86a22b0931ea04fc5d310705fabc17b0.ppt
- Number of slides: 45
Introduction to Internal Control OMB Circular A-123, Appendix A December 2006
Agenda
I. Introduction
   A. Objectives and Goals
   B. What is Internal Control?
II. Background on Internal Control Requirements
   A. Internal Control Legislation and Rules
   B. Overview of OMB Circular A-123 and Appendix A
III. Internal Control Over Financial Reporting
   A. Definition of Internal Control Over Financial Reporting
   B. COSO Framework
IV. Identifying Controls
   A. Control versus Activity
   B. Manual versus Automated Controls
   C. Detective versus Preventative Controls
   D. Specific for Information Systems
      1. General Computer Controls
      2. Application Controls
   E. Entity Level Controls
V. Overview of USDA’s OMB Circular A-123, Appendix A Assessment Process
   A. Planning and Scoping
   B. Documentation and Testing
   C. Remediation and Validation
   D. Reporting and Sustaining
VI. Additional Sources of Information
Objectives and Goals
Objective
• This course has been designed to provide an overview of internal controls as a precursor to beginning the assessment of internal controls that is required under OMB Circular A-123, Appendix A.
• In this course, we will define internal control, discuss the benefits of internal controls, and discuss the different types of controls. We will also discuss the phases of assessment that each agency will complete in order to comply with Circular A-123, Appendix A.
By the end of the course you will be able to:
• Understand the background of the government’s internal control policies and regulations
• Distinguish a control from an activity
• Understand the different types of controls
• Understand the assessment process required by Circular A-123, Appendix A
What is Risk?
Before talking about internal controls, it is important to discuss the concept of risk.
RISK is the threat that an event, action, or non-action will have an adverse effect on the ability to achieve one’s objectives.
To assess risk, the following process is used:
• Identify the Risks
• Source the Risks
• Prioritize the Risks
What is Internal Control?
Internal Control = Risk Mitigation
Internal control is anything that provides reasonable assurance that a specified unwanted action is prevented or detected. Examples include:
• Alarm Clock: designed to prevent oversleeping. What are the risks?
• Speed Limits: designed to prevent aggressive driving. What are the risks?
• Log-on Password: designed to prevent unauthorized access to proprietary information. What are the risks?
What is Internal Control in an Organization?
Internal controls are the policies and procedures that help managers and employees be effective and efficient while avoiding serious problems such as overspending, operational failure, fraud, waste, abuse, and violations of law. They provide reasonable assurance that the following three objectives are met:
• Effectiveness & Efficiency of Operations – Relates to an entity's basic business objectives, including performance goals and safeguarding of an entity’s resources.
• Reliability of Financial Reporting – Relates to the preparation of reliable financial reporting, including interim and consolidated financial statements, as well as other significant internal and external reports (i.e., budget execution reports, monitoring reports, and reports used to comply with laws and regulations).
• Compliance with Laws & Regulations – Relates to complying with those laws and regulations to which the entity is subject.
What are the Benefits of Good Internal Control?
• Identification and elimination of waste, fraud and abuse
• Reduction of improper or erroneous payments
• Enhanced understanding of risk exposure
• Sustained performance, efficiency and effectiveness
• Reduced level of effort for financial management system implementation or audit
• Improved policies and procedures
• Streamlined processes
• Clear definition of process ownership
• Greater accountability
• Enhanced audit readiness and internal control attestation readiness
• Compliance with laws & regulations
Office of Management and Budget (OMB) and Congressional Oversight
• The role of OMB is to assist the President in the development and implementation of budget, program, management, and regulatory policies. It is an independent component of the Executive Branch.
• Internal control is an integral part of the tools currently being used by OMB and Congress to monitor federal Agencies.
   – Performance and Accountability Report (PAR) – contains the Administrator's assurance statement on internal and financial management controls
   – Program Assessment Rating Tool (PART) – developed to assess and improve program performance so that the Federal government can achieve better results
   – President’s Management Agenda (PMA) – aggressive strategy for improving the management of the Federal government. Contains seven government-wide and nine Agency-specific goals for improvement. Includes a “scorecard”
Internal Control Policy
Legislative / Regulatory Authority – Internal Control Requirement
• Federal Managers' Financial Integrity Act of 1982 (FMFIA) – Requires that agency CFOs develop and maintain an integrated system of internal controls and requires GAO to issue internal control standards
• Federal Financial Management Improvement Act of 1996 (FFMIA) – Requires that Federal financial management (FM) systems have reliable data and comply with financial management requirements
• Federal Information Security Management Act of 2002 (FISMA) – Requires agencies to ensure the adequacy and effectiveness of information security controls by conducting annual reviews and reporting results to OMB
• Improper Payments Information Act of 2002 (IPIA) – Provides for estimates and reports of improper payments by Federal agencies
• CFO Act of 1990 – Requires that agency CFOs develop and maintain an integrated and controlled accounting and FM system
• Government Performance and Results Act of 1993 (GPRA) – Requires agencies to clarify their missions, set strategic and annual performance goals, and report on performance toward these goals
• Inspector General Act of 1978 – Requires IGs to report on internal controls when conducting a performance audit
• OMB Circular A-123 – Requires monitoring and improvement of internal controls associated with programs
• OMB Circular A-127 – Outlines requirements for FM system controls
• OMB Circular A-130 – Establishes the policy for the management of Federal information resources
OMB Circular A-123
• Issued under authority of FMFIA; entitled “Management Accountability and Control”
• Provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on management controls
• Requires annual reporting on the effectiveness of management controls
• Provides the basis for an Agency head's annual assessment and report on internal controls required by FMFIA
Revised OMB Circular A-123
• Circular A-123 was revised in December 2004
• Renamed “Management’s Responsibility for Internal Control”
• Changes developed by the Chief Financial Officers Council (CFOC) and the President’s Council on Integrity and Efficiency (PCIE)
• Adopts certain concepts from the Sarbanes-Oxley Act of 2002
• Strengthens management requirements for assessing controls over financial reporting with the addition of Appendix A, “Internal Controls over Financial Reporting”
• Took effect FY 2006 – initial report was due in the November 2006 Performance and Accountability Report (PAR)
Overview of Revised OMB Circular A-123
The Revised Circular A-123 includes the following Appendices:
• Appendix A – Internal Control over Financial Reporting
• Appendix B – Improving Management of Government Charge Card Programs (Revised Appendix B issued April 2006)
   – Increases frequency of review and scope of spending and transaction limits
   – Limits authorization and blocks card use for “high risk merchant category codes”
• Appendix C – Requirements for Effective Measurement and Remediation of Improper Payments (Issued August 2006)
   – Requires a review of all programs and activities to identify those which may be susceptible to significant erroneous payments, and obtaining a statistically valid estimate of the annual amount of improper payments
   – Requires implementation of a plan to reduce erroneous payments and the reporting of estimates of the annual amount of improper payments and the progress made in reducing them
Revised OMB Circular A-123, Appendix A Requirements
OMB Circular A-123, Appendix A requires Agencies to:
• ASSESS internal control over financial reporting using the Committee of Sponsoring Organizations (COSO)/GAO Framework
• ESTABLISH a governance structure
• DOCUMENT the design of controls of material accounts and assess their effectiveness as of June 30
   - This includes entity-level controls and process/transaction-level controls, including Information Technology (IT)
• TEST the operating effectiveness of internal controls
Revised OMB Circular A-123, Appendix A Requirements (continued)
• INTEGRATE internal control throughout the entire agency and through the entire cycle of planning, budgeting, management, accounting, and auditing
• SIGN an annual Statement of Assurance in the Performance and Accountability Report (PAR) certifying the effectiveness of internal control within the Agency
   - The Assurance Statement must assert to the effectiveness of the internal controls as of June 30 and be issued in the Performance and Accountability Report by November 15
   - Signed by the Secretary of Agriculture
• CORRECT deficiencies in internal control over financial reporting
   - Agencies must create and execute corrective action plans to promptly and effectively resolve material weaknesses and other significant deficiencies
Why All the Trouble?
• It’s the law
• Every employee in USDA has an impact on financial management and, ultimately, financial reporting
• Over time, the metrics that evolve to monitor internal control areas will provide insight for key business decisions (e.g., programs and budgets)
• Documentation provides a communication tool for management and improves the ability to train employees and to share with interested stakeholders (e.g., auditors, oversight organizations)
Internal Control over Financial Reporting
The specific focus of OMB Circular A-123, Appendix A is internal control over financial reporting
• Internal control over financial reporting is a process designed to provide reasonable assurance regarding reliability of financial reporting. The process starts at the initiation of a transaction and ends with reporting
• Internal control over a complete process involves controls at every step of the process including
   – controls over transaction initiation,
   – maintenance of records,
   – recording of transactions, and
   – final reporting
• Internal control over financial reporting also includes
   – entity level controls,
   – information technology controls, and
   – operational and compliance controls
Management Responsibilities
Management is responsible for establishing and maintaining internal control and documentation. Management must:
– consistently apply the internal control standards of OMB Circular A-123, Appendix A (i.e., the COSO Framework’s five components)
– develop and maintain activities for the three objectives of OMB A-123 (i.e., the COSO/GAO Framework)
– maintain up-to-date controls documentation on an on-going basis
– provide a certification statement related to the adequacy of controls (signed by the Secretary of USDA)
COSO Internal Control Framework
COSO is the Recognized Internal Control Framework for Financial Reporting
– Per OMB, “Internal control standards and the definition of internal control are based on GAO, Standards for Internal Control in the Federal Government, November 1999, ‘Green Book’”
– GAO's ‘Green Book’ has adopted many of the internal control concepts provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which provides suitable criteria against which to evaluate and report on the effectiveness of the entity's Internal Control
– COSO is the framework used by commercial entities in complying with the Sarbanes-Oxley Act
COSO Internal Control Framework
• Five COSO Components of Internal Controls
COSO Internal Control Framework
• Monitoring of Controls: The processes to assess the effectiveness of internal control performance over time to ensure that controls continue to operate effectively as intended, and that they are modified as appropriate for changes in conditions.
• Information and Communication: The systems that support the identification, capture and exchange of information in a form and time frame that enables people to carry out their responsibilities.
• Control Activities: The policies and procedures that help ensure that management directives are carried out.
• Risk Assessment: The process for identifying, analyzing and managing relevant risks.
• Control Environment: The foundation for all other components of internal control, providing discipline and structure. It sets the tone of an organization, influencing the control consciousness of its people.
Control versus Activity
It is important to be able to distinguish between a control and an activity:
• Control activities: Control activities consist of policies and procedures that help to ensure that management directives are implemented
   – Controls can be either preventative or detective,
   – Controls can be either manual or automated, and
   – Controls help to ensure that financial reporting is accurate
   • Examples include approvals, authorizations, reconciliations, reviews and segregation of duties
• Activity: An activity is something that is done in the normal course of business and is necessary to process a transaction. Not all activities are controls
   – An activity only qualifies as a control if it is either preventative or detective of financial statement errors
   • Examples of activities include completing a form, entering data, or running a report
Control versus Activity Exercise
Description → Control or Activity?
1. A suspense report is generated and sent to a manager. → Activity
2. User fee calculations are calculated by the system and are set up to mirror terms of the contract. Any changes must be approved and reviewed by the appropriate level of management. → Control
3. The Accounts Payable manager reviews the Accounts Payable aging monthly to ensure payments are recorded. → Control
4. Unliquidated obligations are aged to identify outstanding items. → ?
5. Collections are entered into the system. → Activity
Manual versus Automated
Controls may be either:
• Manual – implemented through human action
   • Example: General Ledger entries must be reviewed and authorized by an accountant who signs off on an approved document
• Automated – implemented through system action
   • Example: Users must have a valid user id and password to access a system
Detective versus Preventative
Controls may be either:
• Detective – provide evidence that an error or exception has occurred
   • Example: Reviews, analyses, reconciliations, periodic physical inventories, audits, and surveillance cameras are all examples of detective controls
• Preventative – are proactive in that they attempt to deter or prevent undesirable events from occurring
   • Example: Separation of duties, proper authorization, passwords, and physical control over custody of assets are all examples of preventative controls
Control Exercise
Spell Check is a function that you have used in Microsoft Word. How might this be viewed as a control? What sort of control is it: detective or preventative?
• It is a detective control rather than preventative because it detects errors after you have input the words; it cannot prevent you from misspelling the word!
• It is unlike the preventative control in the Save function, which will not save the file if the file name contains “/” or “?”
Control Exercise (continued)
Continuing with the Spell Check example…
What kind of errors is it designed to address?
• It is designed to detect spelling errors only, not typos. For example, it will not detect the typo of “art” instead of “arc” or “cat” instead of “car.” These are actual words which are not misspelled.
Is it a manual or automated control?
• It is automated, but it must be turned on. It cannot detect errors if it is not activated, so there is a manual element involved.
Control Activities Specific for Information Systems
There are two types of Information System Controls:
• General Computer Controls (GCCs): Pervasive, over-arching controls that affect every transaction. Used to manage and control the organization’s information technology infrastructure.
• Application Controls: Controls that cover the processing of data within an application or computer program.
OMB Circular A-123 states, “general and application controls over information systems are interrelated; both are needed to ensure complete and accurate information processing.”
[Diagram: layered example. Application Controls: PCMS (Purchase Card Application), Oracle Database. General Computer Controls: Operating system (e.g., AIX), LAN (e.g., Desktop/NT).]
Control Activities Specific for Information Systems: General Computer Controls
General Computer Controls should be designed to ensure that:
• The overall IT environment is well-controlled
• The IT organization is fit for its purpose, and there is proper management control over information systems
• Critical processing can be restored in a timely manner in the event of a prolonged outage (data / systems are backed up)
• New applications and changes to existing applications are properly authorized and only approved modifications are moved to the production environment
• Physical and logical security controls restrict access to data, systems and sensitive facilities
Control Activities Specific for Information Systems: General Computer Controls (continued)
Examples of General Computer Controls include:
• Monitoring of Adherence to Entity-wide Security Program
• Data Processing Policies and Procedures
• Continuity of Operations Plan (COOP)
• Regularly Scheduled and Documented Change Control Board Meetings
• Properly Completed and Maintained Access Request Forms
What must be assessed?
• Security Planning and Management
• Change Control
• Segregation of Duties
• Access Controls
• Service Continuity
• System Software
Control Activities Specific for Information Systems: Application Controls
Application Controls should be designed to ensure that:
• Financially significant applications process data and report results as intended
• Business processes may be enabled by one or more applications
• Ideally, computerized application controls are programmed into the application to ensure Completeness, Accuracy, Validity and Restricted Access
• Many common applications (e.g., SAP and PeopleSoft) have configurable controls
• Controls over ensuring on-going data quality should also be considered (i.e., problem reporting, management and resolution)
Control Activities Specific for Information Systems: Application Controls (continued)
Examples of Application Controls include:
• Automated controls built into the application (computerized edit checks and required passwords)
• Manual controls surrounding the application (manual reconciliations of interfaced applications, management sign-offs, and reviews of audit logs)
What must be assessed?
• Input Controls (access restrictions, validity checking, source documents)
• Processing Controls (integrity controls, error messages, job scheduling)
• Output Controls (report generation and distribution, manual review of reports for obvious errors)
Exercise: General versus Application Controls
Are the following controls General Computer Controls or Application Controls?
1. Only authorized personnel have access to the data center (e.g., locked doors and access cards) → General
2. Validation check over an input field preventing letters being entered in a number field → Application
3. The system prevents contracts from being awarded unless sufficient budget authority is available → Application
4. A System Development Life Cycle methodology has been developed → General
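As an added illustration (not part of the USDA deck), the following Python sketch implements the application controls named on the two preceding slides: a preventative input control (validity check on a number field), a preventative processing control (no award without sufficient budget authority), and a detective output control (reconciliation against an interfaced application), all writing to an audit log for manual review. The ledger, fund names, and transactions are constructed for the example.

```python
"""Added example (not from the USDA deck): a purchase-transaction ledger that
shows the application-control categories the slides classify: preventative
input/processing controls reject bad transactions before posting, a detective
output control reconciles posted totals with an interfaced feed afterwards,
and every decision is logged for later manual review. All names and data are constructed."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Dict, List


@dataclass
class ControlLog:
    """Constructed audit trail, so the manual 'review of audit logs' control has input."""
    entries: List[str] = field(default_factory=list)

    def record(self, control: str, outcome: str, detail: str) -> None:
        self.entries.append(f"{control}|{outcome}|{detail}")


class PurchaseLedger:
    def __init__(self, budget_authority: Dict[str, Decimal], log: ControlLog):
        self.budget_authority = dict(budget_authority)  # remaining authority per fund
        self.posted: List[dict] = []
        self.log = log

    # Preventative input control: validity check on a number field (the slide's
    # "letters cannot be entered in a number field").
    @staticmethod
    def parse_amount(raw: str) -> Decimal:
        try:
            amount = Decimal(raw)
        except InvalidOperation:
            raise ValueError(f"amount field must be numeric, got {raw!r}")
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            raise ValueError(f"amount must be positive with at most 2 decimals: {raw}")
        return amount

    # Preventative processing control: no award without sufficient budget authority.
    def post(self, txn: dict) -> bool:
        try:
            amount = self.parse_amount(txn["amount"])
        except ValueError as exc:
            self.log.record("INPUT_VALIDITY", "REJECT", f"{txn['id']}: {exc}")
            return False
        fund = txn["fund"]
        available = self.budget_authority.get(fund, Decimal("0"))
        if amount > available:
            self.log.record("BUDGET_AUTHORITY", "REJECT",
                            f"{txn['id']}: {amount} exceeds {available} in {fund}")
            return False
        self.budget_authority[fund] = available - amount
        self.posted.append({"id": txn["id"], "fund": fund, "amount": amount})
        self.log.record("BUDGET_AUTHORITY", "POST", f"{txn['id']}: {amount} from {fund}")
        return True

    # Detective output control: reconcile posted totals with an interfaced system.
    # A variance is evidence that an error occurred; nothing is blocked, which is
    # what separates a detective control from a preventative one.
    def reconcile(self, interface_totals: Dict[str, Decimal]) -> Dict[str, Decimal]:
        ours: Dict[str, Decimal] = {}
        for row in self.posted:
            ours[row["fund"]] = ours.get(row["fund"], Decimal("0")) + row["amount"]
        variances: Dict[str, Decimal] = {}
        for fund in sorted(set(ours) | set(interface_totals)):
            diff = ours.get(fund, Decimal("0")) - interface_totals.get(fund, Decimal("0"))
            if diff != 0:
                variances[fund] = diff
                self.log.record("RECONCILIATION", "EXCEPTION", f"{fund}: variance {diff}")
        return variances


def run_demo():
    """Constructed scenario; returns (post results, variances, remaining budgets, log)."""
    log = ControlLog()
    ledger = PurchaseLedger({"FUND-A": Decimal("1000.00"), "FUND-B": Decimal("250.00")}, log)
    txns = [  # constructed sample transactions
        {"id": "T1", "fund": "FUND-A", "amount": "400.00"},
        {"id": "T2", "fund": "FUND-A", "amount": "12O.00"},  # letter O in a number field
        {"id": "T3", "fund": "FUND-B", "amount": "300.00"},  # exceeds budget authority
        {"id": "T4", "fund": "FUND-B", "amount": "200.00"},
    ]
    results = {t["id"]: ledger.post(t) for t in txns}
    # Constructed feed from the interfaced system: FUND-B is reported 50.00 short.
    variances = ledger.reconcile({"FUND-A": Decimal("400.00"), "FUND-B": Decimal("150.00")})
    return results, variances, ledger.budget_authority, log.entries
```

Running run_demo() rejects T2 and T3 before posting, posts T1 and T4, and flags a 50.00 variance on FUND-B for a reviewer to follow up; the first two are application controls in the preventative sense, the last is detective.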
Entity Level Controls
• Definition: Entity Level Controls are controls that management has in place to ensure that the appropriate controls exist throughout the organization, including at the individual agencies. Examples include management’s tone at the top, risk assessment, centralized processing, controls monitoring and the USDA period-end financial reporting process.
• Responsibility: Entity Level Controls are assessed at both the agency and department level.
• Purpose: Entity Level Controls can have a pervasive effect on the overall control effectiveness of the organization; therefore the assessment of entity-level controls is essential to the overall evaluation of controls.
USDA’s Approach to the FY 07 A-123, Appendix A Assessment Process
[Timeline, Sept 2006 – Dec 2007]
• Phase I – Planning & Scoping: Oct 2006 – Dec 2006 (3 months)
• Phase II – Documentation & Testing: Dec 2006 – Jul 2007 (8 months)
• Phase III – Remediation & Validation: Sept 2006 – Aug 2007 (12 months)
• Phase IV – Reporting & Sustaining: Aug 2007 – Nov 2007 (4 months)
Overview of A-123 Assessment: Planning and Scoping Activities
Phase I – Planning & Scoping (Oct 2006 – Dec 2006)
• Establish A-123 governance structure
• Determine and communicate the FY 07 A-123 assessment timeline and methodology (Department’s Top-Down Approach)
• Determine the scope of the significant financial reports
• Determine the cycles, processes, and systems in scope for each of USDA’s Agencies and Staff Offices for the FY 07 assessment based on materiality
• Develop / update standard templates to be used for documentation and testing of controls over financial reporting
Overview of A-123 Assessment: Documentation and Testing Activities
Phase II – Documentation & Testing (Dec 2006 – Jul 2007)
Documentation
• Identify and document entity level controls
• Identify and document process level manual and application controls
• Identify and document General Computer Controls (GCCs)
• Assess the design effectiveness of controls. Controls not designed effectively are considered to be control gaps
Testing
• Develop test plans for key controls that have been determined to be designed effectively
• Perform testing of entity level, manual, application, and general computer controls to assess operating effectiveness. Controls that fail testing are considered to be deficiencies
• Document the results of testing, including any identified deficiencies
Overview of A-123 Assessment: Remediation and Validation Activities
Phase III – Remediation & Validation (Sept 2006 – Aug 2007)
• Classify the significance of any control gaps or deficiencies
• Document Remediation / Corrective Action Plans for identified control gaps and deficiencies
• Implement Corrective Action Plans. Re-test remediated controls and document results
Overview of A-123 Assessment: Reporting and Sustaining Activities
Phase IV – Reporting & Sustaining (Aug 2007 – Nov 2007)
• Draft and submit Agency and Staff Office Certification Statements for their FY 07 assessment of internal control over financial reporting
• Analyze the impact of Agency and Staff Office control deficiencies on the Department’s annual assurance statement
• Draft and finalize the Department’s Annual Assurance Statement for internal controls over financial reporting as of June 30, 2007 for inclusion in the FY 07 Performance and Accountability Report
• Continue with monitoring, remediation, and reporting of controls
Additional Sources of Information
• Refer to www.whitehouse.gov for OMB Circular A-123 guidance, including the Appendix A Implementation Guide
• USDA’s FY 06 Implementation Guide can be found in QuickPlace under “Reference Materials”