Internal controls. risk management service. Learning goals. Defining Internal Control & Understanding the Internal Control Framework GAO’s Standards for Internal Control in the Federal Government OMB Uniform Grant Guidance—requirements for internal controls
Internal controls risk management service

Learning goals
• Defining Internal Control & Understanding the Internal Control Framework
• GAO’s Standards for Internal Control in the Federal Government
• OMB Uniform Grant Guidance—requirements for internal controls
• ED’s A123 Internal Control Review Process
• Internal Controls and YOU
• Implementing Strong Internal Controls in Your Agency
• Consequences of Not having Strong Internal Controls-Avoiding the Pitfalls
• Case Study
• Case Study Discussion & Analysis
• Conclusion/Wrap Up
• Questions

Defining internal control
• Internal Control: a process effected by an entity’s oversight body, management and/or other personnel that provides reasonable assurance that the objectives of an entity will be achieved. These objectives and related risks can be classified into one or more categories:
  1. Operations: effectiveness and efficiency of operations and safeguarding of assets necessary to carry out operations.
  2. Reporting: reliable reporting for both internal and external use; this includes financial and non-financial reporting.
  3. Compliance: compliance with applicable laws and regulations.
• What is an Internal Control System: a continuous, built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved.
• How does all of this come together—the five components of Internal Control, as established by the General Accountability Office (GAO).

GAO’s Standards for Internal Controls
• Recently revised: GAO revised its standards, aka the Green Book, in 2014, which then became effective in 2016.
• Standards to guide agencies’ operations: GAO established these standards so that government agencies know what internal control is (and isn’t), how it should work effectively within agencies, how entities should use the Green Book, and what the five key components of internal control are. (The revised version highlights 17 principles within these 5 components.)
• Resource not just for federal entities: The Green Book may also be used and adopted by state & local government agencies, as well as non profits. Management can determine how to appropriately apply the elements within the Green Book to their particular agencies’ needs.

Control Environment
• Control environment: this is the foundation of any internal control system.
• 5 principles
  • Management demonstrates commitment to integrity and ethical values.
  • Management/oversight body oversees the entity’s internal control system.
  • Management establishes an organizational structure, assigns responsibilities and delegates authority to achieve the agency’s mission and objectives.
  • Management demonstrates a commitment to recruit, train and retain competent people.
  • Management evaluates performance and holds individuals accountable for their internal control responsibilities.
• Management establishes the control environment and this is the system under which employees will operate.

Control Environment (cont.)
• The Control Environment should ensure controls are in place, covering areas such as:
  • Hiring Practices
  • Training Programs
  • Whistleblower Policies
  • Code of Ethics
  • Clear lines of responsibility and authority
  • Grants/program administration
  • Fiscal management and operations
Monitor & Update the Control Environment

Control Environment (cont.)
• The Control Environment should be documented. Types of documentation that can be used are:
  • Process narratives
  • Organizational Charts
  • Flowcharts
  • Questionnaires
  • Memorandums
  • Checklists
  • Etc.

Risk assessment
• Risk Assessment: identifying and assessing the potential risks facing the agency, and developing the appropriate risk mitigation tools and strategies to minimize risk occurrences.
• 4 Principles
  • Management defines agency objectives so that risks can be identified and risk tolerance (or risk appetite) levels can be established.
  • Management identifies, analyzes and responds to risks related to the agency achieving its mission and objectives.
  • Management considers the risk for potential fraud.
  • Management identifies, analyzes and responds to significant changes that could impact the internal control system.
• At all levels, management establishes the organizational priorities for how it handles its risk assessment process.

Risk assessment (cont.)
• Risk Assessment Categories to help identify and assess risks:
  • Strategic Risk—political risk, talent and succession planning risk, risk from dependence on other organizations
  • Financial Risk—risk of audit findings and other things that would undermine reporting integrity
  • Compliance Risk—fraud, theft, embezzlement and/or noncompliance with regulations and requirements
  • Operational Risk—risk that Programs may fail to meet their objectives, mishandle federal grant funds, natural disasters, lack of accessible technology, etc.
• Risk assessment is critical, especially when agencies are facing constrained resources, because it allows for targeted and strategic use of available resources.

Risk assessment (cont.)
• Risk Assessment vs. Risk Management
  • Risk Assessment is an element of internal control within the risk management process that allows management to identify and assess key risks to achieving its objectives; this assessment forms the basis upon which control activities are determined.
  • Risk Management is a process applied in a strategic manner across the entity that is designed to identify and manage risks to stay within a risk appetite or risk tolerance level, to provide reasonable assurance about achieving entity goals and objectives.

Risk assessment (cont.)
• Once an objective is established, apply these risk assessment factors:
  • Materiality of the amount of funds/dollars in question
  • Complexity or difficulty of the process
  • History of accounting or procedural (operational) adjustments
  • Propensity for change or deviations in the process or controls
• This helps to assess the risk, the risk likelihood and potential impact.

