What s New In GAO s Revised Greenbook

Transcription

1 What s New In GAO s Revised Greenbook Association of Government Accountants, KC Chapter Fall 2014 Professional Development Seminar November 10, 2014 Michael A. Fiene Chief, USDA/FSA-Internal Control and Planning Office

2 Agenda GAO Greenbook (Theory) Practical Applications Enterprise Risk Management (ERM) 2

3 Which Presentation? GAO Greenbook Preparing to Retire the Cheapskate Way Or

4 GAO Green Book (Theory) GAO Greenbook (Theory) 4

5 GAO Green Book (Theory) COSO updated its guidance in 2013 Provides greater detail and depth Retains the 5 components of internal control Presents 17 new principles that enumerate management responsibilities 5

6

7 GAO Green Book (Theory) Effective and Efficient Operations COSO Cube Accurate Reporting Compliance with Laws and Regulations 7

8 GAO Green Book (Theory) Highlights Page Sample Page 11/04/2014 8

9 GAO Green Book (Theory) New: Components are aligned to Principles and Attributes 11/04/2014 9

10 GAO Green Book (Theory) Financial Non-Financial External Internal External Financial Reports Internal Financial Reports External Non-Financial Reports Internal Non-Financial Reports 10

11 GAO Green Book (Theory) New: Principle 2, explicitly states oversight body should oversee the entity s internal control system. Control Environment Principles 1) The oversight body and management should demonstrate a commitment to integrity and ethical values. 2) The oversight body should oversee the entity s internal control system. 3) Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity s objectives. 4) Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 5) Management should evaluate performance and hold individuals accountable for their internal control responsibilities. 11/04/

12 GAO Green Book (Theory) New: Principle 8, explicitly states Management should consider the potential for fraud in its risk assessment Risk Assessment Principles 6. Management should define objectives clearly to enable the identification of risks and define risk tolerances. 7. Management should identify, analyze, and respond to risks related to achieving the defined objectives. 8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 9. Management should identify, analyze, and respond to significant changes that could impact the internal control system. 11/04/

13 GAO Green Book (Theory) New: Language very similar but modified to remove the word should in several places to more clearly state Management s responsibility for designing and implementing an effective internal control system. Control Activities Principles 10.Management should design control activities to achieve objectives and respond to risks. 11.Management should design the entity s information system and related control activities to achieve objectives and respond to risks. 12.Management should implement control activities through policies. 11/04/

14 GAO Green Book (Theory) New: Emphasis on the quality of information. Information and Communication Principles 13.Management should use quality information to achieve the entity s objectives. 14.Management should internally communicate the necessary quality information to achieve the entity s objectives. 15.Management should externally communicate the necessary quality information to achieve the entity s objectives. 11/04/

15 GAO Green Book (Theory) New: The attributes provide guidance on establishing a baseline for monitoring as well as establishing ongoing monitoring that is built into the entity s operations, performed continually and is responsive to change. Monitoring Principles 16.Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. 17.Management should remediate identified internal control deficiencies on a timely basis. 11/04/

16 GAO Green Book Practical Applications 16

17 GAO Green Book: Practical Applications New: Principle 8, explicitly states Management should consider the potential for fraud in its risk assessment Risk Assessment Principles 6. Management should define objectives clearly to enable the identification of risks and define risk tolerances. 7. Management should identify, analyze, and respond to risks related to achieving the defined objectives. 8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 9. Management should identify, analyze, and respond to significant changes that could impact the internal control system. 11/04/

18 The New Greenbook 18

19 GAO Green Book: Practical Applications Control Objective All collections and disbursements of fund balance with Treasury are recorded and are recorded accurately in the general ledger Recorded FSA direct loans are valid and are approved/authorized by management All FSA direct loans are recorded and are recorded accurately in the general ledger Risk All collections and disbursements of fund balance with Treasury are not recorded and/or are not recorded accurately in the general ledger Recorded FSA direct loans are not valid and/or are not approved/authorized by management All FSA direct loans are not recorded and/or are not recorded accurately in the general ledger 19

20 GAO Green Book: Practical Applications New: Principle 8, explicitly states Management should consider the potential for fraud in its risk assessment Risk Assessment Principles 6. Management should define objectives clearly to enable the identification of risks and define risk tolerances. 7. Management should identify, analyze, and respond to risks related to achieving the defined objectives. 8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 9. Management should identify, analyze, and respond to significant changes that could impact the internal control system. 11/04/

21 Low Risk 21

22 High Risk 22

23 23

24 GAO Green Book: Practical Applications New: The attributes provide guidance on establishing a baseline for monitoring as well as establishing ongoing monitoring that is built into the entity s operations, performed continually and is responsive to change. Monitoring Principles 16.Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. 17.Management should remediate identified internal control deficiencies on a timely basis. 11/04/

25 GAO Green Book: Practical Applications Ongoing Monitoring Occurs when the routine operations of an organization provides feedback to those responsible for the effectiveness of the internal control system Separate Evaluations Designed to evaluate controls periodically and are not ingrained in the routine operations of the organization 25

26 The New Greenbook 26

27 GAO Green Book: Practical Applications 27

28 GAO Green Book: Practical Applications Monitoring promotes good control operation. When people who are responsible for internal control know their work is subject to oversight through monitoring, they are more likely to perform their duties properly over time. COSO Guidance on Monitoring Internal Control Systems, January,

29 GAO Green Book Enterprise Risk Management (ERM) 29

30 GAO Green Book: ERM COSO I/C Framework Effective and Efficient Operations Accurate Reporting COSO ERM Framework Strategic Effective and Efficient Operations Compliance with Laws and Regulations Accurate Reporting Compliance with Laws and Regulations 30

31 GAO Green Book: ERM Proposed Revisions to OMB Circular A-123 Clarify technical terminology to ensure that program managers can understand and use internal controls properly; Replace check the box compliance approaches with risk management based approaches to support agency missions; Introduce Enterprise Risk Management (ERM); and Build on internal controls over financial reporting, while at the same time reducing compliance burdens to focus on program controls Implementing ERM and a Broader View of Risk 11/04/

32 GAO Green Book: ERM OMB s Direction (A-11, ERM Direction) What is Enterprise Risk Management (ERM)? What are the key roles of risk managers at an agency? Why is ERM a best practice and how is it relevant to strategic reviews? What other guidance does OMB provide agencies regarding risk management concepts discussed in this Circular? What is the difference between internal control and risk? What is the difference between OMB Circular A-123 and Enterprise Risk Management? 11/04/

33 Questions? GAO Greenbook Preparing to Retire the Cheapskate Way Or