PUBLIC SECTOR. Internal Controls Over Financial Reporting (ICOFR) Management’s Assertions Central PA Chapter of the AGA February 9, 2011 . ADVISORY. Contents. Background Federal Managers’ Financial Integrity Act (FMFIA) of 1982 Office of Management and Budget (OMB) Circular No. A-123
PUBLIC SECTOR • Internal Controls Over Financial Reporting (ICOFR) • Management’s Assertions • Central PA Chapter of the AGA • February 9, 2011 • ADVISORY
Contents • Background • Federal Managers’ Financial Integrity Act (FMFIA) of 1982 • Office of Management and Budget (OMB) Circular No. A-123 • Significant Revisions • Management Responsibilities • Government Accountability Office’s (GAO’s) Green Book • Integrate Compliance into the Internal Control Framework • Annual Assurance Statement • Appendix A, Internal Control Over Financial Reporting (ICOFR) • Sample Assurance Statement on ICOFR • Additional Resources
Internal Controls Over Financial Reporting (ICOFR) “Government should lead by example. We should be as good or better than those we are regulating.” David Walker, Comptroller General to Congress CFO Magazine, June 2003
BACKGROUND - Overview • In 2002, Congress passed the Sarbanes-Oxley Act (SOX) in response to improper financial reporting issues by a number of publicly traded companies in the United States (Enron/WorldCom). • Among other things, the Act requires publicly traded companies to receive an opinion from independent auditors on their internal controls as they relate to financial reporting. • Although SOX requirements DID NOT apply to the federal government, the Office of Management and Budget (OMB) revised OMB Circular A-123 in 2004, adding Appendix A, which required the implementation of ICOFR. • Appendix A requires the 24 agencies covered by the Chief Financial Officers Act of 1990 to conduct internal control reviews over their financial reporting processes: • New internal control review process stipulated • New Statement of Assurance
Internal Controls: An Evolution [Timeline figure] • Sarbanes-Oxley 2002 • FDICIA 1991 • Budget and Accounting Procedures Act of 1950 • FMFIA 1982 • CFO Act 1990 • FFMIA 1996 • FISMA 2002 • IG Act 1978 • OMB A-123 1995 • OMB A-123 2004 • OMB A-123 1981 • OMB Q&A 1984 • Superseded • GAO Green Book 1999 • GAO Green Book 1983 • Legend: Federal Acts, Guidance, Standards, Non Federal
FMFIA of 1982 • Internal accounting and administrative controls of each executive agency shall be established in accordance with standards prescribed by the Comptroller General, and shall provide reasonable assurances that: • Obligations and costs are in compliance with applicable law; • Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation; and • Revenues and expenditures applicable to agency operations are properly recorded and accounted for to permit the preparation of accounts and reliable financial and statistical reports and to maintain accountability over the assets. • Annually, an agency head must evaluate and report on the control and financial systems that protect the integrity of federal programs.
OMB Circular No. A-123 • Defines management’s responsibility for internal controls for federal agencies and government corporations. • Appendix A revision was influenced by the Sarbanes-Oxley Act of 2002 and was based on recommendations by a joint committee: • Required for the 24 Chief Financial Officer (CFO) Act of 1990 agencies; • Strengthen the requirements for conducting management’s assessments of ICOFR; and • Emphasize the need for agencies to integrate and coordinate their internal control assessments with other related assessment activities. • Effective October 1, 2005, for federal fiscal year 2006.
OMB A-123: Revised Requirements (continued) • Additional Key Management Requirements (Appendix A): • Management must provide a conclusion on the operating effectiveness of internal control over financial reporting using the framework provided by OMB Circular No. A-123 as of June 30 of each fiscal year • Suggests establishing a senior management council and a senior assessment team, or body of similar construct • Determine those financial reports that will be included in the agency’s assessment • Identify significant accounts, classes of transactions, and business processes that support the agency’s financial reporting processes • Assess the agency’s control environment, risk assessment, control activities, information and communication, and monitoring processes, as related to financial reporting • Document the agency’s understanding of its financial reporting business processes • Test a sample of controls to determine if the agency’s internal control over financial reporting is in place and operating effectively • Maintain a corrective action plan to remediate control deficiency • Monitor the agency’s internal control over financial reporting through periodic testing of controls throughout the year
Significant Revisions • Mandates FMFIA annual assurance statement to be included within an agency’s Performance Accountability Report (PAR). • Updates internal control standards and changes certain terminology. • Integrates related statutes into an agency’s internal control framework. • Establishes a Senior Management Council and Senior Assessment Team. • Defines the type of ICOFR deficiencies. • Requires management to document its assessment process and test of controls. • Appendix A describes a high-level process to assess, document, and report. • Does not require an audit opinion for internal controls.