Risk assessment (cont.)
• External Risks
  • Technological advances
  • Impact of program changes
  • Changing legislature
  • Decentralized organization operations
  • Natural disasters
  • Changing client or constituent needs or expectations
• Internal Risks
  • Use of qualitative/quantitative methods
  • Change in management
  • Weak or unresponsive tone set by leadership
  • Human capital—quality and/or quantity of personnel
  • Rapid growth or reduction
  • Change in processes

Risk assessment (cont.)
• Risk Strategies

Control activities
• Control Activities: actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system, which includes the agency’s information system.
• 3 Principles
  • Management designs control activities to achieve objectives and respond to risks.
  • Management designs the entity’s information system and related control activities to respond to risks.
  • Management implements control activities through written policies.
• Control Activities should be established by management.

Control activities (cont.)
• Control Activities are the heart of the internal control system.
• Understanding the types of internal control activities
  • Preventive—these controls help management to avoid problems before they occur. Prevent the occurrence of negative events.
  • Detective—these controls help to uncover issues after they’ve occurred. Identify the occurrence of a negative event.
  • Corrective—these controls detect if risk is present, and then elicit a response and/or corrective action.

Control Activities (cont.)
• Examples of Control Activities
  • Approvals and authorizations (Preventive)
  • Reconciliations (Detective)
  • Independent Reviews (Detective)
  • Segregation of Duties (Preventive)
  • Training (Preventive)
  • Corrective Action Plan (Corrective)
  • Monitoring (Corrective)
  • Update/Implement SOPs (Corrective and/or Preventive)
  • Asset Security (Preventive)

Control Activities (cont.)
• Manual vs. automated controls
• Manual controls require action(s) to be taken by an employee; automated controls are built into the network infrastructure and software applications. Automated controls are always preferable.
• Manual controls:
  • Obtain supervisor’s approval for Overtime
  • Reconciliation of bank accounts
• Automated controls:
  • Password protections
  • Data entry validation checks

Control activities (cont.)
• Compensating Control
• If a weakness or limitation exists within the control environment, a compensating control may be implemented to help mitigate risk.
• Compensating controls can be preventive or detective.
• Potential compensating controls could be: automation of certain transaction data and management review.
• Compensating controls are put in place when management knows the recommended control activity is not possible with existing resources.
• Segregation of duties is a very important compensating control activity.
  • Creates checks and balances within critical functions
  • One person is not responsible for initiation and approval
  • Fraud and error are major risks in payroll management
  • Always establish segregation of duties in financial and operational functions

Information and communication
• Information and Communication: high quality information that management and personnel communicate and use to support the internal control system.
• 3 Principles
  • Management should use quality information to achieve the agency’s goals and objectives.
  • Management should internally communicate the necessary quality information to achieve the entity’s objectives.
  • Management should externally communicate the necessary information to achieve the agency’s mission and objectives.
• Management establishes expectations regarding what a quality information and communication system should look like, and staff follows suit.

Information and communication (cont.)
• Information employees and stakeholders need to know:
  • Agency initiatives
  • Goals
  • Challenges
  • Opportunities
  • Feedback
  • Questions
  • Policies and Procedures
  • Standards
  • Expectations
  • Incentives/Rewards
  • Consequences for non compliance
• Communication strategies have evolved in the era of social media. Agencies utilize email, text messages, Twitter, Facebook, LinkedIn, apps, mail, phone, etc. to communicate internally and externally.

Monitoring
• Monitoring: activities management establishes to assess the quality of performance over time and to promptly resolve management reviews or audit findings. This helps to determine if controls are working as they should.
• 2 Principles
  • Management establishes and operates monitoring activities to assess the internal control system and evaluate results.
  • Management remediates identified internal control deficiencies in a timely manner.
• Management makes monitoring a priority and uses the results of monitoring to improve and strengthen internal controls and agency operations.

Monitoring (cont.)
• Monitoring activities help to determine whether internal controls are present and functioning as intended.
• Types of Evaluations
  • Ongoing Evaluations
    • Built into business practices
    • Provide timely information
    • Frequently conducted
  • Separate Evaluations
    • Conducted periodically
    • Variation in scope and frequency
Evaluations can sometimes reveal deficiencies or findings. These need to be addressed and rectified in a timely manner.

Monitoring (cont.)
• Monitoring/Validating Controls
  • Deficiency in Design
    • A critical control is not properly designed and does not meet the control objective, or is simply ineffective.
  • Deficiency in Operations
    • A critical control is designed properly but does not perform in the intended manner and is unable to address the identified risks.
• Monitor frequently for effectiveness
• Review supporting documentation
• Review reconciliations
• Review policies and procedures and observe demonstrations to ensure procedures are being followed properly

Monitoring (cont.)
• The Importance of supporting documentation
• Documentation should always be maintained to determine whether SOPs and protocols are being followed and authorized activities have occurred.
• Documentation must contain adequate information that:
  • Identifies who performed the work and when
  • Indicates the nature, timing, extent and results of the procedures performed
  • Enables understanding of the evidence obtained
  • Supports the conclusions, activities and/or purchases that are made

OMB Uniform Grant guidance
• Part 200—Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards, §200.303 “Internal Controls”
• Non-Federal entities must execute the following five (5) actions:
  • (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the award. See the Green Book and Internal Control Integrated Framework by COSO (Committee of Sponsoring Organizations of the Treadway Commission).
  • (b) Comply with Federal statutes, regulations, and the terms and conditions of Federal awards.
  • (c) Evaluate and monitor the non-Federal entity’s compliance with statutes, regulations and the terms and conditions of Federal awards.

