AGA Gulf Region PDT COSO and the Green Book: An Enhanced Internal Control Framework


Isabelle Dikland, Director, MorganFranklin Consulting
Timothy Grace, Director, MorganFranklin Consulting
May 6, 2015

Agenda
  Introductions
  Background
  Green Book Revisions
  Internal Control Overview
  Standards
  Documentation Requirements
  Service Organizations
  Questions and Answers
  Resources

Background: GAO Green Book
  The Government Accountability Office (GAO) is required to issue standards for internal control in the government
  Standards for Internal Control in the Federal Government ("The Green Book"), November 1999
    o Reflects federal internal control standards required for the Federal Managers' Financial Integrity Act (FMFIA)
    o Serves as a base for OMB Circular No. A-123
    o Leverages private sector guidance issued by the Committee of Sponsoring Organizations (COSO), the 1992 COSO Framework
  [Timeline: 1983 to present]

Background: Updated COSO Framework
  Released May 14, 2013
  Relationship of Objectives and Components
    Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives)
  COSO cube
    o Three objectives represented by columns
    o Five components represented by rows
    o Entity's organization structure is represented by the third dimension

Revisions: From COSO to The Green Book
  2013 COSO Framework Update
  2013/2014 Green Book Revision

Green Book: Reasons for Revisions
  Updated Green Book Issued September

Green Book: Revision Process
  1. GAO performs preliminary revision
  2. Green Book Advisory Council, comprised of members from the following entities:
       Federal agency management (nominated by OMB)
       Inspector general
       State and local government
       Private sector
       Academia
       Independent public accounting firms
  3. Exposure Draft distributed for review and comment by the public
  4. Comment period can be extended if a significant volume of salient comments is received.
       For the most recent version: 43 comment letters resulting in 527 comments
       Major themes of comments
         o Clarification of requirements
         o Definition of key terms
         o Applicability to state, local, and not-for-profit organizations
         o Documentation requirements
         o Editorial suggestions
  5. Revisions are not an ad hoc process but a deliberative one
  6. Final Green Book issued September

Green Book: What Did / Did Not Change?
  What did NOT change
    Core definition of internal control
    Three categories of objectives and five components of internal control
    Each of the five components of internal control is required for effective internal control
    Important role of judgment in designing, implementing, and operating an internal control system and evaluating its effectiveness
  What did change
    Changes in operating environments considered
    Operations and reporting objectives expanded
    Fundamental concepts underlying the five components articulated as principles
    Additional consideration given to operations, compliance, and non-financial reporting objectives

Green Book Revision: Standards for Internal Control in the Federal Government
  [Diagram: Overview; Standards]

Overview: Fundamental Concepts
  What is Internal Control?
    Internal control comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of the organization.
    Internal control serves as the first line of defense in safeguarding assets.
    In short, internal control helps federal managers achieve desired results through effective stewardship of public resources.
  What is an Internal Control System?
    An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable, not absolute, assurance that an organization's objectives will be achieved.
    Emphasis on reasonable assurance and flexibility in achieving it.

Overview: Establishing an Internal Control System
  All components, principles, and attributes are relevant for an effective internal control system
  [Diagram: Control Objectives; 5 Components; Principles; Attributes]
    Components: entity should implement relevant principles
    Attributes: contribute to the design, implementation, and operating effectiveness of principles

Overview: Evaluation of an Internal Control System
  Framework to Evaluate an Internal Control System
    An effective internal control system provides reasonable assurance that the organization will achieve its objectives, and requires that each of the five components is:
      o Effectively designed, implemented, and operating
      o Operating together in an integrated manner
    Management evaluates the effect of deficiencies on the internal control system
    A component is likely to not be effective if related principles are not effective
  [Diagram: Components; Principles; Attributes]

Standards: Objectives, Components, and Principles
  [Diagram: Objectives; Components; Principles; Attributes]

Standards: Objectives
  1. Operations: Effectiveness and efficiency of operations
  2. Reporting: Reliability of reporting for internal and external use
       External financial reporting objectives: Agency Financial Report
       External nonfinancial reporting objectives: Management Assurance Statement
       Internal financial and nonfinancial reporting objectives: Reporting on aging of receivables (financial), staffing reports (nonfinancial)
  3. Compliance: Compliance with applicable laws and regulations
  Safeguarding of Assets
    Subset of the 3 categories of objectives
    Prevention or prompt detection of unauthorized acquisition, use, or disposition of an entity's assets

Standards: Five Components and Seventeen Principles
  [Diagram: five components and seventeen principles]