GAO’s Green Book • Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. • Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed at both the entity and the activity level. • Control Activities: These policies and procedures help ensure management directives are carried out. • Information and Communication: Pertinent information must be identified, captured, and communicated in a form and time frame that supports all other control components. • Monitoring: Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time.
Reduce Compliance Cost via Integration • The cost of compliance with controls initiatives (e.g., A-123, FISMA, etc.) is high. The commercial sector’s experience with Sarbanes-Oxley provides some perspective. • Management can integrate multiple compliance initiatives into a single process, thereby fulfilling numerous regulatory requirements cost effectively. [Graphic labels: FISMA, FFMIA, GPRA, Single Audit Act, IPIA, FMFIA, Clinger-Cohen, IG Act, CFO Act] [Chart labels: Average $ spent; Average time taken; Average FTEs utilized; Planned $ to be spent; Planned time to execute; Planned resources] Source: KPMG LLP (U.S.), 2005
Management’s Steps to Compliance • Plan and Scope the Evaluation: • Scoping Document • Assessment Process Documentation • Identify and Correct Deficiencies • Categorization of Deficiencies • Corrective Action Plans • Remediated Controls Documentation Deliverables • Report on Internal Control: • Assurance Letters • Conclusion of Effectiveness • FMFIA Annual Assurance Statement • Document Controls: • Entity-level Framework • Process-level Flowcharts and/or Narratives • Internal Control Matrix: Objectives, Risks & Controls • Evaluate Design and Operating Effectiveness • Test approach and test plans • Test Results • Internal Control Matrix: Assessment of Design and Operating Effectiveness • List of Design or Operating Deficiencies
Annual Statement of Assurance • FMFIA Annual Assurance Statement previously included: • Section 2, Internal Controls Achieved Objectives; and • Section 4, Conformance with System Requirements. • OMB Circular No. A-123 consolidates these statements of assurance: • Overall adequacy and effectiveness of internal controls, both financial, operational, and compliance; • Each annual statement prepared pursuant to Section 4 shall include a separate report on whether the agency's accounting system conforms to the principles, standards, and related requirements prescribed by the Comptroller General; and • Under the revised A-123, includes a Statement of Assurance on the ICOFR.
Appendix A - ICOFR • Applies to all three internal control objectives: • Operational; • Financial (including the assessment of ICOFR); and • Compliance. • OMB Circular No. A-123, Appendix A provides a methodology for agency management to assess, document, and report on their ICOFR.
Appendix A – ICOFR – Management’s Steps • 1. Plan & Scope the Evaluation: Defines the boundaries of the assessment. Establish assessment process. Identify significant financial reports. Define materiality. Identify significant accounts, relevant financial report assertions, and major transaction cycles. Link the accounts and cycles. • 2. Document Controls: Document and obtain an understanding of controls for all significant accounts, groups of accounts, and transactions. • 3. Evaluate Design & Operating Effectiveness: Evaluate design and operating effectiveness of internal control over financial reporting at the entity, process, transaction, or application level and document results of evaluation. • 4. Identify & Correct Deficiencies: Identify, accumulate and evaluate design and operating control deficiencies; communicate findings and correct deficiencies. • 5. Report on Internal Control: Prepare management’s written assurance on the effectiveness of internal control over financial reporting. • 6. Independent Audit of Internal Control: If required, prepare for independent auditor to conduct the internal control audit and attestation on management’s assertion. Under the Circular, this step is optional.
Appendix A – ICOFR - Scope • Objectives of ICOFR • Should provide reasonable assurance to enable management to make the following assertions: • Existence and occurrence; Completeness; Rights and obligations; Valuation; Presentation and disclosure; Compliance; • Assets are safeguarded against fraud and abuse; and • Documentation for internal control, all transactions, and other significant events is readily available for examination. • Definition of Financial Reporting • An agency needs to determine the scope of financial.
Current Chatter: Loud and Confusing Growing (Unfunded) Costs Software Provider Claims Media Additional Legislation A-123 Requirements Marketplace Perplexity GAO and Congressional Concerns Forums and Professional Associations Consulting Firm Promises More Accountability
Challenges • Today, agency managers face three major challenges: • Compliance with laws and requirements • Minimize the cost of compliance by integrating related internal controls • Reduce the overall cost of controls and transform operations to improve mission effectiveness • These challenges also present opportunities to: • Minimize the cost of compliance by integrating related internal controls • Reduce the overall cost of controls and transform operations to improve mission effectiveness
Risk and Internal Controls • Objectives • Risk • Measuring Risk • Risk and Internal Control • Self Assessment
Internal Controls Lessons Learned • Expensive and chaotic to change controls or systems • Realization that requirements are permanent • Surprising degree to which information technology contributes to all operations and financial processes • Better understanding and analysis of monitoring controls and what controls can do for you • Need to embed internal controls within programs and operations • Re-implementation of basic controls • “Over-identified” key controls
Just Check the Box? Compliance • Federal agencies are usually more willing to embrace new initiatives that address program improvement • However, new regulatory compliance initiatives are generally seen as “necessary evils” that distract an agency from its mission • Compliance with new regulations often degenerates into “check the box” exercises • Agencies miss out by just “checking the box” • Compliance is an opportunity to transform and improve.