OMB Uniform Grant guidance (cont.)
• Part 200—Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards, §200.303 “Internal Controls”
• Five actions cont.
  • (d) Take prompt action when instances of non compliance are identified, including non compliance identified in audit findings.
  • (e) Take reasonable measures to safeguard protected personally identifiable information (PII).
TAKEAWAYS:
  1. Establish and implement an internal control system that complies with laws and requirements.
  2. Evaluate and monitor compliance with laws and requirements.
  3. Identify and communicate findings/deficiencies with key stakeholders.
  4. Develop and implement a corrective action plan when deficiencies occur. Ensure CAP completion.
  5. Implement procedures to protect important information.
  6. Look for ways to constantly improve internal control system.

ED’s A-123 Internal control review process
• Internal Control Review Shift: in 2008, A-123 internal control reviews at ED shifted from financial compliance audits to include the evaluation of the internal operations of ED grant-making offices.
• Federal Managers Integrity Act (FMFIA): agencies must establish internal control and financial systems that provide reasonable assurance that the three objectives of internal control are achieved (effectiveness and efficiency, compliance and reliable financial reporting). FMFIA requires reporting of programs, financial reporting and financial management systems.
• OMB Circular A-123 “Management’s Responsibility for Internal Controls”: promulgates the FMFIA requirement and defines management’s responsibility for implementing internal control within their agencies.
• Every year ED conducts A-123 internal control reviews. Operational (programmatic/grants management) challenges are usually noted; controls and corrective actions are implemented to address concerns.
• Training: employees take a mandatory annual Internal Control training to fortify knowledge and understanding of requirements.

Your agency’s internal control review process
• Every unit within your organization should have an established and transparent internal control system, codified by SOPs. This includes: property & procurement, budget, payroll, accounting office, human resources, federal grants office, etc.
• Establish a system that allows for clear understanding of the entire process from start to finish.
• Get staff invested and educated about what the internal control system looks like within your agency.

Internal controls and you
• Understand what internal control is and is not. There are requirements, but make sure your work is aligned with those requirements and not adding additional stress, burden or undue complexity.
• Management establishes the internal control system. Employees must know and understand the internal control system, what their responsibilities are and how their actions contribute to and affect the overall system and their discrete duties.
• Standardize your process. Follow procedures and document operational activities.
• Personal Ownership: Take responsibility for your role and communicate any challenges or concerns to management.
• Group Effort: Everyone is responsible for implementing strong internal controls in their everyday work environment.
• Value: Create meaning and purpose in work, so that executing the process is ingrained in staff culture and is not viewed as burdensome or time consuming.

Internal controls and you (cont.)
• Basic concepts to make Internal Controls work for you!
  • Establish responsibility—know who is supposed to be doing what. Key tasks need to be assigned to specific individual(s) and communicated across the agency.
  • Segregate Duties—maintain proper custody of assets, record transactions, authorize transactions and reconcile transactions. Create a checks and balance system to avoid theft, fraud or improprieties.
  • Restrict Access—do not allow just anyone to have access to critical or sensitive information. Access should be given only to those who need to complete assigned duties.
  • Document Procedures and Transactions—supporting documentation is critical to every business practice and operational function. Always retain documentation (electronic and manual).
  • Independently Verify—corroborate information.

Implementing strong internal controls within your agency
• An Internal Control System is a Critical Component of Effective Grants Management
• Any organization that is awarded federal grant funds must build a system of internal controls to effectively manage the grant funds it receives.
• A weak internal control system can lead to mismanagement of federal grant funds.
• Severe mismanagement can lead to serious problems, such as: special conditions, restrictions on grants including: route payments/disbursements, high risk designation, federal intervention (including monitoring and/or Technical Assistance), etc.
• Consider developing an Internal Audit division within your agency. If your agency already has one, make sure it’s built up and operating with fidelity.

Implementing strong internal controls within your agency (cont.)
Build competence, understanding and sustainability.
Implement: don’t be afraid to try new things, experiment and determine what works best for your agency, and continuously review the processes implemented.
Build capacity; have the right people at the table and invest in training and professional development.

Avoiding the pitfalls
• What happens when things go wrong and the internal control system fails?
  • Audit findings
  • Financial misstatements
  • Business or government losses
  • Federal Intervention
  • Criminal Investigations
  • Loss of public trust
  • Fraud or collusion
  • Program sustainability compromised
  • Reputational harm
  • Loss of funds