Standards: Control Environment Principles and Attributes
  1. Commitment to integrity and ethical values
       Tone at the top
       Establishment of standards of conduct
       Evaluate adherence to standards of conduct
  2. Exercise oversight responsibility
       Establish oversight structure
       Provide oversight for internal control system
       Provide input for remediation of deficiencies
  3. Establish structure, authority, and responsibility
       Establish organizational structure
       Assign responsibility and delegate authority
       Document internal control system
  4. Demonstrate commitment to competence
       Establish expectations of competence
       Attract, develop, and retain individuals
       Plan and prepare for succession
  5. Enforce accountability
       Enforce accountability for performance of internal control responsibilities
       Consider excessive pressures

Standards: Risk Assessment Principles and Attributes
  6. Define objectives and risk tolerances
       Define objectives in specific and measurable terms
       Define risk tolerances for objectives
  7. Identify, analyze, and respond to risk
       Identify risks throughout the entity
       Analyze risks to estimate their significance
       Design risk responses
  8. Assess fraud risk
       Consider types of fraud
       Consider fraud risk factors
       Respond to fraud risks
  9. Identify, analyze, and respond to change
       Identify changes that could significantly impact the entity's internal control system
       Analyze and respond to identified changes

Standards: Control Activities Principles and Attributes
  10. Design control activities
       Respond to objectives and risks
       Design the types of control activities
       Design control activities at various levels
       Consider segregation of duties
  11. Design activities for the information system
       Design the entity's information system
       Design appropriate types of control activities
       Design the information technology infrastructure
       Design security management
       Design IT acquisition, development, and maintenance
  12. Implement control activities
       Document responsibilities through policies
       Periodically review control activities to determine continued relevance, redesign when necessary, and communicate as appropriate

Standards: Information and Communication Principles and Attributes
  13. Use quality information
       Identify information requirements
       Obtain relevant data from reliable sources
       Process data into quality information
  14. Communicate internally
       Communicate quality information throughout the entity using established reporting lines
       Select appropriate methods of communication
  15. Communicate externally
       Communicate with external parties using established reporting lines
       Select appropriate methods of communication

Standards: Monitoring Principles and Attributes
  16. Perform monitoring activities
       Establish a baseline for monitoring the internal control system
       Monitor the internal control system through ongoing monitoring and separate evaluations
       Evaluate and document the results
  17. Remediate deficiencies
       Report internal control issues to appropriate parties on a timely basis
       Evaluate and document internal control issues and determine corrective action approach
       Complete and document corrective actions to remediate internal control deficiencies

Standards: Component, Principle, Attribute

Standards: Principle can be effected by controls in other components

Principle/Attribute: Specified Documentation Requirements
  Management must determine the level of documentation needed to assess the effectiveness of internal control
  Documentation is essential: it enables monitoring and enables the assurance process
  Green Book specifies the minimum level of documentation required for an entity's internal control system:
    o Control Environment (3.12): Management should develop and maintain documentation of its internal control system
    o Control Activities: Management should document in policies the internal control responsibilities of the organization
    o Monitoring: Management should evaluate and document the results of ongoing monitoring and separate evaluations to identify internal control issues
    o Monitoring: Management should evaluate and document internal control issues and determine appropriate corrective actions for internal control deficiencies on a timely basis
    o Monitoring: Management should complete and document corrective actions and remediate internal control deficiencies on a timely basis

Additional Consideration: Service Organizations
  Service organizations are external parties that perform certain operational processes for the department/agency
  Management retains responsibility for the performance of processes aligned to service organizations
  Management needs to understand the controls each service organization has designed, implemented, and operates, and how the service organization's internal control system impacts the entity's internal control system
  Management considerations for the determination of the extent of oversight controls required:
    o Controls identified by auditors
    o Nature of services outsourced
    o Service organization's standard of conduct
    o Magnitude and level of complexity of entity's operations
    o Availability and content of SSAE 16 report

Components Operating Together in an Integrated Manner
  An effective internal control system provides reasonable assurance that the organization will achieve its objectives, and requires that each of the five components is:
    Effectively designed, implemented, and operating
    Operating together in an integrated manner

Key Resources for Additional Information
  GAO Green Book page: Green Book Issued September 2014
  COSO: Framework Executive Summary; Thought Leadership Papers

About MorganFranklin
  MorganFranklin is an execution-oriented business consulting and technology solutions company. We deliver financial management, performance improvement, and technology enablement solutions to industry and government clients.
  Business Facts
    Founded in 1998
    Headquartered in the Washington, D.C.
    National presence and international reach
    Diverse full-time workforce comprised of industry, global consulting, Big Four, and government professionals
    Technical excellence: CPA, CIA, CISA, CISSP, MCSE, RCDD, MBA, Ph.D., PMP
    Fast access to a powerful network of trusted partners with solid industry experience
    Unique blend of industry and government clients
    Industry recognition as a top consulting firm in the U.S.
    Recognized for industry-leading workplace best practices

Questions & Answers