Driving Value From Compliance • The results of the analyses (top-down and bottom-up) will help agencies identify opportunities to • Improve the quality of controls and better manage risks • Improve mission performance • Reduce the ongoing cost of compliance over time • Develop better operations insights • Applying the agency’s prioritization framework to those opportunities helps to identify priority initiatives for both immediate and future change – and make the business case for change
Deriving Value from Compliance • Agencies can build on the foundation of compliance to improve both controls and business processes. • Over time, agencies can achieve both risk management and program improvement by transforming compliance initiatives into efficient and sustainable efforts that enable them to identify cost-saving opportunities and improve operations. [Figure labels: Realize Opportunities; Risk Management; Program Improvement; Transform Operations; Integrate Compliance; Comply]
Deriving Value from Compliance – Understanding the Controls Portfolio • A portfolio view helps managers understand the scope, magnitude, and impact of controls across their agency. • Documenting and managing the controls portfolio enables managers to assess the quantity and quality of controls. • The portfolio is mapped by attribute (automated or manual, detective or preventive) and analyzed to assess which controls need to evolve to support changes in agency programs. [Figure: Control Portfolio; marker X; axis labels: Automated, Manual, Preventive, Detective; labels: Lower Risk and Cost, Increased Risk and Cost]
Deriving Value from Compliance – Understanding the Cost of Controls • Although the performance cost of control tends to be larger than the cost related to control assessment, the more visible cost is the cost associated with self assessments and independent reviews. [Figure labels: Ongoing Assessment and Monitoring; Performance; Increasingly Visible; Total Cost; Largely “Hidden”]
Deriving Value from Compliance – Transformation and Program Improvement • Integrating and Sustaining Compliance • Implement an efficient, sustainable process that integrates and evaluates its internal control environment on a periodic basis • Consider employing documentation standards, planning, and documentation templates, questionnaires, and work plans, and automated tools
Deriving Value from Compliance – Transformation and Program Improvement • Integrating and Balancing Risk with Program Improvement
Linking Controls to Performance, cont. • Desired Control Portfolio • Mostly automated controls that prevent anomalies from occurring or taking effect • Anomalies’ effects (wasted money, time, effort) are never felt • Reduce control costs by introducing cost-savings • Help agencies better manage their risks of doing business [Figure: Desired Control Portfolio; axis labels: Automated, Manual, Detective, Preventive; legend: Existing Control, Previous Control, Future (new) Control; labels: Opportunities, Improved Business Practices, Better Understanding of Costs]
Move to Sustainability • Today: • Project oriented • Viewed in isolation • Managed disparately • Separated from the flow of business • Owned by compliance • Manual and detective • Tomorrow: • “The way we do business” • Dynamic and action-oriented • Integrated into processes • Process and data centric • Owned by the “business” • Automated and preventive • What happens when? • People leave • Processes are improved • New systems are implemented • Businesses are sold/acquired • Processes are outsourced • The question: “How do we comply with A-123?” Becomes… “How can we use controls as a new lens to support the integrity and value of information in an ever-changing business?”
Summary • Implementing an approach to ongoing compliance with a focus on efforts to best use scarce resources can reduce compliance risk and cost over time. • High-level and detailed analyses of the controls portfolio can help identify areas to enhance risk management, reduce compliance costs, reprogram funds for mission needs, and improve performance. • Transforming compliance will likely take many months or years. • During each step of transformation, seek to balance controls improvements with improved business performance. • Alignment of people, processes, systems, risk and controls, along with the appropriate tone at the top can help shape ongoing compliance issues as opportunities rather than problems.
Contact Information • Terry L. Carnahan, CGFM, CPA • Managing Director, KPMG LLP • McLean, VA Office • Phone: (703) 286-8560 • E-mail: tcarnahan@kpmg.com • Mr. Carnahan is a Managing Director in KPMG’s Federal Internal Audit Services practice. He is responsible for, and involved in, internal control assessments of Federal, State and local government entities. Prior to joining KPMG, Mr. Carnahan worked for the District of Columbia Government, as well as for the U.S. Government Accountability Office for over 20 years, where he directed and managed risk-based audits of government programs and operations on various levels. • All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.