of Controls Remediation 5 4 3 2 1 Inherent Risk Assess Controls on Rotational Basis Lower Remediation Priority Low 1 2 3 4 5 Strong Weak Control Environment
Value of the Risk Assessment • FEMA’s Risk Assessment Methodology provides the following benefits: • Includes ICOFR and ICOOPs processes/risks/controls • Directly links to actionable outcomes including: processes to be assessed and remediation areas of focus • Creates a simple, not overly complex methodology that is flexible and scalable for business needs • Has the approval and sponsorship of the ICB • Links to strategic goals and objectives • Forms an Annual Plan, which takes into account prioritization, current initiatives, and resource considerations
Moving Forward • Implement a process to more effectively and efficiently assess entity-wide risks, evaluate internal controls, improve processes, and achieve compliance with Federal requirements • Create an organizational structure and culture that promotes the importance and value of internal control and accountability throughout the agency • Promote the integration and coordination of internal control-related activities throughout the agency • Establish a formal standardized entity-wide process/methodology/tool for assessing risks to better prioritize internal control initiatives and remediation efforts and dedicate resources where most needed • Move beyond a compliance driven responsiveness toward strategic decision making based on risks
FEMA’s Future State FEMA’s future state will enable us to more effectively and efficiently assess entity-wide risks, evaluate internal controls, improve processes, achieve compliance with Federal requirements, and achieve program goals and business objectives Internal Control Board • Cross Functional • Oversight • Direction • Monitoring Program / Operations Financial Information Systems • FMFIA – Sec. 2 • Charge Cards (A-123, App. B) • ICOFR (A-123, App. A) • IPIA/IPERA (A-123, App. C) • FMFIA – Sec. 4 • FISMA • FFMIA • Mission Action Plans • Policies & Procedures • Business Process Redesign • Communication • Reporting & Tracking Progress • Training Remediation Benefits • Effective and Efficient Operations • Compliant with Laws & Regulation • Reliable Financial Reporting
Contact Information: Kathy Hill: Director of Risk Management & Compliance – FEMA OCFO Email: Kathy.Hill@fema.dhs.